Set Security Label For AOT Files

Issue:https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IAL8CF Signed-off-by: wu_zhang_da <wuzhangda@huawei.com> Change-Id: Ia99bdb47c4e09f943f19a489713b144c1b89cc75
2024-10-06 23:54:03 +00:00 · 2024-08-20 15:23:31 +08:00 · 2024-08-20 15:23:31 +08:00 · 019e386c0b
commit 019e386c0b
parent 3614686182
8 changed files with 55 additions and 1 deletions
--- a/ecmascript/compiler/file_generators.cpp
+++ b/ecmascript/compiler/file_generators.cpp
@ -21,6 +21,7 @@
 #include "ecmascript/pgo_profiler/pgo_profiler_manager.h"
 #include "ecmascript/platform/code_sign.h"
 #include "ecmascript/platform/directory.h"
+#include "ecmascript/platform/os.h"
 #include "ecmascript/snapshot/mem/snapshot.h"
 #include "ecmascript/stackmap/ark_stackmap_builder.h"
 #include "ecmascript/stackmap/llvm/llvm_stackmap_parser.h"
@ -665,6 +666,7 @@ bool AOTFileGenerator::SaveAOTFile(const std::string &filename, const std::strin
        LOG_COMPILER(ERROR) << "Fail to set an file mode:" << filename;
        return false;
    }
+    SetSecurityLabel(filename);
    panda::ecmascript::CodeSignatureForAOTFile(filename, appSignature);
    return true;
 }
@ -790,6 +792,7 @@ bool AOTFileGenerator::SaveSnapshotFile()
        LOG_COMPILER(ERROR) << "Fail to set ai file mode:" << aiPath;
        return false;
    }
+    SetSecurityLabel(aiPath.c_str());
    return true;
 }
 }  // namespace panda::ecmascript::kungfu
--- a/ecmascript/ohos/ohos_pgo_processor.h
+++ b/ecmascript/ohos/ohos_pgo_processor.h
@ -19,6 +19,7 @@
 #include "ecmascript/compiler/aot_compiler_preprocessor.h"
 #include "ecmascript/log_wrapper.h"
 #include "ecmascript/ohos/ohos_pkg_args.h"
+#include "ecmascript/platform/os.h"

 namespace panda::ecmascript::kungfu {
 class OhosPgoProcessor {
@ -50,6 +51,7 @@ public:
        ASSERT(mainPkgArgs != nullptr);
        // all ohos ap(s) merged into the merged ap file.
        cOptions.profilerIn_ = mainPkgArgs->GetMergedApPath();
+        SetSecurityLabel(cOptions.profilerIn_);
        ASSERT(!cOptions.profilerIn_.empty());
        return true;
    }
--- a/ecmascript/pgo_profiler/pgo_profiler_encoder.cpp
+++ b/ecmascript/pgo_profiler/pgo_profiler_encoder.cpp
@ -32,6 +32,7 @@
 #include "ecmascript/platform/file.h"
 #include "ecmascript/platform/mutex.h"
 #include "ecmascript/taskpool/taskpool.h"
+#include "ecmascript/platform/os.h"

 namespace panda::ecmascript::pgo {
 void PGOProfilerEncoder::Destroy()
@ -69,6 +70,9 @@ bool PGOProfilerEncoder::ResetOutPath(const std::string &profileFileName)
    if (realOutPath_.compare(realOutPath_.length() - suffixLength, suffixLength, ApNameUtils::AP_SUFFIX)) {
        realOutPath_ += "/" + profileFileName;
    }
+
+    SetSecurityLabel(realOutPath_);
+
    LOG_ECMA(INFO) << "Save profiler to file:" << realOutPath_;
    return true;
 }
--- a/ecmascript/platform/os.h
+++ b/ecmascript/platform/os.h
@ -18,9 +18,13 @@

 #include <cstddef>
 #include <cstdint>
+#include <string>
 #include "ecmascript/common.h"

 namespace panda::ecmascript {
+const char XATTR_KEY[] = {"user.security"};
+const std::string DEFAULT_DATA_LEVEL = "s1";
+const int DEFAULT_DATA_LENGTH = 2;
 size_t MallocUsableSize(void *p);
 uint32_t NumberOfCpuCore();
 size_t PhysicalSize();
@ -28,6 +32,7 @@ int PrctlSetVMA(const void *p, const size_t size, const char *tag);
 long PtracePeektext(int pid, uintptr_t addr);
 PUBLIC_API void BindSmallCpuCore();
 PUBLIC_API void BindMidCpuCore();
+PUBLIC_API void SetSecurityLabel(const std::string& path);
 void PUBLIC_API *PageMapExecFortSpace(void *addr, size_t size, int prot);
 }  // namespace panda::ecmascript
 #endif  // ECMASCRIPT_PLATFORM_OS_H
--- a/ecmascript/platform/unix/linux/os.cpp
+++ b/ecmascript/platform/unix/linux/os.cpp
@ -21,6 +21,8 @@
 #include <sys/prctl.h>
 #include <sys/ptrace.h>
 #include <sys/sysinfo.h>
+#include <sys/types.h>
+#include <sys/xattr.h>
 #include <unistd.h>

