diff --git a/appdata-sandbox64.json b/appdata-sandbox64.json new file mode 100644 index 0000000000000000000000000000000000000000..76fbf915e4e5bea21426cc38568f950d5035be7c --- /dev/null +++ b/appdata-sandbox64.json @@ -0,0 +1,249 @@ +{ + "common" : [{ + "top-sandbox-switch": "ON", + "app-base" : [{ + "sandbox-root" : "/mnt/sandbox/", + "mount-kind-paths": [{ + "src-path" : "/system/lib/media/", + "sandbox-path" : "/testapp/app", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true", + "kind-name": "normal" + }, { + "src-path" : "/system/lib/module/", + "sandbox-path" : "/testapp/private", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true", + "kind-name": "system_basic" + }], + "mount-bind-paths" : [{ + "src-path" : "/config", + "sandbox-path" : "/config", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/dev", + "sandbox-path" : "/dev", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/proc", + "sandbox-path" : "/proc", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/sys", + "sandbox-path" : "/sys", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/sys_prod", + "sandbox-path" : "/sys_prod", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/app", + "sandbox-path" : "/system/app", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/fonts", + "sandbox-path" : "/system/fonts", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/lib64", + "sandbox-path" : "/system/lib64", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/data", + "sandbox-path" : "/system/data", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/usr", + "sandbox-path" : "/system/usr", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/profile", + "sandbox-path" : "/system/profile", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/bin", + "sandbox-path" : "/system/bin", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/etc", + "sandbox-path" : "/system/etc", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/storage/el1/bundle", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + }, { + "src-path" : "/data/app/el2//base/", + "sandbox-path" : "/data/storage/el2/base", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + }, { + "src-path" : "/data/app/el2//database/", + "sandbox-path" : "/data/storage/el2/database", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + }, { + "src-path" : "/data/app/el1//base/", + "sandbox-path" : "/data/storage/el1/base", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + }, { + "src-path" : "/mnt/hmdfs/", + "sandbox-path" : "/mnt/hmdfs/", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/mnt/hmdfs//account/merge_view/data/", + "sandbox-path" : "/data/storage/el2/distributedfiles", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/mnt/hmdfs//non_account/merge_view/data/", + "sandbox-path" : "/data/storage/el2/auth_groups", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/data/app/el1/bundle/public/com.ohos.nweb", + "sandbox-path" : "/data/storage/el1/bundle/nweb", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/data/app/el1/bundle/public/ohos.global.systemres", + "sandbox-path" : "/data/storage/el1/bundle/ohos.global.systemres", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + } + ], + "symbol-links" : [{ + "target-name" : "/system/bin", + "link-name" : "/bin", + "check-action-status": "false" + }, { + "target-name" : "/system/lib", + "link-name" : "/lib", + "check-action-status": "false" + }, { + "target-name" : "/system/etc", + "link-name" : "/etc", + "check-action-status": "false" + }, { + "target-name" : "/system/bin/init", + "link-name" : "/init", + "check-action-status": "false" + }, { + "target-name" : "/sys/kernel/debug", + "link-name" : "/d", + "check-action-status": "false" + } + ] + }], + "app-resources" : [{ + "sandbox-root" : "/mnt/sandbox/", + "mount-bind-paths" : [{ + "src-path" : "/data/app/el1/bundle/public/com.ohos.nweb", + "sandbox-path" : "/data/storage/el1/bundle/nweb", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/data/app/el1/bundle/public/ohos.global.systemres", + "sandbox-path" : "/data/storage/el1/bundle/ohos.global.systemres", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + } + ], + "symbol-links" : [ + ] + }] + }], + "individual" : [{ + "com.ohos.medialibrary.MediaLibraryDataA" : [{ + "sandbox-switch": "ON", + "sandbox-root" : "/mnt/sandbox/", + "mount-bind-paths" : [{ + "src-path" : "/storage/media/", + "sandbox-path" : "/storage/media", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + } + ], + "symbol-links" : [] + }], + "com.ohos.medialibrary.MediaScannerAbilityA" : [{ + "sandbox-switch": "ON", + "sandbox-root" : "/mnt/sandbox/", + "mount-bind-paths" : [{ + "src-path" : "/storage/media/", + "sandbox-path" : "/storage/media", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + } + ], + "symbol-links" : [] + }], + "com.ohos.launcher" : [{ + "sandbox-switch": "ON", + "sandbox-root" : "/mnt/sandbox/", + "mount-bind-paths" : [{ + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/accounts/account_0/applications/", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + }, { + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/bundles/", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + } + ], + "symbol-links" : [] + }], + "com.ohos.permissionmanager" : [{ + "sandbox-switch": "ON", + "sandbox-root" : "/mnt/sandbox/", + "mount-bind-paths" : [{ + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/accounts/account_0/applications/", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + }, { + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/bundles/", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + } + ], + "symbol-links" : [] + }], + "ohos.samples.ecg" : [{ + "sandbox-switch": "OFF", + "sandbox-root" : "/mnt/sandbox/", + "mount-bind-paths" : [{ + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/accounts/account_0/applications/", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + }, { + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/bundles/", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + } + ], + "symbol-links" : [] + }] + }] +} \ No newline at end of file diff --git a/bundle.json b/bundle.json index 616ce543e05da76944c632195d785102eb7b035a..8f5599c3fb5ee10634f898a16e78bd227ff98501 100644 --- a/bundle.json +++ b/bundle.json @@ -42,6 +42,7 @@ "//base/startup/appspawn_standard:appspawn.rc", "//base/startup/appspawn_standard:appspawn_server", "//base/startup/appspawn_standard:nweb", + "//base/startup/appspawn_standard/etc:etc_files", "//base/startup/appspawn_standard/interfaces/innerkits:appspawn_socket_client" ], "inner_kits": [ diff --git a/etc/BUILD.gn b/etc/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..c3d7da9ba0f4adf99031c7ba9565a85675471e02 --- /dev/null +++ b/etc/BUILD.gn @@ -0,0 +1,32 @@ +# Copyright (c) 2020-2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//base/startup/appspawn_standard/appspawn.gni") +import("//build/ohos.gni") + +ohos_prebuilt_etc("appdata-sandbox.json") { + if (target_cpu == "arm64") { + source = "//base/startup/appspawn_standard/appdata-sandbox64.json" + } else { + source = "//base/startup/appspawn_standard/appdata-sandbox.json" + } + + relative_install_dir = "init" + subsystem_name = "${subsystem_name}" + part_name = "${part_name}" + module_install_dir = "etc/sandbox" +} + +group("etc_files") { + deps = [ ":appdata-sandbox.json" ] +} diff --git a/util/include/sandbox_utils.h b/util/include/sandbox_utils.h index 7632267ed738a383c46ec948d2821436d1946cd3..9490fb6e06ff78b06f5bc4eff6c3ed5b121895cb 100644 --- a/util/include/sandbox_utils.h +++ b/util/include/sandbox_utils.h @@ -21,6 +21,7 @@ #include #include "nlohmann/json.hpp" #include "client_socket.h" +#include "appspawn_adapter.h" namespace OHOS { namespace AppSpawn { @@ -48,6 +49,7 @@ private: std::string &sandboxPackagePath); static void DoSandboxChmod(nlohmann::json jsonConfig, std::string &sandboxRoot); static int DoAllMntPointsMount(const ClientSocket::AppProperty *appProperty, nlohmann::json &appConfig); + static int DoAllMntAplMount(const ClientSocket::AppProperty *appProperty, nlohmann::json &appConfig); static int DoAllSymlinkPointslink(const ClientSocket::AppProperty *appProperty, nlohmann::json &appConfig); static std::string