r24625: {} adding in iptables API wrapper class from Droidwall (projects/android/trunk/Orbot/src/org/torproject/android/service)

15 Apr 2011

Author: n8fr8
Date: 2011-04-15 05:57:52 +0000 (Fri, 15 Apr 2011)
New Revision: 24625

Added:
   projects/android/trunk/Orbot/src/org/torproject/android/service/Api.java
Log:
adding in iptables API wrapper class from Droidwall


Added: projects/android/trunk/Orbot/src/org/torproject/android/service/Api.java
===================================================================

--- projects/android/trunk/Orbot/src/org/torproject/android/service/Api.java	                        (rev 0)
+++ projects/android/trunk/Orbot/src/org/torproject/android/service/Api.java	2011-04-15 05:57:52 UTC (rev 24625)
@@ -0,0 +1,1052 @@
+/**
+ * Contains shared programming interfaces.
+ * All iptables "communication" is handled by this class.
+ * 
+ * Copyright (C) 2009-2010  Rodrigo Zechin Rosauro
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * @author Rodrigo Zechin Rosauro
+ * @version 1.0
+ */
+
+package org.torproject.android.service;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.io.StringReader;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.StringTokenizer;
+
+import org.torproject.android.R;
+
+import android.Manifest;
+import android.app.AlertDialog;
+import android.content.Context;
+import android.content.Intent;
+import android.content.SharedPreferences;
+import android.content.SharedPreferences.Editor;
+import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageManager;
+import android.util.Log;
+import android.widget.Toast;
+
+/**
+ * Contains shared programming interfaces.
+ * All iptables "communication" is handled by this class.
+ */
+public final class Api {
+	/** application version string */
+	public static final String VERSION = "1.5.1-dev";
+	/** special application UID used to indicate "any application" */
+	public static final int SPECIAL_UID_ANY	= -10;
+	/** special application UID used to indicate the Linux Kernel */
+	public static final int SPECIAL_UID_KERNEL	= -11;
+	/** root script filename */
+	private static final String SCRIPT_FILE = "droidwall.sh";
+	
+	// Preferences
+	public static final String PREFS_NAME 		= "DroidWallPrefs";
+	public static final String PREF_3G_UIDS		= "AllowedUids3G";
+	public static final String PREF_WIFI_UIDS	= "AllowedUidsWifi";
+	public static final String PREF_PASSWORD 	= "Password";
+	public static final String PREF_MODE 		= "BlockMode";
+	public static final String PREF_ENABLED		= "Enabled";
+	public static final String PREF_LOGENABLED	= "LogEnabled";
+	// Modes
+	public static final String MODE_WHITELIST = "whitelist";
+	public static final String MODE_BLACKLIST = "blacklist";
+	// Messages
+	public static final String STATUS_CHANGED_MSG 	= "com.googlecode.droidwall.intent.action.STATUS_CHANGED";
+	public static final String TOGGLE_REQUEST_MSG	= "com.googlecode.droidwall.intent.action.TOGGLE_REQUEST";
+	public static final String STATUS_EXTRA			= "com.googlecode.droidwall.intent.extra.STATUS";
+	
+	// Cached applications
+	public static DroidApp applications[] = null;
+	// Do we have root access?
+	private static boolean hasroot = false;
+	// Flag indicating if this is an ARMv6 device (-1: unknown, 0: no,  1: yes)
+	private static int isARMv6 = -1;
+
+    /**
+     * Display a simple alert box
+     * @param ctx context
+     * @param msg message
+     */
+	public static void alert(Context ctx, CharSequence msg) {
+    	if (ctx != null) {
+        	new AlertDialog.Builder(ctx)
+        	.setNeutralButton(android.R.string.ok, null)
+        	.setMessage(msg)
+        	.show();
+    	}
+    }
+	/**
+	 * Check if this is an ARMv6 device
+	 * @return true if this is ARMv6
+	 */
+	private static boolean isARMv6() {
+		if (isARMv6 == -1) {
+			BufferedReader r = null;
+			try {
+				isARMv6 = 0;
+				r = new BufferedReader(new FileReader("/proc/cpuinfo"));
+				for (String line = r.readLine(); line != null; line = r.readLine()) {
+					if (line.startsWith("Processor") && line.contains("ARMv6")) {
+						isARMv6 = 1;
+						break;
+					} else if (line.startsWith("CPU architecture") && (line.contains("6TE") || line.contains("5TE"))) {
+						isARMv6 = 1;
+						break;
+					}
+				}
+			} catch (Exception ex) {
+			} finally {
+				if (r != null) try {r.close();} catch (Exception ex) {}
+			}
+		}
+		return (isARMv6 == 1);
+	}
+	/**
+	 * Create the generic shell script header used to determine which iptables binary to use.
