diff --git a/BUILD.gn b/BUILD.gn index 2c0227e7beda4a1226893f84a588d20b8949f4d6..5e725b35929805e97f71c7bcb4489e482c42f650 100755 --- a/BUILD.gn +++ b/BUILD.gn @@ -33,13 +33,21 @@ config("appspawn_config") { "${aafwk_path}/frameworks/kits/ability/native/include", "${aafwk_path}/services/abilitymgr/include", "${distributedschedule_path}/services/dtbschedmgr/include", + "//base/security/access_token/interfaces/innerkits/token_setproc/include", ] + + if (build_selinux) { + cflags = [ "-DWITH_SELINUX" ] + } } ohos_executable("appspawn") { sources = [ "${appspawn_path}/src/main.cpp" ] configs = [ ":appspawn_config" ] - deps = [ "${appspawn_path}:appspawn_server" ] + deps = [ + "${appspawn_path}:appspawn_server", + "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc", + ] external_deps = [ "hiviewdfx_hilog_native:libhilog" ] install_enable = true @@ -72,6 +80,9 @@ ohos_static_library("appspawn_server") { "safwk:system_ability_fwk", "samgr_standard:samgr_proxy", ] + if (build_selinux) { + external_deps += [ "selinux:libhap_restorecon" ] + } subsystem_name = "${subsystem_name}" part_name = "${part_name}" diff --git a/interfaces/innerkits/include/client_socket.h b/interfaces/innerkits/include/client_socket.h index 2706a7c31bef2a7a6b966492e579eb6ffaa405cf..7bcb0c7f774b962c13b1184395ac1e4d75e9d6b5 100644 --- a/interfaces/innerkits/include/client_socket.h +++ b/interfaces/innerkits/include/client_socket.h @@ -87,6 +87,7 @@ public: static constexpr int LEN_PROC_NAME = 256; // process name length static constexpr int LEN_SO_PATH = 256; // load so lib static constexpr int MAX_GIDS = 64; + static constexpr int APL_MAX_LEN = 32; struct AppProperty { uint32_t uid; // the UNIX uid that the child process setuid() to after fork() @@ -95,6 +96,8 @@ public: uint32_t gidCount; // the size of gidTable char processName[LEN_PROC_NAME]; // process name char soPath[LEN_SO_PATH]; // so lib path + uint32_t accessTokenId; + char apl[APL_MAX_LEN]; }; private: diff --git a/src/appspawn_server.cpp b/src/appspawn_server.cpp index b4ef590d359acad7d84ccaf87a6bb3bb78a22e58..ddef21a5a97af0dfe366dd067959eb9fb623c4a1 100644 --- a/src/appspawn_server.cpp +++ b/src/appspawn_server.cpp @@ -35,6 +35,10 @@ #include "if_system_ability_manager.h" #include "iservice_registry.h" #include "system_ability_definition.h" +#include "token_setproc.h" +#ifdef WITH_SELINUX +#include "hap_restorecon.h" +#endif #include #include @@ -572,6 +576,21 @@ int32_t AppSpawnServer::SetAppSandboxProperty(const ClientSocket::AppProperty *a return ERR_OK; } +void AppSpawnServer::SetAppAccessToken(const ClientSocket::AppProperty *appProperty) +{ + int32_t ret = SetSelfTokenID(appProperty->accessTokenId); + if (ret != 0) { + HiLog::Error(LABEL, "AppSpawnServer::Failed to set access token id, errno = %{public}d", errno); + } +#ifdef WITH_SELINUX + HapContext hapContext; + ret = hapContext.HapDomainSetcontext(appProperty->apl, appProperty->processName); + if (ret != 0) { + HiLog::Error(LABEL, "AppSpawnServer::Failed to hap domain set context, errno = %{public}d", errno); + } +#endif +} + bool AppSpawnServer::SetAppProcProperty(int connectFd, const ClientSocket::AppProperty *appProperty, char *longProcName, int64_t longProcNameLen, const int32_t fd[FDLEN2]) { @@ -602,6 +621,8 @@ bool AppSpawnServer::SetAppProcProperty(int connectFd, const ClientSocket::AppPr return false; } + SetAppAccessToken(appProperty); + ret = SetProcessName(longProcName, longProcNameLen, appProperty->processName, strlen(appProperty->processName) + 1); if (FAILED(ret)) { NotifyResToParentProc(fd[1], ret); diff --git a/src/include/appspawn_server.h b/src/include/appspawn_server.h index bb61bb830b2e29f8bddee8f21770f8da50c81637..7edb20287b7460d58a3ff40e3e8b09156a5fc932 100644 --- a/src/include/appspawn_server.h +++ b/src/include/appspawn_server.h @@ -165,6 +165,7 @@ private: void LoadAceLib(); + void SetAppAccessToken(const ClientSocket::AppProperty *appProperty); private: const std::string deviceNull_ = "/dev/null"; std::string socketName_ {}; diff --git a/test/unittest/app_spawn_server_test/BUILD.gn b/test/unittest/app_spawn_server_test/BUILD.gn index 57ed7ac2d04ac04bb7826e761131a18117ae1744..81954a61bdac3adeb1cca6510ee2474473eb6a5a 100755 --- a/test/unittest/app_spawn_server_test/BUILD.gn +++ b/test/unittest/app_spawn_server_test/BUILD.gn @@ -17,8 +17,9 @@ import("//build/test.gni") ohos_unittest("AppSpawnServerOverrideTest") { module_out_path = "${module_output_path}" - include_dirs = [] - + include_dirs = [ + "//base/security/access_token/interfaces/innerkits/token_setproc/include", + ] sources = [ "${appspawn_path}/src/appspawn_server.cpp", "${appspawn_path}/src/socket/appspawn_socket.cpp", @@ -31,8 +32,10 @@ ohos_unittest("AppSpawnServerOverrideTest") { "app_spawn_server_override_test.cpp", ] - deps = [ "${appspawn_path}/test:appspawn_test_source" ] - + deps = [ + "${appspawn_path}/test:appspawn_test_source", + "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc", + ] external_deps = [ "ability_runtime:app_manager", "ability_runtime:want", @@ -44,13 +47,19 @@ ohos_unittest("AppSpawnServerOverrideTest") { "safwk:system_ability_fwk", "samgr_standard:samgr_proxy", ] + + if (build_selinux) { + external_deps += [ "selinux:libhap_restorecon" ] + cflags = [ "-DWITH_SELINUX" ] + } } ohos_unittest("AppSpawnServerMockTest") { module_out_path = "${module_output_path}" - include_dirs = [] - + include_dirs = [ + "//base/security/access_token/interfaces/innerkits/token_setproc/include", + ] sources = [ "${appspawn_path}/src/appspawn_msg_peer.cpp", "${appspawn_path}/src/appspawn_server.cpp", @@ -63,8 +72,10 @@ ohos_unittest("AppSpawnServerMockTest") { "app_spawn_server_mock_test.cpp", ] - deps = [ "${appspawn_path}/test:appspawn_test_source" ] - + deps = [ + "${appspawn_path}/test:appspawn_test_source", + "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc", + ] external_deps = [ "ability_runtime:app_manager", "ability_runtime:want", @@ -76,6 +87,11 @@ ohos_unittest("AppSpawnServerMockTest") { "safwk:system_ability_fwk", "samgr_standard:samgr_proxy", ] + + if (build_selinux) { + external_deps += [ "selinux:libhap_restorecon" ] + cflags = [ "-DWITH_SELINUX" ] + } } group("unittest") {