dac 空间不足拦截

Signed-off-by: zhongning5 <zhongning5@huawei.com>
2024-10-07 06:03:32 +00:00 · 2023-11-15 21:08:13 +08:00 · 2023-11-15 21:08:13 +08:00 · 3d6020e0ba
commit 3d6020e0ba
parent 0af68c1d5d
7 changed files with 41 additions and 23 deletions
--- a/begetd.gni
+++ b/begetd.gni
@ -33,8 +33,6 @@ declare_args() {

  startup_init_feature_decode_group_file = false

-  startup_init_test_performance = true
-
  # log display control
  config_ohos_startup_init_lite_no_log = false

--- a/services/param/adapter/param_dac.c
+++ b/services/param/adapter/param_dac.c
@ -176,17 +176,18 @@ static int LoadOneParam_(const uint32_t *context, const char *name, const char *
        auditData->memberNum = 1;
        auditData->members[0] = auditData->dacData.gid;
    }
-    AddSecurityLabel(auditData);
-    return 0;
+
+    return AddSecurityLabel(auditData);
 }

 static int LoadParamLabels(const char *fileName)
 {
+    int result = -1;
    ParamAuditData *auditData = (ParamAuditData *)calloc(1,
        sizeof(ParamAuditData) + sizeof(uid_t) * MAX_MEMBER_IN_GROUP);
    if (auditData == NULL) {
        PARAM_LOGE("Failed to alloc memory %s", fileName);
-        return 0;
+        return result;
    }
    uint32_t infoCount = 0;
    FILE *fp = fopen(fileName, "r");
@ -194,14 +195,18 @@ static int LoadParamLabels(const char *fileName)
    char *buff = (char *)calloc(1, buffSize);
    while (fp != NULL && buff != NULL && fgets(buff, buffSize, fp) != NULL) {
        buff[buffSize - 1] = '\0';
-        int ret = SplitParamString(buff, NULL, 0, LoadOneParam_, (const uint32_t *)auditData);
-        if (ret != 0) {
-            PARAM_LOGE("Failed to split string %s fileName %s", buff, fileName);
-            continue;
+        result = SplitParamString(buff, NULL, 0, LoadOneParam_, (const uint32_t *)auditData);
+        if (result != 0) {
+            PARAM_LOGE("Failed to split string %s fileName %s, result is:%d", buff, fileName, result);
+            break;
        }
        infoCount++;
    }
-    PARAM_LOGI("Load parameter label total %u success %s", infoCount, fileName);
+
+    if (result == 0) {
+        PARAM_LOGI("Load parameter label total %u success %s", infoCount, fileName);
+    }
+
    if (fp != NULL) {
        (void)fclose(fp);
    }
@ -211,7 +216,7 @@ static int LoadParamLabels(const char *fileName)
    if (auditData != NULL) {
        free(auditData);
    }
-    return 0;
+    return result;
 }

 static int ProcessParamFile(const char *fileName, void *context)
@ -255,7 +260,10 @@ static int DacGetParamSecurityLabel(const char *path)
        }
        if ((stat(fileName, &st) == 0) && !S_ISDIR(st.st_mode)) {
            count++;
-            ProcessParamFile(fileName, NULL);
+            ret = ProcessParamFile(fileName, NULL);
+            if (ret != 0) {
+                return ret;
+            };
        }
    }
    PARAM_LOGV("Get parameter security label dac number is %d, from %s.", count, path);
--- a/services/param/base/BUILD.gn
+++ b/services/param/base/BUILD.gn
@ -119,9 +119,6 @@ if (defined(ohos_lite)) {
      defines += [ "__MUSL__" ]
    }

-    if (startup_init_test_performance) {
-      defines += [ "PARAM_TEST_PERFORMANCE" ]
-    }
    if (!startup_init_with_param_base) {
      ldflags = [ "-nostdlib" ]
      configs -= inherited_configs
@ -162,7 +159,10 @@ if (defined(ohos_lite)) {
    defines = [ "_GNU_SOURCE" ]
    deps = []