+	 * @param ctx context
+	 * @return script header
+	 */
+	private static String scriptHeader(Context ctx) {
+		final String dir = ctx.getDir("bin",0).getAbsolutePath();
+		final String myiptables = dir + (isARMv6() ? "/iptables_g1" : "/iptables_n1");
+		return "" +
+			"IPTABLES=iptables\n" +
+			"BUSYBOX=busybox\n" +
+			"GREP=grep\n" +
+			"ECHO=echo\n" +
+			"# Try to find busybox\n" +
+			"if " + dir + "/busybox_g1 --help >/dev/null 2>/dev/null ; then\n" +
+			"	BUSYBOX="+dir+"/busybox_g1\n" +
+			"	GREP=\"$BUSYBOX grep\"\n" +
+			"	ECHO=\"$BUSYBOX echo\"\n" +
+			"elif busybox --help >/dev/null 2>/dev/null ; then\n" +
+			"	BUSYBOX=busybox\n" +
+			"elif /system/xbin/busybox --help >/dev/null 2>/dev/null ; then\n" +
+			"	BUSYBOX=/system/xbin/busybox\n" +
+			"elif /system/bin/busybox --help >/dev/null 2>/dev/null ; then\n" +
+			"	BUSYBOX=/system/bin/busybox\n" +
+			"fi\n" +
+			"# Try to find grep\n" +
+			"if ! $ECHO 1 | $GREP -q 1 >/dev/null 2>/dev/null ; then\n" +
+			"	if $ECHO 1 | $BUSYBOX grep -q 1 >/dev/null 2>/dev/null ; then\n" +
+			"		GREP=\"$BUSYBOX grep\"\n" +
+			"	fi\n" +
+			"	# Grep is absolutely required\n" +
+			"	if ! $ECHO 1 | $GREP -q 1 >/dev/null 2>/dev/null ; then\n" +
+			"		$ECHO The grep command is required. DroidWall will not work.\n" +
+			"		exit 1\n" +
+			"	fi\n" +
+			"fi\n" +
+			"# Try to find iptables\n" +
+			"if " + myiptables + " --version >/dev/null 2>/dev/null ; then\n" +
+			"	IPTABLES="+myiptables+"\n" +
+			"fi\n" +
+			"";
+	}
+	/**
+	 * Copies a raw resource file, given its ID to the given location
+	 * @param ctx context
+	 * @param resid resource id
+	 * @param file destination file
+	 * @param mode file permissions (E.g.: "755")
+	 * @throws IOException on error
+	 * @throws InterruptedException when interrupted
+	 */
+	private static void copyRawFile(Context ctx, int resid, File file, String mode) throws IOException, InterruptedException
+	{
+		final String abspath = file.getAbsolutePath();
+		// Write the iptables binary
+		final FileOutputStream out = new FileOutputStream(file);
+		final InputStream is = ctx.getResources().openRawResource(resid);
+		byte buf[] = new byte[1024];
+		int len;
+		while ((len = is.read(buf)) > 0) {
+			out.write(buf, 0, len);
+		}
+		out.close();
+		is.close();
+		// Change the permissions
+		Runtime.getRuntime().exec("chmod "+mode+" "+abspath).waitFor();
+	}
+    /**
+     * Purge and re-add all rules (internal implementation).
+     * @param ctx application context (mandatory)
+     * @param uidsWifi list of selected UIDs for WIFI to allow or disallow (depending on the working mode)
+     * @param uids3g list of selected UIDs for 2G/3G to allow or disallow (depending on the working mode)
+     * @param showErrors indicates if errors should be alerted
+     */
+	private static boolean applyIptablesRulesImpl(Context ctx, List<Integer> uidsWifi, List<Integer> uids3g, boolean showErrors) {
+		if (ctx == null) {
+			return false;
+		}
+		assertBinaries(ctx, showErrors);
+		final String ITFS_WIFI[] = {"tiwlan+", "wlan+", "eth+"};
+		final String ITFS_3G[] = {"rmnet+","pdp+","ppp+","uwbr+","wimax+","vsnet+"};
+		final SharedPreferences prefs = ctx.getSharedPreferences(PREFS_NAME, 0);
+		final boolean whitelist = prefs.getString(PREF_MODE, MODE_WHITELIST).equals(MODE_WHITELIST);
+		final boolean blacklist = !whitelist;
+		final boolean logenabled = ctx.getSharedPreferences(PREFS_NAME, 0).getBoolean(PREF_LOGENABLED, false);
+
+    	final StringBuilder script = new StringBuilder();
+		try {
+			int code;
+			script.append(scriptHeader(ctx));
+			script.append("" +
+				"$IPTABLES --version || exit 1\n" +
+				"# Create the droidwall chains if necessary\n" +
+				"$IPTABLES -L droidwall >/dev/null 2>/dev/null || $IPTABLES --new droidwall || exit 2\n" +
+				"$IPTABLES -L droidwall-3g >/dev/null 2>/dev/null || $IPTABLES --new droidwall-3g || exit 3\n" +
+				"$IPTABLES -L droidwall-wifi >/dev/null 2>/dev/null || $IPTABLES --new droidwall-wifi || exit 4\n" +
+				"$IPTABLES -L droidwall-reject >/dev/null 2>/dev/null || $IPTABLES --new droidwall-reject || exit 5\n" +
+				"# Add droidwall chain to OUTPUT chain if necessary\n" +
+				"$IPTABLES -L OUTPUT | $GREP -q droidwall || $IPTABLES -A OUTPUT -j droidwall || exit 6\n" +
+				"# Flush existing rules\n" +
+				"$IPTABLES -F droidwall || exit 7\n" +
+				"$IPTABLES -F droidwall-3g || exit 8\n" +
+				"$IPTABLES -F droidwall-wifi || exit 9\n" +
+				"$IPTABLES -F droidwall-reject || exit 10\n" +
+			"");
+			// Check if logging is enabled
+			if (logenabled) {
+				script.append("" +
+					"# Create the log and reject rules (ignore errors on the LOG target just in case it is not available)\n" +
+					"$IPTABLES -A droidwall-reject -j LOG --log-prefix \"[DROIDWALL] \" --log-uid\n" +
