openharmony/startup_appspawn
1
0
Fork 0
mirror of https://gitee.com/openharmony/startup_appspawn synced 2024-10-07 08:13:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

build appdata sandbox

Browse Source 
Signed-off-by: cheng_jinsong <chengjinsong2@huawei.com>
This commit is contained in:
cheng_jinsong 2023-05-04 17:33:37 +08:00
parent 28c64e0b1f
commit 8e6c98e08e
11 changed files with 382 additions and 486 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
adapter/appspawn_sandbox.cpp
View File

@ -27,12 +27,7 @@ using namespace OHOS::AppSpawn;
namespace {
const std::string MODULE_TEST_BUNDLE_NAME("moduleTestProcessName");
const std::string NAMESPACE_JSON_CONFIG("/system/etc/sandbox/sandbox-config.json");
#if defined (__aarch64__) || defined (__x86_64__)
const std::string APP_JSON_CONFIG("/system/etc/sandbox/appdata-sandbox64.json");
#else
const std::string APP_JSON_CONFIG("/system/etc/sandbox/appdata-sandbox.json");
#endif
const std::string PRODUCT_JSON_CONFIG("/system/etc/sandbox/product-sandbox.json");
}
void LoadAppSandboxConfig(void)
@ -43,10 +38,6 @@ void LoadAppSandboxConfig(void)
APPSPAWN_CHECK_ONLY_LOG(rc, "AppSpawnServer::Failed to load app private sandbox config");
SandboxUtils::StoreJsonConfig(appSandboxConfig);
rc = JsonUtils::GetJsonObjFromJson(appSandboxConfig, PRODUCT_JSON_CONFIG);
APPSPAWN_CHECK_ONLY_LOG(rc, "AppSpawnServer::Failed to load app product sandbox config");
SandboxUtils::StoreProductJsonConfig(appSandboxConfig);
nlohmann::json appNamespaceConfig;
rc = JsonUtils::GetJsonObjFromJson(appNamespaceConfig, NAMESPACE_JSON_CONFIG);
APPSPAWN_CHECK_ONLY_LOG(rc, "AppSpawnServer::Failed to load app sandbox namespace config");

22
appdata-sandbox-asan.json Executable file
View File

@ -0,0 +1,22 @@
{
"common" : [{
"top-sandbox-switch": "ON",
"app-base" : [{
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [ {
"src-path" : "/system/asan/lib",
"sandbox-path" : "/system/asan/lib",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/vendor/asan/lib",
"sandbox-path" : "/vendor/asan/lib",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}
],
"symbol-links" : [
]
}]
}]
}

10
appdata-sandbox.json
View File

@ -43,11 +43,6 @@
"sandbox-path" : "/system/lib",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/asan/lib",
"sandbox-path" : "/system/asan/lib",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/data",
"sandbox-path" : "/system/data",
@ -78,11 +73,6 @@
"sandbox-path" : "/vendor/lib",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/vendor/asan/lib",
"sandbox-path" : "/vendor/asan/lib",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/app/el1/bundle/public/<PackageName>",
"sandbox-path" : "/data/storage/el1/bundle",

