!863 add sandbox-flags-customized check mount config

Merge pull request !863 from wangfenging/master
2024-11-27 01:00:38 +00:00 · 2023-12-12 16:10:40 +00:00 · 2023-12-12 16:10:40 +00:00 · 765413ae2f
commit 765413ae2f
parent 2a6dd1c9df 4a90491db7
2 changed files with 51 additions and 24 deletions
--- a/util/include/sandbox_utils.h
+++ b/util/include/sandbox_utils.h
@ -36,6 +36,13 @@ public:
    static int32_t SetAppSandboxPropertyNweb(AppSpawnClient *client);
    static uint32_t GetSandboxNsFlags(bool isNweb);
    static std::set<std::string> GetMountPermissionNames();
+    typedef struct {
+        unsigned long mountFlags;
+        const char *optionsPoint;
+        const char *fsTypePoint;
+        std::string fsType;
+        std::string sandboxPath;
+    } SandboxMountConfig;

 private:
    static int32_t DoAppSandboxMountOnce(const char *originPath, const char *destinationPath,
@ -102,6 +109,10 @@ private:
    static unsigned long GetSandboxMountFlags(nlohmann::json &config);
    static const char *GetSandboxFsType(nlohmann::json &config);
    static const char *GetSandboxOptions(nlohmann::json &config);
+    static std::string GetSandboxPath(const ClientSocket::AppProperty *appProperty, nlohmann::json &mntPoint,
+                                      const std::string &section, std::string sandboxRoot);
+    static void GetSandboxMountConfig(const std::string &section, nlohmann::json &mntPoint,
+                                         SandboxMountConfig &mountConfig);
 private:
    static std::vector<nlohmann::json> appSandboxConfig_;
    static bool deviceTypeEnable_;
--- a/util/src/sandbox_utils.cpp
+++ b/util/src/sandbox_utils.cpp
@ -286,13 +286,7 @@ std::string SandboxUtils::ConvertToRealPathWithPermission(const ClientSocket::Ap

    if (sandboxRoot.find(g_userId) != std::string::npos) {
        if (deviceTypeEnable_) {
-            std::string userName = "";
-            ErrCode errCode = OHOS::AccountSA::OsAccountManager::GetOsAccountShortName(userName);
-            if (errCode != ERR_OK) {
-                APPSPAWN_LOGE("get short name failed, errCode: %{public}d", errCode);
-                return userName;
-            }
-            sandboxRoot = replace_all(sandboxRoot, g_userId, userName.c_str());
+            sandboxRoot = replace_all(sandboxRoot, g_userId, "currentUser");
        } else {
            sandboxRoot = replace_all(sandboxRoot, g_userId, "currentUser");
        }
@ -307,7 +301,7 @@ bool SandboxUtils::GetSandboxDacOverrideEnable(nlohmann::json &config)
        return false;
    }
    dacOverrideSensitive = config[g_dacOverrideSensitive].get<std::string>();
-    if (dacOverrideSensitive.compare(g_statusCheck) == 0) {
+    if (dacOverrideSensitive.compare("true") == 0) {
        return true;
    }
    return false;
@ -346,8 +340,9 @@ bool SandboxUtils::GetSbxSwitchStatusByConfig(nlohmann::json &config)
 static bool CheckMountConfig(nlohmann::json &mntPoint, const ClientSocket::AppProperty *appProperty,
                             bool checkFlag)
 {
-    bool istrue = mntPoint.find(g_srcPath) == mntPoint.end() || mntPoint.find(g_sandBoxPath) == mntPoint.end()
-            || mntPoint.find(g_sandBoxFlags) == mntPoint.end();
+    bool istrue = mntPoint.find(g_srcPath) == mntPoint.end() || mntPoint.find(g_sandBoxPath) == mntPoint.end() ||
+                  ((mntPoint.find(g_sandBoxFlags) == mntPoint.end()) &&
+                    (mntPoint.find(g_sandBoxFlagsCustomized) == mntPoint.end()));
    APPSPAWN_CHECK(!istrue, return false, "read mount config failed, app name is %{public}s", appProperty->bundleName);

    if (mntPoint[g_appAplName] != nullptr) {
@ -465,7 +460,7 @@ const char *SandboxUtils::GetSandboxOptions(nlohmann::json &config)
 {
    std::string options;
    if (GetSandboxDacOverrideEnable(config) && (deviceTypeEnable_ == true) &&
-        (config.find("true") != config.end())) {
+        (config.find(g_sandBoxOptions) != config.end())) {
        options = config[g_sandBoxOptions].get<std::string>();
    } else {
        options = "";
@ -474,6 +469,34 @@ const char *SandboxUtils::GetSandboxOptions(nlohmann::json &config)
    return optionsPoint;
 }

