!593 fix：解决param get不到数据问题

Merge pull request !593 from Mupceet/paramget

interfaces/innerkits/syspara/param_comm.c

@@ -144,7 +144,7 @@ static int GetSha256Value(const char *input, char *udid, int udidSize)
     mbedtls_sha256_context context;
     mbedtls_sha256_init(&context);
     mbedtls_sha256_starts_ret(&context, 0);
-    mbedtls_sha256_update_ret(&context, (const unsigned char)input, strlen(input));
+    mbedtls_sha256_update_ret(&context, (const unsigned char *)input, strlen(input));
     mbedtls_sha256_finish_ret(&context, hash);
 
     for (size_t i = 0; i < HASH_LENGTH; i++) {
@@ -194,6 +194,9 @@ const char *GetSerial_(void)
 
 int GetDevUdid_(char *udid, int size)
 {
+    if (size < UDID_LEN || udid == NULL) {
+        return EC_FAILURE;
+    }
     const char *manufacture = GetManufacture_();
     const char *model = GetProductModel_();
     const char *sn = GetSerial_();

services/begetctl/param_cmd.c

@@ -110,9 +110,12 @@ int SetParamShellPrompt(BShellHandle shell, const char *param)
     }
     // check parameter
     int ret = SysCheckParamExist(realParameter);
-    if (ret != 0) {
+    if (ret == PARAM_CODE_NOT_FOUND) {
         BShellEnvOutput(shell, "Error: parameter \'%s\' not found\r\n", realParameter);
         return -1;
+    } else if (ret != 0 && ret != PARAM_CODE_NODE_EXIST) {
+        BShellEnvOutput(shell, "Error: Forbid to enter parameters \'%s\'\r\n", realParameter);
+        return -1;
     }
     if (strcmp(realParameter, "#") == 0) {
         ret = BShellEnvSetParam(shell, PARAM_REVERESD_NAME_CURR_PARAMETER,
@@ -223,14 +226,19 @@ static int32_t BShellParamCmdLs(BShellHandle shell, int32_t argc, char *argv[])
             BShellEnvOutput(shell, "Error: Forbid to list parameters\r\n");
         }
     } else {
-        ParamHandle handle;
-        ret = SystemFindParameter(prefix, &handle);
-        if (ret != PARAM_CODE_NOT_FOUND && ret != 0 && ret != PARAM_CODE_NODE_EXIST) {
-            BShellEnvOutput(shell, "Error: Forbid to list parameters\r\n");
-        } else if (ret == 0) {
-            ShowParamForCmdLs(handle, (void *)shell);
+        ret = SysCheckParamExist(prefix);
+        if (ret == 0) {
+            ParamHandle handle;
+            ret = SystemFindParameter(prefix, &handle);
+            if (ret != 0) {
+                BShellEnvOutput(shell, "Error: Forbid to list parameters\r\n");
+            } else {
+                ShowParamForCmdLs(handle, (void *)shell);
+            }
         } else if (ret == PARAM_CODE_NODE_EXIST) {
             ShowParam(shell, prefix, NULL);
+        } else if (ret != PARAM_CODE_NOT_FOUND) {
+            BShellEnvOutput(shell, "Error: Forbid to list parameters\r\n");
         } else {
             BShellEnvOutput(shell, "Parameter %s not found\r\n", prefix);
         }

services/param/BUILD.gn

@@ -201,7 +201,10 @@ if (defined(ohos_lite)) {
     ]
     include_dirs = param_include_dirs
 
-    defines = [ "_GNU_SOURCE" ]
+    defines = [
+      "_GNU_SOURCE",
+      "INIT_AGENT",
+    ]
     if (build_selinux) {
       sources += [ "adapter/param_selinux.c" ]
       defines += [

services/param/adapter/param_dac.c

@@ -25,7 +25,7 @@
 #include "param_utils.h"
 
 #define USER_BUFFER_LEN 64
-#define GROUP_FORMAT "ohos.group"
+#define GROUP_FORMAT "const.group"
 
