1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <sys/socket.h>
17 #include <sys/types.h>
18
19 #include "netfirewall_rule_native_helper.h"
20 #include "net_manager_constants.h"
21 #include "netfirewall_db_helper.h"
22 #include "netmgr_ext_log_wrapper.h"
23 #include "netfirewall_rule_manager.h"
24 #include "netfirewall_policy_manager.h"
25 #include "netfirewall_default_rule_parser.h"
26 #include "netmanager_hitrace.h"
27 #include "os_account_manager.h"
28
29
30 namespace OHOS {
31 namespace NetManagerStandard {
GetInstance()32 NetFirewallRuleManager &NetFirewallRuleManager::GetInstance()
33 {
34 static NetFirewallRuleManager instance;
35 return instance;
36 }
37
NetFirewallRuleManager()38 NetFirewallRuleManager::NetFirewallRuleManager()
39 {
40 NETMGR_EXT_LOG_I("NetFirewallRuleManager()");
41 }
42
~NetFirewallRuleManager()43 NetFirewallRuleManager::~NetFirewallRuleManager()
44 {
45 NETMGR_EXT_LOG_I("~NetFirewallRuleManager()");
46 }
47
AddNetFirewallRule(const sptr<NetFirewallRule> & rule,int32_t & ruleId)48 int32_t NetFirewallRuleManager::AddNetFirewallRule(const sptr<NetFirewallRule> &rule, int32_t &ruleId)
49 {
50 if (rule == nullptr) {
51 NETMGR_EXT_LOG_E("AddNetFirewallRule rule is null");
52 return FIREWALL_ERR_PARAMETER_ERROR;
53 }
54 return AddNetFirewallRule(rule, true, ruleId);
55 }
56
AddNetFirewallRule(const sptr<NetFirewallRule> & rule,bool isNotify,int32_t & ruleId)57 int32_t NetFirewallRuleManager::AddNetFirewallRule(const sptr<NetFirewallRule> &rule, bool isNotify, int32_t &ruleId)
58 {
59 std::lock_guard<std::shared_mutex> locker(setFirewallRuleMutex_);
60 int32_t ret = CheckRuleConstraint(rule);
61 if (ret != FIREWALL_OK) {
62 NETMGR_EXT_LOG_E("addNetFirewallRule error code=%{public}d", ret);
63 } else {
64 ruleId = NetFirewallDbHelper::GetInstance().AddFirewallRuleRecord(*rule);
65 NETMGR_EXT_LOG_I("AddNetFirewallRule:: dbRuleId: %{public}d.", ruleId);
66 if (ruleId < 0) {
67 ret = FIREWALL_ERR_INTERNAL;
68 } else {
69 allUserRule_++;
70 UpdateUserRuleSize(rule->userId, true);
71 }
72 }
73 if (ret == FIREWALL_OK && isNotify && rule->isEnabled) {
74 ret = DistributeRulesToNative(rule->ruleType);
75 }
76 return ret;
77 }
78
AddDefaultNetFirewallRule(int32_t userId)79 int32_t NetFirewallRuleManager::AddDefaultNetFirewallRule(int32_t userId)
80 {
81 if (!userRuleSize_.empty() && userRuleSize_.count(userId) && userRuleSize_.at(userId) > 0) {
82 NETMGR_EXT_LOG_W("AddDefaultNetFirewallRule , current user rule is exist.");
83 return 0;
84 }
85 std::vector<sptr<NetFirewallRule>> rules;
86 NetFirewallDefaultRuleParser::GetDefaultRules(rules);
87 if (rules.empty()) {
88 return FIREWALL_SUCCESS;
89 }
90 maxDefaultRuleSize_ = static_cast<int64_t>(rules.size());
91
92 int32_t ret = FIREWALL_OK;
93 int32_t ruleId = 0;
94 for (const auto &rule : rules) {
95 ret = AddNetFirewallRule(rule, false, ruleId);
96 if (ret != FIREWALL_SUCCESS) {
97 NETMGR_EXT_LOG_W("AddDefaultNetFirewallRule error, ret=%{public}d", ret);
98 return ret;
99 }
100 }
