Merge tag 'android-7.1.1_r4' into cm-14.1

Android 7.1.1 release 4 # gpg: Signature made Thu Dec 1 13:07:11 2016 CST # gpg: using DSA key E8AD3F819AB10E78 # gpg: Can't check signature: No public key
CyanogenMod · Dec 6, 2016 · 5615983 · 5615983
2 parents a97730b + 1f28b64
commit 5615983
Show file tree

Hide file tree

Showing 14 changed files with 389 additions and 23 deletions.
diff --git a/include/Permission.h b/include/Permission.h
@@ -39,4 +39,14 @@ enum Permission {
     PERMISSION_SYSTEM  = 0x3,  // Includes PERMISSION_NETWORK.
 };
 
+inline const char *permissionToName(Permission permission) {
+    switch (permission) {
+        case PERMISSION_NONE:    return "NONE";
+        case PERMISSION_NETWORK: return "NETWORK";
+        case PERMISSION_SYSTEM:  return "SYSTEM";
+        // No default statement. We want to see errors of the form:
+        // "enumeration value 'PERMISSION_SYSTEM' not handled in switch [-Werror,-Wswitch]".
+    }
+}
+
 #endif  // NETD_INCLUDE_PERMISSION_H
diff --git a/server/InterfaceController.cpp b/server/InterfaceController.cpp
@@ -17,6 +17,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <malloc.h>
+#include <sys/socket.h>
 
 #define LOG_TAG "InterfaceController"
 #include <android-base/file.h>
@@ -29,6 +30,7 @@
 #include "RouteController.h"
 
 using android::base::StringPrintf;
+using android::base::ReadFileToString;
 using android::base::WriteStringToFile;
 
 namespace {
@@ -39,15 +41,25 @@ const char ipv4_neigh_conf_dir[] = "/proc/sys/net/ipv4/neigh";
 
 const char ipv6_neigh_conf_dir[] = "/proc/sys/net/ipv6/neigh";
 
+const char proc_net_path[] = "/proc/sys/net";
 const char sys_net_path[] = "/sys/class/net";
 
 const char wl_util_path[] = "/vendor/xbin/wlutil";
 
-bool isInterfaceName(const char *name) {
-    return strcmp(name, ".") &&
-            strcmp(name, "..") &&
-            strcmp(name, "default") &&
-            strcmp(name, "all");
+inline bool isNormalPathComponent(const char *component) {
+    return (strcmp(component, ".") != 0) &&
+           (strcmp(component, "..") != 0) &&
+           (strchr(component, '/') == nullptr);
+}
+
+inline bool isAddressFamilyPathComponent(const char *component) {
+    return strcmp(component, "ipv4") == 0 || strcmp(component, "ipv6") == 0;
+}
+
+inline bool isInterfaceName(const char *name) {
+    return isNormalPathComponent(name) &&
+           (strcmp(name, "default") != 0) &&
+           (strcmp(name, "all") != 0);
 }
 
 int writeValueToPath(
@@ -81,6 +93,21 @@ void setIPv6UseOutgoingInterfaceAddrsOnly(const char *value) {
     setOnAllInterfaces(ipv6_proc_path, "use_oif_addrs_only", value);
 }
 
+std::string getParameterPathname(
+        const char *family, const char *which, const char *interface, const char *parameter) {
+    if (!isAddressFamilyPathComponent(family)) {
+        errno = EAFNOSUPPORT;
+        return "";
+    } else if (!isNormalPathComponent(which) ||
+               !isInterfaceName(interface) ||
+               !isNormalPathComponent(parameter)) {
+        errno = EINVAL;
+        return "";
+    }
+
+    return StringPrintf("%s/%s/%s/%s/%s", proc_net_path, family, which, interface, parameter);
+}
+
 }  // namespace
 
 void InterfaceController::initializeAll() {
@@ -201,7 +228,6 @@ int InterfaceController::setMtu(const char *interface, const char *mtu)
     return writeValueToPath(sys_net_path, interface, "mtu", mtu);
 }
 
-
 int InterfaceController::addAddress(const char *interface,
         const char *addrString, int prefixLength) {
     return ifc_add_address(interface, addrString, prefixLength);
@@ -212,6 +238,26 @@ int InterfaceController::delAddress(const char *interface,
     return ifc_del_address(interface, addrString, prefixLength);
 }
 