+					"$IPTABLES -A droidwall-reject -j REJECT || exit 11\n" +
+				"");
+			} else {
+				script.append("" +
+					"# Create the reject rule (log disabled)\n" +
+					"$IPTABLES -A droidwall-reject -j REJECT || exit 11\n" +
+				"");
+			}
+			if (whitelist && logenabled) {
+				script.append("# Allow DNS lookups on white-list for a better logging (ignore errors)\n");
+				script.append("$IPTABLES -A droidwall -p udp --dport 53 -j RETURN\n");
+			}
+			script.append("# Main rules (per interface)\n");
+			for (final String itf : ITFS_3G) {
+				script.append("$IPTABLES -A droidwall -o ").append(itf).append(" -j droidwall-3g || exit\n");
+			}
+			for (final String itf : ITFS_WIFI) {
+				script.append("$IPTABLES -A droidwall -o ").append(itf).append(" -j droidwall-wifi || exit\n");
+			}
+			
+			script.append("# Filtering rules\n");
+			final String targetRule = (whitelist ? "RETURN" : "droidwall-reject");
+			final boolean any_3g = uids3g.indexOf(SPECIAL_UID_ANY) >= 0;
+			final boolean any_wifi = uidsWifi.indexOf(SPECIAL_UID_ANY) >= 0;
+			if (whitelist && !any_wifi) {
+				// When "white listing" wifi, we need to ensure that the dhcp and wifi users are allowed
+				int uid = android.os.Process.getUidForName("dhcp");
+				if (uid != -1) {
+					script.append("# dhcp user\n");
+					script.append("$IPTABLES -A droidwall-wifi -m owner --uid-owner ").append(uid).append(" -j RETURN || exit\n");
+				}
+				uid = android.os.Process.getUidForName("wifi");
+				if (uid != -1) {
+					script.append("# wifi user\n");
+					script.append("$IPTABLES -A droidwall-wifi -m owner --uid-owner ").append(uid).append(" -j RETURN || exit\n");
+				}
+			}
+			if (any_3g) {
+				if (blacklist) {
+					/* block any application on this interface */
+					script.append("$IPTABLES -A droidwall-3g -j ").append(targetRule).append(" || exit\n");
+				}
+			} else {
+				/* release/block individual applications on this interface */
+				for (final Integer uid : uids3g) {
+					if (uid >= 0) script.append("$IPTABLES -A droidwall-3g -m owner --uid-owner ").append(uid).append(" -j ").append(targetRule).append(" || exit\n");
+				}
+			}
+			if (any_wifi) {
+				if (blacklist) {
+					/* block any application on this interface */
+					script.append("$IPTABLES -A droidwall-wifi -j ").append(targetRule).append(" || exit\n");
+				}
+			} else {
+				/* release/block individual applications on this interface */
+				for (final Integer uid : uidsWifi) {
+					if (uid >= 0) script.append("$IPTABLES -A droidwall-wifi -m owner --uid-owner ").append(uid).append(" -j ").append(targetRule).append(" || exit\n");
+				}
+			}
+			if (whitelist) {
+				if (!any_3g) {
+					if (uids3g.indexOf(SPECIAL_UID_KERNEL) >= 0) {
+						script.append("# hack to allow kernel packets on white-list\n");
+						script.append("$IPTABLES -A droidwall-3g -m owner --uid-owner 0:999999999 -j droidwall-reject || exit\n");
+					} else {
+						script.append("$IPTABLES -A droidwall-3g -j droidwall-reject || exit\n");
+					}
+				}
+				if (!any_wifi) {
+					if (uidsWifi.indexOf(SPECIAL_UID_KERNEL) >= 0) {
+						script.append("# hack to allow kernel packets on white-list\n");
+						script.append("$IPTABLES -A droidwall-wifi -m owner --uid-owner 0:999999999 -j droidwall-reject || exit\n");
+					} else {
+						script.append("$IPTABLES -A droidwall-wifi -j droidwall-reject || exit\n");
+					}
+				}
+			} else {
+				if (uids3g.indexOf(SPECIAL_UID_KERNEL) >= 0) {
+					script.append("# hack to BLOCK kernel packets on black-list\n");
+					script.append("$IPTABLES -A droidwall-3g -m owner --uid-owner 0:999999999 -j RETURN || exit\n");
+					script.append("$IPTABLES -A droidwall-3g -j droidwall-reject || exit\n");
+				}
+				if (uidsWifi.indexOf(SPECIAL_UID_KERNEL) >= 0) {
+					script.append("# hack to BLOCK kernel packets on black-list\n");
+					script.append("$IPTABLES -A droidwall-wifi -m owner --uid-owner 0:999999999 -j RETURN || exit\n");
+					script.append("$IPTABLES -A droidwall-wifi -j droidwall-reject || exit\n");
+				}
+			}
+	    	final StringBuilder res = new StringBuilder();
+			code = runScriptAsRoot(ctx, script.toString(), res);
+			if (showErrors && code != 0) {
+				String msg = res.toString();
+				Log.e("DroidWall", msg);
+				// Remove unnecessary help message from output
+				if (msg.indexOf("\nTry `iptables -h' or 'iptables --help' for more information.") != -1) {
+					msg = msg.replace("\nTry `iptables -h' or 'iptables --help' for more information.", "");
+				}
+				alert(ctx, "Error applying iptables rules. Exit code: " + code + "\n\n" + msg.trim());
+			} else {
+				return true;
+			}
+		} catch (Exception e) {
+			if (showErrors) alert(ctx, "error refreshing iptables: " + e);
+		}
+		return false;
+    }
+    /**
+     * Purge and re-add all saved rules (not in-memory ones).
