!1215 delete FILE_ACCESS_MANAGER permission Docs mount paht

Merge pull request !1215 from wangfenging/master
openharmony_ci 2024-06-14 11:17:25 +00:00 committed by Gitee
commit 48ad063494
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
11 changed files with 91 additions and 52 deletions


@ -189,7 +189,7 @@
"src-path": "/storage/cloud/<currentUserId>/files/.thumbs/Photo"
}]
}, {
"name": "ohos.permission.ENABLE_FILE_CROSS_APP",
"name": "ohos.permission.FILE_CROSS_APP",
"gids": ["file_manager"],
"mount-paths": [{
"src-path": "/storage/media/<currentUserId>/local/files/Docs",


@ -618,7 +618,7 @@
}
]
}],
"ohos.permission.ENABLE_FILE_CROSS_APP":[{
"ohos.permission.FILE_CROSS_APP":[{
"sandbox-switch": "ON",
"gids": [1006],
"mount-paths": [{


@ -66,7 +66,7 @@ extern "C" {
#define MOUNT_PATH_OP_ONLY_SANDBOX (SANDBOX_TAG_INVALID + 2)
#define MOUNT_PATH_OP_REPLACE_BY_SANDBOX (SANDBOX_TAG_INVALID + 3)
#define MOUNT_PATH_OP_REPLACE_BY_SRC (SANDBOX_TAG_INVALID + 4)
#define ENABLE_FILE_CROSS_APP_MODE "ohos.permission.ENABLE_FILE_CROSS_APP"
#define FILE_CROSS_APP_MODE "ohos.permission.FILE_CROSS_APP"
typedef enum SandboxTag {
SANDBOX_TAG_MOUNT_PATH = 0,


@ -586,7 +586,7 @@ int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
APPSPAWN_CHECK(sandbox != NULL, return -1, "Failed to get sandbox for %{public}s", GetProcessName(property));
if (sandbox->appFullMountEnable) {
int index = GetPermissionIndexInQueue(&sandbox->permissionQueue, ENABLE_FILE_CROSS_APP_MODE);
int index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_CROSS_APP_MODE);
if (index > 0) {
SetAppPermissionFlags(property, index);
}


@ -50,7 +50,7 @@ using namespace OHOS;
namespace OHOS {
namespace AppSpawn {
namespace {
constexpr int32_t FUSE_OPTIONS_MAX_LEN = 256;
constexpr int32_t OPTIONS_MAX_LEN = 256;
constexpr int32_t DLP_FUSE_FD = 1000;
constexpr int32_t APP_LOG_DIR_GID = 1007;
constexpr int32_t APP_DATABASE_DIR_GID = 3012;
@ -119,9 +119,11 @@ namespace {
const std::string g_sandBoxRootDir = "/mnt/sandbox/";
const std::string g_ohosRender = "__internal__.com.ohos.render";
const std::string g_sandBoxRootDirNweb = "/mnt/sandbox/com.ohos.render/";
const std::string ENABLE_FILE_CROSS_APP_MODE = "ohos.permission.ENABLE_FILE_CROSS_APP";
const std::string FILE_CROSS_APP_MODE = "ohos.permission.FILE_CROSS_APP";
const std::string FILE_ACCESS_COMMON_DIR_MODE = "ohos.permission.FILE_ACCESS_COMMON_DIR";
const std::string ACCESS_DLP_FILE_MODE = "ohos.permission.ACCESS_DLP_FILE";
const std::string FILE_ACCESS_MANAGER_MODE = "ohos.permission.FILE_ACCESS_MANAGER";
const char *DOCS_FILE_NAME = "Docs";
}
static uint32_t GetAppMsgFlags(const AppSpawningCtx *property)
@ -544,10 +546,11 @@ std::string SandboxUtils::GetSbxPathByConfig(const AppSpawningCtx *appProperty,
sandboxRoot = defaultSandboxRoot;
} else {
sandboxRoot = ConvertToRealPath(appProperty, sandboxRoot);
APPSPAWN_LOGI("set sandbox-root name is %{public}s", sandboxRoot.c_str());
}
} else {
sandboxRoot = defaultSandboxRoot;
APPSPAWN_LOGI("set sandbox-root to default rootapp name is %{public}s", GetBundleName(appProperty));
APPSPAWN_LOGV("set sandbox-root to default rootapp name is %{public}s", GetBundleName(appProperty));
}
return sandboxRoot;
@ -616,7 +619,7 @@ static int32_t DoDlpAppMountStrategy(const AppSpawningCtx *appProperty,
int fd = open("/dev/fuse", O_RDWR);
APPSPAWN_CHECK(fd != -1, return -EINVAL, "open /dev/fuse failed, errno is %{public}d", errno);
char options[FUSE_OPTIONS_MAX_LEN];
char options[OPTIONS_MAX_LEN];
(void)sprintf_s(options, sizeof(options), "fd=%d,"
"rootmode=40000,user_id=%d,group_id=%d,allow_other,"
"context=\"u:object_r:dlp_fuse_file:s0\","
@ -696,22 +699,29 @@ std::string SandboxUtils::GetSandboxFsType(nlohmann::json &config)
return fsType;
}
std::string SandboxUtils::GetSandboxOptions(nlohmann::json &config)
std::string SandboxUtils::GetSandboxOptions(const AppSpawningCtx *appProperty, nlohmann::json &config)
{
AppSpawnMsgDacInfo *dacInfo = reinterpret_cast<AppSpawnMsgDacInfo *>(GetAppProperty(appProperty, TLV_DAC_INFO));
if (dacInfo == nullptr) {
return "";
}
std::string options;
const int userIdBase = 200000;
if (GetSandboxDacOverrideEnable(config) && (config.find(g_sandBoxOptions) != config.end())) {
options = config[g_sandBoxOptions].get<std::string>();
options = config[g_sandBoxOptions].get<std::string>() + ",user_id=";
options += std::to_string(dacInfo->uid / userIdBase);
} else {
options = "";
}
return options;
}
void SandboxUtils::GetSandboxMountConfig(const std::string &section, nlohmann::json &mntPoint,
SandboxMountConfig &mountConfig)
void SandboxUtils::GetSandboxMountConfig(const AppSpawningCtx *appProperty, const std::string &section,
nlohmann::json &mntPoint, SandboxMountConfig &mountConfig)
{
if (section.compare(g_permissionPrefix) == 0) {
mountConfig.optionsPoint = GetSandboxOptions(mntPoint);
mountConfig.optionsPoint = GetSandboxOptions(appProperty, mntPoint);
mountConfig.fsType = GetSandboxFsType(mntPoint);
} else {
mountConfig.fsType = (mntPoint.find(g_fsType) != mntPoint.end()) ? mntPoint[g_fsType].get<std::string>() : "";
@ -733,8 +743,38 @@ std::string SandboxUtils::GetSandboxPath(const AppSpawningCtx *appProperty, nloh
return sandboxPath;
}
static bool CheckFileMgrPermission(const AppSpawningCtx *appProperty, const char *typeName)
{
int index = GetPermissionIndex(nullptr, FILE_ACCESS_MANAGER_MODE.c_str());
if (CheckAppPermissionFlagSet(appProperty, static_cast<uint32_t>(index)) && typeName != nullptr) {
return true;
}
return false;
}
static bool IsFileManagerMountType(const AppSpawningCtx *appProperty, std::string srcPath, const char *typeName)
{
std::string permissionTypeName = typeName == nullptr ? "" : typeName;
if ((permissionTypeName.find(FILE_CROSS_APP_MODE) != std::string::npos) &&
(srcPath.find(DOCS_FILE_NAME) != std::string::npos)) {
return true;
}
return false;
}
static bool CheckMountFlag(const AppSpawningCtx *appProperty, const std::string bundleName, nlohmann::json &appConfig)
{
if (appConfig.find(g_flags) != appConfig.end()) {
if (((ConvertFlagStr(appConfig[g_flags].get<std::string>()) & GetAppMsgFlags(appProperty)) != 0) &&
bundleName.find("wps") != std::string::npos) {
return true;
}
}
return false;
}
int SandboxUtils::DoAllMntPointsMount(const AppSpawningCtx *appProperty,
nlohmann::json &appConfig, const std::string &section)
nlohmann::json &appConfig, const char *typeName, const std::string &section)
{
std::string bundleName = GetBundleName(appProperty);
if (appConfig.find(g_mountPrefix) == appConfig.end()) {
@ -743,29 +783,24 @@ int SandboxUtils::DoAllMntPointsMount(const AppSpawningCtx *appProperty,
return 0;
}
bool checkFlag = false;
if (appConfig.find(g_flags) != appConfig.end()) {
if (((ConvertFlagStr(appConfig[g_flags].get<std::string>()) & GetAppMsgFlags(appProperty)) != 0) &&
bundleName.find("wps") != std::string::npos) {
checkFlag = true;
}
}
std::string sandboxRoot = GetSbxPathByConfig(appProperty, appConfig);
bool checkFlag = CheckMountFlag(appProperty, bundleName, appConfig);
bool checkFileMgrPermission = CheckFileMgrPermission(appProperty, typeName);
nlohmann::json mountPoints = appConfig[g_mountPrefix];
std::string sandboxRoot = GetSbxPathByConfig(appProperty, appConfig);
unsigned int mountPointSize = mountPoints.size();
for (unsigned int i = 0; i < mountPointSize; i++) {
nlohmann::json mntPoint = mountPoints[i];
std::string srcPath = ConvertToRealPath(appProperty, mntPoint[g_srcPath].get<std::string>());
std::string sandboxPath = GetSandboxPath(appProperty, mntPoint, section, sandboxRoot);
if (CheckMountConfig(mntPoint, appProperty, checkFlag) == false) {
if ((CheckMountConfig(mntPoint, appProperty, checkFlag) == false) ||
(checkFileMgrPermission == true && IsFileManagerMountType(appProperty, srcPath, typeName))) {
continue;
}
std::string srcPath = ConvertToRealPath(appProperty, mntPoint[g_srcPath].get<std::string>());
std::string sandboxPath = GetSandboxPath(appProperty, mntPoint, section, sandboxRoot);
SandboxMountConfig mountConfig = {0};
GetSandboxMountConfig(section, mntPoint, mountConfig);
GetSandboxMountConfig(appProperty, section, mntPoint, mountConfig);
unsigned long mountFlags = GetSandboxMountFlags(mntPoint);
mode_t mountSharedFlag = (mntPoint.find(g_mountSharedFlag) != mntPoint.end()) ? MS_SHARED : MS_SLAVE;
@ -861,7 +896,7 @@ int32_t SandboxUtils::DoSandboxFilePrivateBind(const AppSpawningCtx *appProperty
nlohmann::json privateAppConfig = wholeConfig[g_privatePrefix][0];
if (privateAppConfig.find(bundleName) != privateAppConfig.end()) {
APPSPAWN_LOGV("DoSandboxFilePrivateBind %{public}s", bundleName);
return DoAllMntPointsMount(appProperty, privateAppConfig[bundleName][0], g_privatePrefix);
return DoAllMntPointsMount(appProperty, privateAppConfig[bundleName][0], nullptr, g_privatePrefix);
}
return 0;
@ -879,9 +914,10 @@ int32_t SandboxUtils::DoSandboxFilePermissionBind(AppSpawningCtx *appProperty,
const std::string permission = it.key();
int index = GetPermissionIndex(nullptr, permission.c_str());
APPSPAWN_LOGV("DoSandboxFilePermissionBind mountPermissionFlags %{public}d", index);
if (CheckAppPermissionFlagSet(appProperty, (uint32_t)index)) {
if (CheckAppPermissionFlagSet(appProperty, static_cast<uint32_t>(index))) {
DoAddGid(appProperty, permissionAppConfig[permission][0], permission.c_str(), g_permissionPrefix);
DoAllMntPointsMount(appProperty, permissionAppConfig[permission][0], g_permissionPrefix);
DoAllMntPointsMount(appProperty, permissionAppConfig[permission][0], permission.c_str(),
g_permissionPrefix);
} else {
APPSPAWN_LOGV("DoSandboxFilePermissionBind false %{public}s permission %{public}s",
GetBundleName(appProperty), permission.c_str());
@ -935,7 +971,7 @@ int32_t SandboxUtils::HandleFlagsPoint(const AppSpawningCtx *appProperty,
std::string flagsStr = flagPoint[g_flags].get<std::string>();
uint32_t flag = ConvertFlagStr(flagsStr);
if ((GetAppMsgFlags(appProperty) & flag) != 0) {
return DoAllMntPointsMount(appProperty, flagPoint, g_flagePoint);
return DoAllMntPointsMount(appProperty, flagPoint, nullptr, g_flagePoint);
}
} else {
APPSPAWN_LOGE("read flags config failed, app name is %{public}s", GetBundleName(appProperty));
@ -974,14 +1010,14 @@ int32_t SandboxUtils::DoSandboxFileCommonBind(const AppSpawningCtx *appProperty,
int ret = 0;
if (commonConfig.find(g_appBase) != commonConfig.end()) {
ret = DoAllMntPointsMount(appProperty, commonConfig[g_appBase][0], g_appBase);
ret = DoAllMntPointsMount(appProperty, commonConfig[g_appBase][0], nullptr, g_appBase);
if (ret) {
return ret;
}
}
if (commonConfig.find(g_appResources) != commonConfig.end()) {
ret = DoAllMntPointsMount(appProperty, commonConfig[g_appResources][0], g_appResources);
ret = DoAllMntPointsMount(appProperty, commonConfig[g_appResources][0], nullptr, g_appResources);
}
return ret;
@ -1044,7 +1080,7 @@ int32_t SandboxUtils::SetRenderSandboxPropertyNweb(const AppSpawningCtx *appProp
nlohmann::json privateAppConfig = config[g_privatePrefix][0];
if (privateAppConfig.find(g_ohosRender) != privateAppConfig.end()) {
int ret = DoAllMntPointsMount(appProperty, privateAppConfig[g_ohosRender][0], g_ohosRender);
int ret = DoAllMntPointsMount(appProperty, privateAppConfig[g_ohosRender][0], nullptr, g_ohosRender);
APPSPAWN_CHECK(ret == 0, return ret, "DoAllMntPointsMount failed, %{public}s",
GetBundleName(appProperty));
ret = DoAllSymlinkPointslink(appProperty, privateAppConfig[g_ohosRender][0]);
@ -1528,7 +1564,7 @@ int32_t SandboxUtils::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_
int index = 0;
if (CheckAppFullMountEnable()) {
index = GetPermissionIndex(nullptr, ENABLE_FILE_CROSS_APP_MODE.c_str());
index = GetPermissionIndex(nullptr, FILE_CROSS_APP_MODE.c_str());
} else {
index = GetPermissionIndex(nullptr, FILE_ACCESS_COMMON_DIR_MODE.c_str());
}
@ -1778,7 +1814,7 @@ static void MountDirOnLock(const AppSpawningCtx *property)
}
int index = GetPermissionIndex(nullptr, "ohos.permission.FILE_ACCESS_MANAGER");
APPSPAWN_LOGV("mount dir on lock mountPermissionFlags %{public}d", index);
if (CheckAppPermissionFlagSet(property, (uint32_t)index)) {
if (CheckAppPermissionFlagSet(property, static_cast<uint32_t>(index))) {
MountDir(property, rootPath, userPath);
}
MountDir(property, rootPath, el2Path);
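Review bot: IsFileManagerMountType decides whether a mount point is skipped by substring search: `srcPath.find(DOCS_FILE_NAME)` matches `Docs` anywhere in the resolved source path, and `permissionTypeName.find(FILE_CROSS_APP_MODE)` matches any permission name that merely contains that string. Because the result changes which directories are bound into an app's sandbox, the match should be exact, for example `permissionTypeName == FILE_CROSS_APP_MODE` together with a comparison of the final path component of `srcPath` against `DOCS_FILE_NAME`. The helper also copies `srcPath` on every call and never uses `appProperty`; `const std::string &srcPath` would be enough. Separately, DoAllMntPointsMount now evaluates `mntPoint[g_srcPath].get<std::string>()` before CheckMountConfig runs; if that check is what rejects entries without a src-path (its body is not shown on this page), the read should stay behind it.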


@ -72,7 +72,7 @@ private:
std::string &sandboxPackagePath);
static void DoSandboxChmod(nlohmann::json jsonConfig, std::string &sandboxRoot);
static int DoAllMntPointsMount(const AppSpawningCtx *appProperty,
nlohmann::json &appConfig, const std::string &section = "app-base");
nlohmann::json &appConfig, const char *typeName, const std::string &section = "app-base");
static int DoAllSymlinkPointslink(const AppSpawningCtx *appProperty, nlohmann::json &appConfig);
static std::string ConvertToRealPath(const AppSpawningCtx *appProperty, std::string path);
static std::string ConvertToRealPathWithPermission(const AppSpawningCtx *appProperty, std::string path);
@ -109,11 +109,11 @@ private:
static bool GetSandboxDacOverrideEnable(nlohmann::json &config);
static unsigned long GetSandboxMountFlags(nlohmann::json &config);
static std::string GetSandboxFsType(nlohmann::json &config);
static std::string GetSandboxOptions(nlohmann::json &config);
static std::string GetSandboxOptions(const AppSpawningCtx *appProperty, nlohmann::json &config);
static std::string GetSandboxPath(const AppSpawningCtx *appProperty, nlohmann::json &mntPoint,
const std::string &section, std::string sandboxRoot);
static void GetSandboxMountConfig(const std::string &section, nlohmann::json &mntPoint,
SandboxMountConfig &mountConfig);
static void GetSandboxMountConfig(const AppSpawningCtx *appProperty, const std::string &section,
nlohmann::json &mntPoint,SandboxMountConfig &mountConfig);
static std::vector<nlohmann::json> appSandboxConfig_;
static bool deviceTypeEnable_;
};
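Review bot: In the DoAllMntPointsMount declaration the new required `typeName` parameter sits in front of the defaulted `section`, so a call that passes a string literal or `const char *` as its third argument would still compile, bind that value to `typeName`, and silently fall back to the `"app-base"` section. Appending it instead, `const std::string &section = "app-base", const char *typeName = nullptr`, would keep existing call sites valid and make the permission-specific case opt-in. The declaration should also carry a comment stating that `typeName` is the permission name being processed and that `nullptr` turns the Docs mount filtering off, which is how the callers in this commit use it. Minor: `nlohmann::json &mntPoint,SandboxMountConfig &mountConfig` is missing the space after the comma.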


@ -58,7 +58,7 @@ static AppSpawnReqMsgHandle CreateMsg(AppSpawnClientHandle handle, const char *b
static const char *permissions[] = {
"ohos.permission.READ_IMAGEVIDEO",
"ohos.permission.ENABLE_FILE_CROSS_APP",
"ohos.permission.FILE_CROSS_APP",
"ohos.permission.ACTIVATE_THEME_PACKAGE",
"ohos.permission.GET_WALLPAPER",
};


@ -56,7 +56,7 @@ static const std::string g_defaultAppInfo = "{ \
},\
\"permission\" : [\
\"ohos.permission.READ_IMAGEVIDEO\",\
\"ohos.permission.ENABLE_FILE_CROSS_APP\",\
\"ohos.permission.FILE_CROSS_APP\",\
\"ohos.permission.ACTIVATE_THEME_PACKAGE\"\
],\
\"internet-permission\" : {\


@ -14,7 +14,7 @@
},
"permission": [
"ohos.permission.READ_IMAGEVIDEO",
"ohos.permission.ENABLE_FILE_CROSS_APP",
"ohos.permission.FILE_CROSS_APP",
"ohos.permission.ACTIVATE_THEME_PACKAGE"
],
"internet-permission": {


@ -764,7 +764,7 @@ HWTEST(AppSpawnSandboxTest, App_Spawn_Sandbox_30, TestSize.Level0)
}] \
}";
nlohmann::json j_config3 = nlohmann::json::parse(mJsconfig3.c_str());
int ret = OHOS::AppSpawn::SandboxUtils::DoAllMntPointsMount(appProperty, j_config3);
int ret = OHOS::AppSpawn::SandboxUtils::DoAllMntPointsMount(appProperty, j_config3, nullptr);
EXPECT_EQ(ret, 0);
std::string mJsconfig4 = "{ \
@ -778,7 +778,7 @@ HWTEST(AppSpawnSandboxTest, App_Spawn_Sandbox_30, TestSize.Level0)
}] \
}";
nlohmann::json j_config4 = nlohmann::json::parse(mJsconfig4.c_str());
ret = OHOS::AppSpawn::SandboxUtils::DoAllMntPointsMount(appProperty, j_config4);
ret = OHOS::AppSpawn::SandboxUtils::DoAllMntPointsMount(appProperty, j_config4, nullptr);
DeleteAppSpawningCtx(appProperty);
EXPECT_EQ(ret, 0);
}
@ -803,7 +803,7 @@ HWTEST(AppSpawnSandboxTest, App_Spawn_Sandbox_31, TestSize.Level0)
}] \
}";
nlohmann::json j_config1 = nlohmann::json::parse(mJsconfig1.c_str());
int ret = OHOS::AppSpawn::SandboxUtils::DoAllMntPointsMount(appProperty, j_config1);
int ret = OHOS::AppSpawn::SandboxUtils::DoAllMntPointsMount(appProperty, j_config1, nullptr);
EXPECT_EQ(ret, 0);
std::string mJsconfig2 = "{ \
@ -826,7 +826,7 @@ HWTEST(AppSpawnSandboxTest, App_Spawn_Sandbox_31, TestSize.Level0)
}";
nlohmann::json j_config2 = nlohmann::json::parse(mJsconfig2.c_str());
ret = OHOS::AppSpawn::SandboxUtils::DoAllMntPointsMount(appProperty, j_config2);
ret = OHOS::AppSpawn::SandboxUtils::DoAllMntPointsMount(appProperty, j_config2, nullptr);
DeleteAppSpawningCtx(appProperty);
EXPECT_TRUE(ret != 0);
}
@ -1276,7 +1276,8 @@ HWTEST(AppSpawnSandboxTest, App_Spawn_Sandbox_43, TestSize.Level0)
OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
OHOS::AppSpawn::SandboxUtils::SandboxMountConfig mountConfig;
std::string section = "common";
OHOS::AppSpawn::SandboxUtils::GetSandboxMountConfig(section, j_secondConfig, mountConfig);
AppSpawningCtx *appProperty = GetTestAppProperty();
OHOS::AppSpawn::SandboxUtils::GetSandboxMountConfig(appProperty, section, j_secondConfig, mountConfig);
int ret = strcmp(mountConfig.fsType.c_str(), "sharefs");
EXPECT_EQ(ret, 0);
GTEST_LOG_(INFO) << "App_Spawn_Sandbox_43 end";
@ -1309,7 +1310,8 @@ HWTEST(AppSpawnSandboxTest, App_Spawn_Sandbox_44, TestSize.Level0)
OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
OHOS::AppSpawn::SandboxUtils::SandboxMountConfig mountConfig;
std::string section = "permission";
OHOS::AppSpawn::SandboxUtils::GetSandboxMountConfig(section, j_secondConfig, mountConfig);
AppSpawningCtx *appProperty = GetTestAppProperty();
OHOS::AppSpawn::SandboxUtils::GetSandboxMountConfig(appProperty, section, j_secondConfig, mountConfig);
int ret = strcmp(mountConfig.fsType.c_str(), "sharefs");
EXPECT_EQ(ret, 0);
GTEST_LOG_(INFO) << "App_Spawn_Sandbox_44 end";
@ -1340,8 +1342,9 @@ HWTEST(AppSpawnSandboxTest, App_Spawn_Sandbox_45, TestSize.Level0)
nlohmann::json j_secondConfig = j_config[mountPath][0];
OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
std::string options = OHOS::AppSpawn::SandboxUtils::GetSandboxOptions(j_secondConfig);
int ret = strcmp(options.c_str(), "support_overwrite=1");
AppSpawningCtx *appProperty = GetTestAppProperty();
std::string options = OHOS::AppSpawn::SandboxUtils::GetSandboxOptions(appProperty, j_secondConfig);
int ret = strcmp(options.c_str(), "support_overwrite=1,user_id=100");
EXPECT_EQ(ret, 0);
GTEST_LOG_(INFO) << "App_Spawn_Sandbox_45 end";
}
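Review bot: App_Spawn_Sandbox_45 obtains a context with `GetTestAppProperty()` and reaches its closing brace without releasing it, whereas App_Spawn_Sandbox_30 and _31 call `DeleteAppSpawningCtx(appProperty);` before their final expectation; the same acquisition is added to App_Spawn_Sandbox_43 and _44, whose bodies end outside their hunks. Adding `DeleteAppSpawningCtx(appProperty);` after the call under test would keep these cases consistent with the others. The expected string `"support_overwrite=1,user_id=100"` depends on the uid that GetTestAppProperty() sets, which is not visible here, so a one-line comment deriving the 100 would help the next reader. Every updated DoAllMntPointsMount call passes `nullptr`, so the new skip of the Docs mount for apps holding FILE_ACCESS_MANAGER is not exercised by any test in this section.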


@ -141,7 +141,7 @@ private:
uint32_t defaultMsgFlags_ = 0;
std::vector<const char *> permissions_ = {
const_cast<char *>("ohos.permission.READ_IMAGEVIDEO"),
const_cast<char *>("ohos.permission.ENABLE_FILE_CROSS_APP"),
const_cast<char *>("ohos.permission.FILE_CROSS_APP"),
const_cast<char *>("ohos.permission.ACTIVATE_THEME_PACKAGE"),
const_cast<char *>("ohos.permission.GET_WALLPAPER"),
const_cast<char *>("ohos.permission.ACCESS_DATA"),