| /* |
| * Copyright (C) 2013 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package com.android.server.firewall; |
| |
| import android.app.AppGlobals; |
| import android.content.ComponentName; |
| import android.content.Intent; |
| import android.content.IntentFilter; |
| import android.content.pm.ApplicationInfo; |
| import android.content.pm.IPackageManager; |
| import android.content.pm.PackageManager; |
| import android.os.Environment; |
| import android.os.FileObserver; |
| import android.os.Handler; |
| import android.os.Looper; |
| import android.os.Message; |
| import android.os.RemoteException; |
| import android.util.ArrayMap; |
| import android.util.Slog; |
| import android.util.Xml; |
| import com.android.internal.util.ArrayUtils; |
| import com.android.internal.util.XmlUtils; |
| import com.android.server.EventLogTags; |
| import com.android.server.IntentResolver; |
| import org.xmlpull.v1.XmlPullParser; |
| import org.xmlpull.v1.XmlPullParserException; |
| |
| import java.io.File; |
| import java.io.FileInputStream; |
| import java.io.FileNotFoundException; |
| import java.io.IOException; |
| import java.util.ArrayList; |
| import java.util.Arrays; |
| import java.util.HashMap; |
| import java.util.List; |
| |
| public class IntentFirewall { |
| static final String TAG = "IntentFirewall"; |
| |
| // e.g. /data/system/ifw or /data/secure/system/ifw |
| private static final File RULES_DIR = new File(Environment.getSystemSecureDirectory(), "ifw"); |
| |
| private static final int LOG_PACKAGES_MAX_LENGTH = 150; |
| private static final int LOG_PACKAGES_SUFFICIENT_LENGTH = 125; |
| |
| private static final String TAG_RULES = "rules"; |
| private static final String TAG_ACTIVITY = "activity"; |
| private static final String TAG_SERVICE = "service"; |
| private static final String TAG_BROADCAST = "broadcast"; |
| |
| private static final int TYPE_ACTIVITY = 0; |
| private static final int TYPE_BROADCAST = 1; |
| private static final int TYPE_SERVICE = 2; |
| |
| private static final HashMap<String, FilterFactory> factoryMap; |
| |
| private final AMSInterface mAms; |
| |
| private final RuleObserver mObserver; |
| |
| private FirewallIntentResolver mActivityResolver = new FirewallIntentResolver(); |
| private FirewallIntentResolver mBroadcastResolver = new FirewallIntentResolver(); |
| private FirewallIntentResolver mServiceResolver = new FirewallIntentResolver(); |
| |
| static { |
| FilterFactory[] factories = new FilterFactory[] { |
| AndFilter.FACTORY, |
| OrFilter.FACTORY, |
| NotFilter.FACTORY, |
| |
| StringFilter.ACTION, |
| StringFilter.COMPONENT, |
| StringFilter.COMPONENT_NAME, |
| StringFilter.COMPONENT_PACKAGE, |
| StringFilter.DATA, |
| StringFilter.HOST, |
| StringFilter.MIME_TYPE, |
| StringFilter.SCHEME, |
| StringFilter.PATH, |
| StringFilter.SSP, |
| |
| CategoryFilter.FACTORY, |
| SenderFilter.FACTORY, |
| SenderPackageFilter.FACTORY, |
| SenderPermissionFilter.FACTORY, |
| PortFilter.FACTORY |
| }; |
| |
| // load factor ~= .75 |
| factoryMap = new HashMap<String, FilterFactory>(factories.length * 4 / 3); |
| for (int i=0; i<factories.length; i++) { |
| FilterFactory factory = factories[i]; |
| factoryMap.put(factory.getTagName(), factory); |
| } |
| } |
| |
| public IntentFirewall(AMSInterface ams, Handler handler) { |
| mAms = ams; |
| mHandler = new FirewallHandler(handler.getLooper()); |
| File rulesDir = getRulesDir(); |
| rulesDir.mkdirs(); |
| |
| readRulesDir(rulesDir); |
| |
| mObserver = new RuleObserver(rulesDir); |
| mObserver.startWatching(); |
| } |
| |
| /** |
| * This is called from ActivityManager to check if a start activity intent should be allowed. |
| * It is assumed the caller is already holding the global ActivityManagerService lock. |
| */ |
| public boolean checkStartActivity(Intent intent, int callerUid, int callerPid, |
| String resolvedType, ApplicationInfo resolvedApp) { |
| return checkIntent(mActivityResolver, intent.getComponent(), TYPE_ACTIVITY, intent, |
| callerUid, callerPid, resolvedType, resolvedApp.uid); |
| } |
| |
| public boolean checkService(ComponentName resolvedService, Intent intent, int callerUid, |
