1 /*
2 * Copyright (c) 2021-2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "bundle_permission_mgr.h"
17
18 #include "app_log_wrapper.h"
19 #include "bundle_mgr_service.h"
20 #include "ipc_skeleton.h"
21
22 namespace OHOS {
23 namespace AppExecFwk {
24 using namespace OHOS::Security;
25
ConvertPermissionDef(const AccessToken::PermissionDef & permDef,PermissionDef & permissionDef)26 void BundlePermissionMgr::ConvertPermissionDef(
27 const AccessToken::PermissionDef &permDef, PermissionDef &permissionDef)
28 {
29 permissionDef.permissionName = permDef.permissionName;
30 permissionDef.bundleName = permDef.bundleName;
31 permissionDef.grantMode = permDef.grantMode;
32 permissionDef.availableLevel = permDef.availableLevel;
33 permissionDef.provisionEnable = permDef.provisionEnable;
34 permissionDef.distributedSceneEnable = permDef.distributedSceneEnable;
35 permissionDef.label = permDef.label;
36 permissionDef.labelId = permDef.labelId;
37 permissionDef.description = permDef.description;
38 permissionDef.descriptionId = permDef.descriptionId;
39 }
40
41 // Convert from the struct DefinePermission that parsed from config.json
ConvertPermissionDef(AccessToken::PermissionDef & permDef,const DefinePermission & definePermission,const std::string & bundleName)42 void BundlePermissionMgr::ConvertPermissionDef(
43 AccessToken::PermissionDef &permDef, const DefinePermission &definePermission, const std::string &bundleName)
44 {
45 permDef.permissionName = definePermission.name;
46 permDef.bundleName = bundleName;
47 permDef.grantMode = [&definePermission]() -> int {
48 if (definePermission.grantMode ==
49 ProfileReader::BUNDLE_MODULE_PROFILE_KEY_DEF_PERMISSIONS_GRANTMODE_SYSTEM_GRANT) {
50 return AccessToken::GrantMode::SYSTEM_GRANT;
51 }
52 return AccessToken::GrantMode::USER_GRANT;
53 }();
54
55 permDef.availableLevel = GetTokenApl(definePermission.availableLevel);
56 permDef.provisionEnable = definePermission.provisionEnable;
57 permDef.distributedSceneEnable = definePermission.distributedSceneEnable;
58 permDef.label = definePermission.label;
59 permDef.labelId = definePermission.labelId;
60 permDef.description = definePermission.description;
61 permDef.descriptionId = definePermission.descriptionId;
62 }
63
GetTokenApl(const std::string & apl)64 AccessToken::ATokenAplEnum BundlePermissionMgr::GetTokenApl(const std::string &apl)
65 {
66 if (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE) {
67 return AccessToken::ATokenAplEnum::APL_SYSTEM_CORE;
68 }
69 if (apl == Profile::AVAILABLELEVEL_SYSTEM_BASIC) {
70 return AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC;
71 }
72 return AccessToken::ATokenAplEnum::APL_NORMAL;
73 }
74
CreateHapPolicyParam(const InnerBundleInfo & innerBundleInfo)75 Security::AccessToken::HapPolicyParams BundlePermissionMgr::CreateHapPolicyParam(
76 const InnerBundleInfo &innerBundleInfo)
77 {
78 AccessToken::HapPolicyParams hapPolicy;
79 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
80 APP_LOGD("BundlePermissionMgr::CreateHapPolicyParam apl : %{public}s", apl.c_str());
81 std::vector<AccessToken::PermissionDef> permDef = GetPermissionDefList(innerBundleInfo);
82 std::vector<AccessToken::PermissionStateFull> permStateFull = GetPermissionStateFullList(innerBundleInfo);
83 hapPolicy.apl = GetTokenApl(apl);
84 hapPolicy.domain = "domain";
85 hapPolicy.permList = permDef;
86 hapPolicy.permStateList = permStateFull;
87 return hapPolicy;
88 }
89
CreateAccessTokenId(const InnerBundleInfo & innerBundleInfo,const std::string bundleName,const int32_t userId)90 AccessToken::AccessTokenID BundlePermissionMgr::CreateAccessTokenId(
91 const InnerBundleInfo &innerBundleInfo, const std::string bundleName, const int32_t userId)
92 {