+     * This is much faster than just calling "applyIptablesRules", since it don't need to read installed applications.
+     * @param ctx application context (mandatory)
+     * @param showErrors indicates if errors should be alerted
+     */
+	public static boolean applySavedIptablesRules(Context ctx, boolean showErrors) {
+		if (ctx == null) {
+			return false;
+		}
+		final SharedPreferences prefs = ctx.getSharedPreferences(PREFS_NAME, 0);
+		final String savedUids_wifi = prefs.getString(PREF_WIFI_UIDS, "");
+		final String savedUids_3g = prefs.getString(PREF_3G_UIDS, "");
+		final List<Integer> uids_wifi = new LinkedList<Integer>();
+		if (savedUids_wifi.length() > 0) {
+			// Check which applications are allowed on wifi
+			final StringTokenizer tok = new StringTokenizer(savedUids_wifi, "|");
+			while (tok.hasMoreTokens()) {
+				final String uid = tok.nextToken();
+				if (!uid.equals("")) {
+					try {
+						uids_wifi.add(Integer.parseInt(uid));
+					} catch (Exception ex) {
+					}
+				}
+			}
+		}
+		final List<Integer> uids_3g = new LinkedList<Integer>();
+		if (savedUids_3g.length() > 0) {
+			// Check which applications are allowed on 2G/3G
+			final StringTokenizer tok = new StringTokenizer(savedUids_3g, "|");
+			while (tok.hasMoreTokens()) {
+				final String uid = tok.nextToken();
+				if (!uid.equals("")) {
+					try {
+						uids_3g.add(Integer.parseInt(uid));
+					} catch (Exception ex) {
+					}
+				}
+			}
+		}
+		return applyIptablesRulesImpl(ctx, uids_wifi, uids_3g, showErrors);
+	}
+	
+    /**
+     * Purge and re-add all rules.
+     * @param ctx application context (mandatory)
+     * @param showErrors indicates if errors should be alerted
+     */
+	public static boolean applyIptablesRules(Context ctx, boolean showErrors) {
+		if (ctx == null) {
+			return false;
+		}
+		saveRules(ctx);
+		return applySavedIptablesRules(ctx, showErrors);
+    }
+	
+	/**
+	 * Save current rules using the preferences storage.
+	 * @param ctx application context (mandatory)
+	 */
+	public static void saveRules(Context ctx) {
+		final SharedPreferences prefs = ctx.getSharedPreferences(PREFS_NAME, 0);
+		final DroidApp[] apps = getApps(ctx);
+		// Builds a pipe-separated list of names
+		final StringBuilder newuids_wifi = new StringBuilder();
+		final StringBuilder newuids_3g = new StringBuilder();
+		for (int i=0; i<apps.length; i++) {
+			if (apps[i].selected_wifi) {
+				if (newuids_wifi.length() != 0) newuids_wifi.append('|');
+				newuids_wifi.append(apps[i].uid);
+			}
+			if (apps[i].selected_3g) {
+				if (newuids_3g.length() != 0) newuids_3g.append('|');
+				newuids_3g.append(apps[i].uid);
+			}
+		}
+		// save the new list of UIDs
+		final Editor edit = prefs.edit();
+		edit.putString(PREF_WIFI_UIDS, newuids_wifi.toString());
+		edit.putString(PREF_3G_UIDS, newuids_3g.toString());
+		edit.commit();
+    }
+    
+    /**
+     * Purge all iptables rules.
+     * @param ctx mandatory context
+     * @param showErrors indicates if errors should be alerted
+     * @return true if the rules were purged
+     */
+	public static boolean purgeIptables(Context ctx, boolean showErrors) {
+    	StringBuilder res = new StringBuilder();
+		try {
+			assertBinaries(ctx, showErrors);
+			int code = runScriptAsRoot(ctx, scriptHeader(ctx) +
+					"$IPTABLES -F droidwall\n" +
+					"$IPTABLES -F droidwall-reject\n" +
+					"$IPTABLES -F droidwall-3g\n" +
+					"$IPTABLES -F droidwall-wifi\n", res);
+			if (code == -1) {
+				if (showErrors) alert(ctx, "error purging iptables. exit code: " + code + "\n" + res);
+				return false;
+			}
+			return true;
+		} catch (Exception e) {
+			if (showErrors) alert(ctx, "error purging iptables: " + e);
+			return false;
+		}
+    }
+	
+	/**
+	 * Display iptables rules output
+	 * @param ctx application context
+	 */
+	public static void showIptablesRules(Context ctx) {
+		try {
+    		final StringBuilder res = new StringBuilder();
+			runScriptAsRoot(ctx, scriptHeader(ctx) +
+								 "$ECHO $IPTABLES\n" +
+								 "$IPTABLES -L -v\n", res);
+			alert(ctx, res);
+		} catch (Exception e) {
+			alert(ctx, "error: " + e);
+		}
+	}
+
+	/**
+	 * Display logs
+	 * @param ctx application context
+     * @return true if the clogs were cleared
+	 */
+	public static boolean clearLog(Context ctx) {
+		try {
+			final StringBuilder res = new StringBuilder();
+			int code = runScriptAsRoot(ctx, "dmesg -c >/dev/null || exit\n", res);
+			if (code != 0) {
+				alert(ctx, res);
+				return false;
+			}
+			return true;
+		} catch (Exception e) {
+			alert(ctx, "error: " + e);
+		}
+		return false;
+	}
+	/**
+	 * Display logs
+	 * @param ctx application context
+	 */
+	public static void showLog(Context ctx) {
+		try {
+    		StringBuilder res = new StringBuilder();
+			int code = runScriptAsRoot(ctx, scriptHeader(ctx) +
+					"dmesg | $GREP DROIDWALL\n", res);