| int callerPid, String resolvedType, ApplicationInfo resolvedApp) { |
| return checkIntent(mServiceResolver, resolvedService, TYPE_SERVICE, intent, callerUid, |
| callerPid, resolvedType, resolvedApp.uid); |
| } |
| |
| public boolean checkBroadcast(Intent intent, int callerUid, int callerPid, |
| String resolvedType, int receivingUid) { |
| return checkIntent(mBroadcastResolver, intent.getComponent(), TYPE_BROADCAST, intent, |
| callerUid, callerPid, resolvedType, receivingUid); |
| } |
| |
| public boolean checkIntent(FirewallIntentResolver resolver, ComponentName resolvedComponent, |
| int intentType, Intent intent, int callerUid, int callerPid, String resolvedType, |
| int receivingUid) { |
| boolean log = false; |
| boolean block = false; |
| |
| // For the first pass, find all the rules that have at least one intent-filter or |
| // component-filter that matches this intent |
| List<Rule> candidateRules; |
| candidateRules = resolver.queryIntent(intent, resolvedType, false, 0); |
| if (candidateRules == null) { |
| candidateRules = new ArrayList<Rule>(); |
| } |
| resolver.queryByComponent(resolvedComponent, candidateRules); |
| |
| // For the second pass, try to match the potentially more specific conditions in each |
| // rule against the intent |
| for (int i=0; i<candidateRules.size(); i++) { |
| Rule rule = candidateRules.get(i); |
| if (rule.matches(this, resolvedComponent, intent, callerUid, callerPid, resolvedType, |
| receivingUid)) { |
| block |= rule.getBlock(); |
| log |= rule.getLog(); |
| |
| // if we've already determined that we should both block and log, there's no need |
| // to continue trying rules |
| if (block && log) { |
| break; |
| } |
| } |
| } |
| |
| if (log) { |
| logIntent(intentType, intent, callerUid, resolvedType); |
| } |
| |
| return !block; |
| } |
| |
| private static void logIntent(int intentType, Intent intent, int callerUid, |
| String resolvedType) { |
| // The component shouldn't be null, but let's double check just to be safe |
| ComponentName cn = intent.getComponent(); |
| String shortComponent = null; |
| if (cn != null) { |
| shortComponent = cn.flattenToShortString(); |
| } |
| |
| String callerPackages = null; |
| int callerPackageCount = 0; |
| IPackageManager pm = AppGlobals.getPackageManager(); |
| if (pm != null) { |
| try { |
| String[] callerPackagesArray = pm.getPackagesForUid(callerUid); |
| if (callerPackagesArray != null) { |
| callerPackageCount = callerPackagesArray.length; |
| callerPackages = joinPackages(callerPackagesArray); |
| } |
| } catch (RemoteException ex) { |
| Slog.e(TAG, "Remote exception while retrieving packages", ex); |
| } |
| } |
| |
| EventLogTags.writeIfwIntentMatched(intentType, shortComponent, callerUid, |
| callerPackageCount, callerPackages, intent.getAction(), resolvedType, |
| intent.getDataString(), intent.getFlags()); |
| } |
| |
| /** |
| * Joins a list of package names such that the resulting string is no more than |
| * LOG_PACKAGES_MAX_LENGTH. |
| * |
| * Only full package names will be added to the result, unless every package is longer than the |
| * limit, in which case one of the packages will be truncated and added. In this case, an |
| * additional '-' character will be added to the end of the string, to denote the truncation. |
| * |
| * If it encounters a package that won't fit in the remaining space, it will continue on to the |
| * next package, unless the total length of the built string so far is greater than |
| * LOG_PACKAGES_SUFFICIENT_LENGTH, in which case it will stop and return what it has. |
| */ |
| private static String joinPackages(String[] packages) { |
| boolean first = true; |
| StringBuilder sb = new StringBuilder(); |
| for (int i=0; i<packages.length; i++) { |
| String pkg = packages[i]; |
| |
| // + 1 length for the comma. This logic technically isn't correct for the first entry, |
| // but it's not critical. |
| if (sb.length() + pkg.length() + 1 < LOG_PACKAGES_MAX_LENGTH) { |
| if (!first) { |
| sb.append(','); |
| } else { |
| first = false; |
| } |
| sb.append(pkg); |
| } else if (sb.length() >= LOG_PACKAGES_SUFFICIENT_LENGTH) { |
