1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission.h"
17
18 #include "accesstoken_kit.h"
19 #include "bundle_mgr_interface.h"
20 #include "ipc_skeleton.h"
21 #include "iservice_registry.h"
22 #include "system_ability_definition.h"
23 #include "power_log.h"
24
25 using namespace OHOS;
26 using namespace OHOS::AppExecFwk;
27 using namespace OHOS::Security::AccessToken;
28
29 namespace {
30 static sptr<IBundleMgr> g_bundleMgr = nullptr;
31 }
32
33 namespace OHOS {
34 namespace PowerMgr {
IsTokenAplMatch(ATokenAplEnum apl)35 static bool IsTokenAplMatch(ATokenAplEnum apl)
36 {
37 AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
38 pid_t pid = IPCSkeleton::GetCallingPid();
39 pid_t uid = IPCSkeleton::GetCallingUid();
40 ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId);
41 POWER_HILOGD(COMP_UTILS, "checking apl, apl=%{public}d, type=%{public}d, pid=%{public}d, uid=%{public}d",
42 static_cast<int32_t>(apl), static_cast<int32_t>(type), pid, uid);
43 NativeTokenInfo info;
44 AccessTokenKit::GetNativeTokenInfo(tokenId, info);
45 if (info.apl == apl) {
46 return true;
47 }
48 POWER_HILOGW(COMP_UTILS, "apl not match, info.apl=%{public}d, type=%{public}d, pid=%{public}d, uid=%{public}d",
49 static_cast<int32_t>(info.apl), static_cast<int32_t>(type), pid, uid);
50 return false;
51 }
52
IsSystemCore()53 bool Permission::IsSystemCore()
54 {
55 bool isMatch = IsTokenAplMatch(ATokenAplEnum::APL_SYSTEM_CORE);
56 if (!isMatch) {
57 POWER_HILOGW(COMP_UTILS, "access token denied");
58 }
59 return isMatch;
60 }
61
IsSystemBasic()62 bool Permission::IsSystemBasic()
63 {
64 bool isMatch = IsTokenAplMatch(ATokenAplEnum::APL_SYSTEM_BASIC);
65 if (!isMatch) {
66 POWER_HILOGW(COMP_UTILS, "access token denied");
67 }
68 return isMatch;
69 }
70
IsSystemApl()71 bool Permission::IsSystemApl()
72 {
73 return IsSystemBasic() || IsSystemCore();
74 }
75
GetBundleMgr()76 static sptr<IBundleMgr> GetBundleMgr()
77 {
78 if (g_bundleMgr != nullptr) {
79 return g_bundleMgr;
80 }
81 auto sam = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
82 if (sam == nullptr) {
83 POWER_HILOGW(COMP_SVC, "GetSystemAbilityManager return nullptr");
84 return nullptr;
85 }
86 auto bundleMgrSa = sam->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
87 if (bundleMgrSa == nullptr) {
88 POWER_HILOGW(COMP_SVC, "GetSystemAbility return nullptr");
89 return nullptr;
90 }
91 auto bundleMgr = iface_cast<IBundleMgr>(bundleMgrSa);
92 if (bundleMgr == nullptr) {
93 POWER_HILOGW(COMP_SVC, "iface_cast return nullptr");
94 }
95 g_bundleMgr = bundleMgr;
96 return g_bundleMgr;
97 }
98
IsSystemHap()99 bool Permission::IsSystemHap()
100 {
101 AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
102 pid_t pid = IPCSkeleton::GetCallingPid();
103 pid_t uid = IPCSkeleton::GetCallingUid();
104 ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId);
105 POWER_HILOGD(COMP_UTILS, "checking system hap, type=%{public}d, pid=%{public}d, uid=%{public}d",
106 static_cast<int32_t>(type), pid, uid);
107 auto bundleMgr = GetBundleMgr();
108 if (bundleMgr == nullptr) {
109 POWER_HILOGW(COMP_SVC, "BundleMgr is nullptr, return false");
110 return false;
111 }
112 return bundleMgr->CheckIsSystemAppByUid(uid);
113 }
114
IsSystem()115 bool Permission::IsSystem()
116 {
117 return IsSystemApl() || IsSystemHap();
118 }
119
IsPermissionGranted(const std::string & perm)120 bool Permission::IsPermissionGranted(const std::string& perm)
121 {
122 AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
123 pid_t pid = IPCSkeleton::GetCallingPid();
124 pid_t uid = IPCSkeleton::GetCallingUid();
125 ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId);
126 POWER_HILOGD(COMP_UTILS, "checking permission, perm=%{public}s type=%{public}d, pid=%{public}d, uid=%{public}d",
127 perm.c_str(), static_cast<int32_t>(type), pid, uid);
128 int32_t result = PermissionState::PERMISSION_DENIED;
129 switch (type) {
130 case ATokenTypeEnum::TOKEN_HAP:
131 result = AccessTokenKit::VerifyAccessToken(tokenId, perm);
132 break;
133 case ATokenTypeEnum::TOKEN_NATIVE:
134 case ATokenTypeEnum::TOKEN_SHELL:
135 result = PermissionState::PERMISSION_GRANTED;
136 break;
137 case ATokenTypeEnum::TOKEN_INVALID:
138 case ATokenTypeEnum::TOKEN_TYPE_BUTT:
139 break;
140 }
141 if (result == PermissionState::PERMISSION_DENIED) {
142 POWER_HILOGW(COMP_UTILS, "permission denied, perm=%{public}s type=%{public}d, pid=%{public}d, uid=%{public}d",
143 perm.c_str(), static_cast<int32_t>(type), pid, uid);
144 return false;
145 }
146 return true;
147 }
148
IsSystemHapPermGranted(const std::string & perm)149 bool Permission::IsSystemHapPermGranted(const std::string& perm)
150 {
151 return IsSystemHap() && IsPermissionGranted(perm);
152 }
153 } // namespace PowerMgr
154 } // namespace OHOS
155