native进程孵化

Signed-off-by: 王达 <wangda20@huawei.com>

appdata-sandbox-isolated.json

@@ -0,0 +1,122 @@
+{
+    "common": [{
+        "top-sandbox-switch": "ON",
+        "app-base": [{
+            "sandbox-ns-flags" : [ "net" ],
+            "mount-paths" : [{
+                "src-path" : "/dev",
+                "sandbox-path" : "/dev",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/proc",
+                "sandbox-path" : "/proc",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/sys",
+                "sandbox-path" : "/sys",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/fonts",
+                "sandbox-path" : "/system/fonts",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/etc",
+                "sandbox-path" : "/system/etc",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/etc/hosts",
+                "sandbox-path" : "/data/service/el1/network/hosts_user/hosts",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/bin",
+                "sandbox-path" : "/system/bin",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/lib",
+                "sandbox-path" : "/system/lib",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/lib64",
+                "sandbox-path" : "/system/lib64",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/lib/platformsdk",
+                "sandbox-path" : "/system/lib/platformsdk",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/lib/ndk",
+                "sandbox-path" : "/system/lib/ndk",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/lib/module",
+                "sandbox-path" : "/system/lib/module",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/lib/chipset-pub-sdk",
+                "sandbox-path" : "/system/lib/chipset-pub-sdk",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/lib/chipset-sdk",
+                "sandbox-path" : "/system/lib/chipset-sdk",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/lib/seccomp",
+                "sandbox-path" : "/system/lib/seccomp",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/lib/extensionability",
+                "sandbox-path" : "/system/lib/extensionability",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/lib/media",
+                "sandbox-path" : "/system/lib/media",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/system/lib/ld-musl-arm.so.1",
+                "sandbox-path" : "/system/lib/ld-musl-arm.so.1",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }, {
+                "src-path" : "/data/app/el1/bundle/public/",
+                "sandbox-path" : "/data/app/el1/bundle/public/",
+                "sandbox-flags" : [ "bind", "rec" ],
+                "check-action-status": "false"
+            }],
+            "symbol-links" : [{
+                "target-name" : "/system/etc",
+                "link-name" : "/etc",
+                "check-action-status": "false"
+            }, {
+                "target-name" : "/system/bin",
+                "link-name" : "/bin",
+                "check-action-status": "false"
+            }, {
+                "target-name" : "/system/lib",
+                "link-name" : "/lib",
+                "check-action-status": "false"
+            }, {
+                "target-name" : "/system/lib64",
+                "link-name" : "/lib64",
+                "check-action-status": "false"
+            }]
+
+        }]
+    }]
+}

appspawn.cfg

@@ -55,6 +55,17 @@
                 "gid" : "nwebspawn",
                 "option" : [
                 ]
+            },
+            {
+                "name" : "NativeSpawn",
+                "family" : "AF_LOCAL",
+                "type" : "SOCK_STREAM",
+                "protocol" : "default",
+                "permissions" : "0666",
+                "uid" : "root",
+                "gid" : "appspawn",
+                "option" : [
+                ]
             }],
             "sandbox" : 0,
             "start-mode" : "boot",
@@ -66,4 +77,3 @@
         }
     ]
 }
-

common/appspawn_server.h

@@ -29,9 +29,33 @@ typedef enum {
     MODE_FOR_NWEB_SPAWN,
     MODE_FOR_APP_COLD_RUN,
     MODE_FOR_NWEB_COLD_RUN,
+    MODE_FOR_NATIVE_SPAWN,
+    MODE_FOR_CJAPP_SPAWN,
     MODE_INVALID
 } RunMode;
 
+typedef enum {
+    PROCESS_FOR_APP_SPAWN,
+    PROCESS_FOR_NWEB_SPAWN,
+    PROCESS_FOR_APP_COLD_RUN,
+    PROCESS_FOR_NWEB_COLD_RUN,
+    PROCESS_FOR_NATIVE_SPAWN,
+    PROCESS_FOR_NWEB_RESTART,
+    PROCESS_INVALID
+} RunProcess;
+
+typedef enum {
+    CJPROCESS_FOR_APP_SPAWN,
+    CJPROCESS_FOR_APP_COLD_RUN,
+    CJPROCESS_INVALID
+} CJRunProcess;
+
+typedef enum {
+    PROCESS_TYPE_APPSPAWN,
+    PROCESS_TYPE_CJAPPSPAWN,
+    PROCESS_TYPE_INVALID
+} ProcessType;
+
 typedef struct AppSpawnClient {
     uint32_t id;
     uint32_t flags;  // Save negotiated flags

etc/BUILD.gn

@@ -28,6 +28,12 @@ if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) {
     part_name = "${part_name}"
     module_install_dir = "etc/sandbox"
   }
+
+  ohos_prebuilt_etc("appdata-sandbox-isolated.json") {
+    source = "../appdata-sandbox-isolated.json"
+    part_name = "${part_name}"
+    module_install_dir = "etc/sandbox"
+  }
 } else {
   ohos_prebuilt_appdata_sandbox("appdata-sandbox.json") {
     source = "../appdata-sandbox.json"
@@ -43,6 +49,15 @@ if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) {
     part_name = "${part_name}"
     module_install_dir = "etc/sandbox"
   }
+
+  ohos_prebuilt_appdata_sandbox("appdata-sandbox-isolated.json") {
+    source = "../appdata-sandbox-isolated.json"
+    patterns = []
+    extra_sandbox_cfgs = []
+    subsystem_name = "${subsystem_name}"
+    part_name = "${part_name}"
+    module_install_dir = "etc/sandbox"
+  }
 }
 
 ohos_prebuilt_etc("appspawn_preload.json") {
@@ -54,6 +69,7 @@ ohos_prebuilt_etc("appspawn_preload.json") {
 group("etc_files") {
   deps = [
     ":appdata-sandbox.json",
+    ":appdata-sandbox-isolated.json",
     ":appspawn_preload.json",
   ]
   if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) {

interfaces/innerkits/client/appspawn_client.c

@@ -91,8 +91,22 @@ APPSPAWN_STATIC void CloseClientSocket(int socketId)
 
 APPSPAWN_STATIC int CreateClientSocket(uint32_t type, uint32_t timeout)
 {
-    const char *socketName = type == CLIENT_FOR_APPSPAWN ? APPSPAWN_SOCKET_NAME :
+    const char *socketName;
-                             (type == CLIENT_FOR_CJAPPSPAWN ? CJAPPSPAWN_SOCKET_NAME : NWEBSPAWN_SOCKET_NAME);
+
+    switch (type) {
+        case CLIENT_FOR_APPSPAWN:
+            socketName = APPSPAWN_SOCKET_NAME;
+            break;
+        case CLIENT_FOR_CJAPPSPAWN:
+            socketName = CJAPPSPAWN_SOCKET_NAME;
+            break;
+        case CLIENT_FOR_NATIVESPAWN:
+            socketName = NATIVESPAWN_SOCKET_NAME;
+            break;
+        default:
+            socketName = NWEBSPAWN_SOCKET_NAME;
+            break;
+    }
 
     int socketFd = socket(AF_UNIX, SOCK_STREAM, 0);  // SOCK_SEQPACKET
     APPSPAWN_CHECK(socketFd >= 0, return -1,
@@ -270,6 +284,9 @@ int AppSpawnClientInit(const char *serviceName, AppSpawnClientHandle *handle)
         type = CLIENT_FOR_CJAPPSPAWN;
     } else if (strcmp(serviceName, NWEBSPAWN_SERVER_NAME) == 0 || strstr(serviceName, NWEBSPAWN_SOCKET_NAME) != NULL) {
         type = CLIENT_FOR_NWEBSPAWN;
+    } else if (strcmp(serviceName, NATIVESPAWN_SERVER_NAME) == 0 ||
+        strstr(serviceName, NATIVESPAWN_SOCKET_NAME) != NULL) {
+        type = CLIENT_FOR_NATIVESPAWN;
     }
     int ret = InitClientInstance(type);
     APPSPAWN_CHECK(ret == 0, return APPSPAWN_SYSTEM_ERROR, "Failed to create reqMgr");

interfaces/innerkits/client/appspawn_client.h

@@ -46,6 +46,7 @@ typedef enum {
     CLIENT_FOR_APPSPAWN,
     CLIENT_FOR_NWEBSPAWN,
     CLIENT_FOR_CJAPPSPAWN,
+    CLIENT_FOR_NATIVESPAWN,
     CLIENT_MAX
 } AppSpawnClientType;
 

interfaces/innerkits/include/appspawn.h

@@ -49,6 +49,7 @@ typedef void *AppSpawnClientHandle;
 #define APPSPAWN_SERVER_NAME "appspawn"
 #define CJAPPSPAWN_SERVER_NAME "cjappspawn"
 #define NWEBSPAWN_RESTART "nwebRestart"
+#define NATIVESPAWN_SERVER_NAME "nativespawn"
 
