openharmony/startup_init
1
0
Fork 0
mirror of https://gitee.com/openharmony/startup_init synced 2024-11-27 10:20:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

!2833 完善seccomp构建模板

Browse Source 
Merge pull request !2833 from 夏不白/seccomp_template_make_better
This commit is contained in:
openharmony_ci 2024-06-05 14:04:25 +00:00 committed by Gitee
commit 43e19fff30
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 169 additions and 155 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
interfaces/innerkits/seccomp/include/seccomp_policy.h
View File

@ -29,6 +29,7 @@ extern "C" {
#define APPSPAWN_NAME "appspawn"
#define NWEBSPAWN_NAME "nwebspawn"
#define APP_NAME "app"
#define IMF_EXTENTOIN_NAME "imf_secure_mode"
typedef enum {
SYSTEM_SA, // system service process

323
services/modules/seccomp/scripts/seccomp_policy_fixer.gni
View File

@ -15,172 +15,185 @@ import("//build/config/python.gni")
import("//build/ohos.gni")
template("ohos_prebuilt_seccomp") {
assert(defined(invoker.sources), "source must be defined for ${target_name}.")
assert(defined(invoker.filtername),
"source must be defined for ${target_name}.")
assert(
defined(invoker.process_type) &&
(invoker.process_type == "app" || invoker.process_type == "system"),
"process_type must be defined for ${target_name}, and the type must be app or system")
_seccomp_filter_target = "gen_${target_name}"
_output_name = "${invoker.filtername}_filter"
_seccomp_filter_file = target_gen_dir + "/${_output_name}.c"
_syscall_to_nr_arm_name = "${target_name}_syscall_to_nr_arm"
_syscall_to_nr_arm64_name = "${target_name}_syscall_to_nr_arm64"
_syscall_to_nr_riscv64_name = "${target_name}_syscall_to_nr_riscv64"
_blocklist_file_name = "//base/startup/init/services/modules/seccomp/seccomp_policy/${invoker.process_type}.blocklist.seccomp.policy"
_key_process_file_name = "//base/startup/init/services/modules/seccomp/seccomp_policy/privileged_process.seccomp.policy"
action(_syscall_to_nr_arm_name) {
script = "${clang_base_path}/bin/clang"
output_dir =
target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_arm"
args = [
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-arm"),
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
"-dD",
"-E",
"-Wall",
"-nostdinc",
"-o",
rebase_path(output_dir),
rebase_path(
"//base/startup/init/services/modules/seccomp/gen_syscall_name_nrs.c"),
]
outputs = [ output_dir ]
}
action(_syscall_to_nr_arm64_name) {
script = "${clang_base_path}/bin/clang"
output_dir =
target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_arm64"
args = [
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-arm64"),
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
"-dD",
"-E",
"-Wall",
"-nostdinc",
"-o",
rebase_path(output_dir),
rebase_path(
"//base/startup/init/services/modules/seccomp/gen_syscall_name_nrs.c"),
]
outputs = [ output_dir ]
}
action(_syscall_to_nr_riscv64_name) {
script = "${clang_base_path}/bin/clang"
output_dir =
target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_riscv64"
args = [
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-riscv"),
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
"-dD",
"-E",
"-Wall",
"-nostdinc",
"-o",
rebase_path(output_dir),
rebase_path(
"//base/startup/init/services/modules/seccomp/gen_syscall_name_nrs.c"),
]
outputs = [ output_dir ]
}
action(_seccomp_filter_target) {
script = "//base/startup/init/services/modules/seccomp/scripts/generate_code_from_policy.py"
sources = invoker.sources
sources += get_target_outputs(":${_syscall_to_nr_arm_name}")
sources += get_target_outputs(":${_syscall_to_nr_arm64_name}")
sources += get_target_outputs(":${_syscall_to_nr_riscv64_name}")
uid_is_root = false
if (defined(invoker.uid_is_root)) {
uid_is_root = invoker.uid_is_root
} else {
uid_is_root = false
}
if (invoker.process_type == "system" && invoker.filtername != "appspawn" &&
invoker.filtername != "nwebspawn" && uid_is_root == false) {
sources += [ "//base/startup/init/services/modules/seccomp/seccomp_policy/system_uid_filter.seccomp.policy" ]
if (!build_seccomp) {
group(target_name) {
not_needed(invoker, "*")
}
} else {
assert(defined(invoker.sources),
"source must be defined for ${target_name}.")
assert(defined(invoker.filtername),
"source must be defined for ${target_name}.")
assert(
defined(invoker.process_type) &&
(invoker.process_type == "app" || invoker.process_type == "system"),
"process_type must be defined for ${target_name}, and the type must be app or system")
deps = [
":${_syscall_to_nr_arm64_name}",
":${_syscall_to_nr_arm_name}",
":${_syscall_to_nr_riscv64_name}",
]
_seccomp_filter_target = "gen_${target_name}"
_output_name = "${invoker.filtername}_filter"
_seccomp_filter_file = target_gen_dir + "/${_output_name}.c"
_syscall_to_nr_arm_name = "${target_name}_syscall_to_nr_arm"
