diff --git a/bundle.json b/bundle.json index e813a843bfcc0d69f50353482ec1e7db0e07a09f..88e6f9189919282d524dbf531a26713b6744c474 100644 --- a/bundle.json +++ b/bundle.json @@ -48,7 +48,8 @@ "//base/startup/init_lite/interfaces/innerkits/socket:libsocket", "//base/startup/init_lite/services/loopevent:loopevent", "//base/startup/init_lite/interfaces/innerkits/plugin:libplugin", - "//base/startup/init_lite/device_info:device_info_group" + "//base/startup/init_lite/device_info:device_info_group", + "//base/startup/init_lite/interfaces/innerkits/sandbox:libsandbox" ], "inner_kits": [ { diff --git a/interfaces/innerkits/sandbox/BUILD.gn b/interfaces/innerkits/sandbox/BUILD.gn new file mode 100755 index 0000000000000000000000000000000000000000..cf8c2fc9e10e1b52717ac4fe8d25fae520c85c40 --- /dev/null +++ b/interfaces/innerkits/sandbox/BUILD.gn @@ -0,0 +1,67 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//base/startup/init_lite/begetd.gni") +import("//build/ohos.gni") + +config("exported_header_files") { + visibility = [ ":*" ] + include_dirs = [ "include/" ] +} + +ohos_shared_library("libsandbox") { + sources = [ + "sandbox.c", + "sandbox_namespace.c", + ] + public_configs = [ ":exported_header_files" ] + include_dirs = [ + "//third_party/bounds_checking_function/include", + "//base/startup/init_lite/services/include", + "//base/startup/init_lite/interfaces/innerkits/include", + "//third_party/cJSON", + ] + defines = [ "INIT_AGENT" ] + deps = [ + "//base/startup/init_lite/services/utils:libinit_utils", + "//third_party/bounds_checking_function:libsec_shared", + "//third_party/cJSON:cjson_static", + ] + + deps += [ "//base/startup/init_lite/services/log:init_log" ] + + part_name = "init" + install_images = [ "system" ] +} + +# For init only +ohos_static_library("libsandbox_static") { + sources = [ + "sandbox.c", + "sandbox_namespace.c", + ] + public_configs = [ ":exported_header_files" ] + include_dirs = [ + "//third_party/bounds_checking_function/include", + "//base/startup/init_lite/interfaces/innerkits/include", + "//base/startup/init_lite/services/include", + "//third_party/cJSON", + ] + deps = [ + "//base/startup/init_lite/services/utils:libinit_utils", + "//third_party/bounds_checking_function:libsec_static", + "//third_party/cJSON:cjson_static", + ] + deps += [ "//base/startup/init_lite/services/log:init_log" ] + part_name = "init" +} diff --git a/interfaces/innerkits/sandbox/app-sandbox.json b/interfaces/innerkits/sandbox/app-sandbox.json new file mode 100644 index 0000000000000000000000000000000000000000..4f8162178f682d575f1d5ec1008370d561dee799 --- /dev/null +++ b/interfaces/innerkits/sandbox/app-sandbox.json @@ -0,0 +1,54 @@ +{ + "sandbox-root" : "/mnt/sandbox/app", + "mount-bind-paths" : [{ + "src-path" : "/mnt", + "sandbox-path" : "/mnt", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/bin", + "sandbox-path" : "/system/bin", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib", + "sandbox-path" : "/system/lib", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib/module", + "sandbox-path" : "/system/lib/module", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/etc", + "sandbox-path" : "/system/etc", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/sys", + "sandbox-path" : "/sys", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/proc", + "sandbox-path" : "/proc", + "sandbox-flags" : [ "bind", "rec" ] + }, { + "src-path" : "/dev", + "sandbox-path" : "/dev", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/data", + "sandbox-path" : "/data", + "sandbox-flags" : [ "bind", "rec", "private" ] + } + ], + "mount-bind-files" : [{ + }], + "symbol-links" : [{ + "target-name" : "/system/bin", + "link-name" : "/bin" + }, { + "target-name" : "/system/lib", + "link-name" : "/lib" + }, { + "target-name" : "/system/etc", + "link-name" : "/etc" + } + ] +} \ No newline at end of file diff --git a/interfaces/innerkits/sandbox/chipset-sandbox.json b/interfaces/innerkits/sandbox/chipset-sandbox.json new file mode 100644 index 0000000000000000000000000000000000000000..3b97c39561588546a9ae8e1b730924ca36ca2d50 --- /dev/null +++ b/interfaces/innerkits/sandbox/chipset-sandbox.json @@ -0,0 +1,58 @@ +{ + "sandbox-root" : "/mnt/sandbox/chipset", + "mount-bind-paths" : [{ + "src-path" : "/system/lib/vndk", + "sandbox-path" : "/system/lib/vndk", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib/platform-vndk", + "sandbox-path" : "/system/lib/platform-vndk", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib/ndk", + "sandbox-path" : "/system/lib/ndk", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/vendor/lib", + "sandbox-path" : "/vendor/lib", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/vendor/bin", + "sandbox-path" : "/vendor/bin", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/vendor/etc", + "sandbox-path" : "/vendor/etc", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/dev", + "sandbox-path" : "/dev", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/proc", + "sandbox-path" : "/proc", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/data", + "sandbox-path" : "/data", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/sys", + "sandbox-path" : "/sys", + "sandbox-flags" : [ "bind", "rec", "private" ] + } + ], + "mount-bind-files" : [{ + }], + "symbol-links" : [{ + "target-name" : "/vendor/lib", + "link-name" : "/lib" + }, { + "target-name" : "/vendor/bin", + "link-name" : "/bin" + }, { + "target-name" : "/vendor/etc", + "link-name" : "/etc" + } + ] +} \ No newline at end of file diff --git a/interfaces/innerkits/sandbox/include/sandbox.h b/interfaces/innerkits/sandbox/include/sandbox.h new file mode 100644 index 0000000000000000000000000000000000000000..4fa96f2b9afe143fed4f358f527a465f15cd159e --- /dev/null +++ b/interfaces/innerkits/sandbox/include/sandbox.h @@ -0,0 +1,64 @@ +/* +* Copyright (c) 2022 Huawei Device Co., Ltd. +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +#ifndef BASE_STARTUP_INITLITE_SANDBOX_H +#define BASE_STARTUP_INITLITE_SANDBOX_H + +#ifdef __cplusplus +extern "C" { +#endif +#include +#include "init_utils.h" + +typedef struct { + char *source; // source 目录,一般是全局的fs 目录 + char *target; // 沙盒化后的目录 + unsigned long flags; +} mount_t; + +typedef struct MountList { + mount_t *info; + struct MountList *next; +} mountlist_t; + +typedef struct { + char *target; + char *linkName; +} linker_t; + +typedef struct LinkList { + linker_t *info; + struct LinkList *next; +} linklist_t; + +typedef struct { + mountlist_t *mounts; + linklist_t *links; + char *rootPath; // /mnt/sandbox/system|vendor|xxx + char name[MAX_BUFFER_LEN]; // name of sandbox. i.e system, chipset etc. + bool isCreated; // sandbox already created or not + int ns; // namespace +} sandbox_t; + +bool InitSandboxWithName(const char *name); +int PrepareSandbox(const char *name); +int EnterSandbox(const char *name); +void DestroySandbox(const char *name); +int CheckSupportSandbox(void); +void DumpSandboxByName(const char *name); +#ifdef __cplusplus +} +#endif +#endif diff --git a/interfaces/innerkits/sandbox/include/sandbox_namespace.h