From 07859bfd8f8e9a03241477cd7305ec837a325660 Mon Sep 17 00:00:00 2001 From: chennuo Date: Thu, 3 Jul 2025 21:54:10 +0800 Subject: [PATCH] cancel_sharefs Signed-off-by: chennuo --- appdata-sandbox.json | 42 ++------------- appspawn.gni | 1 + bundle.json | 1 + modules/common/BUILD.gn | 3 ++ modules/common/appspawn_common.c | 51 ++++++++++++++++--- modules/sandbox/BUILD.gn | 3 ++ modules/sandbox/sandbox_shared_mount.cpp | 12 ++++- modules/sandbox/sandbox_utils.cpp | 10 +--- test/mock/app_spawn_stub.h | 1 + .../app_spawn_common_test.cpp | 26 ++++++++++ 10 files changed, 95 insertions(+), 55 deletions(-) diff --git a/appdata-sandbox.json b/appdata-sandbox.json index 9504f374..fb974801 100755 --- a/appdata-sandbox.json +++ b/appdata-sandbox.json @@ -767,30 +767,14 @@ }, { "src-path": "/mnt/user//sharefs/docs", - "sandbox-path": "/mnt/storage/Users", - "sandbox-flags": [ "bind", "rec" ] - }, - { - "src-path": "/mnt/sandbox///mnt/storage/Users", "sandbox-path": "/storage/Users", - "sandbox-flags-customized": [ "MS_NODEV"], - "dac-override-sensitive": "true", - "fs-type": "sharefs", - "options": "override" + "sandbox-flags": [ "bind", "rec" ] }, { "src-path": "/mnt/data//userExternal", - "sandbox-path": "/mnt/storage/userExternal", + "sandbox-path": "/storage/userExternal", "sandbox-flags": [ "bind", "rec" ], "check-action-status": "false" - }, - { - "src-path": "/mnt/sandbox///mnt/storage/userExternal", - "sandbox-path": "/storage/userExternal", - "sandbox-flags-customized": [ "MS_NODEV" ], - "dac-override-sensitive": "true", - "fs-type": "sharefs", - "options": "override_support_delete" } ] }], @@ -950,7 +934,7 @@ "src-path" : "", "sandbox-path" : "", "sandbox-flags" : [], - "dec-paths": [ "/mnt/data/fuse" ] + "dec-paths": [ "/mnt/data/fuse", "/mnt/sandbox/*//storage/Users/currentUser" ] } ] }], 
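Review bot: The removed sharefs entries for /storage/Users and /storage/userExternal carried `"sandbox-flags-customized": [ "MS_NODEV" ]` and `"dac-override-sensitive": "true"`, while the replacement entries bind-mount `/mnt/user//sharefs/docs` and `/mnt/data//userExternal` straight to the final path with only `[ "bind", "rec" ]`, so unless the source mounts are themselves nodev those properties are no longer applied and access control for these paths now rests on the new dec-paths entry `/mnt/sandbox/*//storage/Users/currentUser` plus the capability changes in modules/common/appspawn_common.c. That is a change in what an app process can reach and should be spelled out in the commit description, which currently only says cancel_sharefs. The third hunk in this file empties `"mount-paths"` for `ohos.permission.READ_WRITE_USER_FILE` but keeps `"sandbox-switch": "ON"` and `"gids": [1006]`, so the permission still grants the group without mounting anything; if that is intentional a one-line note in the description would save the next reader from wondering whether the block was left behind by mistake.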
@@ -1087,25 +1071,7 @@ "ohos.permission.READ_WRITE_USER_FILE":[{ "sandbox-switch": "ON", "gids": [1006], - "mount-paths": [{ - "src-path": "/storage/media//local/files/Docs", - "sandbox-path": "/storage/Users/", - "sandbox-flags": [ "bind", "rec" ], - "check-action-status": "false" - }, - { - "src-path": "/mnt/data/external", - "sandbox-path": "/storage/External", - "sandbox-flags": ["bind", "rec"], - "check-action-status": "false" - }, - { - "src-path": "/mnt/data//hmdfs", - "sandbox-path": "/storage/hmdfs", - "sandbox-flags": ["bind", "rec"], - "check-action-status": "false" - } - ] + "mount-paths": [] }], "ohos.permission.ACCESS_APP_CLONE_DIR":[{ "sandbox-switch": "ON", diff --git a/appspawn.gni b/appspawn.gni index 3e32920e..7dd16e55 100644 --- a/appspawn.gni +++ b/appspawn.gni @@ -36,6 +36,7 @@ declare_args() { appspawn_support_code_signature = true appspawn_allow_internet_permission = false appspawn_custom_sandbox = false + appspawn_support_nosharefs = false appspawn_support_local_debugger = false appspawn_hitrace_option = true } diff --git a/bundle.json b/bundle.json index ac0f60c4..b7fd12d0 100644 --- a/bundle.json +++ b/bundle.json @@ -29,6 +29,7 @@ "appspawn_support_code_signature", "appspawn_allow_internet_permission", "appspawn_custom_sandbox", + "appspawn_support_nosharefs", "appspawn_support_local_debugger" ], "rom": "296KB", diff --git a/modules/common/BUILD.gn b/modules/common/BUILD.gn index a8d347dc..e96d888f 100644 --- a/modules/common/BUILD.gn +++ b/modules/common/BUILD.gn @@ -93,6 +93,9 @@ ohos_shared_library("appspawn_common") { defines += [ "APPSPAWN_SANDBOX_NEW" ] } + if (appspawn_support_nosharefs) { + defines += [ "APPSPAWN_SUPPORT_NOSHAREFS" ] + } if (appspawn_allow_internet_permission) { defines += [ "APPSPAWN_ALLOW_INTERNET_PERMISSION" ] } diff --git a/modules/common/appspawn_common.c b/modules/common/appspawn_common.c index f0d4a74d..f1b3511f 100644 --- a/modules/common/appspawn_common.c +++ b/modules/common/appspawn_common.c 
@@ -121,32 +121,65 @@ static int SetKeepCapabilities(const AppSpawnMgr *content, const AppSpawningCtx return 0; } -static int SetCapabilities(const AppSpawnMgr *content, const AppSpawningCtx *property) +#ifdef APPSPAWN_SUPPORT_NOSHAREFS +static int SetAmbientCapability(int cap) +{ + if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) { + APPSPAWN_LOGE("prctl PR_CAP_AMBIENT failed: %{public}d", errno); + return -1; + } + return 0; +} + +//if current process is native process, set the ambient +static int SetAmbientCapabilities(const AppSpawningCtx *property) +{ + if (GetAppSpawnMsgType(property) != MSG_SPAWN_NATIVE_PROCESS) { + return 0; + } + const int caps[] = {CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_KILL}; + size_t capCount = sizeof(caps) / sizeof(caps[0]); + for (size_t i = 0;i < capCount; ++i) { + if (SetAmbientCapability(caps[i]) != 0) { + APPSPAWN_LOGE("set cap failed: %{public}d", caps[i]); + return -1; + } + } + return 0; +} +#endif + +APPSPAWN_STATIC int SetCapabilities(const AppSpawnMgr *content, const AppSpawningCtx *property) { // init cap struct __user_cap_header_struct capHeader; - bool isRet = memset_s(&capHeader, sizeof(capHeader), 0, sizeof(capHeader)) != EOK; APPSPAWN_CHECK(!isRet, return -EINVAL, "Failed to memset cap header"); capHeader.version = _LINUX_CAPABILITY_VERSION_3; capHeader.pid = 0; - struct __user_cap_data_struct capData[2]; // 2 is data number isRet = memset_s(&capData, sizeof(capData), 0, sizeof(capData)) != EOK; APPSPAWN_CHECK(!isRet, return -EINVAL, "Failed to memset cap data"); // init inheritable permitted effective zero #ifdef GRAPHIC_PERMISSION_CHECK - const uint64_t inheriTable = 0; - const uint64_t permitted = 0; - const uint64_t effective = 0; + u_int64_t baseCaps = 0; +#ifdef APPSPAWN_SUPPORT_NOSHAREFS + if (!CheckAppMsgFlagsSet(property, APP_FLAGS_ISOLATED_SANDBOX_TYPE) && + (IsAppSpawnMode(content) || IsNativeSpawnMode(content))) { + baseCaps = CAP_TO_MASK(CAP_DAC_OVERRIDE) | 
CAP_TO_MASK(CAP_DAC_READ_SEARCH) | + CAP_TO_MASK(CAP_FOWNER) | CAP_TO_MASK(CAP_KILL); + } +#endif + const uint64_t inheriTable = baseCaps; + const uint64_t permitted = baseCaps; + const uint64_t effective = baseCaps; #else const uint64_t inheriTable = 0x3fffffffff; const uint64_t permitted = 0x3fffffffff; const uint64_t effective = 0x3fffffffff; #endif - capData[0].inheritable = (__u32)(inheriTable); capData[1].inheritable = (__u32)(inheriTable >> BITLEN32); capData[0].permitted = (__u32)(permitted); @@ -157,6 +190,10 @@ static int SetCapabilities(const AppSpawnMgr *content, const AppSpawningCtx *pro // set capabilities isRet = capset(&capHeader, &capData[0]) != 0; APPSPAWN_CHECK(!isRet, return -errno, "Failed to capset errno: %{public}d", errno); +#ifdef APPSPAWN_SUPPORT_NOSHAREFS + isRet = SetAmbientCapabilities(property); + APPSPAWN_CHECK(!isRet, return -1, "Failed to set ambient"); +#endif return 0; } diff --git a/modules/sandbox/BUILD.gn b/modules/sandbox/BUILD.gn index 5464f7a9..1edc7021 100644 --- a/modules/sandbox/BUILD.gn +++ b/modules/sandbox/BUILD.gn @@ -125,6 +125,9 @@ if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) { include_dirs += [ "${appspawn_path}/modules/sysevent" ] sources += [ "${appspawn_path}/modules/sysevent/hisysevent_adapter.cpp" ] } + if (appspawn_support_nosharefs) { + defines += [ "APPSPAWN_SUPPORT_NOSHAREFS" ] + } subsystem_name = "${subsystem_name}" part_name = "${part_name}" diff --git a/modules/sandbox/sandbox_shared_mount.cpp b/modules/sandbox/sandbox_shared_mount.cpp index 528dca99..e8dfa70d 100644 --- a/modules/sandbox/sandbox_shared_mount.cpp +++ b/modules/sandbox/sandbox_shared_mount.cpp 
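Review bot: SetAmbientCapabilities raises the ambient set for every MSG_SPAWN_NATIVE_PROCESS message, but under GRAPHIC_PERMISSION_CHECK the same four capabilities are only placed in permitted and inheritable when APP_FLAGS_ISOLATED_SANDBOX_TYPE is clear (the `baseCaps` block), and PR_CAP_AMBIENT_RAISE requires the capability to be in both sets, so a native process spawned with the isolated-sandbox flag now fails the prctl with EPERM and SetCapabilities returns -1 where it previously succeeded. Mirroring the gate is enough, e.g. `if (CheckAppMsgFlagsSet(property, APP_FLAGS_ISOLATED_SANDBOX_TYPE)) { return 0; }` at the top of SetAmbientCapabilities, or passing baseCaps in and returning early when it is zero. Separately, `u_int64_t baseCaps = 0;` should be `uint64_t` to match the three constants it feeds, `for (size_t i = 0;i < capCount; ++i)` is missing a space after the semicolon, and the new failure path in the second hunk returns -1 while the adjacent capset check returns -errno. Because this hands CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER and CAP_KILL to every non-isolated app and native process when APPSPAWN_SUPPORT_NOSHAREFS is set, a comment above the baseCaps block naming what relies on it (the former sharefs-mediated paths) would let a reader judge the widened privilege without reading the sandbox JSON. The body of SetCapabilities between the two hunks is not shown.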
@@ -297,7 +297,16 @@ static int MountWithOther(const AppSpawningCtx *property, const AppDacInfo *info
 APPSPAWN_LOGE("snprintf options failed, errno %{public}d", errno);
 return APPSPAWN_ERROR_UTILS_MEM_FAIL;
 }
-
+#ifdef APPSPAWN_SUPPORT_NOSHAREFS
+ SharedMountArgs arg = {
+ .srcPath = sharefsDocsDir,
+ .destPath = storageUserPath,
+ .fsType = nullptr,
+ .mountFlags = MS_BIND | MS_REC,
+ .options = nullptr,
+ .mountSharedFlag = MS_SHARED
+ };
+#else
 SharedMountArgs arg = {
 .srcPath = sharefsDocsDir,
 .destPath = storageUserPath,
@@ -306,6 +315,7 @@ static int MountWithOther(const AppSpawningCtx *property, const AppDacInfo *info
 .options = options,
 .mountSharedFlag = MS_SHARED
 };
+#endif
 ret = DoSharedMount(&arg);
 if (ret != 0) {
 APPSPAWN_LOGE("mount %{public}s shared failed, ret %{public}d", storageUserPath, ret);
diff --git a/modules/sandbox/sandbox_utils.cpp b/modules/sandbox/sandbox_utils.cpp
index 5fcefbc8..7463cc22 100644
--- a/modules/sandbox/sandbox_utils.cpp
+++ b/modules/sandbox/sandbox_utils.cpp
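Review bot: Under APPSPAWN_SUPPORT_NOSHAREFS the new initializer sets `.fsType = nullptr` and `.options = nullptr`, yet the snprintf that builds `options` and its failure return (the three context lines at the top of the hunk) still run, so MountWithOther can fail while formatting a string it never uses; that snprintf belongs under the same `#else`. The two initializers differ only in fsType, mountFlags and options, so moving the `#ifdef` inside the braces keeps a single `arg` and makes the difference visible instead of duplicating six lines. The result is a plain MS_BIND | MS_REC of sharefsDocsDir; if the removed sharefs mount was what carried nodev for this path, that is no longer applied here (a bind mount does not take MS_NODEV without a later remount), which deserves a comment at the mount. MountWithOther starts and ends outside the hunk.
```cpp
    SharedMountArgs arg = {
        .srcPath = sharefsDocsDir,
        .destPath = storageUserPath,
#ifdef APPSPAWN_SUPPORT_NOSHAREFS
        .fsType = nullptr,
        .mountFlags = MS_BIND | MS_REC,
        .options = nullptr,
#else
        // … unchanged: existing .fsType, .mountFlags and .options = options lines …
#endif
        .mountSharedFlag = MS_SHARED
    };
```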
@@ -1951,16 +1951,8 @@ int32_t SandboxUtils::UpdatePermissionFlags(AppSpawningCtx *appProperty)
 } else if (appFullMountStatus == FILE_ACCESS_COMMON_DIR_STATUS) {
 index = GetPermissionIndex(nullptr, FILE_ACCESS_COMMON_DIR_MODE.c_str());
 }
- int32_t userFileIndex = GetPermissionIndex(nullptr, READ_WRITE_USER_FILE_MODE.c_str());
 int32_t fileMgrIndex = GetPermissionIndex(nullptr, FILE_ACCESS_MANAGER_MODE.c_str());
- if ((CheckAppPermissionFlagSet(appProperty, static_cast(userFileIndex)) != 0) &&
- (CheckAppPermissionFlagSet(appProperty, static_cast(fileMgrIndex)) != 0)) {
- APPSPAWN_LOGE("invalid msg request.");
- return -1;
- }
- if (index > 0 && (fileMgrIndex > 0 && userFileIndex > 0) &&
- (CheckAppPermissionFlagSet(appProperty, static_cast(userFileIndex)) == 0) &&
- (CheckAppPermissionFlagSet(appProperty, static_cast(fileMgrIndex)) == 0)) {
+ if (index > 0 && (CheckAppPermissionFlagSet(appProperty, static_cast(fileMgrIndex)) == 0)) {
 return SetAppPermissionFlags(appProperty, index);
 }
 return 0;
diff --git a/test/mock/app_spawn_stub.h b/test/mock/app_spawn_stub.h
index 75222f45..4e698ce1 100644
--- a/test/mock/app_spawn_stub.h
+++ b/test/mock/app_spawn_stub.h
@@ -111,6 +111,7 @@ int LoadPermission(AppSpawnClientType type);
 void DeletePermission(AppSpawnClientType type);
 int SetProcessName(const AppSpawnMgr *content, const AppSpawningCtx *property);
 int SetIsolateDir(const AppSpawningCtx *property);
+int SetCapabilities(const AppSpawnMgr *content, const AppSpawningCtx *property);
 int SetFdEnv(AppSpawnMgr *content, AppSpawningCtx *property);
 int PreLoadEnablePidNs(AppSpawnMgr *content);
 int NsInitFunc();
diff --git a/test/unittest/app_spawn_standard_test/app_spawn_common_test.cpp b/test/unittest/app_spawn_standard_test/app_spawn_common_test.cpp
index 22462e2f..45f26841 100644
--- a/test/unittest/app_spawn_standard_test/app_spawn_common_test.cpp
+++ b/test/unittest/app_spawn_standard_test/app_spawn_common_test.cpp
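Review bot: The rewritten condition drops the `fileMgrIndex > 0` guard that the removed lines had, so when GetPermissionIndex fails for FILE_ACCESS_MANAGER_MODE the negative index is cast and handed to CheckAppPermissionFlagSet; keep the guard, `if (index > 0 && fileMgrIndex > 0 && (CheckAppPermissionFlagSet(appProperty, static_cast(fileMgrIndex)) == 0)) {` (the cast's template argument is stripped on this page, keep whatever the file uses). The removed block also rejected a request that set both READ_WRITE_USER_FILE and FILE_ACCESS_MANAGER with "invalid msg request."; that rejection is gone and nothing in the patch says whether such a message is now acceptable, so the commit description or a comment at this line should state the intended rule. UpdatePermissionFlags starts outside the hunk.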
@@ -913,4 +913,30 @@ HWTEST_F(AppSpawnCommonTest, App_Spawn_FilterAppSpawnTrace, TestSize.Level0) } #endif +HWTEST_F(AppSpawnCommonTest, App_Spawn_SetCapabilities, TestSize.Level0) +{ + AppSpawnClientHandle clientHandle = nullptr; + AppSpawnReqMsgHandle reqHandle = 0; + AppSpawningCtx *property = nullptr; + AppSpawnMgr *mgr = nullptr; + int ret = -1; + do { + mgr = CreateAppSpawnMgr(MODE_FOR_NWEB_SPAWN); + EXPECT_EQ(mgr != nullptr, 1); + // create msg + ret = AppSpawnClientInit(NWEBSPAWN_SERVER_NAME, &clientHandle); + APPSPAWN_CHECK(ret == 0, break, "Failed to create reqMgr %{public}s", NWEBSPAWN_SERVER_NAME); + reqHandle = g_testHelper.CreateMsg(clientHandle, MSG_APP_SPAWN, 0); + APPSPAWN_CHECK(reqHandle != INVALID_REQ_HANDLE, break, + "Failed to create req %{public}s", NWEBSPAWN_SERVER_NAME); + property = g_testHelper.GetAppProperty(clientHandle, reqHandle); + APPSPAWN_CHECK_ONLY_EXPER(property != nullptr, break); + ret = SetCapabilities(mgr, property); + } while (0); + DeleteAppSpawningCtx(property); + AppSpawnClientDestroy(clientHandle); + DeleteAppSpawnMgr(mgr); + ASSERT_EQ(ret, 0); +} + } // namespace OHOS -- Gitee
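Review bot: The new test creates the manager with MODE_FOR_NWEB_SPAWN and a MSG_APP_SPAWN message, so under APPSPAWN_SUPPORT_NOSHAREFS neither the `IsAppSpawnMode(content) || IsNativeSpawnMode(content)` branch that sets baseCaps nor the MSG_SPAWN_NATIVE_PROCESS path in SetAmbientCapabilities is reached, and the code this patch adds to SetCapabilities goes untested; a case using the app-spawn manager mode and one using a MSG_SPAWN_NATIVE_PROCESS message would cover it. `ASSERT_EQ(ret, 0)` also depends on capset succeeding in the test process, which only holds when the runner already has the capabilities being set, so the expectation is likely to need to account for an unprivileged runner. `EXPECT_EQ(mgr != nullptr, 1)` inside the do/while does not stop the test on failure the way the neighbouring checks do; `APPSPAWN_CHECK(mgr != nullptr, break, "Failed to create mgr");` would match them.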