From 03b87d8dacfe55392cd23786b60509d6c8a07881 Mon Sep 17 00:00:00 2001 From: wangchen Date: Sat, 13 Sep 2025 18:33:47 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E6=89=93=E7=82=B9=20close=20?= =?UTF-8?q?#ICV12G=20Signed-off-by:=20wangchen=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- frameworks/sandbox_manager/BUILD.gn | 1 + .../include/sandbox_manager_dfx_helper.h | 8 ++++ .../src/sandbox_manager_dfx_helper.cpp | 28 ++++++++++- .../main/cpp/src/media/media_path_support.cpp | 48 +++++++++++++------ .../cpp/src/service/policy_info_manager.cpp | 45 ++++++++++++----- 5 files changed, 103 insertions(+), 27 deletions(-) diff --git a/frameworks/sandbox_manager/BUILD.gn b/frameworks/sandbox_manager/BUILD.gn index 4221037..04061c3 100644 --- a/frameworks/sandbox_manager/BUILD.gn +++ b/frameworks/sandbox_manager/BUILD.gn @@ -101,6 +101,7 @@ ohos_shared_library("sandbox_manager_communication_adapter_cxx") { ] external_deps = [ + "access_token:libaccesstoken_sdk", "c_utils:utils", "hisysevent:libhisysevent", "ipc:ipc_core", diff --git a/frameworks/sandbox_manager/include/sandbox_manager_dfx_helper.h b/frameworks/sandbox_manager/include/sandbox_manager_dfx_helper.h index f548d14..1f5e3e2 100644 --- a/frameworks/sandbox_manager/include/sandbox_manager_dfx_helper.h +++ b/frameworks/sandbox_manager/include/sandbox_manager_dfx_helper.h @@ -35,6 +35,8 @@ enum OperateTypeEnum: int32_t { START_ACCESSING_POLICY_BY_TOKEN, STOP_ACCESSING_POLICY, UNPERSIST_POLICY, + PERSIST_MEDIA_POLICY, + UNPERSIST_MEDIA_POLICY, }; const static std::map OPERATE_TYPE_MAP = { @@ -50,6 +52,8 @@ const static std::map OPERATE_TYPE_MAP = { {OperateTypeEnum::START_ACCESSING_POLICY_BY_TOKEN, "start_accessing_policy_by_token"}, {OperateTypeEnum::STOP_ACCESSING_POLICY, "stop_accessing_policy"}, {OperateTypeEnum::UNPERSIST_POLICY, "unpersist_policy"}, + {OperateTypeEnum::PERSIST_MEDIA_POLICY, "persist_media_policy"}, + {OperateTypeEnum::UNPERSIST_MEDIA_POLICY, "unpersist_media_policy"}, }; class PolicyOperateInfo { @@ -64,6 +68,9 @@ public: uint32_t successNum; uint32_t failNum; uint32_t invalidNum; + uint32_t rModeNum; + uint32_t wModeNum; + uint32_t rwModeNum; }; class SandboxManagerDfxHelper { @@ -72,6 +79,7 @@ public: const uint32_t callerTokenid = 0, const uint32_t callerPid = 0); static void WritePersistPolicyOperateSucc(const OperateTypeEnum operateType, const PolicyOperateInfo &info); static void WriteTempPolicyOperateSucc(const OperateTypeEnum operateType, const PolicyOperateInfo &info); + static void OperateInfoSetByMode(PolicyOperateInfo &info, uint32_t mode); }; } // SandboxManager } // AccessControl diff --git a/frameworks/sandbox_manager/src/sandbox_manager_dfx_helper.cpp b/frameworks/sandbox_manager/src/sandbox_manager_dfx_helper.cpp index ef1a6c6..6ed7ce2 100644 --- a/frameworks/sandbox_manager/src/sandbox_manager_dfx_helper.cpp +++ b/frameworks/sandbox_manager/src/sandbox_manager_dfx_helper.cpp @@ -15,8 +15,10 @@ #include "sandbox_manager_dfx_helper.h" +#include "accesstoken_kit.h" #include "hisysevent.h" #include "ipc_skeleton.h" +#include "policy_info.h" namespace OHOS { namespace AccessControl { @@ -37,6 +39,20 @@ PolicyOperateInfo::PolicyOperateInfo(uint32_t totalNum, uint32_t successNum, { callerPid = static_cast(IPCSkeleton::GetCallingRealPid()); callerTokenid = IPCSkeleton::GetCallingTokenID(); + rModeNum = 0; + wModeNum = 0; + rwModeNum = 0; +} + +void SandboxManagerDfxHelper::OperateInfoSetByMode(PolicyOperateInfo &info, uint32_t mode) +{ + if (mode == OperateMode::READ_MODE) { + info.rModeNum++; + } else if (mode == OperateMode::WRITE_MODE) { + info.wModeNum++; + } else if (mode == (OperateMode::READ_MODE + OperateMode::WRITE_MODE)) { + info.rwModeNum++; + } } void SandboxManagerDfxHelper::WritePermissionCheckFailEvent(const std::string &permission, @@ -59,11 +75,21 @@ void SandboxManagerDfxHelper::WritePersistPolicyOperateSucc( const OperateTypeEnum operateType, const PolicyOperateInfo &info) { std::string type = GetOperateString(operateType); + std::string bundleName; + Security::AccessToken::HapTokenInfo hapTokenInfoRes; + int ret = Security::AccessToken::AccessTokenKit::GetHapTokenInfo(info.callerTokenid, hapTokenInfoRes); + if (ret != 0) { + bundleName = "not_get"; + } else { + bundleName = hapTokenInfoRes.bundleName; + } + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SANDBOX_MANAGER, "PERSIST_POLICY_OPERATE_SUCCESS", HiviewDFX::HiSysEvent::EventType::FAULT, "OPERATE_TYPE", type, "CALLER_PID", info.callerPid, "CALLER_TOKENID", info.callerTokenid, "TOTAL_NUM", info.policyNum, "SUCCESS_NUM", info.successNum, - "FAIL_NUM", info.failNum, "INVALID_NUM", info.invalidNum); + "FAIL_NUM", info.failNum, "INVALID_NUM", info.invalidNum, "RMODE_NUM", info.rModeNum, + "WMODE_NUM", info.wModeNum, "RWMODE_NUM", info.rwModeNum, "BUNDLE_NAME", bundleName); } void SandboxManagerDfxHelper::WriteTempPolicyOperateSucc( diff --git a/services/sandbox_manager/main/cpp/src/media/media_path_support.cpp b/services/sandbox_manager/main/cpp/src/media/media_path_support.cpp index b362541..8bbb170 100644 --- a/services/sandbox_manager/main/cpp/src/media/media_path_support.cpp +++ b/services/sandbox_manager/main/cpp/src/media/media_path_support.cpp @@ -26,6 +26,7 @@ #include "policy_field_const.h" #include "policy_info.h" #include "sandbox_manager_const.h" +#include "sandbox_manager_dfx_helper.h" #include "sandbox_manager_err_code.h" #include "sandbox_manager_log.h" #include "ipc_skeleton.h" @@ -166,6 +167,32 @@ int32_t SandboxManagerMedia::CheckPolicyBeforeGrant(uint32_t tokenId, std::vecto return SANDBOX_MANAGER_OK; } +static void SetAddResultAndWriteDfx(PolicyOperateInfo &info, std::vector &results, size_t mediaPolicySize, + std::vector &mediaBool, OperateTypeEnum operation) +{ + uint32_t succ = 0; + uint32_t retType; + if (operation == OperateTypeEnum::PERSIST_MEDIA_POLICY) { + retType = SandboxRetType::FORBIDDEN_TO_BE_PERSISTED; + } else { + retType = SandboxRetType::POLICY_HAS_NOT_BEEN_PERSISTED; + } + + for (size_t i = 0; i < mediaPolicySize; ++i) { + if (mediaBool[i] == true) { + results[i] = SandboxRetType::OPERATE_SUCCESSFULLY; + succ++; + } else { + results[i] = retType; + } + } + info.policyNum = mediaPolicySize; + info.successNum = succ; + info.failNum = mediaPolicySize - succ; + info.invalidNum = 0; + SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(operation, info); +} + int32_t SandboxManagerMedia::AddMediaPolicy(uint32_t tokenId, const std::vector &policy, std::vector &PolicyIndex, std::vector &results) { @@ -177,6 +204,7 @@ int32_t SandboxManagerMedia::AddMediaPolicy(uint32_t tokenId, const std::vector< } SANDBOXMANAGER_LOG_INFO(LABEL, "AddMediaPolicy, tokenId:%{public}u", tokenId); size_t mediaPolicyIndexSize = PolicyIndex.size(); + PolicyOperateInfo info(0, 0, 0, 0); std::vector mediaPaths; std::vector mediaMode; mediaPaths.reserve(mediaPolicyIndexSize); @@ -185,6 +213,7 @@ int32_t SandboxManagerMedia::AddMediaPolicy(uint32_t tokenId, const std::vector< size_t num = PolicyIndex[i]; mediaPaths.emplace_back(policy[num].path); mediaMode.emplace_back(policy[num].mode); + SandboxManagerDfxHelper::OperateInfoSetByMode(info, policy[num].mode); } std::vector mediaBool; @@ -209,13 +238,7 @@ int32_t SandboxManagerMedia::AddMediaPolicy(uint32_t tokenId, const std::vector< return SANDBOX_MANAGER_MEDIA_CALL_ERR; } } - for (size_t i = 0; i < mediaPolicyIndexSize; ++i) { - if (mediaBool[i] == true) { - results[i] = SandboxRetType::OPERATE_SUCCESSFULLY; - } else { - results[i] = SandboxRetType::FORBIDDEN_TO_BE_PERSISTED; - } - } + SetAddResultAndWriteDfx(info, results, mediaPolicyIndexSize, mediaBool, OperateTypeEnum::PERSIST_MEDIA_POLICY); return SANDBOX_MANAGER_OK; } @@ -279,6 +302,7 @@ int32_t SandboxManagerMedia::RemoveMediaPolicy(uint32_t tokenId, const std::vect } SANDBOXMANAGER_LOG_INFO(LABEL, "RemoveMediaPolicy, tokenId:%{public}u", tokenId); size_t mediaPolicySize = policy.size(); + PolicyOperateInfo info(0, 0, 0, 0); std::vector mediaPaths; std::vector uris; std::vector mediaMode; @@ -287,6 +311,7 @@ int32_t SandboxManagerMedia::RemoveMediaPolicy(uint32_t tokenId, const std::vect for (size_t i = 0; i < mediaPolicySize; ++i) { mediaPaths.emplace_back(policy[i].path); mediaMode.emplace_back(policy[i].mode); + SandboxManagerDfxHelper::OperateInfoSetByMode(info, policy[i].mode); } std::vector mediaBool; @@ -311,13 +336,8 @@ int32_t SandboxManagerMedia::RemoveMediaPolicy(uint32_t tokenId, const std::vect return SANDBOX_MANAGER_MEDIA_CALL_ERR; } } - for (size_t i = 0; i < mediaPolicySize; ++i) { - if (mediaBool[i] == true) { - result[i] = SandboxRetType::OPERATE_SUCCESSFULLY; - } else { - result[i] = SandboxRetType::POLICY_HAS_NOT_BEEN_PERSISTED; - } - } + + SetAddResultAndWriteDfx(info, result, mediaPolicySize, mediaBool, OperateTypeEnum::UNPERSIST_MEDIA_POLICY); return SANDBOX_MANAGER_OK; } diff --git a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp index 94c42ca..4e1f055 100644 --- a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp +++ b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp @@ -212,6 +212,16 @@ int32_t PolicyInfoManager::CleanPolicyByUserId(uint32_t userId, const std::vecto return SANDBOX_MANAGER_OK; } +static void SetAddResultAndWriteDfx(PolicyOperateInfo &info, std::vector &results, size_t policySize, + size_t succNum, size_t failNum, size_t invalidNum) +{ + info.policyNum = policySize; + info.successNum = succNum; + info.failNum = failNum; + info.invalidNum = invalidNum; + SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(OperateTypeEnum::PERSIST_POLICY, info); +} + int32_t PolicyInfoManager::AddNormalPolicy(const uint32_t tokenId, const std::vector &policy, std::vector &result, const uint32_t flag, std::vector &queryPolicyIndex, uint32_t invalidNum) { @@ -221,18 +231,20 @@ int32_t PolicyInfoManager::AddNormalPolicy(const uint32_t tokenId, const std::ve return SANDBOX_MANAGER_OK; } size_t policySize = policy.size(); - + PolicyOperateInfo info(0, 0, 0, 0); // query mac kernel size_t queryPolicyIndexSize = queryPolicyIndex.size(); std::vector queryResults(queryPolicyIndexSize); std::vector