Lines Matching defs:sandbox
121 static int BuildRootPath(char *buffer, uint32_t bufferLen, const AppSpawnSandboxCfg *sandbox, uid_t uid)
127 uint32_t rootLen = strlen(sandbox->rootPath);
128 char *rootPath = strstr(sandbox->rootPath, PARAMETER_USER_ID);
130 len = sprintf_s(buffer, bufferLen, "%s/%d", sandbox->rootPath, uid);
132 ret = memcpy_s(buffer, bufferLen, sandbox->rootPath, rootPath - sandbox->rootPath);
133 APPSPAWN_CHECK(ret == 0, return ret, "Failed to copy root path %{public}s", sandbox->rootPath);
134 currLen = rootPath - sandbox->rootPath;
138 uid, sandbox->rootPath + currLen + userIdLen);
143 "Failed to format root path %{public}s", sandbox->rootPath);
190 const AppSpawnSandboxCfg *sandbox, const AppSpawningCtx *property, int nwebspawn)
199 context->appFullMountEnable = sandbox->appFullMountEnable;
204 &sandbox->packageNameQueue, context->bundleName);
213 context->sandboxNsFlags |= sandbox->sandboxNsFlags & CLONE_NEWNET ? CLONE_NEWNET : 0;
216 ListNode *node = sandbox->permissionQueue.front.next;
217 while (node != &sandbox->permissionQueue.front) {
227 const char *rootPath = GetSandboxRealVar(context, BUFFER_FOR_SOURCE, sandbox->rootPath, NULL, NULL);
301 // umount fuse path, make sure that sandbox path is not a mount point
306 "open /dev/fuse failed, errno: %{public}d sandbox path %{public}s", errno, args->destinationPath);
581 return, "Failed to get sandbox path");
612 static void MountDirToShared(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
614 const char rootPath[] = "/mnt/sandbox/";
634 int index = GetPermissionIndexInQueue(&sandbox->permissionQueue, MOUNT_SHARED_MAP[i].permission);
651 APPSPAWN_LOGE("snprintf_s lock sandbox path stamp failed");
710 const AppSpawnSandboxCfg *sandbox, const SandboxSection *section, uint32_t op)
714 // if sandbox switch is off, don't do symlink work again
715 if (context->sandboxSwitch && sandbox->topSandboxSwitch) {
721 "Mount sandbox config fail result: %{public}d, app: %{public}s", ret, context->bundleName);
743 static int SetExpandSandboxConfig(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox)
745 int ret = ProcessExpandAppSandboxConfig(context, sandbox, "HspList");
748 ret = ProcessExpandAppSandboxConfig(context, sandbox, "DataGroup");
770 static int SetSandboxPackageNameConfig(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox)
773 (SandboxPackageNameNode *)GetSandboxSection(&sandbox->packageNameQueue, context->bundleName);
775 int ret = MountSandboxConfig(context, sandbox, &sandboxNode->section, MOUNT_PATH_OP_NONE);
781 static int SetSandboxSpawnFlagsConfig(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox)
783 ListNode *node = sandbox->spawnFlagsQueue.front.next;
784 while (node != &sandbox->spawnFlagsQueue.front) {
792 int ret = MountSandboxConfig(context, sandbox, &sandboxNode->section, MOUNT_PATH_OP_NONE);
799 static int SetSandboxPermissionConfig(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox)
802 ListNode *node = sandbox->permissionQueue.front.next;
803 while (node != &sandbox->permissionQueue.front) {
812 int ret = MountSandboxConfig(context, sandbox, &permissionNode->section, MOUNT_PATH_OP_NONE);
819 static int SetOverlayAppSandboxConfig(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox)
824 int ret = ProcessExpandAppSandboxConfig(context, sandbox, "Overlay");
829 static int SetBundleResourceSandboxConfig(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox)
869 const SandboxContext *context, const AppSpawnSandboxCfg *sandbox, bool remountProc)
883 static int SandboxRootFolderCreate(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox)
886 sandbox->topSandboxSwitch, context->sandboxSwitch, context->sandboxShared);
889 if (sandbox->topSandboxSwitch == 0 || context->sandboxSwitch == 0) {
893 // bind mount "/" to /mnt/sandbox/<packageName> path
899 bool remountProc = !context->nwebspawn && ((sandbox->sandboxNsFlags & CLONE_NEWPID) == CLONE_NEWPID);
900 ret = SandboxRootFolderCreateNoShare(context, sandbox, remountProc);
905 static bool IsSandboxMounted(const AppSpawnSandboxCfg *sandbox, const char *name, const char *rootPath)
921 static int SetSandboxMounted(const AppSpawnSandboxCfg *sandbox, const char *name, char *rootPath)
941 APPSPAWN_LOGV("Unmount sandbox config sandbox path %{public}s ", rootPath);
947 int UnmountDepPaths(const AppSpawnSandboxCfg *sandbox, uid_t uid)
949 APPSPAWN_CHECK(sandbox != NULL, return -1, "Invalid sandbox or context");
950 APPSPAWN_LOGI("Unmount sandbox mount-paths-deps %{public}u ", sandbox->depNodeCount);
952 int ret = BuildRootPath(path, sizeof(path), sandbox, uid / UID_BASE);
955 for (uint32_t i = 0; i < sandbox->depNodeCount; i++) {
956 SandboxNameGroupNode *groupNode = sandbox->depGroupNodes[i];
967 int UnmountSandboxConfigs(const AppSpawnSandboxCfg *sandbox, uid_t uid, const char *name)
969 APPSPAWN_CHECK(sandbox != NULL, return -1, "Invalid sandbox or context");
972 int ret = BuildRootPath(path, sizeof(path), sandbox, uid / UID_BASE);
