service/jni/com_android_server_BpfNetMaps.cpp

/*
 * Copyright (C) 2022 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#define LOG_TAG "TrafficControllerJni"

#include "TrafficController.h"

#include <bpf_shared.h>
#include <jni.h>
#include <log/log.h>
#include <nativehelper/JNIHelp.h>
#include <nativehelper/ScopedUtfChars.h>
#include <nativehelper/ScopedPrimitiveArray.h>
#include <netjniutils/netjniutils.h>
#include <net/if.h>
#include <private/android_filesystem_config.h>
#include <unistd.h>
#include <vector>


using android::net::TrafficController;
using android::netdutils::Status;

using UidOwnerMatchType::PENALTY_BOX_MATCH;
using UidOwnerMatchType::HAPPY_BOX_MATCH;

static android::net::TrafficController mTc;

namespace android {

#define CHECK_LOG(status) \
  do { \
    if (!isOk(status)) \
      ALOGE("%s failed, error code = %d", __func__, status.code()); \
  } while (0)

static void native_init(JNIEnv* env, jclass clazz) {
  Status status = mTc.start();
  CHECK_LOG(status);
  if (!isOk(status)) {
    uid_t uid = getuid();
    ALOGE("BpfNetMaps jni init failure as uid=%d", uid);
    // TODO: Fix tests to not use this jni lib, so we can unconditionally abort()
    if (uid == AID_SYSTEM || uid == AID_NETWORK_STACK) abort();
  }
}

static jint native_addNaughtyApp(JNIEnv* env, jobject self, jint uid) {
  const uint32_t appUids = static_cast<uint32_t>(abs(uid));
  Status status = mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH,
      TrafficController::IptOp::IptOpInsert);
  CHECK_LOG(status);
  return (jint)status.code();
}

static jint native_removeNaughtyApp(JNIEnv* env, jobject self, jint uid) {
  const uint32_t appUids = static_cast<uint32_t>(abs(uid));
  Status status = mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH,
      TrafficController::IptOp::IptOpDelete);
  CHECK_LOG(status);
  return (jint)status.code();
}

static jint native_addNiceApp(JNIEnv* env, jobject self, jint uid) {
  const uint32_t appUids = static_cast<uint32_t>(abs(uid));
  Status status = mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH,
      TrafficController::IptOp::IptOpInsert);
  CHECK_LOG(status);
  return (jint)status.code();
}

static jint native_removeNiceApp(JNIEnv* env, jobject self, jint uid) {
  const uint32_t appUids = static_cast<uint32_t>(abs(uid));
  Status status = mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH,
      TrafficController::IptOp::IptOpDelete);
  CHECK_LOG(status);
  return (jint)status.code();
}

static jint native_replaceUidChain(JNIEnv* env, jobject self, jstring name, jboolean isAllowlist,
                                   jintArray jUids) {
    const ScopedUtfChars chainNameUtf8(env, name);
    if (chainNameUtf8.c_str() == nullptr) return -EINVAL;
    const std::string chainName(chainNameUtf8.c_str());

    ScopedIntArrayRO uids(env, jUids);
    if (uids.get() == nullptr) return -EINVAL;

    size_t size = uids.size();
    static_assert(sizeof(*(uids.get())) == sizeof(int32_t));
    std::vector<int32_t> data ((int32_t *)&uids[0], (int32_t*)&uids[size]);
    int res = mTc.replaceUidOwnerMap(chainName, isAllowlist, data);
    if (res) ALOGE("%s failed, error code = %d", __func__, res);
    return (jint)res;
}

static jint native_setUidRule(JNIEnv* env, jobject self, jint childChain, jint uid,
                              jint firewallRule) {
    auto chain = static_cast<ChildChain>(childChain);
    auto rule = static_cast<FirewallRule>(firewallRule);
    FirewallType fType = mTc.getFirewallType(chain);

    int res = mTc.changeUidOwnerRule(chain, uid, rule, fType);
    if (res) ALOGE("%s failed, error code = %d", __func__, res);
    return (jint)res;
}

static jint native_addUidInterfaceRules(JNIEnv* env, jobject self, jstring ifName,
                                        jintArray jUids) {
    // Null ifName is a wildcard to allow apps to receive packets on all interfaces and ifIndex is
    // set to 0.
    int ifIndex = 0;
    if (ifName != nullptr) {
        const ScopedUtfChars ifNameUtf8(env, ifName);
        const std::string interfaceName(ifNameUtf8.c_str());
        ifIndex = if_nametoindex(interfaceName.c_str());
    }

