1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission.h"
17
18 #include "accesstoken_kit.h"
19 #include "sys_mgr_client.h"
20 #include "ipc_skeleton.h"
21 #include "iservice_registry.h"
22 #include "system_ability_definition.h"
23 #include "devattest_log.h"
24
25 using namespace OHOS;
26 using namespace OHOS::AppExecFwk;
27 using namespace OHOS::AppExecFwk::Constants;
28 using namespace OHOS::Security::AccessToken;
29
30 namespace OHOS {
31 namespace DevAttest {
IsTokenAplMatch(ATokenAplEnum apl)32 static bool IsTokenAplMatch(ATokenAplEnum apl)
33 {
34 AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
35 pid_t pid = IPCSkeleton::GetCallingPid();
36 pid_t uid = IPCSkeleton::GetCallingUid();
37 ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId);
38 HILOGD("[IsTokenAplMatch] checking apl, apl=%{public}d, type=%{public}d, pid=%{public}d, uid=%{public}d",
39 static_cast<int32_t>(apl), static_cast<int32_t>(type), pid, uid);
40 if (type == ATokenTypeEnum::TOKEN_HAP) {
41 HILOGE("[IsTokenAplMatch] type is hap");
42 return false;
43 }
44 NativeTokenInfo info;
45 AccessTokenKit::GetNativeTokenInfo(tokenId, info);
46 if (info.apl == apl) {
47 return true;
48 }
49 HILOGD("[IsTokenAplMatch] apl not match, info.apl=%{public}d, type=%{public}d, pid=%{public}d, uid=%{public}d",
50 static_cast<int32_t>(info.apl), static_cast<int32_t>(type), pid, uid);
51 return false;
52 }
53
Permission()54 Permission::Permission()
55 {
56 }
57
~Permission()58 Permission::~Permission()
59 {
60 }
61
IsSystemCore()62 bool Permission::IsSystemCore()
63 {
64 bool isMatch = IsTokenAplMatch(ATokenAplEnum::APL_SYSTEM_CORE);
65 if (!isMatch) {
66 HILOGE("[IsSystemCore] access token denied");
67 }
68 return isMatch;
69 }
70
IsSystemBasic()71 bool Permission::IsSystemBasic()
72 {
73 bool isMatch = IsTokenAplMatch(ATokenAplEnum::APL_SYSTEM_BASIC);
74 if (!isMatch) {
75 HILOGE("[IsSystemBasic] access token denied");
76 }
77 return isMatch;
78 }
79
IsSystemApl()80 bool Permission::IsSystemApl()
81 {
82 return IsSystemBasic() || IsSystemCore();
83 }
84
InitPermissionInterface()85 void Permission::InitPermissionInterface()
86 {
87 HILOGI("[InitPermissionInterface] begin");
88 if (sptrBundleMgr_ != nullptr) {
89 HILOGE("[InitPermissionInterface] already init");
90 return;
91 }
92
93 sptrBundleMgr_ = GetBundleMgr();
94 HILOGI("[InitPermissionInterface] success");
95 return;
96 }
97
GetBundleMgr()98 sptr<IBundleMgr> Permission::GetBundleMgr()
99 {
100 auto bundleObj =
101 DelayedSingleton<AppExecFwk::SysMrgClient>::GetInstance()->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
102 if (bundleObj == nullptr) {
103 HILOGE("[GetBundleMgr][kemin] GetSystemAbility is null");
104 return nullptr;
105 }
106
107 sptr<AppExecFwk::IBundleMgr> bmgr = iface_cast<AppExecFwk::IBundleMgr>(bundleObj);
108 if (bmgr == nullptr) {
109 HILOGE("[GetBundleMgr][kemin] iface_cast get null");
110 }
111 return bmgr;
112 }
113
IsSystemHap()114 bool Permission::IsSystemHap()
115 {
116 InitPermissionInterface();
117 AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
118 pid_t pid = IPCSkeleton::GetCallingPid();
119 pid_t uid = IPCSkeleton::GetCallingUid();
120 ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId);
121 HILOGD("[IsSystemHap] checking system hap, type=%{public}d, pid=%{public}d, uid=%{public}d",
122 static_cast<int32_t>(type), pid, uid);
123 if (type != ATokenTypeEnum::TOKEN_HAP) {
124 HILOGE("[IsSystemHap] type is not hap");
125 return false;
126 }
127 if (sptrBundleMgr_ == nullptr) {
128 HILOGE("[IsSystemHap] sptrBundleMgr_ is null");
129 return false;
130 }
131 return sptrBundleMgr_->CheckIsSystemAppByUid(uid);
132 }
133
IsSystem()134 bool Permission::IsSystem()
135 {
136 return IsSystemApl() || IsSystemHap();
137 }
138
IsPermissionGranted(const std::string & perm)139 bool Permission::IsPermissionGranted(const std::string& perm)
140 {
141 AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
142 pid_t pid = IPCSkeleton::GetCallingPid();
143 pid_t uid = IPCSkeleton::GetCallingUid();
144 ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId);
145 HILOGD("[IsPermissionGranted] check permission, perm=%{public}s type=%{public}d, pid=%{public}d,uid=%{public}d",
146 perm.c_str(), static_cast<int32_t>(type), pid, uid);
147 int32_t result = PermissionState::PERMISSION_DENIED;
148 switch (type) {
149 case ATokenTypeEnum::TOKEN_HAP:
150 result = AccessTokenKit::VerifyAccessToken(tokenId, perm);
151 break;
152 case ATokenTypeEnum::TOKEN_NATIVE:
153 case ATokenTypeEnum::TOKEN_SHELL:
154 result = PermissionState::PERMISSION_GRANTED;
155 break;
156 case ATokenTypeEnum::TOKEN_INVALID:
157 case ATokenTypeEnum::TOKEN_TYPE_BUTT:
158 break;
159 }
160 if (result == PermissionState::PERMISSION_DENIED) {
161 HILOGE("[IsPermissionGranted] permis denied, perm=%{public}s type=%{public}d, pid=%{public}d, uid=%{public}d",
162 perm.c_str(), static_cast<int32_t>(type), pid, uid);
163 return false;
164 }
165 return true;
166 }
167
IsSystemHapPermGranted(const std::string & perm)168 bool Permission::IsSystemHapPermGranted(const std::string& perm)
169 {
170 return IsSystemHap() && IsPermissionGranted(perm);
171 }
172 } // namespace DevAttest
173 } // namespace OHOS
174