diff --git a/appdata-sandbox-render.json b/appdata-sandbox-render.json index cd571760281f75c2b9e5477b4f4e69efa84bac82..a75a80b9fa86cebae1d91e1a82a398ff166d6a67 100644 --- a/appdata-sandbox-render.json +++ b/appdata-sandbox-render.json @@ -29,12 +29,6 @@ }, { "src-path" : "/system/lib64", "sandbox-path" : "/system/lib64" - }, { - "src-path" : "/data/app/el1/bundle/public/", - "sandbox-path" : "/data/storage/el1/bundle/arkwebcore" - }, { - "src-path" : "/system/app/", - "sandbox-path" : "/system/app/" }, { "src-path" : "/vendor/", "sandbox-path" : "/vendor/", @@ -43,9 +37,6 @@ }, { "src-path" : "/system/app/NWeb", "sandbox-path" : "/system/app/NWeb" - }, { - "src-path" : "/module_update/ArkWebCore/app/", - "sandbox-path" : "/module_update/ArkWebCore/app/" }], "symbol-links" : [{ "target-name" : "/system/etc", @@ -72,7 +63,16 @@ "mount-groups" : [] }, "app-variable": { - "mount-groups": [] + "mount-path": [{ + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/storage/el1/bundle/arkwebcore" + }, { + "src-path" : "/system/app/", + "sandbox-path" : "/system/app/" + }, { + "src-path" : "/module_update/ArkWebCore/app/", + "sandbox-path" : "/module_update/ArkWebCore/app/" + }] } } } \ No newline at end of file diff --git a/interfaces/innerkits/client/appspawn_msg.c b/interfaces/innerkits/client/appspawn_msg.c index a14f0db06a6a2f535059e918652d84d134e64a2e..ab871cb74511a8df717eca26a9f097ce7f0b49cb 100644 --- a/interfaces/innerkits/client/appspawn_msg.c +++ b/interfaces/innerkits/client/appspawn_msg.c @@ -552,6 +552,11 @@ int AppSpawnClientAddPermission(AppSpawnClientHandle handle, AppSpawnReqMsgHandl APPSPAWN_CHECK(permission != NULL, return APPSPAWN_ARG_INVALID, "Invalid permission "); APPSPAWN_CHECK(reqNode->permissionFlags != NULL, return APPSPAWN_ARG_INVALID, "No permission tlv "); + // Don't need to transmit sandbox permission in nwebspawn mode + if (reqMgr->type == CLIENT_FOR_NWEBSPAWN) { + return 0; + } + int32_t maxIndex = GetMaxPermissionIndex(handle); int index = GetPermissionIndex(handle, permission); APPSPAWN_CHECK(index >= 0 && index < maxIndex, diff --git a/interfaces/innerkits/permission/appspawn_mount_permission.c b/interfaces/innerkits/permission/appspawn_mount_permission.c index 0f62627ce1b5f2aa9a06e3fb0d3906a4bd8d8769..dfa399149c90055db87ebe966240157e5dcc5d11 100644 --- a/interfaces/innerkits/permission/appspawn_mount_permission.c +++ b/interfaces/innerkits/permission/appspawn_mount_permission.c @@ -104,10 +104,9 @@ static PermissionManager *GetPermissionMgrByType(AppSpawnClientType type) static int LoadPermissionConfig(PermissionManager *mgr) { - int ret = ParseJsonConfig("etc/sandbox", - mgr->type == CLIENT_FOR_APPSPAWN ? APP_SANDBOX_FILE_NAME : RENDER_SANDBOX_FILE_NAME, - ParseAppSandboxConfig, mgr); - APPSPAWN_CHECK(ret == 0, return 0, "Load sandbox fail %{public}d", ret); + (void)ParseJsonConfig("etc/sandbox", + mgr->type == CLIENT_FOR_APPSPAWN ? APP_SANDBOX_FILE_NAME : RENDER_SANDBOX_FILE_NAME, + ParseAppSandboxConfig, mgr); mgr->maxPermissionIndex = PermissionRenumber(&mgr->permissionQueue); return 0; } diff --git a/modules/sandbox/appspawn_sandbox.h