    ScopedIntArrayRO uids(env, jUids);
    if (uids.get() == nullptr) return -EINVAL;

    size_t size = uids.size();
    static_assert(sizeof(*(uids.get())) == sizeof(int32_t));
    std::vector<int32_t> data ((int32_t *)&uids[0], (int32_t*)&uids[size]);
    Status status = mTc.addUidInterfaceRules(ifIndex, data);
    CHECK_LOG(status);
    return (jint)status.code();
}

static jint native_removeUidInterfaceRules(JNIEnv* env, jobject self, jintArray jUids) {
    ScopedIntArrayRO uids(env, jUids);
    if (uids.get() == nullptr) return -EINVAL;

    size_t size = uids.size();
    static_assert(sizeof(*(uids.get())) == sizeof(int32_t));
    std::vector<int32_t> data ((int32_t *)&uids[0], (int32_t*)&uids[size]);
    Status status = mTc.removeUidInterfaceRules(data);
    CHECK_LOG(status);
    return (jint)status.code();
}

static jint native_updateUidLockdownRule(JNIEnv* env, jobject self, jint uid, jboolean add) {
    Status status = mTc.updateUidLockdownRule(uid, add);
    CHECK_LOG(status);
    return (jint)status.code();
}

static jint native_swapActiveStatsMap(JNIEnv* env, jobject self) {
    Status status = mTc.swapActiveStatsMap();
    CHECK_LOG(status);
    return (jint)status.code();
}

static void native_setPermissionForUids(JNIEnv* env, jobject self, jint permission,
                                        jintArray jUids) {
    ScopedIntArrayRO uids(env, jUids);
    if (uids.get() == nullptr) return;

    size_t size = uids.size();
    static_assert(sizeof(*(uids.get())) == sizeof(uid_t));
    std::vector<uid_t> data ((uid_t *)&uids[0], (uid_t*)&uids[size]);
    mTc.setPermissionForUids(permission, data);
}

static void native_dump(JNIEnv* env, jobject self, jobject javaFd, jboolean verbose) {
    int fd = netjniutils::GetNativeFileDescriptor(env, javaFd);
    if (fd < 0) {
        jniThrowExceptionFmt(env, "java/io/IOException", "Invalid file descriptor");
        return;
    }
    mTc.dump(fd, verbose);
}

/*
 * JNI registration.
 */
// clang-format off
static const JNINativeMethod gMethods[] = {
    /* name, signature, funcPtr */
    {"native_init", "()V",
    (void*)native_init},
    {"native_addNaughtyApp", "(I)I",
    (void*)native_addNaughtyApp},
    {"native_removeNaughtyApp", "(I)I",
    (void*)native_removeNaughtyApp},
    {"native_addNiceApp", "(I)I",
    (void*)native_addNiceApp},
    {"native_removeNiceApp", "(I)I",
    (void*)native_removeNiceApp},
    {"native_replaceUidChain", "(Ljava/lang/String;Z[I)I",
    (void*)native_replaceUidChain},
    {"native_setUidRule", "(III)I",
    (void*)native_setUidRule},
    {"native_addUidInterfaceRules", "(Ljava/lang/String;[I)I",
    (void*)native_addUidInterfaceRules},
    {"native_removeUidInterfaceRules", "([I)I",
    (void*)native_removeUidInterfaceRules},
    {"native_updateUidLockdownRule", "(IZ)I",
    (void*)native_updateUidLockdownRule},
    {"native_swapActiveStatsMap", "()I",
    (void*)native_swapActiveStatsMap},
    {"native_setPermissionForUids", "(I[I)V",
    (void*)native_setPermissionForUids},
    {"native_dump", "(Ljava/io/FileDescriptor;Z)V",
    (void*)native_dump},
};
// clang-format on

int register_com_android_server_BpfNetMaps(JNIEnv* env) {
    return jniRegisterNativeMethods(env, "com/android/server/BpfNetMaps",
                                    gMethods, NELEM(gMethods));
}

}; // namespace android