1 /*
2  * Copyright (C) 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "FwmarkServer.h"
18 
19 #include "Fwmark.h"
20 #include "FwmarkCommand.h"
21 #include "NetdConstants.h"
22 #include "NetworkController.h"
23 #include "resolv_netid.h"
24 
25 #include <netinet/in.h>
26 #include <sys/socket.h>
27 #include <unistd.h>
28 #include <utils/String16.h>
29 
30 using android::String16;
31 using android::net::metrics::INetdEventListener;
32 
33 namespace android {
34 namespace net {
35 
FwmarkServer(NetworkController * networkController,EventReporter * eventReporter)36 FwmarkServer::FwmarkServer(NetworkController* networkController, EventReporter* eventReporter) :
37         SocketListener("fwmarkd", true), mNetworkController(networkController),
38         mEventReporter(eventReporter) {
39 }
40 
onDataAvailable(SocketClient * client)41 bool FwmarkServer::onDataAvailable(SocketClient* client) {
42     int socketFd = -1;
43     int error = processClient(client, &socketFd);
44     if (socketFd >= 0) {
45         close(socketFd);
46     }
47 
48     // Always send a response even if there were connection errors or read errors, so that we don't
49     // inadvertently cause the client to hang (which always waits for a response).
50     client->sendData(&error, sizeof(error));
51 
52     // Always close the client connection (by returning false). This prevents a DoS attack where
53     // the client issues multiple commands on the same connection, never reading the responses,
54     // causing its receive buffer to fill up, and thus causing our client->sendData() to block.
55     return false;
56 }
57 
processClient(SocketClient * client,int * socketFd)58 int FwmarkServer::processClient(SocketClient* client, int* socketFd) {
59     FwmarkCommand command;
60     FwmarkConnectInfo connectInfo;
61 
62     iovec iov[2] = {
63         { &command, sizeof(command) },
64         { &connectInfo, sizeof(connectInfo) },
65     };
66     msghdr message;
67     memset(&message, 0, sizeof(message));
68     message.msg_iov = iov;
69     message.msg_iovlen = ARRAY_SIZE(iov);
70 
71     union {
72         cmsghdr cmh;
73         char cmsg[CMSG_SPACE(sizeof(*socketFd))];
74     } cmsgu;
75 
76     memset(cmsgu.cmsg, 0, sizeof(cmsgu.cmsg));
77     message.msg_control = cmsgu.cmsg;
78     message.msg_controllen = sizeof(cmsgu.cmsg);
79 
80     int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, MSG_CMSG_CLOEXEC));
81     if (messageLength <= 0) {
82         return -errno;
83     }
84 
85     if (!((command.cmdId != FwmarkCommand::ON_CONNECT_COMPLETE && messageLength == sizeof(command))
86             || (command.cmdId == FwmarkCommand::ON_CONNECT_COMPLETE
87             && messageLength == sizeof(command) + sizeof(connectInfo)))) {
88         return -EBADMSG;
89     }
90 
91     Permission permission = mNetworkController->getPermissionForUser(client->getUid());
92 
93     if (command.cmdId == FwmarkCommand::QUERY_USER_ACCESS) {
94         if ((permission & PERMISSION_SYSTEM) != PERMISSION_SYSTEM) {
95             return -EPERM;
96         }
97         return mNetworkController->checkUserNetworkAccess(command.uid, command.netId);
98     }
99 
100     cmsghdr* const cmsgh = CMSG_FIRSTHDR(&message);
101     if (cmsgh && cmsgh->cmsg_level == SOL_SOCKET && cmsgh->cmsg_type == SCM_RIGHTS &&
102         cmsgh->cmsg_len == CMSG_LEN(sizeof(*socketFd))) {
103         memcpy(socketFd, CMSG_DATA(cmsgh), sizeof(*socketFd));
104     }
105 
106     if (*socketFd < 0) {
107         return -EBADF;
108     }
109 
110     Fwmark fwmark;
111     socklen_t fwmarkLen = sizeof(fwmark.intValue);
112     if (getsockopt(*socketFd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen) == -1) {
113         return -errno;
114     }
115 
116     switch (command.cmdId) {
117         case FwmarkCommand::ON_ACCEPT: {
118             // Called after a socket accept(). The kernel would've marked the NetId and necessary
119             // permissions bits, so we just add the rest of the user's permissions here.
120             permission = static_cast<Permission>(permission | fwmark.permission);
121             break;
122         }
123 
124         case FwmarkCommand::ON_CONNECT: {
125             // Called before a socket connect() happens. Set an appropriate NetId into the fwmark so
126             // that the socket routes consistently over that network. Do this even if the socket
127             // already has a NetId, so that calling connect() multiple times still works.
128             //
129             // But if the explicit bit was set, the existing NetId was explicitly preferred (and not
130             // a case of connect() being called multiple times). Don't reset the NetId in that case.
131             //
132             // An "appropriate" NetId is the NetId of a bypassable VPN that applies to the user, or
133             // failing that, the default network. We'll never set the NetId of a secure VPN here.
134             // See the comments in the implementation of getNetworkForConnect() for more details.
135             //
136             // If the protect bit is set, this could be either a system proxy (e.g.: the dns proxy
137             // or the download manager) acting on behalf of another user, or a VPN provider. If it's
138             // a proxy, we shouldn't reset the NetId. If it's a VPN provider, we should set the
139             // default network's NetId.
