1 /** 2 * Copyright (c) 2016, The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define LOG_TAG "Netd" 18 19 #include <set> 20 #include <vector> 21 22 #include <android-base/stringprintf.h> 23 #include <android-base/strings.h> 24 #include <cutils/log.h> 25 #include <cutils/properties.h> 26 #include <utils/Errors.h> 27 #include <utils/String16.h> 28 29 #include <binder/IPCThreadState.h> 30 #include <binder/IServiceManager.h> 31 #include "android/net/BnNetd.h" 32 33 #include <openssl/base64.h> 34 35 #include "Controllers.h" 36 #include "DumpWriter.h" 37 #include "EventReporter.h" 38 #include "InterfaceController.h" 39 #include "NetdConstants.h" 40 #include "NetdNativeService.h" 41 #include "RouteController.h" 42 #include "SockDiag.h" 43 #include "UidRanges.h" 44 45 using android::base::StringPrintf; 46 using android::os::PersistableBundle; 47 48 namespace android { 49 namespace net { 50 51 namespace { 52 53 const char CONNECTIVITY_INTERNAL[] = "android.permission.CONNECTIVITY_INTERNAL"; 54 const char NETWORK_STACK[] = "android.permission.NETWORK_STACK"; 55 const char DUMP[] = "android.permission.DUMP"; 56 57 binder::Status toBinderStatus(const netdutils::Status s) { 58 if (isOk(s)) { 59 return binder::Status::ok(); 60 } 61 return binder::Status::fromServiceSpecificError(s.code(), s.msg().c_str()); 62 } 63 64 binder::Status checkPermission(const char *permission) { 65 pid_t pid; 66 uid_t uid; 67 68 if (checkCallingPermission(String16(permission), (int32_t *) &pid, (int32_t *) &uid)) { 69 return binder::Status::ok(); 70 } else { 71 auto err = StringPrintf("UID %d / PID %d lacks permission %s", uid, pid, permission); 72 return binder::Status::fromExceptionCode(binder::Status::EX_SECURITY, String8(err.c_str())); 73 } 74 } 75 76 #define ENFORCE_DEBUGGABLE() { \ 77 char value[PROPERTY_VALUE_MAX + 1]; \ 78 if (property_get("ro.debuggable", value, NULL) != 1 \ 79 || value[0] != '1') { \ 80 return binder::Status::fromExceptionCode( \ 81 binder::Status::EX_SECURITY, \ 82 String8("Not available in production builds.") \ 83 ); \ 84 } \ 85 } 86 87 #define ENFORCE_PERMISSION(permission) { \ 88 binder::Status status = checkPermission((permission)); \ 89 if (!status.isOk()) { \ 90 return status; \ 91 } \ 92 } 93 94 #define NETD_LOCKING_RPC(permission, lock) \ 95 ENFORCE_PERMISSION(permission); \ 96 android::RWLock::AutoWLock _lock(lock); 97 98 #define NETD_BIG_LOCK_RPC(permission) NETD_LOCKING_RPC((permission), gBigNetdLock) 99 100 inline binder::Status statusFromErrcode(int ret) { 101 if (ret) { 102 return binder::Status::fromServiceSpecificError(-ret, strerror(-ret)); 103 } 104 return binder::Status::ok(); 105 } 106 107 } // namespace 108 109 110 status_t NetdNativeService::start() { 111 IPCThreadState::self()->disableBackgroundScheduling(true); 112 status_t ret = BinderService<NetdNativeService>::publish(); 113 if (ret != android::OK) { 114 return ret; 115 } 116 sp<ProcessState> ps(ProcessState::self()); 117 ps->startThreadPool(); 118 ps->giveThreadPoolName(); 119 return android::OK; 120 } 121 122 status_t NetdNativeService::dump(int fd, const Vector<String16> &args) { 123 const binder::Status dump_permission = checkPermission(DUMP); 124 if (!dump_permission.isOk()) { 125 const String8 msg(dump_permission.toString8()); 126 write(fd, msg.string(), msg.size()); 127 return PERMISSION_DENIED; 128 } 129 130 // This method does not grab any locks. If individual classes need locking 131 // their dump() methods MUST handle locking appropriately. 