From e0bef6dfc11a757a4e2a9b5f443f9d2f75a17cf1 Mon Sep 17 00:00:00 2001
From: xionglei6
Date: Mon, 7 Mar 2022 14:38:19 +0800
Subject: [PATCH] add: appspawn sandbox config json
Signed-off-by: xionglei6
---
 interfaces/innerkits/sandbox/app-sandbox.json | 54 +++++++++++++++++
 .../innerkits/sandbox/privapp-sandbox.json | 58 +++++++++++++++++++
 services/BUILD.gn | 2 +
 3 files changed, 114 insertions(+)
 create mode 100644 interfaces/innerkits/sandbox/app-sandbox.json
 create mode 100644 interfaces/innerkits/sandbox/privapp-sandbox.json
diff --git a/interfaces/innerkits/sandbox/app-sandbox.json b/interfaces/innerkits/sandbox/app-sandbox.json
new file mode 100644
index 00000000..4f816217
--- /dev/null
+++ b/interfaces/innerkits/sandbox/app-sandbox.json
@@ -0,0 +1,54 @@
+{
+ "sandbox-root" : "/mnt/sandbox/app",
+ "mount-bind-paths" : [{
+ "src-path" : "/mnt",
+ "sandbox-path" : "/mnt",
+ "sandbox-flags" : [ "bind", "rec", "private" ]
+ }, {
+ "src-path" : "/system/bin",
+ "sandbox-path" : "/system/bin",
+ "sandbox-flags" : [ "bind", "rec", "private" ]
+ }, {
+ "src-path" : "/system/lib",
+ "sandbox-path" : "/system/lib",
+ "sandbox-flags" : [ "bind", "rec", "private" ]
+ }, {
+ "src-path" : "/system/lib/module",
+ "sandbox-path" : "/system/lib/module",
+ "sandbox-flags" : [ "bind", "rec", "private" ]
+ }, {
+ "src-path" : "/system/etc",
+ "sandbox-path" : "/system/etc",
+ "sandbox-flags" : [ "bind", "rec", "private" ]
+ }, {
+ "src-path" : "/sys",
+ "sandbox-path" : "/sys",
+ "sandbox-flags" : [ "bind", "rec", "private" ]
+ }, {
+ "src-path" : "/proc",
+ "sandbox-path" : "/proc",
+ "sandbox-flags" : [ "bind", "rec" ]
+ }, {
+ "src-path" : "/dev",
+ "sandbox-path" : "/dev",
+ "sandbox-flags" : [ "bind", "rec", "private" ]
+ }, {
+ "src-path" : "/data",
+ "sandbox-path" : "/data",
+ "sandbox-flags" : [ "bind", "rec", "private" ]
+ }
+ ],
+ "mount-bind-files" : [{
+ }],
+ "symbol-links" : [{
+ "target-name" : "/system/bin",
+ "link-name" : "/bin"
+ }, {
+ "target-name" : "/system/lib",
+ "link-name" : "/lib"
+ }, {
+ "target-name" : "/system/etc",
+ "link-name" : "/etc"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/interfaces/innerkits/sandbox/privapp-sandbox.json b/interfaces/innerkits/sandbox/privapp-sandbox.json
new file mode 100644
index 00000000..6b340dda
--- /dev/null
+++ b/interfaces/innerkits/sandbox/privapp-sandbox.json
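Review bot: The `/data`, `/dev` and `/mnt` entries of `mount-bind-paths` in app-sandbox.json bind whole host trees recursively into the sandbox, so as far as this file shows only file permissions separate an app from other apps' data and from device nodes; privapp-sandbox.json carries the same entries. `/mnt` also contains the `sandbox-root` itself (`/mnt/sandbox/app`), so the recursive bind nests the sandbox tree inside its own `/mnt`. I would narrow these entries to the subdirectories an app actually needs, or say in the commit message that this is a deliberately permissive first profile. The `/proc` entry is the only one here without `"private"`; if that is not intentional it should read `"sandbox-flags" : [ "bind", "rec", "private" ]`. In both files `"mount-bind-files" : [{ }]` hands the loader an entry with no paths, whereas `"mount-bind-files" : []` expresses "none" without depending on how an empty object is handled.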
@@ -0,0 +1,58 @@
+{
+ "sandbox-root" : "/mnt/sandbox/priv-app",
+ "mount-bind-paths" : [{
+ "src-path" : "/mnt",
+ "sandbox-path" : "/mnt",
+ "sandbox-flags" : [ "bind", "rec" ]
+ }, {
+ "src-path" : "/system/bin",
+ "sandbox-path" : "/system/bin",
+ "sandbox-flags" : [ "bind", "rec" ]
+ }, {
+ "src-path" : "/system/bin",
+ "sandbox-path" : "/system/common/bin",
+ "sandbox-flags" : [ "bind", "rec" ]
+ }, {
+ "src-path" : "/system/lib",
+ "sandbox-path" : "/system/lib",
+ "sandbox-flags" : [ "bind", "rec" ]
+ }, {
+ "src-path" : "/system/lib/module",
+ "sandbox-path" : "/system/lib/module",
+ "sandbox-flags" : [ "bind", "rec" ]
+ }, {
+ "src-path" : "/system/etc",
+ "sandbox-path" : "/system/etc",
+ "sandbox-flags" : [ "bind", "rec" ]
+ }, {
+ "src-path" : "/sys",
+ "sandbox-path" : "/sys",
+ "sandbox-flags" : [ "bind", "rec" ]
+ }, {
+ "src-path" : "/proc",
+ "sandbox-path" : "/proc",
+ "sandbox-flags" : [ "bind", "rec" ]
+ }, {
+ "src-path" : "/dev",
+ "sandbox-path" : "/dev",
+ "sandbox-flags" : [ "bind", "rec" ]
+ }, {
+ "src-path" : "/data",
+ "sandbox-path" : "/data",
+ "sandbox-flags" : [ "bind", "rec" ]
+ }
+ ],
+ "mount-bind-files": [{
+ }],
+ "symbol-links": [{
+ "target-name" : "/system/bin",
+ "link-name" : "/bin"
+ }, {
+ "target-name" : "/system/lib",
+ "link-name" : "/lib"
+ }, {
+ "target-name" : "/system/etc",
+ "link-name" : "/etc"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/services/BUILD.gn b/services/BUILD.gn
index 9420c6b9..e5ffb521 100755
--- a/services/BUILD.gn
+++ b/services/BUILD.gn
@@ -317,6 +317,7 @@ if (defined(ohos_lite)) { group("init_etc") { deps = [ + ":app-sandbox.json", ":boot.group", ":charing.group", ":chipset-sandbox.json",
@@ -328,6 +329,7 @@ if (defined(ohos_lite)) {
 ":ohos.para.dac",
 ":passwd",
 ":plugin_modules",
+ ":privapp-sandbox.json",
 ":syscap.json",
 ":syscap.para",
 ":system-sandbox.json",
-- GitLab
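Review bot: None of the `sandbox-flags` lists in privapp-sandbox.json includes `"private"`, while app-sandbox.json sets it on every entry except `/proc`. The loader that interprets these flags is not part of this patch, but if `"private"` selects private mount propagation, then the more privileged profile is the one whose mounts can propagate to and from the host namespace. Either add it, e.g. `"sandbox-flags" : [ "bind", "rec", "private" ]`, or record why priv-apps need the looser setting. `/system/bin` is also bound a second time at `/system/common/bin` with no explanation, and `/system/lib/module` is already covered by the recursive `/system/lib` bind.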
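Review bot: The new deps `":app-sandbox.json"` and `":privapp-sandbox.json"` in `group("init_etc")` are labels local to services/BUILD.gn, yet the diffstat shows only these two lines added to that file and the JSON files are created under interfaces/innerkits/sandbox/. Unless targets with those names already exist outside the two hunks, the group refers to undefined targets and the new profiles would not be installed. The patch should also carry the target definitions that copy the two files, next to the existing ones for `chipset-sandbox.json` and `system-sandbox.json`. The `deps` list continues outside both hunks.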