add appdate mount in new sandbox

Signed-off-by: wangfeng <wangfeng277@huawei.com>
2024-11-22 22:50:21 +00:00 · 2024-11-18 21:23:01 +08:00 · 2024-11-18 21:23:01 +08:00 · 16edede17b
commit 16edede17b
parent 168e9fba23
11 changed files with 192 additions and 42 deletions
--- a/appdata-sandbox-app.json
+++ b/appdata-sandbox-app.json
@ -175,14 +175,8 @@
            "name": "ohos.permission.FILE_ACCESS_MANAGER",
            "sandbox-switch": "ON",
            "gids": ["file_manager", "user_data_rw"],
-            "mount-paths": [{
-                "src-path": "/storage/media/<currentUserId>/local/files/Docs",
-                "sandbox-path": "/storage/Users/<currentUserId>"
-            }, {
-                "src-path": "/storage/media/<currentUserId>/local/files/.Recent",
-                "sandbox-path": "/storage/Users/<currentUserId>/.Recent"
-            }],
-            "mount-groups": [ "user-public", "Users" ]
+            "mount-paths": [],
+            "mount-groups": [ "user-public", "file_manager_recent" ]
        }, {
            "name": "ohos.permission.READ_IMAGEVIDEO",
            "sandbox-switch": "ON",
@ -194,18 +188,11 @@
        }, {
            "name": "ohos.permission.FILE_CROSS_APP",
            "gids": ["file_manager"],
-            "mount-paths": [{
-                "src-path": "/storage/media/<currentUserId>/local/files/Docs",
-                "sandbox-path": "/storage/Users/<currentUserId>"
-            }, {
-                "src-path": "/data/app/el1/<currentUserId>/base",
-                "sandbox-path": "/storage/Users/<currentUserId>/appdata/el1",
-                "category": "dac_override"
-            }, {
-                "src-path": "/data/app/el2/<currentUserId>/base",
-                "sandbox-path": "/storage/Users/<currentUserId>/appdata/el2",
-                "category": "dac_override"
-            }],
+            "mount-paths": [],
+            "mount-groups": [ "user-public" ]
+        }, {
+            "name": "ohos.permission.FILE_ACCESS_COMMON_DIR",
+            "mount-paths": [],
            "mount-groups": [ "user-public" ]
        }, {
            "name": "ohos.permission.ACTIVATE_THEME_PACKAGE",
@ -453,6 +440,13 @@
            "src-path": "/storage/media/<currentUserId>/local/files/Docs",
            "sandbox-path": "<deps-path>/currentUser"
        }]
+    },  {
+        "name": "file_manager_recent",
+        "type": "app-variable",
+        "mount-paths": [{
+            "src-path": "/storage/media/<currentUserId>/local/files/.Recent",
+            "sandbox-path": "/storage/Users/<currentUserId>/.Recent"
+        }]
    }, {
        "name": "el2",
        "type": "app-variable",
--- a/interfaces/innerkits/include/appspawn.h
+++ b/interfaces/innerkits/include/appspawn.h
@ -185,6 +185,7 @@ typedef enum {
    APP_FLAGS_ISOLATED_DATAGROUP,
    APP_FLAGS_TEMP_JIT = 28,
    APP_FLAGS_PRE_INSTALLED_HAP = 29,
+    APP_FLAGS_GET_ALL_PROCESSES = 30,
    MAX_FLAGS_INDEX = 63,
 } AppFlagsIndex;

--- a/interfaces/innerkits/permission/appspawn_mount_permission.c
+++ b/interfaces/innerkits/permission/appspawn_mount_permission.c
@ -106,7 +106,7 @@ static int LoadPermissionConfig(PermissionManager *mgr)
 {
    int ret = ParseJsonConfig("etc/sandbox",
        mgr->type == CLIENT_FOR_APPSPAWN ? APP_SANDBOX_FILE_NAME : WEB_SANDBOX_FILE_NAME, ParseAppSandboxConfig, mgr);
-    APPSPAWN_CHECK(ret == 0, return ret, "Load sandbox fail %{public}d", ret);
+    APPSPAWN_CHECK(ret == 0, return 0, "Load sandbox fail %{public}d", ret);
    mgr->maxPermissionIndex = PermissionRenumber(&mgr->permissionQueue);
    return 0;
 }
--- a/modules/common/appspawn_adapter.cpp
+++ b/modules/common/appspawn_adapter.cpp
@ -175,22 +175,13 @@ int SetSeccompFilter(const AppSpawnMgr *content, const AppSpawningCtx *property)

