IntentFirewall.java revision 49782e46c0eb85a25ae2abcf80880c48dbab5aea
1/* 2 * Copyright (C) 2013 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package com.android.server.firewall; 18 19import android.app.AppGlobals; 20import android.content.ComponentName; 21import android.content.Intent; 22import android.content.IntentFilter; 23import android.content.pm.ApplicationInfo; 24import android.content.pm.IPackageManager; 25import android.content.pm.PackageManager; 26import android.os.Environment; 27import android.os.FileObserver; 28import android.os.Handler; 29import android.os.Message; 30import android.os.RemoteException; 31import android.util.ArrayMap; 32import android.util.Slog; 33import android.util.Xml; 34import com.android.internal.util.ArrayUtils; 35import com.android.internal.util.XmlUtils; 36import com.android.server.EventLogTags; 37import com.android.server.IntentResolver; 38import org.xmlpull.v1.XmlPullParser; 39import org.xmlpull.v1.XmlPullParserException; 40 41import java.io.File; 42import java.io.FileInputStream; 43import java.io.FileNotFoundException; 44import java.io.IOException; 45import java.util.ArrayList; 46import java.util.Arrays; 47import java.util.HashMap; 48import java.util.List; 49 50public class IntentFirewall { 51 static final String TAG = "IntentFirewall"; 52 53 // e.g. /data/system/ifw or /data/secure/system/ifw 54 private static final File RULES_DIR = new File(Environment.getSystemSecureDirectory(), "ifw"); 55 56 private static final int LOG_PACKAGES_MAX_LENGTH = 150; 57 private static final int LOG_PACKAGES_SUFFICIENT_LENGTH = 125; 58 59 private static final String TAG_RULES = "rules"; 60 private static final String TAG_ACTIVITY = "activity"; 61 private static final String TAG_SERVICE = "service"; 62 private static final String TAG_BROADCAST = "broadcast"; 63 64 private static final int TYPE_ACTIVITY = 0; 65 private static final int TYPE_BROADCAST = 1; 66 private static final int TYPE_SERVICE = 2; 67 68 private static final HashMap<String, FilterFactory> factoryMap; 69 70 private final AMSInterface mAms; 71 72 private final RuleObserver mObserver; 73 74 private FirewallIntentResolver mActivityResolver = new FirewallIntentResolver(); 75 private FirewallIntentResolver mBroadcastResolver = new FirewallIntentResolver(); 76 private FirewallIntentResolver mServiceResolver = new FirewallIntentResolver(); 77 78 static { 79 FilterFactory[] factories = new FilterFactory[] { 80 AndFilter.FACTORY, 81 OrFilter.FACTORY, 82 NotFilter.FACTORY, 83 84 StringFilter.ACTION, 85 StringFilter.COMPONENT, 86 StringFilter.COMPONENT_NAME, 87 StringFilter.COMPONENT_PACKAGE, 88 StringFilter.DATA, 89 StringFilter.HOST, 90 StringFilter.MIME_TYPE, 91 StringFilter.SCHEME, 92 StringFilter.PATH, 93 StringFilter.SSP, 94 95 CategoryFilter.FACTORY, 96 SenderFilter.FACTORY, 97 SenderPermissionFilter.FACTORY, 98 PortFilter.FACTORY 99 }; 100 101 // load factor ~= .75 102 factoryMap = new HashMap<String, FilterFactory>(factories.length * 4 / 3); 103 for (int i=0; i<factories.length; i++) { 104 FilterFactory factory = factories[i]; 105 factoryMap.put(factory.getTagName(), factory); 106 } 107 } 108 109 public IntentFirewall(AMSInterface ams) { 110 mAms = ams; 111 File rulesDir = getRulesDir(); 112 rulesDir.mkdirs(); 113 114 readRulesDir(rulesDir); 115 116 mObserver = new RuleObserver(rulesDir); 117 mObserver.startWatching(); 118 } 119 120 /** 121 * This is called from ActivityManager to check if a start activity intent should be allowed. 