From f17ec2ed0ef11c256e3aea9f51a0a29a7ab8e17a Mon Sep 17 00:00:00 2001 From: xionglei6 Date: Tue, 25 Jan 2022 15:19:18 +0800 Subject: [PATCH 1/4] =?UTF-8?q?Add:=20=E9=85=8D=E7=BD=AE=E8=BF=9B=E7=A8=8B?= =?UTF-8?q?=E6=9C=8D=E5=8A=A1=E7=9A=84AccessToken?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: xionglei6 --- services/BUILD.gn | 4 +++ services/init/include/init_service.h | 6 ++++- services/init/init_common_service.c | 30 ++--------------------- services/init/init_service_manager.c | 20 ++++++++++++--- services/init/lite/init_service.c | 10 ++++++++ services/init/standard/init_cmds.c | 7 ++++++ services/init/standard/init_service.c | 35 +++++++++++++++++++++++++++ test/unittest/BUILD.gn | 4 +++ 8 files changed, 83 insertions(+), 33 deletions(-) diff --git a/services/BUILD.gn b/services/BUILD.gn index 0e162434c..23e3e3109 100755 --- a/services/BUILD.gn +++ b/services/BUILD.gn @@ -121,6 +121,8 @@ if (defined(ohos_lite)) { sources += init_common_sources include_dirs = [ + "//base/security/access_token/interfaces/innerkits/token_setproc/include", + "//base/security/access_token/interfaces/innerkits/nativetoken/include", "//base/startup/init_lite/services/include/param", "//base/startup/init_lite/services/include", "//base/startup/init_lite/services/init/include", @@ -134,6 +136,8 @@ if (defined(ohos_lite)) { "//third_party/bounds_checking_function/include", ] deps = [ + "//base/security/access_token/interfaces/innerkits/nativetoken:libnativetoken", + "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc", "//base/startup/init_lite/interfaces/innerkits:libfsmanager_static", "//base/startup/init_lite/services/log:init_log", "//base/startup/init_lite/services/loopevent:loopevent", diff --git a/services/init/include/init_service.h b/services/init/include/init_service.h index 40e3db19e..135ecab02 100755 --- a/services/init/include/init_service.h +++ b/services/init/include/init_service.h @@ -15,6 +15,7 @@ #ifndef BASE_STARTUP_INITLITE_SERVICE_H #define BASE_STARTUP_INITLITE_SERVICE_H #include +#include #include "cJSON.h" #include "init_cmds.h" @@ -114,6 +115,7 @@ typedef struct Service_ { int importance; int startMode : 4; // startCondition/ startBoot / startNormal int endMode : 4; // preFork/ fork / exec / ready + uint64_t tokenId; char apl[MAX_APL_NAME + 1]; ServiceArgs capsArgs; Perms servPerm; @@ -140,6 +142,8 @@ int GetServiceCaps(const cJSON *curArrItem, Service *curServ); int ServiceExec(const Service *service); void CloseServiceFds(Service *service, bool needFree); int UpdaterServiceFds(Service *service, int *fds, size_t fdCount); +int SetAccessToken(const Service *service); +void GetAccessToken(void); #ifdef __cplusplus #if __cplusplus @@ -147,4 +151,4 @@ int UpdaterServiceFds(Service *service, int *fds, size_t fdCount); #endif #endif -#endif // BASE_STARTUP_INITLITE_SERVICE_H \ No newline at end of file +#endif // BASE_STARTUP_INITLITE_SERVICE_H diff --git a/services/init/init_common_service.c b/services/init/init_common_service.c index 85a7c95dc..222b40cd8 100755 --- a/services/init/init_common_service.c +++ b/services/init/init_common_service.c @@ -59,32 +59,6 @@ static int SetAllAmbientCapability(void) return SERVICE_SUCCESS; } -int __attribute__((weak)) SetSelfTokenID(uint64_t tokenID) -{ - return SERVICE_SUCCESS; -} - -uint64_t __attribute__((weak)) GetAccessTokenId(const