101 std::lock_guard<std::shared_mutex> locker(setFirewallRuleMutex_);
102 return DistributeRulesToNative();
103 }
104
UpdateNetFirewallRule(const sptr<NetFirewallRule> & rule)105 int32_t NetFirewallRuleManager::UpdateNetFirewallRule(const sptr<NetFirewallRule> &rule)
106 {
107 if (rule == nullptr) {
108 NETMGR_EXT_LOG_E("UpdateNetFirewallRule rule is null");
109 return FIREWALL_ERR_PARAMETER_ERROR;
110 }
111 NETMGR_EXT_LOG_I("UpdateNetFirewallRule");
112 std::lock_guard<std::shared_mutex> locker(setFirewallRuleMutex_);
113 NetFirewallRule oldRule;
114 int32_t ret = CheckRuleConstraint(rule);
115 if (ret == FIREWALL_SUCCESS) {
116 ret = CheckRuleExist(rule->ruleId, oldRule);
117 if (ret == FIREWALL_SUCCESS) {
118 ret = NetFirewallDbHelper::GetInstance().UpdateFirewallRuleRecord(*rule);
119 }
120 }
121 if (ret != FIREWALL_SUCCESS) {
122 return ret;
123 }
124 if (oldRule.ruleId <= 0 || (!oldRule.isEnabled && !rule->isEnabled)) {
125 return FIREWALL_SUCCESS;
126 }
127 if (oldRule.isEnabled && (rule->ruleType != oldRule.ruleType || !rule->isEnabled)) {
128 ret = DistributeRulesToNative(oldRule.ruleType);
129 }
130 if (rule->isEnabled) {
131 ret += DistributeRulesToNative(rule->ruleType);
132 }
133 return ret;
134 }
135
DeleteNetFirewallRule(const int32_t userId,const int32_t ruleId)136 int32_t NetFirewallRuleManager::DeleteNetFirewallRule(const int32_t userId, const int32_t ruleId)
137 {
138 NETMGR_EXT_LOG_I("DeleteNetFirewallRule");
139 std::lock_guard<std::shared_mutex> locker(setFirewallRuleMutex_);
140 int32_t ret = CheckUserExist(userId);
141 if (ret != FIREWALL_SUCCESS) {
142 return ret;
143 }
144
145 NetFirewallRule oldRule;
146 ret = CheckRuleExist(ruleId, oldRule);
147 if (ret != FIREWALL_SUCCESS) {
148 return ret;
149 }
150 ret = NetFirewallDbHelper::GetInstance().DeleteFirewallRuleRecord(userId, ruleId);
151 if (ret != FIREWALL_SUCCESS) {
152 NETMGR_EXT_LOG_E("DeleteFirewallRuleRecord error");
153 return FIREWALL_ERR_INTERNAL;
154 }
155 allUserRule_--;
156 if (oldRule.ruleId > 0) {
157 UpdateUserRuleSize(userId, false);
158 }
159 if (oldRule.ruleId <= 0 || !oldRule.isEnabled) {
160 return FIREWALL_SUCCESS;
161 }
162 return DistributeRulesToNative(oldRule.ruleType);
163 }
164
DeleteNetFirewallRuleByUserId(const int32_t userId)165 int32_t NetFirewallRuleManager::DeleteNetFirewallRuleByUserId(const int32_t userId)
166 {
167 NETMGR_EXT_LOG_I("DeleteNetFirewallRule");
168 std::lock_guard<std::shared_mutex> locker(setFirewallRuleMutex_);
169 int32_t ret = NetFirewallDbHelper::GetInstance().DeleteFirewallRuleRecordByUserId(userId);
170 if (ret != FIREWALL_SUCCESS) {
171 NETMGR_EXT_LOG_E("DeleteFirewallRuleRecord error");
172 return FIREWALL_ERR_INTERNAL;
173 }
174 // reset
175 allUserRule_ = userRuleSize_.count(userId) ? (allUserRule_ - userRuleSize_.at(userId)) : 0;
176 DeleteUserRuleSize(userId);
177 return FIREWALL_SUCCESS;
178 }
179
DeleteNetFirewallRuleByAppId(const int32_t appUid)180 int32_t NetFirewallRuleManager::DeleteNetFirewallRuleByAppId(const int32_t appUid)
