diff --git a/LICENSE b/LICENSE
index 8eddf19d0568ff3af1bcd1ca9163e875da8cbc0d..21795c929b88afa5e7b1a2a84e620d9cf123b910 100644
--- a/LICENSE
+++ b/LICENSE
@@ -9,5 +9,6 @@
./container_escape_detection
./module_sample
./pac/
+ ./dec
As for the specific use of the licenses, please refer to the relevant description in the documents.
diff --git a/OAT.xml b/OAT.xml
index f4ef13823b6d0d5a44d2d5a611e565e8231992e8..dfa276cdb30319b153acd22e192be2350b397128 100644
--- a/OAT.xml
+++ b/OAT.xml
@@ -66,7 +66,9 @@ Note:If the text contains special characters, please escape them according to th
-
+
+
+
@@ -76,7 +78,9 @@ Note:If the text contains special characters, please escape them according to th
-
+
+
+
@@ -99,7 +103,8 @@ Note:If the text contains special characters, please escape them according to th
-
+
+
diff --git a/code_sign/code_sign_ext.c b/code_sign/code_sign_ext.c
index afe042278473faa5d1b794d8c8ec62856332e1be..4811b26c4dbcd45b481793456b876d3ac4be07f8 100644
--- a/code_sign/code_sign_ext.c
+++ b/code_sign/code_sign_ext.c
@@ -25,9 +25,11 @@ static inline int check_code_sign_descriptor(const struct inode *inode,
if (!desc->cs_version)
return 0;
- if (desc->__reserved1 ||
- memchr_inv(desc->__reserved2, 0, sizeof(desc->__reserved2)))
+ if (le64_to_cpu(desc->pgtypeinfo_off) > le64_to_cpu(desc->data_size) - le32_to_cpu(desc->pgtypeinfo_size)) {
+ code_sign_log_error("Wrong offset: %llu (pgtypeinfo_off) > %llu (data_size) - %u (pgtypeinfo_size)",
+ le64_to_cpu(desc->pgtypeinfo_off), le64_to_cpu(desc->data_size), le32_to_cpu(desc->pgtypeinfo_size));
return -EINVAL;
+ }
if (le64_to_cpu(desc->data_size) > inode->i_size) {
code_sign_log_error("Wrong data_size: %llu (desc) > %lld (inode)",
@@ -67,11 +69,11 @@ void code_sign_before_measurement(void *_desc, int *ret)
{
struct code_sign_descriptor *desc = CAST_CODE_SIGN_DESC(_desc);
- if (desc->cs_version) {
- // replace version with cs_version
- desc->version = desc->cs_version;
+ if (desc->cs_version == 1) {
desc->cs_version = 0;
- *ret = desc->version;
+ *ret = desc->cs_version;
+ } else {
+ *ret = desc->cs_version;
}
}
@@ -79,7 +81,7 @@ void code_sign_after_measurement(void *_desc, int version)
{
struct code_sign_descriptor *desc = CAST_CODE_SIGN_DESC(_desc);
- if (version) {
+ if (version == 1) {
// restore cs_version
desc->cs_version = desc->version;
desc->version = version;
diff --git a/dec/Kconfig b/dec/Kconfig
new file mode 100644
index 0000000000000000000000000000000000000000..9f9cbda17d8db0c87fcb90434d4a5b9d82705277
--- /dev/null
+++ b/dec/Kconfig
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+#
+config SECURITY_DEC
+ bool "Data enhance control features"
+
+ default y
+ help
+ This option enables file operation permission verification
+ at VFS layer.
+
+ If unsure, say N.
diff --git a/dec/Makefile b/dec/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..efd9cfef5993875569cbca81e83f99d476f471b7
--- /dev/null
+++ b/dec/Makefile
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+#
+obj-$(CONFIG_SECURITY_DEC) += \
+ dec_misc.o
+
+ccflags-$(CONFIG_SECURITY_DEC) += \
+ -I$(srctree)/fs/dec
+
+$(addprefix $(obj)/,$(obj-y)): $(obj)/flask.h
+
+quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
+ cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
+
+targets += flask.h av_permissions.h
+$(obj)/flask.h: $(srctree)/security/selinux/include/classmap.h FORCE
+ $(call if_changed,flask)
diff --git a/dec/apply_dec.sh b/dec/apply_dec.sh
new file mode 100644
index 0000000000000000000000000000000000000000..6f63fb5e8d525b0bec012df1732819a53e08cdfc
--- /dev/null
+++ b/dec/apply_dec.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+
+set -e
+
+OHOS_SOURCE_ROOT=$1
+KERNEL_BUILD_ROOT=$2
+PRODUCT_NAME=$3
+KERNEL_VERSION=$4
+DEC_SOURCE_ROOT=$OHOS_SOURCE_ROOT/kernel/linux/common_modules/dec
+
+function main()
+{
+ pushd .