char *processname, char **dcap, int dacpNum, char *apl) -{ - return SERVICE_SUCCESS; -} - -static int SetAccessToken(const Service *service) -{ - INIT_ERROR_CHECK(service != NULL, return SERVICE_FAILURE, "%s failed", service->name); - INIT_ERROR_CHECK(service->capsArgs.count > 0, return SERVICE_SUCCESS, - "%s invalid, count is %d", service->name, service->capsArgs.count); - WaitForFile("/dev/ioctl_device", WAIT_MAX_SECOND); - uint64_t tokenId = GetAccessTokenId(service->name, service->capsArgs.argv, service->capsArgs.count, - (char *)service->apl); - if (tokenId == 0) { - INIT_LOGE("Set totken id %lld of service \' %s \' failed", service->name, tokenId); - return SERVICE_FAILURE; - } - int ret = SetSelfTokenID(tokenId); - return ret == 0 ? SERVICE_SUCCESS : SERVICE_FAILURE; -} - static int SetPerms(const Service *service) { INIT_CHECK_RETURN_VALUE(KeepCapability() == 0, SERVICE_FAILURE); @@ -138,8 +112,6 @@ static int SetPerms(const Service *service) return SERVICE_FAILURE; } } - int ret = SetAccessToken(service); - INIT_CHECK_ONLY_ELOG(ret == 0, "set access token failed for service %s", service->name); return SERVICE_SUCCESS; } @@ -273,6 +245,8 @@ int ServiceStart(Service *service) } int pid = fork(); if (pid == 0) { + INIT_CHECK_ONLY_ELOG(SetAccessToken(service) == SERVICE_SUCCESS, + "set access token failed for service %s", service->name); // deal start job if (service->serviceJobs.jobsName[JOB_ON_START] != NULL) { DoJobNow(service->serviceJobs.jobsName[JOB_ON_START]); diff --git a/services/init/init_service_manager.c b/services/init/init_service_manager.c index 278887fbf..ded6832d9 100755 --- a/services/init/init_service_manager.c +++ b/services/init/init_service_manager.c @@ -168,6 +168,7 @@ void ReleaseService(Service *service) } FreeServiceArg(&service->pathArgs); FreeServiceArg(&service->writePidArgs); + FreeServiceArg(&service->capsArgs); if (service->servPerm.caps != NULL) { free(service->servPerm.caps); @@ -230,7 +231,12 @@ static int GetServiceArgs(const cJSON *argJson, const char *name, int maxCount, for (int i = 0; i < count + 1; ++i) { args->argv[i] = NULL; } - args->count = count + 1; + // ServiceArgs have a variety of uses, some requiring a NULL ending, some not + if (strcmp(name, D_CAPS_STR_IN_CFG) != 0) { + args->count = count + 1; + } else { + args->count = count; + } for (int i = 0; i < count; ++i) { char *curParam = cJSON_GetStringValue(cJSON_GetArrayItem(obj, i)); INIT_ERROR_CHECK(curParam != NULL, return SERVICE_FAILURE, "Invalid arg %d", i); @@ -662,8 +668,9 @@ int ParseOneService(const cJSON *curItem, Service *service) ret = GetServiceAttr(curItem, service, CONSOLE_STR_IN_CFG, SERVICE_ATTR_CONSOLE, NULL); INIT_ERROR_CHECK(ret == 0, return SERVICE_FAILURE, "Failed to get console for service %s", service->name); - ret = GetServiceArgs(curItem, "writepid", MAX_WRITEPID_FILES, &service->writePidArgs); - INIT_CHECK_ONLY_ELOG(ret == 0, "No writepid arg for service %s", service->name); + (void)GetServiceArgs(curItem, "writepid", MAX_WRITEPID_FILES, &service->writePidArgs); + (void)GetServiceArgs(curItem, D_CAPS_STR_IN_CFG, MAX_WRITEPID_FILES, &service->capsArgs); + (void)GetStringItem(curItem, APL_STR_IN_CFG, service->apl, MAX_APL_NAME); ret = GetServiceCaps(curItem, service); INIT_ERROR_CHECK(ret == 0, return SERVICE_FAILURE, "Failed to get caps for