1 /*
2 * Copyright (c) 2021-2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "bundle_permission_mgr.h"
17
18 #include "app_log_wrapper.h"
19 #include "bundle_mgr_service.h"
20 #include "bundle_parser.h"
21 #include "ipc_skeleton.h"
22 #include "parameter.h"
23
24 namespace OHOS {
25 namespace AppExecFwk {
26 using namespace OHOS::Security;
27 std::map<std::string, DefaultPermission> BundlePermissionMgr::defaultPermissions_;
28
Init()29 bool BundlePermissionMgr::Init()
30 {
31 std::vector<std::string> permissionFileList;
32 #ifdef USE_PRE_BUNDLE_PROFILE
33 std::vector<std::string> rootDirList;
34 BMSEventHandler::GetPreInstallRootDirList(rootDirList);
35 if (rootDirList.empty()) {
36 APP_LOGE("rootDirList is empty");
37 return false;
38 }
39 std::transform(rootDirList.begin(),
40 rootDirList.end(),
41 std::back_inserter(permissionFileList),
42 [](const auto &rootDir) {
43 return rootDir + Constants::PRODUCT_SUFFIX + Constants::INSTALL_LIST_PERMISSIONS_CONFIG;
44 });
45 #else
46 permissionFileList.emplace_back(Constants::INSTALL_LIST_PERMISSIONS_FILE_PATH);
47 #endif
48 BundleParser bundleParser;
49 std::set<DefaultPermission> permissions;
50 for (const auto &permissionFile : permissionFileList) {
51 if (bundleParser.ParseDefaultPermission(permissionFile, permissions) != ERR_OK) {
52 APP_LOGW("BundlePermissionMgr::Init failed");
53 continue;
54 }
55 }
56
57 defaultPermissions_.clear();
58 for (const auto &permission : permissions) {
59 defaultPermissions_.try_emplace(permission.bundleName, permission);
60 }
61 APP_LOGD("BundlePermissionMgr::Init success");
62 return true;
63 }
64
UnInit()65 void BundlePermissionMgr::UnInit()
66 {
67 APP_LOGD("BundlePermissionMgr::UnInit");
68 defaultPermissions_.clear();
69 }
70
ConvertPermissionDef(const AccessToken::PermissionDef & permDef,PermissionDef & permissionDef)71 void BundlePermissionMgr::ConvertPermissionDef(
72 const AccessToken::PermissionDef &permDef, PermissionDef &permissionDef)
73 {
74 permissionDef.permissionName = permDef.permissionName;
75 permissionDef.bundleName = permDef.bundleName;
76 permissionDef.grantMode = permDef.grantMode;
77 permissionDef.availableLevel = permDef.availableLevel;
78 permissionDef.provisionEnable = permDef.provisionEnable;
79 permissionDef.distributedSceneEnable = permDef.distributedSceneEnable;
80 permissionDef.label = permDef.label;
81 permissionDef.labelId = permDef.labelId;
82 permissionDef.description = permDef.description;
83 permissionDef.descriptionId = permDef.descriptionId;
84 }
85
86 // Convert from the struct DefinePermission that parsed from config.json
ConvertPermissionDef(AccessToken::PermissionDef & permDef,const DefinePermission & definePermission,const std::string & bundleName)87 void BundlePermissionMgr::ConvertPermissionDef(
88 AccessToken::PermissionDef &permDef, const DefinePermission &definePermission, const std::string &bundleName)
89 {
90 permDef.permissionName = definePermission.name;
91 permDef.bundleName = bundleName;
92 permDef.grantMode = [&definePermission]() -> int {
93 if (definePermission.grantMode ==
94 Profile::DEFINEPERMISSION_GRANT_MODE_SYSTEM_GRANT) {
95 return AccessToken::GrantMode::SYSTEM_GRANT;
96 }
97 return AccessToken::GrantMode::USER_GRANT;
98 }();
99
100 permDef.availableLevel = GetTokenApl(definePermission.availableLevel);
101 permDef.provisionEnable = definePermission.provisionEnable;
102 permDef.distributedSceneEnable = definePermission.distributedSceneEnable;
103 permDef.label = definePermission.label;
104 permDef.labelId = definePermission.labelId;
105 permDef.description = definePermission.description;
106 permDef.descriptionId = definePermission.descriptionId;
107 }
108
GetTokenApl(const std::string & apl)109 AccessToken::ATokenAplEnum BundlePermissionMgr::GetTokenApl(const std::string &apl)
110 {
111 if (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE) {
112 return AccessToken::ATokenAplEnum::APL_SYSTEM_CORE;
113 }
114 if (apl == Profile::AVAILABLELEVEL_SYSTEM_BASIC) {
115 return AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC;
116 }
117 return AccessToken::ATokenAplEnum::APL_NORMAL;
118 }
119
CreateHapPolicyParam(const InnerBundleInfo & innerBundleInfo)120 AccessToken::HapPolicyParams BundlePermissionMgr::CreateHapPolicyParam(
121 const InnerBundleInfo &innerBundleInfo)
122 {
123 std::vector<AccessToken::PermissionStateFull> permStateFull = GetPermissionStateFullList(innerBundleInfo);
