2. 程式人生 > >Android 8.1移植:針對某個APK做到wifi和gprs分別做到允許和禁止兩種策略

Android 8.1移植:針對某個APK做到wifi和gprs分別做到允許和禁止兩種策略

阿新 發佈:2018-12-30

在MTK平臺JB5開始後預設有該功能,昨天在檢視8.1的程式碼時發現沒有該功能,現在我把移植流程記錄下來,親測驗證ok。

1.frameworks
frameworks/base/core/java/android/os/INetworkManagementService.aidl

void setFirewallUidChainRule(int uid, int networkType, boolean allow); //zrx add
void clearFirewallChain(String chain);   //zrx add

frameworks/base/services/core/java/com/android/server/NetworkManagementService.java

 //add by zrx

    /**
     * @hide
     * @param uid
     * @param networkType
     * @param allow
     */
    public void setFirewallUidChainRule(int uid, int networkType, boolean allow) {
        //enforceSystemUid();
        final String MOBILE = "mobile";
        final String WIFI = "wifi";

        final
 
 String rule = allow ? "allow" : "deny";
        final String chain = (networkType == 1) ? WIFI : MOBILE;

        try {
            mConnector.execute("firewall", "set_uid_fw_rule", uid, chain, rule);
        } catch (NativeDaemonConnectorException e) {
            throw e.rethrowAsParcelableException();
        }
    }

    /**
     * @internal
 
 Configure firewall rule by uid and chain
     * @hide
     */
    public void clearFirewallChain(String chain) {
        //enforceSystemUid();
        try {
            mConnector.execute("firewall", "clear_fw_chain", chain);
        } catch (NativeDaemonConnectorException e) {
            throw e.rethrowAsParcelableException();
        }
    }
    //add by zrx

上面兩個函式是提供給上層呼叫的,setFirewallUidChainRule和clearFirewallChain為設定和清空相應的APP的限制

2.system/netd/server/路徑
CommandListener.cpp

int CommandListener::FirewallCmd::runCommand(SocketClient *cli, int argc,char **argv) { 
//add  by zrx 在cli->sendMsg(ResponseCode::CommandSyntaxError, "Unknown command", false);之前加上
      if (!strcmp(argv[1], "set_uid_fw_rule")) {
        if (argc != 5) {
            cli->sendMsg(ResponseCode::CommandSyntaxError,
                         "Usage: firewall set_uid_fw_rule <uid> <mobile|wifi> <allow|deny>",
                         false);
            return 0;
        }

        int uid = atoi(argv[2]);
        FirewallChinaRule chain = parseChain(argv[3]);
        FirewallRule rule = parseRule(argv[4]);

        int res = gCtls->firewallCtrl.setUidFwRule(uid, chain, rule);
        return sendGenericOkFail(cli, res);
    }

    if (!strcmp(argv[1], "clear_fw_chain")) {
        if (argc != 3) {
            cli->sendMsg(ResponseCode::CommandSyntaxError,
                         "Usage: firewall clear_fw_chain <chain>",
                         false);
            return 0;
        }

        const char* chain = argv[2];

        int res = gCtls->firewallCtrl.clearFwChain(chain);
        return sendGenericOkFail(cli, res);
    }   
    //add  by zrx

    cli->sendMsg(ResponseCode::CommandSyntaxError, "Unknown command", false);
    return 0;
}

FirewallChinaRule CommandListener::FirewallCmd::parseChain(const char* arg) {
    if (!strcmp(arg, "mobile")) {
            return MOBILE;
    } else {
            return WIFI;
    }
}

CommandListener.h宣告parseChain函式

    int sendGenericOkFail(SocketClient *cli, int cond);
        static FirewallRule parseRule(const char* arg);
        static FirewallType parseFirewallType(const char* arg);
        static ChildChain parseChildChain(const char* arg);
        // zrx add: Support enhanced firewall @{
        static FirewallChinaRule parseChain(const char* arg);

