/*
* Copyright (C) 2014 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "NetdClient.h"
#include <arpa/inet.h>
#include <errno.h>
#include <math.h>
#include <resolv.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <atomic>
#include <string>
#include <vector>
#include <android-base/parseint.h>
#include <android-base/unique_fd.h>
#include "Fwmark.h"
#include "FwmarkClient.h"
#include "FwmarkCommand.h"
#include "netdclient_priv.h"
#include "netdutils/ResponseCode.h"
#include "netdutils/Stopwatch.h"
#include "netid_client.h"
using android::base::ParseInt;
using android::base::unique_fd;
using android::netdutils::ResponseCode;
using android::netdutils::Stopwatch;
namespace {
// Keep this in sync with CMD_BUF_SIZE in FrameworkListener.cpp.
constexpr size_t MAX_CMD_SIZE = 4096;
std::atomic_uint netIdForProcess(NETID_UNSET);
std::atomic_uint netIdForResolv(NETID_UNSET);
typedef int (*Accept4FunctionType)(int, sockaddr*, socklen_t*, int);
typedef int (*ConnectFunctionType)(int, const sockaddr*, socklen_t);
typedef int (*SocketFunctionType)(int, int, int);
typedef unsigned (*NetIdForResolvFunctionType)(unsigned);
typedef int (*DnsOpenProxyType)();
// These variables are only modified at startup (when libc.so is loaded) and never afterwards, so
// it's okay that they are read later at runtime without a lock.
Accept4FunctionType libcAccept4 = nullptr;
ConnectFunctionType libcConnect = nullptr;
SocketFunctionType libcSocket = nullptr;
int checkSocket(int socketFd) {
if (socketFd < 0) {
return -EBADF;
}
int family;
socklen_t familyLen = sizeof(family);
if (getsockopt(socketFd, SOL_SOCKET, SO_DOMAIN, &family, &familyLen) == -1) {
return -errno;
}
if (!FwmarkClient::shouldSetFwmark(family)) {
return -EAFNOSUPPORT;
}
return 0;
}
bool shouldMarkSocket(int socketFd, const sockaddr* dst) {
// Only mark inet sockets that are connecting to inet destinations. This excludes, for example,
// inet sockets connecting to AF_UNSPEC (i.e., being disconnected), and non-inet sockets that
// for some reason the caller wants to attempt to connect to an inet destination.
return dst && FwmarkClient::shouldSetFwmark(dst->sa_family) && (checkSocket(socketFd) == 0);
}
int closeFdAndSetErrno(int fd, int error) {
close(fd);
errno = -error;
return -1;
}
int netdClientAccept4(int sockfd, sockaddr* addr, socklen_t* addrlen, int flags) {
int acceptedSocket = libcAccept4(sockfd, addr, addrlen, flags);
if (acceptedSocket == -1) {
return -1;
}
int family;
if (addr) {
family = addr->sa_family;
} else {
socklen_t familyLen = sizeof(family);
if (getsockopt(acceptedSocket, SOL_SOCKET, SO_DOMAIN, &family, &familyLen) == -1) {
return closeFdAndSetErrno(acceptedSocket, -errno);
}
}
if (FwmarkClient::shouldSetFwmark(family)) {
FwmarkCommand command = {FwmarkCommand::ON_ACCEPT, 0, 0, 0};
if (int error = FwmarkClient().send(&command, acceptedSocket, nullptr)) {
return closeFdAndSetErrno(acceptedSocket, error);
}
}
return acceptedSocket;
}
int netdClientConnect(int sockfd, const sockaddr* addr, socklen_t addrlen) {
const bool shouldSetFwmark = shouldMarkSocket(sockfd, addr);
if (shouldSetFwmark) {
FwmarkCommand command = {FwmarkCommand::ON_CONNECT, 0, 0, 0};
if (int error = FwmarkClient().send(&command, sockfd, nullptr)) {
errno = -error;
return -1;
}
}
// Latency measurement does not include time of sending commands to Fwmark
Stopwatch s;
const int ret = libcConnect(sockfd, addr, addrlen);
// Save errno so it isn't clobbered by sending ON_CONNECT_COMPLETE
const int connectErrno = errno;
const unsigned latencyMs = lround(s.timeTaken());
// Send an ON_CONNECT_COMPLETE command that includes sockaddr and connect latency for reporting
if (shouldSetFwmark && FwmarkClient::shouldReportConnectComplete(addr->sa_family)) {
FwmarkConnectInfo connectInfo(ret == 0 ? 0 : connectErrno, latencyMs, addr);
// TODO: get the netId from the socket mark once we have continuous benchmark runs
