authorSreeram Ramachandran <sreeram@google.com>2014-07-05 17:15:14 -0700
committerSreeram Ramachandran <sreeram@google.com>2014-07-07 16:20:18 -0700
commite09b20aee85f1dfd8c18c3d8581ac875d939ba70 (patch)
treebdfbd786a1cc3069ffa8b5d7513ccb6a115b72e1 /server/NetworkController.h
parent5009d5ef3fbcdc69d772b528fd22184b7d605afa (diff)
Add full support for UIDs in VPNs.
Major: + Implement the functions mentioned in http://go/android-multinetwork-routing correctly, including handling accept(), connect(), setNetworkForSocket() and protect() and supporting functions like canUserSelectNetwork(). + Eliminate the old code path of getting/setting UID ranges through SecondaryTableController (which is currently unused) and mUidMap. Minor: + Rename some methods/variables for clarity and consistency. + Moved some methods in .cpp files to match declaration order in the .h files. Bug: 15409918 Change-Id: Ic6ce3646c58cf645db0d9a53cbeefdd7ffafff93
Diffstat (limited to 'server/NetworkController.h')
-rw-r--r--server/NetworkController.h31
1 files changed, 10 insertions, 21 deletions
diff --git a/server/NetworkController.h b/server/NetworkController.h
index 0418f96b..217dfbc1 100644
--- a/server/NetworkController.h
+++ b/server/NetworkController.h
@@ -30,6 +30,7 @@
class Network;
class UidRanges;
+class VirtualNetwork;
/*
* Keeps track of default, per-pid, and per-uid-range network selection, as
@@ -44,19 +45,15 @@ public:
unsigned getDefaultNetwork() const;
int setDefaultNetwork(unsigned netId) WARN_UNUSED_RESULT;
- bool setNetworkForUidRange(uid_t uidStart, uid_t uidEnd, unsigned netId, bool forwardDns);
- bool clearNetworkForUidRange(uid_t uidStart, uid_t uidEnd, unsigned netId);
-
// Order of preference: UID-specific, requestedNetId, default.
// Specify NETID_UNSET for requestedNetId if the default network is preferred.
// forDns indicates if we're querying the netId for a DNS request. This avoids sending DNS
// requests to VPNs without DNS servers.
- unsigned getNetwork(uid_t uid, unsigned requestedNetId, bool forDns) const;
- unsigned getNetworkId(const char* interface) const;
- bool isValidNetwork(unsigned netId) const;
+ unsigned getNetworkForUser(uid_t uid, unsigned requestedNetId, bool forDns) const;
+ unsigned getNetworkForInterface(const char* interface) const;
- int createNetwork(unsigned netId, Permission permission) WARN_UNUSED_RESULT;
- int createVpn(unsigned netId) WARN_UNUSED_RESULT;
+ int createPhysicalNetwork(unsigned netId, Permission permission) WARN_UNUSED_RESULT;
+ int createVirtualNetwork(unsigned netId, bool hasDns) WARN_UNUSED_RESULT;
int destroyNetwork(unsigned netId) WARN_UNUSED_RESULT;
int addInterfaceToNetwork(unsigned netId, const char* interface) WARN_UNUSED_RESULT;
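Review bot: The new `createVirtualNetwork(unsigned netId, bool hasDns)` declaration does not say what `hasDns` governs, even though the comment a few lines up explains that `forDns` on `getNetworkForUser` exists "to avoid sending DNS requests to VPNs without DNS servers" — presumably `hasDns` is the per-network flag that lookup consults, but a reader of the header has to guess. I would document it at the declaration: `// hasDns: whether this VPN supplies its own DNS servers. A VPN created with hasDns=false is presumably skipped by getNetworkForUser(..., forDns=true) so its users' DNS traffic is not sent into it — confirm against the .cpp.` Since this flag decides whether a VPN user's DNS queries leave the tunnel, getting the default wrong at a call site is a privacy leak, so the contract belongs next to the parameter rather than only in the lookup's comment. It would also help to state what `getNetworkForInterface` returns for an interface that belongs to no network (NETID_UNSET?), as callers will need to distinguish that from a real netId.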
@@ -64,7 +61,7 @@ public:
Permission getPermissionForUser(uid_t uid) const;
void setPermissionForUsers(Permission permission, const std::vector<uid_t>& uids);
- bool isUserPermittedOnNetwork(uid_t uid, unsigned netId) const;
+ bool canUserSelectNetwork(uid_t uid, unsigned netId) const;
int setPermissionForNetworks(Permission permission,
const std::vector<unsigned>& netIds) WARN_UNUSED_RESULT;
@@ -78,29 +75,21 @@ public:
int removeRoute(unsigned netId, const char* interface, const char* destination,
const char* nexthop, bool legacy, uid_t uid) WARN_UNUSED_RESULT;
+ bool canProtect(uid_t uid) const;
void allowProtect(const std::vector<uid_t>& uids);
void denyProtect(const std::vector<uid_t>& uids);
private:
+ bool isValidNetwork(unsigned netId) const;
Network* getNetworkLocked(unsigned netId) const;
+ VirtualNetwork* getVirtualNetworkForUserLocked(uid_t uid) const;
Permission getPermissionForUserLocked(uid_t uid) const;
int modifyRoute(unsigned netId, const char* interface, const char* destination,
const char* nexthop, bool add, bool legacy, uid_t uid) WARN_UNUSED_RESULT;
- struct UidEntry {
- const uid_t uidStart;
- const uid_t uidEnd;
- const unsigned netId;
- bool forwardDns;
-
- UidEntry(uid_t uidStart, uid_t uidEnd, unsigned netId, bool forwardDns);
- };
-
- // mRWLock guards all accesses to mUidMap, mDefaultNetId, mNetworks, mUsers and
- // mProtectableUsers.
+ // mRWLock guards all accesses to mDefaultNetId, mNetworks, mUsers and mProtectableUsers.
mutable android::RWLock mRWLock;
- std::list<UidEntry> mUidMap;
unsigned mDefaultNetId;
std::map<unsigned, Network*> mNetworks; // Map keys are NetIds.
std::map<uid_t, Permission> mUsers;