针对读取param进行权限管控

Signed-off-by: N xlei1030 <xionglei6@huawei.com>

针对读取param进行权限管控
Signed-off-by: N xlei1030 <xionglei6@huawei.com>
b2c66323 · xlei1030 · 85a97645 · b2c66323 · b2c66323 · b2c66323
4 changed file
--- a/services/BUILD.gn
+++ b/services/BUILD.gn
@@ -63,6 +63,11 @@ if (defined(ohos_lite)) {

    cflags = [ "-Wall" ]

+    if (build_selinux) {
+      external_deps = [ "selinux:libparaperm_checker_static" ]
+      defines += [ "WITH_SELINUX" ]
+    }
+
    deps = [
      "//base/hiviewdfx/hilog_lite/frameworks/featured:hilog_shared",
      "//base/startup/init_lite/initsync:initsync",

--- a/services/param/BUILD.gn
+++ b/services/param/BUILD.gn
@@ -62,6 +62,11 @@ ohos_static_library("param_service") {
    }
  }

+  if (build_selinux) {
+    external_deps = [ "selinux:libparaperm_checker_static" ]
+    defines += [ "WITH_SELINUX" ]
+  }
+
  deps = [
    "//base/startup/init_lite/services/log:init_log",
    "//base/startup/init_lite/services/loopevent:loopevent",
@@ -108,6 +113,11 @@ ohos_shared_library("param_client") {
    }
  }

+  if (build_selinux) {
+    external_deps = [ "selinux:libparaperm_checker_static" ]
+    defines += [ "WITH_SELINUX" ]
+  }
+
  deps = [
    "//base/startup/init_lite/services/log:agent_log",
    "//third_party/bounds_checking_function:libsec_static",

--- a/services/param/adapter/param_dac.c
+++ b/services/param/adapter/param_dac.c
@@ -85,6 +85,9 @@ static int InitLocalSecurityLabel(ParamSecurityLabel **security, int isInit)
    *security = &g_localSecurityLabel;
    // support check write permission in client
    (*security)->flags |= LABEL_CHECK_FOR_ALL_PROCESS;
+#ifdef WITH_SELINUX
+    (*security)->flags = 0;
+#endif
    return 0;
 }


--- a/services/param/manager/param_manager.c
+++ b/services/param/manager/param_manager.c
@@ -14,6 +14,9 @@
 */

 #include "param_manager.h"
+#ifdef WITH_SELINUX
+#include "selinux_parameter.h"
+#endif

 #include <ctype.h>

@@ -240,6 +243,18 @@ int CheckParamPermission(const ParamWorkSpace *workSpace,
        return 0;
    }
    PARAM_CHECK(name != NULL && srcLabel != NULL, return -1, "Invalid param");
+#ifdef WITH_SELINUX
+    SetSelinuxLogCallback();
+    if (srcLabel != NULL && mode == DAC_WRITE) {
+        PARAM_LOGI("selinux SetParamCheck name %s, pid: %d", name, srcLabel->cred.pid);
+        struct ucred uc;
+        uc.pid = srcLabel->cred.pid;
+        uc.uid = srcLabel->cred.uid;
+        uc.gid = srcLabel->cred.gid;
+        int ret = SetParamCheck(name, &uc);
+        PARAM_LOGI("pid: %d SetParamCheck %s, result: %d", srcLabel->cred.pid, name, ret);
+    }
+#endif
    if (workSpace->paramSecurityOps.securityCheckParamPermission == NULL) {
        return DAC_RESULT_FORBIDED;
    }