93 APP_LOGD("BundlePermissionMgr::CreateAccessTokenId bundleName = %{public}s, userId = %{public}d",
94 bundleName.c_str(), userId);
95 AccessToken::HapInfoParams hapInfo;
96 hapInfo.userID = userId;
97 hapInfo.bundleName = bundleName;
98 hapInfo.instIndex = 0;
99 hapInfo.appIDDesc = innerBundleInfo.GetProvisionId();
100 AccessToken::HapPolicyParams hapPolicy = CreateHapPolicyParam(innerBundleInfo);
101 AccessToken::AccessTokenIDEx accessToken = AccessToken::AccessTokenKit::AllocHapToken(hapInfo, hapPolicy);
102 APP_LOGD("BundlePermissionMgr::CreateAccessTokenId accessTokenId = %{public}u",
103 accessToken.tokenIdExStruct.tokenID);
104 return accessToken.tokenIdExStruct.tokenID;
105 }
106
UpdateDefineAndRequestPermissions(const Security::AccessToken::AccessTokenID tokenId,const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo,std::vector<std::string> & newRequestPermName)107 bool BundlePermissionMgr::UpdateDefineAndRequestPermissions(const Security::AccessToken::AccessTokenID tokenId,
108 const InnerBundleInfo &oldInfo, const InnerBundleInfo &newInfo, std::vector<std::string> &newRequestPermName)
109 {
110 APP_LOGD("BundlePermissionMgr::UpdateDefineAndRequestPermissions bundleName = %{public}s",
111 newInfo.GetBundleName().c_str());
112 std::vector<AccessToken::PermissionDef> defPermList = GetPermissionDefList(newInfo);
113 std::vector<AccessToken::PermissionDef> newDefPermList;
114 if (!GetNewPermissionDefList(tokenId, defPermList, newDefPermList)) {
115 return false;
116 }
117 std::vector<AccessToken::PermissionStateFull> reqPermissionStateList = GetPermissionStateFullList(newInfo);
118 std::vector<AccessToken::PermissionStateFull> newPermissionStateList;
119 if (!GetNewPermissionStateFull(tokenId, reqPermissionStateList, newPermissionStateList, newRequestPermName)) {
120 return false;
121 }
122 // delete old definePermission
123 std::vector<std::string> needDeleteDefinePermission = GetNeedDeleteDefinePermissionName(oldInfo, newInfo);
124 for (const auto &name : needDeleteDefinePermission) {
125 auto iter = std::find_if(newDefPermList.begin(), newDefPermList.end(), [&name](const auto &defPerm) {
126 return defPerm.permissionName == name;
127 });
128 if (iter != newDefPermList.end()) {
129 APP_LOGD("delete definePermission %{public}s", name.c_str());
130 newDefPermList.erase(iter);
131 }
132 }
133 // delete old requestPermission
134 std::vector<std::string> needDeleteRequestPermission = GetNeedDeleteRequestPermissionName(oldInfo, newInfo);
135 for (const auto &name : needDeleteRequestPermission) {
136 auto iter = std::find_if(newPermissionStateList.begin(), newPermissionStateList.end(),
137 [&name](const auto &defPerm) {
138 return defPerm.permissionName == name;
139 });
140 if (iter != newPermissionStateList.end()) {
141 APP_LOGD("delete requestPermission %{public}s", name.c_str());
142 newPermissionStateList.erase(iter);
143 }
144 }
145 AccessToken::HapPolicyParams hapPolicy;
146 std::string apl = newInfo.GetAppPrivilegeLevel();
147 APP_LOGD("apl : %{public}s, newDefPermList size : %{public}zu, newPermissionStateList size : %{public}zu",
148 apl.c_str(), newDefPermList.size(), newPermissionStateList.size());
149 hapPolicy.apl = GetTokenApl(apl);
150 hapPolicy.domain = "domain"; // default
151 hapPolicy.permList = newDefPermList;
152 hapPolicy.permStateList = newPermissionStateList;
153 std::string appId = newInfo.GetProvisionId();
154 int32_t ret = AccessToken::AccessTokenKit::UpdateHapToken(tokenId, appId, hapPolicy);
155 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
156 APP_LOGE("UpdateDefineAndRequestPermissions UpdateHapToken failed errcode: %{public}d", ret);
157 return false;
158 }
159 APP_LOGD("BundlePermissionMgr::UpdateDefineAndRequestPermissions end");
