src.com.android.server.firewall.IntentFirewall Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of android-all Show documentation
Show all versions of android-all Show documentation
A library jar that provides APIs for Applications written for the Google Android Platform.
/*
* Copyright (C) 2013 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.android.server.firewall;
import android.annotation.NonNull;
import android.app.AppGlobals;
import android.content.ComponentName;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.pm.ApplicationInfo;
import android.content.pm.IPackageManager;
import android.content.pm.PackageManager;
import android.content.pm.PackageManagerInternal;
import android.os.Environment;
import android.os.FileObserver;
import android.os.Handler;
import android.os.Looper;
import android.os.Message;
import android.os.RemoteException;
import android.util.ArrayMap;
import android.util.Slog;
import android.util.Xml;
import com.android.internal.util.ArrayUtils;
import com.android.internal.util.XmlUtils;
import com.android.server.EventLogTags;
import com.android.server.IntentResolver;
import com.android.server.LocalServices;
import com.android.server.pm.Computer;
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
public class IntentFirewall {
static final String TAG = "IntentFirewall";
// e.g. /data/system/ifw or /data/secure/system/ifw
private static final File RULES_DIR = new File(Environment.getDataSystemDirectory(), "ifw");
private static final int LOG_PACKAGES_MAX_LENGTH = 150;
private static final int LOG_PACKAGES_SUFFICIENT_LENGTH = 125;
private static final String TAG_RULES = "rules";
private static final String TAG_ACTIVITY = "activity";
private static final String TAG_SERVICE = "service";
private static final String TAG_BROADCAST = "broadcast";
private static final int TYPE_ACTIVITY = 0;
private static final int TYPE_BROADCAST = 1;
private static final int TYPE_SERVICE = 2;
private static final HashMap factoryMap;
private final AMSInterface mAms;
private final RuleObserver mObserver;
@NonNull
private PackageManagerInternal mPackageManager;
private FirewallIntentResolver mActivityResolver = new FirewallIntentResolver();
private FirewallIntentResolver mBroadcastResolver = new FirewallIntentResolver();
private FirewallIntentResolver mServiceResolver = new FirewallIntentResolver();
static {
FilterFactory[] factories = new FilterFactory[] {
AndFilter.FACTORY,
OrFilter.FACTORY,
NotFilter.FACTORY,
StringFilter.ACTION,
StringFilter.COMPONENT,
StringFilter.COMPONENT_NAME,
StringFilter.COMPONENT_PACKAGE,
StringFilter.DATA,
StringFilter.HOST,
StringFilter.MIME_TYPE,
StringFilter.SCHEME,
StringFilter.PATH,
StringFilter.SSP,
CategoryFilter.FACTORY,
SenderFilter.FACTORY,
SenderPackageFilter.FACTORY,
SenderPermissionFilter.FACTORY,
PortFilter.FACTORY
};
// load factor ~= .75
factoryMap = new HashMap(factories.length * 4 / 3);
for (int i=0; i candidateRules;
candidateRules = resolver.queryIntent(getPackageManager().snapshot(), intent, resolvedType,
false /*defaultOnly*/, 0);
if (candidateRules == null) {
candidateRules = new ArrayList();
}
resolver.queryByComponent(resolvedComponent, candidateRules);
// For the second pass, try to match the potentially more specific conditions in each
// rule against the intent
for (int i=0; i= LOG_PACKAGES_SUFFICIENT_LENGTH) {
return sb.toString();
}
}
if (sb.length() == 0 && packages.length > 0) {
String pkg = packages[0];
// truncating from the end - the last part of the package name is more likely to be
// interesting/unique
return pkg.substring(pkg.length() - LOG_PACKAGES_MAX_LENGTH + 1) + '-';
}
return null;
}
public static File getRulesDir() {
return RULES_DIR;
}
/**
* Reads rules from all xml files (*.xml) in the given directory, and replaces our set of rules
* with the newly read rules.
