1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <sys/socket.h>
17 #include <sys/types.h>
18
19 #include "netfirewall_service.h"
20 #include "ipc_skeleton.h"
21 #include "bundle_constants.h"
22 #include "iremote_object.h"
23 #include "net_event_report.h"
24 #include "net_manager_center.h"
25 #include "net_manager_constants.h"
26 #include "net_manager_ext_constants.h"
27 #include "netfirewall_default_rule_parser.h"
28 #include "netfirewall_db_helper.h"
29 #include "netfirewall_hisysevent.h"
30 #include "netmanager_base_common_utils.h"
31 #include "netmanager_base_permission.h"
32 #include "netmanager_hitrace.h"
33 #include "netmgr_ext_log_wrapper.h"
34 #include "system_ability_definition.h"
35 #include "netsys_controller.h"
36 #include "netfirewall_intercept_recorder.h"
37
38 namespace OHOS {
39 namespace NetManagerStandard {
40 constexpr int64_t QUERY_USER_ID_DELAY_TIME_MS = 300L;
41 constexpr int32_t QUERY_USER_MAX_RETRY_TIMES = 100;
42
43 namespace {
44 const std::string PUSH_RESULT_SUCCESS = "Success";
45 const std::string PUSH_RESULT_FAILD = "Faild";
46 const std::string PUSH_RESULT_UNKONW = "Unkonw";
47 } // namespace
48
49 const bool REGISTER_LOCAL_RESULT_NETFIREWALL =
50 SystemAbility::MakeAndRegisterAbility(DelayedSingleton<NetFirewallService>::GetInstance().get());
51
52 std::shared_ptr<ffrt::queue> NetFirewallService::ffrtServiceHandler_;
53
NetFirewallService()54 NetFirewallService::NetFirewallService() : SystemAbility(COMM_FIREWALL_MANAGER_SYS_ABILITY_ID, true)
55 {
56 NETMGR_EXT_LOG_I("NetFirewallService()");
57 }
58
~NetFirewallService()59 NetFirewallService::~NetFirewallService()
60 {
61 NETMGR_EXT_LOG_I("~NetFirewallService()");
62 }
63
SetCurrentUserId(int32_t userId)64 void NetFirewallService::SetCurrentUserId(int32_t userId)
65 {
66 currentUserId_ = userId;
67 NetFirewallPolicyManager::GetInstance().SetCurrentUserId(currentUserId_);
68 NetFirewallInterceptRecorder::GetInstance()->SetCurrentUserId(currentUserId_);
69 // set current userid to native
70 NetFirewallRuleNativeHelper::GetInstance().SetCurrentUserId(currentUserId_);
71 }
72
GetCurrentAccountId()73 int32_t NetFirewallService::GetCurrentAccountId()
74 {
75 std::vector<int32_t> accountIds;
76 auto ret = AccountSA::OsAccountManager::QueryActiveOsAccountIds(accountIds);
77 if (ret != ERR_OK || accountIds.empty()) {
78 NETMGR_EXT_LOG_E("query active user failed errCode=%{public}d", ret);
79 return FIREWALL_ERR_INTERNAL;
80 }
81 SetCurrentUserId(accountIds.front());
82 return currentUserId_;
83 }
84
85 /**
86 * Turn on or off the firewall
87 *
88 * @param userId User id
89 * @param policy The firewall status to be set
90 * @return Returns 0 success. Otherwise fail
91 */
SetNetFirewallPolicy(const int32_t userId,const sptr<NetFirewallPolicy> & policy)92 int32_t NetFirewallService::SetNetFirewallPolicy(const int32_t userId, const sptr<NetFirewallPolicy> &policy)
93 {
94 NETMGR_EXT_LOG_I("SetNetFirewallPolicy userId=%{public}d isOpen= %{public}d, inAction=%{public}d", userId,
95 policy->isOpen, policy->inAction);
96 int32_t ret = CheckUserExist(userId);
97 if (ret != FIREWALL_SUCCESS) {
98 return ret;
99 }
100 ret = NetFirewallPolicyManager::GetInstance().SetNetFirewallPolicy(userId, policy);
101 if (ret != FIREWALL_SUCCESS) {
102 return ret;
103 }
104
105 if (userId == currentUserId_) {
106 // If the firewall switch status of the current user has changed, determine whether to issue it
107 if (NetFirewallPolicyManager::GetInstance().IsFirewallStatusChange(policy)) {
108 // netfirewall rules to native
109 NetFirewallRuleManager::GetInstance().OpenOrCloseNativeFirewall(policy->isOpen);
