/* * Copyright (C) 2014 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ // THREAD-SAFETY // ------------- // The methods in this file are called from multiple threads (from CommandListener, FwmarkServer // and DnsProxyListener). So, all accesses to shared state are guarded by a lock. // // Public functions accessible by external callers should be thread-safe and are responsible for // acquiring the lock. Private functions in this file should call xxxLocked() methods and access // internal state directly. #define LOG_TAG "Netd" #include "NetworkController.h" #include #include // FIRST_APPLICATION_UID #include #include #include "log/log.h" #include "Controllers.h" #include "DummyNetwork.h" #include "Fwmark.h" #include "LocalNetwork.h" #include "PhysicalNetwork.h" #include "RouteController.h" #include "TcUtils.h" #include "UnreachableNetwork.h" #include "VirtualNetwork.h" #include "netdutils/DumpWriter.h" #include "netdutils/Utils.h" #include "netid_client.h" #define DBG 0 using android::netdutils::DumpWriter; using android::netdutils::getIfaceNames; namespace android::net { namespace { // Keep these in sync with ConnectivityService.java. const unsigned MIN_NET_ID = 100; const unsigned MAX_NET_ID = 65535; } // namespace // All calls to methods here are made while holding a write lock on mRWLock. // They are mostly not called directly from this class, but from methods in PhysicalNetwork.cpp. // However, we're the only user of that class, so all calls to those methods come from here and are // made under lock. // For example, PhysicalNetwork::setPermission ends up calling addFallthrough and removeFallthrough, // but it's only called from here under lock (specifically, from createPhysicalNetworkLocked and // setPermissionForNetworks). // TODO: use std::mutex and GUARDED_BY instead of manual inspection. class NetworkController::DelegateImpl : public PhysicalNetwork::Delegate { public: explicit DelegateImpl(NetworkController* networkController); virtual ~DelegateImpl(); [[nodiscard]] int modifyFallthrough(unsigned vpnNetId, const std::string& physicalInterface, Permission permission, bool add); private: [[nodiscard]] int addFallthrough(const std::string& physicalInterface, Permission permission) override; [[nodiscard]] int removeFallthrough(const std::string& physicalInterface, Permission permission) override; [[nodiscard]] int modifyFallthrough(const std::string& physicalInterface, Permission permission, bool add); NetworkController* const mNetworkController; }; NetworkController::DelegateImpl::DelegateImpl(NetworkController* networkController) : mNetworkController(networkController) { } NetworkController::DelegateImpl::~DelegateImpl() { } int NetworkController::DelegateImpl::modifyFallthrough(unsigned vpnNetId, const std::string& physicalInterface, Permission permission, bool add) { if (add) { if (int ret = RouteController::addVirtualNetworkFallthrough(vpnNetId, physicalInterface.c_str(), permission)) { ALOGE("failed to add fallthrough to %s for VPN netId %u", physicalInterface.c_str(), vpnNetId); return ret; } } else { if (int ret = RouteController::removeVirtualNetworkFallthrough(vpnNetId, physicalInterface.c_str(), permission)) { ALOGE("failed to remove fallthrough to %s for VPN netId %u", physicalInterface.c_str(), vpnNetId); return ret; } } return 0; } int NetworkController::DelegateImpl::addFallthrough(const std::string& physicalInterface, Permission permission) { return modifyFallthrough(physicalInterface, permission, true); } int NetworkController::DelegateImpl::removeFallthrough(const std::string& physicalInterface, Permission permission) { return modifyFallthrough(physicalInterface, permission, false); } int NetworkController::DelegateImpl::modifyFallthrough(const std::string& physicalInterface, Permission permission, bool add) { for (const auto& entry : mNetworkController->mNetworks) { if (entry.second->isVirtual()) { if (int ret = modifyFallthrough(entry.first, physicalInterface, permission, add)) { return ret; } } } return 0; } NetworkController::NetworkController() : mDelegateImpl(new NetworkController::DelegateImpl(this)), mDefaultNetId(NETID_UNSET), mProtectableUsers({std::make_pair(AID_VPN, NETID_UNSET)}) { gLog.info("enter