diff --git a/interfaces/innerkits/sandbox/app-sandbox64.json b/interfaces/innerkits/sandbox/app-sandbox64.json
index adc5658f6a09952afb942a5ed5c4e349831bb327..2f757c1eeac8a38c72c7d1d7d76ca3ba9d1df9dc 100644
--- a/interfaces/innerkits/sandbox/app-sandbox64.json
+++ b/interfaces/innerkits/sandbox/app-sandbox64.json
@@ -44,6 +44,22 @@
             "src-path" : "/data",
             "sandbox-path" : "/data",
             "sandbox-flags" : [ "bind", "rec", "private" ]
+        }, {
+            "src-path" : "/system/fonts",
+            "sandbox-path" : "/system/fonts",
+            "sandbox-flags" : [ "bind", "rec", "private" ]
+        }, {
+            "src-path" : "/config",
+            "sandbox-path" : "/config",
+            "sandbox-flags" : [ "bind", "rec" ]
+        }, {
+            "src-path" : "/sys_prod",
+            "sandbox-path" : "/sys_prod",
+            "sandbox-flags" : [ "bind", "rec" ]
+        }, {
+            "src-path" : "/storage",
+            "sandbox-path" : "/storage",
+            "sandbox-flags" : [ "bind", "rec", "private" ]
         }
     ],
     "mount-bind-files" : [{
diff --git a/interfaces/innerkits/sandbox/privapp-sandbox64.json b/interfaces/innerkits/sandbox/privapp-sandbox64.json
index 40252c146f3edcc2e4c3c33fbbe1eb1a9a90b386..b4c649737632376abbe73bd2dea7458208b17bf6 100644
--- a/interfaces/innerkits/sandbox/privapp-sandbox64.json
+++ b/interfaces/innerkits/sandbox/privapp-sandbox64.json
@@ -48,6 +48,14 @@
             "src-path" : "/data",
             "sandbox-path" : "/data",
             "sandbox-flags" : [ "bind", "rec" ]
+        },{
+            "src-path" : "/storage",
+            "sandbox-path" : "/storage",
+            "sandbox-flags" : [ "bind", "rec", "private" ]
+        }, {
+            "src-path" : "/system/fonts",
+            "sandbox-path" : "/system/fonts",
+            "sandbox-flags" : [ "bind", "rec", "private" ]
         }
     ],
     "mount-bind-files": [{
diff --git a/services/BUILD.gn b/services/BUILD.gn
index 66c78fbe67907ad3ef97a27cb92dfdafd93ac546..ad3b0671e571da52a745e5920081e1e4dabe8ebd 100755
--- a/services/BUILD.gn
+++ b/services/BUILD.gn
@@ -421,6 +421,12 @@ if (defined(ohos_lite)) {
     module_install_dir = "etc/sandbox"
   }
 
+  ohos_prebuilt_etc("appdata-sandbox.json") {
+    source = "//base/startup/appspawn_standard/appdata-sandbox.json"
+    part_name = "init"
+    module_install_dir = "etc/sandbox"
+  }
+
   ohos_prebuilt_etc("init.reboot") {
     source = "//base/startup/init_lite/services/etc/init.reboot.cfg"
     part_name = "init"
@@ -430,6 +436,7 @@ if (defined(ohos_lite)) {
   group("init_etc") {
     deps = [
       ":app-sandbox.json",
+      ":appdata-sandbox.json",
       ":boot.group",
       ":charing.group",
       ":chipset-sandbox.json",
diff --git a/services/begetctl/misc_daemon.cpp b/services/begetctl/misc_daemon.cpp
index 6a04581658e0101e0d35a27b6f5c0403ea88932d..496b63d7f3ce6a819793ec5434d7f1e1bf76b71c 100644
--- a/services/begetctl/misc_daemon.cpp
+++ b/services/begetctl/misc_daemon.cpp
@@ -87,8 +87,8 @@ static void WriteLogoContent(int fd, const std::string &logoPath, uint32_t size)
         free(buffer);
         return;
     }
-    uint32_t ret = write(fd, buffer, size);
-    if (ret != size) {
+    ssize_t ret = write(fd, buffer, size);
+    if (ret == -1 || ret != size) {
         (void)fclose(rgbFile);
         free(buffer);
         return;
diff --git a/services/etc/group b/services/etc/group
index 26bfdaa808be15a2fc79b15889075bdfe84e726f..a1149354d2925d903657b5ca2176e9c74ddbcd45 100755
--- a/services/etc/group
+++ b/services/etc/group
@@ -66,6 +66,7 @@ device_usage_stats:x:3048:
 faceauth_host:x:3049:
 pinauth_host:x:3050:
 dms:x:5522:
+update:x:6666:
 sensor:x:6688:
 input:x:6696:
 msdp:x:6699:
diff --git a/services/etc/passwd b/services/etc/passwd
index 956040527440f3489aa00ba3d3080a528459a0e9..172f47c248df408b45f78a0b8e8793fb16a7f7bd 100755
--- a/services/etc/passwd
+++ b/services/etc/passwd
@@ -67,6 +67,7 @@ faceauth_host:x:3049:3049:::/bin/false
 pinauth_host:x:3050:3050:::/bin/false
 dms:x:5522:5522:::/bin/false
 dbms:x:6000:6000:::/bin/false
+update:x:6666:6666:::/bin/false
 sensor:x:6688:6688:::/bin/false
 input:x:6696:6696:::/bin/false
 msdp:x:6699:6699:::/bin/false
diff --git a/ueventd/ueventd_device_handler.c b/ueventd/ueventd_device_handler.c
index 71dc2460aff71fc0bb0fce4676e3e96174dd6d7d..7e839bd7bbfe6b8f8efb9cee5181e35628890b23 100644
--- a/ueventd/ueventd_device_handler.c
+++ b/ueventd/ueventd_device_handler.c
@@ -182,7 +182,7 @@ static int RemoveDeviceNode(const char *deviceNode, char **symLinks)
     }
     if (symLinks != NULL) {
         for (int i = 0; symLinks[i] != NULL; i++) {
-            char realPath[DEVICE_FILE_SIZE] = {};
+            char realPath[DEVICE_FILE_SIZE] = {0};
             const char *linkName = symLinks[i];
             ssize_t ret = readlink(linkName, realPath, DEVICE_FILE_SIZE - 1);
             if (ret < 0) {