160 return true;
161 }
162
GetNeedDeleteDefinePermissionName(const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo)163 std::vector<std::string> BundlePermissionMgr::GetNeedDeleteDefinePermissionName(const InnerBundleInfo &oldInfo,
164 const InnerBundleInfo &newInfo)
165 {
166 std::vector<DefinePermission> oldDefinePermissions = oldInfo.GetAllDefinePermissions();
167 std::vector<DefinePermission> newDefinePermissions = newInfo.GetAllDefinePermissions();
168 std::vector<std::string> needDeleteDefinePermission;
169 for (const auto &defPerm : oldDefinePermissions) {
170 auto iter = std::find_if(newDefinePermissions.begin(), newDefinePermissions.end(),
171 [&defPerm](const auto &perm) {
172 return defPerm.name == perm.name;
173 });
174 if (iter == newDefinePermissions.end()) {
175 APP_LOGD("GetNeedDeleteDefinePermissionName need delete %{public}s", defPerm.name.c_str());
176 needDeleteDefinePermission.emplace_back(defPerm.name);
177 }
178 }
179 return needDeleteDefinePermission;
180 }
181
GetNeedDeleteRequestPermissionName(const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo)182 std::vector<std::string> BundlePermissionMgr::GetNeedDeleteRequestPermissionName(const InnerBundleInfo &oldInfo,
183 const InnerBundleInfo &newInfo)
184 {
185 std::vector<RequestPermission> oldRequestPermissions = oldInfo.GetAllRequestPermissions();
186 std::vector<RequestPermission> newRequestPermissions = newInfo.GetAllRequestPermissions();
187 std::vector<std::string> needDeleteRequestPermission;
188 for (const auto &reqPerm : oldRequestPermissions) {
189 auto iter = std::find_if(newRequestPermissions.begin(), newRequestPermissions.end(),
190 [&reqPerm](const auto &perm) {
191 return reqPerm.name == perm.name;
192 });
193 if (iter == newRequestPermissions.end()) {
194 APP_LOGD("GetNeedDeleteRequestPermissionName need delete %{public}s", reqPerm.name.c_str());
195 needDeleteRequestPermission.emplace_back(reqPerm.name);
196 }
197 }
198 return needDeleteRequestPermission;
199 }
200
GetNewPermissionDefList(Security::AccessToken::AccessTokenID tokenId,const std::vector<Security::AccessToken::PermissionDef> & permissionDef,std::vector<Security::AccessToken::PermissionDef> & newPermissionDef)201 bool BundlePermissionMgr::GetNewPermissionDefList(Security::AccessToken::AccessTokenID tokenId,
202 const std::vector<Security::AccessToken::PermissionDef> &permissionDef,
203 std::vector<Security::AccessToken::PermissionDef> &newPermissionDef)
204 {
205 int32_t ret = AccessToken::AccessTokenKit::GetDefPermissions(tokenId, newPermissionDef);
206 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
207 APP_LOGE("BundlePermissionMgr::GetNewPermissionDefList GetDefPermissions failed errcode: %{public}d", ret);
208 return false;
209 }
210 for (const auto &perm : permissionDef) {
211 if (std::find_if(newPermissionDef.begin(), newPermissionDef.end(), [&perm](const auto &newPerm) {
212 return newPerm.permissionName == perm.permissionName;
213 }) == newPermissionDef.end()) {
214 APP_LOGD("BundlePermissionMgr::GetNewPermissionDefList add define permission %{public}s",
215 perm.permissionName.c_str());
216 newPermissionDef.emplace_back(perm);
217 }
218 }
219 return true;
220 }
221
GetNewPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,const std::vector<Security::AccessToken::PermissionStateFull> & permissionState,std::vector<Security::AccessToken::PermissionStateFull> & newPermissionState,std::vector<std::string> & newRequestPermName)222 bool BundlePermissionMgr::GetNewPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,
223 const std::vector<Security::AccessToken::PermissionStateFull> &permissionState,
224 std::vector<Security::AccessToken::PermissionStateFull> &newPermissionState,
