FwmarkServer.cpp revision f4cfad361175a7f9ccf4d41e76a9b289c3c3da22
1/* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include "FwmarkServer.h" 18 19#include "Fwmark.h" 20#include "FwmarkCommand.h" 21#include "NetworkController.h" 22#include "PermissionsController.h" 23 24 25#include <sys/socket.h> 26#include <unistd.h> 27 28namespace { 29 30const int MAX_COMMAND_LENGTH = 16; 31 32} // namespace 33 34FwmarkServer::FwmarkServer(NetworkController* networkController, 35 PermissionsController* permissionsController) 36 : SocketListener("fwmarkd", true), 37 mNetworkController(networkController), 38 mPermissionsController(permissionsController) { 39} 40 41bool FwmarkServer::onDataAvailable(SocketClient* client) { 42 int fd = -1; 43 processClient(client, &fd); 44 int error = errno; 45 if (fd >= 0) { 46 close(fd); 47 } 48 49 // Always send a response even if there were connection errors or read errors, so that we don't 50 // inadvertently cause the client to hang (which always waits for a response). 51 client->sendData(&error, sizeof(error)); 52 53 // Always close the client connection (by returning false). This prevents a DoS attack where 54 // the client issues multiple commands on the same connection, never reading the responses, 55 // causing its receive buffer to fill up, and thus causing our client->sendData() to block. 56 return false; 57} 58 59void FwmarkServer::processClient(SocketClient* client, int* fd) { 60 char command[MAX_COMMAND_LENGTH] = {}; 61 iovec iov; 62 iov.iov_base = command; 63 iov.iov_len = sizeof(command); 64 65 msghdr message; 66 memset(&message, 0, sizeof(message)); 67 message.msg_iov = &iov; 68 message.msg_iovlen = 1; 69 70 union { 71 cmsghdr cmh; 72 char cmsg[CMSG_SPACE(sizeof(*fd))]; 73 } cmsgu; 74 75 memset(cmsgu.cmsg, 0, sizeof(cmsgu.cmsg)); 76 message.msg_control = cmsgu.cmsg; 77 message.msg_controllen = sizeof(cmsgu.cmsg); 78 79 int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, 0)); 80 if (messageLength <= 0) { 81 return; 82 } 83 84 cmsghdr* const cmsgh = CMSG_FIRSTHDR(&message); 85 if (cmsgh && cmsgh->cmsg_level == SOL_SOCKET && cmsgh->cmsg_type == SCM_RIGHTS && 86 cmsgh->cmsg_len == CMSG_LEN(sizeof(*fd))) { 87 memcpy(fd, CMSG_DATA(cmsgh), sizeof(*fd)); 88 } 89 90 if (*fd < 0) { 91 errno = ENOENT; 92 return; 93 } 94 95 Fwmark fwmark; 96 socklen_t fwmarkLen = sizeof(fwmark.intValue); 97 if (getsockopt(*fd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen) == -1) { 98 return; 99 } 100 101 switch (command[0]) { 102 case FWMARK_COMMAND_ON_CREATE: { 103 // on socket creation 104 // TODO 105 break; 106 } 107 108 case FWMARK_COMMAND_ON_CONNECT: { 109 // Set the netId (of the default network) into the fwmark, if it has not already been 110 // set explicitly. Called before a socket connect() happens. 111 if (!fwmark.explicitlySelected) { 112 fwmark.netId = mNetworkController->getDefaultNetwork(); 113 } 114 break; 115 } 116 117 case FWMARK_COMMAND_ON_ACCEPT: { 118 // Called after a socket accept(). The kernel would've marked the netId into the socket 119 // already, so we just need to check permissions here. 120 if (!mPermissionsController->isUserPermittedOnNetwork(client->getUid(), fwmark.netId)) { 121 errno = EPERM; 122 return; 123 } 124 break; 125 } 126 127 case FWMARK_COMMAND_SELECT_NETWORK: { 128 // set socket mark 129 // TODO 130 break; 131 } 132 133 case FWMARK_COMMAND_PROTECT_FROM_VPN: { 134 // set vpn protect 135 // TODO 136 break; 137 } 138 139 default: { 140 // unknown command 141 errno = EINVAL; 142 return; 143 } 144 } 145 146 fwmark.permission = mPermissionsController->getPermissionForUser(client->getUid()); 147 148 if (setsockopt(*fd, SOL_SOCKET, SO_MARK, &fwmark.intValue, sizeof(fwmark.intValue)) == -1) { 149 return; 150 } 151 152 errno = 0; 153} 154