From ed5764fe22c1786b14247e3795b18f00a368a705 Mon Sep 17 00:00:00 2001
From: zzhcharmer
Date: Wed, 26 Feb 2025 19:04:39 +0800
Subject: [PATCH] custom seccomp
Signed-off-by: zzhcharmer
---
 BUILD.gn | 3 +++
 appspawn.gni | 1 +
 bundle.json | 3 ++-
 interfaces/innerkits/include/appspawn.h | 1 +
 modules/common/BUILD.gn | 3 +++
 modules/common/appspawn_adapter.cpp | 9 ++++++++-
 6 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/BUILD.gn b/BUILD.gn
index 90f10d88..6f87d6a3 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -32,6 +32,9 @@ config("appspawn_config") {
 if (appspawn_seccomp_privilege) {
 cflags += [ "-DSECCOMP_PRIVILEGE" ]
 }
+ if (appspawn_custom_sandbox) {
+ cflags += [ "-DCUSTOM_SANDBOX" ]
+ }
 }
 }
diff --git a/appspawn.gni b/appspawn.gni
index dd383ed4..cc2fd8e3 100644
--- a/appspawn.gni
+++ b/appspawn.gni
@@ -35,6 +35,7 @@ declare_args() {
 appspawn_support_prefork = true
 appspawn_support_code_signature = true
 appspawn_allow_internet_permission = false
+ appspawn_custom_sandbox = false
 }
 if (!defined(global_parts_info) ||
diff --git a/bundle.json b/bundle.json
index 2e91919a..8deb812f 100644
--- a/bundle.json
+++ b/bundle.json
@@ -27,7 +27,8 @@
 "appspawn_seccomp_privilege",
 "appspawn_support_prefork",
 "appspawn_support_code_signature",
- "appspawn_allow_internet_permission"
+ "appspawn_allow_internet_permission",
+ "appspawn_custom_sandbox"
 ],
 "rom": "296KB",
 "ram": "13125KB",
diff --git a/interfaces/innerkits/include/appspawn.h b/interfaces/innerkits/include/appspawn.h
index 1abb96d7..833609ee 100644
--- a/interfaces/innerkits/include/appspawn.h
+++ b/interfaces/innerkits/include/appspawn.h
@@ -198,6 +198,7 @@ typedef enum {
 APP_FLAGS_TEMP_JIT = 28,
 APP_FLAGS_PRE_INSTALLED_HAP = 29,
 APP_FLAGS_GET_ALL_PROCESSES = 30,
+ APP_FLAGS_CUSTOM_SANDBOX = 31,
 MAX_FLAGS_INDEX = 63,
 } AppFlagsIndex;
diff --git a/modules/common/BUILD.gn b/modules/common/BUILD.gn
index a8441284..c4c6900f 100644
--- a/modules/common/BUILD.gn
+++ b/modules/common/BUILD.gn
@@ -62,6 +62,9 @@ ohos_shared_library("appspawn_common") {
 if (appspawn_seccomp_privilege) {
 cflags += [ "-DSECCOMP_PRIVILEGE" ]
 }
+ if (appspawn_custom_sandbox) {
+ cflags += [ "-DCUSTOM_SANDBOX" ]
+ }
 external_deps += [ "init:seccomp" ]
 }
diff --git a/modules/common/appspawn_adapter.cpp b/modules/common/appspawn_adapter.cpp
index e53b3af4..b9703a10 100644
--- a/modules/common/appspawn_adapter.cpp
+++ b/modules/common/appspawn_adapter.cpp
@@ -199,6 +199,13 @@ int SetSeccompFilter(const AppSpawnMgr *content, const AppSpawningCtx *property)
 }
 #endif
+#ifdef CUSTOM_SANDBOX
+ // Set seccomp policy for custom process.
+ if (CheckAppMsgFlagsSet(property, APP_FLAGS_CUSTOM_SANDBOX) != 0) {
+ appName = APP_CUSTOM;
+ }
+#endif
+
 // Set seccomp policy for input method security mode.
 if (CheckAppMsgFlagsSet(property, APP_FLAGS_ISOLATED_SANDBOX) != 0) {
 appName = IMF_EXTENTOIN_NAME;
@@ -213,7 +220,7 @@ int SetSeccompFilter(const AppSpawnMgr *content, const AppSpawningCtx *property)
 APPSPAWN_LOGE("Failed to set %{public}s seccomp filter and exit %{public}d", appName, errno);
 return -EINVAL;
 }
- APPSPAWN_LOGV("SetSeccompFilter success for %{public}s", GetProcessName(property));
+ APPSPAWN_LOGV("SetSeccompPolicyWithName success for %{public}s", appName);
 #endif
 return 0;
 }
-- Gitee
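Review bot: In the first hunk of modules/common/appspawn_adapter.cpp, the new `APP_FLAGS_CUSTOM_SANDBOX` branch selects the seccomp policy from a flag carried in the spawn request, and nothing visible here checks that the requester is entitled to ask for it. If the `APP_CUSTOM` policy allows more syscalls than the policy chosen earlier in the function, that authorisation needs to be confirmed upstream of SetSeccompFilter or added next to this check. The branch also sits before the `APP_FLAGS_ISOLATED_SANDBOX` test, so a request with both flags set ends up with `IMF_EXTENTOIN_NAME`; a comment such as `// ISOLATED_SANDBOX below overrides CUSTOM_SANDBOX when both flags are set` would make that precedence explicit. `APP_CUSTOM` is not defined anywhere in this patch and presumably comes from the init seccomp headers, while `APP_FLAGS_CUSTOM_SANDBOX` is defined unconditionally in appspawn.h, so on builds without `-DCUSTOM_SANDBOX` the flag is silently ignored. The function body starts and ends outside the hunk.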
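Review bot: In the second hunk of modules/common/appspawn_adapter.cpp, the success message now prints only the policy name, so the trace no longer records which process the filter was applied to. For auditing which seccomp policy a given app was spawned under, log both values: `APPSPAWN_LOGV("SetSeccompPolicyWithName success for %{public}s, policy %{public}s", GetProcessName(property), appName);`. The function body starts outside the hunk.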