fix: 新需求

Signed-off-by: 樊景乐 <fanjingle@h-partners.com>
2024-11-23 07:00:17 +00:00 · 2024-10-28 11:39:26 +08:00 · 2024-10-28 11:39:26 +08:00 · b31d6357b6
commit b31d6357b6
parent 23f9147b03
4 changed files with 55 additions and 21 deletions
--- a/modules/sandbox/appspawn_sandbox.h
+++ b/modules/sandbox/appspawn_sandbox.h
@ -71,6 +71,7 @@ extern "C" {
 #define FILE_ACCESS_COMMON_DIR_MODE "ohos.permission.FILE_ACCESS_COMMON_DIR"
 #define ACCESS_DLP_FILE_MODE "ohos.permission.ACCESS_DLP_FILE"
 #define FILE_ACCESS_MANAGER_MODE "ohos.permission.FILE_ACCESS_MANAGER"
+#define READ_WRITE_USER_FILE_MODE "ohos.permission.READ_WRITE_USER_FILE"

 typedef enum SandboxTag {
    SANDBOX_TAG_MOUNT_PATH = 0,
--- a/modules/sandbox/sandbox_manager.c
+++ b/modules/sandbox/sandbox_manager.c
@ -643,6 +643,42 @@ static int AppendPackageNameGids(const AppSpawnSandboxCfg *sandbox, AppSpawningC
    return 0;
 }

+static int SetSandboxPermissionFlag(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property)
+{
+    int32_t index = 0;
+    if (sandbox->appFullMountEnable) {
+        index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_CROSS_APP_MODE);
+    } else {
+        index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_ACCESS_COMMON_DIR_MODE);
+    }
+
+    int32_t fileMgrIndex = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_ACCESS_MANAGER_MODE);
+    int32_t userFileIndex = GetPermissionIndexInQueue(&sandbox->permissionQueue, READ_WRITE_USER_FILE_MODE);
+    int fileMgrRes = CheckAppPermissionFlagSet(property, (uint32_t)fileMgrIndex);
+    int userFileRes = CheckAppPermissionFlagSet(property, (uint32_t)userFileIndex);
+    //If both FILE_ACCESS_MANAGER_MODE and READ_WRITE_USER_FILE_MODE exist, the value is invalid.
+    if (fileMgrRes != 0 && userFileRes != 0) {
+        APPSPAWN_LOGE("invalid msg request.");
+        return -1;
+    }
+    // If FILE_ACCESS_MANAGER_MODE and READ_WRITE_USER_FILE_MODE do not exist,set the flag bit.
+    if (index > 0 && (fileMgrIndex > 0 && userFileIndex > 0) && (fileMgrRes == 0 && userFileRes == 0)) {
+        if (SetAppPermissionFlags(property, index) != 0) {
+            return -1;
+        }
+    }
+    return 0;
+}
+
+static int AppendGids(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property)
+{
+    int ret = AppendPermissionGid(sandbox, property);
+    APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
+    ret = AppendPackageNameGids(sandbox, property);
+    APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
+    return ret;
+}
+
 int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
 {
    APPSPAWN_CHECK_ONLY_EXPER(content != NULL, return -1);
@ -652,25 +688,13 @@ int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
        EXT_DATA_SANDBOX;
    AppSpawnSandboxCfg *sandbox = GetAppSpawnSandbox(content, type);
    APPSPAWN_CHECK(sandbox != NULL, return -1, "Failed to get sandbox for %{public}s", GetProcessName(property));
-
-    int32_t index = 0;
-    if (sandbox->appFullMountEnable) {
-        index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_CROSS_APP_MODE);
-    } else {
-        index = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_ACCESS_COMMON_DIR_MODE);
+    int ret = SetSandboxPermissionFlag(sandbox, property);
+    if (ret != 0) {
+        APPSPAWN_LOGW("set sandbox permission flag failed.");
+        return APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL;
    }
-
-    int32_t fileMgrIndex = GetPermissionIndexInQueue(&sandbox->permissionQueue, FILE_ACCESS_MANAGER_MODE);
-    if (index > 0 && (CheckAppMsgFlagsSet(property, (uint32_t)fileMgrIndex) == 0)) {
-        if (SetAppPermissionFlags(property, index) != 0) {
-            return -1;
-        }
-    }
-
-    int ret = AppendPermissionGid(sandbox, property);
-    APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
-    ret = AppendPackageNameGids(sandbox, property);
    APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
+    ret = AppendGids(sandbox, property);
    ret = StagedMountSystemConst(sandbox, property, IsNWebSpawnMode(content));
    APPSPAWN_CHECK(ret == 0, return ret, "Failed to mount system-const for %{public}s", GetProcessName(property));
    return 0;
--- a/modules/sandbox/sandbox_utils.cpp
+++ b/modules/sandbox/sandbox_utils.cpp
@ -134,6 +134,7 @@ namespace {
    const std::string FILE_ACCESS_COMMON_DIR_MODE = "ohos.permission.FILE_ACCESS_COMMON_DIR";
    const std::string ACCESS_DLP_FILE_MODE = "ohos.permission.ACCESS_DLP_FILE";
    const std::string FILE_ACCESS_MANAGER_MODE = "ohos.permission.FILE_ACCESS_MANAGER";
+    const std::string READ_WRITE_USER_FILE_MODE = "ohos.permission.READ_WRITE_USER_FILE";
    const std::string ARK_WEB_PERSIST_PACKAGE_NAME = "persist.arkwebcore.package_name";