_syscall_to_nr_arm64_name = "${target_name}_syscall_to_nr_arm64"
_syscall_to_nr_riscv64_name = "${target_name}_syscall_to_nr_riscv64"
_blocklist_file_name = "//base/startup/init/services/modules/seccomp/seccomp_policy/${invoker.process_type}.blocklist.seccomp.policy"
_key_process_file_name = "//base/startup/init/services/modules/seccomp/seccomp_policy/privileged_process.seccomp.policy"
if (build_variant == "root") {
seccomp_is_debug = "true"
} else {
seccomp_is_debug = "false"
}
args = []
foreach(source, sources) {
args += [
"--src-files",
rebase_path(source),
action(_syscall_to_nr_arm_name) {
script = "${clang_base_path}/bin/clang"
output_dir =
target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_arm"
args = [
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-arm"),
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
"-dD",
"-E",
"-Wall",
"-nostdinc",
"-o",
rebase_path(output_dir),
rebase_path(
"//base/startup/init/services/modules/seccomp/gen_syscall_name_nrs.c"),
]
}
args += [
"--blocklist-file",
rebase_path(_blocklist_file_name),
"--dst-file",
rebase_path(_seccomp_filter_file),
"--filter-name",
invoker.filtername,
"--target-cpu",
invoker.target_cpu,
"--keyprocess-file",
rebase_path(_key_process_file_name),
"--is-debug",
seccomp_is_debug,
]
outputs = [ _seccomp_filter_file ]
}
ohos_shared_library(target_name) {
output_name = _output_name
deps = [ ":${_seccomp_filter_target}" ]
sources = get_target_outputs(":${_seccomp_filter_target}")
relative_install_dir = "seccomp"
if (defined(invoker.include_dirs)) {
include_dirs = invoker.include_dirs
outputs = [ output_dir ]
}
if (defined(invoker.install_enable)) {
install_enable = invoker.install_enable
action(_syscall_to_nr_arm64_name) {
script = "${clang_base_path}/bin/clang"
output_dir =
target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_arm64"
args = [
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-arm64"),
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
"-dD",
"-E",
"-Wall",
"-nostdinc",
"-o",
rebase_path(output_dir),
rebase_path(
"//base/startup/init/services/modules/seccomp/gen_syscall_name_nrs.c"),
]
outputs = [ output_dir ]
}
action(_syscall_to_nr_riscv64_name) {
script = "${clang_base_path}/bin/clang"
output_dir =
target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_riscv64"
args = [
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-riscv"),
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
"-dD",
"-E",
"-Wall",
"-nostdinc",
"-o",
rebase_path(output_dir),
rebase_path(
"//base/startup/init/services/modules/seccomp/gen_syscall_name_nrs.c"),
]
outputs = [ output_dir ]
}
action(_seccomp_filter_target) {
script = "//base/startup/init/services/modules/seccomp/scripts/generate_code_from_policy.py"
sources = invoker.sources
sources += get_target_outputs(":${_syscall_to_nr_arm_name}")
sources += get_target_outputs(":${_syscall_to_nr_arm64_name}")
sources += get_target_outputs(":${_syscall_to_nr_riscv64_name}")
uid_is_root = false
if (defined(invoker.uid_is_root)) {
uid_is_root = invoker.uid_is_root
} else {
uid_is_root = false
}
if (invoker.process_type == "system" &&
invoker.filtername != "appspawn" &&
invoker.filtername != "nwebspawn" && uid_is_root == false) {
sources += [ "//base/startup/init/services/modules/seccomp/seccomp_policy/system_uid_filter.seccomp.policy" ]
}
deps = [
":${_syscall_to_nr_arm64_name}",
":${_syscall_to_nr_arm_name}",
":${_syscall_to_nr_riscv64_name}",
]
if (build_variant == "root") {
seccomp_is_debug = "true"
} else {
seccomp_is_debug = "false"
}
args = []
foreach(source, sources) {
args += [
"--src-files",
rebase_path(source),
]
}
args += [
"--blocklist-file",
rebase_path(_blocklist_file_name),
"--dst-file",
rebase_path(_seccomp_filter_file),
"--filter-name",
invoker.filtername,
"--target-cpu",
invoker.target_cpu,
"--keyprocess-file",
rebase_path(_key_process_file_name),
"--is-debug",
seccomp_is_debug,
]
outputs = [ _seccomp_filter_file ]
}
if (defined(invoker.part_name)) {
part_name = invoker.part_name
}
ohos_shared_library(target_name) {
output_name = _output_name
deps = [ ":${_seccomp_filter_target}" ]
sources = get_target_outputs(":${_seccomp_filter_target}")
sanitize = {
cfi = true
cfi_cross_dso = true
debug = false
}
if (defined(invoker.subsystem_name)) {
subsystem_name = invoker.subsystem_name
}
relative_install_dir = "seccomp"
if (defined(invoker.install_images)) {
install_images = invoker.install_images
if (defined(invoker.include_dirs)) {
include_dirs = invoker.include_dirs
}
if (defined(invoker.install_enable)) {
install_enable = invoker.install_enable
}
if (defined(invoker.part_name)) {
part_name = invoker.part_name
}
if (defined(invoker.subsystem_name)) {
subsystem_name = invoker.subsystem_name
}
if (defined(invoker.install_images)) {
install_images = invoker.install_images
}
}
}
}