 #ifdef SECCOMP_PRIVILEGE
    if (IsDeveloperModeOpen()) {
-        static GetPermissionFunc getPermissionFuncPtr = nullptr;
-        if (getPermissionFuncPtr == nullptr) {
-            getPermissionFuncPtr = reinterpret_cast<GetPermissionFunc>(dlsym(nullptr, GET_PERMISSION_INDEX));
-            if (getPermissionFuncPtr == nullptr) {
-                APPSPAWN_LOGE("Failed to dlsym get permission errno is %{public}d", errno);
-                return -EINVAL;
-            }
-        }
-        int32_t index = getPermissionFuncPtr(nullptr, GET_ALL_PROCESSES);
-        if (CheckAppPermissionFlagSet(property, static_cast<uint32_t>(index)) != 0) {
+        if (CheckAppMsgFlagsSet(property, APP_FLAGS_GET_ALL_PROCESSES) != 0) {
            appName = APP_PRIVILEGE;
        }
    }
 #endif

-    if (CheckAppSpawnMsgFlag(property->message, TLV_MSG_FLAGS, APP_FLAGS_ISOLATED_SANDBOX) != 0) {
+    if (CheckAppMsgFlagsSet(property, APP_FLAGS_ISOLATED_SANDBOX) != 0) {
        appName = IMF_EXTENTOIN_NAME;
    }

--- a/modules/common/appspawn_encaps.c
+++ b/modules/common/appspawn_encaps.c
@ -278,12 +278,14 @@ APPSPAWN_STATIC int SpawnSetEncapsPermissions(AppSpawnMgr *content, AppSpawningC

    int ret = EnableEncapsForProc(encapsFileFd);
    if (ret != 0) {
+        close(encapsFileFd);
        return 0;         // Can't enable encaps ability
    }

    char *encapsInfoStr = NULL;
    ret = SpawnBuildEncaps(content, property, &encapsInfoStr);
    if (ret != 0) {
+        close(encapsFileFd);
        APPSPAWN_LOGW("Build encaps object failed, ret: %{public}d", ret);
        return 0;        // Can't set permission encpas ability
    }
--- a/modules/sandbox/appspawn_sandbox.c
+++ b/modules/sandbox/appspawn_sandbox.c
@ -392,7 +392,6 @@ APPSPAWN_STATIC const char *GetRealSrcPath(const SandboxContext *context, const
 // 设置挂载参数options
 static int32_t SetMountArgsOption(const SandboxContext *context, uint32_t category, uint32_t operation, MountArg *args)
 {
-    args->options = "";
    if ((category != MOUNT_TMP_DAC_OVERRIDE) && (category != MOUNT_TMP_DAC_OVERRIDE_DELETE)) {
        return 0;
    }
@ -612,9 +611,130 @@ static const MountSharedTemplate MOUNT_SHARED_MAP[] = {
    {"/data/storage/el3", NULL},
    {"/data/storage/el4", NULL},
    {"/data/storage/el5", "ohos.permission.PROTECT_SCREEN_LOCK_DATA"},
-    {"/storage/Users", "ohos.permission.FILE_ACCESS_MANAGER"},
 };