122 * It is assumed the caller is already holding the global ActivityManagerService lock. 123 */ 124 public boolean checkStartActivity(Intent intent, int callerUid, int callerPid, 125 String resolvedType, ApplicationInfo resolvedApp) { 126 return checkIntent(mActivityResolver, intent.getComponent(), TYPE_ACTIVITY, intent, 127 callerUid, callerPid, resolvedType, resolvedApp.uid); 128 } 129 130 public boolean checkService(ComponentName resolvedService, Intent intent, int callerUid, 131 int callerPid, String resolvedType, ApplicationInfo resolvedApp) { 132 return checkIntent(mServiceResolver, resolvedService, TYPE_SERVICE, intent, callerUid, 133 callerPid, resolvedType, resolvedApp.uid); 134 } 135 136 public boolean checkBroadcast(Intent intent, int callerUid, int callerPid, 137 String resolvedType, int receivingUid) { 138 return checkIntent(mBroadcastResolver, intent.getComponent(), TYPE_BROADCAST, intent, 139 callerUid, callerPid, resolvedType, receivingUid); 140 } 141 142 public boolean checkIntent(FirewallIntentResolver resolver, ComponentName resolvedComponent, 143 int intentType, Intent intent, int callerUid, int callerPid, String resolvedType, 144 int receivingUid) { 145 boolean log = false; 146 boolean block = false; 147 148 // For the first pass, find all the rules that have at least one intent-filter or 149 // component-filter that matches this intent 150 List<Rule> candidateRules; 151 candidateRules = resolver.queryIntent(intent, resolvedType, false, 0); 152 if (candidateRules == null) { 153 candidateRules = new ArrayList<Rule>(); 154 } 155 resolver.queryByComponent(resolvedComponent, candidateRules); 156 157 // For the second pass, try to match the potentially more specific conditions in each 158 // rule against the intent 159 for (int i=0; i<candidateRules.size(); i++) { 160 Rule rule = candidateRules.get(i); 161 if (rule.matches(this, resolvedComponent, intent, callerUid, callerPid, resolvedType, 162 receivingUid)) { 163 block |= rule.getBlock(); 164 log |= rule.getLog(); 165 166 // if we've already determined that we should both block and log, there's no need 167 // to continue trying rules 168 if (block && log) { 169 break; 170 } 171 } 172 } 173 174 if (log) { 175 logIntent(intentType, intent, callerUid, resolvedType); 176 } 177 178 return !block; 179 } 180 181 private static void logIntent(int intentType, Intent intent, int callerUid, 182 String resolvedType) { 183 // The component shouldn't be null, but let's double check just to be safe 184 ComponentName cn = intent.getComponent(); 185 String shortComponent = null; 186 if (cn != null) { 187 shortComponent = cn.flattenToShortString(); 188 } 189 190 String callerPackages = null; 191 int callerPackageCount = 0; 192 IPackageManager pm = AppGlobals.getPackageManager(); 193 if (pm != null) { 194 try { 195 String[] callerPackagesArray = pm.getPackagesForUid(callerUid); 196 if (callerPackagesArray != null) { 197 callerPackageCount = callerPackagesArray.length; 198 callerPackages = joinPackages(callerPackagesArray); 199 } 200 } catch (RemoteException ex) { 201 Slog.e(TAG, "Remote exception while retrieving packages", ex); 202 } 203 } 204 205 EventLogTags.writeIfwIntentMatched(intentType, shortComponent, callerUid, 206 callerPackageCount, callerPackages, intent.getAction(), resolvedType, 207 intent.getDataString(), intent.getFlags()); 208 } 209 210 /** 211 * Joins a list of package names such that the resulting string is no more than 212 * LOG_PACKAGES_MAX_LENGTH. 213 * 214 * Only full package names will be added to the result, unless every package is longer than the 215 * limit, in which case one of the packages will be truncated and added. In this case, an 216 * additional '-' character will be added to the end of the string, to denote the truncation. 217 * 218 * If it encounters a package that won't fit in the remaining space, it will continue on to the 219 * next package, unless the total length of the built string so far is greater than 220 * LOG_PACKAGES_SUFFICIENT_LENGTH, in which case it will stop and return what it has. 221 */ 222 private static String joinPackages(String[] packages) { 223 boolean first = true; 224 StringBuilder sb = new StringBuilder(); 225 for (int i=0; i<packages.length; i++) { 226 String pkg = packages[i]; 227 228 // + 1 length for the comma. This logic technically isn't correct for the first entry, 229 // but it's not critical. 