 #pragma pack(4)
 #define APP_MAX_GIDS 64
@@ -175,6 +176,11 @@ typedef enum {
     APP_FLAGS_CHILDPROCESS,
     APP_FLAGS_HWASAN_ENABLED = 21,
     APP_FLAGS_UBSAN_ENABLED = 22,
+    APP_FLAGS_ISOLATED_SANDBOX_TYPE,
+    APP_FLAGS_ISOLATED_SELINUX_LABEL,
+    APP_FLAGS_ISOLATED_SECCOMP_TYPE,
+    APP_FLAGS_ISOLATED_NETWORK,
+    APP_FLAGS_ISOLATED_DATAGROUP,
     MAX_FLAGS_INDEX = 63,
 } AppFlagsIndex;
 

modules/common/appspawn_adapter.cpp

@@ -48,7 +48,7 @@ int SetAppAccessToken(const AppSpawnMgr *content, const AppSpawningCtx *property
     APPSPAWN_LOGV("AppSpawnServer::set access token %{public}" PRId64 " %{public}d",
         tokenInfo->accessTokenIdEx, IsNWebSpawnMode(content));
 
-    if (IsNWebSpawnMode(content)) {
+    if (IsNWebSpawnMode(content) || IsNativeSpawnMode(content)) {
         TokenIdKit tokenIdKit;
         tokenId = tokenIdKit.GetRenderTokenID(tokenInfo->accessTokenIdEx);
     } else {
@@ -151,7 +151,7 @@ int SetSeccompFilter(const AppSpawnMgr *content, const AppSpawningCtx *property)
 #ifdef WITH_SECCOMP
     const char *appName = APP_NAME;
     SeccompFilterType type = APP;
-    
+
     if (IsNWebSpawnMode(content)) {
         uint32_t len = 0;
         std::string processType =

modules/module_engine/include/appspawn_msg.h

@@ -30,6 +30,7 @@ extern "C" {
 #define APPSPAWN_SOCKET_NAME "AppSpawn"
 #define CJAPPSPAWN_SOCKET_NAME "CJAppSpawn"
 #define KEEPALIVE_NAME "keepalive"
+#define NATIVESPAWN_SOCKET_NAME "NativeSpawn"
 
 #define APPSPAWN_ALIGN(len) (((len) + 0x03) & (~0x03))
 #define APPSPAWN_TLV_NAME_LEN 32

modules/sandbox/appspawn_permission.h

@@ -27,6 +27,7 @@ extern "C" {
 
 #define APP_SANDBOX_FILE_NAME "/appdata-sandbox.json"
 #define WEB_SANDBOX_FILE_NAME "/appdata-sandbox-nweb.json"
+#define ISOLATED_SANDBOX_FILE_NAME "/appdata-sandbox-isolated.json"
 
 typedef struct TagSandboxQueue SandboxQueue;
 typedef struct TagPermissionNode SandboxPermissionNode;

modules/sandbox/appspawn_sandbox.c

@@ -199,7 +199,7 @@ static int InitSandboxContext(SandboxContext *context,
     context->message = property->message;
 
     context->sandboxNsFlags = CLONE_NEWNS;
-    if (CheckSpawningMsgFlagSet(context, APP_FLAGS_ISOLATED_SANDBOX)) {
+    if (CheckSpawningMsgFlagSet(context, APP_FLAGS_ISOLATED_NETWORK)) {
         context->sandboxNsFlags |= sandbox->sandboxNsFlags & CLONE_NEWNET ? CLONE_NEWNET : 0;
     }
 

modules/sandbox/appspawn_sandbox.h

@@ -227,7 +227,7 @@ typedef struct {
 AppSpawnSandboxCfg *CreateAppSpawnSandbox(void);
 AppSpawnSandboxCfg *GetAppSpawnSandbox(const AppSpawnMgr *content);
 void DeleteAppSpawnSandbox(AppSpawnSandboxCfg *sandbox);
-int LoadAppSandboxConfig(AppSpawnSandboxCfg *sandbox, int nwebSpawn);
+int LoadAppSandboxConfig(AppSpawnSandboxCfg *sandbox, RunMode mode);
 void DumpAppSpawnSandboxCfg(AppSpawnSandboxCfg *sandbox);
 
 /**

modules/sandbox/sandbox_load.c

@@ -661,10 +661,19 @@ APPSPAWN_STATIC int ParseAppSandboxConfig(const cJSON *root, ParseJsonContext *c
     return ret;
 }
 
-int LoadAppSandboxConfig(AppSpawnSandboxCfg *sandbox, int nwebSpawn)
+APPSPAWN_STATIC const char *GetSandboxNameByMode(RunMode mode)
+{
+    if (mode == MODE_FOR_NATIVE_SPAWN) {
+        return ISOLATED_SANDBOX_FILE_NAME;
+    }
+
+    return APP_SANDBOX_FILE_NAME;
+}
+
+int LoadAppSandboxConfig(AppSpawnSandboxCfg *sandbox, RunMode mode)
 {
     APPSPAWN_CHECK_ONLY_EXPER(sandbox != NULL, return APPSPAWN_ARG_INVALID);
-    const char *sandboxName = nwebSpawn ? WEB_SANDBOX_FILE_NAME : APP_SANDBOX_FILE_NAME;
+    const char *sandboxName = GetSandboxNameByMode(mode);
     if (sandbox->depGroupNodes != NULL) {
         APPSPAWN_LOGW("Sandbox has been load");
         return 0;

modules/sandbox/sandbox_utils.cpp

@@ -33,6 +33,7 @@
 #include "appspawn_msg.h"
 #include "appspawn_server.h"
 #include "appspawn_service.h"
+#include "appspawn_utils.h"
 #include "config_policy_utils.h"
 #include "init_param.h"
 #include "parameter.h"
@@ -62,6 +63,7 @@ namespace {
     constexpr std::string_view APL_SYSTEM_CORE("system_core");
     constexpr std::string_view APL_SYSTEM_BASIC("system_basic");
     const std::string APP_JSON_CONFIG("/appdata-sandbox.json");
+    const std::string APP_ISOLATED_JSON_CONFIG("/appdata-sandbox-isolated.json");
     const std::string g_physicalAppInstallPath = "/data/app/el1/bundle/public/";
     const std::string g_sandboxGroupPath = "/data/storage/el2/group/";
     const std::string g_sandboxHspInstallPath = "/data/storage/el1/bundle/";
@@ -180,17 +182,17 @@ bool JsonUtils::GetStringFromJson(const nlohmann::json &json, const std::string
     }
 }
 
-std::vector<nlohmann::json> SandboxUtils::appSandboxConfig_ = {};
+std::map<SandboxConfigType, std::vector<nlohmann::json>> SandboxUtils::appSandboxConfig_ = {};
 int32_t SandboxUtils::deviceTypeEnable_ = -1;
 
-void SandboxUtils::StoreJsonConfig(nlohmann::json &appSandboxConfig)
+void SandboxUtils::StoreJsonConfig(nlohmann::json &appSandboxConfig, SandboxConfigType type)
 {
-    SandboxUtils::appSandboxConfig_.push_back(appSandboxConfig);
+    SandboxUtils::appSandboxConfig_[type].push_back(appSandboxConfig);
 }
 
-std::vector<nlohmann::json> &SandboxUtils::GetJsonConfig()
+std::vector<nlohmann::json> &SandboxUtils::GetJsonConfig(SandboxConfigType type)
 {
-    return SandboxUtils::appSandboxConfig_;
+    return SandboxUtils::appSandboxConfig_[type];
 }
 
 static void MakeDirRecursive(const std::string &path, mode_t mode)
@@ -562,8 +564,9 @@ std::string SandboxUtils::GetSbxPathByConfig(const AppSpawningCtx *appProperty,
 
     std::string sandboxRoot = "";
     const std::string originSandboxPath = "/mnt/sandbox/<PackageName>";
+    std::string isolatedFlagText = CheckAppMsgFlagsSet(appProperty, APP_FLAGS_ISOLATED_SANDBOX_TYPE) ? "isolated/" : "";
     const std::string defaultSandboxRoot = g_sandBoxDir + to_string(dacInfo->uid / UID_BASE) +
-        "/" + GetBundleName(appProperty);
+        "/" + isolatedFlagText.c_str() + GetBundleName(appProperty);
     if (config.find(g_sandboxRootPrefix) != config.end()) {
         sandboxRoot = config[g_sandboxRootPrefix].get<std::string>();
         if (sandboxRoot == originSandboxPath) {
@@ -934,7 +937,7 @@ int32_t SandboxUtils::DoSandboxFilePermissionBind(AppSpawningCtx *appProperty,
 std::set<std::string> SandboxUtils::GetMountPermissionNames()
 {
     std::set<std::string> permissionSet;
-    for (auto& config : SandboxUtils::GetJsonConfig()) {
+    for (auto& config : SandboxUtils::GetJsonConfig(SANBOX_APP_JSON_CONFIG)) {
         if (config.find(g_permissionPrefix) == config.end()) {
             continue;
         }
@@ -1081,7 +1084,10 @@ int32_t SandboxUtils::SetRenderSandboxProperty(const AppSpawningCtx *appProperty
 int32_t SandboxUtils::SetRenderSandboxPropertyNweb(const AppSpawningCtx *appProperty,
                                                    std::string &sandboxPackagePath)
 {
-    for (auto& config : SandboxUtils::GetJsonConfig()) {
+    SandboxConfigType type = CheckAppMsgFlagsSet(appProperty, APP_FLAGS_ISOLATED_SANDBOX_TYPE) ?
+        SANBOX_ISOLATED_JSON_CONFIG : SANBOX_APP_JSON_CONFIG;
+
+    for (auto& config : SandboxUtils::GetJsonConfig(type)) {
         nlohmann::json& privateAppConfig = config[g_privatePrefix][0];
         if (privateAppConfig.find(g_ohosRender) != privateAppConfig.end()) {
             int ret = DoAllMntPointsMount(appProperty, privateAppConfig[g_ohosRender][0], nullptr, g_ohosRender);
@@ -1101,17 +1107,23 @@ int32_t SandboxUtils::SetRenderSandboxPropertyNweb(const AppSpawningCtx *appProp
 int32_t SandboxUtils::SetPrivateAppSandboxProperty(const AppSpawningCtx *appProperty)
 {
     int ret = 0;
-    for (auto& config : SandboxUtils::GetJsonConfig()) {
+    SandboxConfigType type = CheckAppMsgFlagsSet(appProperty, APP_FLAGS_ISOLATED_SANDBOX_TYPE) ?
+        SANBOX_ISOLATED_JSON_CONFIG : SANBOX_APP_JSON_CONFIG;
+
+    for (auto& config : SandboxUtils::GetJsonConfig(type)) {
         ret = SetPrivateAppSandboxProperty_(appProperty, config);
         APPSPAWN_CHECK(ret == 0, return ret, "parse adddata-sandbox config failed");
     }
     return ret;
 }
 
-static bool GetSandboxPrivateSharedStatus(const string &bundleName)
+static bool GetSandboxPrivateSharedStatus(const string &bundleName, AppSpawningCtx *appProperty)
 {
     bool result = false;
-    for (auto& config : SandboxUtils::GetJsonConfig()) {
+    SandboxConfigType type = CheckAppMsgFlagsSet(appProperty, APP_FLAGS_ISOLATED_SANDBOX_TYPE) ?
+        SANBOX_ISOLATED_JSON_CONFIG : SANBOX_APP_JSON_CONFIG;
+
+    for (auto& config : SandboxUtils::GetJsonConfig(type)) {
         nlohmann::json& privateAppConfig = config[g_privatePrefix][0];
         if (privateAppConfig.find(bundleName) != privateAppConfig.end() &&
             privateAppConfig[bundleName][0].find(g_sandBoxShared) !=
@@ -1129,7 +1141,10 @@ static bool GetSandboxPrivateSharedStatus(const string &bundleName)
 int32_t SandboxUtils::SetPermissionAppSandboxProperty(AppSpawningCtx *appProperty)
 {
     int ret = 0;
-    for (auto& config : SandboxUtils::GetJsonConfig()) {
+    SandboxConfigType type = CheckAppMsgFlagsSet(appProperty, APP_FLAGS_ISOLATED_SANDBOX_TYPE) ?
+        SANBOX_ISOLATED_JSON_CONFIG : SANBOX_APP_JSON_CONFIG;
+
+    for (auto& config : SandboxUtils::GetJsonConfig(type)) {
         ret = SetPermissionAppSandboxProperty_(appProperty, config);
         APPSPAWN_CHECK(ret == 0, return ret, "parse adddata-sandbox config failed");
     }
@@ -1161,7 +1176,10 @@ int32_t SandboxUtils::SetCommonAppSandboxProperty(const AppSpawningCtx *appPrope
                                                   std::string &sandboxPackagePath)
 {
     int ret = 0;
-    for (auto& jsonConfig : SandboxUtils::GetJsonConfig()) {
+    SandboxConfigType type = CheckAppMsgFlagsSet(appProperty, APP_FLAGS_ISOLATED_SANDBOX_TYPE) ?
+        SANBOX_ISOLATED_JSON_CONFIG : SANBOX_APP_JSON_CONFIG;
+
+    for (auto& jsonConfig : SandboxUtils::GetJsonConfig(type)) {
         ret = SetCommonAppSandboxProperty_(appProperty, jsonConfig);
         APPSPAWN_CHECK(ret == 0, return ret,
             "parse appdata config for common failed, %{public}s", sandboxPackagePath.c_str());
@@ -1330,7 +1348,7 @@ uint32_t SandboxUtils::GetSandboxNsFlags(bool isNweb)
         return nsFlags;
     }
 
-    for (auto& config : SandboxUtils::GetJsonConfig()) {
+    for (auto& config : SandboxUtils::GetJsonConfig(SANBOX_APP_JSON_CONFIG)) {
         if (isNweb) {
             nlohmann::json& privateAppConfig = config[g_privatePrefix][0];
             if (privateAppConfig.find(g_ohosRender) == privateAppConfig.end()) {
@@ -1371,7 +1389,10 @@ bool SandboxUtils::CheckBundleNameForPrivate(const std::string &bundleName)
 
 bool SandboxUtils::CheckTotalSandboxSwitchStatus(const AppSpawningCtx *appProperty)
 {
-    for (auto& wholeConfig : SandboxUtils::GetJsonConfig()) {
+    SandboxConfigType type = CheckAppMsgFlagsSet(appProperty, APP_FLAGS_ISOLATED_SANDBOX_TYPE) ?
+        SANBOX_ISOLATED_JSON_CONFIG : SANBOX_APP_JSON_CONFIG;
+
+    for (auto& wholeConfig : SandboxUtils::GetJsonConfig(type)) {
         if (wholeConfig.find(g_commonPrefix) == wholeConfig.end()) {
             continue;
         }
@@ -1392,7 +1413,10 @@ bool SandboxUtils::CheckTotalSandboxSwitchStatus(const AppSpawningCtx *appProper
 bool SandboxUtils::CheckAppSandboxSwitchStatus(const AppSpawningCtx *appProperty)
 {
     bool rc = true;
-    for (auto& wholeConfig : SandboxUtils::GetJsonConfig()) {
+    SandboxConfigType type = CheckAppMsgFlagsSet(appProperty, APP_FLAGS_ISOLATED_SANDBOX_TYPE) ?
+        SANBOX_ISOLATED_JSON_CONFIG : SANBOX_APP_JSON_CONFIG;
+
+    for (auto& wholeConfig : SandboxUtils::GetJsonConfig(type)) {
         if (wholeConfig.find(g_privatePrefix) == wholeConfig.end()) {
             continue;
         }
@@ -1584,8 +1608,10 @@ int32_t SandboxUtils::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_
 
     std::string sandboxPackagePath = g_sandBoxRootDir + to_string(dacInfo->uid / UID_BASE) + "/";
     const std::string bundleName = GetBundleName(appProperty);
-    bool sandboxSharedStatus = GetSandboxPrivateSharedStatus(bundleName) || (CheckAppPermissionFlagSet(appProperty,
+    bool sandboxSharedStatus = GetSandboxPrivateSharedStatus(bundleName, appProperty) ||
-        static_cast<uint32_t>(GetPermissionIndex(nullptr, ACCESS_DLP_FILE_MODE.c_str()))) != 0);
+        (CheckAppPermissionFlagSet(appProperty, static_cast<uint32_t>(GetPermissionIndex(nullptr,
+        ACCESS_DLP_FILE_MODE.c_str()))) != 0);
+    sandboxPackagePath += CheckAppMsgFlagsSet(appProperty, APP_FLAGS_ISOLATED_SANDBOX_TYPE) ? "isolated/" : "";
     sandboxPackagePath += bundleName;
     MakeDirRecursive(sandboxPackagePath.c_str(), FILE_MODE);
 
