/*
 * Copyright (c) 2021 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <sys/stat.h>

#include "init_utils.h"
#include "param_security.h"
#include "param_utils.h"

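#define SELINUX_LABEL_LEN 128

/*
 * Label handed out by this module. The generic ParamSecurityLabel must remain
 * the first member: EncodeSecurityLabel copies sizeof(SELinuxSecurityLabel)
 * bytes starting at a ParamSecurityLabel pointer, and DecodeSecurityLabel
 * casts a received buffer to this struct and returns its securityLabel member.
 */
typedef struct SELinuxSecurityLabel {
    ParamSecurityLabel securityLabel;
    /* Reserved for an SELinux context string; nothing in this file writes it,
     * so it is transported as all-zero bytes. */
    char label[SELINUX_LABEL_LEN];
} SELinuxSecurityLabel;

/*
 * Process-wide label filled by InitLocalSecurityLabel. Zero-initialised with
 * `{0}`: the empty initializer `{}` is C23 (a GNU extension before that).
 */
static SELinuxSecurityLabel g_localSecurityLabel = {0};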

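/*
 * Fill the process-wide label with this process's own credentials and return
 * it through *security.
 *
 * security: receives a pointer to the static g_localSecurityLabel; the caller
 *           must not free it (FreeLocalSecurityLabel is a no-op for that reason).
 * isInit:   unused; init and clients get the same kind of label.
 * Returns 0 on success, -1 if security is NULL.
 *
 * Security note: only pid, effective uid and effective gid are recorded. The
 * SELinux context of the process is never looked up and the label[] member of
 * g_localSecurityLabel stays empty, so nothing in this label identifies an
 * SELinux domain.
 */
static int InitLocalSecurityLabel(ParamSecurityLabel **security, int isInit)
{
    UNUSED(isInit);
    PARAM_CHECK(security != NULL, return -1, "Invalid param");
    /* uid_t/gid_t are not guaranteed to be int; cast so the format matches. */
    PARAM_LOGI("InitLocalSecurityLabel uid:%u gid:%u euid:%u egid:%u ",
        (unsigned int)getuid(), (unsigned int)getgid(), (unsigned int)geteuid(), (unsigned int)getegid());
    g_localSecurityLabel.securityLabel.cred.pid = getpid();
    /* Effective ids, i.e. the identity the kernel applies to this process's accesses. */
    g_localSecurityLabel.securityLabel.cred.uid = geteuid();
    g_localSecurityLabel.securityLabel.cred.gid = getegid();
    *security = &g_localSecurityLabel.securityLabel;
    return 0;
}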

/*
 * Counterpart of InitLocalSecurityLabel. The label lives in static storage
 * (g_localSecurityLabel), so there is nothing to release; the argument exists
 * only to satisfy the ParamSecurityOps interface.
 * Returns 0 always.
 */
static int FreeLocalSecurityLabel(ParamSecurityLabel *srcLabel)
{
    (void)srcLabel;
    return 0;
}

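/*
 * Serialise a label for transport. Two-phase API:
 *   buffer == NULL : store the required size in *bufferSize and return 0;
 *   otherwise      : copy the label into buffer, which must hold at least
 *                    sizeof(SELinuxSecurityLabel) bytes; *bufferSize is set to
 *                    the number of bytes written.
 * Returns 0 on success, -1 on a NULL/too-small argument, or the memcpy_s
 * error code.
 *
 * The copy covers the whole enclosing SELinuxSecurityLabel, so srcLabel must be
 * the securityLabel member of one (as handed out by InitLocalSecurityLabel); a
 * bare ParamSecurityLabel would be over-read by SELINUX_LABEL_LEN bytes.
 */
static int EncodeSecurityLabel(const ParamSecurityLabel *srcLabel, char *buffer, uint32_t *bufferSize)
{
    PARAM_CHECK(bufferSize != NULL, return -1, "Invalid param");
    if (buffer == NULL) {
        *bufferSize = sizeof(SELinuxSecurityLabel);
        return 0;
    }
    /* srcLabel is only dereferenced on the copy path, so it is checked here. */
    PARAM_CHECK(srcLabel != NULL, return -1, "Invalid param");
    PARAM_CHECK(*bufferSize >= sizeof(SELinuxSecurityLabel), return -1, "Invalid buffersize %u", *bufferSize);
    *bufferSize = sizeof(SELinuxSecurityLabel);
    return memcpy_s(buffer, *bufferSize, srcLabel, sizeof(SELinuxSecurityLabel));
}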

/*
 * Reinterpret a received buffer as a label. No copy is made: *srcLabel points
 * into buffer, so buffer must outlive the returned label and must hold an
 * SELinuxSecurityLabel laid out in place (the output of EncodeSecurityLabel).
 * Returns 0 on success, -1 if buffer is too short or an argument is NULL.
 *
 * Security note: the pid/uid/gid in the buffer are whatever the sender put
 * there (presumably a client process, given that this hook is registered only
 * on the init side — verify against the caller). Nothing here compares them
 * with kernel-provided peer credentials; unless the transport does that, the
 * label is forgeable.
 * NOTE(review): const is cast away because the ops interface returns a
 * non-const ParamSecurityLabel; the struct is not modified here.
 */
static int DecodeSecurityLabel(ParamSecurityLabel **srcLabel, const char *buffer, uint32_t bufferSize)
{
    PARAM_CHECK(bufferSize >= sizeof(SELinuxSecurityLabel), return -1, "Invalid buffersize %u", bufferSize);
    PARAM_CHECK(srcLabel != NULL && buffer != NULL, return -1, "Invalid param");
    SELinuxSecurityLabel *wrapped = (SELinuxSecurityLabel *)buffer;
    *srcLabel = &wrapped->securityLabel;
    return 0;
}

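/*
 * Parse one SELinux parameter policy file and feed every well-formed entry to
 * the `label` callback.
 *
 * Each line is split on ' ' into at most SUBSTR_INFO_DAC + 1 fields. Lines with
 * SUBSTR_INFO_DAC or fewer fields are skipped without a message, so a malformed
 * policy file silently yields fewer labels. Only the NAME and LABEL fields are
 * passed on (auditData.name / auditData.label); they point into working
 * storage that is overwritten on the next line, so the callback must copy
 * whatever it keeps. A callback failure is logged and the next line is tried.
 *
 * fileName: path of the policy file (trusted configuration; nothing beyond the
 *           field count is validated here).
 * label:    callback invoked per entry; must be non-NULL (callers check).
 * context:  passed through to the callback.
 * Returns 0 once the file has been read, -1 if the file cannot be opened or a
 * working buffer cannot be allocated.
 */
static int LoadParamLabels(const char *fileName, SecurityLabelFunc label, void *context)
{
    FILE *fp = fopen(fileName, "r");
    PARAM_CHECK(fp != NULL, return -1, "Open file %s fail", fileName);

    int result = -1;
    int infoCount = 0;
    ParamAuditData auditData = {0};
    /* calloc(n, size) checks the multiplication for overflow; size * n does not. */
    SubStringInfo *info = calloc(SUBSTR_INFO_DAC + 1, sizeof(SubStringInfo));
    char *buff = calloc(1, PARAM_BUFFER_SIZE);
    /* Allocation failure is an error, not an empty file: do not report success. */
    PARAM_CHECK(info != NULL && buff != NULL, goto out, "Failed to alloc buffer for %s", fileName);

    while (fgets(buff, PARAM_BUFFER_SIZE, fp) != NULL) {
        buff[PARAM_BUFFER_SIZE - 1] = '\0';
        int subStrNumber = GetSubStringInfo(buff, strlen(buff), ' ', info, SUBSTR_INFO_DAC + 1);
        if (subStrNumber <= SUBSTR_INFO_DAC) {
            continue;
        }
        auditData.name = info[SUBSTR_INFO_NAME].value;
        auditData.label = info[SUBSTR_INFO_LABEL].value;
        int ret = label(&auditData, context);
        PARAM_CHECK(ret == 0, continue, "Failed to write param info %d %s", ret, buff);
        infoCount++;
    }
    PARAM_LOGI("Load parameter info %d success %s", infoCount, fileName);
    result = 0;

out:
    /* free(NULL) is a no-op, so no guards are needed. */
    free(buff);
    free(info);
    (void)fclose(fp);
    return result;
}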

/*
 * ReadFileInDir callback: unpack the LabelFuncContext built by
 * GetParamSecurityLabel and load one policy file with it.
 * context must be a LabelFuncContext *; it is not NULL-checked.
 * Returns whatever LoadParamLabels returns.
 */
static int ProcessParamFile(const char *fileName, void *context)
{
    LabelFuncContext *ctx = context;
    return LoadParamLabels(fileName, ctx->label, ctx->context);
}

/*
 * ops->securityGetLabel hook (init side): load SELinux parameter labels from
 * `path`. If `path` stats as an existing non-directory it is read as a single
 * policy file; otherwise (a directory, or a stat() failure) it is handed to
 * ReadFileInDir with the ".para.selinux" filter, whose matching rules are
 * defined elsewhere.
 *
 * label:   per-entry callback, required.
 * context: opaque pointer handed to the callback.
 * Returns -1 for a NULL callback, otherwise the result of the file or
 * directory processing.
 */
static int GetParamSecurityLabel(SecurityLabelFunc label, const char *path, void *context)
{
    PARAM_CHECK(label != NULL, return -1, "Invalid param");
    LabelFuncContext cxt = { label, context };
    struct stat st;
    int isPlainFile = (stat(path, &st) == 0) && !S_ISDIR(st.st_mode);
    if (isPlainFile) {
        return ProcessParamFile(path, &cxt);
    }
    return ReadFileInDir(path, ".para.selinux", ProcessParamFile, &cxt);
}

/*
 * ops->securityCheckFilePermission hook.
 *
 * Permissive stub: every non-NULL (localLabel, fileName) pair is allowed,
 * `flags` is ignored and no SELinux query is made. Any file-level access
 * control must therefore come from elsewhere; nothing in this file denies a
 * file access.
 * Returns 0 (allow), or -1 if either pointer is NULL.
 */
static int CheckFilePermission(const ParamSecurityLabel *localLabel, const char *fileName, int flags)
{
    (void)flags;
    PARAM_CHECK(localLabel != NULL, return -1, "Invalid param");
    PARAM_CHECK(fileName != NULL, return -1, "Invalid param");
    return 0;
}

/*
 * ops->securityCheckParamPermission hook.
 *
 * Permissive stub: the caller's credentials in srcLabel are never compared
 * with auditData->label, and `mode` is ignored, so any caller presenting a
 * well-formed label with a non-NULL parameter name is allowed every operation
 * on every parameter. Until a real SELinux decision is implemented here,
 * parameter access is effectively unrestricted by this module.
 * Returns 0 (allow), or -1 if srcLabel, auditData or auditData->name is NULL.
 */
static int CheckParamPermission(const ParamSecurityLabel *srcLabel, const ParamAuditData *auditData, uint32_t mode)
{
    (void)mode;
    PARAM_LOGI("CheckParamPermission ");
    PARAM_CHECK(srcLabel != NULL, return -1, "Invalid param");
    PARAM_CHECK(auditData != NULL && auditData->name != NULL, return -1, "Invalid param");
    return 0;
}

/*
 * Populate `ops` with this module's hooks.
 *
 * Hooks shared by both sides: init/free label and the two (permissive)
 * permission checks. Side-specific hooks: with isInit set, the table gets the
 * policy loader and the label decoder; otherwise only the label encoder. The
 * unused side-specific slots are set to NULL explicitly.
 * Returns 0, or -1 if ops is NULL.
 */
PARAM_STATIC int RegisterSecuritySelinuxOps(ParamSecurityOps *ops, int isInit)
{
    PARAM_CHECK(ops != NULL, return -1, "Invalid param");
    ops->securityInitLabel = InitLocalSecurityLabel;
    ops->securityFreeLabel = FreeLocalSecurityLabel;
    ops->securityCheckFilePermission = CheckFilePermission;
    ops->securityCheckParamPermission = CheckParamPermission;
    /* init loads labels and decodes what it receives; clients only encode. */
    ops->securityGetLabel = isInit ? GetParamSecurityLabel : NULL;
    ops->securityDecodeLabel = isInit ? DecodeSecurityLabel : NULL;
    ops->securityEncodeLabel = isInit ? NULL : EncodeSecurityLabel;
    return 0;
}
#ifdef PARAM_SUPPORT_SELINUX
/*
 * Public registration entry, compiled only with PARAM_SUPPORT_SELINUX:
 * installs the SELinux-flavoured ParamSecurityOps table.
 * Returns the result of RegisterSecuritySelinuxOps (0, or -1 for a NULL ops).
 */
int RegisterSecurityOps(ParamSecurityOps *ops, int isInit)
{
    int ret = RegisterSecuritySelinuxOps(ops, isInit);
    return ret;
}
#endif