diff --git a/appdata-sandbox.json b/appdata-sandbox.json
index 6326fba6..d27feae6 100755
--- a/appdata-sandbox.json
+++ b/appdata-sandbox.json
@@ -54,11 +54,6 @@
 "sandbox-flags" : [ "bind", "rec" ],
 "check-action-status": "false"
 }, {
- "src-path" : "/system/lib/ld-musl-arm.so.1",
- "sandbox-path" : "/system/lib/ld-musl-arm.so.1",
- "sandbox-flags" : [ "bind", "rec" ],
- "check-action-status": "false"
- },{
 "src-path" : "/system/lib/ndk",
 "sandbox-path" : "/system/lib/ndk",
 "sandbox-flags" : [ "bind", "rec" ],
@@ -579,8 +574,133 @@
 "sandbox-flags" : [ "bind", "rec" ],
 "check-action-status": "false"
 }, {
- "src-path" : "/system/lib/ld-musl-arm.so.1",
- "sandbox-path" : "/system/lib/ld-musl-arm.so.1",
+ "src-path" : "/system/app/",
+ "sandbox-path" : "/system/app/",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/vendor/lib",
+ "sandbox-path" : "/vendor/lib",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/data/app/el1/bundle/public/",
+ "sandbox-path" : "/data/app/el1/bundle/public/",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/app/NWeb",
+ "sandbox-path" : "/system/app/NWeb",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/module_update/ArkWebCore/app/",
+ "sandbox-path" : "/module_update/ArkWebCore/app/",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }
+ ],
+ "symbol-links" : [{
+ "target-name" : "/system/etc",
+ "link-name" : "/etc",
+ "check-action-status": "false"
+ }, {
+ "target-name" : "/system/bin",
+ "link-name" : "/bin",
+ "check-action-status": "false"
+ }, {
+ "target-name" : "/system/lib",
+ "link-name" : "/lib",
+ "check-action-status": "false"
+ }
+ ]
+ }],
+ "__internal__.com.ohos.gpu" : [{
+ "sandbox-root" : "/mnt/sandbox/com.ohos.render/",
+ "sandbox-ns-flags" : [ "pid", "net" ],
+ "mount-paths" : [{
+ "src-path" : "/dev",
+ "sandbox-path" : "/dev",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/proc",
+ "sandbox-path" : "/proc",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/sys",
+ "sandbox-path" : "/sys",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/fonts",
+ "sandbox-path" : "/system/fonts",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/etc",
+ "sandbox-path" : "/system/etc",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/etc/hosts",
+ "sandbox-path" : "/data/service/el1/network/hosts_user/hosts",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/data/app/el1/bundle/public/",
+ "sandbox-path" : "/data/storage/el1/bundle/arkwebcore",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/bin",
+ "sandbox-path" : "/system/bin",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib",
+ "sandbox-path" : "/system/lib",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib/platformsdk",
+ "sandbox-path" : "/system/lib/platformsdk",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib/ndk",
+ "sandbox-path" : "/system/lib/ndk",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib/module",
+ "sandbox-path" : "/system/lib/module",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib/chipset-pub-sdk",
+ "sandbox-path" : "/system/lib/chipset-pub-sdk",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib/chipset-sdk",
+ "sandbox-path" : "/system/lib/chipset-sdk",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib/seccomp",
+ "sandbox-path" : "/system/lib/seccomp",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib/extensionability",
+ "sandbox-path" : "/system/lib/extensionability",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib/media",
+ "sandbox-path" : "/system/lib/media",
 "sandbox-flags" : [ "bind", "rec" ],
 "check-action-status": "false"
 }, {
@@ -623,13 +743,7 @@
 "link-name" : "/lib",
 "check-action-status": "false"
 }
- ],
- "flags-point" : [{
- "flags": "DLP_MANAGER",
- "sandbox-root" : "/mnt/sandbox/com.ohos.render/",
- "mount-paths" : [],
- "symbol-links" : [{}]
- }]
+ ]
 }]
 }],
 "permission":[{
diff --git a/appdata-sandbox64.json b/appdata-sandbox64.json
index 2a254101..bc54ec69 100644
--- a/appdata-sandbox64.json
+++ b/appdata-sandbox64.json
@@ -5,11 +5,6 @@
 "sandbox-root" : "/mnt/sandbox/",
 "sandbox-ns-flags" : [ "net" ],
 "mount-paths" : [{
- "src-path" : "/system/lib",
- "sandbox-path" : "/system/lib",
- "sandbox-flags" : [ "bind", "rec" ],
- "check-action-status": "false"
- }, {
 "src-path" : "/system/lib64/platformsdk",
 "sandbox-path" : "/system/lib64/platformsdk",
 "sandbox-flags" : [ "bind", "rec" ],
@@ -49,11 +44,6 @@
 "sandbox-path" : "/system/lib64/media",
 "sandbox-flags" : [ "bind", "rec" ],
 "check-action-status": "false"
- }, {
- "src-path" : "/system/lib/ld-musl-aarch64.so.1",
- "sandbox-path" : "/system/lib/ld-musl-aarch64.so.1",
- "sandbox-flags" : [ "bind", "rec" ],
- "check-action-status": "false"
 }, {
 "src-path" : "/system/asan/lib64",
 "sandbox-path" : "/system/asan/lib64",
@@ -95,11 +85,6 @@
 "sandbox-root" : "/mnt/sandbox/com.ohos.render/",
 "sandbox-ns-flags" : [ "pid", "net" ],
 "mount-paths" : [{
- "src-path" : "/system/lib",
- "sandbox-path" : "/system/lib",
- "sandbox-flags" : [ "bind", "rec" ],
- "check-action-status": "false"
- },{
 "src-path" : "/system/lib64/platformsdk",
 "sandbox-path" : "/system/lib64/platformsdk",
 "sandbox-flags" : [ "bind", "rec" ],
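Review bot: The new `__internal__.com.ohos.gpu` entry in appdata-sandbox.json bind-mounts all of `/dev`, `/proc` and `/sys` recursively and maps the whole of `/data/app/el1/bundle/public/` to `/data/storage/el1/bundle/arkwebcore`, which is a wide view of the host for a GPU helper process. If the process only needs its graphics device nodes and the ArkWeb bundle, narrowing `"src-path" : "/dev"` and the bundle mount to those paths would reduce what a compromised GPU process can reach; JSON has no comment syntax, so the reason for each broad mount belongs in the commit description. The entry also reuses `"sandbox-root" : "/mnt/sandbox/com.ohos.render/"`, as does the matching entry added in the `@@ -140,8 +125,60 @@` hunk of appdata-sandbox64.json, so it is worth confirming that render and gpu processes are meant to share one root.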
@@ -140,8 +125,60 @@
 "sandbox-flags" : [ "bind", "rec" ],
 "check-action-status": "false"
 }, {
- "src-path" : "/system/lib/ld-musl-aarch64.so.1",
- "sandbox-path" : "/system/lib/ld-musl-aarch64.so.1",
+ "src-path" : "/vendor/lib64",
+ "sandbox-path" : "/vendor/lib64",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }
+ ],
+ "symbol-links" : [{
+ "target-name" : "/system/lib64",
+ "link-name" : "/lib64",
+ "check-action-status": "false"
+ }
+ ]
+ }],
+ "__internal__.com.ohos.gpu" : [{
+ "sandbox-root" : "/mnt/sandbox/com.ohos.render/",
+ "sandbox-ns-flags" : [ "pid", "net" ],
+ "mount-paths" : [{
+ "src-path" : "/system/lib64/platformsdk",
+ "sandbox-path" : "/system/lib64/platformsdk",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib64/ndk",
+ "sandbox-path" : "/system/lib64/ndk",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib64/module",
+ "sandbox-path" : "/system/lib64/module",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib64/chipset-pub-sdk",
+ "sandbox-path" : "/system/lib64/chipset-pub-sdk",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib64/chipset-sdk",
+ "sandbox-path" : "/system/lib64/chipset-sdk",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib64/seccomp",
+ "sandbox-path" : "/system/lib64/seccomp",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib64/extensionability",
+ "sandbox-path" : "/system/lib64/extensionability",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib64/media",
+ "sandbox-path" : "/system/lib64/media",
 "sandbox-flags" : [ "bind", "rec" ],
 "check-action-status": "false"
 }, {
@@ -156,13 +193,7 @@
 "link-name" : "/lib64",
 "check-action-status": "false"
 }
- ],
- "flags-point" : [{
- "flags": "DLP_MANAGER",
- "sandbox-root" : "/mnt/sandbox/com.ohos.render/",
- "mount-paths" : [],
- "symbol-links" : [{}]
- }]
+ ]
 }]
 }]
 }
diff --git a/modules/sandbox/sandbox_utils.cpp b/modules/sandbox/sandbox_utils.cpp
index a13483ab..4f0bb4c2 100644
--- a/modules/sandbox/sandbox_utils.cpp
+++ b/modules/sandbox/sandbox_utils.cpp
@@ -127,6 +127,7 @@ namespace {
 const char* g_fileSeparator = "/";
 const char* g_overlayDecollator = "|";
 const std::string g_sandBoxRootDir = "/mnt/sandbox/";
+ const std::string g_ohosGpu = "__internal__.com.ohos.gpu";
 const std::string g_ohosRender = "__internal__.com.ohos.render";
 const std::string g_sandBoxRootDirNweb = "/mnt/sandbox/com.ohos.render/";
 const std::string FILE_CROSS_APP_MODE = "ohos.permission.FILE_CROSS_APP";
@@ -1100,7 +1101,10 @@ int32_t SandboxUtils::SetRenderSandboxPropertyNweb(const AppSpawningCtx *appProp
 for (auto& config : SandboxUtils::GetJsonConfig(type)) {
 nlohmann::json& privateAppConfig = config[g_privatePrefix][0];
- if (privateAppConfig.find(g_ohosRender) != privateAppConfig.end()) {
+ char *processType = (char *)(GetAppSpawnMsgExtInfo(appProperty->message, MSG_EXT_NAME_PROCESS_TYPE, NULL));
+ APPSPAWN_CHECK(processType != NULL, return -1, "Invalid processType data");
+
+ if (strcmp(processType, "render") == 0 && privateAppConfig.find(g_ohosRender) != privateAppConfig.end()) {
 int ret = DoAllMntPointsMount(appProperty, privateAppConfig[g_ohosRender][0], nullptr, g_ohosRender);
 APPSPAWN_CHECK(ret == 0, return ret, "DoAllMntPointsMount failed, %{public}s",
 GetBundleName(appProperty));
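Review bot: `processType` comes out of the spawn message with the third argument passed as `NULL` and goes straight into `strcmp`, so nothing in this hunk establishes that the buffer is NUL-terminated or how long it is. The contract of `GetAppSpawnMsgExtInfo` is not visible here; if that third argument is a length out-parameter, pass one and reject a value whose last byte is not `'\0'` before comparing. The lookup is also loop-invariant, yet it runs once per config inside the `for`; hoist it above the loop and declare it `const char *` with `nullptr` rather than the C-style `(char *)` cast and `NULL`. The new `return -1` makes the process-type field mandatory for every caller of `SetRenderSandboxPropertyNweb`, which should be confirmed against callers outside this hunk; the function body starts before the hunk and continues past it.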
@@ -1110,6 +1114,16 @@ int32_t SandboxUtils::SetRenderSandboxPropertyNweb(const AppSpawningCtx *appProp
 ret = HandleFlagsPoint(appProperty, privateAppConfig[g_ohosRender][0]);
 APPSPAWN_CHECK_ONLY_LOG(ret == 0, "HandleFlagsPoint for render-sandbox failed, %{public}s",
 GetBundleName(appProperty));
+ } else if (strcmp(processType, "gpu") == 0 && privateAppConfig.find(g_ohosGpu) != privateAppConfig.end()) {
+ int ret = DoAllMntPointsMount(appProperty, privateAppConfig[g_ohosGpu][0], nullptr, g_ohosGpu);
+ APPSPAWN_CHECK(ret == 0, return ret, "DoAllMntPointsMount failed, %{public}s",
+ GetBundleName(appProperty));
+ ret = DoAllSymlinkPointslink(appProperty, privateAppConfig[g_ohosGpu][0]);
+ APPSPAWN_CHECK(ret == 0, return ret, "DoAllSymlinkPointslink failed, %{public}s",
+ GetBundleName(appProperty));
+ ret = HandleFlagsPoint(appProperty, privateAppConfig[g_ohosGpu][0]);
+ APPSPAWN_CHECK_ONLY_LOG(ret == 0, "HandleFlagsPoint for render-sandbox failed, %{public}s",
+ GetBundleName(appProperty));
 }
 }
 return 0;
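Review bot: A `processType` other than `"render"` or `"gpu"` matches neither branch and the function still reaches `return 0`, so the caller is told the sandbox was set up when no mount was applied; the selection should fail closed on an unknown type. The gpu branch is also a line-for-line copy of the render branch, and its last message still reads `render-sandbox`, which will mislead anyone reading the log. Resolving the section key once and sharing one body fixes both, as sketched below. This commit also deletes the only `flags-point` arrays visible in the two JSON files, so whether the `HandleFlagsPoint` call still has anything to act on depends on code outside the hunk. The function begins before this hunk, and the render branch's lines between the two hunks are not shown.

```cpp
// … unchanged: processType lookup and null check, moved above the loop …
const bool isGpu = strcmp(processType, "gpu") == 0;
APPSPAWN_CHECK(isGpu || strcmp(processType, "render") == 0, return -1, "Unsupported processType");
const std::string &section = isGpu ? g_ohosGpu : g_ohosRender;

for (auto& config : SandboxUtils::GetJsonConfig(type)) {
    nlohmann::json& privateAppConfig = config[g_privatePrefix][0];
    if (privateAppConfig.find(section) == privateAppConfig.end()) {
        continue;
    }
    nlohmann::json& sectionConfig = privateAppConfig[section][0];
    int ret = DoAllMntPointsMount(appProperty, sectionConfig, nullptr, section);
    // … unchanged: APPSPAWN_CHECK on ret, DoAllSymlinkPointslink and its check …
    ret = HandleFlagsPoint(appProperty, sectionConfig);
    APPSPAWN_CHECK_ONLY_LOG(ret == 0, "HandleFlagsPoint for %{public}s failed, %{public}s",
        section.c_str(), GetBundleName(appProperty));
}
```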