1/**
2 * Copyright (c) 2016, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *     http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.net;
18
19import android.net.UidRange;
20
21/** {@hide} */
22interface INetd {
23    /**
24     * Returns true if the service is responding.
25     */
26    boolean isAlive();
27
28    /**
29     * Replaces the contents of the specified UID-based firewall chain.
30     *
31     * The chain may be a whitelist chain or a blacklist chain. A blacklist chain contains DROP
32     * rules for the specified UIDs and a RETURN rule at the end. A whitelist chain contains RETURN
33     * rules for the system UID range (0 to {@code UID_APP} - 1), RETURN rules for for the specified
34     * UIDs, and a DROP rule at the end. The chain will be created if it does not exist.
35     *
36     * @param chainName The name of the chain to replace.
37     * @param isWhitelist Whether this is a whitelist or blacklist chain.
38     * @param uids The list of UIDs to allow/deny.
39     * @return true if the chain was successfully replaced, false otherwise.
40     */
41    boolean firewallReplaceUidChain(String chainName, boolean isWhitelist, in int[] uids);
42
43    /**
44     * Enables or disables data saver mode on costly network interfaces.
45     *
46     * - When disabled, all packets to/from apps in the penalty box chain are rejected on costly
47     *   interfaces. Traffic to/from other apps or on other network interfaces is allowed.
48     * - When enabled, only apps that are in the happy box chain and not in the penalty box chain
49     *   are allowed network connectivity on costly interfaces. All other packets on these
50     *   interfaces are rejected. The happy box chain always contains all system UIDs; to disallow
51     *   traffic from system UIDs, place them in the penalty box chain.
52     *
53     * By default, data saver mode is disabled. This command has no effect but might still return an
54     * error) if {@code enable} is the same as the current value.
55     *
56     * @param enable whether to enable or disable data saver mode.
57     * @return true if the if the operation was successful, false otherwise.
58     */
59    boolean bandwidthEnableDataSaver(boolean enable);
60
61    /**
62     * Adds or removes one rule for each supplied UID range to prohibit all network activity outside
63     * of secure VPN.
64     *
65     * When a UID is covered by one of these rules, traffic sent through any socket that is not
66     * protected or explicitly overriden by the system will be rejected. The kernel will respond
67     * with an ICMP prohibit message.
68     *
69     * Initially, there are no such rules. Any rules that are added will only last until the next
70     * restart of netd or the device.
71     *
72     * @param add {@code true} if the specified UID ranges should be denied access to any network
73     *        which is not secure VPN by adding rules, {@code false} to remove existing rules.
74     * @param uidRanges a set of non-overlapping, contiguous ranges of UIDs to which to apply or
75     *        remove this restriction.
76     *        <p> Added rules should not overlap with existing rules. Likewise, removed rules should
77     *        each correspond to an existing rule.
78     *
79     * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
80     *         unix errno.
81     */
82    void networkRejectNonSecureVpn(boolean add, in UidRange[] uidRanges);
83
84    /**
85     * Administratively closes sockets belonging to the specified UIDs.
86     */
87    void socketDestroy(in UidRange[] uidRanges, in int[] exemptUids);
88
89    // Array indices for resolver parameters.
90    const int RESOLVER_PARAMS_SAMPLE_VALIDITY = 0;
91    const int RESOLVER_PARAMS_SUCCESS_THRESHOLD = 1;
92    const int RESOLVER_PARAMS_MIN_SAMPLES = 2;
93    const int RESOLVER_PARAMS_MAX_SAMPLES = 3;
94    const int RESOLVER_PARAMS_COUNT = 4;
95
96    /**
97     * Sets the name servers, search domains and resolver params for the given network. Flushes the
98     * cache as needed (i.e. when the servers or the number of samples to store changes).
99     *
100     * @param netId the network ID of the network for which information should be configured.
101     * @param servers the DNS servers to configure for the network.
102     * @param domains the search domains to configure.