NetworkController ctor"); mNetworks[LOCAL_NET_ID] = new LocalNetwork(LOCAL_NET_ID); mNetworks[DUMMY_NET_ID] = new DummyNetwork(DUMMY_NET_ID); mNetworks[UNREACHABLE_NET_ID] = new UnreachableNetwork(UNREACHABLE_NET_ID); // Clear all clsact stubs on all interfaces. // TODO: perhaps only remove the clsact on the interface which is added by // RouteController::addInterfaceToPhysicalNetwork. Currently, the netd only // attach the clsact to the interface for the physical network. const auto& ifaces = getIfaceNames(); if (isOk(ifaces)) { for (const std::string& iface : ifaces.value()) { if (int ifIndex = if_nametoindex(iface.c_str())) { // Ignore the error because the interface might not have a clsact. tcQdiscDelDevClsact(ifIndex); } } } gLog.info("leave NetworkController ctor"); } unsigned NetworkController::getDefaultNetwork() const { ScopedRLock lock(mRWLock); return mDefaultNetId; } int NetworkController::setDefaultNetwork(unsigned netId) { ScopedWLock lock(mRWLock); if (netId == mDefaultNetId) { return 0; } if (netId != NETID_UNSET) { Network* network = getNetworkLocked(netId); if (!network) { ALOGE("no such netId %u", netId); return -ENONET; } if (!network->isPhysical()) { ALOGE("cannot set default to non-physical network with netId %u", netId); return -EINVAL; } if (int ret = static_cast(network)->addAsDefault()) { return ret; } } if (mDefaultNetId != NETID_UNSET) { Network* network = getNetworkLocked(mDefaultNetId); if (!network || !network->isPhysical()) { ALOGE("cannot find previously set default network with netId %u", mDefaultNetId); return -ESRCH; } if (int ret = static_cast(network)->removeAsDefault()) { return ret; } } mDefaultNetId = netId; return 0; } uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const { Fwmark fwmark; fwmark.protectedFromVpn = true; fwmark.permission = PERMISSION_SYSTEM; Network* appDefaultNetwork = getPhysicalOrUnreachableNetworkForUserLocked(uid); unsigned defaultNetId = appDefaultNetwork ? appDefaultNetwork->getNetId() : mDefaultNetId; // Common case: there is no VPN that applies to the user, and the query did not specify a netId. // Therefore, it is safe to set the explicit bit on this query and skip all the complex logic // below. While this looks like a special case, it is actually the one that handles the vast // majority of DNS queries. // TODO: untangle this code. if (*netId == NETID_UNSET && getVirtualNetworkForUserLocked(uid) == nullptr) { *netId = defaultNetId; fwmark.netId = *netId; fwmark.explicitlySelected = true; return fwmark.intValue; } if (checkUserNetworkAccessLocked(uid, *netId) == 0) { // If a non-zero NetId was explicitly specified, and the user has permission for that // network, use that network's DNS servers. (possibly falling through the to the default // network if the VPN doesn't provide a route to them). fwmark.explicitlySelected = true; // If the network is a VPN and it doesn't have DNS servers, use the default network's DNS // servers (through the default network). Otherwise, the query is guaranteed to fail. // http://b/29498052 Network *network = getNetworkLocked(*netId); if (network && network->isVirtual() && !resolv_has_nameservers(*netId)) { *netId = defaultNetId; } } else { // If the user is subject to a VPN and the VPN provides DNS servers, use those servers // (possibly falling through to the default network if the VPN doesn't provide a route to // them). Otherwise, use the default network's DNS servers. // TODO: Consider if we should set the explicit bit here. VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid); if (virtualNetwork && resolv_has_nameservers(virtualNetwork->getNetId())) { *netId = virtualNetwork->getNetId(); } else { // TODO: return an error instead of silently doing the DNS lookup on the wrong network. // http://b/27560555 *netId = defaultNetId; } } fwmark.netId = *netId; return fwmark.intValue; } // Returns the NetId that a given UID would use if no network is explicitly selected. Specifically, // the VPN that applies to the UID if any; Otherwise, the default network for UID; Otherwise the // unreachable network that applies to the UID; lastly, the default network. unsigned