2 * Copyright (C) 2014 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
19 // The methods in this file are called from multiple threads (from CommandListener, FwmarkServer
20 // and DnsProxyListener). So, all accesses to shared state are guarded by a lock.
22 // In some cases, a single non-const method acquires and releases the lock several times, like so:
23 // if (isValidNetwork(...)) { // isValidNetwork() acquires and releases the lock.
24 // setDefaultNetwork(...); // setDefaultNetwork() also acquires and releases the lock.
26 // It might seem that this allows races where the state changes between the two statements, but in
27 // fact there are no races because:
28 // 1. This pattern only occurs in non-const methods (i.e., those that mutate state).
29 // 2. Only CommandListener calls these non-const methods. The others call only const methods.
30 // 3. CommandListener only processes one command at a time. I.e., it's serialized.
31 // Thus, no other mutation can occur in between the two statements above.
33 #include "NetworkController.h"
36 #include "LocalNetwork.h"
37 #include "PhysicalNetwork.h"
38 #include "RouteController.h"
39 #include "VirtualNetwork.h"
41 #include "cutils/misc.h"
42 #define LOG_TAG "Netd"
44 #include "resolv_netid.h"
48 // Keep these in sync with ConnectivityService.java.
49 const unsigned MIN_NET_ID = 100;
50 const unsigned MAX_NET_ID = 65535;
54 const unsigned NetworkController::MIN_OEM_ID = 1;
55 const unsigned NetworkController::MAX_OEM_ID = 50;
56 // NetIds 51..98 are reserved for future use.
57 const unsigned NetworkController::LOCAL_NET_ID = 99;
59 // All calls to methods here are made while holding a write lock on mRWLock.
60 class NetworkController::DelegateImpl : public PhysicalNetwork::Delegate {
62 explicit DelegateImpl(NetworkController* networkController);
63 virtual ~DelegateImpl();
65 int modifyFallthrough(unsigned vpnNetId, const std::string& physicalInterface,
66 Permission permission, bool add) WARN_UNUSED_RESULT;
69 int addFallthrough(const std::string& physicalInterface,
70 Permission permission) override WARN_UNUSED_RESULT;
71 int removeFallthrough(const std::string& physicalInterface,
72 Permission permission) override WARN_UNUSED_RESULT;
74 int modifyFallthrough(const std::string& physicalInterface, Permission permission,
75 bool add) WARN_UNUSED_RESULT;
77 NetworkController* const mNetworkController;
80 NetworkController::DelegateImpl::DelegateImpl(NetworkController* networkController) :
81 mNetworkController(networkController) {
84 NetworkController::DelegateImpl::~DelegateImpl() {
87 int NetworkController::DelegateImpl::modifyFallthrough(unsigned vpnNetId,
88 const std::string& physicalInterface,
89 Permission permission, bool add) {
91 if (int ret = RouteController::addVirtualNetworkFallthrough(vpnNetId,
92 physicalInterface.c_str(),
94 ALOGE("failed to add fallthrough to %s for VPN netId %u", physicalInterface.c_str(),
99 if (int ret = RouteController::removeVirtualNetworkFallthrough(vpnNetId,
100 physicalInterface.c_str(),
102 ALOGE("failed to remove fallthrough to %s for VPN netId %u", physicalInterface.c_str(),
110 int NetworkController::DelegateImpl::addFallthrough(const std::string& physicalInterface,
111 Permission permission) {
112 return modifyFallthrough(physicalInterface, permission, true);
115 int NetworkController::DelegateImpl::removeFallthrough(const std::string& physicalInterface,
116 Permission permission) {
117 return modifyFallthrough(physicalInterface, permission, false);
120 int NetworkController::DelegateImpl::modifyFallthrough(const std::string& physicalInterface,
121 Permission permission, bool add) {
122 for (const auto& entry : mNetworkController->mNetworks) {
123 if (entry.second->getType() == Network::VIRTUAL) {
