1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <sys/socket.h>
17 #include <sys/types.h>
18
19 #include "netfirewall_service.h"
20 #include "ipc_skeleton.h"
21 #include "bundle_constants.h"
22 #include "iremote_object.h"
23 #include "net_event_report.h"
24 #include "net_manager_constants.h"
25 #include "net_manager_ext_constants.h"
26 #include "netfirewall_default_rule_parser.h"
27 #include "netfirewall_db_helper.h"
28 #include "netfirewall_hisysevent.h"
29 #include "netmanager_base_common_utils.h"
30 #include "netmanager_base_permission.h"
31 #include "netmanager_hitrace.h"
32 #include "netmgr_ext_log_wrapper.h"
33 #include "system_ability_definition.h"
34 #include "netsys_controller.h"
35 #include "netfirewall_intercept_recorder.h"
36
37 namespace OHOS {
38 namespace NetManagerStandard {
39 constexpr int64_t QUERY_USER_ID_DELAY_TIME_MS = 300000L;
40 constexpr int32_t QUERY_USER_MAX_RETRY_TIMES = 100;
41 constexpr int64_t SET_POLICY_DELAY_TIME_MS = 500000L;
42
43 namespace {
44 const std::string PUSH_RESULT_SUCCESS = "Success";
45 const std::string PUSH_RESULT_FAILD = "Faild";
46 const std::string PUSH_RESULT_UNKONW = "Unkonw";
47 } // namespace
48
49 const bool REGISTER_LOCAL_RESULT_NETFIREWALL =
50 SystemAbility::MakeAndRegisterAbility(DelayedSingleton<NetFirewallService>::GetInstance().get());
51
52 std::shared_ptr<ffrt::queue> NetFirewallService::ffrtServiceHandler_;
53
NetFirewallService()54 NetFirewallService::NetFirewallService() : SystemAbility(COMM_FIREWALL_MANAGER_SYS_ABILITY_ID, true)
55 {
56 NETMGR_EXT_LOG_I("NetFirewallService()");
57 }
58
~NetFirewallService()59 NetFirewallService::~NetFirewallService()
60 {
61 NETMGR_EXT_LOG_I("~NetFirewallService()");
62 }
63
SetCurrentUserId(int32_t userId)64 void NetFirewallService::SetCurrentUserId(int32_t userId)
65 {
66 currentUserId_ = userId;
67 NetFirewallInterceptRecorder::GetInstance()->SetCurrentUserId(currentUserId_);
68 // set current userid to native
69 NetFirewallRuleNativeHelper::GetInstance().SetCurrentUserId(currentUserId_);
70 }
71
GetCurrentAccountId()72 int32_t NetFirewallService::GetCurrentAccountId()
73 {
74 std::vector<int32_t> accountIds;
75 auto ret = AccountSA::OsAccountManager::QueryActiveOsAccountIds(accountIds);
76 if (ret != ERR_OK || accountIds.empty()) {
77 NETMGR_EXT_LOG_E("query active user failed errCode=%{public}d", ret);
78 return FIREWALL_ERR_INTERNAL;
79 }
80 SetCurrentUserId(accountIds.front());
81 return currentUserId_;
82 }
83
IsSameNetFirewallPolicy(const sptr<NetFirewallPolicy> & inPolicy,const sptr<NetFirewallPolicy> & outPolicy)84 bool NetFirewallService::IsSameNetFirewallPolicy(const sptr<NetFirewallPolicy> &inPolicy,
85 const sptr<NetFirewallPolicy> &outPolicy)
86 {
87 return (inPolicy->isOpen == outPolicy->isOpen &&
88 inPolicy->inAction == outPolicy->inAction &&
89 inPolicy->outAction == outPolicy->outAction);
90 }
91
92 /**
93 * Turn on or off the firewall
94 *
95 * @param userId User id
96 * @param policy The firewall status to be set
97 * @return Returns 0 success. Otherwise fail
98 */
SetNetFirewallPolicy(const int32_t userId,const sptr<NetFirewallPolicy> & policy)99 int32_t NetFirewallService::SetNetFirewallPolicy(const int32_t userId, const sptr<NetFirewallPolicy> &policy)
100 {
101 NETMGR_EXT_LOG_I("SetNetFirewallPolicy userId=%{public}d isOpen=%{public}d, in=%{public}d, out=%{public}d",
102 userId, policy->isOpen, policy->inAction, policy->outAction);
103 int32_t ret = CheckUserExist(userId);
104 if (ret != FIREWALL_SUCCESS) {
105 return ret;
106 }
107
108 sptr<NetFirewallPolicy> policyTemp = sptr<NetFirewallPolicy>::MakeSptr();
109 NetFirewallPolicyManager::GetInstance().LoadPolicyFormPreference(userId, policyTemp);