b/modules/sandbox/appspawn_sandbox.h index 6c6b31d01072484d95434d45ee453d094cc55492..a391077747585363f884060c15d9c8772201eca5 100644 --- a/modules/sandbox/appspawn_sandbox.h +++ b/modules/sandbox/appspawn_sandbox.h @@ -48,6 +48,7 @@ extern "C" { #define MAX_SANDBOX_BUFFER 256 #define OPTIONS_MAX_LEN 256 #define APP_FLAGS_SECTION 0x80000000 +#define FILE_MANAGER_GID 1006 #define BASIC_MOUNT_FLAGS (MS_REC | MS_BIND) #define INVALID_UID ((uint32_t)-1) #define PARAM_BUFFER_SIZE 128 diff --git a/modules/sandbox/sandbox_load.c b/modules/sandbox/sandbox_load.c index 5b783924cfae0345b0ad7eb8c2d4dafbb4ff1036..04232a28303a5eb55933e7a3abb3262b0a78978a 100644 --- a/modules/sandbox/sandbox_load.c +++ b/modules/sandbox/sandbox_load.c @@ -723,19 +723,14 @@ int LoadAppSandboxConfig(AppSpawnSandboxCfg *sandbox, ExtDataType type) } ParseJsonContext context = {}; context.sandboxCfg = sandbox; - int ret = ParseJsonConfig("etc/sandbox", sandboxName, ParseAppSandboxConfig, &context); - if (ret == APPSPAWN_SANDBOX_NONE) { - APPSPAWN_LOGW("No sandbox config"); - ret = 0; - } - APPSPAWN_CHECK_ONLY_EXPER(ret == 0, return ret); + (void)ParseJsonConfig("etc/sandbox", sandboxName, ParseAppSandboxConfig, &context); sandbox->pidNamespaceSupport = AppSandboxPidNsIsSupport(); sandbox->appFullMountEnable = CheckAppFullMountEnable(); APPSPAWN_LOGI("Sandbox pidNamespaceSupport: %{public}d appFullMountEnable: %{public}d", sandbox->pidNamespaceSupport, sandbox->appFullMountEnable); uint32_t depNodeCount = sandbox->depNodeCount; - APPSPAWN_CHECK_ONLY_EXPER(depNodeCount > 0, return ret); + APPSPAWN_CHECK_ONLY_EXPER(depNodeCount > 0, return 0); sandbox->depGroupNodes = (SandboxNameGroupNode **)calloc(1, sizeof(SandboxNameGroupNode *) * depNodeCount); APPSPAWN_CHECK(sandbox->depGroupNodes != NULL, return APPSPAWN_SYSTEM_ERROR, "Failed alloc memory "); diff --git a/modules/sandbox/sandbox_manager.c b/modules/sandbox/sandbox_manager.c index 161887fe7adaf751896dd71f7835ae4a1ad77117..bda7e17a5a6836eb116fc5cab697f4ead243b820 100644 --- a/modules/sandbox/sandbox_manager.c +++ b/modules/sandbox/sandbox_manager.c @@ -716,8 +716,12 @@ static void UpdateMsgFlagsWithPermission(AppSpawnSandboxCfg *sandbox, AppSpawnin return; } -static int UpdatePermissionFlags(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property) +static int UpdatePermissionFlags(AppSpawnMgr *content, AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property) { + if (IsNWebSpawnMode(content)) { + return 0; + } + int32_t index = 0; if (sandbox->appFullMountEnable) { index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_CROSS_APP_MODE); @@ -762,7 +766,7 @@ int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property) APPSPAWN_CHECK(sandbox != NULL, return -1, "Failed to get sandbox for %{public}s", GetProcessName(property)); content->content.sandboxType = type; - int ret = UpdatePermissionFlags(sandbox, property); + int ret = UpdatePermissionFlags(content, sandbox, property); if (ret != 0) { APPSPAWN_LOGW("set sandbox permission flag failed."); return APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL;