Android Q 关闭没有用到的网络端口
客户要求:为了防止设备被网络攻击,设备在出厂时需要关闭没有用的网络端口
这个需求比较奇怪。咨询客户能否提供需要打开的网络端口列表,客户也无法提供。最后通过 iptables 指令按照如下思路进行操作
添加iptable.sh脚本,开机之后执行指定的路由策略
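# 1) Default policies in the filter table: anything on INPUT, OUTPUT or
#    FORWARD that no rule below explicitly accepts is dropped.
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P INPUT DROP

# 2) Stateful replies. Accept packets that belong to, or are related to,
#    connections the device itself opened. The OUTPUT rule is required:
#    the accepts in step 3 match NEW packets only, so without it the first
#    packet of a connection would leave and every later packet of the same
#    connection would hit the OUTPUT DROP policy.
iptables -t filter -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 3) Protocols/ports the device may originate traffic to.
#    NOTE(review): NTP/SNTP normally uses UDP 123 and DHCP uses UDP 67/68;
#    TCP 123 and TCP 580 look unusual - confirm against the requirement.
iptables -t filter -I OUTPUT -p tcp -m state --state NEW --dport 49151:65535 -j ACCEPT
iptables -t filter -I OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
iptables -t filter -I OUTPUT -p tcp -m state --state NEW --dport 123 -j ACCEPT
iptables -t filter -I OUTPUT -p tcp -m state --state NEW --dport 580 -j ACCEPT
iptables -t filter -I OUTPUT -p udp --dport 53 -j ACCEPT
# DNS replies are already admitted by the ESTABLISHED,RELATED rule in step 2.
# The unconditional "-I INPUT -p udp --sport 53 -j ACCEPT" is intentionally
# omitted: it let any inbound UDP datagram sourced from port 53 reach any
# local UDP port, bypassing the INPUT DROP policy.
iptables -t filter -I OUTPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -t filter -I INPUT -p icmp --icmp-type 0 -j ACCEPT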
文件路径
android/system/sepolicy/prebuilts/api/29.0/private/bpfloader.te
android/system/sepolicy/private/bpfloader.te
diff --git a/prebuilts/api/29.0/private/bpfloader.te b/prebuilts/api/29.0/private/bpfloader.te
index 00d4c79..4c8dfff 100644
--- a/prebuilts/api/29.0/private/bpfloader.te
+++ b/prebuilts/api/29.0/private/bpfloader.te
@@ -13,16 +13,21 @@ allow bpfloader devpts:chr_file {
read write };
allow bpfloader self:bpf {
prog_load prog_run map_read map_write map_create };
allow bpfloader self:global_capability_class_set sys_admin;
-
+allow bpfloader shell_exec:file {
read execute getattr execute_no_trans };
+allow bpfloader self:capability {
net_admin net_raw };
+allow bpfloader system_file:file {
execute execute_no_trans lock };
+allow bpfloader self:{
rawip_socket tcp_socket udp_socket } {
create getattr getopt setopt };
+allow bpfloader usermodehelper:file {
read open };
+allow bpfloader proc_net:file {
getattr setattr };
###
### Neverallow rules
###
neverallow {
domain -bpfloader } *:bpf {
map_create prog_load };
neverallow {
domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
neverallow {
domain -bpfloader -init } bpfloader_exec:file {
execute execute_no_trans };
-neverallow bpfloader domain:{
tcp_socket udp_socket rawip_socket } *;
+#neverallow bpfloader domain:{
tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
-neverallow {
domain -system_server -netd -bpfloader} *:bpf {
map_read map_write };
+neverallow {
domain -system_server -netd -bpfloader } *:bpf {
map_read map_write };
# No domain should be allowed to ptrace bpfloader
neverallow {
domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
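Review bot: Commenting out `neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;` and adding `net_admin net_raw` plus execute on shell_exec and system_file widens the bpfloader domain far beyond loading BPF programs, solely so that iptables_kirin.sh (labelled bpfloader_exec in the file_contexts hunk further down) can run under it. The identical edits appear in the private/bpfloader.te hunk that follows this one. A dedicated domain for the script (its own .te declared with `init_daemon_domain`, its own exec label in file_contexts, and only the socket/capability rules the iptables binary needs) would keep the upstream neverallow intact and stop a compromise of the firewall script from inheriting bpfloader's map_create/prog_load privileges. prebuilts/api/29.0 mirrors the frozen platform policy, so editing it in lockstep presumably silences the policy-consistency check rather than satisfying it; confirm that is intended.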
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 00d4c79..4c8dfff 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -13,16 +13,21 @@ allow bpfloader devpts:chr_file {
read write };
allow bpfloader self:bpf {
prog_load prog_run map_read map_write map_create };
allow bpfloader self:global_capability_class_set sys_admin;
-
+allow bpfloader shell_exec:file {
read execute getattr execute_no_trans };
+allow bpfloader self:capability {
net_admin net_raw };
+allow bpfloader system_file:file {
execute execute_no_trans lock };
+allow bpfloader self:{
rawip_socket tcp_socket udp_socket } {
create getattr getopt setopt };
+allow bpfloader usermodehelper:file {
read open };
+allow bpfloader proc_net:file {
getattr setattr };
###
### Neverallow rules
###
neverallow {
domain -bpfloader } *:bpf {
map_create prog_load };
neverallow {
domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
neverallow {
domain -bpfloader -init } bpfloader_exec:file {
execute execute_no_trans };
-neverallow bpfloader domain:{
tcp_socket udp_socket rawip_socket } *;
+#neverallow bpfloader domain:{
tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
-neverallow {
domain -system_server -netd -bpfloader} *:bpf {
map_read map_write };
+neverallow {
domain -system_server -netd -bpfloader } *:bpf {
map_read map_write };
# No domain should be allowed to ptrace bpfloader
neverallow {
domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
android/device/qcom/sepolicy/private/file_contexts
diff --git a/private/file_contexts b/private/file_contexts
index 5fe111a..ef9195d 100755
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -64,3 +64,5 @@
/data/misc/mirrorlinkserver(/.*)? u:object_r:mirrorlink_data_file:s0
#added by caigaopeng for dxdlog
/system/bin/dxd_log.sh u:object_r:dumpstate_exec:s0
+#added by hhuiming for udp/tcp
+/system/bin/iptables_kirin.sh u:object_r:bpfloader_exec:s0
android/device/qcom/common/rootdir/Android.mk
android/device/qcom/common/rootdir/etc/iptables_kirin.sh
diff --git a/rootdir/Android.mk b/rootdir/Android.mk
index 11082eb..53a95e8 100755
--- a/rootdir/Android.mk
+++ b/rootdir/Android.mk
@@ -361,3 +361,11 @@ LOCAL_MODULE_CLASS := ETC
LOCAL_SRC_FILES := etc/default_dmc.cfg
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR_ETC)/init
include $(BUILD_PREBUILT)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := iptables_kirin.sh
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_CLASS := ETC
+LOCAL_SRC_FILES := etc/iptables_kirin.sh
+LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)
+include $(BUILD_PREBUILT)
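Review bot: `LOCAL_MODULE_CLASS := ETC` combined with `LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)` installs the script as plain data; the new file is committed with mode 100644 and, as far as I know, the ETC prebuilt path does not add an execute bit, so `service iptables_kirin /system/bin/iptables_kirin.sh start` in init.target.rc is likely to fail to exec. Either declare the module with `LOCAL_MODULE_CLASS := EXECUTABLES` (dropping the explicit LOCAL_MODULE_PATH), or have the service run it through `/system/bin/sh`. Check how qxdm_log.sh, which sits in the same PRODUCT_PACKAGES list, is declared and match that.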
diff --git a/rootdir/etc/iptables_kirin.sh b/rootdir/etc/iptables_kirin.sh
new file mode 100644
index 0000000..226405c
--- /dev/null
+++ b/rootdir/etc/iptables_kirin.sh
@@ -0,0 +1,25 @@
+#!/system/bin/sh
+case "$1" in
+ start)
+ echo "Step 1 : Drop all packets from the FORWARD and INPUT "
+ iptables -t filter -P FORWARD DROP
+ iptables -t filter -P INPUT DROP
+ echo "Step 2 : OUTPUT response packets are displayed"
+ iptables -t filter -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ echo "Step 3 : Enable 49151~65535 Port"
+ iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 49151:65535 -j ACCEPT
+ echo "Step 4 : Enable ssh, SNTP, DNS, DHCP Port"
+ iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+ iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
+ iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 580 -j ACCEPT
+ iptables -t filter -I OUTPUT -p udp --dport 53 -j ACCEPT
+ iptables -t filter -I INPUT -p udp --sport 53 -j ACCEPT
+ echo "Step 5 : Enable ping command"
+ iptables -t filter -I OUTPUT -p icmp --icmp-type 8 -j ACCEPT
+ iptables -t filter -I INPUT -p icmp --icmp-type 0 -j ACCEPT
+ iptables -t filter -I INPUT -p udp --sport 5353 -j DROP
+ iptables -t filter -I INPUT -p udp --dport 5353 -j DROP
+ ;;
+ *)
+ ;;
+esac
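Review bot: `iptables -t filter -I INPUT -p udp --sport 53 -j ACCEPT` in Step 4 admits any inbound UDP datagram whose source port is 53, regardless of destination port or connection state, so it bypasses the INPUT DROP policy for every UDP service on the device; the ESTABLISHED,RELATED rule in Step 2 already admits genuine DNS replies, so the line should go (the same applies to the unconditional echo-reply accept in Step 5). Only IPv4 is configured: ip6tables keeps its default ACCEPT policies, so on an IPv6-capable network every port stays reachable and the stated goal is not met; mirroring the INPUT/FORWARD policies and the stateful rule with ip6tables, plus accepting the ICMPv6 neighbour-discovery types the stack needs, closes that. The OUTPUT rules in Steps 3–5 are no-ops as written because the OUTPUT policy is never changed from its default ACCEPT (the prose above sets it to DROP, the script does not), so either set the policy or remove the rules so the allow-list is not misleading. Running `start` twice inserts duplicate rules; flushing the built-in chains before inserting would make the script idempotent.
```shell
 start)
   echo "Step 1 : Drop all packets from the FORWARD and INPUT "
   iptables -t filter -P FORWARD DROP
   iptables -t filter -P INPUT DROP
   ip6tables -t filter -P FORWARD DROP
   ip6tables -t filter -P INPUT DROP
   echo "Step 2 : accept replies to traffic the device originated"
   iptables -t filter -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   ip6tables -t filter -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   # IPv6 needs router advertisement and neighbour discovery to function at all
   ip6tables -t filter -I INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
   ip6tables -t filter -I INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
   ip6tables -t filter -I INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
   # ... unchanged: Step 3/4 OUTPUT accepts for tcp 22/123/580/49151:65535 and udp 53 ...
   # removed: "-I INPUT -p udp --sport 53 -j ACCEPT" - conntrack already admits DNS replies
   # ... unchanged: Step 5 ICMP echo-request accept and the two mDNS (5353) drops ...
```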
android/device/qcom/msm8937_64/init.target.rc
android/device/qcom/msm8937_64/msm8937_64.mk
diff --git a/init.target.rc b/init.target.rc
index a1ae529..e838a65 100755
--- a/init.target.rc
+++ b/init.target.rc
@@ -113,6 +113,14 @@ service qrngp /system/bin/qrngp -f
on property:sys.boot_completed=1
start qrngp
+ start iptables_kirin
+
+service iptables_kirin /system/bin/iptables_kirin.sh start
+ class late_start
+ user root
+ group root
+ disabled
+ oneshot
service vendor.qseecomd /vendor/bin/qseecomd
class core
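Review bot: The service is only started from `on property:sys.boot_completed=1`, and connectivity is normally up well before that property is set, so everything between network attach and boot completion runs under the default ACCEPT policy — the window a factory-hardening requirement is meant to close. Starting it from an earlier trigger, once /system is available and before the network comes up, narrows that, but the ordering relative to netd's own iptables initialisation needs checking so the two do not clobber each other. `user root` / `group root` is broader than the NET_ADMIN/NET_RAW the iptables binary needs; init's `capabilities NET_ADMIN NET_RAW` keyword, together with a dedicated SELinux domain, would narrow it. The enclosing `on property` block continues outside the hunk.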
diff --git a/msm8937_64.mk b/msm8937_64.mk
index dd54b88..ec99e83 100755
--- a/msm8937_64.mk
+++ b/msm8937_64.mk
@@ -538,7 +538,8 @@ PRODUCT_PACKAGES += \
qxdm_log.sh \
tcpdump \
default_dmc.cfg
-
+#added by hhuiming for udp/tcp port
+PRODUCT_PACKAGES += iptables_kirin.sh
###################################################################################
# This is the End of target.mk file.