Android Q cierra los puertos de red no utilizados

Android Q cierra los puertos de red no utilizados

Requisitos del cliente: para evitar que el dispositivo sea atacado a través de la red, debe salir de fábrica con los puertos de red que no se utilizan cerrados.

Este requisito es bastante extraño. Se le pidió al cliente una lista de los puertos de red que deben permanecer abiertos, pero no pudo proporcionarla. Finalmente se optó por usar el comando iptables siguiendo las ideas que se describen a continuación.

Agregue el script iptable.sh para aplicar, después del arranque, la política de filtrado de paquetes (iptables) indicada a continuación.

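# 1) Default-deny: set the policy of the three filter-table chains to DROP, so any
#    packet on INPUT, OUTPUT or FORWARD that no rule below accepts is dropped.
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P INPUT DROP
# 2) Let replies flow: on INPUT accept only packets that belong (or relate) to a
#    connection the device itself opened. The same rule is required on OUTPUT:
#    the "--state NEW" rules in step 3 match only the first packet of a
#    connection, so without it every later packet of an accepted outbound
#    connection would hit the OUTPUT DROP policy and the connection would stall
#    right after the handshake.
iptables -t filter -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3) Explicit ACCEPT rules for the protocols and ports that must stay usable.
#    "-I" inserts at the head of the chain; since every rule below is an ACCEPT,
#    the resulting evaluation order does not matter.
#    Outbound TCP: the 49151-65535 range and ports 22, 123 and 580.
iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 49151:65535 -j ACCEPT
iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 580 -j ACCEPT
#    Outbound DNS queries. The replies are admitted by the ESTABLISHED,RELATED
#    rule of step 2, so no unconditional "--sport 53" ACCEPT on INPUT is needed;
#    such a rule would accept any unsolicited datagram sent from source port 53
#    to any UDP port on the device.
iptables -t filter -I OUTPUT -p udp --dport 53 -j ACCEPT
#    Outbound ping (echo request) and the matching echo replies.
iptables -t filter -I OUTPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -t filter -I INPUT -p icmp --icmp-type 0 -j ACCEPT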

Ruta del archivo
android/system/sepolicy/prebuilts/api/29.0/private/bpfloader.te
android/system/sepolicy/private/bpfloader.te

diff --git a/prebuilts/api/29.0/private/bpfloader.te b/prebuilts/api/29.0/private/bpfloader.te
index 00d4c79..4c8dfff 100644
--- a/prebuilts/api/29.0/private/bpfloader.te
+++ b/prebuilts/api/29.0/private/bpfloader.te
@@ -13,16 +13,21 @@ allow bpfloader devpts:chr_file {
    
     read write };
 allow bpfloader self:bpf {
    
     prog_load prog_run map_read map_write map_create };
 
 allow bpfloader self:global_capability_class_set sys_admin;
-
+allow bpfloader shell_exec:file {
    
     read execute getattr execute_no_trans };
+allow bpfloader self:capability {
    
     net_admin net_raw };
+allow bpfloader system_file:file {
    
     execute execute_no_trans lock };
+allow bpfloader self:{
    
     rawip_socket tcp_socket udp_socket } {
    
     create getattr getopt setopt };
+allow bpfloader usermodehelper:file {
    
     read open };
+allow bpfloader proc_net:file {
    
     getattr setattr };
 ###
 ### Neverallow rules
 ###
 neverallow {
    
     domain -bpfloader } *:bpf {
    
     map_create prog_load };
 neverallow {
    
     domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
 neverallow {
    
     domain -bpfloader -init } bpfloader_exec:file {
    
     execute execute_no_trans };
-neverallow bpfloader domain:{
    
     tcp_socket udp_socket rawip_socket } *;
+#neverallow bpfloader domain:{
    
     tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
-neverallow {
    
     domain -system_server -netd -bpfloader} *:bpf {
    
     map_read map_write };
+neverallow {
    
     domain -system_server -netd -bpfloader } *:bpf {
    
     map_read map_write };
 
 # No domain should be allowed to ptrace bpfloader
 neverallow {
    
     domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
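Review bot: Commenting out `neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;` while granting bpfloader `capability { net_admin net_raw }`, `shell_exec:file { read execute getattr execute_no_trans }` and socket creation turns the privileged BPF loader into a general-purpose root networking domain, which is the opposite of the hardening this page sets out to achieve; the identical edits are repeated in the second hunk (private/bpfloader.te). bpfloader is the only domain allowed `*:bpf { map_create prog_load }`, so any mistake in the shell script now runs with that privilege as well. A dedicated domain for the script (its own `.te` with a new exec type, `init_daemon_domain`, and only `net_admin`/`net_raw` plus execute rights on the tools it calls) keeps the two sandboxes apart and leaves the AOSP neverallow intact. Note also that the neverallow is removed in the frozen prebuilts/api/29.0 copy, so the policy now diverges from the published Q API; this is worth confirming against the sepolicy compatibility checks before shipping.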
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 00d4c79..4c8dfff 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -13,16 +13,21 @@ allow bpfloader devpts:chr_file {
    
     read write };
 allow bpfloader self:bpf {
    
     prog_load prog_run map_read map_write map_create };
 
 allow bpfloader self:global_capability_class_set sys_admin;
-
+allow bpfloader shell_exec:file {
    
     read execute getattr execute_no_trans };
+allow bpfloader self:capability {
    
     net_admin net_raw };
+allow bpfloader system_file:file {
    
     execute execute_no_trans lock };
+allow bpfloader self:{
    
     rawip_socket tcp_socket udp_socket } {
    
     create getattr getopt setopt };
+allow bpfloader usermodehelper:file {
    
     read open };
+allow bpfloader proc_net:file {
    
     getattr setattr };
 ###
 ### Neverallow rules
 ###
 neverallow {
    
     domain -bpfloader } *:bpf {
    
     map_create prog_load };
 neverallow {
    
     domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
 neverallow {
    
     domain -bpfloader -init } bpfloader_exec:file {
    
     execute execute_no_trans };
-neverallow bpfloader domain:{
    
     tcp_socket udp_socket rawip_socket } *;
+#neverallow bpfloader domain:{
    
     tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
-neverallow {
    
     domain -system_server -netd -bpfloader} *:bpf {
    
     map_read map_write };
+neverallow {
    
     domain -system_server -netd -bpfloader } *:bpf {
    
     map_read map_write };
 
 # No domain should be allowed to ptrace bpfloader
 neverallow {
    
     domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;

android/device/qcom/sepolicy/private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 5fe111a..ef9195d 100755
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -64,3 +64,5 @@
 /data/misc/mirrorlinkserver(/.*)?               u:object_r:mirrorlink_data_file:s0
 #added by caigaopeng for dxdlog
 /system/bin/dxd_log.sh                          u:object_r:dumpstate_exec:s0
+#added by hhuiming for udp/tcp
+/system/bin/iptables_kirin.sh                          u:object_r:bpfloader_exec:s0
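Review bot: Labelling the script `bpfloader_exec` makes init run it in the bpfloader domain, so the script inherits every permission of the BPF loader and the loader inherits every rule added for the script; a dedicated exec type (with its own domain defined in a separate `.te`) would keep them apart. The added comment only records the author, whereas something like `# iptables_kirin.sh applies the boot-time firewall policy (see init.target.rc); the label selects its SELinux domain` tells the next reader why the line matters. The label column is also misaligned with the lines above it.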

android/device/qcom/common/rootdir/Android.mk
android/device/qcom/common/rootdir/etc/iptables_kirin.sh

diff --git a/rootdir/Android.mk b/rootdir/Android.mk
index 11082eb..53a95e8 100755
--- a/rootdir/Android.mk
+++ b/rootdir/Android.mk
@@ -361,3 +361,11 @@ LOCAL_MODULE_CLASS := ETC
 LOCAL_SRC_FILES    := etc/default_dmc.cfg
 LOCAL_MODULE_PATH  := $(TARGET_OUT_VENDOR_ETC)/init
 include $(BUILD_PREBUILT)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE       := iptables_kirin.sh
+LOCAL_MODULE_TAGS  := optional
+LOCAL_MODULE_CLASS := ETC
+LOCAL_SRC_FILES    := etc/iptables_kirin.sh
+LOCAL_MODULE_PATH  := $(TARGET_OUT_EXECUTABLES)
+include $(BUILD_PREBUILT)
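Review bot: `LOCAL_MODULE_CLASS := ETC` combined with `LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)` is an unusual pairing: as far as I know the prebuilt rules only add the execute bit for `EXECUTABLES`/`NATIVE_TESTS` classes, and the script is committed with mode 100644 (see the `new file mode` line of the next diff), so the installed `/system/bin/iptables_kirin.sh` may not be executable by init; worth verifying on a built image. `LOCAL_MODULE_CLASS := EXECUTABLES` (dropping the explicit LOCAL_MODULE_PATH) is the conventional way to install a script into /system/bin. Since this is a device-specific addition, installing it under the vendor partition would also avoid tying the system image to one device's firewall script, though that depends on how this tree handles the system/vendor split.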
diff --git a/rootdir/etc/iptables_kirin.sh b/rootdir/etc/iptables_kirin.sh
new file mode 100644
index 0000000..226405c
--- /dev/null
+++ b/rootdir/etc/iptables_kirin.sh
@@ -0,0 +1,25 @@
+#!/system/bin/sh
+case "$1" in
+    start)
+        echo "Step 1 : Drop all packets from the FORWARD and INPUT "
+        iptables -t filter -P FORWARD DROP
+        iptables -t filter -P INPUT DROP
+        echo "Step 2 : OUTPUT response packets are displayed"
+        iptables -t filter -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+        echo "Step 3 : Enable 49151~65535 Port"
+        iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 49151:65535 -j ACCEPT
+        echo "Step 4 : Enable ssh, SNTP, DNS, DHCP Port"
+        iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+        iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
+        iptables -t filter -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 580 -j ACCEPT
+        iptables -t filter -I OUTPUT -p udp --dport 53 -j ACCEPT
+        iptables -t filter -I INPUT -p udp --sport 53 -j ACCEPT
+        echo "Step 5 : Enable ping command"
+        iptables -t filter -I OUTPUT -p icmp --icmp-type 8 -j ACCEPT
+        iptables -t filter -I INPUT -p icmp --icmp-type 0 -j ACCEPT
+        iptables -t filter -I INPUT -p udp --sport 5353 -j DROP
+        iptables -t filter -I INPUT -p udp --dport 5353 -j DROP
+        ;;
+    *)
+        ;;
+esac
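Review bot: `iptables -t filter -I INPUT -p udp --sport 53 -j ACCEPT` admits any unsolicited IPv4 datagram that merely carries source port 53, reaching every UDP listener on the device despite the INPUT DROP policy; the `ESTABLISHED,RELATED` rule in step 2 already lets genuine DNS replies through (and echo replies for the ICMP type-0 rule), so the sport-53 line should be deleted. The script also configures only IPv4: nothing is done with `ip6tables`, so the same ports stay reachable over IPv6 — at minimum `ip6tables -t filter -P INPUT DROP`, `ip6tables -t filter -P FORWARD DROP` and `ip6tables -t filter -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`, plus the ICMPv6 neighbour-discovery types IPv6 needs to function. Because the OUTPUT policy is never changed in this version, the OUTPUT rules are no-ops and the "Enable" messages overstate what they do; the Step 4 message names DHCP but no DHCP rule exists, so the echo lines should describe the rules actually present.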

android/device/qcom/msm8937_64/init.target.rc
android/device/qcom/msm8937_64/msm8937_64.mk

diff --git a/init.target.rc b/init.target.rc
index a1ae529..e838a65 100755
--- a/init.target.rc
+++ b/init.target.rc
@@ -113,6 +113,14 @@ service qrngp /system/bin/qrngp -f
 
 on property:sys.boot_completed=1
    start qrngp
+   start iptables_kirin
+
+service iptables_kirin /system/bin/iptables_kirin.sh start
+   class late_start
+   user root
+   group root
+   disabled
+   oneshot
 
 service vendor.qseecomd /vendor/bin/qseecomd
    class core
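Review bot: The service is started only on `sys.boot_completed=1`, so every port is reachable for the whole boot until that property is set; hooking the script earlier (for example from an `on boot` action, after netd has initialised the filter table) closes that window, and it is worth checking that netd does not later flush the chains this script populates. AOSP's netd also offers the `/system/bin/oem-iptables-init.sh` hook for exactly this purpose, which may avoid both the timing problem and the sepolicy changes elsewhere in this commit — worth evaluating. The service runs as `user root` with the full capability set; adding `capabilities NET_ADMIN NET_RAW` under the service limits the shell script to the two capabilities iptables needs. The enclosing `on property:sys.boot_completed=1` action and the qseecomd service continue outside the hunk.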
diff --git a/msm8937_64.mk b/msm8937_64.mk
index dd54b88..ec99e83 100755
--- a/msm8937_64.mk
+++ b/msm8937_64.mk
@@ -538,7 +538,8 @@ PRODUCT_PACKAGES += \
                     qxdm_log.sh \
                     tcpdump \
                     default_dmc.cfg
-
+#added by hhuiming for udp/tcp port
+PRODUCT_PACKAGES += iptables_kirin.sh
 ###################################################################################
 # This is the End of target.mk file.


Origin blog.csdn.net/weixin_45080805/article/details/120749501