diff --git a/adapter/appspawn_sandbox.cpp b/adapter/appspawn_sandbox.cpp index 980ee2dacbb34287010d07fd24eab941c9ce095c..a82b89c154fa260c87dba20e221b6dece9d0f0c6 100644 --- a/adapter/appspawn_sandbox.cpp +++ b/adapter/appspawn_sandbox.cpp @@ -43,7 +43,11 @@ bool g_isPrivAppSandboxCreated = false; bool g_isAppSandboxCreated = false; namespace { +#ifdef __aarch64__ + const std::string APP_JSON_CONFIG("/system/etc/sandbox/appdata-sandbox64.json"); +#else const std::string APP_JSON_CONFIG("/system/etc/sandbox/appdata-sandbox.json"); +#endif const std::string PRODUCT_JSON_CONFIG("/system/etc/sandbox/product-sandbox.json"); } diff --git a/appdata-sandbox.json b/appdata-sandbox.json index f27629e096a20e63a82b02522b51d36893d3f66b..0e24f8b90b6af095c07f6ea4ef5fef0a31eb8638 100644 --- a/appdata-sandbox.json +++ b/appdata-sandbox.json 
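Review bot: The aarch64 branch hard-codes `/system/etc/sandbox/appdata-sandbox64.json`, but the `ohos_prebuilt_etc` target added in etc/BUILD.gn is named `appdata-sandbox.json` for both CPUs and only switches its `source`; whether the installed file takes the target name or the source name is not visible in this commit. If it takes the target name, arm64 builds would look for a file that is never installed, so this should be confirmed on an arm64 image. Because this file defines the app sandbox, also confirm that a missing or unparsable config makes spawning fail rather than start the app without the mounts. A short comment above the `#ifdef` would help, e.g. `// 64-bit images ship a separate sandbox config that also binds /system/lib64; see etc/BUILD.gn`.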
@@ -29,8 +29,43 @@ "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" }, { - "src-path" : "/system", - "sandbox-path" : "/system", + "src-path" : "/system/app", + "sandbox-path" : "/system/app", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/fonts", + "sandbox-path" : "/system/fonts", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/lib", + "sandbox-path" : "/system/lib", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/data", + "sandbox-path" : "/system/data", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/usr", + "sandbox-path" : "/system/usr", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/profile", + "sandbox-path" : "/system/profile", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/bin", + "sandbox-path" : "/system/bin", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/etc", + "sandbox-path" : "/system/etc", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" }, { diff --git a/appdata-sandbox64.json b/appdata-sandbox64.json new file mode 100644 index 0000000000000000000000000000000000000000..aaa5cd16cbb839bd9aa9cd21cb578a67b14dac88 --- /dev/null +++ b/appdata-sandbox64.json 
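Review bot: Each of the eight `/system/*` entries that replace the single `/system` bind sets `"check-action-status": "false"`, while the per-app data mounts in appdata-sandbox64.json use `"true"`; if `"false"` means a failed mount is tolerated (the handling code is outside this diff), an app could start with `/system/lib` or `/system/bin` absent. Splitting one bind into eight makes a partial failure possible where it was all-or-nothing before, so consider `"check-action-status": "true"` for the directories an app cannot run without. The list is now an allow-list, so any `/system` subdirectory not named here disappears from the sandbox; that is the intent of the change, but the commit description should list which directories were deliberately left out.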
@@ -0,0 +1,231 @@
+{
+ "common" : [{
+ "top-sandbox-switch": "ON",
+ "app-base" : [{
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/config",
+ "sandbox-path" : "/config",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/dev",
+ "sandbox-path" : "/dev",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/proc",
+ "sandbox-path" : "/proc",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/sys",
+ "sandbox-path" : "/sys",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/sys_prod",
+ "sandbox-path" : "/sys_prod",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/app",
+ "sandbox-path" : "/system/app",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/fonts",
+ "sandbox-path" : "/system/fonts",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib",
+ "sandbox-path" : "/lib",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib64",
+ "sandbox-path" : "/system/lib64",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/data",
+ "sandbox-path" : "/system/data",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/usr",
+ "sandbox-path" : "/system/usr",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/profile",
+ "sandbox-path" : "/system/profile",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/bin",
+ "sandbox-path" : "/system/bin",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/etc",
+ "sandbox-path" : "/system/etc",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/data/app/el1/bundle/public/",
+ "sandbox-path" : "/data/storage/el1/bundle",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }, {
+ "src-path" : "/data/app/el2//base/",
+ "sandbox-path" : "/data/storage/el2/base",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ },{
+ "src-path" : "/data/app/el1//database/",
+ "sandbox-path" : "/data/storage/el1/database",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }, {
+ "src-path" : "/data/app/el2//database/",
+ "sandbox-path" : "/data/storage/el2/database",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }, {
+ "src-path" : "/data/app/el1//base/",
+ "sandbox-path" : "/data/storage/el1/base",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }, {
+ "src-path" : "/mnt/hmdfs/",
+ "sandbox-path" : "/mnt/hmdfs/",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/mnt/hmdfs//account/merge_view/data/",
+ "sandbox-path" : "/data/storage/el2/distributedfiles",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/mnt/hmdfs//non_account/merge_view/data/",
+ "sandbox-path" : "/data/storage/el2/auth_groups",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/data/app/el1/bundle/public/com.ohos.nweb",
+ "sandbox-path" : "/data/storage/el1/bundle/nweb",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/data/app/el1/bundle/public/ohos.global.systemres",
+ "sandbox-path" : "/data/storage/el1/bundle/ohos.global.systemres",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }
+ ],
+ "symbol-links" : [{
+ "target-name" : "/system/bin",
+ "link-name" : "/bin",
+ "check-action-status": "false"
+ }, {
+ "target-name" : "/system/lib64",
+ "link-name" : "/lib64",
+ "check-action-status": "false"
+ }, {
+ "target-name" : "/system/etc",
+ "link-name" : "/etc",
+ "check-action-status": "false"
+ }, {
+ "target-name" : "/system/bin/init",
+ "link-name" : "/init",
+ "check-action-status": "false"
+ }, {
+ "target-name" : "/sys/kernel/debug",
+ "link-name" : "/d",
+ "check-action-status": "false"
+ }
+ ]
+ }],
+ "app-resources" : [{
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/data/app/el1/bundle/public/com.ohos.nweb",
+ "sandbox-path" : "/data/storage/el1/bundle/nweb",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/data/app/el1/bundle/public/ohos.global.systemres",
+ "sandbox-path" : "/data/storage/el1/bundle/ohos.global.systemres",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }
+ ],
+ "symbol-links" : [
+ ]
+ }]
+ }],
+ "individual" : [{
+ "com.ohos.medialibrary.MediaLibraryDataA" : [{
+ "sandbox-switch": "ON",
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/storage/media/",
+ "sandbox-path" : "/storage/media",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }
+ ],
+ "symbol-links" : []
+ }],
+ "com.ohos.medialibrary.MediaScannerAbilityA" : [{
+ "sandbox-switch": "ON",
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/storage/media/",
+ "sandbox-path" : "/storage/media",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }
+ ],
+ "symbol-links" : []
+ }],
+ "com.ohos.launcher" : [{
+ "sandbox-switch": "ON",
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/data/app/el1/bundle/public/",
+ "sandbox-path" : "/data/bundles/",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }
+ ],
+ "symbol-links" : []
+ }],
+ "com.ohos.permissionmanager" : [{
+ "sandbox-switch": "ON",
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{ + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/bundles/", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + } + ], + "symbol-links" : [] + }], + "ohos.samples.ecg" : [{ + "sandbox-switch": "OFF", + "sandbox-root" : "/mnt/sandbox/", + "mount-bind-paths" : [{ + "src-path" : "/data/app/el1/bundle/public/", + "sandbox-path" : "/data/bundles/", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "true" + } + ], + "symbol-links" : [] + }] + }] +} \ No newline at end of file diff --git a/bundle.json b/bundle.json index 616ce543e05da76944c632195d785102eb7b035a..8f5599c3fb5ee10634f898a16e78bd227ff98501 100644 --- a/bundle.json +++ b/bundle.json @@ -42,6 +42,7 @@ "//base/startup/appspawn_standard:appspawn.rc", "//base/startup/appspawn_standard:appspawn_server", "//base/startup/appspawn_standard:nweb", + "//base/startup/appspawn_standard/etc:etc_files", "//base/startup/appspawn_standard/interfaces/innerkits:appspawn_socket_client" ], "inner_kits": [ diff --git a/etc/BUILD.gn b/etc/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..b13ce794544df053c07feaf23cf54c2e5b9f5a20 --- /dev/null +++ b/etc/BUILD.gn 
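Review bot: The `/system/lib` entry in the new appdata-sandbox64.json is bound to `"sandbox-path" : "/lib"`, unlike every other `/system/*` entry in this file and unlike the 32-bit appdata-sandbox.json in the same commit, which binds it to `/system/lib`. As written, nothing exists at `/system/lib` inside a 64-bit sandbox, and `symbol-links` only provides `/lib64`; if 32-bit libraries are still expected at their usual path, use `"sandbox-path" : "/system/lib"` and add a `/lib` entry to `symbol-links` alongside `/lib64`. Because this is a new file rather than an edit, it is also a chance to apply least privilege: the recursive binds of `/dev`, `/proc` and `/sys` and the `/d` link to `/sys/kernel/debug` are given to every app, and the `/d` link in particular looks unnecessary for ordinary applications.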
@@ -0,0 +1,33 @@ +# Copyright (c) 2020-2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//base/startup/appspawn_standard/appspawn.gni") +import("//build/ohos.gni") + +ohos_prebuilt_etc("appdata-sandbox.json") { + if (target_cpu == "arm64") { + source = "//base/startup/appspawn_standard/appdata-sandbox64.json" + } else { + source = "//base/startup/appspawn_standard/appdata-sandbox.json" + } + + subsystem_name = "${subsystem_name}" + part_name = "${part_name}" + module_install_dir = "etc/sandbox" +} + +group("etc_files") { + deps = [ + ":appdata-sandbox.json", + ] +} \ No newline at end of file diff --git a/util/src/sandbox_utils.cpp b/util/src/sandbox_utils.cpp index ad1ad18b18a7f48604642e7e68d646d1db41050e..3db172c789c86bf7207f590bd2d7f5f5dd98445a 100644 --- a/util/src/sandbox_utils.cpp +++ b/util/src/sandbox_utils.cpp @@ -66,9 +66,9 @@ namespace { const char *WARGNAR_DEVICE_PATH = "/3rdmodem"; const char *APP_BASE = "app-base"; const char *APP_RESOURCES = "app-resources"; + const char *APP_APL_NAME = "app-apl-name"; } - nlohmann::json SandboxUtils::appSandboxConfig_; nlohmann::json SandboxUtils::productSandboxConfig_; 
@@ -275,6 +275,15 @@ int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProper continue; } + if (mntPoint[APP_APL_NAME] != nullptr) { + std::string app_apl_name = mntPoint[APP_APL_NAME]; + const char * p_app_apl = nullptr; + p_app_apl = app_apl_name.c_str(); + if (!strcmp(p_app_apl, appProperty->apl)) { + continue; + } + } + std::string srcPath = ConvertToRealPath(appProperty, mntPoint[SRC_PATH].get()); std::string sandboxPath = sandboxRoot + ConvertToRealPath(appProperty, mntPoint[SANDBOX_PATH].get());
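Review bot: The new check skips a mount point when `appProperty->apl` equals the entry's `app-apl-name`, so the key acts as a deny-list for one APL value and every other value, including an empty or unrecognised one, still gets the mount. That is the opposite of what the key name suggests, so state it in a comment, or invert the test if the key is meant to restrict the mount to that APL. `mntPoint[APP_APL_NAME] != nullptr` goes through `operator[]`, which inserts a null member into a non-const json object when the key is absent, and the implicit conversion to `std::string` raises a type error if the config value is not a string; unless that is caught further up (not visible here), a malformed config entry would stop the process that spawns every app. Looking the key up with `find` and checking `is_string()` avoids both and drops the `c_str()`/`strcmp` detour, though it still assumes `appProperty->apl` is NUL-terminated, which depends on how the struct is filled outside this hunk. The enclosing function starts before and continues after the hunk.

```cpp
// Skip this mount point for apps whose APL equals the entry's "app-apl-name".
const auto aplIt = mntPoint.find(APP_APL_NAME);
if (aplIt != mntPoint.end() && aplIt->is_string() &&
    aplIt->get<std::string>() == appProperty->apl) {
    continue;
}

// … unchanged: srcPath / sandboxPath computation …
```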