#include "NetworkController.h"
+#include "DummyNetwork.h"
+#include "Fwmark.h"
+#include "LocalNetwork.h"
#include "PhysicalNetwork.h"
#include "RouteController.h"
#include "VirtualNetwork.h"
namespace {
// Keep these in sync with ConnectivityService.java.
-const unsigned MIN_NET_ID = 10;
+const unsigned MIN_NET_ID = 100;
const unsigned MAX_NET_ID = 65535;
} // namespace
-NetworkController::NetworkController() : mDefaultNetId(NETID_UNSET) {
+const unsigned NetworkController::MIN_OEM_ID = 1;
+const unsigned NetworkController::MAX_OEM_ID = 50;
+const unsigned NetworkController::DUMMY_NET_ID = 51;
+// NetIds 52..98 are reserved for future use.
+const unsigned NetworkController::LOCAL_NET_ID = 99;
+
+// All calls to methods here are made while holding a write lock on mRWLock.
+class NetworkController::DelegateImpl : public PhysicalNetwork::Delegate {
+public:
+ explicit DelegateImpl(NetworkController* networkController);
+ virtual ~DelegateImpl();
+
+ int modifyFallthrough(unsigned vpnNetId, const std::string& physicalInterface,
+ Permission permission, bool add) WARN_UNUSED_RESULT;
+
+private:
+ int addFallthrough(const std::string& physicalInterface,
+ Permission permission) override WARN_UNUSED_RESULT;
+ int removeFallthrough(const std::string& physicalInterface,
+ Permission permission) override WARN_UNUSED_RESULT;
+
+ int modifyFallthrough(const std::string& physicalInterface, Permission permission,
+ bool add) WARN_UNUSED_RESULT;
+
+ NetworkController* const mNetworkController;
+};
+
+NetworkController::DelegateImpl::DelegateImpl(NetworkController* networkController) :
+ mNetworkController(networkController) {
+}
+
+NetworkController::DelegateImpl::~DelegateImpl() {
+}
+
+int NetworkController::DelegateImpl::modifyFallthrough(unsigned vpnNetId,
+ const std::string& physicalInterface,
+ Permission permission, bool add) {
+ if (add) {
+ if (int ret = RouteController::addVirtualNetworkFallthrough(vpnNetId,
+ physicalInterface.c_str(),
+ permission)) {
+ ALOGE("failed to add fallthrough to %s for VPN netId %u", physicalInterface.c_str(),
+ vpnNetId);
+ return ret;
+ }
+ } else {
+ if (int ret = RouteController::removeVirtualNetworkFallthrough(vpnNetId,
+ physicalInterface.c_str(),
+ permission)) {
+ ALOGE("failed to remove fallthrough to %s for VPN netId %u", physicalInterface.c_str(),
+ vpnNetId);
+ return ret;
+ }
+ }
+ return 0;
+}
+
+int NetworkController::DelegateImpl::addFallthrough(const std::string& physicalInterface,
+ Permission permission) {
+ return modifyFallthrough(physicalInterface, permission, true);
+}
+
+int NetworkController::DelegateImpl::removeFallthrough(const std::string& physicalInterface,
+ Permission permission) {
+ return modifyFallthrough(physicalInterface, permission, false);
+}
+
+int NetworkController::DelegateImpl::modifyFallthrough(const std::string& physicalInterface,
+ Permission permission, bool add) {
+ for (const auto& entry : mNetworkController->mNetworks) {
+ if (entry.second->getType() == Network::VIRTUAL) {
+ if (int ret = modifyFallthrough(entry.first, physicalInterface, permission, add)) {
+ return ret;
+ }
+ }
+ }
+ return 0;
+}
+
+NetworkController::NetworkController() :
+ mDelegateImpl(new NetworkController::DelegateImpl(this)), mDefaultNetId(NETID_UNSET) {
+ mNetworks[LOCAL_NET_ID] = new LocalNetwork(LOCAL_NET_ID);
+ mNetworks[DUMMY_NET_ID] = new DummyNetwork(DUMMY_NET_ID);
}
unsigned NetworkController::getDefaultNetwork() const {
if (netId != NETID_UNSET) {
Network* network = getNetworkLocked(netId);
- if (!network || network->getType() != Network::PHYSICAL) {
- ALOGE("invalid netId %u", netId);
+ if (!network) {
+ ALOGE("no such netId %u", netId);
+ return -ENONET;
+ }
+ if (network->getType() != Network::PHYSICAL) {
+ ALOGE("cannot set default to non-physical network with netId %u", netId);
return -EINVAL;
}
if (int ret = static_cast<PhysicalNetwork*>(network)->addAsDefault()) {
return 0;
}
-bool NetworkController::setNetworkForUidRange(uid_t uidStart, uid_t uidEnd, unsigned netId,
- bool forwardDns) {
- if (uidStart > uidEnd || !isValidNetwork(netId)) {
- errno = EINVAL;
- return false;
- }
-
- android::RWLock::AutoWLock lock(mRWLock);
- for (UidEntry& entry : mUidMap) {
- if (entry.uidStart == uidStart && entry.uidEnd == uidEnd && entry.netId == netId) {
- entry.forwardDns = forwardDns;
- return true;
+uint32_t NetworkController::getNetworkForDns(unsigned* netId, uid_t uid) const {
+ android::RWLock::AutoRLock lock(mRWLock);
+ Fwmark fwmark;
+ fwmark.protectedFromVpn = true;
+ fwmark.permission = PERMISSION_SYSTEM;
+ if (checkUserNetworkAccessLocked(uid, *netId) == 0) {
+ // If a non-zero NetId was explicitly specified, and the user has permission for that
+ // network, use that network's DNS servers. Do not fall through to the default network even
+ // if the explicitly selected network is a split tunnel VPN or a VPN without DNS servers.