124 return CreateHapPolicyParam(innerBundleInfo, permStateFull);
125 }
126
CreateHapPolicyParam(const InnerBundleInfo & innerBundleInfo,const std::vector<Security::AccessToken::PermissionStateFull> & permissions)127 AccessToken::HapPolicyParams BundlePermissionMgr::CreateHapPolicyParam(
128 const InnerBundleInfo &innerBundleInfo, const std::vector<Security::AccessToken::PermissionStateFull> &permissions)
129 {
130 AccessToken::HapPolicyParams hapPolicy;
131 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
132 APP_LOGD("BundlePermissionMgr::CreateHapPolicyParam apl : %{public}s", apl.c_str());
133 std::vector<AccessToken::PermissionDef> permDef = GetPermissionDefList(innerBundleInfo);
134 hapPolicy.apl = GetTokenApl(apl);
135 hapPolicy.domain = "domain";
136 hapPolicy.permList = permDef;
137 hapPolicy.permStateList = permissions;
138 return hapPolicy;
139 }
140
CreateAccessTokenId(const InnerBundleInfo & innerBundleInfo,const std::string bundleName,const int32_t userId)141 AccessToken::AccessTokenID BundlePermissionMgr::CreateAccessTokenId(
142 const InnerBundleInfo &innerBundleInfo, const std::string bundleName, const int32_t userId)
143 {
144 APP_LOGD("BundlePermissionMgr::CreateAccessTokenId bundleName = %{public}s, userId = %{public}d",
145 bundleName.c_str(), userId);
146 AccessToken::HapPolicyParams hapPolicy = CreateHapPolicyParam(innerBundleInfo);
147 return CreateAccessTokenId(innerBundleInfo, bundleName, userId, 0, hapPolicy);
148 }
149
CreateAccessTokenId(const InnerBundleInfo & innerBundleInfo,const std::string bundleName,const int32_t userId,const int32_t dlpType,const AccessToken::HapPolicyParams & hapPolicy)150 AccessToken::AccessTokenID BundlePermissionMgr::CreateAccessTokenId(
151 const InnerBundleInfo &innerBundleInfo, const std::string bundleName, const int32_t userId, const int32_t dlpType,
152 const AccessToken::HapPolicyParams &hapPolicy)
153 {
154 APP_LOGD("CreateAccessTokenId bundleName = %{public}s, userId = %{public}d, dlpType = %{public}d",
155 bundleName.c_str(), userId, dlpType);
156 AccessToken::HapInfoParams hapInfo;
157 hapInfo.userID = userId;
158 hapInfo.bundleName = bundleName;
159 hapInfo.instIndex = innerBundleInfo.GetAppIndex();
160 hapInfo.appIDDesc = innerBundleInfo.GetAppId();
161 hapInfo.dlpType = dlpType;
162 hapInfo.apiVersion = innerBundleInfo.GetBaseApplicationInfo().apiTargetVersion;
163 AccessToken::AccessTokenIDEx accessToken = AccessToken::AccessTokenKit::AllocHapToken(hapInfo, hapPolicy);
164 APP_LOGD("BundlePermissionMgr::CreateAccessTokenId accessTokenId = %{public}u",
165 accessToken.tokenIdExStruct.tokenID);
166 return accessToken.tokenIdExStruct.tokenID;
167 }
168
UpdateDefineAndRequestPermissions(const Security::AccessToken::AccessTokenID tokenId,const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo,std::vector<std::string> & newRequestPermName)169 bool BundlePermissionMgr::UpdateDefineAndRequestPermissions(const Security::AccessToken::AccessTokenID tokenId,
170 const InnerBundleInfo &oldInfo, const InnerBundleInfo &newInfo, std::vector<std::string> &newRequestPermName)
171 {
172 APP_LOGD("BundlePermissionMgr::UpdateDefineAndRequestPermissions bundleName = %{public}s",
173 newInfo.GetBundleName().c_str());
174 std::vector<AccessToken::PermissionDef> defPermList = GetPermissionDefList(newInfo);
175 std::vector<AccessToken::PermissionDef> newDefPermList;
176 if (!GetNewPermissionDefList(tokenId, defPermList, newDefPermList)) {
177 return false;
178 }
179 std::vector<AccessToken::PermissionStateFull> reqPermissionStateList = GetPermissionStateFullList(newInfo);
180 std::vector<AccessToken::PermissionStateFull> newPermissionStateList;
181 if (!GetNewPermissionStateFull(tokenId, reqPermissionStateList, newPermissionStateList, newRequestPermName)) {
182 return false;
183 }
184 // delete old definePermission
185 std::vector<std::string> needDeleteDefinePermission = GetNeedDeleteDefinePermissionName(oldInfo, newInfo);
186 for (const auto &name : needDeleteDefinePermission) {
187 auto iter = std::find_if(newDefPermList.begin(), newDefPermList.end(), [&name](const auto &defPerm) {
188 return defPerm.permissionName == name;
189 });
190 if (iter != newDefPermList.end()) {
191 APP_LOGD("delete definePermission %{public}s", name.c_str());
192 newDefPermList.erase(iter);
193 }
194 }
195 // delete old requestPermission
196 std::vector<std::string> needDeleteRequestPermission = GetNeedDeleteRequestPermissionName(oldInfo, newInfo);
197 for (const auto &name : needDeleteRequestPermission) {
198 auto iter = std::find_if(newPermissionStateList.begin(), newPermissionStateList.end(),
199 [&name](const auto &defPerm) {
200 return defPerm.permissionName == name;
201 });
202 if (iter != newPermissionStateList.end()) {
203 APP_LOGD("delete requestPermission %{public}s", name.c_str());
204 newPermissionStateList.erase(iter);
205 }
206 }
207 AccessToken::HapPolicyParams hapPolicy;
208 std::string apl = newInfo.GetAppPrivilegeLevel();
209 APP_LOGD("apl : %{public}s, newDefPermList size : %{public}zu, newPermissionStateList size : %{public}zu",
210 apl.c_str(), newDefPermList.size(), newPermissionStateList.size());
211 hapPolicy.apl = GetTokenApl(apl);
212 hapPolicy.domain = "domain"; // default
213 hapPolicy.permList = newDefPermList;
214 hapPolicy.permStateList = newPermissionStateList;
215 std::string appId = newInfo.GetAppId();
216 int32_t ret = AccessToken::AccessTokenKit::UpdateHapToken(tokenId, appId,
217 newInfo.GetBaseApplicationInfo().apiTargetVersion, hapPolicy);
218 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
219 APP_LOGE("UpdateDefineAndRequestPermissions UpdateHapToken failed errcode: %{public}d", ret);
220 return false;
221 }
222 APP_LOGD("BundlePermissionMgr::UpdateDefineAndRequestPermissions end");
223 return true;
224 }
225
GetNeedDeleteDefinePermissionName(const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo)226 std::vector<std::string> BundlePermissionMgr::GetNeedDeleteDefinePermissionName(const InnerBundleInfo &oldInfo,
227 const InnerBundleInfo &newInfo)
228 {
229 std::vector<DefinePermission> oldDefinePermissions = oldInfo.GetAllDefinePermissions();
230 std::vector<DefinePermission> newDefinePermissions = newInfo.GetAllDefinePermissions();
231 std::vector<std::string> needDeleteDefinePermission;
232 for (const auto &defPerm : oldDefinePermissions) {
233 auto iter = std::find_if(newDefinePermissions.begin(), newDefinePermissions.end(),
234 [&defPerm](const auto &perm) {
235 return defPerm.name == perm.name;
236 });
237 if (iter == newDefinePermissions.end()) {
238 APP_LOGD("GetNeedDeleteDefinePermissionName need delete %{public}s", defPerm.name.c_str());
239 needDeleteDefinePermission.emplace_back(defPerm.name);
240 }
241 }
242 return needDeleteDefinePermission;
243 }
244
GetNeedDeleteRequestPermissionName(const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo)245 std::vector<std::string> BundlePermissionMgr::GetNeedDeleteRequestPermissionName(const InnerBundleInfo &oldInfo,
246 const InnerBundleInfo &newInfo)
247 {
248 std::vector<RequestPermission> oldRequestPermissions = oldInfo.GetAllRequestPermissions();
249 std::vector<RequestPermission> newRequestPermissions = newInfo.GetAllRequestPermissions();
250 std::vector<std::string> needDeleteRequestPermission;
251 for (const auto &reqPerm : oldRequestPermissions) {
252 auto iter = std::find_if(newRequestPermissions.begin(), newRequestPermissions.end(),
253 [&reqPerm](const auto &perm) {
254 return reqPerm.name == perm.name;
255 });
256 if (iter == newRequestPermissions.end()) {
257 APP_LOGD("GetNeedDeleteRequestPermissionName need delete %{public}s", reqPerm.name.c_str());
258 needDeleteRequestPermission.emplace_back(reqPerm.name);
259 }
260 }
261 return needDeleteRequestPermission;
262 }
263
GetNewPermissionDefList(Security::AccessToken::AccessTokenID tokenId,const std::vector<Security::AccessToken::PermissionDef> & permissionDef,std::vector<Security::AccessToken::PermissionDef> & newPermissionDef)264 bool BundlePermissionMgr::GetNewPermissionDefList(Security::AccessToken::AccessTokenID tokenId,
265 const std::vector<Security::AccessToken::PermissionDef> &permissionDef,
266 std::vector<Security::AccessToken::PermissionDef> &newPermissionDef)
267 {
268 int32_t ret = AccessToken::AccessTokenKit::GetDefPermissions(tokenId, newPermissionDef);
269 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
270 APP_LOGE("BundlePermissionMgr::GetNewPermissionDefList GetDefPermissions failed errcode: %{public}d", ret);
271 return false;
272 }
273 for (const auto &perm : permissionDef) {
274 if (std::find_if(newPermissionDef.begin(), newPermissionDef.end(), [&perm](const auto &newPerm) {
275 return newPerm.permissionName == perm.permissionName;
276 }) == newPermissionDef.end()) {
277 APP_LOGD("BundlePermissionMgr::GetNewPermissionDefList add define permission %{public}s",
278 perm.permissionName.c_str());