110 }
111 if (NetFirewallPolicyManager::GetInstance().IsFirewallActionChange(policy)) {
112 NetsysController::GetInstance().SetFirewallDefaultAction(policy->inAction, policy->outAction);
113 }
114 NetFirewallPolicyManager::GetInstance().SetCurrentUserFirewallPolicy(policy);
115 }
116
117 return ret;
118 }
119
120 /**
121 * Query firewall status
122 *
123 * @param userId User id
124 * @param status status of user userId
125 * @return Returns 0 success. Otherwise fail
126 */
GetNetFirewallPolicy(const int32_t userId,sptr<NetFirewallPolicy> & policy)127 int32_t NetFirewallService::GetNetFirewallPolicy(const int32_t userId, sptr<NetFirewallPolicy> &policy)
128 {
129 NETMGR_EXT_LOG_I("GetNetFirewallPolicy");
130 int32_t ret = CheckUserExist(userId);
131 if (ret != FIREWALL_SUCCESS) {
132 return ret;
133 }
134 NetFirewallPolicyManager::GetInstance().GetNetFirewallPolicy(userId, policy);
135 return FIREWALL_SUCCESS;
136 }
137
AddNetFirewallRule(const sptr<NetFirewallRule> & rule,int32_t & ruleId)138 int32_t NetFirewallService::AddNetFirewallRule(const sptr<NetFirewallRule> &rule, int32_t &ruleId)
139 {
140 return NetFirewallRuleManager::GetInstance().AddNetFirewallRule(rule, ruleId);
141 }
142
AddDefaultNetFirewallRule(int32_t userId)143 int32_t NetFirewallService::AddDefaultNetFirewallRule(int32_t userId)
144 {
145 return NetFirewallRuleManager::GetInstance().AddDefaultNetFirewallRule(userId);
146 }
147
UpdateNetFirewallRule(const sptr<NetFirewallRule> & rule)148 int32_t NetFirewallService::UpdateNetFirewallRule(const sptr<NetFirewallRule> &rule)
149 {
150 return NetFirewallRuleManager::GetInstance().UpdateNetFirewallRule(rule);
151 }
152
DeleteNetFirewallRule(const int32_t userId,const int32_t ruleId)153 int32_t NetFirewallService::DeleteNetFirewallRule(const int32_t userId, const int32_t ruleId)
154 {
155 return NetFirewallRuleManager::GetInstance().DeleteNetFirewallRule(userId, ruleId);
156 }
157
GetNetFirewallRules(const int32_t userId,const sptr<RequestParam> & requestParam,sptr<FirewallRulePage> & info)158 int32_t NetFirewallService::GetNetFirewallRules(const int32_t userId, const sptr<RequestParam> &requestParam,
159 sptr<FirewallRulePage> &info)
160 {
161 return NetFirewallRuleManager::GetInstance().GetNetFirewallRules(userId, requestParam, info);
162 }
163
GetNetFirewallRule(const int32_t userId,const int32_t ruleId,sptr<NetFirewallRule> & rule)164 int32_t NetFirewallService::GetNetFirewallRule(const int32_t userId, const int32_t ruleId, sptr<NetFirewallRule> &rule)
165 {
166 return NetFirewallRuleManager::GetInstance().GetNetFirewallRule(userId, ruleId, rule);
167 }
168
GetInterceptRecords(const int32_t userId,const sptr<RequestParam> & requestParam,sptr<InterceptRecordPage> & info)169 int32_t NetFirewallService::GetInterceptRecords(const int32_t userId, const sptr<RequestParam> &requestParam,
170 sptr<InterceptRecordPage> &info)
171 {
172 NETMGR_EXT_LOG_I("GetInterceptRecords");
173 int32_t ret = CheckUserExist(userId);
174 if (ret != FIREWALL_SUCCESS) {
175 return ret;
176 }
177 // Cache data writing to avoid not being able to access new data
178 NetFirewallInterceptRecorder::GetInstance()->SyncRecordCache();
179 return NetFirewallInterceptRecorder::GetInstance()->GetInterceptRecords(userId, requestParam, info);
180 }
181
CheckUserExist(const int32_t userId)182 int32_t NetFirewallService::CheckUserExist(const int32_t userId)
183 {
184 AccountSA::OsAccountInfo accountInfo;
185 if (AccountSA::OsAccountManager::QueryOsAccountById(userId, accountInfo) != ERR_OK) {
186 NETMGR_EXT_LOG_E("QueryOsAccountById error, userId: %{public}d.", userId);
