From 0e40146249e5bdfe45b7f0924de05a61b240fa8f Mon Sep 17 00:00:00 2001 From: steven_q Date: Mon, 21 Feb 2022 11:27:54 +0800 Subject: [PATCH] add service selinux interface and fix bug Signed-off-by: steven_q Change-Id: Ic235d0564d5fb4b601a0b34cc69e522b7c460ad6 
Signed-off-by: steven_q --- BUILD.gn | 128 ++++++++- .../policycoreutils/include/hap_restorecon.h | 2 - .../include/paraperm_checker.h | 2 +- .../policycoreutils/include/selinux_error.h | 24 +- .../policycoreutils/include/selinux_klog.h | 7 +- .../include/selinux_parameter.h | 3 - .../policycoreutils/include/service_checker.h | 61 +++++ .../policycoreutils/src/hap_restorecon.cpp | 41 ++- interfaces/policycoreutils/src/load_policy.c | 2 +- .../policycoreutils/src/paraperm_checker.cpp | 11 +- interfaces/policycoreutils/src/restorecon.c | 9 +- .../policycoreutils/src/selinux_error.cpp | 44 +++ interfaces/policycoreutils/src/selinux_klog.c | 5 + .../policycoreutils/src/service_checker.cpp | 257 ++++++++++++++++++ interfaces/tools/hap_restorecon/test.cpp | 26 +- interfaces/tools/param_check/test.cpp | 14 +- interfaces/tools/service_check/test.cpp | 139 ++++++++++ sepolicy/base/public/attributes | 8 + sepolicy/base/public/glb_te_def.spt | 20 +- sepolicy/base/public/hdf_service.te | 15 + sepolicy/base/public/service.te | 15 + sepolicy/base/system/access_vectors | 15 +- sepolicy/base/system/security_classes | 2 + sepolicy/hdf_service_contexts | 15 + sepolicy/service_contexts | 15 + test/selinux_test.c | 9 +- test/unittest/src/selinux_unit_test.cpp | 4 +- 27 files changed, 780 insertions(+), 113 deletions(-) create mode 100644 interfaces/policycoreutils/include/service_checker.h create mode 100644 interfaces/policycoreutils/src/selinux_error.cpp create mode 100644 interfaces/policycoreutils/src/service_checker.cpp create mode 100644 interfaces/tools/service_check/test.cpp create mode 100644 sepolicy/base/public/hdf_service.te create mode 100644 sepolicy/base/public/service.te create mode 100644 sepolicy/hdf_service_contexts create mode 100644 sepolicy/service_contexts diff --git a/BUILD.gn b/BUILD.gn index 1d35578bf..43f5b0167 100644 --- a/BUILD.gn +++ b/BUILD.gn 
@@ -52,7 +52,8 @@ ohos_shared_library("libload_policy") { cflags = [ "-D_GNU_SOURCE", "-DUSE_PCRE2", - "-w", + "-Wall", + "-Werror", ] install_enable = true install_images = [ @@ -90,7 +91,8 @@ ohos_shared_library("librestorecon") { cflags = [ "-D_GNU_SOURCE", "-DUSE_PCRE2", - "-w", + "-Wall", + "-Werror", ] install_enable = true install_images = [ @@ -117,6 +119,7 @@ ohos_shared_library("libhap_restorecon") { public_configs = [ ":selinux_core_config" ] deps = [ + ":libselinux_error_static", "$THIRD_PARTY_SELINUX_DIR:libselinux", "//utils/native/base:utils", ] @@ -127,7 +130,8 @@ ohos_shared_library("libhap_restorecon") { cflags = [ "-D_GNU_SOURCE", - "-w", + "-Wall", + "-Werror", ] install_enable = true license_file = "$SELINUX_ROOT_DIR/LICENSE" @@ -135,8 +139,23 @@ ohos_shared_library("libhap_restorecon") { subsystem_name = "security" } -ohos_static_library("libselinux_klog") { - output_name = "libselinux_klog" +ohos_static_library("libselinux_error_static") { + output_name = "libselinux_error_static" + sources = + [ "$SELINUX_ROOT_DIR/interfaces/policycoreutils/src/selinux_error.cpp" ] + include_dirs = [ "$SELINUX_ROOT_DIR/interfaces/policycoreutils/include" ] + + cflags = [ + "-D_GNU_SOURCE", + "-w", + ] + + part_name = "selinux" + subsystem_name = "security" +} + +ohos_static_library("libselinux_klog_static") { + output_name = "libselinux_klog_static" sources = [ "$SELINUX_ROOT_DIR/interfaces/policycoreutils/src/selinux_klog.c" ] include_dirs = [ "$SELINUX_ROOT_DIR/interfaces/policycoreutils/include" ] @@ -145,7 +164,8 @@ ohos_static_library("libselinux_klog") { cflags = [ "-D_GNU_SOURCE", - "-w", + "-Wall", + "-Werror", ] part_name = "selinux" 
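Review bot: The new `libselinux_error_static` target still passes `"-w"`, so the one source file added for error-code mapping is compiled with every warning suppressed while the other targets in this file move to `-Wall`/`-Werror`. Use the same pair here, `"-Wall",` and `"-Werror",` in place of `"-w",`. If the target was exempted because selinux_error.cpp fills its table with array designators (a compiler extension in C++), that is better fixed in the source than by silencing the compiler; the commit does not state the reason, so this is an inference.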
@@ -167,14 +187,45 @@ ohos_static_library("libparaperm_checker_static") { public_configs = [ ":selinux_core_config" ] deps = [ - ":libselinux_klog", + ":libselinux_klog_static", "$THIRD_PARTY_SELINUX_DIR:libselinux", "//third_party/bounds_checking_function:libsec_static", ] cflags = [ "-D_GNU_SOURCE", - "-w", + "-Wall", + "-Werror", + ] + + part_name = "selinux" + subsystem_name = "security" +} + +ohos_static_library("libservice_checker_static") { + output_name = "libservice_checker_static" + sources = + [ "$SELINUX_ROOT_DIR/interfaces/policycoreutils/src/service_checker.cpp" ] + include_dirs = [ + "$SELINUX_ROOT_DIR/interfaces/policycoreutils/include", + "$LIBSELINUX_ROOT_DIR/include", + "$LIBSELINUX_ROOT_DIR/src", + "//third_party/FreeBSD", + "//third_party/bounds_checking_function/include", + ] + + public_configs = [ ":selinux_core_config" ] + deps = [ + ":libselinux_error_static", + ":libselinux_klog_static", + "$THIRD_PARTY_SELINUX_DIR:libselinux", + "//third_party/bounds_checking_function:libsec_static", + ] + + cflags = [ + "-D_GNU_SOURCE", + "-Wall", + "-Werror", ] part_name = "selinux" @@ -194,7 +245,8 @@ ohos_executable("load_policy") { cflags = [ "-D_GNU_SOURCE", "-DUSE_PCRE2", - "-w", + "-Wall", + "-Werror", ] license_file = "$SELINUX_ROOT_DIR/LICENSE" part_name = "selinux" @@ -218,7 +270,8 @@ ohos_executable("restorecon") { cflags = [ "-D_GNU_SOURCE", "-DUSE_PCRE2", - "-w", + "-Wall", + "-Werror", ] license_file = "$SELINUX_ROOT_DIR/LICENSE" part_name = "selinux" @@ -232,11 +285,15 @@ ohos_executable("hap_restorecon") { "$SELINUX_ROOT_DIR/interfaces/policycoreutils/include", "$LIBSELINUX_ROOT_DIR/include", ] - deps = [ ":libhap_restorecon" ] + deps = [ + ":libhap_restorecon", + ":libselinux_error_static", + ] cflags = [ "-D_GNU_SOURCE", - "-w", + "-Wall", + "-Werror", ] license_file = "$SELINUX_ROOT_DIR/LICENSE" part_name = "selinux" 
@@ -252,12 +309,37 @@ ohos_executable("param_check") { ] deps = [ ":libparaperm_checker_static", + ":libselinux_error_static", "$THIRD_PARTY_SELINUX_DIR:libselinux", ] cflags = [ "-D_GNU_SOURCE", - "-w", + "-Wall", + "-Werror", + ] + license_file = "$SELINUX_ROOT_DIR/LICENSE" + part_name = "selinux" + subsystem_name = "security" +} + +ohos_executable("service_check") { + install_enable = true + sources = [ "$SELINUX_ROOT_DIR/interfaces/tools/service_check/test.cpp" ] + include_dirs = [ + "$SELINUX_ROOT_DIR/interfaces/policycoreutils/include", + "$LIBSELINUX_ROOT_DIR/include", + ] + deps = [ + ":libselinux_error_static", + ":libservice_checker_static", + "$THIRD_PARTY_SELINUX_DIR:libselinux", + ] + + cflags = [ + "-D_GNU_SOURCE", + "-Wall", + "-Werror", ] license_file = "$SELINUX_ROOT_DIR/LICENSE" part_name = "selinux" @@ -279,7 +361,8 @@ ohos_executable("selinux_test") { cflags = [ "-D_GNU_SOURCE", "-DUSE_PCRE2", - "-w", + "-Wall", + "-Werror", ] license_file = "$SELINUX_ROOT_DIR/LICENSE" part_name = "selinux" @@ -359,6 +442,20 @@ ohos_prebuilt_etc("parameter_contexts") { relative_install_dir = "selinux/targeted/contexts/" } +ohos_prebuilt_etc("service_contexts") { + source = "$SELINUX_ROOT_DIR/sepolicy/service_contexts" + license_file = "$SELINUX_ROOT_DIR/LICENSE" + part_name = "selinux" + relative_install_dir = "selinux/targeted/contexts/" +} + +ohos_prebuilt_etc("hdf_service_contexts") { + source = "$SELINUX_ROOT_DIR/sepolicy/hdf_service_contexts" + license_file = "$SELINUX_ROOT_DIR/LICENSE" + part_name = "selinux" + relative_install_dir = "selinux/targeted/contexts/" +} + ohos_prebuilt_etc("file_contexts") { deps = [ ":build_file_contexts_bin" ] source = target_out_dir + "/file_contexts" 
@@ -386,6 +483,9 @@ group("selinux_group") { "//base/security/selinux:restorecon", "//base/security/selinux:sehap_contexts", "//base/security/selinux:selinux_test", + "//base/security/selinux:service_check", + "//base/security/selinux:service_contexts", + "//base/security/selinux:hdf_service_contexts", "//third_party/selinux:checkpolicy($host_toolchain)", "//third_party/selinux:chkcon", "//third_party/selinux:getenforce", diff --git a/interfaces/policycoreutils/include/hap_restorecon.h b/interfaces/policycoreutils/include/hap_restorecon.h index 1ccb21944..482b5bee6 100644 --- a/interfaces/policycoreutils/include/hap_restorecon.h +++ b/interfaces/policycoreutils/include/hap_restorecon.h @@ -16,10 +16,8 @@ #ifndef HAP_RESTORECON_H #define HAP_RESTORECON_H -#include #include #include -#include #include #include diff --git a/interfaces/policycoreutils/include/paraperm_checker.h b/interfaces/policycoreutils/include/paraperm_checker.h index ef5d50e99..53e3a8818 100644 --- a/interfaces/policycoreutils/include/paraperm_checker.h +++ b/interfaces/policycoreutils/include/paraperm_checker.h @@ -16,7 +16,7 @@ #ifndef PARAPERM_CHECKER_H #define PARAPERM_CHECKER_H -#include +#include #include "selinux_parameter.h" typedef struct ParameterInfo { diff --git a/interfaces/policycoreutils/include/selinux_error.h b/interfaces/policycoreutils/include/selinux_error.h index cd2c5e619..576c607a9 100644 --- a/interfaces/policycoreutils/include/selinux_error.h +++ b/interfaces/policycoreutils/include/selinux_error.h 
@@ -20,21 +20,23 @@ namespace Selinux { enum Errno { SELINUX_SUCC, SELINUX_ARG_INVALID, - SELINUX_TYPE_SET_ERR, - SELINUX_TYPE_INVALID, - SELINUX_KEY_NOT_FOUND, - SELINUX_GET_CONTEXTS_ERROR, - SELINUX_SET_CONTEXTS_ERROR, - SELINUX_CONTEXTS_LOAD_ERR, - SELINUX_PTR_NULL, SELINUX_PATH_INVAILD, - SELINUX_FILE_INVAILD, - SELINUX_FILE_ERR, + SELINUX_STAT_INVAILD, + SELINUX_PTR_NULL, + SELINUX_KEY_NOT_FOUND, + SELINUX_GET_CONTEXT_ERROR, + SELINUX_SET_CONTEXT_ERROR, + SELINUX_SET_CONTEXT_TYPE_ERROR, + SELINUX_CHECK_CONTEXT_ERROR, + SELINUX_CONTEXTS_FILE_LOAD_ERROR, + SELINUX_FTS_OPEN_ERROR, SELINUX_FTS_ELOOP, - SELINUX_SETCON_ERR, - SELINUX_GETCON_ERR, + SELINUX_UNKNOWN_ERROR, SELINUX_PERMISSION_DENY, + SELINUX_ERROR_MAX, }; + +const char *GetErrStr(int errNo); } // namespace Selinux #endif // SELINUX_ERROE_H diff --git a/interfaces/policycoreutils/include/selinux_klog.h b/interfaces/policycoreutils/include/selinux_klog.h index f6abfce9a..c5e631a67 100755 --- a/interfaces/policycoreutils/include/selinux_klog.h +++ b/interfaces/policycoreutils/include/selinux_klog.h @@ -15,11 +15,6 @@ #ifndef SELINUX_KLOG_H #define SELINUX_KLOG_H -#include -#include -#include -#include "securec.h" - #ifdef __cplusplus #if __cplusplus extern "C" { @@ -33,7 +28,7 @@ typedef enum SelinuxKLogLevel { SELINUX_KWARN, SELINUX_KINFO, SELINUX_KAVC -}; +} SelinuxKLogLevel; void SetSelinuKLogLevel(int logLevel); int SelinuKLog(int logLevel, const char *fmt, ...); diff --git a/interfaces/policycoreutils/include/selinux_parameter.h b/interfaces/policycoreutils/include/selinux_parameter.h index 062227712..46ea5206c 100644 --- a/interfaces/policycoreutils/include/selinux_parameter.h +++ b/interfaces/policycoreutils/include/selinux_parameter.h @@ -16,9 +16,6 @@ #ifndef SELINUX_PARAMETER_H #define SELINUX_PARAMETER_H -#include -#include -#include #include #ifdef __cplusplus 
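Review bot: Reordering the enumerators of `Errno` in selinux_error.h changes the numeric value of codes that keep their name: as listed, `SELINUX_KEY_NOT_FOUND` moves from 4 to 5 and `SELINUX_PERMISSION_DENY` from 15 to 14, and the interfaces return these values negated. Any caller, log parser or test outside this commit that matches the raw number would then read a denial as a different error; whether such consumers exist is not visible here. Pinning the values (for example `SELINUX_PERMISSION_DENY = 14,`) and adding `// values are part of the interface: add new codes just before SELINUX_ERROR_MAX, never reorder` would make the contract explicit. `GetErrStr` should also get a one-line comment saying that it accepts a code of either sign.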
diff --git a/interfaces/policycoreutils/include/service_checker.h b/interfaces/policycoreutils/include/service_checker.h new file mode 100644 index 000000000..77e94d4d0 --- /dev/null +++ b/interfaces/policycoreutils/include/service_checker.h @@ -0,0 +1,61 @@ +/* + * Copyright (c) 2021 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef SERVICE_CHECKER_H +#define SERVICE_CHECKER_H + +#include +#include +#include + +struct ServiceInfo { + std::string serviceName = ""; + std::string serviceContext = ""; +}; + +class ServiceChecker { +public: + ServiceChecker(bool isHdf) : isHdf_(isHdf) + { + if (isHdf) { + serviceClass_ = "hdf_devmgr_class"; + } else { + serviceClass_ = "samgr_class"; + } + SetSelinuxLogCallback(); + } + ~ServiceChecker() {}; + + int ListServiceCheck(const pid_t &callingPid); + + int GetServiceCheck(const pid_t &callingPid, const std::string &serviceName); + + int GetRemoteServiceCheck(const pid_t &callingPid, const std::string &remoteServiceName); + + int AddServiceCheck(const pid_t &callingPid, const std::string &serviceName); + +protected: +private: + void SetSelinuxLogCallback(); + bool ServiceContextsLoad(); + int CheckPerm(const pid_t &callingPid, const std::string &serviceName, std::string action); + int GetServiceContext(const std::string &serviceName, std::string &context); + + bool isHdf_ = false; + std::string serviceClass_ = ""; + std::unordered_map serviceMap; +}; + +#endif // SERVICE_CHECKER_H 
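Review bot: Every public check on `ServiceChecker` identifies the caller only by `callingPid`, and `GetCallingContext` in service_checker.cpp resolves it with `getpidcon()`. A PID names a process only while that process is alive, so if the caller exits and the number is reused before the lookup, the access decision is made against another process's context. At minimum the class needs a comment such as `// callingPid must come from the IPC transport for a caller still blocked in this call; a recycled PID yields another process's context`. If the transport can supply the caller's security context directly, an overload taking that context would remove the window; whether it can is not visible in this patch. The single-argument constructor should also be `explicit ServiceChecker(bool isHdf)` so that an int or pointer does not convert silently.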
diff --git a/interfaces/policycoreutils/src/hap_restorecon.cpp b/interfaces/policycoreutils/src/hap_restorecon.cpp index 1a7c69542..ddfd9613b 100644 --- a/interfaces/policycoreutils/src/hap_restorecon.cpp +++ b/interfaces/policycoreutils/src/hap_restorecon.cpp @@ -14,20 +14,16 @@ */ #include "hap_restorecon.h" -#include "callbacks.h" -#include "selinux_error.h" -#include "selinux_log.h" -#include #include #include -#include #include #include #include #include #include -#include -#include +#include "callbacks.h" +#include "selinux_error.h" +#include "selinux_log.h" using namespace Selinux; @@ -39,7 +35,7 @@ static const std::string NAME_PREFIX = "name="; static const std::string DOMAIN_PREFIX = "domain="; static const std::string TYPE_PREFIX = "type="; static const std::string PATH_PREFIX = "/data/app/"; -static const int CONTEXTS_LENGTH_MIN = 20; +static const int CONTEXTS_LENGTH_MIN = 20; // sizeof("apl=x domain= type=") static pthread_once_t FC_ONCE = PTHREAD_ONCE_INIT; } // namespace @@ -168,11 +164,12 @@ int HapContext::TypeSet(std::unordered_map::iterator type = iter->second.type; } if (type.size() == 0) { - return -SELINUX_TYPE_INVALID; + SELINUX_LOG_ERROR(LABEL, "type is empty in contexts file"); + return -SELINUX_ARG_INVALID; } if (context_type_set(con, type.c_str())) { - SELINUX_LOG_ERROR(LABEL, "Set type for %{public}s fail", type.c_str()); - return -SELINUX_TYPE_SET_ERR; + SELINUX_LOG_ERROR(LABEL, "%{public}s %{public}s", GetErrStr(SELINUX_SET_CONTEXT_TYPE_ERROR), type.c_str()); + return -SELINUX_SET_CONTEXT_TYPE_ERROR; } return SELINUX_SUCC; } @@ -181,7 +178,7 @@ int HapContext::HapContextsLookup(bool isDomain, const std::string &apl, const s { if (sehapContextsBuff.empty()) { if (!HapContextsLoad()) { - return -SELINUX_CONTEXTS_LOAD_ERR; + return -SELINUX_CONTEXTS_FILE_LOAD_ERROR; } } 
@@ -229,7 +226,7 @@ int HapContext::HapLabelLookup(const std::string &apl, const std::string &packag // check whether the context is valid if (security_check_context(secontext) < 0) { context_free(con); - return -SELINUX_TYPE_INVALID; + return -SELINUX_CHECK_CONTEXT_ERROR; } freecon(*secontextPtr); @@ -256,7 +253,7 @@ int HapContext::RestoreconSb(const std::string &pathname, const struct stat *sb, if (lgetfilecon(pathname.c_str(), &oldSecontext) < 0) { freecon(secontext); freecon(oldSecontext); - return -SELINUX_GET_CONTEXTS_ERROR; + return -SELINUX_GET_CONTEXT_ERROR; } int res = HapLabelLookup(apl, packageName, &secontext); @@ -270,7 +267,7 @@ int HapContext::RestoreconSb(const std::string &pathname, const struct stat *sb, if (lsetfilecon(pathname.c_str(), secontext) < 0) { freecon(secontext); freecon(oldSecontext); - return -SELINUX_SET_CONTEXTS_ERROR; + return -SELINUX_SET_CONTEXT_ERROR; } } @@ -323,7 +320,7 @@ int HapContext::HapFileRestorecon(const std::string &pathNameOrig, const std::st bool recurse = (flags & SELINUX_HAP_RESTORECON_RECURSE) ? true : false; if (!recurse) { if (lstat(realPath, &sb) < 0) { - return -SELINUX_FILE_INVAILD; + return -SELINUX_STAT_INVAILD; } int res = RestoreconSb(realPath, &sb, apl, packageName); @@ -338,7 +335,9 @@ int HapContext::HapFileRestorecon(const std::string &pathNameOrig, const std::st int ftsFlags = FTS_PHYSICAL | FTS_NOCHDIR; FTS *fts = fts_open(paths, ftsFlags, NULL); if (fts == nullptr) { - return -SELINUX_FILE_ERR; + SELINUX_LOG_ERROR(LABEL, "%{public}s on %{public}s: %{public}s", GetErrStr(SELINUX_FTS_OPEN_ERROR), paths[0], + strerror(errno)); + return -SELINUX_FTS_OPEN_ERROR; } FTSENT *ftsent = nullptr; 
@@ -346,7 +345,7 @@ int HapContext::HapFileRestorecon(const std::string &pathNameOrig, const std::st while ((ftsent = fts_read(fts)) != NULL) { switch (ftsent->fts_info) { case FTS_DC: - SELINUX_LOG_ERROR(LABEL, "Cycle on %{public}s", ftsent->fts_path); + SELINUX_LOG_ERROR(LABEL, "%{public}s on %{public}s", GetErrStr(SELINUX_FTS_ELOOP), ftsent->fts_path); (void)fts_close(fts); return -SELINUX_FTS_ELOOP; case FTS_DP: @@ -388,7 +387,7 @@ int HapContext::HapDomainSetcontext(const std::string &apl, const std::string &p char *typeContext = nullptr; if (getcon(&typeContext)) { - return -SELINUX_GETCON_ERR; + return -SELINUX_GET_CONTEXT_ERROR; } context_t con = nullptr; @@ -418,14 +417,14 @@ int HapContext::HapDomainSetcontext(const std::string &apl, const std::string &p if (security_check_context(typeContext) < 0) { freecon(oldTypeContext); context_free(con); - return -SELINUX_TYPE_INVALID; + return -SELINUX_CHECK_CONTEXT_ERROR; } if (strcmp(typeContext, oldTypeContext)) { if (setcon(typeContext) < 0) { freecon(oldTypeContext); context_free(con); - return -SELINUX_SETCON_ERR; + return -SELINUX_SET_CONTEXT_ERROR; } } SELINUX_LOG_INFO(LABEL, "Hap setcon finish for %{public}s", packageName.c_str()); diff --git a/interfaces/policycoreutils/src/load_policy.c b/interfaces/policycoreutils/src/load_policy.c index ddaf2de02..c607b3a4b 100644 --- a/interfaces/policycoreutils/src/load_policy.c +++ b/interfaces/policycoreutils/src/load_policy.c @@ -16,7 +16,7 @@ #include #include #include -#include +#include int load_policy(void) { diff --git a/interfaces/policycoreutils/src/paraperm_checker.cpp b/interfaces/policycoreutils/src/paraperm_checker.cpp index 6fa9bbd3f..07bbb6b26 100644 --- a/interfaces/policycoreutils/src/paraperm_checker.cpp +++ b/interfaces/policycoreutils/src/paraperm_checker.cpp 
@@ -14,18 +14,13 @@ */ #include "paraperm_checker.h" -#include -#include -#include #include #include -#include #include #include #include #include #include -#include #include #include #include @@ -247,7 +242,7 @@ int GetParamLabel(const char *paraName, const char **context) if (paraInfo.empty()) { if (!ParameterContextsLoad()) { - return -SELINUX_CONTEXTS_LOAD_ERR; + return -SELINUX_CONTEXTS_FILE_LOAD_ERROR; } } std::string name(paraName); @@ -283,7 +278,7 @@ int ReadParamCheck(const char *paraName) int rc = getcon(&srcContext); if (rc < 0) { selinux_log(SELINUX_ERROR, "getcon failed!\n"); - return -SELINUX_GETCON_ERR; + return -SELINUX_GET_CONTEXT_ERROR; } AuditMsg msg; @@ -322,7 +317,7 @@ int SetParamCheck(const char *paraName, struct ucred *uc) int rc = getpidcon(uc->pid, &srcContext); if (rc < 0) { selinux_log(SELINUX_ERROR, "getpidcon failed!\n"); - return -SELINUX_GETCON_ERR; + return -SELINUX_GET_CONTEXT_ERROR; } const char *destContext = nullptr; if (GetParamLabel(paraName, &destContext) != 0) { diff --git a/interfaces/policycoreutils/src/restorecon.c b/interfaces/policycoreutils/src/restorecon.c index 9dc7da7c2..8b6bb4c82 100644 --- a/interfaces/policycoreutils/src/restorecon.c +++ b/interfaces/policycoreutils/src/restorecon.c @@ -13,15 +13,10 @@ * limitations under the License. */ -#include -#include -#include #include #include #include #include -#include -#include #include typedef struct restore_opts { @@ -39,7 +34,7 @@ static int restore_init(restore_opts_t * opts) if (!(opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, sizeof(selinux_opts) / - sizeof(selinux_opts)))) { + sizeof(selinux_opts[0])))) { return -1; } @@ -48,12 +43,12 @@ static int restore_init(restore_opts_t * opts) SELINUX_RESTORECON_REALPATH | SELINUX_RESTORECON_RECURSE; selinux_restorecon_set_sehandle(opts->hnd); + return 0; } int restorecon(void) { restore_opts_t opts; - int i = 0; int errors = 0; memset_s(&opts, sizeof(opts), 0, sizeof(opts)); 
diff --git a/interfaces/policycoreutils/src/selinux_error.cpp b/interfaces/policycoreutils/src/selinux_error.cpp new file mode 100644 index 000000000..333fa0114 --- /dev/null +++ b/interfaces/policycoreutils/src/selinux_error.cpp @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2021 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "selinux_error.h" +#include + +namespace Selinux { +static const char *g_selinuxErrMsg[SELINUX_ERROR_MAX] = { + [SELINUX_SUCC] = "success", + [SELINUX_ARG_INVALID] = "argument is invalid", + [SELINUX_PATH_INVAILD] = "path is invalid", + [SELINUX_STAT_INVAILD] = "stat failed", + [SELINUX_PTR_NULL] = "ptr is null", + [SELINUX_KEY_NOT_FOUND] = "cannot find key in contexts file", + [SELINUX_GET_CONTEXT_ERROR] = "get context failed", + [SELINUX_SET_CONTEXT_ERROR] = "set context failed", + [SELINUX_SET_CONTEXT_TYPE_ERROR] = "set context type failed", + [SELINUX_CHECK_CONTEXT_ERROR] = "check context failed, context may not define", + [SELINUX_CONTEXTS_FILE_LOAD_ERROR] = "load contexts file failed", + [SELINUX_FTS_OPEN_ERROR] = "fts_open failed", + [SELINUX_FTS_ELOOP] = "fts ELOOP", + [SELINUX_UNKNOWN_ERROR] = "unknown error", + [SELINUX_PERMISSION_DENY] = "permission denied", +}; + +const char *GetErrStr(int errNo) +{ + int errIndex = std::abs(errNo); + errIndex = errIndex >= SELINUX_ERROR_MAX ? SELINUX_UNKNOWN_ERROR : errIndex; + return g_selinuxErrMsg[errIndex]; +} +} // namespace Selinux 
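Review bot: `GetErrStr` returns `g_selinuxErrMsg[errIndex]` without checking for an empty slot, so any enumerator later added to `Errno` without a matching message yields a null pointer that the callers in this commit pass straight to `%s` and `std::cout`. Falling back explicitly closes that: `const char *msg = g_selinuxErrMsg[errIndex];` followed by `return msg != nullptr ? msg : g_selinuxErrMsg[SELINUX_UNKNOWN_ERROR];`. `std::abs(errNo)` is also undefined for the most negative int; computing the index in unsigned arithmetic, `unsigned errIndex = errNo < 0 ? 0u - static_cast<unsigned>(errNo) : static_cast<unsigned>(errNo);`, keeps the range check well defined.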
diff --git a/interfaces/policycoreutils/src/selinux_klog.c b/interfaces/policycoreutils/src/selinux_klog.c index afa63fc0f..36fb28024 100755 --- a/interfaces/policycoreutils/src/selinux_klog.c +++ b/interfaces/policycoreutils/src/selinux_klog.c @@ -14,6 +14,9 @@ */ #include "selinux_klog.h" +#include +#include +#include "securec.h" static int g_logLevel = SELINUX_KERROR; static const char *LOG_LEVEL_STR[] = {"ERROR", "WARNING", "INFO", "AVC"}; @@ -55,6 +58,7 @@ int SelinuKLog(int logLevel, const char *fmt, ...) if (vsnprintf_s(tmpFmt, MAX_LOG_SIZE, MAX_LOG_SIZE - 1, fmt, vargs) == -1) { close(g_fd); g_fd = -1; + va_end(vargs); return -1; } @@ -69,6 +73,7 @@ int SelinuKLog(int logLevel, const char *fmt, ...) if (res == -1) { close(g_fd); g_fd = -1; + va_end(vargs); return -1; } va_end(vargs); diff --git a/interfaces/policycoreutils/src/service_checker.cpp b/interfaces/policycoreutils/src/service_checker.cpp new file mode 100644 index 000000000..49511b16c --- /dev/null +++ b/interfaces/policycoreutils/src/service_checker.cpp 
@@ -0,0 +1,257 @@ +/* + * Copyright (c) 2021 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "service_checker.h" +#include +#include +#include +#include +#include "selinux_klog.h" +#include "selinux_error.h" +#include "callbacks.h" +#include "securec.h" + +using namespace Selinux; + +namespace { +static const std::string SERVICE_CONTEXTS_FILE = "/system/etc/selinux/targeted/contexts/service_contexts"; +static const std::string HDF_SERVICE_CONTEXTS_FILE = "/system/etc/selinux/targeted/contexts/hdf_service_contexts"; +static const std::string OBJECT_PREFIX = "u:object_r:"; +static const std::string SUBJECT_PREFIX = "u:r:"; +static const int CONTEXTS_LENGTH_MIN = 16; // sizeof("x u:object_r:x:s0") +static pthread_once_t FC_ONCE = PTHREAD_ONCE_INIT; +} // namespace + +struct AuditMsg { + pid_t pid; + const char *name; +}; + +static int SelinuxAuditCallback(void *data, security_class_t, char *buf, size_t len) +{ + if (data == nullptr || buf == nullptr) { + return -1; + } + auto *msg = reinterpret_cast(data); + if (!msg || !msg->name) { + selinux_log(SELINUX_ERROR, "audit msg invalid argument\n"); + return -1; + } + if (snprintf_s(buf, len, len - 1, "service=%s pid=%d", msg->name, msg->pid) <= 0) { + return -1; + } + return 0; +} + +static void SelinuxSetCallback() +{ + union selinux_callback cb; + cb.func_log = SelinuKLog; + selinux_set_callback(SELINUX_CB_LOG, cb); + cb.func_audit = SelinuxAuditCallback; + 
selinux_set_callback(SELINUX_CB_AUDIT, cb); +} + +static bool CouldSkip(const std::string &line) +{ + if (line.size() < CONTEXTS_LENGTH_MIN) { + return true; + } + int i = 0; + while (isspace(line[i++])) + ; + if (line[i] == '#') { + return true; + } + if (line.find(OBJECT_PREFIX) == line.npos) { + return true; + } + return false; +} + +static bool StartWith(const std::string &dst, const std::string &prefix) +{ + return dst.compare(0, prefix.size(), prefix) == 0; +} + +static struct ServiceInfo DecodeString(const std::string &line) +{ + std::stringstream input(line); + struct ServiceInfo contextBuff = {"", ""}; + std::string name; + if (input >> name) { + contextBuff.serviceName = name; + } + std::string context; + if (input >> context) { + if (StartWith(context, OBJECT_PREFIX)) { + contextBuff.serviceContext = context; + } + } + return contextBuff; +} + +static int CheckServiceNameValid(const std::string &serviceName) +{ + if (serviceName.empty() || serviceName[0] == '.') { + return -SELINUX_ARG_INVALID; + } + return SELINUX_SUCC; +} + +void ServiceChecker::SetSelinuxLogCallback() +{ + SetSelinuKLogLevel(SELINUX_KINFO); + __selinux_once(FC_ONCE, SelinuxSetCallback); + return; +} + +bool ServiceChecker::ServiceContextsLoad() +{ + // load service_contexts file + std::string name; + if (isHdf_) { + name = HDF_SERVICE_CONTEXTS_FILE; + } else { + name = SERVICE_CONTEXTS_FILE; + } + std::ifstream contextsFile(name); + if (contextsFile) { + int lineNum = 0; + std::string line; + while (getline(contextsFile, line)) { + lineNum++; + if (CouldSkip(line)) + continue; + struct ServiceInfo tmpContext = DecodeString(line); + if (!tmpContext.serviceContext.empty() && !tmpContext.serviceName.empty()) { + serviceMap.emplace(tmpContext.serviceName, tmpContext); + } else { + selinux_log(SELINUX_ERROR, "service_contexts read fail in line %d\n", lineNum); + } + } + } else { + selinux_log(SELINUX_ERROR, "Load service_contexts fail, no such file: %s\n", name.c_str()); + return false; + 
} + selinux_log(SELINUX_INFO, "Load service_contexts succes: %s\n", name.c_str()); + contextsFile.close(); + return true; +} + +int ServiceChecker::GetServiceContext(const std::string &serviceName, std::string &context) +{ + if (CheckServiceNameValid(serviceName) != 0) { + selinux_log(SELINUX_ERROR, "serviceName invalid!\n"); + return -SELINUX_ARG_INVALID; + } + + if (serviceMap.empty()) { + if (!ServiceContextsLoad()) { + return -SELINUX_CONTEXTS_FILE_LOAD_ERROR; + } + } + + auto iter = serviceMap.find(serviceName); + if (iter != serviceMap.end()) { + selinux_log(SELINUX_INFO, "find context: %s\n", iter->second.serviceContext.c_str()); + context = iter->second.serviceContext; + return SELINUX_SUCC; + } + selinux_log(SELINUX_ERROR, "service %s's context not found!\n", serviceName.c_str()); + return -SELINUX_KEY_NOT_FOUND; +} + +static int GetCallingContext(const pid_t &pid, std::string &context) +{ + char *srcContext = nullptr; + int rc = getpidcon(pid, &srcContext); + if (rc < 0) { + selinux_log(SELINUX_ERROR, "getpidcon failed!\n"); + return -SELINUX_GET_CONTEXT_ERROR; + } + context = std::string(srcContext); + freecon(srcContext); + return SELINUX_SUCC; +} + +static int GetThisContext(std::string &context) +{ + char *con = nullptr; + int rc = getcon(&con); + if (rc < 0) { + selinux_log(SELINUX_ERROR, "getcon failed!\n"); + return -SELINUX_GET_CONTEXT_ERROR; + } + context = std::string(con); + freecon(con); + return SELINUX_SUCC; +} + +int ServiceChecker::CheckPerm(const pid_t &callingPid, const std::string &serviceName, std::string action) +{ + std::string srcContext = ""; + int ret = GetCallingContext(callingPid, srcContext); + if (ret < 0) { + return ret; + } + std::string destContext = ""; + if (action == "list") { + ret = GetThisContext(destContext); + } else { + ret = GetServiceContext(serviceName, destContext); + } + if (ret < 0) { + return ret; + } + + if (security_check_context(srcContext.c_str()) < 0 || security_check_context(destContext.c_str()) < 0) { 
+ selinux_log(SELINUX_ERROR, "%s\n", GetErrStr(SELINUX_CHECK_CONTEXT_ERROR)); + return -SELINUX_CHECK_CONTEXT_ERROR; + } + + AuditMsg msg; + msg.name = serviceName.c_str(); + msg.pid = callingPid; + selinux_log(SELINUX_INFO, "srcContext[%s] %s service[%s] destContext[%s]\n", srcContext.c_str(), action.c_str(), + msg.name, destContext.c_str()); + int res = + selinux_check_access(srcContext.c_str(), destContext.c_str(), serviceClass_.c_str(), action.c_str(), &msg); + return res == 0 ? SELINUX_SUCC : -SELINUX_PERMISSION_DENY; +} + +int ServiceChecker::ListServiceCheck(const pid_t &callingPid) +{ + return CheckPerm(callingPid, serviceClass_, "list"); +} + +int ServiceChecker::GetServiceCheck(const pid_t &callingPid, const std::string &serviceName) +{ + return CheckPerm(callingPid, serviceName, "get"); +} + +int ServiceChecker::GetRemoteServiceCheck(const pid_t &callingPid, const std::string &remoteServiceName) +{ + if (isHdf_) { + selinux_log(SELINUX_ERROR, "hdf service has no permission to get remote!\n"); + return -SELINUX_PERMISSION_DENY; + } + return CheckPerm(callingPid, remoteServiceName, "get_remote"); +} + +int ServiceChecker::AddServiceCheck(const pid_t &callingPid, const std::string &serviceName) +{ + return CheckPerm(callingPid, serviceName, "add"); +} diff --git a/interfaces/tools/hap_restorecon/test.cpp b/interfaces/tools/hap_restorecon/test.cpp index e6aa5fa88..f22d67416 100644 --- a/interfaces/tools/hap_restorecon/test.cpp +++ b/interfaces/tools/hap_restorecon/test.cpp @@ -13,14 +13,15 @@ * limitations under the License. */ -#include "hap_restorecon.h" - -#include -#include #include +#include #include #include #include +#include "hap_restorecon.h" +#include "selinux_error.h" + +using namespace Selinux; static const int ALARM_TIME_S = 5; struct testInput { 
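Review bot: In `CouldSkip` (service_checker.cpp) the loop `while (isspace(line[i++]))` leaves `i` one past the first non-blank character, so the `#` test inspects the wrong character. As a result, a line starting with `#` is not recognised as a comment. A commented-out entry that still contains `u:object_r:` is therefore handed to `DecodeString`, where it is either stored under a name beginning with `#` or logged as a read failure. On a line of 16 or more blanks the index ends at `size() + 1`, which reads outside the string, and `isspace` is called on a plain `char`, which is undefined for negative values. The rewrite below bounds the scan and tests the character the scan stopped on.

```cpp
static bool CouldSkip(const std::string &line)
{
    // … unchanged: CONTEXTS_LENGTH_MIN length check …
    size_t i = 0;
    while (i < line.size() && isspace(static_cast<unsigned char>(line[i]))) {
        i++;
    }
    if (i == line.size() || line[i] == '#') {
        return true;
    }
    // … unchanged: OBJECT_PREFIX check and final return …
}
```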
@@ -35,24 +36,25 @@ struct testInput { static void PrintUsage() { printf("Usage:\n"); - printf("hap_restorecon -p /data/app/test -n com.ohos.test -a normal -r 0\n"); + printf("hap_restorecon -p /data/app/el1/100/base/com.ohos.test -n com.ohos.test -a normal -r 0\n"); printf("hap_restorecon -d -n com.ohos.test -a normal\n"); printf("\n"); printf("Options:\n"); - printf(" -h (--help) Show the help information. [eg: hap_restorecon -h]\n"); - printf(" -p (--path) path to restorecon. [eg: -p /data/app/test]\n"); + printf(" -h (--help) show the help information. [eg: hap_restorecon -h]\n"); + printf(" -p (--path) path to restorecon. [eg: -p " + "/data/app/el1/100/base/com.ohos.test]\n"); printf(" -r (--recurse) recurse? [eg: -r 0]\n"); printf(" -a (--apl) apl info. [eg: -a normal]\n"); printf(" -n (--name) package name. [eg: -n com.ohos.test]\n"); printf(" -d (--domain) setcon domian. [eg: -d]\n"); - printf(" -m (--multipath) paths to restorecon. [eg: -m /data/app/test1 " - "/data/app/tes2]\n"); + printf(" -m (--multipath) paths to restorecon. [eg: -m " + "/data/app/el1/100/base/com.ohos.test1 " + "/data/app/el1/100/base/com.ohos.test2]\n"); printf("\n"); } static void SetOptions(int argc, char *argv[], const option *options, testInput &input) { - const char *command = argv[1]; int index = 0; const char *optStr = "hda:p:n:r:m:"; int para = 0; @@ -121,10 +123,10 @@ int main(int argc, char *argv[]) } else { res = test.HapFileRestorecon(testCmd.multiPath, testCmd.apl, testCmd.name, atoi(testCmd.recurse.c_str())); } - std::cout << "restorecon res: " << res << std::endl; + std::cout << GetErrStr(res) << std::endl; } else { res = test.HapDomainSetcontext(testCmd.apl, testCmd.name); - std::cout << "setcon res: " << res << std::endl; + std::cout << GetErrStr(res) << std::endl; sleep(ALARM_TIME_S); } exit(0); diff --git a/interfaces/tools/param_check/test.cpp b/interfaces/tools/param_check/test.cpp index 50846f212..76a0b3572 100644 --- a/interfaces/tools/param_check/test.cpp 
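Review bot: `GetErrStr(res)` in main is handed the raw return value, which on failure is a negated code (the unit tests in this patch expect `-SELINUX_ARG_INVALID` from HapFileRestorecon), whereas service_checker.cpp calls `GetErrStr(SELINUX_CHECK_CONTEXT_ERROR)` with the positive constant. GetErrStr is not defined in the visible part of the patch, so it needs confirming that it handles both signs and bounds-checks the value before any table lookup. The same call is added in interfaces/tools/param_check/test.cpp and interfaces/tools/service_check/test.cpp. Printing the number as well, `std::cout << "restorecon res: " << res << " " << GetErrStr(res) << std::endl;`, keeps the output unambiguous if the string lookup ever falls back to a generic message. main begins outside the hunk.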
+++ b/interfaces/tools/param_check/test.cpp @@ -13,15 +13,14 @@ * limitations under the License. */ -#include -#include #include #include -#include +#include #include -#include -#include #include "selinux_parameter.h" +#include "selinux_error.h" + +using namespace Selinux; const static long USEC_PER_SEC = 1000000L; struct testInput { @@ -114,7 +113,6 @@ static void PrintUsage() static void SetOptions(int argc, char *argv[], const option *options, testInput &input) { - const char *command = argv[1]; int index = 0; const char *optStr = "lhrwn:p:g:"; int para = 0; @@ -181,14 +179,14 @@ int main(int argc, char *argv[]) gettimeofday(&start, nullptr); if (testCmd.read) { res = ReadParamCheck(testCmd.paraName.c_str()); - std::cout << "ReadParamCheck res: " << res << std::endl; + std::cout << GetErrStr(res) << std::endl; } else { struct ucred uc; uc.pid = atoi(testCmd.pid.c_str()); uc.uid = 0; uc.gid = 0; res = SetParamCheck(testCmd.paraName.c_str(), &uc); - std::cout << "SetParamCheck res: " << res << std::endl; + std::cout << GetErrStr(res) << std::endl; } gettimeofday(&end, nullptr); timersub(&end, &start, &diff); diff --git a/interfaces/tools/service_check/test.cpp b/interfaces/tools/service_check/test.cpp new file mode 100644 index 000000000..e5552df94 --- /dev/null +++ b/interfaces/tools/service_check/test.cpp 
@@ -0,0 +1,139 @@ +/* + * Copyright (c) 2021 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include "service_checker.h" +#include "selinux_error.h" + +using namespace Selinux; + +static std::unique_ptr g_service = nullptr; + +struct testInput { + char cmd = '\0'; + bool isHdf = false; +}; + +static void PrintUsage() +{ + std::cout << "Usage:" << std::endl; + std::cout << "step 1:" << std::endl; + std::cout << "service_check (-d) -a|-g|-r|-l" << std::endl; + std::cout << "step 2:" << std::endl; + std::cout << "input service name and press 'enter' to continue, or ctrl+C to end process" << std::endl; + std::cout << "" << std::endl; + std::cout << "Options:" << std::endl; + std::cout << " -h (--help) show the help information. [eg: service_check -h]" << std::endl; + std::cout << "***********************optinal*************************************************" << std::endl; + std::cout << " -d (--isHdf) service or hdf_service. [eg: service_check -d]" << std::endl; + std::cout << "***********************requered: 1 in 4****************************************" << std::endl; + std::cout << " -a (--add) add service check. [eg: service_check -a]" << std::endl; + std::cout << " -g (--get) get service check. [eg: service_check -g]" << std::endl; + std::cout << " -r (--get_remote) get remote service check. [eg: service_check -r]" << std::endl; + std::cout << " -l (--list) list service check. 
[eg: service_check -l]" << std::endl; + std::cout << "" << std::endl; +} + +static void SetOptions(int argc, char *argv[], const option *options, testInput &input) +{ + int index = 0; + const char *optStr = "dhlagr"; + int para = 0; + while ((para = getopt_long(argc, argv, optStr, options, &index)) != -1) { + switch (para) { + case 'h': { + PrintUsage(); + exit(0); + } + case 'd': { + input.isHdf = true; + break; + } + case 'a': { + input.cmd = 'a'; + break; + } + case 'g': { + input.cmd = 'g'; + break; + } + case 'r': { + input.cmd = 'r'; + break; + } + case 'l': { + input.cmd = 'l'; + break; + } + default: + std::cout << "Try 'service_check -h' for more information." << std::endl; + exit(-1); + } + } +} + +int main(int argc, char *argv[]) +{ + struct option options[] = { + {"help", no_argument, nullptr, 'h'}, {"add", no_argument, nullptr, 'a'}, + {"get", no_argument, nullptr, 'g'}, {"get_remote", no_argument, nullptr, 'r'}, + {"isHdf", no_argument, nullptr, 'd'}, {"list", no_argument, nullptr, 'l'}, + {nullptr, no_argument, nullptr, 0}, + }; + + if (argc == 1) { + PrintUsage(); + exit(0); + } + + testInput input; + SetOptions(argc, argv, options, input); + if (input.isHdf) { + g_service = std::make_unique(true); + } else { + g_service = std::make_unique(false); + } + std::string serName; + switch (input.cmd) { + case 'a': { + while (std::cin >> serName) { + std::cout << GetErrStr(g_service->AddServiceCheck(getpid(), serName)) << std::endl; + } + exit(0); + } + case 'g': { + while (std::cin >> serName) { + std::cout << GetErrStr(g_service->GetServiceCheck(getpid(), serName)) << std::endl; + } + exit(0); + } + case 'r': { + while (std::cin >> serName) { + std::cout << GetErrStr(g_service->GetRemoteServiceCheck(getpid(), serName)) << std::endl; + } + exit(0); + } + case 'l': { + std::cout << GetErrStr(g_service->ListServiceCheck(getpid())) << std::endl; + exit(0); + } + default: + exit(-1); + } + + exit(0); +} 
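Review bot: In main, an invocation that selects no action (for example only `-d`) leaves `input.cmd` at '\0' and reaches `default: exit(-1);` without printing anything, and the `exit(0);` after the switch is unreachable because every case exits. Showing the usage before failing makes the mistake visible: `default: PrintUsage(); exit(1);`. Every check is made with `getpid()`, and CheckPerm resolves the source context from that pid through getpidcon, so a result describes only the domain the tool itself runs in. A comment above the switch, such as `// checks are evaluated against this process's own SELinux context`, would stop a success here being read as valid for other callers.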
diff --git a/sepolicy/base/public/attributes b/sepolicy/base/public/attributes index 98679781a..fc1b828ac 100644 --- a/sepolicy/base/public/attributes +++ b/sepolicy/base/public/attributes @@ -61,6 +61,14 @@ attribute sysfs_type; # i.e. ohos_param attribute parameter_type; +# All types of services. +# i.e. bms_service +attribute samgr_type; + +# All types of hdf_services. +# i.e. camera_service +attribute hdf_devmgr_type; + # Type of all processes in the hap format. # i.e. com.ohos.setting attribute hapdomain; diff --git a/sepolicy/base/public/glb_te_def.spt b/sepolicy/base/public/glb_te_def.spt index 1ea4ba750..f5fcd9795 100644 --- a/sepolicy/base/public/glb_te_def.spt +++ b/sepolicy/base/public/glb_te_def.spt @@ -12,26 +12,26 @@ # limitations under the License. define(`domain_transition_pattern',` - allow $1 $2:file { getattr open map read execute ioctl }; - allow $1 $3:process transition; - allow $1 $3:process { noatsecure siginh rlimitinh }; + allow $1 $2:file { getattr open map read execute ioctl }; + allow $1 $3:process transition; + allow $1 $3:process { noatsecure siginh rlimitinh }; ') define(`domain_auto_transition_pattern',` - domain_transition_pattern($1,$2,$3) - type_transition $1 $2:process $3; + domain_transition_pattern($1,$2,$3) + type_transition $1 $2:process $3; ') define(`init_daemon_domain', ` - domain_auto_transition_pattern(init, $1_exec, $1) + domain_auto_transition_pattern(init, $1_exec, $1) ') define(`appspawn _daemon_domain', ` - domain_auto_transition_pattern(appspawn, $1_exec, $1) + domain_auto_transition_pattern(appspawn, $1_exec, $1) ') define(`binder_call', ` - allow $1 $2:binder {call transfer}; - allow $2 $1:binder transfer; - allow $1 $2:fd use; + allow $1 $2:binder {call transfer}; + allow $2 $1:binder transfer; + allow $1 $2:fd use; ') diff --git a/sepolicy/base/public/hdf_service.te b/sepolicy/base/public/hdf_service.te new file mode 100644 index 000000000..f95530dbb --- /dev/null +++ b/sepolicy/base/public/hdf_service.te 
@@ -0,0 +1,15 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type hdf_usbd_service, hdf_devmgr_type; +type hdf_wlan_hal_service, hdf_devmgr_type; diff --git a/sepolicy/base/public/service.te b/sepolicy/base/public/service.te new file mode 100644 index 000000000..ade441934 --- /dev/null +++ b/sepolicy/base/public/service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type ams_service, samgr_type; +type bms_service, samgr_type; diff --git a/sepolicy/base/system/access_vectors b/sepolicy/base/system/access_vectors index bbde5a2fb..80529df0d 100644 --- a/sepolicy/base/system/access_vectors +++ b/sepolicy/base/system/access_vectors @@ -493,5 +493,18 @@ class xdp_socket inherits socket class parameter_service { - set + set +} +class samgr_class +{ + add + get + get_remote + list +} +class hdf_devmgr_class +{ + add + get + list } \ No newline at end of file 
diff --git a/sepolicy/base/system/security_classes b/sepolicy/base/system/security_classes index 17ecde169..a61af086f 100644 --- a/sepolicy/base/system/security_classes +++ b/sepolicy/base/system/security_classes @@ -104,3 +104,5 @@ class process2 class bpf class xdp_socket class parameter_service +class samgr_class +class hdf_devmgr_class diff --git a/sepolicy/hdf_service_contexts b/sepolicy/hdf_service_contexts new file mode 100644 index 000000000..a968ee195 --- /dev/null +++ b/sepolicy/hdf_service_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +usbd u:object_r:hdf_usbd_service:s0 +wlan_hal_service u:object_r:hdf_wlan_hal_service:s0 diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts new file mode 100644 index 000000000..639bc798d --- /dev/null +++ b/sepolicy/service_contexts 
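Review bot: Neither this file nor sepolicy/service_contexts documents its line format or the effect of a missing entry. GetServiceContext in service_checker.cpp returns `-SELINUX_KEY_NOT_FOUND` for a name that is not in its map and CheckPerm returns that error to the caller, so a service with no entry is refused for every action except list. A header comment such as `# <service name> <SELinux context>; a name with no entry here is refused by ServiceChecker` would record that. Which of the two files a given checker loads is decided in code outside this view.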
@@ -0,0 +1,15 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ams u:object_r:ams_service:s0 +bms u:object_r:bms_service:s0 diff --git a/test/selinux_test.c b/test/selinux_test.c index a7525ed67..eae0946af 100644 --- a/test/selinux_test.c +++ b/test/selinux_test.c @@ -13,13 +13,9 @@ * limitations under the License. */ -#include -#include -#include -#include -#include #include #include +#include #define BUFFLEN (1000) @@ -31,6 +27,7 @@ int OpenFile(char *file) fp = fopen(file, "r"); if (fp != NULL) { if (memset_s(buf, sizeof(buf), 0, BUFFLEN) != 0) { + fclose(fp); return 0; } @@ -44,7 +41,7 @@ int OpenFile(char *file) int main(int argc, char *argv[]) { - const sleepSeconds = 1; + const int sleepSeconds = 1; char *files[] = { "/data/abcd.txt", "/data/abcd2.txt", diff --git a/test/unittest/src/selinux_unit_test.cpp b/test/unittest/src/selinux_unit_test.cpp index d567d018b..2fbd50eb1 100644 --- a/test/unittest/src/selinux_unit_test.cpp +++ b/test/unittest/src/selinux_unit_test.cpp @@ -256,7 +256,7 @@ HWTEST_F(SelinuxUnitTest, HapFileRestorecon003, TestSize.Level1) ASSERT_EQ(true, CreateDirectory(TEST_SUB_PATH_1)); // apl=system_core name=com.ohos.test domain= type= int ret = test.HapFileRestorecon(TEST_SUB_PATH_1, TEST_APL, "com.ohos.test", 0); - ASSERT_EQ(-SELINUX_TYPE_INVALID, ret); + ASSERT_EQ(-SELINUX_ARG_INVALID, ret); ASSERT_EQ(true, RemoveDirectory(TEST_PATH)); } 
@@ -622,7 +622,7 @@ HWTEST_F(SelinuxUnitTest, HapDomainSetcontext002, TestSize.Level1) { // apl=system_core name=com.ohos.test domain= type= int ret = test.HapDomainSetcontext(TEST_APL, "com.ohos.test"); - ASSERT_EQ(-SELINUX_TYPE_INVALID, ret); + ASSERT_EQ(-SELINUX_ARG_INVALID, ret); } /** -- Gitee