132 133 DumpWriter dw(fd); 134 135 if (!args.isEmpty() && args[0] == TcpSocketMonitor::DUMP_KEYWORD) { 136 dw.blankline(); 137 gCtls->tcpSocketMonitor.dump(dw); 138 dw.blankline(); 139 return NO_ERROR; 140 } 141 142 if (!args.isEmpty() && args[0] == TrafficController::DUMP_KEYWORD) { 143 dw.blankline(); 144 gCtls->trafficCtrl.dump(dw, true); 145 dw.blankline(); 146 return NO_ERROR; 147 } 148 149 dw.blankline(); 150 gCtls->netCtrl.dump(dw); 151 dw.blankline(); 152 153 gCtls->trafficCtrl.dump(dw, false); 154 dw.blankline(); 155 156 return NO_ERROR; 157 } 158 159 binder::Status NetdNativeService::isAlive(bool *alive) { 160 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL); 161 162 *alive = true; 163 return binder::Status::ok(); 164 } 165 166 binder::Status NetdNativeService::firewallReplaceUidChain(const android::String16& chainName, 167 bool isWhitelist, const std::vector<int32_t>& uids, bool *ret) { 168 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->firewallCtrl.lock); 169 170 android::String8 name = android::String8(chainName); 171 int err = gCtls->firewallCtrl.replaceUidChain(name.string(), isWhitelist, uids); 172 *ret = (err == 0); 173 return binder::Status::ok(); 174 } 175 176 binder::Status NetdNativeService::bandwidthEnableDataSaver(bool enable, bool *ret) { 177 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->bandwidthCtrl.lock); 178 179 int err = gCtls->bandwidthCtrl.enableDataSaver(enable); 180 *ret = (err == 0); 181 return binder::Status::ok(); 182 } 183 184 binder::Status NetdNativeService::networkCreatePhysical(int32_t netId, 185 const std::string& permission) { 186 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 187 int ret = gCtls->netCtrl.createPhysicalNetwork(netId, stringToPermission(permission.c_str())); 188 return statusFromErrcode(ret); 189 } 190 191 binder::Status NetdNativeService::networkCreateVpn(int32_t netId, bool hasDns, bool secure) { 192 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 193 int ret = gCtls->netCtrl.createVirtualNetwork(netId, hasDns, secure); 194 return statusFromErrcode(ret); 195 } 196 197 binder::Status NetdNativeService::networkDestroy(int32_t netId) { 198 ENFORCE_PERMISSION(NETWORK_STACK); 199 // Both of these functions manage their own locking internally. 200 const int ret = gCtls->netCtrl.destroyNetwork(netId); 201 gCtls->resolverCtrl.clearDnsServers(netId); 202 return statusFromErrcode(ret); 203 } 204 205 binder::Status NetdNativeService::networkAddInterface(int32_t netId, const std::string& iface) { 206 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 207 int ret = gCtls->netCtrl.addInterfaceToNetwork(netId, iface.c_str()); 208 return statusFromErrcode(ret); 209 } 210 211 binder::Status NetdNativeService::networkRemoveInterface(int32_t netId, const std::string& iface) { 212 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 213 int ret = gCtls->netCtrl.removeInterfaceFromNetwork(netId, iface.c_str()); 214 return statusFromErrcode(ret); 215 } 216 217 binder::Status NetdNativeService::networkAddUidRanges(int32_t netId, 218 const std::vector<UidRange>& uidRangeArray) { 219 // NetworkController::addUsersToNetwork is thread-safe. 220 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 221 int ret = gCtls->netCtrl.addUsersToNetwork(netId, UidRanges(uidRangeArray)); 222 return statusFromErrcode(ret); 223 } 224 225 binder::Status NetdNativeService::networkRemoveUidRanges(int32_t