| return sb.toString(); |
| } |
| } |
| if (sb.length() == 0 && packages.length > 0) { |
| String pkg = packages[0]; |
| // truncating from the end - the last part of the package name is more likely to be |
| // interesting/unique |
| return pkg.substring(pkg.length() - LOG_PACKAGES_MAX_LENGTH + 1) + '-'; |
| } |
| return null; |
| } |
| |
| public static File getRulesDir() { |
| return RULES_DIR; |
| } |
| |
| /** |
| * Reads rules from all xml files (*.xml) in the given directory, and replaces our set of rules |
| * with the newly read rules. |
| * |
| * We only check for files ending in ".xml", to allow for temporary files that are atomically |
| * renamed to .xml |
| * |
| * All calls to this method from the file observer come through a handler and are inherently |
| * serialized |
| */ |
| private void readRulesDir(File rulesDir) { |
| FirewallIntentResolver[] resolvers = new FirewallIntentResolver[3]; |
| for (int i=0; i<resolvers.length; i++) { |
| resolvers[i] = new FirewallIntentResolver(); |
| } |
| |
| File[] files = rulesDir.listFiles(); |
| if (files != null) { |
| for (int i=0; i<files.length; i++) { |
| File file = files[i]; |
| |
| if (file.getName().endsWith(".xml")) { |
| readRules(file, resolvers); |
| } |
| } |
| } |
| |
| Slog.i(TAG, "Read new rules (A:" + resolvers[TYPE_ACTIVITY].filterSet().size() + |
| " B:" + resolvers[TYPE_BROADCAST].filterSet().size() + |
| " S:" + resolvers[TYPE_SERVICE].filterSet().size() + ")"); |
| |
| synchronized (mAms.getAMSLock()) { |
| mActivityResolver = resolvers[TYPE_ACTIVITY]; |
| mBroadcastResolver = resolvers[TYPE_BROADCAST]; |
| mServiceResolver = resolvers[TYPE_SERVICE]; |
| } |
| } |
| |
| /** |
| * Reads rules from the given file and add them to the given resolvers |
| */ |
| private void readRules(File rulesFile, FirewallIntentResolver[] resolvers) { |
| // some temporary lists to hold the rules while we parse the xml file, so that we can |
| // add the rules all at once, after we know there weren't any major structural problems |
| // with the xml file |
| List<List<Rule>> rulesByType = new ArrayList<List<Rule>>(3); |
| for (int i=0; i<3; i++) { |
| rulesByType.add(new ArrayList<Rule>()); |
| } |
| |
| FileInputStream fis; |
| try { |
| fis = new FileInputStream(rulesFile); |
| } catch (FileNotFoundException ex) { |
| // Nope, no rules. Nothing else to do! |
| return; |
| } |
| |
| try { |
| XmlPullParser parser = Xml.newPullParser(); |
| |
| parser.setInput(fis, null); |
| |
| XmlUtils.beginDocument(parser, TAG_RULES); |
| |
| int outerDepth = parser.getDepth(); |
| while (XmlUtils.nextElementWithin(parser, outerDepth)) { |
| int ruleType = -1; |
| |
| String tagName = parser.getName(); |
| if (tagName.equals(TAG_ACTIVITY)) { |
| ruleType = TYPE_ACTIVITY; |
| } else if (tagName.equals(TAG_BROADCAST)) { |
| ruleType = TYPE_BROADCAST; |
| } else if (tagName.equals(TAG_SERVICE)) { |
| ruleType = TYPE_SERVICE; |
| } |
| |
| if (ruleType != -1) { |
| Rule rule = new Rule(); |
| |
| List<Rule> rules = rulesByType.get(ruleType); |
| |
| // if we get an error while parsing a particular rule, we'll just ignore |
| // that rule and continue on with the next rule |
| try { |
| rule.readFromXml(parser); |
| } catch (XmlPullParserException ex) { |
| Slog.e(TAG, "Error reading an intent firewall rule from " + rulesFile, ex); |
| continue; |
| } |
| |
| rules.add(rule); |
| } |
| } |
| } catch (XmlPullParserException ex) { |
| // if there was an error outside of a specific rule, then there are probably |
| // structural problems with the xml file, and we should completely ignore it |
| Slog.e(TAG, "Error reading intent firewall rules from " + rulesFile, ex); |
| return; |
| } catch (IOException ex) { |
| Slog.e(TAG, "Error reading intent firewall rules from " + rulesFile, ex); |
| return; |
| } finally { |
| try { |
| fis.close(); |
| } catch (IOException ex) { |
| Slog.e(TAG, "Error while closing " + rulesFile, ex); |
| } |
| } |
| |
| for (int ruleType=0; ruleType<rulesByType.size(); ruleType++) { |
| List<Rule> rules = rulesByType.get(ruleType); |
