From aff997547dbdf2ce4838aeb5806995c1a30054a0 Mon Sep 17 00:00:00 2001
From: Mupceet
Date: Thu, 7 Jul 2022 12:37:13 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9param=E6=A3=80=E6=9F=A5?= =?UTF-8?q?=E8=A7=84=E6=A0=BC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Mupceet
Change-Id: I0a90188e137e4e61f050088f5d7ed19261ab431e
---
 services/etc/param/ohos.para.dac | 2 ++
 services/param/adapter/param_dac.c | 9 +++++++--
 services/param/adapter/param_selinux.c | 5 ++++-
 services/param/base/param_base.c | 5 ++---
 services/param/include/param_utils.h | 1 +
 test/unittest/param/client_unittest.cpp | 3 ++-
 test/unittest/param/watcher_agent_unittest.cpp | 4 ++--
 7 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/services/etc/param/ohos.para.dac b/services/etc/param/ohos.para.dac
index 29754afd..d58ba849 100755
--- a/services/etc/param/ohos.para.dac
+++ b/services/etc/param/ohos.para.dac
@@ -31,3 +31,5 @@
 persist.window.boot. = root:system:0775
 debug.bytrace. = root:system:0775
 persist.distributed_hardware.device_manager. = system:system:0775
+bootevent. = samgr:samgr:0777
+hw_sc. = root:root:0777
diff --git a/services/param/adapter/param_dac.c b/services/param/adapter/param_dac.c
index 8a81c601..b488940f 100644
--- a/services/param/adapter/param_dac.c
+++ b/services/param/adapter/param_dac.c
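Review bot: Both new entries in ohos.para.dac use mode `0777`, while the neighbouring prefixes visible in the hunk use `0775`. If the last digit is the permission set for callers that match neither the owner nor the group, as the `node->mode & localMode` test in param_dac.c suggests, then DAC places no restriction on which process may write `bootevent.` and `hw_sc.` parameters. Unless writers outside the owner and group are required, `bootevent. = samgr:samgr:0775` and `hw_sc. = root:root:0775` keep write access with the owner and group. The commit message does not say which component needs the wider mode; recording that would make the exception reviewable.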
@@ -237,8 +237,13 @@ static int DacCheckParamPermission(const ParamSecurityLabel *srcLabel, const cha
 if ((node->mode & localMode) != 0) {
 ret = DAC_RESULT_PERMISSION;
 }
- PARAM_LOGV("Param '%s' label gid:%d uid:%d mode 0%o", name, srcLabel->cred.gid, srcLabel->cred.uid, localMode);
- PARAM_LOGV("Cfg label %d gid:%d uid:%d mode 0%o result %d", labelIndex, node->gid, node->uid, node->mode, ret);
+ if (ret != DAC_RESULT_PERMISSION) {
+ PARAM_LOGW("Param '%s' label gid:%d uid:%d mode 0%o", name, srcLabel->cred.gid, srcLabel->cred.uid, localMode);
+ PARAM_LOGW("Cfg label %d gid:%d uid:%d mode 0%o ", labelIndex, node->gid, node->uid, node->mode);
+#ifndef STARTUP_INIT_TEST
+ ret = DAC_RESULT_PERMISSION;
+#endif
+ }
 return ret;
 }
diff --git a/services/param/adapter/param_selinux.c b/services/param/adapter/param_selinux.c
index 9ee8fb23..12c6b3af 100644
--- a/services/param/adapter/param_selinux.c
+++ b/services/param/adapter/param_selinux.c
@@ -193,7 +193,10 @@ static int SelinuxCheckParamPermission(const ParamSecurityLabel *srcLabel, const
 #endif
 }
 if (ret != 0) {
- PARAM_LOGI("Selinux check name %s pid %d uid %d %d result %d", name, uc.pid, uc.uid, uc.gid, ret);
+ PARAM_LOGW("Selinux check name %s pid %d uid %d %d result %d", name, uc.pid, uc.uid, uc.gid, ret);
+ ret = DAC_RESULT_FORBIDED;
+ } else {
+ ret = DAC_RESULT_PERMISSION;
 }
 return ret;
 }
diff --git a/services/param/base/param_base.c b/services/param/base/param_base.c
index fa3ac084..7e9d6d7e 100644
--- a/services/param/base/param_base.c
+++ b/services/param/base/param_base.c
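Review bot: With the added `#ifndef STARTUP_INIT_TEST` branch, `DacCheckParamPermission` can no longer return a denial in any build that does not define that macro: every result other than `DAC_RESULT_PERMISSION` is logged and then overwritten with `DAC_RESULT_PERMISSION`. The entries in ohos.para.dac therefore act as log-only policy in shipped images, while the unit tests (presumably built with `STARTUP_INIT_TEST`) exercise an enforcing path that production never runs. If this is a deliberate transitional permissive mode, say so at the override, e.g. `/* permissive: DAC denials are logged, not enforced; remove once ohos.para.dac is complete */`, and track its removal. Otherwise drop the three preprocessor-guarded lines so the computed `ret` is returned. The function begins above the hunk, so how `ret` is initialised is not visible here.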
@@ -299,12 +299,11 @@ INIT_INNER_API int CheckParamPermission(const ParamSecurityLabel *srcLabel, cons
 continue;
 }
 if (ops->securityCheckParamPermission == NULL) {
- ret = DAC_RESULT_FORBIDED;
 continue;
 }
 ret = ops->securityCheckParamPermission(srcLabel, name, mode);
- PARAM_LOGV("CheckParamPermission %s %s ret %d", ops->name, name, ret);
- if (ret == DAC_RESULT_PERMISSION) {
+ if (ret == DAC_RESULT_FORBIDED) {
+ PARAM_LOGW("CheckParamPermission %s %s FORBID", ops->name, name);
 break;
 }
 }
diff --git a/services/param/include/param_utils.h b/services/param/include/param_utils.h
index e2fbecdb..4585cd74 100644
--- a/services/param/include/param_utils.h
+++ b/services/param/include/param_utils.h
@@ -101,6 +101,7 @@ typedef struct cmdLineInfo {
 #define PARAM_LOGI(fmt, ...) STARTUP_LOGI(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
 #define PARAM_LOGE(fmt, ...) STARTUP_LOGE(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
 #define PARAM_LOGV(fmt, ...) STARTUP_LOGV(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
+#define PARAM_LOGW(fmt, ...) STARTUP_LOGW(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
 #define PARAM_CHECK(retCode, exper, ...) \
 if (!(retCode)) { \
diff --git a/test/unittest/param/client_unittest.cpp b/test/unittest/param/client_unittest.cpp
index 9944c14f..91794cf7 100644
--- a/test/unittest/param/client_unittest.cpp
+++ b/test/unittest/param/client_unittest.cpp
@@ -135,8 +135,9 @@ static void TestPermission()
 EXPECT_EQ(ret, testResult);
 #endif
 u_int32_t len = sizeof(tmp);
+ SetTestPermissionResult(DAC_RESULT_FORBIDED);
 ret = SystemGetParameter(testName, tmp, &len);
- EXPECT_EQ(ret, testResult);
+ EXPECT_EQ(ret, DAC_RESULT_FORBIDED);
 RegisterSecurityOps(0);
 SetTestPermissionResult(0); // recover testpermission result
 }
diff --git a/test/unittest/param/watcher_agent_unittest.cpp b/test/unittest/param/watcher_agent_unittest.cpp
index 394fcc81..c8aca076 100644
--- a/test/unittest/param/watcher_agent_unittest.cpp
+++ b/test/unittest/param/watcher_agent_unittest.cpp
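Review bot: The loop in `CheckParamPermission` now stops only when a checker returns exactly `DAC_RESULT_FORBIDED`, so any other non-permission value (an error code from a checker, for instance) is carried into the next iteration and can be overwritten by a later checker's `DAC_RESULT_PERMISSION`. Comparing against the allow value fails closed: use `if (ret != DAC_RESULT_PERMISSION) {` in place of `if (ret == DAC_RESULT_FORBIDED) {`, and include `ret` in the `PARAM_LOGW` line so the actual code is recorded. Removing `ret = DAC_RESULT_FORBIDED;` from the `securityCheckParamPermission == NULL` branch also means the result with no registered checker is whatever `ret` was initialised to. That initialiser is above the hunk, so confirm it is not the allow value.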
@@ -61,7 +61,7 @@ public:
 ret = SystemWatchParameter("test.permission.watcher.tes^^^^t1*", TestParameterChange, nullptr);
 EXPECT_NE(ret, 0);
 ret = SystemWatchParameter("test.permission.read.test1*", TestParameterChange, nullptr);
- EXPECT_EQ(ret, 0);
+ EXPECT_EQ(ret, DAC_RESULT_FORBIDED);
 return 0;
 }
@@ -78,7 +78,7 @@ public:
 ret = SystemWatchParameter("test.permission.watcher.tes^^^^t1*", nullptr, nullptr);
 EXPECT_NE(ret, 0);
 ret = SystemWatchParameter("test.permission.read.test1*", nullptr, nullptr);
- EXPECT_EQ(ret, 0);
+ EXPECT_EQ(ret, DAC_RESULT_FORBIDED);
 return 0;
 }
-- GitLab