1 /* 2 * Copyright (C) 2012 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <errno.h> 18 #include <stdio.h> 19 #include <stdlib.h> 20 #include <string.h> 21 22 #define LOG_TAG "FirewallController" 23 #define LOG_NDEBUG 0 24 25 #include <android-base/stringprintf.h> 26 #include <cutils/log.h> 27 28 #include "NetdConstants.h" 29 #include "FirewallController.h" 30 31 using android::base::StringAppendF; 32 33 auto FirewallController::execIptables = ::execIptables; 34 auto FirewallController::execIptablesSilently = ::execIptablesSilently; 35 auto FirewallController::execIptablesRestore = ::execIptablesRestore; 36 37 const char* FirewallController::TABLE = "filter"; 38 39 const char* FirewallController::LOCAL_INPUT = "fw_INPUT"; 40 const char* FirewallController::LOCAL_OUTPUT = "fw_OUTPUT"; 41 const char* FirewallController::LOCAL_FORWARD = "fw_FORWARD"; 42 43 const char* FirewallController::LOCAL_DOZABLE = "fw_dozable"; 44 const char* FirewallController::LOCAL_STANDBY = "fw_standby"; 45 const char* FirewallController::LOCAL_POWERSAVE = "fw_powersave"; 46 47 // ICMPv6 types that are required for any form of IPv6 connectivity to work. Note that because the 48 // fw_dozable chain is called from both INPUT and OUTPUT, this includes both packets that we need 49 // to be able to send (e.g., RS, NS), and packets that we need to receive (e.g., RA, NA). 50 const char* FirewallController::ICMPV6_TYPES[] = { 51 "packet-too-big", 52 "router-solicitation", 53 "router-advertisement", 54 "neighbour-solicitation", 55 "neighbour-advertisement", 56 "redirect", 57 }; 58 59 FirewallController::FirewallController(void) { 60 // If no rules are set, it's in BLACKLIST mode 61 mFirewallType = BLACKLIST; 62 } 63 64 int FirewallController::setupIptablesHooks(void) { 65 int res = 0; 66 // child chains are created but not attached, they will be attached explicitly. 67 FirewallType firewallType = getFirewallType(DOZABLE); 68 res |= createChain(LOCAL_DOZABLE, LOCAL_INPUT, firewallType); 69 70 firewallType = getFirewallType(STANDBY); 71 res |= createChain(LOCAL_STANDBY, LOCAL_INPUT, firewallType); 72 73 firewallType = getFirewallType(POWERSAVE); 74 res |= createChain(LOCAL_POWERSAVE, LOCAL_INPUT, firewallType); 75 76 return res; 77 } 78 79 int FirewallController::enableFirewall(FirewallType ftype) { 80 int res = 0; 81 if (mFirewallType != ftype) { 82 // flush any existing rules 83 disableFirewall(); 84 85 if (ftype == WHITELIST) { 86 // create default rule to drop all traffic 87 res |= execIptables(V4V6, "-A", LOCAL_INPUT, "-j", "DROP", NULL); 88 res |= execIptables(V4V6, "-A", LOCAL_OUTPUT, "-j", "REJECT", NULL); 89 res |= execIptables(V4V6, "-A", LOCAL_FORWARD, "-j", "REJECT", NULL); 90 } 91 92 // Set this after calling disableFirewall(), since it defaults to WHITELIST there 93 mFirewallType = ftype; 94 } 95 return res; 96 } 97 98 int FirewallController::disableFirewall(void) { 99 int res = 0; 100 101 mFirewallType = WHITELIST; 102 103 // flush any existing rules 104 res |= execIptables(V4V6, "-F", LOCAL_INPUT, NULL); 105 res |= execIptables(V4V6, "-F", LOCAL_OUTPUT, NULL); 106 res |= execIptables(V4V6, "-F", LOCAL_FORWARD, NULL); 107 108 return res; 109 } 110 111 int FirewallController::enableChildChains(ChildChain chain, bool enable) { 112 int res = 0; 113 const char* name; 114 switch(chain) { 115 case DOZABLE: 116 name = LOCAL_DOZABLE; 117 break; 118 case STANDBY: 119 name = LOCAL_STANDBY; 120 break; 121 case POWERSAVE: 122 