124 if (int ret = modifyFallthrough(entry.first, physicalInterface, permission, add)) {
132 NetworkController::NetworkController() :
133 mDelegateImpl(new NetworkController::DelegateImpl(this)), mDefaultNetId(NETID_UNSET) {
134 mNetworks[LOCAL_NET_ID] = new LocalNetwork(LOCAL_NET_ID);
137 unsigned NetworkController::getDefaultNetwork() const {
138 android::RWLock::AutoRLock lock(mRWLock);
139 return mDefaultNetId;
142 int NetworkController::setDefaultNetwork(unsigned netId) {
143 android::RWLock::AutoWLock lock(mRWLock);
145 if (netId == mDefaultNetId) {
149 if (netId != NETID_UNSET) {
150 Network* network = getNetworkLocked(netId);
152 ALOGE("no such netId %u", netId);
155 if (network->getType() != Network::PHYSICAL) {
156 ALOGE("cannot set default to non-physical network with netId %u", netId);
159 if (int ret = static_cast<PhysicalNetwork*>(network)->addAsDefault()) {
164 if (mDefaultNetId != NETID_UNSET) {
165 Network* network = getNetworkLocked(mDefaultNetId);
166 if (!network || network->getType() != Network::PHYSICAL) {
167 ALOGE("cannot find previously set default network with netId %u", mDefaultNetId);
170 if (int ret = static_cast<PhysicalNetwork*>(network)->removeAsDefault()) {
175 mDefaultNetId = netId;
179 uint32_t NetworkController::getNetworkForDns(unsigned* netId, uid_t uid) const {
180 android::RWLock::AutoRLock lock(mRWLock);
182 fwmark.protectedFromVpn = true;
183 fwmark.permission = PERMISSION_SYSTEM;
184 if (checkUserNetworkAccessLocked(uid, *netId) == 0) {
185 // If a non-zero NetId was explicitly specified, and the user has permission for that
186 // network, use that network's DNS servers. Do not fall through to the default network even
187 // if the explicitly selected network is a split tunnel VPN or a VPN without DNS servers.
188 fwmark.explicitlySelected = true;
190 // If the user is subject to a VPN and the VPN provides DNS servers, use those servers
191 // (possibly falling through to the default network if the VPN doesn't provide a route to
192 // them). Otherwise, use the default network's DNS servers.
193 VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid);
194 if (virtualNetwork && virtualNetwork->getHasDns()) {
195 *netId = virtualNetwork->getNetId();
197 *netId = mDefaultNetId;
200 fwmark.netId = *netId;
201 return fwmark.intValue;
204 // Returns the NetId that a given UID would use if no network is explicitly selected. Specifically,
205 // the VPN that applies to the UID if any; otherwise, the default network.
206 unsigned NetworkController::getNetworkForUser(uid_t uid) const {
207 android::RWLock::AutoRLock lock(mRWLock);
208 if (VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid)) {
209 return virtualNetwork->getNetId();
211 return mDefaultNetId;
214 // Returns the NetId that will be set when a socket connect()s. This is the bypassable VPN that
215 // applies to the user if any; otherwise, the default network.
217 // In general, we prefer to always set the default network's NetId in connect(), so that if the VPN
218 // is a split-tunnel and disappears later, the socket continues working (since the default network's
219 // NetId is still valid). Secure VPNs will correctly grab the socket's traffic since they have a
220 // high-priority routing rule that doesn't care what NetId the socket has.
222 // But bypassable VPNs have a very low priority rule, so we need to mark the socket with the
223 // bypassable VPN's NetId if we expect it to get any traffic at all. If the bypassable VPN is a
224 // split-tunnel, that's okay, because we have fallthrough rules that will direct the fallthrough
225 // traffic to the default network. But it does mean that if the bypassable VPN goes away (and thus
226 // the fallthrough rules also go away), the socket that used to fallthrough to the default network
227 // will stop working.
