From 98fd309ef9847664213bf4ba963467fc00f328a2 Mon Sep 17 00:00:00 2001 From: RomanKubiak Date: Thu, 16 Jul 2015 16:57:24 +0200 Subject: [PATCH] Added the README.md file for github Added license info to files Using unique_ptr<> in manager Broke up the process() method in manager Change-Id: I980d281d7decae6d1e23b9f5937117449ac627e3 --- README.md | 15 +++ config/setrules.sh | 19 +++- include/logger/backend-file.hpp | 28 ++++- include/logger/backend-syslog.hpp | 24 +++++ include/nether_CynaraBackend.h | 24 +++++ include/nether_FileBackend.h | 24 +++++ include/nether_Manager.h | 32 +++++- include/nether_Netlink.h | 24 +++++ include/nether_PolicyBackend.h | 24 +++++ include/nether_Types.h | 25 +++++ include/nether_Utils.h | 25 +++++ nether.cbp | 8 +- src/CMakeLists.txt | 21 ++-- src/logger/backend-file.cpp | 30 +++++- src/logger/backend-journal.cpp | 2 +- src/logger/backend-syslog.cpp | 26 ++++- src/nether_CynaraBackend.cpp | 28 ++++- src/nether_FileBackend.cpp | 24 +++++ src/nether_Main.cpp | 29 ++++++ src/nether_Manager.cpp | 213 ++++++++++++++++++++++---------------- src/nether_Netlink.cpp | 24 +++++ src/nether_NetworkUtils.cpp | 55 +++++++--- 22 files changed, 596 insertions(+), 128 deletions(-) create mode 100644 README.md mode change 100755 => 100644 config/setrules.sh diff --git a/README.md b/README.md new file mode 100644 index 0000000..58650fa --- /dev/null +++ b/README.md @@ -0,0 +1,15 @@ +# nether + +An application firewall that enforces the "internet" +privileges in Tizen. It uses Cynara as a policy backend +and the NFQUEUE target in netfilter to make decisiions +about outgoing connections and network packets. + +The policy backend can be re-implemented by overloading +the NetherPolicyBackend class (there is a simple File based +backend included for testing). + +A default policy can be specified in case the policy +backend stops working. + + diff --git a/config/setrules.sh b/config/setrules.sh old mode 100755 new mode 100644 index 94e6e40..9c2d168 --- a/config/setrules.sh +++ b/config/setrules.sh @@ -1,3 +1,20 @@ +# +# Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved +# +# Contact: Roman Kubiak (r.kubiak@samsung.com) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License +# #!/bin/bash DENY_CHAIN="NETHER-DENY" ALLOWLOG_CHAIN="NETHER-ALLOWLOG" @@ -30,7 +47,7 @@ function clean { function create { echo "Creating chain" echo - runcmd iptables -N $DENY_CHAIN + runcmd iptables -N $DENY_CHAIN runcmd iptables -N $ALLOWLOG_CHAIN runcmd iptables -A $DENY_CHAIN -j AUDIT --type REJECT runcmd iptables -A $DENY_CHAIN -j REJECT diff --git a/include/logger/backend-file.hpp b/include/logger/backend-file.hpp index 9a108d1..2fc4822 100644 --- a/include/logger/backend-file.hpp +++ b/include/logger/backend-file.hpp @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief File backend for logger + */ + #ifndef COMMON_LOGGER_BACKEND_FILE_HPP #define COMMON_LOGGER_BACKEND_FILE_HPP @@ -7,14 +31,14 @@ namespace logger { class FileBackend : public LogBackend { public: - FileBackend(const std::string &_filePath) : filePath(_filePath) {} + FileBackend(const std::string &filePath) : mfilePath(filePath) {} void log(LogLevel logLevel, const std::string& file, const unsigned int& line, const std::string& func, const std::string& message) override; private: - std::string filePath; + std::string mfilePath; }; } // namespace logger diff --git a/include/logger/backend-syslog.hpp b/include/logger/backend-syslog.hpp index 23450b5..045fdec 100644 --- a/include/logger/backend-syslog.hpp +++ b/include/logger/backend-syslog.hpp @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief Syslog backend for logger + */ + #ifndef COMMON_LOGGER_BACKEND_SYSLOG_HPP #define COMMON_LOGGER_BACKEND_SYSLOG_HPP diff --git a/include/nether_CynaraBackend.h b/include/nether_CynaraBackend.h index 1242797..a8bc88e 100644 --- a/include/nether_CynaraBackend.h +++ b/include/nether_CynaraBackend.h @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief Cynara policy backend for nether + */ + #ifndef NETHER_CYNARA_BACKEND_H #define NETHER_CYNARA_BACKEND_H diff --git a/include/nether_FileBackend.h b/include/nether_FileBackend.h index 4060153..213b87f 100644 --- a/include/nether_FileBackend.h +++ b/include/nether_FileBackend.h @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief File policy backend for nether + */ + #ifndef NETHER_FILE_BACKEND_H #define NETHER_FILE_BACKEND_H diff --git a/include/nether_Manager.h b/include/nether_Manager.h index 8e58d56..aa8630e 100644 --- a/include/nether_Manager.h +++ b/include/nether_Manager.h @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief Manager class implementation for nether + */ + #ifndef NETHER_MANAGER_H #define NETHER_MANAGER_H @@ -19,9 +43,11 @@ class NetherManager : public NetherVerdictListener, public NetherProcessedPacket void packetReceived (const NetherPacket &packet); private: - NetherPolicyBackend *netherPrimaryPolicyBackend, *netherBackupPolicyBackend; - NetherDummyBackend *netherFallbackPolicyBackend; - NetherNetlink *netherNetlink; + void handleSignal(); + const bool handleNetlinkpacket(); + void setupSelectSockets(fd_set &watchedReadDescriptorsSet, fd_set &watchedWriteDescriptorsSet, struct timeval &timeoutSpecification); + std::unique_ptr netherPrimaryPolicyBackend, netherBackupPolicyBackend, netherFallbackPolicyBackend; + std::unique_ptr netherNetlink; NetherConfig netherConfig; int netlinkDescriptor, backendDescriptor, signalDescriptor; sigset_t signalMask; diff --git a/include/nether_Netlink.h b/include/nether_Netlink.h index 8b934a7..eac959c 100644 --- a/include/nether_Netlink.h +++ b/include/nether_Netlink.h @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief netlink handler class for nether + */ + #ifndef NETHER_NETLINK_H #define NETHER_NETLINK_H diff --git a/include/nether_PolicyBackend.h b/include/nether_PolicyBackend.h index 55879bf..222780c 100644 --- a/include/nether_PolicyBackend.h +++ b/include/nether_PolicyBackend.h @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief definition of a policy backend class + */ + #ifndef NETHER_POLICY_BACKEND_H #define NETHER_POLICY_BACKEND_H diff --git a/include/nether_Types.h b/include/nether_Types.h index 624abe8..e3ce8c0 100644 --- a/include/nether_Types.h +++ b/include/nether_Types.h @@ -1,3 +1,28 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief types used in nether + */ + + #ifndef NETHER_TYPES_H #define NETHER_TYPES_H diff --git a/include/nether_Utils.h b/include/nether_Utils.h index 5d654e9..90505a4 100644 --- a/include/nether_Utils.h +++ b/include/nether_Utils.h @@ -1,3 +1,28 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief utility functions + */ + + #ifndef NETHER_UTILS_H #define NETHER_UTILS_H #include "nether_Types.h" diff --git a/nether.cbp b/nether.cbp index aeedfa5..5ee498d 100644 --- a/nether.cbp +++ b/nether.cbp @@ -69,6 +69,10 @@ + + + + @@ -89,6 +93,9 @@ + + + @@ -99,7 +106,6 @@ - diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 3585b3d..d6bc873 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -6,13 +6,13 @@ PKG_CHECK_MODULES (LOGGER libsystemd-journal QUIET) ADD_EXECUTABLE(nether ${NETHER_SOURCES} ${VASUM_LOGGER}) -INCLUDE_DIRECTORIES ( - ../include - ${EXTERNAL_INCLUDE_DIRS} - ${CYNARA_INCLUDE_DIRS} - ${NETFILTER_INCLUDE_DIRS} - ${LOGGER_INCLUDE_DIRS} - ) +INCLUDE_DIRECTORIES(../include + ${EXTERNAL_INCLUDE_DIRS} + ${CYNARA_INCLUDE_DIRS} + ${NETFILTER_INCLUDE_DIRS} + ${LOGGER_INCLUDE_DIRS} +) + if(CYNARA_FOUND) ADD_DEFINITIONS (-DHAVE_CYNARA=${CYNARA_FOUND}) endif() @@ -25,6 +25,7 @@ IF(CMAKE_BUILD_TYPE MATCHES DEBUG) ADD_DEFINITIONS (-D_DEBUG=1) ENDIF(CMAKE_BUILD_TYPE MATCHES DEBUG) -TARGET_LINK_LIBRARIES(nether ${CYNARA_LIBRARIES} - ${NETFILTER_LIBRARIES} - ${LOGGER_LIBRARIES} ) \ No newline at end of file +TARGET_LINK_LIBRARIES(nether ${CYNARA_LIBRARIES} + ${NETFILTER_LIBRARIES} + ${LOGGER_LIBRARIES} +) diff --git a/src/logger/backend-file.cpp b/src/logger/backend-file.cpp index fcfd1bf..f5828e8 100644 --- a/src/logger/backend-file.cpp +++ b/src/logger/backend-file.cpp @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief File backend for logger + */ + #include "logger/config.hpp" #include "logger/formatter.hpp" #include "logger/backend-file.hpp" @@ -12,11 +36,11 @@ void FileBackend::log(LogLevel logLevel, const std::string& func, const std::string& message) { - std::ofstream out(filePath, std::ios::app); + std::ofstream out(mfilePath, std::ios::app); out << LogFormatter::getHeader(logLevel, file, line, func); out << message; - out << "\n"; + out << std::endl; } -} +} // namespace logger diff --git a/src/logger/backend-journal.cpp b/src/logger/backend-journal.cpp index 85cb46f..af147cd 100644 --- a/src/logger/backend-journal.cpp +++ b/src/logger/backend-journal.cpp @@ -69,4 +69,4 @@ void SystemdJournalBackend::log(LogLevel logLevel, } } // namespace logger -#endif \ No newline at end of file +#endif // HAVE_SYSTEMD_JOURNAL diff --git a/src/logger/backend-syslog.cpp b/src/logger/backend-syslog.cpp index 0542e46..42e8ca0 100644 --- a/src/logger/backend-syslog.cpp +++ b/src/logger/backend-syslog.cpp @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief Syslog backend for logger + */ + #include "logger/config.hpp" #include "logger/formatter.hpp" #include "logger/backend-syslog.hpp" @@ -39,4 +63,4 @@ void SyslogBackend::log(LogLevel logLevel, syslog(toSyslogPriority(logLevel), "%s %s", LogFormatter::getHeader(logLevel, file, line, func).c_str(), message.c_str()); } -} +} // namespace logger diff --git a/src/nether_CynaraBackend.cpp b/src/nether_CynaraBackend.cpp index 10b426e..e3ec282 100644 --- a/src/nether_CynaraBackend.cpp +++ b/src/nether_CynaraBackend.cpp @@ -1,6 +1,30 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief Cynara policy backend for nether + */ + #include "nether_CynaraBackend.h" -// #ifdef HAVE_CYNARA +#ifdef HAVE_CYNARA NetherCynaraBackend::NetherCynaraBackend(const NetherConfig &netherConfig) : NetherPolicyBackend(netherConfig), currentCynaraDescriptor(0), @@ -153,4 +177,4 @@ const bool NetherCynaraBackend::processEvents() LOGW("cynara_async_process failed " << cynaraErrorCodeToString(ret)); return (false); } -//#endif +#endif diff --git a/src/nether_FileBackend.cpp b/src/nether_FileBackend.cpp index b73281e..a6c6f81 100644 --- a/src/nether_FileBackend.cpp +++ b/src/nether_FileBackend.cpp @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief File policy backend for nether + */ + #include "nether_FileBackend.h" NetherFileBackend::NetherFileBackend (const NetherConfig &netherConfig) diff --git a/src/nether_Main.cpp b/src/nether_Main.cpp index 1ab5e9b..08b98fa 100644 --- a/src/nether_Main.cpp +++ b/src/nether_Main.cpp @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief nether main program + */ + #include "nether_Types.h" #include "nether_Utils.h" #include "nether_Manager.h" @@ -114,6 +138,11 @@ int main(int argc, char *argv[]) case logfileBackend: logger::Logger::setLogBackend (new logger::FileBackend(netherConfig.logBackendArgs)); break; +#if defined(HAVE_SYSTEMD_JOURNAL) + case journalBackend: + logger::Logger::setLogBackend (new logger::SystemdJournalBackend()); + break; +#endif default: logger::Logger::setLogBackend (new logger::StderrBackend(false)); break; diff --git a/src/nether_Manager.cpp b/src/nether_Manager.cpp index 0ec0ae6..5f78bdf 100644 --- a/src/nether_Manager.cpp +++ b/src/nether_Manager.cpp @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief Manager class implementation for nether + */ + #include "nether_Manager.h" #include "nether_CynaraBackend.h" #include "nether_FileBackend.h" @@ -9,24 +33,20 @@ NetherManager::NetherManager(const NetherConfig &_netherConfig) netherBackupPolicyBackend(nullptr), netherFallbackPolicyBackend(nullptr) { - netherNetlink = new NetherNetlink(netherConfig); + netherNetlink = std::unique_ptr (new NetherNetlink(netherConfig)); netherNetlink->setListener (this); - netherPrimaryPolicyBackend = getPolicyBackend (netherConfig); + netherPrimaryPolicyBackend = std::unique_ptr (getPolicyBackend (netherConfig)); netherPrimaryPolicyBackend->setListener (this); - netherBackupPolicyBackend = getPolicyBackend (netherConfig, false); + netherBackupPolicyBackend = std::unique_ptr (getPolicyBackend (netherConfig, false)); netherBackupPolicyBackend->setListener (this); - netherFallbackPolicyBackend = new NetherDummyBackend(netherConfig); + netherFallbackPolicyBackend = std::unique_ptr (new NetherDummyBackend(netherConfig)); } NetherManager::~NetherManager() { - deleteAndZero (netherPrimaryPolicyBackend); - deleteAndZero (netherBackupPolicyBackend); - deleteAndZero (netherFallbackPolicyBackend); - deleteAndZero (netherNetlink); close (signalDescriptor); } @@ -80,43 +100,13 @@ const bool NetherManager::initialize() } const bool NetherManager::process() -{ - NetherPacket receivedPacket; - int packetReadSize; - ssize_t signalRead; - struct signalfd_siginfo signalfdSignalInfo; +{ fd_set watchedReadDescriptorsSet, watchedWriteDescriptorsSet; struct timeval timeoutSpecification; - char packetBuffer[NETHER_PACKET_BUFFER_SIZE] __attribute__ ((aligned)); - while (1) + for (;;) { - FD_ZERO (&watchedReadDescriptorsSet); - FD_ZERO (&watchedWriteDescriptorsSet); - - /* Always listen for signals */ - FD_SET (signalDescriptor, &watchedReadDescriptorsSet); - - if ((netlinkDescriptor = netherNetlink->getDescriptor()) >= 0) - { - FD_SET(netlinkDescriptor, &watchedReadDescriptorsSet); - } - - if ((backendDescriptor = netherPrimaryPolicyBackend->getDescriptor()) >= 0) - { - if (netherPrimaryPolicyBackend->getDescriptorStatus() == readOnly) - { - FD_SET(backendDescriptor, &watchedReadDescriptorsSet); - } - else if (netherPrimaryPolicyBackend->getDescriptorStatus() == readWrite) - { - FD_SET(backendDescriptor, &watchedReadDescriptorsSet); - FD_SET(backendDescriptor, &watchedWriteDescriptorsSet); - } - } - - timeoutSpecification.tv_sec = 240; - timeoutSpecification.tv_usec = 0; + setupSelectSockets (watchedReadDescriptorsSet, watchedWriteDescriptorsSet, timeoutSpecification); if (select (FD_SETSIZE, &watchedReadDescriptorsSet, &watchedWriteDescriptorsSet, NULL, &timeoutSpecification) < 0) { @@ -126,60 +116,15 @@ const bool NetherManager::process() if (FD_ISSET(signalDescriptor, &watchedReadDescriptorsSet)) { - LOGD("received signal"); - signalRead = read (signalDescriptor, &signalfdSignalInfo, sizeof(struct signalfd_siginfo)); - - if (signalRead != sizeof(struct signalfd_siginfo)) - { - LOGW("Received incomplete signal