From 74319db0004a828bcdc2a4c72ac56fd603ce0c09 Mon Sep 17 00:00:00 2001 From: Brian Date: Mon, 1 Jul 2024 20:24:12 +0800 Subject: [PATCH 01/15] =?UTF-8?q?rss=20=E6=B7=BB=E5=8A=A0=20ioctl=20?= =?UTF-8?q?=E6=9D=83=E9=99=90?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Brian --- qos_auth/include/auth_ctrl.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/qos_auth/include/auth_ctrl.h b/qos_auth/include/auth_ctrl.h index 3fa0be5..f2e04ee 100644 --- a/qos_auth/include/auth_ctrl.h +++ b/qos_auth/include/auth_ctrl.h @@ -14,7 +14,8 @@ #define SYSTEM_UID 1000 #define SUPER_UID SYSTEM_UID -#define super_uid(uid) (uid == ROOT_UID || uid == SYSTEM_UID) +#define RESOURCE_SCHEDULE_SERVICE_UID 1096 +#define super_uid(uid) (uid == ROOT_UID || uid == SYSTEM_UID || uid == RESOURCE_SCHEDULE_SERVICE_UID) enum ioctl_abi_format_auth{ AUTH_IOCTL_ABI_ARM32, -- Gitee From 626464dcd5ad485649ac0fb322650f02853f9f92 Mon Sep 17 00:00:00 2001 From: yeyuning Date: Fri, 26 Jul 2024 20:26:01 +0800 Subject: [PATCH 02/15] =?UTF-8?q?=E4=B8=8D=E8=A7=A3=E5=8E=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: yeyuning Change-Id: I56b612316f3d63e16dee0b1303aa312ded86f8ad --- code_sign/code_sign_ext.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/code_sign/code_sign_ext.c b/code_sign/code_sign_ext.c index afe0422..4811b26 100644 --- a/code_sign/code_sign_ext.c +++ b/code_sign/code_sign_ext.c 
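Review bot: `super_uid(uid)` expands its argument three times without parentheses, so an argument with side effects or a lower-precedence operator is mis-evaluated; the new line could read `#define super_uid(uid) ((uid) == ROOT_UID || (uid) == SYSTEM_UID || (uid) == RESOURCE_SCHEDULE_SERVICE_UID)`, or become a `static inline bool`. Adding UID 1096 here gives it the same standing as root and system at every use of `super_uid()`, not only on the ioctl path the subject names. The callers are outside this hunk, so confirm each one is meant to accept it. A comment above `RESOURCE_SCHEDULE_SERVICE_UID` naming the service and why it needs this access would help the next reviewer.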
@@ -25,9 +25,11 @@ static inline int check_code_sign_descriptor(const struct inode *inode, if (!desc->cs_version) return 0; - if (desc->__reserved1 || - memchr_inv(desc->__reserved2, 0, sizeof(desc->__reserved2))) + if (le64_to_cpu(desc->pgtypeinfo_off) > le64_to_cpu(desc->data_size) - le32_to_cpu(desc->pgtypeinfo_size)) { + code_sign_log_error("Wrong offset: %llu (pgtypeinfo_off) > %llu (data_size) - %u (pgtypeinfo_size)", + le64_to_cpu(desc->pgtypeinfo_off), le64_to_cpu(desc->data_size), le32_to_cpu(desc->pgtypeinfo_size)); return -EINVAL; + } if (le64_to_cpu(desc->data_size) > inode->i_size) { code_sign_log_error("Wrong data_size: %llu (desc) > %lld (inode)", @@ -67,11 +69,11 @@ void code_sign_before_measurement(void *_desc, int *ret) { struct code_sign_descriptor *desc = CAST_CODE_SIGN_DESC(_desc); - if (desc->cs_version) { - // replace version with cs_version - desc->version = desc->cs_version; + if (desc->cs_version == 1) { desc->cs_version = 0; - *ret = desc->version; + *ret = desc->cs_version; + } else { + *ret = desc->cs_version; } } @@ -79,7 +81,7 @@ void code_sign_after_measurement(void *_desc, int version) { struct code_sign_descriptor *desc = CAST_CODE_SIGN_DESC(_desc); - if (version) { + if (version == 1) { // restore cs_version desc->cs_version = desc->version; desc->version = version; -- Gitee From 65f9a61caa76a0289a7627898e9ba280d4f16687 Mon Sep 17 00:00:00 2001 From: ligongshao Date: Thu, 1 Aug 2024 16:04:50 +0800 Subject: [PATCH 03/15] common add mac Signed-off-by: ligongshao Change-Id: I4ce475213751ac2239aea974653c58d6a0e13d90 
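Review bot: The new bound `le64_to_cpu(desc->data_size) - le32_to_cpu(desc->pgtypeinfo_size)` is an unsigned subtraction, so a descriptor whose `pgtypeinfo_size` exceeds `data_size` wraps to a very large value and passes the check. Compare without a subtraction that can wrap, e.g. `if (size > data_size || off > data_size - size)` on locals holding the converted values. The PATCH 05 revision of this check keeps the same expression as `data_size - pgtypeinfo_size_bytes`. The hunk also drops the `__reserved1`/`__reserved2` zero checks; if those bytes now carry the pgtypeinfo fields, a one-line comment saying so would document why they need no longer be zero. check_code_sign_descriptor starts and ends outside the hunk.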
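Review bot: In `code_sign_before_measurement` the `cs_version == 1` branch clears `desc->cs_version` before reading it, so `*ret` is always 0 on that path and the `if (version == 1)` restore in `code_sign_after_measurement` (next hunk) cannot run. Assign first: `*ret = desc->cs_version; desc->cs_version = 0;`. With the `desc->version = desc->cs_version` save removed, the restore line `desc->cs_version = desc->version` no longer reads a saved copy. It gives the right value only if `desc->version` happens to equal the original `cs_version`, so confirm that against the descriptor format or restore from `version` directly.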
Signed-off-by: ligongshao --- LICENSE | 1 + OAT.xml | 11 +++-- dec/Kconfig | 12 +++++ dec/Makefile | 17 +++++++ dec/apply_dec.sh | 28 +++++++++++ dec/dec_misc.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++ dec/dec_misc.h | 54 +++++++++++++++++++++ 7 files changed, 242 insertions(+), 3 deletions(-) create mode 100644 dec/Kconfig create mode 100644 dec/Makefile create mode 100644 dec/apply_dec.sh create mode 100644 dec/dec_misc.c create mode 100644 dec/dec_misc.h diff --git a/LICENSE b/LICENSE index 8eddf19..21795c9 100644 --- a/LICENSE +++ b/LICENSE @@ -9,5 +9,6 @@ ./container_escape_detection ./module_sample ./pac/ + ./dec As for the specific use of the licenses, please refer to the relevant description in the documents. diff --git a/OAT.xml b/OAT.xml index f4ef138..dfa276c 100644 --- a/OAT.xml +++ b/OAT.xml @@ -66,7 +66,9 @@ Note:If the text contains special characters, please escape them according to th - + + + @@ -76,7 +78,9 @@ Note:If the text contains special characters, please escape them according to th - + + + @@ -99,7 +103,8 @@ Note:If the text contains special characters, please escape them according to th - + + diff --git a/dec/Kconfig b/dec/Kconfig new file mode 100644 index 0000000..9f9cbda --- /dev/null +++ b/dec/Kconfig @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2024 Huawei Device Co., Ltd. +# +config SECURITY_DEC + bool "Data enhance control features" + + default y + help + This option enables file operation permission verification + at VFS layer. + + If unsure, say N. diff --git a/dec/Makefile b/dec/Makefile new file mode 100644 index 0000000..efd9cfe --- /dev/null +++ b/dec/Makefile 
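Review bot: `default y` contradicts the help text's "If unsure, say N", and it builds a driver that registers a `dec` misc device in every configuration that picks up this Kconfig. Either use `default n` or change the help text to say why the option is on by default. The help text describes "file operation permission verification at VFS layer", while dec_misc.c in this patch only logs the ioctl arguments, so the wording should describe what the option builds today. The blank line between `bool` and `default` can go.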
@@ -0,0 +1,17 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2024 Huawei Device Co., Ltd. +# +obj-$(CONFIG_SECURITY_DEC) += \ + dec_misc.o + +ccflags-$(CONFIG_SECURITY_DEC) += \ + -I$(srctree)/fs/dec + +$(addprefix $(obj)/,$(obj-y)): $(obj)/flask.h + +quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h + cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h + +targets += flask.h av_permissions.h +$(obj)/flask.h: $(srctree)/security/selinux/include/classmap.h FORCE + $(call if_changed,flask) diff --git a/dec/apply_dec.sh b/dec/apply_dec.sh new file mode 100644 index 0000000..6f63fb5 --- /dev/null +++ b/dec/apply_dec.sh @@ -0,0 +1,28 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2023 Huawei Device Co., Ltd. +# + +set -e + +OHOS_SOURCE_ROOT=$1 +KERNEL_BUILD_ROOT=$2 +PRODUCT_NAME=$3 +KERNEL_VERSION=$4 +DEC_SOURCE_ROOT=$OHOS_SOURCE_ROOT/kernel/linux/common_modules/dec + +function main() +{ + pushd . + + if [ ! -d "$KERNEL_BUILD_ROOT/fs/dec" ]; then + mkdir $KERNEL_BUILD_ROOT/fs/dec + fi + + cd $KERNEL_BUILD_ROOT/fs/dec + ln -s -f $(realpath --relative-to=$KERNEL_BUILD_ROOT/fs/dec $DEC_SOURCE_ROOT)/* ./ + + popd +} + +main diff --git a/dec/dec_misc.c b/dec/dec_misc.c new file mode 100644 index 0000000..534ce5c --- /dev/null +++ b/dec/dec_misc.c 
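Review bot: The `flask.h`/`av_permissions.h` generation rules look copied from the SELinux Makefile, and nothing in this patch visibly needs them in dec/ (the include names in dec_misc.c are not readable on this page, so confirm). If dec_misc.o does not include `flask.h`, drop the `$(addprefix $(obj)/,$(obj-y)): $(obj)/flask.h` dependency, `quiet_cmd_flask`/`cmd_flask`, `targets` and the `$(obj)/flask.h` rule, leaving only `obj-$(CONFIG_SECURITY_DEC)` and `ccflags-$(CONFIG_SECURITY_DEC)`. If it does, add a comment saying which generated header the driver uses.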
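Review bot: The positional arguments are used unquoted and unchecked, so an empty `$2` makes the script create and populate `/fs/dec`, and a path containing spaces splits into several words. Validate and quote them, e.g. `KERNEL_BUILD_ROOT=${2:?kernel build root required}` and `mkdir -p "$KERNEL_BUILD_ROOT/fs/dec"`, and quote the `cd` and `realpath` operands the same way. `PRODUCT_NAME` and `KERNEL_VERSION` are assigned but not used in this file.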
@@ -0,0 +1,122 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + */ + +#include +#include +#include +#include +#include +#include + +#include "dec_misc.h" + +static int vfs_deal_policy_cmd(unsigned int cmd, void __user *arg) +{ + pr_info("vfs dec deal policy cmd:%u\n", cmd); + int ret = 0; + struct dec_policy_info info = { 0 }; + + ret = copy_from_user(&info, arg, sizeof(info)); + if (ret != 0) { + pr_err("copy from user failed\n"); + return -EFAULT; + } + + pr_info("tokenid:%lu path_num:%u persist_flag:%d\n", info.tokenid, info.path_num, info.persist_flag); + + return ret; +} + +static int vfs_destroy_dec_policy(void __user *arg) +{ + int ret = 0; + uint64_t tokenid; + + ret = copy_from_user(&tokenid, arg, sizeof(tokenid)); + if (ret != 0) { + pr_err("destroy dec policy copy from caller failed\n"); + return -EFAULT; + } + + pr_info("destroy dec policy tokenid:%ld\n", tokenid); + return 0; +} + +static long dec_ioctl(struct file *file, unsigned int cmd, unsigned long arg) +{ + pr_info("dec ioctl cmd:%u\n", cmd); + int ret = 0; + + switch (cmd) { + case SET_DEC_POLICY_CMD: + case DEL_DEC_POLICY_CMD: + case QUERY_DEC_POLICY_CMD: + case CHECK_DEC_POLICY_CMD: + case CONSTRAINT_DEC_POLICY_CMD: + case DENY_DEC_POLICY_CMD: + ret = vfs_deal_policy_cmd(cmd, (void __user *)arg); + break; + case DESTROY_DEC_POLICY_CMD: + ret = vfs_destroy_dec_policy((void __user *)arg); + break; + default: + ret = -EINVAL; + break; + } + + return 0; +} + +static int dec_open(struct inode *inode, struct file *filp) +{ + pr_info("dec open\n"); + return 0; +} + +static int dec_release(struct inode *inode, struct file *filp) +{ + pr_info("dec close\n"); + return 0; +} + +static const struct file_operations dec_fops = { + .owner = THIS_MODULE, + .open = dec_open, + .release = dec_release, + .unlocked_ioctl = dec_ioctl, + .compat_ioctl = dec_ioctl, +}; + +static struct miscdevice dec_misc = { + .minor = MISC_DYNAMIC_MINOR, + .name = "dec", + .fops 
= &dec_fops, +}; + +static int __init dec_init(void) +{ + int err = 0; + + err = misc_register(&dec_misc); + if (err < 0) { + pr_err("dec device init failed\n"); + return err; + } + + pr_err("dec device init success\n"); + return 0; +} + +static void __exit dec_exit(void) +{ + misc_deregister(&dec_misc); + pr_info("dec exited"); +} + +/* module entry points */ +module_init(dec_init); +module_exit(dec_exit); + +MODULE_LICENSE("GPL"); diff --git a/dec/dec_misc.h b/dec/dec_misc.h new file mode 100644 index 0000000..1154ece --- /dev/null +++ b/dec/dec_misc.h @@ -0,0 +1,54 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + */ + +#ifndef _DEC_MISC_H +#define _DEC_MISC_H + +#include +#include +#include + +#define MAX_PATH_NUM 8 + +#define DEV_DEC_MINOR 0x25 +#define DEC_IOCTL_BASE 's' +#define SET_POLICY_ID 1 +#define DEL_POLICY_ID 2 +#define QUERY_POLICY_ID 3 +#define CHECK_POLICY_ID 4 +#define DESTROY_POLICY_ID 5 +#define CONSTRAINT_POLICY_ID 6 +#define DENY_POLICY_ID 7 + +struct path_info { + char* path; + uint32_t path_len; + uint32_t mode; + bool ret_flag; +}; + +struct dec_policy_info { + uint64_t tokenid; + struct path_info path[MAX_PATH_NUM]; + uint32_t path_num; + bool persist_flag; +}; + +#define SET_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, SET_POLICY_ID, struct dec_policy_info) +#define DEL_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, DEL_POLICY_ID, struct dec_policy_info) +#define QUERY_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, QUERY_POLICY_ID, struct dec_policy_info) +#define CHECK_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, CHECK_POLICY_ID, struct dec_policy_info) +#define CONSTRAINT_DEC_POLICY_CMD \ + _IOW(DEC_IOCTL_BASE, CONSTRAINT_POLICY_ID, struct dec_policy_info) +#define DENY_DEC_POLICY_CMD \ + _IOWR(DEC_IOCTL_BASE, DENY_POLICY_ID, struct dec_policy_info) +#define DESTROY_DEC_POLICY_CMD \ + _IOW(DEC_IOCTL_BASE, DESTROY_POLICY_ID, uint64_t) + +#endif /* _DEC_MISC_H */ \ No newline at end of file -- Gitee 
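Review bot: `dec_ioctl` ends with `return 0;`, so the `-EINVAL` for an unknown command and the `-EFAULT` from a failed `copy_from_user` never reach the caller; it should be `return ret;`. `info.tokenid` and `tokenid` are `uint64_t` but are printed with `%lu` and `%ld`; use `%llu` with an `(unsigned long long)` cast. `.compat_ioctl = dec_ioctl` passes a 32-bit caller's argument straight through although `struct dec_policy_info` embeds `char *path`, so both the layout and the size encoded in the command number differ for compat tasks. Neither `dec_open` nor the ioctl checks the caller, so access rests entirely on the device node's permissions; say that in a comment or add the check before policy handling is implemented. Smaller points: `pr_info` precedes the declarations in two functions, the success message in `dec_init` uses `pr_err`, and `pr_info("dec exited")` lacks `\n`.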
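Review bot: `struct path_info` and `struct dec_policy_info` form the ioctl ABI but use `char *` and `bool`, whose size and padding depend on the caller's word size and compiler. A fixed layout would carry the pointer as a `__u64` (converted with `u64_to_user_ptr()`), replace `bool` with `__u8` or `__u32`, and add explicit padding so the copied size does not depend on implicit holes. `path_num` needs a documented bound of `MAX_PATH_NUM`, which the handler must enforce once it starts walking `path[]`. `DEV_DEC_MINOR` is defined but the driver registers with `MISC_DYNAMIC_MINOR`. The file also lacks a trailing newline, and headers conventionally use `/* SPDX-License-Identifier: ... */` rather than `//`.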
From 33abe981362861c1d0d67101c19b2a035852f21a Mon Sep 17 00:00:00 2001 From: negegne Date: Mon, 5 Aug 2024 18:02:50 +0800 Subject: [PATCH 04/15] add thread name to ucollection Signed-off-by: negegne --- ucollection/ucollection_process_cpu.c | 1 + ucollection/unified_collection_data.h | 1 + 2 files changed, 2 insertions(+) diff --git a/ucollection/ucollection_process_cpu.c b/ucollection/ucollection_process_cpu.c index db12fbe..79d0cf8 100644 --- a/ucollection/ucollection_process_cpu.c +++ b/ucollection/ucollection_process_cpu.c @@ -96,6 +96,7 @@ static void get_thread_load(struct task_struct *task, int cur_count, do_div(utime, NS_TO_MS); do_div(stime, NS_TO_MS); thread_cpu_item.tid = task->pid; + strcpy(thread_cpu_item.name, task->comm); thread_cpu_item.cpu_usage_utime = utime; thread_cpu_item.cpu_usage_stime = stime; thread_cpu_item.cpu_load_time = 0; diff --git a/ucollection/unified_collection_data.h b/ucollection/unified_collection_data.h index 67e270f..e261dd9 100644 --- a/ucollection/unified_collection_data.h +++ b/ucollection/unified_collection_data.h @@ -39,6 +39,7 @@ struct ucollection_process_thread_count { struct ucollection_thread_cpu_item { int tid; + char name[16]; // 16 : max length of thread name unsigned long long cpu_usage_utime; unsigned long long cpu_usage_stime; unsigned long long cpu_load_time; -- Gitee From 4f1953a75dd3021fdbe1afccab6e761982edba36 Mon Sep 17 00:00:00 2001 From: yeyuning Date: Mon, 19 Aug 2024 15:51:56 +0800 Subject: [PATCH 05/15] skipping xpm check not elf file Signed-off-by: yeyuning Change-Id: I817b906944ae8de8af20ba22e9c8167ee3d781dd --- code_sign/code_sign_ext.c | 10 +++--- code_sign/code_sign_ioctl.c | 4 +-- xpm/validator/elf_code_segment_info.c | 49 ++++++++++++++++++++++++--- 3 files changed, 52 insertions(+), 11 deletions(-) diff --git a/code_sign/code_sign_ext.c b/code_sign/code_sign_ext.c index 4811b26..16abbaf 100644 --- a/code_sign/code_sign_ext.c +++ b/code_sign/code_sign_ext.c 
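Review bot: `strcpy(thread_cpu_item.name, task->comm)` reads `comm` without the task lock and relies on two unrelated 16s staying equal. `get_task_comm(thread_cpu_item.name, task);` copies under `task_lock()` and fails the build if the buffer is not `TASK_COMM_LEN` bytes. In unified_collection_data.h declare the field as `char name[TASK_COMM_LEN];` if the header can see that definition, otherwise keep 16 and add a `BUILD_BUG_ON` beside the copy. The new member changes the size and layout of `struct ucollection_thread_cpu_item`; if the struct is copied to user space (not visible here), consumers must be rebuilt in step and the struct zeroed before filling so padding is not disclosed. get_thread_load starts and ends outside the hunk.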
@@ -24,10 +24,12 @@ static inline int check_code_sign_descriptor(const struct inode *inode, if (!desc->cs_version) return 0; - - if (le64_to_cpu(desc->pgtypeinfo_off) > le64_to_cpu(desc->data_size) - le32_to_cpu(desc->pgtypeinfo_size)) { + + // when calc pgtypeinfo_size, trans bit size to byte size + u32 pgtypeinfo_size_bytes = le32_to_cpu(desc->pgtypeinfo_size) / 8; + if (le64_to_cpu(desc->pgtypeinfo_off) > le64_to_cpu(desc->data_size) - pgtypeinfo_size_bytes) { code_sign_log_error("Wrong offset: %llu (pgtypeinfo_off) > %llu (data_size) - %u (pgtypeinfo_size)", - le64_to_cpu(desc->pgtypeinfo_off), le64_to_cpu(desc->data_size), le32_to_cpu(desc->pgtypeinfo_size)); + le64_to_cpu(desc->pgtypeinfo_off), le64_to_cpu(desc->data_size), pgtypeinfo_size_bytes); return -EINVAL; } @@ -70,8 +72,8 @@ void code_sign_before_measurement(void *_desc, int *ret) struct code_sign_descriptor *desc = CAST_CODE_SIGN_DESC(_desc); if (desc->cs_version == 1) { - desc->cs_version = 0; *ret = desc->cs_version; + desc->cs_version = 0; } else { *ret = desc->cs_version; } diff --git a/code_sign/code_sign_ioctl.c b/code_sign/code_sign_ioctl.c index 16e640c..79f1238 100644 --- a/code_sign/code_sign_ioctl.c +++ b/code_sign/code_sign_ioctl.c @@ -213,7 +213,7 @@ int parse_cert_source(unsigned long args, struct cert_source **_source) goto copy_source_failed; } - source->subject = kzalloc(info.signing_length, GFP_KERNEL); + source->subject = kzalloc(info.signing_length + 1, GFP_KERNEL); if (!source->subject) { ret = -ENOMEM; goto copy_source_failed; @@ -225,7 +225,7 @@ int parse_cert_source(unsigned long args, struct cert_source **_source) goto copy_subject_failed; } - source->issuer = kzalloc(info.issuer_length, GFP_KERNEL); + source->issuer = kzalloc(info.issuer_length + 1, GFP_KERNEL); if (!source->issuer) { ret = -ENOMEM; goto copy_subject_failed; diff --git a/xpm/validator/elf_code_segment_info.c b/xpm/validator/elf_code_segment_info.c index dbbb1a0..385ad3c 100644 
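Review bot: `le32_to_cpu(desc->pgtypeinfo_size) / 8` rounds down, so a bit count that is not a multiple of 8 under-reports by one the bytes the page-type info occupies. `DIV_ROUND_UP(le32_to_cpu(desc->pgtypeinfo_size), 8)` gives the size the range check needs. `u32 pgtypeinfo_size_bytes` is declared after a statement, which kernel builds using `-Wdeclaration-after-statement` warn about. The log text still labels the byte value as `pgtypeinfo_size`, so it should either print the raw field or say "bytes".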
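Review bot: `info.signing_length + 1` and `info.issuer_length + 1` are computed from caller-supplied lengths, and no upper bound is visible in these two hunks. If none is applied earlier in `parse_cert_source`, a maximal length wraps the sum to 0 and the copy that follows writes through a zero-size allocation. Reject oversized lengths before allocating (PATCH 07 in this series adds such a check with `MAX_SIGNING_LENGTH`), and add a comment that the extra byte is the NUL terminator left in place by `kzalloc`.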
--- a/xpm/validator/elf_code_segment_info.c +++ b/xpm/validator/elf_code_segment_info.c @@ -225,7 +225,7 @@ static int get_elf64_info(struct elfhdr *elf_ehdr, struct elf_info *elf_info) return 0; } -static int elf_check_and_get_code_segment_offset(struct file *file, struct elf_info *elf_info) +static int elf_check_and_get_code_segment_offset(struct file *file, struct elf_info *elf_info, bool *skip) { uint16_t type; struct elfhdr *elf_ehdr = &elf_info->elf_ehdr; @@ -235,8 +235,11 @@ static int elf_check_and_get_code_segment_offset(struct file *file, struct elf_i if (ret < 0) return ret; - if (memcmp(elf_ehdr->e_ident, ELFMAG, SELFMAG) != 0) - return -ENOEXEC; + if (memcmp(elf_ehdr->e_ident, ELFMAG, SELFMAG) != 0) { + // when the file is not an ELF file, skip checking + *skip = true; + return 0; + } type = elf16_get_value(elf_ehdr, elf_ehdr->e_type); if (type != ET_EXEC && type != ET_DYN) 
@@ -287,16 +290,52 @@ static int find_elf_code_segment_info(const char *phdr_info, struct elf_info *el return 0; } +static int handle_skip_case(struct file *file, struct exec_file_signature_info **code_segment_info) { + struct exec_file_signature_info *tmp_info = NULL; + if (*code_segment_info == NULL) { + tmp_info = kzalloc(sizeof(struct exec_file_signature_info), GFP_KERNEL); + if (tmp_info == NULL) { + return -ENOMEM; + } + } else { + tmp_info = *code_segment_info; + } + + if (tmp_info->code_segments == NULL) { + tmp_info->code_segments = kzalloc(sizeof(struct exec_segment_info), GFP_KERNEL); + if (tmp_info->code_segments == NULL) { + if (*code_segment_info == NULL) { + kfree(tmp_info); + tmp_info = NULL; + } + return -ENOMEM; + } + tmp_info->code_segment_count = 1; + } + + tmp_info->code_segments[0].file_offset = 0; + tmp_info->code_segments[0].size = file_inode(file)->i_size; + + if (*code_segment_info == NULL) { + *code_segment_info = tmp_info; + } + return 0; +} + int parse_elf_code_segment_info(struct file *file, struct exec_file_signature_info **code_segment_info) { const char *phdr_info; struct elf_info elf_info = {0}; int ret; - - ret = elf_check_and_get_code_segment_offset(file, &elf_info); + bool skip = false; + ret = elf_check_and_get_code_segment_offset(file, &elf_info, &skip); if (ret < 0) return ret; + + if (skip) { + return handle_skip_case(file, code_segment_info); + } phdr_info = kzalloc(elf_info.e_phsize, GFP_KERNEL); if (phdr_info == NULL) -- Gitee From 36a41c6a71712ae7709de71d6cd6e7c408c5c0f7 Mon Sep 17 00:00:00 2001 
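Review bot: When the caller passes an existing `*code_segment_info` whose `code_segments` is already allocated, `handle_skip_case` overwrites entry 0 but leaves `code_segment_count` at its old value, so stale entries stay valid. Set `tmp_info->code_segment_count = 1;` on that path too, or reject a pre-filled info. `file_inode(file)->i_size` should be read with `i_size_read(file_inode(file))`. Treating every non-ELF file as one code segment spanning the whole file replaces the former `-ENOEXEC`; a comment on `handle_skip_case` stating that this is the intended policy, and who frees the allocated info, would make the change reviewable. The function's opening brace belongs on its own line in kernel style.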
From: cbl Date: Thu, 29 Aug 2024 17:03:20 +0800 Subject: [PATCH 06/15] =?UTF-8?q?=E5=AE=89=E5=85=A8=E7=89=B9=E6=80=A7?= =?UTF-8?q?=E9=80=82=E9=85=8Dlinux=E5=86=85=E6=A0=B86.6=20Signed-off-by:?= =?UTF-8?q?=20cbl=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- container_escape_detection/core/ced_detection.c | 13 +++++++++++-- .../include/ced_detection_points.h | 2 +- memory_security/src/hideaddr.c | 6 ++++++ memory_security/src/jit_memory.c | 6 ++++++ 4 files changed, 24 insertions(+), 3 deletions(-) diff --git a/container_escape_detection/core/ced_detection.c b/container_escape_detection/core/ced_detection.c index 3f0ff8c..b8f2917 100644 --- a/container_escape_detection/core/ced_detection.c +++ b/container_escape_detection/core/ced_detection.c @@ -9,6 +9,7 @@ #include "objsec.h" #include "ced_detection.h" #include "ced_detection_points.h" +#include enum ced_event_type { EVENT_OK, @@ -40,13 +41,21 @@ static int ced_avc_has_perm(u16 tclass, u32 requested) struct av_decision avd; int rc; +#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)) if (!selinux_initialized(&selinux_state)) return 1; - +#else + if (!selinux_initialized()) + return 1; +#endif u32 sid = current_sid(); +#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)) rc = avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested, AVC_STRICT, &avd); - +#else + rc = avc_has_perm_noaudit(sid, sid, tclass, requested, + AVC_STRICT, &avd); +#endif return rc; } diff --git a/container_escape_detection/include/ced_detection_points.h b/container_escape_detection/include/ced_detection_points.h index 45eb2ba..cf62cb2 100644 --- a/container_escape_detection/include/ced_detection_points.h +++ b/container_escape_detection/include/ced_detection_points.h 
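Review bot: The same `#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0))` pair around `avc_has_perm_noaudit()` is repeated in `ced_avc_has_perm`, `hideaddr_avc_has_perm` and `jit_avc_has_perm` in this patch, and again in later patches of the series. One shared `static inline` wrapper in a common header would keep the version split in a single place. The cut-off is tied to 6.6, while the `selinux_state` argument was, as far as I know, dropped upstream before that release, so the check would pick the wrong branch on an intermediate kernel. A comment naming the kernel versions the modules support would make that assumption explicit.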
@@ -29,7 +29,7 @@ static inline void cred_info_record(struct cred_info *info, const struct cred *c info->egid = cred->egid.val; info->fsuid = cred->fsuid.val; - memcpy(&info->cap_effective.cap[0], &cred->cap_effective.cap[0], sizeof(info->cap_effective.cap)); + memcpy(&info->cap_effective, &cred->cap_effective, sizeof(kernel_cap_t)); } struct ns_info { diff --git a/memory_security/src/hideaddr.c b/memory_security/src/hideaddr.c index c34bbcd..5d77c4e 100644 --- a/memory_security/src/hideaddr.c +++ b/memory_security/src/hideaddr.c @@ -17,6 +17,7 @@ #include "avc.h" #include "objsec.h" #include "hideaddr.h" +#include static bool is_anon_exec(struct vm_area_struct *vma) { @@ -44,8 +45,13 @@ static int hideaddr_avc_has_perm(u16 tclass, u32 requested, struct seq_file *m) u32 secid; security_cred_getsecid(task->cred, &secid); +#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)) return avc_has_perm_noaudit(&selinux_state, secid, secid, tclass, requested, AVC_STRICT, &avd); +#else + return avc_has_perm_noaudit(secid, secid, tclass, requested, + AVC_STRICT, &avd); +#endif } static void hideaddr_header_prefix(unsigned long *start, unsigned long *end, diff --git a/memory_security/src/jit_memory.c b/memory_security/src/jit_memory.c index 0fc0bee..e34b6ab 100644 --- a/memory_security/src/jit_memory.c +++ b/memory_security/src/jit_memory.c @@ -11,6 +11,7 @@ #include "jit_space_list.h" #include "avc.h" #include "objsec.h" +#include DEFINE_SPINLOCK(list_lock); @@ -25,8 +26,13 @@ static bool jit_avc_has_perm(u16 tclass, u32 requested, struct task_struct *task u32 secid; security_cred_getsecid(task->cred, &secid); +#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)) return (avc_has_perm_noaudit(&selinux_state, secid, secid, tclass, requested, AVC_STRICT, &avd) == 0); +#else + return (avc_has_perm_noaudit(secid, secid, tclass, requested, + AVC_STRICT, &avd) == 0); +#endif } void find_jit_memory(struct task_struct *task, unsigned long start, unsigned long size, int *err) -- Gitee 
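Review bot: `memcpy(&info->cap_effective, &cred->cap_effective, sizeof(kernel_cap_t))` sizes the copy by the source type; if `info->cap_effective` in `struct cred_info` (declared outside the hunk) is not a `kernel_cap_t`, this copies too much or too little. Plain assignment, `info->cap_effective = cred->cap_effective;`, lets the compiler check the types. Alternatively use `sizeof(info->cap_effective)` with a `BUILD_BUG_ON` comparing the two sizes.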
From 200315367b3094a7b0b0fc7e3ddf05d0e4da6b28 Mon Sep 17 00:00:00 2001 From: cbl Date: Fri, 6 Sep 2024 15:35:11 +0800 Subject: [PATCH 07/15] =?UTF-8?q?code=5Fsign=20=E9=80=82=E9=85=8D6.6?= =?UTF-8?q?=E5=86=85=E6=A0=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: cbl --- code_sign/code_sign_elf.c | 24 +++++++++++++++++++++--- code_sign/code_sign_ioctl.c | 31 +++++++++++++++++++------------ code_sign/verify_cert_chain.c | 8 +++++++- 3 files changed, 47 insertions(+), 16 deletions(-) diff --git a/code_sign/code_sign_elf.c b/code_sign/code_sign_elf.c index 9c9a3dc..0745061 100644 --- a/code_sign/code_sign_elf.c +++ b/code_sign/code_sign_elf.c @@ -4,14 +4,22 @@ */ #include +#include #include #include -#include "dsmm_developer.h" +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 6, 0) +#include +#endif + #include "code_sign_elf.h" #include "code_sign_log.h" #include "verify_cert_chain.h" +#ifdef CONFIG_SECURITY_XPM +#include "dsmm_developer.h" +#endif + #define SIGN_HEAD_SIZE (sizeof(sign_head_t)) static void parse_sign_head(sign_head_t *out, char *ptr) @@ -197,12 +205,20 @@ out: int elf_file_enable_fs_verity(struct file *file) { +#ifdef CONFIG_SECURITY_XPM /* developer mode */ if (get_developer_mode_state() != STATE_ON) { code_sign_log_info("developer mode off, elf not allowed to execute"); return -EINVAL; } +#else + code_sign_log_info("developer mode off, elf not allowed to execute"); + return -EINVAL; +#endif + +#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0) mm_segment_t fs; +#endif char *path_buf = kzalloc(PATH_MAX, GFP_KERNEL); if (!path_buf) { code_sign_log_error("alloc mem for path_buf failed"); 
@@ -245,10 +261,10 @@ int elf_file_enable_fs_verity(struct file *file) err = -ENOMEM; goto filp_close_out; } - +#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0) fs = get_fs(); set_fs(KERNEL_DS); - +#endif ssize_t cnt = vfs_read(fp, sign_head_ptr, SIGN_HEAD_SIZE, &pos); if (cnt != SIGN_HEAD_SIZE) { code_sign_log_error("read sign head from file failed: return value %lu, expect %u bytes", @@ -278,7 +294,9 @@ int elf_file_enable_fs_verity(struct file *file) release_sign_head_out: kfree(sign_head_ptr); +#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0) set_fs(fs); +#endif filp_close_out: filp_close(fp, NULL); release_path_buf_out: diff --git a/code_sign/code_sign_ioctl.c b/code_sign/code_sign_ioctl.c index 16e640c..f877d81 100644 --- a/code_sign/code_sign_ioctl.c +++ b/code_sign/code_sign_ioctl.c @@ -8,11 +8,12 @@ #include #include #include +#include #include "avc.h" #include "objsec.h" -#include "dsmm_developer.h" #include "code_sign_ioctl.h" #include "code_sign_log.h" +#define MAX_SIGNING_LENGTH 2048 DEFINE_SPINLOCK(cert_chain_tree_lock); struct rb_root cert_chain_tree = RB_ROOT; @@ -71,8 +72,11 @@ int code_sign_check_caller(char *caller) u32 sid = current_sid(), context_len; char *context = NULL; int rc; - +#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0) rc = security_sid_to_context(&selinux_state, sid, &context, &context_len); +#else + rc = security_sid_to_context(sid, &context, &context_len); +#endif if (rc) return -EINVAL; @@ -180,11 +184,17 @@ int code_sign_avc_has_perm(u16 tclass, u32 requested) struct av_decision avd; u32 sid = current_sid(); int rc, rc2; - +#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0) rc = avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested, AVC_STRICT, &avd); rc2 = avc_audit(&selinux_state, sid, sid, tclass, requested, &avd, rc, NULL, AVC_STRICT); +#else + rc = avc_has_perm_noaudit(sid, sid, tclass, requested, + AVC_STRICT, &avd); + rc2 = avc_audit(sid, sid, tclass, requested, &avd, rc, + NULL); +#endif if (rc2) return rc2; 
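Review bot: On 6.6 the `set_fs(KERNEL_DS)` call is compiled out, but `vfs_read(fp, sign_head_ptr, SIGN_HEAD_SIZE, &pos)` still receives what appears to be a kernel allocation (the `-ENOMEM` path just above suggests so), and `vfs_read` expects a user pointer, so the read would fail. `kernel_read(fp, sign_head_ptr, SIGN_HEAD_SIZE, &pos)` works on both kernel generations and removes the need for the `mm_segment_t fs` and `set_fs` blocks altogether. `cnt` is an `ssize_t` printed with `%lu`; `%zd` matches. In the earlier hunk of this file the `#else` branch returns unconditionally, leaving the rest of `elf_file_enable_fs_verity` unreachable when `CONFIG_SECURITY_XPM` is off; a separate stub under `#ifndef` would be clearer.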
@@ -207,7 +217,8 @@ int parse_cert_source(unsigned long args, struct cert_source **_source) goto copy_source_failed; } - if (info.path_len > CERT_CHAIN_PATH_LEN_MAX || info.issuer_length == 0 || info.signing_length == 0) { + if (info.path_len > CERT_CHAIN_PATH_LEN_MAX || info.issuer_length == 0 || info.signing_length == 0 + || info.issuer_length > MAX_SIGNING_LENGTH || info.signing_length > MAX_SIGNING_LENGTH) { code_sign_log_error("invalid path len or subject or issuer"); ret = -EINVAL; goto copy_source_failed; @@ -288,10 +299,8 @@ long code_sign_ioctl(struct file *filp, unsigned int cmd, unsigned long args) if (ret == 1) { // developer cert - if (get_developer_mode_state() == STATE_ON) { - code_sign_log_debug("add developer cert"); - ret = cert_chain_insert(&dev_cert_chain_tree, source); - } + code_sign_log_debug("add developer cert"); + ret = cert_chain_insert(&dev_cert_chain_tree, source); } else { code_sign_log_debug("add release cert"); ret = cert_chain_insert(&cert_chain_tree, source); @@ -314,10 +323,8 @@ long code_sign_ioctl(struct file *filp, unsigned int cmd, unsigned long args) if (ret == 1) { // developer cert - if (get_developer_mode_state() == STATE_ON) { - code_sign_log_debug("remove developer cert"); - ret = cert_chain_remove(&dev_cert_chain_tree, source); - } + code_sign_log_debug("remove developer cert"); + ret = cert_chain_remove(&dev_cert_chain_tree, source); } else { code_sign_log_debug("remove release cert"); ret = cert_chain_remove(&cert_chain_tree, source); diff --git a/code_sign/verify_cert_chain.c b/code_sign/verify_cert_chain.c index 908dd6b..3e9d096 100644 --- a/code_sign/verify_cert_chain.c +++ b/code_sign/verify_cert_chain.c 
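Review bot: Both `code_sign_ioctl` hunks delete the `get_developer_mode_state() == STATE_ON` condition outright, so developer certificates are inserted into and removed from `dev_cert_chain_tree` regardless of developer mode, on every kernel and configuration. code_sign_elf.c and verify_cert_chain.c in this same patch keep the check and only wrap it in `#ifdef CONFIG_SECURITY_XPM`. Doing the same here, and refusing the request with an error when the option is off, would preserve the gate. If the removal is intended because verification alone decides whether the developer tree is consulted, say so in the commit message and in a comment at the insert site.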
@@ -6,15 +6,19 @@ #include #include #include +#include #include #include #include "objsec.h" -#include "dsmm_developer.h" #include "code_sign_ext.h" #include "code_sign_ioctl.h" #include "code_sign_log.h" #include "verify_cert_chain.h" +#ifdef CONFIG_SECURITY_XPM +#include "dsmm_developer.h" +#endif + /* * Find the key (X.509 certificate) to use to verify a PKCS#7 message. PKCS#7 * uses the issuer's name and the issuing certificate serial number for @@ -144,11 +148,13 @@ void code_sign_verify_certchain(const void *raw_pkcs7, size_t pkcs7_len, bool is_dev_mode = false; +#ifdef CONFIG_SECURITY_XPM // developer mode && developer proc if (get_developer_mode_state() == STATE_ON) { code_sign_log_info("developer mode on"); is_dev_mode = true; } +#endif for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { /* Find the key for the signature if there is one */ -- Gitee From 3a555cabc36531a3629cbddd88de86323954364a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=9B=A2=E8=BE=89?= Date: Thu, 12 Sep 2024 18:25:54 +0800 Subject: [PATCH 08/15] =?UTF-8?q?xpm=E6=A8=A1=E5=9D=97=E9=80=82=E9=85=8Dli?= =?UTF-8?q?nux6.6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 团辉 --- xpm/core/xpm_security_hooks.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/xpm/core/xpm_security_hooks.c b/xpm/core/xpm_security_hooks.c index 5fe5b37..bb60507 100644 --- a/xpm/core/xpm_security_hooks.c +++ b/xpm/core/xpm_security_hooks.c @@ -5,6 +5,7 @@ #include #include +#include #include "avc.h" #include "objsec.h" 
@@ -182,8 +183,13 @@ static int xpm_avc_has_perm(u16 tclass, u32 requested) struct av_decision avd; u32 sid = current_sid(); +#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)) return avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested, AVC_STRICT, &avd); +#else + return avc_has_perm_noaudit(sid, sid, tclass, requested, + AVC_STRICT, &avd); +#endif } static int xpm_validate_signature(struct vm_area_struct *vma, @@ -361,7 +367,7 @@ static int xpm_mprotect_check(struct vm_area_struct *vma, return xpm_common_check(vma, prot); } -static struct security_hook_list xpm_hooks[] __lsm_ro_after_init = { +static struct security_hook_list xpm_hooks[] __ro_after_init = { LSM_HOOK_INIT(mmap_region, xpm_mmap_check), LSM_HOOK_INIT(file_mprotect, xpm_mprotect_check), }; -- Gitee From 350758b887853ed6ab8bfa5e6687017b40033f40 Mon Sep 17 00:00:00 2001 From: shiyunli Date: Tue, 15 Oct 2024 16:12:51 +0800 Subject: [PATCH 09/15] fix Signed-off-by: shiyunli --- xpm/core/xpm_security_hooks.c | 11 +++++++++-- xpm/validator/exec_signature_info.c | 14 ++++++++------ 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/xpm/core/xpm_security_hooks.c b/xpm/core/xpm_security_hooks.c index bb60507..ba12873 100644 --- a/xpm/core/xpm_security_hooks.c +++ b/xpm/core/xpm_security_hooks.c @@ -309,14 +309,21 @@ static int xpm_check_prot(struct vm_area_struct *vma, unsigned long prot) /* check for xpm region vma prot */ if (vma->vm_flags & VM_XPM) { - if (is_anon || (prot & PROT_EXEC)) { - xpm_log_error("xpm region mmap not allow anonymous or exec permission"); + if (is_anon) { + vma->vm_flags &= ~VM_XPM; + goto next_check; + } + + if ((prot & PROT_WRITE) || (prot & PROT_EXEC)) { + xpm_log_error("xpm region mmap not allow write or exec permission"); + report_mmap_event("xpm_check", TYPE_ABC, vma, prot); return -EPERM; } return 0; } +next_check: /* check for anonymous vma prot, anonymous executable permission need * controled by selinux */ 
diff --git a/xpm/validator/exec_signature_info.c b/xpm/validator/exec_signature_info.c index 9c02c4f..2d0f02e 100644 --- a/xpm/validator/exec_signature_info.c +++ b/xpm/validator/exec_signature_info.c @@ -486,13 +486,15 @@ static void insert_new_signature_info(struct inode *file_node, int type, RB_CLEAR_NODE(&new_info->rb_node); if ((*old_info) != NULL) { write_lock(verity->lock); - rb_erase_node(verity->root, verity->node_count, *old_info); - (*old_info)->type |= FILE_SIGNATURE_DELETE; - write_unlock(verity->lock); - if (atomic_sub_return(1, &(*old_info)->reference) <= 0) { - kfree(*old_info); - *old_info = NULL; + if ((*old_info) != NULL) { + if (atomic_sub_return(1, &(*old_info)->reference) <= 0) { + rb_erase_node(verity->root, verity->node_count, *old_info); + (*old_info)->type |= FILE_SIGNATURE_DELETE; + kfree(*old_info); + *old_info = NULL; + } } + write_unlock(verity->lock); } write_lock(verity->lock); -- Gitee From 03ed4f4dc57719a41a235dab536fc245b21ce39d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=96=BD=E8=BF=90=E7=90=86?= Date: Thu, 17 Oct 2024 13:20:42 +0000 Subject: [PATCH 10/15] update xpm/core/xpm_security_hooks.c. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 施运理 --- xpm/core/xpm_security_hooks.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/xpm/core/xpm_security_hooks.c b/xpm/core/xpm_security_hooks.c index ba12873..bb60507 100644 --- a/xpm/core/xpm_security_hooks.c +++ b/xpm/core/xpm_security_hooks.c 
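Review bot: After this change the old node is erased from the tree only when its reference count drops to zero. When other holders remain it stays linked and unmarked while `new_info` is inserted for the same inode below, which looks like it can leave two entries for one key; the insertion code is outside the hunk, so confirm. The inner `if ((*old_info) != NULL)` repeats the outer test, and setting `FILE_SIGNATURE_DELETE` immediately before `kfree` has no reader. Consider keeping the unconditional `rb_erase_node(...)` and `(*old_info)->type |= FILE_SIGNATURE_DELETE;` under the lock, as before, and moving only the `atomic_sub_return`/`kfree` pair inside it. The write lock is then released and immediately re-taken for the insert; a single critical section would close that window.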
@@ -309,21 +309,14 @@ static int xpm_check_prot(struct vm_area_struct *vma, unsigned long prot) /* check for xpm region vma prot */ if (vma->vm_flags & VM_XPM) { - if (is_anon) { - vma->vm_flags &= ~VM_XPM; - goto next_check; - } - - if ((prot & PROT_WRITE) || (prot & PROT_EXEC)) { - xpm_log_error("xpm region mmap not allow write or exec permission"); - report_mmap_event("xpm_check", TYPE_ABC, vma, prot); + if (is_anon || (prot & PROT_EXEC)) { + xpm_log_error("xpm region mmap not allow anonymous or exec permission"); return -EPERM; } return 0; } -next_check: /* check for anonymous vma prot, anonymous executable permission need * controled by selinux */ -- Gitee From 8083d4c0533585c84b06408007fd3d702cdc584c Mon Sep 17 00:00:00 2001 From: luyifan <842825214@qq.com> Date: Tue, 5 Nov 2024 10:44:08 +0800 Subject: [PATCH 11/15] Xpm: check secure shield and disable jit Signed-off-by: luyifan<842825214@qq.com> --- xpm/Makefile | 4 ++- xpm/core/xpm_security_hooks.c | 20 +++++++++----- xpm/secureshield/dsmm_secureshield.c | 40 ++++++++++++++++++++++++++++ xpm/secureshield/dsmm_secureshield.h | 10 +++++++ 4 files changed, 67 insertions(+), 7 deletions(-) create mode 100644 xpm/secureshield/dsmm_secureshield.c create mode 100644 xpm/secureshield/dsmm_secureshield.h diff --git a/xpm/Makefile b/xpm/Makefile index 3fddf33..61163a2 100644 --- a/xpm/Makefile +++ b/xpm/Makefile @@ -14,7 +14,8 @@ obj-$(CONFIG_SECURITY_XPM) += \ core/xpm_report.o \ validator/elf_code_segment_info.o \ validator/exec_signature_info.o \ - developer/dsmm_developer.o + developer/dsmm_developer.o \ + secureshield/dsmm_secureshield.o obj-$(CONFIG_SECURITY_XPM_DEBUG) += \ core/xpm_debugfs.o @@ -23,6 +24,7 @@ ccflags-$(CONFIG_SECURITY_XPM) += \ -I$(srctree)/security/xpm/core \ -I$(srctree)/security/xpm/validator \ -I$(srctree)/security/xpm/developer \ + -I$(srctree)/security/xpm/secureshield \ -I$(srctree)/security/selinux/include \ -I$(srctree)/security/selinux \ -I$(srctree)/fs \ 
diff --git a/xpm/core/xpm_security_hooks.c b/xpm/core/xpm_security_hooks.c index bb60507..103a7c6 100644 --- a/xpm/core/xpm_security_hooks.c +++ b/xpm/core/xpm_security_hooks.c @@ -12,6 +12,7 @@ #include "exec_signature_info.h" #include "fsverity_private.h" #include "code_sign_ext.h" +#include "dsmm_secureshield.h" #include "xpm_common.h" #include "xpm_debugfs.h" #include "xpm_log.h" @@ -319,15 +320,22 @@ static int xpm_check_prot(struct vm_area_struct *vma, unsigned long prot) /* check for anonymous vma prot, anonymous executable permission need * controled by selinux + * in secure shield mode, all anon + x is forbidden + * in default mode, temporarily allow anon + x allocation */ - if (is_anon && (prot & PROT_EXEC)) { - ret = xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_ANON_MEM); - if (ret) { - report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot); - return -EPERM; + if (vma_is_anonymous(vma) && (prot & PROT_EXEC)) { + if (dsmm_is_secureshield_enabled()) { + ret = -EPERM; + report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot); + } else { + ret = xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_ANON_MEM); + if (ret) { + ret = 0; + report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot); + } } - return 0; + return ret; } /* check for non-anonymous vma prot */ diff --git a/xpm/secureshield/dsmm_secureshield.c b/xpm/secureshield/dsmm_secureshield.c new file mode 100644 index 0000000..c983bdc --- /dev/null +++ b/xpm/secureshield/dsmm_secureshield.c 
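Review bot: In the non-secure-shield branch of `xpm_check_prot`, a denial from `xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_ANON_MEM)` is overwritten with `ret = 0`, so the SELinux decision on anonymous executable memory becomes report-only for every process; before this change the same path returned `-EPERM`. The comment calls this temporary, but nothing in the code bounds it. If audit-only is wanted for a transition, gate it behind a build or boot option that defaults to enforcing and say so next to the assignment, e.g. `/* audit-only until <tracking id>: denial is reported but not enforced */`. The function starts and ends outside the hunk.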
@@ -0,0 +1,40 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + */ + +#include + +#include "dsmm_secureshield.h" +#include "xpm_log.h" + +#define STATE_UNINT 0 +#define STATE_ON 1 +#define STATE_OFF 2 + +static uint32_t secureshield_state = STATE_UNINT; +static int init_secureshield_state(void) +{ + if (strstr(saved_command_line, "advsecmode.state=1")) { + secureshield_state = STATE_ON; + } else { + // secureshield is defaultly set to off + secureshield_state = STATE_OFF; + } + xpm_log_info("secureshield init to %d", secureshield_state); + return secureshield_state; +} + +static int get_secureshield_state(void) +{ + if (secureshield_state == STATE_UNINT) { + return init_secureshield_state(); + } else { + return secureshield_state; + } +} + +bool dsmm_is_secureshield_enabled(void) +{ + return get_secureshield_state() == STATE_ON; +} \ No newline at end of file diff --git a/xpm/secureshield/dsmm_secureshield.h b/xpm/secureshield/dsmm_secureshield.h new file mode 100644 index 0000000..4cd0ccb --- /dev/null +++ b/xpm/secureshield/dsmm_secureshield.h @@ -0,0 +1,10 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + */ +#ifndef _DSMM_SECURESHIELD_H +#define _DSMM_SECURESHIELD_H + +bool dsmm_is_secureshield_enabled(void); + +#endif /* _DSMM_SECURESHIELD_H */ \ No newline at end of file -- Gitee From 8ba9c835815e34dcfb2fdf2d5a2bf2d0c6ef9726 Mon Sep 17 00:00:00 2001 From: zhangshuqi Date: Tue, 31 Dec 2024 10:31:03 +0800 Subject: [PATCH 12/15] delete useless opensource file Signed-off-by: zhangshuqi --- README.OpenSource | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 README.OpenSource diff --git a/README.OpenSource b/README.OpenSource deleted file mode 100644 index 05419d1..0000000 --- a/README.OpenSource +++ /dev/null 
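Review bot: `init_secureshield_state` in dsmm_secureshield.c decides the mode with `strstr(saved_command_line, "advsecmode.state=1")`, which also matches `advsecmode.state=10` or the same text inside another parameter's value, and it keeps the result in a writable static that is lazily initialised by whichever caller reaches `dsmm_is_secureshield_enabled()` first. Since this flag is what makes anonymous executable mappings fail closed, parse the parameter once at boot with an exact value comparison and keep the result `__ro_after_init`; the sketch below assumes XPM is always built in. dsmm_secureshield.h should also include `<linux/types.h>` for `bool`, and `STATE_UNINT` reads like a typo for `STATE_UNINIT`.

```c
static bool secureshield_enabled __ro_after_init;

static int __init secureshield_setup(char *str)
{
	/* exact match: "advsecmode.state=10" must not enable the mode */
	secureshield_enabled = str && strcmp(str, "1") == 0;
	xpm_log_info("secureshield init to %d", secureshield_enabled);
	return 0;
}
early_param("advsecmode.state", secureshield_setup);

bool dsmm_is_secureshield_enabled(void)
{
	return secureshield_enabled;
}
```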
@@ -1,11 +0,0 @@ -[ - { - "Name": "linux-5.10", - "License": "GPL-2.0+", - "License File": "newip/third_party/linux-5.10/LICENSES", - "Version Number": "5.10.93", - "Owner": "tanyanying@huawei.com", - "Upstream URL": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/?h=linux-5.10.y", - "Description": "linux kernel 5.10" - } -] -- Gitee From 1d61b5b771babdf338d29b02cabf94655536fe8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=9B=A2=E8=BE=89?= Date: Mon, 6 Jan 2025 20:37:33 +0800 Subject: [PATCH 13/15] =?UTF-8?q?code=20sign=20=E7=BC=96=E8=AF=91=E4=BE=9D?= =?UTF-8?q?=E8=B5=96=E9=97=AE=E9=A2=98=E4=BF=AE=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 团辉 --- code_sign/Makefile | 1 + code_sign/verify_cert_chain.c | 4 ++-- code_sign/verify_cert_chain.h | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/code_sign/Makefile b/code_sign/Makefile index 8a2af5b..0fc5dde 100644 --- a/code_sign/Makefile +++ b/code_sign/Makefile @@ -9,6 +9,7 @@ obj-$(CONFIG_SECURITY_CODE_SIGN) += \ code_sign_ext.o ccflags-$(CONFIG_SECURITY_CODE_SIGN) += \ + -I$(srctree)/fs/verity \ -I$(srctree)/fs/code_sign \ -I$(srctree)/security/selinux/include \ -I$(srctree)/security/selinux \ diff --git a/code_sign/verify_cert_chain.c b/code_sign/verify_cert_chain.c index 3e9d096..8163da9 100644 --- a/code_sign/verify_cert_chain.c +++ b/code_sign/verify_cert_chain.c @@ -122,7 +122,7 @@ static struct cert_source *find_matched_source(const struct x509_certificate *si } void code_sign_verify_certchain(const void *raw_pkcs7, size_t pkcs7_len, - struct cs_info *cs_info, int *ret) + struct fsverity_info *vi, int *ret) { struct pkcs7_message *pkcs7; struct pkcs7_signed_info *sinfo; 
@@ -205,7 +205,7 @@ void code_sign_verify_certchain(const void *raw_pkcs7, size_t pkcs7_len, } if (cert_chain_depth_without_root == (source->max_path_depth - 1)) { code_sign_log_info("cert subject and issuer trusted"); - set_file_ownerid(cs_info, source->path_type, pkcs7->signed_infos); + set_file_ownerid(&vi->fcs_info, source->path_type, pkcs7->signed_infos); *ret = source->path_type; goto exit; } else { diff --git a/code_sign/verify_cert_chain.h b/code_sign/verify_cert_chain.h index eb5a8dd..b2f7b06 100644 --- a/code_sign/verify_cert_chain.h +++ b/code_sign/verify_cert_chain.h @@ -7,11 +7,12 @@ #define _VERIFY_CERT_CHAIN_H #include +#include "fsverity_private.h" /* * verify_cert_chain.c */ void code_sign_verify_certchain(const void *raw_pkcs7, size_t pkcs7_len, - struct cs_info *cs_info, int *ret); + struct fsverity_info *vi, int *ret); #endif /* _VERIFY_CERT_CHAIN_H */ -- Gitee From a85997b59537776397ad52219eeeee812f15f297 Mon Sep 17 00:00:00 2001 From: liangbotong Date: Tue, 14 Jan 2025 11:12:39 +0800 Subject: [PATCH 14/15] Clean code warnings for NewIP Signed-off-by: liangbotong --- newip/examples/check_nip_enable.c | 4 ++-- newip/examples/get_af_ninet.c | 4 ++-- newip/examples/nip_addr.c | 14 +++++++------- newip/examples/nip_addr_cfg_demo.c | 2 +- newip/examples/nip_lib.c | 6 +++--- newip/examples/nip_route.c | 16 ++++++++-------- newip/examples/nip_route_cfg_demo.c | 2 +- newip/examples/nip_tcp_client_demo.c | 10 +++++----- newip/examples/nip_tcp_server_demo.c | 11 ++++++----- newip/examples/nip_udp_client_demo.c | 10 +++++----- newip/examples/nip_udp_server_demo.c | 9 +++++---- newip/src/common/nip_addr.c | 2 +- newip/src/common/nip_checksum.c | 6 +++--- newip/src/common/nip_hdr_decap.c | 2 +- newip/src/common/nip_hdr_encap.c | 2 +- .../src/linux-5.10/net/newip/tcp_nip_parameter.c | 14 +++++++------- .../linux-5.10/net/newip/ninet_hashtables.c | 2 +- .../linux-5.10/net/newip/tcp_nip_output.c | 2 +- 18 files changed, 60 insertions(+), 58 deletions(-) 
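Review bot: verify_cert_chain.h now pulls in `fsverity_private.h` only to name `struct fsverity_info *` in a prototype, which exposes fs/verity's private header (and the new `-I$(srctree)/fs/verity` path) to every includer. A forward declaration, `struct fsverity_info;`, is enough in the header; the full include is needed only in verify_cert_chain.c, where `&vi->fcs_info` is taken. A comment on the prototype should also state that `vi` must be non-NULL, since `set_file_ownerid(&vi->fcs_info, ...)` is reached without a check in the visible lines.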
diff --git a/newip/examples/check_nip_enable.c b/newip/examples/check_nip_enable.c index d894792..7273a20 100644 --- a/newip/examples/check_nip_enable.c +++ b/newip/examples/check_nip_enable.c @@ -19,7 +19,7 @@ int g_nip_enable = NIP_ENABLE_INVALID; -void _check_nip_enable(void) +static void _check_nip_enable(void) { char tmp[NIP_DISABLE_LENTH]; FILE *fn = fopen(NIP_DISABLE_PATH, "r"); @@ -42,7 +42,7 @@ void _check_nip_enable(void) g_nip_enable = atoi(tmp) ? 0 : 1; } -int check_nip_enable(void) +static int check_nip_enable(void) { if (g_nip_enable == NIP_ENABLE_INVALID) { _check_nip_enable(); diff --git a/newip/examples/get_af_ninet.c b/newip/examples/get_af_ninet.c index a3f8449..214c64c 100644 --- a/newip/examples/get_af_ninet.c +++ b/newip/examples/get_af_ninet.c @@ -18,7 +18,7 @@ int g_af_ninet; -void _get_af_ninet(void) +static void _get_af_ninet(void) { char tmp[AF_NINET_LENTH]; FILE *fn = fopen(AF_NINET_PATH, "r"); @@ -41,7 +41,7 @@ void _get_af_ninet(void) g_af_ninet = atoi(tmp); } -int get_af_ninet(void) +static int get_af_ninet(void) { if (g_af_ninet == 0) _get_af_ninet(); diff --git a/newip/examples/nip_addr.c b/newip/examples/nip_addr.c index 9fb3fee..5ca2744 100644 --- a/newip/examples/nip_addr.c +++ b/newip/examples/nip_addr.c @@ -24,7 +24,7 @@ * ioctl(fd, SIOGIFINDEX, &ifr); * ifr.ifr_ifindex; ===> ifindex */ -int nip_add_addr(int ifindex, const struct nip_addr *addr, int opt) +static int nip_add_addr(int ifindex, const struct nip_addr *addr, int opt) { int fd, ret; struct nip_ifreq ifrn; @@ -37,7 +37,7 @@ int nip_add_addr(int ifindex, const struct nip_addr *addr, int opt) ifrn.ifrn_addr = *addr; ifrn.ifrn_ifindex = ifindex; - ret = ioctl(fd, opt, &ifrn); + ret = ioctl(fd, (unsigned long)opt, &ifrn); if (ret < 0 && errno != EEXIST) { // ignore File Exists error printf("cfg newip addr fail, ifindex=%d, opt=%d, ret=%d.\n", ifindex, opt, ret); close(fd); 
@@ -48,16 +48,16 @@ int nip_add_addr(int ifindex, const struct nip_addr *addr, int opt) return 0; } -void cmd_help(void) +static void cmd_help(void) { /* nip_addr wlan0 add 01 (在wlan0上配置地址01) */ /* nip_addr wlan0 del 01 (在wlan0上删除地址01) */ printf("[cmd example] nip_addr { add | del } \n"); } -int parse_name(char **argv, int *ifindex, char *dev) +static int parse_name(char **argv, int *ifindex, char *dev) { - int len = strlen(*argv); + size_t len = strlen(*argv); memset(dev, 0, ARRAY_LEN); if (!len || len >= (ARRAY_LEN - 1)) @@ -73,10 +73,10 @@ int parse_name(char **argv, int *ifindex, char *dev) return nip_get_ifindex(dev, ifindex); } -int parse_cmd(char **argv, int *opt) +static int parse_cmd(char **argv, int *opt) { char cmd[ARRAY_LEN]; - int len = strlen(*argv); + size_t len = strlen(*argv); memset(cmd, 0, ARRAY_LEN); if (!len || len >= (ARRAY_LEN - 1)) diff --git a/newip/examples/nip_addr_cfg_demo.c b/newip/examples/nip_addr_cfg_demo.c index 308725f..dcf0837 100644 --- a/newip/examples/nip_addr_cfg_demo.c +++ b/newip/examples/nip_addr_cfg_demo.c @@ -24,7 +24,7 @@ * ioctl(fd, SIOGIFINDEX, &ifr); * ifr.ifr_ifindex; ===> ifindex */ -int nip_add_addr(int ifindex, const unsigned char *addr, unsigned char addr_len) +static int nip_add_addr(int ifindex, const unsigned char *addr, unsigned char addr_len) { int fd, ret; struct nip_ifreq ifrn; diff --git a/newip/examples/nip_lib.c b/newip/examples/nip_lib.c index 5169540..7a007eb 100644 --- a/newip/examples/nip_lib.c +++ b/newip/examples/nip_lib.c @@ -46,7 +46,7 @@ int32_t nip_get_ifindex(const char *ifname, int *ifindex) return 0; } -int nip_addr_fmt(char *addr_str, struct nip_addr *sap, int addrlen_input) +static int nip_addr_fmt(unsigned char *addr_str, struct nip_addr *sap, int addrlen_input) { unsigned char first_byte; int addrlen, i; 
@@ -93,7 +93,7 @@ int nip_addr_fmt(char *addr_str, struct nip_addr *sap, int addrlen_input) return 1; } - sap->bitlen = addrlen * NIP_ADDR_LEN_8; + sap->bitlen = (unsigned char)(addrlen * NIP_ADDR_LEN_8); printf("*************************************************\n"); printf("Newip addr len=%d\n", addrlen); for (i = 0; i < addrlen; i++) { @@ -108,7 +108,7 @@ int nip_addr_fmt(char *addr_str, struct nip_addr *sap, int addrlen_input) int nip_get_addr(char **args, struct nip_addr *addr) { - unsigned int len; + size_t len; char *sp = *args; int addrlen_input = 0; __u8 addr_str[INDEX_MAX] = {0}; diff --git a/newip/examples/nip_route.c b/newip/examples/nip_route.c index d916252..d016488 100644 --- a/newip/examples/nip_route.c +++ b/newip/examples/nip_route.c @@ -26,7 +26,7 @@ * ioctl(fd, SIOGIFINDEX, &ifr); * ifr.ifr_ifindex; ===> ifindex */ -int nip_route_add(int ifindex, const struct nip_addr *dst_addr, +static int nip_route_add(int ifindex, const struct nip_addr *dst_addr, const struct nip_addr *gateway_addr, __u8 gateway_flag, int opt) { int fd, ret; @@ -46,7 +46,7 @@ int nip_route_add(int ifindex, const struct nip_addr *dst_addr, rt.rtmsg_flags |= RTF_GATEWAY; } - ret = ioctl(fd, opt, &rt); + ret = ioctl(fd, (unsigned long)opt, &rt); if (ret < 0 && errno != EEXIST) { // ignore File Exists error close(fd); return -1; @@ -56,7 +56,7 @@ int nip_route_add(int ifindex, const struct nip_addr *dst_addr, return 0; } -void cmd_help(void) +static void cmd_help(void) { /* nip_route add 02 wlan0 * (配置目的地址02设备路由,出口是wlan0) @@ -70,9 +70,9 @@ void cmd_help(void) printf("nip_route { add | del } \n"); } -int parse_name(char **argv, int *ifindex, char *dev) +static int parse_name(char **argv, int *ifindex, char *dev) { - int len = strlen(*argv); + size_t len = strlen(*argv); memset(dev, 0, ARRAY_LEN); if (len >= (ARRAY_LEN - 1) || !len) 
@@ -88,9 +88,9 @@ int parse_name(char **argv, int *ifindex, char *dev) return nip_get_ifindex(dev, ifindex); } -int parse_cmd(char **argv, int *opt) +static int parse_cmd(char **argv, int *opt) { - int len = strlen(*argv); + size_t len = strlen(*argv); char cmd[ARRAY_LEN]; memset(cmd, 0, ARRAY_LEN); @@ -111,7 +111,7 @@ int parse_cmd(char **argv, int *opt) return 0; } -int parse_args(char **argv, int *opt, __u8 *gateway_flag, int *ifindex, +static int parse_args(char **argv, int *opt, __u8 *gateway_flag, int *ifindex, struct nip_addr *dst_addr, struct nip_addr *gateway_addr, char *dev, int argc) { /* 配置参数1解析: { add | del } */ diff --git a/newip/examples/nip_route_cfg_demo.c b/newip/examples/nip_route_cfg_demo.c index b5a0a1e..d7bc3a8 100644 --- a/newip/examples/nip_route_cfg_demo.c +++ b/newip/examples/nip_route_cfg_demo.c @@ -27,7 +27,7 @@ * ioctl(fd, SIOGIFINDEX, &ifr); * ifr.ifr_ifindex; ===> ifindex */ -int nip_route_add(int ifindex, const unsigned char *dst_addr, uint8_t dst_addr_len, +static int nip_route_add(int ifindex, const unsigned char *dst_addr, uint8_t dst_addr_len, const unsigned char *gateway_addr, uint8_t gateway_addr_len) { int fd, ret; diff --git a/newip/examples/nip_tcp_client_demo.c b/newip/examples/nip_tcp_client_demo.c index b96a47c..391f048 100644 --- a/newip/examples/nip_tcp_client_demo.c +++ b/newip/examples/nip_tcp_client_demo.c @@ -24,7 +24,7 @@ #include #include -int _send(int cfd, int pkt_num) +static int _send(int cfd, int pkt_num) { char buf[BUFLEN] = {0}; struct timeval sys_time; @@ -44,7 +44,7 @@ int _send(int cfd, int pkt_num) return 0; } -int _recv(int cfd, int pkt_num, int *success) +static int _recv(int cfd, int pkt_num, int *success) { char buf[BUFLEN] = {0}; fd_set readfds; @@ -61,7 +61,7 @@ int _recv(int cfd, int pkt_num, int *success) } if (FD_ISSET(cfd, &readfds)) { - int ret; + ssize_t ret; int no = 0; ret = recv(cfd, buf, PKTLEN, MSG_WAITALL); 
@@ -75,7 +75,7 @@ int _recv(int cfd, int pkt_num, int *success) printf("Received --%s sock %d success:%6d/%6d/no=%6d\n", buf, cfd, *success, pkt_num + 1, no); } else { - printf("recv fail, ret=%d\n", ret); + printf("recv fail, ret=%zd\n", ret); return -1; } } @@ -83,7 +83,7 @@ int _recv(int cfd, int pkt_num, int *success) return 0; } -void *send_recv(void *args) +static void *send_recv(void *args) { int cfd = ((struct thread_args *)args)->cfd; int success = 0; diff --git a/newip/examples/nip_tcp_server_demo.c b/newip/examples/nip_tcp_server_demo.c index 5c05ffb..f3c9423 100644 --- a/newip/examples/nip_tcp_server_demo.c +++ b/newip/examples/nip_tcp_server_demo.c @@ -22,14 +22,15 @@ #include "nip_lib.h" #include "newip_route.h" -void *recv_send(void *args) +static void *recv_send(void *args) { - int cfd, ret; + int cfd; + ssize_t ret; char buf[BUFLEN] = {0}; memcpy(&cfd, args, sizeof(int)); for (int i = 0; i < PKTCNT; i++) { - int recv_num = recv(cfd, buf, PKTLEN, MSG_WAITALL); + ssize_t recv_num = recv(cfd, buf, PKTLEN, MSG_WAITALL); if (recv_num < 0) { perror("recv"); @@ -37,13 +38,13 @@ void *recv_send(void *args) } else if (recv_num == 0) { /* no data */ ; } else { - printf("Received -- %s --:%d\n", buf, recv_num); + printf("Received -- %s --:%zd\n", buf, recv_num); ret = send(cfd, buf, recv_num, 0); if (ret < 0) { perror("send"); goto END; } - printf("Sending -- %s --:%d\n", buf, recv_num); + printf("Sending -- %s --:%zd\n", buf, recv_num); } } END: close(cfd); diff --git a/newip/examples/nip_udp_client_demo.c b/newip/examples/nip_udp_client_demo.c index 05ffa62..efad5d2 100644 --- a/newip/examples/nip_udp_client_demo.c +++ b/newip/examples/nip_udp_client_demo.c @@ -23,7 +23,7 @@ #include "nip_lib.h" #include "newip_route.h" -int _sendto(int cfd, struct sockaddr_nin *si_server, int pkt_num) +static int _sendto(int cfd, struct sockaddr_nin *si_server, int pkt_num) { char buf[BUFLEN] = {0}; struct timeval sys_time; 
@@ -44,7 +44,7 @@ int _sendto(int cfd, struct sockaddr_nin *si_server, int pkt_num) return 0; } -int _recvfrom(int cfd, struct sockaddr_nin *si_server, int pkt_num, int *success) +static int _recvfrom(int cfd, struct sockaddr_nin *si_server, int pkt_num, int *success) { char buf[BUFLEN] = {0}; fd_set readfds; @@ -62,7 +62,7 @@ int _recvfrom(int cfd, struct sockaddr_nin *si_server, int pkt_num, int *success } if (FD_ISSET(cfd, &readfds)) { - int ret; + ssize_t ret; int no = 0; ret = recvfrom(cfd, buf, BUFLEN, 0, (struct sockaddr *)si_server, &slen); @@ -73,7 +73,7 @@ int _recvfrom(int cfd, struct sockaddr_nin *si_server, int pkt_num, int *success printf("Received --%s sock %d success:%6d/%6d/no=%6d\n", buf, cfd, *success, pkt_num + 1, no); } else { - printf("client recvfrom fail, ret=%d\n", ret); + printf("client recvfrom fail, ret=%zd\n", ret); return -1; } } @@ -81,7 +81,7 @@ int _recvfrom(int cfd, struct sockaddr_nin *si_server, int pkt_num, int *success return 0; } -void *send_recv(void *args) +static void *send_recv(void *args) { int success = 0; int cfd = ((struct thread_args *)args)->cfd; diff --git a/newip/examples/nip_udp_server_demo.c b/newip/examples/nip_udp_server_demo.c index fb2eb1a..40f767b 100644 --- a/newip/examples/nip_udp_server_demo.c +++ b/newip/examples/nip_udp_server_demo.c @@ -24,10 +24,11 @@ #include "nip_lib.h" #include "newip_route.h" -void *recv_send(void *args) +static void *recv_send(void *args) { char buf[BUFLEN] = {0}; - int fd, ret, recv_num; + int fd; + ssize_t recv_num, ret; int count = 0; socklen_t slen; struct sockaddr_nin si_remote; @@ -39,7 +40,7 @@ void *recv_send(void *args) memset(&si_remote, 0, sizeof(si_remote)); recv_num = recvfrom(fd, buf, BUFLEN, 0, (struct sockaddr *)&si_remote, &slen); if (recv_num < 0) { - printf("server recvfrom fail, ret=%d\n", ret); + printf("server recvfrom fail, recv_num=%zd\n", recv_num); goto END; } else if (recv_num == 0) { /* no data */ ; 
@@ -49,7 +50,7 @@ void *recv_send(void *args) slen = sizeof(si_remote); ret = sendto(fd, buf, BUFLEN, 0, (struct sockaddr *)&si_remote, slen); if (ret < 0) { - printf("server sendto fail, ret=%d\n", ret); + printf("server sendto fail, ret=%zd\n", ret); goto END; } printf("Sending -- %s -- to 0x%0x:%d\n", buf, diff --git a/newip/src/common/nip_addr.c b/newip/src/common/nip_addr.c index 31105bc..d61d879 100644 --- a/newip/src/common/nip_addr.c +++ b/newip/src/common/nip_addr.c @@ -424,7 +424,7 @@ unsigned char *decode_nip_addr(struct nip_buff *nbuf, struct nip_addr *addr) addr->NIP_ADDR_FIELD8[i] = *nbuf->data; nip_buff_pull(nbuf, sizeof(unsigned char)); } - addr->bitlen = addr_len * NIP_ADDR_BIT_LEN_8; + addr->bitlen = (unsigned char)(addr_len * NIP_ADDR_BIT_LEN_8); ret = nip_addr_invalid(addr); if (ret) diff --git a/newip/src/common/nip_checksum.c b/newip/src/common/nip_checksum.c index a5ecef1..47f196a 100644 --- a/newip/src/common/nip_checksum.c +++ b/newip/src/common/nip_checksum.c @@ -14,7 +14,7 @@ #define USHORT_PAYLOAD 16 #define NIP_CHECKSUM_UINT8_PAYLOAD 8 -unsigned int _nip_check_sum(const unsigned char *data, unsigned short data_len) +static unsigned int _nip_check_sum(const unsigned char *data, unsigned short data_len) { unsigned int i = 0; unsigned int sum = 0; @@ -30,10 +30,10 @@ unsigned int _nip_check_sum(const unsigned char *data, unsigned short data_len) return sum; } -unsigned int _nip_header_chksum(struct nip_pseudo_header *chksum_header) +static unsigned int _nip_header_chksum(struct nip_pseudo_header *chksum_header) { int i, j; - int addr_len; + unsigned short addr_len; unsigned char pseudo_header[NIP_HDR_MAX] = {0}; unsigned short hdr_len = 0; diff --git a/newip/src/common/nip_hdr_decap.c b/newip/src/common/nip_hdr_decap.c index abec609..1637fdc 100644 --- a/newip/src/common/nip_hdr_decap.c +++ b/newip/src/common/nip_hdr_decap.c 
@@ -285,7 +285,7 @@ int nip_hdr_parse(unsigned char *rcv_buf, unsigned int buf_len, struct nip_hdr_d if (buf_len < nbuf.remaining_len) return -NIP_HDR_RCV_BUF_READ_OUT_RANGE; - niph->hdr_real_len = buf_len - nbuf.remaining_len; + niph->hdr_real_len = (unsigned char)(buf_len - nbuf.remaining_len); ret = nip_hdr_check(niph); if (ret < 0) return ret; diff --git a/newip/src/common/nip_hdr_encap.c b/newip/src/common/nip_hdr_encap.c index b971834..4e9e11c 100644 --- a/newip/src/common/nip_hdr_encap.c +++ b/newip/src/common/nip_hdr_encap.c @@ -53,7 +53,7 @@ static inline void _nip_hdr_len_encap(struct nip_hdr_encap *head) static inline void _nip_update_hdr_len(struct nip_hdr_encap *head) { - *head->hdr_len_pos = head->hdr_buf_pos; + *head->hdr_len_pos = (unsigned char)head->hdr_buf_pos; } static inline void _nip_hdr_nexthdr_encap(struct nip_hdr_encap *head) diff --git a/newip/src/linux-5.10/net/newip/tcp_nip_parameter.c b/newip/src/linux-5.10/net/newip/tcp_nip_parameter.c index 3964fac..7a794a8 100644 --- a/newip/src/linux-5.10/net/newip/tcp_nip_parameter.c +++ b/newip/src/linux-5.10/net/newip/tcp_nip_parameter.c @@ -171,7 +171,7 @@ int get_dup_ack_snd_max(void) /* RTT timestamp parameters */ /*********************************************************************************************/ int g_rtt_tstamp_rto_up = 100; // rtt_tstamp >= 100 ==> shorten rto -module_param_named(rtt_tstamp_rto_up, g_rtt_tstamp_rto_up, int, 0644); +module_param_named(rtt_tstamp_rto_up, g_rtt_tstamp_rto_up, int, 0644); int get_rtt_tstamp_rto_up(void) { @@ -179,7 +179,7 @@ int get_rtt_tstamp_rto_up(void) } int g_rtt_tstamp_high = 30; // rtt_tstamp >= 30 ==> ssthresh = 100K -module_param_named(rtt_tstamp_high, g_rtt_tstamp_high, int, 0644); +module_param_named(rtt_tstamp_high, g_rtt_tstamp_high, int, 0644); int get_rtt_tstamp_high(void) { 
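Review bot: In `nip_hdr_parse`, `(unsigned char)(buf_len - nbuf.remaining_len)` silences the conversion warning but does not bound the value: the visible guard only rejects `buf_len < nbuf.remaining_len`, so a consumed length above 255 would be stored modulo 256 and `nip_hdr_check(niph)` would then validate the truncated number. Unless the decode steps above the hunk already cap the consumed bytes, check the range before narrowing, e.g. `if (buf_len - nbuf.remaining_len > 0xFF) return -NIP_HDR_RCV_BUF_READ_OUT_RANGE;`. The same cast-only pattern is added in `_nip_update_hdr_len` (nip_hdr_encap.c), `decode_nip_addr` (nip_addr.c) and `nip_addr_fmt` (examples/nip_lib.c); each needs either a bound check or a comment naming the invariant that makes the narrowing safe. The function starts and ends outside the hunk.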
@@ -187,7 +187,7 @@ int get_rtt_tstamp_high(void) } int g_rtt_tstamp_mid_high = 20; // rtt_tstamp >= 20 ==> ssthresh = 250K -module_param_named(rtt_tstamp_mid_high, g_rtt_tstamp_mid_high, int, 0644); +module_param_named(rtt_tstamp_mid_high, g_rtt_tstamp_mid_high, int, 0644); int get_rtt_tstamp_mid_high(void) { @@ -198,7 +198,7 @@ int get_rtt_tstamp_mid_high(void) * rtt_tstamp < 10 ==> ssthresh = 1.5M */ int g_rtt_tstamp_mid_low = 10; -module_param_named(rtt_tstamp_mid_low, g_rtt_tstamp_mid_low, int, 0644); +module_param_named(rtt_tstamp_mid_low, g_rtt_tstamp_mid_low, int, 0644); int get_rtt_tstamp_mid_low(void) { @@ -206,7 +206,7 @@ int get_rtt_tstamp_mid_low(void) } int g_ack_to_nxt_snd_tstamp = 500; -module_param_named(ack_to_nxt_snd_tstamp, g_ack_to_nxt_snd_tstamp, int, 0644); +module_param_named(ack_to_nxt_snd_tstamp, g_ack_to_nxt_snd_tstamp, int, 0644); int get_ack_to_nxt_snd_tstamp(void) { @@ -359,7 +359,7 @@ bool get_nip_debug(void) /* Debugging of threshold change */ bool g_rtt_ssthresh_debug; -module_param_named(rtt_ssthresh_debug, g_rtt_ssthresh_debug, bool, 0644); +module_param_named(rtt_ssthresh_debug, g_rtt_ssthresh_debug, bool, 0644); bool get_rtt_ssthresh_debug(void) { @@ -368,7 +368,7 @@ bool get_rtt_ssthresh_debug(void) /* Debugging of packet retransmission after ACK */ bool g_ack_retrans_debug; -module_param_named(ack_retrans_debug, g_ack_retrans_debug, bool, 0644); +module_param_named(ack_retrans_debug, g_ack_retrans_debug, bool, 0644); bool get_ack_retrans_debug(void) { diff --git a/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c b/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c index 33f7c5e..ee52eeb 100644 --- a/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c +++ b/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c 
@@ -343,7 +343,7 @@ found: return sk; } -static inline int nip_tcp_compute_score(struct sock *sk, struct net *net, +static int nip_tcp_compute_score(struct sock *sk, struct net *net, const unsigned short hnum, const struct nip_addr *daddr, const int dif, int sdif) diff --git a/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c b/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c index 0f957ae..875684d 100644 --- a/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c +++ b/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c @@ -79,7 +79,7 @@ static bool tcp_nip_write_xmit(struct sock *sk, unsigned int mss_now, int nonagl int push_one, gfp_t gfp); /* Calculate MSS not accounting any TCP options. */ -static inline int __tcp_nip_mtu_to_mss(struct sock *sk, int pmtu) +static int __tcp_nip_mtu_to_mss(struct sock *sk, int pmtu) { const struct tcp_sock *tp = tcp_sk(sk); const struct inet_connection_sock *icsk = inet_csk(sk); -- Gitee From 6e639c8c25042045e06773c1501c8ae512dcbd3b Mon Sep 17 00:00:00 2001 From: edwardcaoyue Date: Thu, 13 Mar 2025 21:58:05 +0800 Subject: [PATCH 15/15] avoid rt qos Signed-off-by: edwardcaoyue --- qos_auth/auth_ctl/qos_ctrl.c | 6 ++++++ qos_auth/include/auth_ctrl.h | 1 + 2 files changed, 7 insertions(+) diff --git a/qos_auth/auth_ctl/qos_ctrl.c b/qos_auth/auth_ctl/qos_ctrl.c index 2304edf..73bc107 100644 --- a/qos_auth/auth_ctl/qos_ctrl.c +++ b/qos_auth/auth_ctl/qos_ctrl.c @@ -256,6 +256,12 @@ int qos_apply(struct qos_ctrl_data *data) qts = (struct qos_task_struct *) &p->qts; + if (rt_task(p) && qts->in_qos == NO_QOS) { + pr_err("[QOS_CTRL] can not apply qos for native rt task\n"); + ret = -ALREADY_RT_TASK; + goto out_unlock; + } + /* effective qos must in range [NO_QOS, NR_QOS) */ if (qts->in_qos != NO_QOS) { if (qts->in_qos == level) { diff --git a/qos_auth/include/auth_ctrl.h b/qos_auth/include/auth_ctrl.h index f2e04ee..7301cac 100644 --- a/qos_auth/include/auth_ctrl.h +++ b/qos_auth/include/auth_ctrl.h 
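Review bot: The new rejection in `qos_apply` logs with an unconditional `pr_err`, and its condition (`rt_task(p) && qts->in_qos == NO_QOS`) depends only on the target task's state, so a caller that repeats the request can fill the kernel log if this path is reachable from the control interface. Use `pr_err_ratelimited("[QOS_CTRL] can not apply qos for native rt task\n");` or lower it to `pr_debug`. The function starts and ends outside the hunk.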
@@ -72,6 +72,7 @@ enum auth_err_no { PID_DUPLICATE, PID_NOT_EXIST, INVALID_AUTH, + ALREADY_RT_TASK, QOS_THREAD_NUM_EXCEED_LIMIT, }; -- Gitee
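Review bot: `ALREADY_RT_TASK` is inserted before `QOS_THREAD_NUM_EXCEED_LIMIT` in `enum auth_err_no`, which changes the numeric value of the latter if the enumerators are implicitly numbered (the start of the enum is outside the hunk). `qos_apply` returns these as `-ALREADY_RT_TASK`, so user space that compares against the old number for the thread-limit error would misread it. Append the new code after `QOS_THREAD_NUM_EXCEED_LIMIT`, or give the enumerators explicit values.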