diff options
author | cyberta <cyberta@riseup.net> | 2020-01-24 14:21:34 -0600 |
---|---|---|
committer | cyberta <cyberta@riseup.net> | 2020-01-24 14:21:34 -0600 |
commit | 0fe9d37a223b388103e2924e6d1a28bcb0ae38fd (patch) | |
tree | 655c25f7cc02ac0fa374ecc8a00cab840553e3ee /app/src/main/java/se/leap/bitmaskclient/firewall | |
parent | 2ff2358861bcd0c05586f972724ef76e5a67060c (diff) |
rearrange firewalling code, move to separate package
Diffstat (limited to 'app/src/main/java/se/leap/bitmaskclient/firewall')
4 files changed, 209 insertions, 0 deletions
diff --git a/app/src/main/java/se/leap/bitmaskclient/firewall/FirewallCallback.java b/app/src/main/java/se/leap/bitmaskclient/firewall/FirewallCallback.java new file mode 100644 index 00000000..f6ccd227 --- /dev/null +++ b/app/src/main/java/se/leap/bitmaskclient/firewall/FirewallCallback.java @@ -0,0 +1,7 @@ +package se.leap.bitmaskclient.firewall; + +interface FirewallCallback { + void onFirewallStarted(boolean success); + void onFirewallStopped(boolean success); + void onSuRequested(boolean success); +} diff --git a/app/src/main/java/se/leap/bitmaskclient/firewall/FirewallManager.java b/app/src/main/java/se/leap/bitmaskclient/firewall/FirewallManager.java new file mode 100644 index 00000000..a3be46e6 --- /dev/null +++ b/app/src/main/java/se/leap/bitmaskclient/firewall/FirewallManager.java @@ -0,0 +1,73 @@ +package se.leap.bitmaskclient.firewall; +/** + * Copyright (c) 2019 LEAP Encryption Access Project and contributers + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +import android.content.Context; + +import de.blinkt.openvpn.core.VpnStatus; +import se.leap.bitmaskclient.utils.PreferenceHelper; + + +public class FirewallManager implements FirewallCallback { + public static String BITMASK_CHAIN = "bitmask_fw"; + static final String TAG = FirewallManager.class.getSimpleName(); + + private Context context; + + public FirewallManager(Context context) { + this.context = context; + } + + + @Override + public void onFirewallStarted(boolean success) { + if (success) { + VpnStatus.logInfo("[FIREWALL] Custom rules established"); + } else { + VpnStatus.logError("[FIREWALL] Could not establish custom rules."); + } + } + + @Override + public void onFirewallStopped(boolean success) { + if (success) { + VpnStatus.logInfo("[FIREWALL] Custom rules deleted"); + } else { + VpnStatus.logError("[FIREWALL] Could not delete custom rules"); + } + } + + @Override + public void onSuRequested(boolean success) { + PreferenceHelper.setSuPermission(context, success); + if (!success) { + VpnStatus.logError("[FIREWALL] Root permission needed to execute custom firewall rules."); + } + } + + + public void startFirewall() { + StartFirewallTask task = new StartFirewallTask(this); + task.execute(); + } + + public void shutdownFirewall() { + ShutdownFirewallTask task = new ShutdownFirewallTask(this); + task.execute(); + } + +} diff --git a/app/src/main/java/se/leap/bitmaskclient/firewall/ShutdownFirewallTask.java b/app/src/main/java/se/leap/bitmaskclient/firewall/ShutdownFirewallTask.java new file mode 100644 index 00000000..50fa77cd --- /dev/null +++ b/app/src/main/java/se/leap/bitmaskclient/firewall/ShutdownFirewallTask.java @@ -0,0 +1,55 @@ +package se.leap.bitmaskclient.firewall; + +import android.os.AsyncTask; +import android.util.Log; + +import java.lang.ref.WeakReference; + +import static se.leap.bitmaskclient.firewall.FirewallManager.BITMASK_CHAIN; +import static se.leap.bitmaskclient.utils.Cmd.runBlockingCmd; + +class ShutdownFirewallTask extends AsyncTask<Void, Boolean, Boolean> { + + private