@@ -1624,7 +1650,7 @@ int32_t SandboxUtils::SetAppSandboxPropertyNweb(AppSpawningCtx *appProperty, uin
     }
     std::string sandboxPackagePath = g_sandBoxRootDirNweb;
     const std::string bundleName = GetBundleName(appProperty);
-    bool sandboxSharedStatus = GetSandboxPrivateSharedStatus(bundleName);
+    bool sandboxSharedStatus = GetSandboxPrivateSharedStatus(bundleName, appProperty);
     sandboxPackagePath += bundleName;
     MakeDirRecursive(sandboxPackagePath.c_str(), FILE_MODE);
 
@@ -1705,11 +1731,17 @@ int LoadAppSandboxConfig(AppSpawnMgr *content)
             continue;
         }
         std::string path = files->paths[i];
-        path += OHOS::AppSpawn::APP_JSON_CONFIG;
+        std::string appPath = path + OHOS::AppSpawn::APP_JSON_CONFIG;
-        APPSPAWN_LOGI("LoadAppSandboxConfig %{public}s", path.c_str());
+        APPSPAWN_LOGI("LoadAppSandboxConfig %{public}s", appPath.c_str());
-        rc = OHOS::AppSpawn::JsonUtils::GetJsonObjFromJson(appSandboxConfig, path);
+        rc = OHOS::AppSpawn::JsonUtils::GetJsonObjFromJson(appSandboxConfig, appPath);
-        APPSPAWN_CHECK(rc, continue, "Failed to load app data sandbox config %{public}s", path.c_str());
+        APPSPAWN_CHECK(rc, continue, "Failed to load app data sandbox config %{public}s", appPath.c_str());
-        OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(appSandboxConfig);
+        OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(appSandboxConfig, SANBOX_APP_JSON_CONFIG);
+
+        std::string isolatedPath = path + OHOS::AppSpawn::APP_ISOLATED_JSON_CONFIG;
+        APPSPAWN_LOGI("LoadAppSandboxConfig %{public}s", isolatedPath.c_str());
+        rc = OHOS::AppSpawn::JsonUtils::GetJsonObjFromJson(appSandboxConfig, isolatedPath);
+        APPSPAWN_CHECK(rc, continue, "Failed to load app data sandbox config %{public}s", isolatedPath.c_str());
+        OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(appSandboxConfig, SANBOX_ISOLATED_JSON_CONFIG);
     }
     FreeCfgFiles(files);
     bool isNweb = IsNWebSpawnMode(content);
@@ -1736,7 +1768,7 @@ int32_t SetAppSandboxProperty(AppSpawnMgr *content, AppSpawningCtx *property)
         }
     }
     uint32_t sandboxNsFlags = CLONE_NEWNS;
-    if (CheckAppMsgFlagsSet(property, APP_FLAGS_ISOLATED_SANDBOX)) {
+    if (CheckAppMsgFlagsSet(property, APP_FLAGS_ISOLATED_NETWORK)) {
         sandboxNsFlags |= content->content.sandboxNsFlags & CLONE_NEWNET ? CLONE_NEWNET : 0;
     }
     APPSPAWN_LOGV("SetAppSandboxProperty sandboxNsFlags 0x%{public}x", sandboxNsFlags);

modules/sandbox/sandbox_utils.h

@@ -26,12 +26,17 @@
 #include "appspawn_server.h"
 #include "appspawn_manager.h"
 
+typedef enum {
+    SANBOX_APP_JSON_CONFIG,
+    SANBOX_ISOLATED_JSON_CONFIG
+} SandboxConfigType;
+
 namespace OHOS {
 namespace AppSpawn {
 class SandboxUtils {
 public:
-    static void StoreJsonConfig(nlohmann::json &appSandboxConfig);
+    static void StoreJsonConfig(nlohmann::json &appSandboxConfig, SandboxConfigType type);
-    static std::vector<nlohmann::json> &GetJsonConfig();
+    static std::vector<nlohmann::json> &GetJsonConfig(SandboxConfigType type);
     static int32_t SetAppSandboxProperty(AppSpawningCtx *client, uint32_t sandboxNsFlags = CLONE_NEWNS);
     static int32_t SetAppSandboxPropertyNweb(AppSpawningCtx *client, uint32_t sandboxNsFlags = CLONE_NEWNS);
     static uint32_t GetSandboxNsFlags(bool isNweb);
@@ -115,7 +120,7 @@ private:
                                       const std::string &section, std::string sandboxRoot);
     static void GetSandboxMountConfig(const AppSpawningCtx *appProperty, const std::string &section,
                                       nlohmann::json &mntPoint,SandboxMountConfig &mountConfig);
-    static std::vector<nlohmann::json> appSandboxConfig_;
+    static std::map<SandboxConfigType, std::vector<nlohmann::json>> appSandboxConfig_;
     static int32_t deviceTypeEnable_;
 };
 class JsonUtils {

service/hnp/README_zh.md

@@ -74,7 +74,7 @@ HAP工程根目录
 ## 3 Native软件包的使用方法
 ### 3.1 在hap应用中访问Native二进制
 以c++语言为例，可以在hap应用代码中通过system、execv等函数执行二进制。默认公有hnp包软链接路径为/data/service/hnp/bin，默认私有hnp包软链接路径为/data/app/bin，默认软链接路径已加入环境变量中。
-### 3.1 hdc shell执行方法
+### 3.2 hdc shell执行方法
 
 **操作步骤：**
 1. 从应用市场下载Native软件包hap应用并安装。

standard/appspawn_main.c

@@ -27,6 +27,22 @@
 
 #define APPSPAWN_PRELOAD "libappspawn_helper.z.so"
 
+static AppSpawnStartArgTemplate g_appSpawnStartArgTemplate[PROCESS_INVALID] = {
+    {APPSPAWN_SERVER_NAME, {MODE_FOR_APP_SPAWN, MODULE_APPSPAWN, APPSPAWN_SOCKET_NAME, APPSPAWN_SERVER_NAME, 1}},
+    {NWEBSPAWN_SERVER_NAME, {MODE_FOR_NWEB_SPAWN, MODULE_NWEBSPAWN, NWEBSPAWN_SOCKET_NAME, NWEBSPAWN_SERVER_NAME, 1}},
+    {"app_cold", {MODE_FOR_APP_COLD_RUN, MODULE_APPSPAWN, APPSPAWN_SOCKET_NAME, APPSPAWN_SERVER_NAME, 0}},
+    {"nweb_cold", {MODE_FOR_NWEB_COLD_RUN, MODULE_NWEBSPAWN, APPSPAWN_SOCKET_NAME, NWEBSPAWN_SERVER_NAME, 0}},
+    {NATIVESPAWN_SERVER_NAME, {MODE_FOR_NATIVE_SPAWN, MODULE_APPSPAWN, NATIVESPAWN_SOCKET_NAME,
+        NATIVESPAWN_SERVER_NAME, 1}},
+    {NWEBSPAWN_RESTART, {MODE_FOR_NWEB_SPAWN, MODULE_NWEBSPAWN, NWEBSPAWN_SOCKET_NAME, NWEBSPAWN_SERVER_NAME, 1}},
+};
+
+static AppSpawnStartArgTemplate g_appCJSpawnStartArgTemplate[CJPROCESS_INVALID] = {
+    {CJAPPSPAWN_SERVER_NAME, {MODE_FOR_CJAPP_SPAWN, MODULE_APPSPAWN, CJAPPSPAWN_SOCKET_NAME, CJAPPSPAWN_SERVER_NAME,
+        1}},
+    {"app_cold", {MODE_FOR_APP_COLD_RUN, MODULE_APPSPAWN, CJAPPSPAWN_SOCKET_NAME, CJAPPSPAWN_SERVER_NAME, 0}},
+};
+
 static void CheckPreload(char *const argv[])
 {
     char buf[256] = APPSPAWN_PRELOAD;  // 256 is enough in most cases
@@ -58,6 +74,27 @@ static void CheckPreload(char *const argv[])
     APPSPAWN_LOGE("execv fail: %{public}s: %{public}d: %{public}d", buf, errno, ret);
 }
 