netId, 226 const std::vector<UidRange>& uidRangeArray) { 227 // NetworkController::removeUsersFromNetwork is thread-safe. 228 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 229 int ret = gCtls->netCtrl.removeUsersFromNetwork(netId, UidRanges(uidRangeArray)); 230 return statusFromErrcode(ret); 231 } 232 233 binder::Status NetdNativeService::networkRejectNonSecureVpn(bool add, 234 const std::vector<UidRange>& uidRangeArray) { 235 // TODO: elsewhere RouteController is only used from the tethering and network controllers, so 236 // it should be possible to use the same lock as NetworkController. However, every call through 237 // the CommandListener "network" command will need to hold this lock too, not just the ones that 238 // read/modify network internal state (that is sufficient for ::dump() because it doesn't 239 // look at routes, but it's not enough here). 240 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL); 241 242 UidRanges uidRanges(uidRangeArray); 243 244 int err; 245 if (add) { 246 err = RouteController::addUsersToRejectNonSecureNetworkRule(uidRanges); 247 } else { 248 err = RouteController::removeUsersFromRejectNonSecureNetworkRule(uidRanges); 249 } 250 251 return statusFromErrcode(err); 252 } 253 254 binder::Status NetdNativeService::socketDestroy(const std::vector<UidRange>& uids, 255 const std::vector<int32_t>& skipUids) { 256 257 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 258 259 SockDiag sd; 260 if (!sd.open()) { 261 return binder::Status::fromServiceSpecificError(EIO, 262 String8("Could not open SOCK_DIAG socket")); 263 } 264 265 UidRanges uidRanges(uids); 266 int err = sd.destroySockets(uidRanges, std::set<uid_t>(skipUids.begin(), skipUids.end()), 267 true /* excludeLoopback */); 268 269 if (err) { 270 return binder::Status::fromServiceSpecificError(-err, 271 String8::format("destroySockets: %s", strerror(-err))); 272 } 273 return binder::Status::ok(); 274 } 275 276 // Parse a base64 encoded string into a vector of bytes. 277 // On failure, return an empty vector. 278 static std::vector<uint8_t> parseBase64(const std::string& input) { 279 std::vector<uint8_t> decoded; 280 size_t out_len; 281 if (EVP_DecodedLength(&out_len, input.size()) != 1) { 282 return decoded; 283 } 284 // out_len is now an upper bound on the output length. 285 decoded.resize(out_len); 286 if (EVP_DecodeBase64(decoded.data(), &out_len, decoded.size(), 287 reinterpret_cast<const uint8_t*>(input.data()), input.size()) == 1) { 288 // Possibly shrink the vector if the actual output was smaller than the bound. 289 decoded.resize(out_len); 290 } else { 291 decoded.clear(); 292 } 293 if (out_len != SHA256_SIZE) { 294 decoded.clear(); 295 } 296 return decoded; 297 } 298 299 binder::Status NetdNativeService::setResolverConfiguration(int32_t netId, 300 const std::vector<std::string>& servers, const std::vector<std::string>& domains, 301 const std::vector<int32_t>& params, const std::string& tlsName, 302 const std::vector<std::string>& tlsServers, 303 const std::vector<std::string>& tlsFingerprints) { 304 // This function intentionally does not lock within Netd, as Bionic is thread-safe. 305 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 306 307 std::set<std::vector<uint8_t>> decoded_fingerprints; 308 for (const std::string& fingerprint : tlsFingerprints) { 309 std::vector<uint8_t> decoded = parseBase64(fingerprint); 310 if (decoded.empty()) { 311 return