1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <sys/socket.h>
17 #include <sys/types.h>
18
19 #include "netfirewall_service.h"
20 #include "ipc_skeleton.h"
21 #include "bundle_constants.h"
22 #include "iremote_object.h"
23 #include "net_event_report.h"
24 #include "net_manager_center.h"
25 #include "net_manager_constants.h"
26 #include "net_manager_ext_constants.h"
27 #include "netfirewall_default_rule_parser.h"
28 #include "netfirewall_db_helper.h"
29 #include "netfirewall_hisysevent.h"
30 #include "netmanager_base_common_utils.h"
31 #include "netmanager_base_permission.h"
32 #include "netmanager_hitrace.h"
33 #include "netmgr_ext_log_wrapper.h"
34 #include "system_ability_definition.h"
35 #include "netsys_controller.h"
36 #include "netfirewall_intercept_recorder.h"
37
38 namespace OHOS {
39 namespace NetManagerStandard {
40 constexpr int64_t QUERY_USER_ID_DELAY_TIME_MS = 300L;
41 constexpr int32_t QUERY_USER_MAX_RETRY_TIMES = 100;
42 constexpr int64_t SET_POLICY_DELAY_TIME_MS = 500000L;
43
44 namespace {
45 const std::string PUSH_RESULT_SUCCESS = "Success";
46 const std::string PUSH_RESULT_FAILD = "Faild";
47 const std::string PUSH_RESULT_UNKONW = "Unkonw";
48 } // namespace
49
50 const bool REGISTER_LOCAL_RESULT_NETFIREWALL =
51 SystemAbility::MakeAndRegisterAbility(DelayedSingleton<NetFirewallService>::GetInstance().get());
52
53 std::shared_ptr<ffrt::queue> NetFirewallService::ffrtServiceHandler_;
54
NetFirewallService()55 NetFirewallService::NetFirewallService() : SystemAbility(COMM_FIREWALL_MANAGER_SYS_ABILITY_ID, true)
56 {
57 NETMGR_EXT_LOG_I("NetFirewallService()");
58 }
59
~NetFirewallService()60 NetFirewallService::~NetFirewallService()
61 {
62 NETMGR_EXT_LOG_I("~NetFirewallService()");
63 }
64
SetCurrentUserId(int32_t userId)65 void NetFirewallService::SetCurrentUserId(int32_t userId)
66 {
67 currentUserId_ = userId;
68 NetFirewallInterceptRecorder::GetInstance()->SetCurrentUserId(currentUserId_);
69 // set current userid to native
70 NetFirewallRuleNativeHelper::GetInstance().SetCurrentUserId(currentUserId_);
71 }
72
GetCurrentAccountId()73 int32_t NetFirewallService::GetCurrentAccountId()
74 {
75 std::vector<int32_t> accountIds;
76 auto ret = AccountSA::OsAccountManager::QueryActiveOsAccountIds(accountIds);
77 if (ret != ERR_OK || accountIds.empty()) {
78 NETMGR_EXT_LOG_E("query active user failed errCode=%{public}d", ret);
79 return FIREWALL_ERR_INTERNAL;
80 }
81 SetCurrentUserId(accountIds.front());
82 return currentUserId_;
83 }
84
IsSameNetFirewallPolicy(const sptr<NetFirewallPolicy> & inPolicy,const sptr<NetFirewallPolicy> & outPolicy)85 bool NetFirewallService::IsSameNetFirewallPolicy(const sptr<NetFirewallPolicy> &inPolicy,
86 const sptr<NetFirewallPolicy> &outPolicy)
87 {
88 return (inPolicy->isOpen == outPolicy->isOpen &&
89 inPolicy->inAction == outPolicy->inAction &&
90 inPolicy->outAction == outPolicy->outAction);
91 }
92
93 /**
94 * Turn on or off the firewall
95 *
96 * @param userId User id
97 * @param policy The firewall status to be set
98 * @return Returns 0 success. Otherwise fail
99 */