-    include_dirs += [ "//third_party/bounds_checking_function/include" ]
+    include_dirs += [
+      "//base/startup/init/services/init/include",
+      "//third_party/bounds_checking_function/include",
+    ]
    if (build_selinux) {
      include_dirs += [
        "//third_party/selinux/libselinux/include/",
--- a/services/param/base/param_trie.c
+++ b/services/param/base/param_trie.c
@ -363,7 +363,7 @@ INIT_LOCAL_API int AddParamEntry(uint32_t index, uint8_t type, const char *name,
    ParamNode *entry = (ParamNode *)GetTrieNode(workSpace, node->dataIndex);
    if (entry == NULL) {
        uint32_t offset = AddParamNode(workSpace, type, name, strlen(name), value, strlen(value));
-        PARAM_CHECK(offset != 0, return PARAM_CODE_MEMORY_NOT_ENOUGH, "Failed to allocate name %s", name);
+        PARAM_CHECK(offset > 0, return PARAM_CODE_REACHED_MAX, "Failed to allocate name %s", name);
        SaveIndex(&node->dataIndex, offset);
    }
    return 0;
@ -385,7 +385,7 @@ INIT_LOCAL_API int AddSecurityLabel(const ParamAuditData *auditData)
    uint32_t offset = node->labelIndex;
    if (node->labelIndex == 0) {  // can not support update for label
        offset = AddParamSecurityNode(workSpace, auditData);
-        PARAM_CHECK(offset != 0, return PARAM_CODE_MEMORY_NOT_ENOUGH, "Failed to add label");
+        PARAM_CHECK(offset > 0, return PARAM_CODE_REACHED_MAX, "Failed to add label");
        SaveIndex(&node->labelIndex, offset);
    } else {
        ParamSecurityNode *label = (ParamSecurityNode *)GetTrieNode(workSpace, node->labelIndex);
--- a/services/param/include/param_osadp.h
+++ b/services/param/include/param_osadp.h
@ -85,11 +85,7 @@ extern "C" {
 #define PARAM_WORKSPACE_DEF PARAM_WORKSPACE_MAX
 #else // __LITEOS_A__
 #define DAC_DEFAULT_MODE 0774
-#ifdef PARAM_TEST_PERFORMANCE
-#define PARAM_WORKSPACE_MAX (1024 * 1024 * 10)
-#else
 #define PARAM_WORKSPACE_MAX (80 * 1024)
-#endif
 #define PARAM_WORKSPACE_SMALL (1024 * 10)
 #define PARAM_WORKSPACE_DEF (1024 * 30)
 #define PARAM_WORKSPACE_DAC (1024 * 20)
--- a/services/param/manager/param_manager.c
+++ b/services/param/manager/param_manager.c
@ -470,6 +470,7 @@ static int UpdateParam(const WorkSpace *workSpace, uint32_t *dataIndex, const ch

 INIT_LOCAL_API int WriteParam(const char *name, const char *value, uint32_t *dataIndex, int mode)
 {
+    int flag = 0;
    PARAM_LOGV("WriteParam %s", name);
    ParamWorkSpace *paramSpace = GetParamWorkSpace();
    PARAM_CHECK(paramSpace != NULL, return PARAM_WORKSPACE_NOT_INIT, "Invalid paramSpace");
@ -477,6 +478,11 @@ INIT_LOCAL_API int WriteParam(const char *name, const char *value, uint32_t *dat
    PARAM_CHECK(value != NULL && name != NULL, return PARAM_CODE_INVALID_PARAM, "Invalid name or value");
    WorkSpace *workSpace = GetWorkSpaceByName(name);
    PARAM_CHECK(workSpace != NULL, return PARAM_CODE_INVALID_PARAM, "Invalid workSpace");
+#ifdef PARAM_SUPPORT_SELINUX
+    if (strcmp(workSpace->fileName, WORKSPACE_NAME_DEF_SELINUX) == 0) {
+        flag = 1;
+    }
+#endif
    ParamTrieNode *node = FindTrieNode(workSpace, name, strlen(name), NULL);
    int ret = 0;
    if (node != NULL && node->dataIndex != 0) {
@ -501,6 +507,11 @@ INIT_LOCAL_API int WriteParam(const char *name, const char *value, uint32_t *dat
        PARAM_CHECK(ret == 0, return ret, "Invalid param value param: %s=%s", name, value);
        PARAMSPACE_AREA_RW_LOCK(workSpace);
        ret = AddParam((WorkSpace *)workSpace, type, name, value, dataIndex);
+        if ((ret == PARAM_CODE_REACHED_MAX) && (flag == 1)) {
+            PARAM_LOGE("Add node %s to space %s failed! memory is not enough, system reboot!",
+                name, workSpace->fileName);
+            ExecReboot("panic");
+        }
        PARAMSPACE_AREA_RW_UNLOCK(workSpace);
    }
    return ret;
--- a/services/param/manager/param_server.c
+++ b/services/param/manager/param_server.c
@ -22,6 +22,8 @@
 #include "init_module_engine.h"
 #endif
 #include "securec.h"
+#include "init_cmds.h"
+#include "init_param.h"

 /**
 * Loading system parameter from /proc/cmdline by the following rules:
@ -257,7 +259,10 @@ static int LoadSecurityLabel(const char *fileName)
    // load security label
    ParamSecurityOps *ops = GetParamSecurityOps(PARAM_SECURITY_DAC);
    if (ops != NULL && ops->securityGetLabel != NULL) {
-        ops->securityGetLabel(fileName);
+        if (ops->securityGetLabel(fileName) == PARAM_CODE_REACHED_MAX) {
+            PARAM_LOGE("Load Security Lable failed! system reboot!");
+            ExecReboot("panic");
+        };
    }
 #endif
    return 0;