From ecdca37c6d225852f1d84f1eb4db284654661c69 Mon Sep 17 00:00:00 2001
From: yangjindong-y50044362 <yangjindong4@huawei.com>
Date: Wed, 21 Aug 2024 17:06:59 +0800
Subject: [PATCH] =?UTF-8?q?code=5Fsign=E6=A8=A1=E5=9D=97=E9=80=82=E9=85=8D?=
 =?UTF-8?q?linux6.6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: yangjindong-y50044362 <yangjindong4@huawei.com>
---
 code_sign/code_sign_elf.c     | 24 +++++++++++++++++++++---
 code_sign/code_sign_ext.c     | 10 ++++++----
 code_sign/code_sign_ioctl.c   | 27 ++++++++++++++++-----------
 code_sign/verify_cert_chain.c |  8 +++++++-
 4 files changed, 50 insertions(+), 19 deletions(-)

diff --git a/code_sign/code_sign_elf.c b/code_sign/code_sign_elf.c
index 9c9a3dc..0745061 100644
--- a/code_sign/code_sign_elf.c
+++ b/code_sign/code_sign_elf.c
@@ -4,14 +4,22 @@
  */
 
 #include <asm/byteorder.h>
+#include <linux/version.h>
 #include <linux/fsverity.h>
 #include <linux/slab.h>
 
-#include "dsmm_developer.h"
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 6, 0)
+#include <linux/pagemap.h>
+#endif
+
 #include "code_sign_elf.h"
 #include "code_sign_log.h"
 #include "verify_cert_chain.h"
 
+#ifdef CONFIG_SECURITY_XPM
+#include "dsmm_developer.h"
+#endif
+
 #define SIGN_HEAD_SIZE (sizeof(sign_head_t))
 
 static void parse_sign_head(sign_head_t *out, char *ptr)
@@ -197,12 +205,20 @@ out:
 
 int elf_file_enable_fs_verity(struct file *file)
 {
+#ifdef CONFIG_SECURITY_XPM
 	/* developer mode */
 	if (get_developer_mode_state() != STATE_ON) {
 		code_sign_log_info("developer mode off, elf not allowed to execute");
 		return -EINVAL;
 	}
+#else
+	code_sign_log_info("developer mode off, elf not allowed to execute");
+	return -EINVAL;
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
 	mm_segment_t fs;
+#endif
 	char *path_buf = kzalloc(PATH_MAX, GFP_KERNEL);
 	if (!path_buf) {
 		code_sign_log_error("alloc mem for path_buf failed");
@@ -245,10 +261,10 @@ int elf_file_enable_fs_verity(struct file *file)
 		err = -ENOMEM;
 		goto filp_close_out;
 	}
-
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
 	fs = get_fs();
 	set_fs(KERNEL_DS);
-
+#endif
 	ssize_t cnt = vfs_read(fp, sign_head_ptr, SIGN_HEAD_SIZE, &pos);
 	if (cnt != SIGN_HEAD_SIZE) {
 		code_sign_log_error("read sign head from file failed: return value %lu, expect %u bytes",
@@ -278,7 +294,9 @@ int elf_file_enable_fs_verity(struct file *file)
 
 release_sign_head_out:
 	kfree(sign_head_ptr);
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
 	set_fs(fs);
+#endif
 filp_close_out:
 	filp_close(fp, NULL);
 release_path_buf_out:
diff --git a/code_sign/code_sign_ext.c b/code_sign/code_sign_ext.c
index 4811b26..8aa9f57 100644
--- a/code_sign/code_sign_ext.c
+++ b/code_sign/code_sign_ext.c
@@ -25,9 +25,11 @@ static inline int check_code_sign_descriptor(const struct inode *inode,
 	if (!desc->cs_version)
 		return 0;
 
-	if (le64_to_cpu(desc->pgtypeinfo_off) > le64_to_cpu(desc->data_size) - le32_to_cpu(desc->pgtypeinfo_size)) {
-		code_sign_log_error("Wrong offset: %llu (pgtypeinfo_off) > %llu (data_size) - %u (pgtypeinfo_size)",
-				le64_to_cpu(desc->pgtypeinfo_off), le64_to_cpu(desc->data_size), le32_to_cpu(desc->pgtypeinfo_size));
+	// when calc pgtypeinfo_size, trans bit size to byte size
+	u32 pgtypeinfo_size_bytes = le32_to_cpu(desc->pgtypeinfo_size) / 8;
+	if (le64_to_cpu(desc->pgtypeinfo_off) > le64_to_cpu(desc->data_size) - pgtypeinfo_size_bytes) {
+		code_sign_log_error("Wrong offset: %llu (pgtypeinfo_off) > %llu (data_size) - %u (pgtypeinfo_size)", 
+		le64_to_cpu(desc->pgtypeinfo_off), le64_to_cpu(desc->data_size), pgtypeinfo_size_bytes);
 		return -EINVAL;
 	}
 
