提交 a802e446 编写于 作者: C cheng_jinsong

实时打开workspace

Signed-off-by: Ncheng_jinsong <chengjinsong2@huawei.com>
上级 2f868912
......@@ -24,9 +24,11 @@ const.build. = root:root:0775
const.SystemCapability. = root:root:0775
const.product. = root:root:0775
persist.init. = root:root:0775
appspawn. = root:root:0750
startup.uevent. = root:root:0775
ohos.dev. = ueventd:ueventd:0775
startup.appspawn. = root:root:0750
startup.uevent. = ueventd:ueventd:0775
persist.init.debug. = root:root:0775:int
persist.appspawn. = root:root:0775
#udid and sn, only read
ohos.boot.sn = root:deviceprivate:0750
......
......@@ -26,7 +26,7 @@ const_postinstall_param=4096
const_postinstall_fstab_param=4096
const_allow_param=4096
const_allow_mock_param=4096
device_public_param=30720
devinfo_public_param=30720
security_param=4096
sys_param=4096
bootevent_param=4096
......
......@@ -230,6 +230,11 @@ static int CheckUserInGroup(WorkSpace *space, gid_t groupId, uid_t uid)
static int DacCheckParamPermission(const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode)
{
#ifndef STARTUP_INIT_TEST
if (srcLabel->cred.uid == 0) {
return DAC_RESULT_PERMISSION;
}
#endif
int ret = DAC_RESULT_FORBIDED;
uint32_t labelIndex = 0;
// get dac label
......@@ -257,7 +262,7 @@ static int DacCheckParamPermission(const ParamSecurityLabel *srcLabel, const cha
}
if (ret != DAC_RESULT_PERMISSION) {
PARAM_LOGW("Param '%s' label gid:%d uid:%d mode 0%o", name, srcLabel->cred.gid, srcLabel->cred.uid, localMode);
PARAM_LOGW("Cfg label %s gid:%d uid:%d mode 0%o ", node->data, node->gid, node->uid, node->mode);
PARAM_LOGW("Cfg label %d gid:%d uid:%d mode 0%o ", labelIndex, node->gid, node->uid, node->mode);
#ifndef STARTUP_INIT_TEST
ret = DAC_RESULT_PERMISSION;
#endif
......
......@@ -23,8 +23,6 @@
#include "param_base.h"
#ifdef PARAM_SUPPORT_SELINUX
#include "selinux_parameter.h"
#include <policycoreutils.h>
#include <selinux/selinux.h>
#endif
#ifdef __aarch64__
......@@ -78,7 +76,6 @@ static int InitSelinuxOpsForInit(SelinuxSpace *selinuxSpace)
if (selinuxSpace->setSelinuxLogCallback != NULL) {
selinuxSpace->setSelinuxLogCallback();
}
PARAM_LOGI("Load selinux lib success.");
return ret;
}
......@@ -106,7 +103,7 @@ static int InitLocalSecurityLabel(ParamSecurityLabel *security, int isInit)
selinuxSpace->initParamSelinux();
}
#endif
PARAM_LOGV("Load selinux lib success.");
PARAM_LOGI("Load selinux lib success.");
return 0;
}
......@@ -123,7 +120,7 @@ static void SetSelinuxFileCon(const char *name, const char *context)
int len = ParamSprintf(buffer, sizeof(buffer), "%s/%s", PARAM_STORAGE_PATH, context);
if (len > 0) {
buffer[len] = '\0';
PARAM_LOGI("setfilecon name %s path: %s %s ", name, context, buffer);
PARAM_LOGV("setfilecon name %s path: %s %s ", name, context, buffer);
if (GetParamWorkSpace()->ops.setfilecon(buffer, context) < 0) {
PARAM_LOGE("Failed to setfilecon %s ", context);
}
......@@ -233,24 +230,33 @@ static const char *GetSelinuxContent(const char *name)
}
}
