add package name gids

Signed-off-by: wangfeng <wangfeng277@huawei.com>
2024-11-22 22:50:21 +00:00 · 2024-09-24 23:04:14 +08:00 · 2024-09-24 23:04:14 +08:00 · 7b34f95485
commit 7b34f95485
parent fcd3f76e46
4 changed files with 49 additions and 9 deletions
--- a/appdata-sandbox-app.json
+++ b/appdata-sandbox-app.json
@ -391,6 +391,14 @@
                "src-path" : "/mnt/data/<currentUserId>",
                "sandbox-path" : "/mnt/data/<currentUserId>"
            }]
+        }, {
+            "name": "com.ohos.sceneboard",
+            "sandbox-switch": "ON",
+            "gids": ["data_reserve"],
+            "mount-paths" : [{
+                "src-path" : "/data/app/el1/bundle/public/",
+                "sandbox-path" : "/data/bundles/"
+            }]
        }]
    },
    "name-groups": [{
--- a/appdata-sandbox-isolated-new.json
+++ b/appdata-sandbox-isolated-new.json
@ -1,6 +1,6 @@
 {
    "global": {
-        "sandbox-root" : "/mnt/sandbox/<PackageName>",
+        "sandbox-root" : "/mnt/sandbox/<currentUserId>/app-root-isolated",
        "sandbox-ns-flags" : [ "net" ]
    },
    "required": {
@ -29,9 +29,6 @@
            }, {
                "src-path" : "/system/lib64",
                "sandbox-path" : "/system/lib64"
-            }, {
-                "src-path" : "/data/app/el1/bundle/public/<PackageName>",
-                "sandbox-path" : "/data/storage/el1/bundle"
            }],
            "symbol-links" : [{
                "target-name" : "/system/etc",
@ -50,13 +47,14 @@
                "link-name" : "/lib64",
                "check-action-status": "false"
                }],
-            "mount-files": [{
-                "src-path" : "/system/etc/hosts",
-                "sandbox-path" : "/data/service/el1/network/hosts_user/hosts"
-            }],
+            "mount-files": [],
            "mount-groups" : []
        },
        "app-variable": {
+            "mount-paths": [{
+                "src-path" : "/data/app/el1/bundle/public/<PackageName>",
+                "sandbox-path" : "/data/storage/el1/bundle"
+            }],
            "mount-groups": []
        }
    }
--- a/etc/BUILD.gn
+++ b/etc/BUILD.gn
@ -30,7 +30,7 @@ if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) {
  }

  ohos_prebuilt_etc("appdata-sandbox-isolated-new.json") {
-    source = "../appdata-sandbox-isolated.json"
+    source = "../appdata-sandbox-isolated-new.json"
    part_name = "${part_name}"
    module_install_dir = "etc/sandbox"
  }
--- a/modules/sandbox/sandbox_manager.c
+++ b/modules/sandbox/sandbox_manager.c
@ -611,6 +611,38 @@ static int AppendPermissionGid(const AppSpawnSandboxCfg *sandbox, AppSpawningCtx
    return 0;
 }

+static int AppendPackageNameGids(const AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property)
+{
+    AppSpawnMsgDacInfo *dacInfo = (AppSpawnMsgDacInfo *)GetAppProperty(property, TLV_DAC_INFO);
+    APPSPAWN_CHECK(dacInfo != NULL, return APPSPAWN_TLV_NONE,
+        "No tlv %{public}d in msg %{public}s", TLV_DAC_INFO, GetProcessName(property));
+    
+    SandboxPackageNameNode *sandboxNode =
+        (SandboxPackageNameNode *)GetSandboxSection(&sandbox->packageNameQueue, GetProcessName(property));
+    if (sandboxNode == NULL || sandboxNode->section.gidCount == 0) {
+        return 0;
+    }
+
+    size_t copyLen = sandboxNode->section.gidCount;
+    if ((sandboxNode->section.gidCount + dacInfo->gidCount) > APP_MAX_GIDS) {
+        APPSPAWN_LOGW("More gid for %{public}s msg count %{public}u permission %{public}u",
+                      GetProcessName(property),
+                      dacInfo->gidCount,
+                      sandboxNode->section.gidCount);
+        copyLen = APP_MAX_GIDS - dacInfo->gidCount;
+    }
+    int ret = memcpy_s(&dacInfo->gidTable[dacInfo->gidCount], sizeof(gid_t) * copyLen,
+                       sandboxNode->section.gidTable, sizeof(gid_t) * copyLen);
+    if (ret != EOK) {
+        APPSPAWN_LOGW("Failed to append permission %{public}s gid to %{public}s",
+                      sandboxNode->section.name,
+                      GetProcessName(property));
+    }
+    dacInfo->gidCount += copyLen;
+
+    return 0;
+}
+
 int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
 {
    APPSPAWN_CHECK_ONLY_EXPER(content != NULL, return -1);
@ -637,6 +669,8 @@ int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)

    int ret = AppendPermissionGid(sandbox, property);
    APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
+    ret = AppendPackageNameGids(sandbox, property);
+    APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
    ret = StagedMountSystemConst(sandbox, property, IsNWebSpawnMode(content));
    APPSPAWN_CHECK(ret == 0, return ret, "Failed to mount system-const for %{public}s", GetProcessName(property));
    return 0;