Make firewallReplaceUidChain match the behaviour of createChain.
The behaviour of the firewallReplaceUidChain was incorrect in
several ways:
1. It was missing the "always allow TCP RST packets" rules which
were added in http://ag/963000 .
2. It included a RETURN statement at the end of blacklist chains,
which is superfluous since all user-defined chains implicitly
return, and became incorrect when http://ag/963000 switched the
behaviour of blacklist chains from inserting new rules at the
beginning to appending them at the end.
3. It was missing the rules to allow the types of ICMPv6 packets
that are critical in maintaining connectivity.
By itself, this change is a no-op since nothing currently calls
firewallReplaceUidRule.
Bug: 26675191
Change-Id: I985e6861812908cbe7eaf0f54ca0ad39c22bbfeb
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 7bb883d..2d2e3b6 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -321,28 +321,39 @@
return res;
}
-std::string FirewallController::makeUidRules(
- const char *name, bool isWhitelist, const std::vector<int32_t>& uids) {
- const char *action = isWhitelist ? "RETURN" : "DROP";
- const char *defaultAction = isWhitelist ? "DROP" : "RETURN";
-
+std::string FirewallController::makeUidRules(IptablesTarget target, const char *name,
+ bool isWhitelist, const std::vector<int32_t>& uids) {
std::string commands;
-
StringAppendF(&commands, "*filter\n:%s -\n", name);
+ // Allow TCP RSTs so we can cleanly close TCP connections of apps that no longer have network
+ // access. Both incoming and outgoing RSTs are allowed.
+ StringAppendF(&commands, "-A %s -p tcp --tcp-flags RST RST -j RETURN\n", name);
+
if (isWhitelist) {
+ // Allow ICMPv6 packets necessary to make IPv6 connectivity work. http://b/23158230 .
+ if (target == V6) {
+ for (size_t i = 0; i < ARRAY_SIZE(ICMPV6_TYPES); i++) {
+ StringAppendF(&commands, "-A %s -p icmpv6 --icmpv6-type %s -j RETURN\n",
+ name, ICMPV6_TYPES[i]);
+ }
+ }
+
// Always whitelist system UIDs.
StringAppendF(&commands,
- "-A %s -m owner --uid-owner %d-%d -j %s\n", name, 0, MAX_SYSTEM_UID, action);
+ "-A %s -m owner --uid-owner %d-%d -j RETURN\n", name, 0, MAX_SYSTEM_UID);
}
+ // Whitelist or blacklist the specified UIDs.
+ const char *action = isWhitelist ? "RETURN" : "DROP";
for (auto uid : uids) {
StringAppendF(&commands, "-A %s -m owner --uid-owner %d -j %s\n", name, uid, action);
}
- // If it's a blacklist chain that blacklists nothing, then don't add a default action.
- if (isWhitelist || uids.size() > 0) {
- StringAppendF(&commands, "-A %s -j %s\n", name, defaultAction);
+ // If it's a whitelist chain, add a default DROP at the end. This is not necessary for a
+ // blacklist chain, because all user-defined chains implicitly RETURN at the end.
+ if (isWhitelist) {
+ StringAppendF(&commands, "-A %s -j DROP\n", name);
}
StringAppendF(&commands, "COMMIT\n\x04"); // EOT.
@@ -352,6 +363,7 @@
int FirewallController::replaceUidChain(
const char *name, bool isWhitelist, const std::vector<int32_t>& uids) {
- std::string commands = makeUidRules(name, isWhitelist, uids);
- return execIptablesRestore(V4V6, commands.c_str());
+ std::string commands4 = makeUidRules(V4, name, isWhitelist, uids);
+ std::string commands6 = makeUidRules(V6, name, isWhitelist, uids);
+ return execIptablesRestore(V4, commands4.c_str()) | execIptablesRestore(V6, commands6.c_str());
}