From c9e825880eb09d4feea09ce11ce727a153324793 Mon Sep 17 00:00:00 2001
From: nianyuu
Date: Tue, 17 Jun 2025 14:33:24 +0800
Subject: [PATCH] set deny rules for dec
Signed-off-by: nianyuu
---
 modules/sandbox/sandbox_dec.c | 5 ++-
 modules/sandbox/sandbox_dec.h | 7 ++++
 modules/sandbox/sandbox_utils.cpp | 38 +++++++++++++++++++
 modules/sandbox/sandbox_utils.h | 1 +
 .../app_spawn_sandbox_test.cpp | 28 ++++++++++++++
 5 files changed, 77 insertions(+), 2 deletions(-)
diff --git a/modules/sandbox/sandbox_dec.c b/modules/sandbox/sandbox_dec.c
index 1a00b622..cc1e74eb 100644
--- a/modules/sandbox/sandbox_dec.c
+++ b/modules/sandbox/sandbox_dec.c
@@ -89,7 +89,7 @@ void SetDecPolicyInfos(DecPolicyInfo *decPolicyInfos)
 return;
 }
 pathInfo.pathLen = (uint32_t)strlen(pathInfo.path);
- pathInfo.mode = SANDBOX_MODE_WRITE | SANDBOX_MODE_READ;
+ pathInfo.mode = decPolicyInfos->path[i].mode;
 uint32_t index = g_decPolicyInfos->pathNum + i;
 g_decPolicyInfos->path[index] = pathInfo;
 }
@@ -191,7 +191,8 @@ void SetDecPolicy(void)
 } else {
 APPSPAWN_LOGI("set SET_DEC_POLICY_CMD sandbox policy success. timestamp:%{public}" PRId64 "", timestamp);
 for (uint32_t i = 0; i < g_decPolicyInfos->pathNum; i++) {
- APPSPAWN_LOGI("policy info: %{public}s", g_decPolicyInfos->path[i].path);
+ APPSPAWN_LOGI("policy info: path %{public}s, mode 0x%{public}x",
+ g_decPolicyInfos->path[i].path, g_decPolicyInfos->path[i].mode);
 }
 }
 close(fd);
diff --git a/modules/sandbox/sandbox_dec.h b/modules/sandbox/sandbox_dec.h
index eda4d839..64452893 100644
--- a/modules/sandbox/sandbox_dec.h
+++ b/modules/sandbox/sandbox_dec.h
@@ -51,6 +51,8 @@ extern "C" {
 #define MAX_POLICY_NUM 8
 #define SANDBOX_MODE_READ 0x00000001
 #define SANDBOX_MODE_WRITE (SANDBOX_MODE_READ << 1)
+#define DEC_MODE_DENY_READ (1 << 5)
+#define DEC_MODE_DENY_WRITE (1 << 6)
 #define DEC_POLICY_HEADER_RESERVED 64
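Review bot: `pathInfo.mode = decPolicyInfos->path[i].mode;` forwards whatever the caller placed in `mode` into the policy that SetDecPolicy later submits, with no check that only the known bits (SANDBOX_MODE_READ, SANDBOX_MODE_WRITE, DEC_MODE_DENY_READ, DEC_MODE_DENY_WRITE) are set. The callers that previously relied on the hard-coded READ|WRITE — presumably SetDecWithDir and SetDecPolicyWithPermission, declared in sandbox_utils.h — are not touched by this patch, so if either still leaves its PathInfo zero-initialised those paths will now be submitted with mode 0; that needs verifying outside this diff. If APPSPAWN_CHECK is available in this file, a guard before the assignment such as `APPSPAWN_CHECK((decPolicyInfos->path[i].mode & ~(SANDBOX_MODE_READ | SANDBOX_MODE_WRITE | DEC_MODE_DENY_READ | DEC_MODE_DENY_WRITE)) == 0, return, "invalid dec mode");` would reject unexpected flag bits instead of handing them to the kernel. SetDecPolicyInfos starts and ends outside the hunk.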
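Review bot: `#define DEC_MODE_DENY_READ (1 << 5)` and `#define DEC_MODE_DENY_WRITE (1 << 6)` carry no comment explaining why bits 5 and 6 were chosen, while the existing SANDBOX_MODE_* values are written as a hex literal and a shift of it; the gap between bit 1 and bit 5 reads as deliberate but is undocumented. Because these values travel in the DecPolicyInfo that SetDecPolicy submits on the SET_DEC_POLICY_CMD path, they presumably have to match the consumer's definition, which a reader cannot check from this header. Suggest a comment above the two defines: `/* Deny bits consumed by the DEC policy; values must stay in sync with the policy consumer and must not overlap SANDBOX_MODE_READ/WRITE. */`.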
@@ -71,6 +73,11 @@ typedef struct DecPolicyInfo {
 bool flag;
 } DecPolicyInfo;
+typedef struct DecDenyPathTemplate {
+ const char *permission;
+ const char *decPath;
+} DecDenyPathTemplate;
+
 void SetDecPolicyInfos(DecPolicyInfo *decPolicyInfos);
 void DestroyDecPolicyInfos(DecPolicyInfo *decPolicyInfos);
 void SetDecPolicy(void);
diff --git a/modules/sandbox/sandbox_utils.cpp b/modules/sandbox/sandbox_utils.cpp
index 1187e9e4..5fcefbc8 100644
--- a/modules/sandbox/sandbox_utils.cpp
+++ b/modules/sandbox/sandbox_utils.cpp
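Review bot: DecDenyPathTemplate is added without a comment saying how its two fields relate; from its only use in sandbox_utils.cpp, `decPath` is the directory that is denied when the app lacks `permission`. Suggest a comment on the struct: `/* Maps a directory permission to the path that is denied for read and write when an app holding READ_WRITE_USER_FILE lacks that permission. */`.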
@@ -1027,6 +1027,43 @@ EXIT:
 return ret;
 }
+static const DecDenyPathTemplate DEC_DENY_PATH_MAP[] = {
+ {"ohos.permission.READ_WRITE_DOWNLOAD_DIRECTORY", "/storage/Users/currentUser/Download"},
+ {"ohos.permission.READ_WRITE_DESKTOP_DIRECTORY", "/storage/Users/currentUser/Desktop"},
+ {"ohos.permission.READ_WRITE_DOCUMENTS_DIRECTORY", "/storage/Users/currentUser/Documents"},
+};
+void SandboxUtils::SetDecDenyWithDir(const AppSpawningCtx *appProperty)
+{
+ int32_t userFileIndex = GetPermissionIndex(nullptr, READ_WRITE_USER_FILE_MODE.c_str());
+ if (CheckAppPermissionFlagSet(appProperty, static_cast(userFileIndex)) == 0) {
+ APPSPAWN_LOGV("The app doesn't have %{public}s, no need to set deny rules", READ_WRITE_USER_FILE_MODE.c_str());
+ return;
+ }
+
+ AppSpawnMsgAccessToken *tokenInfo =
+ reinterpret_cast(GetAppProperty(appProperty, TLV_ACCESS_TOKEN_INFO));
+ APPSPAWN_CHECK(tokenInfo != NULL, return, "Get token id failed");
+
+ DecPolicyInfo decPolicyInfo = {0};
+ decPolicyInfo.pathNum = 0;
+ uint32_t count = ARRAY_LENGTH(DEC_DENY_PATH_MAP);
+ for (uint32_t i = 0, j = 0; i < count; i++) {
+ int32_t index = GetPermissionIndex(nullptr, DEC_DENY_PATH_MAP[i].permission);
+ if (CheckAppPermissionFlagSet(appProperty, static_cast(index))) {
+ continue;
+ }
+ PathInfo pathInfo = {0};
+ pathInfo.path = const_cast(DEC_DENY_PATH_MAP[i].decPath);
+ pathInfo.pathLen = static_cast(strlen(pathInfo.path));
+ pathInfo.mode = DEC_MODE_DENY_READ | DEC_MODE_DENY_WRITE;
+ decPolicyInfo.path[j++] = pathInfo;
+ decPolicyInfo.pathNum += 1;
+ }
+ decPolicyInfo.tokenId = tokenInfo->accessTokenIdEx;
+ decPolicyInfo.flag = true;
+ SetDecPolicyInfos(&decPolicyInfo);
+}
+
 static bool GetCheckStatus(nlohmann::json &mntPoint)
 {
 std::string value = g_statusCheck;
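Review bot: `APPSPAWN_CHECK(tokenInfo != NULL, return, "Get token id failed");` returns silently from a `void` function, so an app holding READ_WRITE_USER_FILE keeps its broad access with none of the deny rules installed and the call added in SetAppSandboxProperty cannot tell; the sibling SetDecWithDir is declared `static int32_t` in sandbox_utils.h, and this function should report a status the same way so the caller can decide whether to continue with weaker confinement. `decPolicyInfo.path[j++] = pathInfo;` is never checked against MAX_POLICY_NUM — the three entries fit today, but a larger DEC_DENY_PATH_MAP would overflow the fixed array — so pin it with `static_assert(ARRAY_LENGTH(DEC_DENY_PATH_MAP) <= MAX_POLICY_NUM, "deny map exceeds DecPolicyInfo capacity");` and drop `j` in favour of `decPolicyInfo.path[decPolicyInfo.pathNum++] = pathInfo;`, which also makes the separate `decPolicyInfo.pathNum = 0;` and `+= 1` lines unnecessary. When every directory permission is granted the function still calls SetDecPolicyInfos with `pathNum == 0` and `flag = true`; unless SetDecPolicyInfos is known to handle an empty policy, add `if (decPolicyInfo.pathNum == 0) { return; }` before it. GetPermissionIndex returns an int32_t that is cast unchecked before CheckAppPermissionFlagSet; if a negative result means the permission name was not found, that case should be handled explicitly so the directory stays denied rather than depending on what the converted index selects. The template arguments of the `static_cast`/`reinterpret_cast`/`const_cast` calls appear stripped in this rendering, so the target types could not be reviewed.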
@@ -1988,6 +2025,7 @@ int32_t SandboxUtils::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_
 APPSPAWN_LOGV("Change root dir success");
 #endif
 SetDecWithDir(appProperty, dacInfo->uid / UID_BASE);
+ SetDecDenyWithDir(appProperty);
 SetDecPolicy();
 #if defined(APPSPAWN_MOUNT_TMPSHM) && defined(WITH_SELINUX)
 Restorecon(DEV_SHM_DIR);
diff --git a/modules/sandbox/sandbox_utils.h b/modules/sandbox/sandbox_utils.h
index 145e7533..a5d1b7e1 100755
--- a/modules/sandbox/sandbox_utils.h
+++ b/modules/sandbox/sandbox_utils.h
@@ -76,6 +76,7 @@ private:
 std::string &sandboxPackagePath);
 static int32_t SetDecPolicyWithPermission(const AppSpawningCtx *appProperty, SandboxMountConfig &mountConfig);
 static int32_t SetDecWithDir(const AppSpawningCtx *appProperty, uint32_t userId);
+ static void SetDecDenyWithDir(const AppSpawningCtx *appProperty);
 static void DoSandboxChmod(nlohmann::json jsonConfig, std::string &sandboxRoot);
 static int DoAllMntPointsMount(const AppSpawningCtx *appProperty, nlohmann::json &appConfig, const char *typeName, const std::string §ion = "app-base");
diff --git a/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp b/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp
index 18a7ebdb..a8d6bb9f 100644
--- a/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp
+++ b/test/unittest/app_spawn_standard_test/app_spawn_sandbox_test.cpp
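Review bot: The new declaration `static void SetDecDenyWithDir(const AppSpawningCtx *appProperty);` has no comment, and a reader of the header cannot tell that it is a no-op unless the app holds READ_WRITE_USER_FILE or that it only covers the directories listed in DEC_DENY_PATH_MAP in sandbox_utils.cpp. Suggest a comment above it: `// Denies read and write on each user directory in DEC_DENY_PATH_MAP whose permission the app lacks; does nothing unless the app holds READ_WRITE_USER_FILE. Must run before SetDecPolicy().` The ordering part is taken from the call site added in SetAppSandboxProperty, where it precedes `SetDecPolicy();`.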
@@ -1720,6 +1720,34 @@ HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_dec_05, TestSize.Level0)
 GTEST_LOG_(INFO) << "App_Spawn_Sandbox_dec_05 end";
 }
+/**
+ * @tc.name: App_Spawn_Sandbox_dec_06
+ * @tc.desc: set deny dec rules
+ * @tc.type: FUNC
+ * @tc.author:
+ */
+HWTEST_F(AppSpawnSandboxTest, App_Spawn_Sandbox_dec_06, TestSize.Level0)
+{
+ GTEST_LOG_(INFO) << "App_Spawn_Sandbox_dec_06 start";
+ AppSpawningCtx *appProperty = GetTestAppProperty();
+ OHOS::AppSpawn::SandboxUtils::SetDecDenyWithDir(appProperty);
+
+ int32_t userFileIndex = GetPermissionIndex(nullptr, "ohos.permission.READ_WRITE_USER_FILE");
+ ASSERT_NE(userFileIndex, 0);
+ int ret = SetAppPermissionFlags(appProperty, userFileIndex);
+ ASSERT_EQ(ret, 0);
+ OHOS::AppSpawn::SandboxUtils::SetDecDenyWithDir(appProperty);
+
+ int32_t downloadIndex = GetPermissionIndex(nullptr, "ohos.permission.READ_WRITE_DOWNLOAD_DIRECTORY");
+ ASSERT_NE(downloadIndex, 0);
+ ret = SetAppPermissionFlags(appProperty, downloadIndex);
+ ASSERT_EQ(ret, 0);
+ OHOS::AppSpawn::SandboxUtils::SetDecDenyWithDir(appProperty);
+
+ DeleteAppSpawningCtx(appProperty);
+ GTEST_LOG_(INFO) << "App_Spawn_Sandbox_dec_06 end";
+}
+
 /**
 * @tc.name: App_Spawn_Sandbox_Shared_Mount_01
 * @tc.desc: [IsValidDataGroupItem] input valid param
-- Gitee
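Review bot: App_Spawn_Sandbox_dec_06 calls SetDecDenyWithDir three times but asserts nothing about the outcome — only that SetAppPermissionFlags returned 0 — so it passes whether or not any deny rule is produced, and a regression in the permission check or in the number of entries would go unnoticed. If the policy collected by SetDecPolicyInfos cannot be observed from the test, the function's result should at least be made observable some other way; otherwise assert the expected number of denied paths after each call (none before READ_WRITE_USER_FILE is granted, then all three map entries, then two once the Download permission is added). `ASSERT_NE(userFileIndex, 0)` only rejects zero; if GetPermissionIndex reports an unknown permission with a negative value, as its int32_t return suggests, `ASSERT_GE(userFileIndex, 0)` (and likewise for `downloadIndex`) is the check that matches. `@tc.author:` is left empty in the test header.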