Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Startup Init Lite
提交
b6093ae0
S
Startup Init Lite
项目概览
OpenHarmony
/
Startup Init Lite
大约 1 年 前同步成功
通知
3
Star
37
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
S
Startup Init Lite
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
未验证
提交
b6093ae0
编写于
8月 16, 2022
作者:
O
openharmony_ci
提交者:
Gitee
8月 16, 2022
浏览文件
操作
浏览文件
下载
差异文件
!1070 seccomp使能模块插件化
Merge pull request !1070 from 夏不白/seccomp_plugin
上级
302d07e4
ec6bb8b9
变更
13
隐藏空白更改
内联
并排
Showing
13 changed file
with
182 addition
and
59 deletion
+182
-59
interfaces/innerkits/seccomp/BUILD.gn
interfaces/innerkits/seccomp/BUILD.gn
+34
-24
services/init/init_common_service.c
services/init/init_common_service.c
+6
-13
services/init/standard/BUILD.gn
services/init/standard/BUILD.gn
+0
-3
services/modules/BUILD.gn
services/modules/BUILD.gn
+6
-0
services/modules/seccomp/BUILD.gn
services/modules/seccomp/BUILD.gn
+32
-5
services/modules/seccomp/scripts/generate_code_from_policy.py
...ices/modules/seccomp/scripts/generate_code_from_policy.py
+1
-1
services/modules/seccomp/seccomp_policy.c
services/modules/seccomp/seccomp_policy.c
+57
-3
services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy
...odules/seccomp/seccomp_policy/renderer_arm.seccomp.policy
+1
-0
services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy
...ules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy
+1
-0
services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy
.../modules/seccomp/seccomp_policy/system_arm.seccomp.policy
+3
-0
services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy
...odules/seccomp/seccomp_policy/system_arm64.seccomp.policy
+3
-0
services/modules/seccomp/seccomp_policy_static.c
services/modules/seccomp/seccomp_policy_static.c
+29
-0
test/unittest/seccomp/seccomp_unittest.cpp
test/unittest/seccomp/seccomp_unittest.cpp
+9
-10
未找到文件。
interfaces/innerkits/seccomp/BUILD.gn
浏览文件 @
b6093ae0
...
...
@@ -17,28 +17,38 @@ config("seccomp_public_config") {
include_dirs = [ "//base/startup/init/interfaces/innerkits/seccomp/include" ]
}
ohos_shared_library("seccomp") {
sources = [ "//base/startup/init/services/modules/seccomp/seccomp_policy.c" ]
public_configs = [ ":seccomp_public_config" ]
include_dirs = [ "//base/startup/init/services/modules/seccomp" ]
deps = [
"//base/startup/init/interfaces/innerkits:libbegetutil",
"//base/startup/init/services/modules/seccomp:appspawn_filter",
"//base/startup/init/services/modules/seccomp:nwebspawn_filter",
"//base/startup/init/services/modules/seccomp:system_filter",
]
license_file = "//base/startup/init/LICENSE"
part_name = "init"
install_enable = true
install_images = [
"system",
"updater",
"ramdisk",
]
if (defined(build_seccomp) && build_seccomp) {
ohos_shared_library("seccomp") {
sources =
[ "//base/startup/init/services/modules/seccomp/seccomp_policy.c" ]
public_configs = [ ":seccomp_public_config" ]
include_dirs = [
"//base/startup/init/interfaces/innerkits/include",
"//base/startup/init/services/modules/seccomp",
"//base/startup/init/services/modules",
"//base/startup/init/services/log",
]
deps = [
"//base/startup/init/interfaces/innerkits:libbegetutil",
"//base/startup/init/services/modules/seccomp:appspawn_filter",
"//base/startup/init/services/modules/seccomp:nwebspawn_filter",
"//base/startup/init/services/modules/seccomp:system_filter",
]
license_file = "//base/startup/init/LICENSE"
part_name = "init"
install_enable = true
install_images = [
"system",
"updater",
]
}
} else {
group("seccomp") {
}
}
services/init/init_common_service.c
浏览文件 @
b6093ae0
...
...
@@ -33,6 +33,7 @@
#include "init_adapter.h"
#include "init_cmds.h"
#include "init_log.h"
#include "init_cmdexecutor.h"
#include "init_jobs_internal.h"
#include "init_service.h"
#include "init_service_manager.h"
...
...
@@ -54,7 +55,6 @@
#endif // WITH_SELINUX
#ifdef WITH_SECCOMP
#include "seccomp_policy.h"
#define APPSPAWN_NAME ("appspawn")
#define NWEBSPAWN_NAME ("nwebspawn")
#endif
...
...
