1/*
2 * Copyright (c) 2021 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#ifndef BASE_STARTUP_PARAM_SECURITY_H
17#define BASE_STARTUP_PARAM_SECURITY_H
18#include <stdint.h>
19#ifndef __LINUX__
20#include <sys/socket.h>
21#endif
22#include <sys/types.h>
23#ifdef PARAM_SUPPORT_SELINUX
24#include "selinux_parameter.h"
25#endif
26
27#include "beget_ext.h"
28
29#ifdef __cplusplus
30#if __cplusplus
31extern "C" {
32#endif
33#endif
34
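/*
 * DAC (discretionary access control) mode bits for parameters.
 *
 * DAC_READ / DAC_WRITE / DAC_WATCH are the owner-class bits: 0x0100, 0x0080
 * and 0x0040 equal octal 0400, 0200 and 0100, i.e. the 4/2/1 digit of the
 * owner position in a three-digit octal mode such as DAC_ALL_PERMISSION.
 * The 0100 position carries "watch" here, not "execute".
 * Shifting an owner bit right by DAC_GROUP_START (3) or DAC_OTHER_START (6)
 * yields the same permission in the group or other position.
 * NOTE(review): the permission check is not in this header; confirm it picks
 * the class (owner/group/other) by shifting with these two constants.
 */
#define DAC_GROUP_START 3
#define DAC_OTHER_START 6
#define DAC_READ 0x0100  // octal 0400: owner digit 4
#define DAC_WRITE 0x0080 // octal 0200: owner digit 2
#define DAC_WATCH 0x0040 // octal 0100: owner digit 1
#define DAC_ALL_PERMISSION 0777

/*
 * Single-bit label flags.
 * NOTE(review): presumably stored in ParamSecurityLabel.flags[]. A label that
 * carries LABEL_ALL_PERMISSION presumably bypasses per-parameter checks, so
 * confirm which code paths are allowed to set it.
 */
#define LABEL_ALL_PERMISSION 0x04
#define LABEL_CHECK_IN_ALL_PROCESS 0x02
#define LABEL_INIT_FOR_INIT 0x01

/* Size in bytes of ParamAuditData.label (only present with PARAM_SUPPORT_SELINUX). */
#define SELINUX_CONTENT_LEN 64
/* NOTE(review): presumably the uid boundary used by the DAC code -- confirm. */
#define SYS_UID_INDEX      1000

/* NOTE(review): presumably the "permission granted" result of a DAC check -- confirm. */
#define DAC_RESULT_PERMISSION 0

/*
 * GROUP_FORMAT is a printf-style format taking two unsigned values.
 * NOTE(review): presumably expanded into a USER_BUFFER_LEN-byte buffer. With
 * 32-bit unsigned the longest result is 28 bytes including the NUL, which
 * fits, but format with snprintf() and check the return value regardless.
 */
#define USER_BUFFER_LEN 64
#define GROUP_FORMAT "const.%u_%u"

/*
 * All-ones uint32_t sentinel (0xFFFFFFFF) for "no SELinux index".
 * Compare against it before using a SELinux index as an array subscript.
 */
#define INVALID_SELINUX_INDEX ((uint32_t)-1)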
55
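/*
 * Identity of the process on whose behalf a parameter operation is checked.
 * NOTE(review): this header does not show where the values come from. For a
 * socket peer they should be the kernel-reported credentials of the
 * connection, never values the peer put into its own request -- confirm at
 * the place that fills ParamSecurityLabel.cred.
 */
typedef struct UserCred {
    pid_t pid; // process id of the requester
    uid_t uid; // user id of the requester
    gid_t gid; // group id of the requester
} UserCred;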
61
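/*
 * Security mechanisms compiled into the parameter service.
 * PARAM_SECURITY_SELINUX exists only when built with PARAM_SUPPORT_SELINUX,
 * so PARAM_SECURITY_MAX (the number of mechanisms, also the length of
 * ParamSecurityLabel.flags[]) differs between build configurations.
 * Any value used as an index must be checked to be < PARAM_SECURITY_MAX.
 */
typedef enum {
    PARAM_SECURITY_DAC = 0,
#ifdef PARAM_SUPPORT_SELINUX
    PARAM_SECURITY_SELINUX,
#endif
    PARAM_SECURITY_MAX // count of entries above; not a mechanism itself
} ParamSecurityType;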
69
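/*
 * Security label of the subject (the caller) of a parameter operation.
 * It is the srcLabel argument of the permission callbacks in ParamSecurityOps.
 */
typedef struct {
    int32_t sockFd; // NOTE(review): presumably the client connection the credentials belong to -- confirm
    UserCred cred;  // pid/uid/gid the checks are evaluated against
    uint32_t flags[PARAM_SECURITY_MAX]; // one flag word per ParamSecurityType; presumably LABEL_* bits -- confirm
} ParamSecurityLabel;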
75
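/*
 * DAC attributes recorded for a parameter (the object side of a check).
 */
typedef struct {
    pid_t pid;
    uid_t uid;         // owning user
    gid_t gid;         // owning group
    uint16_t mode;     // permission bits; 16 bits wide, enough for DAC_ALL_PERMISSION (0777)
    uint8_t paramType; // NOTE(review): value set is not defined in this header -- confirm
} ParamDacData;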
83
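/*
 * Security attributes attached to one parameter name: its DAC data, an
 * optional SELinux label and index, and a list of member uids.
 *
 * members[] is declared with one element and paired with memberNum.
 * NOTE(review): this looks like a variable-length tail allocated past the end
 * of the struct. Confirm that allocations reserve room for memberNum entries
 * and that every reader bounds its index by memberNum; sizeof(ParamAuditData)
 * accounts for exactly one entry.
 */
typedef struct {
    ParamDacData dacData;
    const char *name; // parameter name; ownership/lifetime of the string is not visible here
#ifdef PARAM_SUPPORT_SELINUX
    char label[SELINUX_CONTENT_LEN]; // fixed-size buffer; writers must truncate and NUL-terminate
    uint32_t selinuxIndex;           // NOTE(review): presumably INVALID_SELINUX_INDEX when unset -- confirm
#endif
    uint32_t memberNum; // number of valid entries in members[]
    uid_t members[1];
} ParamAuditData;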
94
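/* Forward declaration; the workspace layout is defined elsewhere. */
struct WorkSpace_;

/*
 * Locates the security labels of a parameter: one index per mechanism plus
 * the workspace it belongs to. Passed as labelIndex to the
 * securityCheckParamPermission callback.
 */
typedef struct ParamLabelIndex_ {
    uint32_t selinuxLabelIndex; // NOTE(review): presumably INVALID_SELINUX_INDEX when there is none -- confirm
    uint32_t dacLabelIndex;
    struct WorkSpace_ *workspace; // not owned as far as this header shows; may need a NULL check
} ParamLabelIndex;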
101
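/*
 * Callback table implemented by each security mechanism (see
 * ParamSecurityType) and filled in by a RegisterSecurity*Ops function.
 * NOTE(review): nothing here says which entries may be left NULL; callers
 * should test a pointer before calling through it unless registration
 * guarantees every slot is set.
 */
typedef struct {
    char name[10]; // mechanism name; at most 9 characters plus NUL if used as a C string
    /* Prepare a label; isInit presumably marks the init process itself -- confirm. */
    int (*securityInitLabel)(ParamSecurityLabel *label, int isInit);
    /* Load label data for the given path. */
    int (*securityGetLabel)(const char *path);
    /* Check whether the subject `label` may access `fileName` with `flags`. */
    int (*securityCheckFilePermission)(const ParamSecurityLabel *label, const char *fileName, int flags);
    /*
     * Check whether `srcLabel` may perform `mode` on parameter `name`.
     * Same signature as DacCheckParamPermission / SelinuxCheckParamPermission.
     */
    int (*securityCheckParamPermission)(const ParamLabelIndex *labelIndex,
        const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
    /* Release whatever securityInitLabel attached to the label. */
    int (*securityFreeLabel)(ParamSecurityLabel *srcLabel);
} ParamSecurityOps;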
111
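/*
 * Signature shared by RegisterSecurityDacOps and RegisterSecuritySelinuxOps:
 * fill `ops` for one mechanism and return an int status.
 */
typedef int (*RegisterSecurityOpsPtr)(ParamSecurityOps *ops, int isInit);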
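/*
 * Handle plus entry points of the SELinux parameter library.
 * NOTE(review): the void * handle and the table of function pointers suggest
 * the library is loaded at run time -- confirm. If so, any pointer may be
 * NULL when a symbol is missing, and a failed load must result in access
 * being denied, not in the SELinux check being skipped.
 * SrcInfo and ParamContextsList are not declared in this header; presumably
 * they come from selinux_parameter.h.
 */
typedef struct SelinuxSpace_ {
    void *selinuxHandle;
#ifdef PARAM_SUPPORT_SELINUX
    void (*setSelinuxLogCallback)(void);
    /* Write check for paraName against destContext, for the caller described by info. */
    int (*setParamCheck)(const char *paraName, const char *destContext, const SrcInfo *info);
    const char *(*getParamLabel)(const char *paraName);
    int (*initParamSelinux)(int isInit);
    /* Read check for paraName. */
    int (*readParamCheck)(const char *paraName);
    ParamContextsList *(*getParamList)(void);
    /* Takes the address of the list pointer, presumably to clear it after freeing. */
    void (*destroyParamList)(ParamContextsList **list);
    /* Returns int; a negative value must not be stored into a uint32_t index unchecked. */
    int (*getParamLabelIndex)(const char *paraName);
#endif
} SelinuxSpace;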
126
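#ifdef PARAM_SUPPORT_SELINUX
/* Fill `ops` with the SELinux implementation (only built with PARAM_SUPPORT_SELINUX). */
INIT_LOCAL_API int RegisterSecuritySelinuxOps(ParamSecurityOps *ops, int isInit);
#endif

/*
 * Return the callback table for mechanism `type`.
 * `type` is a plain int: NOTE(review) confirm the implementation rejects
 * values outside [0, PARAM_SECURITY_MAX) and that callers handle a NULL result.
 */
INIT_LOCAL_API ParamSecurityOps *GetParamSecurityOps(int type);
/* Fill `ops` with the DAC implementation. */
INIT_LOCAL_API int RegisterSecurityDacOps(ParamSecurityOps *ops, int isInit);
/* Register the compiled-in mechanisms; the meaning of onlyRead is not visible in this header. */
INIT_LOCAL_API int RegisterSecurityOps(int onlyRead);

#ifdef STARTUP_INIT_TEST
/*
 * The per-mechanism permission checkers are exposed only in
 * STARTUP_INIT_TEST builds, so unit tests can call them directly.
 * Their signature matches ParamSecurityOps.securityCheckParamPermission.
 */
STATIC_INLINE int DacCheckParamPermission(const ParamLabelIndex *labelIndex,
    const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
STATIC_INLINE int SelinuxCheckParamPermission(const ParamLabelIndex *labelIndex,
    const ParamSecurityLabel *srcLabel, const char *name, uint32_t mode);
#endif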
141#ifdef __cplusplus
142#if __cplusplus
143}
144#endif
145#endif
146#endif  // BASE_STARTUP_PARAM_SECURITY_H
147