FirewallController.cpp對setUidFwRule和clearFwChain函式新增

// zrx add Support tencent firewall @{
const char* FirewallController::FIREWALL = "firewall";
const char* FirewallController::FIREWALL_MOBILE = "mobile";
const char* FirewallController::FIREWALL_WIFI = "wifi";
//@}

/****************************************************************************
* zrx add: support tencent firewall
* set FIREWALL_MOBILE and FIREWALL_WIFI rule to reject packets based on uid
*****************************************************************************/
int FirewallController::setUidFwRule(int uid, FirewallChinaRule chain, FirewallRule rule) {
    char uidStr[16];
    int res = 0;
    const char* op;
    const char* fwChain;

    sprintf(uidStr, "%d", uid);

    if (rule == ALLOW) {
        op = "-I";
    } else {
        op = "-D";
    }

    if(chain == MOBILE) {
        fwChain = "mobile";
    }else{
        fwChain = "wifi";
    }
 //在8.1上用execIptablesRestore函式,但因為我對C++語言不精通,我就把6.0上的execIptables函式移植過來了。
    res |= execIptables(V4, op, fwChain, "-m", "owner", "--uid-owner", uidStr,
            "-j", "REJECT", "--reject-with", "icmp-net-prohibited", NULL);
    res |= execIptables(V6, op, fwChain, "-m", "owner", "--uid-owner", uidStr,
            "-j", "REJECT", "--reject-with", "icmp6-adm-prohibited", NULL);

    return res;
}


/************************************************************
* zrx add: support tencent firewall
* flush FIREWALL_MOBILE and FIREWALL_WIFI
************************************************************/
int FirewallController::clearFwChain(const char* chain) {
    int res = 0;

    if(chain != NULL){
        if(strlen(chain) > 0){
            res |= execIptables(V4V6, "-F", chain, NULL);
        }else{
            ALOGD("Clear all chain");
            res |= execIptables(V4V6, "-F", NULL);
        }
    }else{
        ALOGE("Chain is NULL");
    }

    return res;
}

int FirewallController::setupIptablesHooks(void) {
     // zrx add: Support enhanced firewall @{
    int res = 0;
    res |= execIptables(V4V6, "-F", FIREWALL, NULL);
    res |= execIptables(V4V6, "-A", FIREWALL, "-o", "ppp+", "-j", FIREWALL_MOBILE, NULL);
    res |= execIptables(V4V6, "-A", FIREWALL, "-o", "ccmni+", "-j", FIREWALL_MOBILE, NULL);
    res |= execIptables(V4V6, "-A", FIREWALL, "-o", "ccemni+", "-j", FIREWALL_MOBILE, NULL);
    res |= execIptables(V4V6, "-A", FIREWALL, "-o", "usb+", "-j", FIREWALL_MOBILE, NULL);
    res |= execIptables(V4V6, "-A", FIREWALL, "-o", "cc2mni+", "-j", FIREWALL_MOBILE, NULL);
    res |= execIptables(V4V6, "-A", FIREWALL, "-o", "wlan+", "-j", FIREWALL_WIFI, NULL);
    //@}
    res |= createChain(LOCAL_DOZABLE, getFirewallType(DOZABLE));
    res |= createChain(LOCAL_STANDBY, getFirewallType(STANDBY));
    res |= createChain(LOCAL_POWERSAVE, getFirewallType(POWERSAVE));
    return res;
}

FirewallController.h

enum FirewallChinaRule { MOBILE, WIFI };//zrx add

public:
    FirewallController();
    int setupIptablesHooks(void);
    int enableFirewall(FirewallType);
    int disableFirewall(void);
    int isFirewallEnabled(void);
    // zrx add, Support enhanced firewall @{
    static const char* FIREWALL;
    static const char* FIREWALL_MOBILE;
    static const char* FIREWALL_WIFI;
    int setUidFwRule(int, FirewallChinaRule, FirewallRule);
    int clearFwChain(const char* chain);
    //@}
    //add  by zrx