NetworkController::getNetworkForUser(uid_t uid) const { ScopedRLock lock(mRWLock); if (VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid)) { return virtualNetwork->getNetId(); } if (Network* network = getPhysicalOrUnreachableNetworkForUserLocked(uid)) { return network->getNetId(); } return mDefaultNetId; } // Returns the NetId that will be set when a socket connect()s. This is the bypassable VPN that // applies to the user if any; otherwise, the default network that applies to user if any; lastly, // the default network. // // In general, we prefer to always set the default network's NetId in connect(), so that if the VPN // is a split-tunnel and disappears later, the socket continues working (since the default network's // NetId is still valid). Secure VPNs will correctly grab the socket's traffic since they have a // high-priority routing rule that doesn't care what NetId the socket has. // // But bypassable VPNs have a very low priority rule, so we need to mark the socket with the // bypassable VPN's NetId if we expect it to get any traffic at all. If the bypassable VPN is a // split-tunnel, that's okay, because we have fallthrough rules that will direct the fallthrough // traffic to the default network. But it does mean that if the bypassable VPN goes away (and thus // the fallthrough rules also go away), the socket that used to fallthrough to the default network // will stop working. // // Per-app physical default networks behave the same as bypassable VPNs: when a socket is connected // on one of these networks, we mark the socket with the netId of the network. This ensures that if // the per-app default network changes, sockets established on the previous network are still // routed to that network, assuming the network's UID ranges still apply to the UID. While this // means that fallthrough to the default network does not work, physical networks not expected // ever to be split tunnels. unsigned NetworkController::getNetworkForConnectLocked(uid_t uid) const { VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid); if (virtualNetwork && !virtualNetwork->isSecure()) { return virtualNetwork->getNetId(); } if (Network* network = getPhysicalOrUnreachableNetworkForUserLocked(uid)) { return network->getNetId(); } return mDefaultNetId; } unsigned NetworkController::getNetworkForConnect(uid_t uid) const { ScopedRLock lock(mRWLock); return getNetworkForConnectLocked(uid); } void NetworkController::getNetworkContext( unsigned netId, uid_t uid, struct android_net_context* netcontext) const { ScopedRLock lock(mRWLock); struct android_net_context nc = { .app_netid = netId, .app_mark = MARK_UNSET, .dns_netid = netId, .dns_mark = MARK_UNSET, .uid = uid, }; // |netId| comes directly (via dnsproxyd) from the value returned by netIdForResolv() in the // client process. This value is nonzero iff.: // // 1. The app specified a netid/nethandle to a DNS resolution method such as: // - [Java] android.net.Network#getAllByName() // - [C/++] android_getaddrinfofornetwork() // 2. The app specified a netid/nethandle to be used as a process default via: // - [Java] android.net.ConnectivityManager#bindProcessToNetwork() // - [C/++] android_setprocnetwork() // 3. The app called android.net.ConnectivityManager#startUsingNetworkFeature(). // // In all these cases (with the possible exception of #3), the right thing to do is to treat // such cases as explicitlySelected. const bool explicitlySelected = (nc.app_netid != NETID_UNSET); if (!explicitlySelected) { nc.app_netid = getNetworkForConnectLocked(uid); } Fwmark fwmark; fwmark.netId = nc.app_netid; fwmark.explicitlySelected = explicitlySelected; fwmark.protectedFromVpn = explicitlySelected && canProtectLocked(uid, nc.app_netid); fwmark.permission = getPermissionForUserLocked(uid); nc.app_mark = fwmark.intValue; nc.dns_mark = getNetworkForDnsLocked(&(nc.dns_netid), uid); if (DBG) { ALOGD("app_netid:0x%x app_mark:0x%x dns_netid:0x%x dns_mark:0x%x uid:%d", nc.app_netid, nc.app_mark, nc.dns_netid, nc.dns_mark, uid); } if (netcontext) { *netcontext = nc; } } unsigned NetworkController::getNetworkForInterfaceLocked(const char* interface) const { for (const auto& entry : mNetworks) { if (entry.second->hasInterface(interface)) { return entry.first; } } return NETID_UNSET; } unsigned NetworkController::getNetworkForInterface(const char* interface) const { ScopedRLock lock(mRWLock); return getNetworkForInterfaceLocked(interface); } unsigned NetworkController::getNetworkForInterfaceLocked(const int ifIndex) const { char interfaceName[IFNAMSIZ] = {}; if (if_indextoname(ifIndex, interfaceName)) { return getNetworkForInterfaceLocked(interfaceName); } return NETID_UNSET; } unsigned NetworkController::getNetworkForInterface(const int ifIndex) const { ScopedRLock lock(mRWLock); return getNetworkForInterfaceLocked(ifIndex); } bool NetworkController::isVirtualNetwork(unsigned netId) const { ScopedRLock lock(mRWLock); return isVirtualNetworkLocked(netId); } bool NetworkController::isVirtualNetworkLocked(unsigned netId) const { Network* network = getNetworkLocked(netId); return network && network->isVirtual(); } int NetworkController::createPhysicalNetworkLocked(unsigned netId, Permission permission, bool local) { if (!((MIN_NET_ID <= netId && netId <= MAX_NET_ID) || (MIN_OEM_ID <= netId && netId <= MAX_OEM_ID))) { ALOGE("invalid netId %u", netId); return -EINVAL; } if (isValidNetworkLocked(netId)) { ALOGE("duplicate netId %u", netId); return -EEXIST; } PhysicalNetwork* physicalNetwork = new PhysicalNetwork(netId, mDelegateImpl, local); if (int ret = physicalNetwork->setPermission(permission)) { ALOGE("inconceivable! setPermission cannot fail on an empty network"); delete physicalNetwork; return ret; } mNetworks[netId] = physicalNetwork; updateTcpSocketMonitorPolling(); return 0; } int NetworkController::createPhysicalNetwork(unsigned netId, Permission permission, bool local) { ScopedWLock lock(mRWLock); return createPhysicalNetworkLocked(netId, permission, local); } int NetworkController::createPhysicalOemNetwork(Permission permission, unsigned *pNetId) { if (pNetId == nullptr) { return -EINVAL; } ScopedWLock lock(mRWLock); for (*pNetId = MIN_OEM_ID; *pNetId <= MAX_OEM_ID; (*pNetId)++) { if (!isValidNetworkLocked(*pNetId)) { break; } } if (*pNetId > MAX_OEM_ID) { ALOGE("No free network ID"); *pNetId = 0; return -ENONET; } int ret = createPhysicalNetworkLocked(*pNetId, permission, false /* local */); if (ret) { *pNetId = 0; } return ret; } int NetworkController::createVirtualNetwork(unsigned netId, bool secure, NativeVpnType vpnType, bool excludeLocalRoutes) { ScopedWLock lock(mRWLock); if (!(MIN_NET_ID <= netId && netId <= MAX_NET_ID)) { ALOGE("invalid netId %u", netId); return -EINVAL; } if (isValidNetworkLocked(netId)) { ALOGE("duplicate netId %u", netId); return -EEXIST; } if (vpnType < NativeVpnType::SERVICE || NativeVpnType::OEM < vpnType) { ALOGE("invalid vpnType %d", static_cast(vpnType)); return -EINVAL; } if (int ret = modifyFallthroughLocked(netId, true)) { return ret; } mNetworks[netId] = new VirtualNetwork(netId, secure, excludeLocalRoutes); return 0; } int NetworkController::destroyNetwork(unsigned netId) { ScopedWLock lock(mRWLock); if (netId == LOCAL_NET_ID || netId == UNREACHABLE_NET_ID) { ALOGE("cannot destroy local or unreachable network"); return -EINVAL; } if (!isValidNetworkLocked(netId)) { ALOGE("no such netId %u", netId); return -ENONET; } // TODO: ioctl(SIOCKILLADDR, ...) to kill all sockets on the old network. Network* network = getNetworkLocked(netId); // If we fail to destroy a network, things will get stuck badly. Therefore, unlike most of the // other network code, ignore failures and attempt to clear out as much state as possible, even // if we hit an error on the way. Return the first error that we see. int ret = network->clearInterfaces(); if (mDefaultNetId == netId) { if (int err = static_cast(network)->removeAsDefault()) { ALOGE("inconceivable! removeAsDefault cannot fail on an empty network"); if (!ret) { ret = err; } } mDefaultNetId = NETID_UNSET; } else if (network->isVirtual()) { if (int err = modifyFallthroughLocked(netId, false)) { if (!ret) { ret = err; } } } mNetworks.erase(netId); delete network; for (auto iter = mIfindexToLastNetId.begin(); iter != mIfindexToLastNetId.end();) { if (iter->second == netId) { iter = mIfindexToLastNetId.erase(iter); } else { ++iter; } } updateTcpSocketMonitorPolling(); return