[connman] D-Bus method to reload firewall configurations. JB#44071

This commit adds a D-Bus method "Reload" to net.connman.Firewall
interface using path "/". With this method call firewall.c is requested
to load all new configurations from CONFIGDIR/firewall.d/. Access to the
method is granted for root and privileged.

The config files must have a firewall.conf suffix and if the file is read
properly the rules will be taken into use immediatedly. This is done for
all connected services also, which get the new rules added into their
firewall and enabled in iptables. If a service is not connected
(firewall is not enabled) the rules are just added to the end.

No sorting of rules is done yet. The rules are read in firewall
configuration file order (alphabetical) only when connman is (re)started.

This also contains a change to read each firewall configuration file
into a sorted list. This list is first used to check if the
configuration file is already used or not. If configuration file is
already read, it will not be re-read.

connman/include/access.h

@@ -51,6 +51,8 @@ struct connman_access_tech_policy;
 struct connman_access_tech_policy_impl;
 struct connman_access_manager_policy;
 struct connman_access_manager_policy_impl;
+struct connman_access_firewall_policy;
+struct connman_access_firewall_policy_impl;
 
 struct connman_access_driver {
 	const char *name;
@@ -90,6 +92,16 @@ struct connman_access_driver {
 		(const struct connman_access_tech_policy_impl *policy,
 			const char *name, const char *sender,
 			enum connman_access default_access);
+
+	/* Firewall */
+	struct connman_access_firewall_policy_impl *(*firewall_policy_create)
+		(const char *spec);
+	void (*firewall_policy_free)
+		(struct connman_access_firewall_policy_impl *policy);
+	enum connman_access (*firewall_manage)
+		(const struct connman_access_firewall_policy_impl *policy,
+			const char *name, const char *sender,
+			enum connman_access default_access);
 };
 
 int connman_access_driver_register(const struct connman_access_driver *d);

connman/include/dbus.h

@@ -48,6 +48,9 @@ extern "C" {
 #define CONNMAN_NOTIFICATION_INTERFACE	CONNMAN_SERVICE ".Notification"
 #define CONNMAN_PEER_INTERFACE		CONNMAN_SERVICE ".Peer"
 
+#define CONNMAN_FIREWALL_INTERFACE	CONNMAN_SERVICE ".Firewall"
+#define CONNMAN_FIREWALL_PATH		"/"
+
 #define CONNMAN_PRIVILEGE_MODIFY	1
 #define CONNMAN_PRIVILEGE_SECRET	2
 

connman/plugins/sailfish_access.c

@@ -42,10 +42,18 @@ struct connman_access_tech_policy_impl {
 	DAPolicy *impl;
 };
 
+struct connman_access_firewall_policy_impl {
+	DAPolicy *impl;
+};
+
 enum sailfish_tech_access_action {
 	TECH_ACCESS_SET_PROPERTY = 1
 };
 
+enum sailfish_firewall_access_action {
+	FIREWALL_ACCESS_RELOAD = 1
+};
+
 #define CONNMAN_BUS DA_BUS_SYSTEM
 #define DRIVER_NAME "sailfish"
 
@@ -113,6 +121,15 @@ static const DA_ACTION tech_policy_actions [] = {
         { NULL }
 };
 
+static const char *firewall_policy_default =
+	DA_POLICY_VERSION ";"
+	"Reload(*)=deny;"
+	"group(privileged)=allow";
+static const DA_ACTION firewall_policy_actions [] = {
+        { "Reload", FIREWALL_ACCESS_RELOAD, 1 },
+        { NULL }
+};
+
 static void sailfish_access_service_policy_free
 				(struct connman_access_service_policy_impl *p)
 {
@@ -306,6 +323,53 @@ static enum connman_access sailfish_access_tech_set_property
 		default_access) : CONNMAN_ACCESS_DENY;
 }
 