413
appdata-sandbox64.json
View File

@ -4,51 +4,6 @@
"app-base" : [{
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/config",
"sandbox-path" : "/config",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/dev",
"sandbox-path" : "/dev",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/proc",
"sandbox-path" : "/proc",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/sys",
"sandbox-path" : "/sys",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/sys_prod",
"sandbox-path" : "/sys_prod",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/app",
"sandbox-path" : "/system/app",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/fonts",
"sandbox-path" : "/system/fonts",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/lib",
"sandbox-path" : "/system/lib",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/asan/lib",
"sandbox-path" : "/system/asan/lib",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/lib64",
"sandbox-path" : "/system/lib64",
"sandbox-flags" : [ "bind", "rec" ],
@ -58,31 +13,6 @@
"sandbox-path" : "/system/asan/lib64",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/data",
"sandbox-path" : "/system/data",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/usr",
"sandbox-path" : "/system/usr",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/profile",
"sandbox-path" : "/system/profile",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/bin",
"sandbox-path" : "/system/bin",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/etc",
"sandbox-path" : "/system/etc",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/vendor/lib64",
"sandbox-path" : "/vendor/lib64",
@ -93,368 +23,38 @@
"sandbox-path" : "/vendor/asan/lib64",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/app/el1/bundle/public/<PackageName>",
"sandbox-path" : "/data/storage/el1/bundle",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
}, {
"src-path" : "/data/app/el2/<currentUserId>/base/<PackageName>",
"sandbox-path" : "/data/storage/el2/base",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
},{
"src-path" : "/data/app/el1/<currentUserId>/database/<PackageName>",
"sandbox-path" : "/data/storage/el1/database",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
}, {
"src-path" : "/data/app/el2/<currentUserId>/database/<PackageName>",
"sandbox-path" : "/data/storage/el2/database",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/app/el1/<currentUserId>/base/<PackageName>",
"sandbox-path" : "/data/storage/el1/base",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
}, {
"src-path" : "/mnt/hmdfs/<currentUserId>",
"sandbox-path" : "/mnt/hmdfs/<currentUserId>",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/mnt/hmdfs/<currentUserId>/account/merge_view/data/<PackageName>",
"sandbox-path" : "/data/storage/el2/distributedfiles",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/mnt/hmdfs/<currentUserId>/non_account/merge_view/data/",
"sandbox-path" : "/data/storage/el2/auth_groups",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/local/ark-cache/<PackageName>",
"sandbox-path" : "/data/storage/ark-cache",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/local/ark-profile/<currentUserId>/<PackageName>",
"sandbox-path" : "/data/storage/ark-profile",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/mnt/share/<currentUserId>/<PackageName>",
"sandbox-path" : "/data/storage/el2/share",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}
],
"symbol-links" : [{
"target-name" : "/system/bin",
"link-name" : "/bin",
"check-action-status": "false"
}, {
"target-name" : "/system/lib64",
"link-name" : "/lib64",
"check-action-status": "false"
}, {
"target-name" : "/system/lib",
"link-name" : "/lib",
"check-action-status": "false"
}, {
"target-name" : "/system/etc",
"link-name" : "/etc",
"check-action-status": "false"
}, {
"target-name" : "/sys/kernel/debug",
"link-name" : "/d",
"check-action-status": "false"
}
]
}],
"app-resources" : [{
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/data/app/el1/bundle/public/com.ohos.nweb",
"sandbox-path" : "/data/storage/el1/bundle/nweb",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/app/el1/bundle/public/ohos.global.systemres",
"sandbox-path" : "/data/storage/el1/bundle/ohos.global.systemres",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/app/ohos.global.systemres",
"sandbox-path" : "/data/storage/el1/bundle/systemResources",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/app/SystemResources",
"sandbox-path" : "/data/storage/el1/bundle/systemResources",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/app/el1/bundle/public/ohos.global.systemres.overlay",
"sandbox-path" : "/data/storage/el1/bundle/ohos.global.systemres.overlay",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/misc",
"sandbox-path" : "/data/storage/el1/bundle/misc",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}
],
"flags-point" : [{
"flags": "DLP_MANAGER",
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/data/app/el2/<currentUserId>/base/<PackageName_index>",
"sandbox-path" : "/data/storage/el2/base",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
},{
"src-path" : "/data/app/el1/<currentUserId>/database/<PackageName_index>",
"sandbox-path" : "/data/storage/el1/database",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/app/el2/<currentUserId>/database/<PackageName_index>",
"sandbox-path" : "/data/storage/el2/database",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/app/el1/<currentUserId>/base/<PackageName_index>",
