| Commit message | Author | Age | Files | Lines |

Normally when an IP address is removed, all sockets associated with the
addresses are destroyed. This patchset changes this behavior such that
if the address in question is still being used by another interface that
belongs to the same underlying virtual network, the destroy operation is
skipped. This change is needed to support VPN seamless handover where the
VPN app will establish a second TUN interface (with different config)
before tearing down the existing interface. The intention is that during
this handover existing socket connections should not be disturbed. There
is a companion change in the framework side to make sure during such
handover, the VPN netId remains unchanged so routing still works.
Bug: 64692591
Test: cts-tradefed run commandAndExit cts-dev -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests
Test: system/netd/tests/runtests.sh
Change-Id: I02c6b0db5f15cd1aef3e3fa6f0c36e86b4f427fd
Merged-In: I02c6b0db5f15cd1aef3e3fa6f0c36e86b4f427fd
(cherry picked from commit acbb6b7bbea17c5653929ee5224bd4f8e16c0f69)

Generally, it is not safe to set the explicit bit on DNS queries
due to the presence of (split tunnel) VPNs. However, the vast
majority of DNS queries occur without a VPN, and in these cases
it is safe to set the explicit bit.
Setting the explicit bit on DNS queries allows us to use upstream
DNS servers even in the case that we have a route to them in the
local_network table. This is the case, for example, when
tethering an Android device to a hotspot created by another
Android device.
Bug: 70673901
Test: marlin builds, boots
Test: netd_{unit,integration}_test pass
Change-Id: Ic24e3df9ca47b54256f012aee0facfcd410ce541

TcpSocketMonitor starts a sock_diag polling thread in its ctor whose
polling interval can be controlled with setPollingInterval() and
suspendPolling().
Initially the polling thread will immediately be suspended. The polling
thread is automatically started when 1 or more physical networks exist,
and automatically stopped when there are 0 physical networks.
By default the polling interval is set to 30 secs.
Also fix some code indentation issues.
Bug: 64147860
Test: tested manually, watching the result of
$ adb shell dumpsys netd tcp_socket_info
Change-Id: I7fe356a0a073ebc83486bc774a3002648e9dd457

Test: builds
Change-Id: Iaa32c1deb71da546e23ab48459df1388cd1d6d38

NetworkController uses read-write locking to protect readers
from network configuration changes, but is not fully thread-safe
in the presence of concurrent modification.
Currently concurrent modification almost never happens because
most netd commands are sent through CommandListener, which is
single-threaded. However, we need proper thread-safety to expose
NetworkController control via binder, which is inherently
multi-threaded.
Test: netd_{unit,integration}_test passes
Test: system boots, networking works.
Change-Id: Icc35c9173f342c8d0c45c6b47c0ebdb68de40073

Implement Netd HAL server and register service.
OEM network create and destroy
Test: ran VtsHalNetNetdV1_0TargetTest, netd_unit_test, netd_integration_test
Bug: 36682246
CRs-fixed: 2070022
Change-Id: I35681f0fbffbe09bf6db0ad25a276844ea997398
(cherry picked from commit 9560bedd6ce334d64d4e9e9331d00f90f5103e0e)

When a secure VPN is up, setting protectFromVpn=1 and explicitlySelected=0
causes the probe routing lookups used by _have_ipv4 and _have_ipv6 to skip
the VPN rule, instead selecting the default network.
This means that the address families for which we query DNS records are
determined by the address families of the default network, not those of
the VPN.
If explicitlySelected==true, setting protectFromVpn=true (if the app can
protect its sockets) results in querying the address families from the
specified network, which is correct.
Test: as follows
- built
- flashed
- booted
- runtest -x netd_integration_test.cpp passes
- testing per bug discussion
Bug: 37131664
Bug: 37347238
Change-Id: I7cf322a047494fd70c3c4d8862d53d6a6dac66de

Test: netd_{unit,integration}_test pass
Test: bullhead builds, boots
Bug: 34873832
Change-Id: I0a252328041b342f9c03cd08c11a69d452b045b3