binder::Status::fromServiceSpecificError(EINVAL, 312 String8::format("ResolverController error: bad fingerprint")); 313 } 314 decoded_fingerprints.emplace(decoded); 315 } 316 317 int err = gCtls->resolverCtrl.setResolverConfiguration(netId, servers, domains, params, 318 tlsName, tlsServers, decoded_fingerprints); 319 if (err != 0) { 320 return binder::Status::fromServiceSpecificError(-err, 321 String8::format("ResolverController error: %s", strerror(-err))); 322 } 323 return binder::Status::ok(); 324 } 325 326 binder::Status NetdNativeService::getResolverInfo(int32_t netId, 327 std::vector<std::string>* servers, std::vector<std::string>* domains, 328 std::vector<int32_t>* params, std::vector<int32_t>* stats) { 329 // This function intentionally does not lock within Netd, as Bionic is thread-safe. 330 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 331 332 int err = gCtls->resolverCtrl.getResolverInfo(netId, servers, domains, params, stats); 333 if (err != 0) { 334 return binder::Status::fromServiceSpecificError(-err, 335 String8::format("ResolverController error: %s", strerror(-err))); 336 } 337 return binder::Status::ok(); 338 } 339 340 binder::Status NetdNativeService::tetherApplyDnsInterfaces(bool *ret) { 341 NETD_LOCKING_RPC(NETWORK_STACK, gCtls->tetherCtrl.lock) 342 343 *ret = gCtls->tetherCtrl.applyDnsInterfaces(); 344 return binder::Status::ok(); 345 } 346 347 namespace { 348 349 void tetherAddStats(PersistableBundle *bundle, const TetherController::TetherStats& stats) { 350 String16 iface = String16(stats.extIface.c_str()); 351 std::vector<int64_t> statsVector(INetd::TETHER_STATS_ARRAY_SIZE); 352 353 bundle->getLongVector(iface, &statsVector); 354 if (statsVector.size() == 0) { 355 for (int i = 0; i < INetd::TETHER_STATS_ARRAY_SIZE; i++) statsVector.push_back(0); 356 } 357 358 statsVector[INetd::TETHER_STATS_RX_BYTES] += stats.rxBytes; 359 statsVector[INetd::TETHER_STATS_RX_PACKETS] += stats.rxPackets; 360 statsVector[INetd::TETHER_STATS_TX_BYTES] += stats.txBytes; 361 statsVector[INetd::TETHER_STATS_TX_PACKETS] += stats.txPackets; 362 363 bundle->putLongVector(iface, statsVector); 364 } 365 366 } // namespace 367 368 binder::Status NetdNativeService::tetherGetStats(PersistableBundle *bundle) { 369 NETD_LOCKING_RPC(NETWORK_STACK, gCtls->tetherCtrl.lock) 370 371 const auto& statsList = gCtls->tetherCtrl.getTetherStats(); 372 if (!isOk(statsList)) { 373 return toBinderStatus(statsList); 374 } 375 376 for (const auto& stats : statsList.value()) { 377 tetherAddStats(bundle, stats); 378 } 379 380 return binder::Status::ok(); 381 } 382 383 binder::Status NetdNativeService::interfaceAddAddress(const std::string &ifName, 384 const std::string &addrString, int prefixLength) { 385 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 386 387 const int err = InterfaceController::addAddress( 388 ifName.c_str(), addrString.c_str(), prefixLength); 389 if (err != 0) { 390 return binder::Status::fromServiceSpecificError(-err, 391 String8::format("InterfaceController error: %s", strerror(-err))); 392 } 393 return binder::Status::ok(); 394 } 395 396 binder::Status NetdNativeService::interfaceDelAddress(const std::string &ifName, 397 const std::string &addrString, int prefixLength) { 398 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 399 400 const int err = InterfaceController::delAddress( 401 ifName.c_str(), addrString.c_str(), prefixLength); 402 if (err != 0) { 403 return