"sandbox-path" : "/data/storage/el1/base",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}
]}, {
"flags": "START_FLAGS_BACKUP",
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths": [{
"src-path": "/data/service/el2/<currentUserId>/backup/bundles/<PackageName>",
"sandbox-path": "/data/storage/el2/backup",
"sandbox-flags": [ "bind", "rec" ],
"check-action-status": "false"
}
]}
],
"symbol-links" : [
]
"mount-paths" : [],
"flags-point" : [],
"symbol-links" : []
}]
}],
"individual" : [{
"com.huawei.ohos.hiviewx" : [{
"sandbox-switch": "ON",
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/data/log/",
"sandbox-path" : "/data/log/",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
}
],
"symbol-links" : []
}],
"com.huawei.ohos.betaclub" : [{
"sandbox-switch": "ON",
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/data/log/",
"sandbox-path" : "/data/log/",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
}
],
"symbol-links" : []
}],
"com.ohos.medialibrary.medialibrarydata" : [{
"sandbox-switch": "ON",
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/storage/media/<currentUserId>",
"sandbox-path" : "/storage/media",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "none",
"sandbox-path" : "/storage/media/local/epfs",
"sandbox-flags" : [ "MS_NODEV" ],
"fs-type": "epfs",
"check-action-status": "false"
}
],
"symbol-links" : []
}],
"com.ohos.launcher" : [{
"sandbox-switch": "ON",
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/data/app/el1/bundle/public/",
"sandbox-path" : "/data/bundles/",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
}
],
"symbol-links" : []
}],
"com.ohos.systemui" : [{
"sandbox-switch": "ON",
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/data/app/el1/bundle/public/",
"sandbox-path" : "/data/app/el1/bundle/public/",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
}
],
"symbol-links" : []
}],
"com.ohos.permissionmanager" : [{
"sandbox-switch": "ON",
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/data/app/el1/bundle/public/",
"sandbox-path" : "/data/bundles/",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
}
],
"symbol-links" : []
}],
"ohos.samples.ecg" : [{
"sandbox-switch": "OFF",
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/data/app/el1/bundle/public/",
"sandbox-path" : "/data/bundles/",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
}
],
"symbol-links" : []
}],
"com.ohos.dlpmanager" : [{
"sandbox-switch": "ON",
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/dev/fuse",
"sandbox-path" : "/data/fuse",
"sandbox-flags" : [ "MS_NOSUID", "MS_NODEV", "MS_NOEXEC", "MS_NOATIME", "MS_LAZYTIME" ],
"fs-type": "fuse",
"check-action-status": "false"
}
],
"symbol-links" : []
}],
"com.ohos.UserFile.ExternalFileManager" : [{
"sandbox-switch": "ON",
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [{
"src-path" : "/data/service/el1/public/storage_daemon/share/public",
"sandbox-path" : "/data/storage/el1/bundle/storage_daemon",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
},
{
"src-path" : "/mnt/external",
"sandbox-path" : "/mnt/external",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
}
],
"symbol-links" : []
}],
"__internal__.com.ohos.render" : [{
"sandbox-root" : "/mnt/sandbox/com.ohos.render/<PackageName>",
"mount-paths" : [{
"src-path" : "/dev",
"sandbox-path" : "/dev",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/proc",
"sandbox-path" : "/proc",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/sys",
"sandbox-path" : "/sys",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/fonts",
"sandbox-path" : "/system/fonts",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/etc",
"sandbox-path" : "/system/etc",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/app/el2/<currentUserId>/base/<PackageName>",
"sandbox-path" : "/data/storage/el2/base",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "true"
}, {
"src-path" : "/data/app/el1/bundle/public/com.ohos.nweb",
"sandbox-path" : "/data/storage/el1/bundle/nweb",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/bin",
"sandbox-path" : "/system/bin",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/lib",
"sandbox-path" : "/system/lib",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/lib64",
"sandbox-path" : "/system/lib64",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/app/com.ohos.nweb",
"sandbox-path" : "/system/app/com.ohos.nweb",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/vendor/lib64",
"sandbox-path" : "/vendor/lib64",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/data/app/el1/bundle/public/com.ohos.nweb",
"sandbox-path" : "/data/app/el1/bundle/public/com.ohos.nweb",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}, {
"src-path" : "/system/app/NWeb",
"sandbox-path" : "/system/app/NWeb",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}
],
"symbol-links" : [{
"target-name" : "/system/etc",
"link-name" : "/etc",
"check-action-status": "false"
}, {
"target-name" : "/system/bin",
"link-name" : "/bin",
"check-action-status": "false"
}, {
"target-name" : "/system/lib",
"link-name" : "/lib",
"check-action-status": "false"
}, {
"target-name" : "/system/lib64",
"link-name" : "/lib64",
"check-action-status": "false"
@ -463,12 +63,7 @@
"flags-point" : [{
"flags": "DLP_MANAGER",
"sandbox-root" : "/mnt/sandbox/com.ohos.render/<PackageName>",
"mount-paths" : [{
"src-path" : "/data/app/el2/<currentUserId>/base/<PackageName_index>",
"sandbox-path" : "/data/storage/el2/base",
"sandbox-flags" : [ "bind", "rec" ],
"check-action-status": "false"
}],
"mount-paths" : [],
"symbol-links" : [{}]
}]
}]