279 newPermissionDef.emplace_back(perm);
280 }
281 }
282 return true;
283 }
284
GetNewPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,const std::vector<Security::AccessToken::PermissionStateFull> & permissionState,std::vector<Security::AccessToken::PermissionStateFull> & newPermissionState,std::vector<std::string> & newRequestPermName)285 bool BundlePermissionMgr::GetNewPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,
286 const std::vector<Security::AccessToken::PermissionStateFull> &permissionState,
287 std::vector<Security::AccessToken::PermissionStateFull> &newPermissionState,
288 std::vector<std::string> &newRequestPermName)
289 {
290 if (!GetAllReqPermissionStateFull(tokenId, newPermissionState)) {
291 APP_LOGE("BundlePermissionMgr::GetNewPermissionStateFull failed");
292 return false;
293 }
294 for (const auto &perm : permissionState) {
295 if (std::find_if(newPermissionState.begin(), newPermissionState.end(), [&perm](const auto &newPerm) {
296 return newPerm.permissionName == perm.permissionName;
297 }) == newPermissionState.end()) {
298 APP_LOGD("BundlePermissionMgr::GetNewPermissionStateFull add request permission %{public}s",
299 perm.permissionName.c_str());
300 newPermissionState.emplace_back(perm);
301 newRequestPermName.emplace_back(perm.permissionName);
302 }
303 }
304 return true;
305 }
306
AddDefineAndRequestPermissions(const Security::AccessToken::AccessTokenID tokenId,const InnerBundleInfo & innerBundleInfo,std::vector<std::string> & newRequestPermName)307 bool BundlePermissionMgr::AddDefineAndRequestPermissions(const Security::AccessToken::AccessTokenID tokenId,
308 const InnerBundleInfo &innerBundleInfo, std::vector<std::string> &newRequestPermName)
309 {
310 APP_LOGD("BundlePermissionMgr::AddDefineAndRequestPermissions start");
311 std::vector<AccessToken::PermissionDef> defPermList = GetPermissionDefList(innerBundleInfo);
312 std::vector<AccessToken::PermissionDef> newDefPermList;
313 if (!GetNewPermissionDefList(tokenId, defPermList, newDefPermList)) {
314 return false;
315 }
316
317 std::vector<AccessToken::PermissionStateFull> reqPermissionStateList = GetPermissionStateFullList(innerBundleInfo);
318 std::vector<AccessToken::PermissionStateFull> newPermissionStateList;
319 if (!GetNewPermissionStateFull(tokenId, reqPermissionStateList, newPermissionStateList, newRequestPermName)) {
320 return false;
321 }
322
323 AccessToken::HapPolicyParams hapPolicy;
324 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
325 APP_LOGD("BundlePermissionMgr::AddDefineAndRequestPermissions apl : %{public}s, newDefPermList size : %{public}zu, \
326 newPermissionStateList size : %{public}zu", apl.c_str(), newDefPermList.size(),
327 newPermissionStateList.size());
328 hapPolicy.apl = GetTokenApl(apl);
329 hapPolicy.domain = "domain"; // default
330 hapPolicy.permList = newDefPermList;
331 hapPolicy.permStateList = newPermissionStateList;
332 std::string appId = innerBundleInfo.GetAppId();
333 int32_t ret = AccessToken::AccessTokenKit::UpdateHapToken(tokenId, appId,
334 innerBundleInfo.GetBaseApplicationInfo().apiTargetVersion, hapPolicy);
335 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
336 APP_LOGE("BundlePermissionMgr::AddDefineAndRequestPermissions UpdateHapToken failed errcode: %{public}d", ret);
337 return false;
338 }
339 APP_LOGD("BundlePermissionMgr::AddDefineAndRequestPermissions end");
340 return true;
341 }
342
DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)343 int32_t BundlePermissionMgr::DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)
344 {
345 return AccessToken::AccessTokenKit::DeleteToken(tokenId);
346 }
347
ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)348 int32_t BundlePermissionMgr::ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)
349 {
350 return AccessToken::AccessTokenKit::ClearUserGrantedPermissionState(tokenId);
351 }
352
GetPermissionDefList(const InnerBundleInfo & innerBundleInfo)353 std::vector<AccessToken::PermissionDef> BundlePermissionMgr::GetPermissionDefList(
354 const InnerBundleInfo &innerBundleInfo)
355 {
356 const auto bundleName = innerBundleInfo.GetBundleName();
357 const auto defPermissions = innerBundleInfo.GetAllDefinePermissions();
358 std::vector<AccessToken::PermissionDef> permList;
359 if (!defPermissions.empty()) {
360 for (const auto &defPermission : defPermissions) {
361 AccessToken::PermissionDef perm;
