!919 修改param检查规格

Merge pull request !919 from Mupceet/initdac

services/etc/param/ohos.para.dac

@@ -31,3 +31,5 @@ persist.window.boot. = root:system:0775
 debug.bytrace.   = root:system:0775
 
 persist.distributed_hardware.device_manager. = system:system:0775
+bootevent. = samgr:samgr:0777
+hw_sc. = root:root:0777

services/param/adapter/param_dac.c

@@ -237,8 +237,13 @@ static int DacCheckParamPermission(const ParamSecurityLabel *srcLabel, const cha
     if ((node->mode & localMode) != 0) {
         ret = DAC_RESULT_PERMISSION;
     }
-    PARAM_LOGV("Param '%s' label gid:%d uid:%d mode 0%o", name, srcLabel->cred.gid, srcLabel->cred.uid, localMode);
-    PARAM_LOGV("Cfg label %d gid:%d uid:%d mode 0%o result %d", labelIndex, node->gid, node->uid, node->mode, ret);
+    if (ret != DAC_RESULT_PERMISSION) {
+        PARAM_LOGW("Param '%s' label gid:%d uid:%d mode 0%o", name, srcLabel->cred.gid, srcLabel->cred.uid, localMode);
+        PARAM_LOGW("Cfg label %d gid:%d uid:%d mode 0%o ", labelIndex, node->gid, node->uid, node->mode);
+#ifndef STARTUP_INIT_TEST
+        ret = DAC_RESULT_PERMISSION;
+#endif
+    }
     return ret;
 }
 

services/param/adapter/param_selinux.c

@@ -193,7 +193,10 @@ static int SelinuxCheckParamPermission(const ParamSecurityLabel *srcLabel, const
 #endif
     }
     if (ret != 0) {
-        PARAM_LOGI("Selinux check name %s pid %d uid %d %d result %d", name, uc.pid, uc.uid, uc.gid, ret);
+        PARAM_LOGW("Selinux check name %s pid %d uid %d %d result %d", name, uc.pid, uc.uid, uc.gid, ret);
+        ret = DAC_RESULT_FORBIDED;
+    } else {
+        ret = DAC_RESULT_PERMISSION;
     }
     return ret;
 }

services/param/base/param_base.c

@@ -299,12 +299,11 @@ INIT_INNER_API int CheckParamPermission(const ParamSecurityLabel *srcLabel, cons
                 continue;
             }
             if (ops->securityCheckParamPermission == NULL) {
-                ret = DAC_RESULT_FORBIDED;
                 continue;
             }
             ret = ops->securityCheckParamPermission(srcLabel, name, mode);
-            PARAM_LOGV("CheckParamPermission %s %s ret %d", ops->name, name, ret);
-            if (ret == DAC_RESULT_PERMISSION) {
+            if (ret == DAC_RESULT_FORBIDED) {
+                PARAM_LOGW("CheckParamPermission %s %s FORBID", ops->name, name);
                 break;
             }
         }

services/param/include/param_utils.h

@@ -101,6 +101,7 @@ typedef struct cmdLineInfo {
 #define PARAM_LOGI(fmt, ...) STARTUP_LOGI(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
 #define PARAM_LOGE(fmt, ...) STARTUP_LOGE(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
 #define PARAM_LOGV(fmt, ...) STARTUP_LOGV(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
+#define PARAM_LOGW(fmt, ...) STARTUP_LOGW(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
 
 #define PARAM_CHECK(retCode, exper, ...) \
     if (!(retCode)) {                \

test/unittest/param/client_unittest.cpp

@@ -135,8 +135,9 @@ static void TestPermission()
     EXPECT_EQ(ret, testResult);
 #endif
     u_int32_t len = sizeof(tmp);
+    SetTestPermissionResult(DAC_RESULT_FORBIDED);
     ret = SystemGetParameter(testName, tmp, &len);
-    EXPECT_EQ(ret, testResult);
+    EXPECT_EQ(ret, DAC_RESULT_FORBIDED);
     RegisterSecurityOps(0);
     SetTestPermissionResult(0); // recover testpermission result
 }

test/unittest/param/watcher_agent_unittest.cpp

@@ -61,7 +61,7 @@ public:
         ret = SystemWatchParameter("test.permission.watcher.tes^^^^t1*", TestParameterChange, nullptr);
         EXPECT_NE(ret, 0);
         ret = SystemWatchParameter("test.permission.read.test1*", TestParameterChange, nullptr);
-        EXPECT_EQ(ret, 0);
+        EXPECT_EQ(ret, DAC_RESULT_FORBIDED);
         return 0;
     }
 
@@ -78,7 +78,7 @@ public:
         ret = SystemWatchParameter("test.permission.watcher.tes^^^^t1*", nullptr, nullptr);
         EXPECT_NE(ret, 0);
         ret = SystemWatchParameter("test.permission.read.test1*", nullptr, nullptr);
-        EXPECT_EQ(ret, 0);
+        EXPECT_EQ(ret, DAC_RESULT_FORBIDED);
         return 0;
     }