+ fwmark.explicitlySelected = true;
+ } else {
+ // If the user is subject to a VPN and the VPN provides DNS servers, use those servers
+ // (possibly falling through to the default network if the VPN doesn't provide a route to
+ // them). Otherwise, use the default network's DNS servers.
+ VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid);
+ if (virtualNetwork && virtualNetwork->getHasDns()) {
+ *netId = virtualNetwork->getNetId();
+ } else {
+ *netId = mDefaultNetId;
}
}
+ fwmark.netId = *netId;
+ return fwmark.intValue;
+}
- mUidMap.push_front(UidEntry(uidStart, uidEnd, netId, forwardDns));
- return true;
+// Returns the NetId that a given UID would use if no network is explicitly selected. Specifically,
+// the VPN that applies to the UID if any; otherwise, the default network.
+unsigned NetworkController::getNetworkForUser(uid_t uid) const {
+ android::RWLock::AutoRLock lock(mRWLock);
+ if (VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid)) {
+ return virtualNetwork->getNetId();
+ }
+ return mDefaultNetId;
}
-bool NetworkController::clearNetworkForUidRange(uid_t uidStart, uid_t uidEnd, unsigned netId) {
- if (uidStart > uidEnd || !isValidNetwork(netId)) {
- errno = EINVAL;
- return false;
+// Returns the NetId that will be set when a socket connect()s. This is the bypassable VPN that
+// applies to the user if any; otherwise, the default network.
+//
+// In general, we prefer to always set the default network's NetId in connect(), so that if the VPN
+// is a split-tunnel and disappears later, the socket continues working (since the default network's
+// NetId is still valid). Secure VPNs will correctly grab the socket's traffic since they have a
+// high-priority routing rule that doesn't care what NetId the socket has.
+//
+// But bypassable VPNs have a very low priority rule, so we need to mark the socket with the
+// bypassable VPN's NetId if we expect it to get any traffic at all. If the bypassable VPN is a
+// split-tunnel, that's okay, because we have fallthrough rules that will direct the fallthrough
+// traffic to the default network. But it does mean that if the bypassable VPN goes away (and thus
+// the fallthrough rules also go away), the socket that used to fallthrough to the default network
+// will stop working.