362 APP_LOGD("defPermission %{public}s", defPermission.name.c_str());
363 ConvertPermissionDef(perm, defPermission, bundleName);
364 permList.emplace_back(perm);
365 }
366 }
367 return permList;
368 }
369
GetPermissionStateFullList(const InnerBundleInfo & innerBundleInfo)370 std::vector<AccessToken::PermissionStateFull> BundlePermissionMgr::GetPermissionStateFullList(
371 const InnerBundleInfo &innerBundleInfo)
372 {
373 auto reqPermissions = innerBundleInfo.GetAllRequestPermissions();
374 std::vector<AccessToken::PermissionStateFull> permStateFullList;
375 if (!reqPermissions.empty()) {
376 for (const auto &reqPermission : reqPermissions) {
377 AccessToken::PermissionStateFull perState;
378 perState.permissionName = reqPermission.name;
379 perState.isGeneral = true;
380 perState.resDeviceID.emplace_back(innerBundleInfo.GetBaseApplicationInfo().deviceId);
381 perState.grantStatus.emplace_back(AccessToken::PermissionState::PERMISSION_DENIED);
382 perState.grantFlags.emplace_back(AccessToken::PermissionFlag::PERMISSION_DEFAULT_FLAG);
383 permStateFullList.emplace_back(perState);
384 }
385 } else {
386 APP_LOGD("BundlePermissionMgr::GetPermissionStateFullList requestPermission is empty");
387 }
388 return permStateFullList;
389 }
390
GrantPermission(const Security::AccessToken::AccessTokenID tokenId,const std::string & permissionName,const Security::AccessToken::PermissionFlag flag,const std::string & bundleName)391 bool BundlePermissionMgr::GrantPermission(
392 const Security::AccessToken::AccessTokenID tokenId,
393 const std::string &permissionName,
394 const Security::AccessToken::PermissionFlag flag,
395 const std::string &bundleName)
396 {
397 int32_t ret = AccessToken::AccessTokenKit::GrantPermission(tokenId, permissionName, flag);
398 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
399 APP_LOGE("GrantPermission failed, bundleName:%{public}s, request permission:%{public}s, err:%{public}d",
400 bundleName.c_str(), permissionName.c_str(), ret);
401 return false;
402 }
403 return true;
404 }
405
InnerGrantRequestPermissions(Security::AccessToken::AccessTokenID tokenId,const std::vector<RequestPermission> & reqPermissions,const InnerBundleInfo & innerBundleInfo)406 bool BundlePermissionMgr::InnerGrantRequestPermissions(Security::AccessToken::AccessTokenID tokenId,
407 const std::vector<RequestPermission> &reqPermissions,
408 const InnerBundleInfo &innerBundleInfo)
409 {
410 std::string bundleName = innerBundleInfo.GetBundleName();
411 APP_LOGD("InnerGrantRequestPermissions start, bundleName:%{public}s", bundleName.c_str());
412 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
413 std::vector<std::string> acls = innerBundleInfo.GetAllowedAcls();
414 std::vector<std::string> systemGrantPermList;
415 std::vector<std::string> userGrantPermList;
416 for (const auto &reqPermission : reqPermissions) {
417 APP_LOGD("InnerGrantRequestPermissions add request permission %{public}s", reqPermission.name.c_str());
418 AccessToken::PermissionDef permDef;
419 int32_t ret = AccessToken::AccessTokenKit::GetDefPermission(reqPermission.name, permDef);
420 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
421 APP_LOGE("get permission def failed, request permission name: %{public}s", reqPermission.name.c_str());
422 continue;
423 }
424 if (CheckGrantPermission(permDef, apl, acls)) {
425 if (permDef.grantMode == AccessToken::GrantMode::SYSTEM_GRANT) {
426 systemGrantPermList.emplace_back(reqPermission.name);
427 } else {
428 userGrantPermList.emplace_back(reqPermission.name);
429 }
430 } else {
431 return false;
432 }
433 }
434 APP_LOGD("bundleName:%{public}s, add system_grant permission: %{public}zu, add user_grant permission: %{public}zu",
435 bundleName.c_str(), systemGrantPermList.size(), userGrantPermList.size());
436 for (const auto &perm : systemGrantPermList) {
437 if (!GrantPermission(tokenId, perm, AccessToken::PermissionFlag::PERMISSION_SYSTEM_FIXED, bundleName)) {
438 return false;
439 }
440 }
441 if (innerBundleInfo.IsPreInstallApp()) {
442 for (const auto &perm: userGrantPermList) {
443 bool userCancellable = false;
444 DefaultPermission permission;
445 if (!GetDefaultPermission(bundleName, permission)) {
446 continue;
447 }
448
449 #ifdef USE_PRE_BUNDLE_PROFILE
450 if (!MatchSignature(permission, innerBundleInfo.GetCertificateFingerprint())) {
451 continue;
452 }
453 #endif
454
455 if (!CheckPermissionInDefaultPermissions(permission, perm, userCancellable)) {
456 continue;
