--- /dev/null
+# nether
+
+An application firewall that enforces the "internet"
+privileges in Tizen. It uses Cynara as a policy backend
+and the NFQUEUE target in netfilter to make decisiions
+about outgoing connections and network packets.
+
+The policy backend can be re-implemented by overloading
+the NetherPolicyBackend class (there is a simple File based
+backend included for testing).
+
+A default policy can be specified in case the policy
+backend stops working.
+
+
+#
+# Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Contact: Roman Kubiak (r.kubiak@samsung.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+#
#!/bin/bash
DENY_CHAIN="NETHER-DENY"
ALLOWLOG_CHAIN="NETHER-ALLOWLOG"
function create {
echo "Creating chain"
echo
- runcmd iptables -N $DENY_CHAIN
+ runcmd iptables -N $DENY_CHAIN
runcmd iptables -N $ALLOWLOG_CHAIN
runcmd iptables -A $DENY_CHAIN -j AUDIT --type REJECT
runcmd iptables -A $DENY_CHAIN -j REJECT
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief File backend for logger
+ */
+
#ifndef COMMON_LOGGER_BACKEND_FILE_HPP
#define COMMON_LOGGER_BACKEND_FILE_HPP
class FileBackend : public LogBackend {
public:
- FileBackend(const std::string &_filePath) : filePath(_filePath) {}
+ FileBackend(const std::string &filePath) : mfilePath(filePath) {}
void log(LogLevel logLevel,
const std::string& file,
const unsigned int& line,
const std::string& func,
const std::string& message) override;
private:
- std::string filePath;
+ std::string mfilePath;
};
} // namespace logger
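Review bot: `FileBackend(const std::string &filePath)` on the rewritten constructor line is still a single-argument constructor without `explicit`, so any `std::string` converts to a `FileBackend` implicitly; `explicit FileBackend(const std::string &filePath) : mfilePath(filePath) {}` closes that. The member rename to `mfilePath` is fine on its own, but the file's closing `#endif` is not visible in this hunk, so the include guard cannot be checked here.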
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief Syslog backend for logger
+ */
+
#ifndef COMMON_LOGGER_BACKEND_SYSLOG_HPP
#define COMMON_LOGGER_BACKEND_SYSLOG_HPP
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief Cynara policy backend for nether
+ */
+
#ifndef NETHER_CYNARA_BACKEND_H
#define NETHER_CYNARA_BACKEND_H
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief File policy backend for nether
+ */
+
#ifndef NETHER_FILE_BACKEND_H
#define NETHER_FILE_BACKEND_H
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief Manager class implementation for nether
+ */
+
#ifndef NETHER_MANAGER_H
#define NETHER_MANAGER_H
void packetReceived (const NetherPacket &packet);
private:
- NetherPolicyBackend *netherPrimaryPolicyBackend, *netherBackupPolicyBackend;
- NetherDummyBackend *netherFallbackPolicyBackend;
- NetherNetlink *netherNetlink;
+ void handleSignal();
+ const bool handleNetlinkpacket();
+ void setupSelectSockets(fd_set &watchedReadDescriptorsSet, fd_set &watchedWriteDescriptorsSet, struct timeval &timeoutSpecification);
+ std::unique_ptr <NetherPolicyBackend> netherPrimaryPolicyBackend, netherBackupPolicyBackend, netherFallbackPolicyBackend;
+ std::unique_ptr <NetherNetlink> netherNetlink;
NetherConfig netherConfig;
int netlinkDescriptor, backendDescriptor, signalDescriptor;
sigset_t signalMask;
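Review bot: `netherFallbackPolicyBackend` changes from a `NetherDummyBackend *` to a `std::unique_ptr<NetherPolicyBackend>`, so the dummy backend is now deleted through the base pointer (as the primary and backup backends already are); that is only defined behaviour if `NetherPolicyBackend` declares a virtual destructor, which this hunk does not show — please confirm, or add `virtual ~NetherPolicyBackend() = default;` there. `const bool handleNetlinkpacket();` returns by value, where `const` has no effect; `bool handleNetlinkpacket();` is the same interface without the misleading qualifier. `std::unique_ptr` also needs `<memory>`, and the include list is outside this hunk. The class body starts and ends outside the hunk.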
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief netlink handler class for nether
+ */
+
#ifndef NETHER_NETLINK_H\r
#define NETHER_NETLINK_H\r
\r
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief definition of a policy backend class
+ */
+
#ifndef NETHER_POLICY_BACKEND_H
#define NETHER_POLICY_BACKEND_H
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief types used in nether
+ */
+
+
#ifndef NETHER_TYPES_H
#define NETHER_TYPES_H
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief utility functions
+ */
+
+
#ifndef NETHER_UTILS_H
#define NETHER_UTILS_H
#include "nether_Types.h"
<Add option="-fexceptions" />
<Add option="-fPIC" />
</Compiler>
+ <Unit filename="CMakeLists.txt" />
+ <Unit filename="config/nether.policy" />
+ <Unit filename="config/nether.rules" />
+ <Unit filename="config/setrules.sh" />
<Unit filename="include/logger/backend-file.hpp" />
<Unit filename="include/logger/backend-journal.hpp" />
<Unit filename="include/logger/backend-null.hpp" />
<Unit filename="include/nether_PolicyBackend.h" />
<Unit filename="include/nether_Types.h" />
<Unit filename="include/nether_Utils.h" />
+ <Unit filename="packaging/nether.manifest" />
+ <Unit filename="packaging/nether.spec" />
+ <Unit filename="src/CMakeLists.txt" />
<Unit filename="src/logger/backend-file.cpp" />
<Unit filename="src/logger/backend-journal.cpp" />
<Unit filename="src/logger/backend-stderr.cpp" />
<Unit filename="src/logger/logger-scope.cpp" />
<Unit filename="src/logger/logger.cpp" />
<Unit filename="src/nether_CynaraBackend.cpp" />
- <Unit filename="src/nether_DummyBackend.cpp" />
<Unit filename="src/nether_FileBackend.cpp" />
<Unit filename="src/nether_Main.cpp" />
<Unit filename="src/nether_Manager.cpp" />
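Review bot: `src/nether_DummyBackend.cpp` is dropped from the project unit list, yet `nether_Manager.cpp` in this same commit still constructs `new NetherDummyBackend(netherConfig)`; unless the dummy backend became header-only (its header is not shown on this page), the Code::Blocks build will fail to link that symbol. Either keep the `<Unit filename="src/nether_DummyBackend.cpp" />` entry or remove the source from `NETHER_SOURCES` as well so both build descriptions agree.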
ADD_EXECUTABLE(nether ${NETHER_SOURCES} ${VASUM_LOGGER})
-INCLUDE_DIRECTORIES (
- ../include
- ${EXTERNAL_INCLUDE_DIRS}
- ${CYNARA_INCLUDE_DIRS}
- ${NETFILTER_INCLUDE_DIRS}
- ${LOGGER_INCLUDE_DIRS}
- )
+INCLUDE_DIRECTORIES(../include
+ ${EXTERNAL_INCLUDE_DIRS}
+ ${CYNARA_INCLUDE_DIRS}
+ ${NETFILTER_INCLUDE_DIRS}
+ ${LOGGER_INCLUDE_DIRS}
+)
+
if(CYNARA_FOUND)
ADD_DEFINITIONS (-DHAVE_CYNARA=${CYNARA_FOUND})
endif()
ADD_DEFINITIONS (-D_DEBUG=1)
ENDIF(CMAKE_BUILD_TYPE MATCHES DEBUG)
-TARGET_LINK_LIBRARIES(nether ${CYNARA_LIBRARIES}
- ${NETFILTER_LIBRARIES}
- ${LOGGER_LIBRARIES} )
\ No newline at end of file
+TARGET_LINK_LIBRARIES(nether ${CYNARA_LIBRARIES}
+ ${NETFILTER_LIBRARIES}
+ ${LOGGER_LIBRARIES}
+)
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief File backend for logger
+ */
+
#include "logger/config.hpp"
#include "logger/formatter.hpp"
#include "logger/backend-file.hpp"
const std::string& func,
const std::string& message)
{
- std::ofstream out(filePath, std::ios::app);
+ std::ofstream out(mfilePath, std::ios::app);
out << LogFormatter::getHeader(logLevel, file, line, func);
out << message;
- out << "\n";
+ out << std::endl;
}
-}
+} // namespace logger
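Review bot: `std::ofstream out(mfilePath, std::ios::app)` is never checked for success, so when the configured log path cannot be opened every line is dropped silently, and the switch from `"\n"` to `std::endl` buys nothing because `out` is closed (and therefore flushed) when it goes out of scope at the end of `log()`. A minimal guard is `if (!out.is_open()) return;`; better, surface the failure once through another backend so a missing audit trail is noticed rather than assumed. Because the file is reopened from `mfilePath` on every call with plain `std::ofstream` semantics, the path should live in a directory writable only by the daemon's own user; that deployment constraint is worth stating in the class comment. `log()` begins outside this hunk.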
}
} // namespace logger
-#endif
\ No newline at end of file
+#endif // HAVE_SYSTEMD_JOURNAL
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief Syslog backend for logger
+ */
+
#include "logger/config.hpp"
#include "logger/formatter.hpp"
#include "logger/backend-syslog.hpp"
syslog(toSyslogPriority(logLevel), "%s %s", LogFormatter::getHeader(logLevel, file, line, func).c_str(), message.c_str());
}
-}
+} // namespace logger
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief Cynara policy backend for nether
+ */
+
#include "nether_CynaraBackend.h"
-// #ifdef HAVE_CYNARA
+#ifdef HAVE_CYNARA
NetherCynaraBackend::NetherCynaraBackend(const NetherConfig &netherConfig)
: NetherPolicyBackend(netherConfig), currentCynaraDescriptor(0),
LOGW("cynara_async_process failed " << cynaraErrorCodeToString(ret));
return (false);
}
-//#endif
+#endif
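Review bot: Enabling the `#ifdef HAVE_CYNARA` guard leaves this translation unit empty when the macro is absent, so a Cynara-less build then depends on `nether_CynaraBackend.h` and the factory that instantiates `NetherCynaraBackend` being guarded the same way; neither is visible in this hunk, and the Code::Blocks compiler options shown on this page do not define `HAVE_CYNARA`, so an unguarded declaration or use would surface as an undefined reference rather than a clear configuration error. Worth confirming, and if a build without Cynara is not meant to be supported, an `#else` / `#error "nether requires Cynara"` arm makes that explicit.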
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief File policy backend for nether
+ */
+
#include "nether_FileBackend.h"
NetherFileBackend::NetherFileBackend (const NetherConfig &netherConfig)
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief nether main program
+ */
+
#include "nether_Types.h"
#include "nether_Utils.h"
#include "nether_Manager.h"
case logfileBackend:
logger::Logger::setLogBackend (new logger::FileBackend(netherConfig.logBackendArgs));
break;
+#if defined(HAVE_SYSTEMD_JOURNAL)
+ case journalBackend:
+ logger::Logger::setLogBackend (new logger::SystemdJournalBackend());
+ break;
+#endif
default:
logger::Logger::setLogBackend (new logger::StderrBackend(false));
break;
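Review bot: With the new `#if defined(HAVE_SYSTEMD_JOURNAL)` block, a configuration that selects `journalBackend` on a build without journal support falls into `default:` and quietly switches to the stderr backend; if the `journalBackend` enumerator exists regardless of the macro (its definition is not in this hunk), add an `#else` arm that maps `case journalBackend:` to the stderr backend together with a warning that the journal backend was requested but not compiled in, so the operator learns why the logs ended up elsewhere. The enclosing switch begins and ends outside this hunk.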
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief Manager class implementation for nether
+ */
+
#include "nether_Manager.h"
#include "nether_CynaraBackend.h"
#include "nether_FileBackend.h"
netherBackupPolicyBackend(nullptr),
netherFallbackPolicyBackend(nullptr)
{
- netherNetlink = new NetherNetlink(netherConfig);
+ netherNetlink = std::unique_ptr<NetherNetlink> (new NetherNetlink(netherConfig));
netherNetlink->setListener (this);
- netherPrimaryPolicyBackend = getPolicyBackend (netherConfig);
+ netherPrimaryPolicyBackend = std::unique_ptr<NetherPolicyBackend> (getPolicyBackend (netherConfig));
netherPrimaryPolicyBackend->setListener (this);
- netherBackupPolicyBackend = getPolicyBackend (netherConfig, false);
+ netherBackupPolicyBackend = std::unique_ptr<NetherPolicyBackend> (getPolicyBackend (netherConfig, false));
netherBackupPolicyBackend->setListener (this);
- netherFallbackPolicyBackend = new NetherDummyBackend(netherConfig);
+ netherFallbackPolicyBackend = std::unique_ptr<NetherPolicyBackend> (new NetherDummyBackend(netherConfig));
}
NetherManager::~NetherManager()
{
- deleteAndZero (netherPrimaryPolicyBackend);
- deleteAndZero (netherBackupPolicyBackend);
- deleteAndZero (netherFallbackPolicyBackend);
- deleteAndZero (netherNetlink);
close (signalDescriptor);
}
}
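Review bot: `netherPrimaryPolicyBackend->setListener (this)` and the backup equivalent now run on a `std::unique_ptr` built from `getPolicyBackend (netherConfig)`; if that factory can return `nullptr` (for example when `HAVE_CYNARA` is not defined, per the guard added elsewhere in this commit), the constructor dereferences null instead of falling back. A check such as `if (!netherPrimaryPolicyBackend) throw std::runtime_error("no policy backend available");` before `setListener`, or an explicit fallback to the dummy backend, keeps the failure visible. The constructor's head and the factory are outside this hunk, so whether the factory can fail is inferred, not shown.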
const bool NetherManager::process()
-{
- NetherPacket receivedPacket;
- int packetReadSize;
- ssize_t signalRead;
- struct signalfd_siginfo signalfdSignalInfo;\r
+{\r
fd_set watchedReadDescriptorsSet, watchedWriteDescriptorsSet;\r
struct timeval timeoutSpecification;\r
- char packetBuffer[NETHER_PACKET_BUFFER_SIZE] __attribute__ ((aligned));\r
\r
- while (1)\r
+ for (;;)\r
{\r
- FD_ZERO (&watchedReadDescriptorsSet);
- FD_ZERO (&watchedWriteDescriptorsSet);
-
- /* Always listen for signals */
- FD_SET (signalDescriptor, &watchedReadDescriptorsSet);
-
- if ((netlinkDescriptor = netherNetlink->getDescriptor()) >= 0)
- {\r
- FD_SET(netlinkDescriptor, &watchedReadDescriptorsSet);
- }
-
- if ((backendDescriptor = netherPrimaryPolicyBackend->getDescriptor()) >= 0)
- {
- if (netherPrimaryPolicyBackend->getDescriptorStatus() == readOnly)
- {
- FD_SET(backendDescriptor, &watchedReadDescriptorsSet);
- }
- else if (netherPrimaryPolicyBackend->getDescriptorStatus() == readWrite)
- {
- FD_SET(backendDescriptor, &watchedReadDescriptorsSet);
- FD_SET(backendDescriptor, &watchedWriteDescriptorsSet);
- }
- }
-\r
- timeoutSpecification.tv_sec = 240;\r
- timeoutSpecification.tv_usec = 0;
+ setupSelectSockets (watchedReadDescriptorsSet, watchedWriteDescriptorsSet, timeoutSpecification);
\r
if (select (FD_SETSIZE, &watchedReadDescriptorsSet, &watchedWriteDescriptorsSet, NULL, &timeoutSpecification) < 0)\r
{\r
if (FD_ISSET(signalDescriptor, &watchedReadDescriptorsSet))
{
- LOGD("received signal");
- signalRead = read (signalDescriptor, &signalfdSignalInfo, sizeof(struct signalfd_siginfo));
-
- if (signalRead != sizeof(struct signalfd_siginfo))
- {
- LOGW("Received incomplete signal information, ignore");
- continue;
- }
-
- if (signalfdSignalInfo.ssi_signo == SIGHUP)
- {
- LOGI("SIGHUP received, reloading");
- if (!netherPrimaryPolicyBackend->reload())
- LOGW("primary backend failed to reload");
- if (!netherBackupPolicyBackend->reload())
- LOGW("backup backend failed to reload");
- if (!netherNetlink->reload())
- LOGW("netlink failed to reload");
- continue;
- }
+ handleSignal();
}\r
if (FD_ISSET(netlinkDescriptor, &watchedReadDescriptorsSet))\r
{
- LOGD("netlink descriptor active");
-
- /* some data arrives on netlink, read it */\r
- if ((packetReadSize = recv(netlinkDescriptor, packetBuffer, sizeof(packetBuffer), 0)) >= 0)\r
- {
- /* try to process the packet using netfilter_queue library, fetch packet info
- needed for making a decision about it */\r
- if (netherNetlink->processPacket (packetBuffer, packetReadSize))
- {
- continue;
- }
- else
- {
- /* if we can't process the incoming packets, it's bad. Let's exit now */
- LOGE("Failed to process netlink received packet, refusing to continue");
- break;
- }\r
- }
-\r
- if (packetReadSize < 0 && errno == ENOBUFS)\r
- {\r
- LOGI("NetherManager::process losing packets! [bad things might happen]");\r
- continue;\r
- }\r
-\r
- LOGE("NetherManager::process recv failed " << strerror(errno));\r
- break;\r
+ if (!handleNetlinkpacket())
+ break;\r
}
else if (FD_ISSET(backendDescriptor, &watchedReadDescriptorsSet) || FD_ISSET(backendDescriptor, &watchedWriteDescriptorsSet))
{
- LOGD("policy backend descriptor active");
netherPrimaryPolicyBackend->processEvents();
}
else
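Review bot: The `handleSignal()` call replaces code that ended in `continue`, so after a SIGHUP reload (or an incomplete signalfd read) the loop now goes on to test `netlinkDescriptor` and `backendDescriptor` against fd_sets built before the reload; if `reload()` reopens either descriptor, those values are stale for the rest of this iteration. Restoring the previous flow with `handleSignal(); continue;` keeps the reload and the next poll cleanly separated. Note also that `FD_ISSET(netlinkDescriptor, ...)` is reached with a negative descriptor when `getDescriptor()` failed, which is undefined — pre-existing, but cheap to guard now with `netlinkDescriptor >= 0 &&`. The body of `process()` continues outside this hunk.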
}
}
+void NetherManager::handleSignal()
+{
+ LOGD("received signal");
+ ssize_t signalRead;
+ struct signalfd_siginfo signalfdSignalInfo;
+
+ signalRead = read (signalDescriptor, &signalfdSignalInfo, sizeof(struct signalfd_siginfo));
+
+ if (signalRead != sizeof(struct signalfd_siginfo))
+ {
+ LOGW("Received incomplete signal information, ignore");
+ return;
+ }
+
+ if (signalfdSignalInfo.ssi_signo == SIGHUP)
+ {
+ LOGI("SIGHUP received, reloading");
+ if (!netherPrimaryPolicyBackend->reload())
+ LOGW("primary backend failed to reload");
+ if (!netherBackupPolicyBackend->reload())
+ LOGW("backup backend failed to reload");
+ if (!netherNetlink->reload())
+ LOGW("netlink failed to reload");
+ }
+}
+
+const bool NetherManager::handleNetlinkpacket()
+{
+ LOGD("netlink descriptor active");
+ int packetReadSize;
+ NetherPacket receivedPacket;
+ char packetBuffer[NETHER_PACKET_BUFFER_SIZE] __attribute__ ((aligned));
+
+ /* some data arrives on netlink, read it */\r
+ if ((packetReadSize = recv(netlinkDescriptor, packetBuffer, sizeof(packetBuffer), 0)) >= 0)\r
+ {
+ /* try to process the packet using netfilter_queue library, fetch packet info
+ needed for making a decision about it */\r
+ if (netherNetlink->processPacket (packetBuffer, packetReadSize))
+ {
+ return (true);
+ }
+ else
+ {
+ /* if we can't process the incoming packets, it's bad. Let's exit now */
+ LOGE("Failed to process netlink received packet, refusing to continue");
+ return (false);
+ }\r
+ }
+\r
+ if (packetReadSize < 0 && errno == ENOBUFS)\r
+ {\r
+ LOGI("NetherManager::process losing packets! [bad things might happen]");\r
+ return (true);\r
+ }\r
+\r
+ LOGE("NetherManager::process recv failed " << strerror(errno));\r
+ return (false);
+}
+
+void NetherManager::setupSelectSockets(fd_set &watchedReadDescriptorsSet, fd_set &watchedWriteDescriptorsSet, struct timeval &timeoutSpecification)
+{
+ FD_ZERO (&watchedReadDescriptorsSet);
+ FD_ZERO (&watchedWriteDescriptorsSet);
+
+ /* Always listen for signals */
+ FD_SET (signalDescriptor, &watchedReadDescriptorsSet);
+
+ if ((netlinkDescriptor = netherNetlink->getDescriptor()) >= 0)
+ {\r
+ FD_SET(netlinkDescriptor, &watchedReadDescriptorsSet);
+ }
+
+ if ((backendDescriptor = netherPrimaryPolicyBackend->getDescriptor()) >= 0)
+ {
+ if (netherPrimaryPolicyBackend->getDescriptorStatus() == readOnly)
+ {
+ FD_SET(backendDescriptor, &watchedReadDescriptorsSet);
+ }
+ else if (netherPrimaryPolicyBackend->getDescriptorStatus() == readWrite)
+ {
+ FD_SET(backendDescriptor, &watchedReadDescriptorsSet);
+ FD_SET(backendDescriptor, &watchedWriteDescriptorsSet);
+ }
+ }
+\r
+ timeoutSpecification.tv_sec = 240;\r
+ timeoutSpecification.tv_usec = 0;
+}
+
NetherConfig &NetherManager::getConfig()
{
return (netherConfig);
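Review bot: `setupSelectSockets` calls `FD_SET` on `signalDescriptor`, `netlinkDescriptor` and `backendDescriptor` without comparing them with `FD_SETSIZE`; `select()` cannot represent a descriptor at or above that limit and `FD_SET` on one is undefined behaviour, so a long-lived daemon that accumulates descriptors can silently stop watching its sockets — guard each `FD_SET` with an `fd < FD_SETSIZE` check that logs and skips the descriptor, or move the loop to `poll()`. In `handleNetlinkpacket`, `NetherPacket receivedPacket;` is unused and `int packetReadSize` silently narrows the `ssize_t` returned by `recv`; `ssize_t packetReadSize;` removes the narrowing. In `handleSignal`, `signalRead != sizeof(struct signalfd_siginfo)` compares signed with unsigned; `signalRead != static_cast<ssize_t>(sizeof(struct signalfd_siginfo))` keeps it warning-free, and a comment noting that signals other than SIGHUP are consumed and ignored here would help the next reader. `getConfig()` continues outside this hunk.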
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief netlink handler class for nether
+ */
+
#include "nether_Netlink.h"\r
\r
NetherNetlink::NetherNetlink(NetherConfig &netherConfig)\r
+/*
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Roman Kubiak (r.kubiak@samsung.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+/**
+ * @file
+ * @author Roman Kubiak (r.kubiak@samsung.com)
+ * @brief Network utility functions for nether
+ */
+
#include <netdb.h>
#include <linux/types.h>
#include "nether_Utils.h"
void decodePacket(NetherPacket &packet, unsigned char *payload)
{
- uint8_t ip_version = (payload[0] >> 4) & 0x0F;
+ uint8_t ipVersion = (payload[0] >> 4) & 0x0F;
- switch(ip_version)
+ switch(ipVersion)
{
case 4:
packet.protocolType = IPv4;
void decodeIPv6Packet(NetherPacket &packet, unsigned char *payload)
{
- const uint16_t start_of_ip_payload = 40;
- uint8_t next_proto;
+ const uint16_t startOfIpPayload = 40;
+ uint8_t nextProto;
memcpy(packet.localAddress, &payload[8], NETHER_NETWORK_IPV6_ADDR_LEN);
memcpy(packet.remoteAddress, &payload[24], NETHER_NETWORK_IPV6_ADDR_LEN);
- next_proto = payload[6];
+ nextProto = payload[6];
- switch(next_proto)
+ switch(nextProto)
{
case IP_PROTOCOL_UDP:
packet.transportType = UDP;
- decodeUdp(packet, &payload[start_of_ip_payload]);
+ decodeUdp(packet, &payload[startOfIpPayload]);
break;
case IP_PROTOCOL_TCP:
packet.transportType = TCP;
- decodeTcp(packet, &payload[start_of_ip_payload]);
+ decodeTcp(packet, &payload[startOfIpPayload]);
break;
case IP_PROTOCOL_ICMP:
packet.transportType = ICMP;
void decodeIPv4Packet(NetherPacket &packet, unsigned char *payload)
{
- uint16_t start_of_ip_payload = 0;
- uint8_t next_proto;
+ uint16_t startOfIpPayload = 0;
+ uint8_t nextProto;
- start_of_ip_payload = (payload[0]&0x0F) << 2;
+ startOfIpPayload = (payload[0]&0x0F) << 2;
memcpy(packet.localAddress, &payload[12], NETHER_NETWORK_IPV4_ADDR_LEN);
memcpy(packet.remoteAddress, &payload[16], NETHER_NETWORK_IPV4_ADDR_LEN);
- next_proto = payload[9];
- switch(next_proto)
+ nextProto = payload[9];
+
+ switch(nextProto)
{
case IP_PROTOCOL_UDP:
packet.transportType = UDP;
- decodeUdp(packet, &payload[start_of_ip_payload]);
+ decodeUdp(packet, &payload[startOfIpPayload]);
break;
case IP_PROTOCOL_TCP:
packet.transportType = TCP;
- decodeTcp(packet, &payload[start_of_ip_payload]);
+ decodeTcp(packet, &payload[startOfIpPayload]);
break;
case IP_PROTOCOL_ICMP:
packet.transportType = ICMP;