static int SelinuxReadParamCheck(const char *name)
static int CheckContentPermission(const char *name, const char *label)
{
PARAM_CHECK(name != NULL && label != NULL, return DAC_RESULT_FORBIDED, "The label is null");
int ret = DAC_RESULT_FORBIDED;
SelinuxSpace *selinuxSpace = &GetParamWorkSpace()->selinuxSpace;
if (selinuxSpace->readParamCheck != NULL) {
ret = selinuxSpace->readParamCheck(name);
PARAM_LOGI("SelinuxReadParamCheck name %s ret %d", name, ret);
return ret;
char buffer[FILENAME_LEN_MAX] = {0};
int size = ParamSprintf(buffer, sizeof(buffer), "%s/%s", PARAM_STORAGE_PATH, label);
PARAM_CHECK(size > 0, return -1, "Failed to format file name %s", label);
buffer[size] = '\0';
if (access(buffer, R_OK) == 0) {
ret = AddWorkSpace(label, 1, PARAM_WORKSPACE_MAX);
}
PARAM_LOGW("SelinuxReadParamCheck name %s label %s", name, GetSelinuxContent(name));
WorkSpace *space = GetWorkSpace(name);
if (space == NULL) {
PARAM_LOGW("SelinuxReadParamCheck name %s label %s forbid", name, GetSelinuxContent(name));
if (ret != 0) {
PARAM_LOGE("SelinuxReadParamCheck name %s label %s ", name, label);
return DAC_RESULT_FORBIDED;
}
return DAC_RESULT_PERMISSION;
}
static int SelinuxReadParamCheck(const char *name)
{
const char *label = GetSelinuxContent(name);
if (label == NULL) {
return CheckContentPermission(name, WORKSPACE_NAME_DEF_SELINUX);
}
return CheckContentPermission(name, label);
}
static int SelinuxCheckParamPermission(const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode)
{
SelinuxSpace *selinuxSpace = &GetParamWorkSpace()->selinuxSpace;
......@@ -273,8 +279,8 @@ static int SelinuxCheckParamPermission(const ParamSecurityLabel *srcLabel, const
#endif
}
if (ret != 0) {
PARAM_LOGW("Selinux check name %s pid %d uid %d %d result %d", name, info.uc.pid,
info.uc.uid, info.uc.gid, ret);
PARAM_LOGW("Selinux check name %s in %s info [%d %d %d] result %d",
name, GetSelinuxContent(name), info.uc.pid, info.uc.uid, info.uc.gid, ret);
ret = DAC_RESULT_FORBIDED;
} else {
ret = DAC_RESULT_PERMISSION;
......@@ -287,6 +293,13 @@ static int UpdaterCheckParamPermission(const ParamSecurityLabel *srcLabel, const
return DAC_RESULT_PERMISSION;
}
static int OpenPermissionWorkSpace(const char *path)
{
UNUSED(path);
// open workspace by readonly
return SelinuxGetAllLabel(1);
}
INIT_LOCAL_API int RegisterSecuritySelinuxOps(ParamSecurityOps *ops, int isInit)
{
PARAM_CHECK(GetParamWorkSpace() != NULL, return -1, "Invalid workspace");
......@@ -303,12 +316,8 @@ INIT_LOCAL_API int RegisterSecuritySelinuxOps(ParamSecurityOps *ops, int isInit)
ops->securityFreeLabel = FreeLocalSecurityLabel;
if (isInit != 0) {
ops->securityGetLabel = SelinuxGetParamSecurityLabel;
} else {
ops->securityGetLabel = OpenPermissionWorkSpace;
}
return ret;
}
INIT_LOCAL_API void OpenPermissionWorkSpace(void)
{
// open workspace by readonly
SelinuxGetAllLabel(1);
}
......@@ -100,7 +100,9 @@ static int CheckNeedInit(int onlyRead, const PARAM_WORKSPACE_OPS *ops)
{
if (ops != NULL) {
g_paramWorkSpace.ops.updaterMode = ops->updaterMode;