b/interfaces/innerkits/sandbox/include/sandbox_namespace.h new file mode 100644 index 0000000000000000000000000000000000000000..4e398a5979fd81a9de447dddc57d5746634fe44c --- /dev/null +++ b/interfaces/innerkits/sandbox/include/sandbox_namespace.h @@ -0,0 +1,36 @@ +/* +* Copyright (c) 2022 Huawei Device Co., Ltd. +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ +#ifndef SANDBOX_NAMESPACE_H +#define SANDBOX_NAMESPACE_H + +#ifdef __cplusplus +#if __cplusplus +extern "C" { +#endif +#endif + +int GetNamespaceFd(const char *nsPath); +int UnshareNamespace(int nsType); +int SetNamespce(int nsFd, int nsType); +void InitDefaultNamespace(void); +int EnterDefaultNamespace(void); +void CloseDefaultNamespace(void); + +#ifdef __cplusplus +#if __cplusplus +} +#endif +#endif +#endif \ No newline at end of file diff --git a/interfaces/innerkits/sandbox/privapp-sandbox.json b/interfaces/innerkits/sandbox/privapp-sandbox.json new file mode 100644 index 0000000000000000000000000000000000000000..6b340ddac9241021c33a33bc51dd5637b95d9262 --- /dev/null +++ b/interfaces/innerkits/sandbox/privapp-sandbox.json @@ -0,0 +1,58 @@ +{ + "sandbox-root" : "/mnt/sandbox/priv-app", + "mount-bind-paths" : [{ + "src-path" : "/mnt", + "sandbox-path" : "/mnt", + "sandbox-flags" : [ "bind", "rec" ] + }, { + "src-path" : "/system/bin", + "sandbox-path" : "/system/bin", + "sandbox-flags" : [ "bind", "rec" ] + }, { + "src-path" : "/system/bin", + "sandbox-path" : "/system/common/bin", + "sandbox-flags" : [ "bind", "rec" ] + }, { + "src-path" : "/system/lib", + "sandbox-path" : "/system/lib", + "sandbox-flags" : [ "bind", "rec" ] + }, { + "src-path" : "/system/lib/module", + "sandbox-path" : "/system/lib/module", + "sandbox-flags" : [ "bind", "rec" ] + }, { + "src-path" : "/system/etc", + "sandbox-path" : "/system/etc", + "sandbox-flags" : [ "bind", "rec" ] + }, { + "src-path" : "/sys", + "sandbox-path" : "/sys", + "sandbox-flags" : [ "bind", "rec" ] + }, { + "src-path" : "/proc", + "sandbox-path" : "/proc", + "sandbox-flags" : [ "bind", "rec" ] + }, { + "src-path" : "/dev", + "sandbox-path" : "/dev", + "sandbox-flags" : [ "bind", "rec" ] + }, { + "src-path" : "/data", + "sandbox-path" : "/data", + "sandbox-flags" : [ "bind", "rec" ] + } + ], + "mount-bind-files": [{ + }], + "symbol-links": [{ + "target-name" : "/system/bin", + "link-name" : "/bin" + }, { + "target-name" : "/system/lib", + "link-name" : "/lib" + }, { + "target-name" : "/system/etc", + "link-name" : "/etc" + } + ] +} \ No newline at end of file diff --git a/interfaces/innerkits/sandbox/sandbox.c b/interfaces/innerkits/sandbox/sandbox.c new file mode 100644 index 0000000000000000000000000000000000000000..15aaf9c3b664eb1e0811bd64b84be40f3ab31ba9 --- /dev/null +++ b/interfaces/innerkits/sandbox/sandbox.c @@ -0,0 +1,657 @@ +/* +* Copyright (c) 2022 Huawei Device Co., Ltd. +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +#include "sandbox.h" + +#include +#include +#include +#include +#include +#include +#include +#include "beget_ext.h" +#include "init_utils.h" +#include "cJSON.h" +#include "sandbox_namespace.h" +#include "securec.h" + +#define SANDBOX_ROOT_TAG "sandbox-root" +#define SANDBOX_MOUNT_PATH_TAG "mount-bind-paths" +#define SANDBOX_MOUNT_FILE_TAG "mount-bind-files" +#define SANDBOX_SOURCE "src-path" +#define SANDBOX_TARGET "sandbox-path" +#define SANDBOX_FLAGS "sandbox-flags" +#define SANDBOX_SYMLINK_TAG "symbol-links" +#define SANDBOX_SYMLINK_TARGET "target-name" +#define SANDBOX_SYMLINK_NAME "link-name" + +#define SANDBOX_SYSTEM_CONFIG_FILE "/system/etc/sandbox/system-sandbox.json" +#define SANDBOX_CHIPSET_CONFIG_FILE "/system/etc/sandbox/chipset-sandbox.json" +#define SANDBOX_PRIVAPP_CONFIG_FILE "/system/etc/sandbox/privapp-sandbox.json" +#define SANDBOX_APP_CONFIG_FILE "/system/etc/sandbox/app-sandbox.json" + +#define SANDBOX_MOUNT_FLAGS_MS_BIND "bind" +#define SANDBOX_MOUNT_FLAGS_MS_PRIVATE "private" +#define SANDBOX_MOUNT_FLAGS_MS_REC "rec" +#define SANDBOX_MOUNT_FLAGS_MS_MOVE "move" + +struct SandboxMountFlags { + const char *flag; + unsigned long value; +}; + +struct SandboxMountFlags g_flags[] = { + { + .flag = "bind", + .value = MS_BIND, + }, + { + .flag = "private", + .value = MS_PRIVATE, + }, + { + .flag = "rec", + .value = MS_REC, + }, + { + .flag = "move", + .value = MS_MOVE, + } +}; + + +static sandbox_t g_systemSandbox; +static sandbox_t g_chipsetSandbox; +static sandbox_t g_privAppSandbox; +static sandbox_t g_appSandbox; + +struct SandboxMap { + const char *name; + sandbox_t *sandbox; + const char *configfile; +}; + +struct SandboxMap g_map[] = { + { + .name = "system", + .sandbox = &g_systemSandbox, + .configfile = SANDBOX_SYSTEM_CONFIG_FILE, + }, + { + .name = "chipset", + .sandbox = &g_chipsetSandbox, + .configfile = SANDBOX_CHIPSET_CONFIG_FILE, + }, + { + .name = "priv-app", + .sandbox = &g_privAppSandbox, + .configfile = SANDBOX_PRIVAPP_CONFIG_FILE, + }, + { + .name = "app", + .sandbox = &g_appSandbox, + .configfile = SANDBOX_APP_CONFIG_FILE, + } +}; + +static unsigned long GetSandboxMountFlags(cJSON *item) +{ + BEGET_ERROR_CHECK(item != NULL, return 0, "Invalid parameter."); + char *str = cJSON_GetStringValue(item); + if (str == NULL) { + return 0; + } + for (size_t i = 0; i < ARRAY_LENGTH(g_flags); i++) { + if (strcmp(str, g_flags[i].flag) == 0) { + return g_flags[i].value; + } + } + return 0; +} + +typedef int (*AddInfoToSandboxCallback)(sandbox_t *sandbox, cJSON *item); + +static int AddMountInfoToSandbox(sandbox_t *sandbox, cJSON *item) +{ + if (sandbox == NULL || item == NULL) { + return -1; + } + mountlist_t *tmpMount = (mountlist_t *)calloc(1, sizeof(mountlist_t)); + BEGET_ERROR_CHECK(tmpMount != NULL, return -1, "Failed calloc err=%d", errno); + tmpMount->info = (mount_t *)calloc(1, sizeof(mount_t)); + BEGET_ERROR_CHECK(tmpMount->info != NULL, return -1, "Failed calloc err=%d", errno); + + char *srcPath = cJSON_GetStringValue(cJSON_GetObjectItem(item, SANDBOX_SOURCE)); + if (srcPath != NULL) { + tmpMount->info->source = strdup(srcPath); + } + char *dstPath = cJSON_GetStringValue(cJSON_GetObjectItem(item, SANDBOX_TARGET)); + if (dstPath != NULL) { + tmpMount->info->target = strdup(dstPath); + } + cJSON *obj = cJSON_GetObjectItem(item, SANDBOX_FLAGS); + BEGET_ERROR_CHECK(obj != NULL, return -1, "Failed get sandbox-flags."); + int ret = cJSON_IsArray(obj); + BEGET_ERROR_CHECK(ret, return -1, "Failed get sandbox-flags array. "); + int count = cJSON_GetArraySize(obj); + BEGET_ERROR_CHECK(count > 0, return -1, "Failed get sandbox-flags array size."); + for (int i = 0; i < count; i++) { + cJSON *item = cJSON_GetArrayItem(obj, i); + tmpMount->info->flags |= GetSandboxMountFlags(item); + } + + if (sandbox->mounts == NULL) { + sandbox->mounts = tmpMount; + tmpMount->next = NULL; + } else { + tmpMount->next = sandbox->mounts->next; + sandbox->mounts->next = tmpMount; + } + return 0; +} + +static int AddSymbolLinksToSandbox(sandbox_t *sandbox, cJSON *item) +{ + if (sandbox == NULL || item == NULL) { + return -1; + } + linklist_t *tmpLink = (linklist_t *)calloc(1, sizeof(linklist_t)); + BEGET_ERROR_CHECK(tmpLink != NULL, return -1, "Failed calloc