ret; } int NetworkController::addInterfaceToNetwork(unsigned netId, const char* interface) { ScopedWLock lock(mRWLock); if (!isValidNetworkLocked(netId)) { ALOGE("no such netId %u", netId); return -ENONET; } unsigned existingNetId = getNetworkForInterfaceLocked(interface); if (existingNetId != NETID_UNSET && existingNetId != netId) { ALOGE("interface %s already assigned to netId %u", interface, existingNetId); return -EBUSY; } if (int ret = getNetworkLocked(netId)->addInterface(interface)) { return ret; } // Only populate mIfindexToLastNetId for non-local networks, because for these getIfIndex will // return 0. That's fine though, because that map is only used to prevent force-closing sockets // when the same IP address is handed over from one interface to another interface that is in // the same network but not in the same netId (for now this is done only on VPNs). That is not // useful for the local network because IP addresses in the local network are always assigned by // the device itself and never meaningful on any other network. if (netId != LOCAL_NET_ID) { int ifIndex = RouteController::getIfIndex(interface); if (ifIndex) { mIfindexToLastNetId[ifIndex] = netId; } else { // Cannot happen, since addInterface() above will have failed. ALOGE("inconceivable! added interface %s with no index", interface); } } return 0; } int NetworkController::removeInterfaceFromNetwork(unsigned netId, const char* interface) { ScopedWLock lock(mRWLock); if (!isValidNetworkLocked(netId)) { ALOGE("no such netId %u", netId); return -ENONET; } return getNetworkLocked(netId)->removeInterface(interface); } Permission NetworkController::getPermissionForUser(uid_t uid) const { ScopedRLock lock(mRWLock); return getPermissionForUserLocked(uid); } void NetworkController::setPermissionForUsers(Permission permission, const std::vector& uids) { ScopedWLock lock(mRWLock); for (uid_t uid : uids) { mUsers[uid] = permission; } } int NetworkController::checkUserNetworkAccess(uid_t uid, unsigned netId) const { ScopedRLock lock(mRWLock); return checkUserNetworkAccessLocked(uid, netId); } int NetworkController::setPermissionForNetworks(Permission permission, const std::vector& netIds) { ScopedWLock lock(mRWLock); for (unsigned netId : netIds) { Network* network = getNetworkLocked(netId); if (!network) { ALOGE("no such netId %u", netId); return -ENONET; } if (!network->isPhysical()) { ALOGE("cannot set permissions on non-physical network with netId %u", netId); return -EINVAL; } if (int ret = static_cast(network)->setPermission(permission)) { return ret; } } return 0; } namespace { int isWrongNetworkForUidRanges(unsigned netId, Network* network) { if (!network) { ALOGE("no such netId %u", netId); return -ENONET; } if (!network->canAddUsers()) { ALOGE("cannot add/remove users to/from %s network %u", network->getTypeString().c_str(), netId); return -EINVAL; } return 0; } } // namespace int NetworkController::addUsersToNetwork(unsigned netId, const UidRanges& uidRanges, int32_t subPriority) { ScopedWLock lock(mRWLock); Network* network = getNetworkLocked(netId); if (int ret = isWrongNetworkForUidRanges(netId, network)) { return ret; } return network->addUsers(uidRanges, subPriority); } int NetworkController::removeUsersFromNetwork(unsigned netId, const UidRanges& uidRanges, int32_t subPriority) { ScopedWLock lock(mRWLock); Network* network = getNetworkLocked(netId); if (int ret = isWrongNetworkForUidRanges(netId, network)) { return ret; } return network->removeUsers(uidRanges, subPriority); } int NetworkController::addRoute(unsigned netId, const char* interface, const char* destination, const char* nexthop, bool legacy, uid_t uid, int mtu) { return modifyRoute(netId, interface, destination, nexthop, ROUTE_ADD, legacy, uid, mtu); } int NetworkController::updateRoute(unsigned netId, const char* interface, const char* destination, const char* nexthop, bool legacy, uid_t uid, int mtu) { return modifyRoute(netId, interface, destination, nexthop, ROUTE_UPDATE, legacy, uid, mtu); } int NetworkController::removeRoute(unsigned netId, const char* interface, const char* destination, const char* nexthop, bool legacy, uid_t uid) { return