binder::Status::fromServiceSpecificError(-err, 404 String8::format("InterfaceController error: %s", strerror(-err))); 405 } 406 return binder::Status::ok(); 407 } 408 409 binder::Status NetdNativeService::setProcSysNet( 410 int32_t family, int32_t which, const std::string &ifname, const std::string ¶meter, 411 const std::string &value) { 412 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 413 414 const char *familyStr; 415 switch (family) { 416 case INetd::IPV4: 417 familyStr = "ipv4"; 418 break; 419 case INetd::IPV6: 420 familyStr = "ipv6"; 421 break; 422 default: 423 return binder::Status::fromServiceSpecificError(EAFNOSUPPORT, String8("Bad family")); 424 } 425 426 const char *whichStr; 427 switch (which) { 428 case INetd::CONF: 429 whichStr = "conf"; 430 break; 431 case INetd::NEIGH: 432 whichStr = "neigh"; 433 break; 434 default: 435 return binder::Status::fromServiceSpecificError(EINVAL, String8("Bad category")); 436 } 437 438 const int err = InterfaceController::setParameter( 439 familyStr, whichStr, ifname.c_str(), parameter.c_str(), 440 value.c_str()); 441 if (err != 0) { 442 return binder::Status::fromServiceSpecificError(-err, 443 String8::format("ResolverController error: %s", strerror(-err))); 444 } 445 return binder::Status::ok(); 446 } 447 448 binder::Status NetdNativeService::getMetricsReportingLevel(int *reportingLevel) { 449 // This function intentionally does not lock, since the only thing it does is one read from an 450 // atomic_int. 451 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 452 ENFORCE_DEBUGGABLE(); 453 454 *reportingLevel = gCtls->eventReporter.getMetricsReportingLevel(); 455 return binder::Status::ok(); 456 } 457 458 binder::Status NetdNativeService::setMetricsReportingLevel(const int reportingLevel) { 459 // This function intentionally does not lock, since the only thing it does is one write to an 460 // atomic_int. 461 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 462 ENFORCE_DEBUGGABLE(); 463 464 return (gCtls->eventReporter.setMetricsReportingLevel(reportingLevel) == 0) 465 ? binder::Status::ok() 466 : binder::Status::fromExceptionCode(binder::Status::EX_ILLEGAL_ARGUMENT); 467 } 468 469 binder::Status NetdNativeService::ipSecSetEncapSocketOwner(const android::base::unique_fd& socket, 470 int newUid) { 471 ENFORCE_PERMISSION(NETWORK_STACK) 472 ALOGD("ipSecSetEncapSocketOwner()"); 473 474 uid_t callerUid = IPCThreadState::self()->getCallingUid(); 475 return asBinderStatus(gCtls->xfrmCtrl.ipSecSetEncapSocketOwner(socket, newUid, callerUid)); 476 } 477 478 binder::Status NetdNativeService::ipSecAllocateSpi( 479 int32_t transformId, 480 const std::string& sourceAddress, 481 const std::string& destinationAddress, 482 int32_t inSpi, 483 int32_t* outSpi) { 484 // Necessary locking done in IpSecService and kernel 485 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 486 ALOGD("ipSecAllocateSpi()"); 487 return asBinderStatus(gCtls->xfrmCtrl.ipSecAllocateSpi( 488 transformId, 489 sourceAddress, 490 destinationAddress, 491 inSpi, 492 outSpi)); 493 } 494 495 binder::Status NetdNativeService::ipSecAddSecurityAssociation( 496 int32_t transformId, 497 int32_t mode, 498 const std::string& sourceAddress, 499 const std::string& destinationAddress, 500 int32_t underlyingNetId, 501 int32_t spi, 502 int32_t markValue, 503 int32_t markMask, 504 const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits, 505 const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits, 