From 712a43a585ed90098bdea15cfb45bd9181190a02 Mon Sep 17 00:00:00 2001
From: wangchen
Date: Wed, 9 Jul 2025 16:47:59 +0800
Subject: [PATCH] =?UTF-8?q?rawdata=E9=97=AE=E9=A2=98=E4=BF=AE=E5=A4=8D=20c?=
 =?UTF-8?q?lose=20#ICL1ZB=20Signed-off-by:=20wangchen=20?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../include/policy_vec_raw_data.h | 13 ++++
 .../src/service/sandbox_manager_service.cpp | 70 +++++++++++++------
 .../unittest/sandbox_manager_service_test.cpp | 68 ++++++++++++++++++
 3 files changed, 131 insertions(+), 20 deletions(-)

diff --git a/frameworks/sandbox_manager/include/policy_vec_raw_data.h b/frameworks/sandbox_manager/include/policy_vec_raw_data.h
index 3bcf2fe..c0210ff 100644
--- a/frameworks/sandbox_manager/include/policy_vec_raw_data.h
+++ b/frameworks/sandbox_manager/include/policy_vec_raw_data.h
@@ -22,6 +22,7 @@ namespace OHOS {
 namespace AccessControl {
 namespace SandboxManager {
+const uint32_t POLICY_VEC_MAX_NUM = 300000;
 struct PolicyVecRawData {
 uint32_t size;
 const void* data;
@@ -51,16 +52,28 @@ struct PolicyVecRawData {
 uint32_t ssLength = static_cast(ss.tellp());
 uint32_t policyNum = 0;
 ss.read(reinterpret_cast(&policyNum), sizeof(policyNum));
+ if (ss.fail() || ss.eof() || (policyNum > POLICY_VEC_MAX_NUM)) {
+ return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+ }
 for (uint32_t i = 0; i < policyNum; i++) {
 uint32_t pathLen = 0;
 ss.read(reinterpret_cast(&pathLen), sizeof(pathLen));
+ if (ss.fail() || ss.eof()) {
+ return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+ }
 if (pathLen > ssLength - static_cast(ss.tellg())) {
 return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
 }
 PolicyInfo info;
 info.path.resize(pathLen);
 ss.read(info.path.data(), pathLen);
+ if (ss.fail() || ss.eof()) {
+ return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+ }
 ss.read(reinterpret_cast(&info.mode), sizeof(info.mode));
+ if (ss.fail() || ss.eof()) {
+ return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+ }
 out.push_back(info);
 }
 return SANDBOX_MANAGER_OK;
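Review bot: `POLICY_VEC_MAX_NUM` in the first hunk is a bare magic number with no comment on what it bounds; since the declared count only drives the loop and the actual work is bounded by the per-read `ss.fail() || ss.eof()` checks added below, I'd document it at the declaration: `// Upper bound on the policy count a parcel may declare; Unmarshalling still rejects a parcel whose bytes run out before that count is reached.` A cheaper early rejection is possible right after `policyNum` is read, because every entry needs at least `sizeof(uint32_t) + sizeof(PolicyInfo::mode)` bytes: `if (policyNum > (ssLength - sizeof(policyNum)) / (sizeof(uint32_t) + sizeof(PolicyInfo::mode))) { return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; }`. The same three-line stream check now appears four times in the loop; a local `auto readFailed = [&ss] { return ss.fail() || ss.eof(); };` would keep it readable. In a header, `constexpr uint32_t POLICY_VEC_MAX_NUM = 300000;` is the idiomatic spelling; Unmarshalling's signature and the stream setup sit above the hunk.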
diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
index dba9c0a..7ac5665 100644
--- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
+++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
@@ -218,14 +218,17 @@ int32_t SandboxManagerService::SetPolicyByBundleName(const std::string &bundleNa
 return PERMISSION_DENIED;
 }
 std::vector policy;
- policyRawData.Unmarshalling(policy);
+ int32_t ret = policyRawData.Unmarshalling(policy);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
 size_t policySize = policy.size();
 if (policySize == 0) {
 SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize);
 return INVALID_PARAMTER;
 }
 int32_t userId = 0;
- int32_t ret = AccountSA::OsAccountManager::GetForegroundOsAccountLocalId(userId);
+ ret = AccountSA::OsAccountManager::GetForegroundOsAccountLocalId(userId);
 if (ret != 0) {
 SANDBOXMANAGER_LOG_ERROR(LABEL, "grantPermission failed, get user id failed error=%{public}d", ret);
 return INVALID_PARAMTER;
@@ -259,7 +262,10 @@ int32_t SandboxManagerService::PersistPolicy(const PolicyVecRawData &policyRawDa
 return PERMISSION_DENIED;
 }
 std::vector policy;
- policyRawData.Unmarshalling(policy);
+ int32_t ret = policyRawData.Unmarshalling(policy);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
 size_t policySize = policy.size();
 if (policySize == 0) {
 SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy vector size error, size = %{public}zu.", policy.size());
@@ -272,7 +278,7 @@ int32_t SandboxManagerService::PersistPolicy(const PolicyVecRawData &policyRawDa
 }
 std::vector result;
- int32_t ret = PolicyInfoManager::GetInstance().AddPolicy(callingTokenId, policy, result, flag);
+ ret = PolicyInfoManager::GetInstance().AddPolicy(callingTokenId, policy, result, flag);
 if (ret != SANDBOX_MANAGER_OK) {
 return ret;
 }
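Review bot: The early return added after `policyRawData.Unmarshalling(policy)` in SetPolicyByBundleName drops the error silently, whereas every other rejection in this function (empty policy vector, foreground account lookup) goes through `SANDBOXMANAGER_LOG_ERROR`; a parcel that fails to parse is precisely the client misbehaviour an operator will want to find in the service log, so I'd add `SANDBOXMANAGER_LOG_ERROR(LABEL, "Unmarshalling policy failed, ret = %{public}d.", ret);` before `return ret;`. The same unlogged return is repeated in the PersistPolicy, UnPersistPolicy, PersistPolicyByTokenId, UnPersistPolicyByTokenId, SetPolicy, CheckPolicy, StartAccessingPolicy, StopAccessingPolicy and CheckPersistPolicy hunks that follow. Since all ten entry points now carry the identical four lines, a private helper that unmarshals into the vector, logs, and returns the status would keep them in step. The start of each of these functions lies above its hunk.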
@@ -289,7 +295,10 @@ int32_t SandboxManagerService::UnPersistPolicy(
 return PERMISSION_DENIED;
 }
 std::vector policy;
- policyRawData.Unmarshalling(policy);
+ int32_t ret = policyRawData.Unmarshalling(policy);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
 size_t policySize = policy.size();
 if (policySize == 0) {
 SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy vector size error, size = %{public}zu.", policy.size());
@@ -297,7 +306,7 @@ int32_t SandboxManagerService::UnPersistPolicy(
 }
 std::vector result;
- int32_t ret = PolicyInfoManager::GetInstance().RemovePolicy(callingTokenId, policy, result);
+ ret = PolicyInfoManager::GetInstance().RemovePolicy(callingTokenId, policy, result);
 if (ret != SANDBOX_MANAGER_OK) {
 return ret;
 }
@@ -314,7 +323,10 @@ int32_t SandboxManagerService::PersistPolicyByTokenId(
 return PERMISSION_DENIED;
 }
 std::vector policy;
- policyRawData.Unmarshalling(policy);
+ int32_t ret = policyRawData.Unmarshalling(policy);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
 size_t policySize = policy.size();
 if ((policySize == 0) || (tokenId == 0)) {
 SANDBOXMANAGER_LOG_ERROR(
@@ -329,7 +341,7 @@ int32_t SandboxManagerService::PersistPolicyByTokenId(
 }
 std::vector result;
- int32_t ret = PolicyInfoManager::GetInstance().AddPolicy(tokenId, policy, result, flag);
+ ret = PolicyInfoManager::GetInstance().AddPolicy(tokenId, policy, result, flag);
 if (ret != SANDBOX_MANAGER_OK) {
 return ret;
 }
@@ -346,7 +358,10 @@ int32_t SandboxManagerService::UnPersistPolicyByTokenId(
 return PERMISSION_DENIED;
 }
 std::vector policy;
- policyRawData.Unmarshalling(policy);
+ int32_t ret = policyRawData.Unmarshalling(policy);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
 size_t policySize = policy.size();
 if ((policySize == 0) || (tokenId == 0)) {
 SANDBOXMANAGER_LOG_ERROR(
@@ -356,7 +371,7 @@ int32_t SandboxManagerService::UnPersistPolicyByTokenId(
 }
 std::vector result;
- int32_t ret = PolicyInfoManager::GetInstance().RemovePolicy(tokenId, policy, result);
+ ret = PolicyInfoManager::GetInstance().RemovePolicy(tokenId, policy, result);
 if (ret != SANDBOX_MANAGER_OK) {
 return ret;
 }
@@ -373,7 +388,10 @@ int32_t SandboxManagerService::SetPolicy(uint32_t tokenId, const PolicyVecRawDat
 return PERMISSION_DENIED;
 }
 std::vector policy;
- policyRawData.Unmarshalling(policy);
+ int32_t ret = policyRawData.Unmarshalling(policy);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
 size_t policySize = policy.size();
 if (policySize == 0) {
 SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize);
@@ -388,7 +406,7 @@ int32_t SandboxManagerService::SetPolicy(uint32_t tokenId, const PolicyVecRawDat
 return INVALID_PARAMTER;
 }
 std::vector result;
- int32_t ret = PolicyInfoManager::GetInstance().SetPolicy(tokenId, policy, policyFlag, result, timestamp);
+ ret = PolicyInfoManager::GetInstance().SetPolicy(tokenId, policy, policyFlag, result, timestamp);
 if (ret != SANDBOX_MANAGER_OK) {
 return ret;
 }
@@ -439,7 +457,10 @@ int32_t SandboxManagerService::CheckPolicy(uint32_t tokenId, const PolicyVecRawD
 return PERMISSION_DENIED;
 }
 std::vector policy;
- policyRawData.Unmarshalling(policy);
+ int32_t ret = policyRawData.Unmarshalling(policy);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
 size_t policySize = policy.size();
 if (policySize == 0) {
 SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize);
@@ -450,7 +471,7 @@ int32_t SandboxManagerService::CheckPolicy(uint32_t tokenId, const PolicyVecRawD
 return INVALID_PARAMTER;
 }
 std::vector result;
- int32_t ret = PolicyInfoManager::GetInstance().CheckPolicy(tokenId, policy, result);
+ ret = PolicyInfoManager::GetInstance().CheckPolicy(tokenId, policy, result);
 if (ret != SANDBOX_MANAGER_OK) {
 return ret;
 }
@@ -467,7 +488,10 @@ int32_t SandboxManagerService::StartAccessingPolicy(const PolicyVecRawData &poli
 return PERMISSION_DENIED;
 }
 std::vector policy;
- policyRawData.Unmarshalling(policy);
+ int32_t ret = policyRawData.Unmarshalling(policy);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
 if (!useCallerToken) {
 callingTokenId = tokenId;
 }
@@ -478,7 +502,7 @@ int32_t SandboxManagerService::StartAccessingPolicy(const PolicyVecRawData &poli
 }
 std::vector result;
- int32_t ret = PolicyInfoManager::GetInstance().StartAccessingPolicy(callingTokenId, policy, result, timestamp);
+ ret = PolicyInfoManager::GetInstance().StartAccessingPolicy(callingTokenId, policy, result, timestamp);
 if (ret != SANDBOX_MANAGER_OK) {
 return ret;
 }
@@ -495,7 +519,10 @@ int32_t SandboxManagerService::StopAccessingPolicy(
 return PERMISSION_DENIED;
 }
 std::vector policy;
- policyRawData.Unmarshalling(policy);
+ int32_t ret = policyRawData.Unmarshalling(policy);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
 size_t policySize = policy.size();
 if (policySize == 0) {
 SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy vector size error, size = %{public}zu", policy.size());
@@ -503,7 +530,7 @@ int32_t SandboxManagerService::StopAccessingPolicy(
 }
 std::vector result;
- int32_t ret = PolicyInfoManager::GetInstance().StopAccessingPolicy(callingTokenId, policy, result);
+ ret = PolicyInfoManager::GetInstance().StopAccessingPolicy(callingTokenId, policy, result);
 if (ret != SANDBOX_MANAGER_OK) {
 return ret;
 }
@@ -521,7 +548,10 @@ int32_t SandboxManagerService::CheckPersistPolicy(
 return PERMISSION_DENIED;
 }
 std::vector policy;
- policyRawData.Unmarshalling(policy);
+ int32_t ret = policyRawData.Unmarshalling(policy);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
 size_t policySize = policy.size();
 if (policySize == 0 || tokenId == 0) {
 SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy vector size error, size = %{public}zu, tokenid = %{public}d.",
@@ -531,7 +561,7 @@ int32_t SandboxManagerService::CheckPersistPolicy(
 std::vector matchResult(policySize);
- int32_t ret = PolicyInfoManager::GetInstance().MatchPolicy(tokenId, policy, matchResult);
+ ret = PolicyInfoManager::GetInstance().MatchPolicy(tokenId, policy, matchResult);
 if (ret != SANDBOX_MANAGER_OK) {
 return ret;
 }
diff --git a/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp b/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp
index e90e92f..95a7b02 100644
--- a/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp
+++ b/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp
@@ -53,6 +53,7 @@ const std::string SET_POLICY_PERMISSION = "ohos.permission.SET_SANDBOX_POLICY";
 const std::string CHECK_POLICY_PERMISSION = "ohos.permission.CHECK_SANDBOX_POLICY";
 const std::string ACCESS_PERSIST_PERMISSION = "ohos.permission.FILE_ACCESS_PERSIST";
 const uint64_t POLICY_VECTOR_SIZE = 5000;
+const uint64_t POLICY_VECTOR_LARGE_SIZE = 400000;
 #ifdef MEMORY_MANAGER_ENABLE
 constexpr int32_t MAX_RUNNING_NUM = 256;
 constexpr int64_t EXTRA_PARAM = 3;
@@ -598,6 +599,73 @@ HWTEST_F(SandboxManagerServiceTest, MemoryManagerTest002, TestSize.Level1)
 EXPECT_EQ(SA_READY_TO_UNLOAD, sandboxManagerService_->OnIdle(reason));
 SandboxMemoryManager::GetInstance().SetIsDelayedToUnload(false);
 }
+
+/**
+ * @tc.name: SandboxManagerServiceRawDataTest001
+ * @tc.desc: Test Marshalling - large input
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerServiceTest, SandboxManagerServiceRawDataTest001, TestSize.Level0)
+{
+ std::vector policy;
+ policy.resize(POLICY_VECTOR_SIZE + 1);
+ PolicyVecRawData policyRawData;
+ policyRawData.Marshalling(policy);
+ Uint32VecRawData resultRawData;
+ uint64_t policyFlag = 0;
+ EXPECT_EQ(SANDBOX_MANAGER_OK,
+ sandboxManagerService_->SetPolicy(selfTokenId_, policyRawData, policyFlag, resultRawData));
+
+ policy.resize(POLICY_VECTOR_LARGE_SIZE + 1);
+ PolicyVecRawData policyRawData1;
+ policyRawData1.Marshalling(policy);
+ std::vector result1;
+ Uint32VecRawData resultRawData1;
+ EXPECT_EQ(SANDBOX_MANAGER_SERVICE_PARCEL_ERR,
+ sandboxManagerService_->SetPolicy(selfTokenId_, policyRawData1, policyFlag, resultRawData1));
+}
+
+/**
+ * @tc.name: SandboxManagerServiceRawDataTest002
+ * @tc.desc: Test Marshalling - large input
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerServiceTest, SandboxManagerServiceRawDataTest002, TestSize.Level0)
+{
+ std::vector policy;
+ policy.resize(POLICY_VECTOR_SIZE + 1);
+ PolicyVecRawData policyRawData;
+ policyRawData.Marshalling(policy);
+ Uint32VecRawData resultRawData;
+ uint64_t policyFlag = 0;
+ EXPECT_EQ(SANDBOX_MANAGER_OK,
+ sandboxManagerService_->SetPolicy(selfTokenId_, policyRawData, policyFlag, resultRawData));
+
+ PolicyVecRawData policyRawData1;
+ std::stringstream ss;
+ uint32_t policyNum = POLICY_VECTOR_SIZE;
+ ss.write(reinterpret_cast(&policyNum), sizeof(policyNum));
+ PolicyInfo info;
+ info.path = "/data/log";
+ info.mode = OperateMode::READ_MODE;
+ for (uint32_t i = 0; i < POLICY_VECTOR_SIZE; i++) {
+ uint32_t pathLen = info.path.length() * POLICY_VECTOR_SIZE;
+ ss.write(reinterpret_cast(&pathLen), sizeof(pathLen));
+ pathLen = info.path.length();
+ ss.write(info.path.c_str(), pathLen);
+ ss.write(reinterpret_cast(&info.mode), sizeof(info.mode));
+ }
+ policyRawData1.serializedData = ss.str();
+ policyRawData1.data = reinterpret_cast(policyRawData1.serializedData.data());
+ policyRawData1.size = policyRawData1.serializedData.length();
+
+ std::vector result1;
+ Uint32VecRawData resultRawData1;
+ EXPECT_EQ(SANDBOX_MANAGER_SERVICE_PARCEL_ERR,
+ sandboxManagerService_->SetPolicy(selfTokenId_, policyRawData1, policyFlag, resultRawData1));
+}
 #endif
 } // SandboxManager
 } // AccessControl
-- 
Gitee
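Review bot: The `@tc.desc` of SandboxManagerServiceRawDataTest002 copies "Test Marshalling - large input" from Test001, but what the test builds is a hand-written parcel in which every entry's `pathLen` field is `info.path.length() * POLICY_VECTOR_SIZE` while only the 9-byte path is actually written, so it exercises the length-mismatch rejection in Unmarshalling, not a large input; I'd change that line to ` * @tc.desc: Test Unmarshalling - pathLen larger than the bytes written`. `std::vector result1;` is declared and never used in both tests and can be dropped. In Test001 the expected `SANDBOX_MANAGER_SERVICE_PARCEL_ERR` for `POLICY_VECTOR_LARGE_SIZE + 1` entries is only understandable with the header change in view, so a comment such as `// POLICY_VECTOR_LARGE_SIZE + 1 exceeds POLICY_VEC_MAX_NUM, so Unmarshalling must reject the parcel` above the second `Marshalling` call would help the next reader.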