#include "NetworkController.h"
+#include "DummyNetwork.h"
#include "Fwmark.h"
#include "LocalNetwork.h"
#include "PhysicalNetwork.h"
namespace {
// Keep these in sync with ConnectivityService.java.
-const unsigned MIN_NET_ID = 10;
+const unsigned MIN_NET_ID = 100;
const unsigned MAX_NET_ID = 65535;
} // namespace
+const unsigned NetworkController::MIN_OEM_ID = 1;
+const unsigned NetworkController::MAX_OEM_ID = 50;
+const unsigned NetworkController::DUMMY_NET_ID = 51;
+// NetIds 52..98 are reserved for future use.
+const unsigned NetworkController::LOCAL_NET_ID = 99;
+
// All calls to methods here are made while holding a write lock on mRWLock.
class NetworkController::DelegateImpl : public PhysicalNetwork::Delegate {
public:
NetworkController::NetworkController() :
mDelegateImpl(new NetworkController::DelegateImpl(this)), mDefaultNetId(NETID_UNSET) {
mNetworks[LOCAL_NET_ID] = new LocalNetwork(LOCAL_NET_ID);
+ mNetworks[DUMMY_NET_ID] = new DummyNetwork(DUMMY_NET_ID);
}
unsigned NetworkController::getDefaultNetwork() const {
Fwmark fwmark;
fwmark.protectedFromVpn = true;
fwmark.permission = PERMISSION_SYSTEM;
- if (canUserSelectNetworkLocked(uid, *netId)) {
+ if (checkUserNetworkAccessLocked(uid, *netId) == 0) {
// If a non-zero NetId was explicitly specified, and the user has permission for that
// network, use that network's DNS servers. Do not fall through to the default network even
// if the explicitly selected network is a split tunnel VPN or a VPN without DNS servers.
return mDefaultNetId;
}
+void NetworkController::getNetworkContext(
+ unsigned netId, uid_t uid, struct android_net_context* netcontext) const {
+ struct android_net_context nc = {
+ .app_netid = netId,
+ .app_mark = MARK_UNSET,
+ .dns_netid = netId,
+ .dns_mark = MARK_UNSET,
+ .uid = uid,
+ };
+
+ if (nc.app_netid == NETID_UNSET) {
+ nc.app_netid = getNetworkForConnect(uid);
+ }
+ Fwmark fwmark;
+ fwmark.netId = nc.app_netid;
+ nc.app_mark = fwmark.intValue;
+
+ nc.dns_mark = getNetworkForDns(&(nc.dns_netid), uid);
+
+ if (netcontext) {
+ *netcontext = nc;
+ }
+}
+
unsigned NetworkController::getNetworkForInterface(const char* interface) const {
android::RWLock::AutoRLock lock(mRWLock);
for (const auto& entry : mNetworks) {
}
int NetworkController::createPhysicalNetwork(unsigned netId, Permission permission) {
- if (netId < MIN_NET_ID || netId > MAX_NET_ID) {
+ if (!((MIN_NET_ID <= netId && netId <= MAX_NET_ID) ||
+ (MIN_OEM_ID <= netId && netId <= MAX_OEM_ID))) {
ALOGE("invalid netId %u", netId);
return -EINVAL;
}
}
int NetworkController::createVirtualNetwork(unsigned netId, bool hasDns, bool secure) {
- if (netId < MIN_NET_ID || netId > MAX_NET_ID) {
+ if (!(MIN_NET_ID <= netId && netId <= MAX_NET_ID)) {
ALOGE("invalid netId %u", netId);
return -EINVAL;
}
android::RWLock::AutoWLock lock(mRWLock);
Network* network = getNetworkLocked(netId);
- if (int ret = network->clearInterfaces()) {
- return ret;
- }
+
+ // If we fail to destroy a network, things will get stuck badly. Therefore, unlike most of the
+ // other network code, ignore failures and attempt to clear out as much state as possible, even
+ // if we hit an error on the way. Return the first error that we see.
+ int ret = network->clearInterfaces();
+
if (mDefaultNetId == netId) {
- if (int ret = static_cast<PhysicalNetwork*>(network)->removeAsDefault()) {
+ if (int err = static_cast<PhysicalNetwork*>(network)->removeAsDefault()) {
ALOGE("inconceivable! removeAsDefault cannot fail on an empty network");
- return ret;
+ if (!ret) {
+ ret = err;
+ }
}
mDefaultNetId = NETID_UNSET;
} else if (network->getType() == Network::VIRTUAL) {
- if (int ret = modifyFallthroughLocked(netId, false)) {
- return ret;
+ if (int err = modifyFallthroughLocked(netId, false)) {
+ if (!ret) {
+ ret = err;
+ }
}
}
mNetworks.erase(netId);
delete network;
_resolv_delete_cache_for_net(netId);
- return 0;
+ return ret;
}
int NetworkController::addInterfaceToNetwork(unsigned netId, const char* interface) {
}
}
-bool NetworkController::canUserSelectNetwork(uid_t uid, unsigned netId) const {
+int NetworkController::checkUserNetworkAccess(uid_t uid, unsigned netId) const {
android::RWLock::AutoRLock lock(mRWLock);
- return canUserSelectNetworkLocked(uid, netId);
+ return checkUserNetworkAccessLocked(uid, netId);
}
int NetworkController::setPermissionForNetworks(Permission permission,
return uid < FIRST_APPLICATION_UID ? PERMISSION_SYSTEM : PERMISSION_NONE;
}
-bool NetworkController::canUserSelectNetworkLocked(uid_t uid, unsigned netId) const {
+int NetworkController::checkUserNetworkAccessLocked(uid_t uid, unsigned netId) const {
Network* network = getNetworkLocked(netId);
+ if (!network) {
+ return -ENONET;
+ }
+
// If uid is INVALID_UID, this likely means that we were unable to retrieve the UID of the peer
// (using SO_PEERCRED). Be safe and deny access to the network, even if it's valid.
- if (!network || uid == INVALID_UID) {
- return false;
+ if (uid == INVALID_UID) {
+ return -EREMOTEIO;
}
Permission userPermission = getPermissionForUserLocked(uid);
if ((userPermission & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) {
- return true;
+ return 0;
}
if (network->getType() == Network::VIRTUAL) {
- return static_cast<VirtualNetwork*>(network)->appliesToUser(uid);
+ return static_cast<VirtualNetwork*>(network)->appliesToUser(uid) ? 0 : -EPERM;
}
VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid);
if (virtualNetwork && virtualNetwork->isSecure() &&
mProtectableUsers.find(uid) == mProtectableUsers.end()) {
- return false;
+ return -EPERM;
}
Permission networkPermission = static_cast<PhysicalNetwork*>(network)->getPermission();
- return (userPermission & networkPermission) == networkPermission;
+ return ((userPermission & networkPermission) == networkPermission) ? 0 : -EACCES;
}
int NetworkController::modifyRoute(unsigned netId, const char* interface, const char* destination,