Merge branch 'master' of gitee.com:openharmony/startup_init_lite into master_cc

Signed-off-by: Mupceet <laiguizhong@huawei.com>

Mupceet 2022-05-12 10:06:05 +00:00 committed by Gitee
commit 371f660cb2
13 changed files with 131 additions and 53 deletions


@ -144,7 +144,7 @@ static int GetSha256Value(const char *input, char *udid, int udidSize)
mbedtls_sha256_context context;
mbedtls_sha256_init(&context);
mbedtls_sha256_starts_ret(&context, 0);
mbedtls_sha256_update_ret(&context, (const unsigned char)input, strlen(input));
mbedtls_sha256_update_ret(&context, (const unsigned char *)input, strlen(input));
mbedtls_sha256_finish_ret(&context, hash);
for (size_t i = 0; i < HASH_LENGTH; i++) {
@ -194,6 +194,9 @@ const char *GetSerial_(void)
int GetDevUdid_(char *udid, int size)
{
if (size < UDID_LEN || udid == NULL) {
return EC_FAILURE;
}
const char *manufacture = GetManufacture_();
const char *model = GetProductModel_();
const char *sn = GetSerial_();
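Review bot: The return values of `mbedtls_sha256_starts_ret`, `mbedtls_sha256_update_ret` and `mbedtls_sha256_finish_ret` in GetSha256Value are discarded, so a failed step still lets the loop below format whatever is in `hash` into the UDID. Each call returns 0 on success; a guard such as `if (mbedtls_sha256_update_ret(&context, (const unsigned char *)input, strlen(input)) != 0) { mbedtls_sha256_free(&context); return EC_FAILURE; }` keeps an undefined digest from being handed out as a device identifier. The function body starts and ends outside the hunk, so it cannot be seen here whether the context is already freed on exit or whether `input` is checked for NULL before `strlen`.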


@ -112,9 +112,12 @@ int SetParamShellPrompt(BShellHandle shell, const char *param)
}
// check parameter
int ret = SysCheckParamExist(realParameter);
if (ret != 0) {
if (ret == PARAM_CODE_NOT_FOUND) {
BShellEnvOutput(shell, "Error: parameter \'%s\' not found\r\n", realParameter);
return -1;
} else if (ret != 0 && ret != PARAM_CODE_NODE_EXIST) {
BShellEnvOutput(shell, "Error: Forbid to enter parameters \'%s\'\r\n", realParameter);
return -1;
}
if (strcmp(realParameter, "#") == 0) {
ret = BShellEnvSetParam(shell, PARAM_REVERESD_NAME_CURR_PARAMETER,
@ -225,14 +228,19 @@ static int32_t BShellParamCmdLs(BShellHandle shell, int32_t argc, char *argv[])
BShellEnvOutput(shell, "Error: Forbid to list parameters\r\n");
}
} else {
ParamHandle handle;
ret = SystemFindParameter(prefix, &handle);
if (ret != PARAM_CODE_NOT_FOUND && ret != 0 && ret != PARAM_CODE_NODE_EXIST) {
BShellEnvOutput(shell, "Error: Forbid to list parameters\r\n");
} else if (ret == 0) {
ShowParamForCmdLs(handle, (void *)shell);
ret = SysCheckParamExist(prefix);
if (ret == 0) {
ParamHandle handle;
ret = SystemFindParameter(prefix, &handle);
if (ret != 0) {
BShellEnvOutput(shell, "Error: Forbid to list parameters\r\n");
} else {
ShowParamForCmdLs(handle, (void *)shell);
}
} else if (ret == PARAM_CODE_NODE_EXIST) {
ShowParam(shell, prefix, NULL);
} else if (ret != PARAM_CODE_NOT_FOUND) {
BShellEnvOutput(shell, "Error: Forbid to list parameters\r\n");
} else {
BShellEnvOutput(shell, "Parameter %s not found\r\n", prefix);
}
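Review bot: The "Forbid to enter parameters" and "Forbid to list parameters" branches taken on the result of `SysCheckParamExist` no longer reflect a permission decision. As rewritten in this same commit, that function returns only 0, PARAM_CODE_NODE_EXIST, PARAM_CODE_NOT_FOUND or -1 (uninitialised workspace or NULL name). An operator reading the shell output will take a setup failure for an access denial; either change the text, e.g. `BShellEnvOutput(shell, "Error: parameter space unavailable (%d)\r\n", ret);`, or add the comment `// ret is -1 here: workspace not ready, not a DAC/SELinux denial`. In BShellParamCmdLs the only call that can still refuse on permission grounds appears to be `SystemFindParameter` in the `ret == 0` branch, so the PARAM_CODE_NODE_EXIST branch reaches `ShowParam(shell, prefix, NULL)` without a check visible in this hunk. Both function bodies extend outside the hunks.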


@ -73,4 +73,5 @@ msdp:x:6699:
misc:x:9998:
app:x:10000:
useriam:x:1088:
backup:x:1089:
net_manager:x:1099:


@ -46,7 +46,7 @@ const.build.product=default
const.product.hardwareversion=default
const.product.bootloader.version=bootloader
const.product.cpu.abilist=default
const.product.software.version=OpenHarmony 3.2.2.2
const.product.software.version=OpenHarmony 3.2.2.3
const.product.incremental.version=default
const.product.firstapiversion=1
const.product.build.type=default


@ -75,4 +75,5 @@ msdp:x:6699:6699:::/bin/false
misc:x:9998:9998:::/bin/false
app:x:10000:10000:::/bin/false
useriam:x:1088:1088:::/bin/false
backup:x:1089:1089:::/bin/false
net_manager:x:1099:1099:::/bin/false


@ -201,7 +201,10 @@ if (defined(ohos_lite)) {
]
include_dirs = param_include_dirs
defines = [ "_GNU_SOURCE" ]
defines = [
"_GNU_SOURCE",
"INIT_AGENT",
]
if (build_selinux) {
sources += [ "adapter/param_selinux.c" ]
defines += [


@ -25,7 +25,7 @@
#include "param_utils.h"
#define USER_BUFFER_LEN 64
#define GROUP_FORMAT "ohos.group"
#define GROUP_FORMAT "const.group"
#define OCT_BASE 8
static void GetUserIdByName(uid_t *uid, const char *name, uint32_t nameLen)
@ -160,6 +160,7 @@ static int CheckFilePermission(const ParamSecurityLabel *localLabel, const char
static int CheckUserInGroup(WorkSpace *space, gid_t groupId, uid_t uid)
{
#ifdef __MUSL__
static char buffer[USER_BUFFER_LEN] = {0};
uint32_t labelIndex = 0;
int ret = sprintf_s(buffer, sizeof(buffer) - 1, "%s.%d.%d", GROUP_FORMAT, groupId, uid);
@ -172,6 +173,9 @@ static int CheckUserInGroup(WorkSpace *space, gid_t groupId, uid_t uid)
return 0;
}
return -1;
#else
return 0;
#endif
}
static int DacCheckParamPermission(const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode)
@ -245,6 +249,10 @@ static void AddGroupUser(int uid, int gid, int mode, const char *format)
void LoadGroupUser(void)
{
#ifndef __MUSL__
return;
#endif
#if !(defined __LITEOS_A__ || defined __LITEOS_M__)
PARAM_LOGV("LoadGroupUser ");
uid_t uid = 0;
@ -263,7 +271,7 @@ void LoadGroupUser(void)
while (data->gr_mem[index]) { // user in this group
GetUserIdByName(&uid, data->gr_mem[index], strlen(data->gr_mem[index]));
PARAM_LOGV("LoadGroupUser %s gid %d uid %d user %s", data->gr_name, data->gr_gid, uid, data->gr_mem[index]);
AddGroupUser(uid, data->gr_gid, 0550, "ohos.group"); // 0550 read and watch
AddGroupUser(uid, data->gr_gid, 0550, GROUP_FORMAT); // 0550 read and watch
index++;
}
}
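Review bot: The new `#else` branch of CheckUserInGroup returns 0, which is the value the `__MUSL__` path appears to return when the `const.group.<gid>.<uid>` entry is found, so on non-musl builds every uid is reported as a member of every group and the group bits of a DAC label apply to any caller. If that is meant only for host or test builds, state it in a comment on the branch; otherwise fail closed with `return -1;` and silence the unused parameters with `(void)space; (void)groupId; (void)uid;`. In LoadGroupUser the `#ifndef __MUSL__` / `return;` / `#endif` prologue leaves the rest of the body as unreachable code on those builds; wrapping the body in `#ifdef __MUSL__` says the same thing without tripping unreachable-code warnings. The middle of CheckUserInGroup lies between two hunks and is not visible here.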


@ -73,8 +73,7 @@ static int InitLocalSecurityLabel(ParamSecurityLabel *security, int isInit)
PARAM_CHECK(g_selinuxSpace.destroyParamList != NULL,
return -1, "Failed to dlsym destroyParamList %s", dlerror());
}
if (isInit) {
// log
if (isInit) { // log
g_selinuxSpace.setSelinuxLogCallback();
}
#endif
@ -87,9 +86,8 @@ static int FreeLocalSecurityLabel(ParamSecurityLabel *srcLabel)
return 0;
}
static int SelinuxGetParamSecurityLabel(const char *path)
static int SelinuxGetAllLabel(int readOnly)
{
UNUSED(path);
PARAM_CHECK(g_selinuxSpace.getParamList != NULL, return DAC_RESULT_FORBIDED, "Invalid getParamList");
ParamContextsList *head = g_selinuxSpace.getParamList();
ParamContextsList *node = head;
@ -100,20 +98,25 @@ static int SelinuxGetParamSecurityLabel(const char *path)
node = node->next;
continue;
}
int ret = AddWorkSpace(node->info.paraContext, 0, PARAM_WORKSPACE_DEF);
int ret = AddWorkSpace(node->info.paraContext, readOnly, PARAM_WORKSPACE_DEF);
PARAM_CHECK(ret == 0, continue,
"Failed to add selinx workspace %s %s", node->info.paraName, node->info.paraContext);
"Failed to add selinux workspace %s %s", node->info.paraName, node->info.paraContext);
node = node->next;
count++;
}
g_selinuxSpace.destroyParamList(&head);
int ret = AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, 0, PARAM_WORKSPACE_MAX);
PARAM_CHECK(ret == 0, return -1,
"Failed to add selinx workspace %s %s", node->info.paraName, node->info.paraContext);
int ret = AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, readOnly, PARAM_WORKSPACE_MAX);
PARAM_CHECK(ret == 0, return -1,
"Failed to add selinux workspace %s %s", node->info.paraName, node->info.paraContext);
return 0;
}
static int SelinuxGetParamSecurityLabel(const char *path)
{
UNUSED(path);
return SelinuxGetAllLabel(0);
}
static int CheckFilePermission(const ParamSecurityLabel *localLabel, const char *fileName, int flags)
{
UNUSED(flags);
@ -121,12 +124,26 @@ static int CheckFilePermission(const ParamSecurityLabel *localLabel, const char
return 0;
}
static int SelinuxReadParamCheck(const char *name)
{
int ret = DAC_RESULT_FORBIDED;
PARAM_CHECK(g_selinuxSpace.getParamLabel != NULL, return ret, "Invalid getParamLabel");
const char *label = g_selinuxSpace.getParamLabel(name);
if (label == NULL) { // open file with readonly
ret = AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, 1, PARAM_WORKSPACE_MAX);
} else {
ret = AddWorkSpace(label, 1, PARAM_WORKSPACE_MAX);
}
if (ret != 0) {
return DAC_RESULT_FORBIDED;
}
return DAC_RESULT_PERMISSION;
}
static int SelinuxCheckParamPermission(const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode)
{
int ret = DAC_RESULT_FORBIDED;
PARAM_CHECK(g_selinuxSpace.setParamCheck != NULL, return ret, "Invalid setParamCheck");
PARAM_CHECK(g_selinuxSpace.readParamCheck != NULL, return ret, "Invalid readParamCheck");
// check
struct ucred uc;
uc.pid = srcLabel->cred.pid;
@ -136,7 +153,7 @@ static int SelinuxCheckParamPermission(const ParamSecurityLabel *srcLabel, const
ret = g_selinuxSpace.setParamCheck(name, &uc);
} else {
#ifndef STARTUP_INIT_TEST
ret = 0;
ret = SelinuxReadParamCheck(name);
#else
ret = g_selinuxSpace.readParamCheck(name);
#endif
@ -168,6 +185,12 @@ const char *GetSelinuxContent(const char *name)
return g_selinuxSpace.getParamLabel(name);
}
void OpenPermissionWorkSpace(void)
{
// open workspace by readonly
SelinuxGetAllLabel(1);
}
#if defined STARTUP_INIT_TEST || defined LOCAL_TEST
void SetSelinuxOps(const SelinuxSpace *space)
{
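Review bot: In SelinuxGetAllLabel the failure message of the final `AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, readOnly, PARAM_WORKSPACE_MAX)` check still reads `node->info.paraName` and `node->info.paraContext` after `g_selinuxSpace.destroyParamList(&head)` has released the list, so the error path dereferences a pointer that is either NULL or freed. Log the name that was actually used instead: `PARAM_CHECK(ret == 0, return -1, "Failed to add selinux workspace %s", WORKSPACE_NAME_DEF_SELINUX);`. Inside the loop, `PARAM_CHECK(ret == 0, continue, ...)` skips `node = node->next`, so a node whose workspace cannot be added looks like it is retried forever; advance `node` before the check. Both paths matter more after this commit because `OpenPermissionWorkSpace()` calls the function with `readOnly` set to 1 from client-side lookups, where a refused open is an expected outcome. The loop header is outside the hunk.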


@ -53,6 +53,8 @@ extern "C" {
#endif
#define PARAM_WORKSPACE_SMALL PARAM_WORKSPACE_MAX
#define PARAM_WORKSPACE_DEF PARAM_WORKSPACE_MAX
#define DAC_DEFAULT_GROUP 0
#define DAC_DEFAULT_USER 0
#else
#define PARAM_WORKSPACE_MAX (80 * 1024)
#define PARAM_WORKSPACE_SMALL (1024 * 10)
@ -63,6 +65,8 @@ extern "C" {
#define DAC_DEFAULT_MODE 0774
#define PARAM_WORKSPACE_DEF (1024 * 30)
#endif
#define DAC_DEFAULT_GROUP 2000
#define DAC_DEFAULT_USER 0
#endif
// support futex
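Review bot: `#define DAC_DEFAULT_GROUP 2000` has no comment at its definition, and the only explanation on the page is the call-site remark "2000 for shell" in InitParamWorkSpace. Together with `DAC_DEFAULT_MODE 0774` the group digit of the default "#" label is 7, so this define decides which group gets the full group permission set on every parameter without a more specific label, where it was previously gid 0. Put that next to the value, e.g. `#define DAC_DEFAULT_GROUP 2000 // shell group: receives the group bits of DAC_DEFAULT_MODE on the default "#" label`, and give the `0` variant in the other branch a matching comment so the difference between the two builds is deliberate and visible.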


@ -102,6 +102,7 @@ int GetParamSecurityAuditData(const char *name, int type, ParamAuditData *auditD
int RegisterSecurityDacOps(ParamSecurityOps *ops, int isInit);
void LoadGroupUser(void);
void OpenPermissionWorkSpace(void);
typedef int (*SelinuxSetParamCheck)(const char *paraName, struct ucred *uc);
typedef struct SelinuxSpace_ {


@ -155,8 +155,8 @@ int InitParamWorkSpace(int onlyRead)
// add default dac policy
ParamAuditData auditData = {};
auditData.name = "#";
auditData.dacData.gid = 0; // for root
auditData.dacData.uid = 0; // for root
auditData.dacData.gid = DAC_DEFAULT_GROUP; // 2000 for shell
auditData.dacData.uid = DAC_DEFAULT_USER; // for root
auditData.dacData.mode = DAC_DEFAULT_MODE; // 0774 default mode
ret = AddSecurityLabel(&auditData);
PARAM_CHECK(ret == 0, return ret, "Failed to add default dac label");
@ -213,7 +213,18 @@ int ReadParamWithCheck(const char *name, uint32_t op, ParamHandle *handle)
*handle = -1;
int ret = CheckParamPermission(&g_paramWorkSpace.securityLabel, name, op);
PARAM_CHECK(ret == 0, return ret, "Forbid to access parameter %s", name);
#ifdef PARAM_SUPPORT_SELINUX
if (ret == DAC_RESULT_PERMISSION) {
const char *label = GetSelinuxContent(name);
if (label != NULL) {
AddWorkSpace(label, 1, PARAM_WORKSPACE_DEF);
} else {
AddWorkSpace(WORKSPACE_NAME_DEF_SELINUX, 1, PARAM_WORKSPACE_DEF);
}
}
#endif
WorkSpace *space = GetWorkSpace(name);
PARAM_CHECK(space != NULL, return PARAM_CODE_INVALID_PARAM, "Invalid workSpace");
ParamTrieNode *node = FindTrieNode(space, name, strlen(name), NULL);
if (node != NULL && node->dataIndex != 0) {
*handle = GetParamHandle(space, node->dataIndex, name);
@ -407,6 +418,7 @@ int AddSecurityLabel(const ParamAuditData *auditData)
PARAM_WORKSPACE_CHECK(&g_paramWorkSpace, return -1, "Invalid space");
PARAM_CHECK(auditData != NULL && auditData->name != NULL, return -1, "Invalid auditData");
WorkSpace *workSpace = GetWorkSpace(WORKSPACE_NAME_DAC);
PARAM_CHECK(workSpace != NULL, return PARAM_CODE_INVALID_PARAM, "Invalid workSpace");
int ret = CheckParamName(auditData->name, 1);
PARAM_CHECK(ret == 0, return ret, "Illegal param name \"%s\"", auditData->name);
@ -500,6 +512,10 @@ int SystemTraversalParameter(const char *prefix, TraversalParamPtr traversalPara
}
context.prefix = (char *)prefix;
}
#ifdef PARAM_SUPPORT_SELINUX
// open all workspace
OpenPermissionWorkSpace();
#endif
WorkSpace *workSpace = GetFristWorkSpace();
if (workSpace != NULL && strcmp(workSpace->fileName, WORKSPACE_NAME_DAC) == 0) {
workSpace = GetNextWorkSpace(workSpace);
@ -541,16 +557,6 @@ int CheckParamPermission(const ParamSecurityLabel *srcLabel, const char *name, u
}
}
}
#ifdef PARAM_SUPPORT_SELINUX
if (ret == DAC_RESULT_PERMISSION && mode != DAC_WRITE) { // open workspace for client read
const char *label = GetSelinuxContent(name);
if (label != NULL) {
AddWorkSpace(label, 1, PARAM_WORKSPACE_DEF);
} else {
ret = DAC_RESULT_FORBIDED;
}
}
#endif
return ret;
}
@ -609,7 +615,10 @@ void SystemDumpParameters(int verbose)
if (ret != PARAM_CODE_NOT_FOUND && ret != 0 && ret != PARAM_CODE_NODE_EXIST) {
PARAM_CHECK(ret == 0, return, "Forbid to dump parameters");
}
#ifdef PARAM_SUPPORT_SELINUX
// open all workspace
OpenPermissionWorkSpace();
#endif
PARAM_DUMP("Dump all paramters begin ...\n");
if (verbose) {
PARAM_DUMP("Local sercurity information\n");
@ -649,6 +658,8 @@ int AddWorkSpace(const char *name, int onlyRead, uint32_t spaceSize)
const size_t size = strlen(realName) + 1;
workSpace = (WorkSpace *)malloc(sizeof(WorkSpace) + size);
PARAM_CHECK(workSpace != NULL, break, "Failed to create workspace for %s", realName);
workSpace->flags = 0;
workSpace->area = NULL;
ListInit(&workSpace->node);
ret = strcpy_s(workSpace->fileName, size, realName);
PARAM_CHECK(ret == 0, break, "Failed to copy file name %s", realName);
@ -667,7 +678,7 @@ int AddWorkSpace(const char *name, int onlyRead, uint32_t spaceSize)
free(workSpace);
}
WORKSPACE_RW_UNLOCK(g_paramWorkSpace);
PARAM_LOGI("AddWorkSpace %s success", name);
PARAM_LOGI("AddWorkSpace %s %s", name, ret == 0 ? "success" : "fail");
return ret;
}
@ -776,14 +787,23 @@ int SysCheckParamExist(const char *name)
{
PARAM_WORKSPACE_CHECK(&g_paramWorkSpace, return -1, "Invalid space");
PARAM_CHECK(name != NULL, return -1, "The name or handle is null");
ParamHandle handle;
int ret = ReadParamWithCheck(name, DAC_READ, &handle);
PARAM_LOGI("SysCheckParamExist %s result %d", name, ret);
if (ret == PARAM_CODE_NODE_EXIST) {
return 0;
#ifdef PARAM_SUPPORT_SELINUX
// open all workspace
OpenPermissionWorkSpace();
#endif
WorkSpace *workSpace = GetFristWorkSpace();
while (workSpace != NULL) {
PARAM_LOGV("SysCheckParamExist name %s in space %s", name, workSpace->fileName);
WorkSpace *next = GetNextWorkSpace(workSpace);
ParamTrieNode *node = FindTrieNode(workSpace, name, strlen(name), NULL);
if (node != NULL && node->dataIndex != 0) {
return 0;
} else if (node != NULL) {
return PARAM_CODE_NODE_EXIST;
}
workSpace = next;
}
PARAM_CHECK(ret == 0, return ret, "Forbid to access parameter %s", name);
return ret;
return PARAM_CODE_NOT_FOUND;
}
int SystemGetParameterCommitId(ParamHandle handle, uint32_t *commitId)
@ -823,6 +843,7 @@ int GetParamSecurityAuditData(const char *name, int type, ParamAuditData *auditD
uint32_t labelIndex = 0;
// get from dac
WorkSpace *space = GetWorkSpace(WORKSPACE_NAME_DAC);
PARAM_CHECK(space != NULL, return -1, "Invalid workSpace");
FindTrieNode(space, name, strlen(name), &labelIndex);
ParamSecruityNode *node = (ParamSecruityNode *)GetTrieNode(space, labelIndex);
PARAM_CHECK(node != NULL, return DAC_RESULT_FORBIDED, "Can not get security label %d", labelIndex);
@ -852,14 +873,18 @@ int CheckParameterSet(const char *name, const char *value, const ParamSecurityLa
PARAM_CHECK(ret == 0, return ret, "Illegal param value %s", value);
*ctrlService = 0;
#ifndef PARAM_SUPPORT_SELINUX
if ((getpid() != 1) && ((srcLabel->flags[0] & LABEL_CHECK_IN_ALL_PROCESS) != LABEL_CHECK_IN_ALL_PROCESS)) {
if (getpid() != 1) { // none init
#ifdef PARAM_SUPPORT_SELINUX
*ctrlService |= PARAM_NEED_CHECK_IN_SERVICE;
#ifndef STARTUP_INIT_TEST
return 0;
#else
if ((srcLabel->flags[0] & LABEL_CHECK_IN_ALL_PROCESS) != LABEL_CHECK_IN_ALL_PROCESS) {
*ctrlService |= PARAM_NEED_CHECK_IN_SERVICE;
return 0;
}
#endif
}
#endif
char *key = GetServiceCtrlName(name, value);
ret = CheckParamPermission(srcLabel, (key == NULL) ? name : key, DAC_WRITE);
if (key != NULL) { // ctrl param
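Review bot: SysCheckParamExist no longer goes through `ReadParamWithCheck(name, DAC_READ, &handle)`, so the permission check that used to gate the lookup is gone and the function now answers 0, PARAM_CODE_NODE_EXIST or PARAM_CODE_NOT_FOUND for any name to any caller after walking every workspace with `FindTrieNode`. If parameter existence is meant to be public, record that decision in a comment above the function. Otherwise keep the gate in front of the loop: `int ret = CheckParamPermission(&g_paramWorkSpace.securityLabel, name, DAC_READ);` followed by `PARAM_CHECK(ret == 0, return ret, "Forbid to access parameter %s", name);`. In ReadParamWithCheck the moved SELinux block tests `ret == DAC_RESULT_PERMISSION` directly after `PARAM_CHECK(ret == 0, return ret, ...)`, so the condition is always true or never true depending on that constant's value, which is not shown here. The block also ignores the result of both `AddWorkSpace` calls, and where the old code set `ret = DAC_RESULT_FORBIDED` for a name without a label it now opens WORKSPACE_NAME_DEF_SELINUX.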


@ -105,6 +105,7 @@ int InitWorkSpace(WorkSpace *workSpace, int onlyRead, uint32_t spaceSize)
}
workSpace->compareTrieNode = CompareParamTrieNode;
workSpace->allocTrieNode = AllocateParamTrieNode;
workSpace->area = NULL;
int ret = InitWorkSpace_(workSpace, spaceSize, onlyRead);
PARAM_CHECK(ret == 0, return ret, "Failed to init workspace %s", workSpace->fileName);
PARAMSPACE_AREA_INIT_LOCK(workSpace);
@ -397,7 +398,7 @@ void SaveIndex(uint32_t *index, uint32_t offset)
ParamTrieNode *FindTrieNode(WorkSpace *workSpace, const char *key, uint32_t keyLen, uint32_t *matchLabel)
{
PARAM_CHECK(workSpace != NULL, return NULL, "Invalid workSpace");
PARAM_CHECK(workSpace != NULL && workSpace->area != NULL, return NULL, "Invalid workSpace");
ParamTrieNode *node = NULL;
PARAMSPACE_AREA_RD_LOCK(workSpace);
node = FindTrieNode_(workSpace, key, keyLen, matchLabel);


@ -78,7 +78,7 @@ public:
const char *value = "2001";
uint32_t labelIndex = 0;
SystemWriteParam(name, value);
// 获取到跟属性
// get root
WorkSpace *workspace = GetWorkSpace(WORKSPACE_NAME_DAC);
(void)FindTrieNode(workspace, name, strlen(name), &labelIndex);
ParamSecruityNode *node = (ParamSecruityNode *)GetTrieNode(workspace, labelIndex);
@ -86,7 +86,7 @@ public:
EXPECT_EQ(1, 0);
return 0;
}
EXPECT_EQ(node->gid, 0);
EXPECT_EQ(node->gid, DAC_DEFAULT_GROUP);
return 0;
}