patchpanel: Extract patchpanel-client into its own subdir
Move patchpanel-client into its own package. By doing so,
patchpanel-util will be removed from patchpanel-client.
Systems that previously used patchpanel-util need to update
their build rules to depend on patchpanel-util explicitly.
This is done to avoid dependency loops (e.g. chromium:2359478).
Other system can depend on patchpanel-client instead of
patchpanel after this patch.
BUG=b:166193772
TEST=./build_packages --board=atlas;
TEST=FEATURES=test emerge-atlas patchpanel-client \
patchpanel permission_broker system-proxy \
vm_host_tools
TEST=/usr/libexec/fuzzers/patchpanel_client_fuzzer
TEST=tryjob --hwtest
TEST=tast run <DUT> platform.Firewall
TEST=Crostini and ARC running
Cq-Depend: chromium:2382997
Change-Id: I6244b4808c75a75b69b0276aa10489b1d2501025
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2384496
Tested-by: Jason Jeremy Iman <jasongustaman@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Yusuke Sato <yusukes@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Hugo Benichi <hugobenichi@google.com>
Reviewed-by: Garrick Evans <garrick@chromium.org>
Commit-Queue: Jason Jeremy Iman <jasongustaman@chromium.org>
diff --git a/patchpanel/dbus/client.h b/patchpanel/dbus/client.h
new file mode 100644
index 0000000..cefeddc
--- /dev/null
+++ b/patchpanel/dbus/client.h
@@ -0,0 +1,102 @@
+// Copyright 2019 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef PATCHPANEL_DBUS_CLIENT_H_
+#define PATCHPANEL_DBUS_CLIENT_H_
+
+#include <memory>
+#include <set>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "base/files/scoped_file.h"
+#include <brillo/brillo_export.h>
+#include <dbus/bus.h>
+#include <dbus/object_proxy.h>
+#include <patchpanel/proto_bindings/patchpanel_service.pb.h>
+
+namespace patchpanel {
+
+// Simple wrapper around patchpanel DBus API. All public functions are blocking
+// DBus calls to patchpaneld. The method names and protobuf schema used by
+// patchpanel DBus API are defined in platform2/system_api/dbus/patchpanel.
+// Access control for clients is defined in platform2/patchpanel/dbus.
+class BRILLO_EXPORT Client {
+ public:
+ static std::unique_ptr<Client> New();
+
+ Client(const scoped_refptr<dbus::Bus>& bus, dbus::ObjectProxy* proxy)
+ : bus_(std::move(bus)), proxy_(proxy) {}
+ ~Client();
+
+ bool NotifyArcStartup(pid_t pid);
+ bool NotifyArcShutdown();
+
+ std::vector<NetworkDevice> NotifyArcVmStartup(uint32_t cid);
+ bool NotifyArcVmShutdown(uint32_t cid);
+
+ bool NotifyTerminaVmStartup(uint32_t cid,
+ NetworkDevice* device,
+ IPv4Subnet* container_subnet);
+ bool NotifyTerminaVmShutdown(uint32_t cid);
+
+ bool NotifyPluginVmStartup(uint64_t vm_id,
+ int subnet_index,
+ NetworkDevice* device);
+ bool NotifyPluginVmShutdown(uint64_t vm_id);
+
+ // Reset the VPN routing intent mark on a socket to the default policy for
+ // the current uid. This is in general incorrect to call this method for
+ // a socket that is already connected.
+ bool DefaultVpnRouting(int socket);
+
+ // Mark a socket to be always routed through a VPN if there is one.
+ // Must be called before the socket is connected.
+ bool RouteOnVpn(int socket);
+
+ // Mark a socket to be always routed through the physical network.
+ // Must be called before the socket is connected.
+ bool BypassVpn(int socket);
+
+ // Sends a ConnectNamespaceRequest for the given namespace pid. Returns a
+ // pair with a valid ScopedFD and the ConnectNamespaceResponse proto message
+ // received if the request succeeded. Closing the ScopedFD will teardown the
+ // veth and routing setup and free the allocated IPv4 subnet.
+ std::pair<base::ScopedFD, patchpanel::ConnectNamespaceResponse>
+ ConnectNamespace(pid_t pid,
+ const std::string& outbound_ifname,
+ bool forward_user_traffic);
+
+ // Gets the traffic counters kept by patchpanel. |devices| is the set of
+ // interfaces (shill devices) for which counters should be returned, any
+ // unknown interfaces will be ignored. If |devices| is empty, counters for all
+ // known interfaces will be returned.
+ std::vector<TrafficCounter> GetTrafficCounters(
+ const std::set<std::string>& devices);
+
+ // Sends a ModifyPortRuleRequest to modify iptables ingress rules.
+ // This should only be called by permission_broker's 'devbroker'.
+ bool ModifyPortRule(patchpanel::ModifyPortRuleRequest::Operation op,
+ patchpanel::ModifyPortRuleRequest::RuleType type,
+ patchpanel::ModifyPortRuleRequest::Protocol proto,
+ const std::string& input_ifname,
+ const std::string& input_dst_ip,
+ uint32_t input_dst_port,
+ const std::string& dst_ip,
+ uint32_t dst_port);
+
+ private:
+ scoped_refptr<dbus::Bus> bus_;
+ dbus::ObjectProxy* proxy_ = nullptr; // owned by bus_
+
+ bool SendSetVpnIntentRequest(int socket,
+ SetVpnIntentRequest::VpnRoutingPolicy policy);
+
+ DISALLOW_COPY_AND_ASSIGN(Client);
+};
+
+} // namespace patchpanel
+
+#endif // PATCHPANEL_DBUS_CLIENT_H_
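Review bot: The `Client` constructor near the top of the class applies `std::move` to a `const scoped_refptr<dbus::Bus>&`, which cannot move from a const reference and silently copies (a refcount bump) — either take the parameter by value, `Client(scoped_refptr<dbus::Bus> bus, dbus::ObjectProxy* proxy) : bus_(std::move(bus)), proxy_(proxy) {}`, or drop the `std::move`. The failure contract of `ConnectNamespace` is only implied by its comment; it should state what the returned pair holds when the request fails, e.g. `// On failure the returned ScopedFD is invalid and the response is default-constructed` — presumably that is what client.cc does, but that file is not in this hunk, so confirm before documenting it. The "should only be called by permission_broker's 'devbroker'" remark above `ModifyPortRule` reads like an access-control statement, yet nothing in this header enforces it; I'd reword it to say whether the restriction is enforced by patchpanel's D-Bus policy on the daemon side rather than by this wrapper, so callers do not mistake the comment for a guarantee. The header also uses `pid_t`, `uint32_t`/`uint64_t` and `DISALLOW_COPY_AND_ASSIGN` without including `<sys/types.h>`, `<cstdint>` or `base/macros.h`, relying on transitive includes, and mixes `"base/..."` quoted and `<...>` angle-bracket forms for non-local headers.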