未验证 提交 f4777e40 编写于 作者: O openharmony_ci 提交者: Gitee

!413 增加socket权限管控

Merge pull request !413 from maosiping/master
...@@ -182,7 +182,10 @@ template("musl_libs") { ...@@ -182,7 +182,10 @@ template("musl_libs") {
defines += [ "BROKEN_VFP_ASM" ] defines += [ "BROKEN_VFP_ASM" ]
} }
if (is_standard_system) { if (is_standard_system) {
defines += [ "OHOS_DNS_PROXY_BY_NETSYS=1" ] defines += [
"OHOS_DNS_PROXY_BY_NETSYS=1",
"OHOS_PERMISSION_INTERNET=1",
]
} }
if (enable_musl_log) { if (enable_musl_log) {
......
...@@ -15,6 +15,10 @@ ...@@ -15,6 +15,10 @@
#include "stdio_impl.h" #include "stdio_impl.h"
#include "syscall.h" #include "syscall.h"
#if OHOS_PERMISSION_INTERNET
uint8_t is_allow_internet(void);
#endif
static int is_valid_hostname(const char *host) static int is_valid_hostname(const char *host)
{ {
const unsigned char *s; const unsigned char *s;
...@@ -168,6 +172,13 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static ...@@ -168,6 +172,13 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static
static int name_from_dns_search(struct address buf[static MAXADDRS], char canon[static 256], const char *name, int family) static int name_from_dns_search(struct address buf[static MAXADDRS], char canon[static 256], const char *name, int family)
{ {
#if OHOS_PERMISSION_INTERNET
if (is_allow_internet() == 0) {
errno = EPERM;
return -1;
}
#endif
char search[256]; char search[256];
struct resolvconf conf; struct resolvconf conf;
size_t l, dots; size_t l, dots;
......
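Review bot: The permission check added at the top of name_from_dns_search returns `-1`, which in musl's resolver return convention is the value of EAI_BADFLAGS, so a getaddrinfo() caller would presumably see "invalid flags" instead of a permission failure. Since the new code also sets `errno = EPERM`, `return EAI_SYSTEM;` looks like the intended result, because that is the code that tells callers to consult errno. The caller is outside this hunk, so confirm how the return value is propagated before changing it. Separately, the prototype `uint8_t is_allow_internet(void);` is declared by hand in this file; moving it to a shared internal header would let the compiler check it against the definition.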
#include <sys/socket.h> #include <sys/socket.h>
#include <fcntl.h> #include <fcntl.h>
#include <errno.h> #include <errno.h>
#include <dlfcn.h>
#include <stdint.h>
#include <stddef.h>
#include "syscall.h" #include "syscall.h"
#if OHOS_PERMISSION_INTERNET
typedef uint8_t (*AllowFunc)(void);
static const char *LIB_NETSYS_CLIENT_NAME = "libnetsys_client.z.so";
static const char *ALLOW_SOCKET_FUNC_NAME = "IsAllowInternet";
/*
* Read a flag from netsys_client, there is only one place to set this flag, is the
* founction named DoStartup in startup_appspawn.
* */
uint8_t is_allow_internet(void)
{
static uint8_t first_time = 1;
static uint8_t allow = 1;
if (!first_time) {
return allow;
}
void *handler = dlopen(LIB_NETSYS_CLIENT_NAME, RTLD_LAZY);
if (handler != NULL) {
AllowFunc func = (AllowFunc)dlsym(handler, ALLOW_SOCKET_FUNC_NAME);
if (func != NULL && func() == 0) {
allow = 0;
}
dlclose(handler);
}
first_time = 0;
return allow;
}
#endif
int socket(int domain, int type, int protocol) int socket(int domain, int type, int protocol)
{ {
#if OHOS_PERMISSION_INTERNET
if ((domain == AF_INET || domain == AF_INET6) && is_allow_internet() == 0) {
errno = EPERM;
return -1;
}
#endif
int s = socketcall(socket, domain, type, protocol, 0, 0, 0); int s = socketcall(socket, domain, type, protocol, 0, 0, 0);
if (s<0 && (errno==EINVAL || errno==EPROTONOSUPPORT) if (s<0 && (errno==EINVAL || errno==EPROTONOSUPPORT)
&& (type&(SOCK_CLOEXEC|SOCK_NONBLOCK))) { && (type&(SOCK_CLOEXEC|SOCK_NONBLOCK))) {
......
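Review bot: is_allow_internet() fails open and then caches that result: if `dlopen` of libnetsys_client.z.so fails or `dlsym` returns NULL, `allow` stays 1 and `first_time = 0;` pins it for the rest of the process, so a load failure silently disables the check. If fail-open is intended, say so in the comment above the function; otherwise move `first_time = 0;` inside the `func != NULL` branch so a failed lookup is retried, or set `allow = 0` on failure. `first_time` and `allow` are plain statics read and written without synchronisation, while socket() can be called from several threads at once, so the first-call path needs a once-style guard or atomics. The cache also assumes the flag is already set when the first AF_INET/AF_INET6 socket() or DNS lookup runs; the comment says it is set only in DoStartup, so an earlier call (presumably also one made before a fork, since statics are inherited) would keep `allow = 1`, which is worth confirming. Note too that this check lives in libc and only covers callers that go through this wrapper, so it should be documented as a policy hook backed by a kernel-side control, not as the enforcement boundary itself; the body of socket() continues outside the hunk.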