181 {
182 NETMGR_EXT_LOG_I("DeleteNetFirewallRuleByAppId");
183 std::lock_guard<std::shared_mutex> locker(setFirewallRuleMutex_);
184 std::vector<NetFirewallRule> rules;
185 NetFirewallDbHelper::GetInstance().QueryEnabledFirewallRules(GetCurrentAccountId(), appUid, rules);
186 if (rules.empty()) {
187 NETMGR_EXT_LOG_I("DeleteNetFirewallRuleByAppId: current appUid has no rule");
188 return FIREWALL_SUCCESS;
189 }
190 int32_t ret = NetFirewallDbHelper::GetInstance().DeleteFirewallRuleRecordByAppId(appUid);
191 if (ret != FIREWALL_SUCCESS) {
192 NETMGR_EXT_LOG_E("DeleteNetFirewallRuleByAppId error");
193 return FIREWALL_ERR_INTERNAL;
194 }
195 allUserRule_ = 0;
196 userRuleSize_.clear();
197 bool hasEnabledIpRule = false;
198 bool hasEnabledDomainRule = false;
199 bool hasEnabledDnsRule = false;
200 for (const auto &rule : rules) {
201 if (!rule.isEnabled) {
202 continue;
203 }
204 if (rule.ruleType == NetFirewallRuleType::RULE_DNS) {
205 hasEnabledDnsRule = true;
206 } else if (rule.ruleType == NetFirewallRuleType::RULE_DOMAIN) {
207 hasEnabledDomainRule = true;
208 } else if (rule.ruleType == NetFirewallRuleType::RULE_IP) {
209 hasEnabledIpRule = true;
210 }
211 }
212 if (hasEnabledDnsRule) {
213 ret = DistributeRulesToNative(NetFirewallRuleType::RULE_DNS);
214 }
215 if (hasEnabledDomainRule) {
216 ret += DistributeRulesToNative(NetFirewallRuleType::RULE_DOMAIN);
217 }
218 if (hasEnabledIpRule) {
219 ret += DistributeRulesToNative(NetFirewallRuleType::RULE_IP);
220 }
221 return ret;
222 }
223
GetEnabledNetFirewallRules(std::vector<NetFirewallRule> & ruleList,NetFirewallRuleType type)224 int32_t NetFirewallRuleManager::GetEnabledNetFirewallRules(std::vector<NetFirewallRule> &ruleList,
225 NetFirewallRuleType type)
226 {
227 NETMGR_EXT_LOG_I("GetEnabledNetFirewallRules:: type=%{public}d", static_cast<int32_t>(type));
228 int32_t ret = NetFirewallDbHelper::GetInstance().QueryAllUserEnabledFirewallRules(ruleList, type);
229 if (ret < 0) {
230 NETMGR_EXT_LOG_E("GetEnabledNetFirewallRules error");
231 return FIREWALL_ERR_INTERNAL;
232 }
233 return FIREWALL_SUCCESS;
234 }
235
GetNetFirewallRules(const int32_t userId,const sptr<RequestParam> & requestParam,sptr<FirewallRulePage> & info)236 int32_t NetFirewallRuleManager::GetNetFirewallRules(const int32_t userId, const sptr<RequestParam> &requestParam,
237 sptr<FirewallRulePage> &info)
238 {
239 if (requestParam == nullptr) {
240 NETMGR_EXT_LOG_E("GetNetFirewallRules requestParam is null");
241 return FIREWALL_ERR_PARAMETER_ERROR;
242 }
243 if (info == nullptr) {
244 NETMGR_EXT_LOG_E("GetNetFirewallRules info is null");
245 return FIREWALL_ERR_INTERNAL;
246 }
247 NETMGR_EXT_LOG_I("GetNetFirewallRules");
248 std::shared_lock<std::shared_mutex> locker(setFirewallRuleMutex_);
249 int32_t ret = CheckUserExist(userId);
250 if (ret != FIREWALL_SUCCESS) {
251 return ret;
252 }
253 info->page = requestParam->page;
254 info->pageSize = requestParam->pageSize;