+static AppSpawnStartArgTemplate *GetAppSpawnStartArg(const char *serverName, ProcessType type)
+{
+    if (type == PROCESS_TYPE_APPSPAWN) {
+        for (uint32_t i = 0; i < ARRAY_LENGTH(g_appSpawnStartArgTemplate); i++) {
+            if (strcmp(serverName, g_appSpawnStartArgTemplate[i].serverName) == 0) {
+                return &g_appSpawnStartArgTemplate[i];
+            }
+        }
+
+        return &g_appSpawnStartArgTemplate[PROCESS_FOR_APP_SPAWN];
+    } else {
+        for (uint32_t i = 0; i < ARRAY_LENGTH(g_appCJSpawnStartArgTemplate); i++) {
+            if (strcmp(serverName, g_appCJSpawnStartArgTemplate[i].serverName) == 0) {
+                return &g_appCJSpawnStartArgTemplate[i];
+            }
+        }
+
+        return &g_appCJSpawnStartArgTemplate[CJPROCESS_FOR_APP_SPAWN];
+    }
+}
+
 // appspawn -mode appspawn | cold | nwebspawn -param app_property -fd clientFd
 int main(int argc, char *const argv[])
 {
@@ -74,59 +111,34 @@ int main(int argc, char *const argv[])
     CheckPreload(argv);
     (void)signal(SIGPIPE, SIG_IGN);
     uint32_t argvSize = end - start;
-    AppSpawnStartArg arg = {};
+    AppSpawnStartArg *arg;
-#ifndef CJAPP_SPAWN
+    AppSpawnStartArgTemplate *argTemp = NULL;
-    arg.mode = MODE_FOR_APP_SPAWN;
+
-    arg.socketName = APPSPAWN_SOCKET_NAME;
+#ifdef CJAPP_SPAWN
-    arg.serviceName = APPSPAWN_SERVER_NAME;
+    argTemp = &g_appCJSpawnStartArgTemplate[CJPROCESS_FOR_APP_SPAWN];
-    arg.moduleType = MODULE_APPSPAWN;
+    if (argc > MODE_VALUE_INDEX) {
-    arg.initArg = 1;
+        argTemp = GetAppSpawnStartArg(argv[MODE_VALUE_INDEX], PROCESS_TYPE_CJAPPSPAWN);
-    if (argc <= MODE_VALUE_INDEX) {  // appspawn start
-        arg.mode = MODE_FOR_APP_SPAWN;
-    } else if (strcmp(argv[MODE_VALUE_INDEX], "app_cold") == 0) {  // cold start
-        APPSPAWN_CHECK(argc >= ARG_NULL, return 0, "Invalid arg for cold start %{public}d", argc);
-        arg.mode = MODE_FOR_APP_COLD_RUN;
-        arg.initArg = 0;
-    } else if (strcmp(argv[MODE_VALUE_INDEX], "nweb_cold") == 0) {  // cold start
-        APPSPAWN_CHECK(argc >= ARG_NULL, return 0, "Invalid arg for cold start %{public}d", argc);
-        arg.mode = MODE_FOR_NWEB_COLD_RUN;
-        arg.moduleType = MODULE_NWEBSPAWN;
-        arg.serviceName = NWEBSPAWN_SERVER_NAME;
-        arg.initArg = 0;
-    } else if (strcmp(argv[MODE_VALUE_INDEX], NWEBSPAWN_SERVER_NAME) == 0) {  // nweb spawn start
-        APPSPAWN_CHECK(argvSize >= APP_LEN_PROC_NAME,
-            return 0, "Invalid arg size for service %{public}s", arg.serviceName);
-        arg.mode = MODE_FOR_NWEB_SPAWN;
-        arg.moduleType = MODULE_NWEBSPAWN;
-        arg.socketName = NWEBSPAWN_SOCKET_NAME;
-        arg.serviceName = NWEBSPAWN_SERVER_NAME;
-    } else if (strcmp(argv[MODE_VALUE_INDEX], NWEBSPAWN_RESTART) == 0) {  // nweb spawn restart
-        APPSPAWN_CHECK_ONLY_EXPER(argvSize >= APP_LEN_PROC_NAME, argvSize = APP_LEN_PROC_NAME);
-        arg.mode = MODE_FOR_NWEB_SPAWN;
-        arg.moduleType = MODULE_NWEBSPAWN;
-        arg.socketName = NWEBSPAWN_SOCKET_NAME;
-        arg.serviceName = NWEBSPAWN_SERVER_NAME;
-    } else {
-        APPSPAWN_CHECK(argvSize >= APP_LEN_PROC_NAME,
-            return 0, "Invalid arg size for service %{public}s", arg.serviceName);
     }
-    AppSpawnContent *content = StartSpawnService(&arg, argvSize, argc, argv);
 #else
-    arg.mode = MODE_FOR_APP_SPAWN;
+    argTemp = &g_appSpawnStartArgTemplate[PROCESS_FOR_APP_SPAWN];
-    arg.socketName = CJAPPSPAWN_SOCKET_NAME;
+    if (argc > MODE_VALUE_INDEX) {
-    arg.serviceName = CJAPPSPAWN_SERVER_NAME;
+        argTemp = GetAppSpawnStartArg(argv[MODE_VALUE_INDEX], PROCESS_TYPE_APPSPAWN);
-    arg.moduleType = MODULE_APPSPAWN;
-    arg.initArg = 1;
-    // cold start in cjappspawn is for ide-sanitizers (asan/tsan/hwasan)
-    if (strcmp(argv[MODE_VALUE_INDEX], "app_cold") == 0) {  // cold start
-        APPSPAWN_CHECK(argc >= ARG_NULL, return 0, "Invalid arg for cold start %{public}d", argc);
-        arg.mode = MODE_FOR_APP_COLD_RUN;
-        arg.initArg = 0;
     }
-    AppSpawnContent *content = StartCJSpawnService(&arg, argvSize, argc, argv);
 #endif
+    arg = &argTemp->arg;
+    if (arg->initArg == 0) {
+        APPSPAWN_CHECK(argc >= ARG_NULL, return 0, "Invalid arg for cold start %{public}d", argc);
+    } else {
+        if (strcmp(argTemp->serverName, NWEBSPAWN_RESTART) == 0) {  // nweb spawn restart
+            APPSPAWN_CHECK_ONLY_EXPER(argvSize >= APP_LEN_PROC_NAME, argvSize = APP_LEN_PROC_NAME);
+        } else {
+            APPSPAWN_CHECK(argvSize >= APP_LEN_PROC_NAME, return 0, "Invalid arg size for service %{public}s",
+                arg->serviceName);
+        }
+    }
+    AppSpawnContent *content = StartSpawnService(arg, argvSize, argc, argv);
     if (content != NULL) {
-        if (arg.moduleType == MODULE_APPSPAWN) {
+        if (arg->moduleType == MODULE_APPSPAWN) {
             AppSpawnKickDogStart(content);
         }
         content->runAppSpawn(content, argc, argv);

standard/appspawn_manager.h

@@ -187,6 +187,11 @@ APPSPAWN_INLINE int IsNWebSpawnMode(const AppSpawnMgr *content)
         (content->content.mode == MODE_FOR_NWEB_SPAWN || content->content.mode == MODE_FOR_NWEB_COLD_RUN);
 }
 
+APPSPAWN_INLINE int IsNativeSpawnMode(const AppSpawnMgr *content)
+{
+    return (content != NULL) && (content->content.mode == MODE_FOR_NATIVE_SPAWN);
+}
+
 APPSPAWN_INLINE int IsColdRunMode(const AppSpawnMgr *content)
 {
     return (content != NULL) &&

standard/appspawn_service.c

@@ -117,6 +117,16 @@ static void StopAppSpawn(void)
         OH_ListInit(&appInfo->node);
         free(appInfo);
     }
+    // delete nativespawn, and wait exit. Otherwise, the process of nativespawn spawning will become zombie
+    appInfo = GetSpawnedProcessByName(NATIVESPAWN_SERVER_NAME);
+    if (appInfo != NULL) {
+        APPSPAWN_LOGI("kill %{public}s pid: %{public}d", appInfo->name, appInfo->pid);
+        int exitStatus = 0;
+        KillAndWaitStatus(appInfo->pid, SIGTERM, &exitStatus);
+        OH_ListRemove(&appInfo->node);
+        OH_ListInit(&appInfo->node);
+        free(appInfo);
+    }
     TraversalSpawnedProcess(AppQueueDestroyProc, NULL);
     APPSPAWN_LOGI("StopAppSpawn ");
 #ifdef APPSPAWN_HISYSEVENT
@@ -962,25 +972,54 @@ AppSpawnContent *AppSpawnCreateContent(const char *socketName, char *longProcNam
     return &appSpawnContent->content;
 }
 
