Implement firewall for Wrigley

Wrigley is not using any kind of authentication for connections to it,
so we must firewall it using iptables.  Leverage the OEM hooks in netd
for accomplishing this.

Also move the diagnostics port forwarding into here from
wrigley-diag.sh.

Bug: 5045218
Change-Id: I4482fb86bdaf6e333bb4cef4f4a9aaa803d06372

device.mk

@@ -17,6 +17,7 @@
 $(call inherit-product, device/moto/wingray/device_base.mk)
 
 PRODUCT_COPY_FILES += \
+    device/moto/stingray/oem-iptables-init.sh:system/bin/oem-iptables-init.sh \
     device/moto/stingray/ril/tty2ttyd:system/bin/tty2ttyd \
     device/moto/stingray/ril/base64:system/bin/base64 \
     device/moto/stingray/ril/libb64.so:system/lib/libb64.so \
@@ -41,6 +42,7 @@ PRODUCT_COPY_FILES += \
     device/moto/stingray/ril/mm-wrigley-qc-dump.sh:system/bin/mm-wrigley-qc-dump.sh \
     device/moto/stingray/ril/wrigley-dump.sh:system/bin/wrigley-dump.sh \
     device/moto/stingray/ril/wrigley-diag.sh:system/bin/wrigley-diag.sh \
+    device/moto/stingray/ril/wrigley-iptables.sh:system/bin/wrigley-iptables.sh \
     device/moto/stingray/ril/wrigley-fetch-mpr.sh:system/bin/wrigley-fetch-mpr.sh
 ifneq ($(TARGET_BUILD_VARIANT),user)
 PRODUCT_COPY_FILES += \
@@ -71,6 +73,7 @@ PRODUCT_PACKAGES += \
     mm-wrigley-qc-dump \
     wrigley-dump \
     wrigley-diag \
+    wrigley-iptables \
     wrigley-fetch-mpr
 
 # Overrides

oem-iptables-init.sh

@@ -0,0 +1,3 @@
+#!/system/bin/sh
+
+logwrapper /system/bin/wrigley-iptables.sh

ril/wrigley-diag.sh

@@ -1,25 +1,8 @@
 #!/system/bin/sh
 
-isBlanFound=0
-
-for iface in `ls /sys/class/net` ; do
-    desc=`cat /sys/class/net/$iface/description`
-    case $desc in
-        "Motorola BLAN Interface")
-            echo "Found Motorola BLAN at $iface"
-            echo "Forwarding ports for Wrigley diagnostics"
-            echo 1 > /proc/sys/net/ipv4/ip_forward;
-            /system/bin/iptables -t nat -A PREROUTING -p tcp -i $iface -d 192.168.16.2 --dport 11006 -j DNAT --to 192.168.20.2:11006;
-            /system/bin/iptables -A FORWARD -p tcp -i $iface -d 192.168.20.2 --dport 11006 -j ACCEPT;
-            /system/bin/iptables -P FORWARD ACCEPT
-            isBlanFound=1;
-            break
-        ;;
-        *)
-            echo "$iface is not the Motorola BLAN";
-            continue
-        ;;
-    esac
-done
-
-case $isBlanFound in 0) echo "Could not find Motorola BLAN";; esac
+# Enable IP forwarding so the Wrigley can talk to diagnostics utilities
+# running on an attached host machine (typically Windows).
+echo 1 > /proc/sys/net/ipv4/ip_forward
+# We must also set ro.allow.ip.fwd=1 to prevent
+# system/netd/TetherController.cpp from setting this back to 0.
+setprop ro.allow.ip.fwd 1