255 ret = NetFirewallDbHelper::GetInstance().QueryFirewallRule(userId, requestParam, info);
256 if (ret < 0) {
257 NETMGR_EXT_LOG_E("QueryAllFirewallRuleRecord error");
258 return FIREWALL_ERR_INTERNAL;
259 }
260 return FIREWALL_SUCCESS;
261 }
262
GetNetFirewallRule(const int32_t userId,const int32_t ruleId,sptr<NetFirewallRule> & rule)263 int32_t NetFirewallRuleManager::GetNetFirewallRule(const int32_t userId, const int32_t ruleId,
264 sptr<NetFirewallRule> &rule)
265 {
266 if (rule == nullptr) {
267 NETMGR_EXT_LOG_E("GetNetFirewallRule rule is null");
268 return FIREWALL_ERR_INTERNAL;
269 }
270 NETMGR_EXT_LOG_I("GetNetFirewallRule userId=%{public}d ruleId=%{public}d", userId, ruleId);
271 std::shared_lock<std::shared_mutex> locker(setFirewallRuleMutex_);
272 int32_t ret = CheckUserExist(userId);
273 if (ret != FIREWALL_SUCCESS) {
274 return ret;
275 }
276
277 std::vector<struct NetFirewallRule> outRules;
278 ret = NetFirewallDbHelper::GetInstance().QueryFirewallRuleRecord(ruleId, userId, outRules);
279 if (ret < 0) {
280 NETMGR_EXT_LOG_E("QueryFirewallRuleRecord error");
281 return FIREWALL_ERR_INTERNAL;
282 }
283 if (outRules.size() > 0) {
284 const NetFirewallRule &outRule = outRules[0];
285 rule->userId = outRule.userId;
286 rule->ruleId = outRule.ruleId;
287 rule->ruleName = outRule.ruleName;
288 rule->ruleDescription = outRule.ruleDescription;
289 rule->ruleAction = outRule.ruleAction;
290 rule->ruleDirection = outRule.ruleDirection;
291 rule->ruleType = outRule.ruleType;
292 rule->appUid = outRule.appUid;
293 rule->protocol = outRule.protocol;
294 rule->dns = outRule.dns;
295 rule->localIps.assign(outRule.localIps.begin(), outRule.localIps.end());
296 rule->remoteIps.assign(outRule.remoteIps.begin(), outRule.remoteIps.end());
297 rule->localPorts.assign(outRule.localPorts.begin(), outRule.localPorts.end());
298 rule->remotePorts.assign(outRule.remotePorts.begin(), outRule.remotePorts.end());
299 } else {
300 NETMGR_EXT_LOG_E("QueryFirewallRuleRecord size is 0");
301 return FIREWALL_ERR_NO_RULE;
302 }
303 return FIREWALL_SUCCESS;
304 }
305
CheckUserExist(const int32_t userId)306 int32_t NetFirewallRuleManager::CheckUserExist(const int32_t userId)
307 {
308 AccountSA::OsAccountInfo accountInfo;
309 if (AccountSA::OsAccountManager::QueryOsAccountById(userId, accountInfo) != ERR_OK) {
310 NETMGR_EXT_LOG_E("QueryOsAccountById error, userId: %{public}d.", userId);
311 return FIREWALL_ERR_NO_USER;
312 }
313 return FIREWALL_SUCCESS;
314 }
315
CheckRuleExist(const int32_t ruleId,NetFirewallRule & oldRule)316 int32_t NetFirewallRuleManager::CheckRuleExist(const int32_t ruleId, NetFirewallRule &oldRule)
317 {
318 bool isExist = NetFirewallDbHelper::GetInstance().IsFirewallRuleExist(ruleId, oldRule);
319 if (!isExist) {
320 NETMGR_EXT_LOG_E("Query ruleId: %{public}d is not exist.", ruleId);
321 return FIREWALL_ERR_NO_RULE;
322 }
323 return FIREWALL_SUCCESS;
324 }
325
GetAllRuleConstraint(const int32_t userId)326 int32_t NetFirewallRuleManager::GetAllRuleConstraint(const int32_t userId)