+int InterfaceController::getParameter(
+        const char *family, const char *which, const char *interface, const char *parameter,
+        std::string *value) {
+    const std::string path(getParameterPathname(family, which, interface, parameter));
+    if (path.empty()) {
+        return -errno;
+    }
+    return ReadFileToString(path, value) ? 0 : -errno;
+}
+
+int InterfaceController::setParameter(
+        const char *family, const char *which, const char *interface, const char *parameter,
+        const char *value) {
+    const std::string path(getParameterPathname(family, which, interface, parameter));
+    if (path.empty()) {
+        return -errno;
+    }
+    return WriteStringToFile(value, path) ? 0 : -errno;
+}
+
 void InterfaceController::setBaseReachableTimeMs(unsigned int millis) {
     std::string value(StringPrintf("%u", millis));
     setOnAllInterfaces(ipv4_neigh_conf_dir, "base_reachable_time_ms", value.c_str());

diff --git a/server/InterfaceController.h b/server/InterfaceController.h
@@ -17,6 +17,8 @@
 #ifndef _INTERFACE_CONTROLLER_H
 #define _INTERFACE_CONTROLLER_H
 
+#include <string>
+
 class InterfaceController {
 public:
     static void initializeAll();
@@ -31,6 +33,15 @@ class InterfaceController {
     static int addAddress(const char *interface, const char *addrString, int prefixLength);
     static int delAddress(const char *interface, const char *addrString, int prefixLength);
 
+    // Read and write values in files of the form:
+    //     /proc/sys/net/<family>/<which>/<interface>/<parameter>
+    static int getParameter(
+            const char *family, const char *which, const char *interface, const char *parameter,
+            std::string *value);
+    static int setParameter(
+            const char *family, const char *which, const char *interface, const char *parameter,
+            const char *value);
+
 private:
     static void setAcceptRA(const char* value);
     static void setAcceptRARouteTable(int tableOrOffset);

diff --git a/server/NatController.cpp b/server/NatController.cpp
@@ -376,8 +376,7 @@ int NatController::setForwardRules(bool add, const char *intIface, const char *e
         goto err_return;
     }
 
-    // STOPSHIP: Make this an error.
-    if (runCmd(ARRAY_SIZE(cmd4), cmd4) && add && false /* STOPSHIP */) {
+    if (runCmd(ARRAY_SIZE(cmd4), cmd4) && add) {
         rc = -1;
         goto err_rpfilter;
     }

diff --git a/server/NetdNativeService.cpp b/server/NetdNativeService.cpp
@@ -29,6 +29,7 @@
 
 #include "Controllers.h"
 #include "DumpWriter.h"
+#include "InterfaceController.h"
 #include "NetdConstants.h"
 #include "NetdNativeService.h"
 #include "RouteController.h"
@@ -235,5 +236,44 @@ binder::Status NetdNativeService::interfaceDelAddress(const std::string &ifName,
     return binder::Status::ok();
 }
 
+binder::Status NetdNativeService::setProcSysNet(
+        int32_t family, int32_t which, const std::string &ifname, const std::string &parameter,
+        const std::string &value) {
+    ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
+
+    const char *familyStr;
+    switch (family) {
+        case INetd::IPV4:
+            familyStr = "ipv4";
+            break;
+        case INetd::IPV6:
+            familyStr = "ipv6";
+            break;
+        default:
+            return binder::Status::fromServiceSpecificError(EAFNOSUPPORT, String8("Bad family"));
+    }
+
+    const char *whichStr;
+    switch (which) {
+        case INetd::CONF:
+            whichStr = "conf";
+            break;
+        case INetd::NEIGH:
+            whichStr = "neigh";
+            break;
+        default:
+            return binder::Status::fromServiceSpecificError(EINVAL, String8("Bad category"));
+    }
+
+    const int err = InterfaceController::setParameter(
+            familyStr, whichStr, ifname.c_str(), parameter.c_str(),
+            value.c_str());
+    if (err != 0) {
+        return binder::Status::fromServiceSpecificError(-err,
+                String8::format("ResolverController error: %s", strerror(-err)));
+    }
+    return binder::Status::ok();
+}
+
 }  // namespace net
 }  // namespace android
diff --git a/server/NetdNativeService.h b/server/NetdNativeService.h
@@ -55,6 +55,10 @@ class NetdNativeService : public BinderService<NetdNativeService>, public BnNetd
             const std::string &addrString, int prefixLength) override;
     binder::Status interfaceDelAddress(const std::string &ifName,
             const std::string &addrString, int prefixLength) override;
+
+    binder::Status setProcSysNet(
+            int32_t family, int32_t which, const std::string &ifname, const std::string &parameter,
+            const std::string &value) override;
 };
 
