1 /** 2 * Copyright (c) 2016, The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.net; 18 19 import android.net.UidRange; 20 21 /** {@hide} */ 22 interface INetd { 23 /** 24 * Returns true if the service is responding. 25 */ isAlive()26 boolean isAlive(); 27 28 /** 29 * Replaces the contents of the specified UID-based firewall chain. 30 * 31 * The chain may be a whitelist chain or a blacklist chain. A blacklist chain contains DROP 32 * rules for the specified UIDs and a RETURN rule at the end. A whitelist chain contains RETURN 33 * rules for the system UID range (0 to {@code UID_APP} - 1), RETURN rules for for the specified 34 * UIDs, and a DROP rule at the end. The chain will be created if it does not exist. 35 * 36 * @param chainName The name of the chain to replace. 37 * @param isWhitelist Whether this is a whitelist or blacklist chain. 38 * @param uids The list of UIDs to allow/deny. 39 * @return true if the chain was successfully replaced, false otherwise. 40 */ firewallReplaceUidChain(String chainName, boolean isWhitelist, in int[] uids)41 boolean firewallReplaceUidChain(String chainName, boolean isWhitelist, in int[] uids); 42 43 /** 44 * Enables or disables data saver mode on costly network interfaces. 45 * 46 * - When disabled, all packets to/from apps in the penalty box chain are rejected on costly 47 * interfaces. Traffic to/from other apps or on other network interfaces is allowed. 48 * - When enabled, only apps that are in the happy box chain and not in the penalty box chain 49 * are allowed network connectivity on costly interfaces. All other packets on these 50 * interfaces are rejected. The happy box chain always contains all system UIDs; to disallow 51 * traffic from system UIDs, place them in the penalty box chain. 52 * 53 * By default, data saver mode is disabled. This command has no effect but might still return an 54 * error) if {@code enable} is the same as the current value. 55 * 56 * @param enable whether to enable or disable data saver mode. 57 * @return true if the if the operation was successful, false otherwise. 58 */ bandwidthEnableDataSaver(boolean enable)59 boolean bandwidthEnableDataSaver(boolean enable); 60 61 /** 62 * Adds or removes one rule for each supplied UID range to prohibit all network activity outside 63 * of secure VPN. 64 * 65 * When a UID is covered by one of these rules, traffic sent through any socket that is not 66 * protected or explicitly overriden by the system will be rejected. The kernel will respond 67 * with an ICMP prohibit message. 68 * 69 * Initially, there are no such rules. Any rules that are added will only last until the next 70 * restart of netd or the device. 71 * 72 * @param add {@code true} if the specified UID ranges should be denied access to any network 73 * which is not secure VPN by adding rules, {@code false} to remove existing rules. 74 * @param uidRanges a set of non-overlapping, contiguous ranges of UIDs to which to apply or 75 * remove this restriction. 76 * <p> Added rules should not overlap with existing rules. Likewise, removed rules should 77 * each correspond to an existing rule. 78 * 79 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 80 * unix errno. 81 */ networkRejectNonSecureVpn(boolean add, in UidRange[] uidRanges)82 void networkRejectNonSecureVpn(boolean add, in UidRange[] uidRanges); 83 84 /** 85 * Administratively closes sockets belonging to the specified UIDs. 86 */ socketDestroy(in UidRange[] uidRanges, in int[] exemptUids)87 void socketDestroy(in UidRange[] uidRanges, in int[] exemptUids); 88 89 // Array indices for resolver parameters. 90 const int RESOLVER_PARAMS_SAMPLE_VALIDITY = 0; 91 const int RESOLVER_PARAMS_SUCCESS_THRESHOLD = 1; 92 const int RESOLVER_PARAMS_MIN_SAMPLES = 2; 93 const int RESOLVER_PARAMS_MAX_SAMPLES = 3; 94 const int RESOLVER_PARAMS_COUNT = 4; 95 96 /** 97 * Sets the name servers, search domains and resolver params for the given network. Flushes the 98 * cache as needed (i.e. when the servers or the number of samples to store changes). 99 * 100 * @param netId the network ID of the network for which information should be configured. 101 * @param servers the DNS servers to configure for the network. 102 * @param domains the search domains to configure. 103 * @param params the params to set. This array contains RESOLVER_PARAMS_COUNT integers that 104 * encode the contents of Bionic's __res_params struct, i.e. sample_validity is stored at 105 * position RESOLVER_PARAMS_SAMPLE_VALIDITY, etc. 106 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 107 * unix errno. 