1 /*
2  * Copyright (c) 2021 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #ifndef BASE_STARTUP_PARAM_SECURITY_H
17 #define BASE_STARTUP_PARAM_SECURITY_H
18 #include <stdint.h>
19 #ifndef __LINUX__
20 #include <sys/socket.h>
21 #endif
22 #include <sys/types.h>
23 #ifdef PARAM_SUPPORT_SELINUX
24 #include "selinux_parameter.h"
25 #endif
26 
27 #include "beget_ext.h"
28 
29 #ifdef __cplusplus
30 #if __cplusplus
31 extern "C" {
32 #endif
33 #endif
34 
35 #define DAC_GROUP_START 3
36 #define DAC_OTHER_START 6
37 #define DAC_READ 0x0100  // 4
38 #define DAC_WRITE 0x0080 // 2
39 #define DAC_WATCH 0x0040 // 1
40 #define DAC_ALL_PERMISSION 0777
41 
42 #define LABEL_ALL_PERMISSION 0x04
43 #define LABEL_CHECK_IN_ALL_PROCESS 0x02
44 #define LABEL_INIT_FOR_INIT 0x01
45 
46 #define SELINUX_CONTENT_LEN 64
47 #define SYS_UID_INDEX      1000
48 
49 #define DAC_RESULT_PERMISSION 0
50 
51 #define USER_BUFFER_LEN 64
52 #define GROUP_FORMAT "const.%u_%u"
53 
54 #define INVALID_SELINUX_INDEX ((uint32_t)-1)
55 
56 typedef struct UserCred {
57     pid_t pid;
58     uid_t uid;
59     gid_t gid;
60 } UserCred;
61 
62 typedef enum {
63     PARAM_SECURITY_DAC = 0,
64 #ifdef PARAM_SUPPORT_SELINUX
65     PARAM_SECURITY_SELINUX,
66 #endif
67     PARAM_SECURITY_MAX
68 } ParamSecurityType;
69 
70 typedef struct {
71     int32_t sockFd;
72     UserCred cred;
73     uint32_t flags[PARAM_SECURITY_MAX];
74 } ParamSecurityLabel;
75 
76 typedef struct {
77     pid_t pid;
78     uid_t uid;
79     gid_t gid;
80     uint16_t mode;
81     uint8_t paramType;
82 } ParamDacData;
83 
84 typedef struct {
85     ParamDacData dacData;
86     const char *name;
87 #ifdef PARAM_SUPPORT_SELINUX
88     char label[SELINUX_CONTENT_LEN];
89     uint32_t selinuxIndex;
90 #endif
91     uint32_t memberNum;
92     uid_t members[1];
93 } ParamAuditData;
94 
95 struct WorkSpace_;
96 typedef struct ParamLabelIndex_ {
97     uint32_t selinuxLabelIndex;
98     uint32_t dacLabelIndex;
99     struct WorkSpace_ *workspace;
100 } ParamLabelIndex;
101 
102 typedef struct {
103     char name[10];
104     int (*securityInitLabel)(ParamSecurityLabel *label, int isInit);
105     int (*securityGetLabel)(const char *path);
106     int (*securityCheckFilePermission)(const ParamSecurityLabel *label, const char *fileName, int flags);
107     int (*securityCheckParamPermission)(const ParamLabelIndex *labelIndex,
108         const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
109     int (*securityFreeLabel)(ParamSecurityLabel *srcLabel);
110 } ParamSecurityOps;
111 
112 typedef int (*RegisterSecurityOpsPtr)(ParamSecurityOps *ops, int isInit);
113 typedef struct SelinuxSpace_ {
114     void *selinuxHandle;
115 #ifdef PARAM_SUPPORT_SELINUX
116     void (*setSelinuxLogCallback)(void);
117     int (*setParamCheck)(const char *paraName, const char *destContext, const SrcInfo *info);
118     const char *(*getParamLabel)(const char *paraName);
119     int (*initParamSelinux)(int isInit);
120     int (*readParamCheck)(const char *paraName);
121     ParamContextsList *(*getParamList)(void);
122     void (*destroyParamList)(ParamContextsList **list);
123     int (*getParamLabelIndex)(const char *paraName);
124 #endif
125 } SelinuxSpace;
126 
127 #ifdef PARAM_SUPPORT_SELINUX
128 INIT_LOCAL_API int RegisterSecuritySelinuxOps(ParamSecurityOps *ops, int isInit);
129 #endif
130 
131 INIT_LOCAL_API ParamSecurityOps *GetParamSecurityOps(int type);
132 INIT_LOCAL_API int RegisterSecurityDacOps(ParamSecurityOps *ops, int isInit);
133 INIT_LOCAL_API int RegisterSecurityOps(int onlyRead);
134 
135 #ifdef STARTUP_INIT_TEST
136 STATIC_INLINE int DacCheckParamPermission(const ParamLabelIndex *labelIndex,
137     const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
138 STATIC_INLINE int SelinuxCheckParamPermission(const ParamLabelIndex *labelIndex,
139     const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
140 #endif
141 #ifdef __cplusplus
142 #if __cplusplus
143 }
144 #endif
145 #endif
146 #endif  // BASE_STARTUP_PARAM_SECURITY_H
147