110 if (IsSameNetFirewallPolicy(policy, policyTemp)) {
111 NETMGR_EXT_LOG_W("SetNetFirewallPolicy is same userId=%{public}d, ignore.", userId);
112 return FIREWALL_SUCCESS;
113 }
114
115 ret = NetFirewallPolicyManager::GetInstance().SetNetFirewallPolicy(userId, policy);
116 if (ret != FIREWALL_SUCCESS) {
117 return ret;
118 }
119
120 // save default action to bpf
121 if (policy->isOpen) {
122 NetsysController::GetInstance().SetFirewallDefaultAction(userId, policy->inAction, policy->outAction);
123 } else {
124 NetFirewallPolicyManager::GetInstance().InitNetfirewallPolicy();
125 }
126
127 // update rules
128 if (policyTemp->isOpen != policy->isOpen) {
129 NetFirewallRuleManager::GetInstance().OpenOrCloseNativeFirewall(
130 NetFirewallPolicyManager::GetInstance().IsFirewallOpen());
131 }
132 return ret;
133 }
134
135 /**
136 * Query firewall status
137 *
138 * @param userId User id
139 * @param status status of user userId
140 * @return Returns 0 success. Otherwise fail
141 */
GetNetFirewallPolicy(const int32_t userId,sptr<NetFirewallPolicy> & policy)142 int32_t NetFirewallService::GetNetFirewallPolicy(const int32_t userId, sptr<NetFirewallPolicy> &policy)
143 {
144 NETMGR_EXT_LOG_I("GetNetFirewallPolicy");
145 int32_t ret = CheckUserExist(userId);
146 if (ret != FIREWALL_SUCCESS) {
147 return ret;
148 }
149 NetFirewallPolicyManager::GetInstance().GetNetFirewallPolicy(userId, policy);
150 return FIREWALL_SUCCESS;
151 }
152
AddNetFirewallRule(const sptr<NetFirewallRule> & rule,int32_t & ruleId)153 int32_t NetFirewallService::AddNetFirewallRule(const sptr<NetFirewallRule> &rule, int32_t &ruleId)
154 {
155 return NetFirewallRuleManager::GetInstance().AddNetFirewallRule(rule, ruleId);
156 }
157
AddDefaultNetFirewallRule(int32_t userId)158 int32_t NetFirewallService::AddDefaultNetFirewallRule(int32_t userId)
159 {
160 return NetFirewallRuleManager::GetInstance().AddDefaultNetFirewallRule(userId);
161 }
162
UpdateNetFirewallRule(const sptr<NetFirewallRule> & rule)163 int32_t NetFirewallService::UpdateNetFirewallRule(const sptr<NetFirewallRule> &rule)
164 {
165 return NetFirewallRuleManager::GetInstance().UpdateNetFirewallRule(rule);
166 }
167
DeleteNetFirewallRule(const int32_t userId,const int32_t ruleId)168 int32_t NetFirewallService::DeleteNetFirewallRule(const int32_t userId, const int32_t ruleId)
169 {
170 return NetFirewallRuleManager::GetInstance().DeleteNetFirewallRule(userId, ruleId);
171 }
172
GetNetFirewallRules(const int32_t userId,const sptr<RequestParam> & requestParam,sptr<FirewallRulePage> & info)173 int32_t NetFirewallService::GetNetFirewallRules(const int32_t userId, const sptr<RequestParam> &requestParam,
174 sptr<FirewallRulePage> &info)
175 {
176 return NetFirewallRuleManager::GetInstance().GetNetFirewallRules(userId, requestParam, info);
177 }
178
GetNetFirewallRule(const int32_t userId,const int32_t ruleId,sptr<NetFirewallRule> & rule)179 int32_t NetFirewallService::GetNetFirewallRule(const int32_t userId, const int32_t ruleId, sptr<NetFirewallRule> &rule)
180 {
181 return NetFirewallRuleManager::GetInstance().GetNetFirewallRule(userId, ruleId, rule);
182 }
183
GetInterceptRecords(const int32_t userId,const sptr<RequestParam> & requestParam,sptr<InterceptRecordPage> & info)184 int32_t NetFirewallService::GetInterceptRecords(const int32_t userId, const sptr<RequestParam> &requestParam,
185 sptr<InterceptRecordPage> &info)
186 {
187 NETMGR_EXT_LOG_I("GetInterceptRecords");
188 int32_t ret = CheckUserExist(userId);
189 if (ret != FIREWALL_SUCCESS) {
190 return ret;
191 }
192 // Cache data writing to avoid not being able to access new data
193 NetFirewallInterceptRecorder::GetInstance()->SyncRecordCache();
