diff --git a/appdata-sandbox.json b/appdata-sandbox.json
index 7370669594af4593a3d1ba8c136d61ecb285ca52..64f8ea73b4df223b30a8a5a6ce396afa2436c291 100644
--- a/appdata-sandbox.json
+++ b/appdata-sandbox.json
@@ -909,13 +909,6 @@
"sandbox-flags" : [ "bind", "rec" ],
"mount-shared-flag" : "true",
"check-action-status": "true"
- }, {
- "src-path" : "/dev/fuse",
- "sandbox-path" : "/mnt/data/fuse",
- "sandbox-flags" : [ "MS_NOSUID", "MS_NODEV", "MS_NOEXEC", "MS_NOATIME", "MS_LAZYTIME" ],
- "dac-override-sensitive": "true",
- "fs-type": "fuse",
- "check-action-status": "false"
}, {
"src-path" : "",
"sandbox-path" : "",
diff --git a/modules/sandbox/normal/sandbox_core.cpp b/modules/sandbox/normal/sandbox_core.cpp
index 524053a7d7bc984afe5f3965d20d1475c18c9704..076abf38d0fc2ec240322e981de988b8a38c629a 100644
--- a/modules/sandbox/normal/sandbox_core.cpp
+++ b/modules/sandbox/normal/sandbox_core.cpp
@@ -150,63 +150,56 @@ std::string SandboxCore::GetSandboxPath(const AppSpawningCtx *appProperty, cJSON return sandboxPath; } -int32_t SandboxCore::DoDlpAppMountStrategy(const AppSpawningCtx *appProperty, const std::string &srcPath, - const std::string &sandboxPath, const std::string &fsType, unsigned long mountFlags) +int32_t SandboxCore::HandleDlpMount(const AppSpawnMsgDacInfo *dacInfo) { - AppSpawnMsgDacInfo *dacInfo = reinterpret_cast(GetAppProperty(appProperty, TLV_DAC_INFO)); - if (dacInfo == nullptr) { - return -1; - } - + std::string fusePath = "/mnt/data/" + std::to_string(dacInfo->uid / UID_BASE) + "/fuse"; // umount fuse path, make sure that sandbox path is not a mount point - umount2(sandboxPath.c_str(), MNT_DETACH); + umount2(fusePath.c_str(), MNT_DETACH); + + int32_t ret = SandboxCommon::CreateDirRecursive(fusePath, SandboxCommonDef::FILE_MODE); + APPSPAWN_CHECK(ret == 0, return APPSPAWN_SANDBOX_ERROR_MKDIR_FAIL, + "Create sandbox path failed, errno is %{public}d", errno); int fd = open("/dev/fuse", O_RDWR); - APPSPAWN_CHECK(fd != -1, return -EINVAL, "open /dev/fuse failed, errno is %{public}d", errno); + APPSPAWN_CHECK(fd > 0, return -EINVAL, "Open /dev/fuse failed, errno is %{public}d", errno); char options[SandboxCommonDef::OPTIONS_MAX_LEN]; - (void)sprintf_s(options, sizeof(options), "fd=%d," - "rootmode=40000,user_id=%u,group_id=%u,allow_other," - "context=\"u:object_r:dlp_fuse_file:s0\"," - "fscontext=u:object_r:dlp_fuse_file:s0", - fd, dacInfo->uid, dacInfo->gid); - - // To make sure destinationPath exist - (void)SandboxCommon::CreateDirRecursive(sandboxPath, SandboxCommonDef::FILE_MODE); + ret = sprintf_s(options, sizeof(options), "fd=%d," + "rootmode=40000,user_id=%u,group_id=%u,allow_other," + "context=\"u:object_r:dlp_fuse_file:s0\"," + "fscontext=u:object_r:dlp_fuse_file:s0", + fd, dacInfo->uid, dacInfo->gid); + APPSPAWN_CHECK(ret >= 0, close(fd); + return APPSPAWN_ERROR_UTILS_MEM_FAIL, "Make mount fuse option failed, errno is %{public}d", 
errno); #ifndef APPSPAWN_TEST - APPSPAWN_LOGV("Bind mount %{public}s to %{public}s '%{public}s' '%{public}lu' '%{public}s'", - srcPath.c_str(), sandboxPath.c_str(), fsType.c_str(), mountFlags, options); - int ret = mount(srcPath.c_str(), sandboxPath.c_str(), fsType.c_str(), mountFlags, options); + ret = mount("/dev/fuse", fusePath.c_str(), "fuse", + MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_NOATIME | MS_LAZYTIME, options); APPSPAWN_CHECK(ret == 0, close(fd); - return ret, "DoDlpAppMountStrategy failed, bind mount %{public}s to %{public}s failed %{public}d", - srcPath.c_str(), sandboxPath.c_str(), errno); - - ret = mount(nullptr, sandboxPath.c_str(), nullptr, MS_SHARED, nullptr); + return ret, "Mount fuse failed %{public}s, errno: %{public}d", fusePath.c_str(), errno); + ret = mount(nullptr, fusePath.c_str(), nullptr, MS_SHARED, nullptr); APPSPAWN_CHECK(ret == 0, close(fd); - return ret, "errno is: %{public}d, private mount to %{public}s failed", errno, sandboxPath.c_str()); + return ret, "Shared mount %{public}s, errno: %{public}d", fusePath.c_str(), errno); #endif + /* set DLP_FUSE_FD */ #ifdef WITH_DLP SetDlpFuseFd(fd); #endif - return fd; + return 0; } -int32_t SandboxCore::HandleSpecialAppMount(const AppSpawningCtx *appProperty, const std::string &srcPath, - const std::string &sandboxPath, const std::string &fsType, unsigned long mountFlags) +bool SandboxCore::CheckDlpMount(const AppSpawningCtx *appProperty) { std::string bundleName = GetBundleName(appProperty); std::string processName = GetProcessName(appProperty); /* dlp application mount strategy */ /* dlp is an example, we should change to real bundle name later */ - if (bundleName.find(SandboxCommonDef::g_dlpBundleName) != std::string::npos && - processName.compare(SandboxCommonDef::g_dlpBundleName) == 0) { - if (!fsType.empty()) { - return DoDlpAppMountStrategy(appProperty, srcPath, sandboxPath, fsType, mountFlags); - } + if (!(bundleName.find(SandboxCommonDef::g_dlpBundleName) != std::string::npos && + 
processName.compare(SandboxCommonDef::g_dlpBundleName) == 0)) { + return false; } - return -1; + return true; } cJSON *SandboxCore::GetPrivateJsonInfo(const AppSpawningCtx *appProperty, cJSON *wholeConfig) @@ -554,11 +547,7 @@ int32_t SandboxCore::ProcessMountPoint(cJSON *mntPoint, MountPointProcessParams GetBoolValueFromJsonObj(mntPoint, SandboxCommonDef::g_mountSharedFlag, false) ? MS_SHARED : MS_SLAVE }; - /* if app mount failed for special strategy, we need deal with common mount config */ - int ret = HandleSpecialAppMount(params.appProperty, arg.srcPath, arg.destPath, arg.fsType, arg.mountFlags); - if (ret < 0) { - ret = SandboxCommon::DoAppSandboxMountOnce(params.appProperty, &arg); - } + int ret = SandboxCommon::DoAppSandboxMountOnce(params.appProperty, &arg); APPSPAWN_CHECK(ret == 0 || !SandboxCommon::IsMountSuccessful(mntPoint), #ifdef APPSPAWN_HISYSEVENT ReportMountFail(params.bundleName.c_str(), arg.srcPath, arg.destPath, errno); 
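Review bot: `APPSPAWN_CHECK(fd > 0, ...)` in HandleDlpMount treats descriptor 0 as a failure, but `open()` returns 0 whenever that is the lowest free descriptor, so the condition should stay `fd != -1` (or `fd >= 0`). The function now returns 0 instead of the descriptor, so with WITH_DLP undefined the fd is neither handed to SetDlpFuseFd nor closed; either close it in that configuration or state next to `return 0;` that the descriptor is deliberately left open because the fuse mount needs it, which is the reading inferred here and should be confirmed. The removed JSON entry carried `"dac-override-sensitive": "true"` for this mount and the hard-coded replacement does not reproduce whatever that flag enabled in the generic mount path, which is not visible in this diff — worth confirming that `CreateDirRecursive` on `/mnt/data/<uid>/fuse` succeeds without it. The `umount2(fusePath.c_str(), MNT_DETACH)` result remains unchecked, as it was before the change.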
@@ -913,20 +902,23 @@ int32_t SandboxCore::SetSandboxProperty(AppSpawningCtx *appProperty, std::string int32_t SandboxCore::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_t sandboxNsFlags) { - APPSPAWN_CHECK(appProperty != nullptr, return -1, "Invalid appspawn client"); - if (SandboxCommon::CheckBundleName(GetBundleName(appProperty)) != 0) { - return -1; + APPSPAWN_CHECK(appProperty != nullptr, return APPSPAWN_SANDBOX_INVALID, "Invalid appspawn client"); + const std::string bundleName = GetBundleName(appProperty); + if (SandboxCommon::CheckBundleName(bundleName) != 0) { + return APPSPAWN_SANDBOX_INVALID; } AppSpawnMsgDacInfo *dacInfo = reinterpret_cast(GetAppProperty(appProperty, TLV_DAC_INFO)); - APPSPAWN_CHECK(dacInfo != nullptr, return -1, "No dac info in msg app property"); + APPSPAWN_CHECK(dacInfo != nullptr, return APPSPAWN_SANDBOX_INVALID, "No dac info in msg app property"); - const std::string bundleName = GetBundleName(appProperty); - cJSON *tmpJson = nullptr; - std::string sandboxPackagePath = SandboxCommon::GetSandboxRootPath(appProperty, tmpJson); + std::string sandboxPackagePath = SandboxCommon::GetSandboxRootPath(appProperty, nullptr); SandboxCommon::CreateDirRecursiveWithClock(sandboxPackagePath.c_str(), SandboxCommonDef::FILE_MODE); - bool sandboxSharedStatus = SandboxCommon::IsPrivateSharedStatus(bundleName, appProperty) || - (CheckAppPermissionFlagSet(appProperty, static_cast(GetPermissionIndex(nullptr, - SandboxCommonDef::ACCESS_DLP_FILE_MODE.c_str()))) != 0); + + bool dlpStatus = (CheckAppPermissionFlagSet(appProperty, + static_cast(GetPermissionIndex(nullptr, SandboxCommonDef::ACCESS_DLP_FILE_MODE.c_str()))) != 0); + if (dlpStatus && CheckDlpMount(appProperty)) { + int ret = HandleDlpMount(dacInfo); + APPSPAWN_CHECK_ONLY_LOG(ret == 0, "Handle dlp mount failed"); + } // add pid to a new mnt namespace StartAppspawnTrace("EnableSandboxNamespace"); 
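Review bot: `APPSPAWN_CHECK_ONLY_LOG(ret == 0, "Handle dlp mount failed")` in SetAppSandboxProperty only logs when HandleDlpMount fails, so the dlpmanager process keeps spawning without its fuse mount while every other check in this function returns an error; if the mount is required for that process, this should be `APPSPAWN_CHECK(ret == 0, return ret, "Handle dlp mount failed");`. Dropping `sandboxSharedStatus` also removes `SandboxCommon::IsPrivateSharedStatus(bundleName, appProperty)` from the decision, so any bundle that function flagged, not only DLP, now goes through `DoSandboxRootFolderCreate` and `ChangeCurrentDir(..., false)` (the hunks at -940 and -953 in this file); confirm that wider behaviour change is intended and record it in the commit message. A short comment above the new block would help a later reader, e.g. `// the fuse mount is made before EnableSandboxNamespace so the new mount namespace starts with it in place` — that reading is inferred from the statement order here and should be verified. SetAppSandboxProperty continues past the end of this hunk.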
@@ -940,7 +932,7 @@ int32_t SandboxCore::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_t // check app sandbox switch if (!SandboxCommon::IsTotalSandboxEnabled(appProperty) || !SandboxCommon::IsAppSandboxEnabled(appProperty)) { rc = DoSandboxRootFolderCreateAdapt(sandboxPackagePath); - } else if (!sandboxSharedStatus) { + } else { rc = DoSandboxRootFolderCreate(appProperty, sandboxPackagePath); } APPSPAWN_CHECK(rc == 0, return rc, "DoSandboxRootFolderCreate failed, %{public}s", bundleName.c_str()); @@ -953,7 +945,7 @@ int32_t SandboxCore::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_t #ifndef APPSPAWN_TEST StartAppspawnTrace("ChangeCurrentDir"); - rc = ChangeCurrentDir(sandboxPackagePath, bundleName, sandboxSharedStatus); + rc = ChangeCurrentDir(sandboxPackagePath, bundleName, false); FinishAppspawnTrace(); APPSPAWN_CHECK(rc == 0, return rc, "change current dir failed"); APPSPAWN_LOGV("Change root dir success"); diff --git a/modules/sandbox/normal/sandbox_core.h b/modules/sandbox/normal/sandbox_core.h index 1461b6fb81e5b74a52cc86f628221682d52813d5..8758e863c111e6c4d44b49d976bee245af39e4ea 100644 --- a/modules/sandbox/normal/sandbox_core.h +++ b/modules/sandbox/normal/sandbox_core.h @@ -85,10 +85,8 @@ private: static cJSON *GetFirstSubConfig(cJSON *parent, const char *key); // 处理dlpmanager挂载 - static int32_t DoDlpAppMountStrategy(const AppSpawningCtx *appProperty, const std::string &srcPath, - const std::string &sandboxPath, const std::string &fsType, unsigned long mountFlags); - static int32_t HandleSpecialAppMount(const AppSpawningCtx *appProperty, const std::string &srcPath, - const std::string &sandboxPath, const std::string &fsType, unsigned long mountFlags); + static int32_t HandleDlpMount(const AppSpawnMsgDacInfo *dacInfo); + static bool CheckDlpMount(const AppSpawningCtx *appProperty); // 处理应用私有挂载 static cJSON *GetPrivateJsonInfo(const AppSpawningCtx *appProperty, cJSON *wholeConfig); 
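Review bot: The new declarations under `// 处理dlpmanager挂载` in sandbox_core.h say nothing about return values, and HandleDlpMount's contract changed from returning the fuse fd to returning 0, so a caller reading only the header cannot tell. Suggest `// Mounts /dev/fuse at /mnt/data/<uid>/fuse for the dlpmanager process; returns 0 on success, otherwise a non-zero error code (APPSPAWN_* or negative); the opened fd is kept open for the mount` above HandleDlpMount and `// True when both the bundle name and the process name identify the dlpmanager` above CheckDlpMount. Marking both `[[nodiscard]]` would catch a caller that drops the result, which the new test Handle_Dlp_Mount_01 in this commit already does.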
diff --git a/test/moduletest/appspawn_client_test.cpp b/test/moduletest/appspawn_client_test.cpp index 3e285594d1223717493d74d07f41e4eaa0a7f917..8e2960f18f9cff99749f6c7b20fb5750416b2ae7 100644 --- a/test/moduletest/appspawn_client_test.cpp +++ b/test/moduletest/appspawn_client_test.cpp @@ -67,7 +67,6 @@ static AppSpawnReqMsgHandle CreateMsg(AppSpawnClientHandle handle, const char *b static const char *permissions[] = { "ohos.permission.MANAGE_PRIVATE_PHOTOS", - "ohos.permission.FILE_CROSS_APP", "ohos.permission.ACTIVATE_THEME_PACKAGE", "ohos.permission.GET_WALLPAPER", }; diff --git a/test/moduletest/appspawn_test_cmder.cpp b/test/moduletest/appspawn_test_cmder.cpp index f24498216b418ba2a90bc0dfc4e707484bf3f1ec..b1bca7767dafee2bf7dbbb90fb10e2a9d305d68e 100644 --- a/test/moduletest/appspawn_test_cmder.cpp +++ b/test/moduletest/appspawn_test_cmder.cpp @@ -56,7 +56,6 @@ static const std::string g_defaultAppInfo = "{ \ },\ \"permission\" : [\ \"ohos.permission.MANAGE_PRIVATE_PHOTOS\",\ - \"ohos.permission.FILE_CROSS_APP\",\ \"ohos.permission.ACTIVATE_THEME_PACKAGE\"\ ],\ \"internet-permission\" : {\ diff --git a/test/moduletest/test_app_info.json b/test/moduletest/test_app_info.json index 549e4699e261abbb79d734862da9133dd40a9c4b..bf584d895c93db43ee97bf6214977bc1702ca0b1 100644 --- a/test/moduletest/test_app_info.json +++ b/test/moduletest/test_app_info.json @@ -14,7 +14,6 @@ }, "permission": [ "ohos.permission.MANAGE_PRIVATE_PHOTOS", - "ohos.permission.FILE_CROSS_APP", "ohos.permission.ACTIVATE_THEME_PACKAGE" ], "internet-permission": { diff --git a/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp b/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp index 1d488af14a3f2d4cebd995b58ed1d161feeacd34..d929e46f0fd81e4d83036774d99732dc3afbdaad 100644 --- a/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp +++ b/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp 
@@ -652,7 +652,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_26, TestSize.Level0) cJSON *j_config2 = cJSON_Parse(mJsconfig2.c_str()); ASSERT_NE(j_config2, nullptr); int32_t ret = AppSpawn::SandboxCore::DoSandboxFileCommonBind(appProperty, j_config2); - EXPECT_NE(ret, 0); + EXPECT_EQ(ret, 0); cJSON_Delete(j_config2); DeleteAppSpawningCtx(appProperty); @@ -866,7 +866,7 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_31, TestSize.Level0) cJSON *j_config2 = cJSON_Parse(mJsconfig2.c_str()); ASSERT_NE(j_config2, nullptr); ret = AppSpawn::SandboxCore::DoAllMntPointsMount(appProperty, j_config2, nullptr); - EXPECT_NE(ret, 0); + EXPECT_EQ(ret, 0); cJSON_Delete(j_config1); cJSON_Delete(j_config2); 
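Review bot: The expectations in App_Spawn_Sandbox_26 and App_Spawn_Sandbox_31 flip from `EXPECT_NE(ret, 0)` to `EXPECT_EQ(ret, 0)` without a comment, so a reader cannot tell whether the configs under test previously relied on the removed per-mount-point fuse special case. Add a one-line note at each, e.g. `// fuse entries are no longer handled per mount point, so the generic bind path succeeds`, if that is the reason — it is inferred here and should be confirmed against mJsconfig2. Both test bodies start outside the hunk.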
@@ -2440,4 +2440,136 @@ HWTEST_F(AppSpawnSandboxTest, Handle_Flag_Point_PreInstall_Shell_Hap_002, TestSi EXPECT_EQ(res, 0); DeleteAppSpawningCtx(appProperty); } + +/** + * @tc.name: Handle_Dlp_Mount_01 + * @tc.desc: Test mounting the fuse directory in dlpmanager. + * @tc.type: FUNC + */ +HWTEST_F(AppSpawnSandboxTest, Handle_Dlp_Mount_01, TestSize.Level0) +{ + AppSpawningCtx *spawningCtx = GetTestAppProperty(); + ASSERT_EQ(spawningCtx != nullptr, 1); + AppSpawnMsgDacInfo *dacInfo = reinterpret_cast(GetAppProperty(spawningCtx, TLV_DAC_INFO)); + ASSERT_EQ(dacInfo != nullptr, 1); + + int32_t ret = AppSpawn::SandboxCore::HandleDlpMount(dacInfo); + + DeleteAppSpawningCtx(spawningCtx); +} + +/** + * @tc.name: Check_Dlp_Mount_01 + * @tc.desc: Verify whether it is necessary to execute the mount of dlpmanager, when is dlpmanager. + * @tc.type: FUNC + */ +HWTEST_F(AppSpawnSandboxTest, Check_Dlp_Mount_01, TestSize.Level0) +{ + g_testHelper.SetProcessName("com.ohos.dlpmanager"); + AppSpawningCtx *spawningCtx = GetTestAppProperty(); + ASSERT_EQ(spawningCtx != nullptr, 1); + + bool ret = AppSpawn::SandboxCore::CheckDlpMount(spawningCtx); + EXPECT_EQ(ret, true); + + DeleteAppSpawningCtx(spawningCtx); +} + +/** + * @tc.name: Check_Dlp_Mount_02 + * @tc.desc: Verify whether it is necessary to execute the mount of dlpmanager, when is not dlpmanager. + * @tc.type: FUNC + */ +HWTEST_F(AppSpawnSandboxTest, Check_Dlp_Mount_02, TestSize.Level0) +{ + g_testHelper.SetProcessName("com.ohos.notepad"); + AppSpawningCtx *spawningCtx = GetTestAppProperty(); + ASSERT_EQ(spawningCtx != nullptr, 1); + + bool ret = AppSpawn::SandboxCore::CheckDlpMount(spawningCtx); + EXPECT_EQ(ret, false); + + DeleteAppSpawningCtx(spawningCtx); +} + +/** + * @tc.name: Set_App_Sandbox_Property_For_Dlp_01 + * @tc.desc: When dlpStatus is true and CheckDlpMount is true. 
+ * @tc.type: FUNC + */ +HWTEST_F(AppSpawnSandboxTest, Set_App_Sandbox_Property_For_Dlp_01, TestSize.Level0) +{ + g_testHelper.SetTestGid(1000); + g_testHelper.SetTestUid(1000); + g_testHelper.SetProcessName("com.ohos.dlpmanager"); + std::vector &permissions = g_testHelper.GetPermissions(); + permissions.push_back("ohos.permission.ACCESS_DLP_FILE"); + + AppSpawningCtx *spawningCtx = GetTestAppProperty(); + ASSERT_EQ(spawningCtx != nullptr, 1); + bool ret = AppSpawn::SandboxCore::SetAppSandboxProperty(spawningCtx, CLONE_NEWPID); + EXPECT_EQ(ret, false); + + DeleteAppSpawningCtx(spawningCtx); +} + +/** + * @tc.name: Set_App_Sandbox_Property_For_Dlp_02 + * @tc.desc: When dlpStatus is true and CheckDlpMount is false. + * @tc.type: FUNC + */ +HWTEST_F(AppSpawnSandboxTest, Set_App_Sandbox_Property_For_Dlp_02, TestSize.Level0) +{ + g_testHelper.SetTestGid(1000); + g_testHelper.SetTestUid(1000); + g_testHelper.SetProcessName("com.ohos.notepad"); + std::vector &permissions = g_testHelper.GetPermissions(); + permissions.push_back("ohos.permission.ACCESS_DLP_FILE"); + + AppSpawningCtx *spawningCtx = GetTestAppProperty(); + ASSERT_EQ(spawningCtx != nullptr, 1); + bool ret = AppSpawn::SandboxCore::SetAppSandboxProperty(spawningCtx, CLONE_NEWPID); + EXPECT_EQ(ret, false); + + DeleteAppSpawningCtx(spawningCtx); +} + +/** + * @tc.name: Set_App_Sandbox_Property_For_Dlp_03 + * @tc.desc: When dlpStatus is false and CheckDlpMount is true. 
+ * @tc.type: FUNC + */ +HWTEST_F(AppSpawnSandboxTest, Set_App_Sandbox_Property_For_Dlp_03, TestSize.Level0) +{ + g_testHelper.SetTestGid(1000); + g_testHelper.SetTestUid(1000); + g_testHelper.SetProcessName("com.ohos.dlpmanager"); + + AppSpawningCtx *spawningCtx = GetTestAppProperty(); + ASSERT_EQ(spawningCtx != nullptr, 1); + bool ret = AppSpawn::SandboxCore::SetAppSandboxProperty(spawningCtx, CLONE_NEWPID); + EXPECT_EQ(ret, false); + + DeleteAppSpawningCtx(spawningCtx); +} + +/** + * @tc.name: Set_App_Sandbox_Property_For_Dlp_04 + * @tc.desc: When dlpStatus is false and CheckDlpMount is true. + * @tc.type: FUNC + */ +HWTEST_F(AppSpawnSandboxTest, Set_App_Sandbox_Property_For_Dlp_04, TestSize.Level0) +{ + g_testHelper.SetTestGid(1000); + g_testHelper.SetTestUid(1000); + g_testHelper.SetProcessName("com.ohos.notepad"); + + AppSpawningCtx *spawningCtx = GetTestAppProperty(); + ASSERT_EQ(spawningCtx != nullptr, 1); + bool ret = AppSpawn::SandboxCore::SetAppSandboxProperty(spawningCtx, CLONE_NEWPID); + EXPECT_EQ(ret, false); + + DeleteAppSpawningCtx(spawningCtx); +} + } // namespace OHOS diff --git a/test/unittest/app_spawn_test_helper.h b/test/unittest/app_spawn_test_helper.h index 4c9bfc33e483151c5b637c5657e6ee6e621320e8..4190f7575f7296b9cdaa2cd62b8647c203d33ec8 100644 --- a/test/unittest/app_spawn_test_helper.h +++ b/test/unittest/app_spawn_test_helper.h @@ -115,7 +115,7 @@ public: int CreateSocket(int type = 0); int CreateSendMsg(std::vector &buffer, uint32_t msgType, uint32_t &msgLen, const std::vector &addTlvFuncs); - const std::vector &GetPermissions() + std::vector &GetPermissions() { return permissions_; } @@ -149,7 +149,6 @@ private: int fdArg = -1; std::vector permissions_ = { const_cast("ohos.permission.MANAGE_PRIVATE_PHOTOS"), - const_cast("ohos.permission.FILE_CROSS_APP"), const_cast("ohos.permission.ACTIVATE_THEME_PACKAGE"), const_cast("ohos.permission.GET_WALLPAPER"), const_cast("ohos.permission.FILE_ACCESS_MANAGER")
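Review bot: Handle_Dlp_Mount_01 assigns `int32_t ret = AppSpawn::SandboxCore::HandleDlpMount(dacInfo);` and never asserts on it, so the test passes regardless of outcome; either assert the result the test environment guarantees (opening /dev/fuse may fail on a test host, so decide which code that is) or drop the variable. The four Set_App_Sandbox_Property_For_Dlp tests store an `int32_t` return in `bool ret` and compare with `false`, which collapses every non-zero error code into `true` and hides which one came back — use `int32_t ret` with `EXPECT_EQ(ret, 0)`. Tests 01 and 02 push "ohos.permission.ACCESS_DLP_FILE" into `g_testHelper.GetPermissions()` (a mutable reference since the app_spawn_test_helper.h hunk) and never remove it, so if `g_testHelper` is shared across test cases, 03 and 04, whose descriptions say dlpStatus is false, actually run with the permission still set; pop it at the end of 01/02 or reset the vector in a teardown. The description of Set_App_Sandbox_Property_For_Dlp_04 says "CheckDlpMount is true" but the process name is com.ohos.notepad, so it should read `When dlpStatus is false and CheckDlpMount is false.`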