+void SandboxUtils::GetSandboxMountConfig(const std::string &section, nlohmann::json &mntPoint,
+                                         SandboxMountConfig &mountConfig)
+{
+    if (section.compare(g_permissionPrefix) == 0) {
+        mountConfig.optionsPoint = GetSandboxOptions(mntPoint);
+        mountConfig.fsTypePoint = GetSandboxFsType(mntPoint);
+        mountConfig.fsType = (mountConfig.fsTypePoint != nullptr) ? mountConfig.fsTypePoint : "";
+    } else {
+        mountConfig.fsType = (mntPoint.find(g_fsType) != mntPoint.end()) ? mntPoint[g_fsType].get<std::string>() : "";
+        mountConfig.fsTypePoint = mountConfig.fsType.empty() ? nullptr : mountConfig.fsType.c_str();
+        mountConfig.optionsPoint = nullptr;
+    }
+    return;
+}
+
+std::string SandboxUtils::GetSandboxPath(const ClientSocket::AppProperty *appProperty, nlohmann::json &mntPoint,
+                                     const std::string &section, std::string sandboxRoot)
+{
+    std::string sandboxPath = "";
+    if (section.compare(g_permissionPrefix) == 0) {
+        sandboxPath = sandboxRoot + ConvertToRealPathWithPermission(appProperty,
+                                                                    mntPoint[g_sandBoxPath].get<std::string>());
+    } else {
+        sandboxPath = sandboxRoot + ConvertToRealPath(appProperty, mntPoint[g_sandBoxPath].get<std::string>());
+    }
+    return sandboxPath;
+}
+
 int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProperty,
                                      nlohmann::json &appConfig, const std::string &section)
 {
@ -504,24 +527,17 @@ int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProper
        }

        std::string srcPath = ConvertToRealPath(appProperty, mntPoint[g_srcPath].get<std::string>());
-        std::string sandboxPath = "";
-        if (section.compare(g_permissionPrefix) == 0) {
-            sandboxPath = sandboxRoot + ConvertToRealPathWithPermission(appProperty,
-                                                                        mntPoint[g_sandBoxPath].get<std::string>());
-        } else {
-            sandboxPath = sandboxRoot + ConvertToRealPath(appProperty, mntPoint[g_sandBoxPath].get<std::string>());
-        }
+        std::string sandboxPath = GetSandboxPath(appProperty, mntPoint, section, sandboxRoot);
+        SandboxMountConfig mountConfig = {0};
+        GetSandboxMountConfig(section, mntPoint, mountConfig);
        unsigned long mountFlags = GetSandboxMountFlags(mntPoint);
-        const char *optionsPoint = GetSandboxOptions(mntPoint);
-        const char *fsTypePoint = GetSandboxFsType(mntPoint);
-        std::string fsType = (fsTypePoint != nullptr) ? fsTypePoint : "";
        mode_t mountSharedFlag = (mntPoint.find(g_mountSharedFlag) != mntPoint.end()) ? MS_SHARED : MS_SLAVE;

        /* if app mount failed for special strategy, we need deal with common mount config */
-        int ret = HandleSpecialAppMount(appProperty, srcPath, sandboxPath, fsType, mountFlags);
+        int ret = HandleSpecialAppMount(appProperty, srcPath, sandboxPath, mountConfig.fsType, mountFlags);
        if (ret < 0) {
-            ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), fsTypePoint,
-                                        mountFlags, optionsPoint, mountSharedFlag);
+            ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), mountConfig.fsTypePoint,
+                                        mountFlags, mountConfig.optionsPoint, mountSharedFlag);
        }
        if (ret) {
            std::string actionStatus = g_statusCheck;