!866 fix bug for deny selinux policy

Merge pull request !866 from Mupceet/initselinux

!866 fix bug for deny selinux policy
Merge pull request !866 from Mupceet/initselinux
89deabc9 · openharmony_ci · Gitee · 514d6cd0 · fd4b59bf · 89deabc9
8 changed file
--- a/scripts/param_cfg_to_code.py
+++ b/scripts/param_cfg_to_code.py
@@ -107,6 +107,8 @@ def WriteMapToCode(codeName, dict):
        f.write('#endif' + os.linesep)
        f.write('#endif' + os.linesep)
        f.write('#endif // PARAM_LITE_DEF_CFG_' + os.linesep)
+        f.write(os.linesep)
+        f.truncate()
    except IOError:
        print("Error: open or write file %s fail"%{codeName})
    else:

--- a/services/include/param/init_param.h
+++ b/services/include/param/init_param.h
@@ -71,6 +71,7 @@ typedef enum {
 *
 */
 void InitParamService(void);
+void LoadSpecialParam(void);

 /**
 * Init 接口

--- a/services/init/standard/init.c
+++ b/services/init/standard/init.c
@@ -379,6 +379,9 @@ void SystemConfig(void)
    // load SELinux context and policy
    // Do not move position!
    SystemLoadSelinux();
+
+    LoadSpecialParam();
+
    // parse parameters
    HookMgrExecute(GetBootStageHookMgr(), INIT_PRE_PARAM_LOAD, (void *)&timingStat, (void *)&options);
    InitLoadParamFiles();

--- a/services/modules/BUILD.gn
+++ b/services/modules/BUILD.gn
@@ -24,9 +24,8 @@ if (!defined(ohos_lite)) {
    ]

    deps = [
-      "//base/startup/init_lite/services/param/base:parameterbase",
-      "//base/startup/init_lite/services/utils:libinit_utils",
-      "//third_party/bounds_checking_function:libsec_static",
+      "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
+      "//third_party/bounds_checking_function:libsec_shared",
      "//third_party/cJSON:cjson_static",
    ]


--- a/services/param/adapter/param_selinux.c
+++ b/services/param/adapter/param_selinux.c
@@ -23,6 +23,8 @@
 #include "param_base.h"
 #ifdef PARAM_SUPPORT_SELINUX
 #include "selinux_parameter.h"
+#include <policycoreutils.h>
+#include <selinux/selinux.h>
 #endif

 #ifdef __aarch64__
@@ -67,6 +69,9 @@ static int InitLocalSecurityLabel(ParamSecurityLabel *security, int isInit)
        g_selinuxSpace.initParamSelinux = (void (*)())dlsym(handle, "InitParamSelinux");
        PARAM_CHECK(g_selinuxSpace.initParamSelinux != NULL, return -1, "Failed to dlsym initParamSelinux ");
    }
+    if (g_selinuxSpace.readParamCheck == NULL) {
+        g_selinuxSpace.readParamCheck = (int (*)(const char *))dlsym(handle, "ReadParamCheck");
+    }
    if (g_selinuxSpace.destroyParamList == NULL) {
        g_selinuxSpace.destroyParamList =
            (void (*)(ParamContextsList **))dlsym(handle, "DestroyParamList");
@@ -84,11 +89,25 @@ static int FreeLocalSecurityLabel(ParamSecurityLabel *srcLabel)
    return 0;
 }

+static void SetSelinuxFileCon(const char *name, const char *context)
+{
+    static char buffer[FILENAME_LEN_MAX] = {0};
+    int len = ParamSprintf(buffer, sizeof(buffer), "%s/%s", PARAM_STORAGE_PATH, context);
+    if (len > 0) {
+        buffer[len] = '\0';
+        PARAM_LOGI("setfilecon name %s path: %s %s ", name, context, buffer);
+        if (setfilecon(buffer, context) < 0) {
+            PARAM_LOGE("Failed to setfilecon %s ", context);
+        }
+    }
+}
+
 static int SelinuxGetAllLabel(int readOnly)
 {
    PARAM_CHECK(g_selinuxSpace.getParamList != NULL, return DAC_RESULT_FORBIDED, "Invalid getParamList");
    ParamContextsList *head = g_selinuxSpace.getParamList();
    ParamContextsList *node = head;
+
    int count = 0;
    while (node != NULL) {
        PARAM_LOGV("GetParamSecurityLabel name %s content %s", node->info.paraName, node->info.paraContext);
@@ -97,15 +116,27 @@ static int SelinuxGetAllLabel(int readOnly)
            continue;
        }
        int ret = AddWorkSpace(node->info.paraContext, readOnly, PARAM_WORKSPACE_DEF);
-        PARAM_CHECK(ret == 0, continue,
-            "Failed to add selinux workspace %s %s", node->info.paraName, node->info.paraContext);
-        node = node->next;
+        if (ret != 0) {
+            PARAM_LOGE("Forbid to add selinux workspace %s %s", node->info.paraName, node->info.paraContext);
+            node = node->next;
+            continue;
+        }
        count++;
+        if (readOnly != 0) {
+            node = node->next;
+            continue;
+        }
+        // set selinx label
+        SetSelinuxFileCon(node->info.paraName, node->info.paraContext);
+        node = node->next;
    }

