From 969a53944179f591d8795549e9dd8eb1ecfe3819 Mon Sep 17 00:00:00 2001
From: GengYinzong
Date: Wed, 7 May 2025 19:17:50 -0700
Subject: [PATCH] fix

Signed-off-by: GengYinzong
---
 interfaces/innerkits/include/appspawn.h | 1 +
 modules/common/appspawn_adapter.cpp | 5 +++++
 modules/sandbox/appspawn_sandbox.h | 1 +
 modules/sandbox/sandbox_manager.c | 16 +++++++++-------
 modules/sandbox/sandbox_utils.cpp | 20 ++++++++++----------
 modules/sandbox/sandbox_utils.h | 3 ++-
 6 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/interfaces/innerkits/include/appspawn.h b/interfaces/innerkits/include/appspawn.h
index 7372aff2..8ff7e887 100644
--- a/interfaces/innerkits/include/appspawn.h
+++ b/interfaces/innerkits/include/appspawn.h
@@ -199,6 +199,7 @@ typedef enum {
 APP_FLAGS_PRE_INSTALLED_HAP = 29,
 APP_FLAGS_GET_ALL_PROCESSES = 30,
 APP_FLAGS_CUSTOM_SANDBOX = 31,
+ APP_FLAGS_ALLOW_IOURING = 33,
 MAX_FLAGS_INDEX = 63,
 } AppFlagsIndex;
 
diff --git a/modules/common/appspawn_adapter.cpp b/modules/common/appspawn_adapter.cpp
index 47e466ec..7f12db02 100644
--- a/modules/common/appspawn_adapter.cpp
+++ b/modules/common/appspawn_adapter.cpp
@@ -221,6 +221,11 @@ int SetSeccompFilter(const AppSpawnMgr *content, const AppSpawningCtx *property)
 appName = APP_ATOMIC;
 }
 
+ // Set seccomp policy for processes that have ohos.permission.ALLOW_IOURING.
+ if (CheckAppMsgFlagsSet(property, APP_FLAGS_ALLOW_IOURING) != 0) {
+ appName = APP_ALLOW_IOURING;
+ }
+
 if (!SetSeccompPolicyWithName(type, appName)) {
 APPSPAWN_LOGE("Failed to set %{public}s seccomp filter and exit %{public}d", appName, errno);
 return -EINVAL;
diff --git a/modules/sandbox/appspawn_sandbox.h b/modules/sandbox/appspawn_sandbox.h
index d6b8cb0a..4772e93c 100644
--- a/modules/sandbox/appspawn_sandbox.h
+++ b/modules/sandbox/appspawn_sandbox.h
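Review bot: `APP_FLAGS_ALLOW_IOURING = 33` leaves index 32 unassigned between `APP_FLAGS_CUSTOM_SANDBOX = 31` and `MAX_FLAGS_INDEX = 63`, and nothing in the enum says why. If 32 is already taken by a flag defined outside this enum, a one-line comment such as `APP_FLAGS_ALLOW_IOURING = 33, // 32 is reserved elsewhere` would stop the next addition from colliding with it; if it is not, the value should be 32 so the index space stays contiguous and reviewers can tell the gap is intentional.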
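Review bot: The new `if` replaces whatever `appName` was selected above it, including `APP_ATOMIC` on the line just before, so an app carrying the ALLOW_IOURING flag loses its type-specific policy entirely rather than getting io_uring added to it; the `APP_ALLOW_IOURING` policy therefore has to be at least as restrictive as every policy it displaces, and the comment should say so, e.g. `// Overrides the type-specific policy: the ALLOW_IOURING policy must otherwise match what it replaces.`. The decision is also keyed only on a bit in the spawn message; as far as this patch shows that bit is set in the sandbox code after a permission-index lookup, but if the same bit can arrive already set in a client-supplied message the permission gate is bypassed, so it is worth confirming that `SetAppSpawnMsgFlag` is the only writer of this bit or checking the permission directly here as the sandbox code does. The start of `SetSeccompFilter`, where `appName` and `type` are chosen, lies outside the hunk.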
@@ -73,6 +73,7 @@ extern "C" {
 #define FILE_ACCESS_MANAGER_MODE "ohos.permission.FILE_ACCESS_MANAGER"
 #define READ_WRITE_USER_FILE_MODE "ohos.permission.READ_WRITE_USER_FILE"
 #define GET_ALL_PROCESSES_MODE "ohos.permission.GET_ALL_PROCESSES"
+#define APP_ALLOW_IOURING "ohos.permission.ALLOW_IOURING"
 
 typedef enum SandboxTag {
 SANDBOX_TAG_MOUNT_PATH = 0,
diff --git a/modules/sandbox/sandbox_manager.c b/modules/sandbox/sandbox_manager.c
index 5da123f6..fb248476 100644
--- a/modules/sandbox/sandbox_manager.c
+++ b/modules/sandbox/sandbox_manager.c
@@ -703,18 +703,19 @@ static int AppendPackageNameGids(const AppSpawnSandboxCfg *sandbox, AppSpawningC
 return 0;
 }
 
-static void UpdateMsgFlagsWithPermission(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property)
+static void UpdateMsgFlagsWithPermission(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property,
+ const char *permissionMode, uint32_t flag)
 {
- int32_t allProcessIndex = GetPermissionIndexInQueue(&sandbox->permissionQueue, GET_ALL_PROCESSES_MODE);
- int res = CheckAppPermissionFlagSet(property, (uint32_t)allProcessIndex);
+ int32_t processIndex = GetPermissionIndexInQueue(&sandbox->permissionQueue, permissionMode);
+ int res = CheckAppPermissionFlagSet(property, (uint32_t)processIndex);
 if (res == 0) {
- APPSPAWN_LOGV("Don't need set GET_ALL_PROCESSES_MODE flag");
+ APPSPAWN_LOGV("Don't need set %{public}s flag", permissionMode);
 return;
 }
- int ret = SetAppSpawnMsgFlag(property->message, TLV_MSG_FLAGS, APP_FLAGS_GET_ALL_PROCESSES);
+ int ret = SetAppSpawnMsgFlag(property->message, TLV_MSG_FLAGS, flag);
 if (ret != 0) {
- APPSPAWN_LOGE("Set GET_ALL_PROCESSES_MODE flag failed");
+ APPSPAWN_LOGE("Set %{public}s flag failed", permissionMode);
 }
 return;
 }
 
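Review bot: `APP_ALLOW_IOURING` breaks the naming pattern of the neighbouring permission macros (`FILE_ACCESS_MANAGER_MODE`, `READ_WRITE_USER_FILE_MODE`, `GET_ALL_PROCESSES_MODE`), and the same patch copies the name into `sandbox_utils.cpp` as a `const std::string` with the same inconsistency. Naming it `ALLOW_IOURING_MODE` in both places would keep the permission-string constants greppable as one family. The string is also reused in `appspawn_adapter.cpp` as the seccomp policy name handed to `SetSeccompPolicyWithName`, so a comment here such as `// also used as the seccomp policy name in SetSeccompFilter` would record that coupling before someone renames the permission without renaming the policy.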
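Review bot: `processIndex` is an `int32_t` cast straight to `uint32_t` for `CheckAppPermissionFlagSet`, and now that the function takes an arbitrary `permissionMode`, a name missing from `sandbox->permissionQueue` (for instance a device whose sandbox config does not list ALLOW_IOURING) is a realistic input; if `GetPermissionIndexInQueue` reports "not found" with a negative value, that becomes a very large index and the outcome depends on how `CheckAppPermissionFlagSet` bounds it, which is not visible here. A guard before the cast, `if (processIndex < 0) { APPSPAWN_LOGV("Permission %{public}s not configured", permissionMode); return; }`, keeps the flag unset in that case. The same lookup-then-cast pattern is in `SandboxUtils::UpdateMsgFlagsWithPermission` in sandbox_utils.cpp. The trailing `return;` is now redundant and was dropped from the C++ counterpart in the same patch.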
@@ -771,7 +772,8 @@ int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
 APPSPAWN_LOGW("set sandbox permission flag failed.");
 return APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL;
 }
- UpdateMsgFlagsWithPermission(sandbox, property);
+ UpdateMsgFlagsWithPermission(sandbox, property, GET_ALL_PROCESSES_MODE, APP_FLAGS_GET_ALL_PROCESSES);
+ UpdateMsgFlagsWithPermission(sandbox, property, APP_ALLOW_IOURING, APP_FLAGS_ALLOW_IOURING);
 
 ret = AppendGids(sandbox, property);
 APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
diff --git a/modules/sandbox/sandbox_utils.cpp b/modules/sandbox/sandbox_utils.cpp
index 6f30d7b4..9230af39 100644
--- a/modules/sandbox/sandbox_utils.cpp
+++ b/modules/sandbox/sandbox_utils.cpp
@@ -143,6 +143,7 @@ namespace {
 const std::string FILE_ACCESS_MANAGER_MODE = "ohos.permission.FILE_ACCESS_MANAGER";
 const std::string READ_WRITE_USER_FILE_MODE = "ohos.permission.READ_WRITE_USER_FILE";
 const std::string GET_ALL_PROCESSES_MODE = "ohos.permission.GET_ALL_PROCESSES";
+ const std::string APP_ALLOW_IOURING = "ohos.permission.ALLOW_IOURING";
 const std::string ARK_WEB_PERSIST_PACKAGE_NAME = "persist.arkwebcore.package_name";
 
 const std::string& getArkWebPackageName()
@@ -1706,20 +1707,19 @@ static int EnableSandboxNamespace(AppSpawningCtx *appProperty, uint32_t sandboxN
 return 0;
 }
 
-void SandboxUtils::UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty)
+void SandboxUtils::UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty,
+ const std::string &permissionMode, uint32_t flag)
 {
- int32_t processIndex = GetPermissionIndex(nullptr, GET_ALL_PROCESSES_MODE.c_str());
+ int32_t processIndex = GetPermissionIndex(nullptr, permissionMode.c_str());
 if ((CheckAppPermissionFlagSet(appProperty, static_cast(processIndex)) == 0)) {
- APPSPAWN_LOGV("Don't need set GET_ALL_PROCESSES_MODE flag");
+ APPSPAWN_LOGV("Don't need set %{public}s flag", permissionMode.c_str());
 return;
 }
 
- int ret = SetAppSpawnMsgFlag(appProperty->message, TLV_MSG_FLAGS, APP_FLAGS_GET_ALL_PROCESSES);
+ int ret = SetAppSpawnMsgFlag(appProperty->message, TLV_MSG_FLAGS, flag);
 if (ret != 0) {
- APPSPAWN_LOGV("Set GET_ALL_PROCESSES_MODE flag failed");
+ APPSPAWN_LOGV("Set %{public}s flag failed", permissionMode.c_str());
 }
-
- return;
 }
 
 int32_t SandboxUtils::UpdatePermissionFlags(AppSpawningCtx *appProperty)
@@ -1784,10 +1784,10 @@ int32_t SandboxUtils::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_
 APPSPAWN_LOGW("Set app permission flag fail.");
 return -1;
 }
- UpdateMsgFlagsWithPermission(appProperty);
+ UpdateMsgFlagsWithPermission(appProperty, GET_ALL_PROCESSES_MODE, APP_FLAGS_GET_ALL_PROCESSES);
+ UpdateMsgFlagsWithPermission(appProperty, APP_ALLOW_IOURING, APP_FLAGS_ALLOW_IOURING);
 // check app sandbox switch
- if ((CheckTotalSandboxSwitchStatus(appProperty) == false) ||
- (CheckAppSandboxSwitchStatus(appProperty) == false)) {
+ if ((CheckTotalSandboxSwitchStatus(appProperty) == false) || (CheckAppSandboxSwitchStatus(appProperty) == false)) {
 rc = DoSandboxRootFolderCreateAdapt(sandboxPackagePath);
 } else if (!sandboxSharedStatus) {
 rc = DoSandboxRootFolderCreate(appProperty, sandboxPackagePath);
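Review bot: A failed `SetAppSpawnMsgFlag` is logged here with `APPSPAWN_LOGV`, while the C twin in sandbox_manager.c logs the same condition with `APPSPAWN_LOGE`; since the seccomp selection in appspawn_adapter.cpp keys on this flag, a silently dropped set means the app is spawned without the policy its permission was meant to select, which should be visible at error level, i.e. `APPSPAWN_LOGE("Set %{public}s flag failed", permissionMode.c_str());`. The `static_cast(processIndex)` on the unchanged `if` line appears to have lost its template argument in this rendering, so the intended cast type should be checked against the file. The negative-index concern raised for the C version applies to this `GetPermissionIndex` lookup as well, since a `permissionMode` that is not configured is now a possible argument.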
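Review bot: The reflow of the sandbox-switch condition onto a single line is unrelated to the io_uring change and widens the hunk for no functional reason; it belongs in its own commit. If the line is touched anyway, `if (!CheckTotalSandboxSwitchStatus(appProperty) || !CheckAppSandboxSwitchStatus(appProperty)) {` reads more directly than comparing against `false`. The rest of `SetAppSandboxProperty` continues outside the hunk.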
diff --git a/modules/sandbox/sandbox_utils.h b/modules/sandbox/sandbox_utils.h
index 1ad93280..6f2d971b 100755
--- a/modules/sandbox/sandbox_utils.h
+++ b/modules/sandbox/sandbox_utils.h
@@ -107,7 +107,8 @@ private:
 static int32_t DoAddGid(AppSpawningCtx *appProperty, nlohmann::json &appConfig, const char* permissionName,
 const std::string §ion);
 static int32_t CheckAppFullMountEnable();
- static void UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty);
+ static void UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty,
+ const std::string &permissionMode, uint32_t flag);
 static int32_t UpdatePermissionFlags(AppSpawningCtx *appProperty);
 static int32_t SetSandboxProperty(AppSpawningCtx *appProperty, std::string &sandboxPackagePath);
 static int32_t ChangeCurrentDir(std::string &sandboxPackagePath, const std::string &bundleName,
-- 
Gitee
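Review bot: The declaration gains two parameters but no comment saying what the method does with them, and the header is where callers will look. A one-line doc above it, `// Sets `flag` in appProperty->message when the app's permission flag for `permissionMode` is set; a failed SetAppSpawnMsgFlag is only logged.`, states the contract the sandbox_utils.cpp body actually implements. The class body continues outside the hunk.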