This CL tries to remove as much duplicated code from the IpTables class
as possible. The basic construct of running the same command with
different executables/options is extracted into a helper function.
Moreover, the unit tests are simplified by mocking one function call
higher and removing a lot of set-up duplication.
Bug: 26911013
Change-Id: Iecdacab2ef6ffa5631c877835bdfb0bf7191536c
Looks like IPv6 is working correctly, so re-enable that too.
Bug: 26911013
Change-Id: Iad0390e3a41a429460794b7c243ebca59cf64146
Currently only IPv4 traffic is handled by third party VPNs. Extend
the UID_MATCH and route setup to IPv6.
Bug: chromium:522003
TEST=`FEATURES=test emerge-link firewalld`
TEST=manual
Change-Id: I9352506e98e1fdcace093d443e2fa2b95887d720
The new libchrome has been ported from Chromium and some APIs have
changed. Make necessary changes at call sites.
Change-Id: Ib36ec8f828bfafcdaa57399cc1be12b00161b7ed
There is no longer a reliance on RTTI in libbrillo, so disable RTTI
in the rest of the Brillo codebase.
Bug: 26292405
Change-Id: I9ef4ac224141dcabb69f79e076286ee711ad0b00
BUG: 24872993
Change-Id: I24f57bbed2d5f7f543d18d05e66a33cebce364d0
libchromeos is transitioning to libbrillo, and the chromeos namespaces
and include directory are changing to brillo.
Bug: 24872993
Change-Id: Icc70ef99c10acc983a9c261faaa983e26536ad04
It's unneeded since the executable is labelled in the filesystem.
Bug: 24571067
Change-Id: I336894cb4d18ee3ea8f77b15dd95938e3426f0b7
BUG=24073089
TEST=mm on Mac host
Change-Id: Iea411b01cfa25f73ced5bde5f0c4fabdfb2f3f56
Android is using <service>.rc instead of init.<service>.rc.
Bug: 24465893
Change-Id: I87809e0f9b176b8cb605e90e3e3ef0e6e9a1a0a5
An interface name that starts or ends with a period is still not allowed.
Bug: 24382217
TEST=Manual test using apmanager
TEST=Unittests on Chrome OS
Change-Id: Iac5a7febd8b365759c4a21ccb8dc60c1ded60bbb
Now there is a better way to install the init scripts using LOCAL_INIT_RC
instead of manually copying the file with a PREBUILT rule.
Change-Id: Ie0f23ec30890dc163063e1592eb3388669f3dfbf
Our gyp build rules now support building from .dbus-xml files.
BUG=b/23380180
TEST=Built on ChromeOS with this change.
Change-Id: I689a75b478de1410f59a56d242d001e41d62124d
Now that the DBus header generation in AOSP has stabilized, we should
resolve these differences.
Bug: 23426296
Change-Id: I7de2d63efdc3a5f5d2479a3a9d6f08fc8ce9b7bb
This is not needed since chromeos-base/firewalld now depends on
chromeos-base/permission_broker-client for that.
[This landed in CrOS but was not ported to AOSP; builds successfully.]
Change-Id: I3e759c222ca65242931de4c42afeeaa18393bad5
Bug: 23380180
Change-Id: I112a65d225e5a7192cccd43f39b89e38b52116f5
This puts firewalld back in the 'main' class, but initially disabled. It
is only enabled once initial firewall setup is completed.
Bug: 23064386
Change-Id: I1d8a530153c5dc624a7d499cc10b840b46294af0
We now want firewalld to launch only after the base firewall setup has
been configured, so we need to use a special trigger for that.
Bug: 23064386
Change-Id: Ic07cea72b91ccd9913bf7cfa744a2fc911b8e4c2
__ANDROID__ is defined automatically by the toolchain.
Bug: 23358460
Change-Id: I7487625802deb48ff31da8410125fa910a88ca74
Bug: 22388998
Change-Id: I425c44b931be9965493a874cb1f386d0f188e9b0
Bug: 22608897
Change-Id: Ic9131ca64383a96cab47807daeb8257693e5eaa2
The assumes everything up to the .xml suffix is part of the interface
name, so we should be using the .dbus.xml variant here.
Bug: 23193215
Change-Id: I098b78b3fcff42f6b752bf0fd2d2f284ee7503a2
Bug: 23313270
Change-Id: Ia6beb7398e7dddfcf799acb00dc0d899f2b82003
This better matches the suggested practice.
