Gitiles
Code Review Sign In
review.blissroms.org / packages_modules_Connectivity / 790c83e38799cdeb332c8210f95f846cdc2f0355 / . / service / src / com / android / server / BpfNetMaps.java
blob: a6909c079defdbb9f34968a82c3a35cf85160a08 [file] [log] [blame]
Wayne Ma0ea3bdc2022-01-12 01:12:11 +0800[diff] [blame]1/*
2 * Copyright (C) 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package com.android.server;
18
19import android.os.ServiceSpecificException;
20import android.system.Os;
21import android.util.Log;
22
23/**
24 * BpfNetMaps is responsible for providing traffic controller relevant functionality.
25 *
26 * {@hide}
27 */
28public class BpfNetMaps {
29 private static final String TAG = "BpfNetMaps";
30
Wayne Ma790c83e2022-01-13 10:35:05 +0800[diff] [blame^]31 static {
32 System.loadLibrary("traffic_controller_jni");
33 native_init();
34 }
35
Wayne Ma0ea3bdc2022-01-12 01:12:11 +0800[diff] [blame]36 /**
37 * Add naughty app bandwidth rule for specific app
38 *
39 * @param uid uid of target app
40 * @throws ServiceSpecificException in case of failure, with an error code indicating the
41 * cause of the failure.
42 */
43 public void addNaughtyApp(final int uid) {
44 final int err = native_addNaughtyApp(uid);
45 if (err != 0) {
46 throw new ServiceSpecificException(-err, "Unable to add naughty app: "
47 + Os.strerror(-err));
48 }
49 }
50
51 /**
52 * Remove naughty app bandwidth rule for specific app
53 *
54 * @param uid uid of target app
55 * @throws ServiceSpecificException in case of failure, with an error code indicating the
56 * cause of the failure.
57 */
58 public void removeNaughtyApp(final int uid) {
59 final int err = native_removeNaughtyApp(uid);
60 if (err != 0) {
61 throw new ServiceSpecificException(-err, "Unable to remove naughty app: "
62 + Os.strerror(-err));
63 }
64 }
65
66 /**
67 * Add nice app bandwidth rule for specific app
68 *
69 * @param uid uid of target app
70 * @throws ServiceSpecificException in case of failure, with an error code indicating the
71 * cause of the failure.
72 */
73 public void addNiceApp(final int uid) {
74 final int err = native_addNiceApp(uid);
75 if (err != 0) {
76 throw new ServiceSpecificException(-err, "Unable to add nice app: "
77 + Os.strerror(-err));
78 }
79 }
80
81 /**
82 * Remove nice app bandwidth rule for specific app
83 *
84 * @param uid uid of target app
85 * @throws ServiceSpecificException in case of failure, with an error code indicating the
86 * cause of the failure.
87 */
88 public void removeNiceApp(final int uid) {
89 final int err = native_removeNiceApp(uid);
90 if (err != 0) {
91 throw new ServiceSpecificException(-err, "Unable to remove nice app: "
92 + Os.strerror(-err));
93 }
94 }
95
96 /**
97 * Set target firewall child chain
98 *
99 * @param childChain target chain to enable
100 * @param enable whether to enable or disable child chain.
101 * @throws ServiceSpecificException in case of failure, with an error code indicating the
102 * cause of the failure.
103 */
104 public void setChildChain(final int childChain, final boolean enable) {
105 final int err = native_setChildChain(childChain, enable);
106 if (err != 0) {
107 throw new ServiceSpecificException(-err, "Unable to set child chain: "
108 + Os.strerror(-err));
109 }
110 }
111
112 /**
113 * Replaces the contents of the specified UID-based firewall chain.
114 *
115 * The chain may be an allowlist chain or a denylist chain. A denylist chain contains DROP
116 * rules for the specified UIDs and a RETURN rule at the end. An allowlist chain contains RETURN
117 * rules for the system UID range (0 to {@code UID_APP} - 1), RETURN rules for for the specified
118 * UIDs, and a DROP rule at the end. The chain will be created if it does not exist.
119 *
120 * @param chainName The name of the chain to replace.
121 * @param isAllowlist Whether this is an allowlist or denylist chain.
122 * @param uids The list of UIDs to allow/deny.
123 * @return true if the chain was successfully replaced, false otherwise.
124 */
125 public int replaceUidChain(final String chainName, final boolean isAllowlist,
126 final int[] uids) {
127 final int err = native_replaceUidChain(chainName, isAllowlist, uids);
128 if (err != 0) {
129 Log.e(TAG, "replaceUidChain failed: " + Os.strerror(-err));
130 }
131 return -err;
132 }
133
134 /**
135 * Set firewall rule for uid
136 *
137 * @param childChain target chain
138 * @param uid uid to allow/deny
139 * @param firewallRule either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY
140 * @throws ServiceSpecificException in case of failure, with an error code indicating the
141 * cause of the failure.
