bugfix：将appspawn对uid的限制在不小于10000

Signed-off-by: N xiacong <xiacong4@huawei.com> Change-Id: Ia47ab4fc623f2c6a7dfceeed29fe27bd93312168

bugfix：将appspawn对uid的限制在不小于10000
Signed-off-by: N xiacong <xiacong4@huawei.com> Change-Id: Ia47ab4fc623f2c6a7dfceeed29fe27bd93312168
770b4006 · xiacong · 32508fd0 · 770b4006 · 770b4006 · 770b4006
3 changed file
--- a/services/modules/seccomp/BUILD.gn
+++ b/services/modules/seccomp/BUILD.gn
@@ -55,6 +55,8 @@ ohos_prebuilt_seccomp("appspawn_filter") {
  part_name = INIT_PART
  subsystem_name = "startup"

+  include_dirs = [ "." ]
+
  install_enable = true
  install_images = [ "system" ]
 }

--- a/services/modules/seccomp/seccomp_policy/spawn.seccomp.policy
+++ b/services/modules/seccomp/seccomp_policy/spawn.seccomp.policy
@@ -14,11 +14,26 @@
 @returnValue
 TRAP

+@headFiles
+"seccomp_policy_constants.h"
+
 @mode
 ONLY_CHECK_ARGS

 @allowListWithArgs
-setresuid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return TRAP;arm64
-setresgid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return TRAP;arm64
-setresuid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return TRAP;arm
-setresgid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return TRAP;arm
\ No newline at end of file
+setresuid: if arg0 >= APP_UID_START && arg1 >= APP_UID_START && arg2 >= APP_UID_START; return ALLOW; else return TRAP;arm64
+setresgid: if arg0 >= APP_UID_START && arg1 >= APP_UID_START && arg2 >= APP_UID_START; return ALLOW; else return TRAP;arm64
+setresuid32: if arg0 >= APP_UID_START && arg1 >= APP_UID_START && arg2 >= APP_UID_START; return ALLOW; else return TRAP;arm
+setresgid32: if arg0 >= APP_UID_START && arg1 >= APP_UID_START && arg2 >= APP_UID_START; return ALLOW; else return TRAP;arm
+setuid: if arg0 >= APP_UID_START; return ALLOW; else return TRAP;all
+setgid: if arg0 >= APP_UID_START; return ALLOW; else return TRAP;all
+setuid32: if arg0 >= APP_UID_START; return ALLOW; else return TRAP;arm
+setgid32: if arg0 >= APP_UID_START; return ALLOW; else return TRAP;arm
+setreuid: if arg0 >= APP_UID_START && arg1 >= APP_UID_START; return ALLOW; else return TRAP;all
+setregid: if arg0 >= APP_UID_START && arg1 >= APP_UID_START; return ALLOW; else return TRAP;all
+setreuid32: if arg0 >= APP_UID_START && arg1 >= APP_UID_START; return ALLOW; else return TRAP;arm
+setregid32: if arg0 >= APP_UID_START && arg1 >= APP_UID_START; return ALLOW; else return TRAP;arm
+setfsuid: if arg0 >= APP_UID_START; return ALLOW; else return TRAP;all
+setfsgid: if arg0 >= APP_UID_START; return ALLOW; else return TRAP;all
+setfsuid32: if arg0 >= APP_UID_START; return ALLOW; else return TRAP;arm
+setfsgid32: if arg0 >= APP_UID_START; return ALLOW; else return TRAP;arm
\ No newline at end of file
--- a/services/modules/seccomp/seccomp_policy_constants.h
+++ b/services/modules/seccomp/seccomp_policy_constants.h
@@ -25,6 +25,8 @@ extern "C" {
 #define START_UID_FOR_RENDER_PROCESS (1000000)
 #define END_UID_FOR_RENDER_PROCESS (1099999)

+#define APP_UID_START (10000)
+
 #ifdef __cplusplus
 #if __cplusplus
 }