add logs before and after enforcing code signature

Match-id-e907cc270cbd46cd45671db74b07c499a6605b24
2025-02-26 00:45:51 +00:00 · 2023-06-15 21:43:54 +08:00 · 2023-06-15 21:43:54 +08:00 · 9794c655a0
commit 9794c655a0
parent 23dd379e52
2 changed files with 65 additions and 57 deletions
--- a/bundle.json
+++ b/bundle.json
@ -33,6 +33,7 @@
        "safwk",
        "huks",
        "eventhandler",
+        "common",
        "access_token"
      ],
      "third_party": [
@ -64,4 +65,4 @@
      "test": [ "//base/security/code_signature/test:testgroup" ]
    }
  }
-}
+}
--- a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp
+++ b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp
@ -43,18 +43,24 @@ namespace CodeSign {
 constexpr uint32_t DEFAULT_HASH_ALGORITHEM = FS_VERITY_HASH_ALG_SHA256;
 constexpr uint32_t HASH_PAGE_SIZE = 4096;

+#define NOT_SATISFIED_RETURN(CONDITION, ERROR_CODE, LOG_MESSAGE, ...) do { \
+    if (!(CONDITION)) { \
+        LOG_ERROR(LABEL, LOG_MESSAGE, ##__VA_ARGS__); \
+        return (ERROR_CODE); \
+    } \
+} while (0)
+
 int32_t CodeSignUtils::EnforceCodeSignForApp(const EntryMap &entryPath,
    const std::string &signatureFile)
 {
+    LOG_INFO(LABEL, "Start to enforce");
    // no files to enable, return directly
    if (entryPath.empty()) {
        return CS_SUCCESS;
    }

-    if (!CheckFilePathValid(signatureFile, Constants::ENABLE_SIGNATURE_FILE_BASE_PATH)) {
-        LOG_ERROR(LABEL, "Signature file is invalid.");
-        return CS_ERR_FILE_PATH;
-    }
+    NOT_SATISFIED_RETURN(CheckFilePathValid(signatureFile, Constants::ENABLE_SIGNATURE_FILE_BASE_PATH),
+        CS_ERR_FILE_PATH, "Signature file is invalid.");

    // check whether fs-verity is supported by kernel
    auto iter = entryPath.begin();
@ -65,10 +71,7 @@ int32_t CodeSignUtils::EnforceCodeSignForApp(const EntryMap &entryPath,

    std::unique_ptr<AbilityBase::Extractor> extractor = std::make_unique<AbilityBase::Extractor>(signatureFile);
    std::vector<std::string> signatureFileList;
-    if (!extractor->Init()) {
-        LOG_ERROR(LABEL, "Init extractor failed.");
-        return CS_ERR_EXTRACT_FILES;
-    }
+    NOT_SATISFIED_RETURN(extractor->Init(), CS_ERR_EXTRACT_FILES, "Init extractor failed.");
    // Get signature file entry name
    extractor->GetSpecifiedTypeFiles(signatureFileList, Constants::FSV_SIG_SUFFIX);

@ -76,30 +79,27 @@ int32_t CodeSignUtils::EnforceCodeSignForApp(const EntryMap &entryPath,
        const std::string &entryName = pathPair.first;
        const std::string &targetFile = pathPair.second;
        LOG_DEBUG(LABEL, "Enable entry %{public}s, path = %{public}s", entryName.c_str(), targetFile.c_str());
-        if (!CheckFilePathValid(targetFile, Constants::ENABLE_APP_BASE_PATH)) {
-            LOG_ERROR(LABEL, "App file is invalid.");
-            return CS_ERR_FILE_PATH;
-        }
+        NOT_SATISFIED_RETURN(CheckFilePathValid(targetFile, Constants::ENABLE_APP_BASE_PATH),
+            CS_ERR_FILE_PATH, "App file is invalid.");
+
        const std::string &signatureEntry = entryName + Constants::FSV_SIG_SUFFIX;
-        if (std::find(signatureFileList.begin(), signatureFileList.end(), signatureEntry) == signatureFileList.end()) {
-            LOG_ERROR(LABEL, "Fail to find signature for %{public}s", entryName.c_str());
-            return CS_ERR_NO_SIGNATURE;
-        }
+        NOT_SATISFIED_RETURN(
+            std::find(signatureFileList.begin(), signatureFileList.end(), signatureEntry) != signatureFileList.end(),
+            CS_ERR_NO_SIGNATURE, "Fail to find signature for %{public}s", entryName.c_str());
+
        std::unique_ptr<uint8_t[]> signatureBuffer = nullptr;
        size_t signatureSize;
-        if (!extractor->ExtractToBufByName(signatureEntry, signatureBuffer, signatureSize)) {
-            LOG_ERROR(LABEL, "Extract signture failed.");
-            return CS_ERR_EXTRACT_FILES;
-        }
-        if (signatureSize > UINT32_MAX) {
-            LOG_ERROR(LABEL, "Signature is too long.");
-            return CS_ERR_INVALID_SIGNATURE;
-        }
+        NOT_SATISFIED_RETURN(extractor->ExtractToBufByName(signatureEntry, signatureBuffer, signatureSize),
+            CS_ERR_EXTRACT_FILES, "Extract signature failed.");
+
+        NOT_SATISFIED_RETURN(signatureSize < UINT32_MAX, CS_ERR_INVALID_SIGNATURE, "Signature is too long.");
+
        ret = EnforceCodeSignForFile(targetFile, signatureBuffer.get(), static_cast<const uint32_t>(signatureSize));
        if (ret != CS_SUCCESS) {
            return ret;
        }
    }
+    LOG_INFO(LABEL, "Enforcing app complete");
    return CS_SUCCESS;
 }