230 if (sb.length() + pkg.length() + 1 < LOG_PACKAGES_MAX_LENGTH) { 231 if (!first) { 232 sb.append(','); 233 } else { 234 first = false; 235 } 236 sb.append(pkg); 237 } else if (sb.length() >= LOG_PACKAGES_SUFFICIENT_LENGTH) { 238 return sb.toString(); 239 } 240 } 241 if (sb.length() == 0 && packages.length > 0) { 242 String pkg = packages[0]; 243 // truncating from the end - the last part of the package name is more likely to be 244 // interesting/unique 245 return pkg.substring(pkg.length() - LOG_PACKAGES_MAX_LENGTH + 1) + '-'; 246 } 247 return null; 248 } 249 250 public static File getRulesDir() { 251 return RULES_DIR; 252 } 253 254 /** 255 * Reads rules from all xml files (*.xml) in the given directory, and replaces our set of rules 256 * with the newly read rules. 257 * 258 * We only check for files ending in ".xml", to allow for temporary files that are atomically 259 * renamed to .xml 260 * 261 * All calls to this method from the file observer come through a handler and are inherently 262 * serialized 263 */ 264 private void readRulesDir(File rulesDir) { 265 FirewallIntentResolver[] resolvers = new FirewallIntentResolver[3]; 266 for (int i=0; i<resolvers.length; i++) { 267 resolvers[i] = new FirewallIntentResolver(); 268 } 269 270 File[] files = rulesDir.listFiles(); 271 if (files != null) { 272 for (int i=0; i<files.length; i++) { 273 File file = files[i]; 274 275 if (file.getName().endsWith(".xml")) { 276 readRules(file, resolvers); 277 } 278 } 279 } 280 281 Slog.i(TAG, "Read new rules (A:" + resolvers[TYPE_ACTIVITY].filterSet().size() + 282 " B:" + resolvers[TYPE_BROADCAST].filterSet().size() + 283 " S:" + resolvers[TYPE_SERVICE].filterSet().size() + ")"); 284 285 synchronized (mAms.getAMSLock()) { 286 mActivityResolver = resolvers[TYPE_ACTIVITY]; 287 mBroadcastResolver = resolvers[TYPE_BROADCAST]; 288 mServiceResolver = resolvers[TYPE_SERVICE]; 289 } 290 } 291 292 /** 293 * Reads rules from the given file and add them to the given resolvers 294 */ 295 private void readRules(File rulesFile, FirewallIntentResolver[] resolvers) { 296 // some temporary lists to hold the rules while we parse the xml file, so that we can 297 // add the rules all at once, after we know there weren't any major structural problems 298 // with the xml file 299 List<List<Rule>> rulesByType = new ArrayList<List<Rule>>(3); 300 for (int i=0; i<3; i++) { 301 rulesByType.add(new ArrayList<Rule>()); 302 } 303 304 FileInputStream fis; 305 try { 306 fis = new FileInputStream(rulesFile); 307 } catch (FileNotFoundException ex) { 308 // Nope, no rules. Nothing else to do! 309 return; 310 } 311 312 try { 313 XmlPullParser parser = Xml.newPullParser(); 314 315 parser.setInput(fis, null); 316 317 XmlUtils.beginDocument(parser, TAG_RULES); 318 319 int outerDepth = parser.getDepth(); 320 while (XmlUtils.nextElementWithin(parser, outerDepth)) { 321 int ruleType = -1; 322 323 String tagName = parser.getName(); 324 if (tagName.equals(TAG_ACTIVITY)) { 325 ruleType = TYPE_ACTIVITY; 326 } else if (tagName.equals(TAG_BROADCAST)) { 327 ruleType = TYPE_BROADCAST; 328 } else if (tagName.equals(TAG_SERVICE)) { 329 ruleType = TYPE_SERVICE; 330 } 331 332 if (ruleType != -1) { 333 Rule rule = new Rule(); 334 335 List<Rule> rules = rulesByType.get(ruleType); 336 337 // if we get an error while parsing a particular rule, we'll just ignore 338 // that rule and continue on with the next rule 339 try { 340 rule.readFromXml(parser); 341 } catch (XmlPullParserException ex) { 342 Slog.e(TAG, "Error reading an intent firewall rule from " + rulesFile, ex); 343 continue; 344 } 345 346 rules.add(rule); 347 } 348 } 349 } catch (XmlPullParserException ex) { 350 // if there was an error outside of a specific rule, then there are probably 351 // structural problems with the xml file, and we should completely ignore it 352 Slog.e(TAG, "Error reading intent firewall rules from " + rulesFile, ex); 353 return; 354 } catch (IOException ex) { 355 Slog.e(TAG, "Error reading intent firewall rules from " + rulesFile, ex); 356 return; 357 } finally { 358 try { 359 fis.close(); 360 } catch (IOException ex) { 361 Slog.e(TAG, "Error while closing " + rulesFile, ex); 362 } 363 } 364 365 for (int ruleType=0; ruleType<rulesByType.size(); ruleType++) { 366 List<Rule> rules = rulesByType.get(ruleType); 367 FirewallIntentResolver