selinux hook

Signed-off-by: N cheng_jinsong <chengjinsong2@huawei.com>

selinux hook
Signed-off-by: N cheng_jinsong <chengjinsong2@huawei.com>
ab8e7102 · cheng_jinsong · 7cf030e7 · ab8e7102 · ab8e7102 · ab8e7102
14 changed file
--- a/services/init/include/init_service.h
+++ b/services/init/include/init_service.h
@@ -24,9 +24,6 @@
 #include "init_cmds.h"
 #include "init_service_file.h"
 #include "init_service_socket.h"
-#ifdef WITH_SELINUX
-#   include "init_selinux_param.h"
-#endif // WITH_SELINUX
 #include "list.h"
 #include "loop_event.h"
 #ifdef __cplusplus
@@ -125,9 +122,6 @@ typedef struct {

 typedef struct Service_ {
    char *name;
-#ifdef WITH_SELINUX
-    char *secon;
-#endif // WITH_SELINUX
    int pid;
    int crashCnt;
    time_t firstCrashTime;

--- a/services/init/init_common_cmds.c
+++ b/services/init/init_common_cmds.c
@@ -36,9 +36,6 @@
 #include "init_cmdexecutor.h"
 #include "init_service_manager.h"
 #include "init_utils.h"
-#ifdef WITH_SELINUX
-#include "policycoreutils.h"
-#endif
 #include "securec.h"

 static char *AddOneArg(const char *param, size_t paramLen)
@@ -323,11 +320,7 @@ static void DoMkDir(const struct CmdArgs *ctx)
        return;
    }

-#ifdef WITH_SELINUX
-    if (RestoreconRecurse(ctx->argv[0])) {
-        INIT_LOGE("DoMkDir, Restorecon failed for '%s', err %d.", ctx->argv[0], errno);
-    }
-#endif
+    PluginExecCmdByName("restoreContentRecurse", ctx->argv[0]);

    if (ctx->argc <= 1) {
        return;

--- a/services/init/init_common_service.c
+++ b/services/init/init_common_service.c
@@ -32,6 +32,7 @@
 #include "init.h"
 #include "init_adapter.h"
 #include "init_cmds.h"
+#include "init_cmdexecutor.h"
 #include "init_log.h"
 #include "init_cmdexecutor.h"
 #include "init_jobs_internal.h"
@@ -49,11 +50,6 @@
 #include "bootstage.h"
 #endif

-#ifdef WITH_SELINUX
-#include "init_selinux_param.h"
-#include <selinux/selinux.h>
-#endif // WITH_SELINUX
-
 #ifdef WITH_SECCOMP
 #define APPSPAWN_NAME ("appspawn")
 #define NWEBSPAWN_NAME ("nwebspawn")
@@ -216,24 +212,6 @@ static int WritePid(const Service *service)
    return SERVICE_SUCCESS;
 }

-void SetSecon(Service *service)
-{
-#ifdef WITH_SELINUX
-    if (service->secon != NULL) {
-        if (setexeccon(service->secon) < 0) {
-            INIT_LOGE("failed to set service %s's secon (%s).", service->name, service->secon);
-            _exit(PROCESS_EXIT_CODE);
-        } else {
-            INIT_LOGI("service %s secon set to %s.", service->name, service->secon);
-        }
-    } else {
-        INIT_ERROR_CHECK(!(setexeccon("u:r:limit_domain:s0") < 0), _exit(PROCESS_EXIT_CODE),
-            "failed to set service %s's secon (%s).", service->name, "u:r:limit_domain:s0");
-        INIT_LOGE("Please set secon field in service %s's cfg file, limit_domain will be blocked", service->name);
-    }
-#endif // WITH_SELINUX
-}
-
 void CloseServiceFds(Service *service, bool needFree)
 {
    if (service == NULL) {
@@ -347,7 +325,7 @@ static int InitServicePropertys(Service *service)
    // write pid
    INIT_ERROR_CHECK(WritePid(service) == SERVICE_SUCCESS, return -1,
        "service %s exit! write pid failed!", service->name);
-    SetSecon(service);
+    PluginExecCmdByName("setServiceContent", service->name);
    return 0;
 }