24
etc/BUILD.gn
View File

@ -12,26 +12,25 @@
# limitations under the License.
import("//base/startup/appspawn/appspawn.gni")
import("//base/startup/appspawn/etc/sandbox/appdata_sandbox_fixer.gni")
import("//build/ohos.gni")
ohos_prebuilt_etc("appdata-sandbox.json") {
if (target_cpu == "arm64") {
source = "//base/startup/appspawn/appdata-sandbox64.json"
} else {
source = "//base/startup/appspawn/appdata-sandbox.json"
ohos_prebuilt_appdata_sandbox("appdata-sandbox.json") {
source = "../appdata-sandbox.json"
patterns = []
extra_sandbox_cfgs = []
if (target_cpu == "arm64" || target_cpu == "x86_64") {
extra_sandbox_cfgs += [ "../appdata-sandbox64.json" ]
}
if (is_asan) {
extra_sandbox_cfgs += [ "../appdata-sandbox-asan.json" ]
}
extra_sandbox_cfgs += [ "../product-sandbox.json" ]
subsystem_name = "${subsystem_name}"
part_name = "${part_name}"
module_install_dir = "etc/sandbox"
}
ohos_prebuilt_etc("product-sandbox.json") {
source = "//base/startup/appspawn/product-sandbox.json"
part_name = "${part_name}"
module_install_dir = "etc/sandbox"
}
ohos_prebuilt_etc("sandbox-config.json") {
source = "//base/startup/appspawn/sandbox-config.json"
part_name = "${part_name}"
@ -48,7 +47,6 @@ group("etc_files") {
deps = [
":appdata-sandbox.json",
":appspawn_preload.json",
":product-sandbox.json",
":sandbox-config.json",
]
}

89
etc/sandbox/appdata_sandbox_fixer.gni Executable file
View File

@ -0,0 +1,89 @@
# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import("//build/config/python.gni")
import("//build/templates/common/copy.gni")
template("ohos_prebuilt_appdata_sandbox") {
assert(defined(invoker.source), "source must be defined for ${target_name}.")
_fixed_sandbox_target = "${target_name}_sandbox_fixed"
_fixed_sandbox_file = target_gen_dir + "/${target_name}.fixed/" +
get_path_info(invoker.source, "file")
_output_para_file = get_path_info(invoker.source, "file")
action_with_pydeps(_fixed_sandbox_target) {
deps = []
script = "//base/startup/appspawn/etc/sandbox/appdata_sandbox_fixer.py"
depfile = "${target_gen_dir}/${target_name}.d"
args = [
"--output",
rebase_path(_fixed_sandbox_file, root_build_dir),
"--source-file",
rebase_path(invoker.source, root_build_dir),
"--depfile",
rebase_path(depfile, root_build_dir),
]
if (defined(invoker.extra_sandbox_cfgs)) {
foreach(extra, invoker.extra_sandbox_cfgs) {
args += [
"--extra_sandbox_cfg",
rebase_path(extra, root_build_dir),
]
}
}
if (defined(invoker.patterns)) {
foreach(pattern, invoker.patterns) {
args += [
"--patterns",
pattern,
]
}
}
inputs = [ invoker.source ]
outputs = [ _fixed_sandbox_file ]
}
ohos_copy(target_name) {
deps = [ ":$_fixed_sandbox_target" ]
forward_variables_from(invoker,
[
"testonly",
"visibility",
"deps",
"public_configs",
"subsystem_name",
"part_name",
# For generate_module_info
"install_images",
"module_install_dir",
"relative_install_dir",
"symlink_target_name",
# Open source license related
"license_file",
"license_as_sources",
])
sources = [ _fixed_sandbox_file ]
outputs = [ "${target_out_dir}/${target_name}/${_output_para_file}" ]
module_type = "etc"
install_enable = true
module_source_dir = "${target_out_dir}/${target_name}"
module_install_name = _output_para_file
if (defined(invoker.install_enable)) {
install_enable = invoker.install_enable
}
}
}

