diff options
| author | Lorenzo Colitti <lorenzo@google.com> | 2017-07-18 21:44:04 +0900 |
|---|---|---|
| committer | Lorenzo Colitti <lorenzo@google.com> | 2017-07-18 21:47:33 +0900 |
| commit | 6ee2598e23e10a11ed98f4f23cf63638c8524104 (patch) | |
| tree | 73d698a7613c4329071bb935ca82fc6c34d9fc7a /server/StrictController.cpp | |
| parent | 28e4da0438e22cc5169bf987385305fa6ecbcf99 (diff) | |
Move the last StrictController command to iptables-restore
Bug: 28362720
Test: unit tests pass
Change-Id: I8a4d2b8ea66799c6c3205b00f04ee1999fc7c68b
Diffstat (limited to 'server/StrictController.cpp')
| -rw-r--r-- | server/StrictController.cpp | 52 |
1 files changed, 23 insertions, 29 deletions
diff --git a/server/StrictController.cpp b/server/StrictController.cpp index eae523cc..ea25b2ea 100644 --- a/server/StrictController.cpp +++ b/server/StrictController.cpp @@ -33,7 +33,6 @@ #include "NetdConstants.h" #include "StrictController.h" -auto StrictController::execIptables = ::execIptables; auto StrictController::execIptablesRestore = ::execIptablesRestore; const char* StrictController::LOCAL_OUTPUT = "st_OUTPUT"; @@ -42,6 +41,7 @@ const char* StrictController::LOCAL_CLEAR_CAUGHT = "st_clear_caught"; const char* StrictController::LOCAL_PENALTY_LOG = "st_penalty_log"; const char* StrictController::LOCAL_PENALTY_REJECT = "st_penalty_reject"; +using android::base::Join; using android::base::StringPrintf; StrictController::StrictController(void) { @@ -129,8 +129,8 @@ int StrictController::enableStrict(void) { CMD_V4V6("-A %s -p udp -j %s", LOCAL_CLEAR_DETECT, LOCAL_CLEAR_CAUGHT); CMD_V4V6("COMMIT\n"); - res |= execIptablesRestore(V4, android::base::Join(v4, '\n')); - res |= execIptablesRestore(V6, android::base::Join(v6, '\n')); + res |= execIptablesRestore(V4, Join(v4, '\n')); + res |= execIptablesRestore(V6, Join(v6, '\n')); #undef CMD_V4 #undef CMD_V6 @@ -151,44 +151,38 @@ int StrictController::disableStrict(void) { CLEAR_CHAIN(LOCAL_CLEAR_DETECT), "COMMIT\n" }; - const std::string commands = android::base::Join(commandList, '\n'); + const std::string commands = Join(commandList, '\n'); return execIptablesRestore(V4V6, commands); #undef CLEAR_CHAIN } int StrictController::setUidCleartextPenalty(uid_t uid, StrictPenalty penalty) { - char uidStr[16]; - sprintf(uidStr, "%d", uid); - - int res = 0; + std::vector<std::string> commands; if (penalty == ACCEPT) { // Clean up any old rules - execIptables(V4V6, "-D", LOCAL_OUTPUT, - "-m", "owner", "--uid-owner", uidStr, - "-j", LOCAL_CLEAR_DETECT, NULL); - execIptables(V4V6, "-D", LOCAL_CLEAR_CAUGHT, - "-m", "owner", "--uid-owner", uidStr, - "-j", LOCAL_PENALTY_LOG, NULL); - execIptables(V4V6, "-D", LOCAL_CLEAR_CAUGHT, - "-m", "owner", "--uid-owner", uidStr, - "-j", LOCAL_PENALTY_REJECT, NULL); - + commands = { + "*filter", + StringPrintf("-D %s -m owner --uid-owner %d -j %s", + LOCAL_OUTPUT, uid, LOCAL_CLEAR_DETECT), + StringPrintf("-D %s -m owner --uid-owner %d -j %s", + LOCAL_CLEAR_CAUGHT, uid, LOCAL_PENALTY_LOG), + StringPrintf("-D %s -m owner --uid-owner %d -j %s", + LOCAL_CLEAR_CAUGHT, uid, LOCAL_PENALTY_REJECT), + }; } else { // Always take a detour to investigate this UID - res |= execIptables(V4V6, "-I", LOCAL_OUTPUT, - "-m", "owner", "--uid-owner", uidStr, - "-j", LOCAL_CLEAR_DETECT, NULL); - + commands.push_back("*filter"); + commands.push_back(StringPrintf("-I %s -m owner --uid-owner %d -j %s", + LOCAL_OUTPUT, uid, LOCAL_CLEAR_DETECT)); if (penalty == LOG) { - res |= execIptables(V4V6, "-I", LOCAL_CLEAR_CAUGHT, - "-m", "owner", "--uid-owner", uidStr, - "-j", LOCAL_PENALTY_LOG, NULL); + commands.push_back(StringPrintf("-I %s -m owner --uid-owner %d -j %s", + LOCAL_CLEAR_CAUGHT, uid, LOCAL_PENALTY_LOG)); } else if (penalty == REJECT) { - res |= execIptables(V4V6, "-I", LOCAL_CLEAR_CAUGHT, - "-m", "owner", "--uid-owner", uidStr, - "-j", LOCAL_PENALTY_REJECT, NULL); + commands.push_back(StringPrintf("-I %s -m owner --uid-owner %d -j %s", + LOCAL_CLEAR_CAUGHT, uid, LOCAL_PENALTY_REJECT)); } } + commands.push_back("COMMIT\n"); - return res; + return execIptablesRestore(V4V6, Join(commands, "\n")); } |