add package name gids

Signed-off-by: wangfeng <wangfeng277@huawei.com>
This commit is contained in:
wangfeng 2024-09-24 23:04:14 +08:00
parent fcd3f76e46
commit 7b34f95485
4 changed files with 49 additions and 9 deletions

View File

@ -391,6 +391,14 @@
"src-path" : "/mnt/data/<currentUserId>", "src-path" : "/mnt/data/<currentUserId>",
"sandbox-path" : "/mnt/data/<currentUserId>" "sandbox-path" : "/mnt/data/<currentUserId>"
}] }]
}, {
"name": "com.ohos.sceneboard",
"sandbox-switch": "ON",
"gids": ["data_reserve"],
"mount-paths" : [{
"src-path" : "/data/app/el1/bundle/public/",
"sandbox-path" : "/data/bundles/"
}]
}] }]
}, },
"name-groups": [{ "name-groups": [{

View File

@ -1,6 +1,6 @@
{ {
"global": { "global": {
"sandbox-root" : "/mnt/sandbox/<PackageName>", "sandbox-root" : "/mnt/sandbox/<currentUserId>/app-root-isolated",
"sandbox-ns-flags" : [ "net" ] "sandbox-ns-flags" : [ "net" ]
}, },
"required": { "required": {
@ -29,9 +29,6 @@
}, { }, {
"src-path" : "/system/lib64", "src-path" : "/system/lib64",
"sandbox-path" : "/system/lib64" "sandbox-path" : "/system/lib64"
}, {
"src-path" : "/data/app/el1/bundle/public/<PackageName>",
"sandbox-path" : "/data/storage/el1/bundle"
}], }],
"symbol-links" : [{ "symbol-links" : [{
"target-name" : "/system/etc", "target-name" : "/system/etc",
@ -50,13 +47,14 @@
"link-name" : "/lib64", "link-name" : "/lib64",
"check-action-status": "false" "check-action-status": "false"
}], }],
"mount-files": [{ "mount-files": [],
"src-path" : "/system/etc/hosts",
"sandbox-path" : "/data/service/el1/network/hosts_user/hosts"
}],
"mount-groups" : [] "mount-groups" : []
}, },
"app-variable": { "app-variable": {
"mount-paths": [{
"src-path" : "/data/app/el1/bundle/public/<PackageName>",
"sandbox-path" : "/data/storage/el1/bundle"
}],
"mount-groups": [] "mount-groups": []
} }
} }

View File

@ -30,7 +30,7 @@ if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) {
} }
ohos_prebuilt_etc("appdata-sandbox-isolated-new.json") { ohos_prebuilt_etc("appdata-sandbox-isolated-new.json") {
source = "../appdata-sandbox-isolated.json" source = "../appdata-sandbox-isolated-new.json"
part_name = "${part_name}" part_name = "${part_name}"
module_install_dir = "etc/sandbox" module_install_dir = "etc/sandbox"
} }

View File

@ -611,6 +611,38 @@ static int AppendPermissionGid(const AppSpawnSandboxCfg *sandbox, AppSpawningCtx
return 0; return 0;
} }
static int AppendPackageNameGids(const AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property)
{
AppSpawnMsgDacInfo *dacInfo = (AppSpawnMsgDacInfo *)GetAppProperty(property, TLV_DAC_INFO);
APPSPAWN_CHECK(dacInfo != NULL, return APPSPAWN_TLV_NONE,
"No tlv %{public}d in msg %{public}s", TLV_DAC_INFO, GetProcessName(property));
SandboxPackageNameNode *sandboxNode =
(SandboxPackageNameNode *)GetSandboxSection(&sandbox->packageNameQueue, GetProcessName(property));
if (sandboxNode == NULL || sandboxNode->section.gidCount == 0) {
return 0;
}
size_t copyLen = sandboxNode->section.gidCount;
if ((sandboxNode->section.gidCount + dacInfo->gidCount) > APP_MAX_GIDS) {
APPSPAWN_LOGW("More gid for %{public}s msg count %{public}u permission %{public}u",
GetProcessName(property),
dacInfo->gidCount,
sandboxNode->section.gidCount);
copyLen = APP_MAX_GIDS - dacInfo->gidCount;
}
int ret = memcpy_s(&dacInfo->gidTable[dacInfo->gidCount], sizeof(gid_t) * copyLen,
sandboxNode->section.gidTable, sizeof(gid_t) * copyLen);
if (ret != EOK) {
APPSPAWN_LOGW("Failed to append permission %{public}s gid to %{public}s",
sandboxNode->section.name,
GetProcessName(property));
}
dacInfo->gidCount += copyLen;
return 0;
}
int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property) int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
{ {
APPSPAWN_CHECK_ONLY_EXPER(content != NULL, return -1); APPSPAWN_CHECK_ONLY_EXPER(content != NULL, return -1);
@ -637,6 +669,8 @@ int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
int ret = AppendPermissionGid(sandbox, property); int ret = AppendPermissionGid(sandbox, property);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property)); APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
ret = AppendPackageNameGids(sandbox, property);
APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
ret = StagedMountSystemConst(sandbox, property, IsNWebSpawnMode(content)); ret = StagedMountSystemConst(sandbox, property, IsNWebSpawnMode(content));
APPSPAWN_CHECK(ret == 0, return ret, "Failed to mount system-const for %{public}s", GetProcessName(property)); APPSPAWN_CHECK(ret == 0, return ret, "Failed to mount system-const for %{public}s", GetProcessName(property));
return 0; return 0;