228 unsigned NetworkController::getNetworkForConnect(uid_t uid) const {
229 android::RWLock::AutoRLock lock(mRWLock);
230 VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid);
231 if (virtualNetwork && !virtualNetwork->isSecure()) {
232 return virtualNetwork->getNetId();
234 return mDefaultNetId;
237 unsigned NetworkController::getNetworkForInterface(const char* interface) const {
238 android::RWLock::AutoRLock lock(mRWLock);
239 for (const auto& entry : mNetworks) {
240 if (entry.second->hasInterface(interface)) {
247 bool NetworkController::isVirtualNetwork(unsigned netId) const {
248 android::RWLock::AutoRLock lock(mRWLock);
249 Network* network = getNetworkLocked(netId);
250 return network && network->getType() == Network::VIRTUAL;
253 int NetworkController::createPhysicalNetwork(unsigned netId, Permission permission) {
254 if (!((MIN_NET_ID <= netId && netId <= MAX_NET_ID) ||
255 (MIN_OEM_ID <= netId && netId <= MAX_OEM_ID))) {
256 ALOGE("invalid netId %u", netId);
260 if (isValidNetwork(netId)) {
261 ALOGE("duplicate netId %u", netId);
265 PhysicalNetwork* physicalNetwork = new PhysicalNetwork(netId, mDelegateImpl);
266 if (int ret = physicalNetwork->setPermission(permission)) {
267 ALOGE("inconceivable! setPermission cannot fail on an empty network");
268 delete physicalNetwork;
272 android::RWLock::AutoWLock lock(mRWLock);
273 mNetworks[netId] = physicalNetwork;
277 int NetworkController::createVirtualNetwork(unsigned netId, bool hasDns, bool secure) {
278 if (!(MIN_NET_ID <= netId && netId <= MAX_NET_ID)) {
279 ALOGE("invalid netId %u", netId);
283 if (isValidNetwork(netId)) {
284 ALOGE("duplicate netId %u", netId);
288 android::RWLock::AutoWLock lock(mRWLock);
289 if (int ret = modifyFallthroughLocked(netId, true)) {
292 mNetworks[netId] = new VirtualNetwork(netId, hasDns, secure);
296 int NetworkController::destroyNetwork(unsigned netId) {
297 if (netId == LOCAL_NET_ID) {
298 ALOGE("cannot destroy local network");
301 if (!isValidNetwork(netId)) {
302 ALOGE("no such netId %u", netId);
306 // TODO: ioctl(SIOCKILLADDR, ...) to kill all sockets on the old network.
308 android::RWLock::AutoWLock lock(mRWLock);
309 Network* network = getNetworkLocked(netId);
311 // If we fail to destroy a network, things will get stuck badly. Therefore, unlike most of the
312 // other network code, ignore failures and attempt to clear out as much state as possible, even
313 // if we hit an error on the way. Return the first error that we see.