+			if (code != 0) {
+				if (res.length() == 0) {
+					res.append("Log is empty");
+				}
+				alert(ctx, res);
+				return;
+			}
+			final BufferedReader r = new BufferedReader(new StringReader(res.toString()));
+			final Integer unknownUID = -99;
+			res = new StringBuilder();
+			String line;
+			int start, end;
+			Integer appid;
+			final HashMap<Integer, LogInfo> map = new HashMap<Integer, LogInfo>();
+			LogInfo loginfo = null;
+			while ((line = r.readLine()) != null) {
+				if (line.indexOf("[DROIDWALL]") == -1) continue;
+				appid = unknownUID;
+				if (((start=line.indexOf("UID=")) != -1) && ((end=line.indexOf(" ", start)) != -1)) {
+					appid = Integer.parseInt(line.substring(start+4, end));
+				}
+				loginfo = map.get(appid);
+				if (loginfo == null) {
+					loginfo = new LogInfo();
+					map.put(appid, loginfo);
+				}
+				loginfo.totalBlocked += 1;
+				if (((start=line.indexOf("DST=")) != -1) && ((end=line.indexOf(" ", start)) != -1)) {
+					String dst = line.substring(start+4, end);
+					if (loginfo.dstBlocked.containsKey(dst)) {
+						loginfo.dstBlocked.put(dst, loginfo.dstBlocked.get(dst) + 1);
+					} else {
+						loginfo.dstBlocked.put(dst, 1);
+					}
+				}
+			}
+			final DroidApp[] apps = getApps(ctx);
+			for (Integer id : map.keySet()) {
+				res.append("App ID ");
+				if (id != unknownUID) {
+					res.append(id);
+					for (DroidApp app : apps) {
+						if (app.uid == id) {
+							res.append(" (").append(app.names[0]);
+							if (app.names.length > 1) {
+								res.append(", ...)");
+							} else {
+								res.append(")");
+							}
+							break;
+						}
+					}
+				} else {
+					res.append("(kernel)");
+				}
+				loginfo = map.get(id);
+				res.append(" - Blocked ").append(loginfo.totalBlocked).append(" packets");
+				if (loginfo.dstBlocked.size() > 0) {
+					res.append(" (");
+					boolean first = true;
+					for (String dst : loginfo.dstBlocked.keySet()) {
+						if (!first) {
+							res.append(", ");
+						}
+						res.append(loginfo.dstBlocked.get(dst)).append(" packets for ").append(dst);
+						first = false;
+					}
+					res.append(")");
+				}
+				res.append("\n\n");
+			}
+			if (res.length() == 0) {
+				res.append("Log is empty");
+			}
+			alert(ctx, res);
+		} catch (Exception e) {
+			alert(ctx, "error: " + e);
+		}
+	}
+
+    /**
+     * @param ctx application context (mandatory)
+     * @return a list of applications
+     */
+	public static DroidApp[] getApps(Context ctx) {
+		if (applications != null) {
+			// return cached instance
+			return applications;
+		}
+		final SharedPreferences prefs = ctx.getSharedPreferences(PREFS_NAME, 0);
+		// allowed application names separated by pipe '|' (persisted)
+		final String savedUids_wifi = prefs.getString(PREF_WIFI_UIDS, "");
+		final String savedUids_3g = prefs.getString(PREF_3G_UIDS, "");
+		int selected_wifi[] = new int[0];
+		int selected_3g[] = new int[0];
+		if (savedUids_wifi.length() > 0) {
+			// Check which applications are allowed
+			final StringTokenizer tok = new StringTokenizer(savedUids_wifi, "|");
+			selected_wifi = new int[tok.countTokens()];
+			for (int i=0; i<selected_wifi.length; i++) {
+				final String uid = tok.nextToken();
+				if (!uid.equals("")) {
+					try {
+						selected_wifi[i] = Integer.parseInt(uid);
+					} catch (Exception ex) {
+						selected_wifi[i] = -1;
+					}
+				}
+			}
+			// Sort the array to allow using "Arrays.binarySearch" later
+			Arrays.sort(selected_wifi);
+		}
+		if (savedUids_3g.length() > 0) {
+			// Check which applications are allowed
+			final StringTokenizer tok = new StringTokenizer(savedUids_3g, "|");
+			selected_3g = new int[tok.countTokens()];
+			for (int i=0; i<selected_3g.length; i++) {
+				final String uid = tok.nextToken();
+				if (!uid.equals("")) {
+					try {
+						selected_3g[i] = Integer.parseInt(uid);
+					} catch (Exception ex) {
+						selected_3g[i] = -1;
+					}
+				}
+			}
+			// Sort the array to allow using "Arrays.binarySearch" later
+			Arrays.sort(selected_3g);
+		}
+		try {
+			final PackageManager pkgmanager = ctx.getPackageManager();
+			final List<ApplicationInfo> installed = pkgmanager.getInstalledApplications(0);
+			final HashMap<Integer, DroidApp> map = new HashMap<Integer, DroidApp>();
+			final Editor edit = prefs.edit();
+			boolean changed = false;
+			String name = null;
+			String cachekey = null;
+			DroidApp app = null;
+			for (final ApplicationInfo apinfo : installed) {
+				app = map.get(apinfo.uid);
+				// filter applications which are not allowed to access the Internet
+				if (app == null && PackageManager.PERMISSION_GRANTED != pkgmanager.checkPermission(Manifest.permission.INTERNET, apinfo.packageName)) {
+					continue;
+				}
+				// try to get the application label from our cache - getApplicationLabel() is horribly slow!!!!