187 return FIREWALL_ERR_NO_USER;
188 }
189 return FIREWALL_SUCCESS;
190 }
191
Dump(int32_t fd,const std::vector<std::u16string> & args)192 int32_t NetFirewallService::Dump(int32_t fd, const std::vector<std::u16string> &args)
193 {
194 std::string result;
195 GetDumpMessage(result);
196 NETMGR_EXT_LOG_I("NetFirewall dump fd: %{public}d, content: %{public}s", fd, result.c_str());
197 int32_t ret = dprintf(fd, "%s\n", result.c_str());
198 if (ret < 0) {
199 NETMGR_EXT_LOG_E("dprintf failed, errno[%{public}d]", errno);
200 return FIREWALL_ERR_INTERNAL;
201 }
202 return FIREWALL_SUCCESS;
203 }
204
GetDumpMessage(std::string & message)205 void NetFirewallService::GetDumpMessage(std::string &message)
206 {
207 message.append("NetFirewall Info:\n");
208 message.append("\tServiceRunningState: " + GetServiceState() + "\n");
209 message.append("\tSpendTimeMSec: " + std::to_string(serviceSpendTime_) + "ms" + "\n");
210 std::map<int32_t, bool> firewallStateMap;
211 GetAllUserFirewallState(firewallStateMap);
212 message.append("\t");
213 for (const auto &pair : firewallStateMap) {
214 std::string userId = std::to_string(pair.first);
215 std::string state = pair.second ? "Enable" : "Disable";
216 message.append("UserId: " + userId + " " + state + ", ");
217 }
218 message.append("\n");
219 message.append("\tLastRulePushTime: " + GetLastRulePushTime() + "\n");
220 message.append("\tLastRulePushResult: " + GetLastRulePushResult() + "\n");
221 }
222
GetServiceState()223 std::string NetFirewallService::GetServiceState()
224 {
225 return (state_ == ServiceRunningState::STATE_RUNNING) ? "Running" : "Stop";
226 }
227
GetLastRulePushTime()228 std::string NetFirewallService::GetLastRulePushTime()
229 {
230 currentSetRuleSecond_ = NetFirewallRuleManager::GetInstance().GetCurrentSetRuleSecond();
231 if (currentSetRuleSecond_ == 0) {
232 return PUSH_RESULT_UNKONW;
233 }
234 return std::to_string(currentSetRuleSecond_);
235 }
236
GetLastRulePushResult()237 std::string NetFirewallService::GetLastRulePushResult()
238 {
239 lastRulePushResult_ = NetFirewallRuleManager::GetInstance().GetLastRulePushResult();
240 if (lastRulePushResult_ == FIREWALL_SUCCESS) {
241 return PUSH_RESULT_SUCCESS;
242 }
243 if (lastRulePushResult_ < 0) {
244 return PUSH_RESULT_UNKONW;
245 }
246 return PUSH_RESULT_FAILD;
247 }
248
GetAllUserFirewallState(std::map<int32_t,bool> & firewallStateMap)249 int32_t NetFirewallService::GetAllUserFirewallState(std::map<int32_t, bool> &firewallStateMap)
250 {
251 std::vector<AccountSA::OsAccountInfo> osAccountInfos;
252 AccountSA::OsAccountManager::QueryAllCreatedOsAccounts(osAccountInfos);
253 size_t size = osAccountInfos.size();
254 for (const auto &info : osAccountInfos) {
255 int32_t userId = info.GetLocalId();
256 firewallStateMap[userId] = NetFirewallPolicyManager::GetInstance().IsNetFirewallOpen(userId);
257 }
258 return FIREWALL_SUCCESS;
259 }
260
OnStart()261 void NetFirewallService::OnStart()
262 {
263 NETMGR_EXT_LOG_I("OnStart()");
264 uint64_t startServiceTime = GetCurrentMilliseconds();
265 if (state_ == ServiceRunningState::STATE_RUNNING) {
266 NETMGR_EXT_LOG_I("PcfirewallService is already running.");
267 return;
268 }
269
270 if (!REGISTER_LOCAL_RESULT_NETFIREWALL) {
271 NETMGR_EXT_LOG_E("Register to local sa manager failed");
272 return;
273 }
274 if (!isServicePublished_) {
275 if (!Publish(DelayedSingleton<NetFirewallService>::GetInstance().get())) {
276 NETMGR_EXT_LOG_E("Register to sa manager failed");
277 return;
278 }
279 isServicePublished_ = true;
280 }
281
282 state_ = ServiceRunningState::STATE_RUNNING;
283
284 AddSystemAbilityListener(COMM_NETSYS_NATIVE_SYS_ABILITY_ID);
