diff --git a/services/param/adapter/param_selinux.c b/services/param/adapter/param_selinux.c
index 0f9a80af301488c418c83c85cb4490cdf10cce59..8c5000d6aaa8d42a25dc66d2534d3f765105dfdf 100644
--- a/services/param/adapter/param_selinux.c
+++ b/services/param/adapter/param_selinux.c
@@ -216,14 +216,16 @@ static int SelinuxCheckParamPermission(const ParamSecurityLabel *srcLabel, const
 SelinuxSpace *selinuxSpace = &GetParamWorkSpace()->selinuxSpace;
 int ret = DAC_RESULT_FORBIDED;
 // check
+ SrcInfo info = { 0 };
 struct ucred uc;
- uc.pid = srcLabel->cred.pid;
- uc.uid = srcLabel->cred.uid;
- uc.gid = srcLabel->cred.gid;
+ info.uc.pid = srcLabel->cred.pid;
+ info.uc.uid = srcLabel->cred.uid;
+ info.uc.gid = srcLabel->cred.gid;
+ info.sockFd = srcLabel->sockFd;
 if (mode == DAC_WRITE) {
 PARAM_CHECK(selinuxSpace->setParamCheck != NULL, return ret, "Invalid setParamCheck");
 const char *context = GetSelinuxContent(name);
- ret = selinuxSpace->setParamCheck(name, context, &uc);
+ ret = selinuxSpace->setParamCheck(name, context, &info);
 } else {
 #ifndef STARTUP_INIT_TEST
 ret = SelinuxReadParamCheck(name);
@@ -232,7 +234,7 @@ static int SelinuxCheckParamPermission(const ParamSecurityLabel *srcLabel, const
 #endif
 }
 if (ret != 0) {
- PARAM_LOGW("Selinux check name %s pid %d uid %d %d result %d", name, uc.pid, uc.uid, uc.gid, ret);
+ PARAM_LOGW("Selinux check name %s pid %d uid %d %d result %d", name, info.uc.pid, info.uc.uid, info.uc.gid, ret);
 ret = DAC_RESULT_FORBIDED;
 } else {
 ret = DAC_RESULT_PERMISSION;
diff --git a/services/param/include/param_security.h b/services/param/include/param_security.h
index 9150c466da757bd4b5e63ccc46b5d96048242e34..ad6de9b9f736bbb90e556286e738b625443a380b 100644
--- a/services/param/include/param_security.h
+++ b/services/param/include/param_security.h
@@ -66,6 +66,7 @@ typedef enum {
 } ParamSecurityType;
 typedef struct {
+ int32_t sockFd;
 UserCred cred;
 uint32_t flags[PARAM_SECURITY_MAX];
 } ParamSecurityLabel;
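Review bot: In SelinuxCheckParamPermission, `info.sockFd = srcLabel->sockFd;` forwards the descriptor to setParamCheck with no validity check, and the new `int32_t sockFd` member added at the top of ParamSecurityLabel in param_security.h has no documented "unset" value. A label that is zero-initialised by a caller that never sets the field would carry descriptor 0, which is a valid fd number, so the SELinux hook could end up querying an unrelated descriptor; callers other than HandleParamSet are not visible here, so this needs confirming. I would document the field as `int32_t sockFd; // requester's socket, borrowed, -1 when not available` and have the write path refuse a negative value before calling the hook. The `struct ucred uc;` declaration kept as context looks unused in the visible lines and can be dropped unless the `#else` branch outside the hunk still needs it.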
@@ -96,11 +97,11 @@ typedef struct {
 } ParamSecurityOps;
 typedef int (*RegisterSecurityOpsPtr)(ParamSecurityOps *ops, int isInit);
-typedef int (*SelinuxSetParamCheck)(const char *paraName, const char *destContext, struct ucred *uc);
+typedef int (*SelinuxSetParamCheck)(const char *paraName, const char *destContext, int32_t sockFd, struct ucred *uc);
 typedef struct SelinuxSpace_ {
 void *selinuxHandle;
 void (*setSelinuxLogCallback)(void);
- int (*setParamCheck)(const char *paraName, const char *destContext, struct ucred *uc);
+ int (*setParamCheck)(const char *paraName, const char *destContext, const SrcInfo *info);
 const char *(*getParamLabel)(const char *paraName);
 int (*initParamSelinux)(void);
 int (*readParamCheck)(const char *paraName);
diff --git a/services/param/linux/param_service.c b/services/param/linux/param_service.c
index 780cdf4f68272ca25cbaf52d5efcd58766f034dc..b7981b4ecf33623995ad24ccb2434256c15e74d0 100755
--- a/services/param/linux/param_service.c
+++ b/services/param/linux/param_service.c
@@ -168,6 +168,7 @@ static int HandleParamSet(const ParamTaskPtr worker, const ParamMessage *msg)
 PARAM_LOGE("Failed to get opt %d", errno);
 return SendResponseMsg(worker, msg, -1);
 }
+ srcLabel.sockFd = LE_GetSocketFd(worker);
 srcLabel.cred.uid = cr.uid;
 srcLabel.cred.pid = cr.pid;
 srcLabel.cred.gid = cr.gid;
diff --git a/test/unittest/param/param_stub.cpp b/test/unittest/param/param_stub.cpp
index 9b059e62b5865977476149caa0331a6e3433f62f..2faafae9c70f8313895dc2087d48fea4c9a6d6a7 100644
--- a/test/unittest/param/param_stub.cpp
+++ b/test/unittest/param/param_stub.cpp
@@ -61,7 +61,7 @@ static const char *forbitWriteParamName[] = {
 "test.persmission.watch"
 };
-static int TestSetParamCheck(const char *paraName, const char *context, struct ucred *uc)
+static int TestSetParamCheck(const char *paraName, const char *context, const SrcInfo *info)
 {
 // forbid to read ohos.servicectrl.
 for (size_t i = 0; i < ARRAY_LENGTH(forbitWriteParamName); i++) {
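Review bot: The two declarations changed in param_security.h no longer agree: the `SelinuxSetParamCheck` typedef now takes `(…, int32_t sockFd, struct ucred *uc)` while the `setParamCheck` member of SelinuxSpace_ takes `(…, const SrcInfo *info)`. If the typedef is what the resolved symbol is cast to before being stored in the member (that code is outside the visible hunks), the call in SelinuxCheckParamPermission would go through an incompatible function-pointer type and the permission hook would read its arguments wrongly. Use one signature for both, e.g. `typedef int (*SelinuxSetParamCheck)(const char *paraName, const char *destContext, const SrcInfo *info);`, and declare the member as `SelinuxSetParamCheck setParamCheck;`. SrcInfo is not declared in any hunk shown, so confirm that this header includes whatever provides it.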
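Review bot: In HandleParamSet the result of `LE_GetSocketFd(worker)` is stored in `srcLabel.sockFd` without a check, unlike the credential lookup just above, which answers the client with -1 when it fails. If the helper can return a negative value, the SELinux write check would be handed an invalid descriptor; fail closed in the same way, e.g. `PARAM_CHECK(srcLabel.sockFd >= 0, return SendResponseMsg(worker, msg, -1), "Invalid socket fd");`. A short comment stating that the descriptor is borrowed from the worker and must not be closed or cached by the check would also help the next reader. The function body starts and ends outside the hunk.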