authorLorenzo Colitti <lorenzo@google.com>2016-02-26 11:38:47 +0900
committerLorenzo Colitti <lorenzo@google.com>2016-03-02 14:11:00 +0900
commit89faa349525ad1110b6fa3f2149e6ef825c65662 (patch)
tree1073d62088c2d5c73011e151be39f00d42f1fac0 /server/FirewallController.cpp
parentddf2d5bc87fe6de7cae2b73a17dbaf35033565ca (diff)
Add an RPC to replace a UID firewall rule.
Also add a binder_test that exercises binder RPCs against the real netd service running on the device. Bug: 21725996 Bug: 27239233 Change-Id: Ic83d81605021a0578d6cd32f889290be61d76125
Diffstat (limited to 'server/FirewallController.cpp')
-rw-r--r--server/FirewallController.cpp42
1 files changed, 41 insertions, 1 deletions
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index cf5a7de26..6a9c77678 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -22,12 +22,15 @@
#define LOG_TAG "FirewallController"
#define LOG_NDEBUG 0
+#include <android-base/stringprintf.h>
#include <cutils/log.h>
#include <private/android_filesystem_config.h>
#include "NetdConstants.h"
#include "FirewallController.h"
+using android::base::StringAppendF;
+
const char* FirewallController::TABLE = "filter";
const char* FirewallController::LOCAL_INPUT = "fw_INPUT";
@@ -49,6 +52,8 @@ const char* FirewallController::ICMPV6_TYPES[] = {
"redirect",
};
+const int MAX_SYSTEM_UID = AID_APP - 1;
+
FirewallController::FirewallController(void) {
// If no rules are set, it's in BLACKLIST mode
mFirewallType = BLACKLIST;
@@ -284,7 +289,7 @@ int FirewallController::createChain(const char* childChain,
// create default white list for system uid range
char uidStr[16];
- sprintf(uidStr, "0-%d", AID_APP - 1);
+ sprintf(uidStr, "0-%d", MAX_SYSTEM_UID);
res |= execIptables(V4V6, "-A", childChain, "-m", "owner", "--uid-owner",
uidStr, "-j", "RETURN", NULL);
@@ -293,3 +298,38 @@ int FirewallController::createChain(const char* childChain,
}
return res;
}
+
+std::string FirewallController::makeUidRules(
+ const char *name, bool isWhitelist, const std::vector<int32_t>& uids) {
+ const char *action = isWhitelist ? "RETURN" : "DROP";
+ const char *defaultAction = isWhitelist ? "DROP" : "RETURN";
+
+ std::string commands;
+
+ StringAppendF(&commands, "*filter\n:%s -\n", name);
+
+ if (isWhitelist) {
+ // Always whitelist system UIDs.
+ StringAppendF(&commands,
+ "-A %s -m owner --uid-owner %d-%d -j %s\n", name, 0, MAX_SYSTEM_UID, action);
+ }
+
+ for (auto uid : uids) {
+ StringAppendF(&commands, "-A %s -m owner --uid-owner %d -j %s\n", name, uid, action);
+ }
+
+ // If it's a blacklist chain that blacklists nothing, then don't add a default action.
+ if (isWhitelist || uids.size() > 0) {
+ StringAppendF(&commands, "-A %s -j %s\n", name, defaultAction);
+ }
+
+ StringAppendF(&commands, "COMMIT\n\x04"); // EOT.
+
+ return commands;
+}
+
+int FirewallController::replaceUidChain(
+ const char *name, bool isWhitelist, const std::vector<int32_t>& uids) {
+ std::string commands = makeUidRules(name, isWhitelist, uids);
+ return execIptablesRestore(V4V6, commands.c_str());
+}
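Review bot: `name` is formatted straight into the iptables-restore script with `%s` (the `:%s -` line and every `-A %s` rule in `makeUidRules`), so a chain name containing a newline or whitespace would let the caller splice arbitrary restore commands into the script — and the commit message says this backs a new binder RPC, so `name` may be caller-controlled. Unless the binder layer already rejects such names (not visible in this hunk), `replaceUidChain` should refuse any name outside a conservative `[A-Za-z0-9_]` allowlist before calling `makeUidRules`. Similarly, a negative entry in `uids` formats as `--uid-owner -1`, which makes iptables-restore reject the whole script rather than just that rule, so rejecting `uid < 0` up front gives a clearer failure than a silently unchanged chain. The `-1` failure value below is a guess at the file's convention; use whatever `execIptablesRestore` returns on error.
```cpp
int FirewallController::replaceUidChain(
        const char *name, bool isWhitelist, const std::vector<int32_t>& uids) {
    // The chain name and UIDs are interpolated into an iptables-restore
    // script; refuse anything that could inject extra lines or options.
    static const char kChainNameChars[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_";
    const std::string chain(name ? name : "");
    if (chain.empty() || chain.find_first_not_of(kChainNameChars) != std::string::npos) {
        ALOGE("Refusing invalid chain name");
        return -1;
    }
    for (int32_t uid : uids) {
        if (uid < 0) {
            ALOGE("Refusing negative uid %d for chain %s", uid, chain.c_str());
            return -1;
        }
    }
    std::string commands = makeUidRules(chain.c_str(), isWhitelist, uids);
    return execIptablesRestore(V4V6, commands.c_str());
}
```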