194 return NetFirewallInterceptRecorder::GetInstance()->GetInterceptRecords(userId, requestParam, info);
195 }
196
CheckUserExist(const int32_t userId)197 int32_t NetFirewallService::CheckUserExist(const int32_t userId)
198 {
199 AccountSA::OsAccountInfo accountInfo;
200 if (AccountSA::OsAccountManager::QueryOsAccountById(userId, accountInfo) != ERR_OK) {
201 NETMGR_EXT_LOG_E("QueryOsAccountById error, userId: %{public}d.", userId);
202 return FIREWALL_ERR_NO_USER;
203 }
204 return FIREWALL_SUCCESS;
205 }
206
Dump(int32_t fd,const std::vector<std::u16string> & args)207 int32_t NetFirewallService::Dump(int32_t fd, const std::vector<std::u16string> &args)
208 {
209 std::string result;
210 GetDumpMessage(result);
211 NETMGR_EXT_LOG_I("NetFirewall dump fd: %{public}d, content: %{public}s", fd, result.c_str());
212 int32_t ret = dprintf(fd, "%s\n", result.c_str());
213 if (ret < 0) {
214 NETMGR_EXT_LOG_E("dprintf failed, errno[%{public}d]", errno);
215 return FIREWALL_ERR_INTERNAL;
216 }
217 return FIREWALL_SUCCESS;
218 }
219
GetDumpMessage(std::string & message)220 void NetFirewallService::GetDumpMessage(std::string &message)
221 {
222 message.append("NetFirewall Info:\n");
223 message.append("\tServiceRunningState: " + GetServiceState() + "\n");
224 message.append("\tSpendTimeMSec: " + std::to_string(serviceSpendTime_) + "ms" + "\n");
225 std::map<int32_t, bool> firewallStateMap;
226 GetAllUserFirewallState(firewallStateMap);
227 message.append("\t");
228 for (const auto &pair : firewallStateMap) {
229 std::string userId = std::to_string(pair.first);
230 std::string state = pair.second ? "Enable" : "Disable";
231 message.append("UserId: " + userId + " " + state + ", ");
232 }
233 message.append("\n");
234 message.append("\tLastRulePushTime: " + GetLastRulePushTime() + "\n");
235 message.append("\tLastRulePushResult: " + GetLastRulePushResult() + "\n");
236 }
237
GetServiceState()238 std::string NetFirewallService::GetServiceState()
239 {
240 return (state_ == ServiceRunningState::STATE_RUNNING) ? "Running" : "Stop";
241 }
242
GetLastRulePushTime()243 std::string NetFirewallService::GetLastRulePushTime()
244 {
245 currentSetRuleSecond_ = NetFirewallRuleManager::GetInstance().GetCurrentSetRuleSecond();
246 if (currentSetRuleSecond_ == 0) {
247 return PUSH_RESULT_UNKONW;
248 }
249 return std::to_string(currentSetRuleSecond_);
250 }
251
GetLastRulePushResult()252 std::string NetFirewallService::GetLastRulePushResult()
253 {
254 lastRulePushResult_ = NetFirewallRuleManager::GetInstance().GetLastRulePushResult();
255 if (lastRulePushResult_ == FIREWALL_SUCCESS) {
256 return PUSH_RESULT_SUCCESS;
257 }
258 if (lastRulePushResult_ < 0) {
259 return PUSH_RESULT_UNKONW;
260 }
261 return PUSH_RESULT_FAILD;
262 }
263
GetAllUserFirewallState(std::map<int32_t,bool> & firewallStateMap)264 int32_t NetFirewallService::GetAllUserFirewallState(std::map<int32_t, bool> &firewallStateMap)
265 {
266 std::vector<AccountSA::OsAccountInfo> osAccountInfos;
267 AccountSA::OsAccountManager::QueryAllCreatedOsAccounts(osAccountInfos);
268 size_t size = osAccountInfos.size();
269 for (const auto &info : osAccountInfos) {
270 int32_t userId = info.GetLocalId();
271 firewallStateMap[userId] = NetFirewallPolicyManager::GetInstance().IsNetFirewallOpen(userId);
272 }
273 return FIREWALL_SUCCESS;
274 }
275
OnStart()276 void NetFirewallService::OnStart()
277 {
278 NETMGR_EXT_LOG_I("OnStart()");
279 uint64_t startServiceTime = GetCurrentMilliseconds();
280 if (state_ == ServiceRunningState::STATE_RUNNING) {
281 NETMGR_EXT_LOG_I("PcfirewallService is already running.");
282 return;
283 }
284
285 if (!REGISTER_LOCAL_RESULT_NETFIREWALL) {
