Firewall-related commands porting
Test: runtest frameworks-net passes
Test: manual testing of firewall works
Change-Id: Ic19c3872988a2b5dd315feb57e0757797d00a6ac
diff --git a/core/java/android/net/NetworkPolicyManager.java b/core/java/android/net/NetworkPolicyManager.java
index d5fb2e7..299b232 100644
--- a/core/java/android/net/NetworkPolicyManager.java
+++ b/core/java/android/net/NetworkPolicyManager.java
@@ -91,16 +91,16 @@
public static final int MASK_ALL_NETWORKS = 0b11110000;
public static final int FIREWALL_RULE_DEFAULT = 0;
- public static final int FIREWALL_RULE_ALLOW = 1;
- public static final int FIREWALL_RULE_DENY = 2;
+ public static final int FIREWALL_RULE_ALLOW = INetd.FIREWALL_RULE_ALLOW;
+ public static final int FIREWALL_RULE_DENY = INetd.FIREWALL_RULE_DENY;
- public static final int FIREWALL_TYPE_WHITELIST = 0;
- public static final int FIREWALL_TYPE_BLACKLIST = 1;
+ public static final int FIREWALL_TYPE_WHITELIST = INetd.FIREWALL_WHITELIST;
+ public static final int FIREWALL_TYPE_BLACKLIST = INetd.FIREWALL_BLACKLIST;
- public static final int FIREWALL_CHAIN_NONE = 0;
- public static final int FIREWALL_CHAIN_DOZABLE = 1;
- public static final int FIREWALL_CHAIN_STANDBY = 2;
- public static final int FIREWALL_CHAIN_POWERSAVE = 3;
+ public static final int FIREWALL_CHAIN_NONE = INetd.FIREWALL_CHAIN_NONE;
+ public static final int FIREWALL_CHAIN_DOZABLE = INetd.FIREWALL_CHAIN_DOZABLE;
+ public static final int FIREWALL_CHAIN_STANDBY = INetd.FIREWALL_CHAIN_STANDBY;
+ public static final int FIREWALL_CHAIN_POWERSAVE = INetd.FIREWALL_CHAIN_POWERSAVE;
public static final String FIREWALL_CHAIN_NAME_NONE = "none";
public static final String FIREWALL_CHAIN_NAME_DOZABLE = "dozable";
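Review bot: The public constants at lines 14–27 are now aliases of INetd values, which is only behaviour-preserving if INetd.FIREWALL_RULE_ALLOW/DENY, FIREWALL_WHITELIST/BLACKLIST and the four chain ids equal the literals removed at lines 12–23 (1, 2, 0, 1, 0–3); INetd is not visible here, so I cannot confirm that. If they differ, anything that persisted or serialised these ints (policy state, logs, tests comparing against literals) changes meaning, and a future renumbering in INetd will silently change this public surface. A comment on the block would make the coupling explicit, e.g. `// These mirror INetd's values; changing them in INetd changes this public API.`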
diff --git a/services/core/java/com/android/server/NetworkManagementService.java b/services/core/java/com/android/server/NetworkManagementService.java
index ab50059..0acd1c1 100644
--- a/services/core/java/com/android/server/NetworkManagementService.java
+++ b/services/core/java/com/android/server/NetworkManagementService.java
@@ -1929,10 +1929,11 @@
public void setFirewallEnabled(boolean enabled) {
enforceSystemUid();
try {
- mConnector.execute("firewall", "enable", enabled ? "whitelist" : "blacklist");
+ mNetdService.firewallSetFirewallType(
+ enabled ? INetd.FIREWALL_WHITELIST : INetd.FIREWALL_BLACKLIST);
mFirewallEnabled = enabled;
- } catch (NativeDaemonConnectorException e) {
- throw e.rethrowAsParcelableException();
+ } catch (RemoteException | ServiceSpecificException e) {
+ throw new IllegalStateException(e);
}
}
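Review bot: The catch at lines 44–45 (and the same pattern at lines 59–60, 96–97 and 136–137) wraps RemoteException and the netd ServiceSpecificException in a bare IllegalStateException, so the only message is the cause's toString() and the operation that failed is not named. Callers previously received the parcelable exception from rethrowAsParcelableException; if any caller catches that by type, this change is visible to it. Naming the operation keeps the netd errno in the cause while making logs readable, e.g. `throw new IllegalStateException("firewallSetFirewallType failed", e);`, with the matching operation name at the other three sites, or one small private helper that builds the message.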
@@ -1946,11 +1947,11 @@
public void setFirewallInterfaceRule(String iface, boolean allow) {
enforceSystemUid();
Preconditions.checkState(mFirewallEnabled);
- final String rule = allow ? "allow" : "deny";
try {
- mConnector.execute("firewall", "set_interface_rule", iface, rule);
- } catch (NativeDaemonConnectorException e) {
- throw e.rethrowAsParcelableException();
+ mNetdService.firewallSetInterfaceRule(iface,
+ allow ? INetd.FIREWALL_RULE_ALLOW : INetd.FIREWALL_RULE_DENY);
+ } catch (RemoteException | ServiceSpecificException e) {
+ throw new IllegalStateException(e);
}
}
@@ -1961,7 +1962,7 @@
int[] exemptUids;
int numUids = 0;
-
+ if (DBG) Slog.d(TAG, "Closing sockets after enabling chain " + chainName);
if (getFirewallType(chain) == FIREWALL_TYPE_WHITELIST) {
// Close all sockets on all non-system UIDs...
ranges = new UidRange[] {
@@ -2031,26 +2032,14 @@
setFirewallChainState(chain, enable);
}
- final String operation = enable ? "enable_chain" : "disable_chain";
- final String chainName;
- switch(chain) {
- case FIREWALL_CHAIN_STANDBY:
- chainName = FIREWALL_CHAIN_NAME_STANDBY;
- break;
- case FIREWALL_CHAIN_DOZABLE:
- chainName = FIREWALL_CHAIN_NAME_DOZABLE;
- break;
- case FIREWALL_CHAIN_POWERSAVE:
- chainName = FIREWALL_CHAIN_NAME_POWERSAVE;
- break;
- default:
- throw new IllegalArgumentException("Bad child chain: " + chain);
+ if (chain == FIREWALL_CHAIN_NONE) {
+ throw new IllegalArgumentException("Bad child chain: " + chain);
}
try {
- mConnector.execute("firewall", operation, chainName);
- } catch (NativeDaemonConnectorException e) {
- throw e.rethrowAsParcelableException();
+ mNetdService.firewallEnableChildChain(chain, enable);
+ } catch (RemoteException | ServiceSpecificException e) {
+ throw new IllegalStateException(e);
}
// Close any sockets that were opened by the affected UIDs. This has to be done after
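Review bot: The check at lines 88–90 only rejects FIREWALL_CHAIN_NONE, whereas the removed switch at lines 76–87 rejected every chain id other than STANDBY, DOZABLE and POWERSAVE; an unknown chain now reaches mNetdService.firewallEnableChildChain at line 95, and on the disable path it is never validated locally at all, since getFirewallChainName is only called under `if (enable)` at line 106. The same local validation disappears in setFirewallUidRuleLocked at line 135, which no longer goes through getFirewallChainName before calling netd. Resolving the name once before the try restores the old behaviour and reuses it at line 106: `final String chainName = getFirewallChainName(chain); // rejects NONE and unknown chains` in place of lines 88–90, then `closeSocketsForFirewallChainLocked(chain, chainName);`. The enclosing method starts before this hunk.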
@@ -2058,12 +2047,24 @@
// the connection and race with the iptables commands that enable the firewall. All
// whitelist and blacklist chains allow RSTs through.
if (enable) {
- if (DBG) Slog.d(TAG, "Closing sockets after enabling chain " + chainName);
- closeSocketsForFirewallChainLocked(chain, chainName);
+ closeSocketsForFirewallChainLocked(chain, getFirewallChainName(chain));
}
}
}
+ private String getFirewallChainName(int chain) {
+ switch (chain) {
+ case FIREWALL_CHAIN_STANDBY:
+ return FIREWALL_CHAIN_NAME_STANDBY;
+ case FIREWALL_CHAIN_DOZABLE:
+ return FIREWALL_CHAIN_NAME_DOZABLE;
+ case FIREWALL_CHAIN_POWERSAVE:
+ return FIREWALL_CHAIN_NAME_POWERSAVE;
+ default:
+ throw new IllegalArgumentException("Bad child chain: " + chain);
+ }
+ }
+
private int getFirewallType(int chain) {
switch (chain) {
case FIREWALL_CHAIN_STANDBY:
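Review bot: The new getFirewallChainName at lines 110–121 has no Javadoc and differs from the public method it replaces (removed at lines 144–155 of this patch): it is private, it no longer maps FIREWALL_CHAIN_NONE to FIREWALL_CHAIN_NAME_NONE, and its error message changes from "Unknown chain:" to "Bad child chain: ". If any other class called the removed public method it will no longer compile, and a caller passing NONE now gets IllegalArgumentException instead of "none"; I cannot see other callers from here. Suggested header: `/** Returns the netd chain name for a child chain; throws IllegalArgumentException for FIREWALL_CHAIN_NONE or an unknown chain id. */`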
@@ -2136,11 +2137,11 @@
private void setFirewallUidRuleLocked(int chain, int uid, int rule) {
if (updateFirewallUidRuleLocked(chain, uid, rule)) {
+ final int ruleType = getFirewallRuleType(chain, rule);
try {
- mConnector.execute("firewall", "set_uid_rule", getFirewallChainName(chain), uid,
- getFirewallRuleName(chain, rule));
- } catch (NativeDaemonConnectorException e) {
- throw e.rethrowAsParcelableException();
+ mNetdService.firewallSetUidRule(chain, uid, ruleType);
+ } catch (RemoteException | ServiceSpecificException e) {
+ throw new IllegalStateException(e);
}
}
}
@@ -2206,18 +2207,19 @@
}
}
- public @NonNull String getFirewallChainName(int chain) {
- switch (chain) {
- case FIREWALL_CHAIN_STANDBY:
- return FIREWALL_CHAIN_NAME_STANDBY;
- case FIREWALL_CHAIN_DOZABLE:
- return FIREWALL_CHAIN_NAME_DOZABLE;
- case FIREWALL_CHAIN_POWERSAVE:
- return FIREWALL_CHAIN_NAME_POWERSAVE;
- case FIREWALL_CHAIN_NONE:
- return FIREWALL_CHAIN_NAME_NONE;
- default:
- throw new IllegalArgumentException("Unknown chain:" + chain);
+ private int getFirewallRuleType(int chain, int rule) {
+ if (getFirewallType(chain) == FIREWALL_TYPE_WHITELIST) {
+ if (rule == NetworkPolicyManager.FIREWALL_RULE_ALLOW) {
+ return INetd.FIREWALL_RULE_ALLOW;
+ } else {
+ return INetd.FIREWALL_RULE_DENY;
+ }
+ } else { // Blacklist mode
+ if (rule == NetworkPolicyManager.FIREWALL_RULE_DENY) {
+ return INetd.FIREWALL_RULE_DENY;
+ } else {
+ return INetd.FIREWALL_RULE_ALLOW;
+ }
}
}
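Review bot: getFirewallRuleType at lines 156–170 is undocumented and silently maps any unrecognised rule value to the chain's implicit verdict: in whitelist mode everything except FIREWALL_RULE_ALLOW becomes DENY, in blacklist mode everything except FIREWALL_RULE_DENY becomes ALLOW. That is presumably intended for FIREWALL_RULE_DEFAULT, but a bad value from a caller is then applied as a firewall rule rather than rejected. A Javadoc stating that DEFAULT resolves to the chain type's implicit rule, plus a guard before the branches such as `if (rule != FIREWALL_RULE_DEFAULT && rule != FIREWALL_RULE_ALLOW && rule != FIREWALL_RULE_DENY) throw new IllegalArgumentException("Bad rule: " + rule);`, would document and enforce the contract. The method is complete within the hunk.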