diff --git a/modules/sandbox/appspawn_sandbox.h b/modules/sandbox/appspawn_sandbox.h
index 1a34aa38..af78fd37 100644
--- a/modules/sandbox/appspawn_sandbox.h
+++ b/modules/sandbox/appspawn_sandbox.h
@@ -71,6 +71,7 @@ extern "C" {
 #define FILE_ACCESS_COMMON_DIR_MODE "ohos.permission.FILE_ACCESS_COMMON_DIR"
 #define ACCESS_DLP_FILE_MODE "ohos.permission.ACCESS_DLP_FILE"
 #define FILE_ACCESS_MANAGER_MODE "ohos.permission.FILE_ACCESS_MANAGER"
+#define READ_WRITE_USER_FILE_MODE "ohos.permission.READ_WRITE_USER_FILE"
 
 typedef enum SandboxTag {
     SANDBOX_TAG_MOUNT_PATH = 0,
diff --git a/modules/sandbox/sandbox_manager.c b/modules/sandbox/sandbox_manager.c
index 56ffc658..e62901db 100644
--- a/modules/sandbox/sandbox_manager.c
+++ b/modules/sandbox/sandbox_manager.c
@@ -643,6 +643,42 @@ static int AppendPackageNameGids(const AppSpawnSandboxCfg *sandbox, AppSpawningC
     return 0;
 }
 
+static int SetSandboxPermissionFlag(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property)
+{
+    int32_t index = 0;
+    if (sandbox->appFullMountEnable) {
+        index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_CROSS_APP_MODE);
+    } else {
+        index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_ACCESS_COMMON_DIR_MODE);
+    }
+
+    int32_t fileMgrIndex = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_ACCESS_MANAGER_MODE);
+    int32_t userFileIndex = GetPermissionIndexInQueue(&sandbox->permissionQueue, READ_WRITE_USER_FILE_MODE);
+    int fileMgrRes = CheckAppPermissionFlagSet(property, (uint32_t)fileMgrIndex);
+    int userFileRes = CheckAppPermissionFlagSet(property, (uint32_t)userFileIndex);
+    //If both FILE_ACCESS_MANAGER_MODE and READ_WRITE_USER_FILE_MODE exist, the value is invalid.
+    if (fileMgrRes != 0 && userFileRes != 0) {
+        APPSPAWN_LOGE("invalid msg request.");
+        return -1;
+    }
+    // If FILE_ACCESS_MANAGER_MODE and READ_WRITE_USER_FILE_MODE do not exist,set the flag bit.
+    if (index > 0 && (fileMgrIndex > 0 && userFileIndex > 0) && (fileMgrRes == 0 && userFileRes == 0)) {
+        if (SetAppPermissionFlags(property, index) != 0) {
+            return -1;
+        }
+    }
+    return 0;
+}
+
+static int AppendGids(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property)
+{
+    int ret = AppendPermissionGid(sandbox, property);
+    APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
+    ret = AppendPackageNameGids(sandbox, property);
+    APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
+    return ret;
+}
+
 int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
 {
     APPSPAWN_CHECK_ONLY_EXPER(content != NULL, return -1);
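Review bot: In SetSandboxPermissionFlag, `fileMgrIndex` and `userFileIndex` are cast to `uint32_t` and passed to CheckAppPermissionFlagSet before the `> 0` test that follows, so a failed lookup (a negative index, if that is what GetPermissionIndexInQueue returns for a permission missing from the queue) is handed in as a very large flag index; the removed code in SpawnPrepareSandboxCfg only evaluated the flag after `index > 0` had short-circuited. Whether CheckAppPermissionFlagSet bounds-checks its argument is not visible here, so guard the call: `int fileMgrRes = (fileMgrIndex > 0) ? CheckAppPermissionFlagSet(property, (uint32_t)fileMgrIndex) : 0;` and `int userFileRes = (userFileIndex > 0) ? CheckAppPermissionFlagSet(property, (uint32_t)userFileIndex) : 0;`. The same ordering appears in SandboxUtils::SetPermissionWithParam in sandbox_utils.cpp. Note also that the new condition additionally requires `userFileIndex > 0`, so on a configuration whose permission list lacks READ_WRITE_USER_FILE the flag is never set even when the app holds neither conflicting permission — confirm that is intended. The `//If both ...` comment also lacks the space after `//` that the comment below it uses.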
@@ -652,25 +688,13 @@ int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
         EXT_DATA_SANDBOX;
     AppSpawnSandboxCfg *sandbox = GetAppSpawnSandbox(content, type);
     APPSPAWN_CHECK(sandbox != NULL, return -1, "Failed to get sandbox for %{public}s", GetProcessName(property));
-
-    int32_t index = 0;
-    if (sandbox->appFullMountEnable) {
-        index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_CROSS_APP_MODE);
-    } else {
-        index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_ACCESS_COMMON_DIR_MODE);
+    int ret = SetSandboxPermissionFlag(sandbox, property);
+    if (ret != 0) {
+        APPSPAWN_LOGW("set sandbox permission flag failed.");
+        return APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL;
     }
-
-    int32_t fileMgrIndex = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_ACCESS_MANAGER_MODE);
-    if (index > 0 && (CheckAppMsgFlagsSet(property, (uint32_t)fileMgrIndex) == 0)) {
-        if (SetAppPermissionFlags(property, index) != 0) {
-            return -1;
-        }
-    }
-
-    int ret = AppendPermissionGid(sandbox, property);
-    APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
-    ret = AppendPackageNameGids(sandbox, property);
+    ret = AppendGids(sandbox, property);
     APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
     ret = StagedMountSystemConst(sandbox, property, IsNWebSpawnMode(content));
     APPSPAWN_CHECK(ret == 0, return ret, "Failed to mount system-const for %{public}s", GetProcessName(property));
     return 0;
diff --git a/modules/sandbox/sandbox_utils.cpp b/modules/sandbox/sandbox_utils.cpp
index 40bfa12a..d6ec28c9 100644
--- a/modules/sandbox/sandbox_utils.cpp
+++ b/modules/sandbox/sandbox_utils.cpp
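Review bot: The return value of `ret = AppendGids(sandbox, property);` is never checked: the `APPSPAWN_CHECK(ret == 0, ... "Failed to add gid ...")` that precedes it now re-tests the `ret` from SetSandboxPermissionFlag, which is already known to be 0 at that point, and the very next statement overwrites `ret` with the result of StagedMountSystemConst, so a failed permission/package gid append no longer aborts the spawn as it did before this change. Swap the two lines so the call comes first: `ret = AppendGids(sandbox, property);` followed by `APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));`. SpawnPrepareSandboxCfg begins in the previous hunk.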
@@ -134,6 +134,7 @@ namespace {
     const std::string FILE_ACCESS_COMMON_DIR_MODE = "ohos.permission.FILE_ACCESS_COMMON_DIR";
     const std::string ACCESS_DLP_FILE_MODE = "ohos.permission.ACCESS_DLP_FILE";
     const std::string FILE_ACCESS_MANAGER_MODE = "ohos.permission.FILE_ACCESS_MANAGER";
+    const std::string READ_WRITE_USER_FILE_MODE = "ohos.permission.READ_WRITE_USER_FILE";
     const std::string ARK_WEB_PERSIST_PACKAGE_NAME = "persist.arkwebcore.package_name";
 
     const std::string& getArkWebPackageName()
@@ -1585,13 +1586,19 @@ int32_t SandboxUtils::SetPermissionWithParam(AppSpawningCtx *appProperty)
     } else if (appFullMountStatus == FILE_ACCESS_COMMON_DIR_STATUS) {
         index = GetPermissionIndex(nullptr, FILE_ACCESS_COMMON_DIR_MODE.c_str());
     }
-
+    int32_t userFileIndex = GetPermissionIndex(nullptr, READ_WRITE_USER_FILE_MODE.c_str());
     int32_t fileMgrIndex = GetPermissionIndex(nullptr, FILE_ACCESS_MANAGER_MODE.c_str());
-    if (index > 0 && fileMgrIndex > 0 &&
-        (CheckAppPermissionFlagSet(appProperty, static_cast(fileMgrIndex)) == 0)) {
+    if ((CheckAppPermissionFlagSet(appProperty, static_cast(userFileIndex)) != 0) &&
+        (CheckAppPermissionFlagSet(appProperty, static_cast(fileMgrIndex)) != 0)) {
+        APPSPAWN_LOGE("invalid msg request.");
+        return -1;
+    }
+    if (index > 0 && (fileMgrIndex > 0 && userFileIndex > 0) &&
+        (CheckAppPermissionFlagSet(appProperty, static_cast(userFileIndex)) == 0) &&
+        (CheckAppPermissionFlagSet(appProperty, static_cast(fileMgrIndex))== 0)) {
         return SetAppPermissionFlags(appProperty, index);
     }
-    return -1;
+    return 0;
 }
 
 #ifdef APPSPAWN_MOUNT_TMPSHM
@@ -1631,6 +1638,7 @@ int32_t SandboxUtils::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_
 
     if (SetPermissionWithParam(appProperty) != 0) {
         APPSPAWN_LOGW("Set app permission flag fail.");
+        return -1;
     }
 
     // check app sandbox switch
diff --git a/util/include/appspawn_utils.h b/util/include/appspawn_utils.h
index 950e8274..7395760c 100755
--- a/util/include/appspawn_utils.h
+++ b/util/include/appspawn_utils.h
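Review bot: In SetPermissionWithParam (hunk at 1585; the function begins before the hunk) each of the two CheckAppPermissionFlagSet lookups is evaluated twice, once in the conflict test and again in the set-flag condition, where the C counterpart added in sandbox_manager.c caches them in `fileMgrRes`/`userFileRes` once. Computing the two results into locals keeps the two implementations consistent, removes the double call, and gives a natural place for the `> 0` guard before the index is cast; it also fixes the `))== 0` spacing on the last condition line. The `return -1` → `return 0` change on the fall-through path, combined with the new `return -1` in SetAppSandboxProperty at 1638, means a spawn is now refused only on the conflict case while an absent permission index is silently accepted — the comment above the second `if` should say so explicitly.
```cpp
    int32_t userFileIndex = GetPermissionIndex(nullptr, READ_WRITE_USER_FILE_MODE.c_str());
    int32_t fileMgrIndex = GetPermissionIndex(nullptr, FILE_ACCESS_MANAGER_MODE.c_str());
    const bool userFileSet = (userFileIndex > 0) &&
        (CheckAppPermissionFlagSet(appProperty, static_cast<uint32_t>(userFileIndex)) != 0);
    const bool fileMgrSet = (fileMgrIndex > 0) &&
        (CheckAppPermissionFlagSet(appProperty, static_cast<uint32_t>(fileMgrIndex)) != 0);
    // Holding both FILE_ACCESS_MANAGER and READ_WRITE_USER_FILE is a malformed request.
    if (userFileSet && fileMgrSet) {
        APPSPAWN_LOGE("invalid msg request.");
        return -1;
    }
    // Set the flag only when both permissions are configured and neither is held by the app.
    if (index > 0 && fileMgrIndex > 0 && userFileIndex > 0 && !userFileSet && !fileMgrSet) {
        return SetAppPermissionFlags(appProperty, index);
    }
    // … unchanged: return 0; …
```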
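Review bot: The new `return -1;` in SetAppSandboxProperty (hunk at 1638) turns a previously logged-and-continued condition into a spawn failure, yet the message stays at APPSPAWN_LOGW and the bare `-1` carries no reason, while the parallel path in sandbox_manager.c returns the newly added APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL. If appspawn_utils.h is visible in this translation unit, returning that code here as well, `return APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL;`, keeps the two sandbox implementations reporting the same failure, and the log level should match the severity of an abort. SetAppSandboxProperty starts and ends outside the hunk.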
@@ -122,6 +122,7 @@ typedef enum {
     APPSPAWN_DEBUG_MODE_NOT_SUPPORT,
     APPSPAWN_ERROR_UTILS_MEM_FAIL,
     APPSPAWN_ERROR_FILE_RMDIR_FAIL,
+    APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL,
     APPSPAWN_NODE_EXIST,
 } AppSpawnErrorCode;
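Review bot: APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL is inserted before APPSPAWN_NODE_EXIST, which silently renumbers that enumerator; if AppSpawnErrorCode values are compared across separately built components, returned over the client/server boundary, or asserted by numeric value in tests, existing consumers will misread the shifted code. Appending the new enumerator after APPSPAWN_NODE_EXIST avoids the shift; whether these values cross such a boundary is not visible in this hunk, so confirm before merging.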