feat: integrate deepin-security-loader for dde-lock#68
Conversation
There was a problem hiding this comment.
Sorry @xionglinlin, you have reached your weekly rate limit of 500000 diff characters.
Please try again later or upgrade to continue using Sourcery
deepin pr auto review你好!我是CodeGeeX。我已仔细审查了你提供的Git Diff,该Diff主要实现了通过 整体来看,该功能的设计思路清晰(Wrapper脚本 -> Loader提权 -> 业务进程握手),但代码在安全性、逻辑严谨性、性能和代码规范上存在一些需要改进的地方。以下是详细的审查意见: 一、 代码安全这是本次审查最关键的部分,涉及提权和D-Bus鉴权,极易成为提权漏洞的攻击面。
二、 语法与逻辑
三、 代码性能
四、 改进后的代码示例针对核心问题,提供以下修改建议代码: 1. // ... 头文件保持不变 ...
QCommandLineOption fd1Opt("fd1", "fd1 from security loader", "fd1");
cmdParser.addOption(fd1Opt);
QCommandLineOption fd2Opt("fd2", "fd2 from security loader", "fd2");
cmdParser.addOption(fd2Opt);
// 删除: QStringList xddd = app->arguments();
cmdParser.process(*app);
int fd1 = cmdParser.isSet(fd1Opt) ? cmdParser.value(fd1Opt).toInt() : -1;
int fd2 = cmdParser.isSet(fd2Opt) ? cmdParser.value(fd2Opt).toInt() : -1;
// 安全提示:此处应增加对FD有效性的校验逻辑
if (fd1 >= 0 && fcntl(fd1, F_GETFD) != -1 && fd2 >= 0 && fcntl(fd2, F_GETFD) != -1) {
SecurityLoaderHelper::instance().doSecurityLoader(fd1, fd2);
} else {
qCWarning(secLoader) << "Invalid fd1 or fd2 passed from command line";
}
// ...2. bool SecurityLoaderHelper::performHandshake(int fd1, int fd2)
{
if (m_destList.isEmpty()) {
qCInfo(secLoader) << "No D-Bus interfaces loaded, skipping handshake";
return true;
}
qCInfo(secLoader) << "Performing loader handshake...";
QDBusConnection systemBus = QDBusConnection::systemBus();
if (!systemBus.isConnected()) {
qCWarning(secLoader) << "Cannot connect to system bus";
return false;
}
// 删除无意义的 isServiceRegistered 调用
QString uniqueName = systemBus.baseService();
qCInfo(secLoader) << "System Bus UniqueName:" << uniqueName;
QJsonObject request;
request["UniqueName"] = uniqueName;
request["DestList"] = m_destList;
QJsonDocument doc(request);
QByteArray jsonData = doc.toJson(QJsonDocument::Compact);
qCInfo(secLoader) << "Sending request with" << m_destList.size() << "interfaces";
// 写入 fd1
QFile fd1File;
if (!fd1File.open(fd1, QIODevice::WriteOnly)) {
qCWarning(secLoader) << "Cannot open fd1 for writing";
return false;
}
fd1File.write(jsonData);
fd1File.close(); // 关闭QFile句柄
// 读取 fd2 (建议增加超时机制,此处仅为同步读取的改进)
QFile fd2File;
if (!fd2File.open(fd2, QIODevice::ReadOnly)) {
qCWarning(secLoader) << "Cannot open fd2 for reading";
return false;
}
// TODO: 实际生产环境中,管道读取应配合 QSocketNotifier + QTimer 防止阻塞
QByteArray response = fd2File.readAll();
fd2File.close(); // 关闭QFile句柄
// 显式关闭底层文件描述符,防止泄漏
::close(fd1);
::close(fd2);
QJsonParseError parseError;
QJsonDocument responseDoc = QJsonDocument::fromJson(response, &parseError);
if (parseError.error != QJsonParseError::NoError) {
qCWarning(secLoader) << "Invalid JSON response from loader:" << parseError.errorString();
return false;
}
QJsonObject result = responseDoc.object();
if (result["Result"].toBool()) {
qCInfo(secLoader) << "Loader handshake completed successfully";
return true;
} else {
qCWarning(secLoader) << "Loader authorization response:" << result["Message"].toString();
return false;
