1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include "FwmarkServer.h" 18 19 #include "Fwmark.h" 20 #include "FwmarkCommand.h" 21 #include "NetdConstants.h" 22 #include "NetworkController.h" 23 #include "resolv_netid.h" 24 25 #include <netinet/in.h> 26 #include <sys/socket.h> 27 #include <unistd.h> 28 #include <utils/String16.h> 29 30 using android::String16; 31 using android::net::metrics::INetdEventListener; 32 33 namespace android { 34 namespace net { 35 36 FwmarkServer::FwmarkServer(NetworkController* networkController, EventReporter* eventReporter) : 37 SocketListener("fwmarkd", true), mNetworkController(networkController), 38 mEventReporter(eventReporter) { 39 } 40 41 bool FwmarkServer::onDataAvailable(SocketClient* client) { 42 int socketFd = -1; 43 int error = processClient(client, &socketFd); 44 if (socketFd >= 0) { 45 close(socketFd); 46 } 47 48 // Always send a response even if there were connection errors or read errors, so that we don't 49 // inadvertently cause the client to hang (which always waits for a response). 50 client->sendData(&error, sizeof(error)); 51 52 // Always close the client connection (by returning false). This prevents a DoS attack where 53 // the client issues multiple commands on the same connection, never reading the responses, 54 // causing its receive buffer to fill up, and thus causing our client->sendData() to block. 55 return false; 56 } 57 58 int FwmarkServer::processClient(SocketClient* client, int* socketFd) { 59 FwmarkCommand command; 60 FwmarkConnectInfo connectInfo; 61 62 iovec iov[2] = { 63 { &command, sizeof(command) }, 64 { &connectInfo, sizeof(connectInfo) }, 65 }; 66 msghdr message; 67 memset(&message, 0, sizeof(message)); 68 message.msg_iov = iov; 69 message.msg_iovlen = ARRAY_SIZE(iov); 70 71 union { 72 cmsghdr cmh; 73 char cmsg[CMSG_SPACE(sizeof(*socketFd))]; 74 } cmsgu; 75 76 memset(cmsgu.cmsg, 0, sizeof(cmsgu.cmsg)); 77 message.msg_control = cmsgu.cmsg; 78 message.msg_controllen = sizeof(cmsgu.cmsg); 79 80 int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, MSG_CMSG_CLOEXEC)); 81 if (messageLength <= 0) { 82 return -errno; 83 } 84 85 if (!((command.cmdId != FwmarkCommand::ON_CONNECT_COMPLETE && messageLength == sizeof(command)) 86 || (command.cmdId == FwmarkCommand::ON_CONNECT_COMPLETE 87 && messageLength == sizeof(command) + sizeof(connectInfo)))) { 88 return -EBADMSG; 89 } 90 91 Permission permission = mNetworkController->getPermissionForUser(client->getUid()); 92 93 if (command.cmdId == FwmarkCommand::QUERY_USER_ACCESS) { 94 if ((permission & PERMISSION_SYSTEM) != PERMISSION_SYSTEM) { 95 return -EPERM; 96 } 97 return mNetworkController->checkUserNetworkAccess(command.uid, command.netId); 98 } 99 100 cmsghdr* const cmsgh = CMSG_FIRSTHDR(&message); 101 if (cmsgh && cmsgh->cmsg_level == SOL_SOCKET && cmsgh->cmsg_type == SCM_RIGHTS && 102 cmsgh->cmsg_len == CMSG_LEN(sizeof(*socketFd))) { 103 memcpy(socketFd, CMSG_DATA(cmsgh), sizeof(*socketFd)); 104 } 105 106 if (*socketFd < 0) { 107 return -EBADF; 108 } 109 110 Fwmark fwmark; 111 socklen_t fwmarkLen = sizeof(fwmark.intValue); 112 if (getsockopt(*socketFd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen) == -1) { 113 return -errno; 114 } 115 116 switch (command.cmdId) { 117 case FwmarkCommand::ON_ACCEPT: { 118 // Called after a socket accept(). The kernel would've marked the NetId and necessary 119 // permissions bits, so we just add the rest of the user's permissions here. 120 permission = static_cast<Permission>(permission | fwmark.permission); 121 break; 122 } 123 124 case FwmarkCommand::ON_CONNECT: { 125 // Called before a socket connect() happens. Set an appropriate NetId into the fwmark so 126 // that the socket routes consistently over that network. Do this even if the socket 127 // already has a NetId, so that calling connect() multiple times still works. 128 // 129 // But if the explicit bit was set, the existing NetId was explicitly preferred (and not 130 // a case of connect() being called multiple times). Don't reset the NetId in that case. 131 // 132 // An "appropriate" NetId is the NetId of a bypassable VPN that applies to the user, or 133 // failing that, the default network. We'll never set the NetId of a secure VPN here. 134 // See the comments in the implementation of getNetworkForConnect() for more details. 135 // 136 // If the protect bit is set, this could be either a system proxy (e.g.: the dns proxy 137 // or the download manager) acting on behalf of another user, or a VPN provider. If it's 138 // a proxy, we shouldn't reset the NetId. If it's a VPN provider, we should set the 139 // default network's NetId. 