| <html devsite> |
| <head> |
| <title>Network Stack Configuration Tools</title> |
| <meta name="project_path" value="/_project.yaml" /> |
| <meta name="book_path" value="/_book.yaml" /> |
| </head> |
| <body> |
| <!-- |
| Copyright 2017 The Android Open Source Project |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <p>The Android operating system contains standard Linux networking utilities |
| such as <code>ifconfig</code>, <code>ip</code>, and <code>ip6tables</code>. |
| These utilities reside on the system image and enable configuration of the |
| entire Linux networking stack. On devices running Android 7.x and earlier, |
| vendor code is allowed to call these binaries directly, which presents the |
| following problems:</p> |
| |
| <ul> |
| <li>Because network utilities are updated in the system image, they do not |
| provide a stable implementation.</li> |
| <li>The scope of the networking utilities is so broad it is difficult to evolve |
| the system image while guaranteeing predictable behaviour.</li> |
| </ul> |
| |
| <p>On devices running Android 8.0, the vendor partition can remain the same |
| while the system partition receives an update. To achieve this, Android 8.0 |
| provides the ability to define a stable, versioned interface while also using |
| SELinux restrictions to keep the interdependency of vendor and system image to a |
| known good set.</p> |
| |
| <p>Vendors can use the platform-provided network configuration utilities to |
| configure the Linux networking stack, but these utilities do not yet include a |
| HIDL interface wrapper. To define such an interface, Android 8.0 includes the |
| <code>netutils-wrapper-1.0</code> tool. |
| </p> |
| |
| <h2 id="netutils-wrapper">Netutils wrapper</h2> |
| <p>The <code>netutils</code> wrapper utility provides a subset of the Linux |
| network stack configuration that is not affected by system partition updates. |
| Android 8.0 contains version 1.0 of the wrappers, which allows you to pass the |
| same arguments as the wrapped utilities, installed in the system partition at |
| <code>/system/bin</code> as follows:</p> |
| |
| <pre class="prettyprint"> |
| u:object_r:system_file:s0 /system/bin/ip-wrapper-1.0 -> netutils-wrapper-1.0 |
| u:object_r:system_file:s0 /system/bin/ip6tables-wrapper-1.0 -> netutils-wrapper-1.0 |
| u:object_r:system_file:s0 /system/bin/iptables-wrapper-1.0 -> netutils-wrapper-1.0 |
| u:object_r:system_file:s0 /system/bin/ndc-wrapper-1.0 -> netutils-wrapper-1.0 |
| u:object_r:netutils_wrapper_exec:s0 /system/bin/netutils-wrapper-1.0 |
| u:object_r:system_file:s0 /system/bin/tc-wrapper-1.0 -> netutils-wrapper-1.0 |
| </pre> |
| |
| <p>Symlinks show the networking utilities wrapped by the <code>netutils</code> |
| wrapper, which include:</p> |
| <ul> |
| <li><code>ip</code></li> |
| <li><code>iptables</code></li> |
| <li><code>ip6tables</code></li> |
| <li><code>ndc</code></li> |
| <li><code>tc</code></li> |
| </ul> |
| |
| <p>To use these utilities in Android 8.0 and later, vendor implementations must |
| adhere to the following rules:</p> |
| <ul> |
| <li>Vendor processes must not execute |
| <code>/system/bin/netutils-wrapper-1.0</code> directly; attempts to do so will |
| result in error.</li> |
| <li>All utilities wrapped by <code>netutils-wrapper-1.0</code> must be launched |
| using their symlinks. For example, change the vendor code that did this before |
| (<code>/system/bin/ip <FOO> <BAR></code>) to |
| <code>/system/bin/ip-wrapper-1.0 <FOO> <BAR></code>.</li> |
| <li>Executing the wrappers without domain transition is prohibited in platform |
| SELinux policy. This rule must not be changed and is tested against in the |
| <a href="/compatibility/cts.html">Android Compatibility Test Suite (CTS)</a>. |
| </li> |
| <li>Executing the utilities directly (e.g., |
| <code>/system/bin/ip <FOO> <BAR></code>) from the vendor processes |
| is also prohibited in the platform SELinux policies. This rule must not be |
| changed and is tested against in CTS.</li> |
