diff --git a/services/BUILD.gn b/services/BUILD.gn index 5a289ac90e38e16b8dff4fc39f7bfd7e8cb8f796..f0ffcb113ac5db4ec2590f809d9779149def0824 100755 --- a/services/BUILD.gn +++ b/services/BUILD.gn @@ -63,11 +63,6 @@ if (defined(ohos_lite)) { cflags = [ "-Wall" ] - if (build_selinux) { - external_deps = [ "selinux:libparaperm_checker_static" ] - defines += [ "WITH_SELINUX" ] - } - deps = [ "//base/hiviewdfx/hilog_lite/frameworks/featured:hilog_shared", "//base/startup/init_lite/initsync:initsync", diff --git a/services/param/BUILD.gn b/services/param/BUILD.gn index 2b97846a37f24a87f97f731e86ff8e56a6e91305..6c39476ef1e104df90f3cf4f551892307524ae31 100755 --- a/services/param/BUILD.gn +++ b/services/param/BUILD.gn @@ -41,11 +41,15 @@ ohos_static_library("param_service") { "//base/startup/init_lite/services/log", "//base/startup/init_lite/interfaces/innerkits/include", "//base/startup/init_lite/services/loopevent/include", + "//base/security/selinux/interfaces/policycoreutils/include", "//third_party/libuv/include", "//third_party/cJSON", ] defines = [ "PARAM_SUPPORT_SAVE_PERSIST" ] + if (build_selinux) { + defines += [ "WITH_SELINUX" ] + } if (defined(boot_kernel_extended_cmdline)) { defines += [ "BOOT_EXTENDED_CMDLINE=\"${boot_kernel_extended_cmdline}\"" ] @@ -62,11 +66,6 @@ ohos_static_library("param_service") { } } - if (build_selinux) { - external_deps = [ "selinux:libparaperm_checker_static" ] - defines += [ "WITH_SELINUX" ] - } - deps = [ "//base/startup/init_lite/services/log:init_log", "//base/startup/init_lite/services/loopevent:loopevent", @@ -95,13 +94,17 @@ ohos_shared_library("param_client") { "//base/startup/init_lite/services/log", "//base/startup/init_lite/interfaces/innerkits/include", "//base/hiviewdfx/hilog/interfaces/native/innerkits/include", + "//base/security/selinux/interfaces/policycoreutils/include", "//base/startup/init_lite/services/loopevent/include", ] defines = [ "INIT_AGENT" ] - defines += [ "_GNU_SOURCE" ] + if (build_selinux) { + defines += [ "WITH_SELINUX" ] + } + if (param_security == "selinux") { sources += [ "adapter/param_selinux.c" ] defines += [ "PARAM_SUPPORT_SELINUX" ] @@ -113,11 +116,6 @@ ohos_shared_library("param_client") { } } - if (build_selinux) { - external_deps = [ "selinux:libparaperm_checker_static" ] - defines += [ "WITH_SELINUX" ] - } - deps = [ "//base/startup/init_lite/services/log:agent_log", "//third_party/bounds_checking_function:libsec_static", diff --git a/services/param/manager/param_manager.c b/services/param/manager/param_manager.c index c4694746da93ea15bf49520105d402bddf14de53..30f0480614774948547c35213b5e6f4e582c71cd 100755 --- a/services/param/manager/param_manager.c +++ b/services/param/manager/param_manager.c @@ -14,12 +14,13 @@ */ #include "param_manager.h" + +#include +#include #ifdef WITH_SELINUX #include "selinux_parameter.h" #endif -#include - #if !defined PARAM_SUPPORT_SELINUX && !defined PARAM_SUPPORT_DAC static ParamSecurityLabel g_defaultSecurityLabel; #endif @@ -234,6 +235,46 @@ int TraversalParam(const ParamWorkSpace *workSpace, return TraversalTrieNode(&workSpace->paramSpace, root, ProcessParamTraversal, &context); } +#ifdef WITH_SELINUX +void *g_selinuxHandle = NULL; +int CheckParamPermissionWithSelinux(const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode) +{ + if (srcLabel == NULL || mode != DAC_WRITE) { + return DAC_RESULT_PERMISSION; + } + static void (*setSelinuxLogCallback)(); + static int (*setParamCheck)(const char *paraName, struct ucred *uc); + g_selinuxHandle = dlopen("/system/lib/libparaperm_checker_static.so", RTLD_LAZY); + if (g_selinuxHandle == NULL) { + PARAM_LOGE("Failed to dlopen libparaperm_checker_static.so, %s\n", dlerror()); + return DAC_RESULT_FORBIDED; + } + if (setSelinuxLogCallback == NULL) { + setSelinuxLogCallback = (void (*)())dlsym(g_selinuxHandle, "SetSelinuxLogCallback"); + if (setSelinuxLogCallback == NULL) { + PARAM_LOGE("Failed to dlsym setSelinuxLogCallback, %s\n", dlerror()); + return DAC_RESULT_FORBIDED; + } + } + (*setSelinuxLogCallback)(); + + if (setParamCheck == NULL) { + setParamCheck = (int (*)(const char *paraName, struct ucred *uc))dlsym(g_selinuxHandle, "SetParamCheck"); + if (setParamCheck == NULL) { + PARAM_LOGE("Failed to dlsym setParamCheck, %s\n", dlerror()); + return DAC_RESULT_FORBIDED; + } + } + struct ucred uc; + uc.pid = srcLabel->cred.pid; + uc.uid = srcLabel->cred.uid; + uc.gid = srcLabel->cred.gid; + int ret = setParamCheck(name, &uc); + PARAM_LOGI("Selinux check name %s pid %d uid %d %d result %d", name, uc.pid, uc.uid, uc.gid, ret); + return ret; +} +#endif + int CheckParamPermission(const ParamWorkSpace *workSpace, const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode) { @@ -244,15 +285,9 @@ int CheckParamPermission(const ParamWorkSpace *workSpace, } PARAM_CHECK(name != NULL && srcLabel != NULL, return -1, "Invalid param"); #ifdef WITH_SELINUX - SetSelinuxLogCallback(); - if (srcLabel != NULL && mode == DAC_WRITE) { - PARAM_LOGI("selinux SetParamCheck name %s, pid: %d", name, srcLabel->cred.pid); - struct ucred uc; - uc.pid = srcLabel->cred.pid; - uc.uid = srcLabel->cred.uid; - uc.gid = srcLabel->cred.gid; - int ret = SetParamCheck(name, &uc); - PARAM_LOGI("pid: %d SetParamCheck %s, result: %d", srcLabel->cred.pid, name, ret); + int ret = CheckParamPermissionWithSelinux(srcLabel, name, mode); + if (ret == DAC_RESULT_PERMISSION) { + return DAC_RESULT_PERMISSION; } #endif if (workSpace->paramSecurityOps.securityCheckParamPermission == NULL) {