• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2021 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #ifndef BASE_STARTUP_PARAM_SECURITY_H
17 #define BASE_STARTUP_PARAM_SECURITY_H
18 #include <stdint.h>
19 #ifndef __LINUX__
20 #include <sys/socket.h>
21 #endif
22 #include <sys/types.h>
23 #ifdef PARAM_SUPPORT_SELINUX
24 #include "selinux_parameter.h"
25 #endif
26 
27 #include "beget_ext.h"
28 
29 #ifdef __cplusplus
30 #if __cplusplus
31 extern "C" {
32 #endif
33 #endif
34 
35 #define DAC_GROUP_START 3
36 #define DAC_OTHER_START 6
37 #define DAC_READ 0x0100  // 4
38 #define DAC_WRITE 0x0080 // 2
39 #define DAC_WATCH 0x0040 // 1
40 #define DAC_ALL_PERMISSION 0777
41 
42 #define LABEL_ALL_PERMISSION 0x04
43 #define LABEL_CHECK_IN_ALL_PROCESS 0x02
44 #define LABEL_INIT_FOR_INIT 0x01
45 
46 #define SELINUX_CONTENT_LEN 64
47 #define SYS_UID_INDEX      1000
48 
49 #define DAC_RESULT_PERMISSION 0
50 
51 #define USER_BUFFER_LEN 64
52 #define GROUP_FORMAT "const.%u_%u"
53 
54 #define INVALID_SELINUX_INDEX ((uint32_t)-1)
55 
56 typedef struct UserCred {
57     pid_t pid;
58     uid_t uid;
59     gid_t gid;
60 } UserCred;
61 
62 typedef enum {
63     PARAM_SECURITY_DAC = 0,
64 #ifdef PARAM_SUPPORT_SELINUX
65     PARAM_SECURITY_SELINUX,
66 #endif
67     PARAM_SECURITY_MAX
68 } ParamSecurityType;
69 
70 typedef struct {
71     int32_t sockFd;
72     UserCred cred;
73     uint32_t flags[PARAM_SECURITY_MAX];
74 } ParamSecurityLabel;
75 
76 typedef struct {
77     pid_t pid;
78     uid_t uid;
79     gid_t gid;
80     uint16_t mode;
81     uint8_t paramType;
82 } ParamDacData;
83 
84 typedef struct {
85     ParamDacData dacData;
86     const char *name;
87 #ifdef PARAM_SUPPORT_SELINUX
88     char label[SELINUX_CONTENT_LEN];
89     uint32_t selinuxIndex;
90 #endif
91 } ParamAuditData;
92 
93 struct WorkSpace_;
94 typedef struct ParamLabelIndex_ {
95     uint32_t selinuxLabelIndex;
96     uint32_t dacLabelIndex;
97     struct WorkSpace_ *workspace;
98 } ParamLabelIndex;
99 
100 typedef struct {
101     char name[10];
102     int (*securityInitLabel)(ParamSecurityLabel *label, int isInit);
103     int (*securityGetLabel)(const char *path);
104     int (*securityCheckFilePermission)(const ParamSecurityLabel *label, const char *fileName, int flags);
105     int (*securityCheckParamPermission)(const ParamLabelIndex *labelIndex,
106         const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
107     int (*securityFreeLabel)(ParamSecurityLabel *srcLabel);
108 } ParamSecurityOps;
109 
110 typedef int (*RegisterSecurityOpsPtr)(ParamSecurityOps *ops, int isInit);
111 typedef struct SelinuxSpace_ {
112     void *selinuxHandle;
113 #ifdef PARAM_SUPPORT_SELINUX
114     void (*setSelinuxLogCallback)(void);
115     int (*setParamCheck)(const char *paraName, const char *destContext, const SrcInfo *info);
116     const char *(*getParamLabel)(const char *paraName);
117     int (*initParamSelinux)(int isInit);
118     int (*readParamCheck)(const char *paraName);
119     ParamContextsList *(*getParamList)(void);
120     void (*destroyParamList)(ParamContextsList **list);
121     int (*getParamLabelIndex)(const char *paraName);
122 #endif
123 } SelinuxSpace;
124 
125 #ifdef PARAM_SUPPORT_SELINUX
126 INIT_LOCAL_API int RegisterSecuritySelinuxOps(ParamSecurityOps *ops, int isInit);
127 #endif
128 
129 INIT_LOCAL_API ParamSecurityOps *GetParamSecurityOps(int type);
130 INIT_LOCAL_API void LoadGroupUser(void);
131 INIT_LOCAL_API int RegisterSecurityDacOps(ParamSecurityOps *ops, int isInit);
132 INIT_LOCAL_API int RegisterSecurityOps(int onlyRead);
133 
134 #ifdef STARTUP_INIT_TEST
135 STATIC_INLINE int DacCheckParamPermission(const ParamLabelIndex *labelIndex,
136     const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
137 STATIC_INLINE int SelinuxCheckParamPermission(const ParamLabelIndex *labelIndex,
138     const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
139 #endif
140 #ifdef __cplusplus
141 #if __cplusplus
142 }
143 #endif
144 #endif
145 #endif  // BASE_STARTUP_PARAM_SECURITY_H
146