142 */
143 public void setUidRule(final int childChain, final int uid,
144 final int firewallRule) {
145 final int err = native_setUidRule(childChain, uid, firewallRule);
146 if (err != 0) {
147 throw new ServiceSpecificException(-err, "Unable to set uid rule: "
148 + Os.strerror(-err));
149 }
150 }
151
152 /**
153 * Add ingress interface filtering rules to a list of UIDs
154 *
155 * For a given uid, once a filtering rule is added, the kernel will only allow packets from the
156 * allowed interface and loopback to be sent to the list of UIDs.
157 *
158 * Calling this method on one or more UIDs with an existing filtering rule but a different
159 * interface name will result in the filtering rule being updated to allow the new interface
160 * instead. Otherwise calling this method will not affect existing rules set on other UIDs.
161 *
162 * @param ifName the name of the interface on which the filtering rules will allow packets to
163 be received.
164 * @param uids an array of UIDs which the filtering rules will be set
165 * @throws ServiceSpecificException in case of failure, with an error code indicating the
166 * cause of the failure.
167 */
168 public void addUidInterfaceRules(final String ifName, final int[] uids) {
169 final int err = native_addUidInterfaceRules(ifName, uids);
170 if (err != 0) {
171 throw new ServiceSpecificException(-err, "Unable to add uid interface rules: "
172 + Os.strerror(-err));
173 }
174 }
175
176 /**
177 * Remove ingress interface filtering rules from a list of UIDs
178 *
179 * Clear the ingress interface filtering rules from the list of UIDs which were previously set
180 * by addUidInterfaceRules(). Ignore any uid which does not have filtering rule.
181 *
182 * @param uids an array of UIDs from which the filtering rules will be removed
183 * @throws ServiceSpecificException in case of failure, with an error code indicating the
184 * cause of the failure.
185 */
186 public void removeUidInterfaceRules(final int[] uids) {
187 final int err = native_removeUidInterfaceRules(uids);
188 if (err != 0) {
189 throw new ServiceSpecificException(-err, "Unable to remove uid interface rules: "
190 + Os.strerror(-err));
191 }
192 }
193
194 /**
195 * Request netd to change the current active network stats map.
196 * @throws ServiceSpecificException in case of failure, with an error code indicating the
197 * cause of the failure.
198 */
199 public void swapActiveStatsMap() {
200 final int err = native_swapActiveStatsMap();
201 if (err != 0) {
202 throw new ServiceSpecificException(-err, "Unable to swap active stats map: "
203 + Os.strerror(-err));
204 }
205 }
206
207 /**
208 * Assigns android.permission.INTERNET and/or android.permission.UPDATE_DEVICE_STATS to the uids
209 * specified. Or remove all permissions from the uids.
210 *
211 * @param permission The permission to grant, it could be either PERMISSION_INTERNET and/or
212 * PERMISSION_UPDATE_DEVICE_STATS. If the permission is NO_PERMISSIONS, then
213 * revoke all permissions for the uids.
214 * @param uids uid of users to grant permission
215 */
216 public void setNetPermForUids(final int permission, final int[] uids) {
217 native_setPermissionForUids(permission, uids);
218 }
219
220 /**
221 * Set counter set for uid
222 *
223 * @param counterSet either SET_DEFAULT or SET_FOREGROUND
224 * @param uid uid to foreground/background
225 */
226 public int setCounterSet(final int counterSet, final int uid) {
227 final int err = native_setCounterSet(counterSet, uid);
228 if (err != 0) {
229 Log.e(TAG, "setCounterSet failed: " + Os.strerror(-err));
230 }
231 return -err;
232 }
233
234 /**
235 * Reset Uid stats
236 * @param tag default 0
237 * @param uid given uid to be clear
238 */
239 public int deleteTagData(final int tag, final int uid) {
240 final int err = native_deleteTagData(tag, uid);
241 if (err != 0) {
242 Log.e(TAG, "deleteTagData failed: " + Os.strerror(-err));
243 }
244 return -err;
245 }
246
Wayne Ma790c83e2022-01-13 10:35:05 +0800[diff] [blame^]247 private static native void native_init();
Wayne Ma0ea3bdc2022-01-12 01:12:11 +0800[diff] [blame]248 private native int native_addNaughtyApp(int uid);
249 private native int native_removeNaughtyApp(int uid);
250 private native int native_addNiceApp(int uid);
251 private native int native_removeNiceApp(int uid);
252 private native int native_setChildChain(int childChain, boolean enable);
253 private native int native_replaceUidChain(String name, boolean isAllowlist, int[] uids);
254 private native int native_setUidRule(int childChain, int uid, int firewallRule);
255 private native int native_addUidInterfaceRules(String ifName, int[] uids);
256 private native int native_removeUidInterfaceRules(int[] uids);
257 private native int native_swapActiveStatsMap();
258 private native void native_setPermissionForUids(int permission, int[] uids);
259 private native int native_setCounterSet(int counterSet, int uid);
260 private native int native_deleteTagData(int tag, int uid);
261}