 #include "ecmascript/log_wrapper.h"
@ -100,4 +102,19 @@ void *PageMapExecFortSpace(void *addr, size_t size, int prot)
    }
    return res;
 }
+
+void SetSecurityLabel(const std::string& path)
+{
+    const std::string dataLevel = DEFAULT_DATA_LEVEL;
+    auto xattrValueSize = getxattr(path.c_str(), XATTR_KEY, nullptr, 0);
+    if (xattrValueSize == static_cast<ssize_t>(DEFAULT_DATA_LENGTH)) {
+        char xattrValue[DEFAULT_DATA_LENGTH + 1];
+        xattrValueSize = getxattr(path.c_str(), XATTR_KEY, xattrValue, xattrValueSize);
+        xattrValue[DEFAULT_DATA_LENGTH] = '\0';
+    }
+
+    if (setxattr(path.c_str(), XATTR_KEY, dataLevel.c_str(), dataLevel.size(), 0) < 0) {
+        LOG_ECMA(WARN) << "set label failed! level: " << dataLevel << ", file: " << path;
+    }
+}
 }  // namespace panda::ecmascript
--- a/ecmascript/platform/unix/mac/os.cpp
+++ b/ecmascript/platform/unix/mac/os.cpp
@ -18,6 +18,8 @@
 #include <ctime>
 #include <malloc/malloc.h>
 #include <sys/sysctl.h>
+#include <sys/types.h>
+#include <sys/xattr.h>
 #include <unistd.h>

 #include "ecmascript/log_wrapper.h"
@ -41,7 +43,7 @@ size_t PhysicalSize()
    mib[1] = HW_MEMSIZE;
    int64_t size = 0;
    size_t bufferLength = sizeof(size);
-    if (sysctl(mib, MIB_LENGTH, &size, &bufferLength, NULL, 0) != 0) {
+    if (sysctl(mib, MIB_LENGTH, &size, &bufferLength, nullptr, 0) != 0) {
        LOG_ECMA(FATAL) << "sysctl error";
    }
    return static_cast<size_t>(size);
@ -72,4 +74,19 @@ void *PageMapExecFortSpace(void *addr, [[maybe_unused]] size_t size, [[maybe_unu
    // basically no op
    return addr;
 }
+
+void SetSecurityLabel(const std::string& path)
+{
+    const std::string dataLevel = DEFAULT_DATA_LEVEL;
+    auto xattrValueSize = getxattr(path.c_str(), XATTR_KEY, nullptr, 0, 0, 0);
+    if (xattrValueSize == static_cast<ssize_t>(DEFAULT_DATA_LENGTH)) {
+        char xattrValue[DEFAULT_DATA_LENGTH + 1];
+        xattrValueSize = getxattr(path.c_str(), XATTR_KEY, xattrValue, xattrValueSize, 0, 0);
+        xattrValue[DEFAULT_DATA_LENGTH] = '\0';
+    }
+
+    if (setxattr(path.c_str(), XATTR_KEY, dataLevel.c_str(), dataLevel.size(), 0, 0) < 0) {
+        LOG_ECMA(WARN) << "set label failed! level: " << dataLevel << ", file: " << path;
+    }
+}
 }  // namespace panda::ecmascript
--- a/ecmascript/platform/windows/os.cpp
+++ b/ecmascript/platform/windows/os.cpp
@ -68,4 +68,9 @@ void *PageMapExecFortSpace(void *addr, [[maybe_unused]] size_t size, [[maybe_unu
    // basically no op
    return addr;
 }
+
+void SetSecurityLabel([[maybe_unused]] const std::string& path)
+{
+    LOG_ECMA(INFO) << "Set Security Label in windows not support";
+}
 }  // namespace panda::ecmascript
--- a/libark_jsruntime.map
+++ b/libark_jsruntime.map
@ -133,6 +133,7 @@
      panda::ecmascript::BigInt::Int32ToBigInt*;
      panda::ecmascript::BindSmallCpuCore*;
      panda::ecmascript::BindMidCpuCore*;
+      panda::ecmascript::SetSecurityLabel*;
      panda::ecmascript::ClassHelper::MatchFieldType*;
      panda::ecmascript::ConstantPool::GetMethodFromCache*;
      panda::ecmascript::ConstantPool::GetStringFromCacheForJit*;