NetdConstants.cpp實現execIptables函式

//zrx add
const char * const IPTABLES_PATH = "/system/bin/iptables";
const char * const IP6TABLES_PATH = "/system/bin/ip6tables";
static void logExecError(const char* argv[], int res, int status) {
    const char** argp = argv;
    std::string args = "";
    while (*argp) {
        args += *argp;
        args += ' ';
        argp++;
    }
    ALOGE("exec() res=%d, status=%d for %s", res, status, args.c_str());
}

static int execIptablesCommand(int argc, const char *argv[], bool silent) {
    int res;
    int status;

    ALOGI("execIptablesCommand android_fork_execvp enter");
    res = android_fork_execvp(argc, (char **)argv, &status, false,
        !silent);
    ALOGI("execIptablesCommand android_fork_execvp exit");
    if (res || !WIFEXITED(status) || WEXITSTATUS(status)) {
        if (!silent) {
            logExecError(argv, res, status);
        }
        if (res)
            return res;
        if (!WIFEXITED(status))
            return ECHILD;
    }
    return WEXITSTATUS(status);
}

static int execIptables(IptablesTarget target, bool silent, va_list args) {
    /* Read arguments from incoming va_list; we expect the list to be NULL terminated. */
    std::list<const char*> argsList;
    argsList.push_back(NULL);
    const char* arg;

    // Wait to avoid failure due to another process holding the lock
    argsList.push_back("-w");

    do {
        arg = va_arg(args, const char *);
        argsList.push_back(arg);
    } while (arg);

    int i = 0;
    const char* argv[argsList.size()];
    std::list<const char*>::iterator it;
    for (it = argsList.begin(); it != argsList.end(); it++, i++) {
        argv[i] = *it;
    }

    int res = 0;
    if (target == V4 || target == V4V6) {
        argv[0] = IPTABLES_PATH;
        res |= execIptablesCommand(argsList.size(), argv, silent);
    }
    if (target == V6 || target == V4V6) {
        argv[0] = IP6TABLES_PATH;
        res |= execIptablesCommand(argsList.size(), argv, silent);
    }
    return res;
}

int execIptables(IptablesTarget target, ...) {
    va_list args;
    va_start(args, target);
    int res = execIptables(target, false, args);
    va_end(args);
    return res;
}

int execIptablesSilently(IptablesTarget target, ...) {
    va_list args;
    va_start(args, target);
    int res = execIptables(target, true, args);
    va_end(args);
    return res;
}
//zrx add

NetdConstants.h

int execIptables(IptablesTarget target, ...); //zrx add
int execIptablesSilently(IptablesTarget target, ...);//zrx add

Controllers.cpp

static const std::vector<const char*> FILTER_INPUT = {
        // Bandwidth should always be early in input chain, to make sure we
        // correctly count incoming traffic against data plan.
        BandwidthController::LOCAL_INPUT,
        // zrx add: Support enhanced firewall @{
        FirewallController::FIREWALL,
        ///@}
        FirewallController::LOCAL_INPUT,
};

static const std::vector<const char*> FILTER_OUTPUT = {
        OEM_IPTABLES_FILTER_OUTPUT,
        // zrx add: Support enhanced firewall @{
        FirewallController::FIREWALL,
        ///@}
        FirewallController::LOCAL_OUTPUT,
        StrictController::LOCAL_OUTPUT,
        BandwidthController::LOCAL_OUTPUT,
};

// zrx add:  @{
static const std::vector<const char*> FILTER_FIREWALL = {
        FirewallController::FIREWALL_MOBILE,
        FirewallController::FIREWALL_WIFI,
        NULL,
};///@}

void Controllers::initChildChains() {
    /*
     * This is the only time we touch top-level chains in iptables; controllers
     * should only mutate rules inside of their children chains, as created by
     * the constants above.
     *
     * Modules should never ACCEPT packets (except in well-justified cases);
     * they should instead defer to any remaining modules using RETURN, or
     * otherwise DROP/REJECT.
     */

