diff --git a/modules/common/appspawn_adapter.cpp b/modules/common/appspawn_adapter.cpp
index 67bc381a4f9e5fb57ca325a55fc86cdee6749c6e..0f61499af485001038724b44e38eb71a027abc1b 100644
--- a/modules/common/appspawn_adapter.cpp
+++ b/modules/common/appspawn_adapter.cpp
@@ -155,78 +155,78 @@ int SetSelinuxCon(const AppSpawnMgr *content, const AppSpawningCtx *property) int SetUidGidFilter(const AppSpawnMgr *content) { -#ifdef WITH_SECCOMP - bool ret = false; - if (IsNWebSpawnMode(content)) { - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - APPSPAWN_LOGE("Failed to set no new privs"); - } - ret = SetSeccompPolicyWithName(INDIVIDUAL, NWEBSPAWN_NAME); - } else { -#ifdef SECCOMP_PRIVILEGE - if (IsDeveloperModeOpen()) { - return 0; - } -#endif - ret = SetSeccompPolicyWithName(INDIVIDUAL, APPSPAWN_NAME); - } - if (!ret) { - APPSPAWN_LOGE("Failed to set APPSPAWN seccomp filter and exit"); - _exit(0x7f); - } - APPSPAWN_LOGV("SetUidGidFilter success"); -#endif +// #ifdef WITH_SECCOMP +// bool ret = false; +// if (IsNWebSpawnMode(content)) { +// if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { +// APPSPAWN_LOGE("Failed to set no new privs"); +// } +// ret = SetSeccompPolicyWithName(INDIVIDUAL, NWEBSPAWN_NAME); +// } else { +// #ifdef SECCOMP_PRIVILEGE +// if (IsDeveloperModeOpen()) { +// return 0; +// } +// #endif +// ret = SetSeccompPolicyWithName(INDIVIDUAL, APPSPAWN_NAME); +// } +// if (!ret) { +// APPSPAWN_LOGE("Failed to set APPSPAWN seccomp filter and exit"); +// _exit(0x7f); +// } +// APPSPAWN_LOGV("SetUidGidFilter success"); +// #endif return 0; } int SetSeccompFilter(const AppSpawnMgr *content, const AppSpawningCtx *property) { -#ifdef WITH_SECCOMP - APPSPAWN_CHECK(property != nullptr, return 0, "property is NULL"); - const char *appName = APP_NAME; - SeccompFilterType type = APP; +// #ifdef WITH_SECCOMP +// APPSPAWN_CHECK(property != nullptr, return 0, "property is NULL"); +// const char *appName = APP_NAME; +// SeccompFilterType type = APP; - if (IsNWebSpawnMode(content)) { - uint32_t len = 0; - std::string processType = - reinterpret_cast(GetAppPropertyExt(property, MSG_EXT_NAME_PROCESS_TYPE, &len)); - if (processType == "render") { - return 0; - } - } +// if (IsNWebSpawnMode(content)) { +// uint32_t len = 0; +// std::string 
processType = +// reinterpret_cast(GetAppPropertyExt(property, MSG_EXT_NAME_PROCESS_TYPE, &len)); +// if (processType == "render") { +// return 0; +// } +// } -#ifdef SECCOMP_PRIVILEGE - if (IsDeveloperModeOpen()) { - // Enable high permission seccomp policy for hishell in developer mode. - if (CheckAppMsgFlagsSet(property, APP_FLAGS_GET_ALL_PROCESSES) != 0) { - appName = APP_PRIVILEGE; - } - } -#endif +// #ifdef SECCOMP_PRIVILEGE +// if (IsDeveloperModeOpen()) { +// // Enable high permission seccomp policy for hishell in developer mode. +// if (CheckAppMsgFlagsSet(property, APP_FLAGS_GET_ALL_PROCESSES) != 0) { +// appName = APP_PRIVILEGE; +// } +// } +// #endif -#ifdef CUSTOM_SANDBOX - // Set seccomp policy for custom process. - if (CheckAppMsgFlagsSet(property, APP_FLAGS_CUSTOM_SANDBOX) != 0) { - appName = APP_CUSTOM; - } -#endif +// #ifdef CUSTOM_SANDBOX +// // Set seccomp policy for custom process. +// if (CheckAppMsgFlagsSet(property, APP_FLAGS_CUSTOM_SANDBOX) != 0) { +// appName = APP_CUSTOM; +// } +// #endif - // Set seccomp policy for input method security mode. - if (CheckAppMsgFlagsSet(property, APP_FLAGS_ISOLATED_SANDBOX) != 0) { - appName = IMF_EXTENTOIN_NAME; - } +// // Set seccomp policy for input method security mode. +// if (CheckAppMsgFlagsSet(property, APP_FLAGS_ISOLATED_SANDBOX) != 0) { +// appName = IMF_EXTENTOIN_NAME; +// } - // Set seccomp policy for atomic service process. - if (CheckAppMsgFlagsSet(property, APP_FLAGS_ATOMIC_SERVICE) != 0) { - appName = APP_ATOMIC; - } +// // Set seccomp policy for atomic service process. 
+// if (CheckAppMsgFlagsSet(property, APP_FLAGS_ATOMIC_SERVICE) != 0) { +// appName = APP_ATOMIC; +// } - if (!SetSeccompPolicyWithName(type, appName)) { - APPSPAWN_LOGE("Failed to set %{public}s seccomp filter and exit %{public}d", appName, errno); - return -EINVAL; - } - APPSPAWN_LOGV("SetSeccompPolicyWithName success for %{public}s", appName); -#endif +// if (!SetSeccompPolicyWithName(type, appName)) { +// APPSPAWN_LOGE("Failed to set %{public}s seccomp filter and exit %{public}d", appName, errno); +// return -EINVAL; +// } +// APPSPAWN_LOGV("SetSeccompPolicyWithName success for %{public}s", appName); +// #endif return 0; } diff --git a/modules/nweb_adapter/nwebspawn_adapter.cpp b/modules/nweb_adapter/nwebspawn_adapter.cpp index 6a54d3d087bc925d181ae3237ec31a5299b5f51d..349a838e21b76d067096735a42e93e083d7bfe7e 100644 --- a/modules/nweb_adapter/nwebspawn_adapter.cpp +++ b/modules/nweb_adapter/nwebspawn_adapter.cpp @@ -53,18 +53,18 @@ namespace { static bool SetSeccompPolicyForRenderer(void *nwebRenderHandle) { -#ifdef WITH_SECCOMP - if (IsEnableSeccomp()) { - using SeccompFuncType = bool (*)(void); - SeccompFuncType funcSetRendererSeccompPolicy = - reinterpret_cast(dlsym(nwebRenderHandle, "SetRendererSeccompPolicy")); - if (funcSetRendererSeccompPolicy != nullptr && funcSetRendererSeccompPolicy()) { - return true; - } - APPSPAWN_LOGE("SetRendererSeccompPolicy dlsym errno: %{public}d", errno); - return false; - } -#endif +// #ifdef WITH_SECCOMP +// if (IsEnableSeccomp()) { +// using SeccompFuncType = bool (*)(void); +// SeccompFuncType funcSetRendererSeccompPolicy = +// reinterpret_cast(dlsym(nwebRenderHandle, "SetRendererSeccompPolicy")); +// if (funcSetRendererSeccompPolicy != nullptr && funcSetRendererSeccompPolicy()) { +// return true; +// } +// APPSPAWN_LOGE("SetRendererSeccompPolicy dlsym errno: %{public}d", errno); +// return false; +// } +// #endif return true; }
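Review bot: With the whole WITH_SECCOMP body turned into `//` comments, SetUidGidFilter and SetSeccompFilter now return 0 unconditionally, so the spawner and every process it forks run with no seccomp filter while callers still see success, and the nwebspawn branch additionally loses `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)`. Commenting code out leaves no build-time trace of the downgrade; if this is a temporary debug change, keep the original body under a dedicated build flag and make the disabled case visible, e.g. `APPSPAWN_LOGW("seccomp policy disabled at build time; spawned processes are not syscall-filtered");` at the top of each stub. `content` and `property` are now unused parameters, so add `(void)content;` / `(void)property;` (or `[[maybe_unused]]`) if the project builds with -Wunused-parameter or -Werror. SetSelinuxCon from the hunk header and the callers of these two functions are outside this hunk.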
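Review bot: SetSeccompPolicyForRenderer now returns true without resolving or calling `SetRendererSeccompPolicy`, so the renderer spawn path reports a filtered renderer that is not one, and the `IsEnableSeccomp()` runtime switch is bypassed entirely. If the policy must be disabled for now, the stub should at least surface that to the log rather than silently claiming success, e.g. `APPSPAWN_LOGW("renderer seccomp policy disabled; renderer runs unfiltered");` before `return true;`, and the previous dlsym lookup should be restored behind a build flag instead of `//` comments. `nwebRenderHandle` is now unused; mark it `[[maybe_unused]]` or add `(void)nwebRenderHandle;`. The enclosing anonymous namespace begins before this hunk.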