err=%d", errno); + tmpLink->info = (linker_t *)calloc(1, sizeof(linker_t)); + BEGET_ERROR_CHECK(tmpLink->info != NULL, return -1, "Failed calloc err=%d", errno); + + char *target = cJSON_GetStringValue(cJSON_GetObjectItem(item, SANDBOX_SYMLINK_TARGET)); + if (target != NULL) { + tmpLink->info->target = strdup(target); + } + char *name = cJSON_GetStringValue(cJSON_GetObjectItem(item, SANDBOX_SYMLINK_NAME)); + if (name != NULL) { + tmpLink->info->linkName = strdup(name); + } + + if (sandbox->links == NULL) { + sandbox->links = tmpLink; + tmpLink->next = NULL; + } else { + tmpLink->next = sandbox->links->next; + sandbox->links->next = tmpLink; + } + return 0; +} + +static int GetSandboxInfo(sandbox_t *sandbox, cJSON *root, const char *itemName) +{ + if (sandbox == NULL || root == NULL || itemName == NULL) { + BEGET_LOGE("Get sandbox mount info with invalid argument"); + return -1; + } + + cJSON *obj = cJSON_GetObjectItem(root, itemName); + if (obj == NULL) { + BEGET_LOGE("Cannot find item \' %s \' in sandbox config", itemName); + return -1; + } + if (!cJSON_IsArray(obj)) { + BEGET_LOGE("%s with invalid type, should be array", itemName); + return -1; + } + + int counts = cJSON_GetArraySize(obj); + if (counts <= 0) { + BEGET_LOGE("%s with invalid content", itemName); + return -1; + } + AddInfoToSandboxCallback func; + if (strcmp(itemName, SANDBOX_MOUNT_PATH_TAG) == 0) { + func = AddMountInfoToSandbox; + } else if (strcmp(itemName, SANDBOX_SYMLINK_TAG) == 0) { + func = AddSymbolLinksToSandbox; + } else { + BEGET_LOGE("Failed %s item name is not support.", itemName); + return -1; + } + for (int i = 0; i < counts; i++) { + cJSON *item = cJSON_GetArrayItem(obj, i); + BEGET_ERROR_CHECK(item != NULL, return -1, "Failed get json array item %d", i); + if (func(sandbox, item) < 0) { + BEGET_LOGE("Failed add info to sandbox."); + return -1; + } + } + return 0; +} + +static int ParseSandboxConfig(sandbox_t *sandbox, const char *sandboxConfig) +{ + if (sandbox == NULL || sandboxConfig == NULL) { + BEGET_LOGE("Parse sandbox config with invalid argument"); + return -1; + } + char *contents = ReadFileToBuf(sandboxConfig); + if (contents == NULL) { + return -1; + } + cJSON *root = cJSON_Parse(contents); + if (root == NULL) { + BEGET_LOGE("Parse sandbox config \' %s \' failed", sandboxConfig); + return -1; + } + cJSON *sandboxRoot = cJSON_GetObjectItem(root, SANDBOX_ROOT_TAG); + if (sandboxRoot == NULL) { + BEGET_LOGE("Cannot find item \' %s \' in sandbox config", SANDBOX_ROOT_TAG); + cJSON_Delete(root); + return -1; + } + char *rootdir = cJSON_GetStringValue(sandboxRoot); + if (rootdir != NULL) { + sandbox->rootPath = strdup(rootdir); + if (sandbox->rootPath == NULL) { + BEGET_LOGE("Get sandbox root path out of memory"); + cJSON_Delete(root); + return -1; + } + } + if (GetSandboxInfo(sandbox, root, SANDBOX_MOUNT_PATH_TAG) < 0) { + cJSON_Delete(root); + return -1; + } + if (GetSandboxInfo(sandbox, root, SANDBOX_SYMLINK_TAG) < 0) { + cJSON_Delete(root); + return -1; + } + cJSON_Delete(root); + return 0; +} + +static struct SandboxMap *GetSandboxMapByName(const char *name) +{ + if (name == NULL) { + BEGET_LOGE("Failed get sandbox map name is NULL."); + return NULL; + } + int len = ARRAY_LENGTH(g_map); + for (int i = 0; i < len; i++) { + if (strcmp(g_map[i].name, name) == 0) { + return &g_map[i]; + } + } + return NULL; +} + +static void InitSandbox(sandbox_t *sandbox, const char *sandboxConfig, const char *name) +{ + if (sandbox == NULL || sandboxConfig == NULL || name == NULL) { + BEGET_LOGE("Init sandbox with invalid arguments"); + return; + } + if (sandbox->isCreated) { + BEGET_LOGE("Sandbox %s has created."); + return; + } + if (UnshareNamespace(CLONE_NEWNS) < 0) { + return; + } + sandbox->ns = GetNamespaceFd("/proc/self/ns/mnt"); + if (sandbox->ns < 0) { + BEGET_LOGE("Failed get sandbox namespace fd."); + return; + } + + if (strcpy_s(sandbox->name, MAX_BUFFER_LEN - 1, name) != 0) { + BEGET_LOGE("Failed to copy sandbox name"); + return; + } + + // parse json config + if (ParseSandboxConfig(sandbox, sandboxConfig) < 0) { + return; + } +} + +static int CheckAndMakeDir(const char *dir, mode_t mode) +{ + if (access(dir, F_OK) == 0) { + BEGET_LOGW("Mount point \' %s \' already exist", dir); + return 0; + } else { + if (errno == ENOENT) { + if (MakeDirRecursive(dir, mode) != 0) { + BEGET_LOGE("Failed MakeDirRecursive %s, err=%d", dir, errno); + return -1; + } + } else { + BEGET_LOGW("Failed to access mount point \' %s \', err = %d", dir, errno); + return -1; + } + } + return 0; +} + +static int BindMount(const char *source, const char *target, unsigned long flags) +{ + if (source == NULL || target == NULL) { + BEGET_LOGE("Mount with invalid arguments"); + errno = EINVAL; + return -1; + } + mode_t mode = S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH; + if (CheckAndMakeDir(target, mode) != 0) { + BEGET_LOGE("Failed make %s dir.", target); + return -1; + } + + if ((flags & MS_BIND) == 0) { + BEGET_LOGW("Not configure bind, must configure bind flag."); + flags |= MS_BIND; + } + + if ((flags & MS_REC) == 0) { + BEGET_LOGW("Not configure rec, must configure rec flag."); + flags |= MS_REC; + } + + // do mount + if (mount(source, target, NULL, flags, NULL) != 0) { + BEGET_LOGE("Failed to bind mount \' %s \' to \' %s \', err = %d", source, target, errno); + return -1; + } + + return 0; +} + +static bool IsValidSandbox(sandbox_t *sandbox) +{ + if (sandbox == NULL) { + BEGET_LOGE("preparing sandbox with invalid argument"); + return false; + } + + if (sandbox->rootPath == NULL) { + return false; + } + + if (sandbox->mounts == NULL) { + return false; + } + return true; +} + +static int MountSandboxInfo(const mountlist_t *mounts, const char *rootPath) +{ + if (mounts == NULL) { + return -1; + } + if (mounts->info == NULL) { + return -1; + } + while (mounts != NULL) { + mount_t *mount = mounts->info; + char *source = mount->source; + char target[PATH_MAX] = {}; + if (snprintf_s(target, PATH_MAX, PATH_MAX - 1, "%s%s", rootPath, mount->target) < 0) { + BEGET_LOGE("Failed snprintf_s err=%d", errno); + return -1; + } + int rc = BindMount(source, target, mount->flags); + BEGET_ERROR_CHECK(rc == 0, return -1, "Failed bind mount %s to %s.", source, target); + mounts = mounts->next; + } + return 0; +} + +static int LinkSandboxInfo(const linklist_t *links, const char *rootPath) +{ + if (links == NULL) { + return -1; + } + if (links->info == NULL) { + return -1; + } + while (links != NULL) { + linker_t *link = links->info; + char linkName[PATH_MAX] = {0}; + if (snprintf_s(linkName, PATH_MAX, PATH_MAX - 1, "%s%s", rootPath, link->linkName) < 0) { + BEGET_LOGE("Failed snprintf_s err=%d", errno); + return -1; + } + int rc = symlink(link->target, linkName); + if (rc != 0) { + if (errno == EEXIST) { + BEGET_LOGE("symbol link name \' %s \' already exist", linkName); + } else { + BEGET_LOGE("Failed to link \' %s \' to \' %s \', err = %d", link->target, linkName, errno); + return -1; + } + } + links = links->next; + } + return 0; +} + +int PrepareSandbox(const char *name) +{ + BEGET_ERROR_CHECK(name != NULL, return -1, "Prepare