103     * @param params the params to set. This array contains RESOLVER_PARAMS_COUNT integers that
104     *   encode the contents of Bionic's __res_params struct, i.e. sample_validity is stored at
105     *   position RESOLVER_PARAMS_SAMPLE_VALIDITY, etc.
106     * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
107     *         unix errno.
108     */
109    void setResolverConfiguration(int netId, in @utf8InCpp String[] servers,
110            in @utf8InCpp String[] domains, in int[] params);
111
112    // Array indices for resolver stats.
113    const int RESOLVER_STATS_SUCCESSES = 0;
114    const int RESOLVER_STATS_ERRORS = 1;
115    const int RESOLVER_STATS_TIMEOUTS = 2;
116    const int RESOLVER_STATS_INTERNAL_ERRORS = 3;
117    const int RESOLVER_STATS_RTT_AVG = 4;
118    const int RESOLVER_STATS_LAST_SAMPLE_TIME = 5;
119    const int RESOLVER_STATS_USABLE = 6;
120    const int RESOLVER_STATS_COUNT = 7;
121
122    /**
123     * Retrieves the name servers, search domains and resolver stats associated with the given
124     * network ID.
125     *
126     * @param netId the network ID of the network for which information should be retrieved.
127     * @param servers the DNS servers that are currently configured for the network.
128     * @param domains the search domains currently configured.
129     * @param params the resolver parameters configured, i.e. the contents of __res_params in order.
130     * @param stats the stats for each server in the order specified by RESOLVER_STATS_XXX
131     *         constants, serialized as an int array. The contents of this array are the number of
132     *         <ul>
133     *           <li> successes,
134     *           <li> errors,
135     *           <li> timeouts,
136     *           <li> internal errors,
137     *           <li> the RTT average,
138     *           <li> the time of the last recorded sample,
139     *           <li> and an integer indicating whether the server is usable (1) or broken (0).
140     *         </ul>
141     *         in this order. For example, the timeout counter for server N is stored at position
142     *         RESOLVER_STATS_COUNT*N + RESOLVER_STATS_TIMEOUTS
143     * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
144     *         unix errno.
145     */
146    void getResolverInfo(int netId, out @utf8InCpp String[] servers,
147            out @utf8InCpp String[] domains, out int[] params, out int[] stats);
148
149    // Private DNS function error codes.
150    const int PRIVATE_DNS_SUCCESS = 0;
151    const int PRIVATE_DNS_BAD_ADDRESS = 1;
152    const int PRIVATE_DNS_BAD_PORT = 2;
153    const int PRIVATE_DNS_UNKNOWN_ALGORITHM = 3;
154    const int PRIVATE_DNS_BAD_FINGERPRINT = 4;
155
156    /**
157     * Adds a server to the list of DNS resolvers that support DNS over TLS.  After this action
158     * succeeds, any subsequent call to setResolverConfiguration will opportunistically use DNS
159     * over TLS if the specified server is on this list and is reachable on that network.
160     *
161     * @param server the DNS server's IP address.  If a private DNS server is already configured
162     *        with this IP address, it will be overwritten.
163     * @param port the port on which the server is listening, typically 853.
164     * @param fingerprintAlgorithm the hash algorithm used to compute the fingerprints.  This should
165     *        be a name in MessageDigest's format.  Currently "SHA-256" is the only supported
166     *        algorithm. Set this to the empty string to disable fingerprint validation.
167     * @param fingerprints the server's public key fingerprints as Base64 strings.
168     *        These can be generated using MessageDigest and android.util.Base64.encodeToString.
169     *        Currently "SHA-256" is the only supported algorithm. Set this to empty to disable
170     *        fingerprint validation.
171     * @throws ServiceSpecificException in case of failure, with an error code indicating the
172     *         cause of the the failure.
