提交
f85f4abf
编写于
3月 03, 2022
作者:
X
xionglei6
fix:增加selinux属性校验
Signed-off-by:
N
xionglei6
<
xionglei6@huawei.com
>
上级
b2c66323
变更
3
Showing
3 changed file
with
55 addition
and
27 deletion
+55
-27
services/BUILD.gn
services/BUILD.gn
+0
-5
services/param/BUILD.gn
services/param/BUILD.gn
+9
-11
services/param/manager/param_manager.c
services/param/manager/param_manager.c
+46
-11
services/BUILD.gn
...
...
@@ -63,11 +63,6 @@ if (defined(ohos_lite)) {
cflags = [ "-Wall" ]
if (build_selinux) {
external_deps = [ "selinux:libparaperm_checker_static" ]
defines += [ "WITH_SELINUX" ]
}
deps = [
"//base/hiviewdfx/hilog_lite/frameworks/featured:hilog_shared",
"//base/startup/init_lite/initsync:initsync",
...
...
services/param/BUILD.gn
...
...
@@ -41,11 +41,15 @@ ohos_static_library("param_service") {
"//base/startup/init_lite/services/log",
"//base/startup/init_lite/interfaces/innerkits/include",
"//base/startup/init_lite/services/loopevent/include",
"//base/security/selinux/interfaces/policycoreutils/include",
"//third_party/libuv/include",
"//third_party/cJSON",
]
defines = [ "PARAM_SUPPORT_SAVE_PERSIST" ]
if (build_selinux) {
defines += [ "WITH_SELINUX" ]
}
if (defined(boot_kernel_extended_cmdline)) {
defines += [ "BOOT_EXTENDED_CMDLINE=\"${boot_kernel_extended_cmdline}\"" ]
...
...
@@ -62,11 +66,6 @@ ohos_static_library("param_service") {
}
}
if (build_selinux) {
external_deps = [ "selinux:libparaperm_checker_static" ]
defines += [ "WITH_SELINUX" ]
}
deps = [
"//base/startup/init_lite/services/log:init_log",
"//base/startup/init_lite/services/loopevent:loopevent",
...
...
@@ -95,13 +94,17 @@ ohos_shared_library("param_client") {
"//base/startup/init_lite/services/log",
"//base/startup/init_lite/interfaces/innerkits/include",
"//base/hiviewdfx/hilog/interfaces/native/innerkits/include",
"//base/security/selinux/interfaces/policycoreutils/include",
"//base/startup/init_lite/services/loopevent/include",
]
defines = [ "INIT_AGENT" ]
defines += [ "_GNU_SOURCE" ]
if (build_selinux) {
defines += [ "WITH_SELINUX" ]
}
if (param_security == "selinux") {
sources += [ "adapter/param_selinux.c" ]
defines += [ "PARAM_SUPPORT_SELINUX" ]
...
...
@@ -113,11 +116,6 @@ ohos_shared_library("param_client") {
}
}
if (build_selinux) {
external_deps = [ "selinux:libparaperm_checker_static" ]
defines += [ "WITH_SELINUX" ]
}
deps = [
"//base/startup/init_lite/services/log:agent_log",
"//third_party/bounds_checking_function:libsec_static",
...
...
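Review bot: Dropping `external_deps = [ "selinux:libparaperm_checker_static" ]` from both param_service and param_client removes the only build-graph edge to the checker library, yet the param_manager.c change in this same commit still needs it at runtime through dlopen of a hard-coded /system/lib path. Nothing visible in this file guarantees the library is installed on the image; if it is absent, the runtime check fails closed and every parameter write is denied. Consider keeping a non-link dependency on the selinux target (for example via the image or group `deps`), or at least documenting the runtime requirement next to the conditional define, `# WITH_SELINUX: libparaperm_checker is dlopen'ed from /system/lib at runtime; the image must ship it`. I cannot see the rest of the build graph, so this may already be covered elsewhere.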
services/param/manager/param_manager.c
...
...
@@ -14,12 +14,13 @@
*/
#include "param_manager.h"
#include <ctype.h>
#include <dlfcn.h>
#ifdef WITH_SELINUX
#include "selinux_parameter.h"
#endif
#include <ctype.h>
#if !defined PARAM_SUPPORT_SELINUX && !defined PARAM_SUPPORT_DAC
static
ParamSecurityLabel
g_defaultSecurityLabel
;
#endif
...
...
@@ -234,6 +235,46 @@ int TraversalParam(const ParamWorkSpace *workSpace,
return
TraversalTrieNode
(
&
workSpace
->
paramSpace
,
root
,
ProcessParamTraversal
,
&
context
);
}
#ifdef WITH_SELINUX
void
*
g_selinuxHandle
=
NULL
;
int
CheckParamPermissionWithSelinux
(
const
ParamSecurityLabel
*
srcLabel
,
const
char
*
name
,
uint32_t
mode
)
{
if
(
srcLabel
==
NULL
||
mode
!=
DAC_WRITE
)
{
return
DAC_RESULT_PERMISSION
;
}
static
void
(
*
setSelinuxLogCallback
)();
static
int
(
*
setParamCheck
)(
const
char
*
paraName
,
struct
ucred
*
uc
);
g_selinuxHandle
=
dlopen
(
"/system/lib/libparaperm_checker_static.so"
,
RTLD_LAZY
);
if
(
g_selinuxHandle
==
NULL
)
{
PARAM_LOGE
(
"Failed to dlopen libparaperm_checker_static.so, %s
\n
"
,
dlerror
());
return
DAC_RESULT_FORBIDED
;
}
if
(
setSelinuxLogCallback
==
NULL
)
{
setSelinuxLogCallback
=
(
void
(
*
)())
dlsym
(
g_selinuxHandle
,
"SetSelinuxLogCallback"
);
if
(
setSelinuxLogCallback
==
NULL
)
{
PARAM_LOGE
(
"Failed to dlsym setSelinuxLogCallback, %s
\n
"
,
dlerror
());
return
DAC_RESULT_FORBIDED
;
}
}
(
*
setSelinuxLogCallback
)();
if
(
setParamCheck
==
NULL
)
{
setParamCheck
=
(
int
(
*
)(
const
char
*
paraName
,
struct
ucred
*
uc
))
dlsym
(
g_selinuxHandle
,
"SetParamCheck"
);
if
(
setParamCheck
==
NULL
)
{
PARAM_LOGE
(
"Failed to dlsym setParamCheck, %s
\n
"
,
dlerror
());
return
DAC_RESULT_FORBIDED
;
}
}
struct
ucred
uc
;
uc
.
pid
=
srcLabel
->
cred
.
pid
;
uc
.
uid
=
srcLabel
->
cred
.
uid
;
uc
.
gid
=
srcLabel
->
cred
.
gid
;
int
ret
=
setParamCheck
(
name
,
&
uc
);
PARAM_LOGI
(
"Selinux check name %s pid %d uid %d %d result %d"
,
name
,
uc
.
pid
,
uc
.
uid
,
uc
.
gid
,
ret
);
return
ret
;
}
#endif
int
CheckParamPermission
(
const
ParamWorkSpace
*
workSpace
,
const
ParamSecurityLabel
*
srcLabel
,
const
char
*
name
,
uint32_t
mode
)
{
...
...
@@ -244,15 +285,9 @@ int CheckParamPermission(const ParamWorkSpace *workSpace,
}
PARAM_CHECK
(
name
!=
NULL
&&
srcLabel
!=
NULL
,
return
-
1
,
"Invalid param"
);
#ifdef WITH_SELINUX
SetSelinuxLogCallback
();
if
(
srcLabel
!=
NULL
&&
mode
==
DAC_WRITE
)
{
PARAM_LOGI
(
"selinux SetParamCheck name %s, pid: %d"
,
name
,
srcLabel
->
cred
.
pid
);
struct
ucred
uc
;
uc
.
pid
=
srcLabel
->
cred
.
pid
;
uc
.
uid
=
srcLabel
->
cred
.
uid
;
uc
.
gid
=
srcLabel
->
cred
.
gid
;
int
ret
=
SetParamCheck
(
name
,
&
uc
);
PARAM_LOGI
(
"pid: %d SetParamCheck %s, result: %d"
,
srcLabel
->
cred
.
pid
,
name
,
ret
);
int
ret
=
CheckParamPermissionWithSelinux
(
srcLabel
,
name
,
mode
);
if
(
ret
==
DAC_RESULT_PERMISSION
)
{
return
DAC_RESULT_PERMISSION
;
}
#endif
if
(
workSpace
->
paramSecurityOps
.
securityCheckParamPermission
==
NULL
)
{
...
...
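Review bot: The way CheckParamPermission consumes the new result lets SELinux override DAC rather than restrict it: `if (ret == DAC_RESULT_PERMISSION) return DAC_RESULT_PERMISSION;` returns as soon as the SELinux check passes, skipping the `securityCheckParamPermission` DAC check that follows, a SELinux denial falls through and is then decided by DAC alone, and because CheckParamPermissionWithSelinux returns DAC_RESULT_PERMISSION for every `mode != DAC_WRITE`, reads under WITH_SELINUX bypass DAC entirely. If DAC_RESULT_PERMISSION means "allowed", as its use in the early returns suggests, and the intent is for SELinux to add a restriction on top of DAC as the pre-change code did by running both, the call site should fail closed and otherwise continue, `int ret = CheckParamPermissionWithSelinux(srcLabel, name, mode); if (ret != DAC_RESULT_PERMISSION) { return ret; }`, which keeps non-write modes flowing into the DAC check. Separately, CheckParamPermissionWithSelinux calls dlopen on every invocation and never dlcloses, so the library's reference count grows with each write check; guard the load with `if (g_selinuxHandle == NULL)` and consider making g_selinuxHandle and the function `static` since nothing in the hunk exports them. The per-call PARAM_LOGI that prints name, pid, uid and gid for every write is noisy on a hot path and leaks caller credentials to the log at info level; drop it or lower it to a debug level. CheckParamPermission's body continues outside the hunk.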