FwmarkCommand command = {FwmarkCommand::ON_CONNECT_COMPLETE, /* netId (ignored) */ 0,
/* uid (filled in by the server) */ 0, 0};
// Ignore return value since it's only used for logging
FwmarkClient().send(&command, sockfd, &connectInfo);
}
errno = connectErrno;
return ret;
}
int netdClientSocket(int domain, int type, int protocol) {
int socketFd = libcSocket(domain, type, protocol);
if (socketFd == -1) {
return -1;
}
unsigned netId = netIdForProcess & ~NETID_USE_LOCAL_NAMESERVERS;
if (netId != NETID_UNSET && FwmarkClient::shouldSetFwmark(domain)) {
if (int error = setNetworkForSocket(netId, socketFd)) {
return closeFdAndSetErrno(socketFd, error);
}
}
return socketFd;
}
unsigned getNetworkForResolv(unsigned netId) {
if (netId != NETID_UNSET) {
return netId;
}
// Special case for DNS-over-TLS bypass; b/72345192 .
if ((netIdForResolv & ~NETID_USE_LOCAL_NAMESERVERS) != NETID_UNSET) {
return netIdForResolv;
}
netId = netIdForProcess;
if (netId != NETID_UNSET) {
return netId;
}
return netIdForResolv;
}
int setNetworkForTarget(unsigned netId, std::atomic_uint* target) {
const unsigned requestedNetId = netId;
netId &= ~NETID_USE_LOCAL_NAMESERVERS;
if (netId == NETID_UNSET) {
*target = netId;
return 0;
}
// Verify that we are allowed to use |netId|, by creating a socket and trying to have it marked
// with the netId. Call libcSocket() directly; else the socket creation (via netdClientSocket())
// might itself cause another check with the fwmark server, which would be wasteful.
const auto socketFunc = libcSocket ? libcSocket : socket;
int socketFd = socketFunc(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (socketFd < 0) {
return -errno;
}
int error = setNetworkForSocket(netId, socketFd);
if (!error) {
*target = requestedNetId;
}
close(socketFd);
return error;
}
int dns_open_proxy() {
const char* cache_mode = getenv("ANDROID_DNS_MODE");
const bool use_proxy = (cache_mode == NULL || strcmp(cache_mode, "local") != 0);
if (!use_proxy) {
errno = ENOSYS;
return -1;
}
const auto socketFunc = libcSocket ? libcSocket : socket;
int s = socketFunc(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
if (s == -1) {
return -1;
}
const int one = 1;
setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
static const struct sockaddr_un proxy_addr = {
.sun_family = AF_UNIX,
.sun_path = "/dev/socket/dnsproxyd",
};
const auto connectFunc = libcConnect ? libcConnect : connect;
if (TEMP_FAILURE_RETRY(
connectFunc(s, (const struct sockaddr*) &proxy_addr, sizeof(proxy_addr))) != 0) {
// Store the errno for connect because we only care about why we can't connect to dnsproxyd
int storedErrno = errno;
close(s);
errno = storedErrno;
return -1;
}
return s;
}
auto divCeil(size_t dividend, size_t divisor) {
return ((dividend + divisor - 1) / divisor);
}
// FrameworkListener only does only read() call, and fails if the read doesn't contain \0
// Do single write here
int sendData(int fd, const void* buf, size_t size) {
if (fd < 0) {
return -EBADF;
}
ssize_t rc = TEMP_FAILURE_RETRY(write(fd, (char*) buf, size));
if (rc > 0) {
return rc;
} else if (rc == 0) {
return -EIO;
} else {
return -errno;
}
}
int readData(int fd, void* buf, size_t size) {
if (fd < 0) {
return -EBADF;
}
size_t current = 0;
for (;;) {
ssize_t rc = TEMP_FAILURE_RETRY(read(fd, (char*) buf + current, size - current));
if (rc > 0) {
current += rc;
if (current == size) {
break;
}
} else if (rc == 0) {
return -EIO;
} else {
return -errno;
}
}
return 0;
}
bool readBE32(int fd, int32_t* result) {
int32_t tmp;
ssize_t n = TEMP_FAILURE_RETRY(read(fd, &tmp, sizeof(tmp)));
if (n < static_cast<ssize_t>(sizeof(tmp))) {
return false;
}
*result = ntohl(tmp);
return true;
}
bool readResponseCode(int fd, int* result) {
char buf[4];
ssize_t n = TEMP_FAILURE_RETRY(read(fd, &buf, sizeof(buf)));
if (n < static_cast<ssize_t>(sizeof(buf))) {
return false;
}
// The format of response code is 3 bytes followed by a space.