@@ -73,19 +73,15 @@ static int SetAllAmbientCapability(void)
return
SERVICE_SUCCESS
;
}
#ifdef WITH_SECCOMP
static
int
SetSystemSeccompPolicy
(
const
Service
*
service
)
static
void
SetSystemSeccompPolicy
(
const
Service
*
service
)
{
#ifdef WITH_SECCOMP
if
(
strncmp
(
APPSPAWN_NAME
,
service
->
name
,
strlen
(
APPSPAWN_NAME
))
\
&&
strncmp
(
NWEBSPAWN_NAME
,
service
->
name
,
strlen
(
NWEBSPAWN_NAME
)))
{
if
(
!
SetSeccompPolicy
(
SYSTEM
))
{
INIT_LOGE
(
"init seccomp failed, name is %s
\n
"
,
service
->
name
);
return
SERVICE_FAILURE
;
}
PluginExecCmdByName
(
"SetSeccompPolicy"
,
"start"
);
}
return
SERVICE_SUCCESS
;
}
#endif
}
#ifndef OHOS_LITE
/**
...
...
@@ -342,10 +338,7 @@ static int InitServicePropertys(Service *service)
INIT_CHECK_ONLY_ELOG
(
BindCpuCore
(
service
)
==
SERVICE_SUCCESS
,
"binding core number failed for service %s"
,
service
->
name
);
#ifdef WITH_SECCOMP
INIT_ERROR_CHECK
(
SetSystemSeccompPolicy
(
service
)
==
SERVICE_SUCCESS
,
return
-
1
,
"service %s exit! set seccomp failed! err %d."
,
service
->
name
,
errno
);
#endif
SetSystemSeccompPolicy
(
service
);
// permissions
INIT_ERROR_CHECK
(
SetPerms
(
service
)
==
SERVICE_SUCCESS
,
return
-
1
,
...
...
services/init/standard/BUILD.gn
浏览文件 @
b6093ae0
...
...
@@ -99,9 +99,6 @@ ohos_executable("init") {
if (build_seccomp) {
cflags += [ "-DWITH_SECCOMP" ]
include_dirs +=
[ "//base/startup/init/interfaces/innerkits/seccomp/include" ]
deps += [ "//base/startup/init/services/modules/seccomp:seccomp_static" ]
}
if (build_selinux) {
...
...
services/modules/BUILD.gn
浏览文件 @
b6093ae0
...
...
@@ -18,11 +18,17 @@ group("static_modules") {
"bootevent:libbootevent_static",
"init_hook:inithook",
]
if (build_seccomp) {
deps += [ "seccomp:libseccomp_static" ]
}
}
}
group("modulesgroup") {
if (!defined(ohos_lite)) {
deps = [ "bootchart:bootchart" ]
if (build_seccomp) {
deps += [ "seccomp:seccomp_module" ]
}
}
}
services/modules/seccomp/BUILD.gn
浏览文件 @
b6093ae0
...
...
@@ -134,10 +134,11 @@ ohos_prebuilt_seccomp("nwebspawn_filter") {
]
}
ohos_s
tatic_library("seccomp_static
") {
sources = [ "
//base/startup/init/services/modules/seccomp/
seccomp_policy.c" ]
ohos_s
hared_library("seccomp_module
") {
sources = [ "seccomp_policy.c" ]
include_dirs = [
"//base/startup/init/services/modules",
"//base/startup/init/interfaces/innerkits/include",
"//base/startup/init/interfaces/innerkits/seccomp/include",
"//base/startup/init/services/modules/seccomp",
...
...
@@ -147,10 +148,36 @@ ohos_static_library("seccomp_static") {
":appspawn_filter",
":nwebspawn_filter",
":system_filter",
"//base/startup/init/interfaces/innerkits:libbegetutil",
]
license_file = "//base/startup/init/LICENSE"
cflags = [ "-DSECCOMP_PLUGIN" ]
part_name = INIT_PART
subsystem_name = "startup"
external_deps = [ "init:libinit_module_engine" ]
part_name = "init"
if (target_cpu == "arm64") {
module_install_dir = "lib64/init"
} else {
module_install_dir = "lib/init"
}
install_images = [
"system",
"ramdisk",
"updater",
]
}
config("libseccomp_static_config") {
include_dirs = [
"//base/startup/init/services/modules",
"//base/startup/init/services/modules/seccomp",
"//base/startup/init/interfaces/innerkits/seccomp/include",
]
}
ohos_source_set("libseccomp_static") {
sources = [ "seccomp_policy_static.c" ]
public_configs = [ ":libseccomp_static_config" ]
public_configs += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config" ]
}
services/modules/seccomp/scripts/generate_code_from_policy.py
浏览文件 @
b6093ae0
...
...
