Merge "Firewall-related commands porting" am: 1acfa7de1b

am: 6ba18c6b03 Change-Id: I15cedc624dc20168edc8feecf78affb9fad5482b
2018-10-24 19:49:58 -07:00
parent 0103338bfb 6ba18c6b03
commit b87796365e
2 changed files with 53 additions and 51 deletions
--- a/core/java/android/net/NetworkPolicyManager.java
+++ b/core/java/android/net/NetworkPolicyManager.java
@@ -91,16 +91,16 @@ public class NetworkPolicyManager {
    public static final int MASK_ALL_NETWORKS     = 0b11110000;

    public static final int FIREWALL_RULE_DEFAULT = 0;
-    public static final int FIREWALL_RULE_ALLOW = 1;
-    public static final int FIREWALL_RULE_DENY = 2;
+    public static final int FIREWALL_RULE_ALLOW = INetd.FIREWALL_RULE_ALLOW;
+    public static final int FIREWALL_RULE_DENY = INetd.FIREWALL_RULE_DENY;

-    public static final int FIREWALL_TYPE_WHITELIST = 0;
-    public static final int FIREWALL_TYPE_BLACKLIST = 1;
+    public static final int FIREWALL_TYPE_WHITELIST = INetd.FIREWALL_WHITELIST;
+    public static final int FIREWALL_TYPE_BLACKLIST = INetd.FIREWALL_BLACKLIST;

-    public static final int FIREWALL_CHAIN_NONE = 0;
-    public static final int FIREWALL_CHAIN_DOZABLE = 1;
-    public static final int FIREWALL_CHAIN_STANDBY = 2;
-    public static final int FIREWALL_CHAIN_POWERSAVE = 3;
+    public static final int FIREWALL_CHAIN_NONE = INetd.FIREWALL_CHAIN_NONE;
+    public static final int FIREWALL_CHAIN_DOZABLE = INetd.FIREWALL_CHAIN_DOZABLE;
+    public static final int FIREWALL_CHAIN_STANDBY = INetd.FIREWALL_CHAIN_STANDBY;
+    public static final int FIREWALL_CHAIN_POWERSAVE = INetd.FIREWALL_CHAIN_POWERSAVE;

    public static final String FIREWALL_CHAIN_NAME_NONE = "none";
    public static final String FIREWALL_CHAIN_NAME_DOZABLE = "dozable";
--- a/services/core/java/com/android/server/NetworkManagementService.java
+++ b/services/core/java/com/android/server/NetworkManagementService.java
@@ -1929,10 +1929,11 @@ public class NetworkManagementService extends INetworkManagementService.Stub
    public void setFirewallEnabled(boolean enabled) {
        enforceSystemUid();
        try {
-            mConnector.execute("firewall", "enable", enabled ? "whitelist" : "blacklist");
+            mNetdService.firewallSetFirewallType(
+                    enabled ? INetd.FIREWALL_WHITELIST : INetd.FIREWALL_BLACKLIST);
            mFirewallEnabled = enabled;
-        } catch (NativeDaemonConnectorException e) {
-            throw e.rethrowAsParcelableException();
+        } catch (RemoteException | ServiceSpecificException e) {
+            throw new IllegalStateException(e);
        }
    }

@@ -1946,11 +1947,11 @@ public class NetworkManagementService extends INetworkManagementService.Stub
    public void setFirewallInterfaceRule(String iface, boolean allow) {
        enforceSystemUid();
        Preconditions.checkState(mFirewallEnabled);
-        final String rule = allow ? "allow" : "deny";
        try {
-            mConnector.execute("firewall", "set_interface_rule", iface, rule);
-        } catch (NativeDaemonConnectorException e) {
-            throw e.rethrowAsParcelableException();
+            mNetdService.firewallSetInterfaceRule(iface,
+                    allow ? INetd.FIREWALL_RULE_ALLOW : INetd.FIREWALL_RULE_DENY);
+        } catch (RemoteException | ServiceSpecificException e) {
+            throw new IllegalStateException(e);
        }
    }

@@ -1961,7 +1962,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub
        int[] exemptUids;

        int numUids = 0;
-
+        if (DBG) Slog.d(TAG, "Closing sockets after enabling chain " + chainName);
        if (getFirewallType(chain) == FIREWALL_TYPE_WHITELIST) {
            // Close all sockets on all non-system UIDs...
            ranges = new UidRange[] {
@@ -2031,26 +2032,14 @@ public class NetworkManagementService extends INetworkManagementService.Stub
                setFirewallChainState(chain, enable);
            }

-            final String operation = enable ? "enable_chain" : "disable_chain";
-            final String chainName;
-            switch(chain) {
-                case FIREWALL_CHAIN_STANDBY:
-                    chainName = FIREWALL_CHAIN_NAME_STANDBY;
-                    break;
-                case FIREWALL_CHAIN_DOZABLE:
-                    chainName = FIREWALL_CHAIN_NAME_DOZABLE;
-                    break;
-                case FIREWALL_CHAIN_POWERSAVE:
-                    chainName = FIREWALL_CHAIN_NAME_POWERSAVE;
-                    break;
-                default:
-                    throw new IllegalArgumentException("Bad child chain: " + chain);
+            if (chain == FIREWALL_CHAIN_NONE) {
+                throw new IllegalArgumentException("Bad child chain: " + chain);
            }

            try {
-                mConnector.execute("firewall", operation, chainName);
-            } catch (NativeDaemonConnectorException e) {
-                throw e.rethrowAsParcelableException();
+                mNetdService.firewallEnableChildChain(chain, enable);
+            } catch (RemoteException | ServiceSpecificException e) {
+                throw new IllegalStateException(e);
            }

            // Close any sockets that were opened by the affected UIDs. This has to be done after
@@ -2058,12 +2047,24 @@ public class NetworkManagementService extends INetworkManagementService.Stub
            // the connection and race with the iptables commands that enable the firewall. All
            // whitelist and blacklist chains allow RSTs through.
            if (enable) {
-                if (DBG) Slog.d(TAG, "Closing sockets after enabling chain " + chainName);
-                closeSocketsForFirewallChainLocked(chain, chainName);
+                closeSocketsForFirewallChainLocked(chain, getFirewallChainName(chain));
            }
        }
    }

+    private String getFirewallChainName(int chain) {
+        switch (chain) {
+            case FIREWALL_CHAIN_STANDBY:
+                return FIREWALL_CHAIN_NAME_STANDBY;
+            case FIREWALL_CHAIN_DOZABLE:
+                return FIREWALL_CHAIN_NAME_DOZABLE;
+            case FIREWALL_CHAIN_POWERSAVE:
+                return FIREWALL_CHAIN_NAME_POWERSAVE;
+            default:
+                throw new IllegalArgumentException("Bad child chain: " + chain);
+        }
+    }
+
    private int getFirewallType(int chain) {
        switch (chain) {
            case FIREWALL_CHAIN_STANDBY:
@@ -2136,11 +2137,11 @@ public class NetworkManagementService extends INetworkManagementService.Stub

    private void setFirewallUidRuleLocked(int chain, int uid, int rule) {
        if (updateFirewallUidRuleLocked(chain, uid, rule)) {
+            final int ruleType = getFirewallRuleType(chain, rule);
            try {
-                mConnector.execute("firewall", "set_uid_rule", getFirewallChainName(chain), uid,
-                        getFirewallRuleName(chain, rule));
-            } catch (NativeDaemonConnectorException e) {
-                throw e.rethrowAsParcelableException();
+                mNetdService.firewallSetUidRule(chain, uid, ruleType);
+            } catch (RemoteException | ServiceSpecificException e) {
+                throw new IllegalStateException(e);
            }
        }
    }
@@ -2206,18 +2207,19 @@ public class NetworkManagementService extends INetworkManagementService.Stub
        }
    }

-    public @NonNull String getFirewallChainName(int chain) {
-        switch (chain) {
-            case FIREWALL_CHAIN_STANDBY:
-                return FIREWALL_CHAIN_NAME_STANDBY;
-            case FIREWALL_CHAIN_DOZABLE:
-                return FIREWALL_CHAIN_NAME_DOZABLE;
-            case FIREWALL_CHAIN_POWERSAVE:
-                return FIREWALL_CHAIN_NAME_POWERSAVE;
-            case FIREWALL_CHAIN_NONE:
-                return FIREWALL_CHAIN_NAME_NONE;
-            default:
-                throw new IllegalArgumentException("Unknown chain:" + chain);
+    private int getFirewallRuleType(int chain, int rule) {
+        if (getFirewallType(chain) == FIREWALL_TYPE_WHITELIST) {
+            if (rule == NetworkPolicyManager.FIREWALL_RULE_ALLOW) {
+                return INetd.FIREWALL_RULE_ALLOW;
+            } else {
+                return INetd.FIREWALL_RULE_DENY;
+            }
+        } else { // Blacklist mode
+            if (rule == NetworkPolicyManager.FIREWALL_RULE_DENY) {
+                return INetd.FIREWALL_RULE_DENY;
+            } else {
+                return INetd.FIREWALL_RULE_ALLOW;
+            }
        }
    }