sandbox name is NULL."); + BEGET_ERROR_CHECK(getuid() == 0, return -1, "Current process uid is not root, exit."); + struct SandboxMap *map = GetSandboxMapByName(name); + BEGET_ERROR_CHECK(map != NULL, return -1, "Failed get sandbox map by name %s.", name); + sandbox_t *sandbox = map->sandbox; + BEGET_CHECK(IsValidSandbox(sandbox) == true, return -1); + BEGET_INFO_CHECK(sandbox->isCreated == false, return 0, "Sandbox %s already created", sandbox->name); + BEGET_CHECK(sandbox->rootPath != NULL, return -1); + mode_t mode = S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH; + BEGET_ERROR_CHECK(CheckAndMakeDir(sandbox->rootPath, mode) == 0, return -1, "Failed root %s.", sandbox->rootPath); + int rc = mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL); + BEGET_ERROR_CHECK(rc == 0, return -1, "Failed set mount slave err = %d", errno); + rc = BindMount(sandbox->rootPath, sandbox->rootPath, MS_BIND | MS_REC); + BEGET_ERROR_CHECK(rc == 0, return -1, "Failed to mount rootpath bind err = %d", errno); + + // 1) walk through all mounts and do bind mount + rc = MountSandboxInfo(sandbox->mounts, sandbox->rootPath); + if (rc < 0) { + return -1; + } + + // 2) walk through all links and do symbol link + rc = LinkSandboxInfo(sandbox->links, sandbox->rootPath); + if (rc < 0) { + return -1; + } + + BEGET_ERROR_CHECK(chdir(sandbox->rootPath) == 0, return -1, "Change to %s, err = %d", sandbox->rootPath, errno); + BEGET_ERROR_CHECK(syscall(SYS_pivot_root, sandbox->rootPath, sandbox->rootPath) == 0, return -1, + "Failed system call pivot root, err=%d", errno); + BEGET_ERROR_CHECK(umount2(".", MNT_DETACH) == 0, return -1, "Failed umount2 MNT_DETACH, err=%d", errno); + sandbox->isCreated = true; + return 0; +} + +static void FreeLink(linker_t *link) +{ + if (link == NULL) { + return; + } + + if (link->linkName != NULL) { + free(link->linkName); + link->linkName = NULL; + } + + if (link->target != NULL) { + free(link->target); + link->target = NULL; + } +} + +static void FreeLinks(linklist_t *links) +{ + if (links == NULL) { + return; + } + + linklist_t *tmp = links; + while (tmp != NULL) { + linklist_t *next = tmp ->next; + FreeLink(tmp->info); + free(tmp); + tmp = next; + } +} + +static void FreeMount(mount_t *mount) +{ + if (mount == NULL) { + return; + } + + if (mount->source != NULL) { + free(mount->source); + mount->source = NULL; + } + + if (mount->target != NULL) { + free(mount->target); + mount->target = NULL; + } +} + +static void FreeMounts(mountlist_t *mounts) +{ + if (mounts == NULL) { + return; + } + + mountlist_t *tmp = mounts; + while (tmp != NULL) { + mountlist_t *next = tmp ->next; + FreeMount(tmp->info); + free(tmp); + tmp = next; + } +} + +bool InitSandboxWithName(const char *name) +{ + bool isFound = false; + if (name == NULL) { + BEGET_LOGE("Init sandbox name is NULL."); + return isFound; + } + struct SandboxMap *map = GetSandboxMapByName(name); + if (map != NULL) { + InitSandbox(map->sandbox, map->configfile, name); + isFound = true; + } + + if (!isFound) { + BEGET_LOGE("Cannot find sandbox with name %s.", name); + } + return isFound; +} + +void DestroySandbox(const char *name) +{ + if (name == NULL) { + BEGET_LOGE("Destroy sandbox name is NULL."); + return; + } + struct SandboxMap *map = GetSandboxMapByName(name); + if (map == NULL) { + BEGET_LOGE("Failed get sandbox map by name %s.", name); + return; + } + sandbox_t *sandbox = map->sandbox; + + if (sandbox == NULL) { + return; + } + + if (sandbox->rootPath != NULL) { + free(sandbox->rootPath); + sandbox->rootPath = NULL; + } + FreeLinks(sandbox->links); + FreeMounts(sandbox->mounts); + if (sandbox->ns > 0) { + (void)close(sandbox->ns); + } + sandbox->isCreated = false; + return; +} + +int EnterSandbox(const char *name) +{ + if (name == NULL) { + BEGET_LOGE("Sandbox name is NULL."); + return -1; + } + struct SandboxMap *map = GetSandboxMapByName(name); + if (map == NULL) { + BEGET_LOGE("Failed to get sandbox map by name %s.", name); + return -1; + } + sandbox_t *sandbox = map->sandbox; + + if (sandbox == NULL) { + return -1; + } + if (sandbox->isCreated == false) { + BEGET_LOGE("Sandbox %s has not been created.", name); + return -1; + } + if (sandbox->ns > 0) { + if (SetNamespce(sandbox->ns, CLONE_NEWNS) < 0) { + BEGET_LOGE("Failed to enter mount namespace for sandbox \' %s \', err=%d.", name, errno); + return -1; + } + } else { + BEGET_LOGE("Sandbox \' %s \' namespace fd is invalid.", name); + return -1; + } + return 0; +} + +void DumpSandboxByName(const char *name) +{ + if (name == NULL) { + BEGET_LOGE("Init sandbox name is NULL."); + return; + } + struct SandboxMap *map = GetSandboxMapByName(name); + if (map == NULL) { + return; + } + BEGET_LOGI("Sandbox Map name: %s.", map->name); + BEGET_LOGI("Sandbox Map config file: %s.", map->configfile); + BEGET_LOGI("Sandbox name: %s.", map->sandbox->name); + BEGET_LOGI("Sandbox rootPath: %s.", map->sandbox->rootPath); + BEGET_LOGI("Sandbox mounts info:"); + mountlist_t *mounts = map->sandbox->mounts; + while (mounts != NULL) { + mount_t *mount = mounts->info; + BEGET_LOGI("Sandbox mounts list source: %s", mount->source); + BEGET_LOGI("Sandbox mounts list target: %s", mount->target); + mounts = mounts->next; + } + BEGET_LOGI("Sandbox links info:"); + linklist_t *links = map->sandbox->links; + while (links != NULL) { + linker_t *link = links->info; + BEGET_LOGI("Sandbox links list source: %s", link->target); + BEGET_LOGI("Sandbox links list target: %s", link->linkName); + links = links->next; + } + return; +} diff --git a/interfaces/innerkits/sandbox/sandbox_namespace.c b/interfaces/innerkits/sandbox/sandbox_namespace.c new file mode 100644 index 0000000000000000000000000000000000000000..071f129811565f6be6ba54976c4473fd9e7d76b5 --- /dev/null +++ b/interfaces/innerkits/sandbox/sandbox_namespace.c @@ -0,0 +1,91 @@ +/* +* Copyright (c) 2022 Huawei Device Co., Ltd. +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +#include +#include +#include +#include +#include +#include +#include "beget_ext.h" + +static int g_defaultNs; + +int GetNamespaceFd(const char *nsPath) +{ + if (nsPath == NULL) { + return -1; + } + int ns = open(nsPath, O_RDONLY | O_CLOEXEC); + if (ns < 0) { + BEGET_LOGE("Failed unshare namespace, err=%d", errno); + return -1; + } + return ns; +} + +int UnshareNamespace(int nsType) +{ + if (nsType == CLONE_NEWNS) { + if (unshare(nsType) < 0) { + BEGET_LOGE("Failed unshare namespace, err=%d", errno); + return -1; + } else { + return 0; + } + } else { + BEGET_LOGE("Failed unshare, type is not support"); + return -1; + } +} + +int SetNamespce(int nsFd, int nsType) +{ + if (nsFd < 0) { + BEGET_LOGE("Failed get namespace fd"); + return -1; + } + if (nsType != CLONE_NEWNS) { + BEGET_LOGE("Failed get namespace type"); + return -1; + } + return setns(nsFd, nsType); +} + +void InitDefaultNamespace(void) +{ + if (g_defaultNs > 0) { + (void)close(g_defaultNs); + } + g_defaultNs = GetNamespaceFd("/proc/self/ns/mnt"); + return; +} + +int EnterDefaultNamespace(void) +{ + if (g_defaultNs < 0) { + return -1; + } + return SetNamespce(g_defaultNs, CLONE_NEWNS); +} + +void