SetNetFirewallPolicy(const int32_t userId,const sptr<NetFirewallPolicy> & policy)100 int32_t NetFirewallService::SetNetFirewallPolicy(const int32_t userId, const sptr<NetFirewallPolicy> &policy)
101 {
102 NETMGR_EXT_LOG_I("SetNetFirewallPolicy userId=%{public}d isOpen= %{public}d, inAction=%{public}d", userId,
103 policy->isOpen, policy->inAction);
104 int32_t ret = CheckUserExist(userId);
105 if (ret != FIREWALL_SUCCESS) {
106 return ret;
107 }
108
109 sptr<NetFirewallPolicy> policyTemp = sptr<NetFirewallPolicy>::MakeSptr();
110 NetFirewallPolicyManager::GetInstance().LoadPolicyFormPreference(userId, policyTemp);
111 if (IsSameNetFirewallPolicy(policy, policyTemp)) {
112 NETMGR_EXT_LOG_W("SetNetFirewallPolicy is same userId=%{public}d, ignore.", userId);
113 return FIREWALL_SUCCESS;
114 }
115
116 ret = NetFirewallPolicyManager::GetInstance().SetNetFirewallPolicy(userId, policy);
117 if (ret != FIREWALL_SUCCESS) {
118 return ret;
119 }
120
121 // save default action to bpf
122 if (policy->isOpen) {
123 NetsysController::GetInstance().SetFirewallDefaultAction(userId, policy->inAction, policy->outAction);
124 } else {
125 NetFirewallPolicyManager::GetInstance().InitNetfirewallPolicy();
126 }
127
128 // update rules
129 if (NetFirewallPolicyManager::GetInstance().IsNetFirewallOpen(userId) != policy->isOpen) {
130 NetFirewallRuleManager::GetInstance().OpenOrCloseNativeFirewall(
131 NetFirewallPolicyManager::GetInstance().IsFirewallOpen());
132 }
133 return ret;
134 }
135
136 /**
137 * Query firewall status
138 *
139 * @param userId User id
140 * @param status status of user userId
141 * @return Returns 0 success. Otherwise fail
142 */
GetNetFirewallPolicy(const int32_t userId,sptr<NetFirewallPolicy> & policy)143 int32_t NetFirewallService::GetNetFirewallPolicy(const int32_t userId, sptr<NetFirewallPolicy> &policy)
144 {
145 NETMGR_EXT_LOG_I("GetNetFirewallPolicy");
146 int32_t ret = CheckUserExist(userId);
147 if (ret != FIREWALL_SUCCESS) {
148 return ret;
149 }
150 NetFirewallPolicyManager::GetInstance().GetNetFirewallPolicy(userId, policy);
151 return FIREWALL_SUCCESS;
152 }
153
AddNetFirewallRule(const sptr<NetFirewallRule> & rule,int32_t & ruleId)154 int32_t NetFirewallService::AddNetFirewallRule(const sptr<NetFirewallRule> &rule, int32_t &ruleId)
155 {
156 return NetFirewallRuleManager::GetInstance().AddNetFirewallRule(rule, ruleId);
157 }
158
AddDefaultNetFirewallRule(int32_t userId)159 int32_t NetFirewallService::AddDefaultNetFirewallRule(int32_t userId)
160 {
161 return NetFirewallRuleManager::GetInstance().AddDefaultNetFirewallRule(userId);
162 }
163
UpdateNetFirewallRule(const sptr<NetFirewallRule> & rule)164 int32_t NetFirewallService::UpdateNetFirewallRule(const sptr<NetFirewallRule> &rule)
165 {
166 return NetFirewallRuleManager::GetInstance().UpdateNetFirewallRule(rule);
167 }
168
DeleteNetFirewallRule(const int32_t userId,const int32_t ruleId)169 int32_t NetFirewallService::DeleteNetFirewallRule(const int32_t userId, const int32_t ruleId)
170 {
171 return NetFirewallRuleManager::GetInstance().DeleteNetFirewallRule(userId, ruleId);
