diff --git a/appdata-sandbox-asan.json b/appdata-sandbox-asan.json index cfde0075b56ffe60127789909b71b0036f31cc30..d0a8dbf2e58bf0f17e96e6889e60abee7557fd5c 100755 --- a/appdata-sandbox-asan.json +++ b/appdata-sandbox-asan.json @@ -19,6 +19,16 @@ "sandbox-path" : "/system/asan/bin", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" + }, { + "src-path" : "/system/asan/lib64", + "sandbox-path" : "/system/asan/lib64", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/vendor/asan/lib64", + "sandbox-path" : "/vendor/asan/lib64", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" } ], "symbol-links" : [ diff --git a/appdata-sandbox.json b/appdata-sandbox.json index 9c888d59985ea33fa1aef0f5140e5fa8e1ef04b4..77500194902347fddddaafc1e356d935c0afe0ef 100644 --- a/appdata-sandbox.json +++ b/appdata-sandbox.json @@ -48,11 +48,6 @@ "sandbox-path" : "/system/lib", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" - }, { - "src-path" : "/system/data", - "sandbox-path" : "/system/data", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" }, { "src-path" : "/system/usr", "sandbox-path" : "/system/usr", @@ -78,21 +73,11 @@ "sandbox-path" : "/system/framework", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" - }, { - "src-path" : "/system/etc/hosts", - "sandbox-path" : "/data/service/el1/public/hosts_user/hosts", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" }, { "src-path" : "/system/resource", "sandbox-path" : "/system/resource", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" - }, { - "src-path" : "/vendor/lib", - "sandbox-path" : "/vendor/lib", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" }, { "src-path" : "/vendor/etc/hiai", "sandbox-path" : "/vendor/etc/hiai", 
@@ -158,11 +143,6 @@ "sandbox-path" : "/data/storage/el2/auth_groups", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" - }, { - "src-path" : "/data/app/el1/public/aot_compiler/ark_cache/", - "sandbox-path" : "/data/storage/ark-cache", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" }, { "src-path" : "/data/app/el1//aot_compiler/ark_profile/", "sandbox-path" : "/data/storage/ark-profile", @@ -233,21 +213,11 @@ "sandbox-path" : "/data/storage/el4/database", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" - }, { - "src-path" : "/chip_prod/etc/passthrough", - "sandbox-path" : "/chip_prod/etc/passthrough", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" }, { "src-path" : "/mnt/hmdfs//cloud/data/", "sandbox-path" : "/data/storage/el2/cloud", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" - }, { - "src-path" : "/vendor/etc/vulkan", - "sandbox-path" : "/vendor/etc/vulkan", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" }, { "src-path" : "/mnt/data//media_fuse", "sandbox-path" : "/data/storage/el2/media", @@ -285,11 +255,6 @@ "sandbox-path" : "/data/storage/el1/bundle/arkwebcore", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" - }, { - "src-path" : "/system/app/ohos.global.systemres", - "sandbox-path" : "/data/global/systemResources", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" }, { "src-path" : "/system/app/SystemResources", "sandbox-path" : "/data/global/systemResources", 
@@ -409,6 +374,44 @@ } ]}], "symbol-links" : [] + }], + "app-nolog" : [{ + "mount-paths" : [{ + "src-path" : "/system/data", + "sandbox-path" : "/system/data", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/etc/hosts", + "sandbox-path" : "/data/service/el1/public/hosts_user/hosts", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/vendor/lib", + "sandbox-path" : "/vendor/lib", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/system/app/ohos.global.systemres", + "sandbox-path" : "/data/global/systemResources", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/data/app/el1/public/aot_compiler/ark_cache/", + "sandbox-path" : "/data/storage/ark-cache", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/chip_prod/etc/passthrough", + "sandbox-path" : "/chip_prod/etc/passthrough", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }, { + "src-path" : "/vendor/etc/vulkan", + "sandbox-path" : "/vendor/etc/vulkan", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }] }] }], "individual" : [{ diff --git a/appdata-sandbox64.json b/appdata-sandbox64.json index 2633f72f212d0aae1d777981b0d93177298f6446..3d979d17525dfa57f05d923e256585b21156dfd7 100644 --- a/appdata-sandbox64.json +++ b/appdata-sandbox64.json 
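Review bot: The `/system/app/ohos.global.systemres` entry moved into `app-nolog` now binds onto `/data/global/systemResources` after the `/system/app/SystemResources` entry that stays in the earlier list, which reverses the order the two had before this change. Both use the same `sandbox-path`, so the later bind shadows the earlier one when both sources exist, and the directory an app sees at that path can change. This follows from `app-nolog` being processed last in `DoSandboxFileCommonBind`. If the old precedence is intended, keep these two entries together in one section in their original order. The same consideration applies to the other moved entries, which are now mounted after `app-base` and `app-resources`.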
@@ -9,21 +9,11 @@ "sandbox-path" : "/system/lib64", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" - }, { - "src-path" : "/system/asan/lib64", - "sandbox-path" : "/system/asan/lib64", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" }, { "src-path" : "/vendor/lib64", "sandbox-path" : "/vendor/lib64", "sandbox-flags" : [ "bind", "rec" ], "check-action-status": "false" - }, { - "src-path" : "/vendor/asan/lib64", - "sandbox-path" : "/vendor/asan/lib64", - "sandbox-flags" : [ "bind", "rec" ], - "check-action-status": "false" }, { "src-path" : "/chip_prod/lib64/passthrough", "sandbox-path" : "/chip_prod/lib64/passthrough", @@ -43,6 +33,14 @@ "mount-paths" : [], "flags-point" : [], "symbol-links" : [] + }], + "app-nolog" : [{ + "mount-paths" : [{ + "src-path" : "/chip_prod/lib64/passthrough", + "sandbox-path" : "/chip_prod/lib64/passthrough", + "sandbox-flags" : [ "bind", "rec" ], + "check-action-status": "false" + }] }] }], "individual" : [{ diff --git a/etc/sandbox/appdata_sandbox_fixer.py b/etc/sandbox/appdata_sandbox_fixer.py index e049f56e9368b66f8eda90cc5711398bf81d0a05..0b001077e68e0a462eb8ee772f971dad222d963f 100755 --- a/etc/sandbox/appdata_sandbox_fixer.py +++ b/etc/sandbox/appdata_sandbox_fixer.py @@ -41,6 +41,12 @@ APP_SANDBOX_DEFAULT = ''' "mount-paths" : [], "flags-point" : [], "symbol-links" : [] + }], + "app-nolog" : [{ + "sandbox-root" : "/mnt/sandbox//", + "mount-paths" : [], + "flags-point" : [], + "symbol-links" : [] }] }], "individual" : [{}], @@ -179,7 +185,12 @@ def _merge_scope_common(origin, new): if app is not None and len(app) > 0: _merge_scope_app(origin.get("app-resources"), app) pass - + + #处理 app-nolog + app = new.get("app-nolog") + if app is not None and len(app) > 0: + _merge_scope_app(origin.get("app-nolog"), app) + pass def parse_args(args): args = build_utils.expand_file_args(args) 
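Review bot: `/chip_prod/lib64/passthrough` is added under `app-nolog` in the second hunk of appdata-sandbox64.json, but the first hunk still shows the same `src-path`/`sandbox-path` pair as an unchanged context entry in the earlier `mount-paths` list, so the path appears to be bind-mounted twice. appdata-sandbox.json removes each moved entry from its old list. Doing the same here avoids the stacked mount and the log output that the move is meant to suppress. The section names around the first hunk are outside the visible lines, so confirm that the earlier list is evaluated for the same apps.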
diff --git a/modules/common/appspawn_begetctl.c b/modules/common/appspawn_begetctl.c index 3696bb8ffb15f38071f147ebdb5ee79abcb5b8b9..984af15423c02a83633d6bffa2b9199c1c6f41bc 100755 --- a/modules/common/appspawn_begetctl.c +++ b/modules/common/appspawn_begetctl.c @@ -70,7 +70,7 @@ APPSPAWN_STATIC int RunBegetctlBootApp(AppSpawnMgr *content, AppSpawningCtx *pro APPSPAWN_CHECK_ONLY_EXPER(property != NULL, return -1); UNUSED(content); if ((property->client.flags & APP_BEGETCTL_BOOT) != APP_BEGETCTL_BOOT) { - APPSPAWN_LOGW("Enter begetctl boot without BEGETCTL_BOOT flag set"); + APPSPAWN_LOGV("Enter begetctl boot without BEGETCTL_BOOT flag set"); return 0; } uint32_t len = 0; diff --git a/modules/sandbox/normal/appspawn_sandbox_manager.cpp b/modules/sandbox/normal/appspawn_sandbox_manager.cpp index 201f68f822aa41a28ec7d62db116685f4c454412..f5b1172a6af50a572522bad69fd41765fea713a7 100644 --- a/modules/sandbox/normal/appspawn_sandbox_manager.cpp +++ b/modules/sandbox/normal/appspawn_sandbox_manager.cpp 
@@ -87,6 +87,60 @@ static int InstallDebugSandbox(AppSpawnMgr *content, AppSpawningCtx *property) return OHOS::AppSpawn::SandboxCore::InstallDebugSandbox(content, property); } +static void UmountDir(const char *rootPath, const char *targetPath, const AppSpawnedProcessInfo *appInfo) +{ + size_t allPathSize = strlen(rootPath) + USER_ID_SIZE + strlen(appInfo->name) + strlen(targetPath) + 2; + char *path = reinterpret_cast(malloc(sizeof(char) * (allPathSize))); + APPSPAWN_CHECK(path != nullptr, return, "Failed to malloc path"); + + int ret = sprintf_s(path, allPathSize, "%s%u/%s%s", rootPath, appInfo->uid / UID_BASE, + appInfo->name, targetPath); + APPSPAWN_CHECK(ret > 0 && ((size_t)ret < allPathSize), free(path); + return, "Failed to get sandbox path errno %{public}d", errno); + + ret = umount2(path, MNT_DETACH); + if (ret == 0) { + APPSPAWN_LOGV("Umount2 sandbox path %{public}s success", path); + } else { + APPSPAWN_LOGW("Failed to umount2 sandbox path %{public}s errno %{public}d", path, errno); + } + free(path); +} + +static int UmountSandboxPath(const AppSpawnMgr *content, const AppSpawnedProcessInfo *appInfo) +{ + APPSPAWN_CHECK(content != nullptr && appInfo != nullptr && appInfo->name != NULL, + return -1, "Invalid content or appInfo"); + if (!IsAppSpawnMode(content)) { + return 0; + } + APPSPAWN_LOGV("UmountSandboxPath name %{public}s pid %{public}d", appInfo->name, appInfo->pid); + const char rootPath[] = "/mnt/sandbox/"; + const char el1Path[] = "/data/storage/el1/bundle"; + + std::string varBundleName = std::string(appInfo->name); + if (appInfo->appIndex > 0) { + varBundleName = "+clone-" + std::to_string(appInfo->appIndex) + "+" + varBundleName; + } + + uint32_t userId = appInfo->uid / UID_BASE; + std::string key = std::to_string(userId) + "-" + varBundleName; + std::map *el1BundleCountMap = static_cast*>(GetEl1BundleMountCount()); + if (el1BundleCountMap == nullptr || el1BundleCountMap->find(key) == el1BundleCountMap->end()) { + return 0; + } + 
(*el1BundleCountMap)[key]--; + if ((*el1BundleCountMap)[key] == 0) { + APPSPAWN_LOGV("no app %{public}s use it in userId %{public}u, need umount", appInfo->name, userId); + UmountDir(rootPath, el1Path, appInfo); + el1BundleCountMap->erase(key); + } else { + APPSPAWN_LOGV("app %{public}s use it mount times %{public}d in userId %{public}u, not need umount", + appInfo->name, (*el1BundleCountMap)[key], userId); + } + return 0; +} + #ifndef APPSPAWN_SANDBOX_NEW MODULE_CONSTRUCTOR(void) { diff --git a/modules/sandbox/normal/sandbox_common.cpp b/modules/sandbox/normal/sandbox_common.cpp index 0503c71acc67f50612debf0c734b31d0dc70fe37..f2df29f61bc240c673e87bf83b1e53677a2ad0ac 100644 --- a/modules/sandbox/normal/sandbox_common.cpp +++ b/modules/sandbox/normal/sandbox_common.cpp @@ -1015,7 +1015,7 @@ int32_t SandboxCommon::DoAppSandboxMountOnce(const AppSpawningCtx *appProperty, ret = mount(nullptr, arg->destPath, nullptr, arg->mountSharedFlag, nullptr); if (ret != 0) { - APPSPAWN_LOGI("errno is: %{public}d, private mount to %{public}s '%{public}u' failed", + APPSPAWN_DUMPI("errno is: %{public}d, private mount to %{public}s '%{public}u' failed", errno, arg->destPath, arg->mountSharedFlag); if (errno == EINVAL) { CheckMountStatus(arg->destPath); 
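Review bot: `UmountSandboxPath` builds the counter key from `varBundleName`, which carries the `+clone-<index>+` prefix when `appInfo->appIndex > 0`, but `UmountDir` formats the path with `appInfo->name`, so for a clone app `umount2` is called on the un-prefixed bundle's directory. `MountEl1Bundle` in sandbox_shared_mount.cpp mounts under `/mnt/sandbox/<userId>/<varBundleName>/data/storage/el1/bundle`. If its caller passes the prefixed name, the clone's mount is never detached, and the base bundle's mount can be detached while its own count is still non-zero. Passing the computed name through keeps both sides on the same path, for example `UmountDir(rootPath, el1Path, userId, varBundleName.c_str())` with `UmountDir` taking the user id and directory name instead of `appInfo`. The registration of `UmountSandboxPath` as a hook is not visible in this hunk.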
@@ -1025,5 +1025,34 @@ int32_t SandboxCommon::DoAppSandboxMountOnce(const AppSpawningCtx *appProperty, return 0; } +int32_t SandboxCommon::DoAppSandboxMountOnceNolog(const AppSpawningCtx *appProperty, const SharedMountArgs *arg) +{ + if (!(arg && arg->srcPath && arg->destPath && arg->srcPath[0] != '\0' && arg->destPath[0] != '\0')) { + return 0; + } + if (strstr(arg->srcPath, "system/etc/hosts") != nullptr || strstr(arg->srcPath, "system/etc/profile") != nullptr) { + CreateFileIfNotExist(arg->destPath); + } else { + (void)CreateDirRecursive(arg->destPath, SandboxCommonDef::FILE_MODE); + } + + int ret = 0; + APPSPAWN_LOGV("Bind mount %{public}s to %{public}s '%{public}s' '%{public}lu' '%{public}s' '%{public}u'", + arg->srcPath, arg->destPath, arg->fsType, arg->mountFlags, arg->options, arg->mountSharedFlag); + ret = mount(arg->srcPath, arg->destPath, arg->fsType, arg->mountFlags, arg->options); + if (ret != 0) { + APPSPAWN_LOGV("errno is: %{public}d, bind mount %{public}s to %{public}s", errno, arg->srcPath, arg->destPath); + return ret; + } + + ret = mount(nullptr, arg->destPath, nullptr, arg->mountSharedFlag, nullptr); + if (ret != 0) { + APPSPAWN_LOGV("errno is: %{public}d, private mount to %{public}s '%{public}u' failed", + errno, arg->destPath, arg->mountSharedFlag); + return ret; + } + return 0; +} + } // namespace AppSpawn } // namespace OHOS \ No newline at end of file diff --git a/modules/sandbox/normal/sandbox_common.h b/modules/sandbox/normal/sandbox_common.h index 9d34623d05d1529bb5b6f91003b87e111e65e0b1..21fd39cfb74c651eec2849026b81393d7e55989b 100644 --- a/modules/sandbox/normal/sandbox_common.h +++ b/modules/sandbox/normal/sandbox_common.h @@ -97,6 +97,7 @@ public: // 挂载操作 static int32_t DoAppSandboxMountOnce(const AppSpawningCtx *appProperty, const SharedMountArgs *arg); + static int32_t DoAppSandboxMountOnceNolog(const AppSpawningCtx *appProperty, const SharedMountArgs *arg); private: // 加载配置文件 
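Review bot: In `DoAppSandboxMountOnceNolog` both failure branches log with `APPSPAWN_LOGV`, so the `errno` and source path of a failed bind mount are lost wherever verbose logging is off; the caller's check message carries only the section and `destPath`. If the aim is to silence expected misses on optional paths, limit the downgrade to that case, e.g. `if (errno != ENOENT) { APPSPAWN_LOGW("errno is: %{public}d, bind mount %{public}s to %{public}s", errno, arg->srcPath, arg->destPath); }`, and keep other errors visible. The function is otherwise a near copy of `DoAppSandboxMountOnce`, whose body is mostly outside this hunk, so a shared helper taking a logging flag would keep the two from drifting. The same duplication applies to `DoAllMntPointsMountNolog` in sandbox_core.cpp, which still reports the missing-config case with `APPSPAWN_LOGI`.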
diff --git a/modules/sandbox/normal/sandbox_core.cpp b/modules/sandbox/normal/sandbox_core.cpp index ea47460d33e899971584fded47015ee6a65c0f25..59e3cf8c6ee0dab77d002f2529b80185d344a9f1 100644 --- a/modules/sandbox/normal/sandbox_core.cpp +++ b/modules/sandbox/normal/sandbox_core.cpp @@ -337,6 +337,15 @@ int32_t SandboxCore::DoSandboxFileCommonBind(const AppSpawningCtx *appProperty, return 0; } ret = DoAllMntPointsMount(appProperty, appResourcesConfig, nullptr, SandboxCommonDef::g_appResources); + if (ret) { + return ret; + } + + cJSON *appNologConfig = GetFirstSubConfig(firstCommon, SandboxCommonDef::g_appNolog); + if (!appNologConfig) { + return 0; + } + ret = DoAllMntPointsMountNolog(appProperty, appNologConfig, nullptr, SandboxCommonDef::g_appNolog); return ret; } @@ -434,7 +443,7 @@ int32_t SandboxCore::MountAllHsp(const AppSpawningCtx *appProperty, std::string APPSPAWN_CHECK(count == cJSON_GetArraySize(modules), return -1, "MountAllHsp: sizes are not same"); APPSPAWN_CHECK(count == cJSON_GetArraySize(versions), return -1, "MountAllHsp: sizes are not same"); - APPSPAWN_LOGI("MountAllHsp app: %{public}s, count: %{public}d", GetBundleName(appProperty), count); + APPSPAWN_LOGV("MountAllHsp app: %{public}s, count: %{public}d", GetBundleName(appProperty), count); for (int i = 0; i < count; i++) { if (!(cJSON_IsString(cJSON_GetArrayItem(bundles, i)) && cJSON_IsString(cJSON_GetArrayItem(modules, i)) && cJSON_IsString(cJSON_GetArrayItem(versions, i)))) { @@ -521,7 +530,7 @@ int32_t SandboxCore::MountAllGroup(const AppSpawningCtx *appProperty, std::strin return ret; } -int32_t SandboxCore::ProcessMountPoint(cJSON *mntPoint, MountPointProcessParams ¶ms) +int32_t SandboxCore::ProcessMountPointCommmon(cJSON *mntPoint, MountPointProcessParams ¶ms, bool eableLogging) { APPSPAWN_CHECK_ONLY_EXPER(SandboxCommon::IsValidMountConfig(mntPoint, params.appProperty, params.checkFlag), return 0); 
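Review bot: The `app-nolog` block in `DoSandboxFileCommonBind` is reached only after the earlier `return 0` paths. The context line just above the added code shows one such return immediately before the `app-resources` mount, which looks like the missing-`app-resources` case (the condition itself is outside the hunk). If so, a configuration without `app-resources` silently skips every entry this commit moved into `app-nolog`, including `/system/data`, `/vendor/lib` and the hosts file bind. Handling the sections independently removes that coupling, for example `if (appResourcesConfig) { ret = DoAllMntPointsMount(appProperty, appResourcesConfig, nullptr, SandboxCommonDef::g_appResources); }` followed by the `app-nolog` lookup.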
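Review bot: The new helper name `ProcessMountPointCommmon` and its parameter `eableLogging` are misspelled at the definition in the last hunk of sandbox_core.cpp on this line, and again in the body in the following hunk and in the declaration in sandbox_core.h. Both are private, so renaming now is cheap: `ProcessMountPointCommon(cJSON *mntPoint, MountPointProcessParams &params, bool enableLogging)`. A one-line comment on the declaration stating that `false` selects the quiet mount path would document the flag. The function body continues outside this hunk.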
@@ -546,20 +555,38 @@ int32_t SandboxCore::ProcessMountPoint(cJSON *mntPoint, MountPointProcessParams .mountSharedFlag = GetBoolValueFromJsonObj(mntPoint, SandboxCommonDef::g_mountSharedFlag, false) ? MS_SHARED : MS_SLAVE }; - - int ret = SandboxCommon::DoAppSandboxMountOnce(params.appProperty, &arg); - APPSPAWN_CHECK(ret == 0 || !SandboxCommon::IsMountSuccessful(mntPoint), + int ret = 0; + if (eableLogging) { + ret = SandboxCommon::DoAppSandboxMountOnce(params.appProperty, &arg); + APPSPAWN_CHECK(ret == 0 || !SandboxCommon::IsMountSuccessful(mntPoint), #ifdef APPSPAWN_HISYSEVENT ReportMountFail(params.bundleName.c_str(), arg.srcPath, arg.destPath, errno); ret = APPSPAWN_SANDBOX_MOUNT_FAIL; #endif return ret, "DoAppSandboxMountOnce section %{public}s failed, %{public}s", params.section.c_str(), arg.destPath); + } else { + ret = SandboxCommon::DoAppSandboxMountOnceNolog(params.appProperty, &arg); + APPSPAWN_CHECK(ret == 0 || !SandboxCommon::IsMountSuccessful(mntPoint), + return ret, + "DoAppSandboxMountOnceNolog section %{public}s failed, %{public}s", params.section.c_str(), arg.destPath); + } + SetDecPolicyWithPermission(params.appProperty, mountConfig); SandboxCommon::SetSandboxPathChmod(mntPoint, params.sandboxRoot); return 0; } +int32_t SandboxCore::ProcessMountPoint(cJSON *mntPoint, MountPointProcessParams ¶ms) +{ + return ProcessMountPointCommmon(mntPoint, params, true); +} + +int32_t SandboxCore::ProcessMountPointNolog(cJSON *mntPoint, MountPointProcessParams ¶ms) +{ + return ProcessMountPointCommmon(mntPoint, params, false); +} + int32_t SandboxCore::DoAllMntPointsMount(const AppSpawningCtx *appProperty, cJSON *appConfig, const char *typeName, const std::string §ion) { 
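Review bot: In the `else` branch of `ProcessMountPointCommmon`, a failed `DoAppSandboxMountOnceNolog` skips the `ReportMountFail` call and the `APPSPAWN_SANDBOX_MOUNT_FAIL` mapping that the logging branch performs under `APPSPAWN_HISYSEVENT`. Mount failures for the relocated entries therefore no longer produce a system event, and the function returns the raw `mount` result instead. If reduced logging is the only intent, let the flag choose just the mount helper, `ret = eableLogging ? SandboxCommon::DoAppSandboxMountOnce(params.appProperty, &arg) : SandboxCommon::DoAppSandboxMountOnceNolog(params.appProperty, &arg);`, and keep the single existing `APPSPAWN_CHECK` with its event reporting for both cases. The start of the function is outside this hunk.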
@@ -588,6 +615,34 @@ int32_t SandboxCore::DoAllMntPointsMount(const AppSpawningCtx *appProperty, cJSO return SandboxCommon::HandleArrayForeach(mountPoints, processor); } +int32_t SandboxCore::DoAllMntPointsMountNolog(const AppSpawningCtx *appProperty, cJSON *appConfig, + const char *typeName, const std::string §ion) +{ + std::string bundleName = GetBundleName(appProperty); + cJSON *mountPoints = cJSON_GetObjectItemCaseSensitive(appConfig, SandboxCommonDef::g_mountPrefix); + if (mountPoints == nullptr || !cJSON_IsArray(mountPoints)) { + APPSPAWN_LOGI("mount config is not found in %{public}s, app name is %{public}s", + section.c_str(), bundleName.c_str()); + return 0; + } + + std::string sandboxRoot = SandboxCommon::GetSandboxRootPath(appProperty, appConfig); + bool checkFlag = CheckMountFlag(appProperty, bundleName, appConfig); + MountPointProcessParams mountPointParams = { + .appProperty = appProperty, + .checkFlag = checkFlag, + .section = section, + .sandboxRoot = sandboxRoot, + .bundleName = bundleName + }; + + auto processor = [&mountPointParams](cJSON *mntPoint) { + return ProcessMountPointNolog(mntPoint, mountPointParams); + }; + + return SandboxCommon::HandleArrayForeach(mountPoints, processor); +} + int32_t SandboxCore::DoAddGid(AppSpawningCtx *appProperty, cJSON *appConfig, const char *permissionName, const std::string §ion) { diff --git a/modules/sandbox/normal/sandbox_core.h b/modules/sandbox/normal/sandbox_core.h index 8758e863c111e6c4d44b49d976bee245af39e4ea..39c91fdf285e4b08f727c7c7e423d95a47fab555 100644 --- a/modules/sandbox/normal/sandbox_core.h +++ b/modules/sandbox/normal/sandbox_core.h 
@@ -34,6 +34,8 @@ public: // 沙箱挂载公共处理 static int32_t DoAllMntPointsMount(const AppSpawningCtx *appProperty, cJSON *appConfig, const char *typeName, const std::string §ion = "app-base"); + static int32_t DoAllMntPointsMountNolog(const AppSpawningCtx *appProperty, cJSON *appConfig, + const char *typeName, const std::string §ion = "app-nolog"); static int32_t DoAddGid(AppSpawningCtx *appProperty, cJSON *appConfig, const char* permissionName, const std::string §ion); static int32_t DoAllSymlinkPointslink(const AppSpawningCtx *appProperty, cJSON *appConfig); @@ -111,6 +113,8 @@ private: // 沙箱回调函数 static int32_t ProcessMountPoint(cJSON *mntPoint, MountPointProcessParams ¶ms); + static int32_t ProcessMountPointNolog(cJSON *mntPoint, MountPointProcessParams ¶ms); + static int32_t ProcessMountPointCommmon(cJSON *mntPoint, MountPointProcessParams ¶ms, bool eableLogging); // debug hap static std::string ConvertDebugRealPath(const AppSpawningCtx *appProperty, std::string path); diff --git a/modules/sandbox/normal/sandbox_def.h b/modules/sandbox/normal/sandbox_def.h index e0dcfdc8c797c68fd03a01bcf0c69858b0e188bb..8e8d61507aaa1cb5d7283fd1b811222b061d6054 100644 --- a/modules/sandbox/normal/sandbox_def.h +++ b/modules/sandbox/normal/sandbox_def.h @@ -30,7 +30,7 @@ constexpr int32_t FILE_ACCESS_COMMON_DIR_STATUS = 0; constexpr int32_t FILE_CROSS_APP_STATUS = 1; constexpr static mode_t FILE_MODE = 0711; constexpr static mode_t BASIC_MOUNT_FLAGS = MS_REC | MS_BIND; -constexpr int32_t MAX_MOUNT_TIME = 500; // 500us +constexpr int32_t MAX_MOUNT_TIME = 5000; // 5000us constexpr int32_t LOCK_STATUS_SIZE = 16; // 沙盒配置文件 
@@ -49,6 +49,7 @@ constexpr const char *g_commonPrefix = "common"; constexpr const char *g_privatePrefix = "individual"; constexpr const char *g_permissionPrefix = "permission"; constexpr const char *g_appBase = "app-base"; +constexpr const char *g_appNolog = "app-nolog"; constexpr const char *g_appResources = "app-resources"; constexpr const char *g_flagePoint = "flags-point"; const std::string g_internal = "__internal__"; diff --git a/modules/sandbox/normal/sandbox_shared_mount.cpp b/modules/sandbox/normal/sandbox_shared_mount.cpp index 6b68acaeeb39b64c69195784783c76ee42f15652..3dba7cf32a93900804900de635778976e31eebbd 100644 --- a/modules/sandbox/normal/sandbox_shared_mount.cpp +++ b/modules/sandbox/normal/sandbox_shared_mount.cpp @@ -112,7 +112,7 @@ static bool IsUnlockStatus(uint32_t uid) std::string lockStatusParam = "startup.appspawn.lockstatus_" + std::to_string(uid); char userLockStatus[LOCK_STATUS_SIZE] = {0}; int ret = GetParameter(lockStatusParam.c_str(), "1", userLockStatus, sizeof(userLockStatus)); - APPSPAWN_LOGI("lockStatus %{public}u %{public}s", uid, userLockStatus); + APPSPAWN_DUMPI("lockStatus %{public}u %{public}s", uid, userLockStatus); if (ret > 0 && (strcmp(userLockStatus, "0") == 0)) { // 0:unlock status 1:lock status return true; } @@ -141,7 +141,7 @@ static int DoSharedMount(const SharedMountArgs *arg) APPSPAWN_LOGE("mount path %{public}s to shared failed, errno %{public}d", arg->destPath, errno); return ret; } - APPSPAWN_LOGI("mount path %{public}s to shared success", arg->destPath); + APPSPAWN_DUMPI("mount path %{public}s to shared success", arg->destPath); return 0; } 
@@ -155,6 +155,60 @@ static bool SetSandboxPathShared(const std::string &sandboxPath) return true; } +static int MountEl1Bundle(const AppSpawningCtx *property, const AppDacInfo *info, const char *varBundleName) +{ + /* /data/app/el1/bundle/public/ */ + AppSpawnMsgBundleInfo *bundleInfo = + reinterpret_cast(GetAppProperty(property, TLV_BUNDLE_INFO)); + if (bundleInfo == nullptr) { + return APPSPAWN_SANDBOX_INVALID; + } + char sourcePath[PATH_MAX_LEN] = {0}; + int ret = snprintf_s(sourcePath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "/data/app/el1/bundle/public/%s", + bundleInfo->bundleName); + if (ret <= 0) { + APPSPAWN_LOGE("snprintf data/app/el1/bundle/public/%{public}s failed, errno %{public}d", + bundleInfo->bundleName, errno); + return APPSPAWN_ERROR_UTILS_MEM_FAIL; + } + + /* /mnt/sandbox///data/storage/el1/bundle */ + char targetPath[PATH_MAX_LEN] = {0}; + ret = snprintf_s(targetPath, PATH_MAX_LEN, PATH_MAX_LEN - 1, "/mnt/sandbox/%u/%s/data/storage/el1/bundle", + info->uid/ UID_BASE, varBundleName); + if (ret <= 0) { + APPSPAWN_LOGE("snprintf el1 bundle sandbox path failed, errno %{public}d", errno); + return APPSPAWN_ERROR_UTILS_MEM_FAIL; + } + + ret = MakeDirRec(targetPath, DIR_MODE, 1); + if (ret != 0) { + APPSPAWN_LOGE("mkdir %{public}s failed, errno %{public}d", targetPath, errno); + return APPSPAWN_SANDBOX_ERROR_MKDIR_FAIL; + } + + ret = umount2(targetPath, MNT_DETACH); + if (ret != 0) { + APPSPAWN_LOGV("umount2 %{public}s failed, errno %{public}d", targetPath, errno); + } + + SharedMountArgs arg = { + .srcPath = sourcePath, + .destPath = targetPath, + .fsType = nullptr, + .mountFlags = MS_BIND | MS_REC, + .options = nullptr, + .mountSharedFlag = MS_SHARED + }; + ret = DoSharedMount(&arg); + if (ret != 0) { + APPSPAWN_LOGE("mount %{public}s shared failed, ret %{public}d", targetPath, ret); + } + std::string key = std::to_string(info->uid / UID_BASE) + "-" + std::string(varBundleName); + g_mountInfoMap[key]++; + return ret; +} + static int MountWithFileMgr(const 
AppSpawningCtx *property, const AppDacInfo *info, const char *varBundleName) { /* /mnt/user//nosharefs/docs */ diff --git a/modules/sandbox/sandbox_dec.c b/modules/sandbox/sandbox_dec.c index 72c0d4f8ecc49ec8ae99545226d0338456ce4c48..2f08a3958426b715e3ab9887cac11c7dd069623e 100644 --- a/modules/sandbox/sandbox_dec.c +++ b/modules/sandbox/sandbox_dec.c @@ -127,7 +127,7 @@ static int SetDenyConstraintDirs(AppSpawnMgr *content) } else { APPSPAWN_LOGI("set CONSTRAINT_DEC_POLICY_CMD sandbox policy success."); for (uint32_t i = 0; i < decPolicyInfos.pathNum; i++) { - APPSPAWN_LOGI("policy info: %{public}s", decPolicyInfos.path[i].path); + APPSPAWN_LOGI("%{public}s", decPolicyInfos.path[i].path); } } close(fd); @@ -161,7 +161,7 @@ static int SetForcedPrefixDirs(AppSpawnMgr *content) } else { APPSPAWN_LOGI("set SET_DEC_PREFIX_CMD sandbox policy success."); for (uint32_t i = 0; i < decPolicyInfos.pathNum; i++) { - APPSPAWN_LOGI("policy info: %{public}s", decPolicyInfos.path[i].path); + APPSPAWN_LOGI("%{public}s", decPolicyInfos.path[i].path); } } close(fd); @@ -190,9 +190,9 @@ void SetDecPolicy(void) if (ioctl(fd, SET_DEC_POLICY_CMD, g_decPolicyInfos) < 0) { APPSPAWN_LOGE("set sandbox policy failed."); } else { - APPSPAWN_LOGI("set SET_DEC_POLICY_CMD sandbox policy success. timestamp:%{public}" PRId64 "", timestamp); + APPSPAWN_LOGV("set sandbox policy success. timestamp:%{public}" PRId64 "", timestamp); for (uint32_t i = 0; i < g_decPolicyInfos->pathNum; i++) { - APPSPAWN_LOGI("policy info: path %{public}s, mode 0x%{public}x", + APPSPAWN_DUMPI("path %{public}s, mode 0x%{public}x", g_decPolicyInfos->path[i].path, g_decPolicyInfos->path[i].mode); } } diff --git a/standard/appspawn_msgmgr.c b/standard/appspawn_msgmgr.c index 51d9f8df2540d36b707290d91a72e25df0868a08..e6e366055fab345ad4f63141238e44d4b1fafa76 100644 --- a/standard/appspawn_msgmgr.c +++ b/standard/appspawn_msgmgr.c 
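Review bot: `g_mountInfoMap[key]++` at the end of `MountEl1Bundle` runs even when `DoSharedMount` has just failed, so the reference count can record a mount that does not exist while the function returns the error. Whether the matching decrement in `UmountSandboxPath` still runs for that spawn depends on the caller, which is outside this hunk. If the spawn is aborted on the returned error, the entry stays above zero and the el1 bundle mount for that user and bundle is never detached. If that is the case, count only successful mounts, `if (ret == 0) { g_mountInfoMap[key]++; }`, and add a comment naming the hook that performs the decrement. `varBundleName` is also converted to `std::string` without a null check, so a short comment stating that callers guarantee a non-null name would help.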
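Review bot: In `SetDecPolicy` the success header is now `APPSPAWN_LOGV`, while the per-path lines use `APPSPAWN_DUMPI`, which per its definition in appspawn_utils.h logs at info level without the `[file:line]` prefix. With verbose logging off, the output is a run of `path ..., mode 0x...` lines with nothing to show which policy command or source file produced them. `SetDenyConstraintDirs` and `SetForcedPrefixDirs` keep an info-level header, but their per-path lines are reduced to a bare `%{public}s`, so each line is attributable only through the line before it. Keeping a short tag on the path lines, for example `"dec path %{public}s, mode 0x%{public}x"`, retains most of the size saving and keeps the applied policy traceable when logs are filtered or interleaved.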
@@ -349,7 +349,7 @@ int GetAppSpawnMsgFromBuffer(const uint8_t *buffer, uint32_t bufferLen, static inline void DumpMsgFlags(const char *processName, const char *info, const AppSpawnMsgFlags *msgFlags) { for (uint32_t i = 0; i < msgFlags->count; i++) { - APPSPAWN_DUMP("processName: %{public}s %{public}d %{public}s flags: 0x%{public}x", + APPSPAWN_DUMP("%{public}s %{public}d %{public}s flags: 0x%{public}x", processName, i, info, msgFlags->flags[i]); } } @@ -379,7 +379,7 @@ void DumpAppSpawnMsg(const AppSpawnMsgNode *message) APPSPAWN_ONLY_EXPER(msgFlags != NULL, DumpMsgFlags(message->msgHeader.processName, "App", msgFlags)); msgFlags = (AppSpawnMsgFlags *)GetAppSpawnMsgInfo(message, TLV_PERMISSION); APPSPAWN_ONLY_EXPER(msgFlags != NULL, - DumpMsgFlags(message->msgHeader.processName, "App permission bits", msgFlags)); + DumpMsgFlags(message->msgHeader.processName, "Bits", msgFlags)); AppSpawnMsgDacInfo *dacInfo = (AppSpawnMsgDacInfo *)GetAppSpawnMsgInfo(message, TLV_DAC_INFO); if (dacInfo != NULL) { diff --git a/util/include/appspawn_utils.h b/util/include/appspawn_utils.h index 7ce58c6d08016ba393c05b5ef3c1a673960eb954..255b4c4182c7b58630d39cadd275ce0c0b57038c 100644 --- a/util/include/appspawn_utils.h +++ b/util/include/appspawn_utils.h @@ -182,7 +182,7 @@ int EnableNewNetNamespace(void); HILOG_WARN(LOG_CORE, "[%{public}s:%{public}d]" fmt, (APP_FILE_NAME), (__LINE__), ##__VA_ARGS__) #define APPSPAWN_LOGF(fmt, ...) \ HILOG_FATAL(LOG_CORE, "[%{public}s:%{public}d]" fmt, (APP_FILE_NAME), (__LINE__), ##__VA_ARGS__) -#define APPSPAWN_DUMP_LOGI(fmt, ...) \ +#define APPSPAWN_DUMPI(fmt, ...) \ HILOG_INFO(LOG_CORE, fmt, ##__VA_ARGS__) #define APPSPAWN_DUMP(fmt, ...) \ do { \ 
@@ -202,7 +202,7 @@ int EnableNewNetNamespace(void); HILOG_DEBUG(HILOG_MODULE_HIVIEW, "[%{public}s:%{public}d]" fmt, (APP_FILE_NAME), (__LINE__), ##__VA_ARGS__) #define APPSPAWN_LOGW(fmt, ...) \ HILOG_FATAL(HILOG_MODULE_HIVIEW, "[%{public}s:%{public}d]" fmt, (APP_FILE_NAME), (__LINE__), ##__VA_ARGS__) -#define APPSPAWN_DUMP_LOGI(fmt, ...) \ +#define APPSPAWN_DUMPI(fmt, ...) \ HILOG_INFO(HILOG_MODULE_HIVIEW, fmt, ##__VA_ARGS__) #define APPSPAWN_KLOGI(fmt, ...) \ HILOG_INFO(HILOG_MODULE_HIVIEW, "[%{public}s:%{public}d]" fmt, (APP_FILE_NAME), (__LINE__), ##__VA_ARGS__)