+static int MountInShared(const AppSpawnMsgDacInfo *info, const char *rootPath, const char *src, const char *target)
+{
+    if (info == NULL) {
+        return APPSPAWN_ARG_INVALID;
+    }
+
+    char path[MAX_SANDBOX_BUFFER] = {0};
+    int ret = snprintf_s(path, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/%u/app-root/%s", rootPath,
+                         info->uid / UID_BASE, target);
+    if (ret <= 0) {
+        return APPSPAWN_ERROR_UTILS_MEM_FAIL;
+    }
+
+    char currentUserPath[MAX_SANDBOX_BUFFER] = {0};
+    ret = snprintf_s(currentUserPath, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/currentUser", path);
+    if (ret <= 0) {
+        return APPSPAWN_ERROR_UTILS_MEM_FAIL;
+    }
+
+    if (access(currentUserPath, F_OK) == 0) {
+        return 0;
+    }
+
+    ret = MakeDirRec(path, DIR_MODE, 1);
+    if (ret != 0) {
+        return APPSPAWN_SANDBOX_ERROR_MKDIR_FAIL;
+    }
+
+    if (mount(src, path, NULL, MS_BIND | MS_REC, NULL) != 0) {
+        APPSPAWN_LOGI("bind mount %{public}s to %{public}s failed, error %{public}d", src, path, errno);
+        return APPSPAWN_SANDBOX_ERROR_MOUNT_FAIL;
+    }
+    if (mount(NULL, path, NULL, MS_SHARED, NULL) != 0) {
+        APPSPAWN_LOGI("mount path %{public}s to shared failed, errno %{public}d", path, errno);
+        return APPSPAWN_SANDBOX_ERROR_MOUNT_FAIL;
+    }
+
+    return 0;
+}
+
+static int SharedMountInSharefs(const AppSpawnMsgDacInfo *info, const char *rootPath,
+                                const char *src, const char *target)
+{
+    char currentUserPath[MAX_SANDBOX_BUFFER] = {0};
+    int ret = snprintf_s(currentUserPath, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/currentUser", target);
+    if (ret <= 0) {
+        return APPSPAWN_ERROR_UTILS_MEM_FAIL;
+    }
+
+    if (access(currentUserPath, F_OK) == 0) {
+        return 0;
+    }
+
+    ret = MakeDirRec(target, DIR_MODE, 1);
+    if (ret != 0) {
+        return APPSPAWN_SANDBOX_ERROR_MKDIR_FAIL;
+    }
+
+    char options[OPTIONS_MAX_LEN] = {0};
+    ret = snprintf_s(options, OPTIONS_MAX_LEN, OPTIONS_MAX_LEN - 1, "override_support_delete,user_id=%d",
+                     info->uid / UID_BASE);
+    if (ret <= 0) {
+        return APPSPAWN_ERROR_UTILS_MEM_FAIL;
+    }
+
+    if (mount(src, target, "sharefs", MS_NODEV, options) != 0) {
+        APPSPAWN_LOGE("sharefs mount %{public}s to %{public}s failed, error %{public}d",
+                      src, target, errno);
+        return APPSPAWN_SANDBOX_ERROR_MOUNT_FAIL;
+    }
+    if (mount(NULL, target, NULL, MS_SHARED, NULL) != 0) {
+        APPSPAWN_LOGE("mount path %{public}s to shared failed, errno %{public}d", target, errno);
+        return APPSPAWN_SANDBOX_ERROR_MOUNT_FAIL;
+    }
+
+    return 0;
+}
+
+static void UpdateStorageDir(const SandboxContext *context, AppSpawnSandboxCfg *sandbox, const AppSpawnMsgDacInfo *info)
+{
+    const char mntUser[] = "/mnt/user";
+    const char nosharefsDocs[] = "nosharefs/docs";
+    const char sharefsDocs[] = "sharefs/docs";
+    const char rootPath[] = "/mnt/sandbox";
+    const char userPath[] = "/storage/Users";
+
+    /* /mnt/user/<currentUserId>/nosharefs/Docs */
+    char nosharefsDocsDir[MAX_SANDBOX_BUFFER] = {0};
+    int ret = snprintf_s(nosharefsDocsDir, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/%d/%s",
+                         mntUser, info->uid / UID_BASE, nosharefsDocs);
+    if (ret <= 0) {
+        return;
+    }
+
+    /* /mnt/user/<currentUserId>/sharefs/Docs */
+    char sharefsDocsDir[MAX_SANDBOX_BUFFER] = {0};
+    ret = snprintf_s(sharefsDocsDir, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/%d/%s",
+                     mntUser, info->uid / UID_BASE, sharefsDocs);
+    if (ret <= 0) {
+        return;
+    }
+
+    int index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_ACCESS_MANAGER_MODE);
+    int res = CheckSpawningPermissionFlagSet(context, index);
+    if (res == 0) {
+        char storageUserPath[MAX_SANDBOX_BUFFER] = {0};
+        ret = snprintf_s(storageUserPath, MAX_SANDBOX_BUFFER, MAX_SANDBOX_BUFFER - 1, "%s/%d/app-root/%s", rootPath,
+                         info->uid / UID_BASE, userPath);
+        if (ret <= 0) {
+            return;
+        }
+        /* mount /mnt/user/<currentUserId>/sharefs/docs to /mnt/sandbox/<currentUserId>/app-root/storage/Users */
+        ret = SharedMountInSharefs(info, rootPath, sharefsDocsDir, storageUserPath);
+    } else {
+        /* mount /mnt/user/<currentUserId>/nosharefs/docs to /mnt/sandbox/<currentUserId>/app-root/storage/Users */
+        ret = MountInShared(info, rootPath, nosharefsDocsDir, userPath);
+    }
+    if (ret != 0) {
+        APPSPAWN_LOGE("Update storage dir, ret %{public}d", ret);
+    }
+}
+
 static void MountDirToShared(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
 {
    const char rootPath[] = "/mnt/sandbox/";
@ -625,6 +745,9 @@ static void MountDirToShared(const SandboxContext *context, AppSpawnSandboxCfg *
    if (info == NULL || context->bundleName == NULL) {
        return;
    }
+
+    UpdateStorageDir(context, sandbox, info);
+
    MountDir(info, appRootName, rootPath, nwebPath);
    MountDir(info, appRootName, rootPath, nwebTmpPath);

