/* * Copyright (C) 2012 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include #include #include #define LOG_TAG "FirewallController" #define LOG_NDEBUG 0 #include #include #include "NetdConstants.h" #include "FirewallController.h" const char* FirewallController::TABLE = "filter"; const char* FirewallController::LOCAL_INPUT = "fw_INPUT"; const char* FirewallController::LOCAL_OUTPUT = "fw_OUTPUT"; const char* FirewallController::LOCAL_FORWARD = "fw_FORWARD"; const char* FirewallController::LOCAL_DOZABLE = "fw_dozable"; const char* FirewallController::LOCAL_STANDBY = "fw_standby"; // ICMPv6 types that are required for any form of IPv6 connectivity to work. Note that because the // fw_dozable chain is called from both INPUT and OUTPUT, this includes both packets that we need // to be able to send (e.g., RS, NS), and packets that we need to receive (e.g., RA, NA). const char* FirewallController::ICMPV6_TYPES[] = { "packet-too-big", "router-solicitation", "router-advertisement", "neighbour-solicitation", "neighbour-advertisement", "redirect", }; FirewallController::FirewallController(void) { // If no rules are set, it's in BLACKLIST mode mFirewallType = BLACKLIST; } int FirewallController::setupIptablesHooks(void) { int res = 0; // child chains are created but not attached, they will be attached explicitly. FirewallType firewallType = getFirewallType(DOZABLE); res |= createChain(LOCAL_DOZABLE, LOCAL_INPUT, firewallType); firewallType = getFirewallType(STANDBY); res |= createChain(LOCAL_STANDBY, LOCAL_INPUT, firewallType); return res; } int FirewallController::enableFirewall(FirewallType ftype) { int res = 0; if (mFirewallType != ftype) { // flush any existing rules disableFirewall(); if (ftype == WHITELIST) { // create default rule to drop all traffic res |= execIptables(V4V6, "-A", LOCAL_INPUT, "-j", "DROP", NULL); res |= execIptables(V4V6, "-A", LOCAL_OUTPUT, "-j", "REJECT", NULL); res |= execIptables(V4V6, "-A", LOCAL_FORWARD, "-j", "REJECT", NULL); } // Set this after calling disableFirewall(), since it defaults to WHITELIST there mFirewallType = ftype; } return res; } int FirewallController::disableFirewall(void) { int res = 0; mFirewallType = WHITELIST; // flush any existing rules res |= execIptables(V4V6, "-F", LOCAL_INPUT, NULL); res |= execIptables(V4V6, "-F", LOCAL_OUTPUT, NULL); res |= execIptables(V4V6, "-F", LOCAL_FORWARD, NULL); return res; } int FirewallController::enableChildChains(ChildChain chain, bool enable) { int res = 0; const char* name; switch(chain) { case DOZABLE: name = LOCAL_DOZABLE; break; case STANDBY: name = LOCAL_STANDBY; break; default: return res; } if (enable) { res |= attachChain(name, LOCAL_INPUT); res |= attachChain(name, LOCAL_OUTPUT); } else { res |= detachChain(name, LOCAL_INPUT); res |= detachChain(name, LOCAL_OUTPUT); } return res; } int FirewallController::isFirewallEnabled(void) { // TODO: verify that rules are still in place near top return -1; } int FirewallController::setInterfaceRule(const char* iface, FirewallRule rule) { if (mFirewallType == BLACKLIST) { // Unsupported in BLACKLIST mode return -1; } if (!isIfaceName(iface)) { errno = ENOENT; return -1; } const char* op; if (rule == ALLOW) { op = "-I"; } else { op = "-D"; } int res = 0; res |= execIptables(V4V6, op, LOCAL_INPUT, "-i", iface, "-j", "RETURN", NULL); res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-o", iface, "-j", "RETURN", NULL); return res; } int FirewallController::setEgressSourceRule(const char* addr, FirewallRule rule) { if (mFirewallType == BLACKLIST) { // Unsupported in BLACKLIST mode return -1; } IptablesTarget