Android之防火墙功能的实现

需求：可以控制某个应用访问WIFI或移动网络的功能。

Android自带防火墙原理是：一旦开启防火墙，所有的应用都不能访问网络（包括WIFI和移动网络），所以不能满足需求，故需要在原生基础上新增两个方法来实现该功能，方法声明在frameworks/base/core/java/android/os目录下的INetworkManagementService.aidl中：

interface INetworkManagementService{    . . .        void setMobileDataUidRule(int uid, boolean allow); //根据应用的uid设置是否允许它访问移动网络        void setWifiDataUidRule(int uid, boolean allow); //根据应用的uid设置是否允许它访问WIFI网络    . . .}

方法的实现是在frameworks/base/services/core/java/com/android/server目录下的NetworkManagementService.java中：

public class NetworkManagementService extends INetworkManagementService.Stub implements Watchdog.Monitor {    . . .    @Override    public void setMobileDataUidRule(int uid, boolean allow) {        enforceSystemUid(); // 校验调用者是否是系统uid        try {            mConnector.execute("firewall", "set_mobile_data_uid_rule", uid, rule);        } catch (NativeDaemonConnectorException e) {            throw e.rethrowAsParcelableException();        }    }    @Override    public void setWifiDataUidRule(int uid, boolean allow) {        enforceSystemUid();        try {            mConnector.execute("firewall", "set_wifi_data_uid_rule", uid, rule);        } catch (NativeDaemonConnectorException e) {            throw e.rethrowAsParcelableException();        }    }    . . .}

下面又通过socket通信方式调用到system/netd层的system/netd/server目录下的CommandListener.cpp中：

CommandListener::CommandListener() : FrameworkListener("netd", true) {    . . .    sFirewallCtrl->initIptableFirewall();// 开机初始化    . . .}int CommandListener::FirewallCmd::runCommand(SocketClient *cli, int argc, char **argv) {    . . .    if (!strcmp(argv[1], "set_mobile_data_uid_rule")) {        if (argc != 4) {            cli->sendMsg(ResponseCode::CommandSyntaxError,                    "Usage: firewall set_mobile_data_uid_rule <1000> ",                    false);            return 0;        }        int uid = atoi(argv[2]);        FirewallRule rule = parseRule(argv[3]);        int res = sFirewallCtrl->setMobileDataUidRule(uid, rule);        return sendGenericOkFail(cli, res);    }    if (!strcmp(argv[1], "set_wifi_data_uid_rule")) {        if (argc != 4) {            cli->sendMsg(ResponseCode::CommandSyntaxError,                    "Usage: firewall set_wifi_data_uid_rule <1000> ",                    false);            return 0;        }        int uid = atoi(argv[2]);        FirewallRule rule = parseRule(argv[3]);        int res = sFirewallCtrl->setWifiDataUidRule(uid, rule);        return sendGenericOkFail(cli, res);    }    . . .}

上面代码又调用到system/netd/server目录下的FirewallController.cpp中：

. . .#include const char* op_3g;const char* op_wifi;. . .int FirewallController::initIptableFirewall(void) {    int res = 0;    char property[PROPERTY_VALUE_MAX];    property_get("ro.hardware", property, "qcom");    if (strncmp("qcom", property, 4) == 0) { // 高通平台        op_3g = "rmnet+";        op_wifi = "wlan0";    } else if (strncmp("mt", property, 2) == 0 || strncmp("MT", property, 2) == 0) {        op_3g = "ccmni+"; // MTK平台        op_wifi = "wlan0";    } else {        op_3g = "rmnet+";        op_wifi = "wlan0";    }    // 新建一个drop_wall链表    res |= execIptables(V4V6, "-w", "-N", "drop_wall", NULL);    // 把新建的drop_wall链表添加到OUTPUT链表目录下    res |= execIptables(V4V6, "-w", "-A", "OUTPUT", "-j", "drop_wall", NULL);}int FirewallController::setMobileDataUidRule(int uid, FirewallRule rule) {    char uidStr[16];    sprintf(uidStr, "%d", uid);    const char* op;    if (rule == ALLOW) {        op = "-D";// 删除链表中的规则    } else {        op = "-A";// 添加规则到链表    }    int res = 0;    res |= execIptables(V4V6, "-w", op, "drop_wall", "-o", op_3g, "-m", "owner",            "--uid-owner", uidStr, "-j", "REJECT", NULL);    return res;}int FirewallController::setWifiDataUidRule(int uid, FirewallRule rule) {    char uidStr[16];    sprintf(uidStr, "%d", uid);    const char* op;    if (rule == ALLOW) {        op = "-D";// 删除链表中的规则    } else {        op = "-A";// 添加规则到链表    }    int res = 0;    res |= execIptables(V4V6, "-w", op, "drop_wall", "-o", op_wifi, "-m", "owner",            "--uid-owner", uidStr, "-j", "REJECT", NULL);    return res;}. . .

方法声明在system/netd/server目录下的FirewallController.h中：

class FirewallController {    public:        . . .        int initIptableFirewall(void);        int setMobileDataUidRule(int, FirewallRule);        int setWifiDataUidRule(int, FirewallRule);        . . .}

到这里方法就添加完毕了，下面看调用，调用者必须是系统uid，要把aidl文件拷贝到android.os包下，由于NetworkManagementService是隐藏的，故需要使用方式的方式调用：

public static void setUidNetworkState(int uid, boolean enabled) {    try {        Method method = Class.forName("android.os.ServiceManager").getMethod("getService", String.class);        IBinder binder = (IBinder) method.invoke(null, new Object[] {"network_management"});        INetworkManagementService service = INetworkManagementService.Stub.asInterface(binder);        if (service != null) {            service.setMobileDataUidRule(uid, enabled);            service.setWifiDataUidRule(uid, enabled);        }    } catch (Exception e) {        e.printStackTrace();    }}

另外，网络端口的查看方式：

adb shellnetcfg

代码实现方式：

ConnectivityManager manager = (ConnectivityManager) getSystemService(Context.CONNECTIVITY_SERVICE);Network[] networks = manager.getAllNetworks();for (Network item : networks) {    NetworkInfo info = manager.getNetworkInfo(item);    if (info.getType() == ConnectivityManager.TYPE_WIFI) {        String wifi = manager.getLinkProperties(item)                .getInterfaceName();        System.out.println("zyf wifi:" + wifi);    } else if (info.getType() == ConnectivityManager.TYPE_MOBILE) {        String mobile = manager.getLinkProperties(item)                .getInterfaceName();        System.out.println("zyf mobile:" + mobile);    }}

更多相关文章

随机推荐