• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef _FIREWALL_CONTROLLER_H
18 #define _FIREWALL_CONTROLLER_H
19 
20 #include <set>
21 #include <string>
22 #include <vector>
23 
24 #include <utils/RWLock.h>
25 
26 #include "NetdConstants.h"
27 
28 enum FirewallRule { DENY, ALLOW };
29 
30 // WHITELIST means the firewall denies all by default, uids must be explicitly ALLOWed
31 // BLACKLIST means the firewall allows all by default, uids must be explicitly DENYed
32 
33 enum FirewallType { WHITELIST, BLACKLIST };
34 
35 enum ChildChain { NONE, DOZABLE, STANDBY, POWERSAVE, INVALID_CHAIN };
36 
37 #define PROTOCOL_TCP 6
38 #define PROTOCOL_UDP 17
39 
40 /*
41  * Simple firewall that drops all packets except those matching explicitly
42  * defined ALLOW rules.
43  *
44  * Methods in this class must be called when holding a write lock on |lock|, and may not call
45  * any other controller without explicitly managing that controller's lock. There are currently
46  * no such methods.
47  */
48 class FirewallController {
49 public:
50     FirewallController();
51 
52     int setupIptablesHooks(void);
53 
54     int enableFirewall(FirewallType);
55     int disableFirewall(void);
56     int isFirewallEnabled(void);
57 
58     /* Match traffic going in/out over the given iface. */
59     int setInterfaceRule(const char*, FirewallRule);
60     /* Match traffic owned by given UID. This is specific to a particular chain. */
61     int setUidRule(ChildChain, int, FirewallRule);
62 
63     int enableChildChains(ChildChain, bool);
64 
65     int replaceUidChain(const char*, bool, const std::vector<int32_t>&);
66 
67     static std::string makeCriticalCommands(IptablesTarget target, const char* chainName);
68 
69     static const char* TABLE;
70 
71     static const char* LOCAL_INPUT;
72     static const char* LOCAL_OUTPUT;
73     static const char* LOCAL_FORWARD;
74 
75     static const char* LOCAL_DOZABLE;
76     static const char* LOCAL_STANDBY;
77     static const char* LOCAL_POWERSAVE;
78 
79     static const char* ICMPV6_TYPES[];
80 
81     android::RWLock lock;
82 
83 protected:
84     friend class FirewallControllerTest;
85     std::string makeUidRules(IptablesTarget target, const char *name, bool isWhitelist,
86                              const std::vector<int32_t>& uids);
87     static int (*execIptablesRestore)(IptablesTarget target, const std::string& commands);
88 
89 private:
90     FirewallType mFirewallType;
91     std::set<std::string> mIfaceRules;
92     int attachChain(const char*, const char*);
93     int detachChain(const char*, const char*);
94     int createChain(const char*, FirewallType);
95     FirewallType getFirewallType(ChildChain);
96 };
97 
98 #endif
99