diff --git a/interfaces/innerkits/include/appspawn.h b/interfaces/innerkits/include/appspawn.h
index 8a53fdc7edd61fce45602d948c2617b6d35105a8..a1c7a0f5f569a5ee36cee1e25ce51e5ebbc51d19 100644
--- a/interfaces/innerkits/include/appspawn.h
+++ b/interfaces/innerkits/include/appspawn.h
@@ -201,6 +201,7 @@ typedef enum {
 APP_FLAGS_PRE_INSTALLED_HAP = 29,
 APP_FLAGS_GET_ALL_PROCESSES = 30,
 APP_FLAGS_CUSTOM_SANDBOX = 31,
+ APP_FLAGS_SET_CAPS_FOWNER,
 APP_FLAGS_ALLOW_IOURING = 33,
 APP_FLAGS_UNLOCKED_STATUS = 34,
 MAX_FLAGS_INDEX = 63,
diff --git a/interfaces/innerkits/permission/appspawn_mount_permission.c b/interfaces/innerkits/permission/appspawn_mount_permission.c
index dfa399149c90055db87ebe966240157e5dcc5d11..e6b354eb69a1238025dc8442f27645e8ddbc3050 100644
--- a/interfaces/innerkits/permission/appspawn_mount_permission.c
+++ b/interfaces/innerkits/permission/appspawn_mount_permission.c
@@ -26,6 +26,10 @@
 #include "json_utils.h"
 #include "securec.h"
+static const char *g_staticPermission[] = {
+ "ohos.permission.FOWNER",
+ "ohos.permission.ALLOW_IOURING"
+};
 typedef struct TagParseJsonContext {
 SandboxQueue permissionQueue;
 int32_t maxPermissionIndex;
@@ -107,6 +111,10 @@ static int LoadPermissionConfig(PermissionManager *mgr)
 (void)ParseJsonConfig("etc/sandbox", mgr->type == CLIENT_FOR_APPSPAWN ? APP_SANDBOX_FILE_NAME : RENDER_SANDBOX_FILE_NAME, ParseAppSandboxConfig, mgr);
+ size_t count = sizeof(g_staticPermission) / sizeof(g_staticPermission[0]);
+ for (size_t i = 0; i < count; i++) {
+ AddSandboxPermissionNode(g_staticPermission[i], &mgr->permissionQueue);
+ }
 mgr->maxPermissionIndex = PermissionRenumber(&mgr->permissionQueue);
 return 0;
 }
diff --git a/modules/common/appspawn_common.c b/modules/common/appspawn_common.c
index 06565357f6fcbbaeb58c71d327d7836ec82ee23a..b3820bed32c2afb0e1ad5ce4144df60621408b8d 100644
--- a/modules/common/appspawn_common.c
+++ b/modules/common/appspawn_common.c
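Review bot: `APP_FLAGS_SET_CAPS_FOWNER` in the appspawn.h hunk is the only enumerator shown without an explicit value; it ends up as 32 only because of its position between `APP_FLAGS_CUSTOM_SANDBOX = 31` and `APP_FLAGS_ALLOW_IOURING = 33`. Because this index decides whether a spawned process is given CAP_FOWNER (see the appspawn_common.c hunk), it should be written out as `APP_FLAGS_SET_CAPS_FOWNER = 32,` so that a later insertion or reorder cannot silently shift it. A one-line comment stating which callers are expected to set the flag would also help. The enum begins and ends outside the hunk.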
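Review bot: `g_staticPermission` in the first appspawn_mount_permission.c hunk is declared `static const char *[]`, so the strings are const but the pointer table itself remains writable; `static const char *const g_staticPermission[] = {` makes the whole table read-only. The array also carries no comment explaining why these two permissions are registered regardless of the sandbox JSON files; something like `/* Permissions always registered, independent of the sandbox config files */` above it would do. The `};` appears to run straight into the following `typedef struct TagParseJsonContext` without a separating blank line.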
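Review bot: The loop added to LoadPermissionConfig discards whatever `AddSandboxPermissionNode` reports, so a failed insert would leave a static permission without an index while the function still returns 0. If the helper returns a status (its prototype is not visible here), check it and at least log the permission name, e.g. `if (AddSandboxPermissionNode(g_staticPermission[i], &mgr->permissionQueue) != 0) { /* log name, return error */ }`. It is also worth confirming that the helper skips a name the JSON config has already added, otherwise a config that lists `ohos.permission.FOWNER` would yield a duplicate node before `PermissionRenumber` runs. The function's opening lines are outside the hunk.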
@@ -173,6 +173,10 @@ APPSPAWN_STATIC int SetCapabilities(const AppSpawnMgr *content, const AppSpawnin
 baseCaps = CAP_TO_MASK(CAP_DAC_OVERRIDE) | CAP_TO_MASK(CAP_DAC_READ_SEARCH) | CAP_TO_MASK(CAP_FOWNER) | CAP_TO_MASK(CAP_KILL);
 }
+#else
+ if (IsAppSpawnMode(content)) {
+ baseCaps = CheckAppMsgFlagsSet(property, APP_FLAGS_SET_CAPS_FOWNER) ? (1 << CAP_FOWNER) : 0;
+ }
 #endif
 const uint64_t inheriTable = baseCaps;
 const uint64_t permitted = baseCaps;
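Review bot: In the new `#else` branch of SetCapabilities, CAP_FOWNER goes into both `inheriTable` and `permitted` purely because `APP_FLAGS_SET_CAPS_FOWNER` is set in the spawn request, and nothing visible in this hunk checks that the requester was entitled to set that flag. If that authorization happens where the message is received, say so here, e.g. `/* flag is only accepted from senders verified to hold ohos.permission.FOWNER */`; if it does not, the check belongs before this assignment, since the flag otherwise lets any client able to submit a spawn request ask for a file-ownership bypass capability. The mask is also written as `(1 << CAP_FOWNER)` while the `#if` branch just above uses `CAP_TO_MASK(CAP_FOWNER)`; using the macro in both keeps them consistent: `baseCaps = CheckAppMsgFlagsSet(property, APP_FLAGS_SET_CAPS_FOWNER) ? CAP_TO_MASK(CAP_FOWNER) : 0;`. The function, and the `#if` this `#else` pairs with, start outside the hunk, so it is worth confirming the flag is not silently ignored in builds that take the `#if` branch.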