diff --git a/modules/sandbox/BUILD.gn b/modules/sandbox/BUILD.gn
index ac304bea8c45f3148965395a69a72106224204a1..fb3f3f8bf79c2412df125096c781c2da87750fb1 100644
--- a/modules/sandbox/BUILD.gn
+++ b/modules/sandbox/BUILD.gn
@@ -97,7 +97,6 @@ if (defined(appspawn_sandbox_new) && appspawn_sandbox_new) {
       "config_policy:configpolicy_util",
       "hilog:libhilog",
       "init:libbegetutil",
-      "json:nlohmann_json_static",
     ]
     if (!defined(ohos_lite)) {
       external_deps += [ "hitrace:hitrace_meter" ]
diff --git a/modules/sandbox/modern/sandbox_load.c b/modules/sandbox/modern/sandbox_load.c
index f7a7d617f13efbe0eac16935e1ff5d96e8457969..0af4536b5e63a047749991e8db55556877f0d119 100644
--- a/modules/sandbox/modern/sandbox_load.c
+++ b/modules/sandbox/modern/sandbox_load.c
@@ -725,7 +725,7 @@ APPSPAWN_STATIC int ParseAppSandboxConfig(const cJSON *root, ParseJsonContext *c
     cJSON *config = cJSON_GetObjectItemCaseSensitive(json, "permission");
     ret = ParseConditionalConfig(sandbox, config, "permission", ParsePermissionConfig);
     APPSPAWN_CHECK_ONLY_EXPER(ret == 0, return ret);
-    // sandbox permission
+    // spawning permission
     ret = AddSpawnerPermissionNode(sandbox);
     APPSPAWN_CHECK_ONLY_EXPER(ret == 0, return ret);
     // spawn-flag
diff --git a/modules/sandbox/normal/sandbox_core.cpp b/modules/sandbox/normal/sandbox_core.cpp
index 0959eafb09bd6c6ba8a3b285c4bc94d53f2db71f..0fded43f0c5e1b98cbcdcb567ec101f11d51d387 100644
--- a/modules/sandbox/normal/sandbox_core.cpp
+++ b/modules/sandbox/normal/sandbox_core.cpp
@@ -57,7 +57,6 @@ bool SandboxCore::NeedNetworkIsolated(AppSpawningCtx *property)
 
 int SandboxCore::EnableSandboxNamespace(AppSpawningCtx *appProperty, uint32_t sandboxNsFlags)
 {
-    StartAppspawnTrace("EnableSandboxNamespace");
 #ifdef APPSPAWN_HISYSEVENT
     struct timespec startClock = {0};
     clock_gettime(CLOCK_MONOTONIC, &startClock);
@@ -75,7 +74,6 @@ int SandboxCore::EnableSandboxNamespace(AppSpawningCtx *appProperty, uint32_t sa
         rc = EnableNewNetNamespace();
         APPSPAWN_CHECK(rc == 0, return rc, "Set %{public}s new netnamespace failed", GetBundleName(appProperty));
     }
-    FinishAppspawnTrace();
     return 0;
 }
 
@@ -104,8 +102,8 @@ bool SandboxCore::CheckMountFlag(const AppSpawningCtx *appProperty, const std::s
         return false;
     }
 
-void SandboxCore::UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty,
-    const std::string &permissionMode, uint32_t flag)
+void SandboxCore::UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty, const std::string &permissionMode,
+    uint32_t flag)
 {
     int32_t processIndex = GetPermissionIndex(nullptr, permissionMode.c_str());
     if ((CheckAppPermissionFlagSet(appProperty, static_cast(processIndex)) == 0)) {
@@ -176,11 +174,10 @@ int32_t SandboxCore::DoDlpAppMountStrategy(const AppSpawningCtx *appProperty, co
     // To make sure destinationPath exist
     (void)SandboxCommon::CreateDirRecursive(sandboxPath, SandboxCommonDef::FILE_MODE);
 
-    int ret = 0;
 #ifndef APPSPAWN_TEST
     APPSPAWN_LOGV("Bind mount %{public}s to %{public}s '%{public}s' '%{public}lu' '%{public}s'",
         srcPath.c_str(), sandboxPath.c_str(), fsType.c_str(), mountFlags, options);
-    ret = mount(srcPath.c_str(), sandboxPath.c_str(), fsType.c_str(), mountFlags, options);
+    int ret = mount(srcPath.c_str(), sandboxPath.c_str(), fsType.c_str(), mountFlags, options);
     APPSPAWN_CHECK(ret == 0, close(fd); return ret,
         "DoDlpAppMountStrategy failed, bind mount %{public}s to %{public}s failed %{public}d",
         srcPath.c_str(), sandboxPath.c_str(), errno);
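Review bot: Moving the declaration of `ret` under `#ifndef APPSPAWN_TEST` (the new `int ret = mount(...)` line) means the identifier only exists in non-test builds; if `ret` is still referenced after the matching `#endif` — the rest of DoDlpAppMountStrategy is outside this hunk — the APPSPAWN_TEST build no longer compiles, and the removed `int ret = 0;` was presumably there for exactly that case. If nothing after `#endif` uses it, the change is fine and a one-line comment such as `// ret is only produced by the real mount(); test builds skip this path` would stop the next reader from re-hoisting it. It is also worth confirming that the test build still releases `fd`, since the only `close(fd)` visible here sits inside the APPSPAWN_CHECK that appears to be compiled out.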
@@ -276,17 +273,16 @@ int32_t SandboxCore::DoSandboxFilePermissionBind(AppSpawningCtx *appProperty, cJ
     cJSON *permissionChild = item->child;
     while (permissionChild != nullptr) {
         int index = GetPermissionIndex(nullptr, permissionChild->string);
-        APPSPAWN_LOGV("DoSandboxFilePermissionBind %{public}s index %{public}d", permissionChild->string, index);
         if (CheckAppPermissionFlagSet(appProperty, static_cast(index)) == 0) {
             permissionChild = permissionChild->next;
             continue;
         }
-        DoAddGid(appProperty, permissionChild, permissionChild->string, SandboxCommonDef::g_permissionPrefix);
         cJSON *permissionMountPaths = cJSON_GetArrayItem(permissionChild, 0);
         if (!permissionMountPaths) {
             permissionChild = permissionChild->next;
             continue;
         }
+        APPSPAWN_LOGV("DoSandboxFilePermissionBind %{public}s index %{public}d", permissionChild->string, index);
         DoAddGid(appProperty, permissionMountPaths, permissionChild->string, SandboxCommonDef::g_permissionPrefix);
         DoAllMntPointsMount(appProperty, permissionMountPaths, permissionChild->string,
             SandboxCommonDef::g_permissionPrefix);
@@ -383,12 +379,11 @@ int32_t SandboxCore::DoSandboxFileCommonFlagsPointHandle(const AppSpawningCtx *a
         return 0;
     }
 
-    cJSON *appResoucesConfig = GetFirstSubConfig(firstCommon, SandboxCommonDef::g_appResources);
-    if (!appResoucesConfig) {
+    cJSON *appResourcesConfig = GetFirstSubConfig(firstCommon, SandboxCommonDef::g_appResources);
+    if (!appResourcesConfig) {
         return 0;
     }
-
-    return HandleFlagsPoint(appProperty, appResoucesConfig);
+    return HandleFlagsPoint(appProperty, appResourcesConfig);
 }
 
 int32_t SandboxCore::SetCommonAppSandboxProperty_(const AppSpawningCtx *appProperty, cJSON *config)
@@ -486,7 +481,6 @@ int32_t SandboxCore::MountAllGroup(const AppSpawningCtx *appProperty, std::strin
 
     mode_t mountSharedFlag = MS_SLAVE;
     if (CheckAppMsgFlagsSet(appProperty, APP_FLAGS_ISOLATED_SANDBOX)) {
-        APPSPAWN_LOGV("Data group flags is isolated");
         mountSharedFlag |= MS_REMOUNT | MS_NODEV | MS_RDONLY | MS_BIND;
     }
 
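Review bot: The removed `DoAddGid(appProperty, permissionChild, ...)` ran before the `permissionMountPaths` null check, so a granted permission whose first array element is missing previously still had gids added for it and now gets nothing; the surviving call on `permissionMountPaths` only covers entries that carry a mount-paths object. If the gid list is only ever declared inside that object, the old call was a genuine duplicate and this is the right fix, but it silently changes the supplementary groups a sandboxed app receives, so a comment such as `// gids for a permission are declared in its mount-paths object; an entry without one grants nothing` on the surviving DoAddGid line would record the intent. Separately, `index` from GetPermissionIndex is passed to CheckAppPermissionFlagSet through a cast with no negative-value guard (pre-existing); if GetPermissionIndex can return a negative sentinel, an explicit `if (index < 0) { permissionChild = permissionChild->next; continue; }` would make the failure mode visible instead of relying on the callee. DoSandboxFilePermissionBind continues outside the hunk.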
@@ -880,9 +874,7 @@ int32_t SandboxCore::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_t return -1; } AppSpawnMsgDacInfo *dacInfo = reinterpret_cast(GetAppProperty(appProperty, TLV_DAC_INFO)); - if (dacInfo == nullptr) { - return -1; - } + APPSPAWN_CHECK(dacInfo != nullptr, return -1, "No dac info in msg app property"); const std::string bundleName = GetBundleName(appProperty); cJSON *tmpJson = nullptr; @@ -893,7 +885,9 @@ int32_t SandboxCore::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_t SandboxCommonDef::ACCESS_DLP_FILE_MODE.c_str()))) != 0); // add pid to a new mnt namespace + StartAppspawnTrace("EnableSandboxNamespace"); int rc = EnableSandboxNamespace(appProperty, sandboxNsFlags); + FinishAppspawnTrace(); APPSPAWN_CHECK(rc == 0, return rc, "unshare failed, packagename is %{public}s", bundleName.c_str()); if (UpdatePermissionFlags(appProperty) != 0) { APPSPAWN_LOGW("Set app permission flag fail."); @@ -990,7 +984,9 @@ int32_t SandboxCore::SetAppSandboxPropertyNweb(AppSpawningCtx *appProperty, uint SandboxCommon::CreateDirRecursiveWithClock(sandboxPackagePath.c_str(), SandboxCommonDef::FILE_MODE); // add pid to a new mnt namespace + StartAppspawnTrace("EnableSandboxNamespace"); int rc = EnableSandboxNamespace(appProperty, sandboxNsFlags); + FinishAppspawnTrace(); APPSPAWN_CHECK(rc == 0, return rc, "unshare failed, packagename is %{public}s", bundleName.c_str()); // check app sandbox switch 
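Review bot: The `UpdatePermissionFlags(appProperty) != 0` branch just below the new FinishAppspawnTrace() call only logs `APPSPAWN_LOGW("Set app permission flag fail.")` and lets sandbox setup continue, whereas the unshare failure one line above aborts with APPSPAWN_CHECK. Those flags presumably drive the later permission-bind mounts and gid grants (DoSandboxFilePermissionBind in this same file gates each entry on CheckAppPermissionFlagSet), so proceeding with partially updated flags makes the resulting sandbox hard to reason about. If best-effort is deliberate, a comment stating why belongs on the LOGW line; otherwise `APPSPAWN_CHECK(UpdatePermissionFlags(appProperty) == 0, return -1, "Set app permission flag fail.");` would match the surrounding style. The trace placement itself is sound, since FinishAppspawnTrace() now runs before the early return. SetAppSandboxProperty continues outside the hunk.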
@@ -1001,10 +997,9 @@ int32_t SandboxCore::SetAppSandboxPropertyNweb(AppSpawningCtx *appProperty, uint rc = DoSandboxRootFolderCreate(appProperty, sandboxPackagePath); } APPSPAWN_CHECK(rc == 0, return rc, "DoSandboxRootFolderCreate failed, %{public}s", bundleName.c_str()); - // rendering process can be created by different apps, - // and the bundle names of these apps are different, - // so we can't use the method SetPrivateAppSandboxProperty - // which mount dirs by using bundle name. + + // rendering process can be created by different apps, and the bundle names of these apps are different + // so we can't use the method SetPrivateAppSandboxProperty which mount dirs by using bundle name. rc = SetRenderSandboxPropertyNweb(appProperty, sandboxPackagePath); APPSPAWN_CHECK(rc == 0, return rc, "SetRenderSandboxPropertyNweb for %{public}s failed", bundleName.c_str()); @@ -1056,8 +1051,6 @@ int32_t SandboxCore::ChangeCurrentDir(std::string &sandboxPackagePath, const std return ret; } - - static const DecDenyPathTemplate DEC_DENY_PATH_MAP[] = { {"ohos.permission.READ_WRITE_DOWNLOAD_DIRECTORY", "/storage/Users/currentUser/Download"}, {"ohos.permission.READ_WRITE_DESKTOP_DIRECTORY", "/storage/Users/currentUser/Desktop"}, @@ -1228,7 +1221,7 @@ int32_t SandboxCore::GetPackageList(AppSpawningCtx *property, std::vector(GetAppProperty(property, TLV_DAC_INFO)); - if (GetBundleName(property) == nullptr ||SandboxCommon::CheckBundleName(GetBundleName(property)) != 0 || + if (GetBundleName(property) == nullptr || SandboxCommon::CheckBundleName(GetBundleName(property)) != 0 || info == nullptr) { std::string uid; char *userId = (char *)GetAppSpawnMsgExtInfo(property->message, MSG_EXT_NAME_USERID, nullptr); @@ -1314,7 +1307,7 @@ int32_t SandboxCore::UninstallDebugSandbox(AppSpawnMgr *content, AppSpawningCtx ret = rmdir(sandboxPath.c_str()); APPSPAWN_CHECK_ONLY_LOG(ret == 0, "rmdir failed %{public}d %{public}d", ret, errno); } - + return 0; } 
@@ -1386,7 +1379,7 @@ int32_t SandboxCore::MountDebugSharefs(const AppSpawningCtx *property, const cha
     }
     char options[SandboxCommonDef::OPTIONS_MAX_LEN] = {0};
     ret = snprintf_s(options, SandboxCommonDef::OPTIONS_MAX_LEN, SandboxCommonDef::OPTIONS_MAX_LEN - 1,
-        "override_support_delete,user_id=%u", info->uid / UID_BASE);
+                     "override_support_delete,user_id=%u", info->uid / UID_BASE);
     if (ret <= 0) {
         return APPSPAWN_ERROR_UTILS_MEM_FAIL;
     }
@@ -1458,4 +1451,4 @@ int32_t SandboxCore::InstallDebugSandbox(AppSpawnMgr *content, AppSpawningCtx *p
     return 0;
 }
 } // namespace AppSpawn
-} // namespace OHOS
+} // namespace OHOS
\ No newline at end of file
diff --git a/modules/sandbox/normal/sandbox_core.h b/modules/sandbox/normal/sandbox_core.h
index 2d61cd18bcf9f61defa3649968dde6f3cd949161..3a4c9e62ebc0c95422d4744235c471bd70419569 100644
--- a/modules/sandbox/normal/sandbox_core.h
+++ b/modules/sandbox/normal/sandbox_core.h
@@ -74,8 +74,8 @@ private:
     static uint32_t GetAppMsgFlags(const AppSpawningCtx *property);
     static bool CheckMountFlag(const AppSpawningCtx *appProperty, const std::string bundleName, cJSON *appConfig);
-    static void UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty,
-        const std::string &permissionMode, uint32_t flag);
+    static void UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty, const std::string &permissionMode,
+        uint32_t flag);
     static int32_t UpdatePermissionFlags(AppSpawningCtx *appProperty);
     static std::string GetSandboxPath(const AppSpawningCtx *appProperty, cJSON *mntPoint, const std::string §ion,
         std::string sandboxRoot);
diff --git a/modules/sandbox/sandbox_dec.c b/modules/sandbox/sandbox_dec.c
index cc1e74eba50e22a971e164d311c0fb2000c0603d..8e36ea2e4113757d97e0ab797eb7b2e865b14136 100644
--- a/modules/sandbox/sandbox_dec.c
+++ b/modules/sandbox/sandbox_dec.c
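Review bot: The new side of the last sandbox_core.cpp hunk drops the file's trailing newline (`\ No newline at end of file` applies to the `+} // namespace OHOS` line), which is a regression rather than a cleanup: gcc and clang warn under -Wnewline-eof/-pedantic, and every future edit to the file's tail will show up as a spurious change on that line. Restore the final newline so that hunk disappears entirely. The sandbox_core.h signature reflow in the same span is fine as is.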
@@ -125,7 +125,7 @@ static int SetDenyConstraintDirs(AppSpawnMgr *content)
         APPSPAWN_LOGE("set sandbox policy failed.");
     } else {
         APPSPAWN_LOGI("set CONSTRAINT_DEC_POLICY_CMD sandbox policy success.");
-        for (uint32_t i = 0; i < decDirsSize; i++) {
+        for (uint32_t i = 0; i < decPolicyInfos.pathNum; i++) {
             APPSPAWN_LOGI("policy info: %{public}s", decPolicyInfos.path[i].path);
         }
     }
@@ -159,7 +159,7 @@ static int SetForcedPrefixDirs(AppSpawnMgr *content)
         APPSPAWN_LOGE("set sandbox forced prefix failed.");
     } else {
         APPSPAWN_LOGI("set SET_DEC_PREFIX_CMD sandbox policy success.");
-        for (uint32_t i = 0; i < decDirsSize; i++) {
+        for (uint32_t i = 0; i < decPolicyInfos.pathNum; i++) {
             APPSPAWN_LOGI("policy info: %{public}s", decPolicyInfos.path[i].path);
         }
     }
diff --git a/standard/appspawn_service.c b/standard/appspawn_service.c
index b53f56d75627dd8e4560362ffd1def12d047dc8f..809ea1b628c1f8d2b17cbc82860b1c547cd36437 100644
--- a/standard/appspawn_service.c
+++ b/standard/appspawn_service.c
@@ -290,7 +290,6 @@ static void SendMessageComplete(const TaskHandle taskHandle, BufferHandle handle
 
 static int SendResponse(const AppSpawnConnection *connection, const AppSpawnMsg *msg, int result, pid_t pid)
 {
-    StartAppspawnTrace("SendResponse");
     APPSPAWN_LOGV("SendResponse connectionId: %{public}u result: 0x%{public}x pid: %{public}d",
         connection->connectionId, result, pid);
     uint32_t bufferSize = sizeof(AppSpawnResponseMsg);
@@ -302,9 +301,7 @@ static int SendResponse(const AppSpawnConnection *connection, const AppSpawnMsg
         return -1, "Failed to memcpy_s bufferSize");
     buffer->result.result = result;
     buffer->result.pid = pid;
-    ret = LE_Send(LE_GetDefaultLoop(), connection->stream, handle, bufferSize);
-    FinishAppspawnTrace();
-    return ret;
+    return LE_Send(LE_GetDefaultLoop(), connection->stream, handle, bufferSize);
 }
 
 static void WaitMsgCompleteTimeOut(const TimerHandle taskHandle, void *context)
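Review bot: Bounding the log loop by `decPolicyInfos.pathNum` instead of the `decDirsSize` table size is the right fix, since only `pathNum` entries of `decPolicyInfos.path` are populated and the old loop read past them whenever fewer paths were added; the same correction is applied in SetForcedPrefixDirs below. What is not visible here is where `pathNum` is assigned — if it is derived from `decDirsSize` without being clamped to the capacity of `decPolicyInfos.path`, the filling loop above each hunk (outside this view) can still overrun the array, so that clamp is worth checking while you are here. The two now-identical success-branch loops could also be folded into one small static helper taking `&decPolicyInfos` and a label, so they cannot drift apart again.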
@@ -761,6 +758,7 @@ static int GetAppSpawnMsg(AppSpawningCtx *property, uint32_t memSize)
         message = NULL;
         return 0;
     }
+    DeleteAppSpawnMsg(&message);
     return -1;
 }
 
@@ -845,7 +843,7 @@ static void ProcessPreFork(AppSpawnContent *content, AppSpawningCtx *property)
         FinishAppspawnTrace();
         if (content->reservedPid < 0) {
             ClearPipeFd(content->preforkFd, PIPE_FD_LENGTH);
-            APPSPAWN_LOGE("prefork fork child process failed %{public}d", content->reservedPid);
+            APPSPAWN_LOGE("prefork fork child process failed %{public}d, err %{public}d", content->reservedPid, errno);
         }
     }
 }
@@ -1119,7 +1117,9 @@ static void ProcessChildResponse(const WatcherHandle taskHandle, int fd, uint32_
     ProcessMgrHookExecute(STAGE_SERVER_APP_ADD, GetAppSpawnContent(), appInfo);
     // response
     AppSpawnHookExecute(STAGE_PARENT_PRE_RELY, 0, GetAppSpawnContent(), &property->client);
+    StartAppspawnTrace("SendResponse");
     SendResponse(property->message->connection, &property->message->msgHeader, 0, property->pid);
+    FinishAppspawnTrace();
     AppSpawnHookExecute(STAGE_PARENT_POST_RELY, 0, GetAppSpawnContent(), &property->client);
 #ifdef DEBUG_BEGETCTL_BOOT
     if (IsDeveloperModeOpen()) {
@@ -1344,8 +1344,8 @@ static void AppSpawnRun(AppSpawnContent *content, int argc, char *const argv[])
 
 APPSPAWN_STATIC int AppSpawnClearEnv(AppSpawnMgr *content, AppSpawningCtx *property)
 {
-    StartAppspawnTrace("AppSpawnClearEnv");
     APPSPAWN_CHECK(content != NULL, return 0, "Invalid appspawn content");
+    StartAppspawnTrace("AppSpawnClearEnv");
     DeleteAppSpawningCtx(property);
     AppSpawnDestroyContent(&content->content);
     APPSPAWN_LOGV("clear %{public}d end", getpid());
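Review bot: The new `DeleteAppSpawnMsg(&message);` on the failure path of GetAppSpawnMsg frees a message that the success path hands off by nulling the local (`message = NULL; return 0;`), which implies an earlier statement — outside this hunk, the function starts before it — stores `message` into `property`. If that store happens before the check that fails, `property` is left holding a dangling pointer and DeleteAppSpawningCtx would free it a second time; either clear the field next to the new delete (`property->message = NULL;`) or attach the message only after validation succeeds. If the attach really is the last step before `message = NULL`, this is correct as written and a short comment saying so would save the next reader the same trace.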
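Review bot: `errno` in the new APPSPAWN_LOGE is read after `ClearPipeFd(content->preforkFd, PIPE_FD_LENGTH)` and `FinishAppspawnTrace()`, both of which run between the failed fork and the log and can overwrite it (close() and any tracing syscall may set errno), so the logged value is not reliably the fork failure's. Capture it first — `int forkErr = errno;` immediately after the line that assigns `content->reservedPid`, which sits above this hunk — and log `forkErr` instead of `errno`. Without that, the added field gives a misleading diagnostic exactly when it matters.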