CloseDefaultNamespace(void) +{ + if (g_defaultNs > 0) { + (void)close(g_defaultNs); + g_defaultNs = -1; + } + return; +} diff --git a/interfaces/innerkits/sandbox/system-sandbox.json b/interfaces/innerkits/sandbox/system-sandbox.json new file mode 100644 index 0000000000000000000000000000000000000000..0a55be155aa924f001a22c688798015c9e5745d8 --- /dev/null +++ b/interfaces/innerkits/sandbox/system-sandbox.json @@ -0,0 +1,74 @@ +{ + "sandbox-root" : "/mnt/sandbox/system", + "mount-bind-paths" : [{ + "src-path" : "/system/bin", + "sandbox-path" : "/system/bin", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/etc", + "sandbox-path" : "/system/etc", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/lib", + "sandbox-path" : "/system/lib", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/profile", + "sandbox-path" : "/system/profile", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/app", + "sandbox-path" : "/system/app", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/system/fonts", + "sandbox-path" : "/system/fonts", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/vendor", + "sandbox-path" : "/vendor", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/dev", + "sandbox-path" : "/dev", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/proc", + "sandbox-path" : "/proc", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/data", + "sandbox-path" : "/data", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/sys", + "sandbox-path" : "/sys", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/config", + "sandbox-path" : "/config", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/mnt", + "sandbox-path" : "/mnt", + "sandbox-flags" : [ "bind", "rec", "private" ] + }, { + "src-path" : "/storage", + "sandbox-path" : "/storage", + "sandbox-flags" : [ "bind", "rec", "private" ] + } + ], + "mount-bind-files" : [{ + }], + "symbol-links" : [{ + "target-name" : "/system/lib", + "link-name" : "/lib" + }, { + "target-name" : "/system/bin", + "link-name" : "/bin" + }, { + "target-name" : "/system/etc", + "link-name" : "/etc" + } + ] +} \ No newline at end of file diff --git a/interfaces/innerkits/socket/BUILD.gn b/interfaces/innerkits/socket/BUILD.gn index f5fc3e9d766e58b502450eb0e7de050117b81a0f..619230d4918f493db9a2b95bfc5a5dbe2e152720 100644 --- a/interfaces/innerkits/socket/BUILD.gn +++ b/interfaces/innerkits/socket/BUILD.gn @@ -49,5 +49,6 @@ if (defined(ohos_lite)) { "system", "updater", ] + relative_install_dir = "platform-vndk" } } diff --git a/services/BUILD.gn b/services/BUILD.gn index 77146a06819012702c7584301bd0aedce6bf5b73..9b2c9ecb2a9c24257333783fd8a37f04c72b28e8 100755 --- a/services/BUILD.gn +++ b/services/BUILD.gn @@ -125,6 +125,7 @@ if (defined(ohos_lite)) { include_dirs = [ "//base/security/access_token/interfaces/innerkits/token_setproc/include", "//base/security/access_token/interfaces/innerkits/nativetoken/include", + "//base/startup/init_lite/interfaces/innerkits/sandbox/include", "//base/startup/init_lite/services/include/param", "//base/startup/init_lite/services/include", "//base/startup/init_lite/services/init/include", @@ -141,6 +142,7 @@ if (defined(ohos_lite)) { "//base/security/access_token/interfaces/innerkits/nativetoken:libnativetoken", "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc", "//base/startup/init_lite/interfaces/innerkits:libfsmanager_static", + "//base/startup/init_lite/interfaces/innerkits/sandbox:libsandbox_static", "//base/startup/init_lite/services/log:init_log", "//base/startup/init_lite/services/loopevent:loopevent", "//base/startup/init_lite/services/param:param_service", @@ -301,6 +303,31 @@ if (defined(ohos_lite)) { part_name = "init" } + ohos_prebuilt_etc("system-sandbox.json") { + source = "//base/startup/init_lite/interfaces/innerkits/sandbox/system-sandbox.json" + part_name = "init" + module_install_dir = "etc/sandbox" + } + + ohos_prebuilt_etc("chipset-sandbox.json") { + source = "//base/startup/init_lite/interfaces/innerkits/sandbox/chipset-sandbox.json" + part_name = "init" + module_install_dir = "etc/sandbox" + } + + ohos_prebuilt_etc("privapp-sandbox.json") { + source = "//base/startup/init_lite/interfaces/innerkits/sandbox/privapp-sandbox.json" + part_name = "init" + module_install_dir = "etc/sandbox" + } + + ohos_prebuilt_etc("app-sandbox.json") { + source = + "//base/startup/init_lite/interfaces/innerkits/sandbox/app-sandbox.json" + part_name = "init" + module_install_dir = "etc/sandbox" + } + ohos_prebuilt_etc("init.reboot") { source = "//base/startup/init_lite/services/etc/init.reboot.cfg" part_name = "init" @@ -309,8 +336,10 @@ if (defined(ohos_lite)) { group("init_etc") { deps = [ + ":app-sandbox.json", ":boot.group", ":charing.group", + ":chipset-sandbox.json", ":group", ":init.cfg", ":init.reboot", @@ -320,8 +349,10 @@ if (defined(ohos_lite)) { ":ohos.para.dac", ":passwd", ":plugin_modules", + ":privapp-sandbox.json", ":syscap.json", ":syscap.para", + ":system-sandbox.json", ":systemcapability.json", ] } diff --git a/services/begetctl/BUILD.gn b/services/begetctl/BUILD.gn index 61daf86dd774619ce1af3630bb3e3e22cc56d2c1..24f2cc11a0dc79a474eaed92072cf6ebcc0cddaa 100755 --- a/services/begetctl/BUILD.gn +++ b/services/begetctl/BUILD.gn @@ -20,6 +20,7 @@ ohos_executable("begetctl") { "main.c", "misc_daemon.cpp", "param_cmd.c", + "sandbox.cpp", "service_control.c", "shell/shell_bas.c", ] @@ -41,12 +42,16 @@ ohos_executable("begetctl") { "//base/startup/init_lite/services/param/include", "//base/startup/init_lite/services/loopevent/include", "//third_party/bounds_checking_function/include", + "//base/startup/init_lite/interfaces/innerkits/sandbox/include", + "//utils/native/base/include", ] deps = [ "//base/startup/init_lite/interfaces/innerkits:libbegetutil", + "//base/startup/init_lite/interfaces/innerkits/sandbox:libsandbox_static", "//base/startup/init_lite/services/log:agent_log", "//base/startup/init_lite/services/param:param_client", "//third_party/bounds_checking_function:libsec_static", + "//utils/native/base:utils", ] if (param_test) { @@ -82,6 +87,7 @@ ohos_executable("begetctl") { "stop_service", "service", "param", + "sandbox", ] install_images = [ "system" ] diff --git a/services/begetctl/sandbox.cpp b/services/begetctl/sandbox.cpp new file mode 100755 index 0000000000000000000000000000000000000000..74d4c2bd6ccdc0d53cb0dfaa215c64b21b3b9272 --- /dev/null +++ b/services/begetctl/sandbox.cpp @@ -0,0 +1,218 @@ +/* + * Copyright (c) 2022 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "begetctl.h" +#include "init_utils.h" +#include "sandbox.h" +#include "sandbox_namespace.h" +#include "string_ex.h" + +using namespace OHOS; +struct option g_options[] = { + { "config_file", required_argument, nullptr, 'c' }, + { "sandbox_name", required_argument, nullptr, 's' }, + { "process_name", required_argument, nullptr, 'p' }, + { "help", no_argument, nullptr, 'h' }, + { nullptr, 0, nullptr, 0 }, +}; + +static void Usage() +{ + std::cout << "sandbox -c, --config_file=sandbox config file \"config file with json format\"" << std::endl; + std::cout << "sandbox -s, --sandbox_name=sandbox name \"Sandbox name, system, chipset etc.