queryPolicys(queryPolicyIndexSize); - std::transform(queryPolicyIndex.begin(), queryPolicyIndex.end(), - queryPolicys.begin(), [policy](const size_t index) { return policy[index]; }); + for (size_t i = 0; i < queryPolicyIndexSize; ++i) { + queryPolicys[i] = policy[queryPolicyIndex[i]]; + SandboxManagerDfxHelper::OperateInfoSetByMode(info, queryPolicys[i].mode); + } + int32_t ret = macAdapter_.QuerySandboxPolicy(tokenId, queryPolicys, queryResults); if (ret != SANDBOX_MANAGER_OK) { SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter query error, err code = %{public}d", ret); - PolicyOperateInfo info(policySize, 0, policySize - invalidNum, invalidNum); - SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(OperateTypeEnum::PERSIST_POLICY, info); + SetAddResultAndWriteDfx(info, queryPolicyIndexSize, 0, policySize - invalidNum, invalidNum); result.clear(); return ret; } @@ -253,8 +265,8 @@ int32_t PolicyInfoManager::AddNormalPolicy(const uint32_t tokenId, const std::ve result.clear(); return ret; } - PolicyOperateInfo info(policySize, addPolicyIndex.size(), failNum, invalidNum); - SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(OperateTypeEnum::PERSIST_POLICY, info); + SetAddResultAndWriteDfx(info, queryPolicyIndexSize, addPolicyIndex.size(), failNum, invalidNum); + return SANDBOX_MANAGER_OK; } @@ -370,6 +382,16 @@ int32_t PolicyInfoManager::MatchNormalPolicy(const uint32_t tokenId, const std:: return SANDBOX_MANAGER_OK; } +static void WriteRemoveDfxInfo(uint32_t policySize, uint32_t succ, uint32_t fail, uint32_t invalid, + PolicyOperateInfo info) +{ + info.policyNum = policySize; + info.successNum = succ; + info.failNum = fail; + info.invalidNum = invalid; + SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(OperateTypeEnum::UNPERSIST_POLICY, info); +} + int32_t PolicyInfoManager::RemoveNormalPolicy(const uint32_t tokenId, const std::vector &policy, std::vector &result, std::vector &mediaPolicy, std::vector &validMediaIndex) { @@ -379,6 +401,7 @@ int32_t PolicyInfoManager::RemoveNormalPolicy(const uint32_t tokenId, const std: uint32_t successNum = 0; std::vector conditions; conditions.reserve(policySize); + PolicyOperateInfo info(0, 0, 0, 0); for (size_t i = 0; i < policySize; ++i) { int32_t checkPolicyRet = CheckPolicyValidity(policy[i]); @@ -402,11 +425,10 @@ int32_t PolicyInfoManager::RemoveNormalPolicy(const uint32_t tokenId, const std: ret = UnsetSandboxPolicyAndRecord(tokenId, policy[i], conditions); if (ret != SANDBOX_MANAGER_OK) { ++failNum; - PolicyOperateInfo info(policySize, successNum, failNum, invalidNum); - SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(OperateTypeEnum::UNPERSIST_POLICY, info); + WriteRemoveDfxInfo(policySize, successNum, failNum, invalidNum, info); return ret; } - + SandboxManagerDfxHelper::OperateInfoSetByMode(info, policy[i].mode); ++successNum; } if (!conditions.empty()) { @@ -415,8 +437,7 @@ int32_t PolicyInfoManager::RemoveNormalPolicy(const uint32_t tokenId, const std: SANDBOXMANAGER_LOG_ERROR(LABEL, "Database operate error"); return SANDBOX_MANAGER_DB_ERR; } - PolicyOperateInfo info(result.size(), successNum, failNum, invalidNum); - SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(OperateTypeEnum::UNPERSIST_POLICY, info); + WriteRemoveDfxInfo(conditions.size(), successNum, failNum, invalidNum, info); } return SANDBOX_MANAGER_OK; } -- Gitee