Home | History | Annotate | Download | only in server 
      1 /*
      2  * Copyright (C) 2014 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #ifndef NETD_SERVER_NETWORK_CONTROLLER_H
     18 #define NETD_SERVER_NETWORK_CONTROLLER_H
     19 
     20 #include <android/multinetwork.h>
     21 #include "NetdConstants.h"
     22 #include "Permission.h"
     23 
     24 #include "utils/RWLock.h"
     25 
     26 #include <list>
     27 #include <map>
     28 #include <set>
     29 #include <sys/types.h>
     30 #include <unordered_map>
     31 #include <unordered_set>
     32 #include <vector>
     33 
     34 struct android_net_context;
     35 
     36 namespace android {
     37 namespace net {
     38 
     39 constexpr uint32_t kHandleMagic = 0xcafed00d;
     40 
     41 // Utility to convert from netId to net_handle_t. Doing this here as opposed to exporting
     42 // from net.c as it may have NDK implications. Besides no conversion available in net.c for
     43 // obtaining handle given netId.
     44 // TODO: Use getnetidfromhandle() in net.c.
     45 static inline unsigned netHandleToNetId(net_handle_t fromNetHandle) {
     46     const uint32_t k32BitMask = 0xffffffff;
     47     // This value MUST be kept in sync with the corresponding value in
     48     // the android.net.Network#getNetworkHandle() implementation.
     49 
     50     // Check for minimum acceptable version of the API in the low bits.
     51     if (fromNetHandle != NETWORK_UNSPECIFIED &&
     52         (fromNetHandle & k32BitMask) != kHandleMagic) {
     53         return 0;
     54     }
     55 
     56     return ((fromNetHandle >> (CHAR_BIT * sizeof(k32BitMask))) & k32BitMask);
     57 }
     58 
     59 // Utility to convert from nethandle to netid, keep in sync with getNetworkHandle
     60 // in Network.java.
     61 static inline net_handle_t netIdToNetHandle(unsigned fromNetId) {
     62     if (!fromNetId) {
     63         return NETWORK_UNSPECIFIED;
     64     }
     65     return (((net_handle_t)fromNetId << 32) | kHandleMagic);
     66 }
     67 
     68 class DumpWriter;
     69 class Network;
     70 class UidRanges;
     71 class VirtualNetwork;
     72 
     73 /*
     74  * Keeps track of default, per-pid, and per-uid-range network selection, as
     75  * well as the mark associated with each network. Networks are identified
     76  * by netid. In all set* commands netid == 0 means "unspecified" and is
     77  * equivalent to clearing the mapping.
     78  */
     79 class NetworkController {
     80 public:
     81     static const unsigned MIN_OEM_ID;
     82     static const unsigned MAX_OEM_ID;
     83     static const unsigned LOCAL_NET_ID;
     84     static const unsigned DUMMY_NET_ID;
     85 
     86     NetworkController();
     87 
     88     unsigned getDefaultNetwork() const;
     89     int setDefaultNetwork(unsigned netId) WARN_UNUSED_RESULT;
     90 
     91     // Sets |*netId| to an appropriate NetId to use for DNS for the given user. Call with |*netId|
     92     // set to a non-NETID_UNSET value if the user already has indicated a preference. Returns the
     93     // fwmark value to set on the socket when performing the DNS request.
     94     uint32_t getNetworkForDns(unsigned* netId, uid_t uid) const;
     95     unsigned getNetworkForUser(uid_t uid) const;
     96     unsigned getNetworkForConnect(uid_t uid) const;
     97     void getNetworkContext(unsigned netId, uid_t uid, struct android_net_context* netcontext) const;
     98     unsigned getNetworkForInterface(const char* interface) const;
     99     bool isVirtualNetwork(unsigned netId) const;
    100 
    101     int createPhysicalNetwork(unsigned netId, Permission permission) WARN_UNUSED_RESULT;
    102     int createPhysicalOemNetwork(Permission permission, unsigned *netId) WARN_UNUSED_RESULT;
    103     int createVirtualNetwork(unsigned netId, bool hasDns, bool secure) WARN_UNUSED_RESULT;
    104     int destroyNetwork(unsigned netId) WARN_UNUSED_RESULT;
    105 
    106     int addInterfaceToNetwork(unsigned netId, const char* interface) WARN_UNUSED_RESULT;
    107     int removeInterfaceFromNetwork(unsigned netId, const char* interface) WARN_UNUSED_RESULT;
    108 
    109     Permission getPermissionForUser(uid_t uid) const;
    110     void setPermissionForUsers(Permission permission, const std::vector<uid_t>& uids);
    111     int checkUserNetworkAccess(uid_t uid, unsigned netId) const;
    112     int setPermissionForNetworks(Permission permission,
    113                                  const std::vector<unsigned>& netIds) WARN_UNUSED_RESULT;
    114 
    115     int addUsersToNetwork(unsigned netId, const UidRanges& uidRanges) WARN_UNUSED_RESULT;
    116     int removeUsersFromNetwork(unsigned netId, const UidRanges& uidRanges) WARN_UNUSED_RESULT;
    117 
    118     // |nexthop| can be NULL (to indicate a directly-connected route), "unreachable" (to indicate a
    119     // route that's blocked), "throw" (to indicate the lack of a match), or a regular IP address.