-#ifndef CJAPP_SPAWN
+APPSPAWN_STATIC void AppSpawnArgSet(RunMode mode, AppSpawnStartArg *arg)
+{
+    if (mode == MODE_FOR_NWEB_SPAWN) {
+        arg->socketName = NWEBSPAWN_SOCKET_NAME;
+        arg->serviceName = NWEBSPAWN_SERVER_NAME;
+        arg->moduleType = MODULE_NWEBSPAWN;
+        arg->mode = MODE_FOR_NWEB_SPAWN;
+        arg->initArg = 1;
+    } else if (mode == MODE_FOR_NATIVE_SPAWN) {
+        arg->socketName = NATIVESPAWN_SOCKET_NAME;
+        arg->serviceName = NATIVESPAWN_SERVER_NAME;
+        arg->moduleType = MODULE_APPSPAWN;
+        arg->mode = MODE_FOR_NATIVE_SPAWN;
+        arg->initArg = 1;
+    }
+
+    return;
+}
+
+APPSPAWN_STATIC void AppSpawnStartServiceEnd(pid_t nwebSpawnPid, pid_t NativeSpawnPid)
+{
+    AddSpawnedProcess(nwebSpawnPid, NWEBSPAWN_SERVER_NAME);
+    AddSpawnedProcess(NativeSpawnPid, NATIVESPAWN_SERVER_NAME);
+    SetParameter("bootevent.appspawn.started", "true");
+}
+
 AppSpawnContent *StartSpawnService(const AppSpawnStartArg *startArg, uint32_t argvSize, int argc, char *const argv[])
 {
     APPSPAWN_CHECK(startArg != NULL && argv != NULL, return NULL, "Invalid start arg");
     pid_t pid = 0;
+    pid_t NativeSpawnPid  = 0;
     AppSpawnStartArg *arg = (AppSpawnStartArg *)startArg;
     APPSPAWN_LOGV("Start appspawn argvSize %{public}d mode %{public}d service %{public}s",
         argvSize, arg->mode, arg->serviceName);
     if (arg->mode == MODE_FOR_APP_SPAWN) {
         pid = NWebSpawnLaunch();
         if (pid == 0) {
-            arg->socketName = NWEBSPAWN_SOCKET_NAME;
+            AppSpawnArgSet(MODE_FOR_NWEB_SPAWN, arg);
-            arg->serviceName = NWEBSPAWN_SERVER_NAME;
+        } else {
-            arg->moduleType = MODULE_NWEBSPAWN;
+            NativeSpawnPid = NativeSpawnLaunch();
-            arg->mode = MODE_FOR_NWEB_SPAWN;
+            if (NativeSpawnPid  == 0) {
-            arg->initArg = 1;
+                AppSpawnArgSet(MODE_FOR_NATIVE_SPAWN, arg);
+            }
         }
     } else if (arg->mode == MODE_FOR_NWEB_SPAWN && getuid() == 0) {
         NWebSpawnInit();
+    } else if (arg->mode == MODE_FOR_NATIVE_SPAWN && getuid() == 0) {
+        NativeSpawnInit();
     }
     if (arg->initArg) {
         int ret = memset_s(argv[0], argvSize, 0, (size_t)argvSize);
@@ -1007,12 +1046,10 @@ AppSpawnContent *StartSpawnService(const AppSpawnStartArg *startArg, uint32_t ar
 #endif
     AddAppSpawnHook(STAGE_CHILD_PRE_RUN, HOOK_PRIO_LOWEST, AppSpawnClearEnv);
     if (arg->mode == MODE_FOR_APP_SPAWN) {
-        AddSpawnedProcess(pid, NWEBSPAWN_SERVER_NAME);
+        AppSpawnStartServiceEnd(pid, NativeSpawnPid);
-        SetParameter("bootevent.appspawn.started", "true");
     }
     return content;
 }
-#endif
 
 static AppSpawnMsgNode *ProcessSpawnBegetctlMsg(AppSpawnConnection *connection, AppSpawnMsgNode *message)
 {
@@ -1211,41 +1248,4 @@ static void ProcessRecvMsg(AppSpawnConnection *connection, AppSpawnMsgNode *mess
             DeleteAppSpawnMsg(message);
             break;
     }
-}
+}
-
-// To support cjappspawn
-#ifdef CJAPP_SPAWN
-AppSpawnContent *StartCJSpawnService(const AppSpawnStartArg *startArg, uint32_t argvSize, int argc, char *const argv[])
-{
-    APPSPAWN_LOGI("Start CJ Spawn Service ...");
-    APPSPAWN_CHECK(startArg != NULL && argv != NULL, return NULL, "Invalid start arg");
-    AppSpawnStartArg *arg = (AppSpawnStartArg *)startArg;
-    APPSPAWN_LOGV("Start appspawn argvSize %{public}d mode %{public}d service %{public}s",
-                  argvSize, arg->mode, arg->serviceName);
-    if (arg->initArg) {
-        int ret = memset_s(argv[0], argvSize, 0, (size_t)argvSize);
-        APPSPAWN_CHECK(ret == EOK, return NULL, "Failed to memset argv[0]");
-        ret = strncpy_s(argv[0], argvSize, arg->serviceName, strlen(arg->serviceName));
-        APPSPAWN_CHECK(ret == EOK, return NULL, "Failed to copy service name %{public}s", arg->serviceName);
-    }
-
-    // load module appspawn/common
-    AppSpawnLoadAutoRunModules(MODULE_COMMON);
-    AppSpawnModuleMgrInstall(ASAN_MODULE_PATH);
-
-    APPSPAWN_CHECK(LE_GetDefaultLoop() != NULL, return NULL, "Invalid default loop");
-    AppSpawnContent *content = AppSpawnCreateContent(arg->socketName, argv[0], argvSize, arg->mode);
-    APPSPAWN_CHECK(content != NULL, return NULL, "Failed to create content for %{public}s", arg->socketName);
-
-    AppSpawnLoadAutoRunModules(arg->moduleType);  // load corresponding plugin according to startup mode
-    int ret = ServerStageHookExecute(STAGE_SERVER_PRELOAD, content);   // Preload, prase the sandbox
-    APPSPAWN_CHECK(ret == 0, AppSpawnDestroyContent(content);
-    return NULL, "Failed to prepare load %{public}s result: %{public}d", arg->serviceName, ret);
-#ifndef APPSPAWN_TEST
-    APPSPAWN_CHECK(content->runChildProcessor != NULL, AppSpawnDestroyContent(content);
-    return NULL, "No child processor %{public}s result: %{public}d", arg->serviceName, ret);
-#endif
-    AddAppSpawnHook(STAGE_CHILD_PRE_RUN, HOOK_PRIO_LOWEST, AppSpawnClearEnv);
-    return content;
-}
-#endif

standard/appspawn_service.h

@@ -64,8 +64,15 @@ typedef struct TagAppSpawnStartArg {
     uint32_t initArg : 1;
 } AppSpawnStartArg;
 
+typedef struct {
+    char *serverName;
+    AppSpawnStartArg arg;
+} AppSpawnStartArgTemplate;
+
 pid_t NWebSpawnLaunch(void);
 void NWebSpawnInit(void);
+pid_t NativeSpawnLaunch(void);
+void NativeSpawnInit(void);
 AppSpawnContent *StartSpawnService(const AppSpawnStartArg *arg, uint32_t argvSize, int argc, char *const argv[]);
 #ifdef CJAPP_SPAWN
 AppSpawnContent *StartCJSpawnService(const AppSpawnStartArg *arg, uint32_t argvSize, int argc, char *const argv[]);

standard/nwebspawn_launcher.c

@@ -41,6 +41,9 @@
 #define NWEB_UID 3081
 #define NWEB_GID 3081
 #define NWEB_NAME "nwebspawn"
+#define NATIVE_UID 3082
+#define NATIVE_GID 3082
+#define NATIVE_NAME "nativespawn"
 #define CAP_NUM 2
 #define BITLEN32 32
 
