apmanager: add DHCP firewall rule per interface basis
With the recent update in permission_broker to allow firewall rules per
interface basis, update apmanager to dynamically request/release DHCP
port access when an AP service is started/terminated. And only request
the port access for the interface that AP service is running on.
BUG=chromium:450408
TEST=USE="asan clang" FEATURES=test emerge-$BOARD apmanager
Run security_Firewall test
Manual Test:
1. Use "iptables -S" command to verify no firewall rule is added
for port 67 when AP service is not started.
2. Start an AP service, verify firewall rule for port 67 is added
for the wifi interface (wlan0 for wolf device) and client can
connect to it with IP connectivity.
3. Stop the AP service, verify firewall rule for port 67 is deleted.
CQ-DEPEND=CL:252931
Change-Id: If7a5150d224ff1a5085b5e8032a162e8ca07c545
Reviewed-on: https://chromium-review.googlesource.com/252941
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Zeping Qiu <zqiu@chromium.org>
Commit-Queue: Zeping Qiu <zqiu@chromium.org>
diff --git a/firewall_manager.h b/firewall_manager.h
index 092162f..0f81332 100644
--- a/firewall_manager.h
+++ b/firewall_manager.h
@@ -5,6 +5,7 @@
#ifndef APMANAGER_FIREWALL_MANAGER_H_
#define APMANAGER_FIREWALL_MANAGER_H_
+#include <set>
#include <string>
#include <base/macros.h>
@@ -20,7 +21,11 @@
FirewallManager();
~FirewallManager();
- void Start(const scoped_refptr<dbus::Bus>& bus);
+ void Init(const scoped_refptr<dbus::Bus>& bus);
+
+ // Request/release DHCP port access for the specified interface.
+ void RequestDHCPPortAccess(const std::string& interface);
+ void ReleaseDHCPPortAccess(const std::string& interface);
private:
// Setup lifeline pipe to allow the remote firewall server
@@ -32,11 +37,16 @@
void OnServiceNameChanged(const std::string& old_owner,
const std::string& new_owner);
- // Add all required firewall rules for apmanager.
- void AddFirewallRules();
- void AddUdpPortRule(uint16_t port);
+ // This is called when a new instance of permission_broker is detected. Since
+ // the new instance doesn't have any knowledge of previously port access
+ // requests, re-issue those requests to permission_broker to get in sync.
+ void RequestAllPortsAccess();
- // DBus proxy for shill manager.
+ // Request/release UDP port access for the specified interface and port.
+ void RequestUdpPortAccess(const std::string& interface, uint16_t port);
+ void ReleaseUdpPortAccess(const std::string& interface, uint16_t port);
+
+ // DBus proxy for permission_broker.
std::unique_ptr<org::chromium::PermissionBrokerProxy>
permission_broker_proxy_;
// File descriptors for the two end of the pipe use for communicating with
@@ -45,6 +55,9 @@
int lifeline_read_fd_;
int lifeline_write_fd_;
+ // List of interfaces with DHCP port access.
+ std::set<std::string> dhcp_access_interfaces_;
+
DISALLOW_COPY_AND_ASSIGN(FirewallManager);
};