From 40994ab4eb1cb2bb93bc3ff683bd0a4bbb78c72a Mon Sep 17 00:00:00 2001
From: zhangkaixiang
Date: Thu, 4 Jan 2024 13:53:07 +0000
Subject: [PATCH] add user id for sandbox root dir

Signed-off-by: zhangkaixiang
Change-Id: Ib496af3736c5303bc481e4cba57ce52c8ea2ef59
---
 appdata-sandbox.json | 26 +-------------------------
 etc/sandbox/appdata_sandbox_fixer.py | 4 ++--
 standard/appspawn_service.c | 9 +++++++--
 util/src/sandbox_utils.cpp | 6 +++---
 4 files changed, 13 insertions(+), 32 deletions(-)
diff --git a/appdata-sandbox.json b/appdata-sandbox.json
index 1c861bd5..6b15cd8b 100755
--- a/appdata-sandbox.json
+++ b/appdata-sandbox.json
@@ -2,7 +2,6 @@
 "common" : [{
 "top-sandbox-switch": "ON",
 "app-base" : [{
- "sandbox-root" : "/mnt/sandbox/",
 "sandbox-ns-flags": [ "pid" ],
 "mount-paths" : [{
 "src-path" : "/config",
@@ -95,7 +94,7 @@
 "sandbox-flags" : [ "bind", "rec" ],
 "check-action-status": "true"
 }, {
- "src-path" : "/mnt/sandbox//data/storage/el2",
+ "src-path" : "/mnt/sandbox///data/storage/el2",
 "sandbox-path" : "/data/storage/el2",
 "sandbox-flags" : [ "bind", "rec" ],
 "check-action-status": "false"
@@ -216,7 +215,6 @@
 ]
 }],
 "app-resources" : [{
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/app/el1/bundle/public/com.ohos.nweb",
 "sandbox-path" : "/data/storage/el1/bundle/nweb",
@@ -251,7 +249,6 @@
 ],
 "flags-point" : [{
 "flags": "DLP_MANAGER",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/app/el2//base/",
 "sandbox-path" : "/data/storage/el2/base",
@@ -285,7 +282,6 @@
 }
 ]}, {
 "flags": "START_FLAGS_BACKUP",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths": [{
 "src-path": "/data/service/el2//backup/bundles/",
 "sandbox-path": "/data/storage/el2/backup",
@@ -306,7 +302,6 @@
 "individual" : [{
 "com.huawei.ohos.hiviewx" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/log/",
 "sandbox-path" : "/data/log/",
@@ -318,7 +313,6 @@
 }],
 "com.huawei.ohos.betaclub" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/log/",
 "sandbox-path" : "/data/log/",
@@ -330,7 +324,6 @@
 }],
 "com.ohos.medialibrary.medialibrarydata" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/storage/media/",
 "sandbox-path" : "/storage/media",
@@ -363,7 +356,6 @@
 }],
 "com.ohos.launcher" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/app/el1/bundle/public/",
 "sandbox-path" : "/data/bundles/",
@@ -375,7 +367,6 @@
 }],
 "com.ohos.systemui" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/app/el1/bundle/public/",
 "sandbox-path" : "/data/app/el1/bundle/public/",
@@ -387,7 +378,6 @@
 }],
 "com.ohos.sceneboard" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/app/el1/bundle/public/",
 "sandbox-path" : "/data/app/el1/bundle/public/",
@@ -399,7 +389,6 @@
 }],
 "com.ohos.permissionmanager" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/app/el1/bundle/public/",
 "sandbox-path" : "/data/bundles/",
@@ -411,7 +400,6 @@
 }],
 "com.ohos.certmanager" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/app/el1/bundle/public/",
 "sandbox-path" : "/data/bundles/",
@@ -423,7 +411,6 @@
 }],
 "com.ohos.amsdialog" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/app/el1/bundle/public/",
 "sandbox-path" : "/data/bundles/",
@@ -435,11 +422,9 @@
 }],
 "ohos.samples.ecg" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [],
 "flags-point" : [{
 "flags": "NOT_SUPPORTED",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/app/el1/bundle/public/",
 "sandbox-path" : "/data/bundles/",
@@ -448,7 +433,6 @@
 }
 ]}, {
 "flags": "START_FLAGS_BACKUP",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/app/el1/bundle/public/",
 "sandbox-path" : "/data/bundles/",
@@ -461,7 +445,6 @@
 }],
 "com.ohos.dlpmanager" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "sandbox-shared" : "true",
 "mount-paths" : [{
 "src-path" : "/mnt/data/",
@@ -481,7 +464,6 @@
 }],
 "com.ohos.UserFile.ExternalFileManager" : [{
 "sandbox-switch": "ON",
- "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/data/service/el1/public/storage_daemon/share/public",
 "sandbox-path" : "/data/storage/el1/bundle/storage_daemon",
@@ -587,7 +569,6 @@
 "permission":[{
 "ohos.permission.FILE_ACCESS_MANAGER":[{
 "sandbox-switch": "ON",
- "sandbox-root": "/mnt/sandbox/",
 "gids": [1006, 1008],
 "mount-paths": [{
 "src-path": "/data/service/el1/public/storage_daemon/share/public",
@@ -620,7 +601,6 @@
 }],
 "ohos.permission.READ_IMAGEVIDEO":[{
 "sandbox-switch": "ON",
- "sandbox-root": "/mnt/sandbox/",
 "gids": [1008],
 "mount-paths": [{
 "src-path": "/data/service/el2//hmdfs/account/files/.thumbs/Photo",
@@ -631,7 +611,6 @@
 }],
 "ohos.permission.FILE_CROSS_APP":[{
 "sandbox-switch": "ON",
- "sandbox-root": "/mnt/sandbox/",
 "gids": [1006],
 "mount-paths": [{
 "src-path": "/storage/media//local/files/Docs",
@@ -669,7 +648,6 @@
 }],
 "ohos.permission.ACTIVATE_THEME_PACKAGE":[{
 "sandbox-switch": "ON",
- "sandbox-root": "/mnt/sandbox/",
 "mount-paths": [{
 "src-path": "/data/service/el1/public/themes//a/system",
 "sandbox-path": "/data/themes/a/system",
@@ -684,7 +662,6 @@
 }],
 "ohos.permission.GET_WALLPAPER":[{
 "sandbox-switch": "ON",
- "sandbox-root": "/mnt/sandbox/",
 "mount-paths": [{
 "src-path": "/data/service/el1/public/wallpaper/",
 "sandbox-path": "/data/wallpaper",
@@ -694,7 +671,6 @@
 }],
 "ohos.permission.ACCESS_BUNDLE_DIR":[{
 "sandbox-switch": "ON",
- "sandbox-root": "/mnt/sandbox/",
 "gids": [1010],
 "mount-paths": [{
 "src-path": "/data/app/el1/bundle/public",
diff --git a/etc/sandbox/appdata_sandbox_fixer.py b/etc/sandbox/appdata_sandbox_fixer.py
index f113e51c..2e7b9c51 100755
--- a/etc/sandbox/appdata_sandbox_fixer.py
+++ b/etc/sandbox/appdata_sandbox_fixer.py
@@ -30,13 +30,13 @@ APP_SANDBOX_DEFAULT = '''
 "common" : [{
 "top-sandbox-switch": "ON",
 "app-base" : [{
- "sandbox-root" : "/mnt/sandbox/",
+ "sandbox-root" : "/mnt/sandbox//",
 "mount-paths" : [],
 "symbol-links": [],
 "flags-point" : []
 }],
 "app-resources" : [{
- "sandbox-root" : "/mnt/sandbox/",
+ "sandbox-root" : "/mnt/sandbox//",
 "mount-paths" : [],
 "flags-point" : [],
 "symbol-links" : []
diff --git a/standard/appspawn_service.c b/standard/appspawn_service.c
index f6016814..e0e4edaf 100644
--- a/standard/appspawn_service.c
+++ b/standard/appspawn_service.c
@@ -267,16 +267,21 @@ void MakeDirRec(const char *path)
 static void MountAppEl2Dir(const AppSpawnClient* client)
 {
+ const int userIdBase = 200000;
 const char rootPath[] = "/mnt/sandbox/";
 const char el2Path[] = "/data/storage/el2";
 AppParameter *appProperty = &((AppSpawnClientExt *)client)->property;
 if (IsUnlockStatus(appProperty->uid)) {
 return;
 }
- size_t allPathSize = strlen(rootPath) + strlen(el2Path) + strlen(appProperty->bundleName) + 1;
+
+ char userId[USER_ID_SIZE] = {0};
+ size_t len = sprintf_s(userId, USER_ID_SIZE, "%u", appProperty->uid);
+ APPSPAWN_CHECK(len > 0 && (len < USER_ID_SIZE), return true, "Failed to get userId");
+ size_t allPathSize = strlen(rootPath) + strlen(el2Path) + strlen(appProperty->bundleName) + strlen(userId) + 1;
 char *path = malloc(sizeof(char) * (allPathSize));
 APPSPAWN_CHECK(path != NULL, return, "Failed to malloc path");
- size_t len = sprintf_s(path, allPathSize, "%s%s%s", rootPath,
+ size_t len = sprintf_s(path, allPathSize, "%s%s/%s%s", rootPath, userId,
 appProperty->bundleName, el2Path);
 APPSPAWN_CHECK(len > 0 && (len < allPathSize), return, "Failed to get el2 path");
diff --git a/util/src/sandbox_utils.cpp b/util/src/sandbox_utils.cpp
index 7e2df693..c3394197 100644
--- a/util/src/sandbox_utils.cpp
+++ b/util/src/sandbox_utils.cpp
@@ -314,7 +314,7 @@ std::string SandboxUtils::GetSbxPathByConfig(const ClientSocket::AppProperty *ap
 sandboxRoot = config[g_sandboxRootPrefix].get();
 sandboxRoot = ConvertToRealPath(appProperty, sandboxRoot);
 } else {
- sandboxRoot = g_sandBoxDir + appProperty->bundleName;
+ sandboxRoot = g_sandBoxDir + appProperty->bundleName + "/" + to_string(appProperty->uid / UID_BASE);
 APPSPAWN_LOGE("read sandbox-root config failed, set sandbox-root to default root"
 "app name is %{public}s", appProperty->bundleName);
 }
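Review bot: The el2 path built in MountAppEl2Dir will not match the sandbox root that the C++ side creates: `userIdBase` is declared but never used, so `userId` is formatted from the full `appProperty->uid`, whereas util/src/sandbox_utils.cpp uses `uid / UID_BASE`. `allPathSize` also leaves no room for the `/` that the new format string `"%s%s/%s%s"` inserts, so the second `sprintf_s` should report truncation on every call and the el2 bind mount would then be skipped. As shown, the added lines are also unlikely to build cleanly, because `size_t len` is declared twice in the same scope and the first check uses `return true` in a `void` function. The function continues past the end of the hunk; a corrected version of the added lines follows.

```c
    char userId[USER_ID_SIZE] = {0};
    size_t idLen = sprintf_s(userId, USER_ID_SIZE, "%u", appProperty->uid / userIdBase);
    APPSPAWN_CHECK(idLen > 0 && (idLen < USER_ID_SIZE), return, "Failed to get userId");
    /* one byte for the '/' after userId, one for the terminating NUL */
    size_t allPathSize = strlen(rootPath) + strlen(userId) + 1 +
        strlen(appProperty->bundleName) + strlen(el2Path) + 1;
    /* … unchanged: malloc of path and its NULL check … */
    size_t len = sprintf_s(path, allPathSize, "%s%s/%s%s", rootPath, userId,
        appProperty->bundleName, el2Path);
```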
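Review bot: The fallback root built in the `else` branch of GetSbxPathByConfig puts the path components in the opposite order to the rest of the commit: this line yields `<g_sandBoxDir><bundleName>/<userId>`, while SetAppSandboxProperty (last hunk of this file) builds `<g_sandBoxRootDir><userId>/<bundleName>`. Because the same commit removes every `"sandbox-root"` entry from appdata-sandbox.json, this branch is presumably now the one taken for most apps, so mounts resolved against it would land outside the directory that was prepared for the app. I would write `sandboxRoot = g_sandBoxDir + to_string(appProperty->uid / UID_BASE) + "/" + appProperty->bundleName;` and, if a missing key is now the expected case, stop reporting it through `APPSPAWN_LOGE` as a failure. The `if` condition and the values of `g_sandBoxDir` and `g_sandBoxRootDir` are outside the hunk, so this needs checking against them.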
@@ -978,7 +978,7 @@ int32_t SandboxUtils::DoSandboxRootFolderCreateAdapt(std::string &sandboxPackage
 #endif
 MakeDirRecursive(sandboxPackagePath, FILE_MODE);
- // bind mount "/" to /mnt/sandbox/ path
+ // bind mount "/" to /mnt/sandbox// path
 // rootfs: to do more resources bind mount here to get more strict resources constraints
 #ifndef APPSPAWN_TEST
 rc = mount("/", sandboxPackagePath.c_str(), NULL, BASIC_MOUNT_FLAGS, NULL);
@@ -1271,7 +1271,7 @@ int32_t SandboxUtils::SetAppSandboxProperty(AppSpawnClient *client)
 if (CheckBundleName(appProperty->bundleName) != 0) {
 return -1;
 }
- std::string sandboxPackagePath = g_sandBoxRootDir;
+ std::string sandboxPackagePath = g_sandBoxRootDir + to_string(appProperty->uid / UID_BASE) + "/";
 const std::string bundleName = appProperty->bundleName;
 bool sandboxSharedStatus = GetSandboxPrivateSharedStatus(bundleName);
 sandboxPackagePath += bundleName;
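Review bot: Nothing at `std::string sandboxPackagePath = g_sandBoxRootDir + to_string(appProperty->uid / UID_BASE) + "/";` in SetAppSandboxProperty records that the sandbox root is now `<root>/<userId>/<bundleName>`, although the el2 path in standard/appspawn_service.c and the fallback in GetSbxPathByConfig both have to agree with it. I would add `// per-user sandbox root: <g_sandBoxRootDir><userId>/<bundleName>, userId = uid / UID_BASE` above the line. The new `<userId>` level appears to be created only as a side effect of `MakeDirRecursive(sandboxPackagePath, FILE_MODE)` in the previous hunk, so it is worth confirming that `FILE_MODE` is the intended mode for a directory that separates users. The function body continues outside the hunk.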