+
+ if [ ! -d "$KERNEL_BUILD_ROOT/fs/dec" ]; then
+ mkdir $KERNEL_BUILD_ROOT/fs/dec
+ fi
+
+ cd $KERNEL_BUILD_ROOT/fs/dec
+ ln -s -f $(realpath --relative-to=$KERNEL_BUILD_ROOT/fs/dec $DEC_SOURCE_ROOT)/* ./
+
+ popd
+}
+
+main
diff --git a/dec/dec_misc.c b/dec/dec_misc.c
new file mode 100644
index 0000000000000000000000000000000000000000..534ce5ce622bf8c82e28feefafbad0c13945fd12
--- /dev/null
+++ b/dec/dec_misc.c
@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "dec_misc.h"
+
+static int vfs_deal_policy_cmd(unsigned int cmd, void __user *arg)
+{
+ pr_info("vfs dec deal policy cmd:%u\n", cmd);
+ int ret = 0;
+ struct dec_policy_info info = { 0 };
+
+ ret = copy_from_user(&info, arg, sizeof(info));
+ if (ret != 0) {
+ pr_err("copy from user failed\n");
+ return -EFAULT;
+ }
+
+ pr_info("tokenid:%lu path_num:%u persist_flag:%d\n", info.tokenid, info.path_num, info.persist_flag);
+
+ return ret;
+}
+
+static int vfs_destroy_dec_policy(void __user *arg)
+{
+ int ret = 0;
+ uint64_t tokenid;
+
+ ret = copy_from_user(&tokenid, arg, sizeof(tokenid));
+ if (ret != 0) {
+ pr_err("destroy dec policy copy from caller failed\n");
+ return -EFAULT;
+ }
+
+ pr_info("destroy dec policy tokenid:%ld\n", tokenid);
+ return 0;
+}
+
+static long dec_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+{
+ pr_info("dec ioctl cmd:%u\n", cmd);
+ int ret = 0;
+
+ switch (cmd) {
+ case SET_DEC_POLICY_CMD:
+ case DEL_DEC_POLICY_CMD:
+ case QUERY_DEC_POLICY_CMD:
+ case CHECK_DEC_POLICY_CMD:
+ case CONSTRAINT_DEC_POLICY_CMD:
+ case DENY_DEC_POLICY_CMD:
+ ret = vfs_deal_policy_cmd(cmd, (void __user *)arg);
+ break;
+ case DESTROY_DEC_POLICY_CMD:
+ ret = vfs_destroy_dec_policy((void __user *)arg);
+ break;
+ default:
+ ret = -EINVAL;
+ break;
+ }
+
+ return 0;
+}
+
+static int dec_open(struct inode *inode, struct file *filp)
+{
+ pr_info("dec open\n");
+ return 0;
+}
+
+static int dec_release(struct inode *inode, struct file *filp)
+{
+ pr_info("dec close\n");
+ return 0;
+}
+
+static const struct file_operations dec_fops = {
+ .owner = THIS_MODULE,
+ .open = dec_open,
+ .release = dec_release,
+ .unlocked_ioctl = dec_ioctl,
+ .compat_ioctl = dec_ioctl,
+};
+
+static struct miscdevice dec_misc = {
+ .minor = MISC_DYNAMIC_MINOR,
+ .name = "dec",
+ .fops = &dec_fops,
+};
+
+static int __init dec_init(void)
+{
+ int err = 0;
+
+ err = misc_register(&dec_misc);
+ if (err < 0) {
+ pr_err("dec device init failed\n");
+ return err;
+ }
+
+ pr_err("dec device init success\n");
+ return 0;
+}
+
+static void __exit dec_exit(void)
+{
+ misc_deregister(&dec_misc);
+ pr_info("dec exited");
+}
+
+/* module entry points */
+module_init(dec_init);
+module_exit(dec_exit);
+
+MODULE_LICENSE("GPL");
diff --git a/dec/dec_misc.h b/dec/dec_misc.h
new file mode 100644
index 0000000000000000000000000000000000000000..1154ece0904126309605e2195957acd9689e8a0e
--- /dev/null
+++ b/dec/dec_misc.h
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+
+#ifndef _DEC_MISC_H
+#define _DEC_MISC_H
+
+#include
+#include
+#include
+
+#define MAX_PATH_NUM 8
+
+#define DEV_DEC_MINOR 0x25
+#define DEC_IOCTL_BASE 's'
+#define SET_POLICY_ID 1
+#define DEL_POLICY_ID 2
+#define QUERY_POLICY_ID 3
+#define CHECK_POLICY_ID 4
+#define DESTROY_POLICY_ID 5
+#define CONSTRAINT_POLICY_ID 6
+#define DENY_POLICY_ID 7
+
+struct path_info {
+ char* path;
+ uint32_t path_len;
+ uint32_t mode;
+ bool ret_flag;
+};
+
+struct dec_policy_info {
+ uint64_t tokenid;
+ struct path_info path[MAX_PATH_NUM];
+ uint32_t path_num;
+ bool persist_flag;
+};
+
+#define SET_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, SET_POLICY_ID, struct dec_policy_info)
+#define DEL_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, DEL_POLICY_ID, struct dec_policy_info)
+#define QUERY_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, QUERY_POLICY_ID, struct dec_policy_info)
+#define CHECK_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, CHECK_POLICY_ID, struct dec_policy_info)
+#define CONSTRAINT_DEC_POLICY_CMD \
+ _IOW(DEC_IOCTL_BASE, CONSTRAINT_POLICY_ID, struct dec_policy_info)
+#define DENY_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, DENY_POLICY_ID, struct dec_policy_info)
+#define DESTROY_DEC_POLICY_CMD \
+ _IOW(DEC_IOCTL_BASE, DESTROY_POLICY_ID, uint64_t)
+
+#endif /* _DEC_MISC_H */
\ No newline at end of file
diff --git a/qos_auth/include/auth_ctrl.h b/qos_auth/include/auth_ctrl.h
index 3fa0be5586e768e4ca9d32631be970bad509378a..f2e04ee959666450efe3eece4a1e547df9c29178 100644
--- a/qos_auth/include/auth_ctrl.h
+++ b/qos_auth/include/auth_ctrl.h
@@ -14,7 +14,8 @@
#define SYSTEM_UID 1000
#define SUPER_UID SYSTEM_UID
-#define super_uid(uid) (uid == ROOT_UID || uid == SYSTEM_UID)
+#define RESOURCE_SCHEDULE_SERVICE_UID 1096
+#define super_uid(uid) (uid == ROOT_UID || uid == SYSTEM_UID || uid == RESOURCE_SCHEDULE_SERVICE_UID)
enum ioctl_abi_format_auth{
AUTH_IOCTL_ABI_ARM32,
diff --git a/ucollection/ucollection_process_cpu.c b/ucollection/ucollection_process_cpu.c
index db12fbe786b4627622463bb0b63142bdc9617c9e..79d0cf8d41eaf54a857739c803ced1e1c4da9b42 100644
--- a/ucollection/ucollection_process_cpu.c
+++ b/ucollection/ucollection_process_cpu.c
@@ -96,6 +96,7 @@ static void get_thread_load(struct task_struct *task, int cur_count,
do_div(utime, NS_TO_MS);
do_div(stime, NS_TO_MS);
thread_cpu_item.tid = task->pid;
+ strcpy(thread_cpu_item.name, task->comm);
thread_cpu_item.cpu_usage_utime = utime;
thread_cpu_item.cpu_usage_stime = stime;
thread_cpu_item.cpu_load_time = 0;
diff --git a/ucollection/unified_collection_data.h b/ucollection/unified_collection_data.h
index 67e270fa488152d668575677652ddd18150e8669..e261dd9cf4bceafd66ffeb7434b19da4e69ebe73 100644
--- a/ucollection/unified_collection_data.h
+++ b/ucollection/unified_collection_data.h
@@ -39,6 +39,7 @@ struct ucollection_process_thread_count {
struct ucollection_thread_cpu_item {
int tid;
+ char name[16]; // 16 : max length of thread name
unsigned long long cpu_usage_utime;
unsigned long long cpu_usage_stime;
unsigned long long cpu_load_time;