 #define OCT_BASE 8
 static void GetUserIdByName(uid_t *uid, const char *name, uint32_t nameLen)
@@ -160,6 +160,7 @@ static int CheckFilePermission(const ParamSecurityLabel *localLabel, const char
 
 static int CheckUserInGroup(WorkSpace *space, gid_t groupId, uid_t uid)
 {
+#ifdef __MUSL__
     static char buffer[USER_BUFFER_LEN] = {0};
     uint32_t labelIndex = 0;
     int ret = sprintf_s(buffer, sizeof(buffer) - 1, "%s.%d.%d", GROUP_FORMAT, groupId, uid);
@@ -172,6 +173,9 @@ static int CheckUserInGroup(WorkSpace *space, gid_t groupId, uid_t uid)
         return 0;
     }
     return -1;
+#else
+    return 0;
+#endif
 }
 
 static int DacCheckParamPermission(const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode)
@@ -245,6 +249,10 @@ static void AddGroupUser(int uid, int gid, int mode, const char *format)
 
 void LoadGroupUser(void)
 {
+#ifndef __MUSL__
+    return;
+#endif
+
 #if !(defined __LITEOS_A__ || defined __LITEOS_M__)
     PARAM_LOGV("LoadGroupUser ");
     uid_t uid = 0;
@@ -263,7 +271,7 @@ void LoadGroupUser(void)
         while (data->gr_mem[index]) { // user in this group
             GetUserIdByName(&uid, data->gr_mem[index], strlen(data->gr_mem[index]));
             PARAM_LOGV("LoadGroupUser %s gid %d uid %d user %s", data->gr_name, data->gr_gid, uid, data->gr_mem[index]);
-            AddGroupUser(uid, data->gr_gid, 0550, "ohos.group"); // 0550 read and watch
+            AddGroupUser(uid, data->gr_gid, 0550, GROUP_FORMAT); // 0550 read and watch
             index++;
         }
     }

services/param/adapter/param_selinux.c

@@ -73,8 +73,7 @@ static int InitLocalSecurityLabel(ParamSecurityLabel *security, int isInit)
         PARAM_CHECK(g_selinuxSpace.destroyParamList != NULL,
             return -1, "Failed to dlsym destroyParamList %s", dlerror());
     }
-    if (isInit) {
-        // log
+    if (isInit) { // log
         g_selinuxSpace.setSelinuxLogCallback();
     }
 #endif
@@ -87,9 +86,8 @@ static int FreeLocalSecurityLabel(ParamSecurityLabel *srcLabel)
     return 0;
 }
 
-static int SelinuxGetParamSecurityLabel(const char *path)
+static int SelinuxGetAllLabel(int readOnly)
 {
-    UNUSED(path);
     PARAM_CHECK(g_selinuxSpace.getParamList != NULL, return DAC_RESULT_FORBIDED, "Invalid getParamList");
     ParamContextsList *head = g_selinuxSpace.getParamList();
     ParamContextsList *node = head;
@@ -100,20 +98,25 @@ static int SelinuxGetParamSecurityLabel(const char *path)
             node = node->next;
             continue;
         }
-        int ret = AddWorkSpace(node->info.paraContext, 0, PARAM_WORKSPACE_DEF);
+        int ret = AddWorkSpace(node->info.paraContext, readOnly, PARAM_WORKSPACE_DEF);
         PARAM_CHECK(ret == 0, continue,
-            "Failed to add selinx workspace %s %s", node->info.paraName, node->info.paraContext);
+            "Failed to add selinux workspace %s %s", node->info.paraName, node->info.paraContext);
         node = node->next;
         count++;
     }
-    g_selinuxSpace.destroyParamList(&head);
-    int ret = AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, 0, PARAM_WORKSPACE_MAX);
-    PARAM_CHECK(ret == 0, return -1,
-        "Failed to add selinx workspace %s %s", node->info.paraName, node->info.paraContext);
 
+    int ret = AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, readOnly, PARAM_WORKSPACE_MAX);
+    PARAM_CHECK(ret == 0, return -1,
+        "Failed to add selinux workspace %s %s", node->info.paraName, node->info.paraContext);
     return 0;
 }
 
+static int SelinuxGetParamSecurityLabel(const char *path)
+{
+    UNUSED(path);
+    return SelinuxGetAllLabel(0);
+}
+
 static int CheckFilePermission(const ParamSecurityLabel *localLabel, const char *fileName, int flags)
 {
     UNUSED(flags);
@@ -121,12 +124,26 @@ static int CheckFilePermission(const ParamSecurityLabel *localLabel, const char
     return 0;
 }
 