service %s", service->name); ret = GetDynamicService(curItem, service); @@ -869,4 +876,9 @@ void StartAllServices(int startMode) } #endif INIT_LOGI("StartAllServices %d finsh", startMode); -} \ No newline at end of file +} + +void LoadAccessTokenId(void) +{ + GetAccessToken(); +} diff --git a/services/init/lite/init_service.c b/services/init/lite/init_service.c index cc53ef5c9..f91385e1d 100755 --- a/services/init/lite/init_service.c +++ b/services/init/lite/init_service.c @@ -74,3 +74,13 @@ int ServiceExec(const Service *service) } return SERVICE_SUCCESS; } + +int SetAccessToken(const Service *service) +{ + return SERVICE_SUCCESS; +} + +void GetAccessToken(void) +{ + return; +} diff --git a/services/init/standard/init_cmds.c b/services/init/standard/init_cmds.c index 7aff1ec02..eaa1b935e 100755 --- a/services/init/standard/init_cmds.c +++ b/services/init/standard/init_cmds.c @@ -276,6 +276,12 @@ static void DoRestorecon(const struct CmdArgs *ctx) return; } +static void DoLoadAccessTokenId(const struct CmdArgs *ctx) +{ + INIT_LOGI("load access token id : %s", ctx->argv[0]); + LoadAccessTokenId(); +} + static const struct CmdTable g_cmdTable[] = { { "exec ", 1, 10, DoExec }, { "mknode ", 1, 5, DoMakeNode }, @@ -286,6 +292,7 @@ static const struct CmdTable g_cmdTable[] = { { "setparam ", 2, 2, DoSetParam }, { "load_persist_params ", 1, 1, DoLoadPersistParams }, { "load_param ", 1, 2, DoLoadDefaultParams }, + { "load_access_token_id ", 1, 1, DoLoadAccessTokenId }, { "ifup ", 1, 1, DoIfup }, { "mount_fstab ", 1, 1, DoMountFstabFile }, { "umount_fstab ", 1, 1, DoUmountFstabFile }, diff --git a/services/init/standard/init_service.c b/services/init/standard/init_service.c index ab860aee1..9eff59c5e 100755 --- a/services/init/standard/init_service.c +++ b/services/init/standard/init_service.c @@ -19,11 +19,14 @@ #include #include +#include "init_group_manager.h" #include "init.h" #include "init_log.h" #include "init_param.h" #include "init_utils.h" #include "securec.h" +#include "token_setproc.h" +#include "nativetoken_kit.h" #define MIN_IMPORTANT_LEVEL (-20) #define MAX_IMPORTANT_LEVEL 19 @@ -79,3 +82,35 @@ int ServiceExec(const Service *service) } return SERVICE_SUCCESS; } + +int SetAccessToken(const Service *service) +{ + INIT_ERROR_CHECK(service != NULL, return SERVICE_FAILURE, "%s failed", service->name); + int ret = SetSelfTokenID(service->tokenId); + INIT_LOGI("%s: token id %lld, set token id result %d", service->name, service->tokenId, ret); + return ret == 0 ? SERVICE_SUCCESS : SERVICE_FAILURE; +} + +void GetAccessToken(void) +{ + InitGroupNode *node = GetNextGroupNode(NODE_TYPE_SERVICES, NULL); + while (node != NULL) { + Service *service = node->data.service; + if (service != NULL) { + if (service->capsArgs.count == 0) { + service->capsArgs.argv = NULL; + } + if (strlen(service->apl) == 0) { + (void)strncpy_s(service->apl, sizeof(service->apl), + "system_core", sizeof(service->apl) - 1); + } + uint64_t tokenId = GetAccessTokenId(service->name, (const char **)service->capsArgs.argv, + service->capsArgs.count, service->apl); + if (tokenId == 0) { + INIT_LOGE("Set totken id %lld of service \' %s \' failed", service->name, tokenId); + } + service->tokenId = tokenId; + } + node = GetNextGroupNode(NODE_TYPE_SERVICES, node); + } +} diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index 