author | Jorge Lucangeli Obes <jorgelo@chromium.org> | 2015-02-25 14:14:29 -0800 |
committer | Gilad Arnold <garnold@google.com> | 2015-08-10 23:11:52 -0700 |
commit | 650d229bfc31be30636c2ac62f242952e4f583d4 (patch) | |
tree | b4cc337718829bd8e55ca1bf210c74e7910a9bef | |
parent | 40653d0e058ff0f7908b28874224bbb085e99905 (diff) | |
firewalld: Monitor permission_broker lifetime.
If/when permission_broker exits, plug all firewall holes.
BUG=None
TEST=Manual: deploy to device, punch a hole.
TEST='restart permission_broker', holes are punched.
Change-Id: I3885b2338ad25f79c50a7f8c0aa4375e092ecceb
Reviewed-on: https://chromium-review.googlesource.com/253790
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
-rw-r--r-- | firewall_service.cc | 18 | ||||
-rw-r--r-- | firewall_service.h | 8 | ||||
-rw-r--r-- | firewalld.gyp | 16 | ||||
-rw-r--r-- | iptables.h | 5 |
4 files changed, 43 insertions, 4 deletions
diff --git a/firewall_service.cc b/firewall_service.cc
index 0b02967..2bc5645 100644
--- a/firewall_service.cc
+++ b/firewall_service.cc
@@ -11,11 +11,27 @@ namespace firewalld {
 FirewallService::FirewallService(const scoped_refptr<dbus::Bus>& bus) : org::chromium::FirewalldAdaptor(&iptables_),
-      dbus_object_{nullptr, bus, dbus::ObjectPath{kFirewallServicePath}} {}
+      dbus_object_{nullptr, bus, dbus::ObjectPath{kFirewallServicePath}},
+      weak_ptr_factory_{this} {}
 void FirewallService::RegisterAsync(const CompletionAction& callback) {
   RegisterWithDBusObject(&dbus_object_);
+
+  // Track permission_broker's lifetime so that we can close firewall holes
+  // if/when permission_broker exits.
+  permission_broker_.reset(
+      new org::chromium::PermissionBroker::ObjectManagerProxy(
+          dbus_object_.GetBus()));
+  permission_broker_->SetPermissionBrokerRemovedCallback(
+      base::Bind(&FirewallService::OnPermissionBrokerRemoved,
+                 weak_ptr_factory_.GetWeakPtr()));
+
   dbus_object_.RegisterAsync(callback);
 }
+void FirewallService::OnPermissionBrokerRemoved(const dbus::ObjectPath& path) {
+  LOG(INFO) << "permission_broker died, plugging all firewall holes";
+  iptables_.PlugAllHoles();
+}
+
 } // namespace firewalld
diff --git a/firewall_service.h b/firewall_service.h
index 208ef81..6ffc2c0 100644
--- a/firewall_service.h
+++ b/firewall_service.h
@@ -8,8 +8,11 @@
 #include <base/callback.h>
 #include <base/macros.h>
 #include <base/memory/scoped_ptr.h>
+#include <base/memory/weak_ptr.h>
 #include <chromeos/dbus/dbus_object.h>
+#include "permission_broker/dbus-proxies.h"
+
 #include "firewalld/dbus_adaptor/org.chromium.Firewalld.h"
 #include "firewalld/iptables.h"
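Review bot: OnPermissionBrokerRemoved drops its `path` argument and logs that permission_broker "died", but as far as the proxy API visible here shows, the callback fires whenever the PermissionBroker object leaves the bus, which presumably includes a clean restart, so the log should record what was observed rather than assert a cause: `LOG(INFO) << "permission_broker object " << path.value() << " removed, plugging all firewall holes";`. Because the cleanup is driven by an asynchronous D-Bus signal, holes remain open between permission_broker's exit and delivery of that signal; a comment on the handler saying that this is the fail-closed path and that the window is bounded by bus latency would help the next reader. PlugAllHoles() is called without any result, so if an iptables invocation fails the hole stays open with nothing in the log — worth confirming against iptables.cc, which is not in this diff.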
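Review bot: The header's private section (next hunk) now declares a `std::unique_ptr<...> permission_broker_` member, but this include block adds only `<base/memory/weak_ptr.h>` and the generated proxy header, so `std::unique_ptr` is reached through a transitive include (probably `scoped_ptr.h`). Add `#include <memory>` ahead of the `<base/...>` includes so the header stands on its own. The generated `"permission_broker/dbus-proxies.h"` is also placed among the angle-bracket system includes; moving it next to the other quoted project includes would match the file's existing grouping.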
@@ -27,9 +30,14 @@ class FirewallService : public org::chromium::FirewalldAdaptor {
   void RegisterAsync(const CompletionAction& callback);
  private:
+  void OnPermissionBrokerRemoved(const dbus::ObjectPath& path);
+
   chromeos::dbus_utils::DBusObject dbus_object_;
+  std::unique_ptr<org::chromium::PermissionBroker::ObjectManagerProxy>
+      permission_broker_;
   IpTables iptables_;
+  base::WeakPtrFactory<FirewallService> weak_ptr_factory_;
   DISALLOW_COPY_AND_ASSIGN(FirewallService);
 };
diff --git a/firewalld.gyp b/firewalld.gyp
index 2a7ea3c..692112a 100644
--- a/firewalld.gyp
+++ b/firewalld.gyp
@@ -16,6 +16,20 @@
         'firewall_service.cc',
         'iptables.cc',
       ],
+      'actions': [
+        {
+          'action_name': 'generate-permission_broker-proxies',
+          'variables': {
+            'dbus_service_config': '<(platform2_root)/permission_broker/dbus_bindings/dbus-service-config.json',
+            'proxy_output_file': 'include/permission_broker/dbus-proxies.h',
+            'dbus_adaptors_out_dir': '',
+          },
+          'sources': [
+            '<(platform2_root)/permission_broker/dbus_bindings/org.chromium.PermissionBroker.xml',
+          ],
+          'includes': ['../common-mk/generate-dbus-proxies.gypi'],
+        },
+      ],
     },
     {
       'target_name': 'firewalld-dbus-adaptor',
@@ -34,7 +48,7 @@
       'type': 'executable',
       'dependencies': [
         'libfirewalld',
-        'firewalld-dbus-adaptor'
+        'firewalld-dbus-adaptor',
       ],
       'sources': ['main.cc'],
     },
@@ -39,6 +39,9 @@ class IpTables : public org::chromium::FirewalldInterface {
   bool RemoveVpnSetup(const std::vector<std::string>& usernames, const std::string& interface) override;
+  // Close all outstanding firewall holes.
+  void PlugAllHoles();
+
  protected:
   // Test-only.
   explicit IpTables(const std::string& ip4_path, const std::string& ip6_path);
@@ -55,8 +58,6 @@ class IpTables : public org::chromium::FirewalldInterface {
                      std::set<Hole>* holes, ProtocolEnum protocol);
-  void PlugAllHoles();
-
   bool AddAcceptRules(ProtocolEnum protocol, uint16_t port, const std::string& interface);
|
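Review bot: `weak_ptr_factory_` is declared after `permission_broker_` and `iptables_`, and that order is load-bearing: members are destroyed in reverse, so the factory invalidates its weak pointers before the proxy that holds one is torn down, which is what keeps the removal callback from firing into a partially destroyed FirewallService. Nothing in the hunk records that, so a future reordering would silently reintroduce the hazard; add `// Must be the last member: invalidates weak pointers held by permission_broker_ before the other members are destroyed.` above the factory. `OnPermissionBrokerRemoved` also lacks a comment; `// Called when the PermissionBroker object leaves the bus; plugs every outstanding firewall hole.` states the contract the caller relies on.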
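Review bot: PlugAllHoles() becomes the public fail-closed entry point in this hunk but still returns void, so the new caller in firewall_service.cc cannot tell whether the rules were actually removed, while the neighbouring public method `RemoveVpnSetup` reports success with a bool. If the implementation in iptables.cc (not in this diff) can fail on an iptables invocation, `bool PlugAllHoles();` returning false when any rule was not deleted lets the caller log it — a silently failed plug leaves a port open with no trace. At minimum the new comment should state what remains in the hole set when a deletion fails part-way, since that is what the next call will operate on.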