@@ -70,8 +72,8 @@ void code_sign_before_measurement(void *_desc, int *ret)
 	struct code_sign_descriptor *desc = CAST_CODE_SIGN_DESC(_desc);
 
 	if (desc->cs_version == 1) {
-		desc->cs_version = 0;
 		*ret = desc->cs_version;
+		desc->cs_version = 0;
 	} else {
 		*ret = desc->cs_version;
 	}
diff --git a/code_sign/code_sign_ioctl.c b/code_sign/code_sign_ioctl.c
index 16e640c..7f8d810 100644
--- a/code_sign/code_sign_ioctl.c
+++ b/code_sign/code_sign_ioctl.c
@@ -8,9 +8,9 @@
 #include <linux/spinlock.h>
 #include <linux/types.h>
 #include <linux/compat.h>
+#include <linux/version.h>
 #include "avc.h"
 #include "objsec.h"
-#include "dsmm_developer.h"
 #include "code_sign_ioctl.h"
 #include "code_sign_log.h"
 
@@ -71,8 +71,11 @@ int code_sign_check_caller(char *caller)
 	u32 sid = current_sid(), context_len;
 	char *context = NULL;
 	int rc;
-
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
 	rc = security_sid_to_context(&selinux_state, sid, &context, &context_len);
+#else
+	rc = security_sid_to_context(sid, &context, &context_len);
+#endif
 	if (rc)
 		return -EINVAL;
 
@@ -180,11 +183,17 @@ int code_sign_avc_has_perm(u16 tclass, u32 requested)
 	struct av_decision avd;
 	u32 sid = current_sid();
 	int rc, rc2;
-
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
 	rc = avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested,
 		AVC_STRICT, &avd);
 	rc2 = avc_audit(&selinux_state, sid, sid, tclass, requested, &avd, rc,
 		NULL, AVC_STRICT);
+#else
+	rc = avc_has_perm_noaudit(sid, sid, tclass, requested,
+		AVC_STRICT, &avd);
+	rc2 = avc_audit(sid, sid, tclass, requested, &avd, rc,
+		NULL);
+#endif
 	if (rc2)
 		return rc2;
 
@@ -288,10 +297,8 @@ long code_sign_ioctl(struct file *filp, unsigned int cmd, unsigned long args)
 
 			if (ret == 1) {
 				// developer cert
-				if (get_developer_mode_state() == STATE_ON) {
-					code_sign_log_debug("add developer cert");
-					ret = cert_chain_insert(&dev_cert_chain_tree, source);
-				}
+				code_sign_log_debug("add developer cert");
+				ret = cert_chain_insert(&dev_cert_chain_tree, source);
 			} else {
 				code_sign_log_debug("add release cert");
 				ret = cert_chain_insert(&cert_chain_tree, source);
@@ -314,10 +321,8 @@ long code_sign_ioctl(struct file *filp, unsigned int cmd, unsigned long args)
 
 			if (ret == 1) {
 				// developer cert
-				if (get_developer_mode_state() == STATE_ON) {
-					code_sign_log_debug("remove developer cert");
-					ret = cert_chain_remove(&dev_cert_chain_tree, source);
-				}
+				code_sign_log_debug("remove developer cert");
+				ret = cert_chain_remove(&dev_cert_chain_tree, source);
 			} else {
 				code_sign_log_debug("remove release cert");
 				ret = cert_chain_remove(&cert_chain_tree, source);
diff --git a/code_sign/verify_cert_chain.c b/code_sign/verify_cert_chain.c
index 908dd6b..3e9d096 100644
--- a/code_sign/verify_cert_chain.c
+++ b/code_sign/verify_cert_chain.c
@@ -6,15 +6,19 @@
 #include <linux/cred.h>
 #include <linux/key.h>
 #include <linux/slab.h>
+#include <linux/version.h>
 #include <linux/verification.h>
 #include <crypto/pkcs7.h>
 #include "objsec.h"
-#include "dsmm_developer.h"
 #include "code_sign_ext.h"
 #include "code_sign_ioctl.h"
 #include "code_sign_log.h"
 #include "verify_cert_chain.h"
 
+#ifdef CONFIG_SECURITY_XPM
+#include "dsmm_developer.h"
+#endif
+
 /*
  * Find the key (X.509 certificate) to use to verify a PKCS#7 message.  PKCS#7
  * uses the issuer's name and the issuing certificate serial number for
@@ -144,11 +148,13 @@ void code_sign_verify_certchain(const void *raw_pkcs7, size_t pkcs7_len,
 
 	bool is_dev_mode = false;
 
+#ifdef CONFIG_SECURITY_XPM
 	// developer mode && developer proc
 	if (get_developer_mode_state() == STATE_ON) {
 		code_sign_log_info("developer mode on");
 		is_dev_mode = true;
 	}
+#endif
 
 	for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
 		/* Find the key for the signature if there is one */
-- 
Gitee