From 7ab0d252b850214c1403c92c51c6d338c7aad506 Mon Sep 17 00:00:00 2001
From: GengYinzong
Date: Wed, 16 Jul 2025 20:29:18 -0700
Subject: [PATCH] fix
Signed-off-by: GengYinzong
---
 interfaces/innerkits/include/appspawn.h | 1 +
 modules/common/appspawn_adapter.cpp | 5 +++++
 modules/sandbox/modern/appspawn_sandbox.h | 1 +
 modules/sandbox/modern/sandbox_manager.c | 16 +++++++++-------
 modules/sandbox/normal/sandbox_core.cpp | 17 +++++++++--------
 modules/sandbox/normal/sandbox_core.h | 3 ++-
 modules/sandbox/normal/sandbox_def.h | 1 +
 util/include/appspawn_utils.h | 3 ++-
 8 files changed, 30 insertions(+), 17 deletions(-)
diff --git a/interfaces/innerkits/include/appspawn.h b/interfaces/innerkits/include/appspawn.h
index 4d0c6039..8a53fdc7 100644
--- a/interfaces/innerkits/include/appspawn.h
+++ b/interfaces/innerkits/include/appspawn.h
@@ -201,6 +201,7 @@ typedef enum {
 APP_FLAGS_PRE_INSTALLED_HAP = 29,
 APP_FLAGS_GET_ALL_PROCESSES = 30,
 APP_FLAGS_CUSTOM_SANDBOX = 31,
+ APP_FLAGS_ALLOW_IOURING = 33,
 APP_FLAGS_UNLOCKED_STATUS = 34,
 MAX_FLAGS_INDEX = 63,
 } AppFlagsIndex;
diff --git a/modules/common/appspawn_adapter.cpp b/modules/common/appspawn_adapter.cpp
index 09c6c19c..88344085 100644
--- a/modules/common/appspawn_adapter.cpp
+++ b/modules/common/appspawn_adapter.cpp
@@ -216,6 +216,11 @@ int SetSeccompFilter(const AppSpawnMgr *content, const AppSpawningCtx *property)
 appName = APP_ATOMIC;
 }
+ // Set seccomp policy for processes that have ohos.permission.ALLOW_IOURING.
+ if (CheckAppMsgFlagsSet(property, APP_FLAGS_ALLOW_IOURING) != 0) {
+ appName = APP_ALLOW_IOURING;
+ }
+
 if (!SetSeccompPolicyWithName(type, appName)) {
 APPSPAWN_LOGE("Failed to set %{public}s seccomp filter and exit %{public}d", appName, errno);
 return -EINVAL;
diff --git a/modules/sandbox/modern/appspawn_sandbox.h b/modules/sandbox/modern/appspawn_sandbox.h
index b0065e02..74a2b2ff 100644
--- a/modules/sandbox/modern/appspawn_sandbox.h
+++ b/modules/sandbox/modern/appspawn_sandbox.h
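Review bot: In SetSeccompFilter the new `if (CheckAppMsgFlagsSet(property, APP_FLAGS_ALLOW_IOURING) != 0)` runs after the earlier selection, so it overwrites whatever `appName` was chosen before it (the line just above assigns `APP_ATOMIC`). A process that is both an atomic service and carries this flag would get the io_uring policy instead of the atomic one; if that precedence is not intended, make the assignment conditional on no stricter policy having been picked. The choice also rests on a message flag rather than on the permission itself. The UpdateMsgFlagsWithPermission helpers changed in this patch only ever set the flag and return early when the permission is absent, so a spawn request arriving with bit 33 already set would still select the wider filter. Requests presumably come from a trusted service, but clearing the flag when `CheckAppPermissionFlagSet` returns 0 would make that explicit. The function body starts and ends outside the hunk.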
@@ -75,6 +75,7 @@ extern "C" {
 #define FILE_ACCESS_MANAGER_MODE "ohos.permission.FILE_ACCESS_MANAGER"
 #define READ_WRITE_USER_FILE_MODE "ohos.permission.READ_WRITE_USER_FILE"
 #define GET_ALL_PROCESSES_MODE "ohos.permission.GET_ALL_PROCESSES"
+#define APP_ALLOW_IOURING "ohos.permission.ALLOW_IOURING"
 typedef enum SandboxTag {
 SANDBOX_TAG_MOUNT_PATH = 0,
diff --git a/modules/sandbox/modern/sandbox_manager.c b/modules/sandbox/modern/sandbox_manager.c
index c90d5c62..800f5a85 100644
--- a/modules/sandbox/modern/sandbox_manager.c
+++ b/modules/sandbox/modern/sandbox_manager.c
@@ -709,18 +709,19 @@ static int AppendPackageNameGids(const AppSpawnSandboxCfg *sandbox, AppSpawningC
 return 0;
 }
-static void UpdateMsgFlagsWithPermission(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property)
+static void UpdateMsgFlagsWithPermission(AppSpawnSandboxCfg *sandbox, AppSpawningCtx *property,
+ const char *permissionMode, uint32_t flag)
 {
- int32_t allProcessIndex = GetPermissionIndexInQueue(&sandbox->permissionQueue, GET_ALL_PROCESSES_MODE);
- int res = CheckAppPermissionFlagSet(property, (uint32_t)allProcessIndex);
+ int32_t processIndex = GetPermissionIndexInQueue(&sandbox->permissionQueue, permissionMode);
+ int res = CheckAppPermissionFlagSet(property, (uint32_t)processIndex);
 if (res == 0) {
- APPSPAWN_LOGV("Don't need set GET_ALL_PROCESSES_MODE flag");
+ APPSPAWN_LOGV("Don't need set %{public}s flag", permissionMode);
 return;
 }
- int ret = SetAppSpawnMsgFlag(property->message, TLV_MSG_FLAGS, APP_FLAGS_GET_ALL_PROCESSES);
+ int ret = SetAppSpawnMsgFlag(property->message, TLV_MSG_FLAGS, flag);
 if (ret != 0) {
- APPSPAWN_LOGE("Set GET_ALL_PROCESSES_MODE flag failed");
+ APPSPAWN_LOGE("Set %{public}s flag failed", permissionMode);
 }
 return;
 }
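Review bot: `APP_ALLOW_IOURING` departs from the `*_MODE` naming of every neighbouring permission macro, and the same identifier is what appspawn_adapter.cpp assigns to `appName`, that is, uses as a seccomp policy name. If the adapter takes that name from a seccomp header, a translation unit including both headers would see a macro redefinition; if it takes it from here, the policy is looked up under the permission string. Neither is visible in this patch. Naming it `ALLOW_IOURING_MODE` here, and likewise in sandbox_def.h, would keep the permission string and the policy name apart.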
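Review bot: `processIndex` is a signed `int32_t` that is cast straight to `uint32_t` for CheckAppPermissionFlagSet, and the helper now takes the permission name from its caller. If GetPermissionIndexInQueue reports a missing entry with a negative value (its contract is not visible here), the cast turns that into a very large index. That becomes more likely with a newly introduced permission that may be absent from some sandbox configurations. Add `if (processIndex < 0) { return; }` before the check. The same cast appears in SandboxCore::UpdateMsgFlagsWithPermission in sandbox_core.cpp.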
@@ -780,7 +781,8 @@ int SpawnPrepareSandboxCfg(AppSpawnMgr *content, AppSpawningCtx *property)
 APPSPAWN_LOGW("set sandbox permission flag failed.");
 return APPSPAWN_SANDBOX_ERROR_SET_PERMISSION_FLAG_FAIL;
 }
- UpdateMsgFlagsWithPermission(sandbox, property);
+ UpdateMsgFlagsWithPermission(sandbox, property, GET_ALL_PROCESSES_MODE, APP_FLAGS_GET_ALL_PROCESSES);
+ UpdateMsgFlagsWithPermission(sandbox, property, APP_ALLOW_IOURING, APP_FLAGS_ALLOW_IOURING);
 ret = AppendGids(sandbox, property);
 APPSPAWN_CHECK(ret == 0, return ret, "Failed to add gid for %{public}s", GetProcessName(property));
diff --git a/modules/sandbox/normal/sandbox_core.cpp b/modules/sandbox/normal/sandbox_core.cpp
index 4173e73d..0959eafb 100644
--- a/modules/sandbox/normal/sandbox_core.cpp
+++ b/modules/sandbox/normal/sandbox_core.cpp
@@ -104,17 +104,18 @@ bool SandboxCore::CheckMountFlag(const AppSpawningCtx *appProperty, const std::s
 return false;
 }
-void SandboxCore::UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty)
+void SandboxCore::UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty,
+ const std::string &permissionMode, uint32_t flag)
 {
- int32_t processIndex = GetPermissionIndex(nullptr, SandboxCommonDef::GET_ALL_PROCESSES_MODE.c_str());
+ int32_t processIndex = GetPermissionIndex(nullptr, permissionMode.c_str());
 if ((CheckAppPermissionFlagSet(appProperty, static_cast(processIndex)) == 0)) {
- APPSPAWN_LOGV("Don't need set GET_ALL_PROCESSES_MODE flag");
+ APPSPAWN_LOGV("Don't need set %{public}s flag", permissionMode.c_str());
 return;
 }
- int ret = SetAppSpawnMsgFlag(appProperty->message, TLV_MSG_FLAGS, APP_FLAGS_GET_ALL_PROCESSES);
+ int ret = SetAppSpawnMsgFlag(appProperty->message, TLV_MSG_FLAGS, flag);
 if (ret != 0) {
- APPSPAWN_LOGV("Set GET_ALL_PROCESSES_MODE flag failed");
+ APPSPAWN_LOGV("Set %{public}s flag failed", permissionMode.c_str());
 }
 }
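Review bot: The failure branch of SandboxCore::UpdateMsgFlagsWithPermission logs `Set %{public}s flag failed` with APPSPAWN_LOGV, while the C counterpart in sandbox_manager.c reports the same failure with APPSPAWN_LOGE. Since this flag now also decides which seccomp policy SetSeccompFilter selects, a failed SetAppSpawnMsgFlag should be visible at error level: `APPSPAWN_LOGE("Set %{public}s flag failed", permissionMode.c_str());`.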
@@ -898,10 +899,10 @@ int32_t SandboxCore::SetAppSandboxProperty(AppSpawningCtx *appProperty, uint32_t
 APPSPAWN_LOGW("Set app permission flag fail.");
 return -1;
 }
- UpdateMsgFlagsWithPermission(appProperty);
+ UpdateMsgFlagsWithPermission(appProperty, SandboxCommonDef::GET_ALL_PROCESSES_MODE, APP_FLAGS_GET_ALL_PROCESSES);
+ UpdateMsgFlagsWithPermission(appProperty, SandboxCommonDef::APP_ALLOW_IOURING, APP_FLAGS_ALLOW_IOURING);
 // check app sandbox switch
- if ((SandboxCommon::IsTotalSandboxEnabled(appProperty) == false) ||
- (SandboxCommon::IsAppSandboxEnabled(appProperty) == false)) {
+ if (!SandboxCommon::IsTotalSandboxEnabled(appProperty) || !SandboxCommon::IsAppSandboxEnabled(appProperty)) {
 rc = DoSandboxRootFolderCreateAdapt(sandboxPackagePath);
 } else if (!sandboxSharedStatus) {
 rc = DoSandboxRootFolderCreate(appProperty, sandboxPackagePath);
diff --git a/modules/sandbox/normal/sandbox_core.h b/modules/sandbox/normal/sandbox_core.h
index 9f379b72..2d61cd18 100644
--- a/modules/sandbox/normal/sandbox_core.h
+++ b/modules/sandbox/normal/sandbox_core.h
@@ -74,7 +74,8 @@ private:
 static uint32_t GetAppMsgFlags(const AppSpawningCtx *property);
 static bool CheckMountFlag(const AppSpawningCtx *appProperty, const std::string bundleName, cJSON *appConfig);
- static void UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty);
+ static void UpdateMsgFlagsWithPermission(AppSpawningCtx *appProperty,
+ const std::string &permissionMode, uint32_t flag);
 static int32_t UpdatePermissionFlags(AppSpawningCtx *appProperty);
 static std::string GetSandboxPath(const AppSpawningCtx *appProperty, cJSON *mntPoint, const std::string §ion, std::string sandboxRoot);
diff --git a/modules/sandbox/normal/sandbox_def.h b/modules/sandbox/normal/sandbox_def.h
index 2762d14b..be6b7deb 100644
--- a/modules/sandbox/normal/sandbox_def.h
+++ b/modules/sandbox/normal/sandbox_def.h
@@ -146,6 +146,7 @@ const std::string ACCESS_DLP_FILE_MODE = "ohos.permission.ACCESS_DLP_FILE";
 const std::string FILE_ACCESS_MANAGER_MODE = "ohos.permission.FILE_ACCESS_MANAGER";
 const std::string READ_WRITE_USER_FILE_MODE = "ohos.permission.READ_WRITE_USER_FILE";
 const std::string GET_ALL_PROCESSES_MODE = "ohos.permission.GET_ALL_PROCESSES";
+const std::string APP_ALLOW_IOURING = "ohos.permission.ALLOW_IOURING";
 const std::string ARK_WEB_PERSIST_PACKAGE_NAME = "persist.arkwebcore.package_name";
 // 枚举类型
diff --git a/util/include/appspawn_utils.h b/util/include/appspawn_utils.h
index 2d196555..d8768344 100644
--- a/util/include/appspawn_utils.h
+++ b/util/include/appspawn_utils.h
@@ -102,7 +102,8 @@ typedef struct TagAppSpawnCommonEnv {
 /* spawner permission */
 static const char *g_spawnerPermissionList[] = {
- "ohos.permission.FOWNER"
+ "ohos.permission.FOWNER",
+ "ohos.permission.ALLOW_IOURING"
 };
 typedef enum {
-- Gitee