add sandbox dir

Signed-off-by: wangfeng <wangfeng277@huawei.com>
wangfeng 2023-11-04 20:08:48 +08:00
parent e50ca93262
commit 36713f9562
6 changed files with 165 additions and 37 deletions


@ -77,6 +77,7 @@ ohos_executable("appspawn") {
"hilog:libhilog",
"hitrace:hitrace_meter",
"init:libbegetutil",
"os_account:os_account_innerkits",
"resource_management:global_resmgr",
]
if (build_selinux) {
@ -141,6 +142,7 @@ ohos_static_library("appspawn_server") {
"hilog:libhilog",
"init:libbegetutil",
"netmanager_base:netsys_client",
"os_account:os_account_innerkits",
]
if (!defined(global_parts_info) ||


@ -585,6 +585,72 @@
"sandbox-flags": [ "bind", "rec" ]
}
]
}],
"ohos.permission.FILE_CROSS_APP":[{
"sandbox-switch": "ON",
"sandbox-root": "/mnt/sandbox/<PackageName>",
"gids": [1009],
"mount-paths": [{
"src-path": "/storage/media/<currentUserId>/local/files/Docs",
"sandbox-path": "/storage/Users/<currentUserId>",
"sandbox-flags": [ "bind", "rec" ]
},
{
"src-path": "/storage/media/<currentUserId>/local/files/Download",
"sandbox-path": "/storage/Users/<currentUserId>/Download",
"sandbox-flags": [ "bind", "rec" ]
},
{
"src-path": "/storage/media/<currentUserId>/local/files/Documents",
"sandbox-path": "/storage/Users/<currentUserId>/Documents",
"sandbox-flags": [ "bind", "rec" ]
},
{
"src-path": "/storage/media/<currentUserId>/local/files/Desktop",
"sandbox-path": "/storage/Users/<currentUserId>/Desktop",
"sandbox-flags": [ "bind", "rec" ]
},
{
"src-path": "/data/app/el1/<currentUserId>/base",
"sandbox-path": "/storage/Users/<currentUserId>/appdata/el1",
"sandbox-flags": [ "bind", "rec" ]
},
{
"src-path": "/data/app/el2/<currentUserId>/base",
"sandbox-path": "/storage/Users/<currentUserId>/appdata/el2",
"sandbox-flags": [ "bind", "rec" ]
},
{
"src-path": "/data/service/el1/public/storage_daemon/share/public",
"sandbox-path": "/storage/Share",
"sandbox-flags": [ "bind", "rec" ]
},
{
"src-path": "/mnt/data/external",
"sandbox-path": "/storage/External",
"sandbox-flags": [ "bind", "rec" ]
},
{
"src-path": "/data/app/el1/<currentUserId>/base",
"sandbox-path": "/data/storage/el1/base",
"sandbox-flags": [ "bind", "rec" ]
},
{
"src-path": "/data/app/el1/<currentUserId>/database",
"sandbox-path": "/data/storage/el1/database",
"sandbox-flags": [ "bind", "rec" ]
},
{
"src-path": "/data/app/el2/<currentUserId>/base",
"sandbox-path": "/data/storage/el2/base",
"sandbox-flags": [ "bind", "rec" ]
},
{
"src-path": "/data/app/el2/<currentUserId>/database",
"sandbox-path": "/data/storage/el2/database",
"sandbox-flags": [ "bind", "rec" ]
}
]
}]
}]
}
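Review bot: Every app granted ohos.permission.FILE_CROSS_APP receives a read-write, recursive bind of the entire per-user app data trees — `/data/app/el1/<currentUserId>/base`, `/data/app/el2/<currentUserId>/base` and both `database` directories — via the `/storage/Users/<currentUserId>/appdata/el1`, `/appdata/el2`, `/data/storage/el1/base`, `/data/storage/el1/database`, `/data/storage/el2/base` and `/data/storage/el2/database` entries, and the only flags given are `"bind", "rec"`, so the holder can read and modify every other app's private el1/el2 data for that user. If that breadth is intended it should be stated next to the permission definition, and where the flag vocabulary accepted by GetMountFlagsFromConfig/ConvertFlagStr supports it the `appdata` views should at least be mounted read-only with nosuid/nodev, e.g. `"sandbox-flags": [ "bind", "rec", "ro" ]` (confirm the accepted flag names). The last four entries also place the user-wide `base`/`database` directories at `/data/storage/el1/...` and `/data/storage/el2/...`, which are presumably the app's own data mount points from the common section; if so, this later permission mount layers over the app's view of its own data and deserves a check. The same `el1/<currentUserId>/base` source is mounted twice (to `/storage/Users/.../appdata/el1` and to `/data/storage/el1/base`), which may be deliberate but is worth a note in the config.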


@ -45,7 +45,8 @@
"hisysevent",
"security_component_manager",
"netmanager",
"ace_engine"
"ace_engine",
"os_account"
],
"third_party": [
"bounds_checking_function",


@ -130,6 +130,7 @@ ohos_unittest("AppSpawn_ut") {
"init:seccomp",
"ipc:ipc_core",
"napi:ace_napi",
"os_account:os_account_innerkits",
"resource_management:global_resmgr",
]


@ -93,6 +93,12 @@ private:
static int32_t SetPermissionAppSandboxProperty(ClientSocket::AppProperty *appProperty);
static int32_t DoAddGid(ClientSocket::AppProperty *appProperty,
nlohmann::json &appConfig, const char* permissionName, const std::string &section);
static void ConvertSandboxName(const ClientSocket::AppProperty *appProperty, const std::string &section,
std::string &sandboxPath);
static bool GetProductDeviceType();
static int32_t SetSandboxProperty(ClientSocket::AppProperty *appProperty, std::string &sandboxPackagePath);
static int32_t ChangeCurrentDir(std::string &sandboxPackagePath, const std::string &bundleName,
bool sandboxSharedStatus);
private:
static nlohmann::json appNamespaceConfig_;
static std::vector<nlohmann::json> appSandboxConfig_;
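Review bot: `ChangeCurrentDir` declares `std::string &sandboxPackagePath` as a mutable reference although the implementation in the .cpp only reads it through `c_str()`; declare it `const std::string &sandboxPackagePath` so the signature states intent and const paths can be passed. `SetSandboxProperty` likewise takes `sandboxPackagePath` by mutable reference; if none of the property setters it forwards to modify the string, make that `const` as well. The new private declarations carry no comments; one-liners such as `// Switches into the sandbox root: chroot when the sandbox is shared, otherwise pivot_root and detach the old root` on `ChangeCurrentDir`, and `// Replaces the numeric user id in a permission-section path with the OS account short name when FILE_CROSS_APP_MODE is set` on `ConvertSandboxName`, would document the non-obvious branches. The enclosing class body starts and ends outside this hunk.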


@ -33,6 +33,8 @@
#include "appspawn_server.h"
#include "appspawn_service.h"
#include "appspawn_mount_permission.h"
#include "parameter.h"
#include "os_account_manager.h"
#ifdef WITH_SELINUX
#include "hap_restorecon.h"
@ -41,6 +43,9 @@
using namespace std;
using namespace OHOS;
static constexpr int MAX_VALUE_LENGTH = PARAM_CONST_VALUE_LEN_MAX;
static constexpr int FILE_CROSS_APP_MODE = 0x02;
namespace OHOS {
namespace AppSpawn {
namespace {
@ -431,6 +436,20 @@ static uint32_t ConvertFlagStr(const std::string &flagStr)
return 0;
}
void SandboxUtils::ConvertSandboxName(const ClientSocket::AppProperty *appProperty, const std::string &section,
std::string &sandboxPath)
{
if (sandboxPath.find(std::to_string(appProperty->uid / UID_BASE)) != std::string::npos) {
if (section.compare("permission") == 0 && appProperty->mountPermissionFlags == FILE_CROSS_APP_MODE) {
std::string shortName;
OHOS::AccountSA::OsAccountManager::GetOsAccountShortName(shortName);
sandboxPath = replace_all(sandboxPath, std::to_string(appProperty->uid / UID_BASE), shortName.c_str());
} else {
sandboxPath = replace_all(sandboxPath, g_userId, std::to_string(appProperty->uid / UID_BASE));
}
}
}
int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProperty,
nlohmann::json &appConfig, const std::string &section)
{
@ -463,6 +482,7 @@ int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProper
std::string srcPath = ConvertToRealPath(appProperty, mntPoint[g_srcPath].get<std::string>());
std::string sandboxPath = sandboxRoot + ConvertToRealPath(appProperty,
mntPoint[g_sandBoxPath].get<std::string>());
ConvertSandboxName(appProperty, section, sandboxPath);
unsigned long mountFlags = GetMountFlagsFromConfig(mntPoint[g_sandBoxFlags].get<std::vector<std::string>>());
std::string fsType = (mntPoint.find(g_fsType) != mntPoint.end()) ? mntPoint[g_fsType].get<std::string>() : "";
const char* fsTypePoint = fsType.empty() ? nullptr : fsType.c_str();
@ -1080,6 +1100,65 @@ int32_t SandboxUtils::SetBundleResourceAppSandboxProperty(const ClientSocket::Ap
return ret;
}
bool SandboxUtils::GetProductDeviceType()
{
char value[MAX_VALUE_LENGTH];
int32_t ret = GetParameter("const.product.deviceType", "0", value, MAX_VALUE_LENGTH);
APPSPAWN_CHECK(ret > 0 && (!strcmp(value, "2in1")), return false, "Not device type %{public}s", value);
return true;
}
int32_t SandboxUtils::SetSandboxProperty(ClientSocket::AppProperty *appProperty,
std::string &sandboxPackagePath)
{
int32_t ret = 0;
const std::string bundleName = appProperty->bundleName;
ret = SetCommonAppSandboxProperty(appProperty, sandboxPackagePath);
APPSPAWN_CHECK(ret == 0, return ret, "SetCommonAppSandboxProperty failed, packagename is %{public}s",
bundleName.c_str());
if (CheckBundleNameForPrivate(bundleName)) {
ret = SetPrivateAppSandboxProperty(appProperty);
APPSPAWN_CHECK(ret == 0, return ret, "SetPrivateAppSandboxProperty failed, packagename is %{public}s",
bundleName.c_str());
}
ret = SetPermissionAppSandboxProperty(appProperty);
APPSPAWN_CHECK(ret == 0, return ret, "SetPermissionAppSandboxProperty failed, packagename is %{public}s",
bundleName.c_str());
ret = SetOverlayAppSandboxProperty(appProperty, sandboxPackagePath);
APPSPAWN_CHECK(ret == 0, return ret, "SetOverlayAppSandboxProperty failed, packagename is %s",
bundleName.c_str());
ret = SetBundleResourceAppSandboxProperty(appProperty, sandboxPackagePath);
APPSPAWN_CHECK(ret == 0, return ret, "SetBundleResourceAppSandboxProperty failed, packagename is %s",
bundleName.c_str());
return ret;
}
int32_t SandboxUtils::ChangeCurrentDir(std::string &sandboxPackagePath, const std::string &bundleName,
bool sandboxSharedStatus)
{
int32_t ret = 0;
ret = chdir(sandboxPackagePath.c_str());
APPSPAWN_CHECK(ret == 0, return ret, "chdir failed, packagename is %{public}s, path is %{public}s",
bundleName.c_str(), sandboxPackagePath.c_str());
if (sandboxSharedStatus) {
ret = chroot(sandboxPackagePath.c_str());
APPSPAWN_CHECK(ret == 0, return ret, "chroot failed, path is %{public}s errno is %{public}d",
sandboxPackagePath.c_str(), errno);
return ret;
}
ret = syscall(SYS_pivot_root, sandboxPackagePath.c_str(), sandboxPackagePath.c_str());
APPSPAWN_CHECK(ret == 0, return ret, "errno is %{public}d, pivot root failed, packagename is %{public}s",
errno, bundleName.c_str());
ret = umount2(".", MNT_DETACH);
APPSPAWN_CHECK(ret == 0, return ret, "MNT_DETACH failed, packagename is %{public}s", bundleName.c_str());
return ret;
}
int32_t SandboxUtils::SetAppSandboxProperty(AppSpawnClient *client)
{
APPSPAWN_CHECK(client != NULL, return -1, "Invalid appspwn client");
@ -1093,6 +1172,7 @@ int32_t SandboxUtils::SetAppSandboxProperty(AppSpawnClient *client)
bool sandboxSharedStatus = GetSandboxPrivateSharedStatus(bundleName);
sandboxPackagePath += bundleName;
MakeDirRecursive(sandboxPackagePath.c_str(), FILE_MODE);
int rc = 0;
// when CLONE_NEWPID is enabled, CLONE_NEWNS must be enabled.
if (!(client->cloneFlags & CLONE_NEWPID)) {
@ -1101,6 +1181,10 @@ int32_t SandboxUtils::SetAppSandboxProperty(AppSpawnClient *client)
APPSPAWN_CHECK(rc == 0, return rc, "unshare failed, packagename is %{public}s", bundleName.c_str());
}
if (GetProductDeviceType()) {
appProperty->mountPermissionFlags |= FILE_CROSS_APP_MODE;
}
// check app sandbox switch
if ((CheckTotalSandboxSwitchStatus(appProperty) == false) ||
(CheckAppSandboxSwitchStatus(appProperty) == false)) {
@ -1109,44 +1193,12 @@ int32_t SandboxUtils::SetAppSandboxProperty(AppSpawnClient *client)
rc = DoSandboxRootFolderCreate(appProperty, sandboxPackagePath);
}
APPSPAWN_CHECK(rc == 0, return rc, "DoSandboxRootFolderCreate failed, %{public}s", bundleName.c_str());
rc = SetCommonAppSandboxProperty(appProperty, sandboxPackagePath);
APPSPAWN_CHECK(rc == 0, return rc, "SetCommonAppSandboxProperty failed, packagename is %{public}s",
bundleName.c_str());
if (CheckBundleNameForPrivate(bundleName)) {
rc = SetPrivateAppSandboxProperty(appProperty);
APPSPAWN_CHECK(rc == 0, return rc, "SetPrivateAppSandboxProperty failed, packagename is %{public}s",
bundleName.c_str());
}
rc = SetPermissionAppSandboxProperty(appProperty);
APPSPAWN_CHECK(rc == 0, return rc, "SetPermissionAppSandboxProperty failed, packagename is %{public}s",
bundleName.c_str());
rc = SetOverlayAppSandboxProperty(appProperty, sandboxPackagePath);
APPSPAWN_CHECK(rc == 0, return rc, "SetOverlayAppSandboxProperty failed, packagename is %s",
bundleName.c_str());
rc = SetBundleResourceAppSandboxProperty(appProperty, sandboxPackagePath);
APPSPAWN_CHECK(rc == 0, return rc, "SetBundleResourceAppSandboxProperty failed, packagename is %s",
bundleName.c_str());
rc = SetSandboxProperty(appProperty, sandboxPackagePath);
APPSPAWN_CHECK(rc == 0, return rc, "SetSandboxProperty failed, %{public}s", bundleName.c_str());
#ifndef APPSPAWN_TEST
rc = chdir(sandboxPackagePath.c_str());
APPSPAWN_CHECK(rc == 0, return rc, "chdir failed, packagename is %{public}s, path is %{public}s",
bundleName.c_str(), sandboxPackagePath.c_str());
if (sandboxSharedStatus) {
rc = chroot(sandboxPackagePath.c_str());
APPSPAWN_CHECK(rc == 0, return rc, "chroot failed, path is %{public}s errno is %{public}d",
sandboxPackagePath.c_str(), errno);
return 0;
}
rc = syscall(SYS_pivot_root, sandboxPackagePath.c_str(), sandboxPackagePath.c_str());
APPSPAWN_CHECK(rc == 0, return rc, "errno is %{public}d, pivot root failed, packagename is %{public}s",
errno, bundleName.c_str());
rc = umount2(".", MNT_DETACH);
APPSPAWN_CHECK(rc == 0, return rc, "MNT_DETACH failed, packagename is %{public}s", bundleName.c_str());
rc = ChangeCurrentDir(sandboxPackagePath, bundleName, sandboxSharedStatus);
APPSPAWN_CHECK(rc == 0, return rc, "change current dir failed");
#endif
return 0;
}
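Review bot: In the hunk at `if (GetProductDeviceType())` the FILE_CROSS_APP_MODE bit is ORed into `appProperty->mountPermissionFlags` for every spawned app solely because `const.product.deviceType` reports `2in1`, with no check that the app actually holds ohos.permission.FILE_CROSS_APP; if `SetPermissionAppSandboxProperty` (not visible here) derives the permission sections to mount from `mountPermissionFlags`, this hands the cross-app mounts to every app on such devices, so the bit should only be set for clients that already carry that permission. Related, `ConvertSandboxName` tests `appProperty->mountPermissionFlags == FILE_CROSS_APP_MODE` while this hunk sets the bit with `|=`, so any other permission bit present defeats the short-name substitution; use `(appProperty->mountPermissionFlags & FILE_CROSS_APP_MODE) != 0`. In the same helper the return value of `OsAccountManager::GetOsAccountShortName(shortName)` is ignored, and `replace_all` rewrites every occurrence of the numeric user id anywhere in the path, presumably including the expanded `/mnt/sandbox/<PackageName>` prefix when the bundle name happens to contain those digits; check the return code and skip or fail the substitution when `shortName` is empty, and restrict the replacement to the path segment that came from the `<currentUserId>` placeholder. `SetAppSandboxProperty` spans several hunks and its body is not fully visible here.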