From 9917f70067fcb148fb1dbfd1a1aedc06724f12f6 Mon Sep 17 00:00:00 2001 From: Mupceet Date: Thu, 19 May 2022 11:30:34 +0800 Subject: [PATCH 1/4] =?UTF-8?q?appspawn:=E6=8B=86=E5=88=86system,=E6=94=AF?= =?UTF-8?q?=E6=8C=8164=E4=BD=8D,=E6=A0=B9=E6=8D=AEapl-name=E6=8C=82?= =?UTF-8?q?=E8=BD=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mupceet Change-Id: I4b0ca72c936acb8bf5a4223bd0a3b7b875ef27d7 --- appdata-sandbox.json | 45 +++++++- appdata-sandbox64.json | 231 +++++++++++++++++++++++++++++++++++++ bundle.json | 1 + etc/BUILD.gn | 40 +++++++ util/src/sandbox_utils.cpp | 11 +- 5 files changed, 325 insertions(+), 3 deletions(-) create mode 100644 appdata-sandbox64.json create mode 100644 etc/BUILD.gn diff --git a/appdata-sandbox.json b/appdata-sandbox.json index f27629e0..f949aa84 100644 --- a/appdata-sandbox.json +++ b/appdata-sandbox.json 
@@ -29,8 +29,49 @@
 "sandbox-flags" : [ "bind", "rec" ],
 "check-action-status": "false"
 }, {
- "src-path" : "/system",
- "sandbox-path" : "/system",
+ "src-path" : "/system/app",
+ "sandbox-path" : "/system/app",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/app",
+ "sandbox-path" : "/test/app",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false",
+ "app-apl-name" : "normal"
+ }, {
+ "src-path" : "/system/fonts",
+ "sandbox-path" : "/system/fonts",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib",
+ "sandbox-path" : "/system/lib",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/data",
+ "sandbox-path" : "/system/data",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/usr",
+ "sandbox-path" : "/system/usr",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/profile",
+ "sandbox-path" : "/system/profile",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/bin",
+ "sandbox-path" : "/system/bin",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/etc",
+ "sandbox-path" : "/system/etc",
 "sandbox-flags" : [ "bind", "rec" ],
 "check-action-status": "false"
 }, {
diff --git a/appdata-sandbox64.json b/appdata-sandbox64.json
new file mode 100644
index 00000000..3d9f09f9
--- /dev/null
+++ b/appdata-sandbox64.json
@@ -0,0 +1,231 @@
+{
+ "common" : [{
+ "top-sandbox-switch": "ON",
+ "app-base" : [{
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/config",
+ "sandbox-path" : "/config",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/dev",
+ "sandbox-path" : "/dev",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/proc",
+ "sandbox-path" : "/proc",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/sys",
+ "sandbox-path" : "/sys",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/sys_prod",
+ "sandbox-path" : "/sys_prod",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/app",
+ "sandbox-path" : "/system/app",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/fonts",
+ "sandbox-path" : "/system/fonts",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib",
+ "sandbox-path" : "/lib",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/lib64",
+ "sandbox-path" : "/system/lib64",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/data",
+ "sandbox-path" : "/system/data",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/usr",
+ "sandbox-path" : "/system/usr",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/profile",
+ "sandbox-path" : "/system/profile",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/bin",
+ "sandbox-path" : "/system/bin",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/system/etc",
+ "sandbox-path" : "/system/etc",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/data/app/el1/bundle/public/",
+ "sandbox-path" : "/data/storage/el1/bundle",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }, {
+ "src-path" : "/data/app/el2//base/",
+ "sandbox-path" : "/data/storage/el2/base",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ },{
+ "src-path" : "/data/app/el1//database/",
+ "sandbox-path" : "/data/storage/el1/database",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }, {
+ "src-path" : "/data/app/el2//database/",
+ "sandbox-path" : "/data/storage/el2/database",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }, {
+ "src-path" : "/data/app/el1//base/",
+ "sandbox-path" : "/data/storage/el1/base",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }, {
+ "src-path" : "/mnt/hmdfs/",
+ "sandbox-path" : "/mnt/hmdfs/",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/mnt/hmdfs//account/merge_view/data/",
+ "sandbox-path" : "/data/storage/el2/distributedfiles",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/mnt/hmdfs//non_account/merge_view/data/",
+ "sandbox-path" : "/data/storage/el2/auth_groups",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/data/app/el1/bundle/public/com.ohos.nweb",
+ "sandbox-path" : "/data/storage/el1/bundle/nweb",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/data/app/el1/bundle/public/ohos.global.systemres",
+ "sandbox-path" : "/data/storage/el1/bundle/ohos.global.systemres",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }
+ ],
+ "symbol-links" : [{
+ "target-name" : "/system/bin",
+ "link-name" : "/bin",
+ "check-action-status": "false"
+ }, {
+ "target-name" : "/system/lib64",
+ "link-name" : "/lib64",
+ "check-action-status": "false"
+ }, {
+ "target-name" : "/system/etc",
+ "link-name" : "/etc",
+ "check-action-status": "false"
+ }, {
+ "target-name" : "/system/bin/init",
+ "link-name" : "/init",
+ "check-action-status": "false"
+ }, {
+ "target-name" : "/sys/kernel/debug",
+ "link-name" : "/d",
+ "check-action-status": "false"
+ }
+ ]
+ }],
+ "app-resources" : [{
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/data/app/el1/bundle/public/com.ohos.nweb",
+ "sandbox-path" : "/data/storage/el1/bundle/nweb",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }, {
+ "src-path" : "/data/app/el1/bundle/public/ohos.global.systemres",
+ "sandbox-path" : "/data/storage/el1/bundle/ohos.global.systemres",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }
+ ],
+ "symbol-links" : [
+ ]
+ }]
+ }],
+ "individual" : [{
+ "com.ohos.medialibrary.MediaLibraryDataA" : [{
+ "sandbox-switch": "ON",
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/storage/media/",
+ "sandbox-path" : "/storage/media",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }
+ ],
+ "symbol-links" : []
+ }],
+ "com.ohos.medialibrary.MediaScannerAbilityA" : [{
+ "sandbox-switch": "ON",
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/storage/media/",
+ "sandbox-path" : "/storage/media",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "false"
+ }
+ ],
+ "symbol-links" : []
+ }],
+ "com.ohos.launcher" : [{
+ "sandbox-switch": "ON",
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/data/app/el1/bundle/public/",
+ "sandbox-path" : "/data/bundles/",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }
+ ],
+ "symbol-links" : []
+ }],
+ "com.ohos.permissionmanager" : [{
+ "sandbox-switch": "ON",
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/data/app/el1/bundle/public/",
+ "sandbox-path" : "/data/bundles/",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }
+ ],
+ "symbol-links" : []
+ }],
+ "ohos.samples.ecg" : [{
+ "sandbox-switch": "OFF",
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-bind-paths" : [{
+ "src-path" : "/data/app/el1/bundle/public/",
+ "sandbox-path" : "/data/bundles/",
+ "sandbox-flags" : [ "bind", "rec" ],
+ "check-action-status": "true"
+ }
+ ],
+ "symbol-links" : []
+ }]
+ }]
+}
\ No newline at end of file
diff --git a/bundle.json b/bundle.json
index 616ce543..8f5599c3 100644
--- a/bundle.json
+++ b/bundle.json
@@ -42,6 +42,7 @@
 "//base/startup/appspawn_standard:appspawn.rc",
 "//base/startup/appspawn_standard:appspawn_server",
 "//base/startup/appspawn_standard:nweb",
+ "//base/startup/appspawn_standard/etc:etc_files",
 "//base/startup/appspawn_standard/interfaces/innerkits:appspawn_socket_client"
 ],
 "inner_kits": [
diff --git a/etc/BUILD.gn b/etc/BUILD.gn
new file mode 100644
index 00000000..4b9bf530
--- /dev/null
+++ b/etc/BUILD.gn
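Review bot: In the new appdata-sandbox64.json, the `individual` entry for `ohos.samples.ecg` sets `"sandbox-switch": "OFF"`, which presumably disables the sandbox for a sample package in the configuration installed on arm64 images; it looks like a development leftover and should be dropped or justified before the file ships. The `app-base` section also links `/d` to `/sys/kernel/debug` and binds `/dev`, `/proc` and `/sys` recursively with `"check-action-status": "false"`, so every app gets a path to debugfs wherever it is mounted, and a failed mount is presumably ignored rather than treated as an error; removing the `/d` entry from `symbol-links` would narrow that. The file otherwise appears to repeat the 32-bit configuration with `lib64` added, so the two will drift unless one is generated from the other. Note that `/system/lib` is mounted at `/lib` here while appdata-sandbox.json keeps it at `/system/lib`, which is worth confirming as intended.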
@@ -0,0 +1,40 @@ +# Copyright (c) 2020-2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//base/startup/appspawn_standard/appspawn.gni") +import("//build/ohos.gni") + +ohos_prebuilt_etc("appdata-sandbox.json") { + if (target_cpu == "arm64") { + source = "//base/startup/appspawn_standard/appdata-sandbox64.json" + } else { + source = "//base/startup/appspawn_standard/appdata-sandbox.json" + } + + subsystem_name = "${subsystem_name}" + part_name = "${part_name}" + module_install_dir = "etc/sandbox" +} + +ohos_prebuilt_etc("product-sandbox.json") { + source = "//base/startup/appspawn_standard/product-sandbox.json" + part_name = "${part_name}" + module_install_dir = "etc/sandbox" +} + +group("etc_files") { + deps = [ + ":appdata-sandbox.json", + ":product-sandbox.json" + ] +} \ No newline at end of file diff --git a/util/src/sandbox_utils.cpp b/util/src/sandbox_utils.cpp index ad1ad18b..3db172c7 100644 --- a/util/src/sandbox_utils.cpp +++ b/util/src/sandbox_utils.cpp @@ -66,9 +66,9 @@ namespace { const char *WARGNAR_DEVICE_PATH = "/3rdmodem"; const char *APP_BASE = "app-base"; const char *APP_RESOURCES = "app-resources"; + const char *APP_APL_NAME = "app-apl-name"; } - nlohmann::json SandboxUtils::appSandboxConfig_; nlohmann::json SandboxUtils::productSandboxConfig_; 
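Review bot: The target `ohos_prebuilt_etc("appdata-sandbox.json")` in etc/BUILD.gn chooses `appdata-sandbox64.json` with `target_cpu == "arm64"`, while the loader in adapter/appspawn_sandbox.cpp (patch 3/4) chooses the file name with `#ifdef __aarch64__`; these are two independent switches that must always agree, and the installed file name is not visible from this hunk. If they disagree, for example a 32-bit appspawn built for an arm64 product, the configured path will not exist, so it is worth confirming that a missing sandbox configuration makes app spawn fail rather than continue without the mounts. Installing both files unconditionally, or installing the selected one under the single name `appdata-sandbox.json`, would remove the coupling. Separately, the `product-sandbox.json` target omits `subsystem_name = "${subsystem_name}"`, which the first target sets.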
@@ -275,6 +275,15 @@ int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProper continue; } + if (mntPoint[APP_APL_NAME] != nullptr) { + std::string app_apl_name = mntPoint[APP_APL_NAME]; + const char * p_app_apl = nullptr; + p_app_apl = app_apl_name.c_str(); + if (!strcmp(p_app_apl, appProperty->apl)) { + continue; + } + } + std::string srcPath = ConvertToRealPath(appProperty, mntPoint[SRC_PATH].get()); std::string sandboxPath = sandboxRoot + ConvertToRealPath(appProperty, mntPoint[SANDBOX_PATH].get()); -- Gitee From 119d58aa07e746fb2676d01685b5314c43b96969 Mon Sep 17 00:00:00 2001 From: Mupceet Date: Thu, 19 May 2022 11:45:34 +0800 Subject: [PATCH 2/4] =?UTF-8?q?appspawn:=20=E5=88=A0=E9=99=A4json=E4=B8=AD?= =?UTF-8?q?=E6=B5=8B=E8=AF=95apl-name=E7=9A=84=E6=95=B0=E6=8D=AE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mupceet Change-Id: I1e020fa5a4ab1f518c2fffbfccc09ff4a6a46641 --- appdata-sandbox.json | 6 ------ 1 file changed, 6 deletions(-) diff --git a/appdata-sandbox.json b/appdata-sandbox.json index f949aa84..0e24f8b9 100644 --- a/appdata-sandbox.json +++ b/appdata-sandbox.json @@ -33,12 +33,6 @@ "sandbox-path" : "/system/app", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" - }, { - "src-path" : "/system/app", - "sandbox-path" : "/test/app", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false", - "app-apl-name" : "normal" }, { "src-path" : "/system/fonts", "sandbox-path" : "/system/fonts", -- Gitee From 6443f0d3719ba45c4f0c342baadb546acde9970c Mon Sep 17 00:00:00 2001 From: Mupceet Date: Thu, 19 May 2022 15:06:07 +0800 Subject: [PATCH 3/4] appspawn: support 64 Signed-off-by: Mupceet Change-Id: Ife02af5cd70a050946416df86dcbb1b0350403d9 --- adapter/appspawn_sandbox.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/adapter/appspawn_sandbox.cpp b/adapter/appspawn_sandbox.cpp index 980ee2da..a82b89c1 100644 
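Review bot: The added check in DoAllMntPointsMount skips the mount point when `strcmp` returns 0, that is when the app's APL equals `app-apl-name`, so the key works as an exclusion list: any APL value that is not listed, including an empty or unexpected one, still receives the mount. If the key is meant to restrict a mount to the named APL, the test is inverted and should read `if (strcmp(p_app_apl, appProperty->apl) != 0) { continue; }`; if exclusion is intended, state it with a comment such as `// app-apl-name: APL for which this mount point is skipped`. `std::string app_apl_name = mntPoint[APP_APL_NAME];` also converts without a type check, so a non-string value in the JSON would raise a nlohmann type error inside appspawn; testing `mntPoint[APP_APL_NAME].is_string()` first avoids that. `appProperty->apl` is declared outside the hunk, so whether it is guaranteed NUL-terminated before `strcmp` could not be checked here. The same lines recur in the patch 4/4 hunk with only a whitespace change, and the function body extends beyond both hunks.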
--- a/adapter/appspawn_sandbox.cpp +++ b/adapter/appspawn_sandbox.cpp @@ -43,7 +43,11 @@ bool g_isPrivAppSandboxCreated = false; bool g_isAppSandboxCreated = false; namespace { +#ifdef __aarch64__ + const std::string APP_JSON_CONFIG("/system/etc/sandbox/appdata-sandbox64.json"); +#else const std::string APP_JSON_CONFIG("/system/etc/sandbox/appdata-sandbox.json"); +#endif const std::string PRODUCT_JSON_CONFIG("/system/etc/sandbox/product-sandbox.json"); } -- Gitee From e221cb5cdd0888a8e8ce2bbd90bc3e83b62ee0c7 Mon Sep 17 00:00:00 2001 From: Mupceet Date: Thu, 19 May 2022 12:42:46 +0000 Subject: [PATCH 4/4] =?UTF-8?q?update=20util/src/sandbox=5Futils.cpp.=20?= =?UTF-8?q?=E4=BB=A3=E7=A0=81=E6=A3=80=E6=9F=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- util/src/sandbox_utils.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/src/sandbox_utils.cpp b/util/src/sandbox_utils.cpp index 3db172c7..f7fb0a79 100644 --- a/util/src/sandbox_utils.cpp +++ b/util/src/sandbox_utils.cpp @@ -277,7 +277,7 @@ int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProper if (mntPoint[APP_APL_NAME] != nullptr) { std::string app_apl_name = mntPoint[APP_APL_NAME]; - const char * p_app_apl = nullptr; + const char *p_app_apl = nullptr; p_app_apl = app_apl_name.c_str(); if (!strcmp(p_app_apl, appProperty->apl)) { continue; -- Gitee