diff --git a/LICENSE b/LICENSE
index 8eddf19d0568ff3af1bcd1ca9163e875da8cbc0d..21795c929b88afa5e7b1a2a84e620d9cf123b910 100644
--- a/LICENSE
+++ b/LICENSE
@@ -9,5 +9,6 @@
./container_escape_detection
./module_sample
./pac/
+ ./dec
As for the specific use of the licenses, please refer to the relevant description in the documents.
diff --git a/OAT.xml b/OAT.xml
index f4ef13823b6d0d5a44d2d5a611e565e8231992e8..dfa276cdb30319b153acd22e192be2350b397128 100644
--- a/OAT.xml
+++ b/OAT.xml
@@ -66,7 +66,9 @@ Note:If the text contains special characters, please escape them according to th
-
+
+
+
@@ -76,7 +78,9 @@ Note:If the text contains special characters, please escape them according to th
-
+
+
+
@@ -99,7 +103,8 @@ Note:If the text contains special characters, please escape them according to th
-
+
+
diff --git a/README.OpenSource b/README.OpenSource
deleted file mode 100644
index 05419d13577726f0e435c87239fb9e111777428b..0000000000000000000000000000000000000000
--- a/README.OpenSource
+++ /dev/null
@@ -1,11 +0,0 @@
-[
- {
- "Name": "linux-5.10",
- "License": "GPL-2.0+",
- "License File": "newip/third_party/linux-5.10/LICENSES",
- "Version Number": "5.10.93",
- "Owner": "tanyanying@huawei.com",
- "Upstream URL": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/?h=linux-5.10.y",
- "Description": "linux kernel 5.10"
- }
-]
diff --git a/code_sign/Makefile b/code_sign/Makefile
index 8a2af5bf3941c86c0b687a032108ccf6dd28e633..0fc5dde76000e286987370aac5d9ab0fd7f89b64 100644
--- a/code_sign/Makefile
+++ b/code_sign/Makefile
@@ -9,6 +9,7 @@ obj-$(CONFIG_SECURITY_CODE_SIGN) += \
code_sign_ext.o
ccflags-$(CONFIG_SECURITY_CODE_SIGN) += \
+ -I$(srctree)/fs/verity \
-I$(srctree)/fs/code_sign \
-I$(srctree)/security/selinux/include \
-I$(srctree)/security/selinux \
diff --git a/code_sign/code_sign_elf.c b/code_sign/code_sign_elf.c
index 9c9a3dccffd6692d261c26a639eecffe4c093492..0745061b11aea5ef4086549b35e9ba362d20f3a0 100644
--- a/code_sign/code_sign_elf.c
+++ b/code_sign/code_sign_elf.c
@@ -4,14 +4,22 @@
*/
#include
+#include
#include
#include
-#include "dsmm_developer.h"
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 6, 0)
+#include
+#endif
+
#include "code_sign_elf.h"
#include "code_sign_log.h"
#include "verify_cert_chain.h"
+#ifdef CONFIG_SECURITY_XPM
+#include "dsmm_developer.h"
+#endif
+
#define SIGN_HEAD_SIZE (sizeof(sign_head_t))
static void parse_sign_head(sign_head_t *out, char *ptr)
@@ -197,12 +205,20 @@ out:
int elf_file_enable_fs_verity(struct file *file)
{
+#ifdef CONFIG_SECURITY_XPM
/* developer mode */
if (get_developer_mode_state() != STATE_ON) {
code_sign_log_info("developer mode off, elf not allowed to execute");
return -EINVAL;
}
+#else
+ code_sign_log_info("developer mode off, elf not allowed to execute");
+ return -EINVAL;
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
mm_segment_t fs;
+#endif
char *path_buf = kzalloc(PATH_MAX, GFP_KERNEL);
if (!path_buf) {
code_sign_log_error("alloc mem for path_buf failed");
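Review bot: In the `#else` branch (CONFIG_SECURITY_XPM unset) the function returns `-EINVAL` unconditionally as its first statement, which leaves the entire remaining body — the `mm_segment_t fs;` declaration, the `path_buf` allocation and everything in the later hunks — as dead code that unreachable-code warnings will flag and readers must mentally skip. If the feature is genuinely unusable without XPM, guard the whole implementation with `#ifdef CONFIG_SECURITY_XPM` and give the `#else` side a three-line stub; otherwise keep one live body and make only the developer-mode query conditional through a small local helper that reports "off" when XPM is absent. The log text is also misleading in that build, since no developer-mode state was consulted: `code_sign_log_info("developer mode unavailable (CONFIG_SECURITY_XPM not set), elf not allowed to execute");` says what actually happened. The function body continues past the end of this hunk.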
@@ -245,10 +261,10 @@ int elf_file_enable_fs_verity(struct file *file)
err = -ENOMEM;
goto filp_close_out;
}
-
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
fs = get_fs();
set_fs(KERNEL_DS);
-
+#endif
ssize_t cnt = vfs_read(fp, sign_head_ptr, SIGN_HEAD_SIZE, &pos);
if (cnt != SIGN_HEAD_SIZE) {
code_sign_log_error("read sign head from file failed: return value %lu, expect %u bytes",
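Review bot: On the `>= 6.6` path the `set_fs(KERNEL_DS)` switch is compiled out, but `vfs_read(fp, sign_head_ptr, SIGN_HEAD_SIZE, &pos)` still hands a kernel buffer to an interface that expects a `__user` pointer; without set_fs(), copy_to_user() into a kernel address fails access_ok() and the read returns -EFAULT, so the signature header can never be read on those kernels. The kernel-buffer API is `kernel_read(fp, sign_head_ptr, SIGN_HEAD_SIZE, &pos)` (in fs/read_write.c since 4.14); using it for this one call makes both this `#if` and the matching `set_fs(fs)` restore in the next hunk (`@@ -278,7 +294,9 @@`) unnecessary on every supported kernel. While here, `cnt` is `ssize_t` but the error message on the following line formats it with `%lu`; `%zd` is the matching specifier. The enclosing function starts and ends outside this hunk.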
@@ -278,7 +294,9 @@ int elf_file_enable_fs_verity(struct file *file)
release_sign_head_out:
kfree(sign_head_ptr);
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
set_fs(fs);
+#endif
filp_close_out:
filp_close(fp, NULL);
release_path_buf_out:
diff --git a/code_sign/code_sign_ext.c b/code_sign/code_sign_ext.c
index afe042278473faa5d1b794d8c8ec62856332e1be..16abbaf803ceb3eb8429e090f4e0c99f35ceaf34 100644
--- a/code_sign/code_sign_ext.c
+++ b/code_sign/code_sign_ext.c
@@ -24,10 +24,14 @@ static inline int check_code_sign_descriptor(const struct inode *inode,
if (!desc->cs_version)
return 0;
-
- if (desc->__reserved1 ||
- memchr_inv(desc->__reserved2, 0, sizeof(desc->__reserved2)))
+
+ // when calc pgtypeinfo_size, trans bit size to byte size
+ u32 pgtypeinfo_size_bytes = le32_to_cpu(desc->pgtypeinfo_size) / 8;
+ if (le64_to_cpu(desc->pgtypeinfo_off) > le64_to_cpu(desc->data_size) - pgtypeinfo_size_bytes) {
+ code_sign_log_error("Wrong offset: %llu (pgtypeinfo_off) > %llu (data_size) - %u (pgtypeinfo_size)",
+ le64_to_cpu(desc->pgtypeinfo_off), le64_to_cpu(desc->data_size), pgtypeinfo_size_bytes);
return -EINVAL;
+ }
if (le64_to_cpu(desc->data_size) > inode->i_size) {
code_sign_log_error("Wrong data_size: %llu (desc) > %lld (inode)",
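Review bot: The new range check computes `le64_to_cpu(desc->data_size) - pgtypeinfo_size_bytes` in unsigned 64-bit arithmetic, so a descriptor whose pgtypeinfo_size exceeds data_size wraps to a huge bound and the offset test passes; because the descriptor is read from the file under verification, the size needs its own check first: `if (pgtypeinfo_size_bytes > le64_to_cpu(desc->data_size) ||` / `    le64_to_cpu(desc->pgtypeinfo_off) > le64_to_cpu(desc->data_size) - pgtypeinfo_size_bytes) {`. `/ 8` rounds a bit count down, so a size that is not a multiple of 8 makes the checked region one byte shorter than the real one; if the field is really in bits, as the comment says, `DIV_ROUND_UP(le32_to_cpu(desc->pgtypeinfo_size), 8)` is the conservative conversion. The `__reserved1`/`__reserved2` zero check this hunk drops was the descriptor's forward-compatibility guard; if those fields were simply renamed into pgtypeinfo_off/pgtypeinfo_size that is fine, otherwise it is worth keeping. The function begins before this hunk.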
@@ -67,11 +71,11 @@ void code_sign_before_measurement(void *_desc, int *ret)
{
struct code_sign_descriptor *desc = CAST_CODE_SIGN_DESC(_desc);
- if (desc->cs_version) {
- // replace version with cs_version
- desc->version = desc->cs_version;
+ if (desc->cs_version == 1) {
+ *ret = desc->cs_version;
desc->cs_version = 0;
- *ret = desc->version;
+ } else {
+ *ret = desc->cs_version;
}
}
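Review bot: Both branches assign `*ret = desc->cs_version;`, so the if/else differs only in clearing cs_version when it is 1; hoisting the assignment leaves a single conditional: `*ret = desc->cs_version;` / `if (desc->cs_version == 1)` / `	desc->cs_version = 0;`. The function no longer copies cs_version into desc->version, yet code_sign_after_measurement in the next hunk still restores with `desc->cs_version = desc->version;` — that round-trips only if desc->version already holds 1 whenever cs_version is 1, which appears to be the assumption but is stated nowhere; a comment such as `/* cs_version 1 shares the fs-verity v1 descriptor layout: hide it during measurement, restore from desc->version afterwards */` would record the invariant the two functions depend on.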
@@ -79,7 +83,7 @@ void code_sign_after_measurement(void *_desc, int version)
{
struct code_sign_descriptor *desc = CAST_CODE_SIGN_DESC(_desc);
- if (version) {
+ if (version == 1) {
// restore cs_version
desc->cs_version = desc->version;
desc->version = version;
diff --git a/code_sign/code_sign_ioctl.c b/code_sign/code_sign_ioctl.c
index 16e640c6a648268ab8af7a35d9f7ed10254cac24..8e2efdd221ac4fbb699d02792cedfeb551f1a12a 100644
--- a/code_sign/code_sign_ioctl.c
+++ b/code_sign/code_sign_ioctl.c
@@ -8,11 +8,12 @@
#include
#include
#include
+#include
#include "avc.h"
#include "objsec.h"
-#include "dsmm_developer.h"
#include "code_sign_ioctl.h"
#include "code_sign_log.h"
+#define MAX_SIGNING_LENGTH 2048
DEFINE_SPINLOCK(cert_chain_tree_lock);
struct rb_root cert_chain_tree = RB_ROOT;
@@ -71,8 +72,11 @@ int code_sign_check_caller(char *caller)
u32 sid = current_sid(), context_len;
char *context = NULL;
int rc;
-
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
rc = security_sid_to_context(&selinux_state, sid, &context, &context_len);
+#else
+ rc = security_sid_to_context(sid, &context, &context_len);
+#endif
if (rc)
return -EINVAL;
@@ -180,11 +184,17 @@ int code_sign_avc_has_perm(u16 tclass, u32 requested)
struct av_decision avd;
u32 sid = current_sid();
int rc, rc2;
-
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
rc = avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested,
AVC_STRICT, &avd);
rc2 = avc_audit(&selinux_state, sid, sid, tclass, requested, &avd, rc,
NULL, AVC_STRICT);
+#else
+ rc = avc_has_perm_noaudit(sid, sid, tclass, requested,
+ AVC_STRICT, &avd);
+ rc2 = avc_audit(sid, sid, tclass, requested, &avd, rc,
+ NULL);
+#endif
if (rc2)
return rc2;
@@ -207,13 +217,14 @@ int parse_cert_source(unsigned long args, struct cert_source **_source)
goto copy_source_failed;
}
- if (info.path_len > CERT_CHAIN_PATH_LEN_MAX || info.issuer_length == 0 || info.signing_length == 0) {
+ if (info.path_len > CERT_CHAIN_PATH_LEN_MAX || info.issuer_length == 0 || info.signing_length == 0
+ || info.issuer_length > MAX_SIGNING_LENGTH || info.signing_length > MAX_SIGNING_LENGTH) {
code_sign_log_error("invalid path len or subject or issuer");
ret = -EINVAL;
goto copy_source_failed;
}
- source->subject = kzalloc(info.signing_length, GFP_KERNEL);
+ source->subject = kzalloc(info.signing_length + 1, GFP_KERNEL);
if (!source->subject) {
ret = -ENOMEM;
goto copy_source_failed;
@@ -225,7 +236,7 @@ int parse_cert_source(unsigned long args, struct cert_source **_source)
goto copy_subject_failed;
}
- source->issuer = kzalloc(info.issuer_length, GFP_KERNEL);
+ source->issuer = kzalloc(info.issuer_length + 1, GFP_KERNEL);
if (!source->issuer) {
ret = -ENOMEM;
goto copy_subject_failed;
@@ -288,10 +299,8 @@ long code_sign_ioctl(struct file *filp, unsigned int cmd, unsigned long args)
if (ret == 1) {
// developer cert
- if (get_developer_mode_state() == STATE_ON) {
- code_sign_log_debug("add developer cert");
- ret = cert_chain_insert(&dev_cert_chain_tree, source);
- }
+ code_sign_log_debug("add developer cert");
+ ret = cert_chain_insert(&dev_cert_chain_tree, source);
} else {
code_sign_log_debug("add release cert");
ret = cert_chain_insert(&cert_chain_tree, source);
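Review bot: Removing the `get_developer_mode_state() == STATE_ON` condition deletes the only gate on inserting developer certificates into dev_cert_chain_tree, so the ioctl now accepts them with developer mode off; the remove path in the next hunk (`@@ -314,10 +323,8 @@`) loses the same gate. The rest of this commit keeps the dependency conditional rather than removing it — verify_cert_chain.c wraps its developer-mode query in `#ifdef CONFIG_SECURITY_XPM` — so the consistent change here is to keep the check under that same guard. If the motivation was the old silent fall-through (with developer mode off, `ret` stayed 1 and the cert was neither inserted nor rejected), an explicit `ret = -EPERM;` in that branch fixes it without dropping the gate. Whether dev_cert_chain_tree is consulted independently of developer mode elsewhere is not visible in this diff, so the practical impact is inferred.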
@@ -314,10 +323,8 @@ long code_sign_ioctl(struct file *filp, unsigned int cmd, unsigned long args)
if (ret == 1) {
// developer cert
- if (get_developer_mode_state() == STATE_ON) {
- code_sign_log_debug("remove developer cert");
- ret = cert_chain_remove(&dev_cert_chain_tree, source);
- }
+ code_sign_log_debug("remove developer cert");
+ ret = cert_chain_remove(&dev_cert_chain_tree, source);
} else {
code_sign_log_debug("remove release cert");
ret = cert_chain_remove(&cert_chain_tree, source);
diff --git a/code_sign/verify_cert_chain.c b/code_sign/verify_cert_chain.c
index 908dd6babb36cd9abf191993ad4dd1757a64498c..8163da9f934949e0d9b7262911b8521c1306e7ba 100644
--- a/code_sign/verify_cert_chain.c
+++ b/code_sign/verify_cert_chain.c
@@ -6,15 +6,19 @@
#include
#include
#include
+#include
#include
#include
#include "objsec.h"
-#include "dsmm_developer.h"
#include "code_sign_ext.h"
#include "code_sign_ioctl.h"
#include "code_sign_log.h"
#include "verify_cert_chain.h"
+#ifdef CONFIG_SECURITY_XPM
+#include "dsmm_developer.h"
+#endif
+
/*
* Find the key (X.509 certificate) to use to verify a PKCS#7 message. PKCS#7
* uses the issuer's name and the issuing certificate serial number for
@@ -118,7 +122,7 @@ static struct cert_source *find_matched_source(const struct x509_certificate *si
}
void code_sign_verify_certchain(const void *raw_pkcs7, size_t pkcs7_len,
- struct cs_info *cs_info, int *ret)
+ struct fsverity_info *vi, int *ret)
{
struct pkcs7_message *pkcs7;
struct pkcs7_signed_info *sinfo;
@@ -144,11 +148,13 @@ void code_sign_verify_certchain(const void *raw_pkcs7, size_t pkcs7_len,
bool is_dev_mode = false;
+#ifdef CONFIG_SECURITY_XPM
// developer mode && developer proc
if (get_developer_mode_state() == STATE_ON) {
code_sign_log_info("developer mode on");
is_dev_mode = true;
}
+#endif
for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
/* Find the key for the signature if there is one */
@@ -199,7 +205,7 @@ void code_sign_verify_certchain(const void *raw_pkcs7, size_t pkcs7_len,
}
if (cert_chain_depth_without_root == (source->max_path_depth - 1)) {
code_sign_log_info("cert subject and issuer trusted");
- set_file_ownerid(cs_info, source->path_type, pkcs7->signed_infos);
+ set_file_ownerid(&vi->fcs_info, source->path_type, pkcs7->signed_infos);
*ret = source->path_type;
goto exit;
} else {
diff --git a/code_sign/verify_cert_chain.h b/code_sign/verify_cert_chain.h
index eb5a8dd24192a48bd5f5320715d2eca033873354..b2f7b06381d706d65a58a8d17da9763f892b6724 100644
--- a/code_sign/verify_cert_chain.h
+++ b/code_sign/verify_cert_chain.h
@@ -7,11 +7,12 @@
#define _VERIFY_CERT_CHAIN_H
#include
+#include "fsverity_private.h"
/*
* verify_cert_chain.c
*/
void code_sign_verify_certchain(const void *raw_pkcs7, size_t pkcs7_len,
- struct cs_info *cs_info, int *ret);
+ struct fsverity_info *vi, int *ret);
#endif /* _VERIFY_CERT_CHAIN_H */
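Review bot: `#include "fsverity_private.h"` in verify_cert_chain.h pulls fs-verity's internal header into every includer of this module header, and it resolves only because code_sign/Makefile gains `-I$(srctree)/fs/verity` in the same commit — any other file that includes verify_cert_chain.h now needs that flag as well. The prototype needs only the type name, so a forward declaration `struct fsverity_info;` here, with the private include moved into verify_cert_chain.c (where `vi->fcs_info` is actually dereferenced), confines the coupling to fs-verity's private layout to one translation unit. A one-line comment on the prototype stating whether `vi` may be NULL and that `vi->fcs_info` is written on success would document the new contract.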
diff --git a/container_escape_detection/core/ced_detection.c b/container_escape_detection/core/ced_detection.c
index 3f0ff8c6d20d42299720bedc7df80204cbdc49c1..b8f291715ca41979e2459e5e65760144ac2a8b62 100644
--- a/container_escape_detection/core/ced_detection.c
+++ b/container_escape_detection/core/ced_detection.c
@@ -9,6 +9,7 @@
#include "objsec.h"
#include "ced_detection.h"
#include "ced_detection_points.h"
+#include
enum ced_event_type {
EVENT_OK,
@@ -40,13 +41,21 @@ static int ced_avc_has_perm(u16 tclass, u32 requested)
struct av_decision avd;
int rc;
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0))
if (!selinux_initialized(&selinux_state))
return 1;
-
+#else
+ if (!selinux_initialized())
+ return 1;
+#endif
u32 sid = current_sid();
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0))
rc = avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested,
AVC_STRICT, &avd);
-
+#else
+ rc = avc_has_perm_noaudit(sid, sid, tclass, requested,
+ AVC_STRICT, &avd);
+#endif
return rc;
}
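Review bot: Style: every SELinux call site now carries its own `#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0))` fork — two in this function, and one each in code_sign_ioctl.c (`@@ -180,11 +184,17 @@`), hideaddr.c (`@@ -44,8 +45,13 @@`) and jit_memory.c (`@@ -25,8 +26,13 @@`) — so a reader has to diff the two variants by eye at each site to confirm they agree. A `static inline` compatibility wrapper per module, e.g. `ced_avc_has_perm_noaudit_compat(sid, tclass, requested, &avd)`, holding the single version test would leave the callers as one-liners and make the next API shift a one-place edit. Also, the `#include` added for KERNEL_VERSION is placed after the local `"…"` headers in this file, hideaddr.c and jit_memory.c; kernel convention keeps `<linux/…>` includes grouped above local ones.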
diff --git a/container_escape_detection/include/ced_detection_points.h b/container_escape_detection/include/ced_detection_points.h
index 45eb2babca36f19bb75c7d1c26ec652528e9314d..cf62cb285b8296df7dab88c3866c9ce7ef8f137d 100644
--- a/container_escape_detection/include/ced_detection_points.h
+++ b/container_escape_detection/include/ced_detection_points.h
@@ -29,7 +29,7 @@ static inline void cred_info_record(struct cred_info *info, const struct cred *c
info->egid = cred->egid.val;
info->fsuid = cred->fsuid.val;
- memcpy(&info->cap_effective.cap[0], &cred->cap_effective.cap[0], sizeof(info->cap_effective.cap));
+ memcpy(&info->cap_effective, &cred->cap_effective, sizeof(kernel_cap_t));
}
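Review bot: `sizeof(kernel_cap_t)` is the source's size, not the destination's; if `info->cap_effective` is declared as anything other than a kernel_cap_t (struct cred_info is outside this hunk) the memcpy writes sizeof(kernel_cap_t) bytes regardless of the field's real size. When both fields are kernel_cap_t, a plain struct assignment `info->cap_effective = cred->cap_effective;` is correct on both the pre-6.3 array form and the 6.3+ u64 form, needs no size argument, and is type-checked by the compiler. If cred_info must keep a fixed byte layout for a user-visible record, a comment saying so would justify keeping the byte copy.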
struct ns_info {
diff --git a/dec/Kconfig b/dec/Kconfig
new file mode 100644
index 0000000000000000000000000000000000000000..9f9cbda17d8db0c87fcb90434d4a5b9d82705277
--- /dev/null
+++ b/dec/Kconfig
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+#
+config SECURITY_DEC
+ bool "Data enhance control features"
+
+ default y
+ help
+ This option enables file operation permission verification
+ at VFS layer.
+
+ If unsure, say N.
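Review bot: `default y` contradicts the help text's `If unsure, say N.`; either change the default to `default n` or rewrite the last help line, since a new permission-control path whose access policy is still being settled is safer opt-in. The blank line between `bool "…"` and `default` is unusual in Kconfig files and can be dropped. `Data enhance control features` reads awkwardly in menuconfig — `Data enhancement control (DEC)` or the spelled-out name would help anyone searching for the option.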
diff --git a/dec/Makefile b/dec/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..efd9cfef5993875569cbca81e83f99d476f471b7
--- /dev/null
+++ b/dec/Makefile
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+#
+obj-$(CONFIG_SECURITY_DEC) += \
+ dec_misc.o
+
+ccflags-$(CONFIG_SECURITY_DEC) += \
+ -I$(srctree)/fs/dec
+
+$(addprefix $(obj)/,$(obj-y)): $(obj)/flask.h
+
+quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
+ cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
+
+targets += flask.h av_permissions.h
+$(obj)/flask.h: $(srctree)/security/selinux/include/classmap.h FORCE
+ $(call if_changed,flask)
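Review bot: The flask.h/av_permissions.h generation rule is copied from the SELinux build, but nothing in dec_misc.c visibly consumes those headers — no avc or SELinux class usage appears in it (the `#include` targets were stripped from this rendering, so this is inferred, not confirmed). Unless a permission check on the ioctl path is planned, the `$(addprefix …)` dependency, `cmd_flask` and `targets += …` lines can go, removing a hard dependency on scripts/selinux/genheaders; if such a check is planned, a comment naming the SELinux class it will use would explain why the rule is here.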
diff --git a/dec/apply_dec.sh b/dec/apply_dec.sh
new file mode 100644
index 0000000000000000000000000000000000000000..6f63fb5e8d525b0bec012df1732819a53e08cdfc
--- /dev/null
+++ b/dec/apply_dec.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+
+set -e
+
+OHOS_SOURCE_ROOT=$1
+KERNEL_BUILD_ROOT=$2
+PRODUCT_NAME=$3
+KERNEL_VERSION=$4
+DEC_SOURCE_ROOT=$OHOS_SOURCE_ROOT/kernel/linux/common_modules/dec
+
+function main()
+{
+ pushd .
+
+ if [ ! -d "$KERNEL_BUILD_ROOT/fs/dec" ]; then
+ mkdir $KERNEL_BUILD_ROOT/fs/dec
+ fi
+
+ cd $KERNEL_BUILD_ROOT/fs/dec
+ ln -s -f $(realpath --relative-to=$KERNEL_BUILD_ROOT/fs/dec $DEC_SOURCE_ROOT)/* ./
+
+ popd
+}
+
+main
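Review bot: Every path in main is expanded unquoted — `mkdir $KERNEL_BUILD_ROOT/fs/dec`, `cd $KERNEL_BUILD_ROOT/fs/dec` and the `ln -s -f $(realpath …)/* ./` line — so a build root containing a space splits into several arguments and, with `set -e`, the script aborts part-way. Quote them: `mkdir -p "$KERNEL_BUILD_ROOT/fs/dec"`, `cd "$KERNEL_BUILD_ROOT/fs/dec"`, `ln -s -f "$(realpath --relative-to="$KERNEL_BUILD_ROOT/fs/dec" "$DEC_SOURCE_ROOT")"/* ./` (`mkdir -p` also makes the `[ ! -d ]` test unnecessary). The script takes four positional parameters but never checks that `$1` and `$2` are set, and `PRODUCT_NAME`/`KERNEL_VERSION` are assigned but unused; an early `[ $# -ge 2 ] || { echo "usage: $0 OHOS_SOURCE_ROOT KERNEL_BUILD_ROOT …" >&2; exit 1; }` turns an empty build root into a clear error instead of a symlink farm under `/fs/dec`.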
diff --git a/dec/dec_misc.c b/dec/dec_misc.c
new file mode 100644
index 0000000000000000000000000000000000000000..534ce5ce622bf8c82e28feefafbad0c13945fd12
--- /dev/null
+++ b/dec/dec_misc.c
@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "dec_misc.h"
+
+static int vfs_deal_policy_cmd(unsigned int cmd, void __user *arg)
+{
+ pr_info("vfs dec deal policy cmd:%u\n", cmd);
+ int ret = 0;
+ struct dec_policy_info info = { 0 };
+
+ ret = copy_from_user(&info, arg, sizeof(info));
+ if (ret != 0) {
+ pr_err("copy from user failed\n");
+ return -EFAULT;
+ }
+
+ pr_info("tokenid:%lu path_num:%u persist_flag:%d\n", info.tokenid, info.path_num, info.persist_flag);
+
+ return ret;
+}
+
+static int vfs_destroy_dec_policy(void __user *arg)
+{
+ int ret = 0;
+ uint64_t tokenid;
+
+ ret = copy_from_user(&tokenid, arg, sizeof(tokenid));
+ if (ret != 0) {
+ pr_err("destroy dec policy copy from caller failed\n");
+ return -EFAULT;
+ }
+
+ pr_info("destroy dec policy tokenid:%ld\n", tokenid);
+ return 0;
+}
+
+static long dec_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+{
+ pr_info("dec ioctl cmd:%u\n", cmd);
+ int ret = 0;
+
+ switch (cmd) {
+ case SET_DEC_POLICY_CMD:
+ case DEL_DEC_POLICY_CMD:
+ case QUERY_DEC_POLICY_CMD:
+ case CHECK_DEC_POLICY_CMD:
+ case CONSTRAINT_DEC_POLICY_CMD:
+ case DENY_DEC_POLICY_CMD:
+ ret = vfs_deal_policy_cmd(cmd, (void __user *)arg);
+ break;
+ case DESTROY_DEC_POLICY_CMD:
+ ret = vfs_destroy_dec_policy((void __user *)arg);
+ break;
+ default:
+ ret = -EINVAL;
+ break;
+ }
+
+ return 0;
+}
+
+static int dec_open(struct inode *inode, struct file *filp)
+{
+ pr_info("dec open\n");
+ return 0;
+}
+
+static int dec_release(struct inode *inode, struct file *filp)
+{
+ pr_info("dec close\n");
+ return 0;
+}
+
+static const struct file_operations dec_fops = {
+ .owner = THIS_MODULE,
+ .open = dec_open,
+ .release = dec_release,
+ .unlocked_ioctl = dec_ioctl,
+ .compat_ioctl = dec_ioctl,
+};
+
+static struct miscdevice dec_misc = {
+ .minor = MISC_DYNAMIC_MINOR,
+ .name = "dec",
+ .fops = &dec_fops,
+};
+
+static int __init dec_init(void)
+{
+ int err = 0;
+
+ err = misc_register(&dec_misc);
+ if (err < 0) {
+ pr_err("dec device init failed\n");
+ return err;
+ }
+
+ pr_err("dec device init success\n");
+ return 0;
+}
+
+static void __exit dec_exit(void)
+{
+ misc_deregister(&dec_misc);
+ pr_info("dec exited");
+}
+
+/* module entry points */
+module_init(dec_init);
+module_exit(dec_exit);
+
+MODULE_LICENSE("GPL");
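Review bot: dec_ioctl discards the status it just computed — its last statement is `return 0;` while `ret` holds -EINVAL for unknown commands and -EFAULT from the copy_from_user failures — so user space sees every ioctl succeed; it should be `return ret;`. Nothing restricts who may issue policy commands: there is no capability or LSM check before the switch (compare code_sign_ioctl.c, which runs `code_sign_check_caller`), and since each handler logs the caller-supplied `cmd` and `tokenid` with pr_info, any process that can open the device can flood the kernel log; a `capable(CAP_SYS_ADMIN)` (or an equivalent policy check) at the top of dec_ioctl and pr_debug or ratelimited logging would address both. `.compat_ioctl = dec_ioctl` cannot serve 32-bit callers as written, because struct dec_policy_info embeds `char *path`, so the struct layout and the `_IOWR` command numbers (which encode sizeof) differ between native and compat user space. Minor: `tokenid` is uint64_t but printed with `%lu` and `%ld`, the success message uses pr_err, and `pr_info("dec exited")` lacks a trailing newline.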
diff --git a/dec/dec_misc.h b/dec/dec_misc.h
new file mode 100644
index 0000000000000000000000000000000000000000..1154ece0904126309605e2195957acd9689e8a0e
--- /dev/null
+++ b/dec/dec_misc.h
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+
+#ifndef _DEC_MISC_H
+#define _DEC_MISC_H
+
+#include
+#include
+#include
+
+#define MAX_PATH_NUM 8
+
+#define DEV_DEC_MINOR 0x25
+#define DEC_IOCTL_BASE 's'
+#define SET_POLICY_ID 1
+#define DEL_POLICY_ID 2
+#define QUERY_POLICY_ID 3
+#define CHECK_POLICY_ID 4
+#define DESTROY_POLICY_ID 5
+#define CONSTRAINT_POLICY_ID 6
+#define DENY_POLICY_ID 7
+
+struct path_info {
+ char* path;
+ uint32_t path_len;
+ uint32_t mode;
+ bool ret_flag;
+};
+
+struct dec_policy_info {
+ uint64_t tokenid;
+ struct path_info path[MAX_PATH_NUM];
+ uint32_t path_num;
+ bool persist_flag;
+};
+
+#define SET_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, SET_POLICY_ID, struct dec_policy_info)
+#define DEL_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, DEL_POLICY_ID, struct dec_policy_info)
+#define QUERY_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, QUERY_POLICY_ID, struct dec_policy_info)
+#define CHECK_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, CHECK_POLICY_ID, struct dec_policy_info)
+#define CONSTRAINT_DEC_POLICY_CMD \
+ _IOW(DEC_IOCTL_BASE, CONSTRAINT_POLICY_ID, struct dec_policy_info)
+#define DENY_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, DENY_POLICY_ID, struct dec_policy_info)
+#define DESTROY_DEC_POLICY_CMD \
+ _IOW(DEC_IOCTL_BASE, DESTROY_POLICY_ID, uint64_t)
+
+#endif /* _DEC_MISC_H */
\ No newline at end of file
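Review bot: struct path_info and struct dec_policy_info define the user–kernel ABI behind the `_IOWR` commands, yet they use host C types: `char* path` is a raw user pointer (it needs `__user`, and its size makes the struct and the ioctl numbers differ between 32- and 64-bit callers), `bool` has no fixed ABI width, and `uint64_t`/`uint32_t` should be `__u64`/`__u32` in a header user space consumes. Carrying the path as `__u64 path;` and converting in the kernel with `u64_to_user_ptr()` keeps a single layout for native and compat callers. `DEV_DEC_MINOR 0x25` is unused — dec_misc.c registers with MISC_DYNAMIC_MINOR — and the file is missing its trailing newline.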
diff --git a/memory_security/src/hideaddr.c b/memory_security/src/hideaddr.c
index c34bbcd38f4632eeb78c6db0e6a5373f7a948128..5d77c4e9e40a11f5454b22b0f0e984425d1fb215 100644
--- a/memory_security/src/hideaddr.c
+++ b/memory_security/src/hideaddr.c
@@ -17,6 +17,7 @@
#include "avc.h"
#include "objsec.h"
#include "hideaddr.h"
+#include
static bool is_anon_exec(struct vm_area_struct *vma)
{
@@ -44,8 +45,13 @@ static int hideaddr_avc_has_perm(u16 tclass, u32 requested, struct seq_file *m)
u32 secid;
security_cred_getsecid(task->cred, &secid);
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0))
return avc_has_perm_noaudit(&selinux_state, secid, secid, tclass, requested,
AVC_STRICT, &avd);
+#else
+ return avc_has_perm_noaudit(secid, secid, tclass, requested,
+ AVC_STRICT, &avd);
+#endif
}
static void hideaddr_header_prefix(unsigned long *start, unsigned long *end,
diff --git a/memory_security/src/jit_memory.c b/memory_security/src/jit_memory.c
index 0fc0bee268878a5715dfadaf1db3af6386f595a8..e34b6ab0cbe380bf5841bdb76be3d6e1d3339a84 100644
--- a/memory_security/src/jit_memory.c
+++ b/memory_security/src/jit_memory.c
@@ -11,6 +11,7 @@
#include "jit_space_list.h"
#include "avc.h"
#include "objsec.h"
+#include
DEFINE_SPINLOCK(list_lock);
@@ -25,8 +26,13 @@ static bool jit_avc_has_perm(u16 tclass, u32 requested, struct task_struct *task
u32 secid;
security_cred_getsecid(task->cred, &secid);
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0))
return (avc_has_perm_noaudit(&selinux_state, secid, secid, tclass, requested,
AVC_STRICT, &avd) == 0);
+#else
+ return (avc_has_perm_noaudit(secid, secid, tclass, requested,
+ AVC_STRICT, &avd) == 0);
+#endif
}
void find_jit_memory(struct task_struct *task, unsigned long start, unsigned long size, int *err)
diff --git a/newip/examples/check_nip_enable.c b/newip/examples/check_nip_enable.c
index d8947925e5964567868057fd279a18b90478d796..7273a20f49d655b11656ba6eeec2e2fbc55aa03e 100644
--- a/newip/examples/check_nip_enable.c
+++ b/newip/examples/check_nip_enable.c
@@ -19,7 +19,7 @@
int g_nip_enable = NIP_ENABLE_INVALID;
-void _check_nip_enable(void)
+static void _check_nip_enable(void)
{
char tmp[NIP_DISABLE_LENTH];
FILE *fn = fopen(NIP_DISABLE_PATH, "r");
@@ -42,7 +42,7 @@ void _check_nip_enable(void)
g_nip_enable = atoi(tmp) ? 0 : 1;
}
-int check_nip_enable(void)
+static int check_nip_enable(void)
{
if (g_nip_enable == NIP_ENABLE_INVALID) {
_check_nip_enable();
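Review bot: Making `check_nip_enable` (and `_check_nip_enable`) `static` is only right if this file is the whole program or is textually included elsewhere; if another example links against it the symbol is now hidden and the build breaks, and if nothing in this translation unit calls it, `-Wunused-function` fires instead — which of these holds is not visible here. The same applies to `get_af_ninet` in get_af_ninet.c (`@@ -41,7 +41,7 @@`). If the intent is a header-only helper, a comment at the top saying so (and an include guard) would make that explicit; otherwise keep the public entry point external and make only the `_`-prefixed helper static.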
diff --git a/newip/examples/get_af_ninet.c b/newip/examples/get_af_ninet.c
index a3f8449de3a815472c5cc7cfe2c5f3528007ba6d..214c64cd58a5bcb51eac9fb0ef583fe682c4e21e 100644
--- a/newip/examples/get_af_ninet.c
+++ b/newip/examples/get_af_ninet.c
@@ -18,7 +18,7 @@
int g_af_ninet;
-void _get_af_ninet(void)
+static void _get_af_ninet(void)
{
char tmp[AF_NINET_LENTH];
FILE *fn = fopen(AF_NINET_PATH, "r");
@@ -41,7 +41,7 @@ void _get_af_ninet(void)
g_af_ninet = atoi(tmp);
}
-int get_af_ninet(void)
+static int get_af_ninet(void)
{
if (g_af_ninet == 0)
_get_af_ninet();
diff --git a/newip/examples/nip_addr.c b/newip/examples/nip_addr.c
index 9fb3feea934842af7cff41100bdd21c71470eb5f..5ca27440df135236ae0b136cf7270186a584b031 100644
--- a/newip/examples/nip_addr.c
+++ b/newip/examples/nip_addr.c
@@ -24,7 +24,7 @@
* ioctl(fd, SIOGIFINDEX, &ifr);
* ifr.ifr_ifindex; ===> ifindex
*/
-int nip_add_addr(int ifindex, const struct nip_addr *addr, int opt)
+static int nip_add_addr(int ifindex, const struct nip_addr *addr, int opt)
{
int fd, ret;
struct nip_ifreq ifrn;
@@ -37,7 +37,7 @@ int nip_add_addr(int ifindex, const struct nip_addr *addr, int opt)
ifrn.ifrn_addr = *addr;
ifrn.ifrn_ifindex = ifindex;
- ret = ioctl(fd, opt, &ifrn);
+ ret = ioctl(fd, (unsigned long)opt, &ifrn);
if (ret < 0 && errno != EEXIST) { // ignore File Exists error
printf("cfg newip addr fail, ifindex=%d, opt=%d, ret=%d.\n", ifindex, opt, ret);
close(fd);
@@ -48,16 +48,16 @@ int nip_add_addr(int ifindex, const struct nip_addr *addr, int opt)
return 0;
}
-void cmd_help(void)
+static void cmd_help(void)
{
/* nip_addr wlan0 add 01 (在wlan0上配置地址01) */
/* nip_addr wlan0 del 01 (在wlan0上删除地址01) */
printf("[cmd example] nip_addr { add | del } \n");
}
-int parse_name(char **argv, int *ifindex, char *dev)
+static int parse_name(char **argv, int *ifindex, char *dev)
{
- int len = strlen(*argv);
+ size_t len = strlen(*argv);
memset(dev, 0, ARRAY_LEN);
if (!len || len >= (ARRAY_LEN - 1))
@@ -73,10 +73,10 @@ int parse_name(char **argv, int *ifindex, char *dev)
return nip_get_ifindex(dev, ifindex);
}
-int parse_cmd(char **argv, int *opt)
+static int parse_cmd(char **argv, int *opt)
{
char cmd[ARRAY_LEN];
- int len = strlen(*argv);
+ size_t len = strlen(*argv);
memset(cmd, 0, ARRAY_LEN);
if (!len || len >= (ARRAY_LEN - 1))
diff --git a/newip/examples/nip_addr_cfg_demo.c b/newip/examples/nip_addr_cfg_demo.c
index 308725f8399793c2e57fd7d068cef9b8e300c6a7..dcf08379e3640e68d51dd7df692869bc2c9c917f 100644
--- a/newip/examples/nip_addr_cfg_demo.c
+++ b/newip/examples/nip_addr_cfg_demo.c
@@ -24,7 +24,7 @@
* ioctl(fd, SIOGIFINDEX, &ifr);
* ifr.ifr_ifindex; ===> ifindex
*/
-int nip_add_addr(int ifindex, const unsigned char *addr, unsigned char addr_len)
+static int nip_add_addr(int ifindex, const unsigned char *addr, unsigned char addr_len)
{
int fd, ret;
struct nip_ifreq ifrn;
diff --git a/newip/examples/nip_lib.c b/newip/examples/nip_lib.c
index 5169540126abe06b3c5579be30725027c53d2bf5..7a007eb0ac142fb0c6813187b41e23e473fcecdb 100644
--- a/newip/examples/nip_lib.c
+++ b/newip/examples/nip_lib.c
@@ -46,7 +46,7 @@ int32_t nip_get_ifindex(const char *ifname, int *ifindex)
return 0;
}
-int nip_addr_fmt(char *addr_str, struct nip_addr *sap, int addrlen_input)
+static int nip_addr_fmt(unsigned char *addr_str, struct nip_addr *sap, int addrlen_input)
{
unsigned char first_byte;
int addrlen, i;
@@ -93,7 +93,7 @@ int nip_addr_fmt(char *addr_str, struct nip_addr *sap, int addrlen_input)
return 1;
}
- sap->bitlen = addrlen * NIP_ADDR_LEN_8;
+ sap->bitlen = (unsigned char)(addrlen * NIP_ADDR_LEN_8);
printf("*************************************************\n");
printf("Newip addr len=%d\n", addrlen);
for (i = 0; i < addrlen; i++) {
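Review bot: The `(unsigned char)` cast on `addrlen * NIP_ADDR_LEN_8` silences the narrowing warning without preventing the narrowing: if addrlen can exceed 255 / NIP_ADDR_LEN_8, bitlen silently wraps. Here addrlen comes from command-line parsing and a check returning 1 sits just above the hunk, so it is probably bounded, but the identical cast is applied in newip/src/common/nip_addr.c decode_nip_addr (`@@ -424,7 +424,7 @@`), where addr_len is taken from a received packet and the only validation visible after the assignment is `nip_addr_invalid(addr)`, which then inspects the already-wrapped value. In that decoder an explicit bound before the copy loop — a check that `addr_len * NIP_ADDR_BIT_LEN_8 <= U8_MAX` or a documented upper limit on addr_len — is the safe form; the cast alone must not be read as validation.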
@@ -108,7 +108,7 @@ int nip_addr_fmt(char *addr_str, struct nip_addr *sap, int addrlen_input)
int nip_get_addr(char **args, struct nip_addr *addr)
{
- unsigned int len;
+ size_t len;
char *sp = *args;
int addrlen_input = 0;
__u8 addr_str[INDEX_MAX] = {0};
diff --git a/newip/examples/nip_route.c b/newip/examples/nip_route.c
index d9162527bc5c62a79a5787373eef0951f837b8b1..d01648858b722287d52c6de2ab6d506fd6295727 100644
--- a/newip/examples/nip_route.c
+++ b/newip/examples/nip_route.c
@@ -26,7 +26,7 @@
* ioctl(fd, SIOGIFINDEX, &ifr);
* ifr.ifr_ifindex; ===> ifindex
*/
-int nip_route_add(int ifindex, const struct nip_addr *dst_addr,
+static int nip_route_add(int ifindex, const struct nip_addr *dst_addr,
const struct nip_addr *gateway_addr, __u8 gateway_flag, int opt)
{
int fd, ret;
@@ -46,7 +46,7 @@ int nip_route_add(int ifindex, const struct nip_addr *dst_addr,
rt.rtmsg_flags |= RTF_GATEWAY;
}
- ret = ioctl(fd, opt, &rt);
+ ret = ioctl(fd, (unsigned long)opt, &rt);
if (ret < 0 && errno != EEXIST) { // ignore File Exists error
close(fd);
return -1;
@@ -56,7 +56,7 @@ int nip_route_add(int ifindex, const struct nip_addr *dst_addr,
return 0;
}
-void cmd_help(void)
+static void cmd_help(void)
{
/* nip_route add 02 wlan0
* (配置目的地址02设备路由,出口是wlan0)
@@ -70,9 +70,9 @@ void cmd_help(void)
printf("nip_route { add | del } \n");
}
-int parse_name(char **argv, int *ifindex, char *dev)
+static int parse_name(char **argv, int *ifindex, char *dev)
{
- int len = strlen(*argv);
+ size_t len = strlen(*argv);
memset(dev, 0, ARRAY_LEN);
if (len >= (ARRAY_LEN - 1) || !len)
@@ -88,9 +88,9 @@ int parse_name(char **argv, int *ifindex, char *dev)
return nip_get_ifindex(dev, ifindex);
}
-int parse_cmd(char **argv, int *opt)
+static int parse_cmd(char **argv, int *opt)
{
- int len = strlen(*argv);
+ size_t len = strlen(*argv);
char cmd[ARRAY_LEN];
memset(cmd, 0, ARRAY_LEN);
@@ -111,7 +111,7 @@ int parse_cmd(char **argv, int *opt)
return 0;
}
-int parse_args(char **argv, int *opt, __u8 *gateway_flag, int *ifindex,
+static int parse_args(char **argv, int *opt, __u8 *gateway_flag, int *ifindex,
struct nip_addr *dst_addr, struct nip_addr *gateway_addr, char *dev, int argc)
{
/* 配置参数1解析: { add | del } */
diff --git a/newip/examples/nip_route_cfg_demo.c b/newip/examples/nip_route_cfg_demo.c
index b5a0a1ee3de69b05a2ebb1f44dbab46f88b7e2cf..d7bc3a84b67b1f491640dc0cc36c5be87d5317ed 100644
--- a/newip/examples/nip_route_cfg_demo.c
+++ b/newip/examples/nip_route_cfg_demo.c
@@ -27,7 +27,7 @@
* ioctl(fd, SIOGIFINDEX, &ifr);
* ifr.ifr_ifindex; ===> ifindex
*/
-int nip_route_add(int ifindex, const unsigned char *dst_addr, uint8_t dst_addr_len,
+static int nip_route_add(int ifindex, const unsigned char *dst_addr, uint8_t dst_addr_len,
const unsigned char *gateway_addr, uint8_t gateway_addr_len)
{
int fd, ret;
diff --git a/newip/examples/nip_tcp_client_demo.c b/newip/examples/nip_tcp_client_demo.c
index b96a47ca3ca4fb0f9b0a56b28dfd041052eab648..391f048c7741308e82d6186f6b1301e4fdcb884c 100644
--- a/newip/examples/nip_tcp_client_demo.c
+++ b/newip/examples/nip_tcp_client_demo.c
@@ -24,7 +24,7 @@
#include
#include
-int _send(int cfd, int pkt_num)
+static int _send(int cfd, int pkt_num)
{
char buf[BUFLEN] = {0};
struct timeval sys_time;
@@ -44,7 +44,7 @@ int _send(int cfd, int pkt_num)
return 0;
}
-int _recv(int cfd, int pkt_num, int *success)
+static int _recv(int cfd, int pkt_num, int *success)
{
char buf[BUFLEN] = {0};
fd_set readfds;
@@ -61,7 +61,7 @@ int _recv(int cfd, int pkt_num, int *success)
}
if (FD_ISSET(cfd, &readfds)) {
- int ret;
+ ssize_t ret;
int no = 0;
ret = recv(cfd, buf, PKTLEN, MSG_WAITALL);
@@ -75,7 +75,7 @@ int _recv(int cfd, int pkt_num, int *success)
printf("Received --%s sock %d success:%6d/%6d/no=%6d\n",
buf, cfd, *success, pkt_num + 1, no);
} else {
- printf("recv fail, ret=%d\n", ret);
+ printf("recv fail, ret=%zd\n", ret);
return -1;
}
}
@@ -83,7 +83,7 @@ int _recv(int cfd, int pkt_num, int *success)
return 0;
}
-void *send_recv(void *args)
+static void *send_recv(void *args)
{
int cfd = ((struct thread_args *)args)->cfd;
int success = 0;
diff --git a/newip/examples/nip_tcp_server_demo.c b/newip/examples/nip_tcp_server_demo.c
index 5c05ffbb4c6818acbb022fcc6b208db04720a6c6..f3c9423ae2a61078bd4e91b8074e25af06f4f099 100644
--- a/newip/examples/nip_tcp_server_demo.c
+++ b/newip/examples/nip_tcp_server_demo.c
@@ -22,14 +22,15 @@
#include "nip_lib.h"
#include "newip_route.h"
-void *recv_send(void *args)
+static void *recv_send(void *args)
{
- int cfd, ret;
+ int cfd;
+ ssize_t ret;
char buf[BUFLEN] = {0};
memcpy(&cfd, args, sizeof(int));
for (int i = 0; i < PKTCNT; i++) {
- int recv_num = recv(cfd, buf, PKTLEN, MSG_WAITALL);
+ ssize_t recv_num = recv(cfd, buf, PKTLEN, MSG_WAITALL);
if (recv_num < 0) {
perror("recv");
@@ -37,13 +38,13 @@ void *recv_send(void *args)
} else if (recv_num == 0) { /* no data */
;
} else {
- printf("Received -- %s --:%d\n", buf, recv_num);
+ printf("Received -- %s --:%zd\n", buf, recv_num);
ret = send(cfd, buf, recv_num, 0);
if (ret < 0) {
perror("send");
goto END;
}
- printf("Sending -- %s --:%d\n", buf, recv_num);
+ printf("Sending -- %s --:%zd\n", buf, recv_num);
}
}
END: close(cfd);
diff --git a/newip/examples/nip_udp_client_demo.c b/newip/examples/nip_udp_client_demo.c
index 05ffa62503feffe13822956360ce8c73381e008d..efad5d25b71df0410b3c1fe5ce85283389db4b09 100644
--- a/newip/examples/nip_udp_client_demo.c
+++ b/newip/examples/nip_udp_client_demo.c
@@ -23,7 +23,7 @@
#include "nip_lib.h"
#include "newip_route.h"
-int _sendto(int cfd, struct sockaddr_nin *si_server, int pkt_num)
+static int _sendto(int cfd, struct sockaddr_nin *si_server, int pkt_num)
{
char buf[BUFLEN] = {0};
struct timeval sys_time;
@@ -44,7 +44,7 @@ int _sendto(int cfd, struct sockaddr_nin *si_server, int pkt_num)
return 0;
}
-int _recvfrom(int cfd, struct sockaddr_nin *si_server, int pkt_num, int *success)
+static int _recvfrom(int cfd, struct sockaddr_nin *si_server, int pkt_num, int *success)
{
char buf[BUFLEN] = {0};
fd_set readfds;
@@ -62,7 +62,7 @@ int _recvfrom(int cfd, struct sockaddr_nin *si_server, int pkt_num, int *success
}
if (FD_ISSET(cfd, &readfds)) {
- int ret;
+ ssize_t ret;
int no = 0;
ret = recvfrom(cfd, buf, BUFLEN, 0, (struct sockaddr *)si_server, &slen);
@@ -73,7 +73,7 @@ int _recvfrom(int cfd, struct sockaddr_nin *si_server, int pkt_num, int *success
printf("Received --%s sock %d success:%6d/%6d/no=%6d\n",
buf, cfd, *success, pkt_num + 1, no);
} else {
- printf("client recvfrom fail, ret=%d\n", ret);
+ printf("client recvfrom fail, ret=%zd\n", ret);
return -1;
}
}
@@ -81,7 +81,7 @@ int _recvfrom(int cfd, struct sockaddr_nin *si_server, int pkt_num, int *success
return 0;
}
-void *send_recv(void *args)
+static void *send_recv(void *args)
{
int success = 0;
int cfd = ((struct thread_args *)args)->cfd;
diff --git a/newip/examples/nip_udp_server_demo.c b/newip/examples/nip_udp_server_demo.c
index fb2eb1a171544cf860069735693966c2cbb7b0b7..40f767bfa33acecc23a1974077062fe11a3644a3 100644
--- a/newip/examples/nip_udp_server_demo.c
+++ b/newip/examples/nip_udp_server_demo.c
@@ -24,10 +24,11 @@
#include "nip_lib.h"
#include "newip_route.h"
-void *recv_send(void *args)
+static void *recv_send(void *args)
{
char buf[BUFLEN] = {0};
- int fd, ret, recv_num;
+ int fd;
+ ssize_t recv_num, ret;
int count = 0;
socklen_t slen;
struct sockaddr_nin si_remote;
@@ -39,7 +40,7 @@ void *recv_send(void *args)
memset(&si_remote, 0, sizeof(si_remote));
recv_num = recvfrom(fd, buf, BUFLEN, 0, (struct sockaddr *)&si_remote, &slen);
if (recv_num < 0) {
- printf("server recvfrom fail, ret=%d\n", ret);
+ printf("server recvfrom fail, recv_num=%zd\n", recv_num);
goto END;
} else if (recv_num == 0) { /* no data */
;
@@ -49,7 +50,7 @@ void *recv_send(void *args)
slen = sizeof(si_remote);
ret = sendto(fd, buf, BUFLEN, 0, (struct sockaddr *)&si_remote, slen);
if (ret < 0) {
- printf("server sendto fail, ret=%d\n", ret);
+ printf("server sendto fail, ret=%zd\n", ret);
goto END;
}
printf("Sending -- %s -- to 0x%0x:%d\n", buf,
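Review bot: `sendto(fd, buf, BUFLEN, ...)` echoes the whole buffer regardless of `recv_num`, and since only `si_remote` is cleared per iteration, a short datagram following a longer one sends back the stale tail of the previous message. Send exactly what was received: `ret = sendto(fd, buf, recv_num, 0, (struct sockaddr *)&si_remote, slen);`. `recv_send` continues past the end of this hunk.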
diff --git a/newip/src/common/nip_addr.c b/newip/src/common/nip_addr.c
index 31105bc57918de2dba7c451bfc31f4aba5a36fdb..d61d879ad0da76369c19cc88bed1ee41bc9d63b6 100644
--- a/newip/src/common/nip_addr.c
+++ b/newip/src/common/nip_addr.c
@@ -424,7 +424,7 @@ unsigned char *decode_nip_addr(struct nip_buff *nbuf, struct nip_addr *addr)
addr->NIP_ADDR_FIELD8[i] = *nbuf->data;
nip_buff_pull(nbuf, sizeof(unsigned char));
}
- addr->bitlen = addr_len * NIP_ADDR_BIT_LEN_8;
+ addr->bitlen = (unsigned char)(addr_len * NIP_ADDR_BIT_LEN_8);
ret = nip_addr_invalid(addr);
if (ret)
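Review bot: The `(unsigned char)` cast on `addr->bitlen` silences the narrowing warning but does not bound `addr_len`: any value above `UCHAR_MAX / NIP_ADDR_BIT_LEN_8` wraps silently, and the wrapped bit length is then what `nip_addr_invalid()` sees. Unless the loop above (outside this hunk) already caps `addr_len` to the address size, reject the length before converting, e.g. `if (addr_len > UCHAR_MAX / NIP_ADDR_BIT_LEN_8) /* bail out with this function's error return */`, rather than relying on the cast. The same silent-narrowing casts are added for `niph->hdr_real_len` in nip_hdr_decap.c and `*head->hdr_len_pos` in nip_hdr_encap.c; on the decap side `nip_hdr_check()` runs afterwards and may cover it, but the encap side has no check in view. `decode_nip_addr` begins before and ends after this hunk.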
diff --git a/newip/src/common/nip_checksum.c b/newip/src/common/nip_checksum.c
index a5ecef1f3c0dc20d28d931cf6764e35d1d110238..47f196a88d7d8a48cdb962adbd76aff59d65d5c5 100644
--- a/newip/src/common/nip_checksum.c
+++ b/newip/src/common/nip_checksum.c
@@ -14,7 +14,7 @@
#define USHORT_PAYLOAD 16
#define NIP_CHECKSUM_UINT8_PAYLOAD 8
-unsigned int _nip_check_sum(const unsigned char *data, unsigned short data_len)
+static unsigned int _nip_check_sum(const unsigned char *data, unsigned short data_len)
{
unsigned int i = 0;
unsigned int sum = 0;
@@ -30,10 +30,10 @@ unsigned int _nip_check_sum(const unsigned char *data, unsigned short data_len)
return sum;
}
-unsigned int _nip_header_chksum(struct nip_pseudo_header *chksum_header)
+static unsigned int _nip_header_chksum(struct nip_pseudo_header *chksum_header)
{
int i, j;
- int addr_len;
+ unsigned short addr_len;
unsigned char pseudo_header[NIP_HDR_MAX] = {0};
unsigned short hdr_len = 0;
diff --git a/newip/src/common/nip_hdr_decap.c b/newip/src/common/nip_hdr_decap.c
index abec609d3179d956adcbdca898b682490c34c385..1637fdc46b6c0107d11d06edf2693a940b66a66e 100644
--- a/newip/src/common/nip_hdr_decap.c
+++ b/newip/src/common/nip_hdr_decap.c
@@ -285,7 +285,7 @@ int nip_hdr_parse(unsigned char *rcv_buf, unsigned int buf_len, struct nip_hdr_d
if (buf_len < nbuf.remaining_len)
return -NIP_HDR_RCV_BUF_READ_OUT_RANGE;
- niph->hdr_real_len = buf_len - nbuf.remaining_len;
+ niph->hdr_real_len = (unsigned char)(buf_len - nbuf.remaining_len);
ret = nip_hdr_check(niph);
if (ret < 0)
return ret;
diff --git a/newip/src/common/nip_hdr_encap.c b/newip/src/common/nip_hdr_encap.c
index b9718346ab18b1e14a5c3901f2959d9a4bbf5cee..4e9e11c11e8483ca2cffb4103ecfec248d4528c9 100644
--- a/newip/src/common/nip_hdr_encap.c
+++ b/newip/src/common/nip_hdr_encap.c
@@ -53,7 +53,7 @@ static inline void _nip_hdr_len_encap(struct nip_hdr_encap *head)
static inline void _nip_update_hdr_len(struct nip_hdr_encap *head)
{
- *head->hdr_len_pos = head->hdr_buf_pos;
+ *head->hdr_len_pos = (unsigned char)head->hdr_buf_pos;
}
static inline void _nip_hdr_nexthdr_encap(struct nip_hdr_encap *head)
diff --git a/newip/src/linux-5.10/net/newip/tcp_nip_parameter.c b/newip/src/linux-5.10/net/newip/tcp_nip_parameter.c
index 3964fac8b055713f1b8cf7b01fbe5267a4613296..7a794a83e528182745a9e7e794c70b5243a92b7f 100644
--- a/newip/src/linux-5.10/net/newip/tcp_nip_parameter.c
+++ b/newip/src/linux-5.10/net/newip/tcp_nip_parameter.c
@@ -171,7 +171,7 @@ int get_dup_ack_snd_max(void)
/* RTT timestamp parameters */
/*********************************************************************************************/
int g_rtt_tstamp_rto_up = 100; // rtt_tstamp >= 100 ==> shorten rto
-module_param_named(rtt_tstamp_rto_up, g_rtt_tstamp_rto_up, int, 0644);
+module_param_named(rtt_tstamp_rto_up, g_rtt_tstamp_rto_up, int, 0644);
int get_rtt_tstamp_rto_up(void)
{
@@ -179,7 +179,7 @@ int get_rtt_tstamp_rto_up(void)
}
int g_rtt_tstamp_high = 30; // rtt_tstamp >= 30 ==> ssthresh = 100K
-module_param_named(rtt_tstamp_high, g_rtt_tstamp_high, int, 0644);
+module_param_named(rtt_tstamp_high, g_rtt_tstamp_high, int, 0644);
int get_rtt_tstamp_high(void)
{
@@ -187,7 +187,7 @@ int get_rtt_tstamp_high(void)
}
int g_rtt_tstamp_mid_high = 20; // rtt_tstamp >= 20 ==> ssthresh = 250K
-module_param_named(rtt_tstamp_mid_high, g_rtt_tstamp_mid_high, int, 0644);
+module_param_named(rtt_tstamp_mid_high, g_rtt_tstamp_mid_high, int, 0644);
int get_rtt_tstamp_mid_high(void)
{
@@ -198,7 +198,7 @@ int get_rtt_tstamp_mid_high(void)
* rtt_tstamp < 10 ==> ssthresh = 1.5M
*/
int g_rtt_tstamp_mid_low = 10;
-module_param_named(rtt_tstamp_mid_low, g_rtt_tstamp_mid_low, int, 0644);
+module_param_named(rtt_tstamp_mid_low, g_rtt_tstamp_mid_low, int, 0644);
int get_rtt_tstamp_mid_low(void)
{
@@ -206,7 +206,7 @@ int get_rtt_tstamp_mid_low(void)
}
int g_ack_to_nxt_snd_tstamp = 500;
-module_param_named(ack_to_nxt_snd_tstamp, g_ack_to_nxt_snd_tstamp, int, 0644);
+module_param_named(ack_to_nxt_snd_tstamp, g_ack_to_nxt_snd_tstamp, int, 0644);
int get_ack_to_nxt_snd_tstamp(void)
{
@@ -359,7 +359,7 @@ bool get_nip_debug(void)
/* Debugging of threshold change */
bool g_rtt_ssthresh_debug;
-module_param_named(rtt_ssthresh_debug, g_rtt_ssthresh_debug, bool, 0644);
+module_param_named(rtt_ssthresh_debug, g_rtt_ssthresh_debug, bool, 0644);
bool get_rtt_ssthresh_debug(void)
{
@@ -368,7 +368,7 @@ bool get_rtt_ssthresh_debug(void)
/* Debugging of packet retransmission after ACK */
bool g_ack_retrans_debug;
-module_param_named(ack_retrans_debug, g_ack_retrans_debug, bool, 0644);
+module_param_named(ack_retrans_debug, g_ack_retrans_debug, bool, 0644);
bool get_ack_retrans_debug(void)
{
diff --git a/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c b/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c
index 33f7c5ebc83437bf2f2d2a6665f21ae469fe58bc..ee52eeb6a77784a14255657eeae73673c38186e8 100644
--- a/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c
+++ b/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c
@@ -343,7 +343,7 @@ found:
return sk;
}
-static inline int nip_tcp_compute_score(struct sock *sk, struct net *net,
+static int nip_tcp_compute_score(struct sock *sk, struct net *net,
const unsigned short hnum,
const struct nip_addr *daddr,
const int dif, int sdif)
diff --git a/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c b/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c
index 0f957ae423d035edde5adef6da96928ff6178c56..875684debece4ed47e248018cf485017d0f2af02 100644
--- a/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c
+++ b/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c
@@ -79,7 +79,7 @@ static bool tcp_nip_write_xmit(struct sock *sk, unsigned int mss_now, int nonagl
int push_one, gfp_t gfp);
/* Calculate MSS not accounting any TCP options. */
-static inline int __tcp_nip_mtu_to_mss(struct sock *sk, int pmtu)
+static int __tcp_nip_mtu_to_mss(struct sock *sk, int pmtu)
{
const struct tcp_sock *tp = tcp_sk(sk);
const struct inet_connection_sock *icsk = inet_csk(sk);
diff --git a/qos_auth/auth_ctl/qos_ctrl.c b/qos_auth/auth_ctl/qos_ctrl.c
index 2304edf9b911ce788cc1e5ba5a35bca25c7a263c..73bc107f1d698b6b7f8ac7a39a85fe0251f259b6 100644
--- a/qos_auth/auth_ctl/qos_ctrl.c
+++ b/qos_auth/auth_ctl/qos_ctrl.c
@@ -256,6 +256,12 @@ int qos_apply(struct qos_ctrl_data *data)
qts = (struct qos_task_struct *) &p->qts;
+ if (rt_task(p) && qts->in_qos == NO_QOS) {
+ pr_err("[QOS_CTRL] can not apply qos for native rt task\n");
+ ret = -ALREADY_RT_TASK;
+ goto out_unlock;
+ }
+
/* effective qos must in range [NO_QOS, NR_QOS) */
if (qts->in_qos != NO_QOS) {
if (qts->in_qos == level) {
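Review bot: The new `rt_task(p)` rejection logs with `pr_err` on every call, so a caller that can reach `qos_apply` can fill the kernel log by repeatedly applying QoS to an RT thread; if this path is reachable from the ioctl, use `pr_err_ratelimited` (or `pr_debug`) instead. Minor wording: `"can not"` → `"cannot"`. `out_unlock` and the start of `qos_apply` are outside the hunk, so I cannot confirm which lock the early exit releases; please check it matches the lock held when `qts` is read.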
diff --git a/qos_auth/include/auth_ctrl.h b/qos_auth/include/auth_ctrl.h
index 3fa0be5586e768e4ca9d32631be970bad509378a..7301cacc2d126c5e9723af698e6ffd0fed00e4b3 100644
--- a/qos_auth/include/auth_ctrl.h
+++ b/qos_auth/include/auth_ctrl.h
@@ -14,7 +14,8 @@
#define SYSTEM_UID 1000
#define SUPER_UID SYSTEM_UID
-#define super_uid(uid) (uid == ROOT_UID || uid == SYSTEM_UID)
+#define RESOURCE_SCHEDULE_SERVICE_UID 1096
+#define super_uid(uid) (uid == ROOT_UID || uid == SYSTEM_UID || uid == RESOURCE_SCHEDULE_SERVICE_UID)
enum ioctl_abi_format_auth{
AUTH_IOCTL_ABI_ARM32,
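Review bot: The widened `super_uid` macro still does not parenthesize its argument and now evaluates it three times; `#define super_uid(uid) ((uid) == ROOT_UID || (uid) == SYSTEM_UID || (uid) == RESOURCE_SCHEDULE_SERVICE_UID)` — or a `static inline bool`. Granting UID 1096 the same standing as root and system in this allowlist is a privilege decision, so a one-line comment stating which service owns that UID and which auth-ctl operations it needs would help the next reviewer, e.g. `/* resource schedule service: needs the same auth-ctl rights as system */` — adjust to the actual reason.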
@@ -71,6 +72,7 @@ enum auth_err_no {
PID_DUPLICATE,
PID_NOT_EXIST,
INVALID_AUTH,
+ ALREADY_RT_TASK,
QOS_THREAD_NUM_EXCEED_LIMIT,
};
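Review bot: `ALREADY_RT_TASK` is inserted before `QOS_THREAD_NUM_EXCEED_LIMIT` rather than appended, so the numeric value of `QOS_THREAD_NUM_EXCEED_LIMIT` shifts by one; since these codes are handed back negated (see `ret = -ALREADY_RT_TASK` in qos_ctrl.c), any userspace that matches on the old number now misreports that error. If the values are part of the ioctl ABI, append the new enumerator at the end; if they are not, a comment on `enum auth_err_no` stating that the numbers are not stable would stop this question recurring.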
diff --git a/ucollection/ucollection_process_cpu.c b/ucollection/ucollection_process_cpu.c
index db12fbe786b4627622463bb0b63142bdc9617c9e..79d0cf8d41eaf54a857739c803ced1e1c4da9b42 100644
--- a/ucollection/ucollection_process_cpu.c
+++ b/ucollection/ucollection_process_cpu.c
@@ -96,6 +96,7 @@ static void get_thread_load(struct task_struct *task, int cur_count,
do_div(utime, NS_TO_MS);
do_div(stime, NS_TO_MS);
thread_cpu_item.tid = task->pid;
+ strcpy(thread_cpu_item.name, task->comm);
thread_cpu_item.cpu_usage_utime = utime;
thread_cpu_item.cpu_usage_stime = stime;
thread_cpu_item.cpu_load_time = 0;
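Review bot: `strcpy(thread_cpu_item.name, task->comm)` copies another task's `comm` with no bound and without `task_lock`, so a concurrent `set_task_comm()`/`prctl(PR_SET_NAME)` can be observed mid-update, and the copy is bounded only by the convention that `comm` stays NUL-terminated. The kernel accessor does both the locking and the bounded copy: `get_task_comm(thread_cpu_item.name, task);` (it uses `sizeof` of the destination, 16 here, so keep `name` at `TASK_COMM_LEN`). If `get_thread_load` runs in a context where `task_lock` cannot be taken, at least use `strscpy(thread_cpu_item.name, task->comm, sizeof(thread_cpu_item.name));`. The enclosing function starts and ends outside this hunk.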
diff --git a/ucollection/unified_collection_data.h b/ucollection/unified_collection_data.h
index 67e270fa488152d668575677652ddd18150e8669..e261dd9cf4bceafd66ffeb7434b19da4e69ebe73 100644
--- a/ucollection/unified_collection_data.h
+++ b/ucollection/unified_collection_data.h
@@ -39,6 +39,7 @@ struct ucollection_process_thread_count {
struct ucollection_thread_cpu_item {
int tid;
+ char name[16]; // 16 : max length of thread name
unsigned long long cpu_usage_utime;
unsigned long long cpu_usage_stime;
unsigned long long cpu_load_time;
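Review bot: Inserting `char name[16]` after `int tid` moves the following `unsigned long long` to offset 24, so the struct gains 4 bytes of padding after `name`; if `struct ucollection_thread_cpu_item` is filled field by field on the stack and then copied to userspace, those padding bytes (and the unused tail of `name`) carry uninitialized kernel stack unless the item is zeroed first — `memset(&thread_cpu_item, 0, sizeof(thread_cpu_item));` before filling it, which I cannot see from the hunk. Inserting a field in the middle also changes the layout of a structure that userspace appears to consume, so the user-side definition must change in lockstep. If this header is kernel-only, `char name[TASK_COMM_LEN];` would keep the size tied to `comm`.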
diff --git a/xpm/Makefile b/xpm/Makefile
index 3fddf33f57573afd5f0f23f7007b3b7771bbc6cd..61163a23062bb6129f8d210bbf98f6e2e35b81ae 100644
--- a/xpm/Makefile
+++ b/xpm/Makefile
@@ -14,7 +14,8 @@ obj-$(CONFIG_SECURITY_XPM) += \
core/xpm_report.o \
validator/elf_code_segment_info.o \
validator/exec_signature_info.o \
- developer/dsmm_developer.o
+ developer/dsmm_developer.o \
+ secureshield/dsmm_secureshield.o
obj-$(CONFIG_SECURITY_XPM_DEBUG) += \
core/xpm_debugfs.o
@@ -23,6 +24,7 @@ ccflags-$(CONFIG_SECURITY_XPM) += \
-I$(srctree)/security/xpm/core \
-I$(srctree)/security/xpm/validator \
-I$(srctree)/security/xpm/developer \
+ -I$(srctree)/security/xpm/secureshield \
-I$(srctree)/security/selinux/include \
-I$(srctree)/security/selinux \
-I$(srctree)/fs \
diff --git a/xpm/core/xpm_security_hooks.c b/xpm/core/xpm_security_hooks.c
index 5fe5b37757acce3295cc8190221bfc48bbba040c..103a7c6bfb25eac4b95bc41476c4bc3f575b75e8 100644
--- a/xpm/core/xpm_security_hooks.c
+++ b/xpm/core/xpm_security_hooks.c
@@ -5,12 +5,14 @@
#include
#include
+#include
#include "avc.h"
#include "objsec.h"
#include "exec_signature_info.h"
#include "fsverity_private.h"
#include "code_sign_ext.h"
+#include "dsmm_secureshield.h"
#include "xpm_common.h"
#include "xpm_debugfs.h"
#include "xpm_log.h"
@@ -182,8 +184,13 @@ static int xpm_avc_has_perm(u16 tclass, u32 requested)
struct av_decision avd;
u32 sid = current_sid();
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0))
return avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested,
AVC_STRICT, &avd);
+#else
+ return avc_has_perm_noaudit(sid, sid, tclass, requested,
+ AVC_STRICT, &avd);
+#endif
}
static int xpm_validate_signature(struct vm_area_struct *vma,
@@ -313,15 +320,22 @@ static int xpm_check_prot(struct vm_area_struct *vma, unsigned long prot)
/* check for anonymous vma prot, anonymous executable permission need
* controled by selinux
+ * in secure shield mode, all anon + x is forbidden
+ * in default mode, temporarily allow anon + x allocation
*/
- if (is_anon && (prot & PROT_EXEC)) {
- ret = xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_ANON_MEM);
- if (ret) {
- report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot);
- return -EPERM;
+ if (vma_is_anonymous(vma) && (prot & PROT_EXEC)) {
+ if (dsmm_is_secureshield_enabled()) {
+ ret = -EPERM;
+ report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot);
+ } else {
+ ret = xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_ANON_MEM);
+ if (ret) {
+ ret = 0;
+ report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot);
+ }
}
- return 0;
+ return ret;
}
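Review bot: In the default (non-secureshield) branch the SELinux verdict is now reported but no longer enforced: after `xpm_avc_has_perm()` denies, `ret = 0` makes `xpm_check_prot` return success, so `XPM__EXEC_ANON_MEM` has become audit-only outside secure-shield mode and the mitigation against anonymous executable memory rests entirely on the `advsecmode.state` boot flag. If that is the intended temporary policy, say so at the assignment rather than only in the block comment — `ret = 0; /* permissive: denial is reported via report_mmap_event but not enforced */` — and record what removes the exemption. The condition also switched from the local `is_anon` to `vma_is_anonymous(vma)` (`!vma->vm_ops`), so if `is_anon` is still computed above this hunk it is now unused, and the two predicates may differ for special mappings; the function's start is outside the hunk.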
/* check for non-anonymous vma prot */
@@ -361,7 +375,7 @@ static int xpm_mprotect_check(struct vm_area_struct *vma,
return xpm_common_check(vma, prot);
}
-static struct security_hook_list xpm_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list xpm_hooks[] __ro_after_init = {
LSM_HOOK_INIT(mmap_region, xpm_mmap_check),
LSM_HOOK_INIT(file_mprotect, xpm_mprotect_check),
};
diff --git a/xpm/secureshield/dsmm_secureshield.c b/xpm/secureshield/dsmm_secureshield.c
new file mode 100644
index 0000000000000000000000000000000000000000..c983bdcc1d43f4a8fcae0ca1cce87814fca37ea1
--- /dev/null
+++ b/xpm/secureshield/dsmm_secureshield.c
@@ -0,0 +1,40 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+
+#include
+
+#include "dsmm_secureshield.h"
+#include "xpm_log.h"
+
+#define STATE_UNINT 0
+#define STATE_ON 1
+#define STATE_OFF 2
+
+static uint32_t secureshield_state = STATE_UNINT;
+static int init_secureshield_state(void)
+{
+ if (strstr(saved_command_line, "advsecmode.state=1")) {
+ secureshield_state = STATE_ON;
+ } else {
+ // secureshield is defaultly set to off
+ secureshield_state = STATE_OFF;
+ }
+ xpm_log_info("secureshield init to %d", secureshield_state);
+ return secureshield_state;
+}
+
+static int get_secureshield_state(void)
+{
+ if (secureshield_state == STATE_UNINT) {
+ return init_secureshield_state();
+ } else {
+ return secureshield_state;
+ }
+}
+
+bool dsmm_is_secureshield_enabled(void)
+{
+ return get_secureshield_state() == STATE_ON;
+}
\ No newline at end of file
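Review bot: `strstr(saved_command_line, "advsecmode.state=1")` is a substring match, so `advsecmode.state=10`, `xadvsecmode.state=1`, or the token appearing inside another parameter's value all switch secure-shield mode on, and the lazy initialisation in `get_secureshield_state()` reads and writes `secureshield_state` from whatever context first calls the LSM hook with no synchronisation (harmless only because every racer stores the same value). If the flag arrives on the kernel command line as the `strstr` implies and xpm is built in, parse it once with the kernel's own boot-parameter machinery and keep a plain `bool`: a `__setup("advsecmode.state=", ...)` handler sees exactly that parameter's value during early init, which also removes the `STATE_*` tri-state, the `int`/`uint32_t` mismatch between `init_secureshield_state` and its variable, and the `STATE_UNINT`/"defaultly" typos. The file also lacks a trailing newline.
```c
static bool secureshield_enabled;

/* advsecmode.state=1 on the kernel command line enables secure-shield mode */
static int __init secureshield_state_setup(char *str)
{
	secureshield_enabled = (str && strcmp(str, "1") == 0);
	xpm_log_info("secureshield init to %d", secureshield_enabled);
	return 1;
}
__setup("advsecmode.state=", secureshield_state_setup);

bool dsmm_is_secureshield_enabled(void)
{
	return secureshield_enabled;
}
```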
diff --git a/xpm/secureshield/dsmm_secureshield.h b/xpm/secureshield/dsmm_secureshield.h
new file mode 100644
index 0000000000000000000000000000000000000000..4cd0ccb45fd1324aeb90ecc9a8e4ab6314e436b1
--- /dev/null
+++ b/xpm/secureshield/dsmm_secureshield.h
@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+#ifndef _DSMM_SECURESHIELD_H
+#define _DSMM_SECURESHIELD_H
+
+bool dsmm_is_secureshield_enabled(void);
+
+#endif /* _DSMM_SECURESHIELD_H */
\ No newline at end of file
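Review bot: The header declares `bool dsmm_is_secureshield_enabled(void)` but includes nothing, so it compiles only when the includer has already pulled in `<linux/types.h>`; add `#include <linux/types.h>` after the guard. The file also ends without a trailing newline.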
diff --git a/xpm/validator/elf_code_segment_info.c b/xpm/validator/elf_code_segment_info.c
index dbbb1a0f95cbe39ff57681071be2f61237a477ea..385ad3c863fab2707fc29676e836d1a36966b3aa 100644
--- a/xpm/validator/elf_code_segment_info.c
+++ b/xpm/validator/elf_code_segment_info.c
@@ -225,7 +225,7 @@ static int get_elf64_info(struct elfhdr *elf_ehdr, struct elf_info *elf_info)
return 0;
}
-static int elf_check_and_get_code_segment_offset(struct file *file, struct elf_info *elf_info)
+static int elf_check_and_get_code_segment_offset(struct file *file, struct elf_info *elf_info, bool *skip)
{
uint16_t type;
struct elfhdr *elf_ehdr = &elf_info->elf_ehdr;
@@ -235,8 +235,11 @@ static int elf_check_and_get_code_segment_offset(struct file *file, struct elf_i
if (ret < 0)
return ret;
- if (memcmp(elf_ehdr->e_ident, ELFMAG, SELFMAG) != 0)
- return -ENOEXEC;
+ if (memcmp(elf_ehdr->e_ident, ELFMAG, SELFMAG) != 0) {
+ // when the file is not an ELF file, skip checking
+ *skip = true;
+ return 0;
+ }
type = elf16_get_value(elf_ehdr, elf_ehdr->e_type);
if (type != ET_EXEC && type != ET_DYN)
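Review bot: A file whose first bytes are not the ELF magic is no longer rejected with `-ENOEXEC` but reported as `*skip = true` with success, and the function only ever sets `*skip` to true — it relies on every caller pre-initialising it to `false` (the one caller in this patch does, at `bool skip = false;`). Make the contract self-contained with `*skip = false;` as the first statement, and state above the function what the flag means: `/* On return *skip is true when the file is not ELF; no ELF validation is done and the caller treats the whole file as one segment. */`. The rest of `elf_check_and_get_code_segment_offset`, including its other error returns, is outside this hunk.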
@@ -287,16 +290,52 @@ static int find_elf_code_segment_info(const char *phdr_info, struct elf_info *el
return 0;
}
+static int handle_skip_case(struct file *file, struct exec_file_signature_info **code_segment_info) {
+ struct exec_file_signature_info *tmp_info = NULL;
+ if (*code_segment_info == NULL) {
+ tmp_info = kzalloc(sizeof(struct exec_file_signature_info), GFP_KERNEL);
+ if (tmp_info == NULL) {
+ return -ENOMEM;
+ }
+ } else {
+ tmp_info = *code_segment_info;
+ }
+
+ if (tmp_info->code_segments == NULL) {
+ tmp_info->code_segments = kzalloc(sizeof(struct exec_segment_info), GFP_KERNEL);
+ if (tmp_info->code_segments == NULL) {
+ if (*code_segment_info == NULL) {
+ kfree(tmp_info);
+ tmp_info = NULL;
+ }
+ return -ENOMEM;
+ }
+ tmp_info->code_segment_count = 1;
+ }
+
+ tmp_info->code_segments[0].file_offset = 0;
+ tmp_info->code_segments[0].size = file_inode(file)->i_size;
+
+ if (*code_segment_info == NULL) {
+ *code_segment_info = tmp_info;
+ }
+ return 0;
+}
+
int parse_elf_code_segment_info(struct file *file,
struct exec_file_signature_info **code_segment_info)
{
const char *phdr_info;
struct elf_info elf_info = {0};
int ret;
-
- ret = elf_check_and_get_code_segment_offset(file, &elf_info);
+ bool skip = false;
+ ret = elf_check_and_get_code_segment_offset(file, &elf_info, &skip);
if (ret < 0)
return ret;
+
+ if (skip) {
+ return handle_skip_case(file, code_segment_info);
+ }
phdr_info = kzalloc(elf_info.e_phsize, GFP_KERNEL);
if (phdr_info == NULL)
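Review bot: `handle_skip_case` reads `file_inode(file)->i_size` directly; the kernel idiom is `i_size_read(file_inode(file))`, which is tear-safe on 32-bit, and if `code_segments[0].size` is narrower than `loff_t` the assignment truncates silently. When it reuses an existing `*code_segment_info` whose `code_segments` is already allocated, it overwrites entry 0 but leaves `code_segment_count` and any further entries untouched, so a previously multi-segment record now carries stale segments beyond the first — set `tmp_info->code_segment_count = 1;` in that branch as well, or refuse reuse. Also `tmp_info = NULL;` after the `kfree` is dead (the local goes out of scope), and the opening brace of `handle_skip_case` belongs on its own line per kernel style. `parse_elf_code_segment_info` continues beyond the hunk.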
diff --git a/xpm/validator/exec_signature_info.c b/xpm/validator/exec_signature_info.c
index 9c02c4ffaf60bb70b26367b4ac2e1c0644e99609..2d0f02e2462ce53c7a7cf9e60e15b7b29b9a4a0b 100644
--- a/xpm/validator/exec_signature_info.c
+++ b/xpm/validator/exec_signature_info.c
@@ -486,13 +486,15 @@ static void insert_new_signature_info(struct inode *file_node, int type,
RB_CLEAR_NODE(&new_info->rb_node);
if ((*old_info) != NULL) {
write_lock(verity->lock);
- rb_erase_node(verity->root, verity->node_count, *old_info);
- (*old_info)->type |= FILE_SIGNATURE_DELETE;
- write_unlock(verity->lock);
- if (atomic_sub_return(1, &(*old_info)->reference) <= 0) {
- kfree(*old_info);
- *old_info = NULL;
+ if ((*old_info) != NULL) {
+ if (atomic_sub_return(1, &(*old_info)->reference) <= 0) {
+ rb_erase_node(verity->root, verity->node_count, *old_info);
+ (*old_info)->type |= FILE_SIGNATURE_DELETE;
+ kfree(*old_info);
+ *old_info = NULL;
+ }
}
+ write_unlock(verity->lock);
}
write_lock(verity->lock);
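Review bot: The old node is now unlinked from the tree and flagged `FILE_SIGNATURE_DELETE` only when this drop takes the reference count to zero; when another holder still has a reference, the stale `old_info` stays in the rb-tree with no delete mark while (below this hunk) the new info is inserted for the same inode, so the tree can hold two entries for one file and lookups may keep returning the superseded signature info. Before the change the node was always erased and marked, and the last holder freed it. If the intent was to avoid erasing while referenced, keep the erase and mark unconditional under the lock and only make the `kfree` depend on the count reaching zero. The inner `if ((*old_info) != NULL)` repeats the check on the line above and can go; `insert_new_signature_info` starts before this hunk.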