+static int SelinuxReadParamCheck(const char *name)
+{
+    int ret = DAC_RESULT_FORBIDED;
+    PARAM_CHECK(g_selinuxSpace.getParamLabel != NULL, return ret, "Invalid getParamLabel");
+    const char *label = g_selinuxSpace.getParamLabel(name);
+    if (label == NULL) { // open file with readonly
+        ret = AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, 1, PARAM_WORKSPACE_MAX);
+    } else {
+        ret = AddWorkSpace(label, 1, PARAM_WORKSPACE_MAX);
+    }
+    if (ret != 0) {
+        return DAC_RESULT_FORBIDED;
+    }
+    return DAC_RESULT_PERMISSION;
+}
+
 static int SelinuxCheckParamPermission(const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode)
 {
     int ret = DAC_RESULT_FORBIDED;
     PARAM_CHECK(g_selinuxSpace.setParamCheck != NULL, return ret, "Invalid setParamCheck");
-    PARAM_CHECK(g_selinuxSpace.readParamCheck != NULL, return ret, "Invalid readParamCheck");
-
     // check
     struct ucred uc;
     uc.pid = srcLabel->cred.pid;
@@ -135,7 +152,7 @@ static int SelinuxCheckParamPermission(const ParamSecurityLabel *srcLabel, const
     if (mode == DAC_WRITE) {
         ret = g_selinuxSpace.setParamCheck(name, &uc);
     } else {
-        ret = 0;
+        ret = SelinuxReadParamCheck(name);
     }
     if (ret != 0) {
         PARAM_LOGI("Selinux check name %s pid %d uid %d %d result %d", name, uc.pid, uc.uid, uc.gid, ret);
@@ -164,6 +181,12 @@ const char *GetSelinuxContent(const char *name)
     return g_selinuxSpace.getParamLabel(name);
 }
 
+void OpenPermissionWorkSpace(void)
+{
+    // open workspace by readonly
+    SelinuxGetAllLabel(1);
+}
+
 #if defined STARTUP_INIT_TEST || defined LOCAL_TEST
 void SetSelinuxOps(const SelinuxSpace *space)
 {

services/param/include/param_osadp.h

@@ -53,6 +53,8 @@ extern "C" {
 #endif
 #define PARAM_WORKSPACE_SMALL PARAM_WORKSPACE_MAX
 #define PARAM_WORKSPACE_DEF PARAM_WORKSPACE_MAX
+#define DAC_DEFAULT_GROUP 0
+#define DAC_DEFAULT_USER 0
 #else
 #define PARAM_WORKSPACE_MAX (80 * 1024)
 #define PARAM_WORKSPACE_SMALL (1024 * 10)
@@ -63,6 +65,8 @@ extern "C" {
 #define DAC_DEFAULT_MODE 0774
 #define PARAM_WORKSPACE_DEF (1024 * 30)
 #endif
+#define DAC_DEFAULT_GROUP 2000
+#define DAC_DEFAULT_USER 0
 #endif
 
 // support futex

services/param/include/param_security.h

@@ -102,6 +102,7 @@ int GetParamSecurityAuditData(const char *name, int type, ParamAuditData *auditD
 
 int RegisterSecurityDacOps(ParamSecurityOps *ops, int isInit);
 void LoadGroupUser(void);
+void OpenPermissionWorkSpace(void);
 
 typedef int (*SelinuxSetParamCheck)(const char *paraName, struct ucred *uc);
 typedef struct SelinuxSpace_ {

services/param/manager/param_manager.c

@@ -155,8 +155,8 @@ int InitParamWorkSpace(int onlyRead)
         // add default dac policy
         ParamAuditData auditData = {};
         auditData.name = "#";
-        auditData.dacData.gid = 0; // for root
-        auditData.dacData.uid = 0; // for root
+        auditData.dacData.gid = DAC_DEFAULT_GROUP; // 2000 for shell
+        auditData.dacData.uid = DAC_DEFAULT_USER; // for root
         auditData.dacData.mode = DAC_DEFAULT_MODE; // 0774 default mode
         ret = AddSecurityLabel(&auditData);
         PARAM_CHECK(ret == 0, return ret, "Failed to add default dac label");
@@ -213,7 +213,18 @@ int ReadParamWithCheck(const char *name, uint32_t op, ParamHandle *handle)
     *handle = -1;
     int ret = CheckParamPermission(&g_paramWorkSpace.securityLabel, name, op);
     PARAM_CHECK(ret == 0, return ret, "Forbid to access parameter %s", name);
+#ifdef PARAM_SUPPORT_SELINUX
+    if (ret == DAC_RESULT_PERMISSION) {
+        const char *label = GetSelinuxContent(name);
+        if (label != NULL) {
+            AddWorkSpace(label, 1, PARAM_WORKSPACE_DEF);
+        } else {
+            AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, 1, PARAM_WORKSPACE_DEF);
+        }
+    }
+#endif
     WorkSpace *space = GetWorkSpace(name);
+    PARAM_CHECK(space != NULL, return PARAM_CODE_INVALID_PARAM, "Invalid workSpace");
     ParamTrieNode *node = FindTrieNode(space, name, strlen(name), NULL);
     if (node != NULL && node->dataIndex != 0) {
         *handle = GetParamHandle(space, node->dataIndex, name);
@@ -407,6 +418,7 @@ int AddSecurityLabel(const ParamAuditData *auditData)
     PARAM_WORKSPACE_CHECK(&g_paramWorkSpace, return -1, "Invalid space");
     PARAM_CHECK(auditData != NULL && auditData->name != NULL, return -1, "Invalid auditData");
     WorkSpace *workSpace = GetWorkSpace(WORKSPACE_NAME_DAC);
+    PARAM_CHECK(workSpace != NULL, return PARAM_CODE_INVALID_PARAM, "Invalid workSpace");
     int ret = CheckParamName(auditData->name, 1);
     PARAM_CHECK(ret == 0, return ret, "Illegal param name \"%s\"", auditData->name);
 
