blob: 497f4cc1eb496d16b2841490af87ad735411ed40 [file] [log] [blame]
// Copyright 2015 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef LORGNETTE_FIREWALL_MANAGER_H_
#define LORGNETTE_FIREWALL_MANAGER_H_
#include <memory>
#include <set>
#include <string>
#include <base/files/scoped_file.h>
#include <base/memory/weak_ptr.h>
#include "permission_broker/dbus-proxies.h"
namespace lorgnette {
class FirewallManager;
// Class representing access to an open port. When it goes out of scope,
// it will release the port.
class PortToken {
public:
PortToken(base::WeakPtr<FirewallManager> firewall_manager, uint16_t port);
PortToken(const PortToken&) = delete;
PortToken& operator=(const PortToken&) = delete;
PortToken(PortToken&&);
~PortToken();
private:
base::WeakPtr<FirewallManager> firewall_manager_;
uint16_t port_;
};
// Class for managing required firewall rules for lorgnette.
class FirewallManager final {
public:
explicit FirewallManager(const std::string& interface);
FirewallManager(const FirewallManager&) = delete;
FirewallManager& operator=(const FirewallManager&) = delete;
~FirewallManager() = default;
void Init(const scoped_refptr<dbus::Bus>& bus);
// Request port access for all well-known Canon scanner port.
PortToken RequestPixmaPortAccess();
// Request UDP port access for the specified port.
PortToken RequestUdpPortAccess(uint16_t port);
private:
// ReleaseUdpPortAccess() should be private so that users don't free ports
// they didn't request, but PortToken's destructor needs access to it.
friend PortToken::~PortToken();
// Setup lifeline pipe to allow the remote firewall server
// (permission_broker) to monitor this process, so it can remove the firewall
// rules in case this process crashes.
bool SetupLifelinePipe();
void OnServiceAvailable(bool service_available);
void OnServiceNameChanged(const std::string& old_owner,
const std::string& new_owner);
void SendPortAccessRequest(uint16_t port);
// This is called when a new instance of permission_broker is detected. Since
// the new instance doesn't have any knowledge of previously port access
// requests, re-issue those requests to permission_broker to get in sync.
void RequestAllPortsAccess();
void ReleaseUdpPortAccess(uint16_t port);
// DBus proxy for permission_broker.
std::unique_ptr<org::chromium::PermissionBrokerProxy>
permission_broker_proxy_;
// File descriptors for the two end of the pipe use for communicating with
// remote firewall server (permission_broker), where the remote firewall
// server will use the read end of the pipe to detect when this process exits.
base::ScopedFD lifeline_read_;
base::ScopedFD lifeline_write_;
// The interface on which to request network access.
std::string interface_;
// The set of ports for which access has been requested.
std::set<uint16_t> requested_ports_;
// Keep as the last member variable.
base::WeakPtrFactory<FirewallManager> weak_factory_{this};
};
} // namespace lorgnette
#endif // LORGNETTE_FIREWALL_MANAGER_H_