From 6079a6776e84242ac1db2c0b1a441a9263a7ba16 Mon Sep 17 00:00:00 2001 From: chen Date: Mon, 9 May 2022 20:55:47 +0800 Subject: [PATCH] fixed 54d150f from https://gitee.com/hdcck/distributedschedule_samgr/pulls/163 fixed 46e1188 from https://gitee.com/hdcck/distributedschedule_samgr/pulls/159 fixed 5efd514 from https://gitee.com/hdcck/distributedschedule_samgr/pulls/158 fixed c235aa8 from https://gitee.com/hdcck/distributedschedule_samgr/pulls/157 fixed fc27f73 from https://gitee.com/hdcck/distributedschedule_samgr/pulls/156 fixed 8b990bb from https://gitee.com/hdcck/distributedschedule_samgr/pulls/155 fixed c8a4948 from https://gitee.com/hdcck/distributedschedule_samgr/pulls/154 fixed eb6f83b from https://gitee.com/hdcck/distributedschedule_samgr/pulls/153 fixed d9d9fe6 from https://gitee.com/hdcck/distributedschedule_samgr/pulls/152 fixed 7536305 from https://gitee.com/hdcck/distributedschedule_samgr/pulls/150 add se Signed-off-by: chen Change-Id: I48ad041b3a98c5de60234f5550bf278b470c565b --- services/samgr/native/BUILD.gn | 5 + services/samgr/native/samgr_standard.cfg | 2 +- services/samgr/native/samgr_standard_musl.cfg | 3 +- .../source/system_ability_manager_stub.cpp | 105 +++++++++++++++++- 4 files changed, 111 insertions(+), 4 deletions(-) diff --git a/services/samgr/native/BUILD.gn b/services/samgr/native/BUILD.gn index 26fdf8d5..49803cd7 100644 --- a/services/samgr/native/BUILD.gn +++ b/services/samgr/native/BUILD.gn @@ -82,6 +82,11 @@ ohos_executable("samgr") { "ipc:libdbinder", "utils_base:utils", ] + + if (build_selinux) { + external_deps += [ "selinux:libservice_checker" ] + defines = [ "WITH_SELINUX" ] + } public_deps = [ "//third_party/libxml2:libxml2" ] part_name = "samgr_standard" } diff --git a/services/samgr/native/samgr_standard.cfg b/services/samgr/native/samgr_standard.cfg index 8a6256aa..3811f208 100644 --- a/services/samgr/native/samgr_standard.cfg +++ b/services/samgr/native/samgr_standard.cfg 
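Review bot: `defines = [ "WITH_SELINUX" ]` inside the new `if (build_selinux)` block assigns the list instead of appending to it, so it is only correct while the `samgr` target sets no `defines` earlier in its body. That body starts outside the hunk, so this cannot be confirmed here; if an earlier assignment exists, `defines += [ "WITH_SELINUX" ]` is the form that keeps it. The hunk also does not show where `build_selinux` is declared, so check that the file imports the `.gni` that defines it. With the flag off, the C++ helpers added by this patch compile to `return true`, so a comment above the block such as `# build_selinux off: samgr performs no SELinux service checks` would make that consequence visible to whoever toggles it.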
@@ -4,7 +4,7 @@
 "path" : ["/system/bin/samgr"],
 "critical" : [1, 1, 60],
 "uid" : "system",
- "gid" : ["system"],
+ "gid" : ["system", "readproc"],
 "start-mode" : "boot"
 }
 ]
diff --git a/services/samgr/native/samgr_standard_musl.cfg b/services/samgr/native/samgr_standard_musl.cfg
index 154574db..99d5e27d 100644
--- a/services/samgr/native/samgr_standard_musl.cfg
+++ b/services/samgr/native/samgr_standard_musl.cfg
@@ -2,9 +2,8 @@
 "services" : [{
 "name" : "samgr",
 "path" : ["/system/bin/samgr"],
- "critical" : [1, 1, 60],
 "uid" : "samgr",
- "gid" : ["samgr"],
+ "gid" : ["samgr", "readproc"],
 "secon" : "u:r:samgr:s0",
 "start-mode" : "boot"
 }
diff --git a/services/samgr/native/source/system_ability_manager_stub.cpp b/services/samgr/native/source/system_ability_manager_stub.cpp
index 44dc4033..1a62561f 100644
--- a/services/samgr/native/source/system_ability_manager_stub.cpp
+++ b/services/samgr/native/source/system_ability_manager_stub.cpp
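Review bot: The `readproc` supplementary group added to samgr here, and again in the musl cfg hunk, widens what the service manager can read, and the commit message does not say why. Presumably it lets the SELinux checker resolve a caller's context from that caller's /proc entry, but that is an inference from the rest of the patch. Since these cfg files cannot carry comments, the reason belongs in the commit description. It is also worth confirming the group is not granted on builds where `build_selinux` is off and the checker is never linked.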
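Review bot: The musl cfg hunk deletes `"critical" : [1, 1, 60]` from the samgr service entry, while the non-musl cfg in the previous hunk keeps it, and nothing in the commit message mentions the removal. If that key is what makes init treat a samgr failure as critical (an assumption; the cfg semantics are not shown here), dropping it changes how the device recovers when the service manager dies. That is unrelated to adding SELinux checks. Suggest restoring the line, or moving the removal to its own commit with the reason stated.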
@@ -24,8 +24,57 @@ #include "system_ability_manager.h" #include "tools.h" -using namespace OHOS::Security; +#ifdef WITH_SELINUX +#include "service_checker.h" +#endif + +namespace { +#ifdef WITH_SELINUX + std::unique_ptr selinuxChecker_ = std::make_unique(false); +#endif + + bool CheckGetSAPermission(const int32_t said) + { +#ifdef WITH_SELINUX + auto callingPid = OHOS::IPCSkeleton::GetCallingPid(); + return selinuxChecker_->GetServiceCheck(callingPid, std::to_string(said)) == 0; +#else + return true; // if not support selinux, not check selinux permission +#endif + } + + bool CheckAddOrRemovePermission(const int32_t said) + { +#ifdef WITH_SELINUX + auto callingPid = OHOS::IPCSkeleton::GetCallingPid(); + return selinuxChecker_->AddServiceCheck(callingPid, std::to_string(said)) == 0; +#else + return true; // if not support selinux, not check selinux permission +#endif + } + + bool CheckGetRemoteSAPermission(const int32_t said) + { +#ifdef WITH_SELINUX + auto callingPid = OHOS::IPCSkeleton::GetCallingPid(); + return selinuxChecker_->GetRemoteServiceCheck(callingPid, std::to_string(said)) == 0; +#else + return true; // if not support selinux, not check selinux permission +#endif + } + + bool CheckListSAPermission() + { +#ifdef WITH_SELINUX + auto callingPid = OHOS::IPCSkeleton::GetCallingPid(); + return selinuxChecker_->ListServiceCheck(callingPid) == 0; +#else + return true; // if not support selinux, not check selinux permission +#endif + } +} +using namespace OHOS::Security; namespace OHOS { SystemAbilityManagerStub::SystemAbilityManagerStub() { @@ -54,6 +103,7 @@ SystemAbilityManagerStub::SystemAbilityManagerStub() memberFuncMap_[LOAD_SYSTEM_ABILITY_TRANSACTION] = &SystemAbilityManagerStub::LoadSystemAbilityInner; } + int32_t SystemAbilityManagerStub::OnRemoteRequest(uint32_t code, MessageParcel& data, MessageParcel& reply, MessageOption &option) { 
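Review bot: All four helpers in the new anonymous namespace identify the caller only by `OHOS::IPCSkeleton::GetCallingPid()`, so each decision depends on how the checker maps that pid to a security context. If it resolves the label from /proc, as the new `readproc` group suggests but the hunk does not show, a caller that exits before the lookup leaves a window in which the pid is gone or reused. A caller context carried with the IPC transaction would be preferable if the IPC layer offers one. Otherwise state the assumption above the helpers, e.g. `// Caller is identified by pid; assumes the calling process is still alive when the check runs.` The `#else` branches return `true`, so a build without `WITH_SELINUX` skips every check; a clearer comment there would be `// SELinux not compiled in: no MAC check, access relies on the existing permission checks only`. On style, the file-scope `selinuxChecker_` uses the member-style trailing underscore, and its `false` constructor argument deserves a one-line comment.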
@@ -86,6 +136,12 @@ int32_t SystemAbilityManagerStub::ListSystemAbilityInner(MessageParcel& data, Me HILOGE("ListSystemAbilityInner PERMISSION DENIED!"); return ERR_PERMISSION_DENIED; } + + if (!CheckListSAPermission()) { + HILOGE("ListSystemAbilityInner selinux permission denied!"); + return ERR_PERMISSION_DENIED; + } + int32_t dumpFlag = 0; bool ret = data.ReadInt32(dumpFlag); if (!ret) { @@ -189,6 +245,11 @@ int32_t SystemAbilityManagerStub::CheckRemtSystemAbilityInner(MessageParcel& dat return ERR_NULL_OBJECT; } + if (!CheckGetRemoteSAPermission(systemAbilityId)) { + HILOGE("CheckRemtSystemAbilityInner selinux permission denied!, SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + std::string deviceId; bool ret = data.ReadString(deviceId); if (!ret) { @@ -216,6 +277,12 @@ int32_t SystemAbilityManagerStub::AddOndemandSystemAbilityInner(MessageParcel& d HILOGW("SystemAbilityManagerStub::AddOndemandSystemAbilityInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckAddOrRemovePermission(systemAbilityId)) { + HILOGE("AddOndemandSystemAbilityInner selinux permission denied! SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + std::u16string localManagerName = data.ReadString16(); if (localManagerName.empty()) { HILOGW("SystemAbilityManagerStub::AddOndemandSystemAbilityInner read localName failed!"); @@ -240,6 +307,12 @@ int32_t SystemAbilityManagerStub::CheckSystemAbilityImmeInner(MessageParcel& dat HILOGW("SystemAbilityManagerStub::CheckSystemAbilityImmeInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckGetSAPermission(systemAbilityId)) { + HILOGE("CheckSystemAbilityImmeInner selinux permission denied! SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + bool isExist = false; bool ret = data.ReadBool(isExist); if (!ret) { 
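Review bot: The denial branch added to `ListSystemAbilityInner` logs only the handler name, and the ones added in the following hunks log only the handler name and SA id, so the log never says which process was refused. Including the caller, e.g. `HILOGE("CheckSystemAbilityImmeInner selinux permission denied! SA : %{public}d, pid : %{public}d", systemAbilityId, IPCSkeleton::GetCallingPid());`, would let the log show when one process is repeatedly probing for services it may not access. The same applies to the CheckRemt, AddOndemand and CheckSystemAbilityImme hunks here, and to the Add, Get, Check, Remove and Load hunks further down. The message format also drifts between `denied!, SA`, `denied! SA` and `denied!SA`; one fixed format would make the denials easier to search for. Each handler body starts and ends outside its hunk.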
@@ -295,6 +368,12 @@ int32_t SystemAbilityManagerStub::AddSystemAbilityInner(MessageParcel& data, Mes HILOGW("SystemAbilityManagerStub::AddSystemAbilityExtraInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckAddOrRemovePermission(systemAbilityId)) { + HILOGE("AddSystemAbilityInner selinux permission denied! SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + auto object = data.ReadRemoteObject(); if (object == nullptr) { HILOGW("SystemAbilityManagerStub::AddSystemAbilityExtraInner readParcelable failed!"); @@ -323,6 +402,12 @@ int32_t SystemAbilityManagerStub::GetSystemAbilityInner(MessageParcel& data, Mes HILOGW("SystemAbilityManagerStub::GetSystemAbilityInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckGetSAPermission(systemAbilityId)) { + HILOGE("GetSystemAbilityInner selinux permission denied! SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + bool ret = reply.WriteRemoteObject(GetSystemAbility(systemAbilityId)); if (!ret) { HILOGW("SystemAbilityManagerStub:GetSystemAbilityInner write reply failed."); @@ -338,6 +423,12 @@ int32_t SystemAbilityManagerStub::CheckSystemAbilityInner(MessageParcel& data, M HILOGW("SystemAbilityManagerStub::CheckSystemAbilityInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckGetSAPermission(systemAbilityId)) { + HILOGE("CheckSystemAbilityInner selinux permission denied! SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + bool ret = reply.WriteRemoteObject(CheckSystemAbility(systemAbilityId)); if (!ret) { return ERR_FLATTEN_OBJECT; 
@@ -356,6 +447,12 @@ int32_t SystemAbilityManagerStub::RemoveSystemAbilityInner(MessageParcel& data, HILOGW("SystemAbilityManagerStub::RemoveSystemAbilityInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckAddOrRemovePermission(systemAbilityId)) { + HILOGE("RemoveSystemAbilityInner selinux permission denied!SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + int32_t result = RemoveSystemAbility(systemAbilityId); HILOGI("SystemAbilityManagerStub::RemoveSystemAbilityInner result is %{public}d", result); bool ret = reply.WriteInt32(result); @@ -402,6 +499,12 @@ int32_t SystemAbilityManagerStub::LoadSystemAbilityInner(MessageParcel& data, Me HILOGW("SystemAbilityManagerStub::LoadSystemAbilityInner read systemAbilityId failed!"); return ERR_INVALID_VALUE; } + + if (!CheckGetSAPermission(systemAbilityId)) { + HILOGE("LoadSystemAbilityInner selinux permission denied!SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + sptr remoteObject = data.ReadRemoteObject(); if (remoteObject == nullptr) { HILOGW("SystemAbilityManagerStub::LoadSystemAbilityInner read callback failed!"); -- Gitee
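Review bot: `LoadSystemAbilityInner` is gated by `CheckGetSAPermission`, the same check used for plain lookups in `GetSystemAbilityInner` and `CheckSystemAbilityInner`. Loading appears to trigger the start of an on-demand ability rather than only return a handle; that is inferred from the name, as the body continues outside the hunk. If policy should be able to allow lookup without allowing a caller to start the service, this needs its own check. Otherwise record the decision next to the call, e.g. `// Load is authorised by the same SELinux rule as get.` Separately, `memberFuncMap_` is only partly visible in this patch, so confirm that every transaction registered there is either covered by one of the ten patched handlers or deliberately left without the SELinux check.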