!240 parsing fortify

Merge pull request !240 from fundavid/parse_fortify

services/key_enable/utils/include/key_utils.h

@@ -22,6 +22,12 @@
 
 #include <sys/types.h>
 
+#ifdef KEY_ENABLE_UTILS_TEST
+#include <string>
+extern const std::string PROC_CMDLINE_FILE_PATH;
+extern int32_t g_isRdDevice;
+#endif
+
 typedef int32_t KeySerial;
 
 #ifdef __cplusplus

services/key_enable/utils/src/devices_security.cpp

@@ -23,7 +23,6 @@
 #include <securec.h>
 
 #include "log.h"
-#include "parameter.h"
 
 using namespace OHOS::Security::CodeSign;
 
@@ -34,29 +33,46 @@ enum DeviceMode {
 };
 
 constexpr int32_t CMDLINE_MAX_BUF_LEN = 4096;
+#ifndef KEY_ENABLE_UTILS_TEST
 static const std::string PROC_CMDLINE_FILE_PATH = "/proc/cmdline";
 static int32_t g_isRdDevice = NOT_INITIALIZE;
+#else
+const std::string PROC_CMDLINE_FILE_PATH = "/data/test/tmp/cmdline";
+int32_t g_isRdDevice = NOT_INITIALIZE;
+#endif
 
-static bool CheckDeviceMode(char *buf, ssize_t bunLen)
+static bool CheckDeviceMode(char *buf, ssize_t bufLen)
 {
-    if (strstr(buf, "oemmode=rd")) {
+    bool status = false;
+    char *onStr = strstr(buf, "oemmode=rd");
+    char *offStr = strstr(buf, "oemmode=user");
+    char *statusStr = strstr(buf, "oemmode=");
+    if (onStr == nullptr && offStr == nullptr) {
+        LOG_INFO(LABEL, "Not rd mode, cmdline = %{private}s", buf);
+    } else if (offStr != nullptr && statusStr != nullptr && offStr != statusStr) {
+        LOG_ERROR(LABEL, "cmdline attacked, cmdline = %{private}s", buf);
+    } else if (onStr != nullptr && offStr == nullptr) {
+        status = true;
         LOG_DEBUG(LABEL, "Oemode is rd");
-        return true;
-    } else {
-        LOG_DEBUG(LABEL, "Not rd mode, cmdline = %{private}s", buf);
     }
-    return false;
+    return status;
 }
 
-static int32_t CheckEfuseStatus(char *buf, ssize_t bunLen)
+static bool CheckEfuseStatus(char *buf, ssize_t bufLen)
 {
-    if (strstr(buf, "efuse_status=1")) {
+    bool status = false;
+    char *onStr = strstr(buf, "efuse_status=1");
+    char *offStr = strstr(buf, "efuse_status=0");
+    char *statusStr = strstr(buf, "efuse_status=");
+    if (onStr == nullptr && offStr == nullptr) {
+        LOG_INFO(LABEL, "device is efused, cmdline = %{private}s", buf);
+    } else if (offStr != nullptr && statusStr != nullptr && offStr != statusStr) {
+        LOG_ERROR(LABEL, "cmdline attacked, cmdline = %{private}s", buf);
+    } else if (onStr != nullptr && offStr == nullptr) {
+        status = true;
         LOG_DEBUG(LABEL, "device is not efused");
-        return true;
-    } else {
-        LOG_DEBUG(LABEL, "Not efused, cmdline = %{private}s", buf);
     }
-    return false;
+    return status;
 }
 
 static void ParseCMDLine()