286 NETMGR_EXT_LOG_E("Register to local sa manager failed");
287 return;
288 }
289 if (!isServicePublished_) {
290 if (!Publish(DelayedSingleton<NetFirewallService>::GetInstance().get())) {
291 NETMGR_EXT_LOG_E("Register to sa manager failed");
292 return;
293 }
294 isServicePublished_ = true;
295 }
296
297 state_ = ServiceRunningState::STATE_RUNNING;
298
299 AddSystemAbilityListener(COMM_NETSYS_NATIVE_SYS_ABILITY_ID);
300 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
301 if (OnInit() != FIREWALL_SUCCESS) {
302 NETMGR_EXT_LOG_E("Init data failed");
303 return;
304 }
305 serviceSpendTime_ = GetCurrentMilliseconds() - startServiceTime;
306 }
307
OnInit()308 int32_t NetFirewallService::OnInit()
309 {
310 InitServiceHandler();
311 InitQueryUserId(QUERY_USER_MAX_RETRY_TIMES);
312 SubscribeCommonEvent();
313 NetFirewallInterceptRecorder::GetInstance()->RegisterInterceptCallback();
314 return FIREWALL_SUCCESS;
315 }
316
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)317 void NetFirewallService::OnAddSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
318 {
319 NETMGR_EXT_LOG_I("OnAddSystemAbility systemAbilityId:%{public}d added!", systemAbilityId);
320 if (systemAbilityId == COMM_NETSYS_NATIVE_SYS_ABILITY_ID) {
321 if (hasSaRemoved_) {
322 NETMGR_EXT_LOG_I("native reboot, reset firewall rules.");
323 NetFirewallRuleManager::GetInstance().OpenOrCloseNativeFirewall(
324 NetFirewallPolicyManager::GetInstance().IsFirewallOpen());
325 NetFirewallInterceptRecorder::GetInstance()->RegisterInterceptCallback();
326 hasSaRemoved_ = false;
327 }
328 // After the universal service is launched, you can register for broadcast monitoring
329 } else if (systemAbilityId == COMMON_EVENT_SERVICE_ID && subscriber_ == nullptr) {
330 SubscribeCommonEvent();
331 }
332 }
333
InitUsersOnBoot()334 bool NetFirewallService::InitUsersOnBoot()
335 {
336 std::vector<int32_t> userIds;
337 if (AccountSA::OsAccountManager::QueryActiveOsAccountIds(userIds) != ERR_OK || userIds.empty()) {
338 NETMGR_EXT_LOG_E("PcfirewallService: failed to get current userIds");
339 return false;
340 }
341 SetCurrentUserId(userIds.front());
342 NETMGR_EXT_LOG_I("PcfirewallService::get current userIds success, Current userId: %{public}d",
343 currentUserId_.load());
344 InitQueryNetFirewallRules();
345 return true;
346 }
347
InitQueryUserId(int32_t times)348 void NetFirewallService::InitQueryUserId(int32_t times)
349 {
350 times--;
351 bool ret = InitUsersOnBoot();
352 if (!ret && times > 0) {
353 NETMGR_EXT_LOG_I("InitQueryUserId failed");
354 ffrtServiceHandler_->submit([this, times]() { InitQueryUserId(times); },
355 ffrt::task_attr().delay(QUERY_USER_ID_DELAY_TIME_MS).name("InitQueryUserId"));
356 }
357 }
358
InitQueryNetFirewallRules()359 void NetFirewallService::InitQueryNetFirewallRules()
360 {
361 NetFirewallRuleManager::GetInstance().OpenOrCloseNativeFirewall(
362 NetFirewallPolicyManager::GetInstance().IsFirewallOpen());
363 }
364
InitServiceHandler()365 void NetFirewallService::InitServiceHandler()
366 {
367 if (ffrtServiceHandler_ != nullptr) {
368 NETMGR_EXT_LOG_E("InitServiceHandler already init.");
369 return;
370 }
371 ffrtServiceHandler_ =
372 std::make_shared<ffrt::queue>("NetFirewallService", ffrt::queue_attr().qos(ffrt::qos_utility));
373 NETMGR_EXT_LOG_I("InitServiceHandler succeeded.");
374 }
375
OnStop()376 void NetFirewallService::OnStop()
377 {
378 if (state_ != ServiceRunningState::STATE_RUNNING) {
379 return;
380 }
381 NetFirewallInterceptRecorder::GetInstance()->SyncRecordCache();
382 ffrtServiceHandler_.reset();
383 ffrtServiceHandler_ = nullptr;
384 if (subscriber_ != nullptr) {
385 bool unSubscribeResult = OHOS::EventFwk::CommonEventManager::UnSubscribeCommonEvent(subscriber_);