    120     //
    121     // Routes are added to tables determined by the interface, so only |interface| is actually used.
    122     // |netId| is given only to sanity check that the interface has the correct netId.
    123     int addRoute(unsigned netId, const char* interface, const char* destination,
    124                  const char* nexthop, bool legacy, uid_t uid) WARN_UNUSED_RESULT;
    125     int removeRoute(unsigned netId, const char* interface, const char* destination,
    126                     const char* nexthop, bool legacy, uid_t uid) WARN_UNUSED_RESULT;
    127 
    128     // Notes that the specified address has appeared on the specified interface.
    129     void addInterfaceAddress(unsigned ifIndex, const char* address);
    130     // Notes that the specified address has been removed from the specified interface.
    131     // Returns true if we should destroy sockets on this address.
    132     bool removeInterfaceAddress(unsigned ifIndex, const char* address);
    133 
    134     bool canProtect(uid_t uid) const;
    135     void allowProtect(const std::vector<uid_t>& uids);
    136     void denyProtect(const std::vector<uid_t>& uids);
    137 
    138     void dump(DumpWriter& dw);
    139 
    140 private:
    141     bool isValidNetworkLocked(unsigned netId) const;
    142     Network* getNetworkLocked(unsigned netId) const;
    143     uint32_t getNetworkForDnsLocked(unsigned* netId, uid_t uid) const;
    144     unsigned getNetworkForUserLocked(uid_t uid) const;
    145     unsigned getNetworkForConnectLocked(uid_t uid) const;
    146     unsigned getNetworkForInterfaceLocked(const char* interface) const;
    147     bool canProtectLocked(uid_t uid) const;
    148     bool isVirtualNetworkLocked(unsigned netId) const;
    149 
    150     VirtualNetwork* getVirtualNetworkForUserLocked(uid_t uid) const;
    151     Permission getPermissionForUserLocked(uid_t uid) const;
    152     int checkUserNetworkAccessLocked(uid_t uid, unsigned netId) const;
    153     int createPhysicalNetworkLocked(unsigned netId, Permission permission) WARN_UNUSED_RESULT;
    154 
    155     int modifyRoute(unsigned netId, const char* interface, const char* destination,
    156                     const char* nexthop, bool add, bool legacy, uid_t uid) WARN_UNUSED_RESULT;
    157     int modifyFallthroughLocked(unsigned vpnNetId, bool add) WARN_UNUSED_RESULT;
    158     void updateTcpSocketMonitorPolling();
    159 
    160     class DelegateImpl;
    161     DelegateImpl* const mDelegateImpl;
    162 
    163     // mRWLock guards all accesses to mDefaultNetId, mNetworks, mUsers, mProtectableUsers,
    164     // mIfindexToLastNetId and mAddressToIfindices.
    165     mutable android::RWLock mRWLock;
    166     unsigned mDefaultNetId;
    167     std::map<unsigned, Network*> mNetworks;  // Map keys are NetIds.
    168     std::map<uid_t, Permission> mUsers;
    169     std::set<uid_t> mProtectableUsers;
    170     // Map interface (ifIndex) to its current NetId, or the last NetId if the interface was removed
    171     // from the network and not added to another network. This state facilitates the interface to
    172     // NetId lookup during RTM_DELADDR (NetworkController::removeInterfaceAddress), when the
    173     // interface in question might already have been removed from the network.
    174     // An interface is added to this map when it is added to a network and removed from this map
    175     // when its network is destroyed.
    176     std::unordered_map<unsigned, unsigned> mIfindexToLastNetId;
    177     // Map IP address to the list of active interfaces (ifIndex) that have that address.
    178     // Also contains IP addresses configured on interfaces that have not been added to any network.
    179     // TODO: Does not track IP addresses present when netd is started or restarts after a crash.
    180     // This is not a problem for its intended use (tracking IP addresses on VPN interfaces), but
    181     // we should fix it.
    182     std::unordered_map<std::string, std::unordered_set<unsigned>> mAddressToIfindices;
    183 
    184 };
    185 
    186 }  // namespace net
    187 }  // namespace android
    188 
    189 #endif  // NETD_SERVER_NETWORK_CONTROLLER_H
    190