fix：增加selinux属性校验

Signed-off-by: Nxionglei6 <xionglei6@huawei.com>

services/BUILD.gn

@@ -63,11 +63,6 @@ if (defined(ohos_lite)) {
 
     cflags = [ "-Wall" ]
 
-    if (build_selinux) {
-      external_deps = [ "selinux:libparaperm_checker_static" ]
-      defines += [ "WITH_SELINUX" ]
-    }
-
     deps = [
       "//base/hiviewdfx/hilog_lite/frameworks/featured:hilog_shared",
       "//base/startup/init_lite/initsync:initsync",

services/param/BUILD.gn

@@ -41,11 +41,15 @@ ohos_static_library("param_service") {
     "//base/startup/init_lite/services/log",
     "//base/startup/init_lite/interfaces/innerkits/include",
     "//base/startup/init_lite/services/loopevent/include",
+    "//base/security/selinux/interfaces/policycoreutils/include",
     "//third_party/libuv/include",
     "//third_party/cJSON",
   ]
 
   defines = [ "PARAM_SUPPORT_SAVE_PERSIST" ]
+  if (build_selinux) {
+    defines += [ "WITH_SELINUX" ]
+  }
 
   if (defined(boot_kernel_extended_cmdline)) {
     defines += [ "BOOT_EXTENDED_CMDLINE=\"${boot_kernel_extended_cmdline}\"" ]
@@ -62,11 +66,6 @@ ohos_static_library("param_service") {
     }
   }
 
-  if (build_selinux) {
-    external_deps = [ "selinux:libparaperm_checker_static" ]
-    defines += [ "WITH_SELINUX" ]
-  }
-
   deps = [
     "//base/startup/init_lite/services/log:init_log",
     "//base/startup/init_lite/services/loopevent:loopevent",
@@ -95,13 +94,17 @@ ohos_shared_library("param_client") {
     "//base/startup/init_lite/services/log",
     "//base/startup/init_lite/interfaces/innerkits/include",
     "//base/hiviewdfx/hilog/interfaces/native/innerkits/include",
+    "//base/security/selinux/interfaces/policycoreutils/include",
     "//base/startup/init_lite/services/loopevent/include",
   ]
 
   defines = [ "INIT_AGENT" ]
-
   defines += [ "_GNU_SOURCE" ]
 
+  if (build_selinux) {
+    defines += [ "WITH_SELINUX" ]
+  }
+
   if (param_security == "selinux") {
     sources += [ "adapter/param_selinux.c" ]
     defines += [ "PARAM_SUPPORT_SELINUX" ]
@@ -113,11 +116,6 @@ ohos_shared_library("param_client") {
     }
   }
 
-  if (build_selinux) {
-    external_deps = [ "selinux:libparaperm_checker_static" ]
-    defines += [ "WITH_SELINUX" ]
-  }
-
   deps = [
     "//base/startup/init_lite/services/log:agent_log",
     "//third_party/bounds_checking_function:libsec_static",

services/param/manager/param_manager.c

@@ -14,12 +14,13 @@
  */
 
 #include "param_manager.h"
+
+#include <ctype.h>
+#include <dlfcn.h>
 #ifdef WITH_SELINUX
 #include "selinux_parameter.h"
 #endif
 
-#include <ctype.h>
-
 #if !defined PARAM_SUPPORT_SELINUX && !defined PARAM_SUPPORT_DAC
 static ParamSecurityLabel g_defaultSecurityLabel;
 #endif
@@ -234,6 +235,46 @@ int TraversalParam(const ParamWorkSpace *workSpace,
     return TraversalTrieNode(&workSpace->paramSpace, root, ProcessParamTraversal, &context);
 }
 
+#ifdef WITH_SELINUX
+void *g_selinuxHandle = NULL;
+int CheckParamPermissionWithSelinux(const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode)
+{
+    if (srcLabel == NULL || mode != DAC_WRITE) {
+        return DAC_RESULT_PERMISSION;
+    }
+    static void (*setSelinuxLogCallback)();
+    static int (*setParamCheck)(const char *paraName, struct ucred *uc);
+    g_selinuxHandle = dlopen("/system/lib/libparaperm_checker_static.so", RTLD_LAZY);
+    if (g_selinuxHandle == NULL) {
+        PARAM_LOGE("Failed to dlopen libparaperm_checker_static.so, %s\n", dlerror());
+        return DAC_RESULT_FORBIDED;
+    }
+    if (setSelinuxLogCallback == NULL) {
+        setSelinuxLogCallback = (void (*)())dlsym(g_selinuxHandle, "SetSelinuxLogCallback");
+        if (setSelinuxLogCallback == NULL) {
+            PARAM_LOGE("Failed to dlsym setSelinuxLogCallback, %s\n", dlerror());
+            return DAC_RESULT_FORBIDED;
+        }
+    }
+    (*setSelinuxLogCallback)();
+
+    if (setParamCheck == NULL) {
+        setParamCheck = (int (*)(const char *paraName, struct ucred *uc))dlsym(g_selinuxHandle, "SetParamCheck");
+        if (setParamCheck == NULL) {
+            PARAM_LOGE("Failed to dlsym setParamCheck, %s\n", dlerror());
+            return DAC_RESULT_FORBIDED;
+        }
+    }
+    struct ucred uc;
+    uc.pid = srcLabel->cred.pid;
+    uc.uid = srcLabel->cred.uid;
+    uc.gid = srcLabel->cred.gid;
+    int ret = setParamCheck(name, &uc);
+    PARAM_LOGI("Selinux check name %s pid %d uid %d %d result %d", name, uc.pid, uc.uid, uc.gid, ret);
+    return ret;
+}
+#endif
+
 int CheckParamPermission(const ParamWorkSpace *workSpace,
     const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode)
 {
@@ -244,15 +285,9 @@ int CheckParamPermission(const ParamWorkSpace *workSpace,
     }
     PARAM_CHECK(name != NULL && srcLabel != NULL, return -1, "Invalid param");
 #ifdef WITH_SELINUX
-    SetSelinuxLogCallback();
-    if (srcLabel != NULL && mode == DAC_WRITE) {
-        PARAM_LOGI("selinux SetParamCheck name %s, pid: %d", name, srcLabel->cred.pid);
-        struct ucred uc;
-        uc.pid = srcLabel->cred.pid;
-        uc.uid = srcLabel->cred.uid;
-        uc.gid = srcLabel->cred.gid;
-        int ret = SetParamCheck(name, &uc);
-        PARAM_LOGI("pid: %d SetParamCheck %s, result: %d", srcLabel->cred.pid, name, ret);
+    int ret = CheckParamPermissionWithSelinux(srcLabel, name, mode);
+    if (ret == DAC_RESULT_PERMISSION) {
+        return DAC_RESULT_PERMISSION;
     }
 #endif
     if (workSpace->paramSecurityOps.securityCheckParamPermission == NULL) {