314 int ret = network->clearInterfaces();
316 if (mDefaultNetId == netId) {
317 if (int err = static_cast<PhysicalNetwork*>(network)->removeAsDefault()) {
318 ALOGE("inconceivable! removeAsDefault cannot fail on an empty network");
323 mDefaultNetId = NETID_UNSET;
324 } else if (network->getType() == Network::VIRTUAL) {
325 if (int err = modifyFallthroughLocked(netId, false)) {
331 mNetworks.erase(netId);
333 _resolv_delete_cache_for_net(netId);
337 int NetworkController::addInterfaceToNetwork(unsigned netId, const char* interface) {
338 if (!isValidNetwork(netId)) {
339 ALOGE("no such netId %u", netId);
343 unsigned existingNetId = getNetworkForInterface(interface);
344 if (existingNetId != NETID_UNSET && existingNetId != netId) {
345 ALOGE("interface %s already assigned to netId %u", interface, existingNetId);
349 android::RWLock::AutoWLock lock(mRWLock);
350 return getNetworkLocked(netId)->addInterface(interface);
353 int NetworkController::removeInterfaceFromNetwork(unsigned netId, const char* interface) {
354 if (!isValidNetwork(netId)) {
355 ALOGE("no such netId %u", netId);
359 android::RWLock::AutoWLock lock(mRWLock);
360 return getNetworkLocked(netId)->removeInterface(interface);
363 Permission NetworkController::getPermissionForUser(uid_t uid) const {
364 android::RWLock::AutoRLock lock(mRWLock);
365 return getPermissionForUserLocked(uid);
368 void NetworkController::setPermissionForUsers(Permission permission,
369 const std::vector<uid_t>& uids) {
370 android::RWLock::AutoWLock lock(mRWLock);
371 for (uid_t uid : uids) {
372 mUsers[uid] = permission;
376 int NetworkController::checkUserNetworkAccess(uid_t uid, unsigned netId) const {
377 android::RWLock::AutoRLock lock(mRWLock);
378 return checkUserNetworkAccessLocked(uid, netId);
381 int NetworkController::setPermissionForNetworks(Permission permission,
382 const std::vector<unsigned>& netIds) {
383 android::RWLock::AutoWLock lock(mRWLock);
384 for (unsigned netId : netIds) {
385 Network* network = getNetworkLocked(netId);
387 ALOGE("no such netId %u", netId);
390 if (network->getType() != Network::PHYSICAL) {
391 ALOGE("cannot set permissions on non-physical network with netId %u", netId);
395 // TODO: ioctl(SIOCKILLADDR, ...) to kill socets on the network that don't have permission.
397 if (int ret = static_cast<PhysicalNetwork*>(network)->setPermission(permission)) {
404 int NetworkController::addUsersToNetwork(unsigned netId, const UidRanges& uidRanges) {
405 android::RWLock::AutoWLock lock(mRWLock);
406 Network* network = getNetworkLocked(netId);
408 ALOGE("no such netId %u", netId);
411 if (network->getType() != Network::VIRTUAL) {
412 ALOGE("cannot add users to non-virtual network with netId %u", netId);
415 if (int ret = static_cast<VirtualNetwork*>(network)->addUsers(uidRanges)) {
421 int NetworkController::removeUsersFromNetwork(unsigned netId, const UidRanges& uidRanges) {
422 android::RWLock::AutoWLock lock(mRWLock);
423 Network* network = getNetworkLocked(netId);
425 ALOGE("no such netId %u", netId);
428 if (network->getType() != Network::VIRTUAL) {
429 ALOGE("cannot remove users from non-virtual network with netId %u", netId);
432 if (int ret = static_cast<VirtualNetwork*>(network)->removeUsers(uidRanges)) {
438 int NetworkController::addRoute(unsigned netId, const char* interface, const char* destination,
439 const char* nexthop, bool legacy, uid_t uid) {
440 return modifyRoute(netId, interface, destination, nexthop, true, legacy, uid);
443 int NetworkController::removeRoute(unsigned netId, const char* interface, const char* destination,
444 const char* nexthop, bool legacy, uid_t uid) {
445 return modifyRoute(netId, interface, destination, nexthop, false, legacy, uid);
448 bool NetworkController::canProtect(uid_t uid) const {
449 android::RWLock::AutoRLock lock(mRWLock);
450 return ((getPermissionForUserLocked(uid) & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) ||
