Gitiles
Code Review Sign In
review.blissroms.org / packages_modules_Connectivity / 0ea3bdc88bce6b71e5dfd9bbb2f5db62ccc81c54 / . / service / src / com / android / server / BpfNetMaps.java
blob: bc63eef698c08e2f6e1606cf93e5d85f71534343 [file] [log] [blame]
Wayne Ma0ea3bdc2022-01-12 01:12:11 +0800[diff] [blame^]1/*
2 * Copyright (C) 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package com.android.server;
18
19import android.os.ServiceSpecificException;
20import android.system.Os;
21import android.util.Log;
22
23/**
24 * BpfNetMaps is responsible for providing traffic controller relevant functionality.
25 *
26 * {@hide}
27 */
28public class BpfNetMaps {
29 private static final String TAG = "BpfNetMaps";
30
31 /**
32 * Add naughty app bandwidth rule for specific app
33 *
34 * @param uid uid of target app
35 * @throws ServiceSpecificException in case of failure, with an error code indicating the
36 * cause of the failure.
37 */
38 public void addNaughtyApp(final int uid) {
39 final int err = native_addNaughtyApp(uid);
40 if (err != 0) {
41 throw new ServiceSpecificException(-err, "Unable to add naughty app: "
42 + Os.strerror(-err));
43 }
44 }
45
46 /**
47 * Remove naughty app bandwidth rule for specific app
48 *
49 * @param uid uid of target app
50 * @throws ServiceSpecificException in case of failure, with an error code indicating the
51 * cause of the failure.
52 */
53 public void removeNaughtyApp(final int uid) {
54 final int err = native_removeNaughtyApp(uid);
55 if (err != 0) {
56 throw new ServiceSpecificException(-err, "Unable to remove naughty app: "
57 + Os.strerror(-err));
58 }
59 }
60
61 /**
62 * Add nice app bandwidth rule for specific app
63 *
64 * @param uid uid of target app
65 * @throws ServiceSpecificException in case of failure, with an error code indicating the
66 * cause of the failure.
67 */
68 public void addNiceApp(final int uid) {
69 final int err = native_addNiceApp(uid);
70 if (err != 0) {
71 throw new ServiceSpecificException(-err, "Unable to add nice app: "
72 + Os.strerror(-err));
73 }
74 }
75
76 /**
77 * Remove nice app bandwidth rule for specific app
78 *
79 * @param uid uid of target app
80 * @throws ServiceSpecificException in case of failure, with an error code indicating the
81 * cause of the failure.
82 */
83 public void removeNiceApp(final int uid) {
84 final int err = native_removeNiceApp(uid);
85 if (err != 0) {
86 throw new ServiceSpecificException(-err, "Unable to remove nice app: "
87 + Os.strerror(-err));
88 }
89 }
90
91 /**
92 * Set target firewall child chain
93 *
94 * @param childChain target chain to enable
95 * @param enable whether to enable or disable child chain.
96 * @throws ServiceSpecificException in case of failure, with an error code indicating the
97 * cause of the failure.
98 */
99 public void setChildChain(final int childChain, final boolean enable) {
100 final int err = native_setChildChain(childChain, enable);
101 if (err != 0) {
102 throw new ServiceSpecificException(-err, "Unable to set child chain: "
103 + Os.strerror(-err));
104 }
105 }
106
107 /**
108 * Replaces the contents of the specified UID-based firewall chain.
109 *
110 * The chain may be an allowlist chain or a denylist chain. A denylist chain contains DROP
111 * rules for the specified UIDs and a RETURN rule at the end. An allowlist chain contains RETURN
112 * rules for the system UID range (0 to {@code UID_APP} - 1), RETURN rules for for the specified
113 * UIDs, and a DROP rule at the end. The chain will be created if it does not exist.
114 *
115 * @param chainName The name of the chain to replace.
116 * @param isAllowlist Whether this is an allowlist or denylist chain.
117 * @param uids The list of UIDs to allow/deny.
118 * @return true if the chain was successfully replaced, false otherwise.
119 */
120 public int replaceUidChain(final String chainName, final boolean isAllowlist,
121 final int[] uids) {
122 final int err = native_replaceUidChain(chainName, isAllowlist, uids);
123 if (err != 0) {
124 Log.e(TAG, "replaceUidChain failed: " + Os.strerror(-err));
125 }
126 return -err;
127 }
128
129 /**
130 * Set firewall rule for uid
131 *
132 * @param childChain target chain
133 * @param uid uid to allow/deny
134 * @param firewallRule either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY
135 * @throws ServiceSpecificException in case of failure, with an error code indicating the
136 * cause of the failure.