\"" << std::endl; + std::cout << "sandbox -p, --process=process name \"sh, hdcd, hdf_devhost, etc.\"" << std::endl; + std::cout << "sandbox -h, --help \"Show help\"" << std::endl; + exit(0); +} + +static std::string SearchConfigBySandboxName(const std::string &sandboxName) +{ + std::map sandboxConfigMap = { + {"system", "/system/etc/system-sandbox.json"}, + {"chipset", "/system/etc/chipset-sandbox.json"}, + {"priv-app", "/system/etc/priv-app-sandbox.json"}, + {"app", "/system/etc/app-sandbox.json"}, + }; + auto it = sandboxConfigMap.find(sandboxName); + if (it == sandboxConfigMap.end()) { + return ""; + } else { + return it->second; + } +} + +static void RunSandbox(const std::string &configFile, const std::string &name) +{ + std::string config {}; + std::string sandboxName {}; + if (!name.empty()) { + config = SearchConfigBySandboxName(name); + sandboxName = name; + } else { + // Without sandbox name, give one. + sandboxName = "sandbox_test"; + } + + if (config.empty()) { + std::cout << "No sandbox name " << sandboxName << "or config file specified!" << std::endl; + return; + } + InitDefaultNamespace(); + if (!InitSandboxWithName(sandboxName.c_str())) { + std::cout << "Init sandbox failed." << std::endl; + return; + } + + DumpSandboxByName(sandboxName.c_str()); + if (PrepareSandbox(sandboxName.c_str()) != 0) { + std::cout << "Prepare sandbox failed." << std::endl; + return; + } + EnterDefaultNamespace(); + CloseDefaultNamespace(); + EnterSandbox(sandboxName.c_str()); + return; +} + +static void EnterShell() +{ + char *argv[] = { (char *)"sh", NULL }; + char *envp[] = { nullptr }; + if (execve("/system/bin/sh", argv, envp) != 0) { + std::cout << "execve sh failed! err = "<< errno << std::endl; + } + return; +} + +static const int MAX_PROCESS_ARGC = 8; +static void EnterExec(const std::string &processName) +{ + if (processName.empty()) { + std::cout << "process name is nullptr." << std::endl; + return; + } + std::string tmpName = processName; + std::vector vtr; + const std::string sep = " "; + OHOS::SplitStr(tmpName, sep, vtr, true, false); + + if ((vtr.size() > MAX_PROCESS_ARGC) || (vtr.size() <= 0)) { + std::cout << "Service parameters is error." << std::endl; + return; + } + char *argv[MAX_PROCESS_ARGC] = {}; + std::vector::iterator it; + int i = 0; + for (it = vtr.begin(); it != vtr.end(); it++) { + argv[i] = (char *)(*it).c_str(); + std::cout << std::string(argv[i]) << std::endl; + i++; + } + argv[i] = NULL; + char *envp[] = { NULL }; + if (execve(argv[0], argv, envp) != 0) { + std::cout << "execve:" << argv[0] << "failed! err = "<< errno << std::endl; + } + return; +} + +static void RunCmd(const std::string &configFile, const std::string &sandboxName, const std::string &processName) +{ + if (!sandboxName.empty() && processName.empty()) { + RunSandbox(configFile, sandboxName); + EnterShell(); + } else if (!sandboxName.empty() && !processName.empty()) { + RunSandbox(configFile, sandboxName); + EnterExec(processName); + } else if (sandboxName.empty() && !processName.empty()) { + std::cout << "process name:" << processName << std::endl; + RunSandbox(configFile, std::string("system")); + EnterExec(processName); + } else { + Usage(); + } +} + +static int main_cmd(BShellHandle shell, int argc, char **argv) +{ + int rc = -1; + int optIndex = -1; + std::string configFile {}; + std::string sandboxName {}; + std::string processName {}; + while ((rc = getopt_long(argc, argv, "c:s:p:h", g_options, &optIndex)) != -1) { + switch (rc) { + case 0: { + std::string optionName = g_options[optIndex].name; + if (optionName == "config_file") { + configFile = optarg; + } else if (optionName == "help") { + Usage(); + } else if (optionName == "sandbox_name") { + sandboxName = optarg; + } else if (optionName == "process_name") { + processName = optarg; + } + break; + } + case 'c': + configFile = optarg; + break; + case 'h': + Usage(); + break; + case 's': + sandboxName = optarg; + break; + case 'p': + std::cout << "1111 process name:" << optarg << std::endl; + processName = optarg; + break; + case '?': + std::cout << "Invalid arugment\n"; + break; + default: + std::cout << "Invalid arugment\n"; + break; + } + } + RunCmd(configFile, sandboxName, processName); + return 0; +} + +MODULE_CONSTRUCTOR(void) +{ + CmdInfo infos[] = { + { + (char *)"sandbox", main_cmd, (char *)"sandbox debug tool", + (char *)"sandbox -s, --sandbox=system, chipset, priv-app, or app", + NULL + } + }; + for (size_t i = 0; i < ARRAY_LENGTH(infos); i++) { + BShellEnvRegitsterCmd(GetShellHandle(), &infos[i]); + } +} diff --git a/services/etc/init.cfg b/services/etc/init.cfg index f0cb2059df865de057a5ebb9cd3b981db74ac100..1e38e0e1c2569d5c7becfcca8c2ca2cf6d4092fd 100755 --- a/services/etc/init.cfg +++ b/services/etc/init.cfg @@ -21,6 +21,8 @@ "chmod 0771 /data", "mkdir /data/service 0711 root root", "mkdir /data/service/el0 0711 root root", + "mksandbox system", + "mksandbox chipset", "load_persist_params ", "chown access_token access_token /dev/access_token_id", "chmod 0666 /dev/access_token_id" @@ -64,11 +66,9 @@ "write /dev/blkio/background/blkio.weight 500", "write /dev/blkio/blkio.group_idle 0", "write /dev/blkio/background/blkio.group_idle 0", - "mount configfs none /config nodev noexec nosuid", "chmod 0770 /config/sdcardfs", "chown system package_info /config/sdcardfs", "symlink /storage/self/primary /sdcard", - "mkdir /mnt/sandbox 0711 root root", "write /proc/sys/kernel/panic_on_oops 1", "write /proc/sys/kernel/hung_task_timeout_secs 0", "write /proc/cpu/alignment 4", @@ -221,7 +221,6 @@ "mkdir /data/service/el2/0/hmdfs 0711 system system", "mkdir /data/chipset/el1/0 0711 root root", "mkdir /data/chipset/el2/0 0711 root root", - "mount tmpfs tmpfs /storage nodev noexec nosuid mode=0755,uid=0,gid=0", "mkdir /storage/media 0711 root root", "mkdir /data/bootchart 0755 shell shell", "mkdir /data/app-staging 0750 system system", @@ -450,6 +449,7 @@ }], "critical" : [ 0, 15, 5], "ondemand" : true, + "sandbox" : 0, "start-mode" : "condition" }, { "name" : "console", @@ -457,6 +457,7 @@ "start-mode" : "condition", "disabled" : 1, "console" : 1, + "sandbox" : 0, "uid" : "root", "gid" : ["shell", "log", "readproc"], "jobs" : { @@ -467,6 +468,7 @@ "start-mode" : "condition", "path" : ["/system/bin/watchdog_service", "10", "2"], "disabled" : 1, + "sandbox" : 0, "uid" : "root", "gid" : ["shell", "log", "readproc"] }, { diff --git a/services/etc/init.usb.cfg b/services/etc/init.usb.cfg index 8b5711a0aeb8452b2ba0936e3cfb6888539b98ff..885635b7c3f4160b5ea296d03eeb25ff816e5203 100755 --- a/services/etc/init.usb.cfg +++ b/services/etc/init.usb.cfg @@ -28,6 +28,7 @@ "uid" : "system", "gid" : "system" }], + "sandbox" : 0, "start-mode" : "condition", "disabled" : 1 } diff --git a/services/etc/init.without_two_stages.cfg b/services/etc/init.without_two_stages.cfg index 7b2f272b5df55f24dc676edc4373f70fd6a2da4b..4a0e1bebe05e1fc8901637f7b1737300d1bbcec4 100755 --- a/services/etc/init.without_two_stages.cfg +++ b/services/etc/init.without_two_stages.cfg @@ -16,9 +16,6 @@ "mkdir /dev/memcg/system 0550 system system", "start