| <li>Any vendor domain (process) that needs to launch a wrapper must add the |
| following domain transition rule in the SELinux policy: |
| <code>domain_auto_trans(<var>VENDOR-DOMAIN-NAME</var>, netutils_wrapper_exec, |
| netutils_wrapper)</code>.</li> |
| </ul> |
| |
| <aside class="note"><strong>Note:</strong> For details on Android 8.0 SELinux, |
| see <a href="/security/selinux/images/SELinux_Treble.pdf">SELinux for Android |
| 8.0</a>.</aside> |
| |
| <h2 id="netutils-wrapper-filters">Netutils wrapper filters</h2> |
| <p>Wrapped utilities can be used to configure almost any aspect of the Linux |
| networking stack. However, to ensure it is possible to maintain a stable |
| interface and allow updates to the system partition, only certain combinations |
| of command line arguments are allowed; other commands will be rejected.</p> |
| |
| <h3 id="vendor-interfaces-and-chains">Vendor interfaces and chains</h3> |
| <p>The wrapper has a concept of <em>vendor interfaces</em>. These are interfaces |
| typically managed by vendor code, such as cellular data interfaces. Typically, |
| other types of interfaces (such as Wi-Fi) are managed by the HALs and the |
| framework. The wrapper recognizes vendor interfaces by name (using a regular |
| expression) and allows vendor code to perform many operations on them. |
| Currently, vendor interfaces are:</p> |
| <ul> |
| <li>Interfaces whose names end in "oem" followed by a number, such as |
| <code>oem0</code> or <code>r_oem1234</code>.</li> |
| <li>Interfaces used by current SOC and OEM implementations, such as |
| <code>rmnet_data[0-9]</code>.</li> |
| </ul> |
| |
| <p>Names of interfaces that are typically managed by the framework (such as |
| <code>wlan0</code>) are never vendor interfaces.</p> |
| |
| <p>The wrapper has a similar concept of <em>vendor chains</em>. These are used |
| in <code>iptables</code> commands and are also recognized by name. Currently, |
| vendor chains:</p> |
| <ul> |
| <li>Start with <code>oem_</code>.</li> |
| <li>Are used by current SOC and OEM implementations, e.g., chains starting in |
| <code>nm_</code> or <code>qcom_</code>.</li> |
| </ul> |
| |
| <h3 id="allowed-commands">Allowed commands</h3> |
| <p>Currently allowed commands are listed below. Restrictions are implemented via |
| a set of regular expressions on the executed command lines. For details, refer |
| to <code>system/netd/netutils_wrappers/NetUtilsWrapper-1.0.cpp</code>.</p> |
| |
| <h4 id="ip">ip</h4> |
| <p>The <code>ip</code> command is used to configure IP addresses, routing, IPsec |
| encryption, and a number of other network parameters. The wrapper allows the |
| following commands:</p> |
| <ul> |
| <li>Add and remove IP addresses from vendor-managed interfaces.</li> |
| <li>Configure IPsec encryption.</li> |
| </ul> |
| |
| <h4 id="iptables-ip6tables">iptables/ip6tables</h4> |
| <p>The <code>iptables</code> and <code>ip6tables</code> commands are used to |
| configure firewalling, packet mangling, NAT, and other per-packet processing. |
| The wrapper allows the following commands:</p> |
| <ul> |
| <li>Add and delete vendor chains.</li> |
| <li>Add and delete rules in any chain that refers to packets going into |
| (<code>-i</code>) or out of (<code>-o</code>) a vendor interface.</li> |
| <li>Jump to a vendor chain from any point in any other chain.</li> |
| </ul> |
| |
| <h4 id="ndc">ndc</h4> |
| <p><code>ndc</code> is used to communicate to the <code>netd</code> daemon that |
| performs most network configuration on Android. The wrapper allows the following |
| commands:</p> |
| <ul> |
| <li>Create and destroy OEM networks (<code>oemXX</code>).</li> |
| <li>Add vendor-managed interfaces to OEM networks.</li> |
| <li>Add routes to OEM networks.</li> |
| <li>Enable or disable IP forwarding globally and on vendor interfaces.</li> |
| </ul> |
| |
| <h4 id="tc">tc</h4> |
| <p>The <code>tc</code> command is used to configure traffic queueing and shaping |
| on vendor interfaces.</p> |
| |
| </body> |
| </html> |