@@ -500,6 +512,10 @@ int SystemTraversalParameter(const char *prefix, TraversalParamPtr traversalPara
         }
         context.prefix = (char *)prefix;
     }
+#ifdef PARAM_SUPPORT_SELINUX
+    // open all workspace
+    OpenPermissionWorkSpace();
+#endif
     WorkSpace *workSpace = GetFristWorkSpace();
     if (workSpace != NULL && strcmp(workSpace->fileName, WORKSPACE_NAME_DAC) == 0) {
         workSpace = GetNextWorkSpace(workSpace);
@@ -541,16 +557,6 @@ int CheckParamPermission(const ParamSecurityLabel *srcLabel, const char *name, u
             }
         }
     }
-#ifdef PARAM_SUPPORT_SELINUX
-    if (ret == DAC_RESULT_PERMISSION && mode != DAC_WRITE) { // open workspace for client read
-        const char *label = GetSelinuxContent(name);
-        if (label != NULL) {
-            AddWorkSpace(label, 1, PARAM_WORKSPACE_DEF);
-        } else {
-            ret = DAC_RESULT_FORBIDED;
-        }
-    }
-#endif
     return ret;
 }
 
@@ -609,7 +615,10 @@ void SystemDumpParameters(int verbose)
     if (ret != PARAM_CODE_NOT_FOUND && ret != 0 && ret != PARAM_CODE_NODE_EXIST) {
         PARAM_CHECK(ret == 0, return, "Forbid to dump parameters");
     }
-
+#ifdef PARAM_SUPPORT_SELINUX
+    // open all workspace
+    OpenPermissionWorkSpace();
+#endif
     PARAM_DUMP("Dump all paramters begin ...\n");
     if (verbose) {
         PARAM_DUMP("Local sercurity information\n");
@@ -649,6 +658,8 @@ int AddWorkSpace(const char *name, int onlyRead, uint32_t spaceSize)
         const size_t size = strlen(realName) + 1;
         workSpace = (WorkSpace *)malloc(sizeof(WorkSpace) + size);
         PARAM_CHECK(workSpace != NULL, break, "Failed to create workspace for %s", realName);
+        workSpace->flags = 0;
+        workSpace->area = NULL;
         ListInit(&workSpace->node);
         ret = strcpy_s(workSpace->fileName, size, realName);
         PARAM_CHECK(ret == 0, break, "Failed to copy file name %s", realName);
@@ -667,7 +678,7 @@ int AddWorkSpace(const char *name, int onlyRead, uint32_t spaceSize)
         free(workSpace);
     }
     WORKSPACE_RW_UNLOCK(g_paramWorkSpace);
-    PARAM_LOGI("AddWorkSpace %s success", name);
+    PARAM_LOGI("AddWorkSpace %s %s", name, ret == 0 ? "success" : "fail");
     return ret;
 }
 
@@ -776,14 +787,23 @@ int SysCheckParamExist(const char *name)
 {
     PARAM_WORKSPACE_CHECK(&g_paramWorkSpace, return -1, "Invalid space");
     PARAM_CHECK(name != NULL, return -1, "The name or handle is null");
-    ParamHandle handle;
-    int ret = ReadParamWithCheck(name, DAC_READ, &handle);
-    PARAM_LOGI("SysCheckParamExist %s result %d", name, ret);
-    if (ret == PARAM_CODE_NODE_EXIST) {
-        return 0;
+#ifdef PARAM_SUPPORT_SELINUX
+    // open all workspace
+    OpenPermissionWorkSpace();
+#endif
+    WorkSpace *workSpace = GetFristWorkSpace();
+    while (workSpace != NULL) {
+        PARAM_LOGV("SysCheckParamExist name %s in space %s", name, workSpace->fileName);
+        WorkSpace *next = GetNextWorkSpace(workSpace);
+        ParamTrieNode *node = FindTrieNode(workSpace, name, strlen(name), NULL);
+        if (node != NULL && node->dataIndex != 0) {
+            return 0;
+        } else if (node != NULL) {
+            return PARAM_CODE_NODE_EXIST;
+        }
+        workSpace = next;
     }
-    PARAM_CHECK(ret == 0, return ret, "Forbid to access parameter %s", name);
-    return ret;
+    return PARAM_CODE_NOT_FOUND;
 }
 
 int SystemGetParameterCommitId(ParamHandle handle, uint32_t *commitId)
@@ -823,6 +843,7 @@ int GetParamSecurityAuditData(const char *name, int type, ParamAuditData *auditD
     uint32_t labelIndex = 0;
     // get from dac
     WorkSpace *space = GetWorkSpace(WORKSPACE_NAME_DAC);
+    PARAM_CHECK(space != NULL, return -1, "Invalid workSpace");
     FindTrieNode(space, name, strlen(name), &labelIndex);
     ParamSecruityNode *node = (ParamSecruityNode *)GetTrieNode(space, labelIndex);
     PARAM_CHECK(node != NULL, return DAC_RESULT_FORBIDED, "Can not get security label %d", labelIndex);
@@ -852,14 +873,18 @@ int CheckParameterSet(const char *name, const char *value, const ParamSecurityLa
     PARAM_CHECK(ret == 0, return ret, "Illegal param value %s", value);
     *ctrlService = 0;
 
-#ifndef PARAM_SUPPORT_SELINUX
-    if ((getpid() != 1) && ((srcLabel->flags[0] & LABEL_CHECK_IN_ALL_PROCESS) != LABEL_CHECK_IN_ALL_PROCESS)) {
+    if (getpid() != 1) { // none init
+#ifdef PARAM_SUPPORT_SELINUX
         *ctrlService |= PARAM_NEED_CHECK_IN_SERVICE;
-#ifndef STARTUP_INIT_TEST
         return 0;
+#else
+        if ((srcLabel->flags[0] & LABEL_CHECK_IN_ALL_PROCESS) != LABEL_CHECK_IN_ALL_PROCESS) {
+            *ctrlService |= PARAM_NEED_CHECK_IN_SERVICE;
+            return 0;
+        }
 #endif
     }
-#endif
+
     char *key = GetServiceCtrlName(name, value);
     ret = CheckParamPermission(srcLabel, (key == NULL) ? name : key, DAC_WRITE);
     if (key != NULL) {  // ctrl param

services/param/manager/param_trie.c

@@ -105,6 +105,7 @@ int InitWorkSpace(WorkSpace *workSpace, int onlyRead, uint32_t spaceSize)
     }
     workSpace->compareTrieNode = CompareParamTrieNode;
     workSpace->allocTrieNode = AllocateParamTrieNode;
+    workSpace->area = NULL;
     int ret = InitWorkSpace_(workSpace, spaceSize, onlyRead);
     PARAM_CHECK(ret == 0, return ret, "Failed to init workspace  %s", workSpace->fileName);
     PARAMSPACE_AREA_INIT_LOCK(workSpace);
@@ -397,7 +398,7 @@ void SaveIndex(uint32_t *index, uint32_t offset)
 
 ParamTrieNode *FindTrieNode(WorkSpace *workSpace, const char *key, uint32_t keyLen, uint32_t *matchLabel)
 {
-    PARAM_CHECK(workSpace != NULL, return NULL, "Invalid workSpace");
+    PARAM_CHECK(workSpace != NULL && workSpace->area != NULL, return NULL, "Invalid workSpace");
     ParamTrieNode *node = NULL;
     PARAMSPACE_AREA_RD_LOCK(workSpace);
     node = FindTrieNode_(workSpace, key, keyLen, matchLabel);

test/unittest/param/param_unittest.cpp

@@ -78,7 +78,7 @@ public:
         const char *value = "2001";
         uint32_t labelIndex = 0;
         SystemWriteParam(name, value);
-        // 获取到跟属性
+        // get root
         WorkSpace *workspace = GetWorkSpace(WORKSPACE_NAME_DAC);
         (void)FindTrieNode(workspace, name, strlen(name), &labelIndex);
         ParamSecruityNode *node = (ParamSecruityNode *)GetTrieNode(workspace, labelIndex);
@@ -86,7 +86,7 @@ public:
             EXPECT_EQ(1, 0);
             return 0;
         }
-        EXPECT_EQ(node->gid, 0);
+        EXPECT_EQ(node->gid, DAC_DEFAULT_GROUP);
         return 0;
     }