Change-Id: I7f12c1f0da9730d0aa83ceabb2841ae415a20b3c
This will cause DBus proxies to be generated, along with corresponding
pkg_config files. An upcoming ebuild change will actually install them
to the sysroot.
[Copied over from https://chromium-review.googlesource.com/293616/]
Bug: 22827985
Change-Id: I4a5140b985d73a817e36c26b38871ef8b114288d
There's code in Chrome OS platform2 (such as permission_broker) that
depends on firewalld's DBus interface definition XML file. To avoid
build woes once we migrate Chrome OS to build firewalld from AOSP, this
adds a symlink to ensure that those dependent packages won't break. This
should be removed once all dependent packages are upgraded accordingly.
Bug: 22827985
Change-Id: Ib9a5e574db5d63526a6ebd3814095864d2eb4b9e
Building firewalld depends on the DBus bindings generator, which
currently isn't available on other hosts (notably, Darwin).
Bug: 22827985
Change-Id: I39e7b41658752090e684885bec2c905fad33aa98
* Drop firewalld/ prefix from #include paths.
* Rename the DBus interface definition to have a .dbus.xml suffix;
  needed for it to be picked up by the build infrastructure.
* Add __BRILLO__ preprocessor symbol for conditionally:
  1) Removing support for Permission Broker (currently not available and
     no concrete porting plan yet).
  2) Disabling dropping privileges in minijail invocations (yet to be
     figured out).
  3) Adapting DBus bindings header paths (slightly different).
  4) Adapting helper utility paths (iptables, iproute2).
  5) Making punching of IPv6 firewall rules optional and autodetected.
* Re-license everything to AOSP and add NOTICE and
  MODULE_LICENSE_APACHE2.
* Add Android.mk for building all the targets we need, including
  init.firewalld.rc with proper SELinux attributes (when supported).
Bug: 22827985
Change-Id: I05f74f80f95f689b4bbf60a2708e76ef5495b96e
BUG=None
TEST=Package builds fine.
Change-Id: I2ac510b748302fdaf93ecbd8c1b6a8af6ec23376
Reviewed-on: https://chromium-review.googlesource.com/291375
Tested-by: Gilad Arnold <garnold@chromium.org>
Reviewed-by: Alex Vakulenko <avakulenko@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Gilad Arnold <garnold@chromium.org>
When multiple processes use `iptables` to modify the firewall, the
command grabs an exclusive lock for the table being modified. If the
lock cannot be obtained (another instance of iptables is running),
the current instance fails with an error.
By adding -w we make it wait for the other lock to be released before
proceeding.
BUG=brillo:1240
TEST=`FEATURES=test emerge-gizmo firewalld`
test_that -b gizmo <ip> security_Firewall
Change-Id: If147f6869d2df0e8f355323a265718f1cb8d617f
Reviewed-on: https://chromium-review.googlesource.com/285512
Reviewed-by: Vitaly Buka <vitalybuka@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Alex Vakulenko <avakulenko@chromium.org>
Commit-Queue: Alex Vakulenko <avakulenko@chromium.org>
Added ObjectManager to firewalld to allow permission_broker to track the
lifetime of the top D-Bus service object and restart permission_broker
if firewalld crashes/restarts.
This will also allow waiting for firewalld to come up and finish initialization
before permission_broker's D-Bus service appears on the bus, which would eliminate
weird race conditions when the web server asks permission_broker to open
TCP ports too early (before firewalld is up and running).
BUG=brillo:1240
TEST=`FEATURES=test emerge-link firewalld permission_broker apmanager webserver`
Change-Id: I1f575b74c6a1e8e75cd4d33b6b70dda5b95f5339
Reviewed-on: https://chromium-review.googlesource.com/284975
Tested-by: Alex Vakulenko <avakulenko@chromium.org>
Reviewed-by: Vitaly Buka <vitalybuka@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Alex Vakulenko <avakulenko@chromium.org>
This header pulls in glib dependencies which aren't used in these
codebases.
