1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <ctype.h>
18 #include <errno.h>
19 #include <fcntl.h>
20 #include <netdb.h>
21 #include <net/if.h>
22 #include <netinet/in.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <sys/wait.h>
26 
27 #define LOG_TAG "Netd"
28 
29 #include <android-base/stringprintf.h>
30 #include <cutils/sockets.h>
31 #include <log/log.h>
32 
33 #include "Controllers.h"
34 #include "NetdConstants.h"
35 #include "IptablesRestoreController.h"
36 
execIptablesRestoreWithOutput(IptablesTarget target,const std::string & commands,std::string * output)37 int execIptablesRestoreWithOutput(IptablesTarget target, const std::string& commands,
38                                   std::string *output) {
39     return android::net::gCtls->iptablesRestoreCtrl.execute(target, commands, output);
40 }
41 
execIptablesRestore(IptablesTarget target,const std::string & commands)42 int execIptablesRestore(IptablesTarget target, const std::string& commands) {
43     return execIptablesRestoreWithOutput(target, commands, nullptr);
44 }
45 
execIptablesRestoreCommand(IptablesTarget target,const std::string & table,const std::string & command,std::string * output)46 int execIptablesRestoreCommand(IptablesTarget target, const std::string& table,
47                                const std::string& command, std::string *output) {
48     std::string fullCmd = android::base::StringPrintf("*%s\n%s\nCOMMIT\n", table.c_str(),
49                                                       command.c_str());
50     return execIptablesRestoreWithOutput(target, fullCmd, output);
51 }
52 
53 /*
54  * Check an interface name for plausibility. This should e.g. help against
55  * directory traversal.
56  */
isIfaceName(const std::string & name)57 bool isIfaceName(const std::string& name) {
58     size_t i;
59     if ((name.empty()) || (name.size() > IFNAMSIZ)) {
60         return false;
61     }
62 
63     /* First character must be alphanumeric */
64     if (!isalnum(name[0])) {
65         return false;
66     }
67 
68     for (i = 1; i < name.size(); i++) {
69         if (!isalnum(name[i]) && (name[i] != '_') && (name[i] != '-')
70                 && (name[i] != ':') && (name[i] != '.')) {
71             return false;
72         }
73     }
74 
75     return true;
76 }
77 
parsePrefix(const char * prefix,uint8_t * family,void * address,int size,uint8_t * prefixlen)78 int parsePrefix(const char *prefix, uint8_t *family, void *address, int size, uint8_t *prefixlen) {
79     if (!prefix || !family || !address || !prefixlen) {
80         return -EFAULT;
81     }
82 
83     // Find the '/' separating address from prefix length.
84     const char *slash = strchr(prefix, '/');
85     const char *prefixlenString = slash + 1;
86     if (!slash || !*prefixlenString)
87         return -EINVAL;
88 
89     // Convert the prefix length to a uint8_t.
90     char *endptr;
91     unsigned templen;
92     templen = strtoul(prefixlenString, &endptr, 10);
93     if (*endptr || templen > 255) {
94         return -EINVAL;
95     }
96     *prefixlen = templen;
97 
98     // Copy the address part of the prefix to a local buffer. We have to copy
99     // because inet_pton and getaddrinfo operate on null-terminated address
100     // strings, but prefix is const and has '/' after the address.
101     std::string addressString(prefix, slash - prefix);
102 
103     // Parse the address.
104     addrinfo *res;
105     addrinfo hints = {
106         .ai_flags = AI_NUMERICHOST,
107     };
108     int ret = getaddrinfo(addressString.c_str(), nullptr, &hints, &res);
109     if (ret || !res) {
110         return -EINVAL;  // getaddrinfo return values are not errno values.
111     }
112 
113     // Convert the address string to raw address bytes.
114     void *rawAddress;
115     int rawLength;
116     switch (res[0].ai_family) {
117         case AF_INET: {
118             if (*prefixlen > 32) {
119                 return -EINVAL;
120             }
121             sockaddr_in *sin = (sockaddr_in *) res[0].ai_addr;
122             rawAddress = &sin->sin_addr;
123             rawLength = 4;
124             break;
125         }
126         case AF_INET6: {
127             if (*prefixlen > 128) {
128                 return -EINVAL;
129             }
130             sockaddr_in6 *sin6 = (sockaddr_in6 *) res[0].ai_addr;
131             rawAddress = &sin6->sin6_addr;
132             rawLength = 16;
133             break;
134         }
135         default: {
136             freeaddrinfo(res);
137             return -EAFNOSUPPORT;
138         }
139     }
140 
141     if (rawLength > size) {
142         freeaddrinfo(res);
143         return -ENOSPC;
144     }
145 
146     *family = res[0].ai_family;
147     memcpy(address, rawAddress, rawLength);
148     freeaddrinfo(res);
149 
150     return rawLength;
151 }
152 
blockSigpipe()153 void blockSigpipe() {
154     sigset_t mask;
155 
156     sigemptyset(&mask);
157     sigaddset(&mask, SIGPIPE);
158     if (sigprocmask(SIG_BLOCK, &mask, nullptr) != 0) ALOGW("WARNING: SIGPIPE not blocked");
159 }
160 
setCloseOnExec(const char * sock)161 void setCloseOnExec(const char *sock) {
162     int fd = android_get_control_socket(sock);
163     int flags = fcntl(fd, F_GETFD, 0);
164     if (flags == -1) {
165         ALOGE("Can't get fd flags for control socket %s", sock);
166         flags = 0;
167     }
168     flags |= FD_CLOEXEC;
169     if (fcntl(fd, F_SETFD, flags) == -1) {
170         ALOGE("Can't set control socket %s to FD_CLOEXEC", sock);
171     }
172 }
173 
174 // SIGTERM with timeout first, if fail, SIGKILL
stopProcess(int pid,const char * processName)175 void stopProcess(int pid, const char* processName) {
176     int err = kill(pid, SIGTERM);
177     if (err) {
178         err = errno;
179     }
180     if (err == ESRCH) {
181         // This means that someone else inside netd called this helper function,
182         // which is a programming error. There's no point in calling waitpid() here since we
183         // know that the process is gone.
184         ALOGE("%s child process %d unexpectedly disappeared", processName, pid);
185         return;
186     }
187     if (err) {
188         ALOGE("Error killing %s child process %d: %s", processName, pid, strerror(err));
189     }
190     int status = 0;
191     int ret = 0;
192     for (int count = 0; ret == 0 && count < 50; count++) {
193         usleep(100000); // sleep 0.1s to wait for process stop.
194         ret = waitpid(pid, &status, WNOHANG);
195     }
196     if (ret == 0) {
197         ALOGE("Failed to SIGTERM %s pid=%d, try SIGKILL", processName, pid);
198         kill(pid, SIGKILL);
199         ret = waitpid(pid, &status, 0);
200     }
201     if (ret == -1) {
202         ALOGE("Error waiting for %s child process %d: %s", processName, pid, strerror(errno));
203     } else {
204         ALOGD("%s process %d terminated status=%d", processName, pid, status);
205     }
206 }
207