buf[3] = '\0';
if (!ParseInt(buf, result)) {
errno = EINVAL;
return false;
}
return true;
}
} // namespace
#define CHECK_SOCKET_IS_MARKABLE(sock) \
do { \
int err; \
if ((err = checkSocket(sock)) != 0) { \
return err; \
} \
} while (false);
// accept() just calls accept4(..., 0), so there's no need to handle accept() separately.
extern "C" void netdClientInitAccept4(Accept4FunctionType* function) {
if (function && *function) {
libcAccept4 = *function;
*function = netdClientAccept4;
}
}
extern "C" void netdClientInitConnect(ConnectFunctionType* function) {
if (function && *function) {
libcConnect = *function;
*function = netdClientConnect;
}
}
extern "C" void netdClientInitSocket(SocketFunctionType* function) {
if (function && *function) {
libcSocket = *function;
*function = netdClientSocket;
}
}
extern "C" void netdClientInitNetIdForResolv(NetIdForResolvFunctionType* function) {
if (function) {
*function = getNetworkForResolv;
}
}
extern "C" void netdClientInitDnsOpenProxy(DnsOpenProxyType* function) {
if (function) {
*function = dns_open_proxy;
}
}
extern "C" int getNetworkForSocket(unsigned* netId, int socketFd) {
if (!netId || socketFd < 0) {
return -EBADF;
}
Fwmark fwmark;
socklen_t fwmarkLen = sizeof(fwmark.intValue);
if (getsockopt(socketFd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen) == -1) {
return -errno;
}
*netId = fwmark.netId;
return 0;
}
extern "C" unsigned getNetworkForProcess() {
return netIdForProcess & ~NETID_USE_LOCAL_NAMESERVERS;
}
extern "C" int setNetworkForSocket(unsigned netId, int socketFd) {
CHECK_SOCKET_IS_MARKABLE(socketFd);
FwmarkCommand command = {FwmarkCommand::SELECT_NETWORK, netId, 0, 0};
return FwmarkClient().send(&command, socketFd, nullptr);
}
extern "C" int setNetworkForProcess(unsigned netId) {
return setNetworkForTarget(netId, &netIdForProcess);
}
extern "C" int setNetworkForResolv(unsigned netId) {
return setNetworkForTarget(netId, &netIdForResolv);
}
extern "C" int protectFromVpn(int socketFd) {
if (socketFd < 0) {
return -EBADF;
}
FwmarkCommand command = {FwmarkCommand::PROTECT_FROM_VPN, 0, 0, 0};
return FwmarkClient().send(&command, socketFd, nullptr);
}
extern "C" int setNetworkForUser(uid_t uid, int socketFd) {
CHECK_SOCKET_IS_MARKABLE(socketFd);
FwmarkCommand command = {FwmarkCommand::SELECT_FOR_USER, 0, uid, 0};
return FwmarkClient().send(&command, socketFd, nullptr);
}
extern "C" int queryUserAccess(uid_t uid, unsigned netId) {
FwmarkCommand command = {FwmarkCommand::QUERY_USER_ACCESS, netId, uid, 0};
return FwmarkClient().send(&command, -1, nullptr);
}
extern "C" int tagSocket(int socketFd, uint32_t tag, uid_t uid) {
CHECK_SOCKET_IS_MARKABLE(socketFd);
FwmarkCommand command = {FwmarkCommand::TAG_SOCKET, 0, uid, tag};
return FwmarkClient().send(&command, socketFd, nullptr);
}
extern "C" int untagSocket(int socketFd) {
CHECK_SOCKET_IS_MARKABLE(socketFd);
FwmarkCommand command = {FwmarkCommand::UNTAG_SOCKET, 0, 0, 0};
return FwmarkClient().send(&command, socketFd, nullptr);
}
extern "C" int setCounterSet(uint32_t counterSet, uid_t uid) {
FwmarkCommand command = {FwmarkCommand::SET_COUNTERSET, 0, uid, counterSet};