BUG=chromium:508218
TEST=trybots
Change-Id: Iecf8dfcdd8064b1feb694382eea55c3f0df572d3
Reviewed-on: https://chromium-review.googlesource.com/284053
Tested-by: Christopher Wiley <wiley@chromium.org>
Reviewed-by: Alex Vakulenko <avakulenko@chromium.org>
Commit-Queue: Christopher Wiley <wiley@chromium.org>
Trybot-Ready: Christopher Wiley <wiley@chromium.org>
permission_broker uses firewalld to modify firewall rules. The firewall
rules must be modified only once the global firewall rules have been
configured at system startup.
Made firewalld wait until both the iptables and ip6tables upstart jobs
finish, and made the permission_broker upstart job fully dependent
on firewalld.
BUG=brillo:1240
TEST=`USE="wifi_bootstrapping peerd buffet" ./build_packages && \
./build_image --noenable_rootfs_verification test && \
cros flash <link-ip-address>`
TEST=`./build_packages --board=gizmo && \
./build_image --noenable_rootfs_verification test && \
cros flash 100.96.49.59`
TEST=`test_that -b link 100.96.49.59 security_Firewall`
Change-Id: Ia4cc5f156182ceebcc4eb35da1a32ea5b376823c
Reviewed-on: https://chromium-review.googlesource.com/284818
Trybot-Ready: Alex Vakulenko <avakulenko@chromium.org>
Tested-by: Alex Vakulenko <avakulenko@chromium.org>
Reviewed-by: Vitaly Buka <vitalybuka@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Alex Vakulenko <avakulenko@chromium.org>
libchrome r334380 has the following breaking changes that need to be fixed:
- base::JSONWriter::Write() and base::JSONWriter::WriteWithOptions() take
"const base::Value&" instead of "const base::Value*"
- base::JSONReader::Read() and base::JSONReader::ReadAndReturnError()
return a scoped_ptr<base::Value> instead of base::Value*
- base/safe_strerror_posix.h is moved to base/posix/safe_strerror.h
- safe_strerror() is now in "base" namespace
- StartsWithASCII(), EndsWith(), StringToUpperASCII(), LowerCaseEqualsASCII()
are now in "base" namespace
- ObserverList<T> is now in "base" namespace
- base::PrintTo(base::FilePath) used in gtest is now moved to libchrome-test
library and as such, unit test runners need to link to this library now.
- crypto::RSAPrivateKey::CreateSensitive() is now removed from //crypto, so
some of the tests in chromeos-login that used that function had to be changed
to use crypto::GenerateRSAKeyPairNSS() directly.
- UnixDomainSocket class is now in "base" namespace
- Pickle class is now in "base" namespace
BUG=chromium:496469
TEST=`./build_packages`
CQ-DEPEND=CL:277662
Change-Id: I36e5fbf2e36a92068873ffbd44020c862a3ed9e3
Reviewed-on: https://chromium-review.googlesource.com/277671
Reviewed-by: Alex Vakulenko <avakulenko@chromium.org>
Commit-Queue: Alex Vakulenko <avakulenko@chromium.org>
Trybot-Ready: Alex Vakulenko <avakulenko@chromium.org>
Tested-by: Alex Vakulenko <avakulenko@chromium.org>
BUG=chromium:487019
TEST=Unit tests, platform_Firewall
CQ-DEPEND=CL:270621
Change-Id: Ic49e7d7912d96f9cec29cf2a3f34f50e71c02391
Reviewed-on: https://chromium-review.googlesource.com/270170
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Bartosz Fabianowski <bartfab@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
This CL paves the way to launch 'ip(6)tables' using Minijail. We cannot
use the current approach of providing test-only binaries because Minijail
will not work when running as non-root (such as in unit tests). Therefore,
we need to mock {Add|Delete}Accept.
Also add an Exec() method to wrap the Minijail invocation in the future,
and clean up some of the unit tests.
BUG=chromium:487019
TEST=Existing unit tests.
Change-Id: I6ddf41bf5c2e8e7fa8f6369d08a3fb37ad2edeb6
Reviewed-on: https://chromium-review.googlesource.com/270341
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Bartosz Fabianowski <bartfab@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
This CL adds a unit test for the ApplyVpnSetup routine added to firewalld
for supporting third party VPN in Chrome OS.
BUG=chromium:460418
TEST=Ran the unit test
Change-Id: Ice71477f6c3ab9ee76de48ced94d535e015e00fb
Reviewed-on: https://chromium-review.googlesource.com/256302
Tested-by: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
Commit-Queue: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
Previously, interface names could only contain alphanumerics.
