• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "ipc_common.h"
17 
18 #include "accesstoken_kit.h"
19 #include "iam_common_defines.h"
20 #include "iam_logger.h"
21 #ifdef HAS_OS_ACCOUNT_PART
22 #include "os_account_manager.h"
23 #endif // HAS_OS_ACCOUNT_PART
24 #define LOG_LABEL UserIam::Common::LABEL_USER_AUTH_SA
25 
26 namespace OHOS {
27 namespace UserIam {
28 namespace UserAuth {
29 namespace PermissionString {
30     const std::string MANAGE_USER_IDM_PERMISSION = "ohos.permission.MANAGE_USER_IDM";
31     const std::string USE_USER_IDM_PERMISSION = "ohos.permission.USE_USER_IDM";
32     const std::string ACCESS_USER_AUTH_INTERNAL_PERMISSION = "ohos.permission.ACCESS_USER_AUTH_INTERNAL";
33     const std::string ACCESS_BIOMETRIC_PERMISSION = "ohos.permission.ACCESS_BIOMETRIC";
34     const std::string ACCESS_AUTH_RESPOOL = "ohos.permission.ACCESS_AUTH_RESPOOL";
35     const std::string ENFORCE_USER_IDM = "ohos.permission.ENFORCE_USER_IDM";
36 }
37 
38 namespace {
39     // process white list of allowing to call, <processUid, processName>
40     const std::vector<std::pair<int32_t, std::string>> whiteLists = {
41         {3058, "accountmgr"},
42     };
43 }
44 
GetCallingUserId(IPCObjectStub & stub,int32_t & userId)45 int32_t IpcCommon::GetCallingUserId(IPCObjectStub &stub, int32_t &userId)
46 {
47     if (userId != 0) {
48         return SUCCESS;
49     }
50     uint32_t tokenId = GetAccessTokenId(stub);
51     using namespace Security::AccessToken;
52     ATokenTypeEnum callingType = AccessTokenKit::GetTokenTypeFlag(tokenId);
53     if (callingType != TOKEN_HAP) {
54         IAM_LOGE("failed to get calling type");
55         return TYPE_NOT_SUPPORT;
56     }
57     HapTokenInfo hapTokenInfo;
58     int result = AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfo);
59     if (result != SUCCESS) {
60         IAM_LOGE("failed to get hap token info, result = %{public}d", result);
61         return TYPE_NOT_SUPPORT;
62     }
63     userId = static_cast<int32_t>(hapTokenInfo.userID);
64     IAM_LOGI("get callingUserId is %{public}d", userId);
65     return SUCCESS;
66 }
67 
GetActiveUserId(std::optional<int32_t> & userId)68 int32_t IpcCommon::GetActiveUserId(std::optional<int32_t> &userId)
69 {
70     if (userId.has_value() && userId.value() != 0) {
71         return SUCCESS;
72     }
73     std::vector<int32_t> ids;
74 #ifdef HAS_OS_ACCOUNT_PART
75     ErrCode queryRet = AccountSA::OsAccountManager::QueryActiveOsAccountIds(ids);
76     if (queryRet != ERR_OK || ids.empty()) {
77         IAM_LOGE("failed to query active account id");
78         return GENERAL_ERROR;
79     }
80 #else  // HAS_OS_ACCOUNT_PART
81     const int32_t DEFAULT_OS_ACCOUNT_ID = 0;
82     ids.push_back(DEFAULT_OS_ACCOUNT_ID);
83     IAM_LOGI("there is no os account part, use default id");
84 #endif // HAS_OS_ACCOUNT_PART
85     userId = ids.front();
86     return SUCCESS;
87 }
88 
CheckPermission(IPCObjectStub & stub,Permission permission)89 bool IpcCommon::CheckPermission(IPCObjectStub &stub, Permission permission)
90 {
91     switch (permission) {
92         case MANAGE_USER_IDM_PERMISSION:
93             return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::MANAGE_USER_IDM_PERMISSION) &&
94                 CheckNativeCallingProcessWhiteList(stub);
95         case USE_USER_IDM_PERMISSION:
96             return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::USE_USER_IDM_PERMISSION);