+static struct connman_access_firewall_policy_impl *
+		sailfish_access_firewall_policy_create(const char *spec)
+{
+	DAPolicy *impl;
+
+	if (!spec || !spec[0]) {
+		/* Empty policy = use default */
+		spec = firewall_policy_default;
+	}
+
+	/* Parse the policy string */
+	impl = da_policy_new_full(spec, firewall_policy_actions);
+	if (impl) {
+		/* String is usable */
+		struct connman_access_firewall_policy_impl *p =
+			g_slice_new0(
+				struct connman_access_firewall_policy_impl);
+
+		p->impl = impl;
+		return p;
+	} else {
+		DBG("invalid spec \"%s\"", spec);
+		return NULL;
+	}
+}
+
+static void sailfish_access_firewall_policy_free
+			(struct connman_access_firewall_policy_impl *p)
+{
+	da_policy_unref(p->impl);
+	g_slice_free(struct connman_access_firewall_policy_impl, p);
+}
+
+static enum connman_access sailfish_access_firewall_manage
+		(const struct connman_access_firewall_policy_impl *policy,
+			const char *name, const char *sender,
+			enum connman_access default_access)
+{
+	/* Don't unref this one: */
+	DAPeer* peer = da_peer_get(CONNMAN_BUS, sender);
+
+	/* Reject the access if the peer is gone */
+	return peer ? (enum connman_access)da_policy_check(policy->impl,
+		&peer->cred, FIREWALL_ACCESS_RELOAD, name,
+		(DA_ACCESS)default_access) : CONNMAN_ACCESS_DENY;
+}
+
 static const struct connman_access_driver sailfish_connman_access_driver = {
 	.name                   = DRIVER_NAME,
 	.default_service_policy = service_policy_default,
@@ -318,7 +382,10 @@ static const struct connman_access_driver sailfish_connman_access_driver = {
 	.manager_policy_check   = sailfish_access_manager_policy_check,
 	.tech_policy_create     = sailfish_access_tech_policy_create,
 	.tech_policy_free       = sailfish_access_tech_policy_free,
-	.tech_set_property      = sailfish_access_tech_set_property
+	.tech_set_property      = sailfish_access_tech_set_property,
+	.firewall_policy_create = sailfish_access_firewall_policy_create,
+	.firewall_policy_free   = sailfish_access_firewall_policy_free,
+	.firewall_manage        = sailfish_access_firewall_manage
 };
 
 static int sailfish_access_init()

connman/src/access.c

@@ -34,6 +34,11 @@ struct connman_access_tech_policy {
 	const struct connman_access_driver *driver;
 };
 
+struct connman_access_firewall_policy {
+	struct connman_access_firewall_policy_impl *impl;
+	const struct connman_access_driver *driver;
+};
+
 #define DRIVER_NAME_SEPARATOR     ':'
 #define DRIVER_NAME_SEPARATOR_STR ":"
 
@@ -333,6 +338,52 @@ enum connman_access __connman_access_tech_set_property
 	return default_access;
 }
 
+/* Firewall */
+struct connman_access_firewall_policy *__connman_access_firewall_policy_create
+							(const char *spec)
+{
+	struct connman_access_firewall_policy *p = NULL;
+	const struct connman_access_driver *driver =
+		access_get_driver(spec, &spec);
+
+	if (driver && driver->firewall_policy_create) {
+		struct connman_access_firewall_policy_impl *impl =
+			driver->firewall_policy_create(spec);
+
+		if (impl) {
+			p = g_slice_new(struct connman_access_firewall_policy);
+			p->impl = impl;
+			p->driver = driver;
+		}
+	}
+
+	return p;
+}
+
+void __connman_access_firewall_policy_free(
+			struct connman_access_firewall_policy *p)
+{
+	if (p) {
+		if (p->driver->firewall_policy_free)
+			p->driver->firewall_policy_free(p->impl);
+
+		g_slice_free(struct connman_access_firewall_policy, p);
+	}
+}
+
+
+enum connman_access __connman_access_firewall_manage
+			(const struct connman_access_firewall_policy *p,
+			const char *name, const char *sender,
+			enum connman_access default_access)
+{
+	if (p && p->driver->firewall_manage)
+		return p->driver->firewall_manage(p->impl, name, sender,
+							default_access);
+
+	return default_access;
+}
+
 /*
  * Local Variables:
  * mode: C

connman/src/connman.h

@@ -1154,6 +1154,15 @@ enum connman_access __connman_access_tech_set_property
 			const char *name, const char *sender,
 			enum connman_access default_access);
 
+struct connman_access_firewall_policy *__connman_access_firewall_policy_create
+		(const char *spec);
+void __connman_access_firewall_policy_free
+		(struct connman_access_firewall_policy *policy);
+enum connman_access __connman_access_firewall_manage
+		(const struct connman_access_firewall_policy *policy,
+			const char *name, const char *sender,
+			enum connman_access default_access);
+
 int __connman_util_get_random(uint64_t *val);
 unsigned int __connman_util_random_delay_ms(unsigned int secs);
 int __connman_util_init(void);