From d0172bbae967f6a61a9df1d8bfa4f426cb95ea80 Mon Sep 17 00:00:00 2001
From: xionglei6
Date: Tue, 22 Mar 2022 14:26:47 +0800
Subject: [PATCH] appspawn: add sandbox test
Signed-off-by: xionglei6
---
 BUILD.gn | 3 ++
 src/appspawn_server.cpp | 56 +++++++++++++++++++-
 src/include/appspawn_server.h | 4 ++
 test/unittest/app_spawn_server_test/BUILD.gn | 4 ++
 4 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/BUILD.gn b/BUILD.gn
index c59f4a43..cadcdf7b 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -36,6 +36,7 @@ config("appspawn_config") {
 "//base/security/access_token/interfaces/innerkits/token_setproc/include",
 "//base/startup/init_lite/services/log",
 "//base/startup/init_lite/interfaces/innerkits/include",
+ "//base/startup/init_lite/interfaces/innerkits/sandbox/include",
 "//base/startup/syspara_lite/interfaces/innerkits/native/syspara/include",
 ]
@@ -73,6 +74,7 @@ ohos_static_library("appspawn_server") {
 "${aafwk_path}/frameworks/kits/appkit:appkit_native",
 "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
 "//base/startup/init_lite/services/log:init_log",
+ "//base/startup/init_lite/interfaces/innerkits/sandbox:libsandbox",
 "//base/startup/syspara_lite/interfaces/innerkits/native/syspara:syspara",
 "//utils/native/base:utils",
 ]
@@ -150,6 +152,7 @@ ohos_static_library("nwebspawn_server") {
 "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
 "//base/startup/init_lite/interfaces/innerkits/socket:libsocket_static",
 "//base/startup/init_lite/services/log:init_log",
+ "//base/startup/init_lite/interfaces/innerkits/sandbox:libsandbox",
 "//base/startup/syspara_lite/interfaces/innerkits/native/syspara:syspara",
 "//utils/native/base:utils",
 ]
diff --git a/src/appspawn_server.cpp b/src/appspawn_server.cpp
index 0c6814d4..0b39f5c0 100644
--- a/src/appspawn_server.cpp
+++ b/src/appspawn_server.cpp
@@ -43,6 +43,8 @@
 #include "parameter.h"
 #include "parameters.h"
 #include "beget_ext.h"
+#include "sandbox.h"
+#include "sandbox_namespace.h"
 #ifdef WITH_SELINUX
 #include "hap_restorecon.h"
 #endif
@@ -343,6 +345,40 @@ int AppSpawnServer::DoColdStartApp(ClientSocket::AppProperty *appProperty, int f
 return 0;
 }
+void AppSpawnServer::RegisterSandbox(const char *sandbox)
+{
+ if (sandbox == NULL) {
+ HiLog::Error(LABEL, "AppSpawnServer::invalid parameters");
+ return;
+ }
+ InitDefaultNamespace();
+ if (!InitSandboxWithName(sandbox)) {
+ CloseDefaultNamespace();
+ HiLog::Error(LABEL, "AppSpawnServer::Failed to init sandbox with name %s", sandbox);
+ return;
+ }
+
+ DumpSandboxByName(sandbox);
+ if (PrepareSandbox(sandbox) != 0) {
+ HiLog::Error(LABEL, "AppSpawnServer::Failed to prepare sandbox %s", sandbox);
+ DestroySandbox(sandbox);
+ CloseDefaultNamespace();
+ return;
+ }
+ if (EnterDefaultNamespace() < 0) {
+ HiLog::Error(LABEL, "AppSpawnServer::Failed to set default namespace");
+ DestroySandbox(sandbox);
+ CloseDefaultNamespace();
+ return;
+ }
+ CloseDefaultNamespace();
+ if (strcmp(sandbox, "app") == 0) {
+ isAppSandboxCreated_ = true;
+ } else if (strcmp(sandbox, "priv-app") == 0) {
+ isPrivAppSandboxCreated_ = true;
+ }
+}
+
 int AppSpawnServer::StartApp(char *longProcName, int64_t longProcNameLen,
 ClientSocket::AppProperty *appProperty, int connectFd, pid_t &pid)
 {
@@ -357,6 +393,16 @@ int AppSpawnServer::StartApp(char *longProcName, int64_t longProcNameLen,
 }
 InstallSigHandler();
+ if (isPrivAppSandboxCreated_ == false) {
+ if (strcmp("system_basic", appProperty->apl) == 0) {
+ RegisterSandbox("priv-app");
+ }
+ }
+ if (isAppSandboxCreated_ == false) {
+ if (strcmp("normal", appProperty->apl) == 0) {
+ RegisterSandbox("app");
+ }
+ }
 pid = fork();
 if (pid < 0) {
 HiLog::Error(LABEL, "AppSpawnServer::Failed to fork new process, errno = %{public}d", errno);
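Review bot: `RegisterSandbox` returns `void`, so `StartApp` cannot tell that sandbox setup failed: every error path only logs and returns, and the call sites added in the `StartApp` hunk go straight on to `fork()`. Returning a status, e.g. `bool AppSpawnServer::RegisterSandbox(const char *sandbox)` with `return false;` on each failure path and `return true;` at the end, would let the caller refuse to spawn when no sandbox exists. The two error logs that print the name use a bare `%s`, while the other HiLog calls visible in this patch use `%{public}d`; if the name is meant to be readable in logs it likely needs `%{public}s`. A short comment on why the default namespace is saved before `PrepareSandbox` and re-entered afterwards would also help, since that ordering appears to be what keeps the spawner itself out of the sandbox (inferred from the call names only).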
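Review bot: The APL-to-sandbox mapping (`"system_basic"` to `"priv-app"`, `"normal"` to `"app"`) is written out in this pre-fork block of `StartApp`, again in the child branch after `fork()`, and a third time as the name comparison at the end of `RegisterSandbox`, so the copies can drift apart when a level is added. One private helper that maps `appProperty->apl` to a sandbox name (or `nullptr`) would keep the registration and the child's `EnterSandbox` call in agreement. `appProperty->apl` appears to arrive with the spawn request, and the hunk does not show whether it is guaranteed to be NUL-terminated before these `strcmp` calls, so it is worth confirming where the message is validated. `StartApp` begins and ends outside this hunk.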
@@ -364,6 +410,13 @@ int AppSpawnServer::StartApp(char *longProcName, int64_t longProcNameLen,
 close(fd[1]);
 return -errno;
 } else if (pid == 0) {
+ if (strcmp("system_basic", appProperty->apl) == 0) {
+ EnterSandbox("priv-app");
+ } else if (strcmp("normal", appProperty->apl) == 0) {
+ EnterSandbox("app");
+ } else {
+ HiLog::Error(LABEL, "AppSpawnServer::Failed to match appspawn sandbox");
+ }
 InitDebugParams(appProperty);
 SpecialHandle(appProperty);
 // close socket connection and peer socket in child process
@@ -866,8 +919,7 @@ int32_t AppSpawnServer::SetAppSandboxProperty(const ClientSocket::AppProperty *a
 int rc = 0;
 // create /mnt/sandbox/ path, later put it to rootfs module
- std::string sandboxPackagePath = "/mnt/sandbox/";
- mkdir(sandboxPackagePath.c_str(), FILE_MODE);
+ std::string sandboxPackagePath = "/";
 sandboxPackagePath += appProperty->bundleName;
 mkdir(sandboxPackagePath.c_str(), FILE_MODE);
diff --git a/src/include/appspawn_server.h b/src/include/appspawn_server.h
index cda398e7..a2802847 100644
--- a/src/include/appspawn_server.h
+++ b/src/include/appspawn_server.h
@@ -195,6 +195,8 @@ private:
 void HandleSignal();
 void QuickExitMain();
+
+ void RegisterSandbox(const char *sandbox);
 private:
 const std::string deviceNull_ = "/dev/null";
 std::string socketName_ {};
@@ -209,6 +211,8 @@ private:
 bool isChildDie_ { false };
 pid_t childPid_ {};
 std::map appMap_;
+ bool isAppSandboxCreated_ {false};
+ bool isPrivAppSandboxCreated_ {false};
 #ifdef NWEB_SPAWN
 void *nwebHandle = nullptr;
 #endif
diff --git a/test/unittest/app_spawn_server_test/BUILD.gn b/test/unittest/app_spawn_server_test/BUILD.gn
index 83a07f4e..95ac6bbe 100644
--- a/test/unittest/app_spawn_server_test/BUILD.gn
+++ b/test/unittest/app_spawn_server_test/BUILD.gn
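Review bot: The child branch added to `StartApp` fails open: the return value of `EnterSandbox` is discarded, and an APL that matches neither string only logs "Failed to match appspawn sandbox" before execution falls through to `InitDebugParams` and the rest of app start-up. In both cases the app would keep running in whatever mount namespace the spawner was in, with no sandbox applied. The child should stop when the sandbox cannot be entered, as sketched below, assuming `EnterSandbox` returns 0 on success like `PrepareSandbox` in this patch (its declaration is not on the page). If some APLs are meant to start unsandboxed, that should be an explicit, commented branch rather than an error log that falls through; how the child reports the failure to the parent is outside the hunk.

```cpp
    } else if (pid == 0) {
        const char *sandboxName = nullptr;
        if (strcmp("system_basic", appProperty->apl) == 0) {
            sandboxName = "priv-app";
        } else if (strcmp("normal", appProperty->apl) == 0) {
            sandboxName = "app";
        }
        // Fail closed: never continue into app start-up outside a sandbox.
        if (sandboxName == nullptr || EnterSandbox(sandboxName) != 0) {
            HiLog::Error(LABEL, "AppSpawnServer::Failed to enter appspawn sandbox");
            _exit(EXIT_FAILURE);
        }
        // … unchanged: InitDebugParams, SpecialHandle, socket close …
```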
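Review bot: In `SetAppSandboxProperty` the base path is now `"/"`, yet the comment above it still says `create /mnt/sandbox/ path`, and the new path is only correct if the process has already switched to its sandbox root. Because the `EnterSandbox` result in `StartApp` is not checked, a failed entry would leave this `mkdir` creating a directory named after the bundle directly under the spawner's real root, and the `mkdir` return value is ignored as well. `appProperty->bundleName` is appended without validation, so a name containing `/` or `..` would not resolve to a single directory under the root; rejecting such names before building the path would close that off. The comment could become `// create the per-bundle directory under the sandbox root entered in StartApp`. The function body continues outside the hunk.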
@@ -21,6 +21,7 @@ ohos_unittest("AppSpawnServerOverrideTest") {
 "//base/security/access_token/interfaces/innerkits/token_setproc/include",
 "//base/startup/init_lite/services/log",
 "//base/startup/init_lite/interfaces/innerkits/include",
+ "//base/startup/init_lite/interfaces/innerkits/sandbox/include",
 "//base/startup/syspara_lite/interfaces/innerkits/native/syspara/include",
 ]
@@ -41,6 +42,7 @@ ohos_unittest("AppSpawnServerOverrideTest") {
 "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc",
 "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
 "//base/startup/init_lite/services/log:init_log",
+ "//base/startup/init_lite/interfaces/innerkits/sandbox:libsandbox",
 "//base/startup/syspara_lite/interfaces/innerkits/native/syspara:syspara",
 ]
@@ -68,6 +70,7 @@ ohos_unittest("AppSpawnServerMockTest") {
 "//base/security/access_token/interfaces/innerkits/token_setproc/include",
 "//base/startup/init_lite/services/log",
 "//base/startup/init_lite/interfaces/innerkits/include",
+ "//base/startup/init_lite/interfaces/innerkits/sandbox/include",
 "//base/startup/syspara_lite/interfaces/innerkits/native/syspara/include",
 ]
@@ -89,6 +92,7 @@ ohos_unittest("AppSpawnServerMockTest") {
 "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
 "//base/startup/init_lite/interfaces/innerkits/socket:libsocket_static",
 "//base/startup/init_lite/services/log:init_log",
+ "//base/startup/init_lite/interfaces/innerkits/sandbox:libsandbox",
 "//base/startup/syspara_lite/interfaces/innerkits/native/syspara:syspara",
 ]
--
Gitee