未验证 提交 e5bdc477 编写于 作者: O openharmony_ci 提交者: Gitee

!1535 fix:同步修复seccomp模块内存泄漏问题到monthly1018分支

Merge pull request !1535 from 夏不白/cherry-pick-1668839929
...@@ -26,6 +26,7 @@ ...@@ -26,6 +26,7 @@
#include <linux/audit.h> #include <linux/audit.h>
#include <linux/seccomp.h> #include <linux/seccomp.h>
#include <linux/filter.h> #include <linux/filter.h>
#include <limits.h>
#ifndef SECCOMP_SET_MODE_FILTER #ifndef SECCOMP_SET_MODE_FILTER
#define SECCOMP_SET_MODE_FILTER (1) #define SECCOMP_SET_MODE_FILTER (1)
...@@ -39,6 +40,13 @@ ...@@ -39,6 +40,13 @@
#define FILTER_NAME_FORMAT "g_%sSeccompFilter" #define FILTER_NAME_FORMAT "g_%sSeccompFilter"
#define FILTER_SIZE_STRING "Size" #define FILTER_SIZE_STRING "Size"
typedef enum {
SECCOMP_SUCCESS,
INPUT_ERROR,
RETURN_NULL,
RETURN_ERROR
} SeccompErrorCode;
static bool IsSupportFilterFlag(unsigned int filterFlag) static bool IsSupportFilterFlag(unsigned int filterFlag)
{ {
errno = 0; errno = 0;
...@@ -75,43 +83,101 @@ static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filter ...@@ -75,43 +83,101 @@ static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filter
return true; return true;
} }
bool SetSeccompPolicyWithName(const char *filterName) static char *GetFilterFileByName(const char *filterName)
{ {
char filterLibPath[512] = {0}; size_t maxFilterNameLen = PATH_MAX - strlen(FILTER_LIB_PATH_FORMAT) + strlen("%s") - 1;
char filterVaribleName[512] = {0}; if (filterName == NULL && strlen(filterName) > maxFilterNameLen) {
struct sock_filter *filterPtr = NULL; return NULL;
size_t *filterSize = NULL; }
char filterLibPath[PATH_MAX] = {0};
int rc = snprintf_s(filterLibPath, sizeof(filterLibPath), \ int rc = snprintf_s(filterLibPath, sizeof(filterLibPath), \
strlen(filterName) + strlen(FILTER_LIB_PATH_FORMAT) - strlen("%s"), \ strlen(filterName) + strlen(FILTER_LIB_PATH_FORMAT) - strlen("%s"), \
FILTER_LIB_PATH_FORMAT, filterName); FILTER_LIB_PATH_FORMAT, filterName);
PLUGIN_CHECK(rc != -1, return false, "snprintf_s filterLibPath failed"); if (rc == -1) {
return NULL;
}
rc = snprintf_s(filterVaribleName, sizeof(filterVaribleName), \ return realpath(filterLibPath, NULL);
}
static int GetSeccompPolicy(const char *filterName, int **handler,
char *filterLibRealPath, struct sock_fprog *prog)
{
char filterVaribleName[PATH_MAX] = {0};
struct sock_filter *filter = NULL;
size_t *filterSize = NULL;
void *policyHanlder = NULL;
int ret = SECCOMP_SUCCESS;
do {
int rc = snprintf_s(filterVaribleName, sizeof(filterVaribleName), \
strlen(filterName) + strlen(FILTER_NAME_FORMAT) - strlen("%s"), \ strlen(filterName) + strlen(FILTER_NAME_FORMAT) - strlen("%s"), \
FILTER_NAME_FORMAT, filterName); FILTER_NAME_FORMAT, filterName);
PLUGIN_CHECK(rc != -1, return false, "snprintf_s faiVribleName failed"); if (rc == -1) {
const char *filterLibRealPath = realpath(filterLibPath, NULL); ret = RETURN_ERROR;
PLUGIN_CHECK(filterLibRealPath != NULL, return false, "format filter lib real path failed"); break;
}
policyHanlder = dlopen(filterLibRealPath, RTLD_LAZY);
if (policyHanlder == NULL) {
ret = RETURN_NULL;
break;
}
void *handler = dlopen(filterLibRealPath, RTLD_LAZY); filter = (struct sock_filter *)dlsym(policyHanlder, filterVaribleName);
PLUGIN_CHECK(handler != NULL, return false, "dlopen %s failed", filterLibRealPath); if (filter == NULL) {
ret = RETURN_NULL;
break;
}
filterPtr = (struct sock_filter *)dlsym(handler, filterVaribleName); rc = strcat_s(filterVaribleName, strlen(filterVaribleName) + \
PLUGIN_CHECK(filterPtr != NULL, dlclose(handler); strlen(FILTER_SIZE_STRING) + 1, FILTER_SIZE_STRING);
return false, "dlsym %s failed", filterVaribleName); if (rc != 0) {
ret = RETURN_ERROR;
break;
}
rc = strcat_s(filterVaribleName, strlen(filterVaribleName) + strlen(FILTER_SIZE_STRING) + 1, FILTER_SIZE_STRING); filterSize = (size_t *)dlsym(policyHanlder, filterVaribleName);
PLUGIN_CHECK(rc == 0, dlclose(handler); if (filterSize == NULL) {
return false, "strcat_s filterVaribleName failed"); ret = RETURN_NULL;
break;
}
} while (0);
filterSize = (size_t *)dlsym(handler, filterVaribleName); *handler = (int *)policyHanlder;
PLUGIN_CHECK(filterSize != NULL, dlclose(handler); prog->filter = filter;
return false, "dlsym %s failed", filterVaribleName); if (filterSize != NULL) {
prog->len = (unsigned short)(*filterSize);
}
bool ret = InstallSeccompPolicy(filterPtr, *filterSize, SECCOMP_FILTER_FLAG_LOG); return ret;
}
bool SetSeccompPolicyWithName(const char *filterName)
{
void *handler = NULL;
char *filterLibRealPath = NULL;
struct sock_fprog prog = {0};
bool ret = false;
filterLibRealPath = GetFilterFileByName(filterName);
PLUGIN_CHECK(filterLibRealPath != NULL, return false, "get filter file name faield");
int retCode = GetSeccompPolicy(filterName, (int **)&handler, filterLibRealPath, &prog);
if (retCode == SECCOMP_SUCCESS) {
ret = InstallSeccompPolicy(prog.filter, prog.len, SECCOMP_FILTER_FLAG_LOG);
} else {
PLUGIN_LOGE("GetSeccompPolicy failed return is %d", retCode);
}
if (handler != NULL) {
dlclose(handler); dlclose(handler);
}
if (filterLibRealPath != NULL) {
free(filterLibRealPath);
}
return ret; return ret;
} }
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册