327 {
328 int64_t rowCount = 0;
329 if (allUserRule_ <= 0) {
330 NetFirewallDbHelper::GetInstance().QueryFirewallRuleAllCount(rowCount);
331 allUserRule_ = rowCount;
332 }
333 if (!userRuleSize_.count(userId)) {
334 rowCount = 0;
335 NetFirewallDbHelper::GetInstance().QueryFirewallRuleByUserIdCount(userId, rowCount);
336 userRuleSize_.insert({ userId, rowCount });
337 }
338 allUserDomain_ = NetFirewallDbHelper::GetInstance().QueryFirewallRuleAllDomainCount();
339 NETMGR_EXT_LOG_I(
340 "GetAllRuleConstraint userId=%{public}d rowCount=%{public}d allUserRule=%{public}d allUserDomain=%{public}d",
341 userId, static_cast<int32_t>(userRuleSize_.at(userId)), static_cast<int32_t>(allUserRule_), allUserDomain_);
342 return FIREWALL_SUCCESS;
343 }
344
CheckRuleConstraint(const sptr<NetFirewallRule> & rule)345 int32_t NetFirewallRuleManager::CheckRuleConstraint(const sptr<NetFirewallRule> &rule)
346 {
347 int32_t ret = CheckUserExist(rule->userId);
348 if (ret != FIREWALL_SUCCESS) {
349 return ret;
350 }
351 int32_t userId = rule->userId;
352 GetAllRuleConstraint(userId);
353 if (userRuleSize_.at(userId) < maxDefaultRuleSize_) {
354 NETMGR_EXT_LOG_I("current user db size is not max than default rule size, ignore check.");
355 return FIREWALL_SUCCESS;
356 }
357
358 if (allUserRule_ + 1 > FIREWALL_ALL_USER_MAX_RULE || userRuleSize_.at(userId) + 1 > FIREWALL_USER_MAX_RULE) {
359 NETMGR_EXT_LOG_E("check rule constraint error, rule is large.");
360 return FIREWALL_ERR_EXCEED_MAX_RULE;
361 }
362 int32_t domainsCount = NetFirewallDbHelper::GetInstance().QueryFirewallRuleDomainByUserIdCount(userId);
363 int32_t size = static_cast<int32_t>(rule->domains.size());
364 if (domainsCount + size > FIREWALL_SINGLE_USER_MAX_DOMAIN) {
365 return FIREWALL_ERR_EXCEED_MAX_DOMAIN;
366 }
367 domainsCount = NetFirewallDbHelper::GetInstance().QueryFirewallRuleAllFuzzyDomainCount();
368 if (allUserDomain_ + size > FIREWALL_ALL_USER_MAX_DOMAIN ||
369 domainsCount + size > FIREWALL_ALL_USER_MAX_FUZZY_DOMAIN) {
370 NETMGR_EXT_LOG_E(
371 "check rule constraint domain number is more than max, all domain=%{public}d all fuzzy=%{public}d",
372 allUserDomain_, static_cast<int32_t>(domainsCount));
373 return FIREWALL_ERR_EXCEED_ALL_MAX_DOMAIN;
374 }
375 // DNS rule check duplicate
376 if (NetFirewallDbHelper::GetInstance().IsDnsRuleExist(rule)) {
377 NETMGR_EXT_LOG_E("check rule constraint, the dns rule is exist");
378 return FIREWALL_ERR_DNS_RULE_DUPLICATION;
379 }
380 return FIREWALL_SUCCESS;
381 }
382
CheckAccountExist(int32_t userId)383 bool NetFirewallRuleManager::CheckAccountExist(int32_t userId)
384 {
385 AccountSA::OsAccountInfo accountInfo;
386 if (AccountSA::OsAccountManager::QueryOsAccountById(userId, accountInfo) != ERR_OK) {
387 NETMGR_EXT_LOG_E("QueryOsAccountById error, userId: %{public}d.", userId);
388 return false;
389 }
390
391 if (accountInfo.GetType() == AccountSA::OsAccountType::GUEST) {
392 NETMGR_EXT_LOG_W("The guest account.");
393 }
394 return true;