target = V4; if (strchr(addr, ':')) { target = V6; } const char* op; if (rule == ALLOW) { op = "-I"; } else { op = "-D"; } int res = 0; res |= execIptables(target, op, LOCAL_INPUT, "-d", addr, "-j", "RETURN", NULL); res |= execIptables(target, op, LOCAL_OUTPUT, "-s", addr, "-j", "RETURN", NULL); return res; } int FirewallController::setEgressDestRule(const char* addr, int protocol, int port, FirewallRule rule) { if (mFirewallType == BLACKLIST) { // Unsupported in BLACKLIST mode return -1; } IptablesTarget target = V4; if (strchr(addr, ':')) { target = V6; } char protocolStr[16]; sprintf(protocolStr, "%d", protocol); char portStr[16]; sprintf(portStr, "%d", port); const char* op; if (rule == ALLOW) { op = "-I"; } else { op = "-D"; } int res = 0; res |= execIptables(target, op, LOCAL_INPUT, "-s", addr, "-p", protocolStr, "--sport", portStr, "-j", "RETURN", NULL); res |= execIptables(target, op, LOCAL_OUTPUT, "-d", addr, "-p", protocolStr, "--dport", portStr, "-j", "RETURN", NULL); return res; } FirewallType FirewallController::getFirewallType(ChildChain chain) { switch(chain) { case DOZABLE: return WHITELIST; case STANDBY: return BLACKLIST; case NONE: return mFirewallType; default: return BLACKLIST; } } int FirewallController::setUidRule(ChildChain chain, int uid, FirewallRule rule) { char uidStr[16]; sprintf(uidStr, "%d", uid); const char* op; const char* target; FirewallType firewallType = getFirewallType(chain); if (firewallType == WHITELIST) { target = "RETURN"; op = (rule == ALLOW)? "-I" : "-D"; } else { // BLACKLIST mode target = "DROP"; op = (rule == DENY)? "-I" : "-D"; } int res = 0; switch(chain) { case DOZABLE: res |= execIptables(V4V6, op, LOCAL_DOZABLE, "-m", "owner", "--uid-owner", uidStr, "-j", target, NULL); break; case STANDBY: res |= execIptables(V4V6, op, LOCAL_STANDBY, "-m", "owner", "--uid-owner", uidStr, "-j", target, NULL); break; case NONE: res |= execIptables(V4V6, op, LOCAL_INPUT, "-m", "owner", "--uid-owner", uidStr, "-j", target, NULL); res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-m", "owner", "--uid-owner", uidStr, "-j", target, NULL); break; default: ALOGW("Unknown child chain: %d", chain); break; } return res; } int FirewallController::attachChain(const char* childChain, const char* parentChain) { return execIptables(V4V6, "-t", TABLE, "-A", parentChain, "-j", childChain, NULL); } int FirewallController::detachChain(const char* childChain, const char* parentChain) { return execIptables(V4V6, "-t", TABLE, "-D", parentChain, "-j", childChain, NULL); } int FirewallController::createChain(const char* childChain, const char* parentChain, FirewallType type) { // Order is important, otherwise later steps may fail. execIptablesSilently(V4V6, "-t", TABLE, "-D", parentChain, "-j", childChain, NULL); execIptablesSilently(V4V6, "-t", TABLE, "-F", childChain, NULL); execIptablesSilently(V4V6, "-t", TABLE, "-X", childChain, NULL); int res = 0; res |= execIptables(V4V6, "-t", TABLE, "-N", childChain, NULL); if (type == WHITELIST) { // Allow ICMPv6 packets necessary to make IPv6 connectivity work. http://b/23158230 . for (size_t i = 0; i < ARRAY_SIZE(ICMPV6_TYPES); i++) { res |= execIptables(V6, "-A", childChain, "-p", "icmpv6", "--icmpv6-type", ICMPV6_TYPES[i], "-j", "RETURN", NULL); } // create default white list for system uid range char uidStr[16]; sprintf(uidStr, "0-%d", AID_APP - 1); res |= execIptables(V4V6, "-A", childChain, "-m", "owner", "--uid-owner", uidStr, "-j", "RETURN", NULL); // create default rule to drop all traffic res |= execIptables(V4V6, "-A", childChain, "-j", "DROP", NULL); } return res; }