172 }
173
GetNetFirewallRules(const int32_t userId,const sptr<RequestParam> & requestParam,sptr<FirewallRulePage> & info)174 int32_t NetFirewallService::GetNetFirewallRules(const int32_t userId, const sptr<RequestParam> &requestParam,
175 sptr<FirewallRulePage> &info)
176 {
177 return NetFirewallRuleManager::GetInstance().GetNetFirewallRules(userId, requestParam, info);
178 }
179
GetNetFirewallRule(const int32_t userId,const int32_t ruleId,sptr<NetFirewallRule> & rule)180 int32_t NetFirewallService::GetNetFirewallRule(const int32_t userId, const int32_t ruleId, sptr<NetFirewallRule> &rule)
181 {
182 return NetFirewallRuleManager::GetInstance().GetNetFirewallRule(userId, ruleId, rule);
183 }
184
GetInterceptRecords(const int32_t userId,const sptr<RequestParam> & requestParam,sptr<InterceptRecordPage> & info)185 int32_t NetFirewallService::GetInterceptRecords(const int32_t userId, const sptr<RequestParam> &requestParam,
186 sptr<InterceptRecordPage> &info)
187 {
188 NETMGR_EXT_LOG_I("GetInterceptRecords");
189 int32_t ret = CheckUserExist(userId);
190 if (ret != FIREWALL_SUCCESS) {
191 return ret;
192 }
193 // Cache data writing to avoid not being able to access new data
194 NetFirewallInterceptRecorder::GetInstance()->SyncRecordCache();
195 return NetFirewallInterceptRecorder::GetInstance()->GetInterceptRecords(userId, requestParam, info);
196 }
197
CheckUserExist(const int32_t userId)198 int32_t NetFirewallService::CheckUserExist(const int32_t userId)
199 {
200 AccountSA::OsAccountInfo accountInfo;
201 if (AccountSA::OsAccountManager::QueryOsAccountById(userId, accountInfo) != ERR_OK) {
202 NETMGR_EXT_LOG_E("QueryOsAccountById error, userId: %{public}d.", userId);
203 return FIREWALL_ERR_NO_USER;
204 }
205 return FIREWALL_SUCCESS;
206 }
207
Dump(int32_t fd,const std::vector<std::u16string> & args)208 int32_t NetFirewallService::Dump(int32_t fd, const std::vector<std::u16string> &args)
209 {
210 std::string result;
211 GetDumpMessage(result);
212 NETMGR_EXT_LOG_I("NetFirewall dump fd: %{public}d, content: %{public}s", fd, result.c_str());
213 int32_t ret = dprintf(fd, "%s\n", result.c_str());
214 if (ret < 0) {
215 NETMGR_EXT_LOG_E("dprintf failed, errno[%{public}d]", errno);
216 return FIREWALL_ERR_INTERNAL;
217 }
218 return FIREWALL_SUCCESS;
219 }
220
GetDumpMessage(std::string & message)221 void NetFirewallService::GetDumpMessage(std::string &message)
222 {
223 message.append("NetFirewall Info:\n");
224 message.append("\tServiceRunningState: " + GetServiceState() + "\n");
225 message.append("\tSpendTimeMSec: " + std::to_string(serviceSpendTime_) + "ms" + "\n");
226 std::map<int32_t, bool> firewallStateMap;
227 GetAllUserFirewallState(firewallStateMap);
228 message.append("\t");
229 for (const auto &pair : firewallStateMap) {
230 std::string userId = std::to_string(pair.first);
231 std::string state = pair.second ? "Enable" : "Disable";
232 message.append("UserId: " + userId + " " + state + ", ");
233 }
234 message.append("\n");
235 message.append("\tLastRulePushTime: " + GetLastRulePushTime() + "\n");