+unsigned NetworkController::getNetworkForConnect(uid_t uid) const {
+ android::RWLock::AutoRLock lock(mRWLock);
+ VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid);
+ if (virtualNetwork && !virtualNetwork->isSecure()) {
+ return virtualNetwork->getNetId();
}
+ return mDefaultNetId;
+}
- android::RWLock::AutoWLock lock(mRWLock);
- for (auto iter = mUidMap.begin(); iter != mUidMap.end(); ++iter) {
- if (iter->uidStart == uidStart && iter->uidEnd == uidEnd && iter->netId == netId) {
- mUidMap.erase(iter);
- return true;
- }
+void NetworkController::getNetworkContext(
+ unsigned netId, uid_t uid, struct android_net_context* netcontext) const {
+ struct android_net_context nc = {
+ .app_netid = netId,
+ .app_mark = MARK_UNSET,
+ .dns_netid = netId,
+ .dns_mark = MARK_UNSET,
+ .uid = uid,
+ };
+
+ if (nc.app_netid == NETID_UNSET) {
+ nc.app_netid = getNetworkForConnect(uid);
}
+ Fwmark fwmark;
+ fwmark.netId = nc.app_netid;
+ nc.app_mark = fwmark.intValue;
- errno = ENOENT;
- return false;
-}
+ nc.dns_mark = getNetworkForDns(&(nc.dns_netid), uid);
-unsigned NetworkController::getNetwork(uid_t uid, unsigned requestedNetId, bool forDns) const {
- android::RWLock::AutoRLock lock(mRWLock);
- for (const UidEntry& entry : mUidMap) {
- if (entry.uidStart <= uid && uid <= entry.uidEnd) {
- if (forDns && !entry.forwardDns) {
- break;
- }
- return entry.netId;
- }
+ if (netcontext) {
+ *netcontext = nc;
}
- return getNetworkLocked(requestedNetId) ? requestedNetId : mDefaultNetId;
}
-unsigned NetworkController::getNetworkId(const char* interface) const {
+unsigned NetworkController::getNetworkForInterface(const char* interface) const {
android::RWLock::AutoRLock lock(mRWLock);
for (const auto& entry : mNetworks) {
if (entry.second->hasInterface(interface)) {
return NETID_UNSET;
}
-bool NetworkController::isValidNetwork(unsigned netId) const {
+bool NetworkController::isVirtualNetwork(unsigned netId) const {
android::RWLock::AutoRLock lock(mRWLock);
- return getNetworkLocked(netId);
+ Network* network = getNetworkLocked(netId);
+ return network && network->getType() == Network::VIRTUAL;
}
-int NetworkController::createNetwork(unsigned netId, Permission permission) {
- if (netId < MIN_NET_ID || netId > MAX_NET_ID) {
+int NetworkController::createPhysicalNetwork(unsigned netId, Permission permission) {
+ if (!((MIN_NET_ID <= netId && netId <= MAX_NET_ID) ||
+ (MIN_OEM_ID <= netId && netId <= MAX_OEM_ID))) {
ALOGE("invalid netId %u", netId);
return -EINVAL;
}
return -EEXIST;
}
- PhysicalNetwork* physicalNetwork = new PhysicalNetwork(netId);
+ PhysicalNetwork* physicalNetwork = new PhysicalNetwork(netId, mDelegateImpl);
if (int ret = physicalNetwork->setPermission(permission)) {
ALOGE("inconceivable! setPermission cannot fail on an empty network");
delete physicalNetwork;
return 0;
}
-int NetworkController::createVpn(unsigned netId) {
- if (netId < MIN_NET_ID || netId > MAX_NET_ID) {
+int NetworkController::createVirtualNetwork(unsigned netId, bool hasDns, bool secure) {
+ if (!(MIN_NET_ID <= netId && netId <= MAX_NET_ID)) {
ALOGE("invalid netId %u", netId);
return -EINVAL;
}
}
android::RWLock::AutoWLock lock(mRWLock);
- mNetworks[netId] = new VirtualNetwork(netId);
+ if (int ret = modifyFallthroughLocked(netId, true)) {
+ return ret;
+ }
+ mNetworks[netId] = new VirtualNetwork(netId, hasDns, secure);
return 0;
}
int NetworkController::destroyNetwork(unsigned netId) {
- if (!isValidNetwork(netId)) {
- ALOGE("invalid netId %u", netId);
+ if (netId == LOCAL_NET_ID) {
+ ALOGE("cannot destroy local network");
return -EINVAL;
}
+ if (!isValidNetwork(netId)) {
+ ALOGE("no such netId %u", netId);
+ return -ENONET;
+ }
// TODO: ioctl(SIOCKILLADDR, ...) to kill all sockets on the old network.
android::RWLock::AutoWLock lock(mRWLock);
Network* network = getNetworkLocked(netId);
- if (int ret = network->clearInterfaces()) {
- return ret;
- }
+
+ // If we fail to destroy a network, things will get stuck badly. Therefore, unlike most of the
+ // other network code, ignore failures and attempt to clear out as much state as possible, even
+ // if we hit an error on the way. Return the first error that we see.
