Google Git
Sign in
nest-open-source / nest-cam / 4320010 / netd / refs/heads/master / . / netd / client / NetdClient.cpp
blob: 392b0af6a583eb90b17d5a9ca29c6f9eb8a57f78 [file] [log] [blame]
/*
* Copyright (C) 2014 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "NetdClient.h"
#include <errno.h>
#include <sys/socket.h>
#include <unistd.h>
#include <atomic>
#include "Fwmark.h"
#include "FwmarkClient.h"
#include "FwmarkCommand.h"
#include "resolv_netid.h"
namespace {
std::atomic_uint netIdForProcess(NETID_UNSET);
std::atomic_uint netIdForResolv(NETID_UNSET);
typedef int (*Accept4FunctionType)(int, sockaddr*, socklen_t*, int);
typedef int (*ConnectFunctionType)(int, const sockaddr*, socklen_t);
typedef int (*SocketFunctionType)(int, int, int);
typedef unsigned (*NetIdForResolvFunctionType)(unsigned);
// These variables are only modified at startup (when libc.so is loaded) and never afterwards, so
// it's okay that they are read later at runtime without a lock.
Accept4FunctionType libcAccept4 = 0;
ConnectFunctionType libcConnect = 0;
SocketFunctionType libcSocket = 0;
int closeFdAndSetErrno(int fd, int error) {
close(fd);
errno = -error;
return -1;
}
int netdClientAccept4(int sockfd, sockaddr* addr, socklen_t* addrlen, int flags) {
int acceptedSocket = libcAccept4(sockfd, addr, addrlen, flags);
if (acceptedSocket == -1) {
return -1;
}
int family;
if (addr) {
family = addr->sa_family;
} else {
socklen_t familyLen = sizeof(family);
if (getsockopt(acceptedSocket, SOL_SOCKET, SO_DOMAIN, &family, &familyLen) == -1) {
return closeFdAndSetErrno(acceptedSocket, -errno);
}
}
if (FwmarkClient::shouldSetFwmark(family)) {
FwmarkCommand command = {FwmarkCommand::ON_ACCEPT, 0, 0};
if (int error = FwmarkClient().send(&command, acceptedSocket)) {
return closeFdAndSetErrno(acceptedSocket, error);
}
}
return acceptedSocket;
}
int netdClientConnect(int sockfd, const sockaddr* addr, socklen_t addrlen) {
if (sockfd >= 0 && addr && FwmarkClient::shouldSetFwmark(addr->sa_family)) {
FwmarkCommand command = {FwmarkCommand::ON_CONNECT, 0, 0};
if (int error = FwmarkClient().send(&command, sockfd)) {
errno = -error;
return -1;
}
}
return libcConnect(sockfd, addr, addrlen);
}
int netdClientSocket(int domain, int type, int protocol) {
int socketFd = libcSocket(domain, type, protocol);
if (socketFd == -1) {
return -1;
}
unsigned netId = netIdForProcess;
if (netId != NETID_UNSET && FwmarkClient::shouldSetFwmark(domain)) {
if (int error = setNetworkForSocket(netId, socketFd)) {
return closeFdAndSetErrno(socketFd, error);
}
}
return socketFd;
}
unsigned getNetworkForResolv(unsigned netId) {
if (netId != NETID_UNSET) {
return netId;
}
netId = netIdForProcess;
if (netId != NETID_UNSET) {
return netId;
}
return netIdForResolv;
}
int setNetworkForTarget(unsigned netId, std::atomic_uint* target) {
if (netId == NETID_UNSET) {
*target = netId;
return 0;
}
// Verify that we are allowed to use |netId|, by creating a socket and trying to have it marked
// with the netId. Call libcSocket() directly; else the socket creation (via netdClientSocket())
// might itself cause another check with the fwmark server, which would be wasteful.
int socketFd;
if (libcSocket) {
socketFd = libcSocket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
} else {
socketFd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
}
if (socketFd < 0) {
return -errno;
}
int error = setNetworkForSocket(netId, socketFd);
if (!error) {
*target = netId;
}
close(socketFd);
return error;
}
} // namespace
// accept() just calls accept4(..., 0), so there's no need to handle accept() separately.
extern "C" void netdClientInitAccept4(Accept4FunctionType* function) {
if (function && *function) {
libcAccept4 = *function;
*function = netdClientAccept4;
}
}
extern "C" void netdClientInitConnect(ConnectFunctionType* function) {
if (function && *function) {
libcConnect = *function;
*function = netdClientConnect;
}
}
extern "C" void netdClientInitSocket(SocketFunctionType* function) {
if (function && *function) {
libcSocket = *function;
*function = netdClientSocket;
}
}
extern "C" void netdClientInitNetIdForResolv(NetIdForResolvFunctionType* function) {
if (function) {
*function = getNetworkForResolv;
}
}
extern "C" int getNetworkForSocket(unsigned* netId, int socketFd) {
if (!netId || socketFd < 0) {
return -EBADF;
}
Fwmark fwmark;
socklen_t fwmarkLen = sizeof(fwmark.intValue);
if (getsockopt(socketFd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen) == -1) {
return -errno;
}
*netId = fwmark.netId;
return 0;
}
extern "C" unsigned getNetworkForProcess() {
return netIdForProcess;
}
extern "C" int setNetworkForSocket(unsigned netId, int socketFd) {
if (socketFd < 0) {
return -EBADF;
}
FwmarkCommand command = {FwmarkCommand::SELECT_NETWORK, netId, 0};
return FwmarkClient().send(&command, socketFd);
}
extern "C" int setNetworkForProcess(unsigned netId) {
return setNetworkForTarget(netId, &netIdForProcess);
}
extern "C" int setNetworkForResolv(unsigned netId) {
return setNetworkForTarget(netId, &netIdForResolv);
}
extern "C" int protectFromVpn(int socketFd) {
if (socketFd < 0) {
return -EBADF;
}
FwmarkCommand command = {FwmarkCommand::PROTECT_FROM_VPN, 0, 0};
return FwmarkClient().send(&command, socketFd);
}
extern "C" int setNetworkForUser(uid_t uid, int socketFd) {
if (socketFd < 0) {
return -EBADF;
}
FwmarkCommand command = {FwmarkCommand::SELECT_FOR_USER, 0, uid};
return FwmarkClient().send(&command, socketFd);
}
extern "C" int queryUserAccess(uid_t uid, unsigned netId) {
FwmarkCommand command = {FwmarkCommand::QUERY_USER_ACCESS, netId, uid};
return FwmarkClient().send(&command, -1);
}