diff --git a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
index 3caf16ea4c2f1e5da6dfbec24a9e9f395990a357..584328851137d972f020ed3af7cfcc38f29cd2e6 100644
--- a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
+++ b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
@@ -997,23 +997,33 @@ int32_t PolicyInfoManager::CheckPolicyValidity(const PolicyInfo &policy)
 }
 
 const std::unordered_set g_blockPathList = {
- "/storage/User/currentUser/appdata",
- "/storage/User/currentUser/appdata/el1",
- "/storage/User/currentUser/appdata/el2",
- "/storage/User/currentUser/appdata/el3",
- "/storage/User/currentUser/appdata/el4",
- "/storage/User/currentUser/appdata/el5",
- "/storage/User/currentUser/appdata/el1/base",
- "/storage/User/currentUser/appdata/el2/base",
- "/storage/User/currentUser/appdata/el3/base",
- "/storage/User/currentUser/appdata/el4/base",
- "/storage/User/currentUser/appdata/el5/base",
+ "/storage/Users/currentUser/appdata",
+ "/storage/Users/currentUser/appdata/el1",
+ "/storage/Users/currentUser/appdata/el2",
+ "/storage/Users/currentUser/appdata/el3",
+ "/storage/Users/currentUser/appdata/el4",
+ "/storage/Users/currentUser/appdata/el5",
+ "/storage/Users/currentUser/appdata/el1/base",
+ "/storage/Users/currentUser/appdata/el2/base",
+ "/storage/Users/currentUser/appdata/el3/base",
+ "/storage/Users/currentUser/appdata/el4/base",
+ "/storage/Users/currentUser/appdata/el5/base",
 };
 
 int32_t PolicyInfoManager::CheckPathIsBlocked(const std::string &path)
 {
- if (g_blockPathList.count(path) != 0) {
- SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy path is in blocklist");
+ uint32_t length = path.length();
+ const char* cStr = path.c_str();
+ uint32_t cStrLength = strlen(cStr);
+ if (length != cStrLength) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "path have a terminator: %{public}s, pathLen:%{public}u, cstrLen:%{public}u",
+ path.c_str(), length, cStrLength);
+ return SandboxRetType::INVALID_PATH;
+ }
+
+ std::string pathTmp = AdjustPath(path);
+ if (g_blockPathList.count(pathTmp) != 0) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "path not allowed to set policy: %{public}s", path.c_str());
 return SandboxRetType::INVALID_PATH;
 }
 return SANDBOX_MANAGER_OK;
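Review bot: The blocklist test in CheckPathIsBlocked is still an exact string match on `AdjustPath(path)`, so whether other equivalent spellings of a blocked directory (repeated separators, `.` or `..` segments) are rejected depends entirely on AdjustPath, which is not visible in this hunk; the tests in this commit only cover a trailing slash and an embedded NUL. If AdjustPath does not canonicalise those forms, the path should be normalised before the `g_blockPathList.count(pathTmp)` lookup, with test cases added for them. The new NUL check can be written as `if (path.find('\0') != std::string::npos) {`, which avoids narrowing `size_t` to `uint32_t` and the extra `strlen` pass. The rejected caller-supplied path is logged with `%{public}s`; `%{private}s` would keep it out of unmasked logs. The function's closing brace lies outside the hunk.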
diff --git a/services/sandbox_manager/test/unittest/policy_info_manager_test.cpp b/services/sandbox_manager/test/unittest/policy_info_manager_test.cpp
index cd8ea768f4bf9c4b1895e2bb884b242411e60304..ed8acddb29dad6abf289e85e742164bd2531f156 100644
--- a/services/sandbox_manager/test/unittest/policy_info_manager_test.cpp
+++ b/services/sandbox_manager/test/unittest/policy_info_manager_test.cpp
@@ -167,7 +167,7 @@ HWTEST_F(PolicyInfoManagerTest, PolicyInfoManagerTest003, TestSize.Level0)
 std::vector policy;
 policy.emplace_back(info);
 
- info.path = "/storage/User/currentUser/appdata/el2";
+ info.path = "/storage/Users/currentUser/appdata/el2";
 info.mode = OperateMode::READ_MODE + OperateMode::WRITE_MODE;
 policy[0] = info;
 std::vector setResult;
@@ -175,19 +175,29 @@ HWTEST_F(PolicyInfoManagerTest, PolicyInfoManagerTest003, TestSize.Level0)
 ASSERT_EQ(1, setResult.size());
 EXPECT_EQ(SandboxRetType::INVALID_PATH, setResult[0]);
 
- info.path = "/storage/User/currentUser/appdata/el3/base";
+ info.path = "/storage/Users/currentUser/appdata/el3/base";
 info.mode = OperateMode::READ_MODE + OperateMode::WRITE_MODE;
 policy[0] = info;
 EXPECT_EQ(SANDBOX_MANAGER_OK, PolicyInfoManager::GetInstance().SetPolicy(selfTokenId_, policy, 1, setResult));
 ASSERT_EQ(1, setResult.size());
 EXPECT_EQ(SandboxRetType::INVALID_PATH, setResult[0]);
 
- info.path = "/storage/User/currentUser/appdata/el6";
+ info.path = "/storage/Users/currentUser/appdata/el6";
 info.mode = OperateMode::READ_MODE + OperateMode::WRITE_MODE;
 policy[0] = info;
 EXPECT_EQ(SANDBOX_MANAGER_OK, PolicyInfoManager::GetInstance().SetPolicy(selfTokenId_, policy, 1, setResult));
 ASSERT_EQ(1, setResult.size());
 EXPECT_EQ(SandboxRetType::OPERATE_SUCCESSFULLY, setResult[0]);
+
+ info.path = "/storage/Users/currentUser/appdata/el3";
+ size_t insert_pos = info.path.length();
+ info.path.insert(insert_pos, 1, '\0');
+ info.path += "/test";
+ info.mode = OperateMode::READ_MODE + OperateMode::WRITE_MODE;
+ policy[0] = info;
+ EXPECT_EQ(SANDBOX_MANAGER_OK, PolicyInfoManager::GetInstance().SetPolicy(selfTokenId_, policy, 1, setResult));
+ ASSERT_EQ(1, setResult.size());
+ EXPECT_EQ(SandboxRetType::INVALID_PATH, setResult[0]);
 }
 #endif
 
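Review bot: The embedded-NUL case added at the end of PolicyInfoManagerTest003 puts the `'\0'` after a blocked directory (`.../appdata/el3`), so INVALID_PATH would also come back from an implementation that merely truncated at the NUL and then matched the blocklist; the test does not pin that the NUL itself is what gets rejected. Repeating the case with a prefix that is otherwise accepted, e.g. `info.path = "/storage/Users/currentUser/appdata/el6";` followed by the same insert and `+= "/test"`, would pin that behaviour. A short comment such as `// embedded NUL must be rejected regardless of the prefix` would document the intent, and `info.path.push_back('\0');` can replace the `insert_pos`/`insert` pair. The test body starts outside the hunk.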
@@ -295,13 +305,14 @@ HWTEST_F(PolicyInfoManagerTest, PolicyInfoManagerTest007, TestSize.Level1)
 */
 HWTEST_F(PolicyInfoManagerTest, PolicyInfoManagerTest008, TestSize.Level1)
 {
- std::string path1 = "/storage/User/currentUser/appdata";
- std::string path2 = "/storage/User/currentUser/appdata/el1";
- std::string path3 = "/storage/User/currentUser/appdata/el2/base";
- std::string path4 = "/storage/User/currentUser/appdata/test";
- std::string path5 = "/storage/User/currentUser/appdata/el1/test";
- std::string path6 = "/storage/User/currentUser/appdata/el2/base/test";
- std::string path7 = "/storage/User/currentUser/appdata/el6";
+ std::string path1 = "/storage/Users/currentUser/appdata";
+ std::string path2 = "/storage/Users/currentUser/appdata/el1";
+ std::string path3 = "/storage/Users/currentUser/appdata/el2/base";
+ std::string path4 = "/storage/Users/currentUser/appdata/test";
+ std::string path5 = "/storage/Users/currentUser/appdata/el1/test";
+ std::string path6 = "/storage/Users/currentUser/appdata/el2/base/test";
+ std::string path7 = "/storage/Users/currentUser/appdata/el6";
+ std::string path8 = "/storage/Users/currentUser/appdata/el5/";
 
 EXPECT_EQ(SandboxRetType::INVALID_PATH, PolicyInfoManager::GetInstance().CheckPathIsBlocked(path1));
 EXPECT_EQ(SandboxRetType::INVALID_PATH, PolicyInfoManager::GetInstance().CheckPathIsBlocked(path2));
@@ -310,6 +321,7 @@ HWTEST_F(PolicyInfoManagerTest, PolicyInfoManagerTest008, TestSize.Level1)
 EXPECT_EQ(SANDBOX_MANAGER_OK, PolicyInfoManager::GetInstance().CheckPathIsBlocked(path5));
 EXPECT_EQ(SANDBOX_MANAGER_OK, PolicyInfoManager::GetInstance().CheckPathIsBlocked(path6));
 EXPECT_EQ(SANDBOX_MANAGER_OK, PolicyInfoManager::GetInstance().CheckPathIsBlocked(path7));
+ EXPECT_EQ(SandboxRetType::INVALID_PATH, PolicyInfoManager::GetInstance().CheckPathIsBlocked(path8));
 }
 
 /**