Files
startup_init_lite/services/init/include/init_service.h
T
Qin Fandong 55582482ab init: support selinux
此提交使 init 进程有支持 SELinux 的能力。

1. 启动时加载策略并根据策略文件设置进程安全上下文
2. 根据配置文件中的 secon 字段的值设置进程的安全上下文

仅在编译时有宏定义 WITH_SELINUX 时会将此功能引入,而仅在 BUILD.gn 中编译 L2 系统(ohos_executable("init"))时会定义宏 WITH_SELINUX ,因此不影响 L2 以下的系统。

services/BUILD.gn
编译配置,编译此功能时定义宏 -DWITH_SELINUX 并链接到库 libload_policy 、 librestorecon 、 libselinux 。

services/init/standard/init.c
启动时加载策略并根据策略文件设置进程安全上下文。调用接口 load_policy 和 restorencon 。

services/init/include/init_service.h
结构体 Service 中增加了成员字符数组 secon 对应配置文件的新字段 secon 。

services/include/param/init_selinux_param.h
定义了 SELinux 功能需要使用的宏。

services/init/init_service_manager.c
将配置文件的字段 secon 读到内存中。

services/init/standard/init_service.c
根据内存中读到的每个服务的 secon 字段,设置该服务进程的安全上下文。

Signed-off-by: Qin Fandong <qinfd@superred.com.cn>
2021-10-21 09:44:13 +08:00

107 lines
3.0 KiB
C
Executable File

/*
* Copyright (c) 2020-2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef BASE_STARTUP_INITLITE_SERVICE_H
#define BASE_STARTUP_INITLITE_SERVICE_H
#include <sys/types.h>
#include "cJSON.h"
#include "init_cmds.h"
#include "init_service_socket.h"
#ifdef WITH_SELINUX
# include "init_selinux_param.h"
#endif // WITH_SELINUX
#include "list.h"
#ifdef __cplusplus
#if __cplusplus
extern "C" {
#endif
#endif
// return value
#define SERVICE_FAILURE (-1)
#define SERVICE_SUCCESS 0
// service attributes
#define SERVICE_ATTR_INVALID 0x001 // option invalid
#define SERVICE_ATTR_ONCE 0x002 // do not restart when it exits
#define SERVICE_ATTR_NEED_RESTART 0x004 // will restart in the near future
#define SERVICE_ATTR_NEED_STOP 0x008 // will stop in reap
#define SERVICE_ATTR_IMPORTANT 0x010 // will reboot if it crash
#define SERVICE_ATTR_CRITICAL 0x020 // critical, will reboot if it crash 4 times in 4 minutes
#define SERVICE_ATTR_DISABLED 0x040 // disabled
#define SERVICE_ATTR_CONSOLE 0x080 // console
#define SERVICE_ATTR_DYNAMIC 0x100 // dynamic service
#define MAX_SERVICE_NAME 32
#define MAX_WRITEPID_FILES 100
#define FULL_CAP 0xFFFFFFFF
// init
#define DEFAULT_UMASK_INIT 022
#define CAP_NUM 2
#define SERVICES_ARR_NAME_IN_JSON "services"
typedef struct {
uid_t uID;
gid_t *gIDArray;
int gIDCnt;
unsigned int *caps;
unsigned int capsCnt;
} Perms;
typedef struct {
int count;
char **argv;
} ServiceArgs;
typedef struct {
ListNode node;
char name[MAX_SERVICE_NAME + 1];
#ifdef WITH_SELINUX
char secon[MAX_SECON_LEN];
#endif // WITH_SELINUX
int pid;
int crashCnt;
time_t firstCrashTime;
unsigned int attribute;
int importance;
Perms servPerm;
ServiceArgs pathArgs;
ServiceArgs writePidArgs;
CmdLines *restartArg;
ServiceSocket *socketCfg;
} Service;
int ServiceStart(Service *service);
int ServiceStop(Service *service);
void ServiceReap(Service *service);
void ReapService(Service *service);
void NotifyServiceChange(const char *serviceName, const char *change);
int IsForbidden(const char *fieldStr);
int SetImportantValue(Service *curServ, const char *attrName, int value, int flag);
int GetServiceCaps(const cJSON *curArrItem, Service *curServ);
int ServiceExec(const Service *service);
#ifdef __cplusplus
#if __cplusplus
}
#endif
#endif
#endif // BASE_STARTUP_INITLITE_SERVICE_H