@@ -452,7 +452,7 @@ class GenBpfPolicy:
self
.
gen_range_list
(
syscall_nr_list
)
range_size
=
(
int
)((
len
(
self
.
syscall_nr_range
)
-
1
)
/
127
)
+
1
alone_range_cnt
=
self
.
count_alone_range
()
if
alone_range_cnt
>=
len
(
self
.
syscall_nr_range
)
/
2
:
if
alone_range_cnt
==
len
(
self
.
syscall_nr_range
)
:
#Scattered distribution
self
.
gen_transverse_bpf_policy
()
return
...
...
services/modules/seccomp/seccomp_policy.c
浏览文件 @
b6093ae0
...
...
@@ -15,7 +15,10 @@
#include "seccomp_policy.h"
#include "seccomp_filters.h"
#include "seccomp_utils.h"
#include "plugin_adapter.h"
#ifdef SECCOMP_PLUGIN
#include "init_module_engine.h"
#endif
#include <sys/syscall.h>
#include <unistd.h>
...
...
@@ -35,7 +38,7 @@ static bool IsSupportFilterFlag(unsigned int filterFlag)
errno
=
0
;
long
ret
=
syscall
(
__NR_seccomp
,
SECCOMP_SET_MODE_FILTER
,
filterFlag
,
NULL
);
if
(
ret
!=
-
1
||
errno
!=
EFAULT
)
{
SECCOMP
_LOGE
(
"not support seccomp flag %u"
,
filterFlag
);
PLUGIN
_LOGE
(
"not support seccomp flag %u"
,
filterFlag
);
return
false
;
}
...
...
@@ -59,7 +62,7 @@ static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filter
}
if
(
syscall
(
__NR_seccomp
,
SECCOMP_SET_MODE_FILTER
,
flag
,
&
prog
)
!=
0
)
{
SECCOMP
_LOGE
(
"SetSeccompFilter failed"
);
PLUGIN
_LOGE
(
"SetSeccompFilter failed"
);
return
false
;
}
...
...
@@ -85,3 +88,54 @@ bool SetSeccompPolicy(PolicyType policy)
return
ret
;
}
#ifdef SECCOMP_PLUGIN
static
int
DoSetSeccompPolicyStart
(
void
)
{
bool
ret
=
false
;
ret
=
SetSeccompPolicy
(
SYSTEM
);
PLUGIN_CHECK
(
ret
==
true
,
return
-
1
,
"SetSeccompPolicy failed"
);
return
0
;
}
static
int
DoSetSeccompPolicyCmd
(
int
id
,
const
char
*
name
,
int
argc
,
const
char
**
argv
)
{
PLUGIN_LOGI
(
"DoBootchartCmd argc %d %s"
,
argc
,
name
);
PLUGIN_CHECK
(
argc
>=
1
,
return
-
1
,
"Invalid parameter"
);
if
(
strcmp
(
argv
[
0
],
"start"
)
==
0
)
{
return
DoSetSeccompPolicyStart
();
}
return
0
;
}
static
int32_t
g_executorId
=
-
1
;
static
int
SetSeccompPolicyInit
(
void
)
{
if
(
g_executorId
==
-
1
)
{
g_executorId
=
AddCmdExecutor
(
"SetSeccompPolicy"
,
DoSetSeccompPolicyCmd
);
PLUGIN_LOGI
(
"SetSeccompPolicy executorId %d"
,
g_executorId
);
}
return
0
;
}
static
void
SetSeccompPolicyExit
(
void
)
{
PLUGIN_LOGI
(
"SetSeccompPolicy executorId %d"
,
g_executorId
);
if
(
g_executorId
!=
-
1
)
{
RemoveCmdExecutor
(
"SetSeccompPolicy"
,
g_executorId
);
}
}
MODULE_CONSTRUCTOR
(
void
)
{
PLUGIN_LOGI
(
"DoSetSeccompPolicyStart now ..."
);
SetSeccompPolicyInit
();
}
MODULE_DESTRUCTOR
(
void
)
{
PLUGIN_LOGI
(
"DoSetSeccompPolicyStop now ..."
);
SetSeccompPolicyExit
();
}
#endif
services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy
浏览文件 @
b6093ae0
...
...
@@ -161,6 +161,7 @@ statx
prlimit64
cacheflush
set_tls
sched_setscheduler
@allowListWithArgs
getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD
...
...
services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy
浏览文件 @
b6093ae0
...
...
@@ -131,6 +131,7 @@ madvise
getrandom
statx
prlimit64
sched_setscheduler
@allowListWithArgs
getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD
...
...
services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy
浏览文件 @
b6093ae0
...
...
@@ -216,6 +216,9 @@ setsockopt
getsockopt
sendmsg
recvmsg
semget
add_key
keyctl
inotify_add_watch
inotify_rm_watch
openat
...
