!369 Add:针对读取param进行权限管控

Merge pull request !369 from 熊磊/CJ_0303

!369 Add:针对读取param进行权限管控
Merge pull request !369 from 熊磊/CJ_0303
82a23350 · openharmony_ci · Gitee · fbed4b59 · 9ab3e1f8 · 82a23350
9 changed file
--- a/services/begetctl/BUILD.gn
+++ b/services/begetctl/BUILD.gn
@@ -55,6 +55,7 @@ ohos_executable("begetctl") {
      "//base/startup/init_lite/interfaces/innerkits:libbeget_proxy",
      "//base/startup/init_lite/services/loopevent:loopevent",
      "//base/startup/init_lite/services/param/watcher:param_watcheragent",
+      "//base/startup/syspara_lite/interfaces/innerkits/native/syspara:syspara",
    ]
    defines += [
      "OHOS_SERVICE_DUMP",
@@ -62,6 +63,15 @@ ohos_executable("begetctl") {
    ]
  }

+  if (build_selinux) {
+    include_dirs += [
+      "//third_party/selinux/libselinux/include/",
+      "//base/security/selinux/interfaces/policycoreutils/include/",
+    ]
+    deps += [ "//third_party/selinux:libselinux" ]
+    defines += [ "WITH_SELINUX" ]
+  }
+
  symlink_target_name = [
    "misc_daemon",
    "reboot",
@@ -113,6 +123,7 @@ ohos_executable("paramshell") {
      "//base/startup/init_lite/interfaces/innerkits:libbeget_proxy",
      "//base/startup/init_lite/services/loopevent:loopevent",
      "//base/startup/init_lite/services/param/watcher:param_watcheragent",
+      "//base/startup/syspara_lite/interfaces/innerkits/native/syspara:syspara",
    ]
    defines += [
      "OHOS_SERVICE_DUMP",

--- a/services/begetctl/param_cmd.c
+++ b/services/begetctl/param_cmd.c
@@ -28,6 +28,10 @@
 #include "param_utils.h"
 #include "shell_utils.h"
 #include "sys_param.h"
+#ifdef WITH_SELINUX
+#include <policycoreutils.h>
+#include <selinux/selinux.h>
+#endif // WITH_SELINUX

 #define MASK_LENGTH_MAX 4
 pid_t g_shellPid = 0;
@@ -389,6 +393,9 @@ static int32_t BShellParamCmdShell(BShellHandle shell, int32_t argc, char *argv[
    if (pid == 0) {
        setuid(2000); // 2000 shell group
        setgid(2000); // 2000 shell group
+#ifdef WITH_SELINUX
+        setcon("u:r:normal_hap_domain:s0");
+#endif
        if (argc >= 2) { // 2 min argc
            char *args[] = {SHELL_NAME, argv[1], NULL};
            ret = execv(CMD_PATH, args);

--- a/services/loopevent/include/loop_event.h
+++ b/services/loopevent/include/loop_event.h
@@ -124,6 +124,7 @@ LE_STATUS LE_AcceptStreamClient(const LoopHandle loopHandle,
 LE_STATUS LE_Send(const LoopHandle loopHandle,
    const TaskHandle taskHandle, const BufferHandle handle, uint32_t buffLen);
 void LE_CloseStreamTask(const LoopHandle loopHandle, const TaskHandle taskHandle);
+int LE_GetSocketFd(const TaskHandle taskHandle);

 /**
 * 异步事件服务

--- a/services/loopevent/task/le_streamtask.c
+++ b/services/loopevent/task/le_streamtask.c
@@ -244,4 +244,10 @@ void LE_CloseStreamTask(const LoopHandle loopHandle, const TaskHandle taskHandle
 {
    LE_CHECK(loopHandle != NULL && taskHandle != NULL, return, "Invalid parameters");
    LE_CloseTask(loopHandle, taskHandle);
+}
+
+int LE_GetSocketFd(const TaskHandle taskHandle)
+{
+    LE_CHECK(taskHandle != NULL, return -1, "Invalid parameters");
+    return GetSocketFd(taskHandle);
 }
\ No newline at end of file
--- a/services/param/BUILD.gn
+++ b/services/param/BUILD.gn
@@ -41,11 +41,15 @@ ohos_static_library("param_service") {
    "//base/startup/init_lite/services/log",
    "//base/startup/init_lite/interfaces/innerkits/include",
    "//base/startup/init_lite/services/loopevent/include",
+    "//base/security/selinux/interfaces/policycoreutils/include",
    "//third_party/libuv/include",
    "//third_party/cJSON",
  ]