*
* We only check for files ending in ".xml", to allow for temporary files that are atomically
* renamed to .xml
*
* All calls to this method from the file observer come through a handler and are inherently
* serialized
*/
private void readRulesDir(File rulesDir) {
FirewallIntentResolver[] resolvers = new FirewallIntentResolver[3];
for (int i=0; i> rulesByType = new ArrayList>(3);
for (int i=0; i<3; i++) {
rulesByType.add(new ArrayList());
}
FileInputStream fis;
try {
fis = new FileInputStream(rulesFile);
} catch (FileNotFoundException ex) {
// Nope, no rules. Nothing else to do!
return;
}
try {
XmlPullParser parser = Xml.newPullParser();
parser.setInput(fis, null);
XmlUtils.beginDocument(parser, TAG_RULES);
int outerDepth = parser.getDepth();
while (XmlUtils.nextElementWithin(parser, outerDepth)) {
int ruleType = -1;
String tagName = parser.getName();
if (tagName.equals(TAG_ACTIVITY)) {
ruleType = TYPE_ACTIVITY;
} else if (tagName.equals(TAG_BROADCAST)) {
ruleType = TYPE_BROADCAST;
} else if (tagName.equals(TAG_SERVICE)) {
ruleType = TYPE_SERVICE;
}
if (ruleType != -1) {
Rule rule = new Rule();
List rules = rulesByType.get(ruleType);
// if we get an error while parsing a particular rule, we'll just ignore
// that rule and continue on with the next rule
try {
rule.readFromXml(parser);
} catch (XmlPullParserException ex) {
Slog.e(TAG, "Error reading an intent firewall rule from " + rulesFile, ex);
continue;
}
rules.add(rule);
}
}
} catch (XmlPullParserException ex) {
// if there was an error outside of a specific rule, then there are probably
// structural problems with the xml file, and we should completely ignore it
Slog.e(TAG, "Error reading intent firewall rules from " + rulesFile, ex);
return;
} catch (IOException ex) {
Slog.e(TAG, "Error reading intent firewall rules from " + rulesFile, ex);
return;
} finally {
try {
fis.close();
} catch (IOException ex) {
Slog.e(TAG, "Error while closing " + rulesFile, ex);
}
}
for (int ruleType=0; ruleType rules = rulesByType.get(ruleType);
FirewallIntentResolver resolver = resolvers[ruleType];
for (int ruleIndex=0; ruleIndex mIntentFilters =
new ArrayList(1);
private final ArrayList mComponentFilters = new ArrayList(0);
private boolean block;
private boolean log;
@Override
public Rule readFromXml(XmlPullParser parser) throws IOException, XmlPullParserException {
block = Boolean.parseBoolean(parser.getAttributeValue(null, ATTR_BLOCK));
log = Boolean.parseBoolean(parser.getAttributeValue(null, ATTR_LOG));
super.readFromXml(parser);
return this;
}
@Override
protected void readChild(XmlPullParser parser) throws IOException, XmlPullParserException {
String currentTag = parser.getName();
if (currentTag.equals(TAG_INTENT_FILTER)) {
FirewallIntentFilter intentFilter = new FirewallIntentFilter(this);
intentFilter.readFromXml(parser);
mIntentFilters.add(intentFilter);
} else if (currentTag.equals(TAG_COMPONENT_FILTER)) {
String componentStr = parser.getAttributeValue(null, ATTR_NAME);
if (componentStr == null) {
throw new XmlPullParserException("Component name must be specified.",
parser, null);
}
ComponentName componentName = ComponentName.unflattenFromString(componentStr);
if (componentName == null) {
throw new XmlPullParserException("Invalid component name: " + componentStr);
}
mComponentFilters.add(componentName);
} else {
super.readChild(parser);
}
}
public int getIntentFilterCount() {
return mIntentFilters.size();
}
public FirewallIntentFilter getIntentFilter(int index) {
return mIntentFilters.get(index);
}
public int getComponentFilterCount() {
return mComponentFilters.size();
}
public ComponentName getComponentFilter(int index) {
return mComponentFilters.get(index);
}
public boolean getBlock() {
return block;
}
public boolean getLog() {
return log;