--- a/services/init/init_service_manager.c
+++ b/services/init/init_service_manager.c
@@ -35,10 +35,6 @@
 #include "init_param.h"
 #endif

-#ifdef WITH_SELINUX
-#   include "init_selinux_param.h"
-#endif // WITH_SELINUX
-
 #ifndef OHOS_LITE
 #include "hookmgr.h"
 #include "bootstage.h"
@@ -124,12 +120,6 @@ void ReleaseService(Service *service)
    if (service == NULL) {
        return;
    }
-#ifdef WITH_SELINUX
-    if (service->secon != NULL) {
-        free(service->secon);
-        service->secon = NULL;
-    }
-#endif
    FreeServiceArg(&service->pathArgs);
    FreeServiceArg(&service->writePidArgs);
    FreeServiceArg(&service->capsArgs);
@@ -801,16 +791,7 @@ static void ParseOneServiceArgs(const cJSON *curItem, Service *service)
 int ParseOneService(const cJSON *curItem, Service *service)
 {
    INIT_CHECK_RETURN_VALUE(curItem != NULL && service != NULL, SERVICE_FAILURE);
-    int ret = 0;
-#ifdef WITH_SELINUX
-    size_t strLen = 0;
-    char *fieldStr = GetStringValue(curItem, SECON_STR_IN_CFG, &strLen);
-    if (fieldStr != NULL) {
-        service->secon = strdup(fieldStr);
-        INIT_ERROR_CHECK(service->secon != NULL, return -1, "Failed to get secon for service %s", service->name);
-    }
-#endif // WITH_SELINUX
-    ret = GetServiceArgs(curItem, "path", MAX_PATH_ARGS_CNT, &service->pathArgs);
+    int ret = GetServiceArgs(curItem, "path", MAX_PATH_ARGS_CNT, &service->pathArgs);
    INIT_ERROR_CHECK(ret == 0, return SERVICE_FAILURE, "Failed to get path for service %s", service->name);
    if ((service->pathArgs.count > 0) && IsForbidden(service->pathArgs.argv[0])) {
        INIT_LOGE("Service %s is forbidden.", service->name);

--- a/services/init/init_service_socket.c
+++ b/services/init/init_service_socket.c
@@ -22,12 +22,10 @@
 #include <sys/stat.h>
 #include <sys/uio.h>

+#include "init_cmdexecutor.h"
 #include "init_log.h"
 #include "init_service.h"
 #include "loop_event.h"
-#ifdef WITH_SELINUX
-#include "policycoreutils.h"
-#endif
 #include "securec.h"
 #define SOCKET_BUFF_SIZE (256 * 1024)

@@ -143,11 +141,7 @@ static int CreateSocket(ServiceSocket *sockopt)
    }
    INIT_LOGI("CreateSocket %s success", sockopt->name);

-#ifdef WITH_SELINUX
-    if (RestoreconRecurse(HOS_SOCKET_DIR)) {
-        INIT_LOGE("DoRestorecon failed for '%s', err %d.", sockopt->name, errno);
-    }
-#endif
+    PluginExecCmdByName("restoreContentRecurse", HOS_SOCKET_DIR);
    return sockopt->sockFd;
 }


--- a/services/init/standard/init.c
+++ b/services/init/standard/init.c
@@ -44,10 +44,6 @@
 #include "fd_holder_internal.h"
 #include "sandbox.h"
 #include "sandbox_namespace.h"
-#ifdef WITH_SELINUX
-#include <policycoreutils.h>
-#include <selinux/selinux.h>
-#endif // WITH_SELINUX
 #include "bootstage.h"

 static bool g_enableSandbox;
@@ -233,21 +229,6 @@ void SystemPrepare(void)
    }
 }

-void SystemLoadSelinux(void)
-{
-#ifdef WITH_SELINUX
-    // load selinux policy and context
-    if (LoadPolicy() < 0) {
-        INIT_LOGE("main, load_policy failed.");
-    } else {
-        INIT_LOGI("main, load_policy success.");
-    }
-
-    setcon("u:r:init:s0");
-    (void)RestoreconRecurse("/dev");
-#endif // WITH_SELINUX
-}
-
 #define INIT_BOOTSTAGE_HOOK_NAME "bootstage"
 static HOOK_MGR *bootStageHookMgr = NULL;

@@ -363,7 +344,7 @@ void SystemConfig(void)

    // load SELinux context and policy
    // Do not move position!
-    SystemLoadSelinux();
+    PluginExecCmdByName("loadSelinuxPolicy", "");

    LoadSpecialParam();


--- a/services/init/standard/init_cmdexecutor.c
+++ b/services/init/standard/init_cmdexecutor.c
@@ -29,7 +29,7 @@ static int g_cmdId = 0;
 int AddCmdExecutor(const char *cmdName, CmdExecutor execCmd)
 {
    INIT_ERROR_CHECK(cmdName != NULL, return -1, "Invalid input param");
-    INIT_LOGI("AddCmdExecutor %s", cmdName);
+    INIT_LOGI("AddCmdExecutor '%s'", cmdName);
    PluginCmd *cmd = NULL;
    InitGroupNode *groupNode = GetGroupNode(NODE_TYPE_CMDS, cmdName);
    if (groupNode == NULL) {

--- a/services/init/standard/init_cmds.c
+++ b/services/init/standard/init_cmds.c
@@ -33,6 +33,7 @@

 #include "bootstage.h"
 #include "fs_manager/fs_manager.h"
+#include "init_cmdexecutor.h"
 #include "init_jobs_internal.h"
 #include "init_log.h"
 #include "init_param.h"
@@ -41,9 +42,6 @@
 #include "sandbox.h"
 #include "sandbox_namespace.h"
 #include "securec.h"
-#ifdef WITH_SELINUX
-#include <policycoreutils.h>
-#endif
 #include "fscrypt_utils.h"

 #define FSCRYPT_POLICY_BUF_SIZE (60)
@@ -306,16 +304,11 @@ static void DoUmountFstabFile(const struct CmdArgs *ctx)

 static void DoRestorecon(const struct CmdArgs *ctx)
 {
-#ifdef WITH_SELINUX
    if (ctx->argc != 1) {
        INIT_LOGE("DoRestorecon invalid arguments.");
        return;
    }
-
-    if (RestoreconRecurse(ctx->argv[0])) {
-        INIT_LOGE("DoRestorecon failed for '%s', err %d.", ctx->argv[0], errno);
-    }
-#endif
+    PluginExecCmdByName("restoreContentRecurse", ctx->argv[0]);
    return;
 }


--- a/services/modules/BUILD.gn
+++ b/services/modules/BUILD.gn
@@ -22,6 +22,9 @@ group("static_modules") {
      deps += [ "seccomp:libseccomp_static" ]
    }
  }
+  if (build_selinux) {
+    deps += [ "selinux:libselinuxadp_static" ]
+  }
 }

 group("modulesgroup") {
@@ -31,4 +34,7 @@ group("modulesgroup") {
      deps += [ "seccomp:seccomp_module" ]
    }
  }
+  if (build_selinux) {
+    deps += [ "selinux:selinuxadp" ]
+  }
 }
--- a/services/modules/init_hook/param_hook.c
+++ b/services/modules/init_hook/param_hook.c
@@ -34,7 +34,10 @@ const ParamCmdInfo *GetServiceCtl(size_t *size)
    static const ParamCmdInfo installParam[] = {
        {"ohos.servicectrl.install", "install", "install" },
        {"ohos.servicectrl.uninstall", "uninstall", "uninstall" },
-        {"ohos.servicectrl.clear", "clear", "clear" }
+        {"ohos.servicectrl.clear", "clear", "clear" },
+        {"ohos.servicectrl.save", "save.bootevent", "save.bootevent" },
+        {"ohos.servicectrl.bootchart", "bootchart", "bootchart" },
+        {"ohos.servicectrl.timer_start", "timer_start", "timer_start " },
    };
    *size = ARRAY_LENGTH(installParam);
    return installParam;

--- a/services/modules/selinux/BUILD.gn
+++ b/services/modules/selinux/BUILD.gn
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//base/startup/init/begetd.gni")
+import("//build/ohos.gni")
+
+ohos_shared_library("selinuxadp") {
+  sources = [ "selinux_adp.c" ]
+  defines = [ "_GNU_SOURCE" ]
+  include_dirs = [
+    ".",
+    "..",
+    "../init_hook",
+    "//base/startup/init/services/include/param",
+    "//third_party/selinux/libselinux/include/",
+    "//base/security/selinux/interfaces/policycoreutils/include/",
+  ]
+  deps = [
+    "//base/security/selinux:libload_policy",
+    "//base/security/selinux:librestorecon",
+    "//third_party/bounds_checking_function:libsec_shared",
+    "//third_party/selinux:libselinux",
+  ]
+
+  external_deps = [ "init:libinit_module_engine" ]
+
+  part_name = "init"
+  if (target_cpu == "arm64") {
+    module_install_dir = "lib64/init"
+  } else {
+    module_install_dir = "lib/init"
+  }
+  install_images = [
+    "system",
+    "updater",
+  ]
+}
+
+config("selinux_static_config") {
+  include_dirs = [ "." ]
+}
+
+ohos_source_set("libselinuxadp_static") {
+  sources = [ "selinux_static.c" ]
+  defines = [ "_GNU_SOURCE" ]
+  include_dirs = [
+    ".",
+    "..",
+    "../init_hook",
+    "//base/startup/init/services/include/param",
+    "//third_party/selinux/libselinux/include/",
+    "//base/security/selinux/interfaces/policycoreutils/include/",
+  ]
+  public_configs = [ ":selinux_static_config" ]
+  public_configs += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config" ]
+}
--- a/services/modules/selinux/selinux_adp.c
+++ b/services/modules/selinux/selinux_adp.c
+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "selinux_adp.h"
+
+#include <errno.h>
+
+#include "init_hook.h"
+#include "init_module_engine.h"
+#include "plugin_adapter.h"
+
+#include <policycoreutils.h>
+#include <selinux/selinux.h>
+
+#define CMD_RESTORE_INDEX 2
+static int LoadSelinuxPolicy(int id, const char *name, int argc, const char **argv)
+{
+    UNUSED(id);
+    UNUSED(name);
+    UNUSED(argc);
+    UNUSED(argv);
+    PLUGIN_LOGI("LoadSelinuxPolicy ");
+    // load selinux policy and context
+    if (LoadPolicy() < 0) {
+        PLUGIN_LOGE("main, load_policy failed.");
+    } else {
+        PLUGIN_LOGI("main, load_policy success.");
+    }
+
+    setcon("u:r:init:s0");
+    (void)RestoreconRecurse("/dev");
+    return 0;
+}
+
+static int SetServiceContent(int id, const char *name, int argc, const char **argv)
+{
+    PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
+    ServiceExtData *data = GetServiceExtData(argv[0], HOOK_ID_SELINUX);
+    if (data != NULL) {
+        if (setexeccon((char *)data->data) < 0) {
+            PLUGIN_LOGE("failed to set service %s's secon (%s).", argv[0], (char *)data->data);
+            _exit(PROCESS_EXIT_CODE);
+        } else {
+            PLUGIN_LOGI("Set content %s to %s.", (char *)data->data, argv[0]);
+        }
+    } else {
+        PLUGIN_CHECK(!(setexeccon("u:r:limit_domain:s0") < 0), _exit(PROCESS_EXIT_CODE),
