aboutsummaryrefslogtreecommitdiffstatshomepage
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2020-04-05 19:38:11 -0600
committerJason A. Donenfeld <Jason@zx2c4.com>2020-04-05 19:38:11 -0600
commite189f9942d54b6900f7140c1f4a41312cb6889eb (patch)
treed4e9d8b78f29c0dbf5f730ec12515d7db2389a95
parenthighlighter: insist on 256-bit keys, not 257-bit or 258-bit (diff)
downloadwireguard-tools-master.tar.xz
wireguard-tools-master.zip
wg-quick: android: support application whitelistHEADmaster
Prior we only supported a blacklist, but actually a whitelist is an easier algorithm because that's internally how netd considers it, so we don't need to find range spans. This commit adds an IncludedApplications key. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r--src/wg-quick/android.c73
1 files changed, 48 insertions, 25 deletions
diff --git a/src/wg-quick/android.c b/src/wg-quick/android.c
index 54ea81c..540925a 100644
--- a/src/wg-quick/android.c
+++ b/src/wg-quick/android.c
@@ -782,31 +782,49 @@ static uid_t *get_uid_list(const char *selected_applications)
return uid_list;
}
-static void set_users(unsigned int netid, const char *excluded_applications)
+static void set_users(unsigned int netid, const char *excluded_applications, const char *included_applications)
{
- _cleanup_free_ uid_t *excluded_uids = get_uid_list(excluded_applications);
+ _cleanup_free_ uid_t *uids = NULL;
unsigned int args_per_command = 0;
_cleanup_free_ char *ranges = NULL;
char range[22];
uid_t start;
- for (start = 0; *excluded_uids; start = *excluded_uids + 1, ++excluded_uids) {
- if (start > *excluded_uids - 1)
- continue;
- else if (start == *excluded_uids - 1)
- snprintf(range, sizeof(range), "%u", start);
- else
- snprintf(range, sizeof(range), "%u-%u", start, *excluded_uids - 1);
- ranges = concat_and_free(ranges, " ", range);
- if (++args_per_command % 18 == 0) {
- cndc("network users add %u %s", netid, ranges);
- free(ranges);
- ranges = NULL;
- }
+ if (excluded_applications && included_applications) {
+ fprintf(stderr, "Error: only one of ExcludedApplications and IncludedApplications may be specified, but not both\n");
+ exit(EEXIST);
}
- if (start < 99999) {
- snprintf(range, sizeof(range), "%u-99999", start);
- ranges = concat_and_free(ranges, " ", range);
+
+ if (excluded_applications || !included_applications) {
+ uids = get_uid_list(excluded_applications);
+ for (start = 0; *uids; start = *uids + 1, ++uids) {
+ if (start > *uids - 1)
+ continue;
+ else if (start == *uids - 1)
+ snprintf(range, sizeof(range), "%u", start);
+ else
+ snprintf(range, sizeof(range), "%u-%u", start, *uids - 1);
+ ranges = concat_and_free(ranges, " ", range);
+ if (++args_per_command % 18 == 0) {
+ cndc("network users add %u %s", netid, ranges);
+ free(ranges);
+ ranges = NULL;
+ }
+ }
+ if (start < 99999) {
+ snprintf(range, sizeof(range), "%u-99999", start);
+ ranges = concat_and_free(ranges, " ", range);
+ }
+ } else {
+ for (uids = get_uid_list(included_applications); *uids; ++uids) {
+ snprintf(range, sizeof(range), "%u", *uids);
+ ranges = concat_and_free(ranges, " ", range);
+ if (++args_per_command % 18 == 0) {
+ cndc("network users add %u %s", netid, ranges);
+ free(ranges);
+ ranges = NULL;
+ }
+ }
}
if (ranges)
@@ -1063,7 +1081,8 @@ static void cmd_usage(const char *program)
" IP addresses (with an optional CIDR mask) to be set for the interface.\n"
