diff --git a/musl_template.gni b/musl_template.gni index d90b2dbba0a75e6cc6d9e89be260baf7dc0eef19..5f1074e41958af1c4a4657241e0e642be407a67a 100644 --- a/musl_template.gni +++ b/musl_template.gni @@ -182,7 +182,10 @@ template("musl_libs") { defines += [ "BROKEN_VFP_ASM" ] } if (is_standard_system) { - defines += [ "OHOS_DNS_PROXY_BY_NETSYS=1" ] + defines += [ + "OHOS_DNS_PROXY_BY_NETSYS=1", + "OHOS_PERMISSION_INTERNET=1", + ] } if (enable_musl_log) { diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c index c93263a9d5542918f9462d41448b9756d92adc39..a39db083700213fe3d2ca5ad475a4e7c864aca71 100644 --- a/src/network/lookup_name.c +++ b/src/network/lookup_name.c @@ -15,6 +15,10 @@ #include "stdio_impl.h" #include "syscall.h" +#if OHOS_PERMISSION_INTERNET +uint8_t is_allow_internet(void); +#endif + static int is_valid_hostname(const char *host) { const unsigned char *s; @@ -168,6 +172,13 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static static int name_from_dns_search(struct address buf[static MAXADDRS], char canon[static 256], const char *name, int family) { +#if OHOS_PERMISSION_INTERNET + if (is_allow_internet() == 0) { + errno = EPERM; + return -1; + } +#endif + char search[256]; struct resolvconf conf; size_t l, dots; diff --git a/src/network/socket.c b/src/network/socket.c index a2e92d908265651a02e8e7bf544ea2dcd2e7ea82..82ab71e4d23db5e26c105a8860104a0ef8ed7303 100644 --- a/src/network/socket.c +++ b/src/network/socket.c 
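Review bot: The prototype `uint8_t is_allow_internet(void);` added near the top of src/network/lookup_name.c is written by hand in this file while the definition lives in socket.c, so nothing makes the compiler check the two against each other, and the name is an ordinary external identifier inside libc. Moving the declaration into a shared internal header and giving it a reserved, hidden name, e.g. `hidden uint8_t __is_allow_internet(void);`, keeps it out of the application namespace. Depending on how libc.so is linked in this build (not visible here), that also prevents an application-defined symbol of the same name from being bound in place of the real check.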
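Review bot: The early return added to `name_from_dns_search` in src/network/lookup_name.c hands back `-1`, but this function's result is passed up as an `EAI_*` code and in musl's `netdb.h` `-1` is `EAI_BADFLAGS`, so a denied lookup would surface from `getaddrinfo()` as "invalid flags" and the `EPERM` stored in `errno` would go unread. Use `errno = EPERM; return EAI_SYSTEM;` so callers are told to consult `errno`. The caller and the rest of the function body are outside the hunk, so confirm how the value is propagated in this tree. Resolver entry points that do not pass through this function are not covered by the check; whether they need it depends on code not shown here.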
@@ -1,10 +1,51 @@ #include #include #include +#include +#include +#include #include "syscall.h" +#if OHOS_PERMISSION_INTERNET +typedef uint8_t (*AllowFunc)(void); +static const char *LIB_NETSYS_CLIENT_NAME = "libnetsys_client.z.so"; +static const char *ALLOW_SOCKET_FUNC_NAME = "IsAllowInternet"; + +/* + * Read a flag from netsys_client, there is only one place to set this flag, is the + * founction named DoStartup in startup_appspawn. + * */ +uint8_t is_allow_internet(void) +{ + static uint8_t first_time = 1; + static uint8_t allow = 1; + + if (!first_time) { + return allow; + } + + void *handler = dlopen(LIB_NETSYS_CLIENT_NAME, RTLD_LAZY); + if (handler != NULL) { + AllowFunc func = (AllowFunc)dlsym(handler, ALLOW_SOCKET_FUNC_NAME); + if (func != NULL && func() == 0) { + allow = 0; + } + dlclose(handler); + } + first_time = 0; + return allow; +} +#endif + int socket(int domain, int type, int protocol) { +#if OHOS_PERMISSION_INTERNET + if ((domain == AF_INET || domain == AF_INET6) && is_allow_internet() == 0) { + errno = EPERM; + return -1; + } +#endif + int s = socketcall(socket, domain, type, protocol, 0, 0, 0); if (s<0 && (errno==EINVAL || errno==EPROTONOSUPPORT) && (type&(SOCK_CLOEXEC|SOCK_NONBLOCK))) {
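Review bot: `is_allow_internet()` fails open and latches whatever it saw on its first call: if `dlopen()` or `dlsym()` fails, `allow` stays 1 and `first_time` is still cleared, and a process that reaches `socket()` or a name lookup before the flag is set keeps the cached 1 for its lifetime (children forked from it would presumably inherit it; the spawn sequence is not visible here). Consider caching only a definitive answer, e.g. moving `first_time = 0;` into the `func != NULL` branch, or keeping the handle open and calling `func()` on every check, and state in the comment what is intended when the library cannot be loaded. The two statics are also read and written without synchronisation, so concurrent first calls race; a once-style initialiser or atomics would close that. Since the gate lives in libc it only binds callers that go through this wrapper, so it is better treated as a convenience on top of a kernel-enforced restriction than as the boundary itself. The body of `socket()` continues past the end of the hunk.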