This class stores the reporting level and can be used to get
the event listener service.
Bug: 29748723
(cherry picked from commit be581e228bd1a97efd179edcdd3e744622fb99b8)
Change-Id: I98bfa97cb502f4d19ccf8c79f32d347e7e168492

Bug: 29748723
Test: this is an APCT test.
(cherry picked from commit 484dac1d071c7476895c4a3184e8dbdd7b63e524)
Change-Id: I482a7d5c15210906069e0fe7ef55ab3f21bfc127

Bug: 23113288
(cherry picked from commit 1f28b6403effcbf8a2c6fd35a7b1474b60bc0463)
Change-Id: I8056830bf1e458017947912261d61bc060a1f340

Bug: 23113288
(cherry picked from commit c6201c3754710e235f16118761b23760ff4136ad)
Change-Id: I1407644e06e960e453a31b298e46ef866f0eebd2

When a VPN provides no DNS servers, DNS lookups are usually sent
to the default network's DNS servers. However, if a DNS lookup
is explicitly made on the VPN (e.g., via Network#openConnection),
then it just fails.
This breaks system proxies which perform network traffic on VPNs
on behalf of other apps, e.g., the download manager.
Fix this by doing the query to the default DNS servers (via the
default network) instead. This is consistent with what we do with
DNS queries that do not specify a network. While this is a change
in behaviour, it shouldn't cause much breakage because the query
would previously just fail.
Bug: 29498052
Change-Id: Ie4002c9835bb1ff6d3d92c00c9c04e634fc3cda4

BUG: 27199751
Change-Id: I1144228febba0c4cce1333fb39ea186d2963ed10

BUG: 25731675
Change-Id: I1c715368b1f2d5e732528cd226b3f69792b75321

1. Change the SockDiag callback function to be a filter that
returns a bool instead of a function that optionally kills a
socket. All existing callbacks basically only existed to kill
sockets under certain conditions, and making them return a
boolean allows reusing the same callback function signature
to filter sockets as well.
2. Add a new SockDiag method to kill sockets based on a UidRanges
object (which contains a number of UID ranges) and a list of
users to skip.
3. Add a new UIDRANGE mode to SockDiagTest to test the above.
4. When UID ranges are added or removed from the VPN, kill
sockets in those UID ranges unless the socket UIDs are in
mProtectableUsers and thus their creator might have set the
protect bit on their mark. Short of actually being
able to see the socket mark on each socket and basing our
decision on that, this is the best we can do.
Bug: 26976388
Change-Id: I53a30df3feb63254a6451a29fa6041c9b679f9bb

This is called by "dumpsys netd".
Bug: 27239233
Change-Id: I27fb308f8067243ff241a6f8fd6a83f406087d2a

Specifically: set explicitlySelected, protectedFromVpn and permissions.
Bug: 26256264
Change-Id: I1ebd2c1878fb7166ac63c061c8731e66b0050a30

Add a new NetworkController::getNetworkContext() that builds the
contents of a struct net_context out of getNetworkForConnect()
and getNetworkForDns().
Bug: 19470192
Bug: 20733156
Bug: 21832279
Change-Id: I5a69b0413a83d33be28b78c0a99359b109517a8f

Bug: 19500693
Change-Id: Ic25f2d8c481f1528e887e43ca3fa868189582110

It's very confusing to see EPERM when opening or connecting a
socket when the problem is not security-related. In the (common)
case where an app cannot select a network because it does not
exist, return ENONET ("Machine is not on network") instead.
Also, return EREMOTEIO for when we can't figure out who the user
is, and use EPERM for VPN denials and EACCES for permission
bits.
Bug: 17702933
Change-Id: Ia680c485e0ea1efad1ad374231d994e9bfd4cd5a

Also reserve 51..100 for our use.
Bug: 17303534
Change-Id: Id082368b493dc3c5b5c479e51d273458d80ec6aa

1. Retry route flushes if they fail.
2. Make destroyNetwork ignore (but return) errors.
Bug: 16944962
Change-Id: I26301613437d7cc373ff64955fd44d716e9982b9

