diff --git a/appdata-sandbox.json b/appdata-sandbox.json
index 6e2f215d7ca513673089ef5d3907906bf57f4f30..042036502fe442291b2fe85b6add334af4423603 100755
--- a/appdata-sandbox.json
+++ b/appdata-sandbox.json
@@ -298,84 +298,112 @@ } ], "flags-point" : [{ - "flags": "DLP_MANAGER", - "mount-paths" : [{ - "src-path" : "/data/app/el2//base/", - "sandbox-path" : "/data/storage/el2/base", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" - },{ - "src-path" : "/data/app/el1//database/", - "sandbox-path" : "/data/storage/el1/database", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" - }, { - "src-path" : "/data/app/el2//database/", - "sandbox-path" : "/data/storage/el2/database", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" - }, { - "src-path" : "/data/app/el1//base/", - "sandbox-path" : "/data/storage/el1/base", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" - }, { - "src-path" : "/data/app/el2//log/", - "sandbox-path" : "/data/storage/el2/log", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" - }, { - "src-path" : "/mnt/share//", - "sandbox-path" : "/data/storage/el2/share", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" - } - ]}, { - "flags": "START_FLAGS_BACKUP", - "mount-paths": [{ - "src-path": "/data/app/el2//base//.backup", - "sandbox-path": "/data/storage/el2/backup", - "sandbox-flags": [ "bind", "rec" ], - "check-action-status": "false" - }, { - "src-path" : "/data/app/el1//base//.backup", - "sandbox-path" : "/data/storage/el1/backup", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" - } - ]}, { - "flags": "DEVELOPER_MODE", - "mount-paths": [{ - "src-path": "/data/app/el1/bundle//hnppublic", - "sandbox-path": "/data/service/hnp", - "sandbox-flags": [ "bind", "rec" ], - "check-action-status": "false" - }, { - "src-path" : "/data/app/el1/bundle//hnp/", - "sandbox-path" : "/data/app", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" - } - ]}, { - "flags": "PREINSTALLED_HAP", - "mount-paths": [{ - "src-path": "/system/app", - "sandbox-path": "/system/app", - "sandbox-flags": [ 
"bind", "rec" ], - "check-action-status": "false" - } - ]}, { - "flags": "CUSTOM_SANDBOX_HAP", - "mount-paths": [{ - "src-path": "/tmp", - "sandbox-path": "/tmp", - "sandbox-flags": [ "bind", "rec" ], - "check-action-status": "false" - } - ]} - ], - "symbol-links" : [ - ] + "flags": "DLP_MANAGER", + "mount-paths" : [{ + "src-path" : "/data/app/el2//base/", + "sandbox-path" : "/data/storage/el2/base", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/data/app/el1//database/", + "sandbox-path" : "/data/storage/el1/database", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/data/app/el2//database/", + "sandbox-path" : "/data/storage/el2/database", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/data/app/el1//base/", + "sandbox-path" : "/data/storage/el1/base", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/data/app/el2//log/", + "sandbox-path" : "/data/storage/el2/log", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/mnt/share//", + "sandbox-path" : "/data/storage/el2/share", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + } + ]}, { + "flags": "START_FLAGS_BACKUP", + "mount-paths": [{ + "src-path": "/data/app/el2//base//.backup", + "sandbox-path": "/data/storage/el2/backup", + "sandbox-flags": [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/data/app/el1//base//.backup", + "sandbox-path" : "/data/storage/el1/backup", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + } + ]}, { + "flags": "DEVELOPER_MODE", + "mount-paths": [{ + "src-path": "/data/app/el1/bundle//hnppublic", + "sandbox-path": "/data/service/hnp", + "sandbox-flags": [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/data/app/el1/bundle//hnp/", + "sandbox-path" : 
"/data/app", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + } + ]}, { + "flags": "PREINSTALLED_HAP", + "mount-paths": [{ + "src-path": "/system/app", + "sandbox-path": "/system/app", + "sandbox-flags": [ "bind", "rec" ], + "check-action-status": "false" + } + ]}, { + "flags": "CUSTOM_SANDBOX_HAP", + "mount-paths": [{ + "src-path": "/tmp", + "sandbox-path": "/tmp", + "sandbox-flags": [ "bind", "rec" ], + "check-action-status": "false" + } + ]}, { + "flags": "FILE_CROSS_APP", + "mount-paths": [{ + "src-path": "/mnt/data/external", + "sandbox-path": "/storage/External", + "sandbox-flags": [ "bind", "rec" ] + }, { + "src-path": "/mnt/user//nosharefs/docs", + "sandbox-path": "/storage/Users", + "sandbox-flags": [ "bind", "rec" ] + }, { + "src-path": "/mnt/data//userExternal", + "sandbox-path": "/storage/userExternal", + "sandbox-flags": [ "bind", "rec" ], + "check-action-status": "false" + } + ]}, { + "flags": "FILE_ACCESS_COMMON_DIR", + "mount-paths": [{ + "src-path": "/mnt/user//sharefs/docs", + "sandbox-path": "/mnt/storage/Users", + "sandbox-flags": [ "bind", "rec" ] + }, { + "src-path": "/mnt/sandbox///mnt/storage/Users", + "sandbox-path": "/storage/Users", + "sandbox-flags-customized": [ "MS_NODEV"], + "dac-override-sensitive": "true", + "fs-type": "sharefs", + "options": "override" + } + ]}], + "symbol-links" : [] }] }], "individual" : [{ 
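Review bot: The `FILE_CROSS_APP` and `FILE_ACCESS_COMMON_DIR` groups are moved from the permission section into `flags-point`, so they are now mounted through HandleFlagsPoint and `DoAllMntPointsMount(..., g_flagePoint)`, and nothing in this diff shows that this path honours the same keys. The `/storage/Users` override entry depends on `sandbox-flags-customized` (`MS_NODEV`), `fs-type`, `options` and `dac-override-sensitive`; if the flags-point path ignores any of them, the mount would be created with different properties than before. Four of the five moved entries also omit `check-action-status`, unlike every other flags-point entry, so they take whatever default that path applies. Confirm both with a test that spawns with each flag set and inspects the resulting mount options.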
@@ -753,43 +781,6 @@ } ] }], - "ohos.permission.FILE_CROSS_APP":[{ - "sandbox-switch": "ON", - "mount-paths": [{ - "src-path": "/mnt/data/external", - "sandbox-path": "/storage/External", - "sandbox-flags": [ "bind", "rec" ] - }, - { - "src-path": "/mnt/user//nosharefs/docs", - "sandbox-path": "/storage/Users", - "sandbox-flags": [ "bind", "rec" ] - }, - { - "src-path": "/mnt/data//userExternal", - "sandbox-path": "/storage/userExternal", - "sandbox-flags": [ "bind", "rec" ], - "check-action-status": "false" - } - ] - }], - "ohos.permission.FILE_ACCESS_COMMON_DIR":[{ - "sandbox-switch": "ON", - "mount-paths": [{ - "src-path": "/mnt/user//sharefs/docs", - "sandbox-path": "/mnt/storage/Users", - "sandbox-flags": [ "bind", "rec" ] - }, - { - "src-path": "/mnt/sandbox///mnt/storage/Users", - "sandbox-path": "/storage/Users", - "sandbox-flags-customized": [ "MS_NODEV"], - "dac-override-sensitive": "true", - "fs-type": "sharefs", - "options": "override" - } - ] - }], "ohos.permission.ACTIVATE_THEME_PACKAGE":[{ "sandbox-switch": "ON", "gids": [3817], diff --git a/interfaces/innerkits/include/appspawn.h b/interfaces/innerkits/include/appspawn.h index a1c7a0f5f569a5ee36cee1e25ce51e5ebbc51d19..506fd6817cc82eb0bd832a9ded01b7423a42d5fa 100644 --- a/interfaces/innerkits/include/appspawn.h +++ b/interfaces/innerkits/include/appspawn.h @@ -204,6 +204,8 @@ typedef enum { APP_FLAGS_SET_CAPS_FOWNER, APP_FLAGS_ALLOW_IOURING = 33, APP_FLAGS_UNLOCKED_STATUS = 34, + APP_FLAGS_FILE_CROSS_APP = 35, + APP_FLAGS_FILE_ACCESS_COMMON_DIR = 36, MAX_FLAGS_INDEX = 63, } AppFlagsIndex; diff --git a/interfaces/innerkits/permission/appspawn_mount_permission.c b/interfaces/innerkits/permission/appspawn_mount_permission.c index b828348c490bf2dde43f550bd90e91ea1c612af4..adb7ba27395fe44fdb02304b13ef5318265f1957 100644 --- a/interfaces/innerkits/permission/appspawn_mount_permission.c +++ b/interfaces/innerkits/permission/appspawn_mount_permission.c 
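Review bot: `APP_FLAGS_FILE_CROSS_APP = 35` and `APP_FLAGS_FILE_ACCESS_COMMON_DIR = 36` are added to the public AppFlagsIndex enum without a comment saying who is expected to set them. The only setter visible in this commit is UpdatePointFlags inside appspawn, so if clients are not meant to send them, say so here, for example `/* set by appspawn in UpdatePointFlags; not expected in client messages */`. Index 35 was also the value ConvertFlagStr used for `PREINSTALLED_SHELL_HAP` before this commit removed that entry, so it is worth confirming that no sender still uses 35 with the old meaning. The enum starts and ends outside the hunk.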
@@ -26,11 +26,6 @@ #include "json_utils.h" #include "securec.h" -static const char *g_staticPermission[] = { - "ohos.permission.FOWNER", - "ohos.permission.ALLOW_IOURING" -}; - typedef struct TagParseJsonContext { SandboxQueue permissionQueue; int32_t maxPermissionIndex; @@ -112,10 +107,9 @@ static int LoadPermissionConfig(PermissionManager *mgr) (void)ParseJsonConfig("etc/sandbox", mgr->type == CLIENT_FOR_APPSPAWN ? APP_SANDBOX_FILE_NAME : RENDER_SANDBOX_FILE_NAME, ParseAppSandboxConfig, mgr); - - size_t count = sizeof(g_staticPermission) / sizeof(g_staticPermission[0]); + size_t count = sizeof(g_spawnerPermissionList) / sizeof(g_spawnerPermissionList[0]); for (size_t i = 0; i < count; i++) { - AddSandboxPermissionNode(g_staticPermission[i], &mgr->permissionQueue); + AddSandboxPermissionNode(g_spawnerPermissionList[i], &mgr->permissionQueue); } mgr->maxPermissionIndex = PermissionRenumber(&mgr->permissionQueue); return 0; diff --git a/modules/sandbox/normal/sandbox_common.cpp b/modules/sandbox/normal/sandbox_common.cpp index f00b4aceb5f8cb400fe9e87927e3bd9fa7cc6436..5552befe9b3abd258c54a9da4c363a64f6eec2d8 100644 --- a/modules/sandbox/normal/sandbox_common.cpp +++ b/modules/sandbox/normal/sandbox_common.cpp 
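Review bot: `g_spawnerPermissionList` is not declared anywhere in this diff, and the count `sizeof(g_spawnerPermissionList) / sizeof(g_spawnerPermissionList[0])` in LoadPermissionConfig is only correct when the complete array definition is visible in this translation unit. With an `extern const char *g_spawnerPermissionList[];` declaration it would not compile, and with a pointer it would silently give the wrong count, so the header that provides it should carry a comment to that effect or export an explicit element count. The list contents presumably feed the indexes assigned by PermissionRenumber, which means appspawn and its clients have to be built from the same list; a note on that in the header would help. LoadPermissionConfig begins outside the hunk.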
@@ -394,15 +394,16 @@ bool SandboxCommon::GetSwitchStatus(cJSON *config) // GetSbxSwitchStatusByConfig uint32_t SandboxCommon::ConvertFlagStr(const std::string &flagStr) { - const std::map flagsMap = {{"0", 0}, {"START_FLAGS_BACKUP", 1}, - {"DLP_MANAGER", 2}, - {"DEVELOPER_MODE", 17}, - {"PREINSTALLED_HAP", 29}, - {"CUSTOM_SANDBOX_HAP", 31}, - {"PREINSTALLED_SHELL_HAP", 35}}; + const std::map flagsMap = {{"START_FLAGS_BACKUP", APP_FLAGS_BACKUP_EXTENSION}, + {"DLP_MANAGER", APP_FLAGS_DLP_MANAGER}, + {"DEVELOPER_MODE", APP_FLAGS_DEVELOPER_MODE}, + {"PREINSTALLED_HAP", APP_FLAGS_PRE_INSTALLED_HAP}, + {"CUSTOM_SANDBOX_HAP", APP_FLAGS_CUSTOM_SANDBOX}, + {"FILE_CROSS_APP", APP_FLAGS_FILE_CROSS_APP}, + {"FILE_ACCESS_COMMON_DIR", APP_FLAGS_FILE_ACCESS_COMMON_DIR}}; if (flagsMap.count(flagStr)) { - return 1 << flagsMap.at(flagStr); + return flagsMap.at(flagStr); } return 0; } diff --git a/modules/sandbox/normal/sandbox_core.cpp b/modules/sandbox/normal/sandbox_core.cpp index 9b3a0444e8443b8eeba5d2e975abb59a394853c6..b5cabeb5b5eded9f02ed370a9b23021f2641ba8a 100644 --- a/modules/sandbox/normal/sandbox_core.cpp +++ b/modules/sandbox/normal/sandbox_core.cpp @@ -95,7 +95,8 @@ bool SandboxCore::CheckMountFlag(const AppSpawningCtx *appProperty, const std::s return false; } std::string flagStr(flagChr); - if (((SandboxCommon::ConvertFlagStr(flagStr) & GetAppMsgFlags(appProperty)) != 0) && + uint32_t flag = SandboxCommon::ConvertFlagStr(flagStr); + if ((CheckAppMsgFlagsSet(appProperty, flag) != 0) && bundleName.find("wps") != std::string::npos) { return true; } 
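Review bot: An unrecognised flag name now resolves to a real flag index, because ConvertFlagStr still ends in `return 0;` while its result changed from a bit mask (where 0 matched nothing) to an index. A misspelt or retired `flags` string in the sandbox config (this hunk drops `PREINSTALLED_SHELL_HAP` and `"0"` from the map) is therefore evaluated as index 0 by CheckAppMsgFlagsSet in HandleFlagsPoint, CheckMountFlag and GetSpecialMountCondition, and its mount paths are applied whenever that bit is set in the message. Return a value no flag can hold for unknown names, e.g. `return MAX_FLAGS_INDEX + 1;`, log the name, and have the callers skip the entry; whether CheckAppMsgFlagsSet already rejects an out-of-range index is not visible here. A comment above the function stating that it returns an AppFlagsIndex rather than a mask would keep later callers from reintroducing `&`.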
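Review bot: The mount decision in CheckMountFlag is still tied to `bundleName.find("wps") != std::string::npos`, a substring match, so the gate holds for every bundle whose name merely contains those three letters rather than for one specific package. If a particular application is meant, compare the full bundle name with `==` or take an allow-list from the sandbox config. The function starts and ends outside the hunk, so where `flagChr` comes from cannot be checked here.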
@@ -117,17 +118,17 @@ void SandboxCore::UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty, cons } } -int32_t SandboxCore::UpdatePermissionFlags(AppSpawningCtx *appProperty) +int32_t SandboxCore::UpdatePointFlags(AppSpawningCtx *appProperty) { - int32_t index = 0; + uint32_t index = 0; #ifdef APPSPAWN_SUPPORT_NOSHAREFS - index = GetPermissionIndex(nullptr, SandboxCommonDef::FILE_CROSS_APP_MODE.c_str()); + index = APP_FLAGS_FILE_CROSS_APP; #else - index = GetPermissionIndex(nullptr, SandboxCommonDef::FILE_ACCESS_COMMON_DIR_MODE.c_str()); + index = APP_FLAGS_FILE_ACCESS_COMMON_DIR; #endif int32_t fileMgrIndex = GetPermissionIndex(nullptr, SandboxCommonDef::FILE_ACCESS_MANAGER_MODE.c_str()); - if (index > 0 && (CheckAppPermissionFlagSet(appProperty, static_cast(fileMgrIndex)) == 0)) { - return SetAppPermissionFlags(appProperty, index); + if ((CheckAppPermissionFlagSet(appProperty, static_cast(fileMgrIndex)) == 0)) { + return SetAppSpawnMsgFlag(appProperty->message, TLV_MSG_FLAGS, index); } return 0; } @@ -701,8 +702,8 @@ void SandboxCore::GetSpecialMountCondition(bool &isPreInstalled, bool &isHaveSan { const std::string preInstallFlag = "PREINSTALLED_HAP"; const std::string customSandBoxFlag = "CUSTOM_SANDBOX_HAP"; - isPreInstalled = (GetAppMsgFlags(appProperty) & SandboxCommon::ConvertFlagStr(preInstallFlag)) != 0; - isHaveSandBoxPermission = (GetAppMsgFlags(appProperty) & SandboxCommon::ConvertFlagStr(customSandBoxFlag)) != 0; + isPreInstalled = CheckAppMsgFlagsSet(appProperty, SandboxCommon::ConvertFlagStr(preInstallFlag)) != 0; + isHaveSandBoxPermission = CheckAppMsgFlagsSet(appProperty, SandboxCommon::ConvertFlagStr(customSandBoxFlag)) != 0; } int32_t SandboxCore::MountNonShellPreInstallHap(const AppSpawningCtx *appProperty, cJSON *item) 
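Review bot: UpdatePointFlags only ever sets the flag, so if the app holds the file-access-manager permission it returns 0 without touching bits 35/36, and HandleFlagsPoint will still apply the FILE_CROSS_APP / FILE_ACCESS_COMMON_DIR mounts when the incoming message already had one of them set. If the spawner alone is meant to decide these two flags, clear them, or reject a message that carries them, before the permission check. `SetAppSpawnMsgFlag(appProperty->message, TLV_MSG_FLAGS, index)` also targets the second 32-bit flag word; its body is not shown, but if it fails for a message that carries only one word, the new APPSPAWN_CHECK in SetAppSandboxProperty turns that into a failed spawn. Finally, `fileMgrIndex` is cast to unsigned without checking that GetPermissionIndex found the permission, so a failed lookup is treated as "permission not held" and the flag is set; `if (fileMgrIndex < 0) { return -1; }` before the check would make that case explicit, if a negative result is how a failed lookup is reported.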
@@ -756,7 +757,7 @@ int32_t SandboxCore::HandleFlagsPoint(const AppSpawningCtx *appProperty, cJSON * } uint32_t flag = SandboxCommon::ConvertFlagStr(flagsStr); - if ((GetAppMsgFlags(appProperty) & flag) == 0) { + if (CheckAppMsgFlagsSet(appProperty, flag) == 0) { return 0; } return DoAllMntPointsMount(appProperty, item, nullptr, SandboxCommonDef::g_flagePoint); @@ -933,10 +934,8 @@ int32_t SandboxCore::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_t int rc = EnableSandboxNamespace(appProperty, sandboxNsFlags); FinishAppspawnTrace(); APPSPAWN_CHECK(rc == 0, return rc, "unshare failed, packagename is %{public}s", bundleName.c_str()); - if (UpdatePermissionFlags(appProperty) != 0) { - APPSPAWN_LOGW("Set app permission flag fail."); - return -1; - } + APPSPAWN_CHECK(UpdatePointFlags(appProperty) == 0, return -1, "Set app permission flag fail."); + UpdateMsgFlagsWithPermission(appProperty, SandboxCommonDef::GET_ALL_PROCESSES_MODE, APP_FLAGS_GET_ALL_PROCESSES); UpdateMsgFlagsWithPermission(appProperty, SandboxCommonDef::APP_ALLOW_IOURING, APP_FLAGS_ALLOW_IOURING); // check app sandbox switch diff --git a/modules/sandbox/normal/sandbox_core.h b/modules/sandbox/normal/sandbox_core.h index ab8d05d63abef5ac5d18ce6a628c5f76f2a37bae..adfaac2c9521489f944a4571193f6b6ebe7178cd 100644 --- a/modules/sandbox/normal/sandbox_core.h +++ b/modules/sandbox/normal/sandbox_core.h @@ -76,7 +76,7 @@ private: cJSON *appConfig); static void UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty, const std::string &permissionMode, uint32_t flag); - static int32_t UpdatePermissionFlags(AppSpawningCtx *appProperty); + static int32_t UpdatePointFlags(AppSpawningCtx *appProperty); static std::string GetSandboxPath(const AppSpawningCtx *appProperty, cJSON *mntPoint, const std::string §ion, std::string sandboxRoot); 
diff --git a/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp b/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp index b33ea9d12c41a573e787391beb839fb7046c2f0f..2fa6c180c8cda83ee258a70e341ee291b814a17a 100644 --- a/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp +++ b/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp @@ -1854,32 +1854,6 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_dec_05, TestSize.Level0) DeleteAppSpawningCtx(appProperty); } -/** - * @tc.name: App_Spawn_Sandbox_dec_06 - * @tc.desc: set deny dec rules - * @tc.type: FUNC - * @tc.author: - */ -HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_dec_06, TestSize.Level0) -{ - AppSpawningCtx *appProperty = GetTestAppProperty(); - AppSpawn::SandboxCore::SetDecDenyWithDir(appProperty); - - int32_t userFileIndex = GetPermissionIndex(nullptr, "ohos.permission.READ_WRITE_USER_FILE"); - ASSERT_NE(userFileIndex, 0); - int ret = SetAppPermissionFlags(appProperty, userFileIndex); - ASSERT_EQ(ret, 0); - AppSpawn::SandboxCore::SetDecDenyWithDir(appProperty); - - int32_t downloadIndex = GetPermissionIndex(nullptr, "ohos.permission.READ_WRITE_DOWNLOAD_DIRECTORY"); - ASSERT_NE(downloadIndex, 0); - ret = SetAppPermissionFlags(appProperty, downloadIndex); - ASSERT_EQ(ret, 0); - AppSpawn::SandboxCore::SetDecDenyWithDir(appProperty); - - DeleteAppSpawningCtx(appProperty); -} - /** * @tc.name: App_Spawn_Sandbox_Shared_Mount_01 * @tc.desc: [IsValidDataGroupItem] input valid param diff --git a/test/unittest/app_spawn_test_helper.cpp b/test/unittest/app_spawn_test_helper.cpp index 7d4d8228ef7c92cfaec846657f3138deb9108b1a..16b7e48b11a242b6ca3136d9ebd2d6e3f601a91b 100644 --- a/test/unittest/app_spawn_test_helper.cpp +++ b/test/unittest/app_spawn_test_helper.cpp 
@@ -672,7 +672,7 @@ int AppSpawnTestHelper::AddBaseTlv(uint8_t *buffer, uint32_t bufferLen, uint32_t { // add app flage uint32_t currLen = 0; - uint32_t flags[2] = {1, 0b1010}; + uint32_t flags[2] = {2, 0b1010}; AppSpawnTlv tlv = {}; tlv.tlvType = TLV_MSG_FLAGS; tlv.tlvLen = sizeof(AppSpawnTlv) + sizeof(flags);
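Review bot: `flags[0]` appears to be the flag-word count, and raising it to 2 while the array still holds a single data word (`0b1010`) makes the TLV declare more words than `sizeof(flags)` puts into `tlvLen`. Any access to index 32–63, which includes the new APP_FLAGS_FILE_CROSS_APP and APP_FLAGS_FILE_ACCESS_COMMON_DIR, would then read or write the four bytes that follow this TLV in the test buffer instead of a flag word. Supply the second word explicitly: `uint32_t flags[3] = {2, 0b1010, 0};`. AddBaseTlv continues past the end of the hunk, so confirm that the copy into `buffer` uses `sizeof(flags)` as well.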