285 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
286 if (OnInit() != FIREWALL_SUCCESS) {
287 NETMGR_EXT_LOG_E("Init data failed");
288 return;
289 }
290 serviceSpendTime_ = GetCurrentMilliseconds() - startServiceTime;
291 }
292
OnInit()293 int32_t NetFirewallService::OnInit()
294 {
295 InitServiceHandler();
296 InitQueryUserId(QUERY_USER_MAX_RETRY_TIMES);
297 SubscribeCommonEvent();
298 NetFirewallInterceptRecorder::GetInstance()->RegisterInterceptCallback();
299 return FIREWALL_SUCCESS;
300 }
301
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)302 void NetFirewallService::OnAddSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
303 {
304 NETMGR_EXT_LOG_I("OnAddSystemAbility systemAbilityId:%{public}d added!", systemAbilityId);
305 if (systemAbilityId == COMM_NETSYS_NATIVE_SYS_ABILITY_ID) {
306 if (hasSaRemoved_) {
307 NETMGR_EXT_LOG_I("native reboot, reset firewall rules.");
308 NetFirewallRuleManager::GetInstance().OpenOrCloseNativeFirewall(
309 NetFirewallPolicyManager::GetInstance().IsCurrentFirewallOpen());
310 NetFirewallInterceptRecorder::GetInstance()->RegisterInterceptCallback();
311 hasSaRemoved_ = false;
312 }
313 // After the universal service is launched, you can register for broadcast monitoring
314 } else if (systemAbilityId == COMMON_EVENT_SERVICE_ID && subscriber_ != nullptr) {
315 RegisterSubscribeCommonEvent();
316 }
317 }
318
InitUsersOnBoot()319 bool NetFirewallService::InitUsersOnBoot()
320 {
321 std::vector<int32_t> userIds;
322 if (AccountSA::OsAccountManager::QueryActiveOsAccountIds(userIds) != ERR_OK || userIds.empty()) {
323 NETMGR_EXT_LOG_E("PcfirewallService: failed to get current userIds");
324 return false;
325 }
326 SetCurrentUserId(userIds.front());
327 NETMGR_EXT_LOG_I("PcfirewallService::get current userIds success, Current userId: %{public}d",
328 currentUserId_.load());
329 InitQueryNetFirewallRules();
330 return true;
331 }
332
InitQueryUserId(int32_t times)333 void NetFirewallService::InitQueryUserId(int32_t times)
334 {
335 times--;
336 bool ret = InitUsersOnBoot();
337 if (!ret && times > 0) {
338 NETMGR_EXT_LOG_I("InitQueryUserId failed");
339 ffrtServiceHandler_->submit([this, times]() { InitQueryUserId(times); },
340 ffrt::task_attr().delay(QUERY_USER_ID_DELAY_TIME_MS).name("InitQueryUserId"));
341 }
342 }
343
InitQueryNetFirewallRules()344 void NetFirewallService::InitQueryNetFirewallRules()
345 {
346 NetFirewallRuleManager::GetInstance().OpenOrCloseNativeFirewall(
347 NetFirewallPolicyManager::GetInstance().IsCurrentFirewallOpen());
348 }
349
InitServiceHandler()350 void NetFirewallService::InitServiceHandler()
351 {
352 if (ffrtServiceHandler_ != nullptr) {
353 NETMGR_EXT_LOG_E("InitServiceHandler already init.");
354 return;
355 }
356 ffrtServiceHandler_ =
357 std::make_shared<ffrt::queue>("NetFirewallService", ffrt::queue_attr().qos(ffrt::qos_utility));
358 NETMGR_EXT_LOG_I("InitServiceHandler succeeded.");
359 }
360
OnStop()361 void NetFirewallService::OnStop()
362 {
363 if (state_ != ServiceRunningState::STATE_RUNNING) {
364 return;
365 }
366 NetFirewallInterceptRecorder::GetInstance()->SyncRecordCache();
367 ffrtServiceHandler_.reset();
368 ffrtServiceHandler_ = nullptr;
369 if (subscriber_ != nullptr) {
370 bool unSubscribeResult = OHOS::EventFwk::CommonEventManager::UnSubscribeCommonEvent(subscriber_);
371 subscriber_ = nullptr;
372 NETMGR_EXT_LOG_I("UnregisterSubscriber end, unSubscribeResult = %{public}d", unSubscribeResult);
373 }
374 NetFirewallInterceptRecorder::GetInstance()->UnRegisterInterceptCallback();
375 state_ = ServiceRunningState::STATE_NOT_START;
