Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / connectivity / apmanager / 1810c01237329106f339ac4bdf6baa58efa76917^! / . / firewall_manager.h
commit1810c01237329106f339ac4bdf6baa58efa76917[log] [tgz]
authorPeter Qiu <zqiu@chromium.org>Thu Feb 05 14:35:41 2015 -0800
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>Tue Feb 10 23:07:24 2015 +0000
tree7042c0d923e67b1ae26fffab8fd07b093c35093d
parente26578570050855a533c4df6e2b0e7c979964e5a [diff] [blame]
apmanager: add firewall rules during run time

Use permission_broker to add firewall rules when apmanager starts.
Also remove the temporary hack in webservd upstart script for
adding firewall rules on behalf of apmanager.

BUG=chromium:450408
TEST=Verify firewall rule for UDP port 67 (DHCP port) is added
     when apmanager starts, and removed after apmanager is
     terminated.
     Run security_Firewall autotest.
CQ-DEPEND=CL:246272,CL:247141,CL:247210

Change-Id: I4b25dc753a12ff91ed68d712f096ed570e635ad8
Reviewed-on: https://chromium-review.googlesource.com/246699
Reviewed-by: Alex Vakulenko <avakulenko@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Zeping Qiu <zqiu@chromium.org>
Tested-by: Zeping Qiu <zqiu@chromium.org>

diff --git a/firewall_manager.h b/firewall_manager.h
new file mode 100644
index 0000000..092162f
--- /dev/null
+++ b/firewall_manager.h

@@ -0,0 +1,53 @@
+// Copyright 2015 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef APMANAGER_FIREWALL_MANAGER_H_
+#define APMANAGER_FIREWALL_MANAGER_H_
+
+#include <string>
+
+#include <base/macros.h>
+#include <base/memory/scoped_ptr.h>
+
+#include "permission_broker/dbus-proxies.h"
+
+// Class for managing required firewall rules for apmanager.
+namespace apmanager {
+
+class FirewallManager final {
+ public:
+  FirewallManager();
+  ~FirewallManager();
+
+  void Start(const scoped_refptr<dbus::Bus>& bus);
+
+ private:
+  // Setup lifeline pipe to allow the remote firewall server
+  // (permission_broker) to monitor this process, so it can remove the firewall
+  // rules in case this process crashes.
+  bool SetupLifelinePipe();
+
+  void OnServiceAvailable(bool service_available);
+  void OnServiceNameChanged(const std::string& old_owner,
+                            const std::string& new_owner);
+
+  // Add all required firewall rules for apmanager.
+  void AddFirewallRules();
+  void AddUdpPortRule(uint16_t port);
+
+  // DBus proxy for shill manager.
+  std::unique_ptr<org::chromium::PermissionBrokerProxy>
+      permission_broker_proxy_;
+  // File descriptors for the two end of the pipe use for communicating with
+  // remote firewall server (permission_broker), where the remote firewall
+  // server will use the read end of the pipe to detect when this process exits.
+  int lifeline_read_fd_;
+  int lifeline_write_fd_;
+
+  DISALLOW_COPY_AND_ASSIGN(FirewallManager);
+};
+
+}  // namespace apmanager
+
+#endif  // APMANAGER_FIREWALL_MANAGER_H_