229
etc/sandbox/appdata_sandbox_fixer.py Executable file
View File

@ -0,0 +1,229 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import optparse
import os
import sys
import json
import stat
sys.path.append(os.path.join(os.path.dirname(__file__), os.pardir, os.pardir,
os.pardir, os.pardir, os.pardir, "build"))
from scripts.util import build_utils # noqa: E402
#default json
APP_SANDBOX_DEFAULT = '''
{
"common" : [{
"top-sandbox-switch": "ON",
"app-base" : [{
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [],
"symbol-links": [],
"flags-point" : []
}],
"app-resources" : [{
"sandbox-root" : "/mnt/sandbox/<PackageName>",
"mount-paths" : [],
"flags-point" : [],
"symbol-links" : []
}]
}],
"individual" : [{}]
}
'''
#only string in list
def _merge_list(origin, new):
if origin is None or new is None:
return
for data1 in new:
if data1 not in origin:
origin.append(data1)
def _is_same_data(data1, data2, keys):
for key in keys:
if data1.get(key) != data2.get(key):
return False
return True
#for object in list
def _handle_same_array(data1, data2):
for field in ["sandbox-root", "sandbox-path", "check-action-status", "fs-type", "link-name"]:
if data1.get(field) is not None:
data2[field] = data1[field]
for field in ["sandbox-flags"]: # by list merger
item = data1.get(field)
if item is not None and len(item) > 0:
_merge_list(data2[field], item)
def _merge_scope_array(origin, new, keys):
for data1 in new:
found = False
for data2 in origin:
if _is_same_data(data1, data2, keys):
found = True
_handle_same_array(data1, data2)
break
if not found:
origin.append(data1)
def _handle_same_data(data1, data2, field_infos):
for field in ["sandbox-root"]:
if data1.get(field) is not None:
data2[field] = data1[field]
# for array
for name, keys in field_infos.items():
item = data1.get(name)
if item is not None and len(item) > 0:
_merge_scope_array(data2[field], item, keys)
def _merge_scope_flags_point(origin, new):
field_infos = {
"mount-paths": ["src-path"]
}
for data1 in new:
found = False
for data2 in origin:
if _is_same_data(data1, data2, ["flags"]):
found = True
_handle_same_data(data1, data2, field_infos)
break
if not found:
origin.append(data1)
def _merge_scope_app(origin, new):
field_infos = {
"mount-paths": ["src-path"],
"symbol-links": ["target-name"]
}
# normal filed
for k in ["sandbox-root", "sandbox-switch"]:
if new[0].get(k) is not None:
origin[0][k] = new[0].get(k)
# for flags-point
flags_points = new[0].get("flags-point")
if flags_points:
_merge_scope_flags_point(origin[0]["flags-point"], flags_points)
# for array
for name, keys in field_infos.items():
item = new[0].get(name)
if item is not None and len(item) > 0:
_merge_scope_array(origin[0].get(name), item, keys)
def _merge_scope_individual(origin, new):
for k, v in new.items():
if k not in origin:
origin[k] = v
else:
_merge_scope_app(origin[k], v)
def _merge_scope_common(origin, new):
# 处理 top-sandbox-switch
for name in ["top-sandbox-switch"]:
if new.get(name) :
origin[name] = new.get(name)
#处理 app-base
app = new.get("app-base")
if app is not None and len(app) > 0:
_merge_scope_app(origin.get("app-base"), app)
pass
#处理 app-resources
app = new.get("app-resources")
if app is not None and len(app) > 0:
_merge_scope_app(origin.get("app-resources"), app)
pass
def parse_args(args):
args = build_utils.expand_file_args(args)
parser = optparse.OptionParser()
build_utils.add_depfile_option(parser)
parser.add_option('--output', help='fixed sandbox configure file')
parser.add_option('--source-file', help='source para file')
parser.add_option('--patterns', action="append",
type="string", dest="patterns", help='replace string patterns like libpath:lib64')
parser.add_option('--extra_sandbox_cfg', action="append",
type="string", dest="extra_sandbox_cfgs", help='extra sandbox')
options, _ = parser.parse_args(args)
return options
def __substitude_contents(options, source_file):
with open(source_file, "r") as f:
contents = f.read()
if not options.patterns:
return json.loads(contents)
for pattern in options.patterns:
parts = pattern.split(":")
contents = contents.replace("{%s}" % parts[0], parts[1])
return json.loads(contents)
def _get_json_list(options):
data_list = []
#decode source file
contents = __substitude_contents(options, options.source_file)
if contents :
data_list.append(contents)
if options.extra_sandbox_cfgs is None:
return data_list
#decode extra file
for sandbox_cfg in options.extra_sandbox_cfgs:
contents = __substitude_contents(options, sandbox_cfg)
if contents :
data_list.append(contents)
return data_list
def fix_sandbox_config_file(options):
data_list = _get_json_list(options)
#decode template
origin_json = json.loads(APP_SANDBOX_DEFAULT)
for data in data_list:
# 处理common
common = data.get("common")
if common is not None and len(common) > 0:
_merge_scope_common(origin_json.get("common")[0], common[0])
#处理individual
individuals = data.get("individual")
if individuals is not None and len(individuals) > 0:
_merge_scope_individual(origin_json.get("individual")[0], individuals[0])
pass
# dump json to output
flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
modes = stat.S_IWUSR | stat.S_IRUSR | stat.S_IWGRP | stat.S_IRGRP
with os.fdopen(os.open(options.output, flags, modes), 'w') as f:
f.write(json.dumps(origin_json, ensure_ascii=False, indent=2))
def main(args):
options = parse_args(args)
depfile_deps = ([options.source_file])
fix_sandbox_config_file(options)
build_utils.write_depfile(options.depfile, options.output, depfile_deps, add_pydeps=False)
if __name__ == '__main__':
sys.exit(main(sys.argv[1:]))