108 */ setResolverConfiguration(int netId, in @utf8InCpp String[] servers, in @utf8InCpp String[] domains, in int[] params)109 void setResolverConfiguration(int netId, in @utf8InCpp String[] servers, 110 in @utf8InCpp String[] domains, in int[] params); 111 112 // Array indices for resolver stats. 113 const int RESOLVER_STATS_SUCCESSES = 0; 114 const int RESOLVER_STATS_ERRORS = 1; 115 const int RESOLVER_STATS_TIMEOUTS = 2; 116 const int RESOLVER_STATS_INTERNAL_ERRORS = 3; 117 const int RESOLVER_STATS_RTT_AVG = 4; 118 const int RESOLVER_STATS_LAST_SAMPLE_TIME = 5; 119 const int RESOLVER_STATS_USABLE = 6; 120 const int RESOLVER_STATS_COUNT = 7; 121 122 /** 123 * Retrieves the name servers, search domains and resolver stats associated with the given 124 * network ID. 125 * 126 * @param netId the network ID of the network for which information should be retrieved. 127 * @param servers the DNS servers that are currently configured for the network. 128 * @param domains the search domains currently configured. 129 * @param params the resolver parameters configured, i.e. the contents of __res_params in order. 130 * @param stats the stats for each server in the order specified by RESOLVER_STATS_XXX 131 * constants, serialized as an int array. The contents of this array are the number of 132 * <ul> 133 * <li> successes, 134 * <li> errors, 135 * <li> timeouts, 136 * <li> internal errors, 137 * <li> the RTT average, 138 * <li> the time of the last recorded sample, 139 * <li> and an integer indicating whether the server is usable (1) or broken (0). 140 * </ul> 141 * in this order. For example, the timeout counter for server N is stored at position 142 * RESOLVER_STATS_COUNT*N + RESOLVER_STATS_TIMEOUTS 143 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 144 * unix errno. 145 */ getResolverInfo(int netId, out @utf8InCpp String[] servers, out @utf8InCpp String[] domains, out int[] params, out int[] stats)146 void getResolverInfo(int netId, out @utf8InCpp String[] servers, 147 out @utf8InCpp String[] domains, out int[] params, out int[] stats); 148 149 /** 150 * Instruct the tethering DNS server to reevaluated serving interfaces. 151 * This is needed to for the DNS server to observe changes in the set 152 * of potential listening IP addresses. (Listening on wildcard addresses 153 * can turn the device into an open resolver; b/7530468) 154 * 155 * TODO: Return something richer than just a boolean. 156 */ tetherApplyDnsInterfaces()157 boolean tetherApplyDnsInterfaces(); 158 159 /** 160 * Add/Remove and IP address from an interface. 161 * 162 * @param ifName the interface name 163 * @param addrString the IP address to add/remove as a string literal 164 * @param prefixLength the prefix length associated with this IP address 165 * 166 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 167 * unix errno. 168 */ interfaceAddAddress(in @tf8InCpp String ifName, in @utf8InCpp String addrString, int prefixLength)169 void interfaceAddAddress(in @utf8InCpp String ifName, in @utf8InCpp String addrString, 170 int prefixLength); interfaceDelAddress(in @tf8InCpp String ifName, in @utf8InCpp String addrString, int prefixLength)171 void interfaceDelAddress(in @utf8InCpp String ifName, in @utf8InCpp String addrString, 172 int prefixLength); 173 174 /** 175 * Set and get /proc/sys/net interface configuration parameters. 176 * 177 * @param family One of IPV4/IPV6 integers, indicating the desired address family directory. 178 * @param which One of CONF/NEIGH integers, indicating the desired parameter category directory. 179 * @param ifname The interface name portion of the path; may also be "all" or "default". 180 * @param parameter The parameter name portion of the path. 181 * @param value The value string to be written into the assembled path. 182 */ 183 184 const int IPV4 = 4; 185 const int IPV6 = 6; 186 const int CONF = 1; 187 const int NEIGH = 2; setProcSysNet(int family, int which, in @utf8InCpp String ifname, in @utf8InCpp String parameter, in @utf8InCpp String value)188 void setProcSysNet(int family, int which, in @utf8InCpp String ifname, 189 in @utf8InCpp String parameter, in @utf8InCpp String value); 190 // TODO: add corresponding getProcSysNet(). 191 192 /** 193 * Get/Set metrics reporting level. 194 * 195 * Reporting level is one of: 196 * 0 (NONE) 197 * 1 (METRICS) 198 * 2 (FULL) 199 */ getMetricsReportingLevel()200 int getMetricsReportingLevel(); setMetricsReportingLevel(int level)201 void setMetricsReportingLevel(int level); 202 203 /** 204 * Reserve an SPI from the kernel 205 * 206 * @param transformId a unique identifier for allocated resources 207 * @param direction DIRECTION_IN or DIRECTION_OUT 208 * @param localAddress InetAddress as string for the local endpoint 209 * @param remoteAddress InetAddress as string for the remote endpoint 210 * @param spi a requested 32-bit unique ID or 0 to request random allocation 211 * @return the SPI that was allocated or 0 if failed 212 */ ipSecAllocateSpi( int transformId, int direction, in @utf8InCpp String localAddress, in @utf8InCpp String remoteAddress, int spi)213 int ipSecAllocateSpi( 214 int transformId, 215 int direction, 216 in @utf8InCpp String localAddress, 217 in @utf8InCpp String remoteAddress, 218 int spi); 219 220 /** 221 * Create an IpSec Security Association describing how ip(v6) traffic will be encrypted 222 * or decrypted. 