225 std::vector<std::string> &newRequestPermName)
226 {
227 if (!GetAllReqPermissionStateFull(tokenId, newPermissionState)) {
228 APP_LOGE("BundlePermissionMgr::GetNewPermissionStateFull failed");
229 return false;
230 }
231 for (const auto &perm : permissionState) {
232 if (std::find_if(newPermissionState.begin(), newPermissionState.end(), [&perm](const auto &newPerm) {
233 return newPerm.permissionName == perm.permissionName;
234 }) == newPermissionState.end()) {
235 APP_LOGD("BundlePermissionMgr::GetNewPermissionStateFull add request permission %{public}s",
236 perm.permissionName.c_str());
237 newPermissionState.emplace_back(perm);
238 newRequestPermName.emplace_back(perm.permissionName);
239 }
240 }
241 return true;
242 }
243
AddDefineAndRequestPermissions(const Security::AccessToken::AccessTokenID tokenId,const InnerBundleInfo & innerBundleInfo,std::vector<std::string> & newRequestPermName)244 bool BundlePermissionMgr::AddDefineAndRequestPermissions(const Security::AccessToken::AccessTokenID tokenId,
245 const InnerBundleInfo &innerBundleInfo, std::vector<std::string> &newRequestPermName)
246 {
247 APP_LOGD("BundlePermissionMgr::AddDefineAndRequestPermissions start");
248 std::vector<AccessToken::PermissionDef> defPermList = GetPermissionDefList(innerBundleInfo);
249 std::vector<AccessToken::PermissionDef> newDefPermList;
250 if (!GetNewPermissionDefList(tokenId, defPermList, newDefPermList)) {
251 return false;
252 }
253
254 std::vector<AccessToken::PermissionStateFull> reqPermissionStateList = GetPermissionStateFullList(innerBundleInfo);
255 std::vector<AccessToken::PermissionStateFull> newPermissionStateList;
256 if (!GetNewPermissionStateFull(tokenId, reqPermissionStateList, newPermissionStateList, newRequestPermName)) {
257 return false;
258 }
259
260 AccessToken::HapPolicyParams hapPolicy;
261 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
262 APP_LOGD("BundlePermissionMgr::AddDefineAndRequestPermissions apl : %{public}s, newDefPermList size : %{public}zu, \
263 newPermissionStateList size : %{public}zu", apl.c_str(), newDefPermList.size(),
264 newPermissionStateList.size());
265 hapPolicy.apl = GetTokenApl(apl);
266 hapPolicy.domain = "domain"; // default
267 hapPolicy.permList = newDefPermList;
268 hapPolicy.permStateList = newPermissionStateList;
269 std::string appId = innerBundleInfo.GetProvisionId();
270 int32_t ret = AccessToken::AccessTokenKit::UpdateHapToken(tokenId, appId, hapPolicy);
271 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
272 APP_LOGE("BundlePermissionMgr::AddDefineAndRequestPermissions UpdateHapToken failed errcode: %{public}d", ret);
273 return false;
274 }
275 APP_LOGD("BundlePermissionMgr::AddDefineAndRequestPermissions end");
276 return true;
277 }
278
DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)279 int32_t BundlePermissionMgr::DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)
280 {
281 APP_LOGD("BundlePermissionMgr::DeleteAccessTokenId tokenId : %{public}u", tokenId);
282 return AccessToken::AccessTokenKit::DeleteToken(tokenId);
283 }
284
ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)285 int32_t BundlePermissionMgr::ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)
286 {
287 return AccessToken::AccessTokenKit::ClearUserGrantedPermissionState(tokenId);
288 }
289
GetPermissionDefList(const InnerBundleInfo & innerBundleInfo)290 std::vector<AccessToken::PermissionDef> BundlePermissionMgr::GetPermissionDefList(
291 const InnerBundleInfo &innerBundleInfo)
292 {
293 const auto bundleName = innerBundleInfo.GetBundleName();
294 const auto defPermissions = innerBundleInfo.GetAllDefinePermissions();
295 std::vector<AccessToken::PermissionDef> permList;