    // Create chains for child modules.
    createChildChains(V4V6, "filter", "INPUT", FILTER_INPUT, true);
    // zrx add:  @{
    createChildChains(V4V6, "filter", "firewall", FILTER_FIREWALL,true); 
    ///@}
    createChildChains(V4V6, "filter", "FORWARD", FILTER_FORWARD, true);
    createChildChains(V4V6, "raw", "PREROUTING", RAW_PREROUTING, true);
    createChildChains(V4V6, "mangle", "FORWARD", MANGLE_FORWARD, true);
    createChildChains(V4V6, "mangle", "INPUT", MANGLE_INPUT, true);
    createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING, true);
    createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING, true);

    createChildChains(V4, "filter", "OUTPUT", FILTER_OUTPUT, false);
    createChildChains(V6, "filter", "OUTPUT", FILTER_OUTPUT, false);
    createChildChains(V4, "mangle", "POSTROUTING", MANGLE_POSTROUTING, false);
    createChildChains(V6, "mangle", "POSTROUTING", MANGLE_POSTROUTING, false);
}

4.上層app驗證

import android.os.INetworkManagementService;
import android.os.ServiceManager;

private INetworkManagementService mNetworkService;
mNetworkService = INetworkManagementService.Stub.asInterface(
                    ServiceManager.getService(Context.NETWORKMANAGEMENT_SERVICE));
//允許系統瀏覽器上網功能
try {
       mNetworkService.setFirewallUidChainRule(10057,1, false);//uid通過eng版本cat /data/system/packages.xml獲得,1為允許wifi,2或者其他數字代表gprs,false為不禁止,true為允許禁止
       mNetworkService.setFirewallUidChainRule(10057,2, false);
    } catch (Exception e) {
        // TODO: handle exception
        e.printStackTrace();
    }

//禁止系統瀏覽器上網功能
 mNetworkService.setFirewallUidChainRule(10057,1, true);
       mNetworkService.setFirewallUidChainRule(10057,2, true);
    } catch (Exception e) {
        // TODO: handle exception
        e.printStackTrace();
    }

最後還需要在AndroidManifest.xml中加上android:sharedUserId=”android.uid.system”這個屬性。

相關推薦

Android 8.1移植針對某個APK做到wifigprs分別做到允許禁止策略

在MTK平臺JB5開始後預設有該功能,昨天在檢視8.1的程式碼時發現沒有該功能,現在我把移植流程記錄下來,親測驗證ok。 1.frameworks frameworks/base/core/java/android/os/INetworkManagement

移植rtl8188 wifi模組到android 8.1(android o)

一、驅動部分 1、rtl8188eu/rtl8188fu驅動,修改對應目錄下的makefile,適應平臺 2、檢測模組電壓、時鐘是否正確。硬體正常的話,可以用lsusb檢視到模組的廠商ID和裝置ID。 3、載入驅動後, ifconfig -a可以看到網口,用iw命令測試wi

Android 8.1.0 模擬器

模擬器 1.0 roi andro logs ges blog .com images Android 8.1.0 模擬器

平均數編碼針對某個分類特征類別基數特別大的編碼方式

target tar ane 計算 決策樹 原理 beta family 基於 原文:https://zhuanlan.zhihu.com/p/26308272   插入一條信息:特征編碼一定要考慮是否需要距離度量,編碼方式對距離度量的適應:例如:我們用one-hot編碼顏

Android 8.1 關機

之前傳送Intent i = new Intent("android.intent.action.ACTION_REQUEST_SHUTDOWN");會報 android.content.ActivityNotFoundException: No Activity found to

Android 8.1 新增屬性SystemProperties.set可執行許可權

在Android 8.1由於selinux許可權的限制。預設SystemProperties.set執行報avc denied,即使給 app android:sharedUserId="android.uid.system"許可權也不行,如果想執行必須修改一些檔案。 device/

RK3288 android 7.1 預裝可解除安裝APK

RK3288 android 7.1 預裝可解除安裝APK 平臺 需求 實現 後續 平臺 RK3288 + Android 7.1 需求 ROM 中整合可解除安裝APK, 需滿足要求:

