1/*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef NETD_SERVER_NETWORK_CONTROLLER_H
18#define NETD_SERVER_NETWORK_CONTROLLER_H
19
20#include "NetdConstants.h"
21#include "Permission.h"
22
23#include "utils/RWLock.h"
24
25#include <list>
26#include <map>
27#include <set>
28#include <sys/types.h>
29#include <vector>
30
31class Network;
32class UidRanges;
33class VirtualNetwork;
34
35/*
36 * Keeps track of default, per-pid, and per-uid-range network selection, as
37 * well as the mark associated with each network. Networks are identified
38 * by netid. In all set* commands netid == 0 means "unspecified" and is
39 * equivalent to clearing the mapping.
40 */
41class NetworkController {
42public:
43    static const unsigned MIN_OEM_ID;
44    static const unsigned MAX_OEM_ID;
45    static const unsigned LOCAL_NET_ID;
46
47    NetworkController();
48
49    unsigned getDefaultNetwork() const;
50    int setDefaultNetwork(unsigned netId) WARN_UNUSED_RESULT;
51
52    // Sets |*netId| to an appropriate NetId to use for DNS for the given user. Call with |*netId|
53    // set to a non-NETID_UNSET value if the user already has indicated a preference. Returns the
54    // fwmark value to set on the socket when performing the DNS request.
55    uint32_t getNetworkForDns(unsigned* netId, uid_t uid) const;
56    unsigned getNetworkForUser(uid_t uid) const;
57    unsigned getNetworkForConnect(uid_t uid) const;
58    unsigned getNetworkForInterface(const char* interface) const;
59    bool isVirtualNetwork(unsigned netId) const;
60
61    int createPhysicalNetwork(unsigned netId, Permission permission) WARN_UNUSED_RESULT;
62    int createVirtualNetwork(unsigned netId, bool hasDns, bool secure) WARN_UNUSED_RESULT;
63    int destroyNetwork(unsigned netId) WARN_UNUSED_RESULT;
64
65    int addInterfaceToNetwork(unsigned netId, const char* interface) WARN_UNUSED_RESULT;
66    int removeInterfaceFromNetwork(unsigned netId, const char* interface) WARN_UNUSED_RESULT;
67
68    Permission getPermissionForUser(uid_t uid) const;
69    void setPermissionForUsers(Permission permission, const std::vector<uid_t>& uids);
70    int checkUserNetworkAccess(uid_t uid, unsigned netId) const;
71    int setPermissionForNetworks(Permission permission,
72                                 const std::vector<unsigned>& netIds) WARN_UNUSED_RESULT;
73
74    int addUsersToNetwork(unsigned netId, const UidRanges& uidRanges) WARN_UNUSED_RESULT;
75    int removeUsersFromNetwork(unsigned netId, const UidRanges& uidRanges) WARN_UNUSED_RESULT;
76
77    // |nexthop| can be NULL (to indicate a directly-connected route), "unreachable" (to indicate a
78    // route that's blocked), "throw" (to indicate the lack of a match), or a regular IP address.
79    //
80    // Routes are added to tables determined by the interface, so only |interface| is actually used.
81    // |netId| is given only to sanity check that the interface has the correct netId.
82    int addRoute(unsigned netId, const char* interface, const char* destination,
83                 const char* nexthop, bool legacy, uid_t uid) WARN_UNUSED_RESULT;
84    int removeRoute(unsigned netId, const char* interface, const char* destination,
85                    const char* nexthop, bool legacy, uid_t uid) WARN_UNUSED_RESULT;
86
87    bool canProtect(uid_t uid) const;
88    void allowProtect(const std::vector<uid_t>& uids);
89    void denyProtect(const std::vector<uid_t>& uids);
90
91private:
92    bool isValidNetwork(unsigned netId) const;
93    Network* getNetworkLocked(unsigned netId) const;
94    VirtualNetwork* getVirtualNetworkForUserLocked(uid_t uid) const;
95    Permission getPermissionForUserLocked(uid_t uid) const;
96    int checkUserNetworkAccessLocked(uid_t uid, unsigned netId) const;
97
98    int modifyRoute(unsigned netId, const char* interface, const char* destination,
99                    const char* nexthop, bool add, bool legacy, uid_t uid) WARN_UNUSED_RESULT;
100    int modifyFallthroughLocked(unsigned vpnNetId, bool add) WARN_UNUSED_RESULT;
101
102    class DelegateImpl;
103    DelegateImpl* const mDelegateImpl;
104
105    // mRWLock guards all accesses to mDefaultNetId, mNetworks, mUsers and mProtectableUsers.
106    mutable android::RWLock mRWLock;
107    unsigned mDefaultNetId;
108    std::map<unsigned, Network*> mNetworks;  // Map keys are NetIds.
109    std::map<uid_t, Permission> mUsers;
110    std::set<uid_t> mProtectableUsers;
111};
112
113#endif  // NETD_SERVER_NETWORK_CONTROLLER_H
114