173     */
174    void addPrivateDnsServer(in @utf8InCpp String server, int port,
175             in @utf8InCpp String fingerprintAlgorithm, in @utf8InCpp String[] fingerprints);
176
177    /**
178     * Remove a server from the list of DNS resolvers that support DNS over TLS.
179     *
180     * @param server the DNS server's IP address.
181     * @throws ServiceSpecificException in case of failure, with an error code indicating the
182     *         cause of the the failure.
183     */
184    void removePrivateDnsServer(in @utf8InCpp String server);
185
186    /**
187     * Instruct the tethering DNS server to reevaluated serving interfaces.
188     * This is needed to for the DNS server to observe changes in the set
189     * of potential listening IP addresses. (Listening on wildcard addresses
190     * can turn the device into an open resolver; b/7530468)
191     *
192     * TODO: Return something richer than just a boolean.
193     */
194    boolean tetherApplyDnsInterfaces();
195
196    /**
197     * Add/Remove and IP address from an interface.
198     *
199     * @param ifName the interface name
200     * @param addrString the IP address to add/remove as a string literal
201     * @param prefixLength the prefix length associated with this IP address
202     *
203     * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
204     *         unix errno.
205     */
206    void interfaceAddAddress(in @utf8InCpp String ifName, in @utf8InCpp String addrString,
207            int prefixLength);
208    void interfaceDelAddress(in @utf8InCpp String ifName, in @utf8InCpp String addrString,
209            int prefixLength);
210
211    /**
212     * Set and get /proc/sys/net interface configuration parameters.
213     *
214     * @param family One of IPV4/IPV6 integers, indicating the desired address family directory.
215     * @param which One of CONF/NEIGH integers, indicating the desired parameter category directory.
216     * @param ifname The interface name portion of the path; may also be "all" or "default".
217     * @param parameter The parameter name portion of the path.
218     * @param value The value string to be written into the assembled path.
219     */
220
221    const int IPV4  = 4;
222    const int IPV6  = 6;
223    const int CONF  = 1;
224    const int NEIGH = 2;
225    void setProcSysNet(int family, int which, in @utf8InCpp String ifname,
226            in @utf8InCpp String parameter, in @utf8InCpp String value);
227    // TODO: add corresponding getProcSysNet().
228
229    /**
230     * Get/Set metrics reporting level.
231     *
232     * Reporting level is one of:
233     *     0 (NONE)
234     *     1 (METRICS)
235     *     2 (FULL)
236     */
237    int getMetricsReportingLevel();
238    void setMetricsReportingLevel(int level);
239
240   /**
241    * Reserve an SPI from the kernel
242    *
243    * @param transformId a unique identifier for allocated resources
244    * @param direction DIRECTION_IN or DIRECTION_OUT
245    * @param localAddress InetAddress as string for the local endpoint
246    * @param remoteAddress InetAddress as string for the remote endpoint
247    * @param spi a requested 32-bit unique ID or 0 to request random allocation
248    * @return the SPI that was allocated or 0 if failed
249    */
250    int ipSecAllocateSpi(
251            int transformId,
252            int direction,
253            in @utf8InCpp String localAddress,
254            in @utf8InCpp String remoteAddress,
255            int spi);
256
257   /**
258    * Create an IpSec Security Association describing how ip(v6) traffic will be encrypted
259    * or decrypted.