    int ret = AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, readOnly, PARAM_WORKSPACE_MAX);
    PARAM_CHECK(ret == 0, return -1,
        "Failed to add selinux workspace %s", WORKSPACE_NAME_DEF_SELINUX);
+    if (readOnly == 0) {
+        SetSelinuxFileCon(WORKSPACE_NAME_DEF_SELINUX, WORKSPACE_NAME_DEF_SELINUX);
+    }
    PARAM_LOGI("SelinuxGetAllLabel count %d", count);
    return 0;
 }
@@ -126,10 +157,15 @@ static int CheckFilePermission(const ParamSecurityLabel *localLabel, const char
 static int SelinuxReadParamCheck(const char *name)
 {
    int ret = DAC_RESULT_FORBIDED;
+    if (g_selinuxSpace.readParamCheck != NULL) {
+        ret = g_selinuxSpace.readParamCheck(name);
+        PARAM_LOGI("SelinuxReadParamCheck name %s ret %d", name, ret);
+    }
    const char *label = GetSelinuxContent(name);
    if (label == NULL) { // open file with readonly
        ret = AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, 1, PARAM_WORKSPACE_MAX);
    } else {
+        PARAM_LOGI("SelinuxReadParamCheck name %s label %s", name, label);
        ret = AddWorkSpace(label, 1, PARAM_WORKSPACE_MAX);
    }
    if (ret != 0) {

--- a/services/param/base/param_trie.c
+++ b/services/param/base/param_trie.c
@@ -23,7 +23,7 @@
 #include "param_osadp.h"
 #include "param_utils.h"

-int GetRealFileName(WorkSpace *workSpace, char *buffer, uint32_t size)
+static int GetRealFileName(WorkSpace *workSpace, char *buffer, uint32_t size)
 {
    int ret = ParamSprintf(buffer, size, "%s/%s", PARAM_STORAGE_PATH, workSpace->fileName);
    PARAM_CHECK(ret > 0, return -1, "Failed to copy file name %s", workSpace->fileName);

--- a/services/param/linux/BUILD.gn
+++ b/services/param/linux/BUILD.gn
@@ -111,6 +111,10 @@ if (defined(ohos_lite)) {
    }

    if (build_selinux) {
+      include_dirs += [
+        "//third_party/selinux/libselinux/include/",
+        "//base/security/selinux/interfaces/policycoreutils/include/",
+      ]
      defines += [ "PARAM_SUPPORT_SELINUX" ]
    }
    part_name = "init"
@@ -121,11 +125,17 @@ if (defined(ohos_lite)) {
    sources = param_client_sources
    include_dirs = param_include_dirs
    public_configs = [ ":exported_header_files" ]
+    deps = []
    defines = [
      "_GNU_SOURCE",
      "INIT_AGENT",
    ]
    if (build_selinux) {
+      deps += [
+        "//base/security/selinux:libload_policy",
+        "//base/security/selinux:librestorecon",
+        "//third_party/selinux:libselinux",
+      ]
      defines += [
        "PARAM_SUPPORT_SELINUX",
        "PARAMWORKSPACE_NEED_MUTEX",

--- a/services/param/linux/param_service.c
+++ b/services/param/linux/param_service.c
@@ -391,12 +391,6 @@ void InitParamService(void)
        ret = ParamServerCreate(&g_paramService.serverTask, &info);
        PARAM_CHECK(ret == 0, return, "Failed to create server");
    }
-    // read selinux label
-    LoadSelinuxLabel();
-    // from cmdline
-    LoadParamFromCmdLine();
-    // from build
-    LoadParamFromBuild();

    // init trigger space
    ret = InitTriggerWorkSpace();
@@ -405,6 +399,16 @@ void InitParamService(void)
    RegisterTriggerExec(TRIGGER_PARAM_WATCH, ExecuteWatchTrigger_);
 }

+void LoadSpecialParam(void)
+{
+    // read selinux label
+    LoadSelinuxLabel();
+    // from cmdline
+    LoadParamFromCmdLine();
+    // from build
+    LoadParamFromBuild();
+}
+
 int StartParamService(void)
 {
    return ParamServiceStart();