  defines = [ "PARAM_SUPPORT_SAVE_PERSIST" ]
+  if (build_selinux) {
+    defines += [ "WITH_SELINUX" ]
+  }

  if (defined(boot_kernel_extended_cmdline)) {
    defines += [ "BOOT_EXTENDED_CMDLINE=\"${boot_kernel_extended_cmdline}\"" ]
@@ -90,13 +94,17 @@ ohos_shared_library("param_client") {
    "//base/startup/init_lite/services/log",
    "//base/startup/init_lite/interfaces/innerkits/include",
    "//base/hiviewdfx/hilog/interfaces/native/innerkits/include",
+    "//base/security/selinux/interfaces/policycoreutils/include",
    "//base/startup/init_lite/services/loopevent/include",
  ]

  defines = [ "INIT_AGENT" ]
-
  defines += [ "_GNU_SOURCE" ]

+  if (build_selinux) {
+    defines += [ "WITH_SELINUX" ]
+  }
+
  if (param_security == "selinux") {
    sources += [ "adapter/param_selinux.c" ]
    defines += [ "PARAM_SUPPORT_SELINUX" ]

--- a/services/param/adapter/param_dac.c
+++ b/services/param/adapter/param_dac.c
@@ -85,6 +85,9 @@ static int InitLocalSecurityLabel(ParamSecurityLabel **security, int isInit)
    *security = &g_localSecurityLabel;
    // support check write permission in client
    (*security)->flags |= LABEL_CHECK_FOR_ALL_PROCESS;
+#ifdef WITH_SELINUX
+    (*security)->flags = 0;
+#endif
    return 0;
 }


--- a/services/param/manager/param_manager.c
+++ b/services/param/manager/param_manager.c
@@ -16,6 +16,10 @@
 #include "param_manager.h"

 #include <ctype.h>
+#include <dlfcn.h>
+#ifdef WITH_SELINUX
+#include "selinux_parameter.h"
+#endif

 #if !defined PARAM_SUPPORT_SELINUX && !defined PARAM_SUPPORT_DAC
 static ParamSecurityLabel g_defaultSecurityLabel;
@@ -231,6 +235,45 @@ int TraversalParam(const ParamWorkSpace *workSpace,
    return TraversalTrieNode(&workSpace->paramSpace, root, ProcessParamTraversal, &context);
 }

