INetd.aidl revision e760181ff41a5f4526e4f543f3838eb05690e2aa
1/**
2 * Copyright (c) 2016, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *     http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.net;
18
19import android.net.UidRange;
20
21/** {@hide} */
22interface INetd {
23    /**
24     * Returns true if the service is responding.
25     */
26    boolean isAlive();
27
28    /**
29     * Replaces the contents of the specified UID-based firewall chain.
30     *
31     * The chain may be a whitelist chain or a blacklist chain. A blacklist chain contains DROP
32     * rules for the specified UIDs and a RETURN rule at the end. A whitelist chain contains RETURN
33     * rules for the system UID range (0 to {@code UID_APP} - 1), RETURN rules for the specified
34     * UIDs, and a DROP rule at the end. The chain will be created if it does not exist.
35     *
36     * @param chainName The name of the chain to replace.
37     * @param isWhitelist Whether this is a whitelist or blacklist chain.
38     * @param uids The list of UIDs to allow/deny.
39     * @return true if the chain was successfully replaced, false otherwise.
40     */
41    boolean firewallReplaceUidChain(String chainName, boolean isWhitelist, in int[] uids);
42
43    /**
44     * Enables or disables data saver mode on costly network interfaces.
45     *
46     * - When disabled, all packets to/from apps in the penalty box chain are rejected on costly
47     *   interfaces. Traffic to/from other apps or on other network interfaces is allowed.
48     * - When enabled, only apps that are in the happy box chain and not in the penalty box chain
49     *   are allowed network connectivity on costly interfaces. All other packets on these
50     *   interfaces are rejected. The happy box chain always contains all system UIDs; to disallow
51     *   traffic from system UIDs, place them in the penalty box chain.
52     *
53     * By default, data saver mode is disabled. This command has no effect (but might still return
54     * an error) if {@code enable} is the same as the current value.
55     *
56     * @param enable whether to enable or disable data saver mode.
57     * @return true if the operation was successful, false otherwise.
58     */
59    boolean bandwidthEnableDataSaver(boolean enable);
60
61    /**
62     * Adds or removes one rule for each supplied UID range to prohibit all network activity outside
63     * of secure VPN.
64     *
65     * When a UID is covered by one of these rules, traffic sent through any socket that is not
66     * protected or explicitly overridden by the system will be rejected. The kernel will respond
67     * with an ICMP prohibit message.
68     *
69     * Initially, there are no such rules. Any rules that are added will only last until the next
70     * restart of netd or the device.
     * NOTE(review): because the rules do not survive a netd restart, a caller that depends on
     * them presumably has to re-add them afterwards — confirm against the caller.
71     *
72     * @param add {@code true} if the specified UID ranges should be denied access to any network
73     *        which is not secure VPN by adding rules, {@code false} to remove existing rules.
74     * @param uidRanges a set of non-overlapping, contiguous ranges of UIDs to which to apply or
75     *        remove this restriction.
76     *        <p> Added rules should not overlap with existing rules. Likewise, removed rules should
77     *        each correspond to an existing rule.
78     *
79     * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
80     *         unix errno.
81     */
82    void networkRejectNonSecureVpn(boolean add, in UidRange[] uidRanges);
83
84    /**
85     * Administratively closes sockets belonging to the specified UIDs.
     *
     * @param uidRanges the UID ranges whose sockets are closed.
     * @param exemptUids presumably UIDs whose sockets are left open even if they fall inside
     *        {@code uidRanges} — TODO confirm; not documented in this file.
86     */
87    void socketDestroy(in UidRange[] uidRanges, in int[] exemptUids);
88
89    // Array indices for resolver parameters.
90    const int RESOLVER_PARAMS_SAMPLE_VALIDITY = 0;
91    const int RESOLVER_PARAMS_SUCCESS_THRESHOLD = 1;
92    const int RESOLVER_PARAMS_MIN_SAMPLES = 2;
93    const int RESOLVER_PARAMS_MAX_SAMPLES = 3;
94    const int RESOLVER_PARAMS_COUNT = 4;
95
96    /**
97     * Sets the name servers, search domains and resolver params for the given network. Flushes the
98     * cache as needed (i.e. when the servers or the number of samples to store changes).
99     *
100     * @param netId the network ID of the network for which information should be configured.
101     * @param servers the DNS servers to configure for the network.