975 APPSPAWN_LOGI("Unmount sandbox %{public}s root: %{public}s", name, path);
977 if (!IsSandboxMounted(sandbox, name, path)) {
981 SandboxSection *section = GetSandboxSection(&sandbox->requiredQueue, name);
997 APPSPAWN_LOGI("Unmount sandbox %{public}s ", path);
1003 static bool IsADFPermission(AppSpawnSandboxCfg *sandbox, const AppSpawningCtx *property)
1005 int index = GetPermissionIndexInQueue(&sandbox->permissionQueue, ACCESS_DLP_FILE_MODE);
1016 int StagedMountSystemConst(AppSpawnSandboxCfg *sandbox, const AppSpawningCtx *property, int nwebspawn)
1018 APPSPAWN_CHECK(sandbox != NULL, return -1, "Failed to get sandbox for %{public}s", GetProcessName(property));
1021 * root-dir "/mnt/sandbox/app-root/<currentUserId>"
1024 * dst = root-dir + mount-path.sandbox-path
1030 * dst = mount-path.sandbox-path --> when dependencies exist, configure <deps-path>, <deps-sandbox-path>, <deps-src-path>
1033 * dst = root-dir + mount-path.sandbox-path
1037 int ret = InitSandboxContext(context, sandbox, property, nwebspawn);
1040 if (IsSandboxMounted(sandbox, "system-const", context->rootPath) && IsADFPermission(sandbox, property) != true) {
1046 APPSPAWN_LOGV("Set sandbox system-const %{public}s", context->rootPath);
1048 SetMountPathOperation(&operation, MOUNT_PATH_OP_REPLACE_BY_SANDBOX); // 首次挂载,使用sandbox替换
1049 SandboxSection *section = GetSandboxSection(&sandbox->requiredQueue, "system-const");
1051 ret = MountSandboxConfig(context, sandbox, section, operation);
1053 SetSandboxMounted(sandbox, "system-const", context->rootPath);
1093 static int SetSystemConstDepGroups(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
1095 SandboxSection *section = GetSandboxSection(&sandbox->requiredQueue, "system-const");
1112 static int SetAppVariableDepGroups(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
1114 SandboxSection *section = GetSandboxSection(&sandbox->requiredQueue, "app-variable");
1131 static int SetSpawnFlagsDepGroups(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
1133 ListNode *node = sandbox->spawnFlagsQueue.front.next;
1135 while (node != &sandbox->spawnFlagsQueue.front) {
1161 static int SetPackageNameDepGroups(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
1164 (SandboxPackageNameNode *)GetSandboxSection(&sandbox->packageNameQueue, context->bundleName);
1181 static int SetPermissionDepGroups(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
1183 ListNode *node = sandbox->permissionQueue.front.next;
1185 while (node != &sandbox->permissionQueue.front) {
1212 static int StagedDepGroupMounts(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
1214 int ret = SetSystemConstDepGroups(context, sandbox);
1217 ret = SetAppVariableDepGroups(context, sandbox);
1220 ret = SetSpawnFlagsDepGroups(context, sandbox);
1223 ret = SetPackageNameDepGroups(context, sandbox);
1226 ret = SetPermissionDepGroups(context, sandbox);
1232 int StagedMountPreUnShare(const SandboxContext *context, AppSpawnSandboxCfg *sandbox)
1234 APPSPAWN_CHECK(sandbox != NULL && context != NULL, return -1, "Invalid sandbox or context");
1235 APPSPAWN_LOGV("Set sandbox config before unshare group count %{public}d", sandbox->depNodeCount);
1237 MountDirToShared(context, sandbox);
1238 int ret = StagedDepGroupMounts(context, sandbox);
1243 static int SetAppVariableConfig(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox)
1247 * root-dir global.sandbox-root
1253 * dst = mount-path.sandbox-path --> when dependencies exist, configure <deps-path>, <deps-sandbox-path>, <deps-src-path>
1256 * dst = root-dir + mount-path.sandbox-path
1259 // first mount: replace by sandbox
1262 SandboxSection *section = GetSandboxSection(&sandbox->requiredQueue, "app-variable");
1266 ret = MountSandboxConfig(context, sandbox, section, operation);
1272 int StagedMountPostUnshare(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox)
1274 APPSPAWN_CHECK(sandbox != NULL && context != NULL, return -1, "Invalid sandbox or context");
1275 APPSPAWN_LOGV("Set sandbox config after unshare ");
1277 int ret = SetAppVariableConfig(context, sandbox);
1280 ret = SetExpandSandboxConfig(context, sandbox);
1284 ret = SetSandboxSpawnFlagsConfig(context, sandbox);
1287 ret = SetSandboxPackageNameConfig(context, sandbox);
1290 ret = SetSandboxPermissionConfig(context, sandbox);
1310 int MountSandboxConfigs(AppSpawnSandboxCfg *sandbox, const AppSpawningCtx *property, int nwebspawn)
1313 APPSPAWN_CHECK(sandbox != NULL, return -1, "Failed to get sandbox for %{public}s", GetProcessName(property));
1317 int ret = InitSandboxContext(context, sandbox, property, nwebspawn);
1320 APPSPAWN_LOGV("Set sandbox config %{public}s sandboxNsFlags 0x%{public}x",
1323 ret = StagedMountPreUnShare(context, sandbox);
1336 ret = SandboxRootFolderCreate(context, sandbox);
1339 ret = StagedMountPostUnshare(context, sandbox);
1342 ret = SetOverlayAppSandboxConfig(context, sandbox);
1344 ret = SetBundleResourceSandboxConfig(context, sandbox);