@@ -93,3 +96,27 @@ pid_t NWebSpawnLaunch(void)
     APPSPAWN_LOGI("nwebspawn fork success pid: %{public}d", ret);
     return ret;
 }
+
+void NativeSpawnInit(void)
+{
+    APPSPAWN_LOGI("NativeSpawnInit");
+#ifdef WITH_SELINUX
+    int ret = setcon("u:r:nativespawn:s0");
+    APPSPAWN_CHECK_ONLY_LOG(ret == 0, "Setcon failed, errno: %{public}d", errno);
+#endif
+    pid_t pid = getpid();
+    setpriority(PRIO_PROCESS, pid, 0);
+#ifndef APPSPAWN_TEST
+    (void)prctl(PR_SET_NAME, NATIVE_NAME);
+#endif
+}
+
+pid_t NativeSpawnLaunch(void)
+{
+    pid_t pid = fork();
+    if (pid == 0) {
+        NativeSpawnInit();
+    }
+    APPSPAWN_LOGI("Nativespawn fork success pid: %{public}d", pid);
+    return pid;
+}

test/moduletest/appspawn_client_test.cpp

@@ -16,6 +16,7 @@
 #include "appspawn.h"
 #include "appspawn_utils.h"
 #include "securec.h"
+#include "appspawn_server.h"
 
 #include <gtest/gtest.h>
 
@@ -32,7 +33,7 @@ public:
     void TearDown() {}
 };
 
-static AppSpawnReqMsgHandle CreateMsg(AppSpawnClientHandle handle, const char *bundleName)
+static AppSpawnReqMsgHandle CreateMsg(AppSpawnClientHandle handle, const char *bundleName, RunMode mode)
 {
     AppSpawnReqMsgHandle reqHandle = 0;
     int ret = AppSpawnReqMsgCreate(MSG_APP_SPAWN, bundleName, &reqHandle);
@@ -52,6 +53,14 @@ static AppSpawnReqMsgHandle CreateMsg(AppSpawnClientHandle handle, const char *b
         APPSPAWN_CHECK(ret == 0, break, "Failed to add dac %{public}s", APPSPAWN_SERVER_NAME);
 
         AppSpawnReqMsgSetAppFlag(reqHandle, static_cast<AppFlagsIndex>(10));  // 10 test
+        if (mode == MODE_FOR_NATIVE_SPAWN) {
+            AppSpawnReqMsgSetAppFlag(reqHandle, static_cast<AppFlagsIndex>(23)); // 23 APP_FLAGS_ISOLATED_SANDBOX_TYPE
+            AppSpawnReqMsgSetAppFlag(reqHandle, static_cast<AppFlagsIndex>(26)); // 26 APP_FLAGS_ISOLATED_NETWORK
+        }
+
+        const char *apl = "normal";
+        ret = AppSpawnReqMsgSetAppDomainInfo(reqHandle, 1, apl);
+        APPSPAWN_CHECK(ret == 0, break, "Failed to add domain %{public}s", APPSPAWN_SERVER_NAME);
 
         ret = AppSpawnReqMsgSetAppAccessToken(reqHandle, 12345678);  // 12345678
         APPSPAWN_CHECK(ret == 0, break, "Failed to add access token %{public}s", APPSPAWN_SERVER_NAME);
@@ -85,7 +94,7 @@ HWTEST_F(AppSpawnClientTest, AppSpawn_Client_test001, TestSize.Level0)
 {
     AppSpawnClientHandle clientHandle = CreateClient(APPSPAWN_SERVER_NAME);
     ASSERT_EQ(clientHandle != NULL, 1);
-    AppSpawnReqMsgHandle reqHandle = CreateMsg(clientHandle, "ohos.samples.clock");
+    AppSpawnReqMsgHandle reqHandle = CreateMsg(clientHandle, "ohos.samples.clock", MODE_FOR_APP_SPAWN);
     ASSERT_EQ(reqHandle != INVALID_REQ_HANDLE, 1);
 
     AppSpawnResult result = {};
@@ -95,5 +104,21 @@ HWTEST_F(AppSpawnClientTest, AppSpawn_Client_test001, TestSize.Level0)
     }
     AppSpawnClientDestroy(clientHandle);
 }
+
+HWTEST_F(AppSpawnClientTest, AppSpawn_Client_test002, TestSize.Level0)
+{
+    AppSpawnClientHandle clientHandle = CreateClient(NATIVESPAWN_SERVER_NAME);
+    ASSERT_EQ(clientHandle != NULL, 1);
+    AppSpawnReqMsgHandle reqHandle = CreateMsg(clientHandle, "ohos.samples.clock", MODE_FOR_NATIVE_SPAWN);
+    ASSERT_EQ(reqHandle != INVALID_REQ_HANDLE, 1);
+
+    AppSpawnResult result = {};
+    int ret = AppSpawnClientSendMsg(clientHandle, reqHandle, &result);
+    if (ret == 0 && result.pid > 0) {
+        kill(result.pid, SIGKILL);
+    }
+    AppSpawnClientDestroy(clientHandle);
+}
+
 }  // namespace AppSpawn
 }  // namespace OHOS

test/moduletest/appspawn_test_cmder.cpp

@@ -88,7 +88,8 @@ static const char *APPSPAWN_TEST_USAGE = "usage: AppSpawnTest <options> \n"
     "  --thread xx              use multi-thread to send message\n"
     "  --type xx                send msg type \n"
     "  --pid xx                 render terminate pid\n"
-    "  --mode nwebspawn         send message to nwebspawn service\n";
+    "  --mode nwebspawn         send message to nwebspawn service\n"
+    "  --mode nativespawn       send message to nativespawn service\n";
 
 int AppSpawnTestCommander::ProcessArgs(int argc, char *const argv[])
 {
@@ -111,7 +112,13 @@ int AppSpawnTestCommander::ProcessArgs(int argc, char *const argv[])
             sendMsg = 1;
         } else if (strcmp(argv[i], "--mode") == 0 && ((i + 1) < argc)) {
             i++;
-            appSpawn_ = strcmp(argv[i], "nwebspawn") == 0 ? 0 : 1;
+            if (strcmp(argv[i], "nwebspawn") == 0) {
+                appSpawn_ = 0;
+            } else if (strcmp(argv[i], "nativespawn") == 0) {
+                appSpawn_ = 2;
+            } else {
+                appSpawn_ = 1;
+            }
             sendMsg = 1;
         } else if (strcmp(argv[i], "--type") == 0 && ((i + 1) < argc)) {
             i++;
@@ -380,7 +387,8 @@ int AppSpawnTestCommander::CreateMsg(AppSpawnReqMsgHandle &reqHandle,
 
 int AppSpawnTestCommander::SendMsg()
 {
-    const char *server = appSpawn_ ? APPSPAWN_SERVER_NAME : NWEBSPAWN_SERVER_NAME;
+    const char *server = appSpawn_ == 1 ? APPSPAWN_SERVER_NAME : (appSpawn_ == 2 ? NATIVESPAWN_SERVER_NAME :
+        NWEBSPAWN_SERVER_NAME);
     printf("Send msg to server '%s' \n", server);
     AppSpawnReqMsgHandle reqHandle = INVALID_REQ_HANDLE;
     int ret = 0;
@@ -547,7 +555,8 @@ void AppSpawnTestCommander::DumpThread(ThreadTaskHandle handle, const ThreadCont
 int AppSpawnTestCommander::Run()
 {
     int ret = 0;
-    const char *name = appSpawn_ ? APPSPAWN_SERVER_NAME : NWEBSPAWN_SERVER_NAME;
+    const char *name = appSpawn_ == 1 ? APPSPAWN_SERVER_NAME : (appSpawn_ == 2 ? NATIVESPAWN_SERVER_NAME :
+        NWEBSPAWN_SERVER_NAME);
     if (clientHandle_ == NULL) {
         ret = AppSpawnClientInit(name, &clientHandle_);
         APPSPAWN_CHECK(ret == 0, return -1, "Failed to create client %{public}s", name);

test/moduletest/appspawn_test_cmder.h

@@ -101,7 +101,7 @@ private:
     int ptyFd_{-1};
     uint32_t dumpFlags : 1;
     uint32_t exit_ : 1;
-    uint32_t appSpawn_ : 1;
+    uint32_t appSpawn_ : 2;
     uint32_t msgType_;
     pid_t terminatePid_;
     uint32_t threadCount_{1};

test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp

@@ -197,7 +197,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_10, TestSize.Level0)
     }";
     nlohmann::json j_config = nlohmann::json::parse(mJsconfig.c_str());
 
