2 * Copyright (c) 2016, The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #define LOG_TAG "Netd"
21 #include <android-base/stringprintf.h>
22 #include <cutils/log.h>
23 #include <utils/Errors.h>
25 #include <binder/IPCThreadState.h>
26 #include <binder/IServiceManager.h>
27 #include "android/net/BnNetd.h"
29 #include "Controllers.h"
30 #include "DumpWriter.h"
31 #include "NetdConstants.h"
32 #include "NetdNativeService.h"
33 #include "RouteController.h"
34 #include "UidRanges.h"
36 using android::base::StringPrintf;
43 const char CONNECTIVITY_INTERNAL[] = "android.permission.CONNECTIVITY_INTERNAL";
44 const char DUMP[] = "android.permission.DUMP";
46 binder::Status checkPermission(const char *permission) {
50 if (checkCallingPermission(String16(permission), (int32_t *) &pid, (int32_t *) &uid)) {
51 return binder::Status::ok();
53 auto err = StringPrintf("UID %d / PID %d lacks permission %s", uid, pid, permission);
54 return binder::Status::fromExceptionCode(binder::Status::EX_SECURITY, String8(err.c_str()));
58 #define ENFORCE_PERMISSION(permission) { \
59 binder::Status status = checkPermission((permission)); \
60 if (!status.isOk()) { \
65 #define NETD_LOCKING_RPC(permission, lock) \
66 ENFORCE_PERMISSION(permission); \
67 android::RWLock::AutoWLock _lock(lock);
69 #define NETD_BIG_LOCK_RPC(permission) NETD_LOCKING_RPC((permission), gBigNetdLock)
74 status_t NetdNativeService::start() {
75 IPCThreadState::self()->disableBackgroundScheduling(true);
76 status_t ret = BinderService<NetdNativeService>::publish();
77 if (ret != android::OK) {
80 sp<ProcessState> ps(ProcessState::self());
81 ps->startThreadPool();
82 ps->giveThreadPoolName();
86 status_t NetdNativeService::dump(int fd, const Vector<String16> & /* args */) {
87 const binder::Status dump_permission = checkPermission(DUMP);
88 if (!dump_permission.isOk()) {
89 const String8 msg(dump_permission.toString8());
90 write(fd, msg.string(), msg.size());
91 return PERMISSION_DENIED;
94 // This method does not grab any locks. If individual classes need locking
95 // their dump() methods MUST handle locking appropriately.
98 gCtls->netCtrl.dump(dw);
104 binder::Status NetdNativeService::isAlive(bool *alive) {
105 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
108 return binder::Status::ok();
111 binder::Status NetdNativeService::firewallReplaceUidChain(const android::String16& chainName,
112 bool isWhitelist, const std::vector<int32_t>& uids, bool *ret) {
113 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->firewallCtrl.lock);
115 android::String8 name = android::String8(chainName);
116 int err = gCtls->firewallCtrl.replaceUidChain(name.string(), isWhitelist, uids);
118 return binder::Status::ok();
121 binder::Status NetdNativeService::bandwidthEnableDataSaver(bool enable, bool *ret) {
122 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->bandwidthCtrl.lock);
124 int err = gCtls->bandwidthCtrl.enableDataSaver(enable);
126 return binder::Status::ok();
129 binder::Status NetdNativeService::networkRejectNonSecureVpn(bool add,
130 const std::vector<UidRange>& uidRangeArray) {
131 // TODO: elsewhere RouteController is only used from the tethering and network controllers, so
132 // it should be possible to use the same lock as NetworkController. However, every call through
133 // the CommandListener "network" command will need to hold this lock too, not just the ones that
134 // read/modify network internal state (that is sufficient for ::dump() because it doesn't
135 // look at routes, but it's not enough here).
136 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
139 uidRanges.createFrom(uidRangeArray);
143 err = RouteController::addUsersToRejectNonSecureNetworkRule(uidRanges);
145 err = RouteController::removeUsersFromRejectNonSecureNetworkRule(uidRanges);
149 return binder::Status::fromServiceSpecificError(-err,
150 String8::format("RouteController error: %s", strerror(-err)));
152 return binder::Status::ok();
156 } // namespace android