395 }
396
ExtractIpRules(const std::vector<NetFirewallRule> & rules,std::vector<sptr<NetFirewallIpRule>> & ipRules)397 bool NetFirewallRuleManager::ExtractIpRules(const std::vector<NetFirewallRule> &rules,
398 std::vector<sptr<NetFirewallIpRule>> &ipRules)
399 {
400 if (rules.empty()) {
401 return false;
402 }
403 for (const auto &rule : rules) {
404 if (!NetFirewallPolicyManager::GetInstance().GetNetFirewallStatus(rule.userId)) {
405 continue;
406 }
407 if (rule.ruleType != NetFirewallRuleType::RULE_IP) {
408 continue;
409 }
410 sptr<NetFirewallIpRule> ipRule = new (std::nothrow) NetFirewallIpRule();
411 if (ipRule == nullptr) {
412 NETMGR_EXT_LOG_E("ExtractIpRules ipRule is null");
413 return false;
414 }
415 ipRule->userId = rule.userId;
416 ipRule->ruleDirection = rule.ruleDirection;
417 ipRule->ruleAction = rule.ruleAction;
418 ipRule->appUid = rule.appUid;
419 ipRule->localIps = rule.localIps;
420 ipRule->remoteIps = rule.remoteIps;
421 ipRule->protocol = rule.protocol;
422 ipRule->localPorts = rule.localPorts;
423 ipRule->remotePorts = rule.remotePorts;
424 ipRules.emplace_back(std::move(ipRule));
425 }
426 return ipRules.size() > 0;
427 }
428
ExtractDomainRules(const std::vector<NetFirewallRule> & rules,std::vector<sptr<NetFirewallDomainRule>> & domainRules)429 bool NetFirewallRuleManager::ExtractDomainRules(const std::vector<NetFirewallRule> &rules,
430 std::vector<sptr<NetFirewallDomainRule>> &domainRules)
431 {
432 if (rules.empty()) {
433 return false;
434 }
435 for (const auto &rule : rules) {
436 if (!NetFirewallPolicyManager::GetInstance().GetNetFirewallStatus(rule.userId)) {
437 continue;
438 }
439 if (rule.ruleType != NetFirewallRuleType::RULE_DOMAIN) {
440 continue;
441 }
442 sptr<NetFirewallDomainRule> domainRule = new (std::nothrow) NetFirewallDomainRule();
443 if (domainRule == nullptr) {
444 NETMGR_EXT_LOG_E("ExtractDomainRules domainRule is null");
445 return false;
446 }
447 domainRule->userId = rule.userId;
448 domainRule->appUid = rule.appUid;
449 domainRule->ruleAction = rule.ruleAction;
450 domainRule->domains = rule.domains;
451 domainRules.emplace_back(std::move(domainRule));
452 }
453 return domainRules.size() > 0;
454 }
455
ExtractDnsRules(const std::vector<NetFirewallRule> & rules,std::vector<sptr<NetFirewallDnsRule>> & dnsRules)456 bool NetFirewallRuleManager::ExtractDnsRules(const std::vector<NetFirewallRule> &rules,
457 std::vector<sptr<NetFirewallDnsRule>> &dnsRules)
458 {
459 if (rules.empty()) {
460 return false;
461 }
462 for (const auto &rule : rules) {
463 if (!NetFirewallPolicyManager::GetInstance().GetNetFirewallStatus(rule.userId)) {
464 continue;
465 }
466 if (rule.ruleType != NetFirewallRuleType::RULE_DNS) {
467 continue;
468 }
469 sptr<NetFirewallDnsRule> dnsRule = new (std::nothrow) NetFirewallDnsRule();
470 if (dnsRule == nullptr) {
471 NETMGR_EXT_LOG_E("ExtractDnsRules dnsRule is null");
472 return false;
473 }
474 dnsRule->userId = rule.userId;
475 dnsRule->appUid = rule.appUid;