386 subscriber_ = nullptr;
387 NETMGR_EXT_LOG_I("UnregisterSubscriber end, unSubscribeResult = %{public}d", unSubscribeResult);
388 }
389 NetFirewallInterceptRecorder::GetInstance()->UnRegisterInterceptCallback();
390 state_ = ServiceRunningState::STATE_NOT_START;
391 NETMGR_EXT_LOG_I("OnStop end.");
392 }
393
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)394 void NetFirewallService::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
395 {
396 NETMGR_EXT_LOG_I("OnRemoveSystemAbility systemAbilityId:%{public}d removed!", systemAbilityId);
397 if (systemAbilityId == COMM_NETSYS_NATIVE_SYS_ABILITY_ID) {
398 hasSaRemoved_ = true;
399 } else if (systemAbilityId == COMMON_EVENT_SERVICE_ID && subscriber_ != nullptr) {
400 OHOS::EventFwk::CommonEventManager::UnSubscribeCommonEvent(subscriber_);
401 subscriber_ = nullptr;
402 }
403 }
404
SubscribeCommonEvent()405 void NetFirewallService::SubscribeCommonEvent()
406 {
407 EventFwk::MatchingSkills matchingSkills;
408 matchingSkills.AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED);
409 matchingSkills.AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_USER_SWITCHED);
410 matchingSkills.AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED);
411 EventFwk::CommonEventSubscribeInfo subscribeInfo(matchingSkills);
412 // 1 means CORE_EVENT_PRIORITY
413 subscribeInfo.SetPriority(1);
414 subscriber_ = std::make_shared<ReceiveMessage>(subscribeInfo, shared_from_this());
415 RegisterSubscribeCommonEvent();
416 }
417
RegisterSubscribeCommonEvent()418 void NetFirewallService::RegisterSubscribeCommonEvent()
419 {
420 // If the universal service has not been loaded yet, registering for broadcasting will fail
421 if (subscriber_ == nullptr) {
422 NETMGR_EXT_LOG_E("subscriber is nullptr");
423 return;
424 }
425 if (!EventFwk::CommonEventManager::SubscribeCommonEvent(subscriber_)) {
426 NETMGR_EXT_LOG_E("SubscribeCommonEvent fail");
427 subscriber_ = nullptr;
428 }
429 }
430
OnReceiveEvent(const EventFwk::CommonEventData & eventData)431 void NetFirewallService::ReceiveMessage::OnReceiveEvent(const EventFwk::CommonEventData &eventData)
432 {
433 const auto &action = eventData.GetWant().GetAction();
434 const auto &data = eventData.GetData();
435 const auto &code = eventData.GetCode();
436 NETMGR_EXT_LOG_I("NetVReceiveMessage::OnReceiveEvent(), event:[%{public}s], data:[%{public}s], code:[%{public}d]",
437 action.c_str(), data.c_str(), code);
438 int32_t userId = code;
439 if (action == EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED) {
440 NetFirewallRuleManager::GetInstance().DeleteNetFirewallRuleByUserId(userId);
441 NetFirewallPolicyManager::GetInstance().ClearFirewallPolicy(userId);
442 NetFirewallDbHelper::GetInstance().DeleteInterceptRecord(userId);
443 NetFirewallRuleManager::GetInstance().DeleteUserRuleSize(userId);
444 return;
445 }
446 if (action == EventFwk::CommonEventSupport::COMMON_EVENT_USER_SWITCHED) {
447 // Old user cache cleaning
448 NetFirewallInterceptRecorder::GetInstance()->SyncRecordCache();
449 netfirewallService_->SetCurrentUserId(userId);
450 return;
451 }
452 if (action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED) {
453 if (eventData.GetWant().GetIntParam(AppExecFwk::Constants::UID, 0) < 0) {
454 NETMGR_EXT_LOG_E("error:deletedUid < 0!,return");
455 return;
456 }
457 uint32_t deletedUid = static_cast<uint32_t>(eventData.GetWant().GetIntParam(AppExecFwk::Constants::UID, 0));
458 NETMGR_EXT_LOG_I("NetFirewallService: deletedUid %{public}d", deletedUid);
459 NetFirewallRuleManager::GetInstance().DeleteNetFirewallRuleByAppId(deletedUid);
460 }
461 }
462 } // namespace NetManagerStandard
463 } // namespace OHOS
464