" - MTU: an optional MTU for the interface; if unspecified, auto-calculated.\n"
" - DNS: an optional DNS server to use while the device is up.\n"
- " - ExcludedApplications: optional applications to exclude from the tunnel.\n\n"
+ " - ExcludedApplications: optional blacklist of applications to exclude from the tunnel.\n\n"
+ " - IncludedApplications: optional whitelist of applications to include in the tunnel.\n\n"
" See wg-quick(8) for more info and examples.\n");
}
@@ -1077,7 +1096,7 @@ static void cmd_up_cleanup(void)
free(cleanup_iface);
}
-static void cmd_up(const char *iface, const char *config, unsigned int mtu, const char *addrs, const char *dnses, const char *excluded_applications)
+static void cmd_up(const char *iface, const char *config, unsigned int mtu, const char *addrs, const char *dnses, const char *excluded_applications, const char *included_applications)
{
DEFINE_CMD(c);
unsigned int netid = 0;
@@ -1099,7 +1118,7 @@ static void cmd_up(const char *iface, const char *config, unsigned int mtu, cons
set_dnses(netid, dnses);
set_routes(iface, netid);
set_mtu(iface, mtu);
- set_users(netid, excluded_applications);
+ set_users(netid, excluded_applications, included_applications);
broadcast_change();
free(cleanup_iface);
@@ -1131,7 +1150,7 @@ static void cmd_down(const char *iface)
exit(EXIT_SUCCESS);
}
-static void parse_options(char **iface, char **config, unsigned int *mtu, char **addrs, char **dnses, char **excluded_applications, const char *arg)
+static void parse_options(char **iface, char **config, unsigned int *mtu, char **addrs, char **dnses, char **excluded_applications, char **included_applications, const char *arg)
{
_cleanup_fclose_ FILE *file = NULL;
_cleanup_free_ char *line = NULL;
@@ -1215,6 +1234,9 @@ static void parse_options(char **iface, char **config, unsigned int *mtu, char *
} else if (!strncasecmp(clean, "ExcludedApplications=", 21) && j > 4) {
*excluded_applications = concat_and_free(*excluded_applications, ",", clean + 21);
continue;
+ } else if (!strncasecmp(clean, "IncludedApplications=", 21) && j > 4) {
+ *included_applications = concat_and_free(*included_applications, ",", clean + 21);
+ continue;
} else if (!strncasecmp(clean, "MTU=", 4) && j > 4) {
*mtu = atoi(clean + 4);
continue;
@@ -1240,17 +1262,18 @@ int main(int argc, char *argv[])
_cleanup_free_ char *addrs = NULL;
_cleanup_free_ char *dnses = NULL;
_cleanup_free_ char *excluded_applications = NULL;
+ _cleanup_free_ char *included_applications = NULL;
unsigned int mtu;
if (argc == 2 && (!strcmp(argv[1], "help") || !strcmp(argv[1], "--help") || !strcmp(argv[1], "-h")))
cmd_usage(argv[0]);
else if (argc == 3 && !strcmp(argv[1], "up")) {
auto_su(argc, argv);
- parse_options(&iface, &config, &mtu, &addrs, &dnses, &excluded_applications, argv[2]);
- cmd_up(iface, config, mtu, addrs, dnses, excluded_applications);
+ parse_options(&iface, &config, &mtu, &addrs, &dnses, &excluded_applications, &included_applications, argv[2]);
+ cmd_up(iface, config, mtu, addrs, dnses, excluded_applications, included_applications);
} else if (argc == 3 && !strcmp(argv[1], "down")) {
auto_su(argc, argv);
- parse_options(&iface, &config, &mtu, &addrs, &dnses, &excluded_applications, argv[2]);
+ parse_options(&iface, &config, &mtu, &addrs, &dnses, &excluded_applications, &included_applications, argv[2]);
cmd_down(iface);
} else {
cmd_usage(argv[0]);