+				cachekey = "cache.label."+apinfo.packageName;
+				name = prefs.getString(cachekey, "");
+				if (name.length() == 0) {
+					// get label and put on cache
+					name = pkgmanager.getApplicationLabel(apinfo).toString();
+					edit.putString(cachekey, name);
+					changed = true;
+				}
+				if (app == null) {
+					app = new DroidApp();
+					app.uid = apinfo.uid;
+					app.names = new String[] { name };
+					map.put(apinfo.uid, app);
+				} else {
+					final String newnames[] = new String[app.names.length + 1];
+					System.arraycopy(app.names, 0, newnames, 0, app.names.length);
+					newnames[app.names.length] = name;
+					app.names = newnames;
+				}
+				// check if this application is selected
+				if (!app.selected_wifi && Arrays.binarySearch(selected_wifi, app.uid) >= 0) {
+					app.selected_wifi = true;
+				}
+				if (!app.selected_3g && Arrays.binarySearch(selected_3g, app.uid) >= 0) {
+					app.selected_3g = true;
+				}
+			}
+			if (changed) {
+				edit.commit();
+			}
+			/* add special applications to the list */
+			final DroidApp special[] = {
+				new DroidApp(SPECIAL_UID_ANY,"(Any application) - Same as selecting all applications", false, false),
+				new DroidApp(SPECIAL_UID_KERNEL,"(Kernel) - Linux kernel", false, false),
+				new DroidApp(android.os.Process.getUidForName("root"), "(root) - Applications running as root", false, false),
+				new DroidApp(android.os.Process.getUidForName("media"), "Media server", false, false),
+				new DroidApp(android.os.Process.getUidForName("vpn"), "VPN networking", false, false),
+				new DroidApp(android.os.Process.getUidForName("shell"), "Linux shell", false, false),
+			};
+			for (int i=0; i<special.length; i++) {
+				app = special[i];
+				if (app.uid != -1 && !map.containsKey(app.uid)) {
+					// check if this application is allowed
+					if (Arrays.binarySearch(selected_wifi, app.uid) >= 0) {
+						app.selected_wifi = true;
+					}
+					if (Arrays.binarySearch(selected_3g, app.uid) >= 0) {
+						app.selected_3g = true;
+					}
+					map.put(app.uid, app);
+				}
+			}
+			applications = new DroidApp[map.size()];
+			int index = 0;
+			for (DroidApp application : map.values()) applications[index++] = application;
+			return applications;
+		} catch (Exception e) {
+			alert(ctx, "error: " + e);
+		}
+		return null;
+	}
+	/**
+	 * Check if we have root access
+	 * @param ctx mandatory context
+     * @param showErrors indicates if errors should be alerted
+	 * @return boolean true if we have root
+	 */
+	public static boolean hasRootAccess(Context ctx, boolean showErrors) {
+		if (hasroot) return true;
+		final StringBuilder res = new StringBuilder();
+		try {
+			// Run an empty script just to check root access
+			if (runScriptAsRoot(ctx, "exit 0", res) == 0) {
+				hasroot = true;
+				return true;
+			}
+		} catch (Exception e) {
+		}
+		if (showErrors) {
+			alert(ctx, "Could not acquire root access.\n" +
+				"You need a rooted phone to run DroidWall.\n\n" +
+				"If this phone is already rooted, please make sure DroidWall has enough permissions to execute the \"su\" command.\n" +
+				"Error message: " + res.toString());
+		}
+		return false;
+	}
+    /**
+     * Runs a script, wither as root or as a regular user (multiple commands separated by "\n").
+	 * @param ctx mandatory context
+     * @param script the script to be executed
+     * @param res the script output response (stdout + stderr)
+     * @param timeout timeout in milliseconds (-1 for none)
+     * @return the script exit code
+     */
+	public static int runScript(Context ctx, String script, StringBuilder res, long timeout, boolean asroot) {
+		final File file = new File(ctx.getDir("bin",0), SCRIPT_FILE);
+		final ScriptRunner runner = new ScriptRunner(file, script, res, asroot);
+		runner.start();
+		try {
+			if (timeout > 0) {
+				runner.join(timeout);
+			} else {
+				runner.join();
+			}
+			if (runner.isAlive()) {
+				// Timed-out
+				runner.interrupt();
+				runner.join(150);
+				runner.destroy();
+				runner.join(50);
+			}
+		} catch (InterruptedException ex) {}
+		return runner.exitcode;
+	}
+    /**
+     * Runs a script as root (multiple commands separated by "\n").