236 message.append("\tLastRulePushResult: " + GetLastRulePushResult() + "\n");
237 }
238
GetServiceState()239 std::string NetFirewallService::GetServiceState()
240 {
241 return (state_ == ServiceRunningState::STATE_RUNNING) ? "Running" : "Stop";
242 }
243
GetLastRulePushTime()244 std::string NetFirewallService::GetLastRulePushTime()
245 {
246 currentSetRuleSecond_ = NetFirewallRuleManager::GetInstance().GetCurrentSetRuleSecond();
247 if (currentSetRuleSecond_ == 0) {
248 return PUSH_RESULT_UNKONW;
249 }
250 return std::to_string(currentSetRuleSecond_);
251 }
252
GetLastRulePushResult()253 std::string NetFirewallService::GetLastRulePushResult()
254 {
255 lastRulePushResult_ = NetFirewallRuleManager::GetInstance().GetLastRulePushResult();
256 if (lastRulePushResult_ == FIREWALL_SUCCESS) {
257 return PUSH_RESULT_SUCCESS;
258 }
259 if (lastRulePushResult_ < 0) {
260 return PUSH_RESULT_UNKONW;
261 }
262 return PUSH_RESULT_FAILD;
263 }
264
GetAllUserFirewallState(std::map<int32_t,bool> & firewallStateMap)265 int32_t NetFirewallService::GetAllUserFirewallState(std::map<int32_t, bool> &firewallStateMap)
266 {
267 std::vector<AccountSA::OsAccountInfo> osAccountInfos;
268 AccountSA::OsAccountManager::QueryAllCreatedOsAccounts(osAccountInfos);
269 size_t size = osAccountInfos.size();
270 for (const auto &info : osAccountInfos) {
271 int32_t userId = info.GetLocalId();
272 firewallStateMap[userId] = NetFirewallPolicyManager::GetInstance().IsNetFirewallOpen(userId);
273 }
274 return FIREWALL_SUCCESS;
275 }
276
OnStart()277 void NetFirewallService::OnStart()
278 {
279 NETMGR_EXT_LOG_I("OnStart()");
280 uint64_t startServiceTime = GetCurrentMilliseconds();
281 if (state_ == ServiceRunningState::STATE_RUNNING) {
282 NETMGR_EXT_LOG_I("PcfirewallService is already running.");
283 return;
284 }
285
286 if (!REGISTER_LOCAL_RESULT_NETFIREWALL) {
287 NETMGR_EXT_LOG_E("Register to local sa manager failed");
288 return;
289 }
290 if (!isServicePublished_) {
291 if (!Publish(DelayedSingleton<NetFirewallService>::GetInstance().get())) {
292 NETMGR_EXT_LOG_E("Register to sa manager failed");
293 return;
294 }
295 isServicePublished_ = true;
296 }
297
298 state_ = ServiceRunningState::STATE_RUNNING;
299
300 AddSystemAbilityListener(COMM_NETSYS_NATIVE_SYS_ABILITY_ID);
301 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
302 if (OnInit() != FIREWALL_SUCCESS) {
303 NETMGR_EXT_LOG_E("Init data failed");
304 return;
305 }
306 serviceSpendTime_ = GetCurrentMilliseconds() - startServiceTime;
307 }
308
OnInit()309 int32_t NetFirewallService::OnInit()
310 {
311 InitServiceHandler();
312 InitQueryUserId(QUERY_USER_MAX_RETRY_TIMES);
313 SubscribeCommonEvent();
314 NetFirewallInterceptRecorder::GetInstance()->RegisterInterceptCallback();
315 return FIREWALL_SUCCESS;
316 }
317
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)318 void NetFirewallService::OnAddSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
319 {
320 NETMGR_EXT_LOG_I("OnAddSystemAbility systemAbilityId:%{public}d added!", systemAbilityId);
321 if (systemAbilityId == COMM_NETSYS_NATIVE_SYS_ABILITY_ID) {
