From f9a73afe0ddfa6d5bf907e6a37b9081a6c3b96e4 Mon Sep 17 00:00:00 2001 From: JerryH1011 Date: Sat, 30 Jul 2022 11:36:11 +0800 Subject: [PATCH 1/2] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=E7=B3=BB?= =?UTF-8?q?=E7=BB=9F=E8=BF=9B=E7=A8=8Bseccomp-BPF=E4=BD=BF=E8=83=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: JerryH1011 Change-Id: Idd1b9ac1156264852c4ce04c42ca3afd3cab8fe7
---
 BUILD.gn | 15 ++++++++++++++-
 standard/appspawn_service.c | 20 ++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/BUILD.gn b/BUILD.gn
index 25fc7e48..3964cfee 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -31,6 +31,7 @@ config("appspawn_config") {
 "//base/startup/init/services/loopevent/include",
 "//base/startup/init/interfaces/innerkits/include",
 "//third_party/json/include",
+ "//base/startup/init/services/modules/seccomp/include",
 ]
 
 if (build_selinux) {
@@ -99,8 +100,14 @@ ohos_static_library("appspawn_server") {
 external_deps += [ "selinux:libhap_restorecon" ]
 }
 
+ cflags = []
+ #if (build_seccomp) {
+ cflags += [ "-DWITH_SECCOMP" ]
+ deps += [ "//base/startup/init/services/modules/seccomp:seccomp" ]
+ #}
+
 if (appspawn_report_event) {
- cflags = [ "-DREPORT_EVENT" ]
+ cflags += [ "-DREPORT_EVENT" ]
 deps += [ "adapter/sysevent:event_reporter" ]
 }
 
@@ -145,6 +152,12 @@ ohos_static_library("nwebspawn_server") {
 external_deps += [ "selinux:libhap_restorecon" ]
 }
 
+ cflags = []
+ #if (build_seccomp) {
+ cflags += [ "-DWITH_SECCOMP" ]
+ deps += [ "//base/startup/init/services/modules/seccomp:seccomp" ]
+ #}
+
 subsystem_name = "${subsystem_name}"
 part_name = "${part_name}"
 }
diff --git a/standard/appspawn_service.c b/standard/appspawn_service.c
index 071d952e..f9e828d2 100644
--- a/standard/appspawn_service.c
+++ b/standard/appspawn_service.c
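Review bot: The `build_seccomp` guard around the new block in the `appspawn_server` hunk is commented out (`#if (build_seccomp) {` … `#}`), so `-DWITH_SECCOMP` and the `seccomp:seccomp` dependency are unconditional, and the `nwebspawn_server` hunk below repeats the same commented-out guard. Either the build argument is meant to gate seccomp support, in which case declare it and restore `if (build_seccomp) {` / `}`, or it is not, in which case delete the two comment lines so the build file does not carry dead logic. Because the second patch adds a field to `AppSpawnContent` under the same macro, every target that includes `appspawn_server.h` must see the same `-DWITH_SECCOMP`; defining it once in the shared `appspawn_config` rather than per target would make that harder to get wrong.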
@@ -28,6 +28,10 @@
 #include "parameter.h"
 #include "securec.h"
 
+#ifdef WITH_SECCOMP
+#include "seccomp_policy.h"
+#endif
+
 #ifdef REPORT_EVENT
 #include "event_reporter.h"
 #endif
@@ -447,6 +451,17 @@ static void NotifyResToParent(struct AppSpawnContent_ *content, AppSpawnClient *
 close(fd);
 }
 
+#ifdef WITH_SECCOMP
+bool SetUidGidFliter(void)
+{
+ if (!SetSeccompPolicy(APPSPAWN)) {
+ APPSPAWN_LOGE("SetSeccompPolicy APPSPAWN failed");
+ return false;
+ }
+ return true;
+}
+#endif
+
 static void AppSpawnInit(AppSpawnContent *content)
 {
 AppSpawnContentExt *appSpawnContent = (AppSpawnContentExt *)content;
@@ -461,6 +476,11 @@ static void AppSpawnInit(AppSpawnContent *content)
 // set private function
 SetContentFunction(content);
 
+ // set uid gid filetr
+#ifdef WITH_SECCOMP
+ APPSPAWN_CHECK(SetUidGidFliter() == true, return, "SetUidGidFliter failed");
+#endif
+
 // load app sandbox config
 LoadAppSandboxConfig();
 }
-- Gitee From e90df1e9f1949be1663d525bd7eefa7b3a283136 Mon Sep 17 00:00:00 2001 From: JerryH1011 Date: Sat, 30 Jul 2022 11:36:46 +0800 Subject: [PATCH 2/2] =?UTF-8?q?feat:=20webview=E6=B8=B2=E6=9F=93=E8=BF=9B?= =?UTF-8?q?=E7=A8=8Bseccomp-BPF=E7=B3=BB=E7=BB=9F=E8=B0=83=E7=94=A8?= =?UTF-8?q?=E6=9D=83=E9=99=90=E7=AE=A1=E6=8E=A7=E4=BD=BF=E8=83=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: JerryH1011 Change-Id: I77a917726f0bd6ebb57c3e93aecf8f9247572422
---
 common/appspawn_server.c | 8 ++++++++
 common/appspawn_server.h | 3 +++
 standard/appspawn_process.c | 19 +++++++++++++++++++
 3 files changed, 30 insertions(+)
diff --git a/common/appspawn_server.c b/common/appspawn_server.c
index 0d369e2f..b3a20cf1 100644
--- a/common/appspawn_server.c
+++ b/common/appspawn_server.c
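Review bot: `SetUidGidFliter` in the `@@ -447` hunk is defined with external linkage but is only called from this file and has no prototype in any header in the patch, and its name is both misspelled and misleading — it installs the whole `APPSPAWN` seccomp policy, not a uid/gid filter. Make it `static bool SetAppSpawnSeccompFilter(void)` (and rename the single call site in `AppSpawnInit`), and give it a one-line comment such as `// Install the seccomp-BPF policy for the appspawn daemon itself; returns false if the kernel rejects it.` The function uses `bool`, which presumably reaches this file through an existing header rather than a new `<stdbool.h>` include — worth confirming, since the include hunk above adds only `seccomp_policy.h`.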
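Review bot: The failure path in the `@@ -461` hunk is fail-open: `APPSPAWN_CHECK(SetUidGidFliter() == true, return, ...)` only logs and returns from `AppSpawnInit`, so the daemon keeps running with no seccomp filter, and because the early `return` sits before `LoadAppSandboxConfig()` it also keeps running with no app sandbox configuration loaded — a worse state than before the patch. If the policy is a security boundary the failure should be fatal, e.g. replace the `return` with the service's fatal-exit convention (`exit(EXIT_FAILURE)` or equivalent); if it is best-effort, at least drop the `return` so the sandbox config still loads, and say which in the comment instead of `// set uid gid filetr`. The `== true` is redundant, `APPSPAWN_CHECK(SetUidGidFliter(), ...)` reads the same. `AppSpawnInit` starts outside this hunk.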
@@ -93,6 +93,14 @@ int DoStartApp(struct AppSpawnContent_ *content, AppSpawnClient *client, char *l
 return ret, "Failed to set setProcessName");
 }
 
+#ifdef WITH_SECCOMP
+ if (content->setSeccompFilter) {
+ ret = content->setSeccompFilter(content, client);
+ APPSPAWN_CHECK(ret == 0, NotifyResToParent(content, client, ret);
+ return ret, "Failed to set setSeccompFilter");
+ }
+#endif
+
 if (content->setUidGid) {
 ret = content->setUidGid(content, client);
 APPSPAWN_CHECK(ret == 0, NotifyResToParent(content, client, ret);
diff --git a/common/appspawn_server.h b/common/appspawn_server.h
index 39f46cdd..24d10c10 100644
--- a/common/appspawn_server.h
+++ b/common/appspawn_server.h
@@ -79,6 +79,9 @@ typedef struct AppSpawnContent_ {
 #ifdef ASAN_DETECTOR
 int (*getWrapBundleNameValue)(struct AppSpawnContent_ *content, AppSpawnClient *client);
 #endif
+#ifdef WITH_SECCOMP
+ int (*setSeccompFilter)(struct AppSpawnContent_ *content, AppSpawnClient *client);
+#endif
 } AppSpawnContent;
 
 AppSpawnContent *AppSpawnCreateContent(const char *socketName, char *longProcName, uint32_t longProcNameLen, int cold);
diff --git a/standard/appspawn_process.c b/standard/appspawn_process.c
index 26a26ff0..1def0946 100644
--- a/standard/appspawn_process.c
+++ b/standard/appspawn_process.c
@@ -31,6 +31,9 @@
 #include "securec.h"
 #include "parameter.h"
 
+#ifdef WITH_SECCOMP
+#include "seccomp_policy.h"
+#endif
 
 #define DEVICE_NULL_STR "/dev/null"
 
@@ -376,6 +379,19 @@ int GetAppSpawnClientFromArg(int argc, char *const argv[], AppSpawnClientExt *cl
 return 0;
 }
 
+#ifdef WITH_SECCOMP
+static int SetSeccompFilter(struct AppSpawnContent_ *content, AppSpawnClient *client)
+{
+#ifdef NWEB_SPAWN
+ if (!SetSeccompPolicy(NWEBSPAWN)) {
+ APPSPAWN_LOGE("init seccomp failed");
+ return -1;
+ }
+#endif
+ return 0;
+}
+#endif
+
 void SetContentFunction(AppSpawnContent *content)
 {
 APPSPAWN_LOGI("SetContentFunction");
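Review bot: In `DoStartApp` the seccomp filter is installed before `setUidGid` runs, so the BPF policy has to permit the setuid/setgid/setgroups/setresuid/capset family for the lifetime of the child — the syscalls a render-process sandbox most wants to forbid — and the filter is loaded while the process still holds its spawn-time identity. The usual ordering is to drop uid/gid and capabilities first, set `PR_SET_NO_NEW_PRIVS`, and install the filter as the last step before exec; moving the `#ifdef WITH_SECCOMP` block to after the `setUidGid` call does that, but only if `SetSeccompPolicy` sets no_new_privs itself (its implementation is not in this patch) or the child still has `CAP_SYS_ADMIN`, which it should not. If there is a reason the filter must precede the uid change, it deserves a comment on the block, e.g. `// Filter is installed before dropping uid/gid because …`. `DoStartApp` continues outside this hunk.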
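Review bot: Adding `setSeccompFilter` under `#ifdef WITH_SECCOMP` makes the size and layout of `AppSpawnContent` depend on a per-target compiler flag; the BUILD.gn change in the first patch defines it only for `appspawn_server` and `nwebspawn_server`, so any other translation unit or test that includes `appspawn_server.h` and allocates or copies this struct sees a shorter object than the one the libraries write through. The field is a plain function pointer, so declaring it unconditionally and keeping the `#ifdef` only on the code that sets and calls it removes the hazard; if the conditional field is kept (the existing `ASAN_DETECTOR` member sets the precedent), the define should at least live in the shared `config` so every consumer agrees. A one-line comment such as `// Per-process seccomp policy hook, run in the child before exec; NULL when unused` would also document the contract `DoStartApp` relies on.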
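Review bot: In a build without `NWEB_SPAWN`, `SetSeccompFilter` in the `@@ -376` hunk returns 0 without installing anything, so ordinary app children get no filter even though the hook is wired up and `DoStartApp` proceeds as if one were applied; a comment stating that the policy intentionally covers only the webview render process (`NWEBSPAWN`) would stop the next reader from assuming apps are filtered. Both parameters are unused on every path, so add `(void)content; (void)client;` (or the project's equivalent) ahead of the `#ifdef` to keep `-Wunused-parameter` quiet. The log string `"init seccomp failed"` would be more useful as `"SetSeccompPolicy NWEBSPAWN failed"`, matching the appspawn-side message in the first patch.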
@@ -391,4 +407,7 @@ void SetContentFunction(AppSpawnContent *content)
 #ifdef ASAN_DETECTOR
 content->getWrapBundleNameValue = GetWrapBundleNameValue;
 #endif
+#ifdef WITH_SECCOMP
+ content->setSeccompFilter = SetSeccompFilter;
+#endif
 }
-- Gitee