457 }
458 AccessToken::PermissionFlag flag = userCancellable ?
459 AccessToken::PermissionFlag::PERMISSION_GRANTED_BY_POLICY :
460 AccessToken::PermissionFlag::PERMISSION_SYSTEM_FIXED;
461 if (!GrantPermission(tokenId, perm, flag, bundleName)) {
462 return false;
463 }
464 }
465 }
466 APP_LOGD("InnerGrantRequestPermissions end, bundleName:%{public}s", bundleName.c_str());
467 return true;
468 }
469
GrantRequestPermissions(const InnerBundleInfo & innerBundleInfo,const AccessToken::AccessTokenID tokenId)470 bool BundlePermissionMgr::GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
471 const AccessToken::AccessTokenID tokenId)
472 {
473 std::vector<RequestPermission> reqPermissions = innerBundleInfo.GetAllRequestPermissions();
474 return InnerGrantRequestPermissions(tokenId, reqPermissions, innerBundleInfo);
475 }
476
GrantRequestPermissions(const InnerBundleInfo & innerBundleInfo,const std::vector<std::string> & requestPermName,const AccessToken::AccessTokenID tokenId)477 bool BundlePermissionMgr::GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
478 const std::vector<std::string> &requestPermName,
479 const AccessToken::AccessTokenID tokenId)
480 {
481 std::vector<RequestPermission> reqPermissions = innerBundleInfo.GetAllRequestPermissions();
482 std::vector<RequestPermission> newRequestPermissions;
483 for (const auto &name : requestPermName) {
484 auto iter = find_if(reqPermissions.begin(), reqPermissions.end(), [&name](const auto &req) {
485 return name == req.name;
486 });
487 if (iter != reqPermissions.end()) {
488 newRequestPermissions.emplace_back(*iter);
489 }
490 }
491 return InnerGrantRequestPermissions(tokenId, newRequestPermissions, innerBundleInfo);
492 }
493
GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,std::vector<AccessToken::PermissionStateFull> & newPermissionState)494 bool BundlePermissionMgr::GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,
495 std::vector<AccessToken::PermissionStateFull> &newPermissionState)
496 {
497 std::vector<AccessToken::PermissionStateFull> userGrantReqPermList;
498 int32_t ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, userGrantReqPermList, false);
499 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
500 APP_LOGE("GetAllReqPermissionStateFull get user grant failed errcode: %{public}d", ret);
501 return false;
502 }
503 std::vector<AccessToken::PermissionStateFull> systemGrantReqPermList;
504 ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, systemGrantReqPermList, true);
505 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
506 APP_LOGE("GetAllReqPermissionStateFull get system grant failed errcode: %{public}d", ret);
507 return false;
508 }
509 newPermissionState = userGrantReqPermList;
510 std::copy(systemGrantReqPermList.begin(), systemGrantReqPermList.end(), std::back_inserter(newPermissionState));
511 return true;
512 }
513
GetRequestPermissionStates(BundleInfo & bundleInfo,uint32_t tokenId,const std::string deviceId)514 bool BundlePermissionMgr::GetRequestPermissionStates(
515 BundleInfo &bundleInfo, uint32_t tokenId, const std::string deviceId)
516 {
517 std::vector<std::string> requestPermission = bundleInfo.reqPermissions;
518 if (requestPermission.empty()) {
519 APP_LOGD("GetRequestPermissionStates requestPermission empty");
520 return true;
521 }
522 std::vector<Security::AccessToken::PermissionStateFull> allPermissionState;
523 if (!GetAllReqPermissionStateFull(tokenId, allPermissionState)) {
524 APP_LOGW("BundlePermissionMgr::GetRequestPermissionStates failed");
525 }
526 for (auto &req : requestPermission) {
527 auto iter = std::find_if(allPermissionState.begin(), allPermissionState.end(),
528 [&req](const auto &perm) {
529 return perm.permissionName == req;
530 });
531 if (iter != allPermissionState.end()) {
532 APP_LOGD("GetRequestPermissionStates request permission name: %{public}s", req.c_str());
533 for (std::vector<std::string>::size_type i = 0; i < iter->resDeviceID.size(); i++) {
534 if (iter->resDeviceID[i] == deviceId) {
535 bundleInfo.reqPermissionStates.emplace_back(iter->grantStatus[i]);
536 break;
537 }
538 }
539 } else {
540 APP_LOGE("request permission name : %{public}s is not exit in AccessTokenMgr", req.c_str());
541 bundleInfo.reqPermissionStates.emplace_back(Constants::PERMISSION_NOT_GRANTED);
542 }
543 }
544 return true;
545 }
546
CheckGrantPermission(const AccessToken::PermissionDef & permDef,const std::string & apl,const std::vector<std::string> & acls)547 bool BundlePermissionMgr::CheckGrantPermission(
548 const AccessToken::PermissionDef &permDef,
549 const std::string &apl,
550 const std::vector<std::string> &acls)
551 {