322 if (hasSaRemoved_) {
323 NETMGR_EXT_LOG_I("native reboot, reset firewall rules.");
324 NetFirewallRuleManager::GetInstance().OpenOrCloseNativeFirewall(
325 NetFirewallPolicyManager::GetInstance().IsFirewallOpen());
326 NetFirewallInterceptRecorder::GetInstance()->RegisterInterceptCallback();
327 hasSaRemoved_ = false;
328 }
329 // After the universal service is launched, you can register for broadcast monitoring
330 } else if (systemAbilityId == COMMON_EVENT_SERVICE_ID && subscriber_ == nullptr) {
331 SubscribeCommonEvent();
332 }
333 }
334
InitUsersOnBoot()335 bool NetFirewallService::InitUsersOnBoot()
336 {
337 std::vector<int32_t> userIds;
338 if (AccountSA::OsAccountManager::QueryActiveOsAccountIds(userIds) != ERR_OK || userIds.empty()) {
339 NETMGR_EXT_LOG_E("PcfirewallService: failed to get current userIds");
340 return false;
341 }
342 SetCurrentUserId(userIds.front());
343 NETMGR_EXT_LOG_I("PcfirewallService::get current userIds success, Current userId: %{public}d",
344 currentUserId_.load());
345 InitQueryNetFirewallRules();
346 return true;
347 }
348
InitQueryUserId(int32_t times)349 void NetFirewallService::InitQueryUserId(int32_t times)
350 {
351 times--;
352 bool ret = InitUsersOnBoot();
353 if (!ret && times > 0) {
354 NETMGR_EXT_LOG_I("InitQueryUserId failed");
355 ffrtServiceHandler_->submit([this, times]() { InitQueryUserId(times); },
356 ffrt::task_attr().delay(QUERY_USER_ID_DELAY_TIME_MS).name("InitQueryUserId"));
357 }
358 }
359
InitQueryNetFirewallRules()360 void NetFirewallService::InitQueryNetFirewallRules()
361 {
362 NetFirewallRuleManager::GetInstance().OpenOrCloseNativeFirewall(
363 NetFirewallPolicyManager::GetInstance().IsFirewallOpen());
364 }
365
InitServiceHandler()366 void NetFirewallService::InitServiceHandler()
367 {
368 if (ffrtServiceHandler_ != nullptr) {
369 NETMGR_EXT_LOG_E("InitServiceHandler already init.");
370 return;
371 }
372 ffrtServiceHandler_ =
373 std::make_shared<ffrt::queue>("NetFirewallService", ffrt::queue_attr().qos(ffrt::qos_utility));
374 NETMGR_EXT_LOG_I("InitServiceHandler succeeded.");
375 }
376
OnStop()377 void NetFirewallService::OnStop()
378 {
379 if (state_ != ServiceRunningState::STATE_RUNNING) {
380 return;
381 }
382 NetFirewallInterceptRecorder::GetInstance()->SyncRecordCache();
383 ffrtServiceHandler_.reset();
384 ffrtServiceHandler_ = nullptr;
385 if (subscriber_ != nullptr) {
386 bool unSubscribeResult = OHOS::EventFwk::CommonEventManager::UnSubscribeCommonEvent(subscriber_);
387 subscriber_ = nullptr;
388 NETMGR_EXT_LOG_I("UnregisterSubscriber end, unSubscribeResult = %{public}d", unSubscribeResult);
389 }
390 NetFirewallInterceptRecorder::GetInstance()->UnRegisterInterceptCallback();
391 state_ = ServiceRunningState::STATE_NOT_START;
392 NETMGR_EXT_LOG_I("OnStop end.");
393 }
394
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)395 void NetFirewallService::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
396 {
397 NETMGR_EXT_LOG_I("OnRemoveSystemAbility systemAbilityId:%{public}d removed!", systemAbilityId);
