From 46a0fea669b357fdbb8108919275c44087a60270 Mon Sep 17 00:00:00 2001 From: wangchen Date: Sat, 19 Jul 2025 15:53:52 +0800 Subject: [PATCH] =?UTF-8?q?=E9=83=A8=E5=88=86=E9=80=BB=E8=BE=91=E6=95=B4?= =?UTF-8?q?=E6=94=B9=20close=20#ICNEEW=20Signed-off-by:=20wangchen=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/sandbox_manager_kit.cpp | 4 +- .../unittest/src/sandbox_manager_kit_test.cpp | 14 +---- .../cpp/include/service/policy_info_manager.h | 5 +- .../cpp/src/database/sandbox_manager_rdb.cpp | 6 +- .../main/cpp/src/mac/mac_adapter.cpp | 14 +++-- .../cpp/src/service/policy_info_manager.cpp | 58 +++++++++++-------- .../src/service/sandbox_manager_service.cpp | 5 +- 7 files changed, 58 insertions(+), 48 deletions(-) diff --git a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp index 87d022d..6abc37e 100644 --- a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp +++ b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp @@ -120,6 +120,7 @@ int32_t SandboxManagerKit::SetPolicyByBundleName(const std::string &bundleName, int32_t SandboxManagerKit::SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, std::vector &result, uint64_t timestamp) { + SANDBOXMANAGER_LOG_DEBUG(LABEL, "Called"); size_t policySize = policy.size(); if (policySize == 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize); @@ -158,6 +159,7 @@ int32_t SandboxManagerKit::SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, uint64_t timestamp) { + SANDBOXMANAGER_LOG_DEBUG(LABEL, "Called"); size_t policySize = policy.size(); if (policySize == 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize); 
@@ -285,4 +287,4 @@ int32_t SandboxManagerKit::CleanPolicyByUserId(uint32_t userId, const std::vecto } } // SandboxManager } // AccessControl -} // OHOS \ No newline at end of file +} // OHOS diff --git a/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp b/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp index 10e0240..8cb7cc0 100644 --- a/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp +++ b/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp @@ -2927,10 +2927,6 @@ HWTEST_F(SandboxManagerKitTest, CleanPolicyByUserIdTest002, TestSize.Level0) EXPECT_EQ(OPERATE_SUCCESSFULLY, policyResult[0]); std::vector result; - ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); - ASSERT_EQ(1, result.size()); - EXPECT_TRUE(result[0]); - std::vector retType; EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType)); ASSERT_EQ(1, retType.size()); @@ -2959,10 +2955,6 @@ HWTEST_F(SandboxManagerKitTest, CleanPolicyByUserIdTest002, TestSize.Level0) EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CleanPolicyByUserId(userId, filePaths)); EXPECT_EQ(0, SetSelfTokenID(g_mockToken)); sleep(1); - ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); - ASSERT_EQ(1, result.size()); - EXPECT_FALSE(result[0]); - ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policy, result)); ASSERT_EQ(1, result.size()); EXPECT_FALSE(result[0]); @@ -3113,10 +3105,6 @@ HWTEST_F(SandboxManagerKitTest, CleanPolicyByUserIdTest006, TestSize.Level0) std::vector policy; uint64_t policyFlag = 1; std::vector policyResult; - PolicyInfo infoParentA = { - .path = "/A/B", - .mode = OperateMode::READ_MODE - }; PolicyInfo infoParentB = { .path = "/A/C", .mode = OperateMode::READ_MODE 
@@ -3125,8 +3113,8 @@ HWTEST_F(SandboxManagerKitTest, CleanPolicyByUserIdTest006, TestSize.Level0) .path = "/A/B/C", .mode = OperateMode::WRITE_MODE }; - policy.emplace_back(infoParentA); policy.emplace_back(infoParentB); + policy.emplace_back(infoParentC); ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult)); ASSERT_EQ(2, policyResult.size()); diff --git a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h index 971634c..b78c465 100644 --- a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h +++ b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h @@ -147,10 +147,9 @@ private: * @brief find a record with same token and policy path (mode not inclued) * @param tokenId token id of the object * @param policy search policy - * @param result search result * @return SANDBOX_MANAGER_DB_ERR / SANDBOX_MANAGER_DB_RETURN_EMPTY / SANDBOX_MANAGER_OK */ - int32_t ExactFind(const uint32_t tokenId, const PolicyInfo &policy, PolicyInfo &result); + int32_t ExactFind(const uint32_t tokenId, const PolicyInfo &policy); /** * @brief check policy validity in batch * @param policies input policy, see policy_info.h @@ -261,6 +260,8 @@ private: MacAdapter macAdapter_; int32_t AddNormalPolicy(const uint32_t tokenId, const std::vector &policy, std::vector &result, const uint32_t flag, std::vector &queryPolicyIndex, uint32_t invalidNum); + int32_t RemoveNormalPolicy(const uint32_t tokenId, const std::vector &policy, + std::vector &result, std::vector &mediaPolicy, std::vector &validMediaIndex); int32_t StartAccessingNormalPolicy(const uint32_t tokenId, const std::vector &policy, std::vector &results, uint64_t timestamp); int32_t MatchNormalPolicy(const uint32_t tokenId, const std::vector &policy, 
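Review bot: In policy_info_manager.h the ExactFind comment still says the match ignores mode (`mode not inclued`), while the comment at the top of the implementation in policy_info_manager.cpp says it searches on tokenId, path, depth and mode. With the `result` out-parameter removed the function is now a pure existence check, so the brief should say that and name the fields compared, for example `@brief check whether a record with the same token, path, depth and mode exists`. The query conditions themselves are outside the hunks, so which of the two descriptions is correct needs confirming against the implementation.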
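Review bot: The new private declaration `RemoveNormalPolicy` in policy_info_manager.h has no doc comment, and its contract cannot be read off the signature. A short Doxygen block should say that `mediaPolicy` and `validMediaIndex` are outputs (RemovePolicy reserves them before the call and reads them afterwards), and that the function returns SANDBOX_MANAGER_DB_ERR when the database removal fails and SANDBOX_MANAGER_OK otherwise. How the two media vectors are filled is in a part of the loop that the patch does not show, so the wording for them should be checked against the full function.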
diff --git a/services/sandbox_manager/main/cpp/src/database/sandbox_manager_rdb.cpp b/services/sandbox_manager/main/cpp/src/database/sandbox_manager_rdb.cpp index 63fd687..ded11b6 100644 --- a/services/sandbox_manager/main/cpp/src/database/sandbox_manager_rdb.cpp +++ b/services/sandbox_manager/main/cpp/src/database/sandbox_manager_rdb.cpp @@ -102,7 +102,11 @@ std::shared_ptr SandboxManagerRdb::GetRdb() { std::lock_guard lock(dbLock_); if (db_ == nullptr) { - OpenDataBase(); + int32_t ret = OpenDataBase(); + if (ret != SUCCESS) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Open db failed, errno: %{public}d", ret); + db_ = nullptr; + } } return db_; } diff --git a/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp b/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp index 9a4b001..4443284 100644 --- a/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp +++ b/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp @@ -217,9 +217,11 @@ int32_t MacAdapter::SetDenyCfg(std::string &rawData) } info.pathNum = curBatchSize; if (ioctl(fd_, DENY_DEC_RULE_CMD, &info) < 0) { - SANDBOXMANAGER_LOG_ERROR(LABEL, - "Set deny failed errno=%{public}d, path = %{public}s, mode = %{public}x, num = %{public}d", - errno, info.pathInfos[i].path, info.pathInfos[i].mode, info.pathNum); + for (size_t j = 0; j < curBatchSize; j++) { + SANDBOXMANAGER_LOG_ERROR(LABEL, + "Set deny failed errno=%{public}d, path = %{public}s, mode = %{public}x, num = %{public}d", + errno, info.pathInfos[j].path, info.pathInfos[j].mode, info.pathNum); + } break; } succSet += curBatchSize; @@ -310,7 +312,7 @@ int32_t MacAdapter::SetSandboxPolicy(const std::vector &policy, std: info.timestamp = macParams.timestamp; info.userId = macParams.userId; - uint32_t cmd = SET_POLICY_CMD; + int32_t cmd = SET_POLICY_CMD; for (size_t i = 0; i < curBatchSize; ++i) { info.pathInfos[i].path = const_cast(policy[offset + i].path.c_str()); info.pathInfos[i].pathLen = policy[offset + i].path.length(); 
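Review bot: In SandboxManagerRdb::GetRdb the new error log prints OpenDataBase's return code under the label `errno`, which is misleading because the value is not the C errno; `"Open db failed, ret: %{public}d"` says what is actually printed. GetRdb now returns a null pointer explicitly on this path, so a one-line comment on the function such as `// Returns nullptr when the database cannot be opened; callers must check.` would help. The callers are outside this hunk, so their null handling cannot be verified here.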
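Review bot: In MacAdapter::SetDenyCfg the new loop reads `errno` on every iteration, but the logging call from the previous iteration may already have overwritten it, so only the first line is guaranteed to report the ioctl failure; save it once with `int err = errno;` before the `for` and log `err`. The loop also prints every path of the failed batch with `%{public}s`, whereas UnSetSandboxPolicy in the same file logs its path with `%{private}s`; using `path = %{private}s` here would keep deny-rule paths out of public logs. `info.pathNum` is identical for every entry and could be logged once outside the loop. The function body continues outside the hunk.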
@@ -552,7 +554,7 @@ int32_t MacAdapter::UnSetSandboxPolicy(uint32_t tokenId, const PolicyInfo &polic SANDBOXMANAGER_LOG_INFO(LABEL, "Unset sandbox policy target:%{public}u path:%{private}s mode:%{public}d", tokenId, info.pathInfos[0].path, info.pathInfos[0].mode); - uint32_t cmd = UN_SET_POLICY_CMD; + int32_t cmd = UN_SET_POLICY_CMD; if ((policy.mode & (OperateMode::DENY_READ_MODE | OperateMode::DENY_WRITE_MODE)) != 0) { cmd = DEL_DENY_DEC_RULE_CMD; } @@ -589,4 +591,4 @@ int32_t MacAdapter::DestroySandboxPolicy(uint32_t tokenId, uint64_t timestamp) } } // namespace SandboxManager } // namespace AccessControl -} // namespace OHOS \ No newline at end of file +} // namespace OHOS diff --git a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp index 1039f19..3611f58 100644 --- a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp +++ b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp @@ -241,7 +241,7 @@ int32_t PolicyInfoManager::AddNormalPolicy(const uint32_t tokenId, const std::ve if (queryResults[i]) { addPolicyIndex.emplace_back(queryPolicyIndex[i]); } else { - result[queryPolicyIndex[i]] = SandboxRetType::FORBIDDEN_TO_BE_PERSISTED; + result[i] = SandboxRetType::FORBIDDEN_TO_BE_PERSISTED; } } uint32_t failNum = queryPolicyIndexSize - addPolicyIndex.size(); 
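Review bot: In PolicyInfoManager::AddNormalPolicy the forbidden status is now written to `result[i]`, but `i` walks `queryResults`/`queryPolicyIndex`, and the line just above still maps through `queryPolicyIndex[i]` when it fills `addPolicyIndex`. If `queryPolicyIndex` holds positions in the caller's policy list, as that use suggests, then whenever an earlier entry was skipped the FORBIDDEN_TO_BE_PERSISTED status lands on a different policy and the rejected one keeps whatever value it had. Unless `result` is deliberately sized to the query subset in this function, the assignment should remain `result[queryPolicyIndex[i]] = SandboxRetType::FORBIDDEN_TO_BE_PERSISTED;`. The rest of the function is outside the hunk, so the sizing of `result` needs confirming there.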
@@ -366,28 +366,16 @@ int32_t PolicyInfoManager::MatchNormalPolicy(const uint32_t tokenId, const std:: return SANDBOX_MANAGER_OK; } -int32_t PolicyInfoManager::RemovePolicy( - const uint32_t tokenId, const std::vector &policy, std::vector &result) +int32_t PolicyInfoManager::RemoveNormalPolicy(const uint32_t tokenId, const std::vector &policy, + std::vector &result, std::vector &mediaPolicy, std::vector &validMediaIndex) { - if (!macAdapter_.IsMacSupport()) { - SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); - result.resize(policy.size(), SandboxRetType::OPERATE_SUCCESSFULLY); - return SANDBOX_MANAGER_OK; - } - // remove only token, path, mode equal size_t policySize = policy.size(); - if (result.size() != policySize) { - result.resize(policySize); - } uint32_t invalidNum = 0; uint32_t failNum = 0; uint32_t successNum = 0; std::vector conditions; - std::vector mediaPolicy; - std::vector validMediaIndex; - mediaPolicy.reserve(policySize); conditions.reserve(policySize); - validMediaIndex.reserve(policySize); + for (size_t i = 0; i < policySize; ++i) { int32_t checkPolicyRet = CheckPolicyValidity(policy[i]); if (checkPolicyRet != SANDBOX_MANAGER_OK) { @@ -401,8 +389,7 @@ int32_t PolicyInfoManager::RemovePolicy( ++invalidNum; continue; } - PolicyInfo exactFindRes; - int32_t ret = ExactFind(tokenId, policy[i], exactFindRes); + int32_t ret = ExactFind(tokenId, policy[i]); if (ret == SANDBOX_MANAGER_DB_RETURN_EMPTY) { result[i] = SandboxRetType::POLICY_HAS_NOT_BEEN_PERSISTED; ++successNum; @@ -418,10 +405,8 @@ int32_t PolicyInfoManager::RemovePolicy( ++successNum; } - - int32_t ret; if (!conditions.empty()) { - ret = SandboxManagerRdb::GetInstance().Remove(SANDBOX_MANAGER_PERSISTED_POLICY, conditions); + int32_t ret = SandboxManagerRdb::GetInstance().Remove(SANDBOX_MANAGER_PERSISTED_POLICY, conditions); if (ret != SandboxManagerRdb::SUCCESS) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Database operate error"); return SANDBOX_MANAGER_DB_ERR; 
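Review bot: RemoveNormalPolicy writes `result[i]` for each index of `policy` but no longer ensures `result` is that long, because the resize now lives only in RemovePolicy. That holds for the single caller shown in this patch, but a later caller that passes a shorter vector would get an out-of-bounds write. Keeping the guard at the top of the helper, `if (result.size() != policySize) { result.resize(policySize); }`, makes the helper safe on its own. Part of the loop body lies between the hunks and is not visible here.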
@@ -429,6 +414,32 @@ int32_t PolicyInfoManager::RemovePolicy( PolicyOperateInfo info(result.size(), successNum, failNum, invalidNum); SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(OperateTypeEnum::UNPERSIST_POLICY, info); } + return SANDBOX_MANAGER_OK; +} + + +int32_t PolicyInfoManager::RemovePolicy( + const uint32_t tokenId, const std::vector &policy, std::vector &result) +{ + if (!macAdapter_.IsMacSupport()) { + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + result.resize(policy.size(), SandboxRetType::OPERATE_SUCCESSFULLY); + return SANDBOX_MANAGER_OK; + } + // remove only token, path, mode equal + size_t policySize = policy.size(); + if (result.size() != policySize) { + result.resize(policySize); + } + + std::vector mediaPolicy; + std::vector validMediaIndex; + mediaPolicy.reserve(policySize); + validMediaIndex.reserve(policySize); + int32_t ret = RemoveNormalPolicy(tokenId, policy, result, mediaPolicy, validMediaIndex); + if (ret != SANDBOX_MANAGER_OK) { + return ret; + } if (!mediaPolicy.empty()) { std::vector checkMediaResult(validMediaIndex.size(), 0); @@ -803,7 +814,7 @@ int32_t PolicyInfoManager::RangeFind(const GenericValues &conditions, const Gene return SANDBOX_MANAGER_OK; } -int32_t PolicyInfoManager::ExactFind(const uint32_t tokenId, const PolicyInfo &policy, PolicyInfo &result) +int32_t PolicyInfoManager::ExactFind(const uint32_t tokenId, const PolicyInfo &policy) { // search policy that have same tokenId, path, depth, mode GenericValues conditions; @@ -821,8 +832,7 @@ int32_t PolicyInfoManager::ExactFind(const uint32_t tokenId, const PolicyInfo &p SANDBOXMANAGER_LOG_DEBUG(LABEL, "Database return empty"); return SANDBOX_MANAGER_DB_RETURN_EMPTY; } - result.path = searchResults[0].GetString(PolicyFiledConst::FIELD_PATH); - result.mode = static_cast(searchResults[0].GetInt(PolicyFiledConst::FIELD_MODE)); + return SANDBOX_MANAGER_OK; } 
diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp index 7ac5665..aeba5f2 100644 --- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp +++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp @@ -699,7 +699,10 @@ bool SandboxManagerService::StartByEventAction(const SystemAbilityOnDemandReason SANDBOXMANAGER_LOG_ERROR(LABEL, "Receive invalid tokenId."); return false; } - PolicyInfoManager::GetInstance().RemoveBundlePolicy(tokenId); + if (PolicyInfoManager::GetInstance().RemoveBundlePolicy(tokenId) == false) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "RemoveBundlePolicy failed, tokenID = %{public}u.", tokenId); + return false; + } SANDBOXMANAGER_LOG_INFO(LABEL, "RemovebundlePolicy, tokenID = %{public}u.", tokenId); } return true; -- Gitee
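Review bot: The new check in SandboxManagerService::StartByEventAction compares the call result against `false`; assuming RemoveBundlePolicy returns bool, `if (!PolicyInfoManager::GetInstance().RemoveBundlePolicy(tokenId)) {` is the usual form. The success log that follows still spells the name `RemovebundlePolicy`, while the new failure log uses `RemoveBundlePolicy`; using one spelling makes the pair easier to search for together. The function starts outside the hunk, so what its caller does with the new `false` return cannot be seen here.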