102     * @param domains the search domains to configure.
103     * @param params the params to set. This array contains RESOLVER_PARAMS_COUNT integers that
104     *   encode the contents of Bionic's __res_params struct, i.e. sample_validity is stored at
105     *   position RESOLVER_PARAMS_SAMPLE_VALIDITY, etc.
106     * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
107     *         unix errno.
108     */
109    void setResolverConfiguration(int netId, in @utf8InCpp String[] servers,
110            in @utf8InCpp String[] domains, in int[] params);
111
112    // Array indices for resolver stats.
113    const int RESOLVER_STATS_SUCCESSES = 0;
114    const int RESOLVER_STATS_ERRORS = 1;
115    const int RESOLVER_STATS_TIMEOUTS = 2;
116    const int RESOLVER_STATS_INTERNAL_ERRORS = 3;
117    const int RESOLVER_STATS_RTT_AVG = 4;
118    const int RESOLVER_STATS_LAST_SAMPLE_TIME = 5;
119    const int RESOLVER_STATS_USABLE = 6;
120    const int RESOLVER_STATS_COUNT = 7;
121
122    /**
123     * Retrieves the name servers, search domains and resolver stats associated with the given
124     * network ID.
125     *
126     * @param netId the network ID of the network for which information should be retrieved.
127     * @param servers the DNS servers that are currently configured for the network.
128     * @param domains the search domains currently configured.
129     * @param params the resolver parameters configured, i.e. the contents of __res_params in order.
130     * @param stats the stats for each server in the order specified by RESOLVER_STATS_XXX
131     *         constants, serialized as an int array. The contents of this array are the number of
132     *         <ul>
133     *           <li> successes,
134     *           <li> errors,
135     *           <li> timeouts,
136     *           <li> internal errors,
137     *           <li> the RTT average,
138     *           <li> the time of the last recorded sample,
139     *           <li> and an integer indicating whether the server is usable (1) or broken (0).
140     *         </ul>
141     *         in this order. For example, the timeout counter for server N is stored at position
142     *         RESOLVER_STATS_COUNT*N + RESOLVER_STATS_TIMEOUTS
143     * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
144     *         unix errno.
145     */
146    void getResolverInfo(int netId, out @utf8InCpp String[] servers,
147            out @utf8InCpp String[] domains, out int[] params, out int[] stats);
148
149    // Private DNS function error codes.
150    const int PRIVATE_DNS_SUCCESS = 0;
151    const int PRIVATE_DNS_BAD_ADDRESS = 1;
152    const int PRIVATE_DNS_BAD_PORT = 2;
153    const int PRIVATE_DNS_UNKNOWN_ALGORITHM = 3;
154    const int PRIVATE_DNS_BAD_FINGERPRINT = 4;
155
156    /**
157     * Adds a server to the list of DNS resolvers that support DNS over TLS.  After this action
158     * succeeds, any subsequent call to setResolverConfiguration will opportunistically use DNS
159     * over TLS if the specified server is on this list and is reachable on that network.
     * NOTE(review): what happens to queries when the server is not reachable over TLS is not
     * stated here — confirm the fallback behaviour in the resolver.
160     *
161     * @param server the DNS server's IP address.  If a private DNS server is already configured
162     *        with this IP address, it will be overwritten.
163     * @param port the port on which the server is listening, typically 853.
164     * @param fingerprintAlgorithm the hash algorithm used to compute the fingerprints.  This should
165     *        be a name in MessageDigest's format.  Currently "SHA-256" is the only supported
166     *        algorithm. Set this to the empty string to disable fingerprint validation.
167     * @param fingerprints the server's public key fingerprints as Base64 strings.
168     *        These can be generated using MessageDigest and android.util.Base64.encodeToString.
169     *        Currently "SHA-256" is the only supported algorithm. Set this to empty to disable
170     *        fingerprint validation.
     *        NOTE(review): with fingerprint validation disabled, nothing in this call pins the
     *        server's public key; what other validation of the server applies is not visible here.
171     * @throws ServiceSpecificException in case of failure, with an error code indicating the
172     *         cause of the failure.
173     * @return true if the arguments were successfully parsed and recognized.
     *         NOTE(review): the method is declared void, so this tag does not match the
     *         signature — confirm which is intended.