+ int ret = network->clearInterfaces();
+
if (mDefaultNetId == netId) {
- if (int ret = static_cast<PhysicalNetwork*>(network)->removeAsDefault()) {
+ if (int err = static_cast<PhysicalNetwork*>(network)->removeAsDefault()) {
ALOGE("inconceivable! removeAsDefault cannot fail on an empty network");
- return ret;
+ if (!ret) {
+ ret = err;
+ }
}
mDefaultNetId = NETID_UNSET;
+ } else if (network->getType() == Network::VIRTUAL) {
+ if (int err = modifyFallthroughLocked(netId, false)) {
+ if (!ret) {
+ ret = err;
+ }
+ }
}
mNetworks.erase(netId);
delete network;
_resolv_delete_cache_for_net(netId);
- return 0;
+ return ret;
}
int NetworkController::addInterfaceToNetwork(unsigned netId, const char* interface) {
if (!isValidNetwork(netId)) {
- ALOGE("invalid netId %u", netId);
- return -EINVAL;
+ ALOGE("no such netId %u", netId);
+ return -ENONET;
}
- unsigned existingNetId = getNetworkId(interface);
+ unsigned existingNetId = getNetworkForInterface(interface);
if (existingNetId != NETID_UNSET && existingNetId != netId) {
ALOGE("interface %s already assigned to netId %u", interface, existingNetId);
return -EBUSY;
int NetworkController::removeInterfaceFromNetwork(unsigned netId, const char* interface) {
if (!isValidNetwork(netId)) {
- ALOGE("invalid netId %u", netId);
- return -EINVAL;
+ ALOGE("no such netId %u", netId);
+ return -ENONET;
}
android::RWLock::AutoWLock lock(mRWLock);
}
}
-// TODO: Handle VPNs.
-bool NetworkController::isUserPermittedOnNetwork(uid_t uid, unsigned netId) const {
- if (uid == INVALID_UID || netId == NETID_UNSET) {
- return false;
- }
-
+int NetworkController::checkUserNetworkAccess(uid_t uid, unsigned netId) const {
android::RWLock::AutoRLock lock(mRWLock);
- Network* network = getNetworkLocked(netId);
- if (!network || network->getType() != Network::PHYSICAL) {
- return false;
- }
- Permission userPermission = getPermissionForUserLocked(uid);
- Permission networkPermission = static_cast<PhysicalNetwork*>(network)->getPermission();
- return (userPermission & networkPermission) == networkPermission;
+ return checkUserNetworkAccessLocked(uid, netId);
}
int NetworkController::setPermissionForNetworks(Permission permission,
android::RWLock::AutoWLock lock(mRWLock);
for (unsigned netId : netIds) {
Network* network = getNetworkLocked(netId);
- if (!network || network->getType() != Network::PHYSICAL) {
- ALOGE("invalid netId %u", netId);
+ if (!network) {
+ ALOGE("no such netId %u", netId);
+ return -ENONET;
+ }
+ if (network->getType() != Network::PHYSICAL) {
+ ALOGE("cannot set permissions on non-physical network with netId %u", netId);
return -EINVAL;
}
int NetworkController::addUsersToNetwork(unsigned netId, const UidRanges& uidRanges) {
android::RWLock::AutoWLock lock(mRWLock);
Network* network = getNetworkLocked(netId);
- if (!network || network->getType() != Network::VIRTUAL) {
- ALOGE("invalid netId %u", netId);
+ if (!network) {
+ ALOGE("no such netId %u", netId);
+ return -ENONET;
+ }
+ if (network->getType() != Network::VIRTUAL) {
+ ALOGE("cannot add users to non-virtual network with netId %u", netId);
return -EINVAL;
}
if (int ret = static_cast<VirtualNetwork*>(network)->addUsers(uidRanges)) {
int NetworkController::removeUsersFromNetwork(unsigned netId, const UidRanges& uidRanges) {
android::RWLock::AutoWLock lock(mRWLock);
Network* network = getNetworkLocked(netId);
- if (!network || network->getType() != Network::VIRTUAL) {
- ALOGE("invalid netId %u", netId);
+ if (!network) {
+ ALOGE("no such netId %u", netId);
+ return -ENONET;
+ }
+ if (network->getType() != Network::VIRTUAL) {
+ ALOGE("cannot remove users from non-virtual network with netId %u", netId);
return -EINVAL;
}
if (int ret = static_cast<VirtualNetwork*>(network)->removeUsers(uidRanges)) {
return modifyRoute(netId, interface, destination, nexthop, false, legacy, uid);
}
+bool NetworkController::canProtect(uid_t uid) const {
+ android::RWLock::AutoRLock lock(mRWLock);
+ return ((getPermissionForUserLocked(uid) & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) ||
+ mProtectableUsers.find(uid) != mProtectableUsers.end();
+}
+
void NetworkController::allowProtect(const std::vector<uid_t>& uids) {
android::RWLock::AutoWLock lock(mRWLock);
mProtectableUsers.insert(uids.begin(), uids.end());
}
}
+bool NetworkController::isValidNetwork(unsigned netId) const {
+ android::RWLock::AutoRLock lock(mRWLock);
+ return getNetworkLocked(netId);
+}
+
Network* NetworkController::getNetworkLocked(unsigned netId) const {
auto iter = mNetworks.find(netId);
return iter == mNetworks.end() ? NULL : iter->second;
}
+VirtualNetwork* NetworkController::getVirtualNetworkForUserLocked(uid_t uid) const {
+ for (const auto& entry : mNetworks) {
+ if (entry.second->getType() == Network::VIRTUAL) {
+ VirtualNetwork* virtualNetwork = static_cast<VirtualNetwork*>(entry.second);
+ if (virtualNetwork->appliesToUser(uid)) {
+ return virtualNetwork;
+ }
+ }
+ }
+ return NULL;
+}
+
Permission NetworkController::getPermissionForUserLocked(uid_t uid) const {
auto iter = mUsers.find(uid);
if (iter != mUsers.end()) {
return uid < FIRST_APPLICATION_UID ? PERMISSION_SYSTEM : PERMISSION_NONE;
}
+int NetworkController::checkUserNetworkAccessLocked(uid_t uid, unsigned netId) const {
+ Network* network = getNetworkLocked(netId);
+ if (!network) {
+ return -ENONET;
+ }
+
+ // If uid is INVALID_UID, this likely means that we were unable to retrieve the UID of the peer
+ // (using SO_PEERCRED). Be safe and deny access to the network, even if it's valid.