g_paramWorkSpace.ops.logFunc = ops->logFunc;
if (g_paramWorkSpace.ops.logFunc == NULL) {
g_paramWorkSpace.ops.logFunc = ops->logFunc;
}
#ifdef PARAM_SUPPORT_SELINUX
g_paramWorkSpace.ops.setfilecon = ops->setfilecon;
#endif
......@@ -175,10 +177,6 @@ INIT_INNER_API int InitParamWorkSpace(int onlyRead, const PARAM_WORKSPACE_OPS *o
auditData.dacData.paramType = PARAM_TYPE_STRING;
ret = AddSecurityLabel(&auditData);
PARAM_CHECK(ret == 0, return ret, "Failed to add default dac label");
} else {
#ifdef PARAM_SUPPORT_SELINUX
OpenPermissionWorkSpace();
#endif
}
return ret;
}
......@@ -245,4 +243,54 @@ void InitParameterClient(void)
PARAM_WORKSPACE_OPS ops = {0};
ops.updaterMode = 0;
InitParamWorkSpace(1, &ops);
}
\ No newline at end of file
}
INIT_LOCAL_API int AddWorkSpace(const char *name, int onlyRead, uint32_t spaceSize)
{
ParamWorkSpace *paramSpace = GetParamWorkSpace();
PARAM_CHECK(paramSpace != NULL, return -1, "Invalid workspace");
int ret = 0;
// check exist
#ifdef PARAM_SUPPORT_SELINUX
const char *realName = name;
#else
const char *realName = WORKSPACE_NAME_NORMAL;
#endif
WORKSPACE_RW_LOCK(*paramSpace);
HashNode *node = OH_HashMapGet(paramSpace->workSpaceHashHandle, (const void *)realName);
if (node != NULL) {
WORKSPACE_RW_UNLOCK(*paramSpace);
return 0;
}
if (onlyRead == 0) {
PARAM_LOGI("AddWorkSpace %s spaceSize: %u onlyRead %s", name, spaceSize, onlyRead ? "true" : "false");
}
WorkSpace *workSpace = NULL;
do {
ret = -1;
const size_t size = strlen(realName) + 1;
workSpace = (WorkSpace *)malloc(sizeof(WorkSpace) + size);
PARAM_CHECK(workSpace != NULL, break, "Failed to create workspace for %s", realName);
workSpace->flags = 0;
workSpace->area = NULL;
OH_ListInit(&workSpace->node);
ret = ParamStrCpy(workSpace->fileName, size, realName);
PARAM_CHECK(ret == 0, break, "Failed to copy file name %s", realName);
HASHMAPInitNode(&workSpace->hashNode);
ret = InitWorkSpace(workSpace, onlyRead, spaceSize);
PARAM_CHECK(ret == 0, break, "Failed to init workspace %s", realName);
ret = OH_HashMapAdd(paramSpace->workSpaceHashHandle, &workSpace->hashNode);
PARAM_CHECK(ret == 0, CloseWorkSpace(workSpace);
workSpace = NULL;
break, "Failed to add hash node");
OH_ListAddTail(&paramSpace->workSpaceList, &workSpace->node);
ret = 0;
workSpace = NULL;
} while (0);
if (workSpace != NULL) {
free(workSpace);
}
WORKSPACE_RW_UNLOCK(*paramSpace);
PARAM_LOGV("AddWorkSpace %s %s", name, ret == 0 ? "success" : "fail");
return ret;
}
......@@ -473,54 +473,6 @@ INIT_LOCAL_API int SplitParamString(char *line, const char *exclude[], uint32_t
return result(context, name, value);
}
INIT_LOCAL_API int AddWorkSpace(const char *name, int onlyRead, uint32_t spaceSize)
{
ParamWorkSpace *paramSpace = GetParamWorkSpace();
PARAM_CHECK(paramSpace != NULL, return -1, "Invalid workspace");
int ret = 0;
// check exist
#ifdef PARAM_SUPPORT_SELINUX
const char *realName = name;
#else
const char *realName = WORKSPACE_NAME_NORMAL;
#endif
WORKSPACE_RW_LOCK(*paramSpace);
