Use IptablesRestoreController for UID rule updates.
Bug: 32073253
Test: netd_{unit,integration}_test passes
Test: bullhead builds, boots
Test: fw_powersave chain correctly updated when updating battery optimization whitelist
Test: fw_powersave chain correctly updated when bringing apps into foreground
Change-Id: I964b7664718f353057047c66e69351169b5cf453
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index e2ddc74..4693206 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -173,9 +173,6 @@
}
int FirewallController::setUidRule(ChildChain chain, int uid, FirewallRule rule) {
- char uidStr[16];
- sprintf(uidStr, "%d", uid);
-
const char* op;
const char* target;
FirewallType firewallType = getFirewallType(chain);
@@ -189,31 +186,33 @@
op = (rule == DENY)? "-A" : "-D";
}
- int res = 0;
+ std::vector<std::string> chainNames;
switch(chain) {
case DOZABLE:
- res |= execIptables(V4V6, op, LOCAL_DOZABLE, "-m", "owner", "--uid-owner",
- uidStr, "-j", target, NULL);
+ chainNames = { LOCAL_DOZABLE };
break;
case STANDBY:
- res |= execIptables(V4V6, op, LOCAL_STANDBY, "-m", "owner", "--uid-owner",
- uidStr, "-j", target, NULL);
+ chainNames = { LOCAL_STANDBY };
break;
case POWERSAVE:
- res |= execIptables(V4V6, op, LOCAL_POWERSAVE, "-m", "owner", "--uid-owner",
- uidStr, "-j", target, NULL);
+ chainNames = { LOCAL_POWERSAVE };
break;
case NONE:
- res |= execIptables(V4V6, op, LOCAL_INPUT, "-m", "owner", "--uid-owner", uidStr,
- "-j", target, NULL);
- res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-m", "owner", "--uid-owner", uidStr,
- "-j", target, NULL);
+ chainNames = { LOCAL_INPUT, LOCAL_OUTPUT };
break;
default:
ALOGW("Unknown child chain: %d", chain);
- break;
+ return -1;
}
- return res;
+
+ std::string command = "*filter\n";
+ for (std::string chainName : chainNames) {
+ StringAppendF(&command, "%s %s -m owner --uid-owner %d -j %s\n",
+ op, chainName.c_str(), uid, target);
+ }
+ StringAppendF(&command, "COMMIT\n");
+
+ return execIptablesRestore(V4V6, command);
}
int FirewallController::attachChain(const char* childChain, const char* parentChain) {
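Review bot: For the NONE chain the LOCAL_INPUT and LOCAL_OUTPUT rules are now emitted into a single iptables-restore script (the `command` built between `*filter` and `COMMIT`), so if iptables-restore rejects either line — for example `-D` of a rule that is not currently present — neither rule is applied, whereas the old per-rule execIptables calls would still have applied the other one. That atomic all-or-nothing behaviour is arguably the better semantics, but it is a behaviour change the description does not mention and deserves a comment above the loop, e.g. `// All rules go out in one iptables-restore transaction: if any line is rejected, none are committed.` Separately, `for (std::string chainName : chainNames)` copies every name; `for (const auto& chainName : chainNames)` avoids that. Since uid is the only caller-supplied value and is rendered with `%d`, nothing can be injected into the script text, but a negative uid only surfaces as an iptables-restore failure of the whole batch, so an early `if (uid < 0) return -1;` would make that failure explicit. setUidRule's signature and the op/target selection sit above this hunk.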