Blacklist uids for network access

FirewallController can now be in blacklist mode (aka disabled)
or whitelist mode (aka enabled).

Some of the methods don't do anything when in blacklist mode.

Uid rules updated to allow dropping packets to uids that
shouldn't get any network access, usually for idle apps.

Added a wait option to iptables calls to make sure it doesn't
fail if there's contention. Fixes a flakiness I was seeing in
removing rules.

Bug: 20066058
Change-Id: I815bcb45aa06d04020e902df8c67bb3894e98f40
diff --git a/server/FirewallController.h b/server/FirewallController.h
index 158e0fa..8051a73 100644
--- a/server/FirewallController.h
+++ b/server/FirewallController.h
@@ -19,7 +19,12 @@
 
 #include <string>
 
-enum FirewallRule { ALLOW, DENY };
+enum FirewallRule { DENY, ALLOW };
+
+// WHITELIST means the firewall denies all by default, uids must be explicitly ALLOWed
+// BLACKLIST means the firewall allows all by default, uids must be explicitly DENYed
+
+enum FirewallType { WHITELIST, BLACKLIST };
 
 #define PROTOCOL_TCP 6
 #define PROTOCOL_UDP 17
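Review bot: swapping the order of the enumerators in `enum FirewallRule { DENY, ALLOW };` changes their underlying integer values (ALLOW was 0 and is now 1; DENY is now 0), so any caller that passes or compares these as raw ints, or that treats 0 as "allow", silently changes meaning. Suggest giving the values explicitly, e.g. `enum FirewallRule { DENY = 0, ALLOW = 1 };`, and likewise `enum FirewallType { WHITELIST = 0, BLACKLIST = 1 };`, so the intent of the reordering is documented and stable. Also, the explanatory comment for FirewallType is separated from the enum by a blank line; move it directly above the declaration so it reads as its doc comment.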
@@ -34,7 +39,7 @@
 
     int setupIptablesHooks(void);
 
-    int enableFirewall(void);
+    int enableFirewall(FirewallType);
     int disableFirewall(void);
     int isFirewallEnabled(void);
 
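Review bot: `int enableFirewall(FirewallType);` drops the parameter name, which is the only place in this header where the reader learns what the argument means; suggest `int enableFirewall(FirewallType ftype);`. The commit message also says several methods become no-ops in BLACKLIST mode, but nothing in the header records that, and `isFirewallEnabled(void)` still returns a single int with no way to learn which mode is active. Suggest a comment on the affected declarations naming the mode in which they are no-ops, and either a getter for the current FirewallType or a note on `isFirewallEnabled` describing what it returns in each mode.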
@@ -51,6 +56,8 @@
     static const char* LOCAL_OUTPUT;
     static const char* LOCAL_FORWARD;
 
+private:
+    FirewallType firewallType;
 };
 
 #endif
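Review bot: the new member `FirewallType firewallType;` has no initializer here, so unless the constructor (not shown in this diff) sets it, every mode check performed before `enableFirewall(FirewallType)` is first called reads an indeterminate value, and a method that is supposed to be a no-op in BLACKLIST mode could either run or be skipped unpredictably. Suggest initializing it in the constructor to the mode that corresponds to the disabled firewall (BLACKLIST, per the commit message), or `FirewallType firewallType = BLACKLIST;` in-class if the build uses C++11, and adding a one-line comment stating that it mirrors the last `enableFirewall`/`disableFirewall` call.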