modify:The execution of the preunshare phase depends on the mounted mount point

Signed-off-by: wangfeng <wangfeng277@huawei.com>
wangfeng 2024-09-19 22:29:29 +08:00
parent 9812df4c4c
commit 0487064ecd
2 changed files with 196 additions and 39 deletions


@ -129,7 +129,7 @@ static int BuildRootPath(char *buffer, uint32_t bufferLen, const AppSpawnSandbox
} else {
len = sprintf_s(buffer + currLen, bufferLen - currLen, "%d", uid);
}
APPSPAWN_CHECK(len > 0 && (uint32_t)(len < (bufferLen - currLen)), return ret,
APPSPAWN_CHECK(len > 0 && ((uint32_t)len < (bufferLen - currLen)), return ret,
"Failed to format root path %{public}s", sandbox->rootPath);
currLen += (uint32_t)len;
}
@ -615,6 +615,21 @@ static void MountDirToShared(const SandboxContext *context, AppSpawnSandboxCfg *
}
}
}
char lockSbxPathStamp[MAX_SANDBOX_BUFFER] = { 0 };
int ret = 0;
if (CheckSpawningMsgFlagSet(context, APP_FLAGS_ISOLATED_SANDBOX_TYPE) != 0) {
ret = snprintf_s(lockSbxPathStamp, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s%d/isolated/%s_locked",
rootPath, info->uid / UID_BASE, context->bundleName);
} else {
ret = snprintf_s(lockSbxPathStamp, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s%d/%s_locked",
rootPath, info->uid / UID_BASE, context->bundleName);
}
if (ret <= 0) {
APPSPAWN_LOGE("snprintf_s lock sandbox path stamp failed");
return;
}
CreateSandboxDir(lockSbxPathStamp, FILE_MODE);
}
static int UpdateMountPathDepsPath(const SandboxContext *context, SandboxNameGroupNode *groupNode)
@ -691,6 +706,9 @@ static int MountSandboxConfig(const SandboxContext *context,
continue;
}
SandboxNameGroupNode *groupNode = (SandboxNameGroupNode *)section->nameGroups[i];
if (groupNode->depMounted != 1) {
SetMountPathOperation(&operation, MOUNT_PATH_OP_REPLACE_BY_SANDBOX);
}
SetMountPathOperation(&operation, SANDBOX_TAG_NAME_GROUP);
ret = DoSandboxNodeMount(context, &groupNode->section, operation);
APPSPAWN_CHECK(ret == 0, return ret,
@ -1014,51 +1032,189 @@ int StagedMountSystemConst(AppSpawnSandboxCfg *sandbox, const AppSpawningCtx *pr
return ret;
}
static int MountDepGroups(const SandboxContext *context, SandboxNameGroupNode *groupNode)
{
/**
* unshare前处理mount-paths-deps
* 1.mount-paths-deps节点;
* 2.json文件中路径的变量值;
* 3.deps-mode的值是否是not-exists
* not-exist则判断mount-paths.src-path是否存在mount-paths-deps中的目录
* mount-paths-deps中的目录
* always则创建并挂载mount-paths-deps中的目录;
* deps-mode默认值为always;
*
*/
int ret = 0;
if (groupNode == NULL || groupNode->depNode == NULL) {
return 0;
}
ret = UpdateMountPathDepsPath(context, groupNode);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to updata deps path name groups %{public}s", groupNode->section.name);
if (groupNode->depMode == MOUNT_MODE_NOT_EXIST && CheckAndCreateDepPath(context, groupNode)) {
return 0;
}
uint32_t operation = 0;
SetMountPathOperation(&operation, MOUNT_PATH_OP_UNMOUNT);
groupNode->depMounted = 1;
ret = DoSandboxPathNodeMount(context, &groupNode->section, groupNode->depNode, operation);
if (ret != 0) {
APPSPAWN_LOGE("Mount deps root fail %{public}s", groupNode->section.name);
}
return ret;
}
static int SetSystemConstDepGroups(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
{
SandboxSection *section = GetSandboxSection(&sandbox->requiredQueue, "system-const");
if (section == NULL || section->nameGroups == NULL) {
return 0;
}
int ret = 0;
for (uint32_t i = 0; i < section->number; i++) {
if (section->nameGroups[i] == NULL) {
continue;
}
SandboxNameGroupNode *groupNode = (SandboxNameGroupNode *)section->nameGroups[i];
ret = MountDepGroups(context, groupNode);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to mount deps groups");
}
return ret;
}
static int SetAppVariableDepGroups(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
{
SandboxSection *section = GetSandboxSection(&sandbox->requiredQueue, "app-variable");
if (section == NULL || section->nameGroups == NULL) {
return 0;
}
int ret = 0;
for (uint32_t i = 0; i < section->number; i++) {
if (section->nameGroups[i] == NULL) {
continue;
}
SandboxNameGroupNode *groupNode = (SandboxNameGroupNode *)section->nameGroups[i];
ret = MountDepGroups(context, groupNode);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to mount deps groups");
}
return ret;
}
static int SetSpawnFlagsDepGroups(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
{
ListNode *node = sandbox->spawnFlagsQueue.front.next;
int ret = 0;
while (node != &sandbox->spawnFlagsQueue.front) {
SandboxFlagsNode *sandboxNode = (SandboxFlagsNode *)ListEntry(node, SandboxMountNode, node);
// match flags point
if (sandboxNode->flagIndex == 0 || !CheckSpawningMsgFlagSet(context, sandboxNode->flagIndex)) {
node = node->next;
continue;
}
if (sandboxNode->section.nameGroups == NULL) {
node = node->next;
continue;
}
for (uint32_t i = 0; i < sandboxNode->section.number; i++) {
if (sandboxNode->section.nameGroups[i] == NULL) {
continue;
}
SandboxNameGroupNode *groupNode = (SandboxNameGroupNode *)sandboxNode->section.nameGroups[i];
ret = MountDepGroups(context, groupNode);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to mount deps groups");
}
node = node->next;
}
return ret;
}
static int SetPackageNameDepGroups(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
{
SandboxPackageNameNode *sandboxNode =
(SandboxPackageNameNode *)GetSandboxSection(&sandbox->packageNameQueue, context->bundleName);
if (sandboxNode == NULL || sandboxNode->section.nameGroups == NULL) {
return 0;
}
int ret = 0;
for (uint32_t i = 0; i < sandboxNode->section.number; i++) {
if (sandboxNode->section.nameGroups[i] == NULL) {
continue;
}
SandboxNameGroupNode *groupNode = (SandboxNameGroupNode *)sandboxNode->section.nameGroups[i];
ret = MountDepGroups(context, groupNode);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to mount deps groups");
}
return ret;
}
static int SetPermissionDepGroups(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
{
ListNode *node = sandbox->permissionQueue.front.next;
int ret = 0;
while (node != &sandbox->permissionQueue.front) {
SandboxPermissionNode *permissionNode = (SandboxPermissionNode *)ListEntry(node, SandboxMountNode, node);
// match flags point
if (!CheckSpawningPermissionFlagSet(context, permissionNode->permissionIndex)) {
node = node->next;
continue;
}
if (permissionNode->section.nameGroups == NULL) {
node = node->next;
continue;
}
for (uint32_t i = 0; i < permissionNode->section.number; i++) {
if (permissionNode->section.nameGroups[i] == NULL) {
continue;
}
SandboxNameGroupNode *groupNode = (SandboxNameGroupNode *)permissionNode->section.nameGroups[i];
ret = MountDepGroups(context, groupNode);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to mount deps groups");
}
node = node->next;
}
return ret;
}
// The execution of the preunshare phase depends on the mounted mount point
static int StagedDepGroupMounts(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
{
int ret = SetSystemConstDepGroups(context, sandbox);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to set system const deps groups");
ret = SetAppVariableDepGroups(context, sandbox);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to set app variable deps groups");
ret = SetSpawnFlagsDepGroups(context, sandbox);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to set spawn flags deps groups");
ret = SetPackageNameDepGroups(context, sandbox);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to set package name deps groups");
ret = SetPermissionDepGroups(context, sandbox);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to set permission deps groups");
return ret;
}
int StagedMountPreUnShare(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
{
APPSPAWN_CHECK(sandbox != NULL && context != NULL, return -1, "Invalid sandbox or context");
APPSPAWN_LOGV("Set sandbox config before unshare group count %{public}d", sandbox->depNodeCount);
MountDirToShared(context, sandbox);
/**
* unshare前处理mount-paths-deps
* root-dir global.sandbox-root
* src-dir "/mnt/sandbox/app-common/<currentUserId>"
* mount-paths-deps,mount-paths-deps
* src = mount-paths-deps.src-path
* dst = root-dir + mount-paths-deps.sandbox-path
* no-exist,mount-paths src()
mount-paths-deps.src-path .shared方式挂载mount-paths-deps
* always,shared方式挂载mount-paths-deps
* always
*
*/
int ret = 0;
for (uint32_t i = 0; i < sandbox->depNodeCount; i++) {
SandboxNameGroupNode *groupNode = sandbox->depGroupNodes[i];
if (groupNode == NULL || groupNode->depNode == NULL) {
continue;
}
APPSPAWN_LOGV("Set sandbox deps config %{public}s ", groupNode->section.name);
// change source and target to real path
ret = UpdateMountPathDepsPath(context, groupNode);
APPSPAWN_CHECK(ret == 0, return ret,
"Failed to update deps path name group %{public}s", groupNode->section.name);
int ret = StagedDepGroupMounts(context, sandbox);
if (groupNode->depMode == MOUNT_MODE_NOT_EXIST && CheckAndCreateDepPath(context, groupNode)) {
continue;
}
uint32_t operation = 0;
SetMountPathOperation(&operation, MOUNT_PATH_OP_UNMOUNT);
groupNode->depMounted = 1;
ret = DoSandboxPathNodeMount(context, &groupNode->section, groupNode->depNode, operation);
if (ret != 0) {
APPSPAWN_LOGE("Mount deps root fail %{public}s", groupNode->section.name);
return ret;
}
}
return 0;
return ret;
}
static int SetAppVariableConfig(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox)
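Review bot: In MountDepGroups, `groupNode->depMounted = 1;` is assigned before DoSandboxPathNodeMount runs and is not cleared when that call fails, so the node can record a dependency mount that does not exist. The MountSandboxConfig hunk in this same file now selects `MOUNT_PATH_OP_REPLACE_BY_SANDBOX` on `depMounted != 1`, so a stale 1 would change how that group's paths are mounted into the sandbox. The early `return 0` on the `MOUNT_MODE_NOT_EXIST` branch also leaves whatever value an earlier spawn stored, assuming the config nodes outlive a single spawn, which is not visible here. Unless DoSandboxPathNodeMount reads the flag itself, set it from the result after the call, e.g. `groupNode->depMounted = (ret == 0) ? 1 : 0;`, and add a comment on the field saying which code is expected to reset it.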


@ -534,6 +534,7 @@ static SandboxNameGroupNode *ParseNameGroup(AppSpawnSandboxCfg *sandbox, const c
// "type": "system-const",
// "caps": ["shared"],
node->destType = GetNameGroupTypeFromConfig(groupConfig, "type", SANDBOX_TAG_INVALID);
node->depMounted = 0;
// success, insert section
AddSandboxSection(&node->section, &sandbox->nameGroupsQueue);
return node;