451 mProtectableUsers.find(uid) != mProtectableUsers.end();
454 void NetworkController::allowProtect(const std::vector<uid_t>& uids) {
455 android::RWLock::AutoWLock lock(mRWLock);
456 mProtectableUsers.insert(uids.begin(), uids.end());
459 void NetworkController::denyProtect(const std::vector<uid_t>& uids) {
460 android::RWLock::AutoWLock lock(mRWLock);
461 for (uid_t uid : uids) {
462 mProtectableUsers.erase(uid);
466 bool NetworkController::isValidNetwork(unsigned netId) const {
467 android::RWLock::AutoRLock lock(mRWLock);
468 return getNetworkLocked(netId);
471 Network* NetworkController::getNetworkLocked(unsigned netId) const {
472 auto iter = mNetworks.find(netId);
473 return iter == mNetworks.end() ? NULL : iter->second;
476 VirtualNetwork* NetworkController::getVirtualNetworkForUserLocked(uid_t uid) const {
477 for (const auto& entry : mNetworks) {
478 if (entry.second->getType() == Network::VIRTUAL) {
479 VirtualNetwork* virtualNetwork = static_cast<VirtualNetwork*>(entry.second);
480 if (virtualNetwork->appliesToUser(uid)) {
481 return virtualNetwork;
488 Permission NetworkController::getPermissionForUserLocked(uid_t uid) const {
489 auto iter = mUsers.find(uid);
490 if (iter != mUsers.end()) {
493 return uid < FIRST_APPLICATION_UID ? PERMISSION_SYSTEM : PERMISSION_NONE;
496 int NetworkController::checkUserNetworkAccessLocked(uid_t uid, unsigned netId) const {
497 Network* network = getNetworkLocked(netId);
502 // If uid is INVALID_UID, this likely means that we were unable to retrieve the UID of the peer
503 // (using SO_PEERCRED). Be safe and deny access to the network, even if it's valid.
504 if (uid == INVALID_UID) {
507 Permission userPermission = getPermissionForUserLocked(uid);
508 if ((userPermission & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) {
511 if (network->getType() == Network::VIRTUAL) {
512 return static_cast<VirtualNetwork*>(network)->appliesToUser(uid) ? 0 : -EPERM;
514 VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid);
515 if (virtualNetwork && virtualNetwork->isSecure() &&
516 mProtectableUsers.find(uid) == mProtectableUsers.end()) {
519 Permission networkPermission = static_cast<PhysicalNetwork*>(network)->getPermission();
520 return ((userPermission & networkPermission) == networkPermission) ? 0 : -EACCES;
523 int NetworkController::modifyRoute(unsigned netId, const char* interface, const char* destination,
524 const char* nexthop, bool add, bool legacy, uid_t uid) {
525 if (!isValidNetwork(netId)) {
526 ALOGE("no such netId %u", netId);
529 unsigned existingNetId = getNetworkForInterface(interface);
530 if (existingNetId == NETID_UNSET) {
531 ALOGE("interface %s not assigned to any netId", interface);
534 if (existingNetId != netId) {
535 ALOGE("interface %s assigned to netId %u, not %u", interface, existingNetId, netId);
539 RouteController::TableType tableType;
540 if (netId == LOCAL_NET_ID) {
541 tableType = RouteController::LOCAL_NETWORK;
543 if ((getPermissionForUser(uid) & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) {
544 tableType = RouteController::LEGACY_SYSTEM;
546 tableType = RouteController::LEGACY_NETWORK;
549 tableType = RouteController::INTERFACE;
552 return add ? RouteController::addRoute(interface, destination, nexthop, tableType) :
553 RouteController::removeRoute(interface, destination, nexthop, tableType);
556 int NetworkController::modifyFallthroughLocked(unsigned vpnNetId, bool add) {
557 if (mDefaultNetId == NETID_UNSET) {
560 Network* network = getNetworkLocked(mDefaultNetId);
562 ALOGE("cannot find previously set default network with netId %u", mDefaultNetId);
565 if (network->getType() != Network::PHYSICAL) {
566 ALOGE("inconceivable! default network must be a physical network");
569 Permission permission = static_cast<PhysicalNetwork*>(network)->getPermission();
570 for (const auto& physicalInterface : network->getInterfaces()) {
571 if (int ret = mDelegateImpl->modifyFallthrough(vpnNetId, physicalInterface, permission,