+            "failed to set service %s's secon (%s).", argv[0], "u:r:limit_domain:s0");
+        PLUGIN_LOGE("Please set secon field in service %s's cfg file, limit_domain will be blocked", argv[0]);
+    }
+    return 0;
+}
+
+static int RestoreContentRecurse(int id, const char *name, int argc, const char **argv)
+{
+    PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
+    PLUGIN_LOGV("RestoreContentRecurse path %s", argv[0]);
+    if (RestoreconRecurse(argv[0])) {
+        PLUGIN_LOGE("restoreContentRecurse failed for '%s', err %d.", argv[0], errno);
+    }
+    return 0;
+}
+
+static int32_t selinuxAdpCmdIds[3] = {0}; // 3 cmd count
+static void SelinuxAdpInit(void)
+{
+    selinuxAdpCmdIds[0] = AddCmdExecutor("loadSelinuxPolicy", LoadSelinuxPolicy);
+    selinuxAdpCmdIds[1] = AddCmdExecutor("setServiceContent", SetServiceContent);
+    selinuxAdpCmdIds[CMD_RESTORE_INDEX] = AddCmdExecutor("restoreContentRecurse", RestoreContentRecurse);
+}
+
+static void SelinuxAdpExit(void)
+{
+    if (selinuxAdpCmdIds[0] != -1) {
+        RemoveCmdExecutor("loadSelinuxPolicy", selinuxAdpCmdIds[0]);
+    }
+    if (selinuxAdpCmdIds[1] != -1) {
+        RemoveCmdExecutor("setServiceContent", selinuxAdpCmdIds[1]);
+    }
+    if (selinuxAdpCmdIds[CMD_RESTORE_INDEX] != -1) {
+        RemoveCmdExecutor("restoreContentRecurse", selinuxAdpCmdIds[CMD_RESTORE_INDEX]);
+    }
+}
+
+MODULE_CONSTRUCTOR(void)
+{
+    PLUGIN_LOGI("SelinuxAdp init now ...");
+    SelinuxAdpInit();
+}
+
+MODULE_DESTRUCTOR(void)
+{
+    PLUGIN_LOGI("SelinuxAdp exit now ...");
+    SelinuxAdpExit();
+}
\ No newline at end of file
--- a/services/modules/selinux/selinux_adp.h
+++ b/services/modules/selinux/selinux_adp.h
+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _PLUGIN_SELINUX_ADP_H
+#define _PLUGIN_SELINUX_ADP_H
+
+# define SECON_STR_IN_CFG      ("secon")
+// https://github.com/xelerance/Openswan/blob/86dff2b/include/pluto/state.h#L222
+# define MAX_SECON_LEN         (257)
+
+#endif /* _PLUGIN_SELINUX_ADP_H */
--- a/services/modules/selinux/selinux_static.c
+++ b/services/modules/selinux/selinux_static.c
+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "selinux_adp.h"
+
+#include "init_hook.h"
+#include "init_module_engine.h"
+#include "plugin_adapter.h"
+
+static int SelinuxHook(const HOOK_INFO *hookInfo, void *cookie)
+{
+    PLUGIN_LOGI("Install selinuxadp.");
+    InitModuleMgrInstall("selinuxadp");
+    return 0;
+}
+
+static void ServiceParseBootEventHook(SERVICE_PARSE_CTX *serviceParseCtx)
+{
+    char *fieldStr = cJSON_GetStringValue(cJSON_GetObjectItem(serviceParseCtx->serviceNode, SECON_STR_IN_CFG));
+    PLUGIN_CHECK(fieldStr != NULL, return, "No secon item in %s", serviceParseCtx->serviceName);
+    PLUGIN_LOGV("Cfg %s for %s", fieldStr, serviceParseCtx->serviceName);
+    AddServiceExtData(serviceParseCtx->serviceName, HOOK_ID_SELINUX, fieldStr, strlen(fieldStr) + 1);
+}
+
+MODULE_CONSTRUCTOR(void)
+{
+    InitAddServiceParseHook(ServiceParseBootEventHook);
+    InitAddGlobalInitHook(0, SelinuxHook);
+}
\ No newline at end of file