296 if (!defPermissions.empty()) {
297 for (const auto &defPermission : defPermissions) {
298 AccessToken::PermissionDef perm;
299 APP_LOGD("defPermission %{public}s", defPermission.name.c_str());
300 ConvertPermissionDef(perm, defPermission, bundleName);
301 permList.emplace_back(perm);
302 }
303 }
304 return permList;
305 }
306
GetPermissionStateFullList(const InnerBundleInfo & innerBundleInfo)307 std::vector<AccessToken::PermissionStateFull> BundlePermissionMgr::GetPermissionStateFullList(
308 const InnerBundleInfo &innerBundleInfo)
309 {
310 auto reqPermissions = innerBundleInfo.GetAllRequestPermissions();
311 std::vector<std::string> grantPermList;
312 std::vector<AccessToken::PermissionStateFull> permStateFullList;
313 if (!reqPermissions.empty()) {
314 for (const auto &reqPermission : reqPermissions) {
315 AccessToken::PermissionStateFull perState;
316 perState.permissionName = reqPermission.name;
317 perState.isGeneral = true;
318 perState.resDeviceID.emplace_back(innerBundleInfo.GetBaseApplicationInfo().deviceId);
319 perState.grantStatus.emplace_back(AccessToken::PermissionState::PERMISSION_DENIED);
320 perState.grantFlags.emplace_back(AccessToken::PermissionFlag::PERMISSION_USER_SET);
321 permStateFullList.emplace_back(perState);
322 }
323 } else {
324 APP_LOGD("BundlePermissionMgr::GetPermissionStateFullList requestPermission is empty");
325 }
326 return permStateFullList;
327 }
328
InnerGrantRequestPermissions(const std::vector<RequestPermission> & reqPermissions,const std::string & apl,const std::vector<std::string> & acls,const Security::AccessToken::AccessTokenID tokenId,bool isPreInstallApp)329 bool BundlePermissionMgr::InnerGrantRequestPermissions(const std::vector<RequestPermission> &reqPermissions,
330 const std::string &apl, const std::vector<std::string> &acls,
331 const Security::AccessToken::AccessTokenID tokenId, bool isPreInstallApp)
332 {
333 std::vector<std::string> grantPermList;
334 for (const auto &reqPermission : reqPermissions) {
335 APP_LOGI("add permission %{public}s", reqPermission.name.c_str());
336 AccessToken::PermissionDef permDef;
337 int32_t ret = AccessToken::AccessTokenKit::GetDefPermission(reqPermission.name, permDef);
338 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
339 APP_LOGE("get permission def failed, request permission name: %{public}s", reqPermission.name.c_str());
340 continue;
341 }
342 if (CheckGrantPermission(permDef, apl, acls) || isPreInstallApp) {
343 if (permDef.grantMode == AccessToken::GrantMode::SYSTEM_GRANT) {
344 APP_LOGD("InnerGrantRequestPermissions system grant permission %{public}s", reqPermission.name.c_str());
345 grantPermList.emplace_back(reqPermission.name);
346 }
347 } else {
348 return false;
349 }
350 }
351
352 APP_LOGD("InnerGrantRequestPermissions add system grant permission %{public}zu", grantPermList.size());
353 for (const auto &perm : grantPermList) {
354 auto ret = AccessToken::AccessTokenKit::GrantPermission(tokenId, perm, 0);
355 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
356 APP_LOGE("GrantReqPermission failed, request permission name:%{public}s", perm.c_str());
357 return false;
358 }
359 }
360 return true;
361 }
362
GrantRequestPermissions(const InnerBundleInfo & innerBundleInfo,const AccessToken::AccessTokenID tokenId)363 bool BundlePermissionMgr::GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
364 const AccessToken::AccessTokenID tokenId)
365 {
366 std::vector<RequestPermission> reqPermissions = innerBundleInfo.GetAllRequestPermissions();
367 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
368 std::vector<std::string> acls = innerBundleInfo.GetAllowedAcls();
369 bool isPreInstallApp = innerBundleInfo.IsPreInstallApp();
