      1 /*
      2  * Copyright (C) 2012 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #ifndef _FIREWALL_CONTROLLER_H
     18 #define _FIREWALL_CONTROLLER_H
     19 
     20 #include <set>
     21 #include <string>
     22 #include <vector>
     23 
     24 #include <utils/RWLock.h>
     25 
     26 #include "NetdConstants.h"
     27 
// Verdict attached to a rule: DENY blocks the matched traffic, ALLOW lets it
// through. The concrete iptables action behind each verdict lives in the .cpp.
enum FirewallRule {
    DENY = 0,
    ALLOW = 1,
};
     29 
// Default policy of a firewall chain.
//   WHITELIST: everything is denied unless a UID is explicitly ALLOWed.
//   BLACKLIST: everything is allowed unless a UID is explicitly DENYed.
// Getting this wrong inverts the policy, so callers should pick it deliberately.
enum FirewallType {
    WHITELIST = 0,  // default deny
    BLACKLIST = 1,  // default allow
};
     34 
// Child chains that per-UID rules can be attached to (see setUidRule /
// enableChildChains). Only DOZABLE, STANDBY and POWERSAVE name real chains
// (presumably backed by LOCAL_DOZABLE / LOCAL_STANDBY / LOCAL_POWERSAVE — confirm
// in the .cpp); NONE is the "no chain" value and INVALID_CHAIN is the
// out-of-range sentinel, which callers should reject rather than pass through.
enum ChildChain {
    NONE = 0,
    DOZABLE = 1,
    STANDBY = 2,
    POWERSAVE = 3,
    INVALID_CHAIN = 4,
};
     36 
// IANA IP protocol numbers, the same values as IPPROTO_TCP / IPPROTO_UDP.
#define PROTOCOL_TCP 6
#define PROTOCOL_UDP 17
     39 
/*
 * Controller for the netd-managed firewall chains.
 *
 * The default policy is not fixed: it is the FirewallType given to enableFirewall().
 * WHITELIST denies everything that is not explicitly ALLOWed, BLACKLIST allows everything
 * that is not explicitly DENYed (see the FirewallType enum above). Rules are keyed by
 * interface (setInterfaceRule) or by UID inside one of the child chains (setUidRule /
 * replaceUidChain).
 *
 * Methods in this class must be called when holding a write lock on |lock|, and may not call
 * any other controller without explicitly managing that controller's lock. There are currently
 * no such methods.
 *
 * NOTE(review): chain and interface names passed to this class are presumably spliced into
 * iptables-restore command text (see makeCriticalCommands / execIptablesRestore). Nothing in
 * this header constrains them, so callers should pass only validated names (no whitespace or
 * newlines) unless the .cpp checks them — confirm there.
 */
class FirewallController {
public:
    FirewallController();

    /* Presumably installs the iptables hooks/chains the controller relies on; returns an
     * int status (see the .cpp for the convention). */
    int setupIptablesHooks(void);

    /* Turns the firewall on with the given default policy (see FirewallType). */
    int enableFirewall(FirewallType);
    int disableFirewall(void);
    int isFirewallEnabled(void);

    /* Match traffic going in/out over the given iface. */
    int setInterfaceRule(const char*, FirewallRule);
    /* Match traffic owned by given UID. This is specific to a particular chain. */
    // NOTE(review): the UID is a plain int here but int32_t in replaceUidChain(); how NONE /
    // INVALID_CHAIN and negative UIDs are handled is decided in the .cpp — confirm they are
    // rejected rather than silently turned into a rule.
    int setUidRule(ChildChain, int, FirewallRule);

    /* Enables (true) or disables (false) the given child chain. */
    int enableChildChains(ChildChain, bool);

    /* Replaces the UID rules of the named chain with the given UID list. The bool presumably
     * selects whitelist semantics, mirroring the isWhitelist parameter of makeUidRules() —
     * confirm against the .cpp. */
    int replaceUidChain(const char*, bool, const std::vector<int32_t>&);

    /* Builds the iptables-restore text for the "critical" rules of |chainName| for the given
     * target; which rules count as critical is defined in the .cpp. */
    static std::string makeCriticalCommands(IptablesTarget target, const char* chainName);

    /* Name of the iptables table the firewall chains live in. */
    static const char* TABLE;

    /* Top-level chain names (presumably hooked into INPUT / OUTPUT / FORWARD). */
    static const char* LOCAL_INPUT;
    static const char* LOCAL_OUTPUT;
    static const char* LOCAL_FORWARD;

    /* Child chain names, presumably one per real ChildChain value. */
    static const char* LOCAL_DOZABLE;
    static const char* LOCAL_STANDBY;
    static const char* LOCAL_POWERSAVE;

    /* ICMPv6 type list used by the command builders; contents are defined in the .cpp. */
    static const char* ICMPV6_TYPES[];

    /* Must be write-locked by the caller around every method call (see the class comment). */
    android::RWLock lock;

protected:
    friend class FirewallControllerTest;
    /* Renders the per-UID rules for chain |name| as iptables-restore text. */
    std::string makeUidRules(IptablesTarget target, const char *name, bool isWhitelist,
                             const std::vector<int32_t>& uids);
    /* Function pointer through which generated command text is handed to iptables-restore.
     * It is protected (and the test is a friend) so unit tests can substitute it; in
     * production it must point at the real implementation. */
    static int (*execIptablesRestore)(IptablesTarget target, const std::string& commands);

private:
    FirewallType mFirewallType;         // default policy, presumably set by enableFirewall()
    bool mUseBpfOwnerMatch;             // NOTE(review): presumably selects BPF-based UID matching
                                        // over the iptables owner match — confirm in the .cpp
    std::set<std::string> mIfaceRules;  // presumably the ifaces that currently carry a rule
    int attachChain(const char*, const char*);
    int detachChain(const char*, const char*);
    int createChain(const char*, FirewallType);
    FirewallType getFirewallType(ChildChain);
};
     98 
     99 #endif
    100