}
}3. Wrapper 脚本安全加固 ( #!/bin/bash
# ... 注释保持不变 ...
REAL_BINARY="/usr/libexec/deepin/dde-lock"
LOADER="/usr/bin/deepin-security-loader"
LOADER_EXEC="/usr/bin/deepin-security-loader-exec"
log_to_journal() {
logger -t dde-lock -p user.info "$1"
}
log_to_journal "dde-lock launched with args: $*"
# 安全校验:确保目标二进制属于root且没有异常权限
check_binary_security() {
local bin="$1"
if [ ! -f "$bin" ]; then return 1; fi
# 检查属主是否为root,且未开启others写权限
local perms=$(stat -c "%U %a" "$bin" 2>/dev/null)
if [[ "$perms" != root\ * ]] || [[ "${perms: -1}" =~ [wxs] ]]; then
log_to_journal "Security warning: $bin has unsafe permissions: $perms"
return 1
fi
return 0
}
if [ -x "$LOADER" ] && [ -x "$LOADER_EXEC" ]; then
if getcap "$LOADER_EXEC" 2>/dev/null | grep -q cap_setgid; then
if check_binary_security "$REAL_BINARY"; then
log_to_journal "Using deepin-security-loader with authorization groups"
exec "$LOADER" --group deepin-daemon -- "$REAL_BINARY" "$@"
fi
fi
fi
log_to_journal "Fallback: launching directly without security loader"
if check_binary_security "$REAL_BINARY"; then
exec "$REAL_BINARY" "$@"
else
log_to_journal "Critical: Refusing to execute insecure binary $REAL_BINARY"
exit 1
fi总结该Diff的核心风险点在于FD来源未校验和握手过程可能死锁。强烈建议在 |
Synchronize source files from linuxdeepin/dde-session-shell. Source-pull-request: linuxdeepin/dde-session-shell#68
1. Add SecurityLoaderHelper class to handle loader handshake protocol 2. Move dde-lock binary to /usr/libexec/deepin for loader wrapping 3. Create loader wrapper script that launches dde-lock via deepin- security-loader 4. Define permission configuration for authorized D-Bus interfaces 5. Update build system and packaging to support new installation layout 6. Support receiving file descriptors from loader for authorization Log: dde-lock now integrates with deepin-security-loader for system authorization Influence: 1. Test dde-lock launch with security loader available 2. Test dde-lock launch without security loader (fallback) 3. Verify D-Bus authorization for Lastore1 and Authenticate1 interfaces 4. Test wrapper script error handling and logging 5. Verify installation paths in /usr/libexec/deepin and /usr/bin 6. Test package dependency on deepin-security-loader feat: 集成 deepin-security-loader 到 dde-lock 1. 添加 SecurityLoaderHelper 类处理加载器握手协议 2. 将 dde-lock 二进制移至 /usr/libexec/deepin 供加载器包装 3. 创建加载器包装脚本,通过 deepin-security-loader 启动 dde-lock 4. 定义授权 D-Bus 接口的权限配置 5. 更新构建系统和打包配置以支持新的安装布局 6. 支持从加载器接收文件描述符进行授权 Log: dde-lock 现已集成 deepin-security-loader 实现系统授权 Influence: 1. 测试安全加载器可用时的 dde-lock 启动 2. 测试无安全加载器时 dde-lock 的降级启动 3. 验证对 Lastore1 和 Authenticate1 接口的 D-Bus 授权 4. 测试包装脚本的错误处理和日志记录 5. 验证 /usr/libexec/deepin 和 /usr/bin 的安装路径 6. 测试对 deepin-security-loader 的软件包依赖 PMS: TASK-390841 Change-Id: Iee9371e11f9525b5bae506412db914298f8cbb99
Synchronize source files from linuxdeepin/dde-session-shell. Source-pull-request: linuxdeepin/dde-session-shell#68
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mhduiy, xionglinlin The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Synchronize source files from linuxdeepin/dde-session-shell. Source-pull-request: linuxdeepin/dde-session-shell#68
Log: dde-lock now integrates with deepin-security-loader for system authorization
Influence:
feat: 集成 deepin-security-loader 到 dde-lock
Log: dde-lock 现已集成 deepin-security-loader 实现系统授权
Influence:
PMS: TASK-390841
Change-Id: Iee9371e11f9525b5bae506412db914298f8cbb99