modifyRoute(netId, interface, destination, nexthop, ROUTE_REMOVE, legacy, uid, 0); } void NetworkController::addInterfaceAddress(unsigned ifIndex, const char* address) { ScopedWLock lock(mRWLock); if (ifIndex == 0) { ALOGE("Attempting to add address %s without ifindex", address); return; } mAddressToIfindices[address].insert(ifIndex); } // Returns whether we should call SOCK_DESTROY on the removed address. bool NetworkController::removeInterfaceAddress(unsigned ifindex, const char* address) { ScopedWLock lock(mRWLock); // First, update mAddressToIfindices map auto ifindicesIter = mAddressToIfindices.find(address); if (ifindicesIter == mAddressToIfindices.end()) { ALOGE("Removing unknown address %s from ifindex %u", address, ifindex); return true; } std::unordered_set& ifindices = ifindicesIter->second; if (ifindices.erase(ifindex) > 0) { if (ifindices.size() == 0) { mAddressToIfindices.erase(ifindicesIter); // Invalidates ifindices // The address is no longer configured on any interface. return true; } } else { ALOGE("No record of address %s on interface %u", address, ifindex); return true; } // Then, check for VPN handover condition if (mIfindexToLastNetId.find(ifindex) == mIfindexToLastNetId.end()) { ALOGW("Interface index %u was never in a currently-connected non-local netId", ifindex); return true; } unsigned lastNetId = mIfindexToLastNetId[ifindex]; for (unsigned idx : ifindices) { unsigned activeNetId = mIfindexToLastNetId[idx]; // If this IP address is still assigned to another interface in the same network, // then we don't need to destroy sockets on it because they are likely still valid. // For now we do this only on VPNs. // TODO: evaluate extending this to all network types. if (lastNetId == activeNetId && isVirtualNetworkLocked(activeNetId)) { return false; } } return true; } bool NetworkController::isProtectableLocked(uid_t uid, unsigned netId) const { return mProtectableUsers.find({uid, NETID_UNSET}) != mProtectableUsers.cend() || mProtectableUsers.find({uid, netId}) != mProtectableUsers.cend(); } bool NetworkController::canProtectLocked(uid_t uid, unsigned netId) const { if ((getPermissionForUserLocked(uid) & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) { return true; } return isProtectableLocked(uid, netId); } bool NetworkController::canProtect(uid_t uid, unsigned netId) const { ScopedRLock lock(mRWLock); return canProtectLocked(uid, netId); } void NetworkController::allowProtect(uid_t uid, unsigned netId) { ScopedWLock lock(mRWLock); mProtectableUsers.emplace(std::make_pair(uid, netId)); } void NetworkController::denyProtect(uid_t uid, unsigned netId) { ScopedWLock lock(mRWLock); mProtectableUsers.erase(std::make_pair(uid, netId)); } void NetworkController::dump(DumpWriter& dw) { ScopedRLock lock(mRWLock); dw.incIndent(); dw.println("NetworkController"); dw.incIndent(); dw.println("Default network: %u", mDefaultNetId); dw.blankline(); dw.println("Networks:"); dw.incIndent(); for (const auto& i : mNetworks) { Network* network = i.second; dw.println(network->toString()); if (network->isPhysical()) { dw.incIndent(); Permission permission = reinterpret_cast(network)->getPermission(); dw.println("Required permission: %s", permissionToName(permission)); dw.decIndent(); } if (const auto& str = network->uidRangesToString(); !str.empty()) { dw.incIndent(); dw.println("Per-app UID ranges: %s", str.c_str()); dw.decIndent(); } if (const auto& str = network->allowedUidsToString(); !str.empty()) { dw.incIndent(); dw.println("Allowed UID ranges: %s", str.c_str()); dw.decIndent(); } dw.blankline(); } dw.decIndent(); dw.blankline(); dw.println("Interface <-> last network map:"); dw.incIndent(); for (const auto& i : mIfindexToLastNetId) { dw.println("Ifindex: %u NetId: %u", i.first, i.second); } dw.decIndent(); dw.blankline(); dw.println("Interface addresses:"); dw.incIndent(); for (const auto& i : mAddressToIfindices) { dw.println("address: %s ifindices: [%s]", i.first.c_str(), android::base::Join(i.second, ", ").c_str()); } dw.decIndent(); dw.blankline(); dw.println("Permission of users:"); dw.incIndent(); std::vector systemUids; std::vector networkUids; for (const auto& [uid, permission] : mUsers) { if ((permission & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) { systemUids.push_back(uid); } else if ((permission & PERMISSION_NETWORK) == PERMISSION_NETWORK) { networkUids.push_back(uid); } } dw.println("NETWORK: %s", android::base::Join(networkUids, ", ").c_str()); dw.println("SYSTEM: %s", android::base::Join(systemUids, ", ").c_str()); dw.decIndent(); dw.blankline(); dw.println("Protectable users:"); for (auto it : mProtectableUsers) { dw.println("[uid: %u : netId: %u]", it.first, it.second); } dw.decIndent(); dw.decIndent(); } void NetworkController::clearAllowedUidsForAllNetworksLocked() { for (const auto& [_, network] : mNetworks) { network->clearAllowedUids(); } } int NetworkController::setNetworkAllowlist( const std::vector& rangeConfigs) { const ScopedWLock lock(mRWLock); for (const auto& config : rangeConfigs) { Network* network = getNetworkLocked(config.netId); if (!network) return -ENONET; } clearAllowedUidsForAllNetworksLocked(); for (const auto& config : rangeConfigs) { Network* network = getNetworkLocked(config.netId); network->setAllowedUids(UidRanges(config.uidRanges)); } return 0; } bool NetworkController::isUidAllowed(unsigned netId, uid_t uid) const { const ScopedRLock lock(mRWLock); Network* network = getNetworkLocked(netId); // Exempt when no netId is specified and there is no default network, so that apps or tests can // do DNS lookups for hostnames in etc/hosts. if (netId == NETID_UNSET && mDefaultNetId == NETID_UNSET) { return true; } return network && network->isUidAllowed(uid); } bool NetworkController::isValidNetworkLocked(unsigned netId) const { return getNetworkLocked(netId); } Network* NetworkController::getNetworkLocked(unsigned netId) const { auto iter = mNetworks.find(netId); return iter == mNetworks.end() ? nullptr : iter->second; } VirtualNetwork* NetworkController::getVirtualNetworkForUserLocked(uid_t uid) const { int32_t subPriority; for (const auto& [_, network] : mNetworks) { if (network->isVirtual() && network->appliesToUser(uid, &subPriority)) { return static_cast(network); } } return nullptr; } // Returns the default network with the highest subsidiary priority among physical and unreachable // networks that applies to uid. For a single subsidiary priority, an uid should belong to only one // network. If the uid apply to different network with the same priority at the same time, the // behavior is undefined. That is a configuration error. Network* NetworkController::getPhysicalOrUnreachableNetworkForUserLocked(uid_t uid) const { Network* bestNetwork = nullptr; // In this function, appliesToUser() is used to figure out if this network is the user's default // network (not just if the user has access to this network). Rules at SUB_PRIORITY_NO_DEFAULT // "apply to the user" but do not include a default network rule. Since their subpriority (999) // is greater than SUB_PRIORITY_LOWEST (998), these rules never trump any subpriority that // includes a default network rule (appliesToUser returns the "highest" (=lowest value) // subPriority that includes the uid), and they get filtered out in the if-statement below. int32_t bestSubPriority = UidRanges::SUB_PRIORITY_NO_DEFAULT; for (const auto& [netId, network] : mNetworks) { int32_t subPriority; if (!network->isPhysical() && !network->isUnreachable()) continue; if (!network->appliesToUser(uid, &subPriority)) continue; if (subPriority == UidRanges::SUB_PRIORITY_NO_DEFAULT) continue; if (subPriority < bestSubPriority) { bestNetwork = network; bestSubPriority = subPriority; } } return bestNetwork; } Permission NetworkController::getPermissionForUserLocked(uid_t uid) const { auto iter = mUsers.find(uid); if (iter != mUsers.end()) { return iter->second; } return uid < FIRST_APPLICATION_UID ? PERMISSION_SYSTEM : PERMISSION_NONE; } int NetworkController::checkUserNetworkAccessLocked(uid_t uid, unsigned netId) const { Network* network = getNetworkLocked(netId); if (!network) { return -ENONET; } // If uid is INVALID_UID, this likely means that we were unable to retrieve the UID of the peer // (using SO_PEERCRED). Be safe and deny access to the network, even if it's valid. if (uid == INVALID_UID) { return -EREMOTEIO; } // If the UID has PERMISSION_SYSTEM, it can use whatever network it wants. Permission userPermission = getPermissionForUserLocked(uid); if ((userPermission & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) { return 0; } // If the UID wants to use a VPN, it can do so if and only if the VPN applies to the UID. int32_t subPriority; if (network->isVirtual()) { return network->appliesToUser(uid, &subPriority) ? 