140             //
141             // There's no easy way to tell the difference between a proxy and a VPN app. We can't
142             // use PERMISSION_SYSTEM to identify the proxy because a VPN app may also have those
143             // permissions. So we use the following heuristic:
144             //
145             // If it's a proxy, but the existing NetId is not a VPN, that means the user (that the
146             // proxy is acting on behalf of) is not subject to a VPN, so the proxy must have picked
147             // the default network's NetId. So, it's okay to replace that with the current default
148             // network's NetId (which in all likelihood is the same).
149             //
150             // Conversely, if it's a VPN provider, the existing NetId cannot be a VPN. The only time
151             // we set a VPN's NetId into a socket without setting the explicit bit is here, in
152             // ON_CONNECT, but we won't do that if the socket has the protect bit set. If the VPN
153             // provider connect()ed (and got the VPN NetId set) and then called protect(), we
154             // would've unset the NetId in PROTECT_FROM_VPN below.
155             //
156             // So, overall (when the explicit bit is not set but the protect bit is set), if the
157             // existing NetId is a VPN, don't reset it. Else, set the default network's NetId.
158             if (!fwmark.explicitlySelected) {
159                 if (!fwmark.protectedFromVpn) {
160                     fwmark.netId = mNetworkController->getNetworkForConnect(client->getUid());
161                 } else if (!mNetworkController->isVirtualNetwork(fwmark.netId)) {
162                     fwmark.netId = mNetworkController->getDefaultNetwork();
163                 }
164             }
165             break;
166         }
167 
168         case FwmarkCommand::ON_CONNECT_COMPLETE: {
169             // Called after a socket connect() completes.
170             // This reports connect event including netId, destination IP address, destination port,
171             // uid, connect latency, and connect errno if any.
172 
173             // Skip reporting if connect() happened on a UDP socket.
174             int socketProto;
175             socklen_t intSize = sizeof(socketProto);
176             const int ret = getsockopt(*socketFd, SOL_SOCKET, SO_PROTOCOL, &socketProto, &intSize);
177             if ((ret != 0) || (socketProto == IPPROTO_UDP)) {
178                 break;
179             }
180 
181             android::sp<android::net::metrics::INetdEventListener> netdEventListener =
182                     mEventReporter->getNetdEventListener();
183 
184             if (netdEventListener != nullptr) {
185                 char addrstr[INET6_ADDRSTRLEN];
186                 char portstr[sizeof("65536")];
187                 const int ret = getnameinfo((sockaddr*) &connectInfo.addr, sizeof(connectInfo.addr),
188                         addrstr, sizeof(addrstr), portstr, sizeof(portstr),
189                         NI_NUMERICHOST | NI_NUMERICSERV);
190 
191                 netdEventListener->onConnectEvent(fwmark.netId, connectInfo.error,
192                         connectInfo.latencyMs,
193                         (ret == 0) ? String16(addrstr) : String16(""),
194                         (ret == 0) ? strtoul(portstr, NULL, 10) : 0, client->getUid());
195             }
196             break;
197         }
198 
199         case FwmarkCommand::SELECT_NETWORK: {
200             fwmark.netId = command.netId;
201             if (command.netId == NETID_UNSET) {
202                 fwmark.explicitlySelected = false;
203                 fwmark.protectedFromVpn = false;
204                 permission = PERMISSION_NONE;
205             } else {
206                 if (int ret = mNetworkController->checkUserNetworkAccess(client->getUid(),
207                                                                          command.netId)) {
208                     return ret;
209                 }
210                 fwmark.explicitlySelected = true;
211                 fwmark.protectedFromVpn = mNetworkController->canProtect(client->getUid());
212             }
213             break;
214         }
215 
216         case FwmarkCommand::PROTECT_FROM_VPN: {
217             if (!mNetworkController->canProtect(client->getUid())) {
218                 return -EPERM;
219             }
220             // If a bypassable VPN's provider app calls connect() and then protect(), it will end up
221             // with a socket that looks like that of a system proxy but is not (see comments for
222             // ON_CONNECT above). So, reset the NetId.
223             //
224             // In any case, it's appropriate that if the socket has an implicit VPN NetId mark, the
225             // PROTECT_FROM_VPN command should unset it.
226             if (!fwmark.explicitlySelected && mNetworkController->isVirtualNetwork(fwmark.netId)) {
227                 fwmark.netId = mNetworkController->getDefaultNetwork();
228             }
229             fwmark.protectedFromVpn = true;
230             permission = static_cast<Permission>(permission | fwmark.permission);
231             break;
232         }
233 
234         case FwmarkCommand::SELECT_FOR_USER: {
235             if ((permission & PERMISSION_SYSTEM) != PERMISSION_SYSTEM) {
236                 return -EPERM;
237             }
238             fwmark.netId = mNetworkController->getNetworkForUser(command.uid);
239             fwmark.protectedFromVpn = true;
240             break;
241         }
242 
243         default: {
244             // unknown command
245             return -EPROTO;
246         }
247     }
248 
249     fwmark.permission = permission;
250 
251     if (setsockopt(*socketFd, SOL_SOCKET, SO_MARK, &fwmark.intValue,
252                    sizeof(fwmark.intValue)) == -1) {
253         return -errno;
254     }
255 
256     return 0;
257 }
258 
259 }  // namespace net
260 }  // namespace android
261