From e106174c978a6211195441accd9871a1c2095cb0 Mon Sep 17 00:00:00 2001
From: ligongshao
Date: Sun, 8 Jun 2025 02:12:15 +0800
Subject: [PATCH] support deny read and write
Signed-off-by: ligongshao
---
 .../unittest/src/sandbox_manager_kit_test.cpp | 79 +++++++++++++++++++
 .../sandbox_manager/ISandboxManager.idl | 2 +-
 .../sandbox_manager/include/policy_info.h | 4 +-
 3 files changed, 83 insertions(+), 2 deletions(-)
diff --git a/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp b/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp
index e806436..3810d49 100644
--- a/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp
+++ b/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp
@@ -16,6 +16,7 @@
 #include "sandbox_manager_kit_test.h"
 #include
+#include
 #include
 #include
 #include
@@ -3472,6 +3473,84 @@ HWTEST_F(SandboxManagerKitTest, CheckSandboxPolicyPermissionsTest001, TestSize.L
 }
 #endif
+#ifdef DEC_ENABLED
+/**
+ * @tc.name: PhysicalPathDenyTest001
+ * @tc.desc: test deny physical path
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, PhysicalPathDenyTest001, TestSize.Level1)
+{
+ std::vector policy;
+ uint64_t policyFlag = 1;
+ std::vector policyResult;
+ PolicyInfo info1 = {
+ .path = "/data/service/el1/100/",
+ .mode = OperateMode::DENY_READ_MODE
+ };
+ const uint32_t tokenId = g_mockToken;
+ policy.emplace_back(info1);
+
+ const char *DISTRIBUTE_PATH = "/data/service/el1/100/distributeddata";
+ DIR *dir = opendir(DISTRIBUTE_PATH);
+ ASSERT_NE(dir, nullptr);
+ closedir(dir);
+
+ ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, policyResult));
+ ASSERT_EQ(1, policyResult.size());
+ EXPECT_EQ(OPERATE_SUCCESSFULLY, policyResult[0]);
+
+ dir = opendir(DISTRIBUTE_PATH);
+ ASSERT_EQ(dir, nullptr);
+
+ EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(tokenId, info1));
+ dir = opendir(DISTRIBUTE_PATH);
+ ASSERT_NE(dir, nullptr);
+ closedir(dir);
+
+ ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, policyResult));
+ dir = opendir(DISTRIBUTE_PATH);
+ ASSERT_EQ(dir, nullptr);
+
+ ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetAllPolicyByToken(g_mockToken));
+ dir = opendir(DISTRIBUTE_PATH);
+ ASSERT_NE(dir, nullptr);
+ closedir(dir);
+}
+
+/**
+ * @tc.name: PhysicalPathDenyTest002
+ * @tc.desc: test deny physical path with invalid mode
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, PhysicalPathDenyTest002, TestSize.Level1)
+{
+ std::vector policy;
+ uint64_t policyFlag = 1;
+ std::vector policyResult;
+ PolicyInfo info1 = {
+ .path = "/data/service/el1/100/",
+ .mode = OperateMode::MAX_MODE
+ };
+
+ PolicyInfo info2 = {
+ .path = "/data/service/el1/100/",
+ .mode = 0
+ };
+ const uint32_t tokenId = g_mockToken;
+ policy.emplace_back(info1);
+ policy.emplace_back(info2);
+
+ ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, policyResult));
+ ASSERT_EQ(2, policyResult.size());
+ EXPECT_EQ(INVALID_MODE, policyResult[0]);
+ EXPECT_EQ(INVALID_MODE, policyResult[1]);
+}
+
+#endif
+
 #endif
 } // SandboxManager
 } // AccessControl
diff --git a/frameworks/sandbox_manager/ISandboxManager.idl b/frameworks/sandbox_manager/ISandboxManager.idl
index 9a947c9..684b185 100644
--- a/frameworks/sandbox_manager/ISandboxManager.idl
+++ b/frameworks/sandbox_manager/ISandboxManager.idl
@@ -31,7 +31,7 @@ interface OHOS.AccessControl.SandboxManager.ISandboxManager {
 [ipccode 0xffb8] void StopAccessingPolicy([in] PolicyVecRawData policyRawData, [out] Uint32VecRawData resultRawData);
 [ipccode 0xffb9] void CheckPersistPolicy([in] unsigned int tokenId, [in] PolicyVecRawData policyRawData, [out] BoolVecRawData resultRawData);
 [ipccode 0xffba, oneway] void StartAccessingByTokenId([in] unsigned int tokenId, [in] unsigned long timestamp);
- [ipccode 0xffbb, oneway] void UnSetAllPolicyByToken([in] unsigned int tokenId, [in] unsigned long timestamp);
+ [ipccode 0xffbb] void UnSetAllPolicyByToken([in] unsigned int tokenId, [in] unsigned long timestamp);
 [ipccode 0xffbc] void PersistPolicyByTokenId([in] unsigned int tokenId, [in] PolicyVecRawData policyRawData, [out] Uint32VecRawData resultRawData);
 [ipccode 0xffbd] void UnPersistPolicyByTokenId([in] unsigned int tokenId, [in] PolicyVecRawData policyRawData, [out] Uint32VecRawData resultRawData);
 [ipccode 0xffbe, oneway] void CleanPersistPolicyByPath([in] List filePathList);
diff --git a/interfaces/inner_api/sandbox_manager/include/policy_info.h b/interfaces/inner_api/sandbox_manager/include/policy_info.h
index 8bc0aa6..fad8032 100644
--- a/interfaces/inner_api/sandbox_manager/include/policy_info.h
+++ b/interfaces/inner_api/sandbox_manager/include/policy_info.h
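Review bot: In PhysicalPathDenyTest001 (sandbox_manager_kit_test.cpp) every check between the first `SetPolicy` and the final `UnSetAllPolicyByToken` is an `ASSERT_*`, so a single failure returns from the test with the DENY_READ_MODE rule on `/data/service/el1/100/` still installed for `g_mockToken`, and a failing `ASSERT_EQ(dir, nullptr)` also leaks the open `DIR`. Writing the two deny checks as `EXPECT_EQ(dir, nullptr); if (dir != nullptr) { closedir(dir); }` lets the test reach its cleanup; clearing the token's policies in the fixture's TearDown, which is outside this hunk, would work as well. The second `SetPolicy` call leaves `policyResult` unchecked, and neither test sets `DENY_WRITE_MODE` or a mask that combines an allow bit with its deny bit (`READ_MODE | DENY_READ_MODE`), so the expected result for those inputs is not pinned down by this patch.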
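Review bot: Dropping `oneway` on `[ipccode 0xffbb]` in ISandboxManager.idl turns `UnSetAllPolicyByToken` into a blocking call for every existing caller, and the commit message does not mention it. The new test reopens the directory immediately after this call, which suggests the change is needed so that deny rules are already removed when the call returns; a comment above the method such as `/* synchronous: deny rules must be removed before the caller continues */` would keep a later cleanup from restoring `oneway`. The kit wrapper's return value, which the test asserts on, presumably now reflects the service-side outcome rather than only the send, so call sites that ignore it (none are in this patch) are worth checking. `StartAccessingByTokenId` at 0xffba stays `oneway`.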
@@ -45,7 +45,9 @@ typedef enum OperateMode {
 CREATE_MODE = 1 << 2,
 DELETE_MODE = 1 << 3,
 RENAME_MODE = 1 << 4,
- MAX_MODE = 1 << 5,
+ DENY_READ_MODE = 1 << 5,
+ DENY_WRITE_MODE = 1 << 6,
+ MAX_MODE = 1 << 7,
 } OperateMode;
 } // namespace SandboxManager
 } // namespace AccessControl
-- Gitee
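Review bot: The two deny bits in policy_info.h are added without any comment, and `MAX_MODE` moves from `1 << 5` to `1 << 7`, so any check that bounds a mode by `MAX_MODE` now accepts bits 5 and 6 wherever a mode is validated, not only in `SetPolicy`. The validation code is not part of this patch; if the persist and start-accessing paths share that bound they would begin to accept deny bits too, and it is worth confirming that they reject them or handle them deliberately. I would document the new values, for example `DENY_READ_MODE = 1 << 5, // deny read access to the path; precedence over READ_MODE to be confirmed`, and state what a mask carrying both an allow bit and its deny bit means. The enum's first members are above the hunk.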