1d9f0492fSopenharmony_ci/*
2d9f0492fSopenharmony_ci * Copyright (c) 2021 Huawei Device Co., Ltd.
3d9f0492fSopenharmony_ci * Licensed under the Apache License, Version 2.0 (the "License");
4d9f0492fSopenharmony_ci * you may not use this file except in compliance with the License.
5d9f0492fSopenharmony_ci * You may obtain a copy of the License at
6d9f0492fSopenharmony_ci *
7d9f0492fSopenharmony_ci * http://www.apache.org/licenses/LICENSE-2.0
8d9f0492fSopenharmony_ci *
9d9f0492fSopenharmony_ci * Unless required by applicable law or agreed to in writing, software
10d9f0492fSopenharmony_ci * distributed under the License is distributed on an "AS IS" BASIS,
11d9f0492fSopenharmony_ci * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12d9f0492fSopenharmony_ci * See the License for the specific language governing permissions and
13d9f0492fSopenharmony_ci * limitations under the License.
14d9f0492fSopenharmony_ci */
15d9f0492fSopenharmony_ci
16d9f0492fSopenharmony_ci#ifndef BASE_STARTUP_PARAM_SECURITY_H
17d9f0492fSopenharmony_ci#define BASE_STARTUP_PARAM_SECURITY_H
18d9f0492fSopenharmony_ci#include <stdint.h>
19d9f0492fSopenharmony_ci#ifndef __LINUX__
20d9f0492fSopenharmony_ci#include <sys/socket.h>
21d9f0492fSopenharmony_ci#endif
22d9f0492fSopenharmony_ci#include <sys/types.h>
23d9f0492fSopenharmony_ci#ifdef PARAM_SUPPORT_SELINUX
24d9f0492fSopenharmony_ci#include "selinux_parameter.h"
25d9f0492fSopenharmony_ci#endif
26d9f0492fSopenharmony_ci
27d9f0492fSopenharmony_ci#include "beget_ext.h"
28d9f0492fSopenharmony_ci
29d9f0492fSopenharmony_ci#ifdef __cplusplus
30d9f0492fSopenharmony_ci#if __cplusplus
31d9f0492fSopenharmony_ciextern "C" {
32d9f0492fSopenharmony_ci#endif
33d9f0492fSopenharmony_ci#endif
34d9f0492fSopenharmony_ci
35d9f0492fSopenharmony_ci#define DAC_GROUP_START 3
36d9f0492fSopenharmony_ci#define DAC_OTHER_START 6
37d9f0492fSopenharmony_ci#define DAC_READ 0x0100  // 4
38d9f0492fSopenharmony_ci#define DAC_WRITE 0x0080 // 2
39d9f0492fSopenharmony_ci#define DAC_WATCH 0x0040 // 1
40d9f0492fSopenharmony_ci#define DAC_ALL_PERMISSION 0777
41d9f0492fSopenharmony_ci
42d9f0492fSopenharmony_ci#define LABEL_ALL_PERMISSION 0x04
43d9f0492fSopenharmony_ci#define LABEL_CHECK_IN_ALL_PROCESS 0x02
44d9f0492fSopenharmony_ci#define LABEL_INIT_FOR_INIT 0x01
45d9f0492fSopenharmony_ci
46d9f0492fSopenharmony_ci#define SELINUX_CONTENT_LEN 64
47d9f0492fSopenharmony_ci#define SYS_UID_INDEX      1000
48d9f0492fSopenharmony_ci
49d9f0492fSopenharmony_ci#define DAC_RESULT_PERMISSION 0
50d9f0492fSopenharmony_ci
51d9f0492fSopenharmony_ci#define USER_BUFFER_LEN 64
52d9f0492fSopenharmony_ci#define GROUP_FORMAT "const.%u_%u"
53d9f0492fSopenharmony_ci
54d9f0492fSopenharmony_ci#define INVALID_SELINUX_INDEX ((uint32_t)-1)
55d9f0492fSopenharmony_ci
56d9f0492fSopenharmony_citypedef struct UserCred {
57d9f0492fSopenharmony_ci    pid_t pid;
58d9f0492fSopenharmony_ci    uid_t uid;
59d9f0492fSopenharmony_ci    gid_t gid;
60d9f0492fSopenharmony_ci} UserCred;
61d9f0492fSopenharmony_ci
62d9f0492fSopenharmony_citypedef enum {
63d9f0492fSopenharmony_ci    PARAM_SECURITY_DAC = 0,
64d9f0492fSopenharmony_ci#ifdef PARAM_SUPPORT_SELINUX
65d9f0492fSopenharmony_ci    PARAM_SECURITY_SELINUX,
66d9f0492fSopenharmony_ci#endif
67d9f0492fSopenharmony_ci    PARAM_SECURITY_MAX
68d9f0492fSopenharmony_ci} ParamSecurityType;
69d9f0492fSopenharmony_ci
70d9f0492fSopenharmony_citypedef struct {
71d9f0492fSopenharmony_ci    int32_t sockFd;
72d9f0492fSopenharmony_ci    UserCred cred;
73d9f0492fSopenharmony_ci    uint32_t flags[PARAM_SECURITY_MAX];
74d9f0492fSopenharmony_ci} ParamSecurityLabel;
75d9f0492fSopenharmony_ci
76d9f0492fSopenharmony_citypedef struct {
77d9f0492fSopenharmony_ci    pid_t pid;
78d9f0492fSopenharmony_ci    uid_t uid;
79d9f0492fSopenharmony_ci    gid_t gid;
80d9f0492fSopenharmony_ci    uint16_t mode;
81d9f0492fSopenharmony_ci    uint8_t paramType;
82d9f0492fSopenharmony_ci} ParamDacData;