476 dnsRule->primaryDns = rule.dns.primaryDns;
477 dnsRule->standbyDns = rule.dns.standbyDns;
478 dnsRules.emplace_back(std::move(dnsRule));
479 }
480 return dnsRules.size() > 0;
481 }
482
HandleIpTypeForDistributeRules(std::vector<NetFirewallRule> & rules)483 int32_t NetFirewallRuleManager::HandleIpTypeForDistributeRules(std::vector<NetFirewallRule> &rules)
484 {
485 std::vector<sptr<NetFirewallIpRule>> ipRules;
486 if (ExtractIpRules(rules, ipRules)) {
487 NetFirewallRuleNativeHelper::GetInstance().SetFirewallIpRules(ipRules);
488 } else {
489 NetFirewallRuleNativeHelper::GetInstance().ClearFirewallRules(NetFirewallRuleType::RULE_IP);
490 }
491 return FIREWALL_SUCCESS;
492 }
493
HandleDnsTypeForDistributeRules(std::vector<NetFirewallRule> & rules)494 int32_t NetFirewallRuleManager::HandleDnsTypeForDistributeRules(std::vector<NetFirewallRule> &rules)
495 {
496 std::vector<sptr<NetFirewallDnsRule>> dnsRules;
497 if (ExtractDnsRules(rules, dnsRules)) {
498 NetFirewallRuleNativeHelper::GetInstance().SetFirewallDnsRules(dnsRules);
499 } else {
500 NetFirewallRuleNativeHelper::GetInstance().ClearFirewallRules(NetFirewallRuleType::RULE_DNS);
501 }
502 return FIREWALL_SUCCESS;
503 }
504
HandleDomainTypeForDistributeRules(std::vector<NetFirewallRule> & rules)505 int32_t NetFirewallRuleManager::HandleDomainTypeForDistributeRules(std::vector<NetFirewallRule> &rules)
506 {
507 std::vector<sptr<NetFirewallDomainRule>> domainRules;
508 NetFirewallRuleNativeHelper::GetInstance().ClearFirewallRules(NetFirewallRuleType::RULE_DOMAIN);
509 if (ExtractDomainRules(rules, domainRules)) {
510 NetFirewallRuleNativeHelper::GetInstance().SetFirewallDomainRules(domainRules);
511 }
512 return FIREWALL_SUCCESS;
513 }
514
GetCurrentAccountId()515 int32_t NetFirewallRuleManager::GetCurrentAccountId()
516 {
517 std::vector<int32_t> accountIds;
518 auto ret = AccountSA::OsAccountManager::QueryActiveOsAccountIds(accountIds);
519 if (ret != ERR_OK || accountIds.empty()) {
520 NETMGR_EXT_LOG_E("query active user failed errCode=%{public}d", ret);
521 return FIREWALL_ERR_INTERNAL;
522 }
523 return accountIds.front();
524 }
525
OpenOrCloseNativeFirewall(bool isOpen)526 int32_t NetFirewallRuleManager::OpenOrCloseNativeFirewall(bool isOpen)
527 {
528 std::lock_guard<std::shared_mutex> locker(setFirewallRuleMutex_);
529 NETMGR_EXT_LOG_I("OpenOrCloseNativeFirewall: isOpen=%{public}d", isOpen);
530 NetmanagerHiTrace::NetmanagerStartSyncTrace("OpenOrCloseNativeFirewall");
531 if (!isOpen) {
532 NETMGR_EXT_LOG_I("OpenOrCloseNativeFirewall: firewall disabled");
533 NetFirewallRuleNativeHelper::GetInstance().ClearFirewallRules(NetFirewallRuleType::RULE_ALL);
534 return FIREWALL_SUCCESS;
535 }
536 NetFirewallPolicyManager::GetInstance().InitNetfirewallPolicy();
537 int32_t ret = SetRulesToNativeByType(NetFirewallRuleType::RULE_ALL);
538 SetNetFirewallDumpMessage(ret);
539 NetmanagerHiTrace::NetmanagerFinishSyncTrace("OpenOrCloseNativeFirewall");
540 return ret;
541 }
542