@ -141,49 +141,56 @@ int32_t CodeSignUtils::EnforceCodeSignForFile(const std::string &path, const Byt
 int32_t CodeSignUtils::EnforceCodeSignForFile(const std::string &path, const uint8_t *signature,
    const uint32_t size)
 {
+    LOG_INFO(LABEL, "Start to enforce");
    if ((signature == nullptr) || (size == 0)) {
        return CS_ERR_NO_SIGNATURE;
    }
+
    std::string realPath;
-    if (!OHOS::PathToRealPath(path, realPath)) {
-        LOG_INFO(LABEL, "Get real path failed, path = %{public}s", path.c_str());
-        return CS_ERR_FILE_PATH;
-    }
+    NOT_SATISFIED_RETURN(OHOS::PathToRealPath(path, realPath), CS_ERR_FILE_PATH,
+        "Get real path failed, path = %{public}s", path.c_str());
+
    int fd = open(realPath.c_str(), O_RDONLY);
    if (fd < 0) {
        LOG_ERROR(LABEL, "Open file failed, path = %{public}s, errno = <%{public}d, %{public}s>",
            realPath.c_str(), errno, strerror(errno));
        return CS_ERR_FILE_OPEN;
    }
-    int32_t ret = IsFsVerityEnabled(fd);
-    if (ret == CS_SUCCESS) {
-        close(fd);
-        LOG_INFO(LABEL, "Fs-verity has been enabled.");
-        return CS_SUCCESS;
-    } else if (ret == CS_ERR_FILE_INVALID) {
-        close(fd);
-        return CS_ERR_FILE_INVALID;
-    }
-    struct fsverity_enable_arg arg = {};
-    arg.version = 1;    // version of fs-verity, must be 1
-    arg.hash_algorithm = DEFAULT_HASH_ALGORITHEM;
-    arg.block_size = HASH_PAGE_SIZE;
-    arg.salt_ptr = 0;
-    arg.salt_size = 0;
-    arg.sig_size = size;
-    arg.sig_ptr = reinterpret_cast<uintptr_t>(signature);
-    StartTrace(HITRACE_TAG_ACCESS_CONTROL, CODE_SIGN_ENABLE_START);
-    int error = ioctl(fd, FS_IOC_ENABLE_VERITY, &arg);
-    FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
-    if (error < 0) {
-        close(fd);
-        LOG_ERROR(LABEL, "Enable fs-verity failed, errno = <%{public}d, %{public}s>",
-            errno, strerror(errno));
-        ReportEnableError(path, errno);
-        return CS_ERR_ENABLE;
-    }
+
+    int32_t ret;
+    do {
+        ret = IsFsVerityEnabled(fd);
+        if (ret == CS_SUCCESS) {
+            LOG_INFO(LABEL, "Fs-verity has been enabled.");
+            break;
+        } else if (ret == CS_ERR_FILE_INVALID) {
+            break;
+        }
+
+        struct fsverity_enable_arg arg = {};
+        arg.version = 1;    // version of fs-verity, must be 1
+        arg.hash_algorithm = DEFAULT_HASH_ALGORITHEM;
+        arg.block_size = HASH_PAGE_SIZE;
+        arg.salt_ptr = 0;
+        arg.salt_size = 0;
+        arg.sig_size = size;
+        arg.sig_ptr = reinterpret_cast<uintptr_t>(signature);
+
+        StartTrace(HITRACE_TAG_ACCESS_CONTROL, CODE_SIGN_ENABLE_START);
+        int error = ioctl(fd, FS_IOC_ENABLE_VERITY, &arg);
+        FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
+        if (error < 0) {
+            LOG_ERROR(LABEL, "Enable fs-verity failed, errno = <%{public}d, %{public}s>",
+                errno, strerror(errno));
+            ReportEnableError(path, errno);
+            ret = CS_ERR_ENABLE;
+            break;
+        }
+        ret = CS_SUCCESS;
+    } while (0);
    close(fd);
-    return CS_SUCCESS;
+    LOG_INFO(LABEL, "Enforcing file complete");
+    return ret;
 }
 }
 }