@ -1079,7 +1202,7 @@ static int MountDepGroups(const SandboxContext *context, SandboxNameGroupNode *g
    }

    ret = UpdateMountPathDepsPath(context, groupNode);
-    APPSPAWN_CHECK(ret == 0, return ret, "Failed to updata deps path name groups %{public}s", groupNode->section.name);
+    APPSPAWN_CHECK(ret == 0, return ret, "Failed to update deps path name groups %{public}s", groupNode->section.name);

    if (groupNode->depMode == MOUNT_MODE_NOT_EXIST && CheckAndCreateDepPath(context, groupNode)) {
        return 0;
--- a/modules/sandbox/appspawn_sandbox.h
+++ b/modules/sandbox/appspawn_sandbox.h
@ -72,6 +72,7 @@ extern "C" {
 #define ACCESS_DLP_FILE_MODE "ohos.permission.ACCESS_DLP_FILE"
 #define FILE_ACCESS_MANAGER_MODE "ohos.permission.FILE_ACCESS_MANAGER"
 #define READ_WRITE_USER_FILE_MODE "ohos.permission.READ_WRITE_USER_FILE"
+#define GET_ALL_PROCESSES_MODE "ohos.permission.GET_ALL_PROCESSES"

 typedef enum SandboxTag {
    SANDBOX_TAG_MOUNT_PATH = 0,
--- a/modules/sandbox/sandbox_manager.c
+++ b/modules/sandbox/sandbox_manager.c
@ -648,7 +648,23 @@ static int AppendPackageNameGids(const AppSpawnSandboxCfg *sandbox, AppSpawningC
    return 0;
 }

-static int SetSandboxPermissionFlag(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property)
+static void UpdateMsgFlagsWithPermission(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property)
+{
+    int32_t allProcessIndex = GetPermissionIndexInQueue(&sandbox->permissionQueue, GET_ALL_PROCESSES_MODE);
+    int res = CheckAppPermissionFlagSet(property, (uint32_t)allProcessIndex);
+    if (res == 0) {
+        APPSPAWN_LOGV("Don't need set GET_ALL_PROCESSES_MODE flag");
+        return;
+    }
+
+    int ret = SetAppSpawnMsgFlag(property->message, TLV_MSG_FLAGS, APP_FLAGS_GET_ALL_PROCESSES);
+    if (ret != 0) {
+        APPSPAWN_LOGE("Set GET_ALL_PROCESSES_MODE flag failed");
+    }
+    return;
+}
+
+static int UpdatePermissionFlags(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property)
 {
    int32_t index = 0;
    if (sandbox->appFullMountEnable) {
@ -694,13 +710,16 @@ int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
    AppSpawnSandboxCfg *sandbox = GetAppSpawnSandbox(content, type);
    content->content.sandboxType = type;
    APPSPAWN_CHECK(sandbox != NULL, return -1, "Failed to get sandbox for %{public}s", GetProcessName(property));
-    int ret = SetSandboxPermissionFlag(sandbox, property);
+
+    int ret = UpdatePermissionFlags(sandbox, property);
    if (ret != 0) {
        APPSPAWN_LOGW("set sandbox permission flag failed.");
        return APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL;
    }
-    APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
+    UpdateMsgFlagsWithPermission(sandbox, property);
+
    ret = AppendGids(sandbox, property);
+    APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
    ret = StagedMountSystemConst(sandbox, property, IsNWebSpawnMode(content));
    APPSPAWN_CHECK(ret == 0, return ret, "Failed to mount system-const for %{public}s", GetProcessName(property));
    return 0;
--- a/modules/sandbox/sandbox_utils.cpp
+++ b/modules/sandbox/sandbox_utils.cpp
@ -135,6 +135,7 @@ namespace {
    const std::string ACCESS_DLP_FILE_MODE = "ohos.permission.ACCESS_DLP_FILE";
    const std::string FILE_ACCESS_MANAGER_MODE = "ohos.permission.FILE_ACCESS_MANAGER";
    const std::string READ_WRITE_USER_FILE_MODE = "ohos.permission.READ_WRITE_USER_FILE";
+    const std::string GET_ALL_PROCESSES_MODE = "ohos.permission.GET_ALL_PROCESSES";
    const std::string ARK_WEB_PERSIST_PACKAGE_NAME = "persist.arkwebcore.package_name";