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
     GTEST_LOG_(INFO) << "SetAppSandboxProperty start" << std::endl;
     g_testHelper.SetTestUid(1000);  // 1000 test
     g_testHelper.SetTestGid(1000);  // 1000 test
@@ -238,7 +238,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_13, TestSize.Level0)
     }";
     nlohmann::json j_config = nlohmann::json::parse(mJsconfig.c_str());
 
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
 
     GTEST_LOG_(INFO) << "SetAppSandboxProperty start" << std::endl;
     g_testHelper.SetTestUid(1000);  // 1000 test
@@ -278,7 +278,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_14, TestSize.Level0)
     }";
     nlohmann::json j_config = nlohmann::json::parse(mJsconfig.c_str());
 
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
 
     GTEST_LOG_(INFO) << "SetAppSandboxProperty start" << std::endl;
 
@@ -322,7 +322,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_15, TestSize.Level0)
     }";
     nlohmann::json j_config = nlohmann::json::parse(mJsconfig.c_str());
 
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
 
     GTEST_LOG_(INFO) << "SetAppSandboxProperty start" << std::endl;
     g_testHelper.SetTestUid(1000);  // 1000 test
@@ -357,7 +357,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_16, TestSize.Level0)
     }";
     nlohmann::json j_config = nlohmann::json::parse(mJsconfig.c_str());
 
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
 
     GTEST_LOG_(INFO) << "SetAppSandboxProperty start" << std::endl;
     g_testHelper.SetTestUid(1000);  // 1000 test
@@ -390,7 +390,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_17, TestSize.Level0)
         \"individual\": [] \
     }";
     nlohmann::json j_config = nlohmann::json::parse(mJsconfig.c_str());
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
 
     std::string value;
     rc = JsonUtils::GetStringFromJson(j_config, "common", value);
@@ -439,7 +439,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_20, TestSize.Level0)
         \"individual\": [] \
     }";
     nlohmann::json j_config = nlohmann::json::parse(mJsconfig.c_str());
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
 
     g_testHelper.SetTestUid(1000);  // 1000 test
     g_testHelper.SetTestGid(1000);  // 1000 test
@@ -464,7 +464,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_20, TestSize.Level0)
         }] \
     }";
     nlohmann::json j_config1 = nlohmann::json::parse(mJsconfig1.c_str());
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config1);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config1, SANBOX_APP_JSON_CONFIG);
     OHOS::AppSpawn::SandboxUtils::SetAppSandboxProperty(appProperty);
     DeleteAppSpawningCtx(appProperty);
 }
@@ -485,7 +485,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_22, TestSize.Level0)
         \"individual\": [] \
     }";
     nlohmann::json j_config1 = nlohmann::json::parse(mJsconfig1.c_str());
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config1);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config1, SANBOX_APP_JSON_CONFIG);
 
     g_testHelper.SetTestUid(1000);  // 1000 test
     g_testHelper.SetTestGid(1000);  // 1000 test
@@ -1108,7 +1108,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_38, TestSize.Level0)
     }";
 
     nlohmann::json p_config1 = nlohmann::json::parse(pJsconfig1.c_str());
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(p_config1);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(p_config1, SANBOX_APP_JSON_CONFIG);
 
     std::string sandboxPackagePath = "/mnt/sandbox/100/";
     const std::string bundleName = GetBundleName(appProperty);
@@ -1206,7 +1206,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_41, TestSize.Level0)
     }";
     nlohmann::json j_config = nlohmann::json::parse(mJsconfig.c_str());
 
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
 
     uint32_t cloneFlags = OHOS::AppSpawn::SandboxUtils::GetSandboxNsFlags(false);
     EXPECT_EQ(!!(cloneFlags & CLONE_NEWPID), true);
@@ -1240,7 +1240,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_42, TestSize.Level0)
     nlohmann::json j_config = nlohmann::json::parse(mJsconfig.c_str());
     const char *mountPath = "mount-paths";
     nlohmann::json j_secondConfig = j_config[mountPath][0];
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
 
     std::string fsType = OHOS::AppSpawn::SandboxUtils::GetSandboxFsType(j_secondConfig);
     int ret = strcmp(fsType.c_str(), "sharefs");
@@ -1273,7 +1273,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_43, TestSize.Level0)
     const char *mountPath = "mount-paths";
     nlohmann::json j_secondConfig = j_config[mountPath][0];
 
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
     OHOS::AppSpawn::SandboxUtils::SandboxMountConfig mountConfig;
     std::string section = "common";
     AppSpawningCtx *appProperty = GetTestAppProperty();
@@ -1307,7 +1307,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_44, TestSize.Level0)
     const char *mountPath = "mount-paths";
     nlohmann::json j_secondConfig = j_config[mountPath][0];
 
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
     OHOS::AppSpawn::SandboxUtils::SandboxMountConfig mountConfig;
     std::string section = "permission";
     AppSpawningCtx *appProperty = GetTestAppProperty();
@@ -1341,7 +1341,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_45, TestSize.Level0)
     const char *mountPath = "mount-paths";
     nlohmann::json j_secondConfig = j_config[mountPath][0];
 
-    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config);
+    OHOS::AppSpawn::SandboxUtils::StoreJsonConfig(j_config, SANBOX_APP_JSON_CONFIG);
     AppSpawningCtx *appProperty = GetTestAppProperty();
     std::string options = OHOS::AppSpawn::SandboxUtils::GetSandboxOptions(appProperty, j_secondConfig);
     int ret = strcmp(options.c_str(), "support_overwrite=1,user_id=100");

test/unittest/app_spawn_standard_test/app_spawn_sandboxmgr_test.cpp

@@ -88,15 +88,15 @@ HWTEST_F(AppSpawnSandboxMgrTest, App_Spawn_AppSpawnSandboxCfg_002, TestSize.Leve
     OH_ListAddTail(&sandbox->extData.node, &mgr->extData);
 
     // for appspawn
-    int ret = LoadAppSandboxConfig(sandbox, 0);
+    int ret = LoadAppSandboxConfig(sandbox, MODE_FOR_APP_SPAWN);
     EXPECT_EQ(ret, 0);
-    ret = LoadAppSandboxConfig(sandbox, 0);  // 重复load
+    ret = LoadAppSandboxConfig(sandbox, MODE_FOR_APP_SPAWN);  // 重复load
     EXPECT_EQ(ret, 0);
 
     DeleteAppSpawnSandbox(sandbox);
     DeleteAppSpawnMgr(mgr);
 
-    ret = LoadAppSandboxConfig(nullptr, 0);
+    ret = LoadAppSandboxConfig(nullptr, MODE_FOR_APP_SPAWN);
     EXPECT_NE(ret, 0);
 }
 
@@ -111,23 +111,23 @@ HWTEST_F(AppSpawnSandboxMgrTest, App_Spawn_AppSpawnSandboxCfg_003, TestSize.Leve
     int ret = 0;
 #ifdef APPSPAWN_SANDBOX_NEW
     // for nwebspawn
-    ret = LoadAppSandboxConfig(sandbox, 1);
+    ret = LoadAppSandboxConfig(sandbox, MODE_FOR_NWEB_SPAWN);
     EXPECT_EQ(ret, 0);
-    ret = LoadAppSandboxConfig(sandbox, 1);  // 重复load
+    ret = LoadAppSandboxConfig(sandbox, MODE_FOR_NWEB_SPAWN);  // 重复load
     EXPECT_EQ(ret, 0);
-    ret = LoadAppSandboxConfig(sandbox, 2);  // 重复load
+    ret = LoadAppSandboxConfig(sandbox, MODE_FOR_NWEB_SPAWN);  // 重复load
     EXPECT_EQ(ret, 0);
 #else
     // for nwebspawn
-    ret = LoadAppSandboxConfig(sandbox, 0);
+    ret = LoadAppSandboxConfig(sandbox, MODE_FOR_NWEB_SPAWN);
     EXPECT_EQ(ret, 0);
-    ret = LoadAppSandboxConfig(sandbox, 0);  // 重复load
+    ret = LoadAppSandboxConfig(sandbox, MODE_FOR_NWEB_SPAWN);  // 重复load
     EXPECT_EQ(ret, 0);
 #endif
     DeleteAppSpawnSandbox(sandbox);
     DeleteAppSpawnMgr(mgr);
 
-    ret = LoadAppSandboxConfig(nullptr, 1);
+    ret = LoadAppSandboxConfig(nullptr, MODE_FOR_NWEB_SPAWN);
     EXPECT_NE(ret, 0);
 }