ConvertToRealPath(const ClientSocket::AppProperty *appProperty, std::string sandboxRoot); static std::string GetSbxPathByConfig(const ClientSocket::AppProperty *appProperty, nlohmann::json &config); @@ -55,7 +57,6 @@ private: static bool CheckAppSandboxSwitchStatus(const ClientSocket::AppProperty *appProperty); static bool GetSbxSwitchStatusByConfig(nlohmann::json &config); static unsigned long GetMountFlagsFromConfig(const std::vector &vec); - private: static nlohmann::json appSandboxConfig_; }; diff --git a/util/src/sandbox_utils.cpp b/util/src/sandbox_utils.cpp index cd3cf164702cdd4a529331b819dfb5520e3c51ee..e3d95d8f15aa909532f33f0aff889abe86756cb1 100644 --- a/util/src/sandbox_utils.cpp +++ b/util/src/sandbox_utils.cpp @@ -66,9 +66,10 @@ namespace { const char *WARGNAR_DEVICE_PATH = "/3rdmodem"; const char *APP_BASE = "app-base"; const char *APP_RESOURCES = "app-resources"; + const char *KIND_NAME = "kind-name"; + const char *MOUNT_KIND_PREFIX = "mount-kind-paths"; } - nlohmann::json SandboxUtils::appSandboxConfig_; void SandboxUtils::StoreJsonConfig(nlohmann::json &appSandboxConfig) @@ -108,6 +109,7 @@ int32_t SandboxUtils::DoAppSandboxMountOnce(const std::string originPath, const MakeDirRecursive(destinationPath, FILE_MODE); ret = mount(originPath.c_str(), destinationPath.c_str(), NULL, mountFlags, NULL); + APPSPAWN_LOGI("1589533 mount src_to_dest errno is : %d", errno); if (ret) { HiLog::Error(LABEL, "bind mount %{public}s to %{public}s failed %{public}d", originPath.c_str(), destinationPath.c_str(), errno); @@ -242,6 +244,60 @@ bool SandboxUtils::GetSbxSwitchStatusByConfig(nlohmann::json &config) return true; } +int SandboxUtils::DoAllMntAplMount(const ClientSocket::AppProperty *appProperty, nlohmann::json &appConfig) +{ + if (appConfig.find(MOUNT_KIND_PREFIX) == appConfig.end()) { + HiLog::Debug(LABEL, "mount config is not found, maybe reuslt sandbox launch failed" + "app name is %{public}s", appProperty->bundleName); + return 0; + } + + nlohmann::json mountPoints = appConfig[MOUNT_KIND_PREFIX]; + std::string sandboxRoot = GetSbxPathByConfig(appProperty, appConfig); + int mountPointSize = mountPoints.size(); + + for (int i = 0; i < mountPointSize; i++) { + nlohmann::json mntPoint = mountPoints[i]; + std::string APP_KIND = mntPoint[KIND_NAME]; + const char *p_app_kind = nullptr; + p_app_kind = APP_KIND.c_str(); + + // if not defined + if (!strcmp(p_app_kind, appProperty->apl)) { + if (strcmp(p_app_kind, "normal") || strcmp(p_app_kind, "system_basic")) { + continue; + } + } + + // Check the validity of the mount configuration + if (mntPoint.find(SRC_PATH) == mntPoint.end() || mntPoint.find(SANDBOX_PATH) == mntPoint.end() + || mntPoint.find(SANDBOX_FLAGS) == mntPoint.end()) { + HiLog::Error(LABEL, "read mount config failed, app name is %{public}s", appProperty->bundleName); + continue; + } + + std::string srcPath = ConvertToRealPath(appProperty, mntPoint[SRC_PATH].get()); + std::string sandboxPath = sandboxRoot + ConvertToRealPath(appProperty, + mntPoint[SANDBOX_PATH].get()); + unsigned long mountFlags = GetMountFlagsFromConfig(mntPoint[SANDBOX_FLAGS].get>()); + + int ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), mountFlags); + if (ret) { + HiLog::Error(LABEL, "DoAppSandboxMountOnce failed, %{public}s", sandboxPath.c_str()); + + std::string actionStatus = STATUS_CHECK; + (void)JsonUtils::GetStringFromJson(mntPoint, ACTION_STATUS, actionStatus); + if (actionStatus == STATUS_CHECK) { + return ret; + } + } + + DoSandboxChmod(mntPoint, sandboxRoot); + } + + return 0; +} + int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProperty, nlohmann::json &appConfig) { if (appConfig.find(MOUNT_PREFIX) == appConfig.end()) { @@ -354,9 +410,10 @@ int32_t SandboxUtils::DoSandboxFileCommonBind(const ClientSocket::AppProperty *a { nlohmann::json commonConfig = wholeConfig[COMMON_PREFIX][0]; int ret = 0; - + int test = 0; if (commonConfig.find(APP_BASE) != commonConfig.end()) { ret = DoAllMntPointsMount(appProperty, commonConfig[APP_BASE][0]); + test = DoAllMntAplMount(appProperty, commonConfig[APP_BASE][0]); if (ret) { return ret; }