83d9f0492fSopenharmony_ci
84d9f0492fSopenharmony_citypedef struct {
85d9f0492fSopenharmony_ci    ParamDacData dacData;
86d9f0492fSopenharmony_ci    const char *name;
87d9f0492fSopenharmony_ci#ifdef PARAM_SUPPORT_SELINUX
88d9f0492fSopenharmony_ci    char label[SELINUX_CONTENT_LEN];
89d9f0492fSopenharmony_ci    uint32_t selinuxIndex;
90d9f0492fSopenharmony_ci#endif
91d9f0492fSopenharmony_ci    uint32_t memberNum;
92d9f0492fSopenharmony_ci    uid_t members[1];
93d9f0492fSopenharmony_ci} ParamAuditData;
94d9f0492fSopenharmony_ci
95d9f0492fSopenharmony_cistruct WorkSpace_;
96d9f0492fSopenharmony_citypedef struct ParamLabelIndex_ {
97d9f0492fSopenharmony_ci    uint32_t selinuxLabelIndex;
98d9f0492fSopenharmony_ci    uint32_t dacLabelIndex;
99d9f0492fSopenharmony_ci    struct WorkSpace_ *workspace;
100d9f0492fSopenharmony_ci} ParamLabelIndex;
101d9f0492fSopenharmony_ci
102d9f0492fSopenharmony_citypedef struct {
103d9f0492fSopenharmony_ci    char name[10];
104d9f0492fSopenharmony_ci    int (*securityInitLabel)(ParamSecurityLabel *label, int isInit);
105d9f0492fSopenharmony_ci    int (*securityGetLabel)(const char *path);
106d9f0492fSopenharmony_ci    int (*securityCheckFilePermission)(const ParamSecurityLabel *label, const char *fileName, int flags);
107d9f0492fSopenharmony_ci    int (*securityCheckParamPermission)(const ParamLabelIndex *labelIndex,
108d9f0492fSopenharmony_ci        const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
109d9f0492fSopenharmony_ci    int (*securityFreeLabel)(ParamSecurityLabel *srcLabel);
110d9f0492fSopenharmony_ci} ParamSecurityOps;
111d9f0492fSopenharmony_ci
112d9f0492fSopenharmony_citypedef int (*RegisterSecurityOpsPtr)(ParamSecurityOps *ops, int isInit);
113d9f0492fSopenharmony_citypedef struct SelinuxSpace_ {
114d9f0492fSopenharmony_ci    void *selinuxHandle;
115d9f0492fSopenharmony_ci#ifdef PARAM_SUPPORT_SELINUX
116d9f0492fSopenharmony_ci    void (*setSelinuxLogCallback)(void);
117d9f0492fSopenharmony_ci    int (*setParamCheck)(const char *paraName, const char *destContext, const SrcInfo *info);
118d9f0492fSopenharmony_ci    const char *(*getParamLabel)(const char *paraName);
119d9f0492fSopenharmony_ci    int (*initParamSelinux)(int isInit);
120d9f0492fSopenharmony_ci    int (*readParamCheck)(const char *paraName);
121d9f0492fSopenharmony_ci    ParamContextsList *(*getParamList)(void);
122d9f0492fSopenharmony_ci    void (*destroyParamList)(ParamContextsList **list);
123d9f0492fSopenharmony_ci    int (*getParamLabelIndex)(const char *paraName);
124d9f0492fSopenharmony_ci#endif
125d9f0492fSopenharmony_ci} SelinuxSpace;
126d9f0492fSopenharmony_ci
127d9f0492fSopenharmony_ci#ifdef PARAM_SUPPORT_SELINUX
128d9f0492fSopenharmony_ciINIT_LOCAL_API int RegisterSecuritySelinuxOps(ParamSecurityOps *ops, int isInit);
129d9f0492fSopenharmony_ci#endif
130d9f0492fSopenharmony_ci
131d9f0492fSopenharmony_ciINIT_LOCAL_API ParamSecurityOps *GetParamSecurityOps(int type);
132d9f0492fSopenharmony_ciINIT_LOCAL_API int RegisterSecurityDacOps(ParamSecurityOps *ops, int isInit);
133d9f0492fSopenharmony_ciINIT_LOCAL_API int RegisterSecurityOps(int onlyRead);
134d9f0492fSopenharmony_ci
135d9f0492fSopenharmony_ci#ifdef STARTUP_INIT_TEST
136d9f0492fSopenharmony_ciSTATIC_INLINE int DacCheckParamPermission(const ParamLabelIndex *labelIndex,
137d9f0492fSopenharmony_ci    const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
138d9f0492fSopenharmony_ciSTATIC_INLINE int SelinuxCheckParamPermission(const ParamLabelIndex *labelIndex,
139d9f0492fSopenharmony_ci    const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
140d9f0492fSopenharmony_ci#endif
141d9f0492fSopenharmony_ci#ifdef __cplusplus
142d9f0492fSopenharmony_ci#if __cplusplus
143d9f0492fSopenharmony_ci}
144d9f0492fSopenharmony_ci#endif
145d9f0492fSopenharmony_ci#endif
146d9f0492fSopenharmony_ci#endif  // BASE_STARTUP_PARAM_SECURITY_H
147