From ee799114a6c20515d14f98b9898d6def28a41054 Mon Sep 17 00:00:00 2001 From: chengjinsong2 Date: Fri, 9 Jun 2023 20:55:57 +0800 Subject: [PATCH 1/5] feat:modify the system sandbox Signed-off-by: chengjinsong2 --- services/sandbox/system-sandbox.json | 38 +++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/services/sandbox/system-sandbox.json b/services/sandbox/system-sandbox.json index be331edfa..b6f9a076a 100644 --- a/services/sandbox/system-sandbox.json +++ b/services/sandbox/system-sandbox.json @@ -32,8 +32,8 @@ "sandbox-flags" : [ "bind", "rec", "private" ], "ignore": 1 }, { - "src-path" : "/vendor", - "sandbox-path" : "/vendor", + "src-path" : "/vendor/lib/chipsetsdk", + "sandbox-path" : "/vendor/lib/chipsetsdk", "sandbox-flags" : [ "bind", "rec", "private" ] }, { "src-path" : "/dev", 
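Review bot: The directory bound here is spelled `/vendor/lib/chipsetsdk`, while the file entry added in the next hunk of this patch uses `/vendor/lib/chipset-sdk/libhdi_input.z.so`, so one of the two spellings is probably wrong. With the whole-`/vendor` bind removed, a misspelled source path would leave that directory out of the system sandbox, and this entry has no `"ignore": 1` like the entry just above it in the context. Confirm the on-device directory name and use one spelling in both places; if the hyphenated form is the real one, the line becomes `"src-path" : "/vendor/lib/chipset-sdk",` with a matching `"sandbox-path"`. How a failed mount is handled is not visible in this patch.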
@@ -74,17 +74,41 @@ "sandbox-path" : "/sys_prod", "sandbox-flags" : [ "bind", "rec", "private" ] }, { - "src-path" : "/vendor", - "sandbox-path" : "/chipset", + "src-path" : "/vendor/etc/firmware", + "sandbox-path" : "/vendor/etc/firmware", "sandbox-flags" : [ "bind", "rec", "private" ] }, { - "src-path" : "/chip_prod", - "sandbox-path" : "/chip_prod", + "src-path" : "/vendor/etc/audio", + "sandbox-path" : "/vendor/etc/audio", "sandbox-flags" : [ "bind", "rec", "private" ] } ], "mount-bind-files" : [{ - }], + "src-path" : "/vendor/lib/libmapper_service_1.0.z.so", + "sandbox-path" : "/vendor/lib/libmapper_service_1.0.z.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/vendor/lib/libinput_interfaces_service_1.0.z.so", + "sandbox-path" : "/vendor/lib/libinput_interfaces_service_1.0.z.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/vendor/lib/chipset-sdk/libhdi_input.z.so", + "sandbox-path" : "/vendor/lib/chipset-sdk/libhdi_input.z.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/vendor/lib/libhdf_utils.z.so", + "sandbox-path" : "/vendor/lib/libhdf_utils.z.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/vendor/lib/libdisplay_buffer_vdi_impl.z.so", + "sandbox-path" : "/vendor/lib/libdisplay_buffer_vdi_impl.z.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/vendor/lib/libdisplay_buffer_vendor.z.so", + "sandbox-path" : "/vendor/lib/libdisplay_buffer_vendor.z.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + } + ], "symbol-links" : [{ "target-name" : "/system/lib", "link-name" : "/lib" -- Gitee From cbe5380483f82c01230aff03d160c3bbcb303d3f Mon Sep 17 00:00:00 2001 From: chengjinsong2 Date: Fri, 9 Jun 2023 21:06:31 +0800 Subject: [PATCH 2/5] feat:modify the chipset sandbox Signed-off-by: chengjinsong2 --- services/sandbox/chipset-sandbox.json | 83 ++++++++++++++++++--------- 1 file changed, 57 insertions(+), 26 deletions(-) 
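Review bot: The six `mount-bind-files` entries hard-code individual vendor library names such as `libdisplay_buffer_vendor.z.so` and `libmapper_service_1.0.z.so`, and none of them carries the `"ignore": 1` key that other entries in this file use. If that key is what lets sandbox setup continue past a missing source (an assumption, the loader is not shown), a board whose vendor image lacks one of these files would fail here; consider adding `"ignore": 1` to the entries that are board-specific. The `"rec"` flag is also copied onto every file entry, where a recursive bind has nothing to recurse into, so `[ "bind", "private" ]` would state the intent more precisely if the parser accepts it. The same hunk drops the `/chip_prod` bind from the system sandbox without a mention in the commit message, so it is worth confirming that no system-side service reads it.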
diff --git a/services/sandbox/chipset-sandbox.json b/services/sandbox/chipset-sandbox.json index da8534005..b3f26b742 100644 --- a/services/sandbox/chipset-sandbox.json +++ b/services/sandbox/chipset-sandbox.json @@ -1,36 +1,30 @@ { "sandbox-root" : "/mnt/sandbox/chipset", - "mount-bind-paths" : [{ + "mount-bind-paths" : [ + { "src-path" : "/system/bin", "sandbox-path" : "/system/bin", "sandbox-flags" : [ "bind", "rec", "private" ] }, { - "src-path" : "/system/etc", - "sandbox-path" : "/system/etc", + "src-path" : "/system/etc/selinux", + "sandbox-path" : "/system/etc/selinux", "sandbox-flags" : [ "bind", "rec", "private" ] }, { - "src-path" : "/system/lib", - "sandbox-path" : "/system/lib", + "src-path" : "/system/lib/chipset-pub-sdk", + "sandbox-path" : "/system/lib/chipset-pub-sdk", "sandbox-flags" : [ "bind", "rec", "private" ] }, { - "src-path" : "/system/profile", - "sandbox-path" : "/system/profile", + "src-path" : "/system/lib/chipset-sdk", + "sandbox-path" : "/system/lib/chipset-sdk", "sandbox-flags" : [ "bind", "rec", "private" ] }, { - "src-path" : "/system/app", - "sandbox-path" : "/system/app", - "sandbox-flags" : [ "bind", "rec", "private" ], - "ignore": 1 - }, { - "src-path" : "/system/fonts", - "sandbox-path" : "/system/fonts", - "sandbox-flags" : [ "bind", "rec", "private" ], - "ignore": 1 + "src-path" : "/system/lib/ndk", + "sandbox-path" : "/system/lib/ndk", + "sandbox-flags" : [ "bind", "rec", "private" ] }, { - "src-path" : "/system/usr", - "sandbox-path" : "/system/usr", - "sandbox-flags" : [ "bind", "rec", "private" ], - "ignore": 1 + "src-path" : "/system/lib/platformsdk", + "sandbox-path" : "/system/lib/platformsdk", + "sandbox-flags" : [ "bind", "rec", "private" ] }, { "src-path" : "/vendor", "sandbox-path" : "/vendor", 
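Review bot: The new `/system/lib/...` directory binds have no `"ignore": 1`, whereas the three entries this hunk removes (`/system/app`, `/system/fonts`, `/system/usr`) did; if that key is what tolerates a missing source directory, an image without one of the new directories would now fail sandbox setup, so decide per entry whether it is mandatory. Separately, `/system/bin` is still bound whole while `/system/lib` is reduced to an allow-list, so most system binaries visible in the chipset sandbox will no longer find their libraries. If the chipset side needs only a few of those binaries, listing them would match the least-privilege intent of the rest of the change. The `mount-bind-paths` array continues outside this hunk.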
@@ -72,18 +66,55 @@ "src-path" : "/storage", "sandbox-path" : "/storage", "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/sys_prod", - "sandbox-path" : "/sys_prod", - "sandbox-flags" : [ "bind", "rec", "private" ] }, { "src-path" : "/chip_prod", "sandbox-path" : "/chip_prod", "sandbox-flags" : [ "bind", "rec", "private" ] } ], - "mount-bind-files" : [{ - }], + "mount-bind-files" : [ + { + "src-path" : "/system/etc/ld-musl-arm.path", + "sandbox-path" : "/system/etc/ld-musl-arm.path", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/etc/ld-musl-namespace-arm.ini", + "sandbox-path" : "/system/etc/ld-musl-namespace-arm.ini", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib/ld-musl-arm.so.1", + "sandbox-path" : "/system/lib/ld-musl-arm.so.1", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib/libc.so", + "sandbox-path" : "/system/lib/libc.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib/libc++.so", + "sandbox-path" : "/system/lib/libc++.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib/libdisplay_buffer_proxy_1.0.z.so", + "sandbox-path" : "/system/lib/libdisplay_buffer_proxy_1.0.z.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib/libudev.z.so", + "sandbox-path" : "/system/lib/libudev.z.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib/platformsdk/libcrypto_openssl.z.so", + "sandbox-path" : "/system/lib/platformsdk/libcrypto_openssl.z.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib/libclang_rt.ubsan_minimal.so", + "sandbox-path" : "/system/lib/libclang_rt.ubsan_minimal.so", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib/libunwind.z.so", + "sandbox-path" : "/system/lib/libunwind.z.so", + "sandbox-flags" : [ "bind", "rec", 
"private" ] + } + ], "symbol-links" : [{ "target-name" : "/system/lib", "link-name" : "/lib" -- Gitee From 737a42f3d9cbe3233a24ee1baf66ea4b0d3e15dc Mon Sep 17 00:00:00 2001 From: chengjinsong2 Date: Fri, 9 Jun 2023 21:25:28 +0800 Subject: [PATCH 3/5] Revert "feat:modify the system sandbox" This reverts commit ee799114a6c20515d14f98b9898d6def28a41054. --- services/sandbox/system-sandbox.json | 38 +++++----------------------- 1 file changed, 7 insertions(+), 31 deletions(-) diff --git a/services/sandbox/system-sandbox.json b/services/sandbox/system-sandbox.json index b6f9a076a..be331edfa 100644 --- a/services/sandbox/system-sandbox.json +++ b/services/sandbox/system-sandbox.json @@ -32,8 +32,8 @@ "sandbox-flags" : [ "bind", "rec", "private" ], "ignore": 1 }, { - "src-path" : "/vendor/lib/chipsetsdk", - "sandbox-path" : "/vendor/lib/chipsetsdk", + "src-path" : "/vendor", + "sandbox-path" : "/vendor", "sandbox-flags" : [ "bind", "rec", "private" ] }, { "src-path" : "/dev", 
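Review bot: The file list binds the dynamic loader, its search-path and namespace configuration (`ld-musl-arm.path`, `ld-musl-namespace-arm.ini`) and `libc.so` from the system side into the chipset sandbox with only `bind`, `rec`, `private`; nothing in the patch shows these mounts being read-only. The integrity of those files then rests on the underlying partition or on access-control policy outside this file; if the sandbox flag parser has a read-only option, these are the entries where it matters most, and otherwise that dependency deserves a line in the commit description. All loader-related names are specific to 32-bit ARM (`ld-musl-arm.so.1`, `/system/lib`), so any parallel configuration for other architectures would need the equivalent list, and none is touched in this series. `libclang_rt.ubsan_minimal.so` is a sanitizer runtime, so check that it is present on release images before binding it without an `"ignore": 1`.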
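Review bot: This revert puts the whole `/vendor` tree back into the system sandbox, here at `/vendor` and again in the following hunk at `/chipset`, and the message records only the reverted hash, not what broke. The reverted change was the one that reduced the system side's view of vendor content to named directories and files, so the description should say which path was missing at runtime; that lets the narrowed list be corrected and re-applied rather than lost. The following hunk also restores `"mount-bind-files" : [{ }]`, an array holding one empty object; if the loader accepts an empty array, `"mount-bind-files" : []` avoids an entry with no `src-path`.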
@@ -74,41 +74,17 @@ "sandbox-path" : "/sys_prod", "sandbox-flags" : [ "bind", "rec", "private" ] }, { - "src-path" : "/vendor/etc/firmware", - "sandbox-path" : "/vendor/etc/firmware", + "src-path" : "/vendor", + "sandbox-path" : "/chipset", "sandbox-flags" : [ "bind", "rec", "private" ] }, { - "src-path" : "/vendor/etc/audio", - "sandbox-path" : "/vendor/etc/audio", + "src-path" : "/chip_prod", + "sandbox-path" : "/chip_prod", "sandbox-flags" : [ "bind", "rec", "private" ] } ], "mount-bind-files" : [{ - "src-path" : "/vendor/lib/libmapper_service_1.0.z.so", - "sandbox-path" : "/vendor/lib/libmapper_service_1.0.z.so", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/vendor/lib/libinput_interfaces_service_1.0.z.so", - "sandbox-path" : "/vendor/lib/libinput_interfaces_service_1.0.z.so", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/vendor/lib/chipset-sdk/libhdi_input.z.so", - "sandbox-path" : "/vendor/lib/chipset-sdk/libhdi_input.z.so", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/vendor/lib/libhdf_utils.z.so", - "sandbox-path" : "/vendor/lib/libhdf_utils.z.so", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/vendor/lib/libdisplay_buffer_vdi_impl.z.so", - "sandbox-path" : "/vendor/lib/libdisplay_buffer_vdi_impl.z.so", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/vendor/lib/libdisplay_buffer_vendor.z.so", - "sandbox-path" : "/vendor/lib/libdisplay_buffer_vendor.z.so", - "sandbox-flags" : [ "bind", "rec", "private" ] - } - ], + }], "symbol-links" : [{ "target-name" : "/system/lib", "link-name" : "/lib" -- Gitee From b65c4f9d719a1d2ff51f2d09d3e108b38e588154 Mon Sep 17 00:00:00 2001 From: cheng_jinsong Date: Tue, 13 Jun 2023 09:41:35 +0000 Subject: [PATCH 4/5] update services/sandbox/chipset-sandbox.json. Signed-off-by: cheng_jinsong --- services/sandbox/chipset-sandbox.json | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) 
diff --git a/services/sandbox/chipset-sandbox.json b/services/sandbox/chipset-sandbox.json index b3f26b742..85e328d6e 100644 --- a/services/sandbox/chipset-sandbox.json +++ b/services/sandbox/chipset-sandbox.json @@ -21,10 +21,6 @@ "src-path" : "/system/lib/ndk", "sandbox-path" : "/system/lib/ndk", "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/system/lib/platformsdk", - "sandbox-path" : "/system/lib/platformsdk", - "sandbox-flags" : [ "bind", "rec", "private" ] }, { "src-path" : "/vendor", "sandbox-path" : "/vendor", @@ -97,13 +93,9 @@ "src-path" : "/system/lib/libdisplay_buffer_proxy_1.0.z.so", "sandbox-path" : "/system/lib/libdisplay_buffer_proxy_1.0.z.so", "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/system/lib/libudev.z.so", - "sandbox-path" : "/system/lib/libudev.z.so", - "sandbox-flags" : [ "bind", "rec", "private" ] }, { "src-path" : "/system/lib/platformsdk/libcrypto_openssl.z.so", - "sandbox-path" : "/system/lib/platformsdk/libcrypto_openssl.z.so", + "sandbox-path" : "/system/lib/libcrypto_openssl.z.so", "sandbox-flags" : [ "bind", "rec", "private" ] }, { "src-path" : "/system/lib/libclang_rt.ubsan_minimal.so", -- Gitee From 6896d5707f96fcf1bde5c385fca48119ecda6268 Mon Sep 17 00:00:00 2001 From: cheng_jinsong Date: Tue, 13 Jun 2023 09:54:31 +0000 Subject: [PATCH 5/5] update services/sandbox/chipset-sandbox.json. Signed-off-by: cheng_jinsong --- services/sandbox/chipset-sandbox.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/services/sandbox/chipset-sandbox.json b/services/sandbox/chipset-sandbox.json index 85e328d6e..009cc709e 100644 --- a/services/sandbox/chipset-sandbox.json +++ b/services/sandbox/chipset-sandbox.json @@ -1,7 +1,6 @@ { "sandbox-root" : "/mnt/sandbox/chipset", - "mount-bind-paths" : [ - { + "mount-bind-paths" : [{ "src-path" : "/system/bin", "sandbox-path" : "/system/bin", "sandbox-flags" : [ "bind", "rec", "private" ] -- Gitee
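Review bot: In the second hunk of PATCH 4/5 the `libcrypto_openssl.z.so` entry now has a `sandbox-path` (`/system/lib/libcrypto_openssl.z.so`) that differs from its `src-path` (`/system/lib/platformsdk/libcrypto_openssl.z.so`); among the file entries visible in this series it is the only one where the two differ. The chipset sandbox binds the host's `ld-musl-namespace-arm.ini` as added earlier in the series, so the library ends up in a different directory from the one that configuration was presumably written for. Confirm that the namespace meant to load it still resolves it there and that no other library is expected under that target name. The same patch drops `libudev.z.so` and the `/system/lib/platformsdk` directory bind with only `update services/sandbox/chipset-sandbox.json.` as the message; a sentence on why each was removed would let the next reviewer judge the allow-list.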