| FirewallIntentResolver resolver = resolvers[ruleType]; |
| |
| for (int ruleIndex=0; ruleIndex<rules.size(); ruleIndex++) { |
| Rule rule = rules.get(ruleIndex); |
| for (int i=0; i<rule.getIntentFilterCount(); i++) { |
| resolver.addFilter(rule.getIntentFilter(i)); |
| } |
| for (int i=0; i<rule.getComponentFilterCount(); i++) { |
| resolver.addComponentFilter(rule.getComponentFilter(i), rule); |
| } |
| } |
| } |
| } |
| |
| static Filter parseFilter(XmlPullParser parser) throws IOException, XmlPullParserException { |
| String elementName = parser.getName(); |
| |
| FilterFactory factory = factoryMap.get(elementName); |
| |
| if (factory == null) { |
| throw new XmlPullParserException("Unknown element in filter list: " + elementName); |
| } |
| return factory.newFilter(parser); |
| } |
| |
| /** |
| * Represents a single activity/service/broadcast rule within one of the xml files. |
| * |
| * Rules are matched against an incoming intent in two phases. The goal of the first phase |
| * is to select a subset of rules that might match a given intent. |
| * |
| * For the first phase, we use a combination of intent filters (via an IntentResolver) |
| * and component filters to select which rules to check. If a rule has multiple intent or |
| * component filters, only a single filter must match for the rule to be passed on to the |
| * second phase. |
| * |
| * In the second phase, we check the specific conditions in each rule against the values in the |
| * intent. All top level conditions (but not filters) in the rule must match for the rule as a |
| * whole to match. |
| * |
| * If the rule matches, then we block or log the intent, as specified by the rule. If multiple |
| * rules match, we combine the block/log flags from any matching rule. |
| */ |
| private static class Rule extends AndFilter { |
| private static final String TAG_INTENT_FILTER = "intent-filter"; |
| private static final String TAG_COMPONENT_FILTER = "component-filter"; |
| private static final String ATTR_NAME = "name"; |
| |
| private static final String ATTR_BLOCK = "block"; |
| private static final String ATTR_LOG = "log"; |
| |
| private final ArrayList<FirewallIntentFilter> mIntentFilters = |
| new ArrayList<FirewallIntentFilter>(1); |
| private final ArrayList<ComponentName> mComponentFilters = new ArrayList<ComponentName>(0); |
| private boolean block; |
| private boolean log; |
| |
| @Override |
| public Rule readFromXml(XmlPullParser parser) throws IOException, XmlPullParserException { |
| block = Boolean.parseBoolean(parser.getAttributeValue(null, ATTR_BLOCK)); |
| log = Boolean.parseBoolean(parser.getAttributeValue(null, ATTR_LOG)); |
| |
| super.readFromXml(parser); |
| return this; |
| } |
| |
| @Override |
| protected void readChild(XmlPullParser parser) throws IOException, XmlPullParserException { |
| String currentTag = parser.getName(); |
| |
| if (currentTag.equals(TAG_INTENT_FILTER)) { |
| FirewallIntentFilter intentFilter = new FirewallIntentFilter(this); |
| intentFilter.readFromXml(parser); |
| mIntentFilters.add(intentFilter); |
| } else if (currentTag.equals(TAG_COMPONENT_FILTER)) { |
| String componentStr = parser.getAttributeValue(null, ATTR_NAME); |
| if (componentStr == null) { |
| throw new XmlPullParserException("Component name must be specified.", |
| parser, null); |
| } |
| |
| ComponentName componentName = ComponentName.unflattenFromString(componentStr); |
| if (componentName == null) { |
| throw new XmlPullParserException("Invalid component name: " + componentStr); |
| } |
| |
| mComponentFilters.add(componentName); |
| } else { |
| super.readChild(parser); |
| } |
| } |
| |
| public int getIntentFilterCount() { |
| return mIntentFilters.size(); |
| } |
| |
| public FirewallIntentFilter getIntentFilter(int index) { |
| return mIntentFilters.get(index); |
| } |
| |
| public int getComponentFilterCount() { |
| return mComponentFilters.size(); |
| } |
| |
| public ComponentName getComponentFilter(int index) { |
| return mComponentFilters.get(index); |
| } |
| public boolean getBlock() { |
| return block; |
| } |
| |
| public boolean getLog() { |
| return log; |
| } |
| } |
| |