0 : -EPERM; } // If a VPN applies to the UID, and the VPN is secure (i.e., not bypassable), then the UID can // only select a different network if it has the ability to protect its sockets. VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid); if (virtualNetwork && virtualNetwork->isSecure() && !isProtectableLocked(uid, netId)) { ALOGE("uid %u can't select networks other than %u.", uid, virtualNetwork->getNetId()); return -EPERM; } // If the UID wants to use a physical network and it has a UID range that includes the UID, the // UID has permission to use it regardless of whether the permission bits match. if (network->isPhysical() && network->appliesToUser(uid, &subPriority)) { return 0; } // Only apps that are configured as "no default network" can use the unreachable network. if (network->isUnreachable()) { return network->appliesToUser(uid, &subPriority) ? 0 : -EPERM; } if (!network->isUidAllowed(uid)) { return -EACCES; } // Check whether the UID's permission bits are sufficient to use the network. // Because the permission of the system default network is PERMISSION_NONE(0x0), apps can always // pass the check here when using the system default network. const Permission networkPermission = network->getPermission(); return ((userPermission & networkPermission) == networkPermission) ? 0 : -EACCES; } int NetworkController::modifyRoute(unsigned netId, const char* interface, const char* destination, const char* nexthop, enum RouteOperation op, bool legacy, uid_t uid, int mtu) { ScopedRLock lock(mRWLock); if (!isValidNetworkLocked(netId)) { ALOGE("no such netId %u", netId); return -ENONET; } unsigned existingNetId = getNetworkForInterfaceLocked(interface); if (existingNetId == NETID_UNSET) { ALOGE("interface %s not assigned to any netId", interface); return -ENODEV; } if (existingNetId != netId) { ALOGE("interface %s assigned to netId %u, not %u", interface, existingNetId, netId); return -ENOENT; } RouteController::TableType tableType; if (netId == LOCAL_NET_ID) { tableType = RouteController::LOCAL_NETWORK; } else if (legacy) { if ((getPermissionForUserLocked(uid) & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) { tableType = RouteController::LEGACY_SYSTEM; } else { tableType = RouteController::LEGACY_NETWORK; } } else { tableType = RouteController::INTERFACE; } switch (op) { case ROUTE_ADD: return RouteController::addRoute(interface, destination, nexthop, tableType, mtu, 0 /* priority */); case ROUTE_UPDATE: return RouteController::updateRoute(interface, destination, nexthop, tableType, mtu); case ROUTE_REMOVE: return RouteController::removeRoute(interface, destination, nexthop, tableType, 0 /* priority */); } return -EINVAL; } int NetworkController::modifyFallthroughLocked(unsigned vpnNetId, bool add) { if (mDefaultNetId == NETID_UNSET) { return 0; } Network* network = getNetworkLocked(mDefaultNetId); if (!network) { ALOGE("cannot find previously set default network with netId %u", mDefaultNetId); return -ESRCH; } if (!network->isPhysical()) { ALOGE("inconceivable! default network must be a physical network"); return -EINVAL; } Permission permission = static_cast(network)->getPermission(); for (const auto& physicalInterface : network->getInterfaces()) { if (int ret = mDelegateImpl->modifyFallthrough(vpnNetId, physicalInterface, permission, add)) { return ret; } } return 0; } void NetworkController::updateTcpSocketMonitorPolling() { bool physicalNetworkExists = false; for (const auto& entry : mNetworks) { const auto& network = entry.second; if (network->isPhysical() && network->getNetId() >= MIN_NET_ID) { physicalNetworkExists = true; break; } } if (physicalNetworkExists) { android::net::gCtls->tcpSocketMonitor.resumePolling(); } else { android::net::gCtls->tcpSocketMonitor.suspendPolling(); } } } // namespace android::net