HashNode *node = OH_HashMapGet(paramSpace->workSpaceHashHandle, (const void *)realName);
if (node != NULL) {
WORKSPACE_RW_UNLOCK(*paramSpace);
return 0;
}
PARAM_LOGV("AddWorkSpace %s spaceSize: %u onlyRead %s", name, spaceSize, onlyRead ? "true" : "false");
WorkSpace *workSpace = NULL;
do {
ret = -1;
const size_t size = strlen(realName) + 1;
workSpace = (WorkSpace *)malloc(sizeof(WorkSpace) + size);
PARAM_CHECK(workSpace != NULL, break, "Failed to create workspace for %s", realName);
workSpace->flags = 0;
workSpace->area = NULL;
OH_ListInit(&workSpace->node);
ret = ParamStrCpy(workSpace->fileName, size, realName);
PARAM_CHECK(ret == 0, break, "Failed to copy file name %s", realName);
HASHMAPInitNode(&workSpace->hashNode);
ret = InitWorkSpace(workSpace, onlyRead, spaceSize);
PARAM_CHECK(ret == 0, break, "Failed to init workspace %s", realName);
ret = OH_HashMapAdd(paramSpace->workSpaceHashHandle, &workSpace->hashNode);
PARAM_CHECK(ret == 0, CloseWorkSpace(workSpace);
workSpace = NULL;
break, "Failed to add hash node");
OH_ListAddTail(&paramSpace->workSpaceList, &workSpace->node);
ret = 0;
workSpace = NULL;
} while (0);
if (workSpace != NULL) {
free(workSpace);
}
WORKSPACE_RW_UNLOCK(*paramSpace);
PARAM_LOGV("AddWorkSpace %s %s", name, ret == 0 ? "success" : "fail");
return ret;
}
INIT_LOCAL_API uint32_t ReadCommitId(ParamNode *entry)
{
uint32_t commitId = ATOMIC_LOAD_EXPLICIT(&entry->commitId, memory_order_acquire);
......@@ -578,24 +530,27 @@ INIT_LOCAL_API int CheckParamPermission(const ParamSecurityLabel *srcLabel, cons
ParamWorkSpace *paramSpace = GetParamWorkSpace();
PARAM_CHECK(paramSpace != NULL, return DAC_RESULT_FORBIDED, "Invalid workspace");
int ret = DAC_RESULT_PERMISSION;
// for root, all permission
if (srcLabel->cred.uid != 0) {
for (int i = 0; i < PARAM_SECURITY_MAX; i++) {
if (PARAM_TEST_FLAG(paramSpace->securityLabel.flags[i], LABEL_ALL_PERMISSION)) {
continue;
}
ParamSecurityOps *ops = GetParamSecurityOps(i);
if (ops == NULL) {
continue;
}
if (ops->securityCheckParamPermission == NULL) {
continue;
}
ret = ops->securityCheckParamPermission(srcLabel, name, mode);
if (ret == DAC_RESULT_FORBIDED) {
PARAM_LOGW("CheckParamPermission %s %s FORBID", ops->name, name);
break;
}
PARAM_LOGV("CheckParamPermission mode 0x%x name: %s uid:%d pid:%d",
mode, name, (int)srcLabel->cred.uid, (int)srcLabel->cred.pid);
// for root, all permission, but for appspawn must to check
if (srcLabel->cred.uid == 0 && srcLabel->cred.pid == 1) {
return DAC_RESULT_PERMISSION;
}
for (int i = 0; i < PARAM_SECURITY_MAX; i++) {
if (PARAM_TEST_FLAG(paramSpace->securityLabel.flags[i], LABEL_ALL_PERMISSION)) {
continue;
}
ParamSecurityOps *ops = GetParamSecurityOps(i);
if (ops == NULL) {
continue;
}
if (ops->securityCheckParamPermission == NULL) {
continue;
}
ret = ops->securityCheckParamPermission(srcLabel, name, mode);
if (ret == DAC_RESULT_FORBIDED) {
PARAM_LOGW("CheckParamPermission %s %s FORBID", ops->name, name);
break;
}
}
return ret;
......
