1 /* 2 * Copyright (c) 2021 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 #ifndef BASE_STARTUP_PARAM_SECURITY_H 17 #define BASE_STARTUP_PARAM_SECURITY_H 18 #include <stdint.h> 19 #include <sys/types.h> 20 #ifdef __cplusplus 21 #if __cplusplus 22 extern "C" { 23 #endif 24 #endif 25 26 #define DAC_GROUP_START 3 27 #define DAC_OTHER_START 6 28 #define DAC_READ 0x0100 29 #define DAC_WRITE 0x0080 30 #define DAC_WATCH 0x0040 31 #define DAC_ALL_PERMISSION 0777 32 33 #define LABEL_ALL_PERMISSION 0x04 34 #define LABEL_CHECK_FOR_ALL_PROCESS 0x02 35 #define LABEL_INIT_FOR_INIT 0x01 36 37 #define LABEL_IS_CLIENT_CHECK_PERMITTED(label) \ 38 ((label) != NULL) && ((((label)->flags & (LABEL_CHECK_FOR_ALL_PROCESS)) == (LABEL_CHECK_FOR_ALL_PROCESS)) && \ 39 (((label)->flags & (LABEL_ALL_PERMISSION)) != (LABEL_ALL_PERMISSION))) 40 41 #define LABEL_IS_ALL_PERMITTED(label) \ 42 (((label) == NULL) || ((label)->flags & LABEL_ALL_PERMISSION) == (LABEL_ALL_PERMISSION)) 43 44 typedef enum { 45 DAC_RESULT_PERMISSION = 0, 46 DAC_RESULT_INVALID_PARAM = 1000, 47 DAC_RESULT_FORBIDED, 48 } DAC_RESULT; 49 50 typedef struct UserCred { 51 pid_t pid; 52 uid_t uid; 53 gid_t gid; 54 } UserCred; 55 56 typedef struct { 57 uint32_t flags; 58 UserCred cred; 59 } ParamSecurityLabel; 60 61 typedef struct { 62 pid_t pid; 63 uid_t uid; 64 gid_t gid; 65 uint32_t mode; // 访问权限 66 } ParamDacData; 67 68 typedef struct { 69 ParamDacData dacData; 70 const char *name; 71 const char *label; 72 } ParamAuditData; 73 74 typedef int (*SecurityLabelFunc)(const ParamAuditData *auditData, void *context); 75 76 typedef struct { 77 int (*securityInitLabel)(ParamSecurityLabel **label, int isInit); 78 int (*securityGetLabel)(SecurityLabelFunc label, const char *path, void *context); 79 int (*securityCheckFilePermission)(const ParamSecurityLabel *label, const char *fileName, int flags); 80 int (*securityCheckParamPermission)(const ParamSecurityLabel *srcLabel, 81 const ParamAuditData *auditData, uint32_t mode); 82 int (*securityEncodeLabel)(const ParamSecurityLabel *srcLabel, char *buffer, uint32_t *bufferSize); 83 int (*securityDecodeLabel)(ParamSecurityLabel **srcLabel, const char *buffer, uint32_t bufferSize); 84 int (*securityFreeLabel)(ParamSecurityLabel *srcLabel); 85 } ParamSecurityOps; 86 87 typedef int (*RegisterSecurityOpsPtr)(ParamSecurityOps *ops, int isInit); 88 89 int RegisterSecurityOps(ParamSecurityOps *ops, int isInit); 90 91 typedef struct { 92 SecurityLabelFunc label; 93 void *context; 94 } LabelFuncContext; 95 96 int GetParamSecurityAuditData(const char *name, int type, ParamAuditData *auditData); 97 98 #ifdef PARAM_SUPPORT_SELINUX 99 #ifdef PARAM_SUPPORT_DAC 100 #error param security only support one. 101 #endif 102 #else 103 #define PARAM_SUPPORT_DAC 1 // default support dac 104 #endif 105 106 #ifdef __cplusplus 107 #if __cplusplus 108 } 109 #endif 110 #endif 111 #endif // BASE_STARTUP_PARAM_SECURITY_H