add process pidNsInit

Signed-off-by: c30043414 <caobaolong5@huawei.com>
2024-11-27 09:11:04 +00:00 · 2024-02-19 14:49:55 +08:00 · 2024-02-19 14:49:55 +08:00 · 6cb7605887
commit 6cb7605887
parent bbc95aedf5
3 changed files with 45 additions and 0 deletions
--- a/BUILD.gn
+++ b/BUILD.gn
@ -195,11 +195,19 @@ if (!defined(ohos_lite)) {
    subsystem_name = "${subsystem_name}"
    part_name = "${part_name}"
  }
+
+  ohos_executable("pid_ns_init") {
+    sources = [ "${appspawn_path}/standard/pid_ns_init.c" ]
+    install_enable = true
+    subsystem_name = "${subsystem_name}"
+    part_name = "${part_name}"
+  }
 }

 group("appspawn_all") {
  deps = []
  if (!defined(ohos_lite)) {
+    deps += [ ":pid_ns_init" ]
    deps += [ ":appspawn" ]
    deps += [ ":appspawn.rc" ]
    deps += [ ":appspawn_helper" ]
--- a/standard/appspawn_process.c
+++ b/standard/appspawn_process.c
@ -33,6 +33,7 @@
 #include <sched.h>

 #include "securec.h"
+#include "selinux/selinux.h"
 #include "parameter.h"
 #include "limits.h"
 #include "string.h"
@ -43,6 +44,9 @@

 #define DEVICE_NULL_STR "/dev/null"

+#define PID_NS_INIT_UID 100000  // reserved for pid_ns_init process, avoid app, render proc, etc.
+#define PID_NS_INIT_GID 100000
+
 // ide-asan
 static int SetAsanEnabledEnv(struct AppSpawnContent_ *content, AppSpawnClient *client)
 {
@ -588,6 +592,15 @@ static int EnablePidNs(AppSpawnContent *content)
    int ret = unshare(CLONE_NEWPID);
    APPSPAWN_CHECK(ret == 0, return -1, "unshare CLONE_NWEPID failed, errno=%{public}d", errno);

+    pid_t pid = fork();
+    if (pid == 0) {
+        setuid(PID_NS_INIT_UID);
+        setgid(PID_NS_INIT_GID);
+        setcon("u:r:pid_ns_init:s0");
+        char* argv[] = {"/system/bin/pid_ns_init", NULL};
+        execve("/system/bin/pid_ns_init", argv, NULL);
+    }
+
    APPSPAWN_LOGI("Enable pid namespace success.");
    return 0;
 }
--- a/standard/pid_ns_init.c
+++ b/standard/pid_ns_init.c
@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2024-2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <unistd.h>
+
+int main()
+{
+    while (1) {
+        pause();
+    }
+    return 0;
+}