return FwmarkClient().send(&command, -1, nullptr);
}
extern "C" int deleteTagData(uint32_t tag, uid_t uid) {
FwmarkCommand command = {FwmarkCommand::DELETE_TAGDATA, 0, uid, tag};
return FwmarkClient().send(&command, -1, nullptr);
}
extern "C" int resNetworkQuery(unsigned netId, const char* dname, int ns_class, int ns_type,
uint32_t flags) {
std::vector<uint8_t> buf(MAX_CMD_SIZE, 0);
int len = res_mkquery(ns_o_query, dname, ns_class, ns_type, nullptr, 0, nullptr, buf.data(),
MAX_CMD_SIZE);
return resNetworkSend(netId, buf.data(), len, flags);
}
extern "C" int resNetworkSend(unsigned netId, const uint8_t* msg, size_t msglen, uint32_t flags) {
// Encode
// Base 64 encodes every 3 bytes into 4 characters, but then adds padding to the next
// multiple of 4 and a \0
const size_t encodedLen = divCeil(msglen, 3) * 4 + 1;
std::string encodedQuery(encodedLen - 1, 0);
int enLen = b64_ntop(msg, msglen, encodedQuery.data(), encodedLen);
if (enLen < 0) {
// Unexpected behavior, encode failed
// b64_ntop only fails when size is too long.
return -EMSGSIZE;
}
// Send
netId = getNetworkForResolv(netId);
const std::string cmd = "resnsend " + std::to_string(netId) + " " + std::to_string(flags) +
" " + encodedQuery + '\0';
if (cmd.size() > MAX_CMD_SIZE) {
// Cmd size must less than buffer size of FrameworkListener
return -EMSGSIZE;
}
int fd = dns_open_proxy();
if (fd == -1) {
return -errno;
}
ssize_t rc = sendData(fd, cmd.c_str(), cmd.size());
if (rc < 0) {
close(fd);
return rc;
}
shutdown(fd, SHUT_WR);
return fd;
}
extern "C" int resNetworkResult(int fd, int* rcode, uint8_t* answer, size_t anslen) {
int32_t result = 0;
unique_fd ufd(fd);
// Read -errno/rcode
if (!readBE32(fd, &result)) {
// Unexpected behavior, read -errno/rcode fail
return -errno;
}
if (result < 0) {
// result < 0, it's -errno
return result;
}
// result >= 0, it's rcode
*rcode = result;
// Read answer
int32_t size = 0;
if (!readBE32(fd, &size)) {
// Unexpected behavior, read ans len fail
return -EREMOTEIO;
}
if (anslen < static_cast<size_t>(size)) {
// Answer buffer is too small
return -EMSGSIZE;
}
int rc = readData(fd, answer, size);
if (rc < 0) {
// Reading the answer failed.
return rc;
}
return size;
}
extern "C" void resNetworkCancel(int fd) {
close(fd);
}
extern "C" int getNetworkForDns(unsigned* dnsNetId) {
if (dnsNetId == nullptr) return -EFAULT;
int fd = dns_open_proxy();
if (fd == -1) {
return -errno;
}
unique_fd ufd(fd);
return getNetworkForDnsInternal(fd, dnsNetId);
}
int getNetworkForDnsInternal(int fd, unsigned* dnsNetId) {
if (fd == -1) {
return -EBADF;
}
unsigned resolvNetId = getNetworkForResolv(NETID_UNSET);
const std::string cmd = "getdnsnetid " + std::to_string(resolvNetId);
ssize_t rc = sendData(fd, cmd.c_str(), cmd.size() + 1);
if (rc < 0) {
return rc;
}
int responseCode = 0;
// Read responseCode
if (!readResponseCode(fd, &responseCode)) {
// Unexpected behavior, read responseCode fail
return -errno;
}
if (responseCode != ResponseCode::DnsProxyQueryResult) {
return -EOPNOTSUPP;
}
int32_t result = 0;
// Read -errno/dnsnetid
if (!readBE32(fd, &result)) {
// Unexpected behavior, read -errno/dnsnetid fail
return -errno;
}
*dnsNetId = result;
return 0;
}