DistributeRulesToNative(NetFirewallRuleType type)543 int32_t NetFirewallRuleManager::DistributeRulesToNative(NetFirewallRuleType type)
544 {
545 NETMGR_EXT_LOG_I("DistributeRulesToNative: type=%{public}d", (int)type);
546 NetmanagerHiTrace::NetmanagerStartSyncTrace("DistributeRulesToNative");
547 if (!NetFirewallPolicyManager::GetInstance().IsFirewallOpen()) {
548 NETMGR_EXT_LOG_I("DistributeRulesToNative: firewall disabled");
549 NetFirewallRuleNativeHelper::GetInstance().ClearFirewallRules(NetFirewallRuleType::RULE_ALL);
550 return FIREWALL_SUCCESS;
551 }
552
553 int32_t ret = SetRulesToNativeByType(type);
554 NetmanagerHiTrace::NetmanagerFinishSyncTrace("DistributeRulesToNative");
555 SetNetFirewallDumpMessage(ret);
556 return ret;
557 }
558
SetRulesToNativeByType(const NetFirewallRuleType type)559 int32_t NetFirewallRuleManager::SetRulesToNativeByType(const NetFirewallRuleType type)
560 {
561 int32_t ret = FIREWALL_SUCCESS;
562 std::vector<NetFirewallRule> rules;
563 GetEnabledNetFirewallRules(rules, type);
564 switch (type) {
565 case NetFirewallRuleType::RULE_IP:
566 ret = HandleIpTypeForDistributeRules(rules);
567 break;
568 case NetFirewallRuleType::RULE_DNS:
569 ret = HandleDnsTypeForDistributeRules(rules);
570 break;
571 case NetFirewallRuleType::RULE_DOMAIN:
572 ret = HandleDomainTypeForDistributeRules(rules);
573 break;
574 case NetFirewallRuleType::RULE_ALL: {
575 if (rules.empty()) {
576 break;
577 }
578 NetFirewallRuleNativeHelper::GetInstance().ClearFirewallRules(NetFirewallRuleType::RULE_ALL);
579 // set default action to bpf map
580 NetFirewallPolicyManager::GetInstance().InitNetfirewallPolicy();
581 ret = HandleIpTypeForDistributeRules(rules);
582 ret += HandleDnsTypeForDistributeRules(rules);
583 ret += HandleDomainTypeForDistributeRules(rules);
584 break;
585 }
586 default:
587 break;
588 }
589 return ret;
590 }
591
UpdateUserRuleSize(const int32_t userId,bool isInc)592 void NetFirewallRuleManager::UpdateUserRuleSize(const int32_t userId, bool isInc)
593 {
594 if (!userRuleSize_.count(userId)) {
595 return;
596 }
597 int64_t old = userRuleSize_.at(userId);
598 userRuleSize_.at(userId) = isInc ? (old + 1) : (old - 1);
599 }
600
DeleteUserRuleSize(const int32_t userId)601 void NetFirewallRuleManager::DeleteUserRuleSize(const int32_t userId)
602 {
603 if (!userRuleSize_.empty() && userRuleSize_.count(userId)) {
604 userRuleSize_.erase(userId);
605 }
606 }
607
SetNetFirewallDumpMessage(const int32_t result)608 void NetFirewallRuleManager::SetNetFirewallDumpMessage(const int32_t result)
609 {
610 if (result == FIREWALL_SUCCESS) {
611 currentSetRuleSecond_ = GetCurrentMilliseconds();
612 }
613 lastRulePushResult_ = result;
614 }
615
GetCurrentSetRuleSecond()616 uint64_t NetFirewallRuleManager::GetCurrentSetRuleSecond()
617 {
618 return currentSetRuleSecond_;
619 }
620
GetLastRulePushResult()621 int64_t NetFirewallRuleManager::GetLastRulePushResult()
622 {
623 return lastRulePushResult_;
624 }
625 } // namespace NetManagerStandard
626 } // namespace OHOS
627