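This commit gives the init process the ability to support SELinux.
1. Load the policy at startup and set the process security context according to the policy file
2. Set the process security context according to the value of the secon field in the configuration file
This feature is compiled in only when the macro WITH_SELINUX is defined at build time, and WITH_SELINUX is defined only when BUILD.gn builds the L2 system (ohos_executable("init")), so systems below L2 are not affected.
services/BUILD.gn: Build configuration. When this feature is built, defines the macro -DWITH_SELINUX and links against the libraries libload_policy, librestorecon, and libselinux.
services/init/standard/init.c: Loads the policy at startup and sets the process security context according to the policy file. Calls the interfaces load_policy and restorencon.
services/init/include/init_service.h: Adds a character-array member secon to the struct Service, corresponding to the new secon field in the configuration file.
services/include/param/init_selinux_param.h: Defines the macros needed by the SELinux feature.
services/init/init_service_manager.c: Reads the secon field of the configuration file into memory.
services/init/standard/init_service.c: Sets the security context of each service process according to that service's secon field read into memory.
Signed-off-by: Qin Fandong <qinfd@superred.com.cn>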
init_lite
Introduction
The init_lite module starts system service processes from the time the kernel loads the first user-space process to the time the first application is started. In addition to loading key system processes, the module needs to configure their permissions during the startup and keep the specified process alive after sub-processes are started. If a process exits abnormally, the module needs to restart it, and to perform system reset for a special process.
Directory Structure
base/startup/init_lite/    # init_lite module
├── LICENSE
└── services
    ├── include            # Header files for the init_lite module
    ├── src                # Source files for the init_lite module
    └── test               # Source files of the test cases for the init_lite module
        └── unittest
vendor
└── huawei
    └── camera
        └── init_configs   # init_lite configuration files (in JSON format, and deployed in /etc/init.cfg after image burning)
Constraints
Currently, the init_lite module applies only to small-system devices (reference memory ≥ 1 MB), for example, Hi3516D V300 and Hi3518E V300.
Usage
init divides the system startup into three phases:
pre-init: operations required before system services are started, for example, mounting a file system, creating a folder, and modifying permissions.
init: operations required for starting system services.
post-init: operations required after system services are started.
In the init.cfg file, each of the preceding phases is represented by a job, which corresponds to a command set. The init_lite module initializes the system by executing the commands in each job in sequence. Jobs are executed in the following sequence: pre-init > init > post-init. All jobs are stored in the jobs array in the init.cfg file.
In addition to the jobs array, the init.cfg file also provides a services array, which is used to store the names, executable file paths, permissions, and other attribute information of the key system services that need to be started by the init process.
The file is stored in /vendor/hisilicon/hispark_aries/init_configs/ under /etc/. It is in JSON format, and its size cannot exceed 100 KB.
The format and content of the init.cfg file are as follows:
{
    "jobs" : [{
            "name" : "pre-init",
            "cmds" : [
                "mkdir /testdir",
                "chmod 0700 /testdir",
                "chown 99 99 /testdir",
                "mkdir /testdir2",
                "mount vfat /dev/mmcblk0p0 /testdir2 noexec nosuid"
            ]
        }, {
            "name" : "init",
            "cmds" : [
                "start service1",
                "start service2"
            ]
        }, {
            "name" : "post-init",
            "cmds" : []
        }
    ],
    "services" : [{
            "name" : "service1",
            "path" : "/bin/process1",
            "uid" : 1,
            "gid" : 1,
            "secon" : "u:r:untrusted_app:s0",
            "once" : 0,
            "importance" : 1,
            "caps" : [0, 1, 2, 5]
        }, {
            "name" : "service2",
            "path" : "/bin/process2",
            "uid" : 2,
            "gid" : 2,
            "secon" : "u:r:untrusted_app:s0",
            "once" : 1,
            "importance" : 0,
            "caps" : []
        }
    ]
}
Table 1 Job description
A single job can hold a maximum of 30 commands (only **start**, **mkdir**, **chmod**, **chown**, **mount**, and **loadcfg** are supported currently). The command name and parameters (128 bytes or less) must be separated by only one space.
Table 2 Commands supported by a job
Table 3 Elements in the services array
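The limits stated above (100 KB file size, 30 commands per job, the six supported commands, 128 bytes per command, single-space separation) and the secon field can be checked before an init.cfg is burned into an image. The following Python linter is an added example, not part of the init_lite code; the name lint_init_cfg, applying the 128-byte limit to the whole command string, and the user:role:type[:level] shape check for secon are assumptions.

```python
import json

# Limits stated in the README text above.
MAX_CFG_BYTES = 100 * 1024
MAX_CMDS_PER_JOB = 30
MAX_CMD_BYTES = 128  # assumption: applies to the whole command string
SUPPORTED_CMDS = {"start", "mkdir", "chmod", "chown", "mount", "loadcfg"}

# Constructed sample in the README's init.cfg layout, with three defects.
SAMPLE = json.dumps({
    "jobs": [{"name": "pre-init",
              "cmds": ["mkdir /testdir", "chmod  0700 /testdir", "rm /testdir2"]}],
    "services": [
        {"name": "service1", "path": "/bin/process1", "secon": "u:r:untrusted_app:s0"},
        {"name": "service2", "path": "/bin/process2", "secon": "untrusted_app"},
    ],
}).encode()

def lint_init_cfg(raw: bytes) -> list:
    """Return findings for one init.cfg; an empty list means it passed."""
    if len(raw) > MAX_CFG_BYTES:
        return [f"file is {len(raw)} bytes, limit is {MAX_CFG_BYTES}"]
    try:
        cfg = json.loads(raw)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    findings = []
    for job in cfg.get("jobs", []):
        jname, cmds = job.get("name", "?"), job.get("cmds", [])
        if len(cmds) > MAX_CMDS_PER_JOB:
            findings.append(f"job {jname}: {len(cmds)} commands, limit is {MAX_CMDS_PER_JOB}")
        for cmd in cmds:
            name = cmd.split(" ", 1)[0]
            if name not in SUPPORTED_CMDS:
                findings.append(f"job {jname}: unsupported command {name!r}")
            if "  " in cmd or cmd != cmd.strip():
                findings.append(f"job {jname}: extra whitespace in {cmd!r}")
            if len(cmd.encode()) > MAX_CMD_BYTES:
                findings.append(f"job {jname}: command exceeds {MAX_CMD_BYTES} bytes")
    for svc in cfg.get("services", []):
        secon = svc.get("secon")
        # Assumption: secon follows SELinux's user:role:type[:level] form.
        parts = secon.split(":") if isinstance(secon, str) else []
        if secon is not None and (len(parts) < 3 or "" in parts[:3]):
            findings.append(f"service {svc.get('name', '?')}: malformed secon {secon!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_init_cfg(SAMPLE)))
```

A service without a secon field is not reported, since the field exists only in builds with WITH_SELINUX.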