+ if (uid == INVALID_UID) {
+ return -EREMOTEIO;
+ }
+ Permission userPermission = getPermissionForUserLocked(uid);
+ if ((userPermission & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) {
+ return 0;
+ }
+ if (network->getType() == Network::VIRTUAL) {
+ return static_cast<VirtualNetwork*>(network)->appliesToUser(uid) ? 0 : -EPERM;
+ }
+ VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid);
+ if (virtualNetwork && virtualNetwork->isSecure() &&
+ mProtectableUsers.find(uid) == mProtectableUsers.end()) {
+ return -EPERM;
+ }
+ Permission networkPermission = static_cast<PhysicalNetwork*>(network)->getPermission();
+ return ((userPermission & networkPermission) == networkPermission) ? 0 : -EACCES;
+}
+
int NetworkController::modifyRoute(unsigned netId, const char* interface, const char* destination,
const char* nexthop, bool add, bool legacy, uid_t uid) {
- unsigned existingNetId = getNetworkId(interface);
- if (netId == NETID_UNSET || existingNetId != netId) {
+ if (!isValidNetwork(netId)) {
+ ALOGE("no such netId %u", netId);
+ return -ENONET;
+ }
+ unsigned existingNetId = getNetworkForInterface(interface);
+ if (existingNetId == NETID_UNSET) {
+ ALOGE("interface %s not assigned to any netId", interface);
+ return -ENODEV;
+ }
+ if (existingNetId != netId) {
ALOGE("interface %s assigned to netId %u, not %u", interface, existingNetId, netId);
return -ENOENT;
}
RouteController::TableType tableType;
- if (legacy) {
+ if (netId == LOCAL_NET_ID) {
+ tableType = RouteController::LOCAL_NETWORK;
+ } else if (legacy) {
if ((getPermissionForUser(uid) & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) {
- tableType = RouteController::PRIVILEGED_LEGACY;
+ tableType = RouteController::LEGACY_SYSTEM;
} else {
- tableType = RouteController::LEGACY;
+ tableType = RouteController::LEGACY_NETWORK;
}
} else {
tableType = RouteController::INTERFACE;
RouteController::removeRoute(interface, destination, nexthop, tableType);
}
-NetworkController::UidEntry::UidEntry(uid_t uidStart, uid_t uidEnd, unsigned netId,
- bool forwardDns) :
- uidStart(uidStart), uidEnd(uidEnd), netId(netId), forwardDns(forwardDns) {
+int NetworkController::modifyFallthroughLocked(unsigned vpnNetId, bool add) {
+ if (mDefaultNetId == NETID_UNSET) {
+ return 0;
+ }
+ Network* network = getNetworkLocked(mDefaultNetId);
+ if (!network) {
+ ALOGE("cannot find previously set default network with netId %u", mDefaultNetId);
+ return -ESRCH;
+ }
+ if (network->getType() != Network::PHYSICAL) {
+ ALOGE("inconceivable! default network must be a physical network");
+ return -EINVAL;
+ }
+ Permission permission = static_cast<PhysicalNetwork*>(network)->getPermission();
+ for (const auto& physicalInterface : network->getInterfaces()) {
+ if (int ret = mDelegateImpl->modifyFallthrough(vpnNetId, physicalInterface, permission,
+ add)) {
+ return ret;
+ }
+ }
+ return 0;
}