mirror of
https://gitee.com/openharmony/startup_init
synced 2024-10-07 14:13:52 +00:00
55582482ab
此提交使 init 进程有支持 SELinux 的能力。
1. 启动时加载策略并根据策略文件设置进程安全上下文
2. 根据配置文件中的 secon 字段的值设置进程的安全上下文
仅在编译时有宏定义 WITH_SELINUX 时会将此功能引入,而仅在 BUILD.gn 中编译 L2 系统(ohos_executable("init"))时会定义宏 WITH_SELINUX ,因此不影响 L2 以下的系统。
services/BUILD.gn
编译配置,编译此功能时定义宏 -DWITH_SELINUX 并链接到库 libload_policy 、 librestorecon 、 libselinux 。
services/init/standard/init.c
启动时加载策略并根据策略文件设置进程安全上下文。调用接口 load_policy 和 restorencon 。
services/init/include/init_service.h
结构体 Service 中增加了成员字符数组 secon 对应配置文件的新字段 secon 。
services/include/param/init_selinux_param.h
定义了 SELinux 功能需要使用的宏。
services/init/init_service_manager.c
将配置文件的字段 secon 读到内存中。
services/init/standard/init_service.c
根据内存中读到的每个服务的 secon 字段,设置该服务进程的安全上下文。
Signed-off-by: Qin Fandong <qinfd@superred.com.cn>
83 lines
5.6 KiB
XML
83 lines
5.6 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<!-- Copyright (c) 2021 Huawei Device Co., Ltd.
|
||
|
||
Licensed under the Apache License, Version 2.0 (the "License");
|
||
you may not use this file except in compliance with the License.
|
||
You may obtain a copy of the License at
|
||
|
||
http://www.apache.org/licenses/LICENSE-2.0
|
||
|
||
Unless required by applicable law or agreed to in writing, software
|
||
distributed under the License is distributed on an "AS IS" BASIS,
|
||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
See the License for the specific language governing permissions and
|
||
limitations under the License.
|
||
|
||
This is the configuration file template for OpenHarmony OSS Audit Tool, please copy it to your project root dir and modify it refer to OpenHarmony/tools_oat/README.
|
||
|
||
-->
|
||
|
||
<configuration>
|
||
<oatconfig>
|
||
<licensefile></licensefile>
|
||
<policylist>
|
||
<policy name="projectPolicy" desc="">
|
||
<policyitem type="copyright" name="北京万里红科技有限公司" path=".*" rule="may" group="defaultGroup" filefilter="copyrightPolicyFilter" desc=""/>
|
||
<!--policyitem type="compatibility" name="GPL-2.0+" path="abc/.*" desc="Process that runs independently, invoked by the X process."/-->
|
||
<!--policyitem type="license" name="LGPL" path="abc/.*" desc="Dynamically linked by module X"/-->
|
||
<!--policyitem type="copyright" name="xxx" path="abc/.*" rule="may" group="defaultGroup" filefilter="copyrightPolicyFilter" desc="Developed by X Company"/-->
|
||
</policy>
|
||
</policylist>
|
||
<filefilterlist>
|
||
<filefilter name="defaultFilter" desc="Files not to check">
|
||
<!--filteritem type="filename" name="*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
|
||
<!--filteritem type="filepath" name="abcdefg/.*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
|
||
<!--filteritem type="filepath" name="projectroot/[a-zA-Z0-9]{20,}.sh" desc="Temp files"/-->
|
||
</filefilter>
|
||
<filefilter name="defaultPolicyFilter" desc="Filters for compatibility,license header policies">
|
||
<filteritem type="filename" name="*.cfg" desc="config file,can not add license head"/>
|
||
<filteritem type="filename" name="passwd" desc="config file,can not add license head"/>
|
||
<filteritem type="filename" name="group" desc="config file,can not add license head"/>
|
||
</filefilter>
|
||
<filefilter name="copyrightPolicyFilter" desc="Filters for copyright header policies">
|
||
<filteritem type="filename" name="*.cfg" desc="config file,can not add license head"/>
|
||
<filteritem type="filename" name="passwd" desc="config file,can not add license head"/>
|
||
<filteritem type="filename" name="group" desc="config file,can not add license head"/>
|
||
</filefilter>
|
||
<filefilter name="licenseFileNamePolicyFilter" desc="Filters for LICENSE file policies">
|
||
<!--filteritem type="filename" name="*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
|
||
<!--filteritem type="filepath" name="abcdefg/.*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
|
||
<!--filteritem type="filepath" name="projectroot/[a-zA-Z0-9]{20,}.sh" desc="Temp files"/-->
|
||
</filefilter>
|
||
<filefilter name="readmeFileNamePolicyFilter" desc="Filters for README file policies">
|
||
<!--filteritem type="filename" name="*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
|
||
<!--filteritem type="filepath" name="abcdefg/.*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
|
||
<!--filteritem type="filepath" name="projectroot/[a-zA-Z0-9]{20,}.sh" desc="Temp files"/-->
|
||
</filefilter>
|
||
<filefilter name="readmeOpenSourcefileNamePolicyFilter" desc="Filters for README.OpenSource file policies">
|
||
<!--filteritem type="filename" name="*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
|
||
<!--filteritem type="filepath" name="abcdefg/.*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
|
||
<!--filteritem type="filepath" name="projectroot/[a-zA-Z0-9]{20,}.sh" desc="Temp files"/-->
|
||
</filefilter>
|
||
<filefilter name="binaryFileTypePolicyFilter" desc="Filters for binary file policies">
|
||
<!--filteritem type="filename" name="*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
|
||
<!--filteritem type="filepath" name="abcdefg/.*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
|
||
<!--filteritem type="filepath" name="projectroot/[a-zA-Z0-9]{20,}.sh" desc="Temp files"/-->
|
||
<filteritem type="filname" name="*.jpg|*.png|*.gif|*.pdf" desc="already checked"/>
|
||
<filteritem type="filepath" name="services/test/unittest/test_data/proc/*" desc="启动功能UT测试的资源文件"/>
|
||
</filefilter>
|
||
|
||
</filefilterlist>
|
||
<licensematcherlist>
|
||
<!--licensematcher name="uvwxyz License" desc="If the scanning result is InvalidLicense, you can define matching rules here. Note that quotation marks must be escaped.">
|
||
<licensetext name="
|
||
uvwxyz license textA xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
" desc=""/>
|
||
<licensetext name="
|
||
uvwxyz license textB xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
" desc=""/>
|
||
</licensematcher-->
|
||
</licensematcherlist>
|
||
</oatconfig>
|
||
</configuration>
|