提交 b2c66323 编写于 作者: X xlei1030

针对读取param进行权限管控

Signed-off-by: Nxlei1030 <xionglei6@huawei.com>
上级 85a97645
...@@ -63,6 +63,11 @@ if (defined(ohos_lite)) { ...@@ -63,6 +63,11 @@ if (defined(ohos_lite)) {
cflags = [ "-Wall" ] cflags = [ "-Wall" ]
if (build_selinux) {
external_deps = [ "selinux:libparaperm_checker_static" ]
defines += [ "WITH_SELINUX" ]
}
deps = [ deps = [
"//base/hiviewdfx/hilog_lite/frameworks/featured:hilog_shared", "//base/hiviewdfx/hilog_lite/frameworks/featured:hilog_shared",
"//base/startup/init_lite/initsync:initsync", "//base/startup/init_lite/initsync:initsync",
......
...@@ -62,6 +62,11 @@ ohos_static_library("param_service") { ...@@ -62,6 +62,11 @@ ohos_static_library("param_service") {
} }
} }
if (build_selinux) {
external_deps = [ "selinux:libparaperm_checker_static" ]
defines += [ "WITH_SELINUX" ]
}
deps = [ deps = [
"//base/startup/init_lite/services/log:init_log", "//base/startup/init_lite/services/log:init_log",
"//base/startup/init_lite/services/loopevent:loopevent", "//base/startup/init_lite/services/loopevent:loopevent",
...@@ -108,6 +113,11 @@ ohos_shared_library("param_client") { ...@@ -108,6 +113,11 @@ ohos_shared_library("param_client") {
} }
} }
if (build_selinux) {
external_deps = [ "selinux:libparaperm_checker_static" ]
defines += [ "WITH_SELINUX" ]
}
deps = [ deps = [
"//base/startup/init_lite/services/log:agent_log", "//base/startup/init_lite/services/log:agent_log",
"//third_party/bounds_checking_function:libsec_static", "//third_party/bounds_checking_function:libsec_static",
......
...@@ -85,6 +85,9 @@ static int InitLocalSecurityLabel(ParamSecurityLabel **security, int isInit) ...@@ -85,6 +85,9 @@ static int InitLocalSecurityLabel(ParamSecurityLabel **security, int isInit)
*security = &g_localSecurityLabel; *security = &g_localSecurityLabel;
// support check write permission in client // support check write permission in client
(*security)->flags |= LABEL_CHECK_FOR_ALL_PROCESS; (*security)->flags |= LABEL_CHECK_FOR_ALL_PROCESS;
#ifdef WITH_SELINUX
(*security)->flags = 0;
#endif
return 0; return 0;
} }
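Review bot: Under WITH_SELINUX the added `(*security)->flags = 0;` clears every bit in `flags`, not only the `LABEL_CHECK_FOR_ALL_PROCESS` bit set on the line above, so the client-side write-permission check that the existing comment describes is switched off and any flag set earlier in the function is lost as well. If the intent is only to skip that client-side check in SELinux builds, wrap the existing assignment instead (`#ifndef WITH_SELINUX` / `(*security)->flags |= LABEL_CHECK_FOR_ALL_PROCESS;` / `#endif`) and add a comment naming the check that replaces it. This matters because the SELinux check this commit adds to CheckParamPermission only logs its result, so a WITH_SELINUX build may end up with one check fewer and no enforced replacement. InitLocalSecurityLabel starts outside the hunk, so whether other flags are set before this point is not visible.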
......
...@@ -14,6 +14,9 @@ ...@@ -14,6 +14,9 @@
*/ */
#include "param_manager.h" #include "param_manager.h"
#ifdef WITH_SELINUX
#include "selinux_parameter.h"
#endif
#include <ctype.h> #include <ctype.h>
...@@ -240,6 +243,18 @@ int CheckParamPermission(const ParamWorkSpace *workSpace, ...@@ -240,6 +243,18 @@ int CheckParamPermission(const ParamWorkSpace *workSpace,
return 0; return 0;
} }
PARAM_CHECK(name != NULL && srcLabel != NULL, return -1, "Invalid param"); PARAM_CHECK(name != NULL && srcLabel != NULL, return -1, "Invalid param");
#ifdef WITH_SELINUX
SetSelinuxLogCallback();
if (srcLabel != NULL && mode == DAC_WRITE) {
PARAM_LOGI("selinux SetParamCheck name %s, pid: %d", name, srcLabel->cred.pid);
struct ucred uc;
uc.pid = srcLabel->cred.pid;
uc.uid = srcLabel->cred.uid;
uc.gid = srcLabel->cred.gid;
int ret = SetParamCheck(name, &uc);
PARAM_LOGI("pid: %d SetParamCheck %s, result: %d", srcLabel->cred.pid, name, ret);
}
#endif
if (workSpace->paramSecurityOps.securityCheckParamPermission == NULL) { if (workSpace->paramSecurityOps.securityCheckParamPermission == NULL) {
return DAC_RESULT_FORBIDED; return DAC_RESULT_FORBIDED;
} }
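Review bot: The return value of `SetParamCheck(name, &uc)` is written to the log and then discarded, so a SELinux denial does not stop the write and control falls through to the existing `securityCheckParamPermission` path either way. Enforce the decision right after the call, for example `if (ret != 0) { return DAC_RESULT_FORBIDED; }`, assuming non-zero means denied; that convention is defined in selinux_parameter.h and is not shown here. The block also runs only for `mode == DAC_WRITE` although the commit title speaks of controlling reads, `srcLabel != NULL` is already guaranteed by the `PARAM_CHECK` directly above, and `SetSelinuxLogCallback()` is re-registered on every permission check where a single registration at init would do. CheckParamPermission begins and ends outside the hunk.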
......