9
etc/sandbox/appdata_sandbox_fixer.pydeps Executable file
View File

@ -0,0 +1,9 @@
# Generated by running:
# build/print_python_deps.py --root base/startup/appspawn/etc/sandbox --output base/startup/appspawn/etc/sandbox/appdata_sandbox_fixer.pydeps base/startup/appspawn/etc/sandbox/appdata_sandbox_fixer.py
../../../../../build/gn_helpers.py
../../../../../build/scripts/__init__.py
../../../../../build/scripts/util/__init__.py
../../../../../build/scripts/util/build_utils.py
../../../../../build/scripts/util/md5_check.py
../../../../../build/scripts/util/pycache.py
appdata_sandbox_fixer.py

7
test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp
View File

@ -665,13 +665,6 @@ HWTEST(AppSpawnSandboxTest, App_Spawn_Sandbox_22, TestSize.Level0)
nlohmann::json j_config1 = nlohmann::json::parse(mJsconfig1.c_str());
OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config1);
std::string pJsconfig1 = "{ \
\"common\":[], \
\"individual\": [] \
}";
nlohmann::json p_config1 = nlohmann::json::parse(pJsconfig1.c_str());
OHOS::AppSpawn::SandboxUtils::StoreProductJsonConfig(p_config1);
ClientSocket::AppProperty *m_appProperty = GetAppProperty();
int ret = strcpy_s(m_appProperty->apl, APP_APL_MAX_LEN, "system_basic");
if (ret != 0) {

8
util/include/sandbox_utils.h
View File

@ -21,6 +21,7 @@
#include <sys/types.h>
#include "nlohmann/json.hpp"
#include "client_socket.h"
#include "appspawn_server.h"
namespace OHOS {
namespace AppSpawn {
@ -30,9 +31,7 @@ public:
static nlohmann::json GetNamespaceJsonConfig(void);
static void StoreJsonConfig(nlohmann::json &appSandboxConfig);
static nlohmann::json GetJsonConfig();
static void StoreProductJsonConfig(nlohmann::json &productSandboxConfig);
static nlohmann::json GetProductJsonConfig();
static int32_t SetAppSandboxProperty(const ClientSocket::AppProperty *appProperty);
static int32_t SetAppSandboxProperty(AppSpawnClient *client);
static uint32_t GetNamespaceFlagsFromConfig(const char *bundleName);
private:
@ -59,7 +58,8 @@ private:
static int32_t DoSandboxRootFolderCreate(const ClientSocket::AppProperty *appProperty,
std::string &sandboxPackagePath);
static void DoSandboxChmod(nlohmann::json jsonConfig, std::string &sandboxRoot);
static int DoAllMntPointsMount(const ClientSocket::AppProperty *appProperty, nlohmann::json &appConfig);
static int DoAllMntPointsMount(const ClientSocket::AppProperty *appProperty,
nlohmann::json &appConfig, const std::string &section = "app-base");
static int DoAllSymlinkPointslink(const ClientSocket::AppProperty *appProperty, nlohmann::json &appConfig);
static std::string ConvertToRealPath(const ClientSocket::AppProperty *appProperty, std::string sandboxRoot);
static std::string GetSbxPathByConfig(const ClientSocket::AppProperty *appProperty, nlohmann::json &config);