test/unittest/BUILD.gn

@@ -364,12 +364,21 @@ ohos_unittest("jit_code_sign_unittest") {
 
 ohos_unittest("key_enable_utils_unittest") {
   module_out_path = "security/code_signature"
-  sources = [ "key_enable_utils_test.cpp" ]
+  sources = [
+    "${code_signature_root_dir}/services/key_enable/utils/src/devices_security.cpp",
+    "key_enable_utils_test.cpp",
+  ]
+  defines = [ "KEY_ENABLE_UTILS_TEST" ]
+  configs = [ "${code_signature_root_dir}:common_utils_config" ]
   include_dirs =
       [ "${code_signature_root_dir}/services/key_enable/utils/include" ]
   deps = [
     "${code_signature_root_dir}/services/key_enable/utils:libkey_enable_utils",
   ]
+  external_deps = [
+    "c_utils:utils",
+    "hilog:libhilog",
+  ]
 }
 
 ohos_unittest("cert_chain_verifier_unittest") {

test/unittest/key_enable_utils_test.cpp

@@ -26,6 +26,13 @@ namespace OHOS {
 namespace Security {
 namespace CodeSign {
 
+static const std::string RD_DEVICE_1 = "oemmode=rd efuse_status=0";
+static const std::string RD_DEVICE_2 = "oemmode=user efuse_status=1";
+static const std::string NOT_RD_DEVICE = "oemmode=user efuse_status=0";
+static const std::string DEVICE_MODE_ATTACKED = "oemmode=rd oemmode=user";
+static const std::string EFUSED_ATTACKED = "efuse_status=1 efuse_status=0";
+constexpr int32_t NOT_INITIALIZE = 0;
+
 class KeyEnableUtilsTest : public testing::Test {
 public:
     KeyEnableUtilsTest() {};
@@ -36,6 +43,21 @@ public:
     void TearDown() {};
 };
 
+static bool OverWriteCMDLine(const std::string &content)
+{
+    FILE *file = fopen(PROC_CMDLINE_FILE_PATH.c_str(), "w+");
+    if (file == nullptr) {
+        return false;
+    }
+    size_t result = fwrite(content.c_str(), 1, content.size(), file);
+    if (result != content.size()) {
+        (void)fclose(file);
+        return false;
+    }
+    (void)fclose(file);
+    return true;
+}
+
 /**
  * @tc.name: KeyEnableUtilsTest_0001
  * @tc.desc: check status of device
@@ -44,7 +66,20 @@ public:
  */
 HWTEST_F(KeyEnableUtilsTest, KeyEnableUtilsTest_0001, TestSize.Level0)
 {
+    ASSERT_EQ(OverWriteCMDLine(RD_DEVICE_1), true);
     EXPECT_EQ(IsRdDevice(), true);
+    g_isRdDevice = NOT_INITIALIZE;
+    ASSERT_EQ(OverWriteCMDLine(RD_DEVICE_2), true);
+    EXPECT_EQ(IsRdDevice(), true);
+    g_isRdDevice = NOT_INITIALIZE;
+    ASSERT_EQ(OverWriteCMDLine(NOT_RD_DEVICE), true);
+    EXPECT_EQ(IsRdDevice(), false);
+    g_isRdDevice = NOT_INITIALIZE;
+    ASSERT_EQ(OverWriteCMDLine(DEVICE_MODE_ATTACKED), true);
+    EXPECT_EQ(IsRdDevice(), false);
+    g_isRdDevice = NOT_INITIALIZE;
+    ASSERT_EQ(OverWriteCMDLine(EFUSED_ATTACKED), true);
+    EXPECT_EQ(IsRdDevice(), false);
 }
 } // namespace CodeSign
 } // namespace Security

test/unittest/resources/ohos_test.xml

@@ -161,6 +161,14 @@
             <option name="shell" value="rm -rf /data/test/tmp"/>
         </cleaner>
     </target>
+    <target name="key_enable_utils_unittest">
+        <preparer>
+            <option name="shell" value="mkdir -p /data/test/tmp"/>
+        </preparer>
+        <cleaner>
+            <option name="shell" value="rm -rf /data/test/tmp"/>
+        </cleaner>
+    </target>
     <target name="rust_key_enable_unittest">
         <preparer>
             <option name="shell" value="mkdir -p /data/test/tmp"/>