Add networking permissions control of hap apps

The appspawn fork a hap process and set a flag(0 or 1) to the libnetsys_client, Judge whether the flag in libnetsys_client is 1 in the socket() and name_from_dns_search() interface, Do not create a AF_INET or AF_INET6 socket or query DNS if the flag is 0 Signed-off-by: N maosiping <maosiping@huawei.com>

Add networking permissions control of hap apps
The appspawn fork a hap process and set a flag(0 or 1) to the libnetsys_client, Judge whether the flag in libnetsys_client is 1 in the socket() and name_from_dns_search() interface, Do not create a AF_INET or AF_INET6 socket or query DNS if the flag is 0 Signed-off-by: N maosiping <maosiping@huawei.com>
c2dd0aa2 · maosiping · 00b747c7 · c2dd0aa2 · c2dd0aa2 · c2dd0aa2
隐藏空白更改
内联并排

Showing with 56 addition and 1 deletion

musl_template.gni musl_template.gni +4 -1

src/network/lookup_name.c src/network/lookup_name.c +11 -0

src/network/socket.c src/network/socket.c +41 -0

未找到文件。
--- a/musl_template.gni
+++ b/musl_template.gni
@@ -182,7 +182,10 @@ template("musl_libs") {
      defines += [ "BROKEN_VFP_ASM" ]
    }
    if (is_standard_system) {
-      defines += [ "OHOS_DNS_PROXY_BY_NETSYS=1" ]
+      defines += [
+        "OHOS_DNS_PROXY_BY_NETSYS=1",
+        "OHOS_PERMISSION_INTERNET=1",
+      ]
    }

    dynamic_list =

--- a/src/network/lookup_name.c
+++ b/src/network/lookup_name.c
@@ -15,6 +15,10 @@
 #include "stdio_impl.h"
 #include "syscall.h"

+#if OHOS_PERMISSION_INTERNET
+uint8_t is_allow_internet(void);
+#endif
+
 static int is_valid_hostname(const char *host)
 {
 	const unsigned char *s;
@@ -168,6 +172,13 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static

 static int name_from_dns_search(struct address buf[static MAXADDRS], char canon[static 256], const char *name, int family)
 {
+#if OHOS_PERMISSION_INTERNET
+	if (is_allow_internet() == 0) {
+		errno = EPERM;
+		return -1;
+	}
+#endif
+
 	char search[256];
 	struct resolvconf conf;
 	size_t l, dots;

--- a/src/network/socket.c
+++ b/src/network/socket.c
 #include <sys/socket.h>
 #include <fcntl.h>
 #include <errno.h>
+#include <dlfcn.h>
+#include <stdint.h>
+#include <stddef.h>
 #include "syscall.h"

+#if OHOS_PERMISSION_INTERNET
+typedef uint8_t (*AllowFunc)(void);
+static const char *LIB_NETSYS_CLIENT_NAME = "libnetsys_client.z.so";
+static const char *ALLOW_SOCKET_FUNC_NAME = "IsAllowInternet";
+
+/*
+ * Read a flag from netsys_client, there is only one place to set this flag, is the
+ * founction named DoStartup in startup_appspawn.
+ * */
+uint8_t is_allow_internet(void)
+{
+	static uint8_t first_time = 1;
+	static uint8_t allow = 1;
+
+	if (!first_time) {
+		return allow;
+	}
+
+	void *handler = dlopen(LIB_NETSYS_CLIENT_NAME, RTLD_LAZY);
+	if (handler != NULL) {
+		AllowFunc func = (AllowFunc)dlsym(handler, ALLOW_SOCKET_FUNC_NAME);
+		if (func != NULL && func() == 0) {
+			allow = 0;
+		}
+		dlclose(handler);
+	}
+	first_time = 0;
+	return allow;
+}
+#endif
+
 int socket(int domain, int type, int protocol)
 {
+#if OHOS_PERMISSION_INTERNET
+	if ((domain == AF_INET || domain == AF_INET6) && is_allow_internet() == 0) {
+		errno = EPERM;
+		return -1;
+	}
+#endif
+
 	int s = socketcall(socket, domain, type, protocol, 0, 0, 0);
 	if (s<0 && (errno==EINVAL || errno==EPROTONOSUPPORT)
 	    && (type&(SOCK_CLOEXEC|SOCK_NONBLOCK))) {