48
util/src/sandbox_utils.cpp
View File

@ -27,6 +27,7 @@
#include "json_utils.h"
#include "securec.h"
#include "appspawn_server.h"
#include "appspawn_service.h"
#ifdef WITH_SELINUX
#include "hap_restorecon.h"
#endif
@ -102,7 +103,6 @@ namespace {
nlohmann::json SandboxUtils::appNamespaceConfig_;
nlohmann::json SandboxUtils::appSandboxConfig_;
nlohmann::json SandboxUtils::productSandboxConfig_;
void SandboxUtils::StoreNamespaceJsonConfig(nlohmann::json &appNamespaceConfig)
{
@ -124,16 +124,6 @@ nlohmann::json SandboxUtils::GetJsonConfig()
return SandboxUtils::appSandboxConfig_;
}
void SandboxUtils::StoreProductJsonConfig(nlohmann::json &productSandboxConfig)
{
SandboxUtils::productSandboxConfig_ = productSandboxConfig;
}
nlohmann::json SandboxUtils::GetProductJsonConfig()
{
return SandboxUtils::productSandboxConfig_;
}
static uint32_t NamespaceFlagsFromConfig(const std::vector<std::string> &vec)
{
const std::map<std::string, uint32_t> NamespaceFlagsMap = { {"mnt", CLONE_NEWNS}, {"pid", CLONE_NEWPID} };
@ -493,11 +483,13 @@ void SandboxUtils::CheckAndPrepareSrcPath(const ClientSocket::AppProperty *appPr
}
}
int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProperty, nlohmann::json &appConfig)
int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProperty,
nlohmann::json &appConfig, const std::string &section)
{
std::string bundleName = appProperty->bundleName;
if (appConfig.find(g_mountPrefix) == appConfig.end()) {
APPSPAWN_LOGV("mount config is not found, app name is %{public}s", bundleName.c_str());
APPSPAWN_LOGV("mount config is not found in %{public}s, app name is %{public}s",
section.c_str(), bundleName.c_str());
return 0;
}
@ -524,16 +516,12 @@ int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProper
std::string sandboxPath = sandboxRoot + ConvertToRealPath(appProperty,
mntPoint[g_sandBoxPath].get<std::string>());
unsigned long mountFlags = GetMountFlagsFromConfig(mntPoint[g_sandBoxFlags].get<std::vector<std::string>>());
std::string fsType = "";
if (mntPoint.find(g_fsType) != mntPoint.end()) {
fsType = mntPoint[g_fsType].get<std::string>();
}
std::string fsType = (mntPoint.find(g_fsType) != mntPoint.end()) ? mntPoint[g_fsType].get<std::string>() : "";
int ret = 0;
/* check and prepare /data/app/el2 base and database package path to avoid BMS failed to create this folder */
CheckAndPrepareSrcPath(appProperty, srcPath);
/* if app mount failed for special strategy, we need deal with common mount config */
ret = HandleSpecialAppMount(appProperty, srcPath, sandboxPath, fsType, mountFlags);
int ret = HandleSpecialAppMount(appProperty, srcPath, sandboxPath, fsType, mountFlags);
if (ret < 0) {
if (fsType.empty()) {
ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), nullptr, mountFlags, nullptr);
@ -545,7 +533,8 @@ int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProper
std::string actionStatus = g_statusCheck;
(void)JsonUtils::GetStringFromJson(mntPoint, g_actionStatuc, actionStatus);
if (actionStatus == g_statusCheck) {
APPSPAWN_LOGE("DoAppSandboxMountOnce failed, %{public}s", sandboxPath.c_str());
APPSPAWN_LOGE("DoAppSandboxMountOnce section %{public}s failed, %{public}s",
section.c_str(), sandboxPath.c_str());
return ret;
}
}
@ -600,7 +589,7 @@ int32_t SandboxUtils::DoSandboxFilePrivateBind(const ClientSocket::AppProperty *
{
nlohmann::json privateAppConfig = wholeConfig[g_privatePrefix][0];