name = LOCAL_POWERSAVE; 123 break; 124 default: 125 return res; 126 } 127 128 if (enable) { 129 res |= attachChain(name, LOCAL_INPUT); 130 res |= attachChain(name, LOCAL_OUTPUT); 131 } else { 132 res |= detachChain(name, LOCAL_INPUT); 133 res |= detachChain(name, LOCAL_OUTPUT); 134 } 135 return res; 136 } 137 138 int FirewallController::isFirewallEnabled(void) { 139 // TODO: verify that rules are still in place near top 140 return -1; 141 } 142 143 int FirewallController::setInterfaceRule(const char* iface, FirewallRule rule) { 144 if (mFirewallType == BLACKLIST) { 145 // Unsupported in BLACKLIST mode 146 return -1; 147 } 148 149 if (!isIfaceName(iface)) { 150 errno = ENOENT; 151 return -1; 152 } 153 154 const char* op; 155 if (rule == ALLOW) { 156 op = "-I"; 157 } else { 158 op = "-D"; 159 } 160 161 int res = 0; 162 res |= execIptables(V4V6, op, LOCAL_INPUT, "-i", iface, "-j", "RETURN", NULL); 163 res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-o", iface, "-j", "RETURN", NULL); 164 return res; 165 } 166 167 int FirewallController::setEgressSourceRule(const char* addr, FirewallRule rule) { 168 if (mFirewallType == BLACKLIST) { 169 // Unsupported in BLACKLIST mode 170 return -1; 171 } 172 173 IptablesTarget target = V4; 174 if (strchr(addr, ':')) { 175 target = V6; 176 } 177 178 const char* op; 179 if (rule == ALLOW) { 180 op = "-I"; 181 } else { 182 op = "-D"; 183 } 184 185 int res = 0; 186 res |= execIptables(target, op, LOCAL_INPUT, "-d", addr, "-j", "RETURN", NULL); 187 res |= execIptables(target, op, LOCAL_OUTPUT, "-s", addr, "-j", "RETURN", NULL); 188 return res; 189 } 190 191 int FirewallController::setEgressDestRule(const char* addr, int protocol, int port, 192 FirewallRule rule) { 193 if (mFirewallType == BLACKLIST) { 194 // Unsupported in BLACKLIST mode 195 return -1; 196 } 197 198 IptablesTarget target = V4; 199 if (strchr(addr, ':')) { 200 target = V6; 201 } 202 203 char protocolStr[16]; 204 sprintf(protocolStr, "%d", protocol); 205 206 char portStr[16]; 207 sprintf(portStr, "%d", port); 208 209 const char* op; 210 if (rule == ALLOW) { 211 op = "-I"; 212 } else { 213 op = "-D"; 214 } 215 216 int res = 0; 217 res |= execIptables(target, op, LOCAL_INPUT, "-s", addr, "-p", protocolStr, 218 "--sport", portStr, "-j", "RETURN", NULL); 219 res |= execIptables(target, op, LOCAL_OUTPUT, "-d", addr, "-p", protocolStr, 220 "--dport", portStr, "-j", "RETURN", NULL); 221 return res; 222 } 223 224 FirewallType FirewallController::getFirewallType(ChildChain chain) { 225 switch(chain) { 226 case DOZABLE: 227 return WHITELIST; 228 case STANDBY: 229 return BLACKLIST; 230 case POWERSAVE: 231 return WHITELIST; 232 case NONE: 233 return mFirewallType; 234 default: 235 return BLACKLIST; 236 } 237 } 238 239 int FirewallController::setUidRule(ChildChain chain, int uid, FirewallRule rule) { 240 char uidStr[16]; 241 sprintf(uidStr, "%d", uid); 242 243 const char* op; 244 const char* target; 245 FirewallType firewallType = getFirewallType(chain); 246 if (firewallType == WHITELIST) { 247 target = "RETURN"; 248 // When adding, insert RETURN rules at the front, before the catch-all DROP at the end. 249 op = (rule == ALLOW)? "-I" : "-D"; 250 } else { // BLACKLIST mode 251 target = "DROP"; 252 // When adding, append DROP rules at the end, after the RETURN rule that matches TCP RSTs. 253 op = (rule == DENY)? "-A" : "-D"; 254 } 255 256 int res = 0; 257 switch(chain) { 258 case DOZABLE: 259 res |= execIptables(V4V6, op, LOCAL_DOZABLE, "-m", "owner", "--uid-owner", 260 uidStr, "-j", target, NULL); 261 break; 262 case STANDBY: 263 res |= execIptables(V4V6, op, LOCAL_STANDBY, "-m", "owner", "--uid-owner", 264 uidStr, "-j", target, NULL); 265 break; 266 case POWERSAVE: 267 res |= execIptables(V4V6, op, LOCAL_POWERSAVE, "-m", "owner", "--uid-owner", 268 uidStr, "-j", target, NULL); 269 break; 270 case NONE: 271 res |= execIptables(V4V6, op, LOCAL_INPUT, "-m", "owner", "--uid-owner", uidStr, 272 "-j", target, NULL); 273 res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-m", "owner", "--uid-owner", uidStr, 274 "-j", target, NULL); 275 break; 276 default: 277 ALOGW("Unknown child chain: %d", chain); 278 break; 279 } 280 return res; 281 } 282 283 int FirewallController::attachChain(const char* childChain, const char* parentChain) { 284 return execIptables(V4V6, "-t", TABLE, "-A", parentChain, "-j", childChain, NULL); 285 } 286 287 int FirewallController::detachChain(const char* childChain, const char* parentChain) { 288 return execIptables(V4V6, "-t", TABLE, "-D", parentChain, "-j", childChain, NULL); 289 } 290 291 int FirewallController::createChain(const char* childChain, 292 const char* parentChain, FirewallType type) { 293 execIptablesSilently(V4V6, "-t", TABLE, "-D", parentChain, "-j", childChain, NULL); 294 std::vector<int32_t> uids; 295 return replaceUidChain(childChain, type == WHITELIST, uids); 296 } 297 298 std::string FirewallController::makeUidRules(IptablesTarget target, const char *name, 299 bool isWhitelist, const std::vector<int32_t>& uids) { 300 std::string commands; 301 StringAppendF(&commands, "*filter\n:%s -\n", name); 302 303 // Always allow networking on loopback. 304 StringAppendF(&commands, "-A %s -i lo -o lo -j RETURN\n", name); 305 306 // Allow TCP RSTs so we can cleanly close TCP connections of apps that no longer have network 307 // access. Both incoming and outgoing RSTs are allowed. 308 StringAppendF(&commands, "-A %s -p tcp --tcp-flags RST RST -j RETURN\n", name); 309 310 if (isWhitelist) { 311 // Allow ICMPv6 packets necessary to make IPv6 connectivity work. http://b/23158230 . 312 if (target == V6) { 313 for (size_t i = 0; i < ARRAY_SIZE(ICMPV6_TYPES); i++) { 314 StringAppendF(&commands, "-A %s -p icmpv6 --icmpv6-type %s -j RETURN\n", 315 name, ICMPV6_TYPES[i]); 316 } 317 } 318 319 // Always whitelist system UIDs. 320 StringAppendF(&commands, 321 "-A %s -m owner --uid-owner %d-%d -j RETURN\n", name, 0, MAX_SYSTEM_UID); 322 } 323 324 // Whitelist or blacklist the specified UIDs. 325 const char *action = isWhitelist ? "RETURN" : "DROP"; 326 for (auto uid : uids) { 327 StringAppendF(&commands, "-A %s -m owner --uid-owner %d -j %s\n", name, uid, action); 328 } 329 330 // If it's a whitelist chain, add a default DROP at the end. This is not necessary for a 331 // blacklist chain, because all user-defined chains implicitly RETURN at the end. 332 if (isWhitelist) { 333 StringAppendF(&commands, "-A %s -j DROP\n", name); 334 } 335 336 StringAppendF(&commands, "COMMIT\n\x04"); // EOT. 337 338 return commands; 339 } 340 341 int FirewallController::replaceUidChain( 342 const char *name, bool isWhitelist, const std::vector<int32_t>& uids) { 343 std::string commands4 = makeUidRules(V4, name, isWhitelist, uids); 344 std::string commands6 = makeUidRules(V6, name, isWhitelist, uids); 345 return execIptablesRestore(V4, commands4.c_str()) | execIptablesRestore(V6, commands6.c_str()); 346 } 347
