diff --git a/interfaces/innerkits/sandbox/chipset-sandbox.json b/interfaces/innerkits/sandbox/chipset-sandbox.json
index 6f4c2d05a28ea9b6841b701625491d43275652f2..8c0734dae7c1e08fa572be369a1c7cc323455fcc 100644
--- a/interfaces/innerkits/sandbox/chipset-sandbox.json
+++ b/interfaces/innerkits/sandbox/chipset-sandbox.json
@@ -19,15 +19,18 @@
 }, {
 "src-path" : "/system/app",
 "sandbox-path" : "/system/app",
- "sandbox-flags" : [ "bind", "rec", "private" ]
+ "sandbox-flags" : [ "bind", "rec", "private" ],
+ "ignore": 1
 }, {
 "src-path" : "/system/fonts",
 "sandbox-path" : "/system/fonts",
- "sandbox-flags" : [ "bind", "rec", "private" ]
+ "sandbox-flags" : [ "bind", "rec", "private" ],
+ "ignore": 1
 }, {
 "src-path" : "/system/usr",
 "sandbox-path" : "/system/usr",
- "sandbox-flags" : [ "bind", "rec", "private" ]
+ "sandbox-flags" : [ "bind", "rec", "private" ],
+ "ignore": 1
 }, {
 "src-path" : "/vendor",
 "sandbox-path" : "/vendor",
@@ -47,7 +50,8 @@
 }, {
 "src-path" : "/sys/kernel/debug/tracing",
 "sandbox-path" : "/sys/kernel/debug/tracing",
- "sandbox-flags" : [ "bind", "private" ]
+ "sandbox-flags" : [ "bind", "private" ],
+ "ignore": 1
 }, {
 "src-path" : "/sys/kernel/debug",
 "sandbox-path" : "/sys/kernel/debug",
diff --git a/interfaces/innerkits/sandbox/chipset-sandbox64.json b/interfaces/innerkits/sandbox/chipset-sandbox64.json
index de8e0dbfe289bb9f7a62b68d43869e999a72e790..b0462f49bc45f0974baeebb9057ab716d7bbcd13 100644
--- a/interfaces/innerkits/sandbox/chipset-sandbox64.json
+++ b/interfaces/innerkits/sandbox/chipset-sandbox64.json
@@ -23,15 +23,18 @@ }, { "src-path" : "/system/app", "sandbox-path" : "/system/app", - "sandbox-flags" : [ "bind", "rec", "private" ] + "sandbox-flags" : [ "bind", "rec", "private" ], + "ignore": 1 }, { "src-path" : "/system/fonts", "sandbox-path" : "/system/fonts", - "sandbox-flags" : [ "bind", "rec", "private" ] + "sandbox-flags" : [ "bind", "rec", "private" ], + "ignore": 1 }, { "src-path" : "/system/usr", "sandbox-path" : "/system/usr", - "sandbox-flags" : [ "bind", "rec", "private" ] + "sandbox-flags" : [ "bind", "rec", "private" ], + "ignore": 1 }, { "src-path" : "/vendor", "sandbox-path" : "/vendor", @@ -51,12 +54,13 @@ }, { "src-path" : "/sys/kernel/debug/tracing", "sandbox-path" : "/sys/kernel/debug/tracing", - "sandbox-flags" : [ "bind", "private" ] + "sandbox-flags" : [ "bind", "private" ], + "ignore": 1 }, { "src-path" : "/sys/kernel/debug", "sandbox-path" : "/sys/kernel/debug", "sandbox-flags" : [ "bind", "private" ] - }, { + }, { "src-path" : "/sys", "sandbox-path" : "/sys", "sandbox-flags" : [ "bind", "private" ] diff --git a/interfaces/innerkits/sandbox/include/sandbox.h b/interfaces/innerkits/sandbox/include/sandbox.h index ae913cf4607e0344d0d374527bafca06513b0e57..f62ba22603b1da2806be89efcc6d1c98c572f834 100644 --- a/interfaces/innerkits/sandbox/include/sandbox.h +++ b/interfaces/innerkits/sandbox/include/sandbox.h @@ -26,6 +26,7 @@ typedef struct { char *source; // source 目录,一般是全局的fs 目录 char *target; // 沙盒化后的目录 unsigned long flags; + bool ignoreErrors; } mount_t; typedef struct MountList { diff --git a/interfaces/innerkits/sandbox/sandbox.c b/interfaces/innerkits/sandbox/sandbox.c index f23300d534e6a8d014064d19754daa91195c4667..b0ea91800d221cb9993b51342c2de4981493ec96 100644 --- a/interfaces/innerkits/sandbox/sandbox.c +++ b/interfaces/innerkits/sandbox/sandbox.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include 
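Review bot: In the sandbox.h hunk, `ignoreErrors` is added to `mount_t` without a comment, although `source` and `target` each have one and this field has the least obvious meaning. A trailing comment such as `// true: a failed mount of this entry is logged and skipped instead of aborting sandbox setup` would record the intent that the sandbox.c changes appear to implement. The field is typed `bool`, so the header should include `<stdbool.h>` itself rather than depend on the including file; the header's include list is outside this hunk, so confirm it is present.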
@@ -35,6 +36,7 @@ #define SANDBOX_SOURCE "src-path" #define SANDBOX_TARGET "sandbox-path" #define SANDBOX_FLAGS "sandbox-flags" +#define SANDBOX_IGNORE_ERRORS "ignore" #define SANDBOX_SYMLINK_TAG "symbol-links" #define SANDBOX_SYMLINK_TARGET "target-name" #define SANDBOX_SYMLINK_NAME "link-name" @@ -152,6 +154,10 @@ static int AddMountInfoToSandbox(sandbox_t *sandbox, cJSON *item, const char *ty BEGET_ERROR_CHECK(tmpMount->info != NULL, free(tmpMount); return -1, "Failed calloc err=%d", errno); tmpMount->info->source = strdup(srcPath); tmpMount->info->target = strdup(dstPath); + tmpMount->info->ignoreErrors = false; + if (cJSON_GetNumberValue(cJSON_GetObjectItem(item, SANDBOX_IGNORE_ERRORS))) { + tmpMount->info->ignoreErrors = true; + } for (int i = 0; i < count; i++) { cJSON *item = cJSON_GetArrayItem(obj, i); tmpMount->info->flags |= GetSandboxMountFlags(item); @@ -298,10 +304,13 @@ static void InitSandbox(sandbox_t *sandbox, const char *sandboxConfig, const cha static int CheckAndMakeDir(const char *dir, mode_t mode) { - if (access(dir, F_OK) == 0) { + struct stat sb; + + if ((stat(dir, &sb) == 0) && S_ISDIR(sb.st_mode)) { BEGET_LOGW("Mount point \' %s \' already exist", dir); return 0; } else { + BEGET_LOGI("Ready to create dir [%s] now ...", dir); if (errno == ENOENT) { BEGET_ERROR_CHECK(MakeDirRecursive(dir, mode) == 0, return -1, "Failed MakeDirRecursive %s, err=%d", dir, errno); @@ -323,7 +332,7 @@ static int BindMount(const char *source, const char *target, unsigned long flags unsigned long tmpflags = flags; mode_t mode = S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH; if (tag == SANDBOX_TAG_MOUNT_PATH) { - BEGET_ERROR_CHECK(CheckAndMakeDir(target, mode) == 0, return -1, "Failed make %s dir.", target); + CheckAndMakeDir(target, mode); } else if (tag == SANDBOX_TAG_MOUNT_FILE) { BEGET_ERROR_CHECK(CheckAndCreatFile(target, mode) == 0, return -1, "Failed make %s file.", target); } else { 
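Review bot: The test `if (cJSON_GetNumberValue(cJSON_GetObjectItem(item, SANDBOX_IGNORE_ERRORS)))` in AddMountInfoToSandbox is true for entries that have no "ignore" key at all. Upstream cJSON returns NaN from `cJSON_GetNumberValue()` when the item is NULL or not a number, and NaN compares unequal to zero, so the branch is taken and `ignoreErrors` becomes true for every mount entry. That would make every mount failure non-fatal and leave the sandbox partially populated without an error. Fetch the item once and test its type, `cJSON *ign = cJSON_GetObjectItem(item, SANDBOX_IGNORE_ERRORS);` then `tmpMount->info->ignoreErrors = cJSON_IsNumber(ign) && (ign->valueint != 0);`. The function body starts and ends outside this hunk.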
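Review bot: In CheckAndMakeDir the `else` branch still tests `errno == ENOENT`, but it is now also reached when `stat()` succeeds and the path is not a directory, in which case `stat()` has not set `errno` and the test reads a stale value. Separate the two cases: keep the `stat(dir, &sb) == 0` check, and inside it return 0 for `S_ISDIR(sb.st_mode)` and otherwise set `errno = ENOTDIR;` and `return -1;`, so that only a failed `stat()` falls through to the ENOENT handling. The "already exist" warning would then be printed only for real directories, as it is now. The rest of the `else` branch lies outside the hunk, so check what it does for other errno values.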
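Review bot: In BindMount the result of `CheckAndMakeDir(target, mode);` is now discarded for every SANDBOX_TAG_MOUNT_PATH entry, not only for entries marked "ignore", while the SANDBOX_TAG_MOUNT_FILE branch still fails hard. A target that cannot be created is no longer reported here and will presumably only surface as a later mount failure, in code outside this hunk, with a less specific message. At minimum keep the diagnostic, `if (CheckAndMakeDir(target, mode) != 0) { BEGET_LOGW("Failed make %s dir.", target); }`, or pass the entry's `ignoreErrors` into BindMount so that only tolerated entries skip the check.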
@@ -366,6 +375,7 @@ static int MountSandboxInfo(const mountlist_t *mounts, const char *rootPath, San if (mounts == NULL) { return 0; } + BEGET_LOGI("MountSandboxInfo now ..."); BEGET_CHECK(mounts->info != NULL, return 0); while (mounts != NULL) { mount_t *mount = mounts->info; @@ -373,9 +383,16 @@ static int MountSandboxInfo(const mountlist_t *mounts, const char *rootPath, San char target[PATH_MAX] = {}; BEGET_ERROR_CHECK(!(snprintf_s(target, PATH_MAX, PATH_MAX - 1, "%s%s", rootPath, mount->target) < 0), return -1, "Failed snprintf_s err=%d", errno); + BEGET_LOGI("Do BindMount from [%s] to [%s] now ...", source, target); int rc = BindMount(source, target, mount->flags, tag); - BEGET_ERROR_CHECK(rc == 0, return -1, "Failed bind mount %s to %s.", source, target); - mounts = mounts->next; + if (rc != 0) { + BEGET_LOGW("Failed bind mount %s to %s.", source, target); + } + if (mount->ignoreErrors) { + mounts = mounts->next; + continue; + } + return -1; } return 0; } diff --git a/interfaces/innerkits/sandbox/system-sandbox.json b/interfaces/innerkits/sandbox/system-sandbox.json index b4666fcaea30ff81e73064fe3de62dffa2ad0e02..201f8961a45fc5772805c43796614aab2ee72d03 100644 --- a/interfaces/innerkits/sandbox/system-sandbox.json +++ b/interfaces/innerkits/sandbox/system-sandbox.json @@ -19,15 +19,18 @@ }, { "src-path" : "/system/app", "sandbox-path" : "/system/app", - "sandbox-flags" : [ "bind", "rec", "private" ] + "sandbox-flags" : [ "bind", "rec", "private" ], + "ignore": 1 }, { "src-path" : "/system/fonts", "sandbox-path" : "/system/fonts", - "sandbox-flags" : [ "bind", "rec", "private" ] + "sandbox-flags" : [ "bind", "rec", "private" ], + "ignore": 1 }, { "src-path" : "/system/usr", "sandbox-path" : "/system/usr", - "sandbox-flags" : [ "bind", "rec", "private" ] + "sandbox-flags" : [ "bind", "rec", "private" ], + "ignore": 1 }, { "src-path" : "/vendor", "sandbox-path" : "/vendor", 
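Review bot: In the second MountSandboxInfo hunk the `return -1;` sits outside the `if (rc != 0)` block, so as written a successful BindMount of an entry whose `ignoreErrors` is false also returns -1, and `mounts = mounts->next` is only reached for ignorable entries. The failure exit should depend on both conditions, with the list advancing unconditionally: after the `BEGET_LOGW` block use `if (rc != 0 && !mount->ignoreErrors) { return -1; }` followed by `mounts = mounts->next;`. If this currently passes testing, that may be because the parser change in AddMountInfoToSandbox sets `ignoreErrors` on every entry, so the two problems should be fixed together. A comment on the loop stating that ignorable entries are skipped on failure would also help the next reader.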
@@ -47,7 +50,8 @@
 }, {
 "src-path" : "/sys/kernel/debug/tracing",
 "sandbox-path" : "/sys/kernel/debug/tracing",
- "sandbox-flags" : [ "bind", "private" ]
+ "sandbox-flags" : [ "bind", "private" ],
+ "ignore": 1
 }, {
 "src-path" : "/sys/kernel/debug",
 "sandbox-path" : "/sys/kernel/debug",
@@ -59,7 +63,8 @@
 }, {
 "src-path" : "/config",
 "sandbox-path" : "/config",
- "sandbox-flags" : [ "bind", "rec", "private" ]
+ "sandbox-flags" : [ "bind", "rec", "private" ],
+ "ignore": 1
 }, {
 "src-path" : "/mnt",
 "sandbox-path" : "/mnt",
diff --git a/interfaces/innerkits/sandbox/system-sandbox64.json b/interfaces/innerkits/sandbox/system-sandbox64.json
index ea187d3cc2c834ac834b7a03925954cda512e969..82f97e4d490d77a17624004acf701e60fe4ab5db 100644
--- a/interfaces/innerkits/sandbox/system-sandbox64.json
+++ b/interfaces/innerkits/sandbox/system-sandbox64.json
@@ -23,15 +23,18 @@
 }, {
 "src-path" : "/system/app",
 "sandbox-path" : "/system/app",
- "sandbox-flags" : [ "bind", "rec", "private" ]
+ "sandbox-flags" : [ "bind", "rec", "private" ],
+ "ignore": 1
 }, {
 "src-path" : "/system/fonts",
 "sandbox-path" : "/system/fonts",
- "sandbox-flags" : [ "bind", "rec", "private" ]
+ "sandbox-flags" : [ "bind", "rec", "private" ],
+ "ignore": 1
 }, {
 "src-path" : "/system/usr",
 "sandbox-path" : "/system/usr",
- "sandbox-flags" : [ "bind", "rec", "private" ]
+ "sandbox-flags" : [ "bind", "rec", "private" ],
+ "ignore": 1
 }, {
 "src-path" : "/vendor",
 "sandbox-path" : "/vendor",
@@ -48,6 +51,11 @@
 "src-path" : "/data",
 "sandbox-path" : "/data",
 "sandbox-flags" : [ "bind", "rec", "private" ]
+ }, {
+ "src-path" : "/sys/kernel/debug/tracing",
+ "sandbox-path" : "/sys/kernel/debug/tracing",
+ "sandbox-flags" : [ "bind", "private" ],
+ "ignore": 1
 }, {
 "src-path" : "/sys/kernel/debug/tracing",
 "sandbox-path" : "/sys/kernel/debug/tracing",
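Review bot: The `-48,6 +51,11` hunk of system-sandbox64.json inserts a second `/sys/kernel/debug/tracing` object instead of adding `"ignore": 1` to the existing one, which is how the other three sandbox files in this commit were changed. The file therefore ends up with two entries for the same source and target, and the original entry is still not marked ignorable. If the loader processes both, the path is bind-mounted twice and a failure on the unmarked entry is still fatal, which appears to defeat the purpose of the change here. Drop the inserted object and add `"ignore": 1` after the existing entry's `"sandbox-flags"` line.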
@@ -56,7 +64,7 @@
 "src-path" : "/sys/kernel/debug",
 "sandbox-path" : "/sys/kernel/debug",
 "sandbox-flags" : [ "bind", "private" ]
- }, {
+ }, {
 "src-path" : "/sys",
 "sandbox-path" : "/sys",
 "sandbox-flags" : [ "bind", "private" ]