ueventd", "start watchdog_service", - "mkdir /data", - "mount ext4 /dev/block/platform/soc/10100000.himci.eMMC/by-name/vendor /vendor wait rdonly barrier=1", - "mount ext4 /dev/block/platform/soc/10100000.himci.eMMC/by-name/userdata /data wait nosuid nodev noatime barrier=1,data=ordered,noauto_da_alloc", "chown system system /data", "chmod 0771 /data", "mkdir /data/service 0711 root root", @@ -64,11 +61,9 @@ "write /dev/blkio/background/blkio.weight 500", "write /dev/blkio/blkio.group_idle 0", "write /dev/blkio/background/blkio.group_idle 0", - "mount configfs none /config nodev noexec nosuid", "chmod 0770 /config/sdcardfs", "chown system package_info /config/sdcardfs", "symlink /storage/self/primary /sdcard", - "mkdir /mnt/sandbox 0711 root root", "write /proc/sys/kernel/panic_on_oops 1", "write /proc/sys/kernel/hung_task_timeout_secs 0", "write /proc/cpu/alignment 4", diff --git a/services/etc/param/ohos.para b/services/etc/param/ohos.para index dcd03421d027b265855dbf5074c327db11a1caae..07707b11effeb80e1120fc32a52d0dec596b4d18 100755 --- a/services/etc/param/ohos.para +++ b/services/etc/param/ohos.para @@ -37,6 +37,7 @@ const.build.characteristics=default const.product.model=ohos const.product.name="OpenHarmony 2.0 Canary" persist.sys.usb.config=hdc +const.sandbox=enable # const.build.characteristics=default const.product.devicetype=default # OHOS_SOFTWARE_MODEL[] = {"default"} @@ -80,4 +81,4 @@ const.ohos.buildroothash=default # OHOS_SDK_API_LEVEL = 8 const.ohos.sdkapilevel=8 # OHOS_OS_NAME[] = { "OpenHarmony" } -const.ohos.name=OpenHarmony \ No newline at end of file +const.ohos.name=OpenHarmony diff --git a/services/init/include/init.h b/services/init/include/init.h index b7f5e913ed3dc78f912a1c0a3667dcb59c09b820..f3dcc22cec5eff97c12c1199bc353a0e89161533 100755 --- a/services/init/include/init.h +++ b/services/init/include/init.h @@ -43,6 +43,7 @@ void SystemExecuteRcs(void); void ReadConfig(void); void SignalInit(void); +void SetServiceEnterSandbox(const char *path, unsigned int attribute); #ifdef __cplusplus #if __cplusplus diff --git a/services/init/include/init_service.h b/services/init/include/init_service.h index dde5469001e7fbc0df61537fca60307ec215ce4e..6472c0e3dd890ee4343b33217fc515274ed4a75c 100755 --- a/services/init/include/init_service.h +++ b/services/init/include/init_service.h @@ -51,7 +51,8 @@ extern "C" { #define SERVICE_ATTR_DYNAMIC 0x100 // dynamic service #define SERVICE_ATTR_ONDEMAND 0x200 // ondemand, manage socket by init #define SERVICE_ATTR_TIMERSTART 0x400 // Mark a service will be started by timer -#define SERVICE_ATTR_NEEDWAIT 0x800 // Mark a service will be started by timer +#define SERVICE_ATTR_NEEDWAIT 0x800 // Mark a service will be started by timer +#define SERVICE_ATTR_SANDBOX 0x1000 // make service will enter sandbox #define MAX_SERVICE_NAME 32 #define MAX_APL_NAME 32 @@ -79,6 +80,12 @@ extern "C" { #define EnableServiceTimer(service) \ ((service)->attribute |= SERVICE_ATTR_TIMERSTART) +#define MarkServiceWithSandbox(service) \ + ((service)->attribute |= SERVICE_ATTR_SANDBOX) + +#define UnMarkServiceWithSandbox(service) \ + ((service)->attribute &= ~SERVICE_ATTR_SANDBOX) + typedef enum { START_MODE_CONDITION, START_MODE_BOOT, diff --git a/services/init/include/init_service_manager.h b/services/init/include/init_service_manager.h index 36a726dcce95b4ea142cfd93b4897b9de53d340d..19e868aeaa128e28162d2e72796b0f8500c16bb2 100755 --- a/services/init/include/init_service_manager.h +++ b/services/init/include/init_service_manager.h @@ -33,6 +33,7 @@ extern "C" { #define CRITICAL_STR_IN_CFG "critical" #define DISABLED_STR_IN_CFG "disabled" #define CONSOLE_STR_IN_CFG "console" +#define SANDBOX_STR_IN_CFG "sandbox" #define D_CAPS_STR_IN_CFG "d-caps" #define APL_STR_IN_CFG "apl" #define CPU_CORE_STR_IN_CFG "cpucore" diff --git a/services/init/init_common_service.c b/services/init/init_common_service.c index 61fc595eb5b8ff1eb79fd10770d1633e66a2b7b0..79018cca7a6833aef24e971f383123c1fe2d8050 100755 --- a/services/init/init_common_service.c +++ b/services/init/init_common_service.c @@ -280,8 +280,9 @@ int ServiceStart(Service *service) } int pid = fork(); if (pid == 0) { - INIT_CHECK_ONLY_ELOG(SetAccessToken(service) == SERVICE_SUCCESS, - "set access token failed for service %s", service->name); + SetServiceEnterSandbox(service->pathArgs.argv[0], service->attribute); + + INIT_CHECK_ONLY_ELOG(SetAccessToken(service) == SERVICE_SUCCESS, "access token failed %s", service->name); // deal start job if (service->serviceJobs.jobsName[JOB_ON_START] != NULL) { DoJobNow(service->serviceJobs.jobsName[JOB_ON_START]); @@ -290,8 +291,7 @@ int ServiceStart(Service *service) ClearEnvironment(); if (!IsOnDemandService(service)) { - int ret = CreateServiceSocket(service); - INIT_ERROR_CHECK(ret >= 0, return SERVICE_FAILURE, + INIT_ERROR_CHECK(CreateServiceSocket(service) >= 0, return SERVICE_FAILURE, "service %s exit! create socket failed!", service->name); } diff --git a/services/init/init_service_manager.c b/services/init/init_service_manager.c index a97704fd05d9cd46ea6cff25756568ab3d096aa7..68a88736d5c834ccd89fe0c4bf0ee2bf6cccd8ae 100755 --- a/services/init/init_service_manager.c +++ b/services/init/init_service_manager.c @@ -641,7 +641,7 @@ static int CheckServiceKeyName(const cJSON *curService) char *cfgServiceKeyList[] = { "name", "path", "uid", "gid", "once", "importance", "caps", "disabled", "writepid", "critical", "socket", "console", "dynamic", "file", "ondemand", - "d-caps", "apl", "jobs", "start-mode", "end-mode", "cpucore", "secon" + "d-caps", "apl", "jobs", "start-mode", "end-mode", "cpucore", "secon", "sandbox" }; INIT_CHECK_RETURN_VALUE(curService != NULL, SERVICE_FAILURE); cJSON *child = curService->child; @@ -788,6 +788,26 @@ static int GetCpuArgs(const cJSON *argJson, const char *name, Service *service) return SERVICE_SUCCESS; } +static int GetServiceSandbox(const cJSON *curItem, Service *service) +{ + MarkServiceWithSandbox(service); + cJSON *item = cJSON_GetObjectItem(curItem, "sandbox"); + if (item == NULL) { + return SERVICE_SUCCESS; + } + + INIT_ERROR_CHECK(cJSON_IsNumber(item), return SERVICE_FAILURE, + "Service : %s sandbox value only support number.", service->name); + int isSandbox = (int)cJSON_GetNumberValue(item); + if (isSandbox == 1) { + MarkServiceWithSandbox(service); + } else { + UnMarkServiceWithSandbox(service); + } + + return SERVICE_SUCCESS; +} + int ParseOneService(const cJSON *curItem, Service *service) { INIT_CHECK_RETURN_VALUE(curItem != NULL && service != NULL, SERVICE_FAILURE); @@ -822,6 +842,8 @@ int ParseOneService(const cJSON *curItem, Service *service) (void)GetServiceArgs(curItem, D_CAPS_STR_IN_CFG, MAX_WRITEPID_FILES, &service->capsArgs); (void)GetStringItem(curItem, APL_STR_IN_CFG, service->apl, MAX_APL_NAME); (void)GetCpuArgs(curItem, CPU_CORE_STR_IN_CFG, service); + ret = GetServiceSandbox(curItem, service); + INIT_ERROR_CHECK(ret == 0, return SERVICE_FAILURE, "Failed to get sandbox for service %s", service->name); ret = GetServiceCaps(curItem, service); INIT_ERROR_CHECK(ret == 0, return SERVICE_FAILURE, "Failed to get