......@@ -44,6 +44,7 @@ extern "C" {
#endif
#endif
#define PARAM_WORKSPACE_INVALID ((uint32_t)-1)
#define PARAM_WORKSPACE_MIN (4096)
#if (defined __LITEOS_A__ || defined __LITEOS_M__)
#define DAC_DEFAULT_MODE 0777
......
......@@ -118,7 +118,6 @@ INIT_LOCAL_API int RegisterSecuritySelinuxOps(ParamSecurityOps *ops, int isInit)
INIT_LOCAL_API ParamSecurityOps *GetParamSecurityOps(int type);
INIT_LOCAL_API void LoadGroupUser(void);
INIT_LOCAL_API int RegisterSecurityDacOps(ParamSecurityOps *ops, int isInit);
INIT_LOCAL_API void OpenPermissionWorkSpace(void);
INIT_LOCAL_API int RegisterSecurityOps(int onlyRead);
#ifdef __cplusplus
......
......@@ -33,6 +33,10 @@ typedef enum {
PARAM_CODE_ERROR_MAP_FILE,
} PARAM_INNER_CODE;
#ifndef PARAM_BUFFER_MAX
#define PARAM_BUFFER_MAX (0x01 << 16)
#endif
struct CmdLineEntry {
char *key;
int set;
......@@ -43,7 +47,6 @@ typedef struct cmdLineInfo {
int (*processor)(const char *name, const char *value, int);
} cmdLineInfo;
#define PARAM_BUFFER_MAX (0x01 << 16)
#define FILENAME_LEN_MAX 255
#define MS_UNIT 1000
#ifndef UNUSED
......
......@@ -34,6 +34,7 @@ param_include_dirs = [
"//base/startup/init/services/init/include",
"//base/startup/init/services/log",
"//base/startup/init/services/modules/init_hook",
"//base/startup/init/interfaces/innerkits/include/syspara",
"//base/startup/init/interfaces/innerkits/init_module_engine/include",
"//base/startup/init/services/loopevent/include",
"//third_party/bounds_checking_function/include",
......@@ -118,6 +119,21 @@ if (defined(ohos_lite)) {
if (param_base_log) {
defines += [ "PARAM_BASE_LOG" ]
}
if (defined(ohos_build_type)) {
defines += [ "BUILD_TYPE=\"${ohos_build_type}\"" ]
}
if (defined(ohos_version)) {
defines += [ "INCREMENTAL_VERSION=\"${ohos_version}\"" ]
}
if (defined(ohos_build_user)) {
defines += [ "BUILD_USER=\"${ohos_build_user}\"" ]
}
if (defined(ohos_build_time)) {
defines += [ "BUILD_TIME=\"${ohos_build_time}\"" ]
}
if (defined(ohos_build_host)) {
defines += [ "BUILD_HOST=\"${ohos_build_host}\"" ]
}
if (build_selinux) {
include_dirs += [
......
......@@ -95,7 +95,7 @@ static int SendResponseMsg(ParamTaskPtr worker, const ParamMessage *msg, int res
response->result = result;
response->msg.msgSize = sizeof(ParamResponseMessage);
ParamTaskSendMsg(worker, (ParamMessage *)response);
PARAM_LOGI("SendResponseMsg msgId %d", msg->id.msgId);
PARAM_LOGI("SendResponseMsg msgId %d result %d", msg->id.msgId, result);
return 0;
}
......