}
}
private static class FirewallIntentFilter extends IntentFilter {
private final Rule rule;
public FirewallIntentFilter(Rule rule) {
this.rule = rule;
}
}
private static class FirewallIntentResolver
extends IntentResolver {
@Override
protected boolean allowFilterResult(FirewallIntentFilter filter, List dest) {
return !dest.contains(filter.rule);
}
@Override
protected boolean isPackageForFilter(String packageName, FirewallIntentFilter filter) {
return true;
}
@Override
protected FirewallIntentFilter[] newArray(int size) {
return new FirewallIntentFilter[size];
}
@Override
protected Rule newResult(@NonNull Computer computer, FirewallIntentFilter filter,
int match, int userId, long customFlags) {
return filter.rule;
}
@Override
protected void sortResults(List results) {
// there's no need to sort the results
return;
}
@Override
protected IntentFilter getIntentFilter(@NonNull FirewallIntentFilter input) {
return input;
}
public void queryByComponent(ComponentName componentName, List candidateRules) {
Rule[] rules = mRulesByComponent.get(componentName);
if (rules != null) {
candidateRules.addAll(Arrays.asList(rules));
}
}
public void addComponentFilter(ComponentName componentName, Rule rule) {
Rule[] rules = mRulesByComponent.get(componentName);
rules = ArrayUtils.appendElement(Rule.class, rules, rule);
mRulesByComponent.put(componentName, rules);
}
private final ArrayMap mRulesByComponent =
new ArrayMap(0);
}
final FirewallHandler mHandler;
private final class FirewallHandler extends Handler {
public FirewallHandler(Looper looper) {
super(looper, null, true);
}
@Override
public void handleMessage(Message msg) {
readRulesDir(getRulesDir());
}
};
/**
* Monitors for the creation/deletion/modification of any .xml files in the rule directory
*/
private class RuleObserver extends FileObserver {
private static final int MONITORED_EVENTS = FileObserver.CREATE|FileObserver.MOVED_TO|
FileObserver.CLOSE_WRITE|FileObserver.DELETE|FileObserver.MOVED_FROM;
public RuleObserver(File monitoredDir) {
super(monitoredDir.getAbsolutePath(), MONITORED_EVENTS);
}
@Override
public void onEvent(int event, String path) {
if (path != null && path.endsWith(".xml")) {
// we wait 250ms before taking any action on an event, in order to dedup multiple
// events. E.g. a delete event followed by a create event followed by a subsequent
// write+close event
mHandler.removeMessages(0);
mHandler.sendEmptyMessageDelayed(0, 250);
}
}
}
/**
* This interface contains the methods we need from ActivityManagerService. This allows AMS to
* export these methods to us without making them public, and also makes it easier to test this
* component.
*/
public interface AMSInterface {
int checkComponentPermission(String permission, int pid, int uid,
int owningUid, boolean exported);
Object getAMSLock();
}
/**
* Checks if the caller has access to a component
*
* @param permission If present, the caller must have this permission
* @param pid The pid of the caller
* @param uid The uid of the caller
* @param owningUid The uid of the application that owns the component
* @param exported Whether the component is exported
* @return True if the caller can access the described component
*/
boolean checkComponentPermission(String permission, int pid, int uid, int owningUid,
boolean exported) {
return mAms.checkComponentPermission(permission, pid, uid, owningUid, exported) ==
PackageManager.PERMISSION_GRANTED;
}
boolean signaturesMatch(int uid1, int uid2) {
try {
IPackageManager pm = AppGlobals.getPackageManager();
return pm.checkUidSignatures(uid1, uid2) == PackageManager.SIGNATURE_MATCH;
} catch (RemoteException ex) {
Slog.e(TAG, "Remote exception while checking signatures", ex);
return false;
}
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy