Iptables completes the networked control (cont.): an independent native process that listens for commands


Previous post: http://www.cnblogs.com/oscar1011/p/5243877.html

While doing the network control with iptables I kept wondering how the system's own daemons such as netd execute those commands, and how they listen for them in the first place.

Recently I had the chance to look into this part.

The work breaks into three parts:

1. The native process. This part has to be written in C++.

2. The framework interface, used to communicate with the native process.

3. SELinux permissions, configured mainly to grant the native process what it needs.

How the framework communicates with native is also an interesting area. Looking through the system source, many modules use a local (Unix domain) socket for communication between the upper and lower layers. The advantages are high stability, and that the native side is easy to package as an independent component.

1. The native process

The native side mainly receives and executes commands: it takes the commands the framework sends over the socket and runs the corresponding shell commands.

Two ready-made classes from libsysutils are used here. FrameworkCommand is the base class for a registered cmd; the listener forwards each received command to the FrameworkCommand whose name matches.

The other is FrameworkListener, which registers the socket listener. It takes the name of the socket to listen on, and the upper layer must connect to the socket with the same name, so the name used here has to match the one in the framework code below. Note that the listener does not create the socket itself: it obtains it from init, so the socket also has to be declared in the service's entry in init.rc, which is what creates /dev/socket/<name>.

The code follows.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>            // sleep()
#define LOG_TAG "TEST"
#include <log/log.h>           // ALOGE(); LOG_TAG must be defined before this include

#include "CommandListener.h"

int main() {
    CommandListener *cl;
    cl = new CommandListener();
    if (cl->startListener()) { // non-zero if the control socket could not be obtained from init
        ALOGE("unable to start CommandListener");
        exit(1);
    }
    while (1) {
        sleep(10);             // loop to keep the process from exiting
        ALOGE("sleep 10s");
    }

    return 0;
}
main.cpp
#define LOG_TAG "TEST"
#include <log/log.h>

#include "CommandListener.h"

CommandListener::CommandListener()
        : FrameworkListener("test", true) { // "test" -> /dev/socket/test; true = every command carries a sequence number
    registerCmd(new FirstTestCmd());        // register the test command
}

CommandListener::~CommandListener() {
}

// "firsttest" is the cmd name the framework side sends (see section 2)
CommandListener::FirstTestCmd::FirstTestCmd()
        : TestCommand("firsttest") {
}

int CommandListener::FirstTestCmd::runCommand(SocketClient *cli,
                                             int argc, char **argv) {
    ALOGE("test %d", argc);
    // process the input arguments here (argv[0] is the cmd name, the sequence number has already been stripped)
    cli->sendMsg("1"); // return the appropriate response; this overload sends the text exactly as given
    return 0;
}
CommandListener.cpp
#include "TestCommand.h"

// Thin base class: hands the cmd name to FrameworkCommand, which is what the listener matches on
TestCommand::TestCommand(const char *cmd)
        : FrameworkCommand(cmd) {
}
TestCommand.cpp

  

2. The framework interface

This part is simple: create a thread in the service, obtain the socket, and expose an interface for apps to call. The code to get the socket's output stream is as follows:

import android.net.LocalSocket;
import android.net.LocalSocketAddress;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;

LocalSocket socket = new LocalSocket();
OutputStream os = null;
// RESERVED namespace resolves the name to /dev/socket/test, the socket init created for the native process
LocalSocketAddress lsa = new LocalSocketAddress("test", LocalSocketAddress.Namespace.RESERVED);

socket.connect(lsa);   // throws IOException if the socket is missing or SELinux denies the connect
os = socket.getOutputStream();
// "<seq> <cmd> <args...>" ending in '\0'; the native listener splits incoming data on the NUL
os.write("5 firsttest abc cdf\0".getBytes(StandardCharsets.UTF_8));

Writes to this stream also have a fixed format: "sequence number + space + registered cmd + space + arguments". The native side will need to send data back, and without the number the reply cannot be matched to the request, which becomes a real problem once several commands are in flight. One caveat: the number is only echoed into the reply when the native side answers through the sendMsg(int code, const char *msg, bool addErrno) overload, which produces "code seq message"; the plain sendMsg(const char *msg) sends the string exactly as given. The listener for reply data is usually a separate thread set up just for that.
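The request/reply framing described here, and the dispatch to a registered cmd that the native listener in section 1 performs, as an added worked example that is not code from the original post or from Android's libsysutils: it is my own self-contained C++ model of the exchange, so it can be compiled and run off-device. The function names (parseRequest, dispatch, formatReply, matchReply, registry), the 200/500 reply codes and the reply texts are illustrative choices; the tokenizing rules and the "code seq message" reply layout follow what FrameworkListener and SocketClient::sendMsg(code, msg, addErrno) do, but are reimplemented here rather than copied. The sample request line is the one the Java snippet above writes.

```cpp
// Added example, not the page's code: a model of "<seq> <cmd> <args...>" in, "<code> <seq> <msg>" back.
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>
#include <vector>

// One parsed request: the sequence number the client chose plus argv (argv[0] = cmd).
struct Request {
    int seq = -1;
    std::vector<std::string> argv;
    bool ok = false;
};

// Tokenize a request line: fields split on spaces, double quotes group a field,
// backslash escapes the next character. The first field must be the numeric sequence number.
Request parseRequest(const std::string &line) {
    Request r;
    std::vector<std::string> toks;
    std::string cur;
    bool quoted = false, escaped = false, have = false;
    for (char ch : line) {
        if (escaped) { cur += ch; escaped = false; have = true; continue; }
        if (ch == '\\') { escaped = true; continue; }
        if (ch == '"') { quoted = !quoted; have = true; continue; }
        if (ch == ' ' && !quoted) {
            if (have) { toks.push_back(cur); cur.clear(); have = false; }
            continue;
        }
        cur += ch;
        have = true;
    }
    if (quoted || escaped) return r;           // unterminated quote or escape: reject
    if (have) toks.push_back(cur);
    if (toks.size() < 2) return r;             // need at least "<seq> <cmd>"
    char *end = nullptr;
    long seq = std::strtol(toks[0].c_str(), &end, 10);
    if (*end != '\0' || seq < 0) return r;     // seq must be all digits
    r.seq = static_cast<int>(seq);
    r.argv.assign(toks.begin() + 1, toks.end());
    r.ok = true;
    return r;
}

// A registered command maps its name to a handler returning (code, message):
// the equivalent of registerCmd(new FirstTestCmd()) on the page.
typedef std::pair<int, std::string> Reply;
typedef Reply (*Handler)(const std::vector<std::string> &argv);

static Reply firstTest(const std::vector<std::string> &argv) {
    return Reply(200, "firsttest got " + std::to_string(argv.size() - 1) + " args");
}

static std::map<std::string, Handler> &registry() {
    static std::map<std::string, Handler> m = {{"firsttest", firstTest}};
    return m;
}

// Reply framing with the request's sequence number echoed back, as the
// code-bearing sendMsg() overload does for a listener created with withSeq = true.
std::string formatReply(int code, int seq, const std::string &msg) {
    char buf[256];
    std::snprintf(buf, sizeof buf, "%d %d %s", code, seq, msg.c_str());
    return std::string(buf);
}

// Native side: parse one NUL-terminated line, run the registered cmd, frame the reply.
std::string dispatch(const std::string &line) {
    Request r = parseRequest(line);
    if (!r.ok) return formatReply(500, 0, "Command parse error");   // seq unknown, report 0
    std::map<std::string, Handler>::iterator it = registry().find(r.argv[0]);
    if (it == registry().end()) return formatReply(500, r.seq, "Command not recognized");
    Reply rep = it->second(r.argv);
    return formatReply(rep.first, r.seq, rep.second);
}

// Framework side: accept a reply only if its sequence number is the one we sent,
// so replies to other in-flight commands on the same socket are not mixed up.
bool matchReply(const std::string &reply, int seq, int &code, std::string &msg) {
    int c = 0, s = 0, n = 0;
    if (std::sscanf(reply.c_str(), "%d %d %n", &c, &s, &n) != 2 || s != seq) return false;
    code = c;
    msg = reply.substr(n);
    return true;
}

int main() {
    // Constructed sample: the line the page's Java code writes (minus the trailing '\0').
    std::string reply = dispatch("5 firsttest abc cdf");
    std::printf("native -> %s\n", reply.c_str());
    int code = 0;
    std::string msg;
    if (matchReply(reply, 5, code, msg))
        std::printf("framework: seq 5 answered, code %d, %s\n", code, msg.c_str());
    std::printf("native -> %s\n", dispatch("6 nosuch").c_str());
    std::printf("native -> %s\n", dispatch("firsttest abc").c_str());   // sequence number left out
    return 0;
}
```

Build with g++ -std=c++11 and run; the last call shows what a request without the sequence number gets back, which is the mismatch the paragraph above warns about, and matchReply is the check the reply-listener thread on the framework side has to make before handing a reply to the caller.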

3. SELinux permissions

To be honest, after several days of study I still find some of this hard to understand. These permission settings directly decide whether the native process works at all, and there are a lot of permissions, so you have to work out which ones are required and add them. There are generally two places to modify: external/sepolicy, and the vendor's own policy directory under device/. Every missing permission shows up as an "avc: denied" line in the kernel log or logcat, which is the quickest way to find out which rule is still missing.

The type of the native process has to be declared in at least three places, and since a socket is used, the socket needs its own type too (under Linux everything is a file, after all). The permission statements for the test process itself are not written here; I don't understand them well enough and don't want to mislead anyone, so readers who need them will have to work them out themselves. What the fragments below do not cover is the process domain (the type the process runs as, and the test_exec type that file_contexts refers to, which has to be declared as well) and the allow rules that let the framework's domain connect to the socket.

  

/dev/socket/test    u:object_r:test_socket:s0
/system/bin/test    u:object_r:test_exec:s0
sepolicy/file_contexts
type test_socket, file_type;
Sepolicy/file.te
