From 22eb43939a8bcae2ed7f89d37abf023fc33c485f Mon Sep 17 00:00:00 2001
From: cyBerta
Date: Mon, 30 Dec 2019 07:09:31 +0100
Subject: initial firewall implementation to fix #8939

---
 .../de/blinkt/openvpn/core/OpenVPNService.java | 6 +
 .../main/java/se/leap/bitmaskclient/utils/Cmd.java | 93 ++++++++++++
 .../leap/bitmaskclient/utils/FirewallHelper.java | 167 +++++++++++++++++++++
 3 files changed, 266 insertions(+)
 create mode 100644 app/src/main/java/se/leap/bitmaskclient/utils/Cmd.java
 create mode 100644 app/src/main/java/se/leap/bitmaskclient/utils/FirewallHelper.java

(limited to 'app')

diff --git a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
index 0863cc8e..724fd0fd 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
@@ -47,6 +47,7 @@ import de.blinkt.openvpn.core.connection.Obfs4Connection;
 import se.leap.bitmaskclient.R;
 import se.leap.bitmaskclient.VpnNotificationManager;
 import se.leap.bitmaskclient.pluggableTransports.Shapeshifter;
+import se.leap.bitmaskclient.utils.FirewallHelper;
 
 import static de.blinkt.openvpn.core.ConnectionStatus.LEVEL_CONNECTED;
 import static de.blinkt.openvpn.core.ConnectionStatus.LEVEL_WAITING_FOR_USER_INPUT;
@@ -89,6 +90,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 private Runnable mOpenVPNThread;
 private VpnNotificationManager notificationManager;
 private Shapeshifter shapeshifter;
+private FirewallHelper firewallHelper;
 
 private static final int PRIORITY_MIN = -2;
 private static final int PRIORITY_DEFAULT = 0;
@@ -192,6 +194,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 VpnStatus.removeStateListener(this);
 }
 }
+firewallHelper.shutdownFirewall();
 }
 
 private boolean runningOnAndroidTV() {
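Review bot: `firewallHelper.shutdownFirewall();` in the hunk at old line 192 hands the ip6tables teardown to an `AsyncTask` from what looks like the service's teardown path (the enclosing method starts outside the hunk) and nothing waits for it, so if the process is killed before the task runs — which cannot be ruled out from here — the `OUTPUT` jump into `bitmask_fw` and its REJECT rules survive and outgoing IPv6 TCP/UDP stays blocked system-wide until the next start. Either run the delete batch synchronously at this point or document the trade-off, e.g. `// teardown is asynchronous: if the process dies first, the bitmask_fw chain stays installed`. Since `startFirewall()` is invoked on every process start in the hunk at line 446 and this is the only teardown, the helper's rule installation has to be idempotent for the pairing to hold.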
@@ -446,6 +449,8 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 mProcessThread.start();
 }
 
+firewallHelper.startFirewall();
+
 new Handler(getMainLooper()).post(() -> {
 if (mDeviceStateReceiver != null) {
 unregisterDeviceStateReceiver();
@@ -513,6 +518,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 super.onCreate();
 notificationManager = new VpnNotificationManager(this, this);
 notificationManager.createOpenVpnNotificationChannel();
+firewallHelper = new FirewallHelper();
 }
 
 @Override
diff --git a/app/src/main/java/se/leap/bitmaskclient/utils/Cmd.java b/app/src/main/java/se/leap/bitmaskclient/utils/Cmd.java
new file mode 100644
index 00000000..a72658a4
--- /dev/null
+++ b/app/src/main/java/se/leap/bitmaskclient/utils/Cmd.java
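Review bot: `firewallHelper.startFirewall();` is fire-and-forget — its only result path is `FirewallHelper.onFirewallStarted`, which logs at debug level — so when root is unavailable or `ip6tables` fails, the VPN keeps running with no IPv6 blocking and neither the user nor the service state reflects it; feed the outcome back into the service (the file already reports through `VpnStatus`) instead of stopping at a `Log.d`. `AsyncTask.execute()` is documented to require the UI thread, and the `new Handler(getMainLooper()).post(...)` right below suggests this code may not be on it (the enclosing method starts outside the hunk); if so, move the call inside that post. Nothing here says why a firewall is started at all, so a one-line comment such as `// on rooted devices, reject all outgoing IPv6 TCP/UDP via ip6tables (#8939)` would help the next reader.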
@@ -0,0 +1,93 @@
+/**
+ * Copyright (c) 2019 LEAP Encryption Access Project and contributers
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+package se.leap.bitmaskclient.utils;
+
+import android.support.annotation.WorkerThread;
+import android.util.Log;
+
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+
+public class Cmd {
+
+private static final String TAG = Cmd.class.getSimpleName();
+
+@WorkerThread
+public static int runBlockingCmd(String[] cmds, StringBuilder log) throws Exception {
+return runCmd(cmds, log, true);
+}
+
+@WorkerThread
+private static int runCmd(String[] cmds, StringBuilder log,
+boolean waitFor) throws Exception {
+
+int exitCode = -1;
+Process proc = Runtime.getRuntime().exec("sh");
+OutputStreamWriter out = new OutputStreamWriter(proc.getOutputStream());
+
+try {
+for (String cmd : cmds) {
+Log.d(TAG, "executing CMD: " + cmd);
+out.write(cmd);
+out.write("\n");
+}
+
+out.flush();
+out.write("exit\n");
+out.flush();
+} catch (IOException e) {
+e.printStackTrace();
+} finally {
+out.close();
+}
+
+if (waitFor) {
+// Consume the "stdout"
+InputStreamReader reader = new InputStreamReader(proc.getInputStream());
+readToLogString(reader, log);
+
+// Consume the "stderr"
+reader = new InputStreamReader(proc.getErrorStream());
+readToLogString(reader, log);
+
+try {
+exitCode = proc.waitFor();
+} catch (InterruptedException e) {
+e.printStackTrace();
+}
+}
+
+return exitCode;
+}
+
+private static void readToLogString(InputStreamReader reader, StringBuilder log) throws IOException {
+final char buf[] = new char[10];
+int read = 0;
+try {
+while ((read = reader.read(buf)) != -1) {
+if (log != null)
+log.append(buf, 0, read);
+}
+} catch (IOException e) {
+reader.close();
+throw new IOException(e);
+}
+reader.close();
+}
+}
diff --git a/app/src/main/java/se/leap/bitmaskclient/utils/FirewallHelper.java b/app/src/main/java/se/leap/bitmaskclient/utils/FirewallHelper.java
new file mode 100644
index 00000000..43a5296f
--- /dev/null
+++ b/app/src/main/java/se/leap/bitmaskclient/utils/FirewallHelper.java
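Review bot: `runCmd` reads the child's stdout to EOF before it starts on stderr, so a command that writes more than the pipe buffer to stderr while stdout is still open blocks on write and `runBlockingCmd` can hang indefinitely; creating the shell with `Process proc = new ProcessBuilder("sh").redirectErrorStream(true).start();` merges both streams, after which the second `readToLogString` on `proc.getErrorStream()` can be dropped. The `InterruptedException` handler prints the trace and returns `-1` without restoring the interrupt flag; add `Thread.currentThread().interrupt();` there. Both `InputStreamReader` constructors use the platform default charset; pass `StandardCharsets.UTF_8`. Because `cmds` go verbatim into `sh`'s stdin with no quoting or escaping, `runBlockingCmd` needs a Javadoc line such as `/** Writes each entry of cmds as one line to a fresh sh; no quoting is applied, so callers must pass only fixed, program-defined strings. */`, and the first `catch (IOException e)` should not merely print a failed write while the method then reports the shell's exit status as if the whole batch had been sent.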
@@ -0,0 +1,167 @@
+package se.leap.bitmaskclient.utils;
+/**
+ * Copyright (c) 2019 LEAP Encryption Access Project and contributers
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+import android.os.AsyncTask;
+import android.text.TextUtils;
+import android.util.Log;
+
+import java.lang.ref.WeakReference;
+
+import static se.leap.bitmaskclient.utils.Cmd.runBlockingCmd;
+
+interface FirewallCallback {
+void onFirewallStarted(boolean success);
+void onFirewallStopped(boolean success);
+}
+
+
+public class FirewallHelper implements FirewallCallback {
+private static String BITMASK_CHAIN = "bitmask_fw";
+private static final String TAG = FirewallHelper.class.getSimpleName();
+
+
+@Override
+public void onFirewallStarted(boolean success) {
+Log.d(TAG, "Firewall started " + success);
+}
+
+@Override
+public void onFirewallStopped(boolean success) {
+Log.d(TAG, "Firewall stopped " + success);
+}
+
+
+static class StartFirewallTask extends AsyncTask {
+
+WeakReference callbackWeakReference;
+
+public StartFirewallTask(FirewallCallback callback) {
+callbackWeakReference = new WeakReference<>(callback);
+}
+
+@Override
+protected Boolean doInBackground(Void... voids) {
+if (requestSU()) {
+Log.d(TAG, "su acquired");
+StringBuilder log = new StringBuilder();
+String[] bitmaskChain = new String[]{
+"su",
+"ip6tables --list " + BITMASK_CHAIN };
+try {
+boolean hasBitmaskChain = runBlockingCmd(bitmaskChain, log) == 0;
+Log.d(TAG, log.toString());
+if (!hasBitmaskChain) {
+String[] createChain = new String[]{
+"su",
+"ip6tables --new-chain " + BITMASK_CHAIN,
+"ip6tables --insert OUTPUT --jump " + BITMASK_CHAIN };
+log = new StringBuilder();
+int success = runBlockingCmd(createChain, log);
+Log.d(TAG, "added " + BITMASK_CHAIN + " to ip6tables: " + success);
+Log.d(TAG, log.toString());
+if (success != 0) {
+return false;
+}
+}
+
+log = new StringBuilder();
+String[] addRules = new String[] {
+"su",
+"ip6tables --append " + BITMASK_CHAIN + " -p tcp --jump REJECT",
+"ip6tables --append " + BITMASK_CHAIN + " -p udp --jump REJECT" };
+boolean successResult = runBlockingCmd(addRules, log) == 0;
+Log.d(TAG, log.toString());
+return successResult;
+} catch (Exception e) {
+e.printStackTrace();
+Log.e(TAG, log.toString());
+}
+};
+return false;
+}
+
+@Override
+protected void onPostExecute(Boolean result) {
+super.onPostExecute(result);
+FirewallCallback callback = callbackWeakReference.get();
+if (callback != null) {
+callback.onFirewallStarted(result);
+}
+}
+}
+
+static class ShutdownFirewallTask extends AsyncTask {
+
+@Override
+protected Boolean doInBackground(Void... voids) {
+
+if (requestSU()) {
+StringBuilder log = new StringBuilder();
+String[] deleteChain = new String[]{
+"su",
+"ip6tables --delete OUTPUT --jump " + BITMASK_CHAIN,
+"ip6tables --flush " + BITMASK_CHAIN,
+"ip6tables --delete-chain " + BITMASK_CHAIN
+};
+try {
+runBlockingCmd(deleteChain, log);
+} catch (Exception e) {
+e.printStackTrace();
+Log.e(TAG, log.toString());
+}
+
+}
+
+return null;
+}
+}
+
+
+public void startFirewall() {
+StartFirewallTask task = new StartFirewallTask(this);
+task.execute();
+}
+
+public void shutdownFirewall() {
+ShutdownFirewallTask task = new ShutdownFirewallTask();
+task.execute();
+}
+
+public static boolean hasSU() {
+StringBuilder log = new StringBuilder();
+
+try {
+String suCommand = "su -v";
+runBlockingCmd(new String[]{suCommand}, log);
+} catch (Exception e) {
+return false;
+}
+
+return !TextUtils.isEmpty(log) && !log.toString().contains("su: not found");
+}
+
+public static boolean requestSU() {
+try {
+String suCommand = "su";
+return runBlockingCmd(new String[]{suCommand}, null) == 0;
+} catch (Exception e) {
+return false;
+}
+}
+
+}
-- 
cgit v1.2.3
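Review bot: `StartFirewallTask.doInBackground` checks only whether the `bitmask_fw` chain exists and then unconditionally `--append`s the two REJECT rules, so each `startFirewall()` call (one per VPN process start in OpenVPNService) adds another copy of both rules; insert `"ip6tables --flush " + BITMASK_CHAIN,` into `addRules` directly after `"su"` so the chain is rebuilt idempotently. `ShutdownFirewallTask` ignores the exit status of the delete batch, returns `null` and holds no callback, so `onFirewallStopped` is never invoked and a failed teardown (su denied, chain already removed) silently leaves all outgoing IPv6 TCP/UDP rejected after the VPN stops; the rewrite below reports the result the way `StartFirewallTask` does and expects `shutdownFirewall()` to construct it with `this`. `BITMASK_CHAIN` is a mutable `private static String`; make it `private static final`. Each batch also re-runs `su` after `requestSU()` has already succeeded, so a single start can invoke `su` up to four times, which deserves a comment if it is intended.
```java
        // … unchanged: class header …
        WeakReference<FirewallCallback> callbackWeakReference;

        ShutdownFirewallTask(FirewallCallback callback) {
            callbackWeakReference = new WeakReference<>(callback);
        }

        @Override
        protected Boolean doInBackground(Void... voids) {
            if (!requestSU()) {
                return false;
            }
            StringBuilder log = new StringBuilder();
            String[] deleteChain = new String[]{
                    "su",
                    "ip6tables --delete OUTPUT --jump " + BITMASK_CHAIN,
                    "ip6tables --flush " + BITMASK_CHAIN,
                    "ip6tables --delete-chain " + BITMASK_CHAIN
            };
            try {
                boolean success = runBlockingCmd(deleteChain, log) == 0;
                Log.d(TAG, log.toString());
                return success;
            } catch (Exception e) {
                Log.e(TAG, log.toString(), e);
                return false;
            }
        }

        @Override
        protected void onPostExecute(Boolean result) {
            super.onPostExecute(result);
            FirewallCallback callback = callbackWeakReference.get();
            if (callback != null) {
                callback.onFirewallStopped(result);
            }
        }
```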