authorLorenzo Colitti <lorenzo@google.com>2016-03-02 13:30:41 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>2016-03-02 13:30:41 +0000
commit0434d459827861734d1228736a426b14b01595ab (patch)
treebc947a702245959939b6801030defd3b76df99b7 /server/FirewallController.cpp
parent9fbf60d5a2bec3ea6079e360e00c0c26ed44a245 (diff)
parent77862190b093552da949e2506d99005f955dc432 (diff)
Merge changes I2dc1a074,Ic83d8160,I246696c4 into nyc-dev
* changes: Move SockDiagTest into system/netd/server. Add an RPC to replace a UID firewall rule. Allow finer-grained locking, and use it in FirewallCmd.
Diffstat (limited to 'server/FirewallController.cpp')
-rw-r--r--server/FirewallController.cpp42
1 files changed, 41 insertions, 1 deletions
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 1aa56b0c..c0c52301 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -22,12 +22,15 @@
#define LOG_TAG "FirewallController"
#define LOG_NDEBUG 0
+#include <android-base/stringprintf.h>
#include <cutils/log.h>
#include <private/android_filesystem_config.h>
#include "NetdConstants.h"
#include "FirewallController.h"
+using android::base::StringAppendF;
+
const char* FirewallController::TABLE = "filter";
const char* FirewallController::LOCAL_INPUT = "fw_INPUT";
@@ -50,6 +53,8 @@ const char* FirewallController::ICMPV6_TYPES[] = {
"redirect",
};
+const int MAX_SYSTEM_UID = AID_APP - 1;
+
FirewallController::FirewallController(void) {
// If no rules are set, it's in BLACKLIST mode
mFirewallType = BLACKLIST;
@@ -297,7 +302,7 @@ int FirewallController::createChain(const char* childChain,
// create default white list for system uid range
char uidStr[16];
- sprintf(uidStr, "0-%d", AID_APP - 1);
+ sprintf(uidStr, "0-%d", MAX_SYSTEM_UID);
res |= execIptables(V4V6, "-A", childChain, "-m", "owner", "--uid-owner",
uidStr, "-j", "RETURN", NULL);
@@ -306,3 +311,38 @@ int FirewallController::createChain(const char* childChain,
}
return res;
}
+
+std::string FirewallController::makeUidRules(
+ const char *name, bool isWhitelist, const std::vector<int32_t>& uids) {
+ const char *action = isWhitelist ? "RETURN" : "DROP";
+ const char *defaultAction = isWhitelist ? "DROP" : "RETURN";
+
+ std::string commands;
+
+ StringAppendF(&commands, "*filter\n:%s -\n", name);
+
+ if (isWhitelist) {
+ // Always whitelist system UIDs.
+ StringAppendF(&commands,
+ "-A %s -m owner --uid-owner %d-%d -j %s\n", name, 0, MAX_SYSTEM_UID, action);
+ }
+
+ for (auto uid : uids) {
+ StringAppendF(&commands, "-A %s -m owner --uid-owner %d -j %s\n", name, uid, action);
+ }
+
+ // If it's a blacklist chain that blacklists nothing, then don't add a default action.
+ if (isWhitelist || uids.size() > 0) {
+ StringAppendF(&commands, "-A %s -j %s\n", name, defaultAction);
+ }
+
+ StringAppendF(&commands, "COMMIT\n\x04"); // EOT.
+
+ return commands;
+}
+
+int FirewallController::replaceUidChain(
+ const char *name, bool isWhitelist, const std::vector<int32_t>& uids) {
+ std::string commands = makeUidRules(name, isWhitelist, uids);
+ return execIptablesRestore(V4V6, commands.c_str());
+}
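Review bot: makeUidRules splices `name` into an iptables-restore script with no validation (the `:%s -` in the second StringAppendF and every `-A %s` after it), so a chain name containing whitespace or a newline would inject extra rules or a second table block into the batch that execIptablesRestore then runs with netd's privileges. The caller is presumably system_server over the new RPC, but netd is the privilege boundary here and should enforce it: reject a null or empty name, or one containing anything outside `[A-Za-z0-9_]`, before building the script, and likewise reject negative UIDs, which `%d` would render as e.g. `--uid-owner -5` and at best fail the whole restore. Doing the checks in replaceUidChain keeps makeUidRules a pure formatter that can be unit-tested as-is; the rewrite below needs `<cstring>` for strspn/strlen, and the `-1` error return mirrors the nonzero-on-failure convention the rest of the file appears to use — confirm against execIptablesRestore's contract. iptables also caps chain-name length, so a length check may be warranted too; I have not pinned the exact limit here.
```cpp
int FirewallController::replaceUidChain(
        const char *name, bool isWhitelist, const std::vector<int32_t>& uids) {
    // name and uids are interpolated unquoted into an iptables-restore script;
    // reject anything that could break out of the "-A <name>" / "--uid-owner <uid>" tokens.
    static const char kChainNameChars[] =
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_";
    if (name == nullptr || *name == '\0' || strspn(name, kChainNameChars) != strlen(name)) {
        ALOGE("replaceUidChain: invalid chain name");
        return -1;
    }
    for (int32_t uid : uids) {
        if (uid < 0) {
            ALOGE("replaceUidChain: invalid uid %d", uid);
            return -1;
        }
    }
    std::string commands = makeUidRules(name, isWhitelist, uids);
    return execIptablesRestore(V4V6, commands.c_str());
}
```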