resolver = resolvers[ruleType]; 368 369 for (int ruleIndex=0; ruleIndex<rules.size(); ruleIndex++) { 370 Rule rule = rules.get(ruleIndex); 371 for (int i=0; i<rule.getIntentFilterCount(); i++) { 372 resolver.addFilter(rule.getIntentFilter(i)); 373 } 374 for (int i=0; i<rule.getComponentFilterCount(); i++) { 375 resolver.addComponentFilter(rule.getComponentFilter(i), rule); 376 } 377 } 378 } 379 } 380 381 static Filter parseFilter(XmlPullParser parser) throws IOException, XmlPullParserException { 382 String elementName = parser.getName(); 383 384 FilterFactory factory = factoryMap.get(elementName); 385 386 if (factory == null) { 387 throw new XmlPullParserException("Unknown element in filter list: " + elementName); 388 } 389 return factory.newFilter(parser); 390 } 391 392 /** 393 * Represents a single activity/service/broadcast rule within one of the xml files. 394 * 395 * Rules are matched against an incoming intent in two phases. The goal of the first phase 396 * is to select a subset of rules that might match a given intent. 397 * 398 * For the first phase, we use a combination of intent filters (via an IntentResolver) 399 * and component filters to select which rules to check. If a rule has multiple intent or 400 * component filters, only a single filter must match for the rule to be passed on to the 401 * second phase. 402 * 403 * In the second phase, we check the specific conditions in each rule against the values in the 404 * intent. All top level conditions (but not filters) in the rule must match for the rule as a 405 * whole to match. 406 * 407 * If the rule matches, then we block or log the intent, as specified by the rule. If multiple 408 * rules match, we combine the block/log flags from any matching rule. 409 */ 410 private static class Rule extends AndFilter { 411 private static final String TAG_INTENT_FILTER = "intent-filter"; 412 private static final String TAG_COMPONENT_FILTER = "component-filter"; 413 private static final String ATTR_NAME = "name"; 414 415 private static final String ATTR_BLOCK = "block"; 416 private static final String ATTR_LOG = "log"; 417 418 private final ArrayList<FirewallIntentFilter> mIntentFilters = 419 new ArrayList<FirewallIntentFilter>(1); 420 private final ArrayList<ComponentName> mComponentFilters = new ArrayList<ComponentName>(0); 421 private boolean block; 422 private boolean log; 423 424 @Override 425 public Rule readFromXml(XmlPullParser parser) throws IOException, XmlPullParserException { 426 block = Boolean.parseBoolean(parser.getAttributeValue(null, ATTR_BLOCK)); 427 log = Boolean.parseBoolean(parser.getAttributeValue(null, ATTR_LOG)); 428 429 super.readFromXml(parser); 430 return this; 431 } 432 433 @Override 434 protected void readChild(XmlPullParser parser) throws IOException, XmlPullParserException { 435 String currentTag = parser.getName(); 436 437 if (currentTag.equals(TAG_INTENT_FILTER)) { 438 FirewallIntentFilter intentFilter = new FirewallIntentFilter(this); 439 intentFilter.readFromXml(parser); 440 mIntentFilters.add(intentFilter); 441 } else if (currentTag.equals(TAG_COMPONENT_FILTER)) { 442 String componentStr = parser.getAttributeValue(null, ATTR_NAME); 443 if (componentStr == null) { 444 throw new XmlPullParserException("Component name must be specified.", 445 parser, null); 446 } 447 448 ComponentName componentName = ComponentName.unflattenFromString(componentStr); 449 if (componentName == null) { 450 throw new XmlPullParserException("Invalid component name: " + componentStr); 451 } 452 453 mComponentFilters.add(componentName); 454 } else { 455 super.readChild(parser); 456 } 457 } 458 459 public int getIntentFilterCount() { 460 return mIntentFilters.size(); 461 } 462 463 public FirewallIntentFilter getIntentFilter(int index) { 464 return mIntentFilters.get(index); 465 } 466 467 public int getComponentFilterCount() { 468 return mComponentFilters.size(); 469 } 470 471 public ComponentName getComponentFilter(int index) { 472 return mComponentFilters.get(index); 473 } 474 public boolean getBlock() { 475 return block; 476 } 477 478 public boolean getLog() { 479 return log; 480 } 481 } 482 483 private static class FirewallIntentFilter extends IntentFilter { 484 private final Rule rule; 485 486 public FirewallIntentFilter(Rule rule) { 487 this.rule = rule; 488 } 489 } 490 491 private static class FirewallIntentResolver 492 extends IntentResolver<FirewallIntentFilter, Rule> { 493 @Override 494 protected boolean allowFilterResult(FirewallIntentFilter filter, List<Rule> dest) { 495 return !dest.contains(filter.rule); 496 } 497 498 @Override 499 protected boolean isPackageForFilter(String packageName, FirewallIntentFilter filter) { 500 return true; 501 } 502 503 @Override 504 protected FirewallIntentFilter[] newArray(int size) { 505 return new FirewallIntentFilter[size]; 506 } 507 508 @Override 509 protected Rule newResult(FirewallIntentFilter filter, int match, int userId) { 510 return filter.rule; 511 } 512 513 @Override 514 protected void sortResults(List<Rule> results) { 515 // there's no need to sort the results 516 return; 517 } 518 519 public void queryByComponent(ComponentName componentName, List<Rule> candidateRules) { 520 Rule[] rules = mRulesByComponent.get(componentName); 521 if (rules != null) { 522 candidateRules.addAll(Arrays.asList(rules)); 523 } 524 } 525 526 public void addComponentFilter(ComponentName componentName, Rule rule) { 527 Rule[] rules = mRulesByComponent.get(componentName); 528 rules = ArrayUtils.appendElement(Rule.class, rules, rule); 529 mRulesByComponent.put(componentName, rules); 530 } 531 532 private final ArrayMap<ComponentName, Rule[]> mRulesByComponent = 533 new ArrayMap<ComponentName, Rule[]>(0); 534 } 535 536 final Handler mHandler = new Handler() { 537 @Override 538 public void handleMessage(Message msg) { 539 readRulesDir(getRulesDir()); 540 } 541 }; 542 543 /** 544 * Monitors for the creation/deletion/modification of any .xml files in the rule directory 545 */ 546 private class RuleObserver extends FileObserver { 547 private static final int MONITORED_EVENTS = FileObserver.CREATE|FileObserver.MOVED_TO| 548 FileObserver.CLOSE_WRITE|FileObserver.DELETE|FileObserver.MOVED_FROM; 549 550 public RuleObserver(File monitoredDir) { 551 super(monitoredDir.getAbsolutePath(), MONITORED_EVENTS); 552 } 553 554 @Override 555 public void onEvent(int event, String path) { 556 if (path.endsWith(".xml")) { 557 // we wait 250ms before taking any action on an event, in order to dedup multiple 558 // events. E.g. a delete event followed by a create event followed by a subsequent 559 // write+close event 560 mHandler.removeMessages(0); 561 mHandler.sendEmptyMessageDelayed(0, 250); 562 } 563 } 564 } 565 566 /** 567 * This interface contains the methods we need from ActivityManagerService. This allows AMS to 568 * export these methods to us without making them public, and also makes it easier to test this 569 * component. 570 */ 571 public interface AMSInterface { 572 int checkComponentPermission(String permission, int pid, int uid, 573 int owningUid, boolean exported); 574 Object getAMSLock(); 575 } 576 577 /** 578 * Checks if the caller has access to a component 579 * 580 * @param permission If present, the caller must have this permission 581 * @param pid The pid of the caller 582 * @param uid The uid of the caller 583 * @param owningUid The uid of the application that owns the component 584 * @param exported Whether the component is exported 585 * @return True if the caller can access the described component 586 */ 587 boolean checkComponentPermission(String permission, int pid, int uid, int owningUid, 588 boolean exported) { 589 return mAms.checkComponentPermission(permission, pid, uid, owningUid, exported) == 590 PackageManager.PERMISSION_GRANTED; 591 } 592 593 boolean signaturesMatch(int uid1, int uid2) { 594 try { 595 IPackageManager pm = AppGlobals.getPackageManager(); 596 return pm.checkUidSignatures(uid1, uid2) == PackageManager.SIGNATURE_MATCH; 597 } catch (RemoteException ex) { 598 Slog.e(TAG, "Remote exception while checking signatures", ex); 599 return false; 600 } 601 } 602 603} 604