+	 * @param ctx mandatory context
+     * @param script the script to be executed
+     * @param res the script output response (stdout + stderr)
+     * @param timeout timeout in milliseconds (-1 for none)
+     * @return the script exit code
+     */
+	public static int runScriptAsRoot(Context ctx, String script, StringBuilder res, long timeout) {
+		return runScript(ctx, script, res, timeout, true);
+    }
+    /**
+     * Runs a script as root (multiple commands separated by "\n") with a default timeout of 20 seconds.
+	 * @param ctx mandatory context
+     * @param script the script to be executed
+     * @param res the script output response (stdout + stderr)
+     * @param timeout timeout in milliseconds (-1 for none)
+     * @return the script exit code
+     * @throws IOException on any error executing the script, or writing it to disk
+     */
+	public static int runScriptAsRoot(Context ctx, String script, StringBuilder res) throws IOException {
+		return runScriptAsRoot(ctx, script, res, 40000);
+	}
+    /**
+     * Runs a script as a regular user (multiple commands separated by "\n") with a default timeout of 20 seconds.
+	 * @param ctx mandatory context
+     * @param script the script to be executed
+     * @param res the script output response (stdout + stderr)
+     * @param timeout timeout in milliseconds (-1 for none)
+     * @return the script exit code
+     * @throws IOException on any error executing the script, or writing it to disk
+     */
+	public static int runScript(Context ctx, String script, StringBuilder res) throws IOException {
+		return runScript(ctx, script, res, 40000, false);
+	}
+	/**
+	 * Asserts that the binary files are installed in the cache directory.
+	 * @param ctx context
+     * @param showErrors indicates if errors should be alerted
+	 * @return false if the binary files could not be installed
+	 */
+	public static boolean assertBinaries(Context ctx, boolean showErrors) {
+		boolean changed = false;
+		try {
+			// Check iptables_g1
+			File file = new File(ctx.getDir("bin",0), "iptables_g1");
+			if ((!file.exists()) && isARMv6()) {
+				copyRawFile(ctx, R.raw.iptables_g1, file, "755");
+				changed = true;
+			}
+			// Check iptables_n1
+			file = new File(ctx.getDir("bin",0), "iptables_n1");
+			if ((!file.exists()) && (!isARMv6())) {
+				copyRawFile(ctx, R.raw.iptables_n1, file, "755");
+				changed = true;
+			}
+			// Check busybox
+			file = new File(ctx.getDir("bin",0), "busybox_g1");
+			if (!file.exists()) {
+				copyRawFile(ctx, R.raw.busybox_g1, file, "755");
+				changed = true;
+			}
+			if (changed) {
+				Toast.makeText(ctx, R.string.status_install_success, Toast.LENGTH_LONG).show();
+			}
+		} catch (Exception e) {
+			if (showErrors) alert(ctx, "Error installing binary files: " + e);
+			return false;
+		}
+		return true;
+	}
+	/**
+	 * Check if the firewall is enabled
+	 * @param ctx mandatory context
+	 * @return boolean
+	 */
+	public static boolean isEnabled(Context ctx) {
+		if (ctx == null) return false;
+		return ctx.getSharedPreferences(PREFS_NAME, 0).getBoolean(PREF_ENABLED, false);
+	}
+	
+	/**
+	 * Defines if the firewall is enabled and broadcasts the new status
+	 * @param ctx mandatory context
+	 * @param enabled enabled flag
+	 */
+	public static void setEnabled(Context ctx, boolean enabled) {
+		if (ctx == null) return;
+		final SharedPreferences prefs = ctx.getSharedPreferences(PREFS_NAME, 0);
+		if (prefs.getBoolean(PREF_ENABLED, false) == enabled) {
+			return;
+		}
+		final Editor edit = prefs.edit();
+		edit.putBoolean(PREF_ENABLED, enabled);
+		if (!edit.commit()) {
+			alert(ctx, "Error writing to preferences");
+			return;
+		}
+		/* notify */
+		final Intent message = new Intent(Api.STATUS_CHANGED_MSG);
+        message.putExtra(Api.STATUS_EXTRA, enabled);
+        ctx.sendBroadcast(message);
+	}
+	/**
+	 * Called when an application in removed (un-installed) from the system.
+	 * This will look for that application in the selected list and update the persisted values if necessary
+	 * @param ctx mandatory app context
+	 * @param uid UID of the application that has been removed
+	 */
+	public static void applicationRemoved(Context ctx, int uid) {
+		final SharedPreferences prefs = ctx.getSharedPreferences(PREFS_NAME, 0);
+		final Editor editor = prefs.edit();
+		// allowed application names separated by pipe '|' (persisted)
+		final String savedUids_wifi = prefs.getString(PREF_WIFI_UIDS, "");
+		final String savedUids_3g = prefs.getString(PREF_3G_UIDS, "");
+		final String uid_str = uid + "";
+		boolean changed = false;
+		// look for the removed application in the "wi-fi" list
+		if (savedUids_wifi.length() > 0) {
+			final StringBuilder newuids = new StringBuilder();
+			final StringTokenizer tok = new StringTokenizer(savedUids_wifi, "|");
+			while (tok.hasMoreTokens()) {
+				final String token = tok.nextToken();
+				if (uid_str.equals(token)) {
+					Log.d("DroidWall", "Removing UID " + token + " from the wi-fi list (package removed)!");
+					changed = true;
+				} else {
+					if (newuids.length() > 0) newuids.append('|');
+					newuids.append(token);
+				}
+			}
+			if (changed) {
+				editor.putString(PREF_WIFI_UIDS, newuids.toString());
+			}
+		}
+		// look for the removed application in the "3g" list
+		if (savedUids_3g.length() > 0) {
+			final StringBuilder newuids = new StringBuilder();
+			final StringTokenizer tok = new StringTokenizer(savedUids_3g, "|");
+			while (tok.hasMoreTokens()) {
+				final String token = tok.nextToken();
+				if (uid_str.equals(token)) {
+					Log.d("DroidWall", "Removing UID " + token + " from the 3G list (package removed)!");
+					changed = true;
+				} else {
+					if (newuids.length() > 0) newuids.append('|');
+					newuids.append(token);
+				}
+			}
+			if (changed) {
+				editor.putString(PREF_3G_UIDS, newuids.toString());
+			}
+		}
+		// if anything has changed, save the new prefs...
