From c3dc98adbac26017a322efb472849015d84391ff Mon Sep 17 00:00:00 2001
From: ligongshao <flamingsword1953@163.com>
Date: Tue, 12 Aug 2025 14:38:26 +0800
Subject: [PATCH] set dec inherit deny.

Signed-off-by: ligongshao <ligongshao2@huawei.com>
---
 modules/sandbox/normal/sandbox_core.cpp | 2 +-
 modules/sandbox/sandbox_dec.h           | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/modules/sandbox/normal/sandbox_core.cpp b/modules/sandbox/normal/sandbox_core.cpp
index e59b3131..004a4119 100644
--- a/modules/sandbox/normal/sandbox_core.cpp
+++ b/modules/sandbox/normal/sandbox_core.cpp
@@ -1205,7 +1205,7 @@ void SandboxCore::SetDecDenyWithDir(const AppSpawningCtx *appProperty)
         PathInfo pathInfo = {0};
         pathInfo.path = const_cast<char *>(DEC_DENY_PATH_MAP[i].decPath);
         pathInfo.pathLen = static_cast<uint32_t>(strlen(pathInfo.path));
-        pathInfo.mode = DEC_MODE_DENY_READ | DEC_MODE_DENY_WRITE;
+        pathInfo.mode = DEC_MODE_DENY_INHERIT;
         decPolicyInfo.path[j++] = pathInfo;
         decPolicyInfo.pathNum += 1;
     }
diff --git a/modules/sandbox/sandbox_dec.h b/modules/sandbox/sandbox_dec.h
index 64452893..8a8594fa 100644
--- a/modules/sandbox/sandbox_dec.h
+++ b/modules/sandbox/sandbox_dec.h
@@ -51,8 +51,7 @@ extern "C" {
 #define MAX_POLICY_NUM 8
 #define SANDBOX_MODE_READ  0x00000001
 #define SANDBOX_MODE_WRITE (SANDBOX_MODE_READ << 1)
-#define DEC_MODE_DENY_READ  (1 << 5)
-#define DEC_MODE_DENY_WRITE (1 << 6)
+#define DEC_MODE_DENY_INHERIT (1 << 9)
 
 #define DEC_POLICY_HEADER_RESERVED 64
 
-- 
Gitee