370 return InnerGrantRequestPermissions(reqPermissions, apl, acls, tokenId, isPreInstallApp);
371 }
372
GrantRequestPermissions(const InnerBundleInfo & innerBundleInfo,const std::vector<std::string> & requestPermName,const AccessToken::AccessTokenID tokenId)373 bool BundlePermissionMgr::GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
374 const std::vector<std::string> &requestPermName,
375 const AccessToken::AccessTokenID tokenId)
376 {
377 std::vector<RequestPermission> reqPermissions = innerBundleInfo.GetAllRequestPermissions();
378 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
379 std::vector<std::string> acls = innerBundleInfo.GetAllowedAcls();
380 bool isPreInstallApp = innerBundleInfo.IsPreInstallApp();
381 std::vector<RequestPermission> newRequestPermissions;
382 for (const auto &name : requestPermName) {
383 auto iter = find_if(reqPermissions.begin(), reqPermissions.end(), [&name](const auto &req) {
384 return name == req.name;
385 });
386 if (iter != reqPermissions.end()) {
387 newRequestPermissions.emplace_back(*iter);
388 }
389 }
390 return InnerGrantRequestPermissions(newRequestPermissions, apl, acls, tokenId, isPreInstallApp);
391 }
392
GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,std::vector<AccessToken::PermissionStateFull> & newPermissionState)393 bool BundlePermissionMgr::GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,
394 std::vector<AccessToken::PermissionStateFull> &newPermissionState)
395 {
396 std::vector<AccessToken::PermissionStateFull> userGrantReqPermList;
397 int32_t ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, userGrantReqPermList, false);
398 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
399 APP_LOGE("GetAllReqPermissionStateFull get user grant failed errcode: %{public}d", ret);
400 return false;
401 }
402 std::vector<AccessToken::PermissionStateFull> systemGrantReqPermList;
403 ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, systemGrantReqPermList, true);
404 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
405 APP_LOGE("GetAllReqPermissionStateFull get system grant failed errcode: %{public}d", ret);
406 return false;
407 }
408 newPermissionState = userGrantReqPermList;
409 for (auto &perm : systemGrantReqPermList) {
410 newPermissionState.emplace_back(perm);
411 }
412 return true;
413 }
414
GetRequestPermissionStates(BundleInfo & bundleInfo)415 bool BundlePermissionMgr::GetRequestPermissionStates(BundleInfo &bundleInfo)
416 {
417 std::vector<std::string> requestPermission = bundleInfo.reqPermissions;
418 if (requestPermission.empty()) {
419 APP_LOGD("GetRequestPermissionStates requestPermission empty");
420 return true;
421 }
422 uint32_t tokenId = bundleInfo.applicationInfo.accessTokenId;
423 std::vector<Security::AccessToken::PermissionStateFull> allPermissionState;
424 if (!GetAllReqPermissionStateFull(tokenId, allPermissionState)) {
425 APP_LOGE("BundlePermissionMgr::GetRequestPermissionStates failed");
426 return false;
427 }
428 std::string deviceId = bundleInfo.applicationInfo.deviceId;
429 for (auto &req : requestPermission) {
430 auto iter = std::find_if(allPermissionState.begin(), allPermissionState.end(),
431 [&req](const auto &perm) {
432 return perm.permissionName == req;
433 });
434 if (iter != allPermissionState.end()) {
435 APP_LOGD("GetRequestPermissionStates request permission name : %{public}s, deviceId : %{public}s",
436 req.c_str(), deviceId.c_str());
437 for (std::vector<std::string>::size_type i = 0; i < iter->resDeviceID.size(); i++) {
438 if (iter->resDeviceID[i] == deviceId) {
439 bundleInfo.reqPermissionStates.emplace_back(iter->grantStatus[i]);
440 break;
441 }
442 }
443 } else {
444 APP_LOGE("request permission name : %{public}s is not exit", req.c_str());
