!1393 适配高权限场景下app与appspawn的seccomp策略

Merge pull request !1393 from 夏不白/sudo_seccomp
2024-11-27 01:00:38 +00:00 · 2024-10-11 14:02:36 +00:00 · 2024-10-11 14:02:36 +00:00 · b407a0c3f3
commit b407a0c3f3
parent 7e295e2331 6e8bb335d9
7 changed files with 43 additions and 1 deletions
--- a/BUILD.gn
+++ b/BUILD.gn
@ -29,6 +29,9 @@ config("appspawn_config") {

  if (build_seccomp) {
    cflags += [ "-DWITH_SECCOMP" ]
+    if (appspawn_seccomp_privilege) {
+      cflags += [ "-DSECCOMP_PRIVILEGE" ]
+    }
  }
 }

--- a/appspawn.gni
+++ b/appspawn.gni
@ -30,4 +30,5 @@ declare_args() {
  appspawn_use_encaps = false
  enable_appspawn_dump_catcher = true
  appspawn_unittest_coverage = false
+  appspawn_seccomp_privilege = false
 }
--- a/bundle.json
+++ b/bundle.json
@ -22,7 +22,8 @@
            "appspawn_support_nweb",
            "appspawn_support_cj",
            "appspawn_support_native",
-            "appspawn_use_encaps"
+            "appspawn_use_encaps",
+            "appspawn_seccomp_privilege"
        ],
        "rom": "296KB",
        "ram": "13125KB",
--- a/modules/common/BUILD.gn
+++ b/modules/common/BUILD.gn
@ -56,6 +56,9 @@ ohos_shared_library("appspawn_common") {
  }
  if (build_seccomp) {
    defines += [ "WITH_SECCOMP" ]
+    if (appspawn_seccomp_privilege) {
+      cflags += [ "-DSECCOMP_PRIVILEGE" ]
+    }
    external_deps += [ "init:seccomp" ]
  }

--- a/modules/common/appspawn_adapter.cpp
+++ b/modules/common/appspawn_adapter.cpp
@ -31,6 +31,12 @@
 #ifdef WITH_SECCOMP
 #include "seccomp_policy.h"
 #include <sys/prctl.h>
+#ifdef SECCOMP_PRIVILEGE
+#include <dlfcn.h>
+#define GET_ALL_PROCESSES "ohos.permission.GET_ALL_PROCESSES"
+#define GET_PERMISSION_INDEX "GetPermissionIndex"
+using GetPermissionFunc = int32_t (*)(void *, const char *);
+#endif
 #endif
 #define MSG_EXT_NAME_PROCESS_TYPE "ProcessType"
 #define NWEBSPAWN_SERVER_NAME "nwebspawn"
@ -135,6 +141,11 @@ int SetUidGidFilter(const AppSpawnMgr *content)
        }
        ret = SetSeccompPolicyWithName(INDIVIDUAL, NWEBSPAWN_NAME);
    } else {
+#ifdef SECCOMP_PRIVILEGE
+        if (IsDeveloperModeOpen()) {
+            return 0;
+        }
+#endif
        ret = SetSeccompPolicyWithName(INDIVIDUAL, APPSPAWN_NAME);
    }
    if (!ret) {
@ -162,6 +173,23 @@ int SetSeccompFilter(const AppSpawnMgr *content, const AppSpawningCtx *property)
        }
    }

+#ifdef SECCOMP_PRIVILEGE
+    if (IsDeveloperModeOpen()) {
+        static GetPermissionFunc getPermissionFuncPtr = nullptr;
+        if (getPermissionFuncPtr == nullptr) {
+            getPermissionFuncPtr = reinterpret_cast<GetPermissionFunc>(dlsym(nullptr, GET_PERMISSION_INDEX));
+            if (getPermissionFuncPtr == nullptr) {
+                APPSPAWN_LOGE("Failed to dlsym get permission errno is %{public}d", errno);
+                return -EINVAL;
+            }
+        }
+        int32_t index = getPermissionFuncPtr(nullptr, GET_ALL_PROCESSES);
+        if (CheckAppPermissionFlagSet(property, static_cast<uint32_t>(index)) != 0) {
+            appName = APP_PRIVILEGE;
+        }
+    }
+#endif
+
    if (CheckAppSpawnMsgFlag(property->message, TLV_MSG_FLAGS, APP_FLAGS_ISOLATED_SANDBOX) != 0) {
        appName = IMF_EXTENTOIN_NAME;
    }
--- a/modules/nweb_adapter/BUILD.gn
+++ b/modules/nweb_adapter/BUILD.gn
@ -43,6 +43,9 @@ ohos_shared_library("appspawn_nweb") {
  ]
  if (build_seccomp) {
    cflags += [ "-DWITH_SECCOMP" ]
+    if (appspawn_seccomp_privilege) {
+      cflags += [ "-DSECCOMP_PRIVILEGE" ]
+    }
    external_deps += [ "init:seccomp" ]
  }
  subsystem_name = "${subsystem_name}"
--- a/standard/BUILD.gn
+++ b/standard/BUILD.gn
@ -31,6 +31,9 @@ config("appspawn_server_config") {

  if (build_seccomp) {
    cflags += [ "-DWITH_SECCOMP" ]
+    if (appspawn_seccomp_privilege) {
+      cflags += [ "-DSECCOMP_PRIVILEGE" ]
+    }
  }
  configs = [ "${appspawn_path}:appspawn_config" ]
 }