diff --git a/appdata-sandbox-app.json b/appdata-sandbox-app.json old mode 100755 new mode 100644 index 8a104e794812ba994916117251620a6f75e529c0..029d97eadeca87075e1442469ec4c9ed3ded2518 --- a/appdata-sandbox-app.json +++ b/appdata-sandbox-app.json @@ -72,7 +72,7 @@ "src-path" : "/vendor/etc/hiai", "sandbox-path" : "/vendor/etc/hiai" }, { - "src-path" : "/data/local/shader_cache/cloud/common", + "src-path" : "/data/app/el1/public/shader_cache/cloud/common", "sandbox-path" : "/data/storage/shader_cache/common" }, { "src-path" : "/data/service/el0/public/for-all-app", @@ -132,6 +132,9 @@ "src-path" : "/data/app/el1/bundle/public/", "sandbox-path" : "/data/storage/el1/bundle", "check-action-status": "true" + }, { + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/storage/el1/bundle/arkwebcore" }, { "src-path" : "/data/misc", "sandbox-path" : "/data/storage/el1/bundle/misc" @@ -142,10 +145,10 @@ "src-path" : "/data/app/el1//aot_compiler/ark_profile/", "sandbox-path" : "/data/storage/ark-profile" }, { - "src-path" : "/data/local/shader_cache/local/", + "src-path" : "/data/app/el1//shader_cache/", "sandbox-path" : "/data/storage/shader_cache/local" }, { - "src-path" : "/data/local/shader_cache/cloud/", + "src-path" : "/data/app/el1/public/shader_cache/cloud/", "sandbox-path" : "/data/storage/shader_cache/cloud" }, { "src-path" : "/data/service/el1/public/themes//a/app", @@ -156,9 +159,6 @@ }, { "src-path" : "/data/service/el1//utdtypes/utd", "sandbox-path" : "/data/utd" - }, { - "src-path" : "/data/app/el1/bundle/public/", - "sandbox-path" : "/mnt/nweb/tmp" }, { "src-path" : "/mnt/hmdfs/", "sandbox-path" : "/mnt/hmdfs/" @@ -169,10 +169,6 @@ "src-path" : "/mnt/data//media_fuse", "sandbox-path" : "/data/storage/el2/media" }], - "symbol-links" : [{ - "target-name" : "/mnt/nweb/tmp", - "link-name" : "/data/storage/el1/bundle/arkwebcore" - }], "mount-groups": ["el2", "el3", "el4"] } }, 
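Review bot: The new `arkwebcore` entry in hunk `@@ -132` bind-mounts the same source `/data/app/el1/bundle/public/` that the entry directly above mounts at `/data/storage/el1/bundle`, but only the older entry carries `"check-action-status": "true"`; if that key is what turns a failed mount into an error (its presence on the sibling suggests so), the arkwebcore mount can fail silently and the web-engine path would simply be missing at runtime. Either add `"check-action-status": "true"` to the new entry or record in the commit why a best-effort mount is acceptable there. The `//` in `/data/app/el1//shader_cache/` and `/data/app/el1//aot_compiler/...` looks like a placeholder (presumably the user-id variable) dropped by page extraction; worth confirming the committed file has it, since a literal `//` would resolve to one path shared by all users.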
@@ -269,8 +265,11 @@ }, { "name": "ohos.permission.ACCESS_SHADER_CACHE_DIR", "mount-paths": [{ - "src-path": "/data/local/shader_cache", - "sandbox-path": "/data/storage/shader_caches" + "src-path": "/data/service/el1/public/shader_cache/local", + "sandbox-path": "/data/storage/shader_caches/local" + }, { + "src-path": "/data/app/el1/public/shader_cache/cloud", + "sandbox-path": "/data/storage/shader_caches/cloud" }] }, { "name": "ohos.permission.ACCESS_HIVIEWX", @@ -375,6 +374,15 @@ "sandbox-path": "/data/bms_app_clone/", "sandbox-flags": ["bind", "rec"] }] + }, { + "name": "ohos.permission.ACCESS_MEDIALIB_RESTORE", + "sandbox-switch": "ON", + "gids": ["user_data_rw"], + "mount-paths": [{ + "src-path": "/storage/media//local/files/.backup", + "sandbox-path": "/data/storage/el2/base/files/mediadata/", + "sandbox-flags": ["bind", "rec"] + }] }], "spawn-flag": [{ "name": "START_FLAGS_BACKUP", @@ -423,6 +431,12 @@ "src-path": "/system/app", "sandbox-path": "/system/app" }] + }, { + "name": "CUSTOM_SANDBOX_HAP", + "mount-paths": [{ + "src-path": "/tmp", + "sandbox-path": "/tmp" + }] }], "package-name": [{ "name": "com.ohos.medialibrary.medialibrarydata", diff --git a/appdata-sandbox-gpu.json b/appdata-sandbox-gpu.json index 78a5f8123420552c3a88374d155885dd4e7c7294..5e1c977e2e81e59317353fde0e4f3447fe8bd0e9 100644 --- a/appdata-sandbox-gpu.json +++ b/appdata-sandbox-gpu.json @@ -41,7 +41,7 @@ "src-path" : "/vendor/etc/vulkan/icd.d", "sandbox-path" : "/vendor/etc/vulkan/icd.d" }, { - "src-path" : "/data/local/shader_cache/cloud/common", + "src-path" : "/data/app/el1/public/shader_cache/cloud/common", "sandbox-path" : "/data/storage/shader_cache/common" }], "symbol-links" : [{ 
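Review bot: The `CUSTOM_SANDBOX_HAP` spawn flag (hunk `@@ -423`) bind-mounts the host `/tmp` into the sandbox at `/tmp` with no `sandbox-flags`, so any process spawned with that flag shares a world-writable directory with every other process that sees host `/tmp`, and nothing in the diff says who the intended consumer is. If a per-app scratch directory is what is needed, mount a per-bundle subdirectory the way `ACCESS_MEDIALIB_RESTORE` scopes its mount to `/data/storage/el2/base/files/mediadata/`, or at least constrain it with `"sandbox-flags": ["bind", "nosuid", "nodev"]` if the loader honours those flags. The `//` in `/storage/media//local/files/.backup` also looks like a stripped placeholder; confirm it survives in the committed file.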
@@ -79,10 +79,10 @@ "src-path" : "/module_update/ArkWebCore/app/", "sandbox-path" : "/module_update/ArkWebCore/app/" }, { - "src-path" : "/data/local/shader_cache/local/", + "src-path" : "/data/app/el1//shader_cache/", "sandbox-path" : "/data/storage/shader_cache/local" }, { - "src-path" : "/data/local/shader_cache/cloud/", + "src-path" : "/data/app/el1/public/shader_cache/cloud/", "sandbox-path" : "/data/storage/shader_cache/cloud" }] } diff --git a/appdata-sandbox-render.json b/appdata-sandbox-render.json index cd571760281f75c2b9e5477b4f4e69efa84bac82..d305f3adee570ca000fc52396a5a7b7a475ffe92 100644 --- a/appdata-sandbox-render.json +++ b/appdata-sandbox-render.json @@ -29,12 +29,6 @@ }, { "src-path" : "/system/lib64", "sandbox-path" : "/system/lib64" - }, { - "src-path" : "/data/app/el1/bundle/public/", - "sandbox-path" : "/data/storage/el1/bundle/arkwebcore" - }, { - "src-path" : "/system/app/", - "sandbox-path" : "/system/app/" }, { "src-path" : "/vendor/", "sandbox-path" : "/vendor/", @@ -43,9 +37,6 @@ }, { "src-path" : "/system/app/NWeb", "sandbox-path" : "/system/app/NWeb" - }, { - "src-path" : "/module_update/ArkWebCore/app/", - "sandbox-path" : "/module_update/ArkWebCore/app/" }], "symbol-links" : [{ "target-name" : "/system/etc", @@ -72,7 +63,16 @@ "mount-groups" : [] }, "app-variable": { - "mount-groups": [] + "mount-paths": [{ + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/storage/el1/bundle/arkwebcore" + }, { + "src-path" : "/system/app/", + "sandbox-path" : "/system/app/" + }, { + "src-path" : "/module_update/ArkWebCore/app/", + "sandbox-path" : "/module_update/ArkWebCore/app/" + }] } } } \ No newline at end of file diff --git a/interfaces/innerkits/client/appspawn_msg.c b/interfaces/innerkits/client/appspawn_msg.c index a14f0db06a6a2f535059e918652d84d134e64a2e..ab871cb74511a8df717eca26a9f097ce7f0b49cb 100644 --- a/interfaces/innerkits/client/appspawn_msg.c +++ b/interfaces/innerkits/client/appspawn_msg.c 
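Review bot: After the move in hunk `@@ -72` of appdata-sandbox-render.json, `/system/app/` is bind-mounted from the `app-variable` section while `/system/app/NWeb` is still mounted in the base section above it, so the two mounts overlap and whichever is applied last shadows the other. The `app-variable` section also lost its `"mount-groups": []` key when `mount-paths` was added; confirm the loader treats an absent key the same as an empty list before relying on this, and consider dropping the narrower `/system/app/NWeb` entry so the intent is explicit. The file now also ends without a trailing newline (`\ No newline at end of file`), which most linters flag.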
@@ -552,6 +552,11 @@ int AppSpawnClientAddPermission(AppSpawnClientHandle handle, AppSpawnReqMsgHandl
 APPSPAWN_CHECK(permission != NULL, return APPSPAWN_ARG_INVALID, "Invalid permission ");
 APPSPAWN_CHECK(reqNode->permissionFlags != NULL, return APPSPAWN_ARG_INVALID, "No permission tlv ");
+ // Don't need to transmit sandbox permission in nwebspawn mode
+ if (reqMgr->type == CLIENT_FOR_NWEBSPAWN) {
+ return 0;
+ }
+
 int32_t maxIndex = GetMaxPermissionIndex(handle);
 int index = GetPermissionIndex(handle, permission);
 APPSPAWN_CHECK(index >= 0 && index < maxIndex,
diff --git a/interfaces/innerkits/include/appspawn.h b/interfaces/innerkits/include/appspawn.h
index 7372aff20a424a01b2fde50cfc21b0bae67e6552..3bf66bfa1be45d9e3eb30adf9d2463149be556db 100644
--- a/interfaces/innerkits/include/appspawn.h
+++ b/interfaces/innerkits/include/appspawn.h
@@ -295,6 +295,7 @@ int AppSpawnClientAddPermission(AppSpawnClientHandle handle, AppSpawnReqMsgHandl
 #define MSG_EXT_NAME_JIT_PERMISSIONS "Permissions"
 #define MSG_EXT_NAME_USERID "uid"
 #define MSG_EXT_NAME_EXTENSION_TYPE "ExtensionType"
+#define MSG_EXT_NAME_PARENT_UID "ParentUid"
 int AppSpawnReqMsgAddExtInfo(AppSpawnReqMsgHandle reqHandle, const char *name, const uint8_t *value, uint32_t valueLen);
diff --git a/interfaces/innerkits/permission/appspawn_mount_permission.c b/interfaces/innerkits/permission/appspawn_mount_permission.c
index 0f62627ce1b5f2aa9a06e3fb0d3906a4bd8d8769..dfa399149c90055db87ebe966240157e5dcc5d11 100644
--- a/interfaces/innerkits/permission/appspawn_mount_permission.c
+++ b/interfaces/innerkits/permission/appspawn_mount_permission.c
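Review bot: The early `return 0` for `CLIENT_FOR_NWEBSPAWN` reports success even though the permission is never recorded in `reqNode->permissionFlags`, so a client that does request a permission-gated mount for a render process gets no signal that it was dropped and only sees a missing path much later. Keep the return value for compatibility but make the drop visible, e.g. `APPSPAWN_LOGV("Skip permission %{public}s in nwebspawn mode", permission);` before the `return 0;`, and state the behaviour in the `AppSpawnClientAddPermission` doc comment in appspawn.h. The function starts before this hunk, so I cannot see where `reqMgr` is obtained or whether it is guaranteed non-NULL at this point.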
@@ -104,10 +104,9 @@ static PermissionManager *GetPermissionMgrByType(AppSpawnClientType type)
 static int LoadPermissionConfig(PermissionManager *mgr)
 {
- int ret = ParseJsonConfig("etc/sandbox",
- mgr->type == CLIENT_FOR_APPSPAWN ? APP_SANDBOX_FILE_NAME : RENDER_SANDBOX_FILE_NAME,
- ParseAppSandboxConfig, mgr);
- APPSPAWN_CHECK(ret == 0, return 0, "Load sandbox fail %{public}d", ret);
+ (void)ParseJsonConfig("etc/sandbox",
+ mgr->type == CLIENT_FOR_APPSPAWN ? APP_SANDBOX_FILE_NAME : RENDER_SANDBOX_FILE_NAME,
+ ParseAppSandboxConfig, mgr);
 mgr->maxPermissionIndex = PermissionRenumber(&mgr->permissionQueue);
 return 0;
 }
diff --git a/modules/module_engine/include/appspawn_hook.h b/modules/module_engine/include/appspawn_hook.h
index edd26738ccf27e9fe7861e3a697fed9a9894a6f0..b2f5a8e6a4dc0cc8c239496418b2816d022d48a0 100644
--- a/modules/module_engine/include/appspawn_hook.h
+++ b/modules/module_engine/include/appspawn_hook.h
@@ -196,7 +196,7 @@ int AddVariableReplaceHandler(const char *name, ReplaceVarHandler handler);
 typedef struct TagAppSpawnSandboxCfg AppSpawnSandboxCfg;
 typedef int (*ProcessExpandSandboxCfg)(const SandboxContext *context,
- const AppSpawnSandboxCfg *appSandBox, const char *name);
+ const AppSpawnSandboxCfg *appSandbox, const char *name);
 #define EXPAND_CFG_HANDLER_PRIO_START 3
 /**
diff --git a/modules/sandbox/BUILD.gn b/modules/sandbox/BUILD.gn
index 274d8e56f16eb48d9dc9d4feea8ae345bf8f4a18..194a49573d6fc1b1acd644ad5ce5095d7d1d5be7 100644
--- a/modules/sandbox/BUILD.gn
+++ b/modules/sandbox/BUILD.gn
@@ -26,6 +26,7 @@ if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) {
 "sandbox_expand.c",
 "sandbox_load.c",
 "sandbox_manager.c",
+ "sandbox_shared.c",
 ]
 include_dirs = [
@@ -70,7 +71,7 @@ if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) {
 }
 if (dlp_permission_enable) {
- cflags_cc = [ "-DWITH_DLP" ]
+ cflags = [ "-DWITH_DLP" ]
 external_deps += [ "dlp_permission_service:libdlp_fuse" ]
 }
 }
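Review bot: `LoadPermissionConfig` now discards the result of `ParseJsonConfig`, so a missing or malformed sandbox JSON produces no log line at all and `PermissionRenumber` runs over whatever partial queue was built, silently changing the permission indices that client and server must agree on. The old early return was itself wrong (it skipped renumbering yet reported success), but dropping the diagnostic goes too far; keep it as `int ret = ParseJsonConfig(...);` followed by `APPSPAWN_CHECK_ONLY_LOG(ret == 0, "Load sandbox fail %{public}d", ret);` ahead of `PermissionRenumber`. In BUILD.gn, moving `-DWITH_DLP` from `cflags_cc` to `cflags` is what the C sources need, but `cflags` also reaches any C++ files in the target, which is fine only if that is intended.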
diff --git a/modules/sandbox/appspawn_sandbox.c b/modules/sandbox/appspawn_sandbox.c
index 595eac96789312af359fd13d9303bc55b0115b72..5a60c778975351966e36063cad931c9e8457d26d 100644
--- a/modules/sandbox/appspawn_sandbox.c
+++ b/modules/sandbox/appspawn_sandbox.c
@@ -272,6 +272,12 @@ APPSPAWN_STATIC int CheckSandboxMountNode(const SandboxContext *context,
 APPSPAWN_LOGW("Invalid mount config section %{public}s", section->name);
 return 0;
 }
+
+ if (sandboxNode->createSandboxPath == 0 && access(sandboxNode->source, F_OK) != 0) {
+ APPSPAWN_LOGW("Invalid mount config source %{public}s", sandboxNode->source);
+ return 0;
+ }
+
 // special handle wps and don't use /data/app/xxx/ config
 if (CHECK_FLAGS_BY_INDEX(operation, SANDBOX_TAG_SPAWN_FLAGS)) { // flags-point
 if (context->bundleHasWps &&
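Review bot: The new `access(sandboxNode->source, F_OK)` check in `CheckSandboxMountNode` runs on the raw `source` string from the config; if user-id or package-name placeholders are only substituted at mount time (the replace handlers in sandbox_cfgvar.c suggest expansion happens later), every templated entry with `create-sandbox-path: false` fails the check and is dropped with nothing but a warning. It also turns a missing source into a silent skip for nodes that set `checkErrorFlag`, which is probably not what that flag is for. Either perform the check after path expansion, or narrow it to `if (sandboxNode->createSandboxPath == 0 && sandboxNode->checkErrorFlag == 0 && access(sandboxNode->source, F_OK) != 0)` and add a comment stating that the skip is best-effort. `CheckSandboxMountNode` begins before this hunk.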
@@ -547,248 +553,6 @@ static int DoSandboxNodeMount(const SandboxContext *context, const SandboxSectio return 0; } -static bool IsUnlockStatus(uint32_t uid) -{ - const int userIdBase = UID_BASE; - uid = uid / userIdBase; - if (uid == 0) { // uid = 0 不涉及加密目录的挂载 - return true; - } - - char lockStatusParam[LOCK_STATUS_PARAM_SIZE] = {0}; - char userLockStatus[LOCK_STATUS_SIZE] = {0}; - int ret = snprintf_s(lockStatusParam, sizeof(lockStatusParam), sizeof(lockStatusParam) - 1, - "startup.appspawn.lockstatus_%u", uid); - APPSPAWN_CHECK(ret > 0, return false, "get lock status param failed, errno %{public}d", errno); - ret = GetParameter(lockStatusParam, "1", userLockStatus, sizeof(userLockStatus)); - APPSPAWN_LOGI("get param %{public}s %{public}s", lockStatusParam, userLockStatus); - if (ret > 0 && (strcmp(userLockStatus, "0") == 0)) { // 0:解密状态 1:加密状态 - return true; - } - return false; -} - -static void MountDir(AppSpawnMsgDacInfo *info, const char *bundleName, const char *rootPath, const char *targetPath) -{ - if (info == NULL || bundleName == NULL || rootPath == NULL || targetPath == NULL) { - return; - } - - const int userIdBase = UID_BASE; - char path[MAX_SANDBOX_BUFFER] = {0}; - int ret = snprintf_s(path, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s%u/%s%s", rootPath, - info->uid / userIdBase, bundleName, targetPath); - if (ret <= 0) { - APPSPAWN_LOGE("snprintf_s path failed, errno %{public}d", errno); - return; - } - - if (access(path, F_OK) == 0) { - return; - } - - ret = MakeDirRec(path, DIR_MODE, 1); - APPSPAWN_CHECK(ret == 0, return, "mkdir %{public}s failed, ret %{public}d", path, ret); - - if (mount(path, path, NULL, MS_BIND | MS_REC, NULL) != 0) { - APPSPAWN_LOGI("bind mount %{public}s failed, error %{public}d", path, errno); - return; - } - if (mount(NULL, path, NULL, MS_SHARED, NULL) != 0) { - APPSPAWN_LOGI("mount path %{public}s to shared failed, errno %{public}d", path, errno); - } else { - APPSPAWN_LOGI("mount path %{public}s to shared success", 
path); - } -} - -static const MountSharedTemplate MOUNT_SHARED_MAP[] = { - {"/data/storage/el2", NULL}, - {"/data/storage/el3", NULL}, - {"/data/storage/el4", NULL}, - {"/data/storage/el5", "ohos.permission.PROTECT_SCREEN_LOCK_DATA"}, -}; - -static int MountInShared(const AppSpawnMsgDacInfo *info, const char *rootPath, const char *src, const char *target) -{ - if (info == NULL) { - return APPSPAWN_ARG_INVALID; - } - - char path[MAX_SANDBOX_BUFFER] = {0}; - int ret = snprintf_s(path, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/%u/app-root/%s", rootPath, - info->uid / UID_BASE, target); - if (ret <= 0) { - APPSPAWN_LOGE("snprintf_s path failed, errno %{public}d", errno); - return APPSPAWN_ERROR_UTILS_MEM_FAIL; - } - - char currentUserPath[MAX_SANDBOX_BUFFER] = {0}; - ret = snprintf_s(currentUserPath, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/currentUser", path); - if (ret <= 0) { - APPSPAWN_LOGE("snprintf_s currentUserPath failed, errno %{public}d", errno); - return APPSPAWN_ERROR_UTILS_MEM_FAIL; - } - - if (access(currentUserPath, F_OK) == 0) { - return 0; - } - - ret = MakeDirRec(path, DIR_MODE, 1); - if (ret != 0) { - APPSPAWN_LOGE("mkdir %{public}s failed, ret %{public}d", path, ret); - return APPSPAWN_SANDBOX_ERROR_MKDIR_FAIL; - } - - if (mount(src, path, NULL, MS_BIND | MS_REC, NULL) != 0) { - APPSPAWN_LOGI("bind mount %{public}s to %{public}s failed, error %{public}d", src, path, errno); - return APPSPAWN_SANDBOX_ERROR_MOUNT_FAIL; - } - if (mount(NULL, path, NULL, MS_SHARED, NULL) != 0) { - APPSPAWN_LOGI("mount path %{public}s to shared failed, errno %{public}d", path, errno); - return APPSPAWN_SANDBOX_ERROR_MOUNT_FAIL; - } - - return 0; -} - -static int SharedMountInSharefs(const AppSpawnMsgDacInfo *info, const char *rootPath, - const char *src, const char *target) -{ - char currentUserPath[MAX_SANDBOX_BUFFER] = {0}; - int ret = snprintf_s(currentUserPath, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/currentUser", target); - if (ret <= 0) { - 
APPSPAWN_LOGE("snprintf_s currentUserPath failed, errno %{public}d", errno); - return APPSPAWN_ERROR_UTILS_MEM_FAIL; - } - - if (access(currentUserPath, F_OK) == 0) { - return 0; - } - - ret = MakeDirRec(target, DIR_MODE, 1); - if (ret != 0) { - APPSPAWN_LOGE("mkdir %{public}s failed, ret %{public}d", target, ret); - return APPSPAWN_SANDBOX_ERROR_MKDIR_FAIL; - } - - char options[OPTIONS_MAX_LEN] = {0}; - ret = snprintf_s(options, OPTIONS_MAX_LEN, OPTIONS_MAX_LEN - 1, "override_support_delete,user_id=%d", - info->uid / UID_BASE); - if (ret <= 0) { - APPSPAWN_LOGE("snprintf_s options failed, errno %{public}d", errno); - return APPSPAWN_ERROR_UTILS_MEM_FAIL; - } - - if (mount(src, target, "sharefs", MS_NODEV, options) != 0) { - APPSPAWN_LOGE("sharefs mount %{public}s to %{public}s failed, error %{public}d", - src, target, errno); - return APPSPAWN_SANDBOX_ERROR_MOUNT_FAIL; - } - if (mount(NULL, target, NULL, MS_SHARED, NULL) != 0) { - APPSPAWN_LOGE("mount path %{public}s to shared failed, errno %{public}d", target, errno); - return APPSPAWN_SANDBOX_ERROR_MOUNT_FAIL; - } - - return 0; -} - -static void UpdateStorageDir(const SandboxContext *context, AppSpawnSandboxCfg *sandbox, const AppSpawnMsgDacInfo *info) -{ - const char mntUser[] = "/mnt/user"; - const char nosharefsDocs[] = "nosharefs/docs"; - const char sharefsDocs[] = "sharefs/docs"; - const char rootPath[] = "/mnt/sandbox"; - const char userPath[] = "/storage/Users"; - - /* /mnt/user//nosharefs/Docs */ - char nosharefsDocsDir[MAX_SANDBOX_BUFFER] = {0}; - int ret = snprintf_s(nosharefsDocsDir, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/%d/%s", - mntUser, info->uid / UID_BASE, nosharefsDocs); - if (ret <= 0) { - APPSPAWN_LOGE("snprintf_s nosharefsDocsDir failed, errno %{public}d", errno); - return; - } - - /* /mnt/user//sharefs/Docs */ - char sharefsDocsDir[MAX_SANDBOX_BUFFER] = {0}; - ret = snprintf_s(sharefsDocsDir, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/%d/%s", - mntUser, info->uid / UID_BASE, 
sharefsDocs); - if (ret <= 0) { - APPSPAWN_LOGE("snprintf_s sharefsDocsDir failed, errno %{public}d", errno); - return; - } - - int index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_ACCESS_MANAGER_MODE); - int res = CheckSandboxCtxPermissionFlagSet(context, index); - if (res == 0) { - char storageUserPath[MAX_SANDBOX_BUFFER] = {0}; - ret = snprintf_s(storageUserPath, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/%d/app-root/%s", rootPath, - info->uid / UID_BASE, userPath); - if (ret <= 0) { - APPSPAWN_LOGE("snprintf_s storageUserPath failed, errno %{public}d", errno); - return; - } - /* mount /mnt/user//sharefs/docs to /mnt/sandbox//app-root/storage/Users */ - ret = SharedMountInSharefs(info, rootPath, sharefsDocsDir, storageUserPath); - } else { - /* mount /mnt/user//nosharefs/docs to /mnt/sandbox//app-root/storage/Users */ - ret = MountInShared(info, rootPath, nosharefsDocsDir, userPath); - } - if (ret != 0) { - APPSPAWN_LOGE("Update storage dir, ret %{public}d", ret); - } - APPSPAWN_LOGI("Update %{public}s storage dir success", res == 0 ? 
"sharefs dir" : "no sharefs dir"); -} - -static void MountDirToShared(const SandboxContext *context, AppSpawnSandboxCfg *sandbox) -{ - const char rootPath[] = "/mnt/sandbox/"; - const char nwebPath[] = "/mnt/nweb"; - const char nwebTmpPath[] = "/mnt/nweb/tmp"; - const char appRootName[] = "app-root"; - AppSpawnMsgDacInfo *info = (AppSpawnMsgDacInfo *)GetSandboxCtxMsgInfo(context, TLV_DAC_INFO); - if (info == NULL || context->bundleName == NULL) { - return; - } - - UpdateStorageDir(context, sandbox, info); - - MountDir(info, appRootName, rootPath, nwebPath); - MountDir(info, appRootName, rootPath, nwebTmpPath); - - if (IsUnlockStatus(info->uid)) { - return; - } - - int length = sizeof(MOUNT_SHARED_MAP) / sizeof(MOUNT_SHARED_MAP[0]); - for (int i = 0; i < length; i++) { - if (MOUNT_SHARED_MAP[i].permission == NULL) { - MountDir(info, context->bundleName, rootPath, MOUNT_SHARED_MAP[i].sandboxPath); - } else { - int index = GetPermissionIndexInQueue(&sandbox->permissionQueue, MOUNT_SHARED_MAP[i].permission); - APPSPAWN_LOGV("mount dir on lock mountPermissionFlags %{public}d", index); - if (CheckSandboxCtxPermissionFlagSet(context, index)) { - MountDir(info, context->bundleName, rootPath, MOUNT_SHARED_MAP[i].sandboxPath); - } - } - } - char lockSbxPathStamp[MAX_SANDBOX_BUFFER] = { 0 }; - int ret = 0; - if (CheckSandboxCtxMsgFlagSet(context, APP_FLAGS_ISOLATED_SANDBOX_TYPE) != 0) { - ret = snprintf_s(lockSbxPathStamp, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s%d/isolated/%s_locked", - rootPath, info->uid / UID_BASE, context->bundleName); - } else { - ret = snprintf_s(lockSbxPathStamp, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s%d/%s_locked", - rootPath, info->uid / UID_BASE, context->bundleName); - } - if (ret <= 0) { - APPSPAWN_LOGE("snprintf_s lock sandbox path stamp failed"); - return; - } - - CreateSandboxDir(lockSbxPathStamp, FILE_MODE); -} - static int UpdateMountPathDepsPath(const SandboxContext *context, SandboxNameGroupNode *groupNode) { PathMountNode 
*depNode = groupNode->depNode; @@ -943,7 +707,9 @@ static int SetSandboxPermissionConfig(const SandboxContext *context, const AppSp APPSPAWN_LOGV("SetSandboxPermissionConfig permission %{public}d %{public}s", permissionNode->permissionIndex, permissionNode->section.name); - int ret = MountSandboxConfig(context, sandbox, &permissionNode->section, MOUNT_PATH_OP_NONE); + uint32_t operation = 0; + SetMountPathOperation(&operation, MOUNT_PATH_OP_REPLACE_BY_SANDBOX); + int ret = MountSandboxConfig(context, sandbox, &permissionNode->section, operation); APPSPAWN_CHECK_ONLY_EXPER(ret == 0, return ret); node = node->next; } @@ -1168,7 +934,8 @@ int StagedMountSystemConst(AppSpawnSandboxCfg *sandbox, const AppSpawningCtx *pr SandboxContext *context = GetSandboxContext(); APPSPAWN_CHECK_ONLY_EXPER(context != NULL, return APPSPAWN_SYSTEM_ERROR); int ret = InitSandboxContext(context, sandbox, property, nwebspawn); - APPSPAWN_CHECK_ONLY_EXPER(ret == 0, return ret); + APPSPAWN_CHECK_ONLY_EXPER(ret == 0, DeleteSandboxContext(context); + return ret); if (IsSandboxMounted(sandbox, "system-const", context->rootPath) && IsADFPermission(sandbox, property) != true) { APPSPAWN_LOGV("Sandbox system-const %{public}s has been mount", context->rootPath); @@ -1367,9 +1134,10 @@ int StagedMountPreUnShare(const SandboxContext *context, AppSpawnSandboxCfg *san APPSPAWN_CHECK(sandbox != NULL && context != NULL, return -1, "Invalid sandbox or context"); APPSPAWN_LOGV("Set sandbox config before unshare group count %{public}d", sandbox->depNodeCount); - MountDirToShared(context, sandbox); int ret = StagedDepGroupMounts(context, sandbox); - + if (ret != 0) { + APPSPAWN_LOGE("Failed to set dep group mount points, ret: %{public}d", ret); + } return ret; } 
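Review bot: `StagedMountPreUnShare` no longer calls `MountDirToShared`, which (per the code deleted above) also ran `UpdateStorageDir` and created the `<bundle>_locked` stamp before unshare; the replacement is presumably in the new `sandbox_shared.c` added to BUILD.gn, but no call site for it appears in this diff, so please confirm the stamp file and the `/storage/Users` sharefs mount are still set up on the pre-unshare path. The added `APPSPAWN_LOGE` for a failed `StagedDepGroupMounts` is welcome, though naming the callee would match the surrounding messages: `APPSPAWN_LOGE("StagedDepGroupMounts failed, ret: %{public}d", ret);`. In `SetSandboxPermissionConfig`, a one-line comment on why permission mounts now use `MOUNT_PATH_OP_REPLACE_BY_SANDBOX` while the debug-mode counterpart keeps `MOUNT_PATH_OP_NONE` would save the next reader a search; I cannot tell the reason from here.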
@@ -1448,7 +1216,8 @@ int MountSandboxConfigs(AppSpawnSandboxCfg *sandbox, const AppSpawningCtx *prope SandboxContext *context = GetSandboxContext(); APPSPAWN_CHECK_ONLY_EXPER(context != NULL, return APPSPAWN_SYSTEM_ERROR); int ret = InitSandboxContext(context, sandbox, property, nwebspawn); - APPSPAWN_CHECK_ONLY_EXPER(ret == 0, return ret); + APPSPAWN_CHECK_ONLY_EXPER(ret == 0, DeleteSandboxContext(context); + return ret); APPSPAWN_LOGV("Set sandbox config %{public}s sandboxNsFlags 0x%{public}x", context->rootPath, context->sandboxNsFlags); diff --git a/modules/sandbox/appspawn_sandbox.h b/modules/sandbox/appspawn_sandbox.h index d6b8cb0a6bcb1d9aa75a3824b805eed1291dafbe..8abb7640e9d4caf9dba4d2e046427f57a0b63c20 100644 --- a/modules/sandbox/appspawn_sandbox.h +++ b/modules/sandbox/appspawn_sandbox.h @@ -38,18 +38,20 @@ extern "C" { #define PARAMETER_PACKAGE_NAME "" #define PARAMETER_USER_ID "" +#define PARAMETER_HOST_USER_ID "" #define PARAMETER_PACKAGE_INDEX "" #define ARK_WEB_PERSIST_PACKAGE_NAME "persist.arkwebcore.package_name" #define PARAMETER_ARK_WEB_PACKAGE_INDEX "" #define SHAREFS_OPTION_USER ",user_id=" -#define FILE_MODE 0711 -#define MAX_SANDBOX_BUFFER 256 -#define OPTIONS_MAX_LEN 256 -#define APP_FLAGS_SECTION 0x80000000 -#define BASIC_MOUNT_FLAGS (MS_REC | MS_BIND) -#define INVALID_UID ((uint32_t)-1) -#define PARAM_BUFFER_SIZE 128 +#define FILE_MODE 0711 +#define MAX_SANDBOX_BUFFER 256 +#define OPTIONS_MAX_LEN 256 +#define APP_FLAGS_SECTION 0x80000000 +#define FILE_MANAGER_GID 1006 +#define BASIC_MOUNT_FLAGS (MS_REC | MS_BIND) +#define INVALID_UID ((uint32_t)-1) +#define PARAM_BUFFER_SIZE 128 #ifdef APPSPAWN_64 #define APPSPAWN_LIB_NAME "lib64" 
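Review bot: `FILE_MANAGER_GID 1006` is a hard-coded numeric gid added to the header with no comment and no user in this diff; if it is later used to grant a mount or a chown, a mismatch with the system group table silently grants the wrong group. Add a note tying it to whatever group it stands for, e.g. `#define FILE_MANAGER_GID 1006  // gid of the file-manager group; keep in sync with the system group table`, or resolve it at runtime. `PARAMETER_HOST_USER_ID` shows as `""` on this page like its siblings, which looks like the `<...>` token being stripped by extraction; confirm the committed header has the real placeholder, since an empty variable name would match everywhere.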
@@ -122,10 +124,11 @@ typedef struct { typedef struct TagPathMountNode { SandboxMountNode sandboxNode; - char *source; // source 目录,一般是全局的fs 目录 - char *target; // 沙盒化后的目录 - mode_t destMode; // "dest-mode": "S_IRUSR | S_IWOTH | S_IRWXU " 默认值:0 - uint32_t mountSharedFlag : 1; // "mount-shared-flag" : "true", 默认值:false + char *source; // source 目录,一般是全局的fs 目录 + char *target; // 沙盒化后的目录 + mode_t destMode; // "dest-mode": "S_IRUSR | S_IWOTH | S_IRWXU " 默认值:0 + uint32_t mountSharedFlag : 1; // "mount-shared-flag" : "true", 默认值:false + uint32_t createSandboxPath : 1; // "create-sandbox-path" : "true", 默认值 : true uint32_t createDemand : 1; uint32_t checkErrorFlag : 1; uint32_t category; @@ -322,7 +325,7 @@ typedef struct { char name[0]; } AppSandboxExpandAppCfgNode; int ProcessExpandAppSandboxConfig(const SandboxContext *context, - const AppSpawnSandboxCfg *appSandBox, const char *name); + const AppSpawnSandboxCfg *appSandbox, const char *name); void AddDefaultExpandAppSandboxConfigHandle(void); void ClearExpandAppSandboxConfigHandle(void); @@ -411,6 +414,11 @@ __attribute__((always_inline)) inline int IsPathEmpty(const char *path) return 0; } +__attribute__((always_inline)) inline bool CheckPath(const char *name) +{ + return name != NULL && strcmp(name, ".") != 0 && strcmp(name, "..") != 0 && strstr(name, "/") == NULL; +} + #ifdef __cplusplus } #endif diff --git a/modules/sandbox/sandbox_cfgvar.c b/modules/sandbox/sandbox_cfgvar.c index 11268230d4c03ea2219fbafc94ddeebf0fa3d803..6c88524f124ee40dfa14304ece23158d2c8b0a31 100644 --- a/modules/sandbox/sandbox_cfgvar.c +++ b/modules/sandbox/sandbox_cfgvar.c 
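Review bot: `CheckPath` accepts the empty string, because none of its conditions reject `""`, so a caller that appends the result to a directory can end up with `dir/` or `dir//` instead of rejecting the input. Tighten it and use the single-character search the standard library intends: `return name != NULL && name[0] != '\0' && strcmp(name, ".") != 0 && strcmp(name, "..") != 0 && strchr(name, '/') == NULL;`. A one-line contract comment would also help, since the helper sits next to `IsPathEmpty`, which checks something different: `// true if name is a single, non-empty path component: no '/', and not "." or ".."`.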
@@ -68,6 +68,25 @@ static int VarCurrentUseIdReplace(const SandboxContext *context,
 return 0;
 }
+static int VarCurrentHostUserIdReplace(const SandboxContext *context,
+ const char *buffer, uint32_t bufferLen, uint32_t *realLen, const VarExtraData *extraData)
+{
+ int uid = 0;
+ int len = 0;
+ char *hostUid =
+ (char *)GetAppSpawnMsgExtInfo(context->message, MSG_EXT_NAME_PARENT_UID, NULL);
+ if (hostUid != NULL) {
+ uid = atoi(hostUid);
+ len = sprintf_s((char *)buffer, bufferLen, "%d", uid / UID_BASE);
+ } else {
+ len = sprintf_s((char *)buffer, bufferLen, "%s", "hostUserId");
+ }
+ APPSPAWN_CHECK(len > 0 && ((uint32_t)len < bufferLen),
+ return -1, "Failed to format path app: %{public}s", context->bundleName);
+ *realLen = (uint32_t)len;
+ return 0;
+}
+
 static int VarArkWebPackageNameReplace(const SandboxContext *context,
 const char *buffer, uint32_t bufferLen, uint32_t *realLen, const VarExtraData *extraData)
@@ -348,6 +367,7 @@ void AddDefaultVariable(void)
 {
 AddVariableReplaceHandler(PARAMETER_PACKAGE_NAME, VarPackageNameReplace);
 AddVariableReplaceHandler(PARAMETER_USER_ID, VarCurrentUseIdReplace);
+ AddVariableReplaceHandler(PARAMETER_HOST_USER_ID, VarCurrentHostUserIdReplace);
 AddVariableReplaceHandler(PARAMETER_PACKAGE_INDEX, VarPackageNameIndexReplace);
 AddVariableReplaceHandler(PARAMETER_ARK_WEB_PACKAGE_INDEX, VarArkWebPackageNameReplace);
 /*
diff --git a/modules/sandbox/sandbox_debug_mode.c b/modules/sandbox/sandbox_debug_mode.c
index 4f7b354474983f0a0e848bbf11dcad88b7e250d2..69a0cc31b1412b64572907f3969ab4f6a80473a6 100644
--- a/modules/sandbox/sandbox_debug_mode.c
+++ b/modules/sandbox/sandbox_debug_mode.c
@@ -25,8 +25,8 @@
 #include "appspawn_utils.h"
 #include "modulemgr.h"
-#define DEBUG_MNT_TMP_ROOT "/mnt/debugtmp"
-#define DEBUG_MNT_SHAREFS_ROOT "/mnt/debug"
+#define DEBUG_MNT_TMP_ROOT "/mnt/debugtmp/"
+#define DEBUG_MNT_SHAREFS_ROOT "/mnt/debug/"
 #define DEBUG_HAP_DIR "debug_hap"
 typedef struct TagRemoveDebugDirInfo {
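Review bot: `VarCurrentHostUserIdReplace` takes `ParentUid` from the spawn message's ext-info and parses it with `atoi`, which reports no errors: a non-numeric or empty value becomes uid 0, a negative value produces a negative user id, and the result is formatted straight into a sandbox path. Validate with `strtoul` and reject anything that is not a complete, in-range number, and consider passing a length pointer to `GetAppSpawnMsgExtInfo` instead of `NULL` so the value's termination can be checked as well. The `"hostUserId"` fallback writes a literal placeholder into the path when the field is absent; if that is a deliberate "no host" marker, a comment saying so would help the next reader.

```c
static int VarCurrentHostUserIdReplace(const SandboxContext *context,
    const char *buffer, uint32_t bufferLen, uint32_t *realLen, const VarExtraData *extraData)
{
    int len = 0;
    const char *hostUid = (const char *)GetAppSpawnMsgExtInfo(context->message, MSG_EXT_NAME_PARENT_UID, NULL);
    if (hostUid != NULL) {
        char *end = NULL;
        unsigned long uid = strtoul(hostUid, &end, 10);
        // reject empty, trailing-garbage and out-of-range values instead of mapping them to uid 0
        APPSPAWN_CHECK(end != hostUid && *end == '\0' && uid <= UINT32_MAX,
            return -1, "Invalid ParentUid for app: %{public}s", context->bundleName);
        len = sprintf_s((char *)buffer, bufferLen, "%u", (uint32_t)(uid / UID_BASE));
    } else {
        len = sprintf_s((char *)buffer, bufferLen, "%s", "hostUserId");
    }
    // … unchanged: length check, *realLen assignment and return …
}
```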
@@ -63,7 +63,7 @@ static int RemoveDebugBaseConfig(SandboxSection *section, const char *debugRootP
 char targetPath[PATH_MAX_LEN] = {0};
 ret = snprintf_s(targetPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%s", debugRootPath,
 ((PathMountNode *)sandboxNode)->target);
- APPSPAWN_CHECK(ret >= 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL,
+ APPSPAWN_CHECK(ret > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL,
 "snprintf_s targetPath failed, errno: %{public}d", errno);
 UmountAndRmdirDir(targetPath);
 node = node->next;
@@ -106,27 +106,27 @@ static int ConvertUserIdPath(const AppSpawningCtx *property, char *debugRootPath if (userId == NULL) { AppSpawnMsgDacInfo *dacInfo = (AppSpawnMsgDacInfo *)GetAppProperty(property, TLV_DAC_INFO); APPSPAWN_CHECK(dacInfo != NULL, return APPSPAWN_TLV_NONE, "No tlv %{public}d in msg", TLV_DAC_INFO); - ret = snprintf_s(debugRootPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%d", DEBUG_MNT_SHAREFS_ROOT, + ret = snprintf_s(debugRootPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%d/", DEBUG_MNT_SHAREFS_ROOT, dacInfo->uid / UID_BASE); - APPSPAWN_CHECK(ret >= 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, + APPSPAWN_CHECK(ret > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "snprintf_s debugRootPath failed, errno: %{public}d", errno); - ret = snprintf_s(debugTmpRootPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%d", DEBUG_MNT_TMP_ROOT, + ret = snprintf_s(debugTmpRootPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%d/", DEBUG_MNT_TMP_ROOT, dacInfo->uid / UID_BASE); - APPSPAWN_CHECK(ret >= 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, + APPSPAWN_CHECK(ret > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "snprintf_s debugTmpRootPath failed, errno: %{public}d", errno); } else { - ret = snprintf_s(debugRootPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%s", DEBUG_MNT_SHAREFS_ROOT, uid); - APPSPAWN_CHECK(ret >= 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, + ret = snprintf_s(debugRootPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%s/", DEBUG_MNT_SHAREFS_ROOT, userId); + APPSPAWN_CHECK(ret > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "snprintf_s debugRootPath failed, errno: %{public}d", errno); - ret = snprintf_s(debugTmpRootPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%s", DEBUG_MNT_TMP_ROOT, uid); - APPSPAWN_CHECK(ret >= 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, + ret = snprintf_s(debugTmpRootPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%s/", DEBUG_MNT_TMP_ROOT, userId); + APPSPAWN_CHECK(ret > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "snprintf_s debugTmpRootPath failed, errno: %{public}d", errno); } - return ret; + return 0; } 
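Review bot: In the `else` branch of `ConvertUserIdPath`, `userId` is formatted straight into `debugRootPath` and `debugTmpRootPath`, which are later handed to `UmountAndRmdirDir`; if the value comes from the spawn message (the start of the function is outside this hunk), a string containing `/` or `..` steers the unmount and rmdir outside `/mnt/debug/<uid>/`. The `CheckPath` helper this same change adds to appspawn_sandbox.h is the right guard, placed before the two `snprintf_s` calls: `APPSPAWN_CHECK(CheckPath(userId), return APPSPAWN_ARG_INVALID, "Invalid userId");`, ideally also requiring all digits since the other branch formats a number. Returning `0` instead of the `snprintf_s` length is the right fix, as the caller tests `ret == 0`.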
-static int UnintallPrivateDirs(const AppSpawnMgr *content, const AppSpawningCtx *property, - RemoveDebugDirInfo *removeDebugDirInfo) +static int UninstallPrivateDirs(const AppSpawnMgr *content, const AppSpawningCtx *property, + RemoveDebugDirInfo *removeDebugDirInfo) { AppSpawnMsgDacInfo *dacInfo = (AppSpawnMsgDacInfo *)GetAppProperty(property, TLV_DAC_INFO); APPSPAWN_CHECK(dacInfo != NULL, return APPSPAWN_TLV_NONE, "No tlv %{public}d in msg", TLV_DAC_INFO); @@ -134,13 +134,13 @@ static int UnintallPrivateDirs(const AppSpawnMgr *content, const AppSpawningCtx char uidPath[PATH_MAX_LEN] = {0}; /* snprintf_s /mnt/debugtmp/ */ int ret = snprintf_s(uidPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%d/", DEBUG_MNT_TMP_ROOT, dacInfo->uid / UID_BASE); - APPSPAWN_CHECK(ret >= 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, + APPSPAWN_CHECK(ret > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "snprintf_s /mnt/debugtmp/ failed, errno: %{public}d", errno); /* snprintf_s /mnt/debugtmp//debug_hap/ */ ret = snprintf_s(removeDebugDirInfo->debugTmpPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%s", removeDebugDirInfo->debugTmpPath, removeDebugDirInfo->context->rootPath + strlen(uidPath)); - APPSPAWN_CHECK(ret >= 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, + APPSPAWN_CHECK(ret > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "snprintf_s /mnt/debugtmp//debug_hap/ failed, errno: %{public}d", errno); ret = RemoveDebugAppVarConfig(removeDebugDirInfo->sandboxCfg, removeDebugDirInfo->debugTmpPath); 
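Review bot: The second `snprintf_s` in `UninstallPrivateDirs` writes into `removeDebugDirInfo->debugTmpPath` while passing that same buffer as its first `%s` source; overlapping source and destination is undefined behaviour for the printf family, and the `_s` variant does not exempt it. Append at the end instead, with a correctly reduced bound: `size_t used = strlen(removeDebugDirInfo->debugTmpPath);` then `ret = snprintf_s(removeDebugDirInfo->debugTmpPath + used, PATH_MAX_LEN - used, PATH_MAX_LEN - used - 1, "%s", removeDebugDirInfo->context->rootPath + strlen(uidPath));`. `context->rootPath + strlen(uidPath)` also assumes `rootPath` begins with `uidPath`; if it can be shorter the pointer runs past the string, so a `strncmp(removeDebugDirInfo->context->rootPath, uidPath, strlen(uidPath)) == 0` check first is cheap insurance. The function continues below this hunk.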
@@ -149,24 +149,24 @@ static int UnintallPrivateDirs(const AppSpawnMgr *content, const AppSpawningCtx ret = RemoveDebugPermissionConfig(removeDebugDirInfo->context, removeDebugDirInfo->sandboxCfg, removeDebugDirInfo->debugTmpPath); APPSPAWN_CHECK(ret == 0, return ret, "Failed to remove debug permission config"); - + /* umount and remove dir /mnt/debug//debug_hap/ */ ret = snprintf_s(removeDebugDirInfo->debugPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%s/", removeDebugDirInfo->debugPath, removeDebugDirInfo->context->rootPath + strlen(uidPath)); - APPSPAWN_CHECK(ret >= 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, + APPSPAWN_CHECK(ret > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "snprintf_s /mnt/debug//debug_hap/ failed, errno: %{public}d", errno); UmountAndRmdirDir(removeDebugDirInfo->debugPath); return 0; } -static int UnintallAllDirs(const AppSpawnMgr *content, const AppSpawningCtx *property, - RemoveDebugDirInfo *removeDebugDirInfo) +static int UninstallAllDirs(const AppSpawnMgr *content, const AppSpawningCtx *property, + RemoveDebugDirInfo *removeDebugDirInfo) { /* snprintf_s /mnt/debugtmp//debug_hap */ int ret = snprintf_s(removeDebugDirInfo->debugTmpPath + strlen(removeDebugDirInfo->debugTmpPath), PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s/", "debug_hap"); - APPSPAWN_CHECK(ret >= 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, + APPSPAWN_CHECK(ret > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "snprintf_s /mnt/debugtmp//debug_hap failed, errno: %{public}d", errno); char debugTmpPackagePath[PATH_MAX_LEN] = {0}; 
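Review bot: In `UninstallAllDirs`, `snprintf_s(removeDebugDirInfo->debugTmpPath + strlen(removeDebugDirInfo->debugTmpPath), PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s/", "debug_hap")` passes the full buffer size for a pointer that already sits `strlen()` bytes into the buffer, so the bound is wrong and a long prefix overruns `debugTmpPath`; the `_s` variant only protects when its `destMax` is honest. Compute the remaining room: `size_t used = strlen(removeDebugDirInfo->debugTmpPath);` / `APPSPAWN_CHECK(used < PATH_MAX_LEN - 1, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "debugTmpPath too long");` / `int ret = snprintf_s(removeDebugDirInfo->debugTmpPath + used, PATH_MAX_LEN - used, PATH_MAX_LEN - used - 1, "%s/", "debug_hap");`. The `debugPath` `snprintf_s` earlier in this hunk has the same overlapping source/destination problem as its `debugTmpPath` twin, since `removeDebugDirInfo->debugPath` is both the output and the first `%s` argument. `UninstallAllDirs` continues past this hunk.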
@@ -185,15 +185,17 @@ static int UnintallAllDirs(const AppSpawnMgr *content, const AppSpawningCtx *pro /* snprintf_s /mnt/debugtmp//debug_hap/ */ ret = snprintf_s(debugTmpPackagePath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%s", removeDebugDirInfo->debugTmpPath, entry->d_name); - APPSPAWN_CHECK(ret >= 0, closedir(dir); return APPSPAWN_ERROR_UTILS_MEM_FAIL, + APPSPAWN_CHECK(ret > 0, closedir(dir); return APPSPAWN_ERROR_UTILS_MEM_FAIL, "snprintf_s /mnt/debugtmp//debug_hap/ failed, errno: %{public}d", errno); ret = RemoveDebugAppVarConfig(removeDebugDirInfo->sandboxCfg, debugTmpPackagePath); - APPSPAWN_CHECK(ret == 0, closedir(dir); return ret, "Failed to remove app variable config"); + APPSPAWN_CHECK(ret == 0, closedir(dir); + return ret, "Failed to remove app variable config"); ret = RemoveDebugPermissionConfig(removeDebugDirInfo->context, removeDebugDirInfo->sandboxCfg, debugTmpPackagePath); - APPSPAWN_CHECK(ret == 0, closedir(dir); return ret, "Failed to remove debug permission config"); + APPSPAWN_CHECK(ret == 0, closedir(dir); + return ret, "Failed to remove debug permission config"); /** * umount and remove dir /mnt/debug//debug_hap/ @@ -201,7 +203,7 @@ static int UnintallAllDirs(const AppSpawnMgr *content, const AppSpawningCtx *pro */ ret = snprintf_s(debugPackagePath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%s", DEBUG_MNT_SHAREFS_ROOT, debugTmpPackagePath + strlen(DEBUG_MNT_TMP_ROOT)); - APPSPAWN_CHECK(ret >= 0, closedir(dir); return APPSPAWN_ERROR_UTILS_MEM_FAIL, + APPSPAWN_CHECK(ret > 0, closedir(dir); return APPSPAWN_ERROR_UTILS_MEM_FAIL, "snprintf_s /mnt/debug//debug_hap/ failed, errno: %{public}d", errno); UmountAndRmdirDir(debugPackagePath); } 
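Review bot: `entry->d_name` is appended to the path and the result is then unmounted and removed, but nothing in this hunk skips the `.` and `..` entries `readdir` returns; unless the loop head above (outside the hunk) filters them, `..` resolves to `/mnt/debug/<uid>/` itself and `UmountAndRmdirDir` runs on the parent. If this file includes appspawn_sandbox.h, the `CheckPath` helper added by this same change is the natural filter at the top of the loop body: `if (!CheckPath(entry->d_name)) { continue; }`. The four `closedir(dir); return ...` error paths are correct as written, but a single `goto out` that closes the directory would make the next addition harder to get wrong.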
@@ -220,15 +222,16 @@ static int UninstallDebugSandbox(AppSpawnMgr *content, AppSpawningCtx *property) APPSPAWN_CHECK(ret == 0, return ret, "Failed to convert userid path"); AppSpawnSandboxCfg *sandboxCfg = GetAppSpawnSandbox(content, EXT_DATA_DEBUG_HAP_SANDBOX); - APPSPAWN_CHECK_ONLY_EXPER(sandboxCfg != NULL, return APPSPAWN_SANDBOX_INVALID, + APPSPAWN_CHECK(sandboxCfg != NULL, return APPSPAWN_SANDBOX_INVALID, "Failed to get sandbox for %{public}s", GetProcessName(property)); SandboxContext *context = GetSandboxContext(); // Need free after mounting each time - APPSPAWN_CHECK(ret == 0, return ret, "Failed to convert userid path"); + APPSPAWN_CHECK_ONLY_EXPER(context != NULL, return APPSPAWN_ERROR_UTILS_MEM_FAIL); ret = InitDebugSandboxContext(context, sandboxCfg, property, IsNWebSpawnMode(content)); - APPSPAWN_CHECK_ONLY_EXPER(ret == 0, DeleteSandboxContext(context); return ret); + APPSPAWN_CHECK_ONLY_EXPER(ret == 0, DeleteSandboxContext(context); + return ret); - RemoveDebugDirInfo removeDebugdirInfo = { + RemoveDebugDirInfo removeDebugDirInfo = { .debugPath = debugRootPath, .debugTmpPath = debugTmpRootPath, .context = context, @@ -236,9 +239,9 @@ static int UninstallDebugSandbox(AppSpawnMgr *content, AppSpawningCtx *property) }; // If the message request carries package name information, it is necessary to obtain the actual package name if (GetBundleName(property) != NULL) { - ret = UnintallPrivateDirs(content, property, &removeDebugdirInfo); + ret = UninstallPrivateDirs(content, property, &removeDebugDirInfo); } else { // Traverse directories from debugTmpRootPath directory - ret = UnintallAllDirs(content, property, &removeDebugdirInfo); + ret = UninstallAllDirs(content, property, &removeDebugDirInfo); } APPSPAWN_CHECK_ONLY_LOG(ret == 0, "Failed to uninstall debug hap dir, ret: %{public}d", ret); 
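Review bot: A NULL `SandboxContext` now returns `APPSPAWN_ERROR_UTILS_MEM_FAIL` here, while the matching check in InstallDebugSandbox (hunk `@@ -398,7 +400,8 @@`) returns `APPSPAWN_SYSTEM_ERROR` for the same GetSandboxContext() failure; pick one code for both so callers can correlate the two paths. The corrected condition is otherwise right: the removed line re-tested `ret == 0` and could never catch a NULL context. UninstallDebugSandbox continues past the end of the second hunk, so whether `context` is deleted on the success path is not visible here; worth confirming, since the comment `// Need free after mounting each time` is the only hint.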
@@ -276,13 +279,12 @@ static int SetDebugPermissionConfig(const SandboxContext *context, const AppSpaw APPSPAWN_LOGV("SetSandboxPermissionConfig permission %{public}d %{public}s", permissionNode->permissionIndex, permissionNode->section.name); - uint32_t operation = MOUNT_PATH_OP_UNMOUNT; + uint32_t operation = MOUNT_PATH_OP_NONE; if (CheckSandboxCtxMsgFlagSet(context, APP_FLAGS_ATOMIC_SERVICE)) { SetMountPathOperation(&operation, MOUNT_PATH_OP_UNMOUNT); } - int ret = MountSandboxConfig(context, sandbox, section, operation); - APPSPAWN_CHECK(ret == 0, return ret, "Set debug app-variable config fail result: %{public}d, app: %{public}s", - ret, context->bundleName); + int ret = MountSandboxConfig(context, sandbox, &permissionNode->section, operation); + APPSPAWN_CHECK_ONLY_EXPER(ret == 0, return ret); node = node->next; } return 0; @@ -302,7 +304,7 @@ static int SetDebugAutomicTmpRootPath(SandboxContext *context, const AppSpawning APPSPAWN_CHECK(ret > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "snprintf_s debugAutomicRootPath failed"); context->rootPath = strdup(debugAutomicRootPath); if (context->rootPath == NULL) { - APPSPAWN_LOGE("Failed to strdup root path, rootPath: %{public}s', errno: %{public}d", context->rootPath, errno); + DeleteSandboxContext(context); return APPSPAWN_SYSTEM_ERROR; } APPSPAWN_LOGI("Set automic sandbox root: %{public}s", context->rootPath); @@ -312,7 +314,7 @@ static int SetDebugAutomicTmpRootPath(SandboxContext *context, const AppSpawning static int InitDebugSandboxContext(SandboxContext *context, const AppSpawnSandboxCfg *sandbox, const AppSpawningCtx *property, int nwebspawn) { - if (GetBundleName(property) != NULL) { + if (GetBundleName(property) == NULL) { APPSPAWN_LOGI("No need init sandbox context"); return 0; } 
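Review bot: Replacing `APPSPAWN_CHECK` with `APPSPAWN_CHECK_ONLY_EXPER` on the MountSandboxConfig result drops the only error log on this path, so a failed permission mount for a debug hap now surfaces as a bare non-zero return with no bundle name or result code; the preceding `APPSPAWN_LOGV` only fires at verbose level. Keep the diagnostic while fixing the section pointer: `APPSPAWN_CHECK(ret == 0, return ret, "Set debug permission config fail result: %{public}d, app: %{public}s", ret, context->bundleName);`. Starting from `MOUNT_PATH_OP_NONE` is consistent with the atomic-service branch being the only place that sets `MOUNT_PATH_OP_UNMOUNT`.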
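Review bot: Calling `DeleteSandboxContext(context)` inside SetDebugAutomicTmpRootPath on the strdup failure looks like a double free: the function does not own `context`, and both callers of InitDebugSandboxContext visible in this diff (UninstallDebugSandbox and InstallDebugSandbox) already run `DeleteSandboxContext(context)` when the init returns non-zero. If SetDebugAutomicTmpRootPath is reached from InitDebugSandboxContext (its call site is outside the hunk), the context is freed twice on that path. The function should only report the failure and leave cleanup to the owner, e.g. `APPSPAWN_LOGE("Failed to strdup root path, errno: %{public}d", errno);` in place of the delete, which also restores the message the removed line printed without its NULL `context->rootPath` format argument.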
@@ -335,7 +337,7 @@ static int MountDebugTmpConfig(const SandboxContext *context, const AppSpawnSand static int MountDebugDirBySharefs(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox) { - if (context->rootPath = NULL) { + if (context->rootPath == NULL) { APPSPAWN_LOGE("sandbox root is null"); return APPSPAWN_SANDBOX_INVALID; } @@ -398,7 +400,8 @@ static int InstallDebugSandbox(AppSpawnMgr *content, AppSpawningCtx *property) SandboxContext *context = GetSandboxContext(); // Need free after mounting each time APPSPAWN_CHECK_ONLY_EXPER(context != NULL, return APPSPAWN_SYSTEM_ERROR); int ret = InitDebugSandboxContext(context, sandboxCfg, property, IsNWebSpawnMode(content)); - APPSPAWN_CHECK_ONLY_EXPER(context != NULL, DeleteSandboxContext(context); return ret); + APPSPAWN_CHECK_ONLY_EXPER(ret == 0, DeleteSandboxContext(context); + return ret); do { ret = MountDebugTmpConfig(context, sandboxCfg); diff --git a/modules/sandbox/sandbox_expand.c b/modules/sandbox/sandbox_expand.c index 38f5e116160cde8138e21c5b93f4e625f96f264d..717b1c41a74e582cbbb2e892441b9565d69f558e 100644 --- a/modules/sandbox/sandbox_expand.c +++ b/modules/sandbox/sandbox_expand.c @@ -18,21 +18,17 @@ #include #include +#include "securec.h" #include "appspawn_msg.h" #include "appspawn_sandbox.h" #include "appspawn_utils.h" #include "json_utils.h" -#include "securec.h" +#include "appspawn_permission.h" +#include "sandbox_shared.h" -#define SANDBOX_GROUP_PATH "/data/storage/el2/group/" #define SANDBOX_INSTALL_PATH "/data/storage/el1/bundle/" #define SANDBOX_OVERLAY_PATH "/data/storage/overlay/" -static inline bool CheckPath(const char *name) -{ - return name != NULL && strcmp(name, ".") != 0 && strcmp(name, "..") != 0 && strstr(name, "/") == NULL; -} - APPSPAWN_STATIC int MountAllHsp(const SandboxContext *context, const cJSON *hsps) { APPSPAWN_CHECK(context != NULL && hsps != NULL, return -1, "Invalid context or hsps"); 
@@ -75,52 +71,58 @@ APPSPAWN_STATIC int MountAllHsp(const SandboxContext *context, const cJSON *hsps return ret; } -static inline char *GetLastPath(const char *libPhysicalPath) +APPSPAWN_STATIC int MountAllGroup(const SandboxContext *context, const AppSpawnSandboxCfg *appSandbox, + const cJSON *groups) { - char *tmp = GetLastStr(libPhysicalPath, "/"); - return tmp + 1; -} - -APPSPAWN_STATIC int MountAllGroup(const SandboxContext *context, const cJSON *groups) -{ - APPSPAWN_CHECK(context != NULL && groups != NULL, return -1, "Invalid context or group"); + APPSPAWN_CHECK(context != NULL && groups != NULL && appSandbox != NULL, return APPSPAWN_SANDBOX_INVALID, + "Invalid context or group"); mode_t mountFlags = MS_REC | MS_BIND; mode_t mountSharedFlag = MS_SLAVE; if (CheckAppSpawnMsgFlag(context->message, TLV_MSG_FLAGS, APP_FLAGS_ISOLATED_SANDBOX)) { - APPSPAWN_LOGV("MountAllGroup falsg is isolated"); + APPSPAWN_LOGV("Data group flags is isolated"); mountSharedFlag |= MS_REMOUNT | MS_NODEV | MS_RDONLY | MS_BIND; } int ret = 0; - cJSON *dataGroupIds = cJSON_GetObjectItemCaseSensitive(groups, "dataGroupId"); - cJSON *gids = cJSON_GetObjectItemCaseSensitive(groups, "gid"); - cJSON *dirs = cJSON_GetObjectItemCaseSensitive(groups, "dir"); - APPSPAWN_CHECK(dataGroupIds != NULL && cJSON_IsArray(dataGroupIds), - return 0, "MountAllGroup: invalid dataGroupIds"); - APPSPAWN_CHECK(gids != NULL && cJSON_IsArray(gids), return -1, "MountAllGroup: invalid gids"); - APPSPAWN_CHECK(dirs != NULL && cJSON_IsArray(dirs), return -1, "MountAllGroup: invalid dirs"); - int count = cJSON_GetArraySize(dataGroupIds); - APPSPAWN_CHECK(count == cJSON_GetArraySize(gids), return -1, "MountAllGroup: sizes are not same"); - APPSPAWN_CHECK(count == cJSON_GetArraySize(dirs), return -1, "MountAllGroup: sizes are not same"); - - APPSPAWN_LOGI("MountAllGroup: app: %{public}s, count: %{public}d", context->bundleName, count); - for (int i = 0; i < count; i++) { - cJSON *dirJson = cJSON_GetArrayItem(dirs, i); 
- APPSPAWN_CHECK(dirJson != NULL && cJSON_IsString(dirJson), return -1, "MountAllGroup: invalid dirJson"); - const char *libPhysicalPath = cJSON_GetStringValue(dirJson); - APPSPAWN_CHECK(!CheckPath(libPhysicalPath), return -1, "MountAllGroup: path error"); - - char *dataGroupUuid = GetLastPath(libPhysicalPath); - int len = sprintf_s(context->buffer[0].buffer, context->buffer[0].bufferLen, "%s%s%s", - context->rootPath, SANDBOX_GROUP_PATH, dataGroupUuid); - APPSPAWN_CHECK(len > 0, return -1, "Failed to format install path"); - APPSPAWN_LOGV("MountAllGroup src: '%{public}s' =>'%{public}s'", libPhysicalPath, context->buffer[0].buffer); + // Iterate through the array (assuming groups is an array) + cJSON *item = NULL; + cJSON_ArrayForEach(item, groups) { + // Check if the item is valid + APPSPAWN_CHECK(IsValidDataGroupItem(item), return APPSPAWN_ARG_INVALID, + "Element is not a valid data group item"); + + cJSON *dirItem = cJSON_GetObjectItemCaseSensitive(item, "dir"); + cJSON *uuidItem = cJSON_GetObjectItemCaseSensitive(item, "uuid"); + if (dirItem == NULL || !cJSON_IsString(dirItem) || uuidItem == NULL || !cJSON_IsString(uuidItem)) { + APPSPAWN_LOGE("Data group element is invalid"); + return APPSPAWN_ARG_INVALID; + } - CreateSandboxDir(context->buffer[0].buffer, FILE_MODE); - MountArg mountArg = {libPhysicalPath, context->buffer[0].buffer, NULL, mountFlags, NULL, mountSharedFlag}; - ret = SandboxMountPath(&mountArg); - if (ret != 0) { - APPSPAWN_LOGV("mount datagroup failed"); + const char *srcPath = dirItem->valuestring; + APPSPAWN_CHECK(!CheckPath(srcPath), return APPSPAWN_ARG_INVALID, "src path %{public}s is invalid", srcPath); + + int elxValue = GetElxInfoFromDir(srcPath); + APPSPAWN_CHECK((elxValue >= EL2 && elxValue < ELX_MAX), return APPSPAWN_ARG_INVALID, "Get elx value failed"); + + const DataGroupSandboxPathTemplate *templateItem = GetDataGroupArgTemplate(elxValue); + APPSPAWN_CHECK(templateItem != NULL, return APPSPAWN_ARG_INVALID, "Get data group arg 
template failed"); + + // If permission isn't null, need check permission flag + if (templateItem->permission != NULL) { + int index = GetPermissionIndexInQueue(&appSandbox->permissionQueue, templateItem->permission); + APPSPAWN_LOGV("mount dir no lock mount permission flag %{public}d", index); + if (!CheckSandboxCtxPermissionFlagSet(context, (uint32_t)index)) { + continue; + } } + (void)memset_s(context->buffer[0].buffer, context->buffer[0].bufferLen, 0, context->buffer[0].bufferLen); + int len = snprintf_s(context->buffer[0].buffer, context->buffer[0].bufferLen, context->buffer[0].bufferLen - 1, + "%s%s%s", context->rootPath, templateItem->sandboxPath, uuidItem->valuestring); + APPSPAWN_CHECK(len > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "Get data group arg template failed"); + ret = CreateSandboxDir(context->buffer[0].buffer, FILE_MODE); + APPSPAWN_CHECK(ret == 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "Mkdir sandbox dir failed"); + MountArg mountArg = {srcPath, context->buffer[0].buffer, NULL, mountFlags, NULL, mountSharedFlag}; + ret = SandboxMountPath(&mountArg); + APPSPAWN_CHECK_ONLY_LOG(ret == 0, "mount datagroup failed"); } return 0; } @@ -210,7 +212,7 @@ static inline cJSON *GetJsonObjFromProperty(const SandboxContext *context, const return root; } -static int ProcessHSPListConfig(const SandboxContext *context, const AppSpawnSandboxCfg *appSandBox, const char *name) +static int ProcessHSPListConfig(const SandboxContext *context, const AppSpawnSandboxCfg *appSandbox, const char *name) { cJSON *root = GetJsonObjFromProperty(context, name); APPSPAWN_CHECK_ONLY_EXPER(root != NULL, return 0); 
@@ -219,17 +221,17 @@ static int ProcessHSPListConfig(const SandboxContext *context, const AppSpawnSan return ret; } -static int ProcessDataGroupConfig(const SandboxContext *context, const AppSpawnSandboxCfg *appSandBox, const char *name) +static int ProcessDataGroupConfig(const SandboxContext *context, const AppSpawnSandboxCfg *appSandbox, const char *name) { cJSON *root = GetJsonObjFromProperty(context, name); APPSPAWN_CHECK_ONLY_EXPER(root != NULL, return 0); - int ret = MountAllGroup(context, root); + int ret = MountAllGroup(context, appSandbox, root); cJSON_Delete(root); return ret; } static int ProcessOverlayAppConfig(const SandboxContext *context, - const AppSpawnSandboxCfg *appSandBox, const char *name) + const AppSpawnSandboxCfg *appSandbox, const char *name) { uint32_t size = 0; char *extInfo = (char *)GetAppSpawnMsgExtInfo(context->message, name, &size); @@ -284,14 +286,14 @@ int RegisterExpandSandboxCfgHandler(const char *name, int prio, ProcessExpandSan return 0; } -int ProcessExpandAppSandboxConfig(const SandboxContext *context, const AppSpawnSandboxCfg *appSandBox, const char *name) +int ProcessExpandAppSandboxConfig(const SandboxContext *context, const AppSpawnSandboxCfg *appSandbox, const char *name) { - APPSPAWN_CHECK_ONLY_EXPER(context != NULL && appSandBox != NULL, return APPSPAWN_ARG_INVALID); + APPSPAWN_CHECK_ONLY_EXPER(context != NULL && appSandbox != NULL, return APPSPAWN_ARG_INVALID); APPSPAWN_CHECK_ONLY_EXPER(name != NULL, return APPSPAWN_ARG_INVALID); APPSPAWN_LOGV("ProcessExpandAppSandboxConfig %{public}s.", name); const AppSandboxExpandAppCfgNode *node = GetAppSandboxExpandAppCfg(name); if (node != NULL && node->cfgHandle != NULL) { - return node->cfgHandle(context, appSandBox, name); + return node->cfgHandle(context, appSandbox, name); } return 0; } diff --git a/modules/sandbox/sandbox_load.c b/modules/sandbox/sandbox_load.c index 9ed25882d9294dd20e932d8d2aed51925a4c1dfc..8a6741a752d0deadd560f6d4c8716c091551a800 100644 
--- a/modules/sandbox/sandbox_load.c +++ b/modules/sandbox/sandbox_load.c @@ -46,7 +46,8 @@ static const SandboxFlagInfo FLAGE_POINT_MAP[] = { {"START_FLAGS_BACKUP", (unsigned long)APP_FLAGS_BACKUP_EXTENSION}, {"DLP_MANAGER", (unsigned long)APP_FLAGS_DLP_MANAGER}, {"DEVELOPER_MODE", (unsigned long)APP_FLAGS_DEVELOPER_MODE}, - {"PREINSTALLED_HAP", (unsigned long)APP_FLAGS_PRE_INSTALLED_HAP} + {"PREINSTALLED_HAP", (unsigned long)APP_FLAGS_PRE_INSTALLED_HAP}, + {"CUSTOM_SANDBOX_HAP", (unsigned long)APP_FLAGS_CUSTOM_SANDBOX} }; static const SandboxFlagInfo MOUNT_MODE_MAP[] = { @@ -227,7 +228,7 @@ static PathMountNode *DecodeMountPathConfig(const SandboxSection *section, const sandboxNode->destMode = GetChmodFromJson(config); sandboxNode->mountSharedFlag = GetBoolValueFromJsonObj(config, "mount-shared-flag", false); sandboxNode->checkErrorFlag = GetBoolValueFromJsonObj(config, "check-action-status", false); - + sandboxNode->createSandboxPath = GetBoolValueFromJsonObj(config, "create-sandbox-path", true); sandboxNode->category = GetMountCategory(GetStringFromJsonObj(config, "category")); const char *value = GetStringFromJsonObj(config, "app-apl-name"); if (value != NULL) { 
@@ -502,6 +503,23 @@ static int ParsePermissionConfig(AppSpawnSandboxCfg *sandbox, const char *name, return 0; } +static int AddSpawnerPermissionNode(AppSpawnSandboxCfg *sandbox) +{ + uint32_t permissionCount = ARRAY_LENGTH(g_spawnerPermissionList); + for (uint32_t i = 0; i < permissionCount; i++) { + SandboxPermissionNode *node = + (SandboxPermissionNode *)GetSandboxSection(&sandbox->permissionQueue, g_spawnerPermissionList[i]); + if (node == NULL) { + node = CreateSandboxPermissionNode(g_spawnerPermissionList[i]); + } + APPSPAWN_CHECK_ONLY_EXPER(node != NULL, return -1); + + // success, insert section + AddSandboxSection(&node->section, &sandbox->permissionQueue); + } + return 0; +} + static SandboxNameGroupNode *ParseNameGroup(AppSpawnSandboxCfg *sandbox, const cJSON *groupConfig) { char *name = GetStringFromJsonObj(groupConfig, "name"); @@ -647,10 +665,13 @@ APPSPAWN_STATIC int ParseAppSandboxConfig(const cJSON *root, ParseJsonContext *c // conditional cJSON *json = cJSON_GetObjectItemCaseSensitive(root, "conditional"); if (json != NULL) { - // permission + // sandbox permission cJSON *config = cJSON_GetObjectItemCaseSensitive(json, "permission"); ret = ParseConditionalConfig(sandbox, config, "permission", ParsePermissionConfig); APPSPAWN_CHECK_ONLY_EXPER(ret == 0, return ret); + // sandbox permission + ret = AddSpawnerPermissionNode(sandbox); + APPSPAWN_CHECK_ONLY_EXPER(ret == 0, return ret); // spawn-flag config = cJSON_GetObjectItemCaseSensitive(json, "spawn-flag"); ret = ParseConditionalConfig(sandbox, config, "spawn-flag", ParseSpawnFlagsConfig); 
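Review bot: When `GetSandboxSection` already finds a node for a spawner permission, AddSpawnerPermissionNode still calls `AddSandboxSection(&node->section, &sandbox->permissionQueue)` on it, so a permission that the JSON config also declares is linked into the queue a second time, unless AddSandboxSection de-duplicates, which its definition (outside the diff) would need to confirm; a node linked twice into the same list is the kind of thing that later breaks PermissionRenumber and queue iteration. Only add a freshly created node: `if (node != NULL) { continue; }` followed by `node = CreateSandboxPermissionNode(g_spawnerPermissionList[i]);`, keeping the NULL check and the AddSandboxSection call after it. In the second hunk the two `// sandbox permission` comments are now identical; the one above the new call should say what it adds, e.g. `// append the spawner's built-in permission list (g_spawnerPermissionList)`.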
@@ -702,19 +723,14 @@ int LoadAppSandboxConfig(AppSpawnSandboxCfg *sandbox, ExtDataType type) } ParseJsonContext context = {}; context.sandboxCfg = sandbox; - int ret = ParseJsonConfig("etc/sandbox", sandboxName, ParseAppSandboxConfig, &context); - if (ret == APPSPAWN_SANDBOX_NONE) { - APPSPAWN_LOGW("No sandbox config"); - ret = 0; - } - APPSPAWN_CHECK_ONLY_EXPER(ret == 0, return ret); + (void)ParseJsonConfig("etc/sandbox", sandboxName, ParseAppSandboxConfig, &context); sandbox->pidNamespaceSupport = AppSandboxPidNsIsSupport(); sandbox->appFullMountEnable = CheckAppFullMountEnable(); APPSPAWN_LOGI("Sandbox pidNamespaceSupport: %{public}d appFullMountEnable: %{public}d", sandbox->pidNamespaceSupport, sandbox->appFullMountEnable); uint32_t depNodeCount = sandbox->depNodeCount; - APPSPAWN_CHECK_ONLY_EXPER(depNodeCount > 0, return ret); + APPSPAWN_CHECK_ONLY_EXPER(depNodeCount > 0, return 0); sandbox->depGroupNodes = (SandboxNameGroupNode **)calloc(1, sizeof(SandboxNameGroupNode *) * depNodeCount); APPSPAWN_CHECK(sandbox->depGroupNodes != NULL, return APPSPAWN_SYSTEM_ERROR, "Failed alloc memory "); diff --git a/modules/sandbox/sandbox_manager.c b/modules/sandbox/sandbox_manager.c index 5da123f6cc2e39fb42fd512baa954124b8b5cb93..333f86cdda27d3370426c7f58cc4b4004ad7ba47 100644 --- a/modules/sandbox/sandbox_manager.c +++ b/modules/sandbox/sandbox_manager.c @@ -17,13 +17,14 @@ #define _GNU_SOURCE #include +#include "securec.h" #include "appspawn_manager.h" #include "appspawn_permission.h" #include "appspawn_sandbox.h" #include "appspawn_utils.h" #include "modulemgr.h" #include "parameter.h" -#include "securec.h" +#include "sandbox_shared.h" static void FreePathMountNode(SandboxMountNode *node) { 
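Review bot: `(void)ParseJsonConfig(...)` discards every parse result, not only `APPSPAWN_SANDBOX_NONE`; a sandbox config that is present but malformed, or that fails part-way through ParseAppSandboxConfig, now yields a sandbox built from whatever subset was parsed, and LoadAppSandboxConfig reports success. For a file that defines mount policy and permission gates, failing open is the wrong default; keep the missing-file case permissive and propagate the rest: `int ret = ParseJsonConfig("etc/sandbox", sandboxName, ParseAppSandboxConfig, &context);` followed by `APPSPAWN_CHECK(ret == 0 || ret == APPSPAWN_SANDBOX_NONE, return ret, "Failed to parse sandbox config, ret: %{public}d", ret);`. The later `depNodeCount > 0` check returning `0` rather than `ret` is fine with either version.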
@@ -500,7 +501,7 @@ static int PreLoadSandboxCfgByType(AppSpawnMgr *content, ExtDataType type) sandbox->maxPermissionIndex = PermissionRenumber(&sandbox->permissionQueue); content->content.sandboxNsFlags = 0; - if (sandbox->pidNamespaceSupport) { + if (IsNWebSpawnMode(content) || sandbox->pidNamespaceSupport) { content->content.sandboxNsFlags = sandbox->sandboxNsFlags; } return 0; @@ -586,19 +587,15 @@ static ExtDataType GetSandboxType(AppSpawnMgr *content, AppSpawningCtx *property } /** - * @brief ɳ价 + * ɳ价 * 1.ǷͨhapExtDataTypeΪEXT_DATA_APP_SANDBOX - * 2.ǷͨhaphapЯAPP_FLAGS_ISOLATED_SANDBOX_TYPE־λExtDataTypeΪEXT_DATA_ISOLATED_SANDBOX - * 3.rendeṛExtDataTypeΪEXT_DATA_RENDER_SANDBOX - * 4.gpụExtDataTypeΪEXT_DATA_GPU_SANDBOX - * 5.ӦýʱЯAPP_FLAG_DEBUGABLEλ˿ģʽҪExtDataTypeΪEXT_DATA_DEBUG_HAP_SANDBOX - - * @param content appspawn global content - * @param property app property - * @return int + * 2.ǷͨhaphapЯAPP_FLAGS_ISOLATED_SANDBOX_TYPE־λExtDataTypeΪEXT_DATA_ISOLATED_SANDBOX + * 3.ǷrendeṛExtDataTypeΪEXT_DATA_RENDER_SANDBOX + * 4.ǷgpụExtDataTypeΪEXT_DATA_GPU_SANDBOX + * 5.hapУЯAPP_FLAG_DEBUGABLE־λͬʱ˿ģʽExtDataTypeΪEXT_DATA_DEBUG_HAP_SANDBOX */ -int SpawnBuildSandboxEnv(AppSpawnMgr *content, AppSpawningCtx *property) +static int SpawnBuildSandboxEnv(AppSpawnMgr *content, AppSpawningCtx *property) { // Don't build sandbox env if (CheckAppMsgFlagsSet(property, APP_FLAGS_NO_SANDBOX)) { @@ -719,8 +716,12 @@ static void UpdateMsgFlagsWithPermission(AppSpawnSandboxCfg *sandbox, AppSpawnin return; } -static int UpdatePermissionFlags(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property) +static int UpdatePermissionFlags(AppSpawnMgr *content, AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property) { + if (IsNWebSpawnMode(content)) { + return 0; + } + int32_t index = 0; if (sandbox->appFullMountEnable) { index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_CROSS_APP_MODE); 
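Review bot: The rewritten header comment on SpawnBuildSandboxEnv is not valid UTF-8 in this diff (it renders as mojibake), and the commit also drops the `@param`/`@return` lines while making the function static, so a reader of this file cannot tell what the five numbered rules say. Since the function is now file-local, a short English comment stating that the sandbox type comes from GetSandboxType and that `APP_FLAGS_NO_SANDBOX` skips the build would be more useful than untranslatable rules, ideally with the file re-saved as UTF-8. In the first hunk, `IsNWebSpawnMode(content) || sandbox->pidNamespaceSupport` applies `sandboxNsFlags` for nwebspawn even when AppSandboxPidNsIsSupport() reported no support; if that is intentional, a one-line comment such as `// nwebspawn always applies its namespace flags, independent of pid-ns support` on that line would save the next reader the question.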
@@ -760,13 +761,12 @@ int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property) APPSPAWN_CHECK_ONLY_EXPER(content != NULL, return -1); APPSPAWN_CHECK_ONLY_EXPER(property != NULL, return -1); APPSPAWN_LOGV("Prepare sandbox config %{public}s", GetProcessName(property)); - ExtDataType type = CheckAppMsgFlagsSet(property, APP_FLAGS_ISOLATED_SANDBOX_TYPE) ? EXT_DATA_ISOLATED_SANDBOX : - EXT_DATA_APP_SANDBOX; + ExtDataType type = GetSandboxType(content, property); AppSpawnSandboxCfg *sandbox = GetAppSpawnSandbox(content, type); - content->content.sandboxType = type; APPSPAWN_CHECK(sandbox != NULL, return -1, "Failed to get sandbox for %{public}s", GetProcessName(property)); + content->content.sandboxType = type; - int ret = UpdatePermissionFlags(sandbox, property); + int ret = UpdatePermissionFlags(content, sandbox, property); if (ret != 0) { APPSPAWN_LOGW("set sandbox permission flag failed."); return APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL; 
@@ -780,6 +780,26 @@ int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
 return 0;
 }
 
+static int SpawnMountDirToShared(AppSpawnMgr *content, AppSpawningCtx *property)
+{
+ ExtDataType type = GetSandboxType(content, property);
+ AppSpawnSandboxCfg *appSandbox = GetAppSpawnSandbox(content, type);
+ APPSPAWN_CHECK(appSandbox != NULL, return APPSPAWN_SANDBOX_INVALID,
+ "Failed to get sandbox cfg for %{public}s", GetProcessName(property));
+ content->content.sandboxType = type;
+
+ SandboxContext *context = GetSandboxContext(); // need free after mount
+ APPSPAWN_CHECK_ONLY_EXPER(context != NULL, return APPSPAWN_SYSTEM_ERROR);
+ int ret = InitSandboxContext(context, appSandbox, property, IsNWebSpawnMode(content)); // need free after mount
+ APPSPAWN_CHECK_ONLY_EXPER(ret == 0, DeleteSandboxContext(context);
+ return ret);
+
+ ret = MountDirsToShared(content, context, appSandbox);
+ APPSPAWN_CHECK_ONLY_LOG(ret == 0, "Failed to mount dirs to shared");
+ DeleteSandboxContext(context);
+ return ret;
+}
+
 APPSPAWN_STATIC int SandboxUnmountPath(const AppSpawnMgr *content, const AppSpawnedProcessInfo *appInfo)
 {
 APPSPAWN_CHECK_ONLY_EXPER(content != NULL, return -1);
@@ -802,6 +822,7 @@ MODULE_CONSTRUCTOR(void)
 (void)AddServerStageHook(STAGE_SERVER_EXIT, HOOK_PRIO_SANDBOX, SandboxHandleServerExit);
 (void)AddServerStageHook(STAGE_SERVER_EXIT, HOOK_PRIO_SANDBOX, IsolatedSandboxHandleServerExit);
 (void)AddAppSpawnHook(STAGE_PARENT_PRE_FORK, HOOK_PRIO_SANDBOX, SpawnPrepareSandboxCfg);
+ (void)AddAppSpawnHook(STAGE_PARENT_PRE_FORK, HOOK_PRIO_SANDBOX, SpawnMountDirToShared);
 (void)AddAppSpawnHook(STAGE_CHILD_EXECUTE, HOOK_PRIO_SANDBOX, SpawnBuildSandboxEnv);
 (void)AddProcessMgrHook(STAGE_SERVER_APP_DIED, 0, SandboxUnmountPath);
 }
diff --git a/modules/sandbox/sandbox_shared.c b/modules/sandbox/sandbox_shared.c
new file mode 100644
index 0000000000000000000000000000000000000000..983a9390fd525e454fe790cc833c71e061ad01d9
--- /dev/null
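Review bot: SpawnMountDirToShared is registered at STAGE_PARENT_PRE_FORK, i.e. it runs in the appspawn parent before the child exists, so whatever MountDirsToShared mounts lands in the parent's mount namespace and persists across spawns; nothing in the function or its registration says this is intended, and the two `// need free after mount` comments describe the context, not the mounts. A header comment would help, e.g. `// Parent-side pre-fork hook: prepares the app's shared mount points in appspawn's own mount namespace so they are visible in the child after fork.` (adjust to what MountDirsToShared actually does). The function also repeats GetSandboxType/GetAppSpawnSandbox and re-assigns `content->content.sandboxType`, which SpawnPrepareSandboxCfg already sets at the same stage and priority; if equal-priority hooks run in registration order this is harmless duplication, otherwise the assignment may happen before UpdatePermissionFlags rather than after. On failure the MountDirsToShared error is both logged and returned, stricter than the other mount paths in this diff that only log; confirm that a non-zero hook return is meant to abort the spawn.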
+++ b/modules/sandbox/sandbox_shared.c 
@@ -0,0 +1,531 @@ +/* + * Copyright (C) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "sandbox_shared.h" + +#include +#include "securec.h" + +#include "appspawn_sandbox.h" +#include "appspawn_permission.h" +#include "appspawn_utils.h" +#include "parameter.h" + +#define USER_ID_SIZE 16 +#define DIR_MODE 0711 +#define LOCK_STATUS_SIZE 16 + +#define DATA_GROUP_SOCKET_TYPE "DataGroup" +#define GROUPLIST_KEY_DATAGROUPID "dataGroupId" +#define GROUPLIST_KEY_GID "gid" +#define GROUPLIST_KEY_DIR "dir" +#define GROUPLIST_KEY_UUID "uuid" + +static const MountSharedTemplate MOUNT_SHARED_MAP[] = { + {"/data/storage/el2", NULL}, + {"/data/storage/el3", NULL}, + {"/data/storage/el4", NULL}, + {"/data/storage/el5", "ohos.permission.PROTECT_SCREEN_LOCK_DATA"}, +}; + +static const DataGroupSandboxPathTemplate DATA_GROUP_SANDBOX_PATH_MAP[] = { + {"el2", EL2, "/data/storage/el2/group/", NULL}, + {"el3", EL3, "/data/storage/el3/group/", NULL}, + {"el4", EL4, "/data/storage/el4/group/", NULL}, + {"el5", EL5, "/data/storage/el5/group/", "ohos.permission.PROTECT_SCREEN_LOCK_DATA"}, +}; + +bool IsValidDataGroupItem(cJSON *item) +{ + // Check if the item contains the specified key and if the value corresponding to the key is a string + cJSON *datagroupId = cJSON_GetObjectItem(item, GROUPLIST_KEY_DATAGROUPID); + cJSON *gid = cJSON_GetObjectItem(item, GROUPLIST_KEY_GID); + cJSON *dir = cJSON_GetObjectItem(item, GROUPLIST_KEY_DIR); + cJSON 
*uuid = cJSON_GetObjectItem(item, GROUPLIST_KEY_UUID); + + if (datagroupId && cJSON_IsString(datagroupId) && + gid && cJSON_IsString(gid) && + dir && cJSON_IsString(dir) && + uuid && cJSON_IsString(uuid)) { + return true; + } + return false; +} + +int GetElxInfoFromDir(const char *path) +{ + int ret = ELX_MAX; + if (path == NULL) { + return ret; + } + uint32_t count = ARRAY_LENGTH(DATA_GROUP_SANDBOX_PATH_MAP); + for (uint32_t i = 0; i < count; ++i) { + if (strstr(path, DATA_GROUP_SANDBOX_PATH_MAP[i].elxName) != NULL) { + return DATA_GROUP_SANDBOX_PATH_MAP[i].category; + } + } + APPSPAWN_LOGE("Get elx info from dir failed, path %{public}s", path); + return ret; +} + +const DataGroupSandboxPathTemplate *GetDataGroupArgTemplate(uint32_t category) +{ + uint32_t count = ARRAY_LENGTH(DATA_GROUP_SANDBOX_PATH_MAP); + if (category > count) { + APPSPAWN_LOGE("category %{public}d is out of range", category); + return NULL; + } + for (uint32_t i = 0; i < count; ++i) { + if (DATA_GROUP_SANDBOX_PATH_MAP[i].category == category) { + return &DATA_GROUP_SANDBOX_PATH_MAP[i]; + } + } + return NULL; +} + +static bool IsUnlockStatus(uint32_t uid) +{ + const int userIdBase = UID_BASE; + uid = uid / userIdBase; + if (uid == 0) { + return true; + } + char lockStatusParam[PARAM_BUFFER_SIZE] = {0}; + int ret = snprintf_s(lockStatusParam, PARAM_BUFFER_SIZE, PARAM_BUFFER_SIZE - 1, + "startup.appspawn.lockstatus_%u", uid); + APPSPAWN_CHECK(ret > 0, return APPSPAWN_ERROR_UTILS_MEM_FAIL, + "Format lock status param failed, errno: %{public}d", errno); + + char userLockStatus[LOCK_STATUS_SIZE] = {0}; + ret = GetParameter(lockStatusParam, "1", userLockStatus, sizeof(userLockStatus)); + APPSPAWN_LOGI("Get param %{public}s %{public}s", lockStatusParam, userLockStatus); + if (ret > 0 && (strcmp(userLockStatus, "0") == 0)) { // 0:unlock status 1:lock status + return true; + } + return false; +} + +static bool SetSandboxPathShared(const char *sandboxPath) +{ + int ret = mount(NULL, sandboxPath, NULL, 
MS_SHARED, NULL); + if (ret != 0) { + APPSPAWN_LOGW("Need to mount %{public}s to shared, errno %{public}d", sandboxPath, errno); + return false; + } + return true; +} + +static int MountWithFileMgr(const AppDacInfo *info) +{ + /* /mnt/user//nosharefs/docs */ + char nosharefsDocsDir[PATH_MAX_LEN] = {0}; + int ret = snprintf_s(nosharefsDocsDir, PATH_MAX_LEN, PATH_MAX_LEN - 1, "/mnt/user/%u/nosharefs/docs", + info->uid / UID_BASE); + if (ret <= 0) { + APPSPAWN_LOGE("snprintf nosharefsDocsDir failed, errno %{public}d", errno); + return APPSPAWN_ERROR_UTILS_MEM_FAIL; + } + + /* /mnt/sandbox/uid / UID_BASE); + if (ret <= 0) { + APPSPAWN_LOGE("snprintf storageUserPath failed, errno %{public}d", errno); + return APPSPAWN_ERROR_UTILS_MEM_FAIL; + } + + // Check whether the directory is a shared mount point + if (SetSandboxPathShared(storageUserPath)) { + APPSPAWN_LOGV("shared mountpoint is exist"); + return 0; + } + + ret = CreateSandboxDir(storageUserPath, DIR_MODE); + if (ret != 0) { + APPSPAWN_LOGE("mkdir %{public}s failed, errno %{public}d", storageUserPath, errno); + return APPSPAWN_SANDBOX_ERROR_MKDIR_FAIL; + } + + MountArg arg = { + .originPath = nosharefsDocsDir, + .destinationPath = storageUserPath, + .fsType = NULL, + .mountFlags = MS_BIND | MS_REC, + .options = NULL, + .mountSharedFlag = MS_SHARED + }; + ret = SandboxMountPath(&arg); + if (ret != 0) { + APPSPAWN_LOGE("mount %{public}s shared failed, ret %{public}d", storageUserPath, ret); + } + return ret; +} + +static int MountWithOther(const AppDacInfo *info) +{ + /* /mnt/user//sharefs/docs */ + char sharefsDocsDir[PATH_MAX_LEN] = {0}; + int ret = snprintf_s(sharefsDocsDir, PATH_MAX_LEN, PATH_MAX_LEN - 1, "/mnt/user/%u/sharefs/docs", + info->uid / UID_BASE); + if (ret <= 0) { + APPSPAWN_LOGE("snprintf sharefsDocsDir failed, errno %{public}d", errno); + return APPSPAWN_ERROR_UTILS_MEM_FAIL; + } + + /* /mnt/sandbox/uid / UID_BASE); + if (ret <= 0) { + APPSPAWN_LOGE("snprintf storageUserPath failed, errno 
%{public}d", errno); + return APPSPAWN_ERROR_UTILS_MEM_FAIL; + } + + // Check whether the directory is a shared mount point + if (SetSandboxPathShared(storageUserPath)) { + APPSPAWN_LOGV("shared mountpoint is exist"); + return 0; + } + + ret = CreateSandboxDir(storageUserPath, DIR_MODE); + if (ret != 0) { + APPSPAWN_LOGE("mkdir %{public}s failed, errno %{public}d", storageUserPath, errno); + return APPSPAWN_SANDBOX_ERROR_MKDIR_FAIL; + } + + char options[PATH_MAX_LEN] = {0}; + ret = snprintf_s(options, PATH_MAX_LEN, PATH_MAX_LEN - 1, "override_support_delete,user_id=%u", + info->uid / UID_BASE); + if (ret <= 0) { + APPSPAWN_LOGE("snprintf options failed, errno %{public}d", errno); + return APPSPAWN_ERROR_UTILS_MEM_FAIL; + } + + MountArg arg = { + .originPath = sharefsDocsDir, + .destinationPath = storageUserPath, + .fsType = "sharefs", + .mountFlags = MS_NODEV, + .options = options, + .mountSharedFlag = MS_SHARED + }; + ret = SandboxMountPath(&arg); + if (ret != 0) { + APPSPAWN_LOGE("mount %{public}s shared failed, ret %{public}d", storageUserPath, ret); + } + return ret; +} + +static void MountStorageUsers(const SandboxContext *context, AppSpawnSandboxCfg *sandbox, const AppDacInfo *info) +{ + int ret = 0; + int index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_ACCESS_MANAGER_MODE); + int checkRes = CheckSandboxCtxPermissionFlagSet(context, (uint32_t)index); + if (checkRes == 0) { + /* mount /mnt/user//sharefs/docs to /mnt/sandbox//app-root/storage/Users */ + ret = MountWithOther(info); + } else { + /* mount /mnt/user//nosharefs/docs to /mnt/sandbox//app-root/storage/Users */ + ret = MountWithFileMgr(info); + } + if (ret != 0) { + APPSPAWN_LOGE("Update %{public}s storage dir failed, ret %{public}d", + checkRes == 0 ? "sharefs dir" : "no sharefs dir", ret); + } else { + APPSPAWN_LOGI("Update %{public}s storage dir success", checkRes == 0 ? 
"sharefs dir" : "no sharefs dir"); + } +} + +static int MountSharedMapItem(const char *bundleNamePath, const char *sandboxPathItem) +{ + /* /mnt/sandbox///data/storage/el */ + char sandboxPath[PATH_MAX_LEN] = {0}; + int ret = snprintf_s(sandboxPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%s", + bundleNamePath, sandboxPathItem); + if (ret <= 0) { + APPSPAWN_LOGE("snprintf sandboxPath failed, errno %{public}d", errno); + return APPSPAWN_ERROR_UTILS_MEM_FAIL; + } + + // Check whether the directory is a shared mount point + if (SetSandboxPathShared(sandboxPath)) { + APPSPAWN_LOGV("shared mountpoint is exist"); + return 0; + } + + ret = CreateSandboxDir(sandboxPath, DIR_MODE); + if (ret != 0) { + APPSPAWN_LOGE("mkdir %{public}s failed, errno %{public}d", sandboxPath, errno); + return APPSPAWN_SANDBOX_ERROR_MKDIR_FAIL; + } + + MountArg arg = { + .originPath = sandboxPath, + .destinationPath = sandboxPath, + .fsType = NULL, + .mountFlags = MS_BIND | MS_REC, + .options = NULL, + .mountSharedFlag = MS_SHARED + }; + ret = SandboxMountPath(&arg); + if (ret != 0) { + APPSPAWN_LOGE("mount %{public}s shared failed, ret %{public}d", sandboxPath, ret); + } + return ret; +} + +static void MountSharedMap(const SandboxContext *context, AppSpawnSandboxCfg *sandbox, const char *bundleNamePath) +{ + int length = sizeof(MOUNT_SHARED_MAP) / sizeof(MOUNT_SHARED_MAP[0]); + for (int i = 0; i < length; i++) { + if (MOUNT_SHARED_MAP[i].permission == NULL) { + MountSharedMapItem(bundleNamePath, MOUNT_SHARED_MAP[i].sandboxPath); + } else { + int index = GetPermissionIndexInQueue(&sandbox->permissionQueue, MOUNT_SHARED_MAP[i].permission); + APPSPAWN_LOGV("mount dir on lock mountPermissionFlags %{public}d", index); + if (CheckSandboxCtxPermissionFlagSet(context, (uint32_t)index)) { + MountSharedMapItem(bundleNamePath, MOUNT_SHARED_MAP[i].sandboxPath); + } + } + } + APPSPAWN_LOGI("mount shared map success"); +} + +static int DataGroupCtxNodeCompare(ListNode *node, void *data) +{ + DataGroupCtx 
*existingNode = (DataGroupCtx *)ListEntry(node, DataGroupCtx, node);
+ DataGroupCtx *newNode = (DataGroupCtx *)data;
+ if (existingNode == NULL || newNode == NULL) {
+ APPSPAWN_LOGE("Invalid param");
+ return APPSPAWN_ARG_INVALID;
+ }
+
+ // compare src path and sandbox path
+ bool isSrcPathEqual = (strcmp(existingNode->srcPath.path, newNode->srcPath.path) == 0);
+ bool isDestPathEqual = (strcmp(existingNode->destPath.path, newNode->destPath.path) == 0);
+
+ return (isSrcPathEqual && isDestPathEqual) ? 0 : 1;
+}
+
+static int AddDataGroupItemToQueue(AppSpawnMgr *content, const char *srcPath, const char *destPath)
+{
+ DataGroupCtx *dataGroupNode = (DataGroupCtx *)calloc(1, sizeof(DataGroupCtx));
+ APPSPAWN_CHECK(dataGroupNode != NULL, return APPSPAWN_ERROR_UTILS_MEM_FAIL, "Calloc dataGroupNode failed");
+ if (strcpy_s(dataGroupNode->srcPath.path, PATH_MAX_LEN - 1, srcPath) != EOK ||
+ strcpy_s(dataGroupNode->destPath.path, PATH_MAX_LEN - 1, destPath) != EOK) {
+ APPSPAWN_LOGE("strcpy dataGroupNode path failed");
+ free(dataGroupNode);
+ dataGroupNode = NULL;
+ return APPSPAWN_ERROR_UTILS_MEM_FAIL;
+ }
+ dataGroupNode->srcPath.pathLen = strlen(dataGroupNode->srcPath.path);
+ dataGroupNode->destPath.pathLen = strlen(dataGroupNode->destPath.path);
+ ListNode *node = OH_ListFind(&content->dataGroupCtxQueue, (void *)dataGroupNode, DataGroupCtxNodeCompare);
+ if (node != NULL) {
+ APPSPAWN_LOGI("DataGroupCtxNode %{public}s is exist", dataGroupNode->srcPath.path);
+ free(dataGroupNode);
+ dataGroupNode = NULL;
+ return 0;
+ }
+ OH_ListInit(&dataGroupNode->node);
+ OH_ListAddTail(&content->dataGroupCtxQueue, &dataGroupNode->node);
+ return 0;
+}
+
+static inline cJSON *GetJsonObjFromExtInfo(const SandboxContext *context, const char *name)
+{
+ uint32_t size = 0;
+ char *extInfo = (char *)(GetAppSpawnMsgExtInfo(context->message, name, &size));
+ if (size == 0 || extInfo == NULL) {
+ return NULL;
+ }
+ APPSPAWN_LOGV("Get json name %{public}s value %{public}s", name, 
extInfo);
+ cJSON *extInfoJson = cJSON_Parse(extInfo); // need to free
+ APPSPAWN_CHECK(extInfoJson != NULL, return NULL, "Invalid ext info %{public}s for %{public}s", extInfo, name);
+ return extInfoJson;
+}
+
+static void DumpDataGroupCtxQueue(const ListNode *front)
+{
+ if (front == NULL) {
+ return;
+ }
+
+ uint32_t count = 0;
+ ListNode *node = front->next;
+ while (node != front && node != NULL) {
+ DataGroupCtx *dataGroupNode = (DataGroupCtx *)ListEntry(node, DataGroupCtx, node);
+ count++;
+ APPSPAWN_LOGV(" ************************************** %{public}d", count);
+ APPSPAWN_LOGV(" srcPath: %{public}s", dataGroupNode->srcPath.path);
+ APPSPAWN_LOGV(" destPath: %{public}s", dataGroupNode->destPath.path);
+ node = node->next;
+ }
+}
+
+static int ParseDataGroupList(AppSpawnMgr *content, SandboxContext *context, const AppSpawnSandboxCfg *appSandbox,
+ const char *bundleNamePath)
+{
+ int ret = 0;
+ cJSON *dataGroupList = GetJsonObjFromExtInfo(context, DATA_GROUP_SOCKET_TYPE);
+ if (dataGroupList == NULL) {
+ return APPSPAWN_ARG_INVALID;
+ }
+
+ // Iterate through the array (assuming groups is an array)
+ cJSON *item = NULL;
+ cJSON_ArrayForEach(item, dataGroupList) {
+ // Check if the item is valid
+ APPSPAWN_CHECK(IsValidDataGroupItem(item), break, "Element is not a valid data group item");
+
+ cJSON *dirItem = cJSON_GetObjectItemCaseSensitive(item, "dir");
+ cJSON *uuidItem = cJSON_GetObjectItemCaseSensitive(item, "uuid");
+ if (dirItem == NULL || !cJSON_IsString(dirItem) || uuidItem == NULL || !cJSON_IsString(uuidItem)) {
+ APPSPAWN_LOGE("Data group element is invalid");
+ break;
+ }
+
+ const char *srcPath = dirItem->valuestring;
+ APPSPAWN_CHECK(!CheckPath(srcPath), break, "src path %{public}s is invalid", srcPath);
+
+ int elxValue = GetElxInfoFromDir(srcPath);
+ APPSPAWN_CHECK((elxValue >= EL2 && elxValue < ELX_MAX), break, "Get elx value failed");
+
+ const DataGroupSandboxPathTemplate *templateItem = GetDataGroupArgTemplate(elxValue);
+ 
APPSPAWN_CHECK(templateItem != NULL, break, "Get data group arg template failed");
+
+ // If permission isn't null, need check permission flag
+ if (templateItem->permission != NULL) {
+ int index = GetPermissionIndexInQueue(&appSandbox->permissionQueue, templateItem->permission);
+ APPSPAWN_LOGV("mount dir no lock mount permission flag %{public}d", index);
+ if (!CheckSandboxCtxPermissionFlagSet(context, (uint32_t)index)) {
+ continue;
+ }
+ }
+ // sandboxPath: /mnt/sandbox///data/storage/el/group/
+ char targetPath[PATH_MAX_LEN] = {0};
+ int len = snprintf_s(targetPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "%s%s%s",
+ bundleNamePath, templateItem->sandboxPath, uuidItem->valuestring);
+ APPSPAWN_CHECK(len > 0, break, "Failed to format targetPath");
+
+ ret = AddDataGroupItemToQueue(content, srcPath, targetPath);
+ if (ret != 0) {
+ APPSPAWN_LOGE("Add datagroup item to dataGroupCtxQueue failed, el%{public}d", elxValue);
+ OH_ListRemoveAll(&content->dataGroupCtxQueue, NULL);
+ break;
+ }
+ }
+ cJSON_Delete(dataGroupList);
+
+ DumpDataGroupCtxQueue(&content->dataGroupCtxQueue);
+ return ret;
+}
+
+int UpdateDataGroupDirs(AppSpawnMgr *content)
+{
+ if (content == NULL) {
+ return APPSPAWN_ARG_INVALID;
+ }
+
+ int ret = 0;
+ ListNode *node = content->dataGroupCtxQueue.next;
+ while (node != &content->dataGroupCtxQueue && node != NULL) {
+ DataGroupCtx *dataGroupNode = (DataGroupCtx *)ListEntry(node, DataGroupCtx, node);
+ MountArg args = {
+ .originPath = dataGroupNode->srcPath.path,
+ .destinationPath = dataGroupNode->destPath.path,
+ .fsType = NULL,
+ .mountFlags = MS_BIND | MS_REC,
+ .options = NULL,
+ .mountSharedFlag = MS_SHARED
+ };
+ ret = SandboxMountPath(&args);
+ if (ret != 0) {
+ APPSPAWN_LOGE("Shared mount %{public}s to %{public}s failed, errno %{public}d", args.originPath,
+ args.destinationPath, ret);
+ }
+ node = node->next;
+ }
+ OH_ListRemoveAll(&content->dataGroupCtxQueue, NULL);
+ return 0;
+}
+
+static int CreateSharedStamp(AppSpawnMsgDacInfo *info, 
SandboxContext *context)
+{
+ char lockSbxPathStamp[PATH_MAX_LEN] = {0};
+ int ret = 0;
+ if (CheckSandboxCtxMsgFlagSet(context, APP_FLAGS_ISOLATED_SANDBOX_TYPE) != 0) {
+ ret = snprintf_s(lockSbxPathStamp, PATH_MAX_LEN, PATH_MAX_LEN - 1,
+ "/mnt/sandbox/%d/isolated/%s_locked", info->uid / UID_BASE, context->bundleName);
+ } else {
+ ret = snprintf_s(lockSbxPathStamp, PATH_MAX_LEN, PATH_MAX_LEN - 1,
+ "/mnt/sandbox/%d/%s_locked", info->uid / UID_BASE, context->bundleName);
+ }
+ if (ret <= 0) {
+ APPSPAWN_LOGE("Failed to format lock sandbox path stamp");
+ return APPSPAWN_ERROR_UTILS_MEM_FAIL;
+ }
+ ret = CreateSandboxDir(lockSbxPathStamp, DIR_MODE);
+ if (ret != 0) {
+ APPSPAWN_LOGE("Mkdir %{public}s failed, errno: %{public}d", lockSbxPathStamp, errno);
+ }
+ return ret;
+}
+
+int MountDirsToShared(AppSpawnMgr *content, SandboxContext *context, AppSpawnSandboxCfg *sandbox)
+{
+ if (content == NULL || context == NULL || sandbox == NULL) {
+ APPSPAWN_LOGE("Input paramters invalid");
+ return APPSPAWN_SANDBOX_INVALID;
+ }
+
+ AppSpawnMsgDacInfo *info = (AppSpawnMsgDacInfo *)GetSandboxCtxMsgInfo(context, TLV_DAC_INFO);
+ AppSpawnMsgBundleInfo *bundleInfo = (AppSpawnMsgBundleInfo *)GetSandboxCtxMsgInfo(context, TLV_BUNDLE_INFO);
+ if (info == NULL || bundleInfo == NULL) {
+ APPSPAWN_LOGE("Info or bundleInfo invalid");
+ return APPSPAWN_SANDBOX_INVALID;
+ }
+
+ if (IsUnlockStatus(info->uid)) {
+ return 0;
+ }
+
+ /* /mnt/sandbox// */
+ char bundleNamePath[PATH_MAX_LEN] = {0};
+ int ret = snprintf_s(bundleNamePath, PATH_MAX_LEN, PATH_MAX_LEN - 1,
+ "/mnt/sandbox/%u/%s", info->uid / UID_BASE, bundleInfo->bundleName);
+ if (ret < 0) {
+ APPSPAWN_LOGE("Failed to format lock sandbox path stamp");
+ return APPSPAWN_ERROR_UTILS_MEM_FAIL;
+ }
+
+ MountSharedMap(context, sandbox, bundleNamePath);
+ MountStorageUsers(context, sandbox, info);
+ ParseDataGroupList(content, context, sandbox, bundleNamePath);
+
+ ret = CreateSharedStamp(info, context);
+ if (ret != 0) {
+ 
APPSPAWN_LOGE("mkdir lockSbxPathStamp failed, ret: %{public}d", ret);
+ }
+ return ret;
+}
+
+MODULE_CONSTRUCTOR(void)
+{
+#ifdef APPSPAWN_SANDBOX_NEW
+ (void)AddServerStageHook(STAGE_SERVER_LOCK, HOOK_PRIO_COMMON, UpdateDataGroupDirs);
+#endif
+}
diff --git a/modules/sandbox/sandbox_shared.h b/modules/sandbox/sandbox_shared.h
new file mode 100644
index 0000000000000000000000000000000000000000..74c067c60d10a6f4684fcf4618b21bc15eae415f
--- /dev/null
+++ b/modules/sandbox/sandbox_shared.h 
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SANDBOX_SHARED_H
+#define SANDBOX_SHARED_H
+
+#include "appspawn.h"
+#include "appspawn_hook.h"
+#include "appspawn_manager.h"
+#include "appspawn_utils.h"
+#include "json_utils.h"
+#include "list.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+enum {
+ EL2 = 0,
+ EL3,
+ EL4,
+ EL5,
+ ELX_MAX
+};
+
+typedef struct DataGroupSandboxPathTemplate {
+ const char *elxName;
+ uint32_t category;
+ const char *sandboxPath;
+ const char *permission;
+} DataGroupSandboxPathTemplate;
+
+/**
+ * @brief DataGroup expand info
+ */
+bool IsValidDataGroupItem(cJSON *item);
+int GetElxInfoFromDir(const char *path);
+const DataGroupSandboxPathTemplate *GetDataGroupArgTemplate(uint32_t category);
+
+/**
+ * @brief Mount the dirs as shared before device unlocking
+ */
+int MountDirsToShared(AppSpawnMgr *content, SandboxContext *context, AppSpawnSandboxCfg *sandbox);
+
+#ifdef __cplusplus
+}
+#endif
+#endif // SANDBOX_SHARED_H
diff --git a/standard/appspawn_appmgr.c b/standard/appspawn_appmgr.c
index 7785eca2a145959e381f949d143d8ba3670c051c..55b02dc6a777721497f9f6c7124fa5315f9d5ce2 100644
--- a/standard/appspawn_appmgr.c
+++ b/standard/appspawn_appmgr.c 
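Review bot: The `@brief Mount the dirs as shared before device unlocking` comment on `MountDirsToShared` leaves the return contract undocumented, and the implementation earlier in this diff returns 0 as soon as `IsUnlockStatus(info->uid)` is true and otherwise returns only the result of `CreateSharedStamp`, while failures inside `MountSharedMap`, `MountStorageUsers` and `ParseDataGroupList` are logged and dropped. A caller reading 0 as "all shared mounts are in place" will be misled, so either propagate those results or extend the comment with `@return 0 when the user is already unlocked or the lock stamp dir was created; individual shared-mount failures are only logged`. The header also uses `bool`, `uint32_t` and `cJSON` without including `<stdbool.h>`, `<stdint.h>` or the cJSON header itself, so it is self-contained only if `appspawn.h` or `json_utils.h` happen to pull them in; adding the includes removes that dependency on include order. The three declarations under `@brief DataGroup expand info` deserve one line each, for instance that `GetElxInfoFromDir` yields a value in `[EL2, ELX_MAX)` on success, which is exactly what `ParseDataGroupList` checks.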
@@ -61,9 +61,7 @@ AppSpawnMgr *CreateAppSpawnMgr(int mode)
 OH_ListInit(&appMgr->appQueue);
 OH_ListInit(&appMgr->diedQueue);
 OH_ListInit(&appMgr->appSpawnQueue);
-#ifndef APPSPAWN_SANDBOX_NEW
 OH_ListInit(&appMgr->dataGroupCtxQueue);
-#endif
 appMgr->diedAppCount = 0;
 OH_ListInit(&appMgr->extData);
 g_appSpawnMgr = appMgr;
@@ -104,9 +102,7 @@ void DeleteAppSpawnMgr(AppSpawnMgr *mgr)
 OH_ListRemoveAll(&mgr->diedQueue, NULL);
 OH_ListRemoveAll(&mgr->appSpawnQueue, SpawningQueueDestroy);
 OH_ListRemoveAll(&mgr->extData, ExtDataDestroy);
-#ifndef APPSPAWN_SANDBOX_NEW
 OH_ListRemoveAll(&mgr->dataGroupCtxQueue, NULL);
-#endif
 #ifdef APPSPAWN_HISYSEVENT
 DeleteHisyseventInfo(mgr->hisyseventInfo);
 #endif
diff --git a/standard/appspawn_manager.h b/standard/appspawn_manager.h
index 3c16cb2ff448b60cc9c749ea9aa1b61bfe4571a2..a83acae695a196eda6003eaaea83018bf2c838f1 100644
--- a/standard/appspawn_manager.h
+++ b/standard/appspawn_manager.h
@@ -111,7 +111,6 @@ typedef struct SpawnTime {
 int maxAppspawnTime;
 } SpawnTime;
-#ifndef APPSPAWN_SANDBOX_NEW
 typedef struct TagPathBuffer {
 uint32_t pathLen;
 char path[PATH_MAX_LEN];
@@ -124,7 +123,6 @@ typedef struct TagDataGroupCtx {
 PathBuffer srcPath;
 PathBuffer destPath;
 } DataGroupCtx;
-#endif
 typedef struct TagAppSpawnMgr {
 AppSpawnContent content;
@@ -140,9 +138,7 @@ typedef struct TagAppSpawnMgr {
 struct timespec perLoadEnd;
 struct ListNode extData;
 struct SpawnTime spawnTime;
-#ifndef APPSPAWN_SANDBOX_NEW
 struct ListNode dataGroupCtxQueue;
-#endif
 #ifdef APPSPAWN_HISYSEVENT
 AppSpawnHisyseventInfo *hisyseventInfo;
 #endif
diff --git a/standard/appspawn_service.c b/standard/appspawn_service.c
index 70dae3e8a60b32f5792dc0117778faddd5256bce..9285b873e6a0b0c194c600faa0c00541936aaf30 100644
--- a/standard/appspawn_service.c
+++ b/standard/appspawn_service.c 
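Review bot: With the `#ifndef APPSPAWN_SANDBOX_NEW` guard removed, `DeleteAppSpawnMgr` now drains `dataGroupCtxQueue` in every build with `OH_ListRemoveAll(&mgr->dataGroupCtxQueue, NULL)`, yet the entries that `AddDataGroupItemToQueue` in sandbox_shared.c places there are `calloc`'d `DataGroupCtx` objects, and whether a NULL destroy proc frees the container or merely unlinks it depends on list.h, which this diff does not show. If it only unlinks, anything still queued at shutdown (and the items discarded by the same call in `UpdateDataGroupDirs` and `ParseDataGroupList`) leaks; an explicit callback such as `static void DataGroupCtxDestroy(ListNode *node) { free(ListEntry(node, DataGroupCtx, node)); }` passed in place of NULL states the ownership either way. The same guard removal is repeated in the three appspawn_manager.h hunks that follow, which now expose `PathBuffer`, `DataGroupCtx` and the queue unconditionally; `CreateAppSpawnMgr` and `DeleteAppSpawnMgr` both begin outside these hunks.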
@@ -1748,11 +1748,9 @@ static void ProcessAppSpawnLockStatusMsg(AppSpawnMsgNode *message)
 #ifdef APPSPAWN_HISYSEVENT
 ReportKeyEvent(strcmp(userLockStatus, "0") == 0 ? UNLOCK_SUCCESS : LOCK_SUCCESS);
 #endif
-#ifndef APPSPAWN_SANDBOX_NEW
 if (strcmp(userLockStatus, "0") == 0) {
 ServerStageHookExecute(STAGE_SERVER_LOCK, GetAppSpawnContent());
 }
-#endif
 }
 APPSPAWN_STATIC int AppSpawnReqMsgFdGet(AppSpawnConnection *connection, AppSpawnMsgNode *message,
diff --git a/test/unittest/app_spawn_standard_test/BUILD.gn b/test/unittest/app_spawn_standard_test/BUILD.gn
index 7a06607118a33ef289d08cf7de5c4e421c64dea0..354507f43a5e94c7adae47c7ca148f5ce1e640c1 100644
--- a/test/unittest/app_spawn_standard_test/BUILD.gn
+++ b/test/unittest/app_spawn_standard_test/BUILD.gn
@@ -143,6 +143,7 @@ ohos_unittest("AppSpawn_ut") {
 if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) {
 sources += [
+ "${appspawn_path}/modules/sandbox/sandbox_shared.c",
 "${appspawn_path}/test/unittest/app_spawn_standard_test/app_spawn_sandbox_new_mount_test.cpp",
 "${appspawn_path}/test/unittest/app_spawn_standard_test/app_spawn_sandbox_new_test.cpp",
 ]
@@ -337,6 +338,7 @@ ohos_unittest("AppSpawn_coldrun_ut") {
 if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) {
 defines += [ "APPSPAWN_SANDBOX_NEW" ]
+ sources += [ "${appspawn_path}/modules/sandbox/sandbox_shared.c" ]
 } else {
 sources += [
 "${appspawn_path}/modules/sandbox/sandbox_shared_mount.cpp",
@@ -523,6 +525,7 @@ ohos_unittest("AppSpawn_common_ut") {
 if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) {
 defines += [ "APPSPAWN_SANDBOX_NEW" ]
+ sources += [ "${appspawn_path}/modules/sandbox/sandbox_shared.c" ]
 } else {
 sources += [
 "${appspawn_path}/modules/sandbox/sandbox_shared_mount.cpp", 
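Review bot: The unlock branch now runs `ServerStageHookExecute(STAGE_SERVER_LOCK, ...)` in every build, but the bare literal `"0"` standing for "unlocked" and a stage named LOCK that fires on unlock make the intent hard to read for the next maintainer. A one-line comment above the `if`, e.g. `/* "0" == user unlocked: run the deferred STAGE_SERVER_LOCK hooks (UpdateDataGroupDirs performs the queued shared mounts) */`, would tie the two halves of this diff together; the hook registration is visible in sandbox_shared.c's MODULE_CONSTRUCTOR. `ProcessAppSpawnLockStatusMsg` begins outside the hunk.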
diff --git a/test/unittest/app_spawn_standard_test/app_spawn_module_interface_test.cpp b/test/unittest/app_spawn_standard_test/app_spawn_module_interface_test.cpp
index 292572319171c81cf74f7f43402dc6e53d105fc6..c7797f71f45d501076612464bf2124ddfb32ea30 100644
--- a/test/unittest/app_spawn_standard_test/app_spawn_module_interface_test.cpp
+++ b/test/unittest/app_spawn_standard_test/app_spawn_module_interface_test.cpp
@@ -327,7 +327,7 @@ HWTEST_F(AppSpawnModuleInterfaceTest, App_Spawn_ParseJsonConfig_001, TestSize.Le
 {
 int ret = 0;
 #ifdef APPSPAWN_SANDBOX_NEW
- ret = ParseJsonConfig("etc/sandbox", WEB_SANDBOX_FILE_NAME, TestParseAppSandboxConfig, nullptr);
+ ret = ParseJsonConfig("etc/sandbox", RENDER_SANDBOX_FILE_NAME, TestParseAppSandboxConfig, nullptr);
 EXPECT_EQ(ret, 0);
 ret = ParseJsonConfig("etc/sandbox", APP_SANDBOX_FILE_NAME, TestParseAppSandboxConfig, nullptr);
 EXPECT_EQ(ret, 0);
diff --git a/test/unittest/app_spawn_standard_test/app_spawn_sandbox_new_test.cpp b/test/unittest/app_spawn_standard_test/app_spawn_sandbox_new_test.cpp
index a41201daa6f857f5f89c4d0927556e67bdb20048..75fc2b2fac5d51509fb4ae45ea138a9f622728c4 100644
--- a/test/unittest/app_spawn_standard_test/app_spawn_sandbox_new_test.cpp
+++ b/test/unittest/app_spawn_standard_test/app_spawn_sandbox_new_test.cpp
@@ -709,7 +709,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Permission_01, TestSize.Level0)
 }
 static int ProcessTestExpandConfig(const SandboxContext *context,
- const AppSpawnSandboxCfg *appSandBox, const char *name)
+ const AppSpawnSandboxCfg *appSandbox, const char *name)
 {
 uint32_t size = 0;
 char *extInfo = (char *)GetAppSpawnMsgExtInfo(context->message, name, &size); 
@@ -2268,13 +2268,13 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_sandbox, TestSize.Level0)
 SandboxMountNode node = {};
 char source[] = {"/data/app/el5//database/"};
 char target[] = {"/data/storage/el1/database"};
- const PathMountNode sandboxNode = {node, nullptr, nullptr, 0, false, 1, 1, 0, nullptr, {}};
+ const PathMountNode sandboxNode = {node, nullptr, nullptr, 0, false, 1, 1, 1, 0, nullptr, {}};
 const MountArg args = {"/data/xxx/xxx", nullptr, nullptr, 0, nullptr, 0};
 CreateDemandSrc(contextTest, &sandboxNode, &args);
 char apl[] = "apl";
- const PathMountNode sandboxNode1 = {node, source, nullptr, 0, false, 1, 1, 0, nullptr, {}};
- const PathMountNode sandboxNode2 = {node, nullptr, target, 0, false, 1, 1, 0, nullptr, {}};
- const PathMountNode sandboxNode3 = {node, source, target, 0, false, 1, 1, 0, apl, {}};
+ const PathMountNode sandboxNode1 = {node, source, nullptr, 0, false, 1, 1, 1, 0, nullptr, {}};
+ const PathMountNode sandboxNode2 = {node, nullptr, target, 0, false, 1, 1, 1, 0, nullptr, {}};
+ const PathMountNode sandboxNode3 = {node, source, target, 0, false, 1, 1, 1, 0, apl, {}};
 struct ListNode front;
 char name[] = {"test"};
 const SandboxSection section = {node, front, name, 16, 16, nullptr, 1, 1, nullptr};
@@ -2302,7 +2302,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_sandbox_001, TestSize.Level0)
 SandboxContext context1 = {{{}}, "test.example.ohos.com", nullptr, 1, 1, 1, 1, 1, 1, 1, rootPath};
 char source1[] = {"/xxx/xxx/xxx"};
 uint32_t operation = 0x1 << SANDBOX_TAG_SPAWN_FLAGS;
- const PathMountNode sandboxNode4 = {node, source1, target, 0, false, 1, 1, 0, apl, {}};
+ const PathMountNode sandboxNode4 = {node, source1, target, 0, false, 1, 1, 1, 0, apl, {}};
 context1.bundleHasWps = 1;
 int res = CheckSandboxMountNode(&context1, §ion, &sandboxNode4, operation);
 EXPECT_EQ(res, 1); 
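Review bot: Every `PathMountNode` in this hunk, in the `@@ -2302` hunk beside it and in the `@@ -2311` hunk that follows is built with a positional brace initializer, which is why adding one field to the struct forced eight test lines to change and leaves the run `1, 1, 1, 0` unreadable without the struct definition at hand. A small helper in the test file, e.g. `static PathMountNode MakeMountNode(const SandboxMountNode &node, char *source, char *target, char *apl)` that assigns the remaining fields by name, would confine the next field addition to one place and let each case state only what it varies. The `HWTEST_F` bodies that contain these lines start outside the hunks.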
@@ -2311,17 +2311,17 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_sandbox_001, TestSize.Level0)
 EXPECT_EQ(res, 1);
 char source2[] = "/data/app/xxx";
- const PathMountNode sandboxNode5 = {node, source2, target, 0, false, 1, 1, 0, apl, {}};
+ const PathMountNode sandboxNode5 = {node, source2, target, 0, false, 1, 1, 1, 0, apl, {}};
 res = CheckSandboxMountNode(&context1, §ion, &sandboxNode5, operation);
 EXPECT_EQ(res, 1);
 char source3[] = "/data/app/base";
- const PathMountNode sandboxNode6 = {node, source3, target, 0, false, 1, 1, 0, apl, {}};
+ const PathMountNode sandboxNode6 = {node, source3, target, 0, false, 1, 1, 1, 0, apl, {}};
 res = CheckSandboxMountNode(&context1, §ion, &sandboxNode6, operation);
 EXPECT_EQ(res, 1);
 char source4[] = "/data/app/";
- const PathMountNode sandboxNode7 = {node, source4, target, 0, false, 1, 1, 0, apl, {}};
+ const PathMountNode sandboxNode7 = {node, source4, target, 0, false, 1, 1, 1, 0, apl, {}};
 res = CheckSandboxMountNode(&context1, §ion, &sandboxNode7, operation);
 EXPECT_EQ(res, 1);
 }
diff --git a/test/unittest/app_spawn_standard_test/app_spawn_sandboxmgr_test.cpp b/test/unittest/app_spawn_standard_test/app_spawn_sandboxmgr_test.cpp
index 272847a292e581135616adbbd89d1f5d63d2ae07..3a63ac1c0f42af73412f4e44ac10e8faf5146470 100644
--- a/test/unittest/app_spawn_standard_test/app_spawn_sandboxmgr_test.cpp
+++ b/test/unittest/app_spawn_standard_test/app_spawn_sandboxmgr_test.cpp
@@ -628,7 +628,7 @@ HWTEST_F(AppSpawnSandboxMgrTest, App_Spawn_AddVariableReplaceHandler_001, TestSi
 *
 */
 static int TestProcessExpandSandboxCfg(const SandboxContext *context,
- const AppSpawnSandboxCfg *appSandBox, const char *name)
+ const AppSpawnSandboxCfg *appSandbox, const char *name)
 {
 return 0;
 }
diff --git a/util/include/appspawn_utils.h b/util/include/appspawn_utils.h
old mode 100755
new mode 100644
index 6b585c580eee466d6964fdf651786a84608e0ab1..2ab428c73b7dc0a697ed517bb2de610df4563c88
--- a/util/include/appspawn_utils.h 
+++ b/util/include/appspawn_utils.h
@@ -100,6 +100,11 @@ typedef struct TagAppSpawnCommonEnv {
 int developerModeEnable;
 } AppSpawnCommonEnv;
+/* spawner permission */
+static const char *g_spawnerPermissionList[] = {
+ "ohos.permission.FOWNER"
+};
+
 typedef enum {
 APPSPAWN_OK = 0,
 APPSPAWN_SYSTEM_ERROR = 0xD000000,
@@ -110,7 +115,6 @@ typedef enum {
 APPSPAWN_TLV_NONE,
 APPSPAWN_SANDBOX_NONE,
 APPSPAWN_SANDBOX_LOAD_FAIL,
- APPSPAWN_SANDBOX_INVALID,
 APPSPAWN_SANDBOX_MOUNT_FAIL, // 0xD00000a
 APPSPAWN_SPAWN_TIMEOUT, // 0xD00000a
 APPSPAWN_CHILD_CRASH, // 0xD00000b
@@ -128,6 +132,7 @@ typedef enum {
 APPSPAWN_ERROR_UTILS_CREATE_JSON_FAIL,
 APPSPAWN_ERROR_UTILS_ADD_JSON_FAIL,
 /* sandbox errno num */
+ APPSPAWN_SANDBOX_INVALID,
 APPSPAWN_SANDBOX_ERROR_MKDIR_FAIL,
 APPSPAWN_SANDBOX_ERROR_MOUNT_FAIL,
 APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL,
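Review bot: `g_spawnerPermissionList` is defined `static` inside a header, so every translation unit that includes appspawn_utils.h receives its own private copy of the array and an unused-variable warning wherever it is not referenced; a header should carry only the declaration. Suggest `extern const char *const g_spawnerPermissionList[];` together with an `extern const size_t g_spawnerPermissionCount;` here and the definitions in one .c file, or at minimum `static const char *const g_spawnerPermissionList[]` so the pointer elements themselves are immutable. The comment `/* spawner permission */` could also say what the list gates, since nothing in this diff shows a consumer.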
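Review bot: Moving `APPSPAWN_SANDBOX_INVALID` from the `APPSPAWN_SYSTEM_ERROR` block to the sandbox-errno block in the last two hunks changes its numeric value and shifts every enumerator after its old slot down by one (`APPSPAWN_SANDBOX_MOUNT_FAIL`, `APPSPAWN_SPAWN_TIMEOUT`, `APPSPAWN_CHILD_CRASH`, and all that follow), so any out-of-tree client, log parser or test that matches the numeric codes will see different values; the `// 0xD00000a` / `// 0xD00000b` annotations, already inconsistent (two entries carry 0xD00000a), are now one further off. If the numbers are part of the client-facing contract, keep a placeholder in the old position, e.g. `APPSPAWN_SANDBOX_INVALID_RESERVED,`, and add the sandbox-group code as a new enumerator; otherwise update the hex comments so they match the new numbering. The enum starts outside both hunks.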