1 /*
2  * Copyright (C) 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "FwmarkServer.h"
18 
19 #include <netinet/in.h>
20 #include <selinux/selinux.h>
21 #include <sys/socket.h>
22 #include <unistd.h>
23 #include <utils/String16.h>
24 
25 #include <android-base/cmsg.h>
26 #include <android-base/logging.h>
27 #include <android-base/properties.h>
28 #include <binder/IServiceManager.h>
29 #include <netd_resolv/resolv.h>  // NETID_UNSET
30 
31 #include "Fwmark.h"
32 #include "FwmarkCommand.h"
33 #include "NetdConstants.h"
34 #include "NetworkController.h"
35 #include "TrafficController.h"
36 
37 using android::String16;
38 using android::base::ReceiveFileDescriptorVector;
39 using android::base::unique_fd;
40 using android::net::metrics::INetdEventListener;
41 
42 namespace android {
43 namespace net {
44 
45 constexpr const char *SYSTEM_SERVER_CONTEXT = "u:r:system_server:s0";
46 
isSystemServer(SocketClient * client)47 bool isSystemServer(SocketClient* client) {
48     if (client->getUid() != AID_SYSTEM) {
49         return false;
50     }
51 
52     char *context;
53     if (getpeercon(client->getSocket(), &context)) {
54         return false;
55     }
56 
57     // We can't use context_new and context_type_get as they're private to libselinux. So just do
58     // a string match instead.
59     bool ret = !strcmp(context, SYSTEM_SERVER_CONTEXT);
60     freecon(context);
61 
62     return ret;
63 }
64 
FwmarkServer(NetworkController * networkController,EventReporter * eventReporter,TrafficController * trafficCtrl)65 FwmarkServer::FwmarkServer(NetworkController* networkController, EventReporter* eventReporter,
66                            TrafficController* trafficCtrl)
67     : SocketListener(SOCKET_NAME, true),
68       mNetworkController(networkController),
69       mEventReporter(eventReporter),
70       mTrafficCtrl(trafficCtrl),
71       mRedirectSocketCalls(
72               android::base::GetBoolProperty("ro.vendor.redirect_socket_calls", false)) {}
73 
onDataAvailable(SocketClient * client)74 bool FwmarkServer::onDataAvailable(SocketClient* client) {
75     int socketFd = -1;
76     int error = processClient(client, &socketFd);
77     if (socketFd >= 0) {
78         close(socketFd);
79     }
80 
81     // Always send a response even if there were connection errors or read errors, so that we don't
82     // inadvertently cause the client to hang (which always waits for a response).
83     client->sendData(&error, sizeof(error));
84 
85     // Always close the client connection (by returning false). This prevents a DoS attack where
86     // the client issues multiple commands on the same connection, never reading the responses,
87     // causing its receive buffer to fill up, and thus causing our client->sendData() to block.
88     return false;
89 }
90 
hasDestinationAddress(FwmarkCommand::CmdId cmdId,bool redirectSocketCalls)91 static bool hasDestinationAddress(FwmarkCommand::CmdId cmdId, bool redirectSocketCalls) {
92     if (redirectSocketCalls) {
93         return (cmdId == FwmarkCommand::ON_SENDTO || cmdId == FwmarkCommand::ON_CONNECT ||
94                 cmdId == FwmarkCommand::ON_SENDMSG || cmdId == FwmarkCommand::ON_SENDMMSG ||
95                 cmdId == FwmarkCommand::ON_CONNECT_COMPLETE);
96     } else {
97         return (cmdId == FwmarkCommand::ON_CONNECT_COMPLETE);
98     }
99 }
100 
processClient(SocketClient * client,int * socketFd)101 int FwmarkServer::processClient(SocketClient* client, int* socketFd) {
102     FwmarkCommand command;
103     FwmarkConnectInfo connectInfo;
104 
105     char buf[sizeof(command) + sizeof(connectInfo)];
106     std::vector<unique_fd> received_fds;
107     ssize_t messageLength =
108             ReceiveFileDescriptorVector(client->getSocket(), buf, sizeof(buf), 1, &received_fds);
109 
110     if (messageLength < 0) {
111         return -errno;
112     } else if (messageLength == 0) {
113         return -ESHUTDOWN;
114     }
115 
116     memcpy(&command, buf, sizeof(command));
117     memcpy(&connectInfo, buf + sizeof(command), sizeof(connectInfo));
118 
119     size_t expectedLen = sizeof(command);
120     if (hasDestinationAddress(command.cmdId, mRedirectSocketCalls)) {
121         expectedLen += sizeof(connectInfo);
122     }
123 
124     if (messageLength != static_cast<ssize_t>(expectedLen)) {
125         return -EBADMSG;
126     }
127 
128     Permission permission = mNetworkController->getPermissionForUser(client->getUid());
129 
130     if (command.cmdId == FwmarkCommand::QUERY_USER_ACCESS) {
131         if ((permission & PERMISSION_SYSTEM) != PERMISSION_SYSTEM) {
132             return -EPERM;
133         }
134         return mNetworkController->checkUserNetworkAccess(command.uid, command.netId);
135     }
136 
137     if (command.cmdId == FwmarkCommand::SET_COUNTERSET) {
138         return mTrafficCtrl->setCounterSet(command.trafficCtrlInfo, command.uid, client->getUid());
139     }
140 
141     if (command.cmdId == FwmarkCommand::DELETE_TAGDATA) {
142         return mTrafficCtrl->deleteTagData(command.trafficCtrlInfo, command.uid, client->getUid());
143     }
144 
145     if (received_fds.size() != 1) {
146         LOG(ERROR) << "FwmarkServer received " << received_fds.size() << " fds from client?";
147         return -EBADF;
148     } else if (received_fds[0] < 0) {
149         LOG(ERROR) << "FwmarkServer received fd -1 from ReceiveFileDescriptorVector?";
150         return -EBADF;
151     }
152 
153     *socketFd = received_fds[0].release();
154 
155     int family;
156     socklen_t familyLen = sizeof(family);
157     if (getsockopt(*socketFd, SOL_SOCKET, SO_DOMAIN, &family, &familyLen) == -1) {
158         return -errno;
159     }
160     if (!FwmarkCommand::isSupportedFamily(family)) {
161         return -EAFNOSUPPORT;
162     }
163 
164     Fwmark fwmark;
165     socklen_t fwmarkLen = sizeof(fwmark.intValue);
166     if (getsockopt(*socketFd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen) == -1) {
167         return -errno;
168     }
169 
170     switch (command.cmdId) {
171         case FwmarkCommand::ON_ACCEPT: {
172             // Called after a socket accept(). The kernel would've marked the NetId and necessary
173             // permissions bits, so we just add the rest of the user's permissions here.
174             permission = static_cast<Permission>(permission | fwmark.permission);
175             break;
176         }
177 
178         case FwmarkCommand::ON_CONNECT: {
179             // Called before a socket connect() happens. Set an appropriate NetId into the fwmark so
180             // that the socket routes consistently over that network. Do this even if the socket
181             // already has a NetId, so that calling connect() multiple times still works.
182             //
183             // But if the explicit bit was set, the existing NetId was explicitly preferred (and not
184             // a case of connect() being called multiple times). Don't reset the NetId in that case.
185             //
186             // An "appropriate" NetId is the NetId of a bypassable VPN that applies to the user, or
187             // failing that, the default network. We'll never set the NetId of a secure VPN here.
188             // See the comments in the implementation of getNetworkForConnect() for more details.
189             //
190             // If the protect bit is set, this could be either a system proxy (e.g.: the dns proxy
191             // or the download manager) acting on behalf of another user, or a VPN provider. If it's
192             // a proxy, we shouldn't reset the NetId. If it's a VPN provider, we should set the
193             // default network's NetId.
194             //
195             // There's no easy way to tell the difference between a proxy and a VPN app. We can't
196             // use PERMISSION_SYSTEM to identify the proxy because a VPN app may also have those
197             // permissions. So we use the following heuristic:
198             //
199             // If it's a proxy, but the existing NetId is not a VPN, that means the user (that the
200             // proxy is acting on behalf of) is not subject to a VPN, so the proxy must have picked
201             // the default network's NetId. So, it's okay to replace that with the current default
202             // network's NetId (which in all likelihood is the same).
203             //
204             // Conversely, if it's a VPN provider, the existing NetId cannot be a VPN. The only time
205             // we set a VPN's NetId into a socket without setting the explicit bit is here, in
206             // ON_CONNECT, but we won't do that if the socket has the protect bit set. If the VPN
207             // provider connect()ed (and got the VPN NetId set) and then called protect(), we
208             // would've unset the NetId in PROTECT_FROM_VPN below.
209             //
210             // So, overall (when the explicit bit is not set but the protect bit is set), if the
211             // existing NetId is a VPN, don't reset it. Else, set the default network's NetId.
212             if (!fwmark.explicitlySelected) {
213                 if (!fwmark.protectedFromVpn) {
214                     fwmark.netId = mNetworkController->getNetworkForConnect(client->getUid());
215                 } else if (!mNetworkController->isVirtualNetwork(fwmark.netId)) {
216                     fwmark.netId = mNetworkController->getDefaultNetwork();
217                 }
218             }
219             break;
220         }
221 
222         case FwmarkCommand::ON_CONNECT_COMPLETE: {
223             // Called after a socket connect() completes.