137 */
138 public void setUidRule(final int childChain, final int uid,
139 final int firewallRule) {
140 final int err = native_setUidRule(childChain, uid, firewallRule);
141 if (err != 0) {
142 throw new ServiceSpecificException(-err, "Unable to set uid rule: "
143 + Os.strerror(-err));
144 }
145 }
146
147 /**
148 * Add ingress interface filtering rules to a list of UIDs
149 *
150 * For a given uid, once a filtering rule is added, the kernel will only allow packets from the
151 * allowed interface and loopback to be sent to the list of UIDs.
152 *
153 * Calling this method on one or more UIDs with an existing filtering rule but a different
154 * interface name will result in the filtering rule being updated to allow the new interface
155 * instead. Otherwise calling this method will not affect existing rules set on other UIDs.
156 *
157 * @param ifName the name of the interface on which the filtering rules will allow packets to
158 be received.
159 * @param uids an array of UIDs which the filtering rules will be set
160 * @throws ServiceSpecificException in case of failure, with an error code indicating the
161 * cause of the failure.
162 */
163 public void addUidInterfaceRules(final String ifName, final int[] uids) {
164 final int err = native_addUidInterfaceRules(ifName, uids);
165 if (err != 0) {
166 throw new ServiceSpecificException(-err, "Unable to add uid interface rules: "
167 + Os.strerror(-err));
168 }
169 }
170
171 /**
172 * Remove ingress interface filtering rules from a list of UIDs
173 *
174 * Clear the ingress interface filtering rules from the list of UIDs which were previously set
175 * by addUidInterfaceRules(). Ignore any uid which does not have filtering rule.
176 *
177 * @param uids an array of UIDs from which the filtering rules will be removed
178 * @throws ServiceSpecificException in case of failure, with an error code indicating the
179 * cause of the failure.
180 */
181 public void removeUidInterfaceRules(final int[] uids) {
182 final int err = native_removeUidInterfaceRules(uids);
183 if (err != 0) {
184 throw new ServiceSpecificException(-err, "Unable to remove uid interface rules: "
185 + Os.strerror(-err));
186 }
187 }
188
189 /**
190 * Request netd to change the current active network stats map.
191 * @throws ServiceSpecificException in case of failure, with an error code indicating the
192 * cause of the failure.
193 */
194 public void swapActiveStatsMap() {
195 final int err = native_swapActiveStatsMap();
196 if (err != 0) {
197 throw new ServiceSpecificException(-err, "Unable to swap active stats map: "
198 + Os.strerror(-err));
199 }
200 }
201
202 /**
203 * Assigns android.permission.INTERNET and/or android.permission.UPDATE_DEVICE_STATS to the uids
204 * specified. Or remove all permissions from the uids.
205 *
206 * @param permission The permission to grant, it could be either PERMISSION_INTERNET and/or
207 * PERMISSION_UPDATE_DEVICE_STATS. If the permission is NO_PERMISSIONS, then
208 * revoke all permissions for the uids.
209 * @param uids uid of users to grant permission
210 */
211 public void setNetPermForUids(final int permission, final int[] uids) {
212 native_setPermissionForUids(permission, uids);
213 }
214
215 /**
216 * Set counter set for uid
217 *
218 * @param counterSet either SET_DEFAULT or SET_FOREGROUND
219 * @param uid uid to foreground/background
220 */
221 public int setCounterSet(final int counterSet, final int uid) {
222 final int err = native_setCounterSet(counterSet, uid);
223 if (err != 0) {
224 Log.e(TAG, "setCounterSet failed: " + Os.strerror(-err));
225 }
226 return -err;
227 }
228
229 /**
230 * Reset Uid stats
231 * @param tag default 0
232 * @param uid given uid to be clear
233 */
234 public int deleteTagData(final int tag, final int uid) {
235 final int err = native_deleteTagData(tag, uid);
236 if (err != 0) {
237 Log.e(TAG, "deleteTagData failed: " + Os.strerror(-err));
238 }
239 return -err;
240 }
241
242 private native int native_addNaughtyApp(int uid);
243 private native int native_removeNaughtyApp(int uid);
244 private native int native_addNiceApp(int uid);
245 private native int native_removeNiceApp(int uid);
246 private native int native_setChildChain(int childChain, boolean enable);
247 private native int native_replaceUidChain(String name, boolean isAllowlist, int[] uids);
248 private native int native_setUidRule(int childChain, int uid, int firewallRule);
249 private native int native_addUidInterfaceRules(String ifName, int[] uids);
250 private native int native_removeUidInterfaceRules(int[] uids);
251 private native int native_swapActiveStatsMap();
252 private native void native_setPermissionForUids(int permission, int[] uids);
253 private native int native_setCounterSet(int counterSet, int uid);
254 private native int native_deleteTagData(int tag, int uid);
255}