1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission.h"
17
18 #include "accesstoken_kit.h"
19 #include "bundle_mgr_interface.h"
20 #include "ipc_skeleton.h"
21 #include "iservice_registry.h"
22 #include "system_ability_definition.h"
23 #include "power_log.h"
24
25 using namespace OHOS;
26 using namespace OHOS::AppExecFwk;
27 using namespace OHOS::Security::AccessToken;
28
29 namespace {
30 static sptr<IBundleMgr> g_bundleMgr = nullptr;
31 }
32
33 namespace OHOS {
34 namespace PowerMgr {
IsTokenAplMatch(ATokenAplEnum apl)35 static bool IsTokenAplMatch(ATokenAplEnum apl)
36 {
37 AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
38 pid_t pid = IPCSkeleton::GetCallingPid();
39 pid_t uid = IPCSkeleton::GetCallingUid();
40 ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId);
41 POWER_HILOGD(COMP_UTILS, "checking apl, apl=%{public}d, type=%{public}d, pid=%{public}d, uid=%{public}d",
42 static_cast<int32_t>(apl), static_cast<int32_t>(type), pid, uid);
43 NativeTokenInfo info;
44 AccessTokenKit::GetNativeTokenInfo(tokenId, info);
45 if (info.apl == apl) {
46 return true;
47 }
48 POWER_HILOGW(COMP_UTILS, "apl not match, info.apl=%{public}d, type=%{public}d, pid=%{public}d, uid=%{public}d",
49 static_cast<int32_t>(info.apl), static_cast<int32_t>(type), pid, uid);
50 return false;
51 }
52
IsSystemCore()53 bool Permission::IsSystemCore()
54 {
55 bool isMatch = IsTokenAplMatch(ATokenAplEnum::APL_SYSTEM_CORE);
56 if (!isMatch) {
57 POWER_HILOGW(COMP_UTILS, "access token denied");
58 }
59 return isMatch;
60 }
61
IsSystemBasic()62 bool Permission::IsSystemBasic()
63 {
64 bool isMatch = IsTokenAplMatch(ATokenAplEnum::APL_SYSTEM_BASIC);
65 if (!isMatch) {
66 POWER_HILOGW(COMP_UTILS, "access token denied");
67 }
68 return isMatch;
69 }
70
IsSystemApl()71 bool Permission::IsSystemApl()
72 {
73 return IsSystemBasic() || IsSystemCore();
74 }
75
GetBundleMgr()76 static sptr<IBundleMgr> GetBundleMgr()
77 {
78 if (g_bundleMgr != nullptr) {
79 return g_bundleMgr;
80 }
81 auto sam = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
82 if (sam == nullptr) {
83 POWER_HILOGW(COMP_SVC, "GetSystemAbilityManager return nullptr");
84 return nullptr;
85 }
86 auto bundleMgrSa = sam->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
87 if (bundleMgrSa == nullptr) {
88 POWER_HILOGW(COMP_SVC, "GetSystemAbility return nullptr");
89 return nullptr;
90 }
91 auto bundleMgr = iface_cast<IBundleMgr>(bundleMgrSa);
92 if (bundleMgr == nullptr) {
93 POWER_HILOGW(COMP_SVC, "iface_cast return nullptr");
94 }
95 g_bundleMgr = bundleMgr;
96 return g_bundleMgr;
97 }
98
IsSystemHap()99 bool Permission::IsSystemHap()
100 {
101 AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
102 pid_t pid = IPCSkeleton::GetCallingPid();
103 pid_t uid = IPCSkeleton::GetCallingUid();
104 ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId);
105 POWER_HILOGD(COMP_UTILS, "checking system hap, type=%{public}d, pid=%{public}d, uid=%{public}d",
106 static_cast<int32_t>(type), pid, uid);
107 bool result = false;
108 switch (type) {
109 case ATokenTypeEnum::TOKEN_HAP:
110 {
111 auto bundleMgr = GetBundleMgr();
112 if (bundleMgr == nullptr) {
113 POWER_HILOGW(COMP_SVC, "BundleMgr is nullptr, return false");
114 return false;
115 }
116 result = bundleMgr->CheckIsSystemAppByUid(uid);
117 break;
118 }
119 case ATokenTypeEnum::TOKEN_NATIVE:
120 case ATokenTypeEnum::TOKEN_SHELL:
121 result = true;
122 break;
123 case ATokenTypeEnum::TOKEN_INVALID:
124 case ATokenTypeEnum::TOKEN_TYPE_BUTT:
125 break;
126 default:
127 break;
128 }
129 if (!result) {
130 POWER_HILOGW(COMP_UTILS, "system denied, type=%{public}d, pid=%{public}d, uid=%{public}d",
131 static_cast<int32_t>(type), pid, uid);
132 return false;
133 }
134 return true;
135 }
136
IsSystem()137 bool Permission::IsSystem()
138 {
139 return IsSystemApl() || IsSystemHap();
140 }
141
IsPermissionGranted(const std::string & perm)142 bool Permission::IsPermissionGranted(const std::string& perm)
143 {
144 AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
145 pid_t pid = IPCSkeleton::GetCallingPid();
146 pid_t uid = IPCSkeleton::GetCallingUid();
147 ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId);
148 POWER_HILOGD(COMP_UTILS, "checking permission, perm=%{public}s type=%{public}d, pid=%{public}d, uid=%{public}d",
149 perm.c_str(), static_cast<int32_t>(type), pid, uid);
150 int32_t result = PermissionState::PERMISSION_DENIED;
151 switch (type) {
152 case ATokenTypeEnum::TOKEN_HAP:
153 result = AccessTokenKit::VerifyAccessToken(tokenId, perm);
154 break;
155 case ATokenTypeEnum::TOKEN_NATIVE:
156 case ATokenTypeEnum::TOKEN_SHELL:
157 result = PermissionState::PERMISSION_GRANTED;
158 break;
159 case ATokenTypeEnum::TOKEN_INVALID:
160 case ATokenTypeEnum::TOKEN_TYPE_BUTT:
161 break;
162 }
163 if (result == PermissionState::PERMISSION_DENIED) {
164 POWER_HILOGW(COMP_UTILS, "permission denied, perm=%{public}s type=%{public}d, pid=%{public}d, uid=%{public}d",
165 perm.c_str(), static_cast<int32_t>(type), pid, uid);
166 return false;
167 }
168 return true;
169 }
170
IsSystemHapPermGranted(const std::string & perm)171 bool Permission::IsSystemHapPermGranted(const std::string& perm)
172 {
173 return IsSystemHap() && IsPermissionGranted(perm);
174 }
175 } // namespace PowerMgr
176 } // namespace OHOS
177