diff --git a/services/sandbox/BUILD.gn b/services/sandbox/BUILD.gn index ff43918def319e4b0f58d88d361e67090445c5a6..0671aa7d91d3e8372d59453a42a223d3aad72b78 100755 --- a/services/sandbox/BUILD.gn +++ b/services/sandbox/BUILD.gn @@ -12,6 +12,7 @@ # limitations under the License. import("//base/startup/init/begetd.gni") +import("//base/startup/init/services/sandbox/scripts/system_sandbox_fixer.gni") import("//build/ohos.gni") config("exported_header_files") { @@ -48,10 +49,11 @@ ohos_static_library("sandbox") { } ohos_prebuilt_etc("system-sandbox.json") { - if (target_cpu == "arm64") { - source = "system-sandbox64.json" - } else { - source = "system-sandbox.json" + source = "//base/startup/init/services/sandbox/system-sandbox.json" + if (target_cpu == "arm64" || target_cpu == "x86_64") { + extra_sandbox_cfgs = [] + extra_sandbox_cfgs += + [ "//base/startup/init/services/sandbox/system-sandbox64.json" ] } output = "//base/startup/init/services/sandbox/system-sandbox.json" part_name = "init" @@ -60,10 +62,11 @@ ohos_prebuilt_etc("system-sandbox.json") { } ohos_prebuilt_etc("chipset-sandbox.json") { - if (target_cpu == "arm64") { - source = "chipset-sandbox64.json" - } else { - source = "chipset-sandbox.json" + source = "//base/startup/init/services/sandbox/chipset-sandbox.json" + if (target_cpu == "arm64" || target_cpu == "x86_64") { + extra_sandbox_cfgs = [] + extra_sandbox_cfgs += + [ "//base/startup/init/services/sandbox/chipset-sandbox64.json" ] } output = "//base/startup/init/services/sandbox/chipset-sandbox.json" part_name = "init" diff --git a/services/sandbox/chipset-sandbox64.json b/services/sandbox/chipset-sandbox64.json index 1f41db94d17cc9e6d36490358c1b2d5e1741f102..340a8dab2d4a43f4a9df8641ff10097873fca2c3 100644 --- a/services/sandbox/chipset-sandbox64.json +++ b/services/sandbox/chipset-sandbox64.json @@ -1,89 +1,9 @@ { "sandbox-root" : "/mnt/sandbox/chipset", "mount-bind-paths" : [{ - "src-path" : "/system/bin", - "sandbox-path" : "/system/bin", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/system/etc", - "sandbox-path" : "/system/etc", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { "src-path" : "/system/lib64", "sandbox-path" : "/system/lib64", "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/system/lib", - "sandbox-path" : "/system/lib", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/system/profile", - "sandbox-path" : "/system/profile", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/system/app", - "sandbox-path" : "/system/app", - "sandbox-flags" : [ "bind", "rec", "private" ], - "ignore": 1 - }, { - "src-path" : "/system/fonts", - "sandbox-path" : "/system/fonts", - "sandbox-flags" : [ "bind", "rec", "private" ], - "ignore": 1 - }, { - "src-path" : "/system/usr", - "sandbox-path" : "/system/usr", - "sandbox-flags" : [ "bind", "rec", "private" ], - "ignore": 1 - }, { - "src-path" : "/vendor", - "sandbox-path" : "/vendor", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/dev", - "sandbox-path" : "/dev", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/proc", - "sandbox-path" : "/proc", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/data", - "sandbox-path" : "/data", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/sys/kernel/debug/tracing", - "sandbox-path" : "/sys/kernel/debug/tracing", - "sandbox-flags" : [ "bind", "private" ], - "ignore": 1 - }, { - "src-path" : "/sys/kernel/debug", - "sandbox-path" : "/sys/kernel/debug", - "sandbox-flags" : [ "bind", "private" ] - }, { - "src-path" : "/sys", - "sandbox-path" : "/sys", - "sandbox-flags" : [ "bind", "private" ] - }, { - "src-path" : "/config", - "sandbox-path" : "/config", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/mnt", - "sandbox-path" : "/mnt", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/storage", - "sandbox-path" : "/storage", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/sys_prod", - "sandbox-path" : "/sys_prod", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/chip_prod", - "sandbox-path" : "/chip_prod", - "sandbox-flags" : [ "bind", "rec", "private" ] } ], "mount-bind-files" : [{ @@ -91,15 +11,6 @@ "symbol-links" : [{ "target-name" : "/system/lib64", "link-name" : "/lib64" - }, { - "target-name" : "/system/lib", - "link-name" : "/lib" - }, { - "target-name" : "/system/bin", - "link-name" : "/bin" - }, { - "target-name" : "/system/etc", - "link-name" : "/etc" } ] } diff --git a/services/sandbox/scripts/system_sandbox_fixer.gni b/services/sandbox/scripts/system_sandbox_fixer.gni new file mode 100644 index 0000000000000000000000000000000000000000..9eb8ed5bce158f358b4fa19ba80979bf83a09a69 --- /dev/null +++ b/services/sandbox/scripts/system_sandbox_fixer.gni @@ -0,0 +1,90 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//build/config/python.gni") +import("//build/templates/common/copy.gni") + +template("ohos_prebuilt_system_sandbox") { + assert(defined(invoker.source), "source must be defined for ${target_name}.") + + _fixed_sandbox_target = "${target_name}_sandbox_fixed" + _fixed_sandbox_file = target_gen_dir + "/${target_name}.fixed/" + + get_path_info(invoker.source, "file") + _output_para_file = get_path_info(invoker.source, "file") + + action_with_pydeps(_fixed_sandbox_target) { + deps = [] + script = + "//base/startup/init/services/sandbox/scripts/system_sandbox_fixer.py" + depfile = "${target_gen_dir}/${target_name}.d" + args = [ + "--output", + rebase_path(_fixed_sandbox_file, root_build_dir), + "--source-file", + rebase_path(invoker.source, root_build_dir), + "--depfile", + rebase_path(depfile, root_build_dir), + ] + if (defined(invoker.extra_sandbox_cfgs)) { + foreach(extra, invoker.extra_sandbox_cfgs) { + args += [ + "--extra_sandbox_cfg", + rebase_path(extra, root_build_dir), + ] + } + } + if (defined(invoker.patterns)) { + foreach(pattern, invoker.patterns) { + args += [ + "--patterns", + pattern, + ] + } + } + inputs = [ invoker.source ] + outputs = [ _fixed_sandbox_file ] + } + + ohos_copy(target_name) { + deps = [ ":$_fixed_sandbox_target" ] + forward_variables_from(invoker, + [ + "testonly", + "visibility", + + "deps", + "public_configs", + "subsystem_name", + "part_name", + + # For generate_module_info + "install_images", + "module_install_dir", + "relative_install_dir", + "symlink_target_name", + + # Open source license related + "license_file", + "license_as_sources", + ]) + sources = [ _fixed_sandbox_file ] + outputs = [ "${target_out_dir}/${target_name}/${_output_para_file}" ] + module_type = "etc" + install_enable = true + module_source_dir = "${target_out_dir}/${target_name}" + module_install_name = _output_para_file + if (defined(invoker.install_enable)) { + install_enable = invoker.install_enable + } + } +} diff --git a/services/sandbox/scripts/system_sandbox_fixer.py b/services/sandbox/scripts/system_sandbox_fixer.py new file mode 100644 index 0000000000000000000000000000000000000000..dcc135250a742b7cd240fc97233b36dfb38cb6b3 --- /dev/null +++ b/services/sandbox/scripts/system_sandbox_fixer.py @@ -0,0 +1,141 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import optparse +import os +import sys +import json +import stat + +sys.path.append(os.path.join(os.path.dirname(__file__), os.pardir, os.pardir, + os.pardir, os.pardir, os.pardir, os.pardir, "build")) +from scripts.util import build_utils # noqa: E402 + +#default json +jsonText = ''' +{ + "sandbox-root" : "/mnt/sandbox/system", + "mount-bind-paths" : [], + "mount-bind-files" : [], + "symbol-links" : [] +} +''' +def _merge_list(origin, new): + if origin == None or new == None: + return + for data1 in new: + if data1 not in origin: + origin.append(data1) + +def _is_same_data(data1, data2, keys): + for key in keys: + if data1.get(key) != data2.get(key): + return False + return True + +def _merge_scope_array(origin, new, keys): + for data1 in new: + isFound = False + for data2 in origin: + if _is_same_data(data1, data2, keys): + isFound = True + for field in ["sandbox-path", "ignore", "target-name", "link-name"]: + if data1.get(field) != None: + data2[field] = data1[field] + + for field in ["sandbox-flags"]: # by list merger + item = data1.get(field) + if item != None and len(item) > 0: + _merge_list(data2[field], item) + break + if not isFound: + origin.append(data1) + +def __substitude_contents(options, source_file): + with open(source_file, "r") as f: + contents = f.read() + if not options.patterns: + return json.loads(contents) + for pattern in options.patterns: + parts = pattern.split(":") + contents = contents.replace("{%s}" % parts[0], parts[1]) + return json.loads(contents) + +def _get_json_list(options): + data_list = [] + #decode source file + contents = __substitude_contents(options, options.source_file) + if contents : + data_list.append(contents) + + if options.extra_sandbox_cfgs == None: + return data_list + + #decode extra file + for sandbox_cfg in options.extra_sandbox_cfgs: + contents = __substitude_contents(options, sandbox_cfg) + if contents : + data_list.append(contents) + return data_list + +def fix_sandbox_config_file(options): + data_list = _get_json_list(options) + originJson = json.loads(jsonText) + fieldInfos = { + "mount-bind-paths": ["src-path", "sandbox-path"], + "mount-bind-files" : ["src-path"], + "symbol-links": ["target-name"] + } + for data in data_list: + # for normal field + for name in ["sandbox-root"]: + if data.get(name) != None: + originJson[name] = data.get(name) + + # for array + for name, keys in fieldInfos.items(): + item = data.get(name) + if item != None and len(item) > 0: + _merge_scope_array(originJson.get(name), item, keys) + + # dump json to output + flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC + modes = stat.S_IWUSR | stat.S_IRUSR | stat.S_IWGRP | stat.S_IRGRP + with os.fdopen(os.open(options.output, flags, modes), 'w') as f: + f.write(json.dumps(originJson, ensure_ascii=False, indent=2)) + +def parse_args(args): + args = build_utils.expand_file_args(args) + + parser = optparse.OptionParser() + build_utils.add_depfile_option(parser) + parser.add_option('--output', help='fixed sandbox configure file') + parser.add_option('--source-file', help='source para file') + parser.add_option('--patterns', action="append", + type="string", dest="patterns", help='replace string patterns like libpath:lib64') + parser.add_option('--extra_sandbox_cfg', action="append", + type="string", dest="extra_sandbox_cfgs", help='extra sandbox') + + options, _ = parser.parse_args(args) + return options + +def main(args): + options = parse_args(args) + depfile_deps = ([options.source_file]) + fix_sandbox_config_file(options) + build_utils.write_depfile(options.depfile, options.output, depfile_deps, add_pydeps=False) + +if __name__ == '__main__': + sys.exit(main(sys.argv[1:])) diff --git a/services/sandbox/scripts/system_sandbox_fixer.pydeps b/services/sandbox/scripts/system_sandbox_fixer.pydeps new file mode 100644 index 0000000000000000000000000000000000000000..4d3ec7c37d27364eb6ed4802a8949b2c667b2cf8 --- /dev/null +++ b/services/sandbox/scripts/system_sandbox_fixer.pydeps @@ -0,0 +1,9 @@ +# Generated by running: +# build/print_python_deps.py --root base/startup/init/services/sandbox/scripts --output base/startup/init/services/sandbox/scripts/system_sandbox_fixer.pydeps base/startup/init/services/sandbox/scripts/system_sandbox_fixer.py +../../../../../../build/gn_helpers.py +../../../../../../build/scripts/__init__.py +../../../../../../build/scripts/util/__init__.py +../../../../../../build/scripts/util/build_utils.py +../../../../../../build/scripts/util/md5_check.py +../../../../../../build/scripts/util/pycache.py +system_sandbox_fixer.py diff --git a/services/sandbox/system-sandbox64.json b/services/sandbox/system-sandbox64.json index f58896da59623de53e22b37b6f5a6372c88ed41d..1d67a922643ed8e7e23757eab75dc92496fabefa 100644 --- a/services/sandbox/system-sandbox64.json +++ b/services/sandbox/system-sandbox64.json @@ -1,93 +1,9 @@ { "sandbox-root" : "/mnt/sandbox/system", "mount-bind-paths" : [{ - "src-path" : "/system/bin", - "sandbox-path" : "/system/bin", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/system/etc", - "sandbox-path" : "/system/etc", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { "src-path" : "/system/lib64", "sandbox-path" : "/system/lib64", "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/system/lib", - "sandbox-path" : "/system/lib", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/system/profile", - "sandbox-path" : "/system/profile", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/system/app", - "sandbox-path" : "/system/app", - "sandbox-flags" : [ "bind", "rec", "private" ], - "ignore": 1 - }, { - "src-path" : "/system/fonts", - "sandbox-path" : "/system/fonts", - "sandbox-flags" : [ "bind", "rec", "private" ], - "ignore": 1 - }, { - "src-path" : "/system/usr", - "sandbox-path" : "/system/usr", - "sandbox-flags" : [ "bind", "rec", "private" ], - "ignore": 1 - }, { - "src-path" : "/vendor", - "sandbox-path" : "/vendor", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/dev", - "sandbox-path" : "/dev", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/proc", - "sandbox-path" : "/proc", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/data", - "sandbox-path" : "/data", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/sys/kernel/debug/tracing", - "sandbox-path" : "/sys/kernel/debug/tracing", - "sandbox-flags" : [ "bind", "private" ], - "ignore": 1 - }, { - "src-path" : "/sys/kernel/debug/tracing", - "sandbox-path" : "/sys/kernel/debug/tracing", - "sandbox-flags" : [ "bind", "private" ] - }, { - "src-path" : "/sys/kernel/debug", - "sandbox-path" : "/sys/kernel/debug", - "sandbox-flags" : [ "bind", "private" ] - }, { - "src-path" : "/sys", - "sandbox-path" : "/sys", - "sandbox-flags" : [ "bind", "private" ] - }, { - "src-path" : "/config", - "sandbox-path" : "/config", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/mnt", - "sandbox-path" : "/mnt", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/sys_prod", - "sandbox-path" : "/sys_prod", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/vendor", - "sandbox-path" : "/chipset", - "sandbox-flags" : [ "bind", "rec", "private" ] - }, { - "src-path" : "/chip_prod", - "sandbox-path" : "/chip_prod", - "sandbox-flags" : [ "bind", "rec", "private" ] } ], "mount-bind-files" : [{ @@ -95,15 +11,6 @@ "symbol-links" : [{ "target-name" : "/system/lib64", "link-name" : "/lib64" - }, { - "target-name" : "/system/lib", - "link-name" : "/lib" - }, { - "target-name" : "/system/bin", - "link-name" : "/bin" - }, { - "target-name" : "/system/etc", - "link-name" : "/etc" } ] }