add check groupid in service for parameter set

Signed-off-by: cheng_jinsong <chengjinsong2@huawei.com>
2024-11-28 02:41:12 +00:00 · 2023-04-21 17:32:51 +08:00 · 2023-04-21 17:32:51 +08:00 · 0012e71e9e
commit 0012e71e9e
parent 14d375280a
5 changed files with 78 additions and 25 deletions
--- a/services/include/init_utils.h
+++ b/services/include/init_utils.h
@ -93,6 +93,8 @@ INIT_LOCAL_API int StringToULL(const char *str, unsigned long long int *out);
 INIT_LOCAL_API int StringToLL(const char *str, long long int *out);
 void CloseStdio(void);
 void RedirectStdio(int fd);
+
+int GetServiceGroupIdByPid(pid_t pid, gid_t *gids, uint32_t gidSize);
 #ifdef __cplusplus
 #if __cplusplus
 }
--- a/services/include/param/sys_param.h
+++ b/services/include/param/sys_param.h
@ -17,6 +17,7 @@
 #define BASE_STARTUP_INIT_SYS_PARAM_H
 #include <stdarg.h>
 #include <stdint.h>
+#include <unistd.h>
 #ifdef __cplusplus
 #if __cplusplus
 extern "C" {
@ -30,6 +31,7 @@ typedef struct {
    uint8_t updaterMode;
    void (*logFunc)(int logLevel, uint32_t domain, const char *tag, const char *fmt, va_list vargs);
    int (*setfilecon)(const char *name, const char *content);
+    int (*getServiceGroupIdByPid)(pid_t pid, gid_t *gids, uint32_t gidSize);
 } PARAM_WORKSPACE_OPS;

 /**
--- a/services/init/init_service_manager.c
+++ b/services/init/init_service_manager.c
@ -1196,3 +1196,15 @@ int GetKillServiceSig(const char *name)
    }
    return SIGKILL;
 }
+
+int GetServiceGroupIdByPid(pid_t pid, gid_t *gids, uint32_t gidSize)
+{
+    Service *service = GetServiceByPid(pid);
+    if (service != NULL) {
+        int ret = memcpy_s(gids, gidSize * sizeof(gid_t),
+            service->servPerm.gIDArray, service->servPerm.gIDCnt * sizeof(gid_t));
+        INIT_ERROR_CHECK(ret == 0, return 0, "Failed get copy gids");
+        return service->servPerm.gIDCnt;
+    }
+    return 0;
+}
--- a/services/param/base/param_base.c
+++ b/services/param/base/param_base.c
@ -99,8 +99,15 @@ static int CheckNeedInit(int onlyRead, const PARAM_WORKSPACE_OPS *ops)
 {
    if (ops != NULL) {
        g_paramWorkSpace.ops.updaterMode = ops->updaterMode;
-        if (g_paramWorkSpace.ops.logFunc == NULL && ops->logFunc != NULL) {
-            g_paramWorkSpace.ops.logFunc = ops->logFunc;
+        if (ops->getServiceGroupIdByPid != NULL) {
+            g_paramWorkSpace.ops.getServiceGroupIdByPid = ops->getServiceGroupIdByPid;
+        }
+        if (ops->logFunc != NULL) {
+            if (onlyRead == 0) {
+                g_paramWorkSpace.ops.logFunc = ops->logFunc;
+            } else if (g_paramWorkSpace.ops.logFunc == NULL) {
+                g_paramWorkSpace.ops.logFunc = ops->logFunc;
+            }
        }
 #ifdef PARAM_SUPPORT_SELINUX
        g_paramWorkSpace.ops.setfilecon = ops->setfilecon;
@ -495,6 +502,32 @@ static int CheckUserInGroup(WorkSpace *space, gid_t groupId, uid_t uid)
    return -1;
 }

+STATIC_INLINE int DacCheckGroupPermission(const ParamSecurityLabel *srcLabel, uint32_t mode, ParamSecurityNode *node)
+{
+    uint32_t localMode = (mode & (DAC_READ | DAC_WRITE | DAC_WATCH)) >> DAC_GROUP_START;
+    if (srcLabel->cred.gid == node->gid) {
+        if ((node->mode & localMode) != 0) {
+            return DAC_RESULT_PERMISSION;
+        }
+    }
+    if (mode != DAC_WRITE || g_paramWorkSpace.ops.getServiceGroupIdByPid == NULL) {
+        return DAC_RESULT_FORBIDED;
+    }
+    gid_t gids[64] = { 0 }; // max gid number
+    const uint32_t gidNumber = g_paramWorkSpace.ops.getServiceGroupIdByPid(
+        srcLabel->cred.pid, gids, sizeof(gids) / sizeof(gids[0]));
+    for (uint32_t index = 0; index < gidNumber; index++) {
+        PARAM_LOGV("DacCheckGroupPermission gid %u", gids[index]);
+        if (gids[index] != node->gid) {
+            continue;
+        }
+        if ((node->mode & localMode) != 0) {
+            return DAC_RESULT_PERMISSION;
+        }
+    }
+    return DAC_RESULT_FORBIDED;
+}
+
 STATIC_INLINE int DacCheckParamPermission(const ParamLabelIndex *labelIndex,
    const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode)
 {
@ -503,8 +536,6 @@ STATIC_INLINE int DacCheckParamPermission(const ParamLabelIndex *labelIndex,
        return DAC_RESULT_PERMISSION;
    }
 #endif
-
-    int ret = DAC_RESULT_FORBIDED;
    // get dac label
    WorkSpace *space = g_paramWorkSpace.workSpace[WORKSPACE_INDEX_DAC];
    ParamSecurityNode *node = (ParamSecurityNode *)GetTrieNode(space, labelIndex->dacLabelIndex);
@ -517,30 +548,35 @@ STATIC_INLINE int DacCheckParamPermission(const ParamLabelIndex *labelIndex,
    uint32_t localMode = (mode & (DAC_READ | DAC_WRITE | DAC_WATCH)) >> DAC_OTHER_START;
    // 1, check other
    if ((node->mode & localMode) != 0) {
-        ret = DAC_RESULT_PERMISSION;
-    } else {
-        if (srcLabel->cred.uid == node->uid) { // 2, check uid
-            localMode = mode & (DAC_READ | DAC_WRITE | DAC_WATCH);
-        } else if (srcLabel->cred.gid == node->gid) { // 3, check gid
-            localMode = (mode & (DAC_READ | DAC_WRITE | DAC_WATCH)) >> DAC_GROUP_START;
-        } else if (CheckUserInGroup(space, node->gid, srcLabel->cred.uid) == 0) {  // 4, check user in group
-            localMode = (mode & (DAC_READ | DAC_WRITE | DAC_WATCH)) >> DAC_GROUP_START;
-        }
+        return DAC_RESULT_PERMISSION;
+    }
+    // 2, check uid
+    if (srcLabel->cred.uid == node->uid) {
+        localMode = mode & (DAC_READ | DAC_WRITE | DAC_WATCH);
        if ((node->mode & localMode) != 0) {
-            ret = DAC_RESULT_PERMISSION;
-        } else {
-            PARAM_LOGW("Param '%s' label gid:%d uid:%d mode 0%o",
-                name, srcLabel->cred.gid, srcLabel->cred.uid, localMode);
-            PARAM_LOGW("Cfg label %u gid:%d uid:%d mode 0%o ",
-                labelIndex->dacLabelIndex, node->gid, node->uid, node->mode);
-#ifndef __MUSL__
-#ifndef STARTUP_INIT_TEST
-        ret = DAC_RESULT_PERMISSION;
-#endif
-#endif
+            return DAC_RESULT_PERMISSION;
        }
    }
-    return ret;
+    // 3, check gid
+    if (DacCheckGroupPermission(srcLabel, mode, node) == DAC_RESULT_PERMISSION) {
+        return DAC_RESULT_PERMISSION;
+    }
+    // 4, check user in group
+    if (CheckUserInGroup(space, node->gid, srcLabel->cred.uid) == 0) {
+        localMode = (mode & (DAC_READ | DAC_WRITE | DAC_WATCH)) >> DAC_GROUP_START;
+        if ((node->mode & localMode) != 0) {
+            return DAC_RESULT_PERMISSION;
+        }
+    }
+    // forbid
+    PARAM_LOGW("Param '%s' label gid:%d uid:%d mode 0%x", name, srcLabel->cred.gid, srcLabel->cred.uid, mode);
+    PARAM_LOGW("Cfg label %u gid:%d uid:%d mode 0%x ", labelIndex->dacLabelIndex, node->gid, node->uid, node->mode);
+#ifndef __MUSL__
+#ifndef STARTUP_INIT_TEST
+    return DAC_RESULT_PERMISSION;
+#endif
+#endif
+    return DAC_RESULT_FORBIDED;
 }

 #ifdef PARAM_SUPPORT_SELINUX
--- a/services/param/linux/param_service.c
+++ b/services/param/linux/param_service.c
@ -379,6 +379,7 @@ void InitParamService(void)
    ops.updaterMode = InUpdaterMode();
    // init open log
    ops.logFunc = InitLog;
+    ops.getServiceGroupIdByPid = GetServiceGroupIdByPid;
 #ifdef PARAM_SUPPORT_SELINUX
    ops.setfilecon = setfilecon;
 #endif