376 NETMGR_EXT_LOG_I("OnStop end.");
377 }
378
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)379 void NetFirewallService::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
380 {
381 NETMGR_EXT_LOG_I("OnRemoveSystemAbility systemAbilityId:%{public}d removed!", systemAbilityId);
382 if (systemAbilityId == COMM_NETSYS_NATIVE_SYS_ABILITY_ID) {
383 hasSaRemoved_ = true;
384 } else if (systemAbilityId == COMMON_EVENT_SERVICE_ID) {
385 OHOS::EventFwk::CommonEventManager::UnSubscribeCommonEvent(subscriber_);
386 subscriber_ = nullptr;
387 }
388 }
389
SubscribeCommonEvent()390 void NetFirewallService::SubscribeCommonEvent()
391 {
392 EventFwk::MatchingSkills matchingSkills;
393 matchingSkills.AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED);
394 matchingSkills.AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_USER_SWITCHED);
395 matchingSkills.AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED);
396 EventFwk::CommonEventSubscribeInfo subscribeInfo(matchingSkills);
397 // 1 means CORE_EVENT_PRIORITY
398 subscribeInfo.SetPriority(1);
399 subscriber_ = std::make_shared<ReceiveMessage>(subscribeInfo, shared_from_this());
400 RegisterSubscribeCommonEvent();
401 }
402
RegisterSubscribeCommonEvent()403 void NetFirewallService::RegisterSubscribeCommonEvent()
404 {
405 // If the universal service has not been loaded yet, registering for broadcasting will fail
406 if (!EventFwk::CommonEventManager::SubscribeCommonEvent(subscriber_)) {
407 NETMGR_EXT_LOG_E("SubscribeCommonEvent fail");
408 subscriber_ = nullptr;
409 }
410 }
411
OnReceiveEvent(const EventFwk::CommonEventData & eventData)412 void NetFirewallService::ReceiveMessage::OnReceiveEvent(const EventFwk::CommonEventData &eventData)
413 {
414 const auto &action = eventData.GetWant().GetAction();
415 const auto &data = eventData.GetData();
416 const auto &code = eventData.GetCode();
417 NETMGR_EXT_LOG_I("NetVReceiveMessage::OnReceiveEvent(), event:[%{public}s], data:[%{public}s], code:[%{public}d]",
418 action.c_str(), data.c_str(), code);
419 int32_t userId = code;
420 if (action == EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED) {
421 NetFirewallRuleManager::GetInstance().DeleteNetFirewallRuleByUserId(userId);
422 NetFirewallPolicyManager::GetInstance().ClearFirewallPolicy(userId);
423 NetFirewallDbHelper::GetInstance().DeleteInterceptRecord(userId);
424 NetFirewallRuleManager::GetInstance().DeleteUserRuleSize(userId);
425 return;
426 }
427 if (action == EventFwk::CommonEventSupport::COMMON_EVENT_USER_SWITCHED) {
428 // Old user cache cleaning
429 NetFirewallInterceptRecorder::GetInstance()->SyncRecordCache();
430 NetFirewallPolicyManager::GetInstance().ClearCurrentFirewallPolicy();
431 netfirewallService_->SetCurrentUserId(userId);
432 // Old user native bpf cleaning
433 NetFirewallRuleNativeHelper::GetInstance().ClearFirewallRules(NetFirewallRuleType::RULE_ALL);
434 NetFirewallRuleManager::GetInstance().OpenOrCloseNativeFirewall(
435 NetFirewallPolicyManager::GetInstance().IsCurrentFirewallOpen());
436 return;
437 }
438 if (action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED) {
439 if (eventData.GetWant().GetIntParam(AppExecFwk::Constants::UID, 0) < 0) {
440 NETMGR_EXT_LOG_E("error:deletedUid < 0!,return");
441 return;
442 }
443 uint32_t deletedUid = static_cast<uint32_t>(eventData.GetWant().GetIntParam(AppExecFwk::Constants::UID, 0));
444 NETMGR_EXT_LOG_I("NetFirewallService: deletedUid %{public}d", deletedUid);
445 NetFirewallRuleManager::GetInstance().DeleteNetFirewallRuleByAppId(deletedUid);
446 }
447 }
448 } // namespace NetManagerStandard
449 } // namespace OHOS
450