From ab0cfbe2ff67318b98572a0315607e0df7598481 Mon Sep 17 00:00:00 2001
From: wangchen
Date: Thu, 7 Aug 2025 22:06:28 +0800
Subject: [PATCH] =?UTF-8?q?=E5=8C=85=E6=9B=B4=E6=96=B0=E5=A4=84=E7=90=86?=
 =?UTF-8?q?=20close=20#ICRXPJ=20Signed-off-by:=20wangchen=20?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bundle.json | 2 +
 .../inner_api/sandbox_manager/test/BUILD.gn | 3 +
 services/sandbox_manager/BUILD.gn | 3 +
 .../cpp/include/service/policy_info_manager.h | 8 ++
 .../include/service/sandbox_manager_service.h | 1 +
 .../sandbox_manager_event_subscriber.cpp | 9 +++
 .../cpp/src/service/policy_info_manager.cpp | 76 +++++++++++++++++++
 .../src/service/sandbox_manager_service.cpp | 50 ++++++++++++
 .../sandbox_manager_service.json | 3 +
 .../sandbox_manager_service.cfg | 1 +
 .../sandbox_manager_service.cfg | 1 +
 services/sandbox_manager/test/BUILD.gn | 3 +
 .../sandbox_manager_service_fuzz.gni | 3 +
 13 files changed, 163 insertions(+)

diff --git a/bundle.json b/bundle.json
index 5792a2c..1f107e7 100644
--- a/bundle.json
+++ b/bundle.json
@@ -28,6 +28,8 @@
 "components": [
 "ability_base",
 "access_token",
+ "appspawn",
+ "bundle_framework",
 "cJSON",
 "c_utils",
 "common_event_service",
diff --git a/frameworks/inner_api/sandbox_manager/test/BUILD.gn b/frameworks/inner_api/sandbox_manager/test/BUILD.gn
index 6eb1ed1..c14fd5f 100644
--- a/frameworks/inner_api/sandbox_manager/test/BUILD.gn
+++ b/frameworks/inner_api/sandbox_manager/test/BUILD.gn
@@ -58,6 +58,9 @@ ohos_unittest("libsandbox_manager_sdk_test") {
 "access_token:libaccesstoken_sdk",
 "access_token:libnativetoken",
 "access_token:libtoken_setproc",
+ "appspawn:appspawn_dec_util",
+ "bundle_framework:appexecfwk_base",
+ "bundle_framework:appexecfwk_core",
 "cJSON:cjson",
 "c_utils:utils",
 "common_event_service:cesfwk_innerkits",
diff --git a/services/sandbox_manager/BUILD.gn b/services/sandbox_manager/BUILD.gn
index 2978a92..9175870 100644
--- a/services/sandbox_manager/BUILD.gn
+++ b/services/sandbox_manager/BUILD.gn
@@ -84,6 +84,9 @@ if (is_standard_system) {
 external_deps = [
 "ability_base:want",
 "access_token:libaccesstoken_sdk",
+ "appspawn:appspawn_dec_util",
+ "bundle_framework:appexecfwk_base",
+ "bundle_framework:appexecfwk_core",
 "cJSON:cjson",
 "c_utils:utils",
 "common_event_service:cesfwk_core",
diff --git a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h
index b78c465..4072b9c 100644
--- a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h
+++ b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h
@@ -136,6 +136,13 @@ public:
 * @return int32_t
 */
 int32_t UnSetAllPolicyByToken(const uint32_t tokenId, uint64_t timestamp = 0);
+ /**
+ * @brief clean policys when package changed
+ * @param bundleName bundle name
+ * @param userID a given userid
+ * @return int32_t
+ */
+ int32_t CleanPolicyByPackageChanged(const std::string &bundleName, int32_t userID);
 private:
 /**
 * @brief Clean policy list on MAC
@@ -274,6 +281,7 @@ private:
 std::vector &validIndex, std::vector &validPolicies);
 std::vector splitPath(const std::string &path);
 bool CheckPathWithinRule(const std::string &path);
+ int32_t CleanPolicyByPathlist(uint32_t tokenId, std::vector &list);
 };
 } // namespace SandboxManager
 } // namespace AccessControl
diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h
index fea611f..b964227 100644
--- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h
+++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h
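Review bot: `CleanPolicyByPathlist` in the second policy_info_manager.h hunk is declared with a non-const `std::vector &list`, while its definition in policy_info_manager.cpp only iterates the list to build `PolicyInfo` entries, so the parameter should be `const` to make clear that the DEC path table handed in from `CleanPolicyByPackageChanged` is not mutated, e.g. `int32_t CleanPolicyByPathlist(uint32_t tokenId, const std::vector<std::string> &list);` (the element type is not visible on this page; the definition iterates it as `std::string`). The Doxygen block on `CleanPolicyByPackageChanged` has a typo, `policys` should read `policies`, and its `@return int32_t` does not say which codes a caller can expect; the definition returns `SANDBOX_MANAGER_OK` on success and `PERMISSION_DENIED` when the bundle manager is unreachable or the clone-index query fails, and stating that on the `@return` line would help the two call sites that currently discard or only log the result.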
@@ -80,6 +80,7 @@ private:
 void OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId) override;
 bool StartByEventAction(const SystemAbilityOnDemandReason& startReason);
 bool IsFileManagerCalling(uint32_t tokenCaller);
+ bool PackageChangedEventAction(const SystemAbilityOnDemandReason &startReason);

 std::mutex stateMutex_;
 ServiceRunningState state_;
diff --git a/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp b/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp
index 8f986fc..8552231 100644
--- a/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp
+++ b/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp
@@ -19,6 +19,7 @@
 #include
 #include "policy_info_manager.h"
 #include "sandbox_manager_log.h"
+#include "accesstoken_kit.h"

 namespace OHOS {
 namespace AccessControl {
@@ -43,6 +44,7 @@ bool SandboxManagerCommonEventSubscriber::RegisterEvent()
 skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED);
 skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED);
 skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_DATA_CLEARED);
+ skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_CHANGED);
 EventFwk::CommonEventSubscribeInfo subscribeInfo(*skill);
 auto info = std::make_shared(*skill);
 g_subscriber = std::make_shared(*info);
@@ -85,6 +87,13 @@ void SandboxManagerCommonEventSubscriber::OnReceiveEvent(const EventFwk::CommonE
 PolicyInfoManager::GetInstance().RemoveBundlePolicy(tokenId);
 SANDBOXMANAGER_LOG_INFO(LABEL, "RemovebundlePolicy, tokenid = %{public}d.", tokenId);
 }
+
+ if (action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_CHANGED) {
+ std::string bundleName = want.GetElement().GetBundleName();
+ int32_t userID = want.GetParams().GetIntParam("userId", -1);
+ SANDBOXMANAGER_LOG_INFO(LABEL, "OnReceive Package changed %{public}s, %{public}d", bundleName.c_str(), userID);
+ (void)PolicyInfoManager::GetInstance().CleanPolicyByPackageChanged(bundleName, userID);
+ }
 }
 } // namespace SandboxManager
 } // namespace AccessControl
diff --git a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
index 4419e09..5171ae0 100644
--- a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
+++ b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
@@ -38,6 +38,10 @@
 #include "os_account_manager.h"
 #include "media_path_support.h"
 #include "data_size_report_adapter.h"
+#include "bundle_mgr_interface.h"
+#include "dec_api.h"
+#include "iservice_registry.h"
+#include "system_ability_definition.h"

 namespace OHOS {
 namespace AccessControl {
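Review bot: In the new `COMMON_EVENT_PACKAGE_CHANGED` branch `userID` falls back to `-1` and `bundleName` may come back empty, yet both are handed straight to `CleanPolicyByPackageChanged`, which forwards them to `GetCloneAppIndexes` and `GetHapTokenID`; a guard before the call avoids a bundle-manager round trip for a malformed event, `if (bundleName.empty() || userID < 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid package changed event."); return; }`. The sibling entry point `PackageChangedEventAction` in sandbox_manager_service.cpp rejects an empty name and a zero user id, so the two paths currently apply different validation to the same event and should share one rule. The result of the cleanup is cast to void here, so the INFO line above it is the only trace of whether the policies were actually removed; logging a non-`SANDBOX_MANAGER_OK` return at ERROR level would make a silent failure visible. `OnReceiveEvent` starts outside this hunk.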
@@ -1191,6 +1195,78 @@ int32_t PolicyInfoManager::MatchPolicy(
 }
 return SANDBOX_MANAGER_OK;
 }
+int32_t PolicyInfoManager::CleanPolicyByPathlist(uint32_t tokenId, std::vector &list)
+{
+ SANDBOXMANAGER_LOG_INFO(LABEL, "pathlist size = %{public}zu", list.size());
+ std::vector policy;
+ std::vector u32Res;
+ for (std::string &p : list) {
+ PolicyInfo info;
+ info.path = p;
+ SANDBOXMANAGER_LOG_INFO(LABEL, "path = %{public}s", p.c_str());
+ /* The default config of appspawn is read and write */
+ info.mode = OperateMode::WRITE_MODE + OperateMode::READ_MODE;
+ policy.emplace_back(info);
+ (void)UnSetPolicy(tokenId, info);
+ }
+
+ return RemovePolicy(tokenId, policy, u32Res);
+}
+
+static sptr GetBundleMgrsa()
+{
+ auto systemAbilityManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
+ if (systemAbilityManager == nullptr) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "GetBundleMgr GetSystemAbilityManager is null.");
+ return nullptr;
+ }
+ auto bundleMgrSa = systemAbilityManager->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
+ if (bundleMgrSa == nullptr) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "GetBundleMgr GetSystemAbility is null.");
+ return nullptr;
+ }
+
+ return iface_cast(bundleMgrSa);
+}
+
+int32_t PolicyInfoManager::CleanPolicyByPackageChanged(const std::string &bundleName, int32_t userID)
+{
+ auto bundleMgr = GetBundleMgrsa();
+ if (bundleMgr == nullptr) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "Get bundleMgr failed.");
+ return PERMISSION_DENIED;
+ }
+
+ std::vector appIndexes;
+ ErrCode err = bundleMgr->GetCloneAppIndexes(bundleName, appIndexes, userID);
+ if (err != ERR_OK) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "get appindex error %{public}s, err: %{public}d", bundleName.c_str(), err);
+ return PERMISSION_DENIED;
+ }
+ SANDBOXMANAGER_LOG_INFO(LABEL, "get appindex size = %{public}zu", appIndexes.size());
+ appIndexes.emplace_back(0);
+
+ std::map> decPathMap = GetDecPathMap();
+ for (int32_t appIndex : appIndexes) {
+ uint32_t tokenId = Security::AccessToken::AccessTokenKit::GetHapTokenID(userID, bundleName, appIndex);
+ if (tokenId == Security::AccessToken::INVALID_TOKENID) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "GetHapTokenID failed uid = %{public}d, %{public}s",
+ userID, bundleName.c_str());
+ continue;
+ }
+ for (auto &[permission, pathList] : decPathMap) {
+ SANDBOXMANAGER_LOG_INFO(LABEL, "check %{public}s permission", permission.c_str());
+ int ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permission);
+ if (ret != Security::AccessToken::PERMISSION_GRANTED) {
+ SANDBOXMANAGER_LOG_INFO(LABEL, "need clean %{public}s permission", permission.c_str());
+ (void)CleanPolicyByPathlist(tokenId, pathList);
+ } else {
+ SANDBOXMANAGER_LOG_INFO(LABEL, "no need clean %{public}s permission", permission.c_str());
+ }
+ }
+ }
+ return SANDBOX_MANAGER_OK;
+}
 } // namespace SandboxManager
 } // namespace AccessControl
 } // namespace OHOS
diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
index 9d2450e..12d36a2 100644
--- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
+++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
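Review bot: Both early returns in `CleanPolicyByPackageChanged` answer `PERMISSION_DENIED` when the bundle manager cannot be reached or `GetCloneAppIndexes` fails, which reports an infrastructure failure as an authorization result to `PackageChangedEventAction`, whose only check is `ret != SANDBOX_MANAGER_OK`; if the project defines a service-unavailable or internal-error code, those two paths should return it so the log and the caller can tell the cases apart. `CleanPolicyByPathlist` takes `list` by non-const reference and iterates it as `std::string &p` although nothing is written to it, so `const std::vector<std::string> &list` and `const std::string &p` would let it accept the `decPathMap` values without implying mutation (the element type is stripped on this page and inferred from the loop). The per-path `SANDBOXMANAGER_LOG_INFO` inside that loop prints every DEC path for every permission the app no longer holds on each package change, which is a lot of INFO output for a routine update; logging the size once, as the first line already does, is enough. The `GetHapTokenID` failure message says `uid` but prints `userID`, which will mislead anyone reading that log.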
@@ -666,6 +666,53 @@ void SandboxManagerService::DelayUnloadService()
 #endif
 }

+bool SandboxManagerService::PackageChangedEventAction(const SystemAbilityOnDemandReason &startReason)
+{
+ auto wantMap = startReason.GetExtraData().GetWant();
+ std::string bundleName;
+ int32_t userId;
+ for (auto i = wantMap.begin(); i != wantMap.end(); ++i) {
+ std::string key = std::string(i->first.data());
+ std::string value = std::string(i->second.data());
+ if (key == "bundleName") {
+ if (value.empty()) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "Error empty bundleName received.");
+ return false;
+ }
+ bundleName = value;
+ }
+ if (key == "userId") {
+ if (value.empty()) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "Error empty userId received.");
+ return false;
+ }
+ if (std::isdigit(value[0]) == 0) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid digit userId string received.");
+ return false;
+ }
+ size_t idx = 0;
+ userId = std::stoul(value, &idx);
+ if (idx != value.length()) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "Convert failed, userId = %{public}s.", value.c_str());
+ return false;
+ }
+ if (userId == 0) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "Receive invalid userId.");
+ return false;
+ }
+ }
+ }
+
+ SANDBOXMANAGER_LOG_INFO(LABEL, "bundleName = %{public}s.%{public}d", bundleName.c_str(), userId);
+ int32_t ret = PolicyInfoManager::GetInstance().CleanPolicyByPackageChanged(bundleName, userId);
+ if (ret != SANDBOX_MANAGER_OK) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "%{public}s clean policy failed", bundleName.c_str());
+ return false;
+ }
+
+ return true;
+}
+
 bool SandboxManagerService::StartByEventAction(const SystemAbilityOnDemandReason& startReason)
 {
 std::string reasonName = startReason.GetName();
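Review bot: `int32_t userId;` in `PackageChangedEventAction` is never initialised and `bundleName` stays empty when the want carries no such key, yet after the loop both are logged and passed to `CleanPolicyByPackageChanged`, so a start reason that lacks either key reads an indeterminate `userId` (undefined behaviour) and queries the bundle manager with an empty name. `std::stoul` also throws `std::out_of_range` for a digit string that does not fit an `unsigned long` — the `isdigit` check on the first character does not prevent that — and its result is narrowed into `int32_t`, so a value above `INT32_MAX` wraps before the `== 0` test; parsing directly into an `int32_t` with `std::from_chars` (requires `<charconv>`) reports both conditions as an error code instead. I would initialise `userId` to `-1`, parse as below, and reject after the loop when `bundleName.empty() || userId < 0`, so the function fails closed on a malformed reason. The subscriber path in sandbox_manager_event_subscriber.cpp defaults `userId` to `-1` and applies none of these checks, so whichever rule is adopted should be applied there as well.
```cpp
    std::string bundleName;
    int32_t userId = -1;  // -1 means "not supplied"; rejected after the loop
    for (auto i = wantMap.begin(); i != wantMap.end(); ++i) {
        // … unchanged: key/value extraction and bundleName handling …
        if (key == "userId") {
            // … unchanged: empty and non-digit checks …
            int32_t parsed = 0;
            const char *last = value.data() + value.size();
            auto [end, ec] = std::from_chars(value.data(), last, parsed);
            if (ec != std::errc() || end != last || parsed <= 0) {
                SANDBOXMANAGER_LOG_ERROR(LABEL, "Convert failed, userId = %{public}s.", value.c_str());
                return false;
            }
            userId = parsed;
        }
    }
    if (bundleName.empty() || userId < 0) {
        SANDBOXMANAGER_LOG_ERROR(LABEL, "Package changed reason missing bundleName or userId.");
        return false;
    }
    // … unchanged: log, CleanPolicyByPackageChanged call and return …
```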
@@ -705,6 +752,9 @@ bool SandboxManagerService::StartByEventAction(const SystemAbilityOnDemandReason
 }
 SANDBOXMANAGER_LOG_INFO(LABEL, "RemovebundlePolicy, tokenID = %{public}u.", tokenId);
 }
+ if (reasonName == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_CHANGED) {
+ return PackageChangedEventAction(startReason);
+ }
 return true;
 }

diff --git a/services/sandbox_manager/main/sa_profile/proc_non_resident/sandbox_manager_service.json b/services/sandbox_manager/main/sa_profile/proc_non_resident/sandbox_manager_service.json
index a5c45f9..5004feb 100644
--- a/services/sandbox_manager/main/sa_profile/proc_non_resident/sandbox_manager_service.json
+++ b/services/sandbox_manager/main/sa_profile/proc_non_resident/sandbox_manager_service.json
@@ -18,6 +18,9 @@
 },
 {
 "name": "usual.event.PACKAGE_DATA_CLEARED"
+ },
+ {
+ "name": "usual.event.PACKAGE_CHANGED"
 }]
 },
 "stop-on-demand": {
diff --git a/services/sandbox_manager/proc_non_resident_cfg/sandbox_manager_service.cfg b/services/sandbox_manager/proc_non_resident_cfg/sandbox_manager_service.cfg
index dfff5fb..9d686e5 100644
--- a/services/sandbox_manager/proc_non_resident_cfg/sandbox_manager_service.cfg
+++ b/services/sandbox_manager/proc_non_resident_cfg/sandbox_manager_service.cfg
@@ -13,6 +13,7 @@
 "uid" : "sandbox_manager",
 "gid" : ["sandbox_manager"],
 "permission" : [
+ "ohos.permission.GET_BUNDLE_INFO_PRIVILEGED"
 ],
 "secon" : "u:r:sandbox_manager_service:s0"
 }
diff --git a/services/sandbox_manager/proc_resident_cfg/sandbox_manager_service.cfg b/services/sandbox_manager/proc_resident_cfg/sandbox_manager_service.cfg
index 7f9d494..ac46f8d 100644
--- a/services/sandbox_manager/proc_resident_cfg/sandbox_manager_service.cfg
+++ b/services/sandbox_manager/proc_resident_cfg/sandbox_manager_service.cfg
@@ -11,6 +11,7 @@
 "uid" : "sandbox_manager",
 "gid" : ["sandbox_manager"],
 "permission" : [
+ "ohos.permission.GET_BUNDLE_INFO_PRIVILEGED"
 ],
 "secon" : "u:r:sandbox_manager_service:s0"
 }
diff --git a/services/sandbox_manager/test/BUILD.gn b/services/sandbox_manager/test/BUILD.gn
index df9a2f1..3196e53 100644
--- a/services/sandbox_manager/test/BUILD.gn
+++ b/services/sandbox_manager/test/BUILD.gn
@@ -94,6 +94,9 @@ ohos_unittest("libsandbox_manager_service_standard_test") {
 "access_token:libaccesstoken_sdk",
 "access_token:libnativetoken",
 "access_token:libtoken_setproc",
+ "appspawn:appspawn_dec_util",
+ "bundle_framework:appexecfwk_base",
+ "bundle_framework:appexecfwk_core",
 "cJSON:cjson",
 "c_utils:utils",
 "common_event_service:cesfwk_core",
diff --git a/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni b/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni
index 5e215c5..5ad8636 100644
--- a/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni
+++ b/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni
@@ -59,6 +59,9 @@ sandbox_manager_external_deps = [
 "access_token:libaccesstoken_sdk",
 "access_token:libnativetoken",
 "access_token:libtoken_setproc",
+ "appspawn:appspawn_dec_util",
+ "bundle_framework:appexecfwk_base",
+ "bundle_framework:appexecfwk_core",
 "cJSON:cjson",
 "c_utils:utils",
 "common_event_service:cesfwk_core",
--
Gitee