!1654 fix new sandbox bug

Merge pull request !1654 from nianyuu/master
2024-11-23 15:10:44 +00:00 · 2024-11-06 03:26:48 +00:00 · 2024-11-06 03:26:48 +00:00 · 364f3d290e
commit 364f3d290e
parent 61386951b5 0c1add43c4
5 changed files with 19 additions and 12 deletions
--- a/appdata-sandbox-app.json
+++ b/appdata-sandbox-app.json
@ -89,9 +89,6 @@
            }, {
                "src-path" : "/system/app/SystemResources",
                "sandbox-path" : "/data/global/systemResources"
-            }, {
-                "src-path" : "/data/misc",
-                "sandbox-path" : "/data/storage/el1/bundle/misc"
            }, {
                "src-path" : "/data/service/el1/public/cert_manager_service/certificates/user_open",
                "sandbox-path" : "/data/certificates/user_cacerts"
@ -129,6 +126,9 @@
                "src-path" : "/data/app/el1/bundle/public/<PackageName>",
                "sandbox-path" : "/data/storage/el1/bundle",
                "check-action-status": "true"
+            }, {
+                "src-path" : "/data/misc",
+                "sandbox-path" : "/data/storage/el1/bundle/misc"
            }, {
                "src-path" : "/data/local/ark-cache/<PackageName>",
                "sandbox-path" : "/data/storage/ark-cache"
--- a/modules/sandbox/appspawn_sandbox.c
+++ b/modules/sandbox/appspawn_sandbox.c
@ -102,11 +102,11 @@ int SandboxMountPath(const MountArg *arg)

    int ret = mount(arg->originPath, arg->destinationPath, arg->fsType, arg->mountFlags, arg->options);
    if (ret != 0) {
-        if (arg->originPath != NULL && strstr(arg->originPath, "/data/app/el2/") != NULL) {
-            CheckDirRecursive(arg->originPath);
-        }
        APPSPAWN_LOGW("errno is: %{public}d, bind mount %{public}s => %{public}s",
            errno, arg->originPath, arg->destinationPath);
+        if (strstr(arg->originPath, "/data/app/el1/") != NULL || strstr(arg->originPath, "/data/app/el2/") != NULL) {
+            CheckDirRecursive(arg->originPath);
+        }
        return errno;
    }
    ret = mount(NULL, arg->destinationPath, NULL, arg->mountSharedFlag, NULL);
@ -467,11 +467,13 @@ static int DoSandboxPathNodeMount(const SandboxContext *context,
    }
    CreateDemandSrc(context, sandboxNode, &args);

+    int ret = 0;
    if (CHECK_FLAGS_BY_INDEX(operation, MOUNT_PATH_OP_UNMOUNT)) {  // unmount this deps
        APPSPAWN_LOGV("umount2 %{public}s", args.destinationPath);
-        umount2(args.destinationPath, MNT_DETACH);
+        ret = umount2(args.destinationPath, MNT_DETACH);
+        APPSPAWN_CHECK_ONLY_LOG(ret == 0, "Failed to umount %{public}s errno %{public}d", args.destinationPath, errno);
    }
-    int ret = 0;
+
    ret = DoSandboxMountByCategory(context, sandboxNode, &args, operation);
    if (ret != 0 && sandboxNode->checkErrorFlag) {
        APPSPAWN_LOGE("Failed to mount config, section: %{public}s result: %{public}d category: %{public}d",
--- a/modules/sandbox/sandbox_load.c
+++ b/modules/sandbox/sandbox_load.c
@ -677,6 +677,7 @@ int LoadAppSandboxConfig(AppSpawnSandboxCfg *sandbox, RunMode mode)
 {
    APPSPAWN_CHECK_ONLY_EXPER(sandbox != NULL, return APPSPAWN_ARG_INVALID);
    const char *sandboxName = GetSandboxNameByMode(mode);
+    APPSPAWN_LOGV("Get sandboxName %{public}s by mode %{public}d", sandboxName, mode);
    if (sandbox->depGroupNodes != NULL) {
        APPSPAWN_LOGW("Sandbox has been load");
        return 0;
--- a/modules/sandbox/sandbox_manager.c
+++ b/modules/sandbox/sandbox_manager.c
@ -495,7 +495,7 @@ APPSPAWN_STATIC int PreLoadIsoLatedSandboxCfg(AppSpawnMgr *content)
    APPSPAWN_CHECK_ONLY_EXPER(sandbox != NULL, return APPSPAWN_SYSTEM_ERROR);
    OH_ListAddTail(&content->extData, &sandbox->extData.node);

-    // load app sandbox config
+    // load isolated sandbox config
    LoadAppSandboxConfig(sandbox, MODE_FOR_NATIVE_SPAWN);
    sandbox->maxPermissionIndex = PermissionRenumber(&sandbox->permissionQueue);

@ -515,8 +515,12 @@ APPSPAWN_STATIC int PreLoadSandboxCfg(AppSpawnMgr *content)
    APPSPAWN_CHECK_ONLY_EXPER(sandbox != NULL, return APPSPAWN_SYSTEM_ERROR);
    OH_ListAddTail(&content->extData, &sandbox->extData.node);

-    // load app sandbox config
+    // load app/nweb sandbox config
+    if (IsNWebSpawnMode(content)) {
+        LoadAppSandboxConfig(sandbox, MODE_FOR_NWEB_SPAWN);
+    } else {
        LoadAppSandboxConfig(sandbox, MODE_FOR_APP_SPAWN);
+    }
    sandbox->maxPermissionIndex = PermissionRenumber(&sandbox->permissionQueue);

    content->content.sandboxNsFlags = 0;
--- a/modules/sandbox/sandbox_utils.cpp
+++ b/modules/sandbox/sandbox_utils.cpp
@ -287,7 +287,7 @@ int32_t SandboxUtils::DoAppSandboxMountOnce(const char *originPath, const char *
    }

    ret = mount(nullptr, destinationPath, nullptr, mountSharedFlag, nullptr);
-    APPSPAWN_CHECK(ret == 0, return ret, "errno is: %{public}d, private mount to %{public}s %{public}u failed",
+    APPSPAWN_CHECK(ret == 0, return ret, "errno is: %{public}d, private mount to %{public}s '%{public}u' failed",
        errno, destinationPath, mountSharedFlag);
    return 0;
 }