ril/wrigley-iptables.sh

@@ -0,0 +1,95 @@
+#!/system/bin/sh
+
+#### DESCRIPTION ####
+# This script sets up any static iptables rules required for the Wrigley.  For
+# this to work, we require hooks in system/netd/ to jump to a special "oem"
+# chain for any tables/chains we want to modify.
+
+# NOTE: This script is called every time the netd service is started.  To
+# handle the case where netd has crashed/stopped and is restarted, attempt to
+# flush any chains we create before adding to them; this will avoid duplicate
+# rules.  We don't attempt to delete our additions to the base "hook" chains,
+# because that's netd's job.  So, for each sub-chain we create in here, we do
+# -N (new) to handle the case where we've never been called before, and we do
+# -F (flush) to handle the case where we have been called before.  Both no-op
+# gracefully.
+
+# NOTE: The firewalling rules done in here for protecting specific ports from
+# unauthorized access are necessary for security, but should be replaced by a
+# connection-based authentication scheme instead.  By using iptables, we are
+# creating compatibility issues with Google's Ice Cream Sandwich, and are
+# adding unnecessary latency to all packets that go through Netfilter.  If it
+# were not for the current implementation, we would only need a hook in the
+# nat/PREROUTING chain, and the hooks in filter/OUTPUT & filter/FORWARD could
+# go away.
+# TODO: Implement a connection-based auth scheme for Wrigley control and
+# TODO: diagnostics ports.
+
+# NOTE: Our usage of the static 192.168.20.0/24 for the Wrigley IP address can
+# cause conflicts with DHCP-assigned WiFi addresses.  When coupled with the
+# firewall below, this ensures that WiFi will not work if we get assigned an
+# address in that range.
+# TODO: Find a way to blacklist the range above in the WiFi driver, so that we
+# TODO: reject attempts from a WiFi AP to assign anything in that range to us.
+
+IPTABLES="/system/bin/iptables"
+
+#### filter OUTPUT ####
+# Setup an explicit sub-chain for 192.168.20.2.  This way we only burden all
+# other packets with a single check for the IP address.
+$IPTABLES -F oem_out_wrigley # No-op on 1st inst of this script
+$IPTABLES -N oem_out_wrigley # No-op on 2nd-Nth inst of this script
+$IPTABLES -A oem_out -d 192.168.20.2 -j oem_out_wrigley
+
+# Setup diff rules for sensitive ports vs other ports.  There are more
+# non-sensitive than sensitive ports, and the non-sensitive list is fairly
+# dynamic.  So, do a blacklist instead of a whitelist.
+$IPTABLES -F oem_out_wrigley_sens # No-op on 1st inst of this script
+$IPTABLES -F oem_out_wrigley_other # No-op on 1st inst of this script
+$IPTABLES -N oem_out_wrigley_sens # No-op on 2nd-Nth inst of this script
+$IPTABLES -N oem_out_wrigley_other # No-op on 2nd-Nth inst of this script
+$IPTABLES -A oem_out_wrigley -p tcp --dport 3265 -j oem_out_wrigley_sens
+$IPTABLES -A oem_out_wrigley -p tcp --dport 3267 -j oem_out_wrigley_sens
+$IPTABLES -A oem_out_wrigley -p tcp --dport 11000 -j oem_out_wrigley_sens
+$IPTABLES -A oem_out_wrigley -j oem_out_wrigley_other
+
+# Sensitive ports only allow root and radio to access them.
+$IPTABLES -A oem_out_wrigley_sens -m owner --uid-owner 0 -j ACCEPT
+$IPTABLES -A oem_out_wrigley_sens -m owner --uid-owner 1001 -j ACCEPT
+$IPTABLES -A oem_out_wrigley_sens -j REJECT
+
+# Other ports allow root, radio, and shell to access them.
+$IPTABLES -A oem_out_wrigley_other -m owner --uid-owner 0 -j ACCEPT
+$IPTABLES -A oem_out_wrigley_other -m owner --uid-owner 1001 -j ACCEPT
+$IPTABLES -A oem_out_wrigley_other -m owner --uid-owner 2000 -j ACCEPT
+$IPTABLES -A oem_out_wrigley_other -j REJECT
+
+#### filter FORWARD ####
+# We only want forwarding in BP Tools Mode.
+case $(getprop ro.bootmode) in
+bp-tools)
+    # Only allow forwarding on non-sensitive ports.  There are more
+    # non-sensitive than sensitive ports, and the non-sensitive list is fairly
+    # dynamic.  So, do a blacklist instead of a whitelist.
+    $IPTABLES -F oem_fwd_wrigley # No-op on 1st inst of this script
+    $IPTABLES -N oem_fwd_wrigley # No-op on 2nd-Nth inst of this script
+    $IPTABLES -A oem_fwd -d 192.168.20.2 -j oem_fwd_wrigley
+    $IPTABLES -A oem_fwd -s 192.168.20.2 -j oem_fwd_wrigley
+    $IPTABLES -A oem_fwd_wrigley -p tcp --dport 3265 -j REJECT
+    $IPTABLES -A oem_fwd_wrigley -p tcp --dport 3267 -j REJECT
+    $IPTABLES -A oem_fwd_wrigley -p tcp --dport 11000 -j REJECT
+    $IPTABLES -A oem_fwd_wrigley -j ACCEPT
+    ;;
+*)
+    $IPTABLES -A oem_fwd -d 192.168.20.2 -j REJECT
+    ;;
+esac
+
+#### nat PREROUTING ####
+case $(getprop ro.bootmode) in
+bp-tools)
+    # We must rewrite the destination address for our SUAPI logger port to the
+    # address of the BLAN, because legacy tools (RTA/PST) rely on this.
+    $IPTABLES -t nat -A oem_nat_pre -p tcp -d 192.168.16.2 --dport 11006 -j DNAT --to 192.168.20.2:11006
+    ;;
+esac