未验证 提交 89deabc9 编写于 作者: O openharmony_ci 提交者: Gitee

!866 fix bug for deny selinux policy

Merge pull request !866 from Mupceet/initselinux
......@@ -107,6 +107,8 @@ def WriteMapToCode(codeName, dict):
f.write('#endif' + os.linesep)
f.write('#endif' + os.linesep)
f.write('#endif // PARAM_LITE_DEF_CFG_' + os.linesep)
f.write(os.linesep)
f.truncate()
except IOError:
print("Error: open or write file %s fail"%{codeName})
else:
......
......@@ -71,6 +71,7 @@ typedef enum {
*
*/
void InitParamService(void);
void LoadSpecialParam(void);
/**
* Init 接口
......
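Review bot: The new declaration `void LoadSpecialParam(void);` is the only one in this header block without a Doxygen comment, while InitParamService directly above it has one. Suggest a comment stating what it loads (SELinux labels, then cmdline and build parameters, per its definition in param_service.c later in this commit) and its ordering precondition: it is called from SystemConfig after SystemLoadSelinux, and presumably must also follow InitParamService, since the moved body previously ran inside that function. Without this, a later caller can invoke it before the policy or the parameter server exists.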
......@@ -379,6 +379,9 @@ void SystemConfig(void)
// load SELinux context and policy
// Do not move position!
SystemLoadSelinux();
LoadSpecialParam();
// parse parameters
HookMgrExecute(GetBootStageHookMgr(), INIT_PRE_PARAM_LOAD, (void *)&timingStat, (void *)&options);
InitLoadParamFiles();
......
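Review bot: The `// Do not move position!` comment on SystemLoadSelinux now also applies to the added `LoadSpecialParam();` call, which reads SELinux labels (its body calls LoadSelinuxLabel) and so depends on the policy load directly above it, but nothing on the new line says so. Suggest `// Do not move: needs the SELinux policy loaded above` on the new call, or extend the existing comment to cover both calls. SystemConfig's body continues outside the hunk.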
......@@ -24,9 +24,8 @@ if (!defined(ohos_lite)) {
]
deps = [
"//base/startup/init_lite/services/param/base:parameterbase",
"//base/startup/init_lite/services/utils:libinit_utils",
"//third_party/bounds_checking_function:libsec_static",
"//base/startup/init_lite/interfaces/innerkits:libbegetutil",
"//third_party/bounds_checking_function:libsec_shared",
"//third_party/cJSON:cjson_static",
]
......
......@@ -23,6 +23,8 @@
#include "param_base.h"
#ifdef PARAM_SUPPORT_SELINUX
#include "selinux_parameter.h"
#include <policycoreutils.h>
#include <selinux/selinux.h>
#endif
#ifdef __aarch64__
......@@ -67,6 +69,9 @@ static int InitLocalSecurityLabel(ParamSecurityLabel *security, int isInit)
g_selinuxSpace.initParamSelinux = (void (*)())dlsym(handle, "InitParamSelinux");
PARAM_CHECK(g_selinuxSpace.initParamSelinux != NULL, return -1, "Failed to dlsym initParamSelinux ");
}
if (g_selinuxSpace.readParamCheck == NULL) {
g_selinuxSpace.readParamCheck = (int (*)(const char *))dlsym(handle, "ReadParamCheck");
}
if (g_selinuxSpace.destroyParamList == NULL) {
g_selinuxSpace.destroyParamList =
(void (*)(ParamContextsList **))dlsym(handle, "DestroyParamList");
......@@ -84,11 +89,25 @@ static int FreeLocalSecurityLabel(ParamSecurityLabel *srcLabel)
return 0;
}
static void SetSelinuxFileCon(const char *name, const char *context)
{
static char buffer[FILENAME_LEN_MAX] = {0};
int len = ParamSprintf(buffer, sizeof(buffer), "%s/%s", PARAM_STORAGE_PATH, context);
if (len > 0) {
buffer[len] = '\0';
PARAM_LOGI("setfilecon name %s path: %s %s ", name, context, buffer);
if (setfilecon(buffer, context) < 0) {
PARAM_LOGE("Failed to setfilecon %s ", context);
}
}
}
static int SelinuxGetAllLabel(int readOnly)
{
PARAM_CHECK(g_selinuxSpace.getParamList != NULL, return DAC_RESULT_FORBIDED, "Invalid getParamList");
ParamContextsList *head = g_selinuxSpace.getParamList();
ParamContextsList *node = head;
int count = 0;
while (node != NULL) {
PARAM_LOGV("GetParamSecurityLabel name %s content %s", node->info.paraName, node->info.paraContext);
......@@ -97,15 +116,27 @@ static int SelinuxGetAllLabel(int readOnly)
continue;
}
int ret = AddWorkSpace(node->info.paraContext, readOnly, PARAM_WORKSPACE_DEF);
PARAM_CHECK(ret == 0, continue,
"Failed to add selinux workspace %s %s", node->info.paraName, node->info.paraContext);
node = node->next;
if (ret != 0) {
PARAM_LOGE("Forbid to add selinux workspace %s %s", node->info.paraName, node->info.paraContext);
node = node->next;
continue;
}
count++;
if (readOnly != 0) {
node = node->next;
continue;
}
// set selinx label
SetSelinuxFileCon(node->info.paraName, node->info.paraContext);
node = node->next;
}
int ret = AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, readOnly, PARAM_WORKSPACE_MAX);
PARAM_CHECK(ret == 0, return -1,
"Failed to add selinux workspace %s", WORKSPACE_NAME_DEF_SELINUX);
if (readOnly == 0) {
SetSelinuxFileCon(WORKSPACE_NAME_DEF_SELINUX, WORKSPACE_NAME_DEF_SELINUX);
}
PARAM_LOGI("SelinuxGetAllLabel count %d", count);
return 0;
}
......@@ -126,10 +157,15 @@ static int CheckFilePermission(const ParamSecurityLabel *localLabel, const char
static int SelinuxReadParamCheck(const char *name)
{
int ret = DAC_RESULT_FORBIDED;
if (g_selinuxSpace.readParamCheck != NULL) {
ret = g_selinuxSpace.readParamCheck(name);
PARAM_LOGI("SelinuxReadParamCheck name %s ret %d", name, ret);
}
const char *label = GetSelinuxContent(name);
if (label == NULL) { // open file with readonly
ret = AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, 1, PARAM_WORKSPACE_MAX);
} else {
PARAM_LOGI("SelinuxReadParamCheck name %s label %s", name, label);
ret = AddWorkSpace(label, 1, PARAM_WORKSPACE_MAX);
}
if (ret != 0) {
......
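Review bot: `buffer[len] = '\0';` in SetSelinuxFileCon writes one past the end of `buffer` when ParamSprintf returns a length equal to sizeof(buffer), because `if (len > 0)` only rejects failure; if ParamSprintf follows snprintf semantics and reports the untruncated length, a long context name turns this into an out-of-bounds write on a static buffer. Either drop the explicit termination, since sizeof(buffer) is already passed as the bound, or guard it: `if (len > 0 && (size_t)len < sizeof(buffer)) {`. ParamSprintf's contract is not visible in this diff, so confirm against param_utils before choosing. The `static char buffer` also makes the function non-reentrant; presumably it only runs on the init path, but a local array would remove that assumption at no cost.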
......@@ -23,7 +23,7 @@
#include "param_osadp.h"
#include "param_utils.h"
int GetRealFileName(WorkSpace *workSpace, char *buffer, uint32_t size)
static int GetRealFileName(WorkSpace *workSpace, char *buffer, uint32_t size)
{
int ret = ParamSprintf(buffer, size, "%s/%s", PARAM_STORAGE_PATH, workSpace->fileName);
PARAM_CHECK(ret > 0, return -1, "Failed to copy file name %s", workSpace->fileName);
......
......@@ -111,6 +111,10 @@ if (defined(ohos_lite)) {
}
if (build_selinux) {
include_dirs += [
"//third_party/selinux/libselinux/include/",
"//base/security/selinux/interfaces/policycoreutils/include/",
]
defines += [ "PARAM_SUPPORT_SELINUX" ]
}
part_name = "init"
......@@ -121,11 +125,17 @@ if (defined(ohos_lite)) {
sources = param_client_sources
include_dirs = param_include_dirs
public_configs = [ ":exported_header_files" ]
deps = []
defines = [
"_GNU_SOURCE",
"INIT_AGENT",
]
if (build_selinux) {
deps += [
"//base/security/selinux:libload_policy",
"//base/security/selinux:librestorecon",
"//third_party/selinux:libselinux",
]
defines += [
"PARAM_SUPPORT_SELINUX",
"PARAMWORKSPACE_NEED_MUTEX",
......
......@@ -391,12 +391,6 @@ void InitParamService(void)
ret = ParamServerCreate(&g_paramService.serverTask, &info);
PARAM_CHECK(ret == 0, return, "Failed to create server");
}
// read selinux label
LoadSelinuxLabel();
// from cmdline
LoadParamFromCmdLine();
// from build
LoadParamFromBuild();
// init trigger space
ret = InitTriggerWorkSpace();
......@@ -405,6 +399,16 @@ void InitParamService(void)
RegisterTriggerExec(TRIGGER_PARAM_WATCH, ExecuteWatchTrigger_);
}
void LoadSpecialParam(void)
{
// read selinux label
LoadSelinuxLabel();
// from cmdline
LoadParamFromCmdLine();
// from build
LoadParamFromBuild();
}
int StartParamService(void)
{
return ParamServiceStart();
......