Android 8.1 非系統程序設定系統域屬性問題

1. 程序間通過設定屬性進行互動 Android 系統開發中經常需要通過屬性在各個程序間傳遞資訊,通過一個程序 set_property,另一個程序 get_property 達到程序間通訊的需求。 屬性獲取沒有限制,但是如果需要程序可以進行設定屬性操作,則需要做一些處理。因為在

Android 8.1 原始碼_核心篇 -- 深入研究 PackageManagerService 系列(1

開篇 前言 如果你真正的深入分析過 PackageManagerService,你會發現 PackageManagerService 的原始碼真的很大,而且邏輯、結構都甚為複雜。對 PackageManagerService 系列的原始碼分析是基於 Android

Android 8.1 獲取wifi mac地址方法

安卓8.1更新了獲取WIFI地址的方法,使用之前的方法獲取不到地址 private String getWifiMacAddress() { String str = ""; String macSerial = "";

Mac 10.14 編譯Android 8.1原始碼及刷入nexus 6p

環境準備 官網 描述得已經相當清楚了 ,這裡稍微總結一下: 建立區分大小寫的磁碟映像 mac系統預設是不區分大小寫的,所以我們需要建立一個區分大小寫的檔案系統 hdiutil create -type SPARSE -fs 'Case-sensitive Journaled HFS+' -size 6

Android 8.0 行為變更-針對所有 API 級別的應用

這些行為變更適用於 在 Android 8.0 平臺上執行的 所有應用,無論這些應用是針對哪個 API 級別構建。所有開發者都應檢視這些變更,並修改其應用以正確支援這些變更。 轉載請標明出處 :http://blog.csdn.net/Jiang_Rong_Tao/article

android 8.1 vts環境測試

VTS 測試,首先需要搭建測試環境,我們需要以下這些元件: 64-bit Ubuntu Linux Java 8Python 2.7 ADB 1.0.39具體的搭建步驟是: 安裝Java8(JDK8)sudo add-apt-repository ppa:webupd8te

Android 8.1 App Standby

App Standby黑白名單配置流程 如圖所示,可選擇優化和不優化 程式碼路徑:packages\apps\Settings\src\com\android\settings\fuelgauge\HightPowerDetail @Override public

android 8.1 MTK 預設儲存(插入sdcard時預設sdcard)

1.修改獲取預設儲存路徑的方法 vendor/mediatek/proprietary/frameworks/base/core/java/com/mediatek/storage/StorageManagerEx.java method: getDefau

Android 8.1上狀態列新增截圖功能

1.需求 客戶要求在狀態列新增截圖功能。。 實現效果如下: 實現步驟 步驟1 在配置檔案alps\vendor\mediatek\proprietary\packages\apps\SystemUI\res\values\config.xml新增\screens

Android 8.1 Handler 原始碼解析

原始碼解析,如需轉載,請註明作者:Yuloran (t.cn/EGU6c76) 一. 前言 基於Android 8.1(API27) 原始碼,分析 Handler 的工作流程。 在 Android 系統中,Zygote 程序是首個 java 程序,同時也是所有 java 程序的父程序。上層應用

Android 8.1 新增選單項

由於工作的原因,許多時間我們需要定製自己的Settings,需要對Settings中的選單項進行增加和刪除。 1.增加選單項 第一,首先在AndroidManifest.xml中新增activity 其具體屬性的解析如下: 第二,在包com.and

Android 8.1 之省電模式分析

1. 功能概述 Battery saver是Google在Android L上新增的選項,這個功能是在Setting -> Battery (–> more (androidO以前的路徑)) –> Battery saver,這個功能主要是為

Android 8.0 高通程式碼預製apk可解除安裝,恢復出廠設定apk可恢復

1:做個指令碼去實現拷貝APK都data/app目錄下面:#!/vendor/bin/shsleep 1cp /system/pre_install/RunUiTest/RunUiTest.apk /data/app/chmod 777 /data/app/RunUiTest