    const std::string& getArkWebPackageName()
@ -1585,13 +1586,19 @@ int32_t SandboxUtils::SetPermissionWithParam(AppSpawningCtx *appProperty)
    } else if (appFullMountStatus == FILE_ACCESS_COMMON_DIR_STATUS) {
        index = GetPermissionIndex(nullptr, FILE_ACCESS_COMMON_DIR_MODE.c_str());
    }
-
+    int32_t userFileIndex = GetPermissionIndex(nullptr, READ_WRITE_USER_FILE_MODE.c_str());
    int32_t fileMgrIndex = GetPermissionIndex(nullptr, FILE_ACCESS_MANAGER_MODE.c_str());
-    if (index > 0 && fileMgrIndex > 0 &&
-        (CheckAppPermissionFlagSet(appProperty, static_cast<uint32_t>(fileMgrIndex)) == 0)) {
+    if ((CheckAppPermissionFlagSet(appProperty, static_cast<uint32_t>(userFileIndex)) != 0) &&
+        (CheckAppPermissionFlagSet(appProperty, static_cast<uint32_t>(fileMgrIndex)) != 0)) {
+        APPSPAWN_LOGE("invalid msg request.");
+        return -1;
+    }
+    if (index > 0 && (fileMgrIndex > 0 && userFileIndex > 0) &&
+        (CheckAppPermissionFlagSet(appProperty, static_cast<uint32_t>(userFileIndex)) == 0) &&
+        (CheckAppPermissionFlagSet(appProperty, static_cast<uint32_t>(fileMgrIndex))== 0)) {
        return SetAppPermissionFlags(appProperty, index);
    }
-    return -1;
+    return 0;
 }

 #ifdef APPSPAWN_MOUNT_TMPSHM
@ -1631,6 +1638,7 @@ int32_t SandboxUtils::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_

    if (SetPermissionWithParam(appProperty) != 0) {
        APPSPAWN_LOGW("Set app permission flag fail.");
+        return -1;
    }

    // check app sandbox switch
--- a/util/include/appspawn_utils.h
+++ b/util/include/appspawn_utils.h
@ -122,6 +122,7 @@ typedef enum {
    APPSPAWN_DEBUG_MODE_NOT_SUPPORT,
    APPSPAWN_ERROR_UTILS_MEM_FAIL,
    APPSPAWN_ERROR_FILE_RMDIR_FAIL,
+    APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL,
    APPSPAWN_NODE_EXIST,
 } AppSpawnErrorCode;