97         case ACCESS_USER_AUTH_INTERNAL_PERMISSION:
98             return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::ACCESS_USER_AUTH_INTERNAL_PERMISSION);
99         case ACCESS_BIOMETRIC_PERMISSION:
100             return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::ACCESS_BIOMETRIC_PERMISSION);
101         case ACCESS_AUTH_RESPOOL:
102             return CheckDirectCaller(stub, PermissionString::ACCESS_AUTH_RESPOOL);
103         case ENFORCE_USER_IDM:
104             return CheckDirectCaller(stub, PermissionString::ENFORCE_USER_IDM) &&
105                 CheckNativeCallingProcessWhiteList(stub);
106         default:
107             IAM_LOGE("failed to check permission");
108             return false;
109     }
110 }
111 
GetAccessTokenId(IPCObjectStub & stub)112 uint32_t IpcCommon::GetAccessTokenId(IPCObjectStub &stub)
113 {
114     uint32_t tokenId = stub.GetFirstTokenID();
115     if (tokenId == 0) {
116         tokenId = stub.GetCallingTokenID();
117     }
118     return tokenId;
119 }
120 
CheckNativeCallingProcessWhiteList(IPCObjectStub & stub)121 bool IpcCommon::CheckNativeCallingProcessWhiteList(IPCObjectStub &stub)
122 {
123     uint32_t tokenId = stub.GetCallingTokenID();
124     using namespace Security::AccessToken;
125     ATokenTypeEnum callingType = AccessTokenKit::GetTokenTypeFlag(tokenId);
126     if (callingType != TOKEN_NATIVE) {
127         IAM_LOGE("failed to get calling type");
128         return false;
129     }
130     NativeTokenInfo nativeTokenInfo;
131     int result = AccessTokenKit::GetNativeTokenInfo(tokenId, nativeTokenInfo);
132     if (result != SUCCESS) {
133         IAM_LOGE("failed to get native token info, result = %{public}d", result);
134         return false;
135     }
136 
137     std::string processName = nativeTokenInfo.processName;
138     int32_t processUid = stub.GetCallingUid();
139     for (const auto &whiteList : whiteLists) {
140         if (whiteList.first == processUid && whiteList.second == processName) {
141             return true;
142         }
143     }
144     IAM_LOGE("failed to check process white list");
145     return false;
146 }
147 
CheckDirectCallerAndFirstCallerIfSet(IPCObjectStub & stub,const std::string & permission)148 bool IpcCommon::CheckDirectCallerAndFirstCallerIfSet(IPCObjectStub &stub, const std::string &permission)
149 {
150     uint32_t firstTokenId = stub.GetFirstTokenID();
151     uint32_t callingTokenId = stub.GetCallingTokenID();
152     using namespace Security::AccessToken;
153     if ((firstTokenId != 0 && AccessTokenKit::VerifyAccessToken(firstTokenId, permission) != RET_SUCCESS) ||
154         AccessTokenKit::VerifyAccessToken(callingTokenId, permission) != RET_SUCCESS) {
155         IAM_LOGE("failed to check permission");
156         return false;
157     }
158     return true;
159 }
160 
CheckDirectCaller(IPCObjectStub & stub,const std::string & permission)161 bool IpcCommon::CheckDirectCaller(IPCObjectStub &stub, const std::string &permission)
162 {
163     uint32_t callingTokenId = stub.GetCallingTokenID();
164     using namespace Security::AccessToken;
165     if (AccessTokenKit::VerifyAccessToken(callingTokenId, permission) != RET_SUCCESS) {
166         IAM_LOGE("failed to check permission");
167         return false;
168     }
169     return true;
170 }
171 } // namespace UserAuth
172 } // namespace UserIam
173 } // namespace OHOS