authorJorge Lucangeli Obes <jorgelo@chromium.org>2015-02-25 14:14:29 -0800
committerGilad Arnold <garnold@google.com>2015-08-10 23:11:52 -0700
commit650d229bfc31be30636c2ac62f242952e4f583d4 (patch)
treeb4cc337718829bd8e55ca1bf210c74e7910a9bef
parent40653d0e058ff0f7908b28874224bbb085e99905 (diff)
firewalld: Monitor permission_broker lifetime.
If/when permission_broker exits, plug all firewall holes. BUG=None TEST=Manual: deploy to device, punch a hole. TEST='restart permission_broker', holes are punched. Change-Id: I3885b2338ad25f79c50a7f8c0aa4375e092ecceb Reviewed-on: https://chromium-review.googlesource.com/253790 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org> Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
-rw-r--r--firewall_service.cc18
-rw-r--r--firewall_service.h8
-rw-r--r--firewalld.gyp16
-rw-r--r--iptables.h5
4 files changed, 43 insertions, 4 deletions
diff --git a/firewall_service.cc b/firewall_service.cc
index 0b02967..2bc5645 100644
--- a/firewall_service.cc
+++ b/firewall_service.cc
@@ -11,11 +11,27 @@ namespace firewalld {
FirewallService::FirewallService(const scoped_refptr<dbus::Bus>& bus)
: org::chromium::FirewalldAdaptor(&iptables_),
- dbus_object_{nullptr, bus, dbus::ObjectPath{kFirewallServicePath}} {}
+ dbus_object_{nullptr, bus, dbus::ObjectPath{kFirewallServicePath}},
+ weak_ptr_factory_{this} {}
void FirewallService::RegisterAsync(const CompletionAction& callback) {
RegisterWithDBusObject(&dbus_object_);
+
+ // Track permission_broker's lifetime so that we can close firewall holes
+ // if/when permission_broker exits.
+ permission_broker_.reset(
+ new org::chromium::PermissionBroker::ObjectManagerProxy(
+ dbus_object_.GetBus()));
+ permission_broker_->SetPermissionBrokerRemovedCallback(
+ base::Bind(&FirewallService::OnPermissionBrokerRemoved,
+ weak_ptr_factory_.GetWeakPtr()));
+
dbus_object_.RegisterAsync(callback);
}
+void FirewallService::OnPermissionBrokerRemoved(const dbus::ObjectPath& path) {
+ LOG(INFO) << "permission_broker died, plugging all firewall holes";
+ iptables_.PlugAllHoles();
+}
+
} // namespace firewalld
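Review bot: OnPermissionBrokerRemoved discards the `path` it is handed and plugs every hole unconditionally; if the generated proxy's removed callback can fire for more than the single broker object (not visible here) the handler should check the path, and either way recording it makes the event attributable in the log: `LOG(INFO) << "permission_broker at " << path.value() << " removed, plugging all firewall holes";`. The proxy is only constructed inside RegisterAsync, so a broker that exits before registration completes is not observed — presumably no holes can exist by then, but a short comment on the `permission_broker_.reset(` line stating that assumption would help the next reader. A header comment on the new method, e.g. `// Invoked by the ObjectManager proxy when permission_broker's D-Bus object disappears; nothing can release its holes any more, so close them all.`, would document the contract that the body relies on.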
diff --git a/firewall_service.h b/firewall_service.h
index 208ef81..6ffc2c0 100644
--- a/firewall_service.h
+++ b/firewall_service.h
@@ -8,8 +8,11 @@
#include <base/callback.h>
#include <base/macros.h>
#include <base/memory/scoped_ptr.h>
+#include <base/memory/weak_ptr.h>
#include <chromeos/dbus/dbus_object.h>
+#include "permission_broker/dbus-proxies.h"
+
#include "firewalld/dbus_adaptor/org.chromium.Firewalld.h"
#include "firewalld/iptables.h"
@@ -27,9 +30,14 @@ class FirewallService : public org::chromium::FirewalldAdaptor {
void RegisterAsync(const CompletionAction& callback);
private:
+ void OnPermissionBrokerRemoved(const dbus::ObjectPath& path);
+
chromeos::dbus_utils::DBusObject dbus_object_;
+ std::unique_ptr<org::chromium::PermissionBroker::ObjectManagerProxy>
+ permission_broker_;
IpTables iptables_;
+ base::WeakPtrFactory<FirewallService> weak_ptr_factory_;
DISALLOW_COPY_AND_ASSIGN(FirewallService);
};
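Review bot: `weak_ptr_factory_` is correctly declared as the last member, but nothing says that this ordering is required; the conventional comment `// Must be the last member so that weak pointers are invalidated before the other members are torn down.` on the line above it would keep a future reorder from reintroducing a use-after-free in the removed callback. `OnPermissionBrokerRemoved` is declared without any comment; a line such as `// Called when permission_broker's D-Bus object goes away; closes every open hole.` would state its purpose where callers look for it. The class body begins outside this hunk.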
diff --git a/firewalld.gyp b/firewalld.gyp
index 2a7ea3c..692112a 100644
--- a/firewalld.gyp
+++ b/firewalld.gyp
@@ -16,6 +16,20 @@
'firewall_service.cc',
'iptables.cc',
],
+ 'actions': [
+ {
+ 'action_name': 'generate-permission_broker-proxies',
+ 'variables': {
+ 'dbus_service_config': '<(platform2_root)/permission_broker/dbus_bindings/dbus-service-config.json',
+ 'proxy_output_file': 'include/permission_broker/dbus-proxies.h',
+ 'dbus_adaptors_out_dir': '',
+ },
+ 'sources': [
+ '<(platform2_root)/permission_broker/dbus_bindings/org.chromium.PermissionBroker.xml',
+ ],
+ 'includes': ['../common-mk/generate-dbus-proxies.gypi'],
+ },
+ ],
},
{
'target_name': 'firewalld-dbus-adaptor',
@@ -34,7 +48,7 @@
'type': 'executable',
'dependencies': [
'libfirewalld',
- 'firewalld-dbus-adaptor'
+ 'firewalld-dbus-adaptor',
],
'sources': ['main.cc'],
},
diff --git a/iptables.h b/iptables.h
index 92a891d..f1d0624 100644
--- a/iptables.h
+++ b/iptables.h
@@ -39,6 +39,9 @@ class IpTables : public org::chromium::FirewalldInterface {
bool RemoveVpnSetup(const std::vector<std::string>& usernames,
const std::string& interface) override;
+ // Close all outstanding firewall holes.
+ void PlugAllHoles();
+
protected:
// Test-only.
explicit IpTables(const std::string& ip4_path, const std::string& ip6_path);
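Review bot: `PlugAllHoles` is promoted to the public interface returning `void`, so the new caller in FirewallService cannot tell whether every hole was actually closed; if the implementation (outside this hunk) can fail on an iptables invocation, a port left open after permission_broker's exit would go unnoticed. Consider returning `bool` (false when any hole could not be plugged) or at least documenting the failure behaviour, e.g. `// Close all outstanding firewall holes. Failures to remove a rule are logged but not reported.` — adjusted to what the implementation really does. The existing comment only restates the name; saying that this entry point exists for the permission_broker-exit path would also explain why it is public.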
@@ -55,8 +58,6 @@ class IpTables : public org::chromium::FirewalldInterface {
std::set<Hole>* holes,
ProtocolEnum protocol);
- void PlugAllHoles();
-
bool AddAcceptRules(ProtocolEnum protocol,
uint16_t port,
const std::string& interface);