506 const std::string& aeadAlgo, const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits, 507 int32_t encapType, 508 int32_t encapLocalPort, 509 int32_t encapRemotePort) { 510 // Necessary locking done in IpSecService and kernel 511 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 512 ALOGD("ipSecAddSecurityAssociation()"); 513 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityAssociation( 514 transformId, mode, sourceAddress, destinationAddress, 515 underlyingNetId, 516 spi, markValue, markMask, 517 authAlgo, authKey, authTruncBits, 518 cryptAlgo, cryptKey, cryptTruncBits, 519 aeadAlgo, aeadKey, aeadIcvBits, 520 encapType, encapLocalPort, encapRemotePort)); 521 } 522 523 binder::Status NetdNativeService::ipSecDeleteSecurityAssociation( 524 int32_t transformId, 525 const std::string& sourceAddress, 526 const std::string& destinationAddress, 527 int32_t spi, 528 int32_t markValue, 529 int32_t markMask) { 530 // Necessary locking done in IpSecService and kernel 531 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 532 ALOGD("ipSecDeleteSecurityAssociation()"); 533 return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityAssociation( 534 transformId, 535 sourceAddress, 536 destinationAddress, 537 spi, 538 markValue, 539 markMask)); 540 } 541 542 binder::Status NetdNativeService::ipSecApplyTransportModeTransform( 543 const android::base::unique_fd& socket, 544 int32_t transformId, 545 int32_t direction, 546 const std::string& sourceAddress, 547 const std::string& destinationAddress, 548 int32_t spi) { 549 // Necessary locking done in IpSecService and kernel 550 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 551 ALOGD("ipSecApplyTransportModeTransform()"); 552 return asBinderStatus(gCtls->xfrmCtrl.ipSecApplyTransportModeTransform( 553 socket, 554 transformId, 555 direction, 556 sourceAddress, 557 destinationAddress, 558 spi)); 559 } 560 561 binder::Status NetdNativeService::ipSecRemoveTransportModeTransform( 562 const android::base::unique_fd& socket) { 563 // Necessary locking done in IpSecService and kernel 564 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); 565 ALOGD("ipSecRemoveTransportModeTransform()"); 566 return asBinderStatus(gCtls->xfrmCtrl.ipSecRemoveTransportModeTransform( 567 socket)); 568 } 569 570 binder::Status NetdNativeService::ipSecAddSecurityPolicy( 571 int32_t transformId, 572 int32_t direction, 573 const std::string& sourceAddress, 574 const std::string& destinationAddress, 575 int32_t spi, 576 int32_t markValue, 577 int32_t markMask){ 578 // Necessary locking done in IpSecService and kernel 579 ENFORCE_PERMISSION(NETWORK_STACK); 580 ALOGD("ipSecAddSecurityPolicy()"); 581 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityPolicy( 582 transformId, 583 direction, 584 sourceAddress, 585 destinationAddress, 586 spi, 587 markValue, 588 markMask)); 589 } 590 591 binder::Status NetdNativeService::ipSecUpdateSecurityPolicy( 592 int32_t transformId, 593 int32_t direction, 594 const std::string& sourceAddress, 595 const std::string& destinationAddress, 596 int32_t spi, 597 int32_t markValue, 598 int32_t markMask){ 599 // Necessary locking done in IpSecService and kernel 600 ENFORCE_PERMISSION(NETWORK_STACK); 601 ALOGD("ipSecAddSecurityPolicy()"); 602 return asBinderStatus(gCtls->xfrmCtrl.ipSecUpdateSecurityPolicy( 603 transformId, 604 direction, 605 sourceAddress, 606 destinationAddress, 607 spi, 608 markValue, 609 markMask)); 