398 if (systemAbilityId == COMM_NETSYS_NATIVE_SYS_ABILITY_ID) {
399 hasSaRemoved_ = true;
400 } else if (systemAbilityId == COMMON_EVENT_SERVICE_ID && subscriber_ != nullptr) {
401 OHOS::EventFwk::CommonEventManager::UnSubscribeCommonEvent(subscriber_);
402 subscriber_ = nullptr;
403 }
404 }
405
SubscribeCommonEvent()406 void NetFirewallService::SubscribeCommonEvent()
407 {
408 EventFwk::MatchingSkills matchingSkills;
409 matchingSkills.AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED);
410 matchingSkills.AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_USER_SWITCHED);
411 matchingSkills.AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED);
412 EventFwk::CommonEventSubscribeInfo subscribeInfo(matchingSkills);
413 // 1 means CORE_EVENT_PRIORITY
414 subscribeInfo.SetPriority(1);
415 subscriber_ = std::make_shared<ReceiveMessage>(subscribeInfo, shared_from_this());
416 RegisterSubscribeCommonEvent();
417 }
418
RegisterSubscribeCommonEvent()419 void NetFirewallService::RegisterSubscribeCommonEvent()
420 {
421 // If the universal service has not been loaded yet, registering for broadcasting will fail
422 if (subscriber_ == nullptr) {
423 NETMGR_EXT_LOG_E("subscriber is nullptr");
424 return;
425 }
426 if (!EventFwk::CommonEventManager::SubscribeCommonEvent(subscriber_)) {
427 NETMGR_EXT_LOG_E("SubscribeCommonEvent fail");
428 subscriber_ = nullptr;
429 }
430 }
431
OnReceiveEvent(const EventFwk::CommonEventData & eventData)432 void NetFirewallService::ReceiveMessage::OnReceiveEvent(const EventFwk::CommonEventData &eventData)
433 {
434 const auto &action = eventData.GetWant().GetAction();
435 const auto &data = eventData.GetData();
436 const auto &code = eventData.GetCode();
437 NETMGR_EXT_LOG_I("NetVReceiveMessage::OnReceiveEvent(), event:[%{public}s], data:[%{public}s], code:[%{public}d]",
438 action.c_str(), data.c_str(), code);
439 int32_t userId = code;
440 if (action == EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED) {
441 NetFirewallRuleManager::GetInstance().DeleteNetFirewallRuleByUserId(userId);
442 NetFirewallPolicyManager::GetInstance().ClearFirewallPolicy(userId);
443 NetFirewallDbHelper::GetInstance().DeleteInterceptRecord(userId);
444 NetFirewallRuleManager::GetInstance().DeleteUserRuleSize(userId);
445 return;
446 }
447 if (action == EventFwk::CommonEventSupport::COMMON_EVENT_USER_SWITCHED) {
448 // Old user cache cleaning
449 NetFirewallInterceptRecorder::GetInstance()->SyncRecordCache();
450 netfirewallService_->SetCurrentUserId(userId);
451 return;
452 }
453 if (action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED) {
454 if (eventData.GetWant().GetIntParam(AppExecFwk::Constants::UID, 0) < 0) {
455 NETMGR_EXT_LOG_E("error:deletedUid < 0!,return");
456 return;
457 }
458 uint32_t deletedUid = static_cast<uint32_t>(eventData.GetWant().GetIntParam(AppExecFwk::Constants::UID, 0));
459 NETMGR_EXT_LOG_I("NetFirewallService: deletedUid %{public}d", deletedUid);
460 NetFirewallRuleManager::GetInstance().DeleteNetFirewallRuleByAppId(deletedUid);
461 }
462 }
463 } // namespace NetManagerStandard
464 } // namespace OHOS
465