552 AccessToken::ATokenAplEnum availableLevel = permDef.availableLevel;
553 APP_LOGD("BundlePermissionMgr::CheckGrantPermission availableLevel %{public}d, apl %{public}s",
554 availableLevel, apl.c_str());
555 switch (availableLevel) {
556 case AccessToken::ATokenAplEnum::APL_NORMAL: {
557 return true;
558 }
559 case AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC: {
560 if ((apl == Profile::AVAILABLELEVEL_SYSTEM_BASIC) ||
561 (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE)) {
562 return true;
563 }
564 break;
565 }
566 case AccessToken::ATokenAplEnum::APL_SYSTEM_CORE: {
567 if (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE) {
568 return true;
569 }
570 break;
571 }
572 default:
573 APP_LOGE("availableLevel %{public}d error", availableLevel);
574 break;
575 }
576 if (permDef.provisionEnable) {
577 APP_LOGD("CheckGrantPermission acls size: %{public}zu", acls.size());
578 auto res = std::any_of(acls.begin(), acls.end(), [permDef](const auto &perm) {
579 return permDef.permissionName == perm;
580 });
581 if (res) {
582 return res;
583 }
584 }
585 APP_LOGE("BundlePermissionMgr::CheckGrantPermission failed permission name : %{public}s",
586 permDef.permissionName.c_str());
587 return false;
588 }
589
VerifyCallingPermission(const std::string & permissionName)590 bool BundlePermissionMgr::VerifyCallingPermission(const std::string &permissionName)
591 {
592 APP_LOGD("VerifyCallingPermission permission %{public}s", permissionName.c_str());
593 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
594 APP_LOGD("callerToken : %{private}u", callerToken);
595 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
596 int32_t callingUid = IPCSkeleton::GetCallingUid();
597 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE || callingUid == Constants::ROOT_UID) {
598 APP_LOGD("caller tokenType is native, verify success");
599 return true;
600 }
601 int32_t ret = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
602 if (ret == AccessToken::PermissionState::PERMISSION_DENIED) {
603 APP_LOGE("permission %{public}s: PERMISSION_DENIED", permissionName.c_str());
604 return false;
605 }
606 APP_LOGD("verify AccessToken success");
607 return true;
608 }
609
VerifyPermission(const std::string & bundleName,const std::string & permissionName,const int32_t userId)610 int32_t BundlePermissionMgr::VerifyPermission(
611 const std::string &bundleName, const std::string &permissionName, const int32_t userId)
612 {
613 APP_LOGD("VerifyPermission bundleName %{public}s, permission %{public}s", bundleName.c_str(),
614 permissionName.c_str());
615 AccessToken::AccessTokenID tokenId = AccessToken::AccessTokenKit::GetHapTokenID(userId,
616 bundleName, 0);
617 return AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionName);
618 }
619
GetPermissionDef(const std::string & permissionName,PermissionDef & permissionDef)620 ErrCode BundlePermissionMgr::GetPermissionDef(const std::string &permissionName, PermissionDef &permissionDef)
621 {
622 APP_LOGD("BundlePermissionMgr::GetPermissionDef permission %{public}s", permissionName.c_str());
623 AccessToken::PermissionDef accessTokenPermDef;
624 int32_t ret = AccessToken::AccessTokenKit::GetDefPermission(permissionName, accessTokenPermDef);
625 if (ret == AccessToken::AccessTokenKitRet::RET_SUCCESS) {
626 ConvertPermissionDef(accessTokenPermDef, permissionDef);
627 return ERR_OK;
628 }
629 return ERR_BUNDLE_MANAGER_QUERY_PERMISSION_DEFINE_FAILED;
630 }
631
CheckPermissionInDefaultPermissions(const DefaultPermission & defaultPermission,const std::string & permissionName,bool & userCancellable)632 bool BundlePermissionMgr::CheckPermissionInDefaultPermissions(const DefaultPermission &defaultPermission,
633 const std::string &permissionName, bool &userCancellable)
634 {
635 auto &grantPermission = defaultPermission.grantPermission;
636 auto iter = std::find_if(grantPermission.begin(), grantPermission.end(), [&permissionName](const auto &defPerm) {
637 return defPerm.name == permissionName;
638 });
639 if (iter == grantPermission.end()) {
640 APP_LOGW("can not find permission(%{public}s)", permissionName.c_str());
641 return false;
642 }
643
644 userCancellable = iter->userCancellable;
645 return true;
646 }
647
GetDefaultPermission(const std::string & bundleName,DefaultPermission & permission)648 bool BundlePermissionMgr::GetDefaultPermission(
649 const std::string &bundleName, DefaultPermission &permission)
650 {
651 auto iter = defaultPermissions_.find(bundleName);
652 if (iter == defaultPermissions_.end()) {
653 APP_LOGW("bundleName: %{public}s does not exist in defaultPermissions",
654 bundleName.c_str());