9de91ec41..5b99f0a4d 100755 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn @@ -162,9 +162,13 @@ ohos_unittest("init_ut") { "//third_party/bounds_checking_function/include", "//third_party/libuv/include", "//third_party/cJSON", + "//base/security/access_token/interfaces/innerkits/token_setproc/include", + "//base/security/access_token/interfaces/innerkits/nativetoken/include", ] deps = [ + "//base/security/access_token/interfaces/innerkits/nativetoken:libnativetoken", + "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc", "//base/startup/syspara_lite/interfaces/innerkits/native/syspara:syspara", "//third_party/bounds_checking_function:libsec_static", "//third_party/cJSON:cjson_static", From 884eb45ef9643e4e4837b90eb7afc969cfc5d41c Mon Sep 17 00:00:00 2001 From: xionglei6 Date: Tue, 25 Jan 2022 15:39:30 +0800 Subject: [PATCH 2/4] =?UTF-8?q?=E4=BF=AE=E6=94=B9bug?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: xionglei6 --- services/init/include/init_service_manager.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/init/include/init_service_manager.h b/services/init/include/init_service_manager.h index 8040ceefb..c46852925 100755 --- a/services/init/include/init_service_manager.h +++ b/services/init/include/init_service_manager.h @@ -56,7 +56,7 @@ void StopAllServices(int flags); void ParseAllServices(const cJSON *fileRoot); void ReleaseService(Service *service); void StartAllServices(int startMode); - +void LoadAccessTokenId(void); #ifdef OHOS_SERVICE_DUMP void DumpAllServices(); #endif From abeac076caaf52682b572548ef62865033bd237f Mon Sep 17 00:00:00 2001 From: xionglei6 Date: Tue, 25 Jan 2022 15:42:50 +0800 Subject: [PATCH 3/4] =?UTF-8?q?=E4=BF=AE=E6=94=B9bug?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: xionglei6 --- services/init/include/init_service_manager.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/init/include/init_service_manager.h b/services/init/include/init_service_manager.h index c46852925..5b313a021 100755 --- a/services/init/include/init_service_manager.h +++ b/services/init/include/init_service_manager.h @@ -33,6 +33,8 @@ extern "C" { #define CRITICAL_STR_IN_CFG "critical" #define DISABLED_STR_IN_CFG "disabled" #define CONSOLE_STR_IN_CFG "console" +#define D_CAPS_STR_IN_CFG "d-caps" +#define APL_STR_IN_CFG "apl" #define MAX_SERVICES_CNT_IN_FILE 100 From 30ae0b1cbbeed45dfd34dcfdce77a9f560530f73 Mon Sep 17 00:00:00 2001 From: xionglei6 Date: Tue, 25 Jan 2022 17:18:37 +0800 Subject: [PATCH 4/4] =?UTF-8?q?=E4=BF=AE=E6=94=B9bug?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: xionglei6 --- services/init/init_common_service.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/init/init_common_service.c b/services/init/init_common_service.c index 222b40cd8..834e71b9e 100755 --- a/services/init/init_common_service.c +++ b/services/init/init_common_service.c @@ -245,8 +245,8 @@ int ServiceStart(Service *service) } int pid = fork(); if (pid == 0) { - INIT_CHECK_ONLY_ELOG(SetAccessToken(service) == SERVICE_SUCCESS, - "set access token failed for service %s", service->name); + INIT_CHECK_ONLY_ELOG(SetAccessToken(service) == SERVICE_SUCCESS, + "set access token failed for service %s", service->name); // deal start job if (service->serviceJobs.jobsName[JOB_ON_START] != NULL) { DoJobNow(service->serviceJobs.jobsName[JOB_ON_START]);