260    *
261    * @param transformId a unique identifier for allocated resources
262    * @param mode either Transport or Tunnel mode
263    * @param direction DIRECTION_IN or DIRECTION_OUT
264    * @param localAddress InetAddress as string for the local endpoint
265    * @param remoteAddress InetAddress as string for the remote endpoint
266    * @param underlyingNetworkHandle the networkHandle of the network to which the SA is applied
267    * @param spi a 32-bit unique ID allocated to the user
268    * @param authAlgo a string identifying the authentication algorithm to be used
269    * @param authKey a byte array containing the authentication key
270    * @param authTruncBits the truncation length of the MAC produced by the authentication algorithm
271    * @param cryptAlgo a string identifying the encryption algorithm to be used
272    * @param cryptKey a byte arrray containing the encryption key
273    * @param cryptTruncBits unused parameter
274    * @param encapType encapsulation type used (if any) for the udp encap socket
275    * @param encapLocalPort the port number on the host to be used in encap packets
276    * @param encapRemotePort the port number of the remote to be used for encap packets
277    */
278    void ipSecAddSecurityAssociation(
279            int transformId,
280            int mode,
281            int direction,
282            in @utf8InCpp String localAddress,
283            in @utf8InCpp String remoteAddress,
284            long underlyingNetworkHandle,
285            int spi,
286            in @utf8InCpp String authAlgo, in byte[] authKey, in int authTruncBits,
287            in @utf8InCpp String cryptAlgo, in byte[] cryptKey, in int cryptTruncBits,
288            int encapType,
289            int encapLocalPort,
290            int encapRemotePort);
291
292   /**
293    * Delete a previously created security association identified by the provided parameters
294    *
295    * @param transformId a unique identifier for allocated resources
296    * @param direction DIRECTION_IN or DIRECTION_OUT
297    * @param localAddress InetAddress as string for the local endpoint
298    * @param remoteAddress InetAddress as string for the remote endpoint
299    * @param spi a requested 32-bit unique ID allocated to the user
300    */
301    void ipSecDeleteSecurityAssociation(
302            int transformId,
303            int direction,
304            in @utf8InCpp String localAddress,
305            in @utf8InCpp String remoteAddress,
306            int spi);
307
308   /**
309    * Apply a previously created SA to a specified socket, starting IPsec on that socket
310    *
311    * @param socket a user-provided socket that will have IPsec applied
312    * @param transformId a unique identifier for allocated resources
313    * @param direction DIRECTION_IN or DIRECTION_OUT
314    * @param localAddress InetAddress as string for the local endpoint
315    * @param remoteAddress InetAddress as string for the remote endpoint
316    * @param spi a 32-bit unique ID allocated to the user (socket owner)
317    */
318    void ipSecApplyTransportModeTransform(
319            in FileDescriptor socket,
320            int transformId,
321            int direction,
322            in @utf8InCpp String localAddress,
323            in @utf8InCpp String remoteAddress,
324            int spi);
325
326   /**
327    * Remove an IPsec SA from a given socket. This will allow unencrypted traffic to flow
328    * on that socket if a transform had been previously applied.
329    *
330    * @param socket a user-provided socket from which to remove any IPsec configuration
331    */
332    void ipSecRemoveTransportModeTransform(
333            in FileDescriptor socket);
334
335   /**
336    * Request notification of wakeup packets arriving on an interface. Notifications will be
337    * delivered to INetdEventListener.onWakeupEvent().
338    *
339    * @param ifName the interface
340    * @param prefix arbitrary string used to identify wakeup sources in onWakeupEvent
341    */
342    void wakeupAddInterface(in @utf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask);
343
344   /**
345    * Stop notification of wakeup packets arriving on an interface.
346    *
347    * @param ifName the interface
348    * @param prefix arbitrary string used to identify wakeup sources in onWakeupEvent
349    */
350    void wakeupDelInterface(in @utf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask);
351
352    const int IPV6_ADDR_GEN_MODE_EUI64 = 0;
353    const int IPV6_ADDR_GEN_MODE_NONE = 1;
354    const int IPV6_ADDR_GEN_MODE_STABLE_PRIVACY = 2;
355    const int IPV6_ADDR_GEN_MODE_RANDOM = 3;
356
357    const int IPV6_ADDR_GEN_MODE_DEFAULT = 0;
358   /**
359    * Set IPv6 address generation mode. IPv6 should be disabled before changing mode.
360    *
361    * @param mode SLAAC address generation mechanism to use
362    */
363    void setIPv6AddrGenMode(in @utf8InCpp String ifName, int mode);
364}
365