From 451467af54c0856189f8e40f91bf7e5d5034f91b Mon Sep 17 00:00:00 2001
From: Zheng Yongjun
Date: Mon, 23 May 2022 15:29:38 +0800
Subject: [PATCH 1/3] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=BA=94=E7=94=A8?= =?UTF-8?q?=E6=B2=99=E7=AE=B1=E6=8C=82=E8=BD=BD=E6=97=B6=E7=9A=84mountflag?= =?UTF-8?q?=E9=80=89=E9=A1=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Zheng Yongjun
---
 util/src/sandbox_utils.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/util/src/sandbox_utils.cpp b/util/src/sandbox_utils.cpp
index 333f9070..d88a9fe0 100644
--- a/util/src/sandbox_utils.cpp
+++ b/util/src/sandbox_utils.cpp
@@ -204,7 +204,12 @@ unsigned long SandboxUtils::GetMountFlagsFromConfig(const std::vector
Date: Mon, 23 May 2022 19:33:17 +0800
Subject: [PATCH 2/3] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=BA=94=E7=94=A8?= =?UTF-8?q?=E6=B2=99=E7=AE=B1mount=E6=93=8D=E4=BD=9C=E7=9A=84options?= =?UTF-8?q?=E5=8F=82=E6=95=B0=E6=8E=A5=E5=8F=97=E5=8F=8A=E5=A4=84=E7=90=86?= =?UTF-8?q?=E6=9C=BA=E5=88=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Zheng Yongjun
---
 util/include/sandbox_utils.h | 5 +++--
 util/src/sandbox_utils.cpp | 29 ++++++++++++++---------------
 2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/util/include/sandbox_utils.h b/util/include/sandbox_utils.h
index 4a7d5fa3..e4c0db20 100644
--- a/util/include/sandbox_utils.h
+++ b/util/include/sandbox_utils.h
@@ -34,8 +34,9 @@ public:
 private:
 static void MakeDirRecursive(const std::string path, mode_t mode);
- static int32_t DoAppSandboxMountOnce(const std::string originPath, const std::string destinationPath,
- const std::string fsType, unsigned long mountFlags);
+ static int32_t DoAppSandboxMountOnce(const char *originPath, const char *destinationPath,
+ const char *fsType, unsigned long mountFlags,
+ const char *options);
 static int32_t DoSandboxFileCommonBind(const ClientSocket::AppProperty *appProperty, nlohmann::json &wholeConfig);
 static int32_t DoSandboxFileCommonSymlink(const ClientSocket::AppProperty *appProperty, nlohmann::json &wholeConfig);
diff --git a/util/src/sandbox_utils.cpp b/util/src/sandbox_utils.cpp
index d88a9fe0..e403530f 100644
--- a/util/src/sandbox_utils.cpp
+++ b/util/src/sandbox_utils.cpp
@@ -111,8 +111,9 @@ void SandboxUtils::MakeDirRecursive(const std::string path, mode_t mode)
 } while (index < size);
 }
-int32_t SandboxUtils::DoAppSandboxMountOnce(const std::string originPath, const std::string destinationPath,
- const std::string fsType, unsigned long mountFlags)
+int32_t SandboxUtils::DoAppSandboxMountOnce(const char *originPath, const char *destinationPath,
+ const char *fsType, unsigned long mountFlags,
+ const char *options)
 {
 int ret = 0;
@@ -120,20 +121,16 @@ int32_t SandboxUtils::DoAppSandboxMountOnce(const std::string originPath, const
 MakeDirRecursive(destinationPath, FILE_MODE);
 // to mount fs and bind mount files or directory
- if (fsType.empty()) {
- ret = mount(originPath.c_str(), destinationPath.c_str(), NULL, mountFlags, NULL);
- } else {
- ret = mount(originPath.c_str(), destinationPath.c_str(), fsType.c_str(), mountFlags, NULL);
- }
+ ret = mount(originPath, destinationPath, fsType, mountFlags, options);
 if (ret) {
- HiLog::Error(LABEL, "bind mount %{public}s to %{public}s failed %{public}d", originPath.c_str(),
- destinationPath.c_str(), errno);
+ HiLog::Error(LABEL, "bind mount %{public}s to %{public}s failed %{public}d", originPath,
+ destinationPath, errno);
 return ret;
 }
- ret = mount(NULL, destinationPath.c_str(), NULL, MS_PRIVATE, NULL);
+ ret = mount(NULL, destinationPath, NULL, MS_PRIVATE, NULL);
 if (ret) {
- HiLog::Error(LABEL, "private mount to %{public}s failed %{public}d", destinationPath.c_str(), errno);
+ HiLog::Error(LABEL, "private mount to %{public}s failed %{public}d", destinationPath, errno);
 return ret;
 }
@@ -302,10 +299,10 @@ int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProper
 int ret = 0;
 if (mntPoint.find(FS_TYPE) == mntPoint.end()) {
- ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), "", mountFlags);
+ ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), "", mountFlags, nullptr);
 } else {
 std::string fsType = mntPoint[FS_TYPE].get();
- ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), fsType.c_str(), mountFlags);
+ ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), fsType.c_str(), mountFlags, nullptr);
 }
 if (ret) {
 HiLog::Error(LABEL, "DoAppSandboxMountOnce failed, %{public}s", sandboxPath.c_str());
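Review bot: The `fsType.empty()` branch that mapped an empty type to `NULL` is removed in the `-120,20` hunk, so the `""` still passed by the call sites in the `-302,10`, `-510,7` and `-545,7` hunks now reaches `mount()` as an empty filesystem-type string. That is ignored while `MS_BIND` is set, but in `DoAllMntPointsMount` the flags come from the JSON config, so a non-bind entry without `fs-type` would be mounted with `""` instead of `NULL` (PATCH 3/3 switches that one caller to `nullptr`; the other two keep `""`). The raw pointers are also used unchecked: the context line `MakeDirRecursive(destinationPath, FILE_MODE)` builds a `std::string` from `destinationPath`, which is undefined for a null pointer. Normalising at the top of the function would cover both, e.g. `if (originPath == nullptr || destinationPath == nullptr) { return -1; }` and `if (fsType != nullptr && fsType[0] == '\0') { fsType = nullptr; }`. The function body starts in the previous hunk and continues past this one.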
@@ -510,7 +507,8 @@ int32_t SandboxUtils::SetCommonAppSandboxProperty(const ClientSocket::AppPropert
 strcmp(appProperty->apl, APL_SYSTEM_CORE.data()) == 0) {
 // need permission check for system app here
 std::string destbundlesPath = sandboxPackagePath + DATA_BUNDLES;
- DoAppSandboxMountOnce(PHYSICAL_APP_INSTALL_PATH.c_str(), destbundlesPath.c_str(), "", BASIC_MOUNT_FLAGS);
+ DoAppSandboxMountOnce(PHYSICAL_APP_INSTALL_PATH.c_str(), destbundlesPath.c_str(), "", BASIC_MOUNT_FLAGS,
+ nullptr);
 }
 return 0;
@@ -545,7 +543,8 @@ int32_t SandboxUtils::DoSandboxRootFolderCreate(const ClientSocket::AppProperty
 return rc;
 }
- DoAppSandboxMountOnce(sandboxPackagePath.c_str(), sandboxPackagePath.c_str(), "", BASIC_MOUNT_FLAGS);
+ DoAppSandboxMountOnce(sandboxPackagePath.c_str(), sandboxPackagePath.c_str(), "",
+ BASIC_MOUNT_FLAGS, nullptr);
 return 0;
 }
-- Gitee
From 66c9f9ce01958db1e64e3837db899beda3d5372e Mon Sep 17 00:00:00 2001
From: Zheng Yongjun
Date: Mon, 23 May 2022 22:01:23 +0800
Subject: [PATCH 3/3] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=AF=B9=E7=89=B9?= =?UTF-8?q?=E6=AE=8A=E5=BA=94=E7=94=A8=E8=BF=9B=E8=A1=8C=E7=89=B9=E6=AE=8A?= =?UTF-8?q?=E5=9C=BA=E6=99=AF=E5=A4=84=E7=90=86=E7=9A=84=E5=85=AC=E5=85=B1?= =?UTF-8?q?=E6=A1=86=E6=9E=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Zheng Yongjun
---
 appdata-sandbox.json | 13 +++++
 appdata-sandbox64.json | 8 +--
 util/src/sandbox_utils.cpp | 107 ++++++++++++++++++++++++++++++-------
 3 files changed, 104 insertions(+), 24 deletions(-)
diff --git a/appdata-sandbox.json b/appdata-sandbox.json
index 2ddac3b2..5eb8e622 100644
--- a/appdata-sandbox.json
+++ b/appdata-sandbox.json
@@ -221,6 +221,19 @@
 }
 ],
 "symbol-links" : []
+ }],
+ "ohos.samples.dlp" : [{
+ "sandbox-switch": "ON",
+ "sandbox-root" : "/mnt/sandbox/",
+ "mount-paths" : [{
+ "src-path" : "/dev/fuse",
+ "sandbox-path" : "/data/fuse",
+ "sandbox-flags" : [ "MS_NOSUID", "MS_NODEV", "MS_NOEXEC", "MS_NOATIME", "MS_LAZYTIME" ],
+ "fs-type": "fuse",
+ "check-action-status": "false"
+ }
+ ],
+ "symbol-links" : []
 }]
 }]
 }
diff --git a/appdata-sandbox64.json b/appdata-sandbox64.json
index 1047a0f9..279fa052 100644
--- a/appdata-sandbox64.json
+++ b/appdata-sandbox64.json
@@ -228,14 +228,14 @@
 "symbol-links" : []
 }],
 "ohos.samples.dlp" : [{
- "sandbox-switch": "OFF",
+ "sandbox-switch": "ON",
 "sandbox-root" : "/mnt/sandbox/",
 "mount-paths" : [{
 "src-path" : "/dev/fuse",
 "sandbox-path" : "/data/fuse",
- "sandbox-flags" : [ "rec" ],
- "fs-type": "fusefs",
- "check-action-status": "true"
+ "sandbox-flags" : [ "MS_NOSUID", "MS_NODEV", "MS_NOEXEC", "MS_NOATIME", "MS_LAZYTIME" ],
+ "fs-type": "fuse",
+ "check-action-status": "false"
 }
 ],
 "symbol-links" : []
diff --git a/util/src/sandbox_utils.cpp b/util/src/sandbox_utils.cpp
index e403530f..3b1f35ce 100644
--- a/util/src/sandbox_utils.cpp
+++ b/util/src/sandbox_utils.cpp
@@ -16,12 +16,15 @@
 #include "sandbox_utils.h"
 #include "json_utils.h"
 #include "hilog/log.h"
+#include "securec.h"
 #include
 #include
 #include
 #include
 #include
+#include
+#include
 #include
 #include
 #include
@@ -37,6 +40,8 @@ namespace OHOS {
 namespace AppSpawn {
 namespace {
 constexpr int32_t UID_BASE = 200000;
+ constexpr int32_t FUSE_OPTIONS_MAX_LEN = 128;
+ constexpr int32_t DLP_FUSE_FD = 1000;
 constexpr static mode_t FILE_MODE = 0711;
 constexpr static mode_t BASIC_MOUNT_FLAGS = MS_REC | MS_BIND;
 constexpr std::string_view APL_SYSTEM_CORE("system_core");
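Review bot: `"check-action-status"` goes from `"true"` to `"false"` in the `appdata-sandbox64.json` hunk, the same hunk that switches the `ohos.samples.dlp` sandbox to `ON`, and the new entry in `appdata-sandbox.json` is added with `"false"` as well. If that key decides whether a failed mount aborts the spawn (the code reading it is not part of this patch, so this is an assumption), the app would start without its `/data/fuse` mount whenever the FUSE setup fails, and nothing would stop it. Unless that is the intent, keep `"check-action-status": "true"` for this entry in both files. The flag names `MS_NOATIME` and `MS_LAZYTIME` also have to be known to `GetMountFlagsFromConfig`; the PATCH 1/3 hunk that would add them is not readable on this page, so that is worth confirming.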
@@ -206,7 +211,7 @@ unsigned long SandboxUtils::GetMountFlagsFromConfig(const std::vectorbundleName); return false; }
+
+ if (mntPoint[APP_APL_NAME] != nullptr) {
+ std::string app_apl_name = mntPoint[APP_APL_NAME];
+ const char *p_app_apl = nullptr;
+ p_app_apl = app_apl_name.c_str();
+ if (!strcmp(p_app_apl, appProperty->apl)) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+static int32_t DoDlpAppMountStrategy(const std::string &srcPath, const std::string &sandboxPath,
+ const std::string &fsType, unsigned long mountFlags)
+{
+ int fd = open("/dev/fuse", O_RDWR);
+ if (fd == -1) {
+ HiLog::Error(LABEL, "open /dev/fuse failed, errno is %{public}d", errno);
+ return -EINVAL;
+ }
+
+ char options[FUSE_OPTIONS_MAX_LEN];
+ (void)sprintf_s(options, sizeof(options), "fd=%d,rootmode=40000,user_id=0,group_id=0", fd);
+
+ int ret = mount(srcPath.c_str(), sandboxPath.c_str(), fsType.c_str(), mountFlags, options);
+ if (ret) {
+ HiLog::Error(LABEL, "DoDlpAppMountStrategy failed, bind mount %{public}s to %{public}s"
+ "failed %{public}d", srcPath.c_str(), sandboxPath.c_str(), errno);
+ return ret;
+ }
+
+ /* close DLP_FUSE_FD and dup FD to it */
+ close(DLP_FUSE_FD);
+ ret = dup2(fd, DLP_FUSE_FD);
+ if (ret) {
+ HiLog::Error(LABEL, "dup fuse fd %{public}d failed, errno is %{public}d",
+ fd, errno);
+ }
+
+ return ret;
+}
+
+static int32_t HandleSpecialAppMount(const std::string &srcPath, const std::string &sandboxPath,
+ const std::string &fsType, unsigned long mountFlags,
+ const std::string &bundleName)
+{
+ /* dlp application mount strategy */
+ /* dlp is an example, we should change to real bundle name later */
+ if (bundleName.find("dlp") != -1) {
+ if (fsType.empty()) {
+ return -1;
+ } else {
+ return DoDlpAppMountStrategy(srcPath, sandboxPath, fsType, mountFlags);
+ }
+ }
+
+ return -1;
+}
+
 int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProperty, nlohmann::json &appConfig)
 {
 if (appConfig.find(MOUNT_PREFIX) == appConfig.end()) {
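Review bot: `dup2()` returns the new descriptor on success, so `ret = dup2(fd, DLP_FUSE_FD); if (ret)` in `DoDlpAppMountStrategy` logs an error and returns 1000 every time the duplication works. `HandleSpecialAppMount` hands that value on, and it also returns -1 both for "not a special bundle" and for a failed special mount, so the caller in the `-276,33` hunk, which falls back on any non-zero result, appears to attempt the common mount again on top of a FUSE mount that already succeeded. The descriptor from `open("/dev/fuse", O_RDWR)` is never closed, neither when `mount()` fails nor after it has been duplicated, and the separate `close(DLP_FUSE_FD)` is redundant because `dup2` replaces the target itself. `bundleName.find("dlp") != -1` matches every bundle name that contains "dlp"; an exact comparison with the intended name (or at least `std::string::npos`) keeps this path, which mounts with `user_id=0,group_id=0`, away from unrelated packages. A possible shape for the descriptor handling follows.

```cpp
    char options[FUSE_OPTIONS_MAX_LEN];
    if (sprintf_s(options, sizeof(options), "fd=%d,rootmode=40000,user_id=0,group_id=0", fd) < 0) {
        close(fd);
        return -EINVAL;
    }

    int ret = mount(srcPath.c_str(), sandboxPath.c_str(), fsType.c_str(), mountFlags, options);
    if (ret) {
        // ... unchanged: HiLog::Error for the failed mount ...
        close(fd);
        return ret;
    }

    /* dup2 closes DLP_FUSE_FD itself; it returns the new descriptor, or -1 on error */
    if (fd != DLP_FUSE_FD) {
        if (dup2(fd, DLP_FUSE_FD) < 0) {
            HiLog::Error(LABEL, "dup fuse fd %{public}d failed, errno is %{public}d", fd, errno);
            close(fd);
            return -1;
        }
        close(fd);
    }

    return 0;
```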
@@ -276,33 +348,28 @@ int SandboxUtils::DoAllMntPointsMount(const ClientSocket::AppProperty *appProper
 for (unsigned int i = 0; i < mountPointSize; i++) {
 nlohmann::json mntPoint = mountPoints[i];
- // Check the validity of the mount configuration
- if (mntPoint.find(SRC_PATH) == mntPoint.end() || mntPoint.find(SANDBOX_PATH) == mntPoint.end()
- || mntPoint.find(SANDBOX_FLAGS) == mntPoint.end()) {
- HiLog::Error(LABEL, "read mount config failed, app name is %{public}s", appProperty->bundleName);
+ if (CheckMountConfig(mntPoint, appProperty) == false) {
 continue;
 }
- if (mntPoint[APP_APL_NAME] != nullptr) {
- std::string app_apl_name = mntPoint[APP_APL_NAME];
- const char *p_app_apl = nullptr;
- p_app_apl = app_apl_name.c_str();
- if (!strcmp(p_app_apl, appProperty->apl)) {
- continue;
- }
- }
-
 std::string srcPath = ConvertToRealPath(appProperty, mntPoint[SRC_PATH].get());
 std::string sandboxPath = sandboxRoot + ConvertToRealPath(appProperty, mntPoint[SANDBOX_PATH].get());
 unsigned long mountFlags = GetMountFlagsFromConfig(mntPoint[SANDBOX_FLAGS].get>());
+ std::string fsType = "";
+ if (mntPoint.find(FS_TYPE) != mntPoint.end()) {
+ fsType = mntPoint[FS_TYPE].get();
+ }
 int ret = 0;
- if (mntPoint.find(FS_TYPE) == mntPoint.end()) {
- ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), "", mountFlags, nullptr);
- } else {
- std::string fsType = mntPoint[FS_TYPE].get();
- ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), fsType.c_str(), mountFlags, nullptr);
+ /* if app mount failed for special strategy, we need deal with common mount config */
+ ret = HandleSpecialAppMount(srcPath, sandboxPath, fsType, mountFlags, appProperty->bundleName);
+ if (ret) {
+ if (fsType.empty()) {
+ ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), nullptr, mountFlags, nullptr);
+ } else {
+ ret = DoAppSandboxMountOnce(srcPath.c_str(), sandboxPath.c_str(), fsType.c_str(), mountFlags, nullptr);
+ }
 }
 if (ret) {
 HiLog::Error(LABEL, 
"DoAppSandboxMountOnce failed, %{public}s", sandboxPath.c_str());
@@ -645,4 +712,4 @@ int32_t SandboxUtils::SetAppSandboxProperty(const ClientSocket::AppProperty *app
 return 0;
 }
 } // namespace AppSpawn
-} // namespace OHOS
\ No newline at end of file
+} // namespace OHOS
-- Gitee