+#ifdef WITH_SELINUX
+static void *g_selinuxHandle = NULL;
+static int CheckParamPermissionWithSelinux(const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode)
+{
+    static void (*setSelinuxLogCallback)();
+    static int (*setParamCheck)(const char *paraName, struct ucred *uc);
+    g_selinuxHandle = dlopen("/system/lib/libparaperm_checker.z.so", RTLD_LAZY);
+    if (g_selinuxHandle == NULL) {
+        PARAM_LOGE("Failed to dlopen libparaperm_checker.z.so, %s\n", dlerror());
+        return DAC_RESULT_FORBIDED;
+    }
+    if (setSelinuxLogCallback == NULL) {
+        setSelinuxLogCallback = (void (*)())dlsym(g_selinuxHandle, "SetSelinuxLogCallback");
+        if (setSelinuxLogCallback == NULL) {
+            PARAM_LOGE("Failed to dlsym setSelinuxLogCallback, %s\n", dlerror());
+            return DAC_RESULT_FORBIDED;
+        }
+    }
+    (*setSelinuxLogCallback)();
+
+    if (setParamCheck == NULL) {
+        setParamCheck = (int (*)(const char *paraName, struct ucred *uc))dlsym(g_selinuxHandle, "SetParamCheck");
+        if (setParamCheck == NULL) {
+            PARAM_LOGE("Failed to dlsym setParamCheck, %s\n", dlerror());
+            return DAC_RESULT_FORBIDED;
+        }
+    }
+    struct ucred uc;
+    uc.pid = srcLabel->cred.pid;
+    uc.uid = srcLabel->cred.uid;
+    uc.gid = srcLabel->cred.gid;
+    int ret = setParamCheck(name, &uc);
+    if (ret != 0) {
+        PARAM_LOGI("Selinux check name %s pid %d uid %d %d result %d", name, uc.pid, uc.uid, uc.gid, ret);
+    }
+    return ret;
+}
+#endif
+
 int CheckParamPermission(const ParamWorkSpace *workSpace,
    const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode)
 {
@@ -240,6 +283,14 @@ int CheckParamPermission(const ParamWorkSpace *workSpace,
        return 0;
    }
    PARAM_CHECK(name != NULL && srcLabel != NULL, return -1, "Invalid param");
+#ifdef WITH_SELINUX
+    if (mode == DAC_WRITE) {
+        int ret = CheckParamPermissionWithSelinux(srcLabel, name, mode);
+        if (ret == DAC_RESULT_PERMISSION) {
+            return DAC_RESULT_PERMISSION;
+        }
+    }
+#endif
    if (workSpace->paramSecurityOps.securityCheckParamPermission == NULL) {
        return DAC_RESULT_FORBIDED;
    }

--- a/services/param/manager/param_message.c
+++ b/services/param/manager/param_message.c
@@ -25,10 +25,12 @@
 int ConntectServer(int fd, const char *servername)
 {
    PARAM_CHECK(fd >= 0, return -1, "Invalid fd %d", fd);
+    int opt = 1;
+    int ret = setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &opt, sizeof(opt));
    PARAM_CHECK(servername != NULL, return -1, "Invalid servername");
    struct sockaddr_un addr;
    /* fill socket address structure with server's address */
-    int ret = memset_s(&addr, sizeof(addr), 0, sizeof(addr));
+    ret = memset_s(&addr, sizeof(addr), 0, sizeof(addr));
    PARAM_CHECK(ret == 0, return -1, "Failed to memset server address");
    addr.sun_family = AF_UNIX;
    ret = sprintf_s(addr.sun_path, sizeof(addr.sun_path) - 1, "%s", servername);

--- a/services/param/service/param_service.c
+++ b/services/param/service/param_service.c
@@ -24,9 +24,12 @@
 #include <sys/msg.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>

 #include "init_param.h"
 #include "init_utils.h"
+#include "loop_event.h"
 #include "param_message.h"
 #include "param_manager.h"
 #include "param_request.h"
@@ -339,7 +342,17 @@ static int HandleParamSet(const ParamTaskPtr worker, const ParamMessage *msg)
        PARAM_CHECK(ret == 0, return ret,
            "Failed to decode param %d name %s %s", ret, msg->key, valueContent->content);
    }
-
+    if (srcLabel != NULL) {
+        struct ucred cr = {-1, -1, -1};
+        socklen_t crSize = sizeof(cr);
+        if (getsockopt(LE_GetSocketFd(worker), SOL_SOCKET, SO_PEERCRED, &cr, &crSize) < 0) {
+            PARAM_LOGE("Failed to get opt %d", errno);
+            return SendResponseMsg(worker, msg, -1);
+        }
+        srcLabel->cred.uid = cr.uid;
+        srcLabel->cred.pid = cr.pid;
+        srcLabel->cred.gid = cr.gid;
+    }
    ret = SystemSetParam(msg->key, valueContent->content, srcLabel);
    if (srcLabel != NULL && g_paramWorkSpace.paramSecurityOps.securityFreeLabel != NULL) {
        g_paramWorkSpace.paramSecurityOps.securityFreeLabel(srcLabel);