From 5c2b50f91f47d70b96a2149978cd60d1b62c69db Mon Sep 17 00:00:00 2001 From: chennuo Date: Sat, 26 Jul 2025 16:14:42 +0800 Subject: [PATCH] add 3009 to lldb Signed-off-by: chennuo --- appdata-sandbox.json | 10 ++---- modules/common/appspawn_common.c | 43 ++++++++++++++++++----- modules/sandbox/normal/sandbox_common.cpp | 8 +---- modules/sandbox/normal/sandbox_core.cpp | 11 +++--- 4 files changed, 44 insertions(+), 28 deletions(-) diff --git a/appdata-sandbox.json b/appdata-sandbox.json index 38115a04..6e2f215d 100755 --- a/appdata-sandbox.json +++ b/appdata-sandbox.json @@ -761,7 +761,7 @@ "sandbox-flags": [ "bind", "rec" ] }, { - "src-path": "/mnt/user//sharefs/docs", + "src-path": "/mnt/user//nosharefs/docs", "sandbox-path": "/storage/Users", "sandbox-flags": [ "bind", "rec" ] }, @@ -949,7 +949,8 @@ "mount-paths": [{ "src-path": "/data/log/UserView", "sandbox-path": "/data/log/UserView", - "sandbox-flags": [ "bind", "rec" ] + "sandbox-flags": [ "bind", "rec" ], + "dec-paths": [ "/data/log/UserView" ] } ] }], @@ -1063,11 +1064,6 @@ } ] }], - "ohos.permission.READ_WRITE_USER_FILE":[{ - "sandbox-switch": "ON", - "gids": [1006], - "mount-paths": [] - }], "ohos.permission.ACCESS_APP_CLONE_DIR":[{ "sandbox-switch": "ON", "gids":[2002], diff --git a/modules/common/appspawn_common.c b/modules/common/appspawn_common.c index b3820bed..57342e19 100644 --- a/modules/common/appspawn_common.c +++ b/modules/common/appspawn_common.c @@ -75,6 +75,9 @@ #define HM_DEC_IOCTL_BASE 's' #define HM_ADD_ISOLATE_DIR 16 #define ADD_ISOLATE_DIR_CMD _IOWR(HM_DEC_IOCTL_BASE, HM_ADD_ISOLATE_DIR, IsolateDirInfo) +#ifdef APPSPAWN_SUPPORT_NOSHAREFS +#define READ_PROCESS_GROUP 3009 +#endif static int SetProcessName(const AppSpawnMgr *content, const AppSpawningCtx *property) { 
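Review bot: The new `"src-path": "/mnt/user//nosharefs/docs"` keeps the doubled slash from the line it replaces; if the sandbox code ever compares or normalises mount sources, confirm that `//` is deliberate rather than an inherited typo. The third hunk of this file deletes the `ohos.permission.READ_WRITE_USER_FILE` entry together with its gid 1006, while the appspawn_common.c change in the same patch adds gid 3009 to every native process under APPSPAWN_SUPPORT_NOSHAREFS, and nothing on the page says how the two relate. A sentence in the commit description, or a short comment next to the remaining permission entries, recording why the gid-1006 grant is no longer needed would make later audits of group membership much easier.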
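Review bot: `#define READ_PROCESS_GROUP 3009` is a bare magic number with no comment saying which system group it is or what resource native processes need it for; the commit subject mentions lldb, but nothing in the code ties the group to a consumer. A one-line comment such as `// GID granted to native processes under NOSHAREFS so they can read <RESOURCE — fill in>; consumed by AddSpecialGroupToProcess` next to the define would let a reviewer check the grant against the sandbox config without reading the rest of the file.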
@@ -133,13 +136,9 @@ static int SetAmbientCapability(int cap) return 0; } -//if current process is native process, set the ambient static int SetAmbientCapabilities(const AppSpawningCtx *property) { - if (GetAppSpawnMsgType(property) != MSG_SPAWN_NATIVE_PROCESS) { - return 0; - } - const int caps[] = {CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_KILL}; + const int caps[] = {CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER}; size_t capCount = sizeof(caps) / sizeof(caps[0]); for (size_t i = 0;i < capCount; ++i) { if (SetAmbientCapability(caps[i]) != 0) { @@ -147,6 +146,10 @@ static int SetAmbientCapabilities(const AppSpawningCtx *property) return -1; } } + // Only custom sandbox app can set the CAP_KILL ambient to 1 + if (CheckAppMsgFlagsSet(property, APP_FLAGS_CUSTOM_SANDBOX)) { + APPSPAWN_CHECK(SetAmbientCapability(CAP_KILL) == 0, return -1, "set ambient failed:%{public}d", CAP_KILL); + } return 0; } #endif @@ -171,7 +174,10 @@ APPSPAWN_STATIC int SetCapabilities(const AppSpawnMgr *content, const AppSpawnin if (!CheckAppMsgFlagsSet(property, APP_FLAGS_ISOLATED_SANDBOX_TYPE) && (IsAppSpawnMode(content) || IsNativeSpawnMode(content))) { baseCaps = CAP_TO_MASK(CAP_DAC_OVERRIDE) | CAP_TO_MASK(CAP_DAC_READ_SEARCH) | - CAP_TO_MASK(CAP_FOWNER) | CAP_TO_MASK(CAP_KILL); + CAP_TO_MASK(CAP_FOWNER); + if (CheckAppMsgFlagsSet(property, APP_FLAGS_CUSTOM_SANDBOX)) { + baseCaps |= CAP_TO_MASK(CAP_KILL); + } } #else if (IsAppSpawnMode(content)) { 
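Review bot: Dropping the `GetAppSpawnMsgType(property) != MSG_SPAWN_NATIVE_PROCESS` early return from SetAmbientCapabilities widens who receives ambient CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_FOWNER: the new caller condition in the `@@ -197,8 +203,11 @@` hunk on the next line is `!APP_FLAGS_ISOLATED_SANDBOX_TYPE && (IsAppSpawnMode || IsNativeSpawnMode)`, so if IsAppSpawnMode covers ordinary app spawns those processes now carry exec-inheritable DAC-bypass capabilities that they did not get before. Restricting CAP_KILL to APP_FLAGS_CUSTOM_SANDBOX is a narrowing and looks right, but the widening is not mentioned in the commit description and deserves an explicit confirmation. The removed `//if current process is native process, set the ambient` comment should be replaced by one that states the new contract, e.g. `// Caller applies this only to non-isolated app/native spawns; CAP_KILL is raised only for custom-sandbox apps`, so the next reader does not assume the old native-only rule still holds.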
@@ -197,8 +203,11 @@ APPSPAWN_STATIC int SetCapabilities(const AppSpawnMgr *content, const AppSpawnin isRet = capset(&capHeader, &capData[0]) != 0; APPSPAWN_CHECK(!isRet, return -errno, "Failed to capset errno: %{public}d", errno); #ifdef APPSPAWN_SUPPORT_NOSHAREFS - isRet = SetAmbientCapabilities(property); - APPSPAWN_CHECK(!isRet, return -1, "Failed to set ambient"); + if (!CheckAppMsgFlagsSet(property, APP_FLAGS_ISOLATED_SANDBOX_TYPE) && + (IsAppSpawnMode(content) || IsNativeSpawnMode(content))) { + isRet = SetAmbientCapabilities(property); + APPSPAWN_CHECK(!isRet, return -1, "Failed to set ambient"); + } #endif return 0; } @@ -720,6 +729,23 @@ APPSPAWN_STATIC int RecordStartTime(AppSpawnMgr *content, AppSpawningCtx *proper return 0; } +static int AddSpecialGroupToProcess(AppSpawnMgr *content, AppSpawningCtx *property) +{ +#ifdef APPSPAWN_SUPPORT_NOSHAREFS + APPSPAWN_LOGV("add 3009 groups int native process"); + if (GetAppSpawnMsgType(property) != MSG_SPAWN_NATIVE_PROCESS) { + return 0; + } + AppSpawnMsgDacInfo *dacInfo = (AppSpawnMsgDacInfo *)GetAppProperty(property, TLV_DAC_INFO); + APPSPAWN_CHECK(dacInfo != NULL, return APPSPAWN_TLV_NONE, + "No tlv %{public}d in msg %{public}s", TLV_DAC_INFO, GetProcessName(property)); + APPSPAWN_CHECK(dacInfo->gidCount < APP_MAX_GIDS, return -1, + "Failed to add groups:%{public}d due to current gidCount is MAX", READ_PROCESS_GROUP); + dacInfo->gidTable[dacInfo->gidCount++] = READ_PROCESS_GROUP; +#endif + return 0; +} + MODULE_CONSTRUCTOR(void) { APPSPAWN_LOGV("Load common module ..."); @@ -738,4 +764,5 @@ MODULE_CONSTRUCTOR(void) AddAppSpawnHook(STAGE_PARENT_POST_FORK, HOOK_PRIO_HIGHEST, CloseFdArgs); AddAppSpawnHook(STAGE_CHILD_PRE_COLDBOOT, HOOK_PRIO_HIGHEST, SetFdEnv); AddAppSpawnHook(STAGE_CHILD_PRE_RUN, HOOK_PRIO_HIGHEST, RecordStartTime); + AddAppSpawnHook(STAGE_CHILD_EXECUTE, HOOK_PRIO_COMMON, AddSpecialGroupToProcess); } 
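Review bot: In AddSpecialGroupToProcess the `APPSPAWN_LOGV("add 3009 groups int native process")` line runs before the MSG_SPAWN_NATIVE_PROCESS check, so it is emitted for every spawn, not just the ones that actually get the group, and "int" reads as a typo for "to". Move it below the early return and let it name the group from the macro: `APPSPAWN_LOGV("add group %{public}d to native process", READ_PROCESS_GROUP);`. The bounds check against APP_MAX_GIDS is good, but nothing prevents READ_PROCESS_GROUP being appended twice if the message already carried it; a scan of `gidTable` before the append, or a comment stating that duplicates are tolerated, would settle that. The hook is registered at STAGE_CHILD_EXECUTE with HOOK_PRIO_COMMON; the gid table is only useful if the hook that applies it via setgroups runs later in the same stage, which is not visible here and should be confirmed in a comment at the registration line.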
diff --git a/modules/sandbox/normal/sandbox_common.cpp b/modules/sandbox/normal/sandbox_common.cpp index c34e2fc1..fc89bf45 100644 --- a/modules/sandbox/normal/sandbox_common.cpp +++ b/modules/sandbox/normal/sandbox_common.cpp @@ -902,13 +902,7 @@ std::string SandboxCommon::ConvertToRealPathWithPermission(const AppSpawningCtx } if (path.find(SandboxCommonDef::g_userId) != std::string::npos) { - if (deviceTypeEnable_ == SandboxCommonDef::FILE_CROSS_APP_STATUS) { - path = ReplaceAllVariables(path, SandboxCommonDef::g_userId, "currentUser"); - } else if (deviceTypeEnable_ == SandboxCommonDef::FILE_ACCESS_COMMON_DIR_STATUS) { - path = ReplaceAllVariables(path, SandboxCommonDef::g_userId, "currentUser"); - } else { - return ""; - } + path = ReplaceAllVariables(path, SandboxCommonDef::g_userId, "currentUser"); } return path; } diff --git a/modules/sandbox/normal/sandbox_core.cpp b/modules/sandbox/normal/sandbox_core.cpp index 0959eafb..affa6da1 100644 --- a/modules/sandbox/normal/sandbox_core.cpp +++ b/modules/sandbox/normal/sandbox_core.cpp 
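Review bot: Removing the `deviceTypeEnable_` gate changes the contract of ConvertToRealPathWithPermission: a path containing `g_userId` previously resolved only when the device was in FILE_CROSS_APP_STATUS or FILE_ACCESS_COMMON_DIR_STATUS and otherwise returned `""`, whereas now it always resolves to `currentUser`. Any caller that treated the empty result as "do not mount this path" will now perform the mount, so each caller should be checked for that assumption, and `deviceTypeEnable_` should be checked for remaining readers. A comment above the `if`, such as `// The user-id placeholder always maps to currentUser; the device-type gate was removed on purpose`, would record the decision for later readers. The function's opening lines lie outside the hunk.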
@@ -122,12 +122,11 @@ void SandboxCore::UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty, int32_t SandboxCore::UpdatePermissionFlags(AppSpawningCtx *appProperty) { int32_t index = 0; - int32_t appFullMountStatus = SandboxCommon::CheckAppFullMountEnable(); - if (appFullMountStatus == SandboxCommonDef::FILE_CROSS_APP_STATUS) { - index = GetPermissionIndex(nullptr, SandboxCommonDef::FILE_CROSS_APP_MODE.c_str()); - } else if (appFullMountStatus == SandboxCommonDef::FILE_ACCESS_COMMON_DIR_STATUS) { - index = GetPermissionIndex(nullptr, SandboxCommonDef::FILE_ACCESS_COMMON_DIR_MODE.c_str()); - } +#ifdef APPSPAWN_SUPPORT_NOSHAREFS + index = GetPermissionIndex(nullptr, SandboxCommonDef::FILE_CROSS_APP_MODE.c_str()); +#else + index = GetPermissionIndex(nullptr, SandboxCommonDef::FILE_ACCESS_COMMON_DIR_MODE.c_str()); +#endif int32_t fileMgrIndex = GetPermissionIndex(nullptr, SandboxCommonDef::FILE_ACCESS_MANAGER_MODE.c_str()); if (index > 0 && (CheckAppPermissionFlagSet(appProperty, static_cast(fileMgrIndex)) == 0)) { return SetAppPermissionFlags(appProperty, index); -- Gitee
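Review bot: The compile-time `#ifdef` replaces a runtime gate that could leave `index` at 0 when neither full-mount status was enabled, in which case SetAppPermissionFlags was skipped; now the cross-app or common-dir permission index is always looked up, so as far as the visible lines show every app reaching this function without the file-manager flag gets that permission flag regardless of the device's runtime full-mount state. If CheckAppFullMountEnable read a device parameter, confirm that dropping it is intended and that no other caller still relies on it. Stylistically, `int32_t index = 0;` followed by an assignment in both preprocessor branches can be replaced by selecting the mode string under the `#ifdef` and initialising `index` once, as sketched below. The remainder of UpdatePermissionFlags continues past the hunk.
```cpp
int32_t SandboxCore::UpdatePermissionFlags(AppSpawningCtx *appProperty)
{
    // Build-time selection; the former runtime CheckAppFullMountEnable() gate is gone.
#ifdef APPSPAWN_SUPPORT_NOSHAREFS
    const auto &fullMountMode = SandboxCommonDef::FILE_CROSS_APP_MODE;
#else
    const auto &fullMountMode = SandboxCommonDef::FILE_ACCESS_COMMON_DIR_MODE;
#endif
    int32_t index = GetPermissionIndex(nullptr, fullMountMode.c_str());
    // … unchanged: fileMgrIndex lookup and SetAppPermissionFlags …
```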