610 } 611 612 binder::Status NetdNativeService::ipSecDeleteSecurityPolicy( 613 int32_t transformId, 614 int32_t direction, 615 const std::string& sourceAddress, 616 const std::string& destinationAddress, 617 int32_t markValue, 618 int32_t markMask){ 619 // Necessary locking done in IpSecService and kernel 620 ENFORCE_PERMISSION(NETWORK_STACK); 621 ALOGD("ipSecAddSecurityPolicy()"); 622 return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityPolicy( 623 transformId, 624 direction, 625 sourceAddress, 626 destinationAddress, 627 markValue, 628 markMask)); 629 } 630 631 binder::Status NetdNativeService::addVirtualTunnelInterface( 632 const std::string& deviceName, 633 const std::string& localAddress, 634 const std::string& remoteAddress, 635 int32_t iKey, 636 int32_t oKey) { 637 // Necessary locking done in IpSecService and kernel 638 ENFORCE_PERMISSION(NETWORK_STACK); 639 ALOGD("addVirtualTunnelInterface()"); 640 int ret = gCtls->xfrmCtrl.addVirtualTunnelInterface( 641 deviceName, 642 localAddress, 643 remoteAddress, 644 iKey, 645 oKey, 646 false); 647 648 return (ret == 0) ? binder::Status::ok() : 649 asBinderStatus(netdutils::statusFromErrno( 650 ret, "Error in creating virtual tunnel interface.")); 651 } 652 653 binder::Status NetdNativeService::updateVirtualTunnelInterface( 654 const std::string& deviceName, 655 const std::string& localAddress, 656 const std::string& remoteAddress, 657 int32_t iKey, 658 int32_t oKey) { 659 // Necessary locking done in IpSecService and kernel 660 ENFORCE_PERMISSION(NETWORK_STACK); 661 ALOGD("updateVirtualTunnelInterface()"); 662 int ret = gCtls->xfrmCtrl.addVirtualTunnelInterface( 663 deviceName, 664 localAddress, 665 remoteAddress, 666 iKey, 667 oKey, 668 true); 669 670 return (ret == 0) ? binder::Status::ok() : 671 asBinderStatus(netdutils::statusFromErrno( 672 ret, "Error in updating virtual tunnel interface.")); 673 } 674 675 binder::Status NetdNativeService::removeVirtualTunnelInterface(const std::string& deviceName) { 676 // Necessary locking done in IpSecService and kernel 677 ENFORCE_PERMISSION(NETWORK_STACK); 678 ALOGD("removeVirtualTunnelInterface()"); 679 int ret = gCtls->xfrmCtrl.removeVirtualTunnelInterface(deviceName); 680 681 return (ret == 0) ? binder::Status::ok() : 682 asBinderStatus(netdutils::statusFromErrno( 683 ret, "Error in removing virtual tunnel interface.")); 684 } 685 686 binder::Status NetdNativeService::setIPv6AddrGenMode(const std::string& ifName, 687 int32_t mode) { 688 ENFORCE_PERMISSION(NETWORK_STACK); 689 return toBinderStatus(InterfaceController::setIPv6AddrGenMode(ifName, mode)); 690 } 691 692 binder::Status NetdNativeService::wakeupAddInterface(const std::string& ifName, 693 const std::string& prefix, int32_t mark, 694 int32_t mask) { 695 ENFORCE_PERMISSION(NETWORK_STACK); 696 return toBinderStatus(gCtls->wakeupCtrl.addInterface(ifName, prefix, mark, mask)); 697 } 698 699 binder::Status NetdNativeService::wakeupDelInterface(const std::string& ifName, 700 const std::string& prefix, int32_t mark, 701 int32_t mask) { 702 ENFORCE_PERMISSION(NETWORK_STACK); 703 return toBinderStatus(gCtls->wakeupCtrl.delInterface(ifName, prefix, mark, mask)); 704 } 705 706 binder::Status NetdNativeService::trafficCheckBpfStatsEnable(bool* ret) { 707 ENFORCE_PERMISSION(NETWORK_STACK); 708 *ret = gCtls->trafficCtrl.checkBpfStatsEnable(); 709 return binder::Status::ok(); 710 } 711 712 } // namespace net 713 } // namespace android 714