WeakReference<FirewallCallback> callbackWeakReference; + + ShutdownFirewallTask(FirewallCallback callback) { + callbackWeakReference = new WeakReference<>(callback); + } + + @Override + protected Boolean doInBackground(Void... voids) { + boolean success; + StringBuilder log = new StringBuilder(); + String[] deleteChain = new String[]{ + "su", + "id", + "ip6tables --delete OUTPUT --jump " + BITMASK_CHAIN, + "ip6tables --flush " + BITMASK_CHAIN, + "ip6tables --delete-chain " + BITMASK_CHAIN + }; + try { + success = runBlockingCmd(deleteChain, log) == 0; + } catch (Exception e) { + e.printStackTrace(); + Log.e(FirewallManager.TAG, log.toString()); + return false; + } + + try { + boolean allowSu = log.toString().contains("uid=0"); + callbackWeakReference.get().onSuRequested(allowSu); + } catch (Exception e) { + //ignore + } + return success; + } + + @Override + protected void onPostExecute(Boolean result) { + super.onPostExecute(result); + FirewallCallback callback = callbackWeakReference.get(); + if (callback != null) { + callback.onFirewallStopped(result); + } + } +} diff --git a/app/src/main/java/se/leap/bitmaskclient/firewall/StartFirewallTask.java b/app/src/main/java/se/leap/bitmaskclient/firewall/StartFirewallTask.java new file mode 100644 index 00000000..9b3a125f --- /dev/null +++ b/app/src/main/java/se/leap/bitmaskclient/firewall/StartFirewallTask.java @@ -0,0 +1,74 @@ +package se.leap.bitmaskclient.firewall; + +import android.os.AsyncTask; +import android.util.Log; + +import java.lang.ref.WeakReference; + +import static se.leap.bitmaskclient.firewall.FirewallManager.BITMASK_CHAIN; +import static se.leap.bitmaskclient.utils.Cmd.runBlockingCmd; + +class StartFirewallTask extends AsyncTask<Void, Boolean, Boolean> { + + private WeakReference<FirewallCallback> callbackWeakReference; + + StartFirewallTask(FirewallCallback callback) { + callbackWeakReference = new WeakReference<>(callback); + } + + @Override + protected Boolean doInBackground(Void... voids) { + StringBuilder log = new StringBuilder(); + String[] bitmaskChain = new String[]{ + "su", + "id", + "ip6tables --list " + BITMASK_CHAIN }; + + + try { + boolean hasBitmaskChain = runBlockingCmd(bitmaskChain, log) == 0; + boolean allowSu = log.toString().contains("uid=0"); + try { + callbackWeakReference.get().onSuRequested(allowSu); + Thread.sleep(1000); + } catch (Exception e) { + //ignore + } + + boolean success; + log = new StringBuilder(); + if (!hasBitmaskChain) { + String[] createChainAndRules = new String[]{ + "su", + "ip6tables --new-chain " + BITMASK_CHAIN, + "ip6tables --insert OUTPUT --jump " + BITMASK_CHAIN, + "ip6tables --append " + BITMASK_CHAIN + " -p tcp --jump REJECT", + "ip6tables --append " + BITMASK_CHAIN + " -p udp --jump REJECT" + }; + success = runBlockingCmd(createChainAndRules, log) == 0; + Log.d(FirewallManager.TAG, "added " + BITMASK_CHAIN + " to ip6tables: " + success); + Log.d(FirewallManager.TAG, log.toString()); + return success; + } else { + String[] addRules = new String[] { + "su", + "ip6tables --append " + BITMASK_CHAIN + " -p tcp --jump REJECT", + "ip6tables --append " + BITMASK_CHAIN + " -p udp --jump REJECT" }; + return runBlockingCmd(addRules, log) == 0; + } + } catch (Exception e) { + e.printStackTrace(); + Log.e(FirewallManager.TAG, log.toString()); + } + return false; + } + + @Override + protected void onPostExecute(Boolean result) { + super.onPostExecute(result); + FirewallCallback callback = callbackWeakReference.get(); + if (callback != null) { + callback.onFirewallStarted(result); + } + } +} |