223 * 224 * @param transformId a unique identifier for allocated resources 225 * @param mode either Transport or Tunnel mode 226 * @param direction DIRECTION_IN or DIRECTION_OUT 227 * @param localAddress InetAddress as string for the local endpoint 228 * @param remoteAddress InetAddress as string for the remote endpoint 229 * @param underlyingNetworkHandle the networkHandle of the network to which the SA is applied 230 * @param spi a 32-bit unique ID allocated to the user 231 * @param authAlgo a string identifying the authentication algorithm to be used 232 * @param authKey a byte array containing the authentication key 233 * @param authTruncBits the truncation length of the MAC produced by the authentication algorithm 234 * @param cryptAlgo a string identifying the encryption algorithm to be used 235 * @param cryptKey a byte arrray containing the encryption key 236 * @param cryptTruncBits unused parameter 237 * @param encapType encapsulation type used (if any) for the udp encap socket 238 * @param encapLocalPort the port number on the host to be used in encap packets 239 * @param encapRemotePort the port number of the remote to be used for encap packets 240 * @return the spi that was used to create this SA (should match the SPI paramter) 241 */ ipSecAddSecurityAssociation( int transformId, int mode, int direction, in @utf8InCpp String localAddress, in @utf8InCpp String remoteAddress, long underlyingNetworkHandle, int spi, in @utf8InCpp String authAlgo, in byte[] authKey, in int authTruncBits, in @utf8InCpp String cryptAlgo, in byte[] cryptKey, in int cryptTruncBits, int encapType, int encapLocalPort, int encapRemotePort)242 int ipSecAddSecurityAssociation( 243 int transformId, 244 int mode, 245 int direction, 246 in @utf8InCpp String localAddress, 247 in @utf8InCpp String remoteAddress, 248 long underlyingNetworkHandle, 249 int spi, 250 in @utf8InCpp String authAlgo, in byte[] authKey, in int authTruncBits, 251 in @utf8InCpp String cryptAlgo, in byte[] cryptKey, in int cryptTruncBits, 252 int encapType, 253 int encapLocalPort, 254 int encapRemotePort); 255 256 /** 257 * Delete a previously created security association identified by the provided parameters 258 * 259 * @param transformId a unique identifier for allocated resources 260 * @param direction DIRECTION_IN or DIRECTION_OUT 261 * @param localAddress InetAddress as string for the local endpoint 262 * @param remoteAddress InetAddress as string for the remote endpoint 263 * @param spi a requested 32-bit unique ID allocated to the user 264 */ ipSecDeleteSecurityAssociation( int transformId, int direction, in @utf8InCpp String localAddress, in @utf8InCpp String remoteAddress, int spi)265 void ipSecDeleteSecurityAssociation( 266 int transformId, 267 int direction, 268 in @utf8InCpp String localAddress, 269 in @utf8InCpp String remoteAddress, 270 int spi); 271 272 /** 273 * Apply a previously created SA to a specified socket, starting IPsec on that socket 274 * 275 * @param socket a user-provided socket that will have IPsec applied 276 * @param transformId a unique identifier for allocated resources 277 * @param direction DIRECTION_IN or DIRECTION_OUT 278 * @param localAddress InetAddress as string for the local endpoint 279 * @param remoteAddress InetAddress as string for the remote endpoint 280 * @param spi a 32-bit unique ID allocated to the user (socket owner) 281 */ ipSecApplyTransportModeTransform( in FileDescriptor socket, int transformId, int direction, in @utf8InCpp String localAddress, in @utf8InCpp String remoteAddress, int spi)282 void ipSecApplyTransportModeTransform( 283 in FileDescriptor socket, 284 int transformId, 285 int direction, 286 in @utf8InCpp String localAddress, 287 in @utf8InCpp String remoteAddress, 288 int spi); 289 290 /** 291 * Remove an IPsec SA from a given socket. This will allow unencrypted traffic to flow 292 * on that socket if a transform had been previously applied. 293 * 294 * @param socket a user-provided socket from which to remove any IPsec configuration 295 */ ipSecRemoveTransportModeTransform( in FileDescriptor socket)296 void ipSecRemoveTransportModeTransform( 297 in FileDescriptor socket); 298 } 299