information, ignore"); - continue; - } - - if (signalfdSignalInfo.ssi_signo == SIGHUP) - { - LOGI("SIGHUP received, reloading"); - if (!netherPrimaryPolicyBackend->reload()) - LOGW("primary backend failed to reload"); - if (!netherBackupPolicyBackend->reload()) - LOGW("backup backend failed to reload"); - if (!netherNetlink->reload()) - LOGW("netlink failed to reload"); - continue; - } + handleSignal(); } if (FD_ISSET(netlinkDescriptor, &watchedReadDescriptorsSet)) { - LOGD("netlink descriptor active"); - - /* some data arrives on netlink, read it */ - if ((packetReadSize = recv(netlinkDescriptor, packetBuffer, sizeof(packetBuffer), 0)) >= 0) - { - /* try to process the packet using netfilter_queue library, fetch packet info - needed for making a decision about it */ - if (netherNetlink->processPacket (packetBuffer, packetReadSize)) - { - continue; - } - else - { - /* if we can't process the incoming packets, it's bad. Let's exit now */ - LOGE("Failed to process netlink received packet, refusing to continue"); - break; - } - } - - if (packetReadSize < 0 && errno == ENOBUFS) - { - LOGI("NetherManager::process losing packets! [bad things might happen]"); - continue; - } - - LOGE("NetherManager::process recv failed " << strerror(errno)); - break; + if (!handleNetlinkpacket()) + break; } else if (FD_ISSET(backendDescriptor, &watchedReadDescriptorsSet) || FD_ISSET(backendDescriptor, &watchedWriteDescriptorsSet)) { - LOGD("policy backend descriptor active"); netherPrimaryPolicyBackend->processEvents(); } else @@ -189,6 +134,96 @@ const bool NetherManager::process() } } +void NetherManager::handleSignal() +{ + LOGD("received signal"); + ssize_t signalRead; + struct signalfd_siginfo signalfdSignalInfo; + + signalRead = read (signalDescriptor, &signalfdSignalInfo, sizeof(struct signalfd_siginfo)); + + if (signalRead != sizeof(struct signalfd_siginfo)) + { + LOGW("Received incomplete signal information, ignore"); + return; + } + + if (signalfdSignalInfo.ssi_signo == SIGHUP) + { + LOGI("SIGHUP received, reloading"); + if (!netherPrimaryPolicyBackend->reload()) + LOGW("primary backend failed to reload"); + if (!netherBackupPolicyBackend->reload()) + LOGW("backup backend failed to reload"); + if (!netherNetlink->reload()) + LOGW("netlink failed to reload"); + } +} + +const bool NetherManager::handleNetlinkpacket() +{ + LOGD("netlink descriptor active"); + int packetReadSize; + NetherPacket receivedPacket; + char packetBuffer[NETHER_PACKET_BUFFER_SIZE] __attribute__ ((aligned)); + + /* some data arrives on netlink, read it */ + if ((packetReadSize = recv(netlinkDescriptor, packetBuffer, sizeof(packetBuffer), 0)) >= 0) + { + /* try to process the packet using netfilter_queue library, fetch packet info + needed for making a decision about it */ + if (netherNetlink->processPacket (packetBuffer, packetReadSize)) + { + return (true); + } + else + { + /* if we can't process the incoming packets, it's bad. Let's exit now */ + LOGE("Failed to process netlink received packet, refusing to continue"); + return (false); + } + } + + if (packetReadSize < 0 && errno == ENOBUFS) + { + LOGI("NetherManager::process losing packets! [bad things might happen]"); + return (true); + } + + LOGE("NetherManager::process recv failed " << strerror(errno)); + return (false); +} + +void NetherManager::setupSelectSockets(fd_set &watchedReadDescriptorsSet, fd_set &watchedWriteDescriptorsSet, struct timeval &timeoutSpecification) +{ + FD_ZERO (&watchedReadDescriptorsSet); + FD_ZERO (&watchedWriteDescriptorsSet); + + /* Always listen for signals */ + FD_SET (signalDescriptor, &watchedReadDescriptorsSet); + + if ((netlinkDescriptor = netherNetlink->getDescriptor()) >= 0) + { + FD_SET(netlinkDescriptor, &watchedReadDescriptorsSet); + } + + if ((backendDescriptor = netherPrimaryPolicyBackend->getDescriptor()) >= 0) + { + if (netherPrimaryPolicyBackend->getDescriptorStatus() == readOnly) + { + FD_SET(backendDescriptor, &watchedReadDescriptorsSet); + } + else if (netherPrimaryPolicyBackend->getDescriptorStatus() == readWrite) + { + FD_SET(backendDescriptor, &watchedReadDescriptorsSet); + FD_SET(backendDescriptor, &watchedWriteDescriptorsSet); + } + } + + timeoutSpecification.tv_sec = 240; + timeoutSpecification.tv_usec = 0; +} + NetherConfig &NetherManager::getConfig() { return (netherConfig); diff --git a/src/nether_Netlink.cpp b/src/nether_Netlink.cpp index ed2dd67..2326cab 100644 --- a/src/nether_Netlink.cpp +++ b/src/nether_Netlink.cpp @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief netlink handler class for nether + */ + #include "nether_Netlink.h" NetherNetlink::NetherNetlink(NetherConfig &netherConfig) diff --git a/src/nether_NetworkUtils.cpp b/src/nether_NetworkUtils.cpp index c6e1072..2d2c4d2 100644 --- a/src/nether_NetworkUtils.cpp +++ b/src/nether_NetworkUtils.cpp @@ -1,3 +1,27 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Roman Kubiak (r.kubiak@samsung.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file + * @author Roman Kubiak (r.kubiak@samsung.com) + * @brief Network utility functions for nether + */ + #include #include #include "nether_Utils.h" @@ -14,9 +38,9 @@ void decodePacket(NetherPacket &packet, unsigned char *payload) { - uint8_t ip_version = (payload[0] >> 4) & 0x0F; + uint8_t ipVersion = (payload[0] >> 4) & 0x0F; - switch(ip_version) + switch(ipVersion) { case 4: packet.protocolType = IPv4; @@ -35,23 +59,23 @@ void decodePacket(NetherPacket &packet, unsigned char *payload) void decodeIPv6Packet(NetherPacket &packet, unsigned char *payload) { - const uint16_t start_of_ip_payload = 40; - uint8_t next_proto; + const uint16_t startOfIpPayload = 40; + uint8_t nextProto; memcpy(packet.localAddress, &payload[8], NETHER_NETWORK_IPV6_ADDR_LEN); memcpy(packet.remoteAddress, &payload[24], NETHER_NETWORK_IPV6_ADDR_LEN); - next_proto = payload[6]; + nextProto = payload[6]; - switch(next_proto) + switch(nextProto) { case IP_PROTOCOL_UDP: packet.transportType = UDP; - decodeUdp(packet, &payload[start_of_ip_payload]); + decodeUdp(packet, &payload[startOfIpPayload]); break; case IP_PROTOCOL_TCP: packet.transportType = TCP; - decodeTcp(packet, &payload[start_of_ip_payload]); + decodeTcp(packet, &payload[startOfIpPayload]); break; case IP_PROTOCOL_ICMP: packet.transportType = ICMP; @@ -67,24 +91,25 @@ void decodeIPv6Packet(NetherPacket &packet, unsigned char *payload) void decodeIPv4Packet(NetherPacket &packet, unsigned char *payload) { - uint16_t start_of_ip_payload = 0; - uint8_t next_proto; + uint16_t startOfIpPayload = 0; + uint8_t nextProto; - start_of_ip_payload = (payload[0]&0x0F) << 2; + startOfIpPayload = (payload[0]&0x0F) << 2; memcpy(packet.localAddress, &payload[12], NETHER_NETWORK_IPV4_ADDR_LEN); memcpy(packet.remoteAddress, &payload[16], NETHER_NETWORK_IPV4_ADDR_LEN); - next_proto = payload[9]; - switch(next_proto) + nextProto = payload[9]; + + switch(nextProto) { case IP_PROTOCOL_UDP: packet.transportType = UDP; - decodeUdp(packet, &payload[start_of_ip_payload]); + decodeUdp(packet, &payload[startOfIpPayload]); break; case IP_PROTOCOL_TCP: packet.transportType = TCP; - decodeTcp(packet, &payload[start_of_ip_payload]); + decodeTcp(packet, &payload[startOfIpPayload]); break; case IP_PROTOCOL_ICMP: packet.transportType = ICMP; -- 2.7.4