Currently, when trying to perform an operation on netId that
does not exist, we return EINVAL. This can be confusing
because lots of things can return EINVAL for many different
reasons.
Instead, change this to ENONET ("Machine is not on network"),
which was what Sreeram originally implemented before we changed
it to EINVAL. I also considered ENOENT ("No such file or
directory"), but on reflection that seems less appropriate, and
it's used by other things as well. ENONET appears to have no
uses in our tree. It is also clearly separate from the ESRCH we
return for nonexistent rules.
While I'm at it, also disambiguate some of the
if (foo || bar ) { return EFOO; } to return two different error
codes.
Bug: 16667349
Change-Id: Ief2d720a58679aa746f5ba273d545487d0825e52

This is a significant change to the way fwmarks are handled for two purposes:
1. Bypassable VPN.
This was introduced in http://ag/510058 and had an issue that if there's a
default network, it would always be used in connect(), so the bypassable VPN
wouldn't get any traffic. This CL fixes that issue by using the bypassable
VPN's NetId in connect(). See the comments in the code for more details.
2. DNS.
The previous DNS code (specifically, getNetworkForUser()) had two problems:
+ Even if a user asks for a NetId they have permission for, we'd always use
the user's VPN if they were subject to one. So, for example, a system IMS
app that brings up the mobile network in the presence of a VPN would still
have its DNS queries sent over the VPN, instead of mobile as desired.
+ Any user could perform DNS over any valid network, even one they didn't
have permissions for, as long as they weren't subject to a VPN. So, for
example, an app could use the DNS servers of a different profile's VPN.
This CL fixes those problems. See getNetworkForDns() for more details.
The two pieces above are inter-related. Previously, we never set the explicit
bit from the DNS code. But we need to do that if the user asks for a network
explicitly, for two reasons:
o So that the DNS query is really restricted to that network and doesn't
fallthrough to the default network.
o So that the heuristic described in ON_CONNECT works in all cases. I.e., if the
DNS proxy's connect() request comes in with the explicit bit NOT set, we know
that the NetId can only be either the default network or a VPN.
This CL is not intended to be robust against race conditions. In general, very
little of the netd code is resilient. A separate effort needs to be undertaken
to carefully audit all the code and logic to guard against things like:
* A VPN being established between calls to getNetworkForDns() and connect().
* State changes between multiple calls to NetworkController from clients such as
FwmarkServer and DnsProxyListener.
* Routing rules / iptables rules being set up in a less-than-ideal order.
* ... etc.
Bug: 15347374
Change-Id: I5baad9168c4f4f3ef4129e07234b4bf24b0d8ba2

Change-Id: Ibc48caedb5954c6b12bfa553d978bab56c4b09aa

Bypassable VPNs grab all traffic by default (just like secure VPNs), but:
+ They allow all apps to choose other networks using the multinetwork APIs.
If these other networks are insecure ("untrusted"), they will enforce that the
app holds the necessary permissions, such as CHANGE_NETWORK_STATE.
+ They support consistent routing. If an app has an existing connection over
some other network when the bypassable VPN comes up, it's not interrupted.
Bug: 15347374
Change-Id: Iaee9c6f6fa8103215738570d2b65d3fcf10343f3

A LocalNetwork object now always exists in the NetworkController, with a fixed
NetId that's guaranteed not to collide with NetIds created by the framework.
When routes are added on an interface tracked by the LocalNetwork, they are
added to a fixed "local_network" table.
When NAT is enabled, we add a special "iif -> oif" tethering rule.
Bug: 15413694
Bug: 15413741
Change-Id: I36effc438d5ac193a77174493bf196cb68a5b97a

Change-Id: I0cc6c0e221a40c9100c8f4c0c5e761fce3f9b0ae

Fixes tethering via Ethernet, Bluetooth and WiFi (hotspot).
Tethering when the upstream has a DUN-specific APN is likely still broken
(untested).
For now, assign a fixed NetId (a hack) until we can change the framework to
create a valid NetworkAgent and all that jazz.
Bug: 15968336
Bug: 14988803
Change-Id: Idcf4d492d9329a9c87913e27be6dd835a792bea2

Major:
+ Implement the functions mentioned in http://go/android-multinetwork-routing
correctly, including handling accept(), connect(), setNetworkForSocket()
and protect() and supporting functions like canUserSelectNetwork().
+ Eliminate the old code path of getting/setting UID ranges through
SecondaryTableController (which is currently unused) and mUidMap.
Minor:
+ Rename some methods/variables for clarity and consistency.
+ Moved some methods in .cpp files to match declaration order in the .h files.
Bug: 15409918
Change-Id: Ic6ce3646c58cf645db0d9a53cbeefdd7ffafff93

As per the latest changes to: http://go/android-multinetwork-routing
Functional changes:
+ Add explicit=NO to the implicit network rules, though it's a no-op.
+ Remove most of the UID=0 (kernel access) rules since they are no longer
needed, except in one case to allow access to a VPN.
+ Add the explicit, protect and permissions bits to the incoming packet mark.
+ VPNs now don't need an implicit network rule.
+ Modifying network permissions now modifies the incoming packet mark as well.
Cosmetic changes:
+ Renamed the legacy tables to match their permissions (SYSTEM and NETWORK).
+ Renamed most functions and methods for clarity and consistency.
+ Renamed and adjusted some rule priorities.
+ Move most rule modifications into their own functions, to prevent brittle
reliance on the previous state of the fwmark/mask variables.
Change-Id: I958a7e158ee918d5254de606fcfa55fe23327438

+ Rename the permissions as per: http://go/android-multinetwork-routing
+ Make the SYSTEM permission explicitly include NETWORK.
+ Grant the SYSTEM permission to system UIDs by default, but allow the framework
to override them if necessary.
+ Move the "string to permission" parsing to CommandListener.cpp, thus allowing
us to get rid of Permission.cpp.
+ There's no need to support multiple permissions string arguments, so tighten
that up.
Change-Id: I73d51b5e2f44a97e6d5ab5943ff198cebfbcc0c4

This is an API change between ConnectivityService and Netd.
The ownerUid was meant for this purpose, but it's insufficient, as apps need to
call protect() _before_ they create a VPN.
Bug: 15409918
Change-Id: If804aa106002e96d5ffb623d32db35fd76928367

This is a cosmetic change, i.e., there's no change in functionality.
This is the poor man's RTTI. It turns out that maintaining separate lists (or
maps) of the different types of networks gets burdensome pretty quickly
(especially in an upcoming CL where we add functions like
canUserSelectNetwork()).
Change-Id: If5250c0fc106045f681d0fd71278b793addbe1e3

Fix the rules in RouteController as per the latest iteration of the routing
design: http://go/android-multinetwork-routing. Changes include:
+ The legacy tables have to be global. So remove the UID being passed in to
modifyRoute() and remove the associated TODOs.
+ Add UID=0 rules to let the kernel access routes on privileged networks.
+ Add a UID=0 clause to the directly-connected hack, thus fixing the TODO.
+ Add the privileged_legacy table just above the legacy table, when overriding
the default network. (The same table remains added at the top of the rule
chain, to override VPNs, but only for CONNECTIVITY_INTERNAL-privileged apps).
Other cosmetic changes:
+ Update the names and values of the rule priorities.
+ Move the legacy table IDs to the .h file in anticipation of using them from
bugreport / dump commands.
+ Make 'action' the first parameter consistently.
Change-Id: I6634a19ddc8062b2ef55d926c7892fff8c586106

This adds the necessary routing rules.
Future CLs will add the ability to select the right netId for connect(),
setNetworkForSocket(), DNS resolutions, etc.
Bug: 15409918
Change-Id: I88a67660d49cecda834dd72ab947fbfed250f09d

This change sets up the basic routing rules for VPNs. It doesn't yet handle UID
ranges (that are meant to apply to the VPN) correctly. That's forthcoming in
other CLs.
Bug: 15409918
Change-Id: I284de04f176dcf6ba702361de6a614266256d04e

Currently, there's a lot of logic in NetworkController surrounding events such
as interface addition/removal, network creation/destruction and default network
change, because these events are intertwined. For example, adding an interface
means also adding a corresponding default network rule if the interface is being
added to the current default network.
When we introduce VPNs into this mix, things will get hairy real quick for all
this logic in NetworkController.
In this refactor, we introduce an abstract base class Network which supports
adding and removing interfaces. The main concrete implementation of this is
PhysicalNetwork, which allows setting permissions and "default network" state.
Since we've moved network permissions into the above class, and user permissions
into NetworkController, PermissionsController is unused and has been removed.
Also fix a few bugs in RouteController:
+ Use uidEnd correctly.
+ Check for all error cases in inet_pton.
+ Check the return value of android_fork_execvp() correctly.
+ The "return cmd1() && cmd2()" pattern is wrong. Rewrite that code.
Also (non-functional changes):
+ Remove instantiations of RouteController. It has static methods only.
+ Reorder some blocks in CommandListener so that the most frequent commands are
checked first.
+ Remove unused paramError() and clearNetworkPreference().
+ Change all return codes to int (negative errno) wherever applicable.
+ Add WARN_UNUSED_RESULT everywhere.
+ Cleanup some style in RouteController and NetworkController.
+ Use uid_t instead of unsigned for user IDs.
+ Add clearer log messages at the source of failures.
+ Add a check for when fwmark bits are set without corresponding mask bits.
Bug: 15409918
Change-Id: Ibba78b0850160f9f3d17d476f16331a6db0025d1

Change-Id: If01334dccad8b6230648713a57fd58be180ac66b

Change-Id: Id1d6d578963080e141f71bc1303801fc53bce40a

Without caching them netd will fail to remove rules and routes,
for example, when the Bluetooth reverse-tether interface ("bt-pan")
goes away.
bug:15407087
Change-Id: I99fcf00f9645a0b029455516a705b70110f62ff6

bug:15560990
Change-Id: I899827c4f50847a3a60b6359f829bee5d6eb4f00

* commit 'ce8f583ff6620a19602d3c4604557e1b1501cafa':
    Set errno in NetworkController commands.

Set errno in the NetworkController functions that are called by
CommandListener and where failure causes an operationError. This
is because operationError always appends errno to its messages,
and
"400 481 addInterfaceToNetwork() failed (Device or resource busy)"
is more useful than:
"400 481 addInterfaceToNetwork() failed (Success)"
We already call ALOGE to put descriptive messages in the system
log, but the bugreport already conveniently aggregates all netd
commands in one place in the network_management service dump, and
it would help if the errno in those messages were accurate.
Unfortunately many of the route and iptables commands shell out
to /sbin/ip and we can't return meaningful values, but we'll
fix that when (if?) we replace that with a proper netlink
implementation.
Bug: 15316764
Change-Id: Ia47f451029d611491aa72bca602de77333f2c6a0

This adds the routes to two fixed tables:
+ LEGACY, which has higher priority than other non-explicit lookup tables
(per-network and default network).
+ PRIVILEGED_LEGACY, available only to system apps and has higher priority than
VPNs (system apps are those with the CONNECTIVITY_INTERNAL permission).
This will be changed to per-UID tables once the kernel supports UID-based
routing, so that these legacy routes are scoped to each app and not global.
Also, fix a TODO: The framework (as of http://ag/471599) will not set the
gateway argument if it's actually a direct-connected route.
Change-Id: I0ee1ca89fdc859d75a89021ca8c1902811b1e4a9

+ isNetIdValid() doesn't make much sense. What we want is whether the netId has
actually been created (via createNetwork()).
+ It isn't an error to call deleteNetwork() or setDefaultNetwork() even when
there are no interfaces assigned to the network.
+ Secure all accesses to the maps in PermissionsController with locks; they are
called from many threads (CommandListener, DnsProxyListener and FwmarkServer).
+ Remove the redundant mIfaceNetidMap.
+ Minor cosmetic changes to things such as #includes and log messages.
Change-Id: Ieb154589b24f00ba8067eaaec4def3534aec4923

Change-Id: Ie4b6b303225c93f2448a503d6ea9cebb552cbad5