FwmarkServer.cpp revision f4cfad361175a7f9ccf4d41e76a9b289c3c3da22 
1/*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "FwmarkServer.h"
18
19#include "Fwmark.h"
20#include "FwmarkCommand.h"
21#include "NetworkController.h"
22#include "PermissionsController.h"
23
24
25#include <sys/socket.h>
26#include <unistd.h>
27
28namespace {
29
30const int MAX_COMMAND_LENGTH = 16;
31
32}  // namespace
33
34FwmarkServer::FwmarkServer(NetworkController* networkController,
35                           PermissionsController* permissionsController)
36        : SocketListener("fwmarkd", true),
37          mNetworkController(networkController),
38          mPermissionsController(permissionsController) {
39}
40
41bool FwmarkServer::onDataAvailable(SocketClient* client) {
42    int fd = -1;
43    processClient(client, &fd);
44    int error = errno;
45    if (fd >= 0) {
46        close(fd);
47    }
48
49    // Always send a response even if there were connection errors or read errors, so that we don't
50    // inadvertently cause the client to hang (which always waits for a response).
51    client->sendData(&error, sizeof(error));
52
53    // Always close the client connection (by returning false). This prevents a DoS attack where
54    // the client issues multiple commands on the same connection, never reading the responses,
55    // causing its receive buffer to fill up, and thus causing our client->sendData() to block.
56    return false;
57}
58
59void FwmarkServer::processClient(SocketClient* client, int* fd) {
60    char command[MAX_COMMAND_LENGTH] = {};
61    iovec iov;
62    iov.iov_base = command;
63    iov.iov_len = sizeof(command);
64
65    msghdr message;
66    memset(&message, 0, sizeof(message));
67    message.msg_iov = &iov;
68    message.msg_iovlen = 1;
69
70    union {
71        cmsghdr cmh;
72        char cmsg[CMSG_SPACE(sizeof(*fd))];
73    } cmsgu;
74
75    memset(cmsgu.cmsg, 0, sizeof(cmsgu.cmsg));
76    message.msg_control = cmsgu.cmsg;
77    message.msg_controllen = sizeof(cmsgu.cmsg);
78
79    int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, 0));
80    if (messageLength <= 0) {
81        return;
82    }
83
84    cmsghdr* const cmsgh = CMSG_FIRSTHDR(&message);
85    if (cmsgh && cmsgh->cmsg_level == SOL_SOCKET && cmsgh->cmsg_type == SCM_RIGHTS &&
86        cmsgh->cmsg_len == CMSG_LEN(sizeof(*fd))) {
87        memcpy(fd, CMSG_DATA(cmsgh), sizeof(*fd));
88    }
89
90    if (*fd < 0) {
91        errno = ENOENT;
92        return;
93    }
94
95    Fwmark fwmark;
96    socklen_t fwmarkLen = sizeof(fwmark.intValue);
97    if (getsockopt(*fd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen) == -1) {
98        return;
99    }
100
101    switch (command[0]) {
102        case FWMARK_COMMAND_ON_CREATE: {
103            // on socket creation
104            // TODO
105            break;
106        }
107
108        case FWMARK_COMMAND_ON_CONNECT: {
109            // Set the netId (of the default network) into the fwmark, if it has not already been
110            // set explicitly. Called before a socket connect() happens.
111            if (!fwmark.explicitlySelected) {
112                fwmark.netId = mNetworkController->getDefaultNetwork();
113            }
114            break;
115        }
116
117        case FWMARK_COMMAND_ON_ACCEPT: {
118            // Called after a socket accept(). The kernel would've marked the netId into the socket
119            // already, so we just need to check permissions here.
120            if (!mPermissionsController->isUserPermittedOnNetwork(client->getUid(), fwmark.netId)) {
121                errno = EPERM;
122                return;
123            }
124            break;
125        }
126
127        case FWMARK_COMMAND_SELECT_NETWORK: {
128            // set socket mark
129            // TODO
130            break;
131        }
132
133        case FWMARK_COMMAND_PROTECT_FROM_VPN: {
134            // set vpn protect
135            // TODO
136            break;
137        }
138
139        default: {
140            // unknown command
141            errno = EINVAL;
142            return;
143        }
144    }
145
146    fwmark.permission = mPermissionsController->getPermissionForUser(client->getUid());
147
148    if (setsockopt(*fd, SOL_SOCKET, SO_MARK, &fwmark.intValue, sizeof(fwmark.intValue)) == -1) {
149        return;
150    }
151
152    errno = 0;
153}
154