caps for service %s", service->name); ret = GetDynamicService(curItem, service); diff --git a/services/init/lite/init.c b/services/init/lite/init.c index b710f49524cb4ec8fd4409aeea5a7196680b3dd6..2530754debd9885dc2052c5f52fede78b35146b7 100755 --- a/services/init/lite/init.c +++ b/services/init/lite/init.c @@ -82,3 +82,10 @@ void SystemRun(void) { LE_RunLoop(LE_GetDefaultLoop()); } + +void SetServiceEnterSandbox(const char *path, unsigned int attribute) +{ + UNUSED(path); + UNUSED(attribute); + return; +} diff --git a/services/init/standard/device.c b/services/init/standard/device.c index bac801fce19dc35cb47d25f42f6e52243cbe1e01..3152cf7dd68e7137002bb929383ddc7362e73a66 100755 --- a/services/init/standard/device.c +++ b/services/init/standard/device.c @@ -47,6 +47,12 @@ void MountBasicFs(void) if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID, "mode=0755") != 0) { INIT_LOGE("Mount tmpfs failed. %s", strerror(errno)); } + if (mount("tmpfs", "/storage", "tmpfs", MS_NOEXEC | MS_NODEV| MS_NOSUID, "mode=0755") != 0) { + INIT_LOGE("Mount storage failed. %s", strerror(errno)); + } + if (mount("none", "/config", "configfs", MS_NOEXEC | MS_NODEV| MS_NOSUID, "mode=0755") != 0) { + INIT_LOGE("Mount configfs failed. %s", strerror(errno)); + } if (mkdir("/dev/pts", S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) != 0) { INIT_LOGE("mkdir /dev/pts failed. %s", strerror(errno)); } diff --git a/services/init/standard/init.c b/services/init/standard/init.c index e66b4df14f13ebb2cf2bc330ca5fda7034e2866a..4135a10638cf639a5046942bf3845e1e0367b478 100755 --- a/services/init/standard/init.c +++ b/services/init/standard/init.c @@ -38,11 +38,15 @@ #include "ueventd.h" #include "ueventd_socket.h" #include "fd_holder_internal.h" +#include "sandbox.h" +#include "sandbox_namespace.h" #ifdef WITH_SELINUX #include #include #endif // WITH_SELINUX +static bool g_enableSandbox; + static int FdHolderSockInit(void) { int sock = -1; @@ -267,6 +271,24 @@ static int SystemDump(int id, const char *name, int argc, const char **argv) } #endif +static void IsEnableSandbox(void) +{ + const char *name = "const.sandbox"; + char value[MAX_BUFFER_LEN] = {0}; + unsigned int len = MAX_BUFFER_LEN; + if (SystemReadParam(name, value, &len) != 0) { + INIT_LOGE("Failed read param."); + g_enableSandbox = false; + } + if (strcmp(value, "enable") == 0) { + INIT_LOGI("Enable sandbox."); + g_enableSandbox = true; + } else { + INIT_LOGI("Disable sandbox."); + g_enableSandbox = false; + } +} + void SystemConfig(void) { InitServiceSpace(); @@ -293,7 +315,7 @@ void SystemConfig(void) AddCmdExecutor("display", SystemDump); (void)AddCompleteJob("param:ohos.servicectrl.display", "ohos.servicectrl.display=*", "display system"); #endif - + IsEnableSandbox(); // execute init PostTrigger(EVENT_TRIGGER_BOOT, "pre-init", strlen("pre-init")); PostTrigger(EVENT_TRIGGER_BOOT, "init", strlen("init")); @@ -304,3 +326,31 @@ void SystemRun(void) { StartParamService(); } + +void SetServiceEnterSandbox(const char *execPath, unsigned int attribute) +{ + if (g_enableSandbox == false) { + return; + } + if ((attribute & SERVICE_ATTR_SANDBOX) != SERVICE_ATTR_SANDBOX) { + return; + } + INIT_ERROR_CHECK(execPath != NULL, return, "Service path is null."); + if (strncmp(execPath, "/system/bin/", strlen("/system/bin/")) == 0) { + if (strcmp(execPath, "/system/bin/appspawn") == 0) { + INIT_LOGI("Appspawn skip enter sandbox."); + } else if (strcmp(execPath, "/system/bin/hilogd") == 0) { + INIT_LOGI("Hilogd skip enter sandbox."); + } else { + INIT_ERROR_CHECK(EnterSandbox("system") == 0, return, + "Service %s failed enter sandbox system.", execPath); + } + } else if (strncmp(execPath, "/vendor/bin/", strlen("/vendor/bin/")) == 0) { + // chipset sandbox will be implemented later. + INIT_ERROR_CHECK(EnterSandbox("system") == 0, return, + "Service %s failed enter sandbox system.", execPath); + } else { + INIT_LOGE("Service %s does not enter sandbox", execPath); + } + return; +} diff --git a/services/init/standard/init_cmds.c b/services/init/standard/init_cmds.c index 60a565d2b5ba7485e8842e9bf7c6b1143c5ad686..9356e406e0c2cb1a5e330dc80d3aa80c6a2aea8e 100755 --- a/services/init/standard/init_cmds.c +++ b/services/init/standard/init_cmds.c @@ -37,6 +37,8 @@ #include "init_param.h" #include "init_service_manager.h" #include "init_utils.h" +#include "sandbox.h" +#include "sandbox_namespace.h" #include "securec.h" #ifdef WITH_SELINUX #include @@ -510,6 +512,34 @@ static void DoSwapon(const struct CmdArgs *ctx) INIT_LOGI("DoSwapon: end, ret = %d", ret); } +static void DoMkSandbox(const struct CmdArgs *ctx) +{ + INIT_LOGI("DoMkSandbox: start"); + if ((ctx == NULL) || (ctx->argc != 1)) { + INIT_LOGE("Call DoMkSandbox with invalid arguments"); + return; + } + + const char *sandbox = ctx->argv[0]; + if (sandbox == NULL) { + INIT_LOGE("Invaild sandbox name."); + return; + } + InitDefaultNamespace(); + if (!InitSandboxWithName(sandbox)) { + INIT_LOGE("Failed to init sandbox with name %s.", sandbox); + } + + if (PrepareSandbox(sandbox) != 0) { + INIT_LOGE("Failed to prepare sandbox %s.", sandbox); + DestroySandbox(sandbox); + } + if (EnterDefaultNamespace() < 0) { + INIT_LOGE("Failed to set default namespace."); + } + CloseDefaultNamespace(); +} + static const struct CmdTable g_cmdTable[] = { { "exec ", 1, 10, DoExec }, { "mknode ", 1, 5, DoMakeNode }, @@ -534,6 +564,7 @@ static const struct CmdTable g_cmdTable[] = { { "init_main_user ", 0, 1, DoInitMainUser }, { "mkswap", 1, 1, DoMkswap}, { "swapon", 1, 1, DoSwapon}, + { "mksandbox", 1, 1, DoMkSandbox}, }; const struct CmdTable *GetCmdTable(int *number) diff --git a/services/log/BUILD.gn b/services/log/BUILD.gn index ba3f7403bb42c2b965aa87a4288f707144ed6719..b8e404afe33435247fd46fba8df6f5a7b1344ffc 100755 --- a/services/log/BUILD.gn +++ b/services/log/BUILD.gn @@ -40,6 +40,7 @@ if (defined(ohos_lite)) { "system", "updater", ] + relative_install_dir = "platform-vndk" install_enable = true part_name = "init" subsystem_name = "startup" diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index 64fc776d6e631bc75347b03cef1e5a402a2944f3..d48273cde1b44d34fb15a23c94794b684c9e82a0 100755 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn @@ -38,6 +38,8 @@ ohos_unittest("init_ut") { "//base/startup/init_lite/interfaces/innerkits/fs_manager/fstab_mount.c", "//base/startup/init_lite/interfaces/innerkits/plugin/init_plugin.c", "//base/startup/init_lite/interfaces/innerkits/reboot/init_reboot_innerkits.c", + "//base/startup/init_lite/interfaces/innerkits/sandbox/sandbox.c", + "//base/startup/init_lite/interfaces/innerkits/sandbox/sandbox_namespace.c", "//base/startup/init_lite/interfaces/innerkits/socket/init_socket.c", "//base/startup/init_lite/services/begetctl/param_cmd.c", "//base/startup/init_lite/services/begetctl/shell/shell_bas.c", @@ -168,6 +170,7 @@ ohos_unittest("init_ut") { "//third_party/cJSON", "//base/security/access_token/interfaces/innerkits/token_setproc/include", "//base/security/access_token/interfaces/innerkits/nativetoken/include", + "//base/startup/init_lite/interfaces/innerkits/sandbox/include", ] deps = [