224             // This reports connect event including netId, destination IP address, destination port,
225             // uid, connect latency, and connect errno if any.
226 
227             // Skip reporting if connect() happened on a UDP socket.
228             int socketProto;
229             socklen_t intSize = sizeof(socketProto);
230             const int ret = getsockopt(*socketFd, SOL_SOCKET, SO_PROTOCOL, &socketProto, &intSize);
231             if ((ret != 0) || (socketProto == IPPROTO_UDP)) {
232                 break;
233             }
234 
235             android::sp<android::net::metrics::INetdEventListener> netdEventListener =
236                     mEventReporter->getNetdEventListener();
237 
238             if (netdEventListener != nullptr) {
239                 char addrstr[INET6_ADDRSTRLEN];
240                 char portstr[sizeof("65536")];
241                 const int ret = getnameinfo((sockaddr*) &connectInfo.addr, sizeof(connectInfo.addr),
242                         addrstr, sizeof(addrstr), portstr, sizeof(portstr),
243                         NI_NUMERICHOST | NI_NUMERICSERV);
244 
245                 netdEventListener->onConnectEvent(fwmark.netId, connectInfo.error,
246                         connectInfo.latencyMs,
247                         (ret == 0) ? String16(addrstr) : String16(""),
248                         (ret == 0) ? strtoul(portstr, nullptr, 10) : 0, client->getUid());
249             }
250             break;
251         }
252 
253         case FwmarkCommand::ON_SENDMMSG:
254         case FwmarkCommand::ON_SENDMSG:
255         case FwmarkCommand::ON_SENDTO: {
256             return 0;
257         }
258 
259         case FwmarkCommand::SELECT_NETWORK: {
260             fwmark.netId = command.netId;
261             if (command.netId == NETID_UNSET) {
262                 fwmark.explicitlySelected = false;
263                 fwmark.protectedFromVpn = false;
264                 permission = PERMISSION_NONE;
265             } else {
266                 if (int ret = mNetworkController->checkUserNetworkAccess(client->getUid(),
267                                                                          command.netId)) {
268                     return ret;
269                 }
270                 fwmark.explicitlySelected = true;
271                 fwmark.protectedFromVpn = mNetworkController->canProtect(client->getUid());
272             }
273             break;
274         }
275 
276         case FwmarkCommand::PROTECT_FROM_VPN: {
277             if (!mNetworkController->canProtect(client->getUid())) {
278                 return -EPERM;
279             }
280             // If a bypassable VPN's provider app calls connect() and then protect(), it will end up
281             // with a socket that looks like that of a system proxy but is not (see comments for
282             // ON_CONNECT above). So, reset the NetId.
283             //
284             // In any case, it's appropriate that if the socket has an implicit VPN NetId mark, the
285             // PROTECT_FROM_VPN command should unset it.
286             if (!fwmark.explicitlySelected && mNetworkController->isVirtualNetwork(fwmark.netId)) {
287                 fwmark.netId = mNetworkController->getDefaultNetwork();
288             }
289             fwmark.protectedFromVpn = true;
290             permission = static_cast<Permission>(permission | fwmark.permission);
291             break;
292         }
293 
294         case FwmarkCommand::SELECT_FOR_USER: {
295             if ((permission & PERMISSION_SYSTEM) != PERMISSION_SYSTEM) {
296                 return -EPERM;
297             }
298             fwmark.netId = mNetworkController->getNetworkForUser(command.uid);
299             fwmark.protectedFromVpn = true;
300             break;
301         }
302 
303         case FwmarkCommand::TAG_SOCKET: {
304             // If the UID is -1, tag as the caller's UID:
305             //  - TrafficStats and NetworkManagementSocketTagger use -1 to indicate "use the
306             //    caller's UID".
307             //  - xt_qtaguid will see -1 on the command line, fail to parse it as a uint32_t, and
308             //    fall back to current_fsuid().
309             if (static_cast<int>(command.uid) == -1) {
310                 command.uid = client->getUid();
311             }
312             return mTrafficCtrl->tagSocket(*socketFd, command.trafficCtrlInfo, command.uid,
313                                            client->getUid());
314         }
315 
316         case FwmarkCommand::UNTAG_SOCKET: {
317             // Any process can untag a socket it has an fd for.
318             return mTrafficCtrl->untagSocket(*socketFd);
319         }
320 
321         default: {
322             // unknown command
323             return -EPROTO;
324         }
325     }
326 
327     fwmark.permission = permission;
328 
329     if (setsockopt(*socketFd, SOL_SOCKET, SO_MARK, &fwmark.intValue,
330                    sizeof(fwmark.intValue)) == -1) {
331         return -errno;
332     }
333 
334     return 0;
335 }
336 
337 }  // namespace net
338 }  // namespace android
339