......@@ -84,8 +84,14 @@ int SystemTraversalParameter(const char *prefix, TraversalParamPtr traversalPara
ParamWorkSpace *paramSpace = GetParamWorkSpace();
PARAM_CHECK(paramSpace != NULL, return -1, "Invalid paramSpace");
PARAM_WORKSPACE_CHECK(paramSpace, return -1, "Invalid space");
PARAM_CHECK(traversalParameter != NULL, return -1, "The param is null");
#ifdef PARAM_SUPPORT_SELINUX // load security label
ParamSecurityOps *ops = GetParamSecurityOps(PARAM_SECURITY_SELINUX);
if (ops != NULL && ops->securityGetLabel != NULL) {
ops->securityGetLabel(NULL);
}
#endif
ParamTraversalContext context = {traversalParameter, cookie, "#"};
if (!(prefix == NULL || strlen(prefix) == 0)) {
ParamHandle handle = 0;
......
......@@ -158,7 +158,7 @@ PARAM_STATIC void TimerCallbackForSave(const ParamTaskPtr timer, void *context)
UNUSED(context);
UNUSED(timer);
PARAM_LOGV("TimerCallbackForSave ");
// for liteos-a,we must cycle check
// for liteos-a must cycle check
#if (!defined(PARAM_SUPPORT_CYCLE_CHECK) || defined(PARAM_SUPPORT_REAL_CHECK))
ParamTimerClose(g_persistWorkSpace.saveTimer);
g_persistWorkSpace.saveTimer = NULL;
......
......@@ -22,9 +22,7 @@
using namespace testing::ext;
using namespace std;
extern "C" {
void OpenPermissionWorkSpace(void);
}
namespace init_ut {
class SelinuxUnitTest : public ::testing::Test {
public:
......@@ -90,9 +88,6 @@ public:
{
int ret = RegisterSecuritySelinuxOps(&clientParamSercurityOps, 0);
EXPECT_EQ(ret, 0);
if (clientParamSercurityOps.securityGetLabel != nullptr) {
EXPECT_EQ(1, 0);
}
if (clientParamSercurityOps.securityCheckFilePermission == nullptr) {
EXPECT_EQ(1, 0);
return -1;
......@@ -183,6 +178,5 @@ HWTEST_F(SelinuxUnitTest, TestClientDacCheckParaPermission, TestSize.Level0)
SelinuxUnitTest test;
test.TestClientSelinuxCheckParaPermissionWrite("aaa.bbb.bbb.ccc", "user:group1:r");
test.TestClientSelinuxCheckParaPermissionRead("aaa.bbb.bbb.ccc", "user:group1:r");
OpenPermissionWorkSpace();
}
}
\ No newline at end of file
......@@ -23,6 +23,7 @@
#include "init_param.h"
#include "ueventd.h"
#include "ueventd_read_cfg.h"
#include "securec.h"
typedef struct {
int inited;
......@@ -63,6 +64,7 @@ static void *ThreadRun(void *data)
{
DeviceParameterCtrl *parameterCtrl = (DeviceParameterCtrl *)data;
INIT_LOGV("[uevent] ThreadRun %d %d", parameterCtrl->empty, parameterCtrl->shutdown);
char paramName[PARAM_NAME_LEN_MAX] = {0};
while (1) {
pthread_mutex_lock(&(parameterCtrl->lock));
while (parameterCtrl->empty) {
......@@ -88,7 +90,8 @@ static void *ThreadRun(void *data)
parameterCtrl->empty = 0;
const char *paramValue = (config->action == ACTION_ADD) ? "added" : "removed";
INIT_LOGI("[uevent] SystemSetParameter %s act %s", config->parameter, paramValue);
if (SystemSetParameter(config->parameter, paramValue) != 0) {
size_t len = sprintf_s(paramName, sizeof(paramName), "startup.uevent.%s", config->parameter);
if ((len <= 0) || (SystemSetParameter(paramName, paramValue) != 0)) {
INIT_LOGE("[uevent] SystemSetParameter %s failed", config->parameter);
pthread_mutex_lock(&(parameterCtrl->parameterLock));
OH_ListAddTail(&parameterCtrl->parameterList, &config->paramNode);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册