# Sandbox Management

## Overview
### Function
OpenHarmony supports two types of sandbox, namely, system sandbox and chipset sandbox.

The system sandbox and chipset sandbox are created in the init module. Native services choose to enter the system sandbox or chipset sandbox based on their functions.

Sandbox components can be isolated through the **mount** attribute if **mount-bind-paths** or **mount-bind-files** is set for them in configuration files such as **system-sandbox.json** and **chipset-sandbox.json**. In addition, a sandbox debugging tool is provided to facilitate sandbox debugging, verification, and optimization. For details about commands, see [Description of begetctl Commands](subsys-boot-init-plugin.md#parameters).

### Constraints

The sandbox management module is available only for the standard system.

## How to Develop
### Parameters
**Table 1** Parameters in the sandbox configuration file

| JSON Prefix| Description|
| ---------- | ---------- |
| sandbox-root | Root directory of the sandbox.|
| mount-bind-paths | Directory to mount.|
| mount-bind-files | File to mount.|
| src-path | Source path of the directory or file to mount.|
| sandbox-path | Target path in the sandbox.|
| sandbox-flags | Mount flag. The default value is **bind rec**.|
| ignore | Whether to ignore a mounting failure. If the value is set to 1, the system ignores the mounting failure and proceeds with the subsequent step.|
| target-name | Directory to link.|
| link-name | Target link in the sandbox.|

**Table 2** Description of sandbox configuration files

| Sandbox Configuration File| Description|
| -------- | -------- |
| chipset-sandbox64.json | Chipset sandbox configuration file for the 64-bit system|
| chipset-sandbox.json | Chipset sandbox configuration file for the 32-bit system|
| system-sandbox64.json | System sandbox configuration file for the 64-bit system|
| system-sandbox.json | System sandbox configuration file for the 32-bit system|

### Available APIs
Logical storage structure of the sandbox:

```c++
// Main functions
// name is "system" or "chipset"
bool InitSandboxWithName(const char *name); // Parsing to the JSON structure

typedef struct {
    ListNode pathMountsHead;    // sandbox mount_path list head
    ListNode fileMountsHead;    // sandbox mount_file list head
    ListNode linksHead;         // sandbox symbolic link list head
    char *rootPath;             // /mnt/sandbox/system|vendor|xxx
    char name[MAX_BUFFER_LEN];  // name of sandbox, e.g. system or chipset
    bool isCreated;             // sandbox already created or not
    int ns;                     // namespace
} sandbox_t;
```

### How to Develop
1. Create a sandbox.
    - Create a system or chipset sandbox and configure the corresponding **system-sandbox.json** or **chipset-sandbox.json** file. For details about how to configure the JSON file, see [Sandbox JSON File Configuration](#sandbox).
    - By default, the sandbox function of a service is enabled. If you do not want to move the service to the sandbox, set **sandbox** to **0** in the **.cfg** file. Otherwise, set **sandbox** to **1**.
      ```
      "sandbox" : 1
      ```

2. Modify the JSON file configuration of the sandbox.
    - Go to the **/system/etc/sandbox/** directory, and run **cat system-sandbox.json** and **cat chipset-sandbox.json**. If you are using a 64-bit system, run **cat system-sandbox64.json** and **cat chipset-sandbox64.json** instead.
    - Modify the sandbox configuration files in the **base/startup/init/interfaces/innerkits/sandbox** directory. After that, restart the system.

### Development Example
Sandbox JSON File Configuration

```json
{
    "sandbox-root" : "/mnt/sandbox/system",
    "mount-bind-paths" : [{
        "src-path" : "/system/lib/ndk",
        "sandbox-path" : "/system/lib/ndk",
        "sandbox-flags" : [ "bind", "rec", "private" ]
    }],
    "mount-bind-files" : [{
        "src-path" : "/system/lib/ld-musl-aarch64.so.1",
        "sandbox-path" : "/system/lib/ld-musl-aarch64.so.1",
        "sandbox-flags" : [ "bind", "rec", "private" ]
    }],
    "symbol-links" : [{
        "target-name" : "/vendor/lib",
        "link-name" : "/lib"
    }]
}
```

## FAQs
### Failed to Create a Sandbox

**Symptom**

**Sandbox %s has not been created.** is printed in the dmesg or hilog.

**Cause Analysis**

Creating a sandbox failed because of a mounting and linking error.

**Solution**

1. Check whether the JSON file is correctly configured.
2. Check whether the created sandbox is supported.
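
One way to carry out the first check in the Solution above before restarting the system, as an added example that is not part of the OpenHarmony documentation or code. The key names come from Table 1 and the Development Example; `audit_sandbox_config`, `PAIRS`, `SAMPLE` and the rules enforced (absolute paths without `..`, unique **sandbox-path** targets, reporting **ignore** set to 1) are assumptions chosen for review, not the validation that init itself performs.

```python
import json
from pathlib import PurePosixPath

PAIRS = {  # array name -> its two path fields (Table 1, Development Example)
    "mount-bind-paths": ("src-path", "sandbox-path"),
    "mount-bind-files": ("src-path", "sandbox-path"),
    "symbol-links": ("target-name", "link-name")}
# Constructed sample: relative src-path, ignored failure, reused sandbox-path.
SAMPLE = """{"sandbox-root": "/mnt/sandbox/system", "mount-bind-paths": [
  {"src-path": "system/lib", "sandbox-path": "/system/lib", "ignore": 1},
  {"src-path": "/system/lib/ndk", "sandbox-path": "/system/lib"}]}"""

def _bad_path(v):
    """True unless v is an absolute POSIX path with no '..' component."""
    return not isinstance(v, str) or not v.startswith("/") or ".." in PurePosixPath(v).parts

def _entries(cfg, key, findings):
    """Yield (label, object) for each element of the array cfg[key]."""
    items = cfg.get(key, [])
    if not isinstance(items, list):
        findings.append(f"{key}: must be an array")
        return
    for i, item in enumerate(items):
        if isinstance(item, dict):
            yield f"{key}[{i}]", item
        else:
            findings.append(f"{key}[{i}]: must be an object")

def audit_sandbox_config(text):
    """Return review findings for one sandbox configuration file ([] means clean)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["top level must be an object"]
    findings, seen = [], {}
    if _bad_path(cfg.get("sandbox-root")):
        findings.append("sandbox-root: not a clean absolute path")
    for key, fields in PAIRS.items():
        for where, entry in _entries(cfg, key, findings):
            for field in fields:
                if _bad_path(entry.get(field)):
                    findings.append(f"{where}: {field} not a clean absolute path")
            if entry.get("ignore") == 1:  # Table 1: a failed mount is skipped
                findings.append(f"{where}: ignore=1, path may be absent in the sandbox")
            target = entry.get("sandbox-path")
            if isinstance(target, str) and seen.setdefault(target, where) != where:
                findings.append(f"{where}: sandbox-path already used by {seen[target]}")
    return findings
```

Pass it the text of a file such as **system-sandbox.json**; the configuration in the Development Example yields an empty list, while `SAMPLE` yields three findings.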