    const std::string& getArkWebPackageName()
@ -1599,7 +1600,23 @@ static inline int EnableSandboxNamespace(AppSpawningCtx *appProperty, uint32_t s
    return 0;
 }

-int32_t SandboxUtils::SetPermissionWithParam(AppSpawningCtx *appProperty)
+void SandboxUtils::UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty)
+{
+    int32_t processIndex = GetPermissionIndex(nullptr, GET_ALL_PROCESSES_MODE.c_str());
+    if ((CheckAppPermissionFlagSet(appProperty, static_cast<uint32_t>(processIndex)) == 0)) {
+        APPSPAWN_LOGV("Don't need set GET_ALL_PROCESSES_MODE flag");
+        return;
+    }
+
+    int ret = SetAppSpawnMsgFlag(appProperty->message, TLV_MSG_FLAGS, APP_FLAGS_GET_ALL_PROCESSES);
+    if (ret != 0) {
+        APPSPAWN_LOGV("Set GET_ALL_PROCESSES_MODE flag failed");
+    }
+
+    return;
+}
+
+int32_t SandboxUtils::UpdatePermissionFlags(AppSpawningCtx *appProperty)
 {
    int32_t index = 0;
    int32_t appFullMountStatus = CheckAppFullMountEnable();
@ -1658,10 +1675,11 @@ int32_t SandboxUtils::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_
    int rc = EnableSandboxNamespace(appProperty, sandboxNsFlags);
    APPSPAWN_CHECK(rc == 0, return rc, "unshare failed, packagename is %{public}s", bundleName.c_str());

-    if (SetPermissionWithParam(appProperty) != 0) {
+    if (UpdatePermissionFlags(appProperty) != 0) {
        APPSPAWN_LOGW("Set app permission flag fail.");
        return -1;
    }
+    UpdateMsgFlagsWithPermission(appProperty);

    // check app sandbox switch
    if ((CheckTotalSandboxSwitchStatus(appProperty) == false) ||
--- a/modules/sandbox/sandbox_utils.h
+++ b/modules/sandbox/sandbox_utils.h
@ -107,7 +107,8 @@ private:
    static int32_t DoAddGid(AppSpawningCtx *appProperty, nlohmann::json &appConfig,
                            const char* permissionName, const std::string &section);
    static int32_t CheckAppFullMountEnable();
-    static int32_t SetPermissionWithParam(AppSpawningCtx *appProperty);
+    static void UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty);
+    static int32_t UpdatePermissionFlags(AppSpawningCtx *appProperty);
    static int32_t SetSandboxProperty(AppSpawningCtx *appProperty, std::string &sandboxPackagePath);
    static int32_t ChangeCurrentDir(std::string &sandboxPackagePath, const std::string &bundleName,
                                    bool sandboxSharedStatus);
--- a/util/include/appspawn_utils.h
+++ b/util/include/appspawn_utils.h
@ -155,7 +155,7 @@ int EnableNewNetNamespace(void);
 #endif

 #ifndef OHOS_LITE
-#define APPSPAWN_DOMAIN (0xD002C00 + 0x11)
+#define APPSPAWN_DOMAIN (0xD002C00 + 0x11)  // 0xD002C11
 #ifndef APPSPAWN_LABEL
 #define APPSPAWN_LABEL "APPSPAWN"
 #endif