| private static class FirewallIntentFilter extends IntentFilter { |
| private final Rule rule; |
| |
| public FirewallIntentFilter(Rule rule) { |
| this.rule = rule; |
| } |
| } |
| |
| private static class FirewallIntentResolver |
| extends IntentResolver<FirewallIntentFilter, Rule> { |
| @Override |
| protected boolean allowFilterResult(FirewallIntentFilter filter, List<Rule> dest) { |
| return !dest.contains(filter.rule); |
| } |
| |
| @Override |
| protected boolean isPackageForFilter(String packageName, FirewallIntentFilter filter) { |
| return true; |
| } |
| |
| @Override |
| protected FirewallIntentFilter[] newArray(int size) { |
| return new FirewallIntentFilter[size]; |
| } |
| |
| @Override |
| protected Rule newResult(FirewallIntentFilter filter, int match, int userId) { |
| return filter.rule; |
| } |
| |
| @Override |
| protected void sortResults(List<Rule> results) { |
| // there's no need to sort the results |
| return; |
| } |
| |
| public void queryByComponent(ComponentName componentName, List<Rule> candidateRules) { |
| Rule[] rules = mRulesByComponent.get(componentName); |
| if (rules != null) { |
| candidateRules.addAll(Arrays.asList(rules)); |
| } |
| } |
| |
| public void addComponentFilter(ComponentName componentName, Rule rule) { |
| Rule[] rules = mRulesByComponent.get(componentName); |
| rules = ArrayUtils.appendElement(Rule.class, rules, rule); |
| mRulesByComponent.put(componentName, rules); |
| } |
| |
| private final ArrayMap<ComponentName, Rule[]> mRulesByComponent = |
| new ArrayMap<ComponentName, Rule[]>(0); |
| } |
| |
| final FirewallHandler mHandler; |
| |
| private final class FirewallHandler extends Handler { |
| public FirewallHandler(Looper looper) { |
| super(looper, null, true); |
| } |
| |
| @Override |
| public void handleMessage(Message msg) { |
| readRulesDir(getRulesDir()); |
| } |
| }; |
| |
| /** |
| * Monitors for the creation/deletion/modification of any .xml files in the rule directory |
| */ |
| private class RuleObserver extends FileObserver { |
| private static final int MONITORED_EVENTS = FileObserver.CREATE|FileObserver.MOVED_TO| |
| FileObserver.CLOSE_WRITE|FileObserver.DELETE|FileObserver.MOVED_FROM; |
| |
| public RuleObserver(File monitoredDir) { |
| super(monitoredDir.getAbsolutePath(), MONITORED_EVENTS); |
| } |
| |
| @Override |
| public void onEvent(int event, String path) { |
| if (path.endsWith(".xml")) { |
| // we wait 250ms before taking any action on an event, in order to dedup multiple |
| // events. E.g. a delete event followed by a create event followed by a subsequent |
| // write+close event |
| mHandler.removeMessages(0); |
| mHandler.sendEmptyMessageDelayed(0, 250); |
| } |
| } |
| } |
| |
| /** |
| * This interface contains the methods we need from ActivityManagerService. This allows AMS to |
| * export these methods to us without making them public, and also makes it easier to test this |
| * component. |
| */ |
| public interface AMSInterface { |
| int checkComponentPermission(String permission, int pid, int uid, |
| int owningUid, boolean exported); |
| Object getAMSLock(); |
| } |
| |
| /** |
| * Checks if the caller has access to a component |
| * |
| * @param permission If present, the caller must have this permission |
| * @param pid The pid of the caller |
| * @param uid The uid of the caller |
| * @param owningUid The uid of the application that owns the component |
| * @param exported Whether the component is exported |
| * @return True if the caller can access the described component |
| */ |
| boolean checkComponentPermission(String permission, int pid, int uid, int owningUid, |
| boolean exported) { |
| return mAms.checkComponentPermission(permission, pid, uid, owningUid, exported) == |
| PackageManager.PERMISSION_GRANTED; |
| } |
| |
| boolean signaturesMatch(int uid1, int uid2) { |
| try { |
| IPackageManager pm = AppGlobals.getPackageManager(); |
| return pm.checkUidSignatures(uid1, uid2) == PackageManager.SIGNATURE_MATCH; |
| } catch (RemoteException ex) { |
| Slog.e(TAG, "Remote exception while checking signatures", ex); |
| return false; |
| } |
| } |
| |
| } |