140 // 141 // There's no easy way to tell the difference between a proxy and a VPN app. We can't 142 // use PERMISSION_SYSTEM to identify the proxy because a VPN app may also have those 143 // permissions. So we use the following heuristic: 144 // 145 // If it's a proxy, but the existing NetId is not a VPN, that means the user (that the 146 // proxy is acting on behalf of) is not subject to a VPN, so the proxy must have picked 147 // the default network's NetId. So, it's okay to replace that with the current default 148 // network's NetId (which in all likelihood is the same). 149 // 150 // Conversely, if it's a VPN provider, the existing NetId cannot be a VPN. The only time 151 // we set a VPN's NetId into a socket without setting the explicit bit is here, in 152 // ON_CONNECT, but we won't do that if the socket has the protect bit set. If the VPN 153 // provider connect()ed (and got the VPN NetId set) and then called protect(), we 154 // would've unset the NetId in PROTECT_FROM_VPN below. 155 // 156 // So, overall (when the explicit bit is not set but the protect bit is set), if the 157 // existing NetId is a VPN, don't reset it. Else, set the default network's NetId. 158 if (!fwmark.explicitlySelected) { 159 if (!fwmark.protectedFromVpn) { 160 fwmark.netId = mNetworkController->getNetworkForConnect(client->getUid()); 161 } else if (!mNetworkController->isVirtualNetwork(fwmark.netId)) { 162 fwmark.netId = mNetworkController->getDefaultNetwork(); 163 } 164 } 165 break; 166 } 167 168 case FwmarkCommand::ON_CONNECT_COMPLETE: { 169 // Called after a socket connect() completes. 170 // This reports connect event including netId, destination IP address, destination port, 171 // uid, connect latency, and connect errno if any. 172 173 // Skip reporting if connect() happened on a UDP socket. 174 int socketProto; 175 socklen_t intSize = sizeof(socketProto); 176 const int ret = getsockopt(*socketFd, SOL_SOCKET, SO_PROTOCOL, &socketProto, &intSize); 177 if ((ret != 0) || (socketProto == IPPROTO_UDP)) { 178 break; 179 } 180 181 android::sp<android::net::metrics::INetdEventListener> netdEventListener = 182 mEventReporter->getNetdEventListener(); 183 184 if (netdEventListener != nullptr) { 185 char addrstr[INET6_ADDRSTRLEN]; 186 char portstr[sizeof("65536")]; 187 const int ret = getnameinfo((sockaddr*) &connectInfo.addr, sizeof(connectInfo.addr), 188 addrstr, sizeof(addrstr), portstr, sizeof(portstr), 189 NI_NUMERICHOST | NI_NUMERICSERV); 190 191 netdEventListener->onConnectEvent(fwmark.netId, connectInfo.error, 192 connectInfo.latencyMs, 193 (ret == 0) ? String16(addrstr) : String16(""), 194 (ret == 0) ? strtoul(portstr, NULL, 10) : 0, client->getUid()); 195 } 196 break; 197 } 198 199 case FwmarkCommand::SELECT_NETWORK: { 200 fwmark.netId = command.netId; 201 if (command.netId == NETID_UNSET) { 202 fwmark.explicitlySelected = false; 203 fwmark.protectedFromVpn = false; 204 permission = PERMISSION_NONE; 205 } else { 206 if (int ret = mNetworkController->checkUserNetworkAccess(client->getUid(), 207 command.netId)) { 208 return ret; 209 } 210 fwmark.explicitlySelected = true; 211 fwmark.protectedFromVpn = mNetworkController->canProtect(client->getUid()); 212 } 213 break; 214 } 215 216 case FwmarkCommand::PROTECT_FROM_VPN: { 217 if (!mNetworkController->canProtect(client->getUid())) { 218 return -EPERM; 219 } 220 // If a bypassable VPN's provider app calls connect() and then protect(), it will end up 221 // with a socket that looks like that of a system proxy but is not (see comments for 222 // ON_CONNECT above). So, reset the NetId. 223 // 224 // In any case, it's appropriate that if the socket has an implicit VPN NetId mark, the 225 // PROTECT_FROM_VPN command should unset it. 226 if (!fwmark.explicitlySelected && mNetworkController->isVirtualNetwork(fwmark.netId)) { 227 fwmark.netId = mNetworkController->getDefaultNetwork(); 228 } 229 fwmark.protectedFromVpn = true; 230 permission = static_cast<Permission>(permission | fwmark.permission); 231 break; 232 } 233 234 case FwmarkCommand::SELECT_FOR_USER: { 235 if ((permission & PERMISSION_SYSTEM) != PERMISSION_SYSTEM) { 236 return -EPERM; 237 } 238 fwmark.netId = mNetworkController->getNetworkForUser(command.uid); 239 fwmark.protectedFromVpn = true; 240 break; 241 } 242 243 default: { 244 // unknown command 245 return -EPROTO; 246 } 247 } 248 249 fwmark.permission = permission; 250 251 if (setsockopt(*socketFd, SOL_SOCKET, SO_MARK, &fwmark.intValue, 252 sizeof(fwmark.intValue)) == -1) { 253 return -errno; 254 } 255 256 return 0; 257 } 258 259 } // namespace net 260 } // namespace android 261