174     */
175    void addPrivateDnsServer(in @utf8InCpp String server, int port,
176             in @utf8InCpp String fingerprintAlgorithm, in @utf8InCpp String[] fingerprints);
177
178    /**
179     * Remove a server from the list of DNS resolvers that support DNS over TLS.
180     *
181     * @param server the DNS server's IP address.
182     * @throws ServiceSpecificException in case of failure, with an error code indicating the
183     *         cause of the failure.
184     */
185    void removePrivateDnsServer(in @utf8InCpp String server);
186
187    /**
188     * Instruct the tethering DNS server to reevaluate serving interfaces.
189     * This is needed for the DNS server to observe changes in the set
190     * of potential listening IP addresses. (Listening on wildcard addresses
191     * can turn the device into an open resolver; b/7530468)
192     *
193     * TODO: Return something richer than just a boolean.
194     */
195    boolean tetherApplyDnsInterfaces();
196
197    /**
198     * Add/Remove an IP address from an interface.
199     *
200     * @param ifName the interface name
201     * @param addrString the IP address to add/remove as a string literal
202     * @param prefixLength the prefix length associated with this IP address
203     *
204     * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
205     *         unix errno.
206     */
207    void interfaceAddAddress(in @utf8InCpp String ifName, in @utf8InCpp String addrString,
208            int prefixLength);
209    void interfaceDelAddress(in @utf8InCpp String ifName, in @utf8InCpp String addrString,
210            int prefixLength);
211
212    /**
213     * Set and get /proc/sys/net interface configuration parameters.
214     *
215     * @param family One of IPV4/IPV6 integers, indicating the desired address family directory.
216     * @param which One of CONF/NEIGH integers, indicating the desired parameter category directory.
217     * @param ifname The interface name portion of the path; may also be "all" or "default".
218     * @param parameter The parameter name portion of the path.
219     * @param value The value string to be written into the assembled path.
     *
     * NOTE(review): only the setter is declared below (see the TODO after it). {@code ifname}
     * and {@code parameter} become components of the path that is written; whether the
     * implementation rejects path separators or ".." in them is not visible here — confirm.
220     */
221
222    const int IPV4  = 4;
223    const int IPV6  = 6;
224    const int CONF  = 1;
225    const int NEIGH = 2;
226    void setProcSysNet(int family, int which, in @utf8InCpp String ifname,
227            in @utf8InCpp String parameter, in @utf8InCpp String value);
228    // TODO: add corresponding getProcSysNet().
229
230    /**
231     * Get/Set metrics reporting level.
232     *
233     * Reporting level is one of:
234     *     0 (NONE)
235     *     1 (METRICS)
236     *     2 (FULL)
237     */
238    int getMetricsReportingLevel();
239    void setMetricsReportingLevel(int level);
240
241   /**
242    * Reserve an SPI from the kernel
243    *
244    * @param transformId a unique identifier for allocated resources
245    * @param direction DIRECTION_IN or DIRECTION_OUT
246    * @param localAddress InetAddress as string for the local endpoint
247    * @param remoteAddress InetAddress as string for the remote endpoint
248    * @param spi a requested 32-bit unique ID or 0 to request random allocation
249    * @return the SPI that was allocated or 0 if failed
250    */
251    int ipSecAllocateSpi(
252            int transformId,
253            int direction,
254            in @utf8InCpp String localAddress,
255            in @utf8InCpp String remoteAddress,
256            int spi);
257
258   /**
259    * Create an IpSec Security Association describing how ip(v6) traffic will be encrypted
260    * or decrypted.
261    *
262    * @param transformId a unique identifier for allocated resources
263    * @param mode either Transport or Tunnel mode
264    * @param direction DIRECTION_IN or DIRECTION_OUT
265    * @param localAddress InetAddress as string for the local endpoint
266    * @param remoteAddress InetAddress as string for the remote endpoint
267    * @param underlyingNetworkHandle the networkHandle of the network to which the SA is applied
268    * @param spi a 32-bit unique ID allocated to the user
269    * @param authAlgo a string identifying the authentication algorithm to be used
270    * @param authKey a byte array containing the authentication key
271    * @param authTruncBits the truncation length of the MAC produced by the authentication algorithm
272    * @param cryptAlgo a string identifying the encryption algorithm to be used
273    * @param cryptKey a byte array containing the encryption key
274    * @param cryptTruncBits unused parameter
275    * @param encapType encapsulation type used (if any) for the udp encap socket
276    * @param encapLocalPort the port number on the host to be used in encap packets
277    * @param encapRemotePort the port number of the remote to be used for encap packets
278    * @return the spi that was used to create this SA (should match the SPI parameter)
    *
    * NOTE(review): authKey and cryptKey carry raw key material across this interface; callers
    * and the implementation should keep them out of logs and dumps.