if (privateAppConfig.find(appProperty->bundleName) != privateAppConfig.end()) {
return DoAllMntPointsMount(appProperty, privateAppConfig[appProperty->bundleName][0]);
return DoAllMntPointsMount(appProperty, privateAppConfig[appProperty->bundleName][0], g_privatePrefix);
}
return 0;
@ -634,7 +623,7 @@ int32_t SandboxUtils::HandleFlagsPoint(const ClientSocket::AppProperty *appPrope
std::string flagsStr = flagPoint[g_flags].get<std::string>();
uint32_t flag = ConvertFlagStr(flagsStr);
if ((appProperty->flags & flag) != 0) {
return DoAllMntPointsMount(appProperty, flagPoint);
return DoAllMntPointsMount(appProperty, flagPoint, g_flagePoint);
}
} else {
APPSPAWN_LOGE("read flags config failed, app name is %{public}s", appProperty->bundleName);
@ -672,14 +661,14 @@ int32_t SandboxUtils::DoSandboxFileCommonBind(const ClientSocket::AppProperty *a
int ret = 0;
if (commonConfig.find(g_appBase) != commonConfig.end()) {
ret = DoAllMntPointsMount(appProperty, commonConfig[g_appBase][0]);
ret = DoAllMntPointsMount(appProperty, commonConfig[g_appBase][0], g_appBase);
if (ret) {
return ret;
}
}
if (commonConfig.find(g_appResources) != commonConfig.end()) {
ret = DoAllMntPointsMount(appProperty, commonConfig[g_appResources][0]);
ret = DoAllMntPointsMount(appProperty, commonConfig[g_appResources][0], g_appResources);
}
return ret;
@ -730,7 +719,7 @@ int32_t SandboxUtils::SetRenderSandboxProperty(const ClientSocket::AppProperty *
nlohmann::json privateAppConfig = config[g_privatePrefix][0];
if (privateAppConfig.find(g_ohosRender) != privateAppConfig.end()) {
int ret = DoAllMntPointsMount(appProperty, privateAppConfig[g_ohosRender][0]);
int ret = DoAllMntPointsMount(appProperty, privateAppConfig[g_ohosRender][0], g_ohosRender);
APPSPAWN_CHECK(ret == 0, return ret, "DoAllMntPointsMount failed, %{public}s",
appProperty->bundleName);
ret = DoAllSymlinkPointslink(appProperty, privateAppConfig[g_ohosRender][0]);
@ -746,15 +735,11 @@ int32_t SandboxUtils::SetRenderSandboxProperty(const ClientSocket::AppProperty *
int32_t SandboxUtils::SetPrivateAppSandboxProperty(const ClientSocket::AppProperty *appProperty)
{
nlohmann::json productConfig = SandboxUtils::GetProductJsonConfig();
nlohmann::json config = SandboxUtils::GetJsonConfig();
int ret = 0;
ret = SetPrivateAppSandboxProperty_(appProperty, config);
APPSPAWN_CHECK(ret == 0, return ret, "parse adddata-sandbox config failed");
ret = SetPrivateAppSandboxProperty_(appProperty, productConfig);
APPSPAWN_CHECK_ONLY_LOG(ret == 0, "parse product-sandbox config failed");
return ret;
}
@ -782,17 +767,12 @@ int32_t SandboxUtils::SetCommonAppSandboxProperty(const ClientSocket::AppPropert
std::string &sandboxPackagePath)
{
nlohmann::json jsonConfig = SandboxUtils::GetJsonConfig();
nlohmann::json productConfig = SandboxUtils::GetProductJsonConfig();
int ret = 0;
ret = SetCommonAppSandboxProperty_(appProperty, jsonConfig);
APPSPAWN_CHECK(ret == 0, return ret,
"parse appdata config for common failed, %{public}s", sandboxPackagePath.c_str());
ret = SetCommonAppSandboxProperty_(appProperty, productConfig);
APPSPAWN_CHECK(ret == 0, return ret,
"parse product config for common failed, %{public}s", sandboxPackagePath.c_str());
ret = MountAllHsp(appProperty, sandboxPackagePath);
APPSPAWN_CHECK(ret == 0, return ret, "mount hspList failed, %{public}s", sandboxPackagePath.c_str());