 }  // namespace net

diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
@@ -453,8 +453,6 @@ int NetworkController::setPermissionForNetworks(Permission permission,
             return -EINVAL;
         }
 
-        // TODO: ioctl(SIOCKILLADDR, ...) to kill socets on the network that don't have permission.
-
         if (int ret = static_cast<PhysicalNetwork*>(network)->setPermission(permission)) {
             return ret;
         }
@@ -538,7 +536,14 @@ void NetworkController::dump(DumpWriter& dw) {
     dw.println("Networks:");
     dw.incIndent();
     for (const auto& i : mNetworks) {
-        dw.println(i.second->toString().c_str());
+        Network* network = i.second;
+        dw.println(network->toString().c_str());
+        if (network->getType() == Network::PHYSICAL) {
+            dw.incIndent();
+            Permission permission = reinterpret_cast<PhysicalNetwork*>(network)->getPermission();
+            dw.println("Required permission: %s", permissionToName(permission));
+            dw.decIndent();
+        }
         android::net::gCtls->resolverCtrl.dump(dw, i.first);
         dw.blankline();
     }

diff --git a/server/PhysicalNetwork.cpp b/server/PhysicalNetwork.cpp
@@ -17,6 +17,7 @@
 #include "PhysicalNetwork.h"
 
 #include "RouteController.h"
+#include "SockDiag.h"
 
 #define LOG_TAG "Netd"
 #include "log/log.h"
@@ -65,10 +66,33 @@ Permission PhysicalNetwork::getPermission() const {
     return mPermission;
 }
 
+int PhysicalNetwork::destroySocketsLackingPermission(Permission permission) {
+    if (permission == PERMISSION_NONE) return 0;
+
+    SockDiag sd;
+    if (!sd.open()) {
+       ALOGE("Error closing sockets for netId %d permission change", mNetId);
+       return -EBADFD;
+    }
+    if (int ret = sd.destroySocketsLackingPermission(mNetId, permission,
+                                                     true /* excludeLoopback */)) {
+        ALOGE("Failed to close sockets changing netId %d to permission %d: %s",
+              mNetId, permission, strerror(-ret));
+        return ret;
+    }
+    return 0;
+}
+
 int PhysicalNetwork::setPermission(Permission permission) {
     if (permission == mPermission) {
         return 0;
     }
+    if (mInterfaces.empty()) {
+        mPermission = permission;
+        return 0;
+    }
+
+    destroySocketsLackingPermission(permission);
     for (const std::string& interface : mInterfaces) {
         if (int ret = RouteController::modifyPhysicalNetworkPermission(mNetId, interface.c_str(),
                                                                        mPermission, permission)) {
@@ -87,6 +111,10 @@ int PhysicalNetwork::setPermission(Permission permission) {
             }
         }
     }
+    // Destroy sockets again in case any were opened after we called destroySocketsLackingPermission
+    // above and before we changed the permissions. These sockets won't be able to send any RST
+    // packets because they are now no longer routed, but at least the apps will get errors.
+    destroySocketsLackingPermission(permission);
     mPermission = permission;
     return 0;
 }

diff --git a/server/PhysicalNetwork.h b/server/PhysicalNetwork.h
@@ -46,6 +46,7 @@ class PhysicalNetwork : public Network {
     Type getType() const override;
     int addInterface(const std::string& interface) override WARN_UNUSED_RESULT;
     int removeInterface(const std::string& interface) override WARN_UNUSED_RESULT;
+    int destroySocketsLackingPermission(Permission permission);
 
     Delegate* const mDelegate;
     Permission mPermission;