279    */
280    int ipSecAddSecurityAssociation(
281            int transformId,
282            int mode,
283            int direction,
284            in @utf8InCpp String localAddress,
285            in @utf8InCpp String remoteAddress,
286            long underlyingNetworkHandle,
287            int spi,
288            in @utf8InCpp String authAlgo, in byte[] authKey, in int authTruncBits,
289            in @utf8InCpp String cryptAlgo, in byte[] cryptKey, in int cryptTruncBits,
290            int encapType,
291            int encapLocalPort,
292            int encapRemotePort);
293
294   /**
295    * Delete a previously created security association identified by the provided parameters
296    *
297    * @param transformId a unique identifier for allocated resources
298    * @param direction DIRECTION_IN or DIRECTION_OUT
299    * @param localAddress InetAddress as string for the local endpoint
300    * @param remoteAddress InetAddress as string for the remote endpoint
301    * @param spi a requested 32-bit unique ID allocated to the user
302    */
303    void ipSecDeleteSecurityAssociation(
304            int transformId,
305            int direction,
306            in @utf8InCpp String localAddress,
307            in @utf8InCpp String remoteAddress,
308            int spi);
309
310   /**
311    * Apply a previously created SA to a specified socket, starting IPsec on that socket
312    *
313    * @param socket a user-provided socket that will have IPsec applied
314    * @param transformId a unique identifier for allocated resources
315    * @param direction DIRECTION_IN or DIRECTION_OUT
316    * @param localAddress InetAddress as string for the local endpoint
317    * @param remoteAddress InetAddress as string for the remote endpoint
318    * @param spi a 32-bit unique ID allocated to the user (socket owner)
319    */
320    void ipSecApplyTransportModeTransform(
321            in FileDescriptor socket,
322            int transformId,
323            int direction,
324            in @utf8InCpp String localAddress,
325            in @utf8InCpp String remoteAddress,
326            int spi);
327
328   /**
329    * Remove an IPsec SA from a given socket. This will allow unencrypted traffic to flow
330    * on that socket if a transform had been previously applied.
331    *
332    * @param socket a user-provided socket from which to remove any IPsec configuration
333    */
334    void ipSecRemoveTransportModeTransform(
335            in FileDescriptor socket);
336
337   /**
338    * Request notification of wakeup packets arriving on an interface. Notifications will be
339    * delivered to INetdEventListener.onWakeupEvent().
340    *
341    * @param ifName the interface
342    * @param prefix arbitrary string used to identify wakeup sources in onWakeupEvent
    *
    * NOTE(review): {@code mark} and {@code mask} are undocumented here; presumably a packet mark
    * and the mask applied to it when matching wakeup packets — TODO confirm.
343    */
344    void wakeupAddInterface(in @utf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask);
345
346   /**
347    * Stop notification of wakeup packets arriving on an interface.
348    *
349    * @param ifName the interface
350    * @param prefix arbitrary string used to identify wakeup sources in onWakeupEvent
    *
    * NOTE(review): {@code mark} and {@code mask} are undocumented here; presumably they must
    * match the values given when the notification was requested — TODO confirm.
351    */
352    void wakeupDelInterface(in @utf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask);
353
354    const int IPV6_ADDR_GEN_MODE_EUI64 = 0;
355    const int IPV6_ADDR_GEN_MODE_NONE = 1;
356    const int IPV6_ADDR_GEN_MODE_STABLE_PRIVACY = 2;
357    const int IPV6_ADDR_GEN_MODE_RANDOM = 3;
358
359    const int IPV6_ADDR_GEN_MODE_DEFAULT = 0;
360   /**
361    * Set IPv6 address generation mode. IPv6 should be disabled before changing mode.
362    *
    * @param ifName the interface name
363    * @param mode SLAAC address generation mechanism to use; presumably one of the
    *        IPV6_ADDR_GEN_MODE_* constants declared above — TODO confirm
364    */
365    void setIPv6AddrGenMode(in @utf8InCpp String ifName, int mode);
366}
367