From 7e84773ce8bab759537581a2cf2f3f14a900e884 Mon Sep 17 00:00:00 2001
From: Zheng Yongjun
Date: Mon, 10 Jan 2022 14:53:56 +0800
Subject: [PATCH] Add sandbox static mapping to do some resources constrain

Signed-off-by: Zheng Yongjun
---
 src/appspawn_server.cpp | 68 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/src/appspawn_server.cpp b/src/appspawn_server.cpp
index 38ccf1e4..85d2b615 100644
--- a/src/appspawn_server.cpp
+++ b/src/appspawn_server.cpp
@@ -401,10 +401,12 @@ void AppSpawnServer::SetServerSocket(const std::shared_ptr &server
 bool AppSpawnServer::SetAppProcProperty(int connectFd, const ClientSocket::AppProperty *appProperty,
 char *longProcName, int64_t longProcNameLen, const int32_t fd[FDLEN2])
 {
+ int rc;
 if (appProperty == nullptr) {
 HiLog::Error(LABEL, "appProperty is nullptr");
 return false;
 }
+
 pid_t newPid = getpid();
 HiLog::Debug(LABEL, "AppSpawnServer::Success to fork new process, pid = %{public}d", newPid);
 // close socket connection and peer socket in child process
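Review bot: `int rc;` is introduced uninitialized at the top of SetAppProcProperty even though nothing in this hunk reads it; its first use is the unshare call in the next hunk, well below, so declaring it there as `int rc = unshare(CLONE_NEWNS);` keeps the variable initialized and scoped next to the code that reads it. The other added line is only whitespace. SetAppProcProperty continues past the end of this hunk.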
@@ -413,6 +415,72 @@ bool AppSpawnServer::SetAppProcProperty(int connectFd, const ClientSocket::AppPr
 close(fd[0]); // close read fd
 UninstallSigHandler();
+ // create /mnt/sandbox/ path
+ std::string rootPath = "/mnt/sandbox/";
+ mkdir(rootPath.c_str(), 0755);
+ rootPath += appProperty->processName;
+ mkdir(rootPath.c_str(), 0755);
+
+ // to create /mnt/sandbox//data/storage/el1 related path, later should delete this code.
+ std::string tmpPath = rootPath + "/data/";
+ mkdir(tmpPath.c_str(), 0755);
+ tmpPath = rootPath + "/data/storage";
+ mkdir(tmpPath.c_str(), 0755);
+ tmpPath = rootPath + "/data/storage/el1";
+ mkdir(tmpPath.c_str(), 0755);
+ tmpPath = rootPath + "/data/storage/el1/0";
+ mkdir(tmpPath.c_str(), 0755);
+ tmpPath = rootPath + "/data/storage/el1/0/base";
+ mkdir(tmpPath.c_str(), 0755);
+
+ // to create /mnt/sandbox//data/storage/el1 related path, later should delete this code.
+ mkdir(tmpPath.c_str(), 0755);
+ tmpPath = rootPath + "/data/storage/el2";
+ mkdir(tmpPath.c_str(), 0755);
+ tmpPath = rootPath + "/data/storage/el2/bundle";
+ mkdir(tmpPath.c_str(), 0755);
+
+ // add pid to a new mnt namespace
+ rc = unshare(CLONE_NEWNS);
+ if (rc) {
+ HiLog::Error(LABEL, "unshare failed, packagename is %{public}s", appProperty->processName);
+ return false;
+ }
+
+ // bind mount "/" to /mnt/sandbox/ path
+ // TODO: to do more resouces bind mount here to get more strict resources constraints
+ rc = mount("/", rootPath.c_str(), NULL, MS_BIND | MS_REC, NULL);
+ if (rc) {
+ HiLog::Error(LABEL, "mount bind / failed, packagename is %{public}s", appProperty->processName);
+ return false;
+ }
+
+ // do bind mount again after unshare
+ std::string oriInstallPath = "/data/app/el1/base/";
+ std::string oriDataPath = "/data/app/el2/0/bundle/";
+ std::string destInstallPath = rootPath + "/data/storage/el1/0/base";
+ std::string destDataPath = rootPath + "/data/storage/el2/bundle";
+ oriInstallPath += appProperty->processName;
+ oriDataPath += appProperty->processName;
+
+ rc = mount(oriInstallPath.c_str(), destInstallPath.c_str(), NULL, MS_BIND | MS_PRIVATE, NULL);
+ if (rc) {
+ HiLog::Error(LABEL, "mount bind package install path failed, packagename is %{public}s", appProperty->processName);
+ return false;
+ }
+
+ rc = mount(oriDataPath.c_str(), destDataPath.c_str(), NULL, MS_BIND | MS_PRIVATE, NULL);
+ if (rc) {
+ HiLog::Error(LABEL, "mount bind package data path failed, packagename is %{public}s", appProperty->processName);
+ return false;
+ }
+
+ rc = chroot(rootPath.c_str());
+ if (rc) {
+ HiLog::Error(LABEL, "chroot failed, packagename is %{public}s", appProperty->processName);
+ return false;
+ }
+
 int32_t ret = ERR_OK;
 ret = SetKeepCapabilities(appProperty->uid);
 if (FAILED(ret)) {
-- Gitee
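Review bot: The bind mounts set up after `unshare(CLONE_NEWNS)` are not isolated from the parent: unshare copies the mount table but keeps each mount's propagation type, so wherever `/` is a shared mount the binds created here can propagate back into the original namespace, and the `MS_PRIVATE` passed together with `MS_BIND` on the install and data mounts has no effect because the kernel only honours a propagation flag in a mount call of its own; remount `/` as `MS_REC | MS_PRIVATE` immediately after unshare succeeds. `chroot(rootPath)` is also not followed by `chdir("/")`, so the child's working directory stays outside the new root. `appProperty->processName` is spliced into rootPath, oriInstallPath and oriDataPath without rejecting an empty name or one containing `/` or `..`, which would place the mounts and the chroot target outside /mnt/sandbox and /data/app; the AppProperty type suggests the value arrives over the client socket, though the hunk does not show its origin. Every `mkdir` return value is ignored, so a failure other than EEXIST is only noticed later as a misleading mount error (check `mkdir(p, 0755) != 0 && errno != EEXIST`), and the second "el1 related path" comment with its repeated `mkdir(tmpPath.c_str(), 0755)` looks like a copy-paste left over from the el1 block. SetAppProcProperty continues past the end of this hunk.
```cpp
    // processName becomes part of every path below; reject anything that could leave the sandbox root
    const std::string pkgName(appProperty->processName);
    if (pkgName.empty() || pkgName == "." || pkgName == ".." || pkgName.find('/') != std::string::npos) {
        HiLog::Error(LABEL, "invalid packagename for sandbox");
        return false;
    }
    // … unchanged: mkdir chain for /mnt/sandbox/<processName>/data/storage/... …

    rc = unshare(CLONE_NEWNS);
    // … unchanged: unshare error check …
    // make every mount in the new namespace private so the binds below cannot propagate back to the parent
    rc = mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
    if (rc) {
        HiLog::Error(LABEL, "mount private / failed, packagename is %{public}s", appProperty->processName);
        return false;
    }
    // … unchanged: bind mount of "/" and of the install/data paths (MS_PRIVATE dropped from their flags) …

    rc = chroot(rootPath.c_str());
    // … unchanged: chroot error check …
    // chroot does not change the working directory; move it inside the new root
    rc = chdir("/");
    if (rc) {
        HiLog::Error(LABEL, "chdir / failed, packagename is %{public}s", appProperty->processName);
        return false;
    }
```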