BUG=none
TEST=ran iptables unit tests
Change-Id: I19951389f7fef54f74568592f6988fd5da1b164b
Reviewed-on: https://chromium-review.googlesource.com/255152
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Aaron Kemp <kemp@google.com>
Commit-Queue: Aaron Kemp <kemp@google.com>
If/when permission_broker exits, plug all firewall holes.
BUG=None
TEST=Manual: deploy to device, punch a hole.
TEST='restart permission_broker', holes are punched.
Change-Id: I3885b2338ad25f79c50a7f8c0aa4375e092ecceb
Reviewed-on: https://chromium-review.googlesource.com/253790
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
This CL adds routines to firewalld that enable network traffic to
be marked based on user id and masquerading rules for network
interfaces.
BUG=chromium:458075
TEST=Manual testing
Change-Id: I81e08f1c20bf99887ac87c9970fcc2a58dcd2355
Reviewed-on: https://chromium-review.googlesource.com/249111
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
Commit-Queue: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
BUG=brillo:252
TEST=Unit tests.
Change-Id: I784472ce5f0c7d0649b38e48bd23b3acba9ffbbc
Reviewed-on: https://chromium-review.googlesource.com/249982
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Alex Vakulenko <avakulenko@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
This is the first patch in a two-patch series. It adds support for specifying
interfaces to firewalld. The next patch will make permission_broker use this
support.
BUG=brillo:185
TEST=unit tests
TEST=platform_Firewall
Change-Id: Ic3247a20a55427e85a4fb1ff4beadb813f8e9b7c
Reviewed-on: https://chromium-review.googlesource.com/249360
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Zeping Qiu <zqiu@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
BUG=None
TEST=None
Change-Id: I1779fd99987455ddf04ebce1fa7878ec8a0522a3
Reviewed-on: https://chromium-review.googlesource.com/247803
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
BUG=chromium:435400
TEST=Deploy, reboot, firewalld is running.
Change-Id: I1f10e5ccb606dd6b1f24a41e3556b8ae8002844c
Reviewed-on: https://chromium-review.googlesource.com/246272
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Zeping Qiu <zqiu@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Some other rule on the system might drop the packets before the accept rule
gets to them, so insert the rule at the beginning of the chain.
BUG=chromium:435400
TEST=Unit tests pass, Autotest passes.
Change-Id: I16e61cbe4e3e53db1ab2b436dbbace7ebe26b1c7
Reviewed-on: https://chromium-review.googlesource.com/247141
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Zeping Qiu <zqiu@chromium.org>
BUG=chromium:435400
TEST=unit tests
Change-Id: I4afa4264332ed3ef2eb0e4fafbbb7917e5c995ba
Reviewed-on: https://chromium-review.googlesource.com/244492
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Chris Masone <cmasone@chromium.org>
Also, make {Add|Delete}AllowRule non-static since they always use
|executable_path_|.
BUG=chromium:435400
TEST=Add firewall hole via D-Bus, check 'iptables -S', see firewall hole.
TEST=Stop daemon, check 'iptables -S', firewall hole is gone.
Change-Id: Id6d0db376d34ba21997b29dc45aef435590b55fa
Reviewed-on: https://chromium-review.googlesource.com/241716
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
BUG=chromium:435400
TEST=With overlay CL, 'start firewalld', 'stop firewalld' work.
Change-Id: I0277f1c219a495def465f52b8b0180a412f141cc
Reviewed-on: https://chromium-review.googlesource.com/241479
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
BUG=chromium:435400
TEST=emerge-expresso firewalld; file is present in build root.
Change-Id: I329f5ecc1aba67e9abbe46a8a50f574e4cf67ef8
Reviewed-on: https://chromium-review.googlesource.com/238761
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
BUG=chromium:435400
TEST=New unit tests pass.
TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \
/org/chromium/firewalld \
org.chromium.firewalld.PunchUdpHole uint16:53 succeeds.
TEST='iptables -S' shows the new rule.
TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \
/org/chromium/firewalld \
org.chromium.firewalld.PlugUdpHole uint16:53 succeeds.
TEST='iptables -S' no longer shows the new rule.
TEST=TCP 80 works as well.
Change-Id: I5a3d0b52038e2adba0b695471daeb06101eabcb1
Reviewed-on: https://chromium-review.googlesource.com/234433
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>