655 return false;
656 }
657
658 permission = iter->second;
659 return true;
660 }
661
MatchSignature(const DefaultPermission & permission,const std::string & signature)662 bool BundlePermissionMgr::MatchSignature(
663 const DefaultPermission &permission, const std::string &signature)
664 {
665 if (permission.appSignature.empty()) {
666 APP_LOGW("appSignature is empty");
667 return false;
668 }
669
670 return std::find(permission.appSignature.begin(),
671 permission.appSignature.end(), signature) != permission.appSignature.end();
672 }
673
VerifySystemAppForHap(int32_t beginSystemApiVersion)674 bool BundlePermissionMgr::VerifySystemAppForHap(int32_t beginSystemApiVersion)
675 {
676 if (GetSdkApiVersion() < beginSystemApiVersion) {
677 return true;
678 }
679 std::string bundleName;
680 auto uid = IPCSkeleton::GetCallingUid();
681 auto userId = uid / Constants::BASE_USER_RANGE;
682 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
683 if (dataMgr == nullptr) {
684 APP_LOGE("DataMgr is nullptr");
685 return false;
686 }
687 auto ret = dataMgr->GetBundleNameForUid(uid, bundleName);
688 if (!ret) {
689 APP_LOGE("getBundleName failed");
690 return false;
691 }
692 ApplicationInfo applicationInfo;
693 auto res = dataMgr->GetApplicationInfoV9(bundleName,
694 static_cast<int32_t>(GetApplicationFlag::GET_APPLICATION_INFO_WITH_DISABLE), userId, applicationInfo);
695 if (res != ERR_OK) {
696 APP_LOGE("getApplicationInfo failed");
697 return false;
698 }
699 if (applicationInfo.isSystemApp) {
700 return true;
701 }
702 return applicationInfo.apiTargetVersion < beginSystemApiVersion;
703 }
704
705
706 // if the api has been system api since it is published, then beginSystemApiVersion can be omitted
VerifySystemApp(int32_t beginSystemApiVersion)707 bool BundlePermissionMgr::VerifySystemApp(int32_t beginSystemApiVersion)
708 {
709 APP_LOGD("verifying systemApp");
710 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
711 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
712 int32_t callingUid = IPCSkeleton::GetCallingUid();
713 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE ||
714 tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL ||
715 callingUid == Constants::ROOT_UID ||
716 callingUid == Constants::BMS_UID ||
717 callingUid == Constants::SHELL_UID) {
718 APP_LOGD("caller tokenType is native, verify success");
719 return true;
720 }
721 return VerifySystemAppForHap(beginSystemApiVersion);
722 }
723
IsNativeTokenType()724 bool BundlePermissionMgr::IsNativeTokenType()
725 {
726 APP_LOGD("begin to verify token type");
727 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
728 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
729 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE
730 || tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
731 APP_LOGD("caller tokenType is native, verify success");
732 return true;
733 }
734 int32_t callingUid = IPCSkeleton::GetCallingUid();
735 APP_LOGD("calling uid is %{public}d", callingUid);
736 if (callingUid == Constants::ROOT_UID ||
737 callingUid == Constants::FOUNDATION_UID ||
738 callingUid == Constants::BMS_UID ||
739 callingUid == Constants::SHELL_UID) {
740 APP_LOGD("caller is root or foundation or BMS_UID, verify success");
741 return true;
742 }
743 APP_LOGE("caller tokenType not native, verify failed");
744 return false;
745 }
746
VerifyCallingUid()747 bool BundlePermissionMgr::VerifyCallingUid()
748 {
749 APP_LOGD("begin to verify calling uid");
750 int32_t callingUid = IPCSkeleton::GetCallingUid();
751 APP_LOGD("calling uid is %{public}d", callingUid);
752 if (callingUid == Constants::ROOT_UID ||
753 callingUid == Constants::FOUNDATION_UID ||
754 callingUid == Constants::BMS_UID ||
755 callingUid == Constants::SHELL_UID) {
756 APP_LOGD("caller is root or foundation or BMS_UID, verify success");
757 return true;
758 }
759 APP_LOGE("verify calling uid failed");
760 return false;
761 }
762
VerifyPreload(const AAFwk::Want & want)763 bool BundlePermissionMgr::VerifyPreload(const AAFwk::Want &want)
764 {
765 if (VerifyCallingUid()) {
766 return true;
767 }
768 std::string callingBundleName;
769 auto uid = IPCSkeleton::GetCallingUid();
770 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
771 if (dataMgr == nullptr) {
772 APP_LOGE("DataMgr is nullptr");
773 return false;
774 }
775 auto ret = dataMgr->GetBundleNameForUid(uid, callingBundleName);
776 if (!ret) {
777 APP_LOGE("getBundleName failed");
778 return false;
779 }
780 std::string bundleName = want.GetElement().GetBundleName();
781 return bundleName == callingBundleName;
782 }
783 } // namespace AppExecFwk
784 } // namespace OHOS