1 /*
2  * Copyright (C) 2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #ifndef APPSPAWN_SANDBOX_H
17 #define APPSPAWN_SANDBOX_H
18 
19 #include "appspawn.h"
20 #include "appspawn_hook.h"
21 #include "appspawn_manager.h"
22 #include "appspawn_utils.h"
23 #include "list.h"
24 
25 #ifdef __cplusplus
26 extern "C" {
27 #endif
28 
#define SANDBOX_STAMP_FILE_SUFFIX ".stamp"
#define JSON_FLAGS_INTERNAL "__internal__"
#define SANDBOX_NWEBSPAWN_ROOT_PATH APPSPAWN_BASE_DIR "/mnt/sandbox/com.ohos.render/"
#define OHOS_RENDER "__internal__.com.ohos.render"

#define PHYSICAL_APP_INSTALL_PATH "/data/app/el1/bundle/public/"
#define APL_SYSTEM_CORE "system_core"
#define APL_SYSTEM_BASIC "system_basic"
#define DEFAULT_NWEB_SANDBOX_SEC_PATH "/data/app/el1/bundle/public/com.ohos.nweb"  // persist.nweb.sandbox.src_path

// Angle-bracket tokens that appear in configured paths; presumably substituted
// by the variable machinery (GetSandboxRealVar) — confirm against the implementation.
#define PARAMETER_PACKAGE_NAME "<PackageName>"
#define PARAMETER_USER_ID "<currentUserId>"
#define PARAMETER_PACKAGE_INDEX "<PackageName_index>"
#define ARK_WEB_PERSIST_PACKAGE_NAME "persist.arkwebcore.package_name"
#define PARAMETER_ARK_WEB_PACKAGE_INDEX "<arkWebPackageName>"
#define SHAREFS_OPTION_USER ",user_id="

#define FILE_MODE 0711  // octal: rwx--x--x
#define MAX_SANDBOX_BUFFER 256
#define OPTIONS_MAX_LEN 256
#define APP_FLAGS_SECTION 0x80000000  // top bit of a 32-bit flags word
#define BASIC_MOUNT_FLAGS (MS_REC | MS_BIND)  // MS_* are not defined by this header's own includes; relies on an earlier <sys/mount.h>
#define INVALID_UID ((uint32_t)-1)  // UINT32_MAX
#define PARAM_BUFFER_SIZE 128

#ifdef APPSPAWN_64
#define APPSPAWN_LIB_NAME "lib64"
#else
#define APPSPAWN_LIB_NAME "lib"
#endif

#define MOUNT_MODE_NONE 0       // "none"
#define MOUNT_MODE_ALWAYS 1     // "always"
#define MOUNT_MODE_NOT_EXIST 2  // "not-exists"

// Mount-path operations share the SandboxTag value space: they start at
// SANDBOX_TAG_INVALID so they can never collide with a real SandboxTag value.
// MOUNT_PATH_OP_NONE is the all-ones sentinel, distinct from all of them.
#define MOUNT_PATH_OP_NONE    ((uint32_t)-1)
#define MOUNT_PATH_OP_SYMLINK SANDBOX_TAG_INVALID
#define MOUNT_PATH_OP_UNMOUNT    (SANDBOX_TAG_INVALID + 1)
#define MOUNT_PATH_OP_ONLY_SANDBOX    (SANDBOX_TAG_INVALID + 2)
#define MOUNT_PATH_OP_REPLACE_BY_SANDBOX    (SANDBOX_TAG_INVALID + 3)
#define MOUNT_PATH_OP_REPLACE_BY_SRC    (SANDBOX_TAG_INVALID + 4)
// Permission names that select a mount mode; presumably matched against the
// permissions granted to the spawning app — confirm in the mount code.
#define FILE_CROSS_APP_MODE "ohos.permission.FILE_CROSS_APP"
#define FILE_ACCESS_COMMON_DIR_MODE "ohos.permission.FILE_ACCESS_COMMON_DIR"
#define ACCESS_DLP_FILE_MODE "ohos.permission.ACCESS_DLP_FILE"
#define FILE_ACCESS_MANAGER_MODE "ohos.permission.FILE_ACCESS_MANAGER"
#define READ_WRITE_USER_FILE_MODE "ohos.permission.READ_WRITE_USER_FILE"
#define GET_ALL_PROCESSES_MODE "ohos.permission.GET_ALL_PROCESSES"
76 
/*
 * Tag stored in SandboxMountNode.type to identify what kind of node a list
 * entry is. SANDBOX_TAG_INVALID doubles as the "no section" result of
 * GetSectionType() and as the base value of the MOUNT_PATH_OP_* macros.
 * Note the typedef name (SandboxNodeType) differs from the enum tag (SandboxTag).
 */
typedef enum SandboxTag {
    SANDBOX_TAG_MOUNT_PATH = 0,
    SANDBOX_TAG_MOUNT_FILE,
    SANDBOX_TAG_SYMLINK,
    SANDBOX_TAG_PERMISSION,
    SANDBOX_TAG_PACKAGE_NAME,
    SANDBOX_TAG_SPAWN_FLAGS,
    SANDBOX_TAG_NAME_GROUP,
    SANDBOX_TAG_SYSTEM_CONST,
    SANDBOX_TAG_APP_VARIABLE,
    SANDBOX_TAG_APP_CONST,
    SANDBOX_TAG_REQUIRED,
    SANDBOX_TAG_INVALID
} SandboxNodeType;
91 
/*
 * How the package-name variable is expanded; presumably selects the form of
 * <PackageName> substitution (plain, clone index, extension, atomic service) —
 * confirm against the variable handlers.
 */
typedef enum {
    SANDBOX_PACKAGENAME_DEFAULT = 0,
    SANDBOX_PACKAGENAME_CLONE,
    SANDBOX_PACKAGENAME_EXTENSION,
    SANDBOX_PACKAGENAME_CLONE_AND_EXTENSION,
    SANDBOX_PACKAGENAME_ATOMIC_SERVICE,
} SandboxVarPackageNameType;
99 
/*
 * Common header of every list entry in a sandbox section. `type` carries a
 * SandboxTag value (GetSectionType() returns it as such). Larger node structs
 * below embed this as their first member so they can be linked and tagged.
 */
typedef struct {
    struct ListNode node;
    uint32_t type;
} SandboxMountNode;
104 
/* A typed list head; `front` anchors SandboxMountNode entries, `type` tags the queue. */
typedef struct TagSandboxQueue {
    struct ListNode front;
    uint32_t type;
} SandboxQueue;
109 
/*
 * Ownership/mode applied when a mount target is created on demand:
"create-on-demand": {
    "uid": "userId", // by default the uid and gid of the message are used
    "gid":  "groupId",
    "ugo": 750
    }
*/
typedef struct {
    uid_t uid;
    gid_t gid;
    uint32_t mode;  // "ugo" permission bits
} PathDemandInfo;
122 
/*
 * One mount entry of a section: `source` (a directory of the global fs) is
 * made visible at `target` inside the sandbox. Tagged SANDBOX_TAG_MOUNT_PATH or
 * SANDBOX_TAG_MOUNT_FILE via the embedded sandboxNode (presumably; confirm in the loader).
 */
typedef struct TagPathMountNode {
    SandboxMountNode sandboxNode;
    char *source;                  // source directory, usually a directory in the global fs
    char *target;                  // the directory as seen after sandboxing
    mode_t destMode;               // "dest-mode": "S_IRUSR | S_IWOTH | S_IRWXU "  default: 0
    uint32_t mountSharedFlag : 1;  // "mount-shared-flag" : "true", default: false
    uint32_t createDemand : 1;     // target is created on demand; demandInfo[] then holds the ownership/mode
    uint32_t checkErrorFlag : 1;
    uint32_t category;             // index into the MountArgTemplate set (see GetMountArgTemplate)
    char *appAplName;
    // GNU zero-length trailing array; the C99 spelling is `demandInfo[]`.
    // Storage must be allocated past sizeof(PathMountNode) when createDemand is set.
    PathDemandInfo demandInfo[0];
} PathMountNode;
135 
/* A symlink entry: create `linkName` pointing at `target` (SANDBOX_TAG_SYMLINK node). */
typedef struct TagSymbolLinkNode {
    SandboxMountNode sandboxNode;
    char *target;
    char *linkName;
    mode_t destMode;  // "dest-mode": "S_IRUSR | S_IWOTH | S_IRWXU "
    uint32_t checkErrorFlag : 1;
} SymbolLinkNode;
143 
/*
 * A named group of mount/symlink nodes. Sections are themselves list entries
 * (sandboxNode) kept in a SandboxQueue, and own the nodes linked from `front`.
 */
typedef struct TagSandboxSection {
    SandboxMountNode sandboxNode;
    struct ListNode front;  // mount-path
    char *name;
    uint32_t number : 16;   // 16-bit field: at most 65535
    uint32_t gidCount : 16; // number of entries in gidTable
    gid_t *gidTable;             // "gids": [1006, 1008],
    uint32_t sandboxSwitch : 1;  // "sandbox-switch": "ON",
    uint32_t sandboxShared : 1;  // presumably "sandbox-shared": "ON" — this comment duplicated "sandbox-switch"; verify against the parser
    SandboxMountNode **nameGroups;
} SandboxSection;
155 
/* A section keyed by package name; no extra data beyond the section itself. */
typedef struct {
    SandboxSection section;
} SandboxPackageNameNode;
159 
/* A section selected by a spawn flag; flagIndex identifies which flag. */
typedef struct {
    SandboxSection section;
    uint32_t flagIndex;
} SandboxFlagsNode;
164 
/*
 * A "name-group" section: a reusable group of nodes that may depend on one
 * extra mount (`depNode`), tracked so it is mounted at most once per use.
 */
typedef struct TagSandboxGroupNode {
    SandboxSection section;
    uint32_t destType;
    PathMountNode *depNode;
    uint32_t depMode;        // one of MOUNT_MODE_* (presumably; confirm in the loader)
    uint32_t depMounted : 1; // whether the dependent mount has been performed
} SandboxNameGroupNode;
172 
/* A section applied when the app holds a permission; permissionIndex is signed, so -1 can mark "unknown". */
typedef struct TagPermissionNode {
    SandboxSection section;
    int32_t permissionIndex;
} SandboxPermissionNode;
177 
/*
 * The whole parsed sandbox configuration, attached to the spawner as ext data.
 * Each queue holds SandboxSection-derived nodes of one kind; the queues are
 * consulted in the order required / permission / package-name / spawn-flags / name-groups
 * (presumably — confirm in MountSandboxConfigs).
 */
typedef struct TagAppSpawnSandboxCfg {
    AppSpawnExtData extData;
    SandboxQueue requiredQueue;
    SandboxQueue permissionQueue;
    SandboxQueue packageNameQueue;  // SandboxSection
    SandboxQueue spawnFlagsQueue;
    SandboxQueue nameGroupsQueue;
    uint32_t depNodeCount;                 // entries in depGroupNodes
    SandboxNameGroupNode **depGroupNodes;  // name groups that carry a depNode
    int32_t maxPermissionIndex;
    uint32_t sandboxNsFlags;  // "sandbox-ns-flags": [ "pid", "net" ], // for appspawn and nwebspawn
    // for comm section
    uint32_t topSandboxSwitch : 1;  // "top-sandbox-switch": "ON",
    uint32_t appFullMountEnable : 1;
    uint32_t pidNamespaceSupport : 1;
    uint32_t mounted : 1;
    char *rootPath;
} AppSpawnSandboxCfg;
196 
/* Indices into SandboxContext.buffer[]; MAX_BUFFER is the array size. */
enum {
    BUFFER_FOR_SOURCE,
    BUFFER_FOR_TARGET,
    BUFFER_FOR_TMP,
    MAX_BUFFER
};
203 
/* A growable-by-owner scratch buffer: `current` is the write position, `bufferLen` the capacity of `buffer`. */
typedef struct TagSandboxBuffer {
    uint32_t bufferLen;
    uint32_t current;
    char *buffer;
} SandboxBuffer;
209 
/*
 * Per-spawn working state used while mounting one app's sandbox. Obtained from
 * GetSandboxContext() and released with DeleteSandboxContext().
 */
typedef struct TagSandboxContext {
    SandboxBuffer buffer[MAX_BUFFER];  // indexed by BUFFER_FOR_*
    const char *bundleName;
    const AppSpawnMsgNode *message;  // reworked to operate on the spawn message directly
    uint32_t sandboxSwitch : 1;
    uint32_t sandboxShared : 1;
    uint32_t bundleHasWps : 1;
    uint32_t dlpBundle : 1;
    uint32_t appFullMountEnable : 1;
    uint32_t nwebspawn : 1;  // set when spawning for nwebspawn rather than appspawn
    uint32_t sandboxNsFlags;
    char *rootPath;
} SandboxContext;
223 
/* Pairs a sandbox path with the permission that allows it to be shared-mounted. */
typedef struct {
    const char *sandboxPath;
    const char *permission;
} MountSharedTemplate;
228 
/**
 * @brief AppSpawnSandboxCfg op
 *
 * CreateAppSpawnSandbox allocates a new configuration; DeleteAppSpawnSandbox
 * releases one. GetAppSpawnSandbox looks up the configuration registered on
 * `content` for `type`. LoadAppSandboxConfig parses the configuration files
 * into `sandbox` for the given run mode.
 *
 * @return AppSpawnSandboxCfg* (NULL on failure is presumed — confirm in the implementation);
 *         LoadAppSandboxConfig returns an int status code.
 */
AppSpawnSandboxCfg *CreateAppSpawnSandbox(ExtDataType type);
AppSpawnSandboxCfg *GetAppSpawnSandbox(const AppSpawnMgr *content, ExtDataType type);
void DeleteAppSpawnSandbox(AppSpawnSandboxCfg *sandbox);
int LoadAppSandboxConfig(AppSpawnSandboxCfg *sandbox, RunMode mode);
void DumpAppSpawnSandboxCfg(AppSpawnSandboxCfg *sandbox);
239 
/**
 * @brief SandboxSection op
 *
 * CreateSandboxSection allocates a section of `dataLen` bytes tagged `type`
 * and named `name`; AddSandboxSection links it into `queue`;
 * GetSandboxSection finds a section in `queue` by name; DeleteSandboxSection
 * frees one (ownership of the linked nodes is presumed to go with it — confirm).
 */
SandboxSection *CreateSandboxSection(const char *name, uint32_t dataLen, uint32_t type);
SandboxSection *GetSandboxSection(const SandboxQueue *queue, const char *name);
void AddSandboxSection(SandboxSection *node, SandboxQueue *queue);
void DeleteSandboxSection(SandboxSection *node);
/**
 * @brief Read the tag of a section, tolerating a missing section.
 *
 * Declared `inline` without `static`; the always_inline attribute is what
 * guarantees no out-of-line definition is ever needed at link time.
 *
 * @param section section to inspect; may be NULL
 * @return section->sandboxNode.type, or SANDBOX_TAG_INVALID when section is NULL
 */
__attribute__((always_inline)) inline uint32_t GetSectionType(const SandboxSection *section)
{
    if (section == NULL) {
        return SANDBOX_TAG_INVALID;
    }
    return section->sandboxNode.type;
}
252 
/**
 * @brief SandboxMountNode op
 *
 * CreateSandboxMountNode allocates a node of `dataLen` bytes tagged `type`;
 * AddSandboxMountNode links it into a section and DeleteSandboxMountNode frees it.
 * GetPathMountNode / GetSymbolLinkNode search a section for an existing entry
 * with matching paths (returning NULL when none is found is presumed — confirm).
 */
SandboxMountNode *CreateSandboxMountNode(uint32_t dataLen, uint32_t type);
SandboxMountNode *GetFirstSandboxMountNode(const SandboxSection *section);
void DeleteSandboxMountNode(SandboxMountNode *mountNode);
void AddSandboxMountNode(SandboxMountNode *node, SandboxSection *section);
PathMountNode *GetPathMountNode(const SandboxSection *section, int type, const char *source, const char *target);
SymbolLinkNode *GetSymbolLinkNode(const SandboxSection *section, const char *target, const char *linkName);
263 
/**
 * @brief sandbox mount interface
 *
 * MountSandboxConfigs applies the whole configuration for one spawning app;
 * the Staged* entry points split that into the system-const stage, the stage
 * before unshare() and the stage after it. `nwebspawn` is non-zero when the
 * caller is the nwebspawn service. All return an int status code.
 */
int MountSandboxConfigs(AppSpawnSandboxCfg *sandbox, const AppSpawningCtx *property, int nwebspawn);
int StagedMountSystemConst(AppSpawnSandboxCfg *sandbox, const AppSpawningCtx *property, int nwebspawn);
int StagedMountPreUnShare(const SandboxContext *context, AppSpawnSandboxCfg *sandbox);
int StagedMountPostUnshare(const SandboxContext *context, const AppSpawnSandboxCfg *sandbox);
// When the child process exits, the parent process initiates the unmount.
int UnmountDepPaths(const AppSpawnSandboxCfg *sandbox, uid_t uid);
int UnmountSandboxConfigs(const AppSpawnSandboxCfg *sandbox, uid_t uid, const char *name);
275 
/**
 * @brief Variable op
 *
 * A registered variable: `replaceVar` expands it, `name` is stored inline
 * after the struct (GNU zero-length array; C99 spelling is `name[]`).
 */
typedef struct {
    struct ListNode node;
    ReplaceVarHandler replaceVar;
    char name[0];
} AppSandboxVarNode;
285 
/*
 * Context handed to variable expansion: which tag/operation is being processed,
 * the package-name variant in effect, and (for name groups) the dependent mount.
 */
typedef struct TagVarExtraData {
    uint32_t sandboxTag;   // SandboxTag of the node being expanded
    uint32_t operation;    // presumably a MOUNT_PATH_OP_* value — confirm in the variable handlers
    char *variablePackageName;
    union {
        PathMountNode *depNode;
    } data;
} VarExtraData;
294 
// ClearVariable drops all registered variables; AddDefaultVariable registers the built-in set.
void ClearVariable(void);
void AddDefaultVariable(void);
// Expands the variables in `source` (optionally prefixed by `prefix`) into the
// context buffer selected by `bufferType` (a BUFFER_FOR_* index) and returns a
// pointer into that buffer; the result is owned by the context, not the caller.
const char *GetSandboxRealVar(const SandboxContext *context, uint32_t bufferType, const char *source,
                              const char *prefix, const VarExtraData *extraData);
299 
/**
 * @brief expand config
 *
 * A registered expand-config handler, ordered by `prio`; `name` is stored
 * inline after the struct (GNU zero-length array; C99 spelling is `name[]`).
 */
typedef struct {
    struct ListNode node;
    ProcessExpandSandboxCfg cfgHandle;
    int prio;
    char name[0];
} AppSandboxExpandAppCfgNode;
// Runs the expand-config handler registered under `name` for this context/config; returns an int status code.
int ProcessExpandAppSandboxConfig(const SandboxContext *context,
    const AppSpawnSandboxCfg *appSandBox, const char *name);
// Register the built-in handlers / drop all registered handlers.
void AddDefaultExpandAppSandboxConfigHandle(void);
void ClearExpandAppSandboxConfigHandle(void);
314 
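/**
 * @brief Fetch a typed info block from the message attached to a sandbox context.
 *
 * @param context sandbox context carrying the spawn message; may be NULL
 * @param type    message info type, passed through to GetAppSpawnMsgInfo
 * @return the pointer returned by GetAppSpawnMsgInfo, or NULL when `context`
 *         or `context->message` is missing (rejected through APPSPAWN_CHECK,
 *         which executes the `return NULL` given as its second argument)
 */
__attribute__((always_inline)) inline void *GetSpawningMsgInfo(const SandboxContext *context, uint32_t type)
{
    // Test `context` before `context->message` so a NULL context yields NULL
    // instead of a NULL dereference.
    APPSPAWN_CHECK(context != NULL && context->message != NULL,
        return NULL, "Invalid property for type %{public}u", type);
    return GetAppSpawnMsgInfo(context->message, type);
}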
321 
/**
 * @brief Sandbox Context op
 *
 * GetSandboxContext hands out the working context for the current spawn;
 * DeleteSandboxContext releases it (and, presumably, the buffers it owns — confirm).
 *
 * @return SandboxContext*
 */
SandboxContext *GetSandboxContext(void);
void DeleteSandboxContext(SandboxContext *context);
329 
/**
 * @brief defineMount Arg Template and operation
 *
 * Mount categories; each selects a MountArgTemplate (see GetMountArgTemplate).
 * MOUNT_TMP_MAX is the count, not a valid category.
 */
enum {
    MOUNT_TMP_DEFAULT,
    MOUNT_TMP_RDONLY,
    MOUNT_TMP_EPFS,
    MOUNT_TMP_DAC_OVERRIDE_DELETE,
    MOUNT_TMP_DAC_OVERRIDE,
    MOUNT_TMP_FUSE,
    MOUNT_TMP_DLP_FUSE,
    MOUNT_TMP_SHRED,  // spelling as in source; possibly intended "SHARED" — verify before renaming
    MOUNT_TMP_MAX
};
345 
/*
 * Static description of one mount category: the fs type, mount(2) flags and
 * option string used for every mount of that category.
 */
typedef struct {
    char *name;               // non-const unlike the other strings here; presumably still points at a literal — confirm
    uint32_t category;        // MOUNT_TMP_* value
    const char *fsType;
    unsigned long mountFlags; // MS_* flags for mount(2)
    const char *options;
    mode_t mountSharedFlag;   // typed mode_t here while PathMountNode uses a 1-bit field; treat as a boolean — confirm
} MountArgTemplate;
354 
/* Maps a configuration keyword to a flag value (used by GetSandboxFlagInfo). */
typedef struct {
    const char *name;
    unsigned long flags;
} SandboxFlagInfo;
359 
// Maps a category keyword to its MOUNT_TMP_* value, and a category to its template.
uint32_t GetMountCategory(const char *name);
const MountArgTemplate *GetMountArgTemplate(uint32_t category);
// Linear lookup of `key` in a table of `count` SandboxFlagInfo entries; NULL when absent is presumed — confirm.
const SandboxFlagInfo *GetSandboxFlagInfo(const char *key, const SandboxFlagInfo *flagsInfos, uint32_t count);
// Maps a "dest-mode"-style keyword to its mode bits.
int GetPathMode(const char *name);

void DumpMountPathMountNode(const PathMountNode *pathNode);
366 
/*
 * Fully resolved arguments for a single mount: the fs-side path, the target
 * inside the sandbox, and the template-derived type/flags/options.
 */
typedef struct TagMountArg {
    const char *originPath;
    const char *destinationPath;
    const char *fsType;
    unsigned long mountFlags;
    const char *options;
    mode_t mountSharedFlag;  // same typing caveat as MountArgTemplate.mountSharedFlag
} MountArg;
375 
// Performs one mount described by `arg`; returns an int status code.
int SandboxMountPath(const MountArg *arg);
377 
/**
 * @brief Test whether a path string is absent or empty.
 *
 * @param path C string to test; may be NULL
 * @return 1 when path is NULL or "", 0 otherwise
 */
__attribute__((always_inline)) inline int IsPathEmpty(const char *path)
{
    const int missing = (path == NULL) || (*path == '\0');
    return missing ? 1 : 0;
}
385 
386 #ifdef __cplusplus
387 }
388 #endif
389 #endif  // APPSPAWN_SANDBOX_H