445 bundleInfo.reqPermissionStates.emplace_back(Constants::PERMISSION_NOT_GRANTED);
446 }
447 }
448 return true;
449 }
450
CheckGrantPermission(const AccessToken::PermissionDef & permDef,const std::string & apl,const std::vector<std::string> & acls)451 bool BundlePermissionMgr::CheckGrantPermission(
452 const AccessToken::PermissionDef &permDef,
453 const std::string &apl,
454 const std::vector<std::string> &acls)
455 {
456 AccessToken::ATokenAplEnum availableLevel = permDef.availableLevel;
457 APP_LOGD("BundlePermissionMgr::CheckGrantPermission availableLevel %{public}d, apl %{public}s",
458 availableLevel, apl.c_str());
459 switch (availableLevel) {
460 case AccessToken::ATokenAplEnum::APL_NORMAL: {
461 return true;
462 }
463 case AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC: {
464 if ((apl == Profile::AVAILABLELEVEL_SYSTEM_BASIC) ||
465 (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE)) {
466 return true;
467 }
468 break;
469 }
470 case AccessToken::ATokenAplEnum::APL_SYSTEM_CORE: {
471 if (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE) {
472 return true;
473 }
474 break;
475 }
476 default:
477 APP_LOGE("availableLevel %{public}d error", availableLevel);
478 break;
479 }
480 if (permDef.provisionEnable) {
481 APP_LOGD("CheckGrantPermission acls size: %{public}zu", acls.size());
482 for (auto &perm : acls) {
483 if (permDef.permissionName == perm) {
484 return true;
485 }
486 }
487 }
488 APP_LOGE("BundlePermissionMgr::CheckGrantPermission failed permission name : %{public}s",
489 permDef.permissionName.c_str());
490 return false;
491 }
492
VerifyCallingPermission(const std::string & permissionName)493 bool BundlePermissionMgr::VerifyCallingPermission(const std::string &permissionName)
494 {
495 APP_LOGD("VerifyCallingPermission permission %{public}s", permissionName.c_str());
496 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
497 APP_LOGD("callerToken : %{public}u", callerToken);
498 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
499 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
500 APP_LOGD("caller tokenType is native, verify success");
501 return true;
502 }
503 int32_t ret = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
504 if (ret == AccessToken::PermissionState::PERMISSION_DENIED) {
505 APP_LOGE("permission %{public}s: PERMISSION_DENIED", permissionName.c_str());
506 return false;
507 }
508 APP_LOGD("verify AccessToken success");
509 return true;
510 }
511
VerifyPermission(const std::string & bundleName,const std::string & permissionName,const int32_t userId)512 int32_t BundlePermissionMgr::VerifyPermission(
513 const std::string &bundleName, const std::string &permissionName, const int32_t userId)
514 {
515 APP_LOGD("VerifyPermission bundleName %{public}s, permission %{public}s", bundleName.c_str(),
516 permissionName.c_str());
517 AccessToken::AccessTokenID tokenId = AccessToken::AccessTokenKit::GetHapTokenID(userId,
518 bundleName, 0);
519 return AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionName);
520 }
521
GetPermissionDef(const std::string & permissionName,PermissionDef & permissionDef)522 bool BundlePermissionMgr::GetPermissionDef(const std::string &permissionName, PermissionDef &permissionDef)
523 {
524 APP_LOGD("BundlePermissionMgr::GetPermissionDef permission %{public}s", permissionName.c_str());
525 AccessToken::PermissionDef accessTokenPermDef;
526 int32_t ret = AccessToken::AccessTokenKit::GetDefPermission(permissionName, accessTokenPermDef);
527 if (ret == AccessToken::AccessTokenKitRet::RET_SUCCESS) {
528 ConvertPermissionDef(accessTokenPermDef, permissionDef);
529 return true;
530 }
531 return false;
532 }
533 } // namespace AppExecFwk
534 } // namespace OHOS