...
services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy
浏览文件 @
b6093ae0
...
...
@@ -197,6 +197,7 @@ getgid
getegid
gettid
sysinfo
semget
socket
socketpair
bind
...
...
@@ -216,6 +217,8 @@ readahead
brk
munmap
mremap
add_key
keyctl
clone
execve
mmap
...
...
services/modules/seccomp/seccomp_
utils.h
→
services/modules/seccomp/seccomp_
policy_static.c
浏览文件 @
b6093ae0
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef BASE_STARTUP_SECCOMP_UTILS_H
#define BASE_STARTUP_SECCOMP_UTILS_H
#include <stddef.h>
#include <stdint.h>
#include "beget_ext.h"
#ifdef __cplusplus
#if __cplusplus
extern
"C"
{
#endif
#endif
#ifndef SECCOMP_DOMAIN
#define SECCOMP_DOMAIN (BASE_DOMAIN + 0xe)
#endif
#define SECCOMP_LABEL "SECCOMP"
#define SECCOMP_LOGI(fmt, ...) STARTUP_LOGI(SECCOMP_DOMAIN, SECCOMP_LABEL, fmt, ##__VA_ARGS__)
#define SECCOMP_LOGE(fmt, ...) STARTUP_LOGE(SECCOMP_DOMAIN, SECCOMP_LABEL, fmt, ##__VA_ARGS__)
#define SECCOMP_LOGV(fmt, ...) STARTUP_LOGV(SECCOMP_DOMAIN, SECCOMP_LABEL, fmt, ##__VA_ARGS__)
#ifdef INIT_AGENT
#define SECCOMP_DUMP printf
#else
#define SECCOMP_DUMP SECCOMP_LOGI
#endif
#ifdef __cplusplus
#if __cplusplus
}
#endif
#endif
#endif
\ No newline at end of file
/*
* Copyright (c) 2022 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <string.h>
#include "init_module_engine.h"
#include "plugin_adapter.h"
static
int
SeccompHook
(
const
HOOK_INFO
*
info
,
void
*
cookie
)
{
InitModuleMgrInstall
(
"seccomp_module"
);
PLUGIN_LOGI
(
"seccomp enabled."
);
return
0
;
}
MODULE_CONSTRUCTOR
(
void
)
{
InitAddPostPersistParamLoadHook
(
0
,
SeccompHook
);
}
test/unittest/seccomp/seccomp_unittest.cpp
浏览文件 @
b6093ae0
...
...
@@ -31,7 +31,8 @@
#include <asm/unistd.h>
#include <syscall.h>
#include <climits>
#include <linux/openat2.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include "seccomp_policy.h"
...
...
@@ -137,15 +138,13 @@ public:
}
#if defined __aarch64__
static
bool
Check
Openat2
()
static
bool
Check
Shmget
()
{
struct
open_how
how
=
{};
int
fd
=
syscall
(
__NR_openat2
,
AT_FDCWD
,
"."
,
&
how
);
if
(
fd
==
-
1
)
{
int
fd
=
shmget
(
1
,
4096
,
0666
);
if
(
fd
<
0
)
{
return
false
;
}
close
(
fd
);
return
true
;
}
...
...
@@ -182,7 +181,7 @@ public:
static
bool
CheckSetresuidArgsOutOfRange
()
{
int
ret
=
syscall
(
__NR_setresuid
,
1000
,
1000
,
10
00
);
int
ret
=
syscall
(
__NR_setresuid
,
800
,
800
,
8
00
);
if
(
ret
==
0
)
{
return
true
;
}
...
...
@@ -193,7 +192,7 @@ public:
void
TestSystemSycall
()
{
// system blocklist
int
ret
=
CheckSyscall
(
SYSTEM
,
Check
Openat2
,
false
);
int
ret
=
CheckSyscall
(
SYSTEM
,
Check
Shmget
,
false
);
EXPECT_EQ
(
ret
,
0
);
// system allowlist
...
...
@@ -242,7 +241,7 @@ public:
static
bool
CheckSetresuid32ArgsOutOfRange
()
{
int
ret
=
syscall
(
__NR_setresuid32
,
1000
,
1000
,
10
00
);
int
ret
=
syscall
(
__NR_setresuid32
,
800
,
800
,
8
00
);
if
(
ret
==
0
)
{
return
true
;
}
...
...
@@ -283,6 +282,6 @@ HWTEST_F(SeccompUnitTest, TestSystemSycall, TestSize.Level1)
HWTEST_F
(
SeccompUnitTest
,
TestSetUidGidFilter
,
TestSize
.
Level1
)
{
SeccompUnitTest
test
;
test
.
TestS
ystemSycall
();
test
.
TestS
etUidGidFilter
();
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录