+		if (changed) {
+			editor.commit();
+			if (isEnabled(ctx)) {
+				// .. and also re-apply the rules if the firewall is enabled
+				applySavedIptablesRules(ctx, false);
+			}
+		}
+	}
+
+    /**
+     * Small structure to hold an application info
+     */
+	public static final class DroidApp {
+		/** linux user id */
+    	int uid;
+    	/** application names belonging to this user id */
+    	String names[];
+    	/** indicates if this application is selected for wifi */
+    	boolean selected_wifi;
+    	/** indicates if this application is selected for 3g */
+    	boolean selected_3g;
+    	/** toString cache */
+    	String tostr;
+    	
+    	public DroidApp() {
+    	}
+    	public DroidApp(int uid, String name, boolean selected_wifi, boolean selected_3g) {
+    		this.uid = uid;
+    		this.names = new String[] {name};
+    		this.selected_wifi = selected_wifi;
+    		this.selected_3g = selected_3g;
+    	}
+    	/**
+    	 * Screen representation of this application
+    	 */
+    	@Override
+    	public String toString() {
+    		if (tostr == null) {
+        		final StringBuilder s = new StringBuilder();
+        		if (uid > 0) s.append(uid + ": ");
+        		for (int i=0; i<names.length; i++) {
+        			if (i != 0) s.append(", ");
+        			s.append(names[i]);
+        		}
+        		s.append("\n");
+        		tostr = s.toString();
+    		}
+    		return tostr;
+    	}
+    }
+    /**
+     * Small internal structure used to hold log information
+     */
+	private static final class LogInfo {
+		private int totalBlocked; // Total number of packets blocked
+		private HashMap<String, Integer> dstBlocked; // Number of packets blocked per destination IP address
+		private LogInfo() {
+			this.dstBlocked = new HashMap<String, Integer>();
+		}
+	}
+	/**
+	 * Internal thread used to execute scripts (as root or not).
+	 */
+	private static final class ScriptRunner extends Thread {
+		private final File file;
+		private final String script;
+		private final StringBuilder res;
+		private final boolean asroot;
+		public int exitcode = -1;
+		private Process exec;
+		
+		/**
+		 * Creates a new script runner.
+		 * @param file temporary script file
+		 * @param script script to run
+		 * @param res response output
+		 * @param asroot if true, executes the script as root
+		 */
+		public ScriptRunner(File file, String script, StringBuilder res, boolean asroot) {
+			this.file = file;
+			this.script = script;
+			this.res = res;
+			this.asroot = asroot;
+		}
+		@Override
+		public void run() {
+			try {
+				file.createNewFile();
+				final String abspath = file.getAbsolutePath();
+				// make sure we have execution permission on the script file
+				Runtime.getRuntime().exec("chmod 777 "+abspath).waitFor();
+				// Write the script to be executed
+				final OutputStreamWriter out = new OutputStreamWriter(new FileOutputStream(file));
+				if (new File("/system/bin/sh").exists()) {
+					out.write("#!/system/bin/sh\n");
+				}
+				out.write(script);
+				if (!script.endsWith("\n")) out.write("\n");
+				out.write("exit\n");
+				out.flush();
+				out.close();
+				if (this.asroot) {
+					// Create the "su" request to run the script
+					exec = Runtime.getRuntime().exec("su -c "+abspath);
+				} else {
+					// Create the "sh" request to run the script
+					exec = Runtime.getRuntime().exec("sh "+abspath);
+				}
+				InputStreamReader r = new InputStreamReader(exec.getInputStream());
+				final char buf[] = new char[1024];
+				int read = 0;
+				// Consume the "stdout"
+				while ((read=r.read(buf)) != -1) {
+					if (res != null) res.append(buf, 0, read);
+				}
+				// Consume the "stderr"
+				r = new InputStreamReader(exec.getErrorStream());
+				read=0;
+				while ((read=r.read(buf)) != -1) {
+					if (res != null) res.append(buf, 0, read);
+				}
+				// get the process exit code
+				if (exec != null) this.exitcode = exec.waitFor();
+			} catch (InterruptedException ex) {
+				if (res != null) res.append("\nOperation timed-out");
+			} catch (Exception ex) {
+				if (res != null) res.append("\n" + ex);
+			} finally {
+				destroy();
+			}
+		}
+		/**
+		 * Destroy this script runner
+		 */
+		public synchronized void destroy() {
+			if (exec != null) exec.destroy();
+			exec = null;
+		}
+	}
+}

    

Nathan Freitas

tags

participants (1)