1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "bundle_install_checker.h"
17
18 #include <regex>
19
20 #include "bundle_data_mgr.h"
21 #include "bundle_mgr_service.h"
22 #include "bundle_mgr_service_event_handler.h"
23 #include "bundle_parser.h"
24 #include "bundle_permission_mgr.h"
25 #include "bundle_util.h"
26 #include "parameter.h"
27 #include "parameters.h"
28 #include "privilege_extension_ability_type.h"
29 #include "scope_guard.h"
30 #include "systemcapability.h"
31
32 namespace OHOS {
33 namespace AppExecFwk {
34 namespace {
35 const std::string PRIVILEGE_ALLOW_APP_DATA_NOT_CLEARED = "AllowAppDataNotCleared";
36 const std::string PRIVILEGE_ALLOW_APP_MULTI_PROCESS = "AllowAppMultiProcess";
37 const std::string PRIVILEGE_ALLOW_APP_DESKTOP_ICON_HIDE = "AllowAppDesktopIconHide";
38 const std::string PRIVILEGE_ALLOW_ABILITY_PRIORITY_QUERIED = "AllowAbilityPriorityQueried";
39 const std::string PRIVILEGE_ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS = "AllowAbilityExcludeFromMissions";
40 const std::string PRIVILEGE_ALLOW_MISSION_NOT_CLEARED = "AllowMissionNotCleared";
41 const std::string PRIVILEGE_ALLOW_APP_USE_PRIVILEGE_EXTENSION = "AllowAppUsePrivilegeExtension";
42 const std::string PRIVILEGE_ALLOW_FORM_VISIBLE_NOTIFY = "AllowFormVisibleNotify";
43 const std::string PRIVILEGE_ALLOW_APP_SHARE_LIBRARY = "AllowAppShareLibrary";
44 const std::string ALLOW_APP_DATA_NOT_CLEARED = "allowAppDataNotCleared";
45 const std::string ALLOW_APP_MULTI_PROCESS = "allowAppMultiProcess";
46 const std::string ALLOW_APP_DESKTOP_ICON_HIDE = "allowAppDesktopIconHide";
47 const std::string ALLOW_ABILITY_PRIORITY_QUERIED = "allowAbilityPriorityQueried";
48 const std::string ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS = "allowAbilityExcludeFromMissions";
49 const std::string ALLOW_MISSION_NOT_CLEARED = "allowMissionNotCleared";
50 const std::string ALLOW_APP_USE_PRIVILEGE_EXTENSION = "allowAppUsePrivilegeExtension";
51 const std::string ALLOW_FORM_VISIBLE_NOTIFY = "allowFormVisibleNotify";
52 const std::string ALLOW_APP_SHARE_LIBRARY = "allowAppShareLibrary";
53 const std::string APP_TEST_BUNDLE_NAME = "com.OpenHarmony.app.test";
54 const std::string BUNDLE_NAME_XTS_TEST = "com.acts.";
55 const std::string APL_NORMAL = "normal";
56 const std::string SLASH = "/";
57 const std::string DOUBLE_SLASH = "//";
58 const std::string SUPPORT_ISOLATION_MODE = "persist.bms.supportIsolationMode";
59 const std::string VALUE_TRUE = "true";
60 const std::string VALUE_TRUE_BOOL = "1";
61 const std::string VALUE_FALSE = "false";
62 const std::string NONISOLATION_ONLY = "nonisolationOnly";
63 const std::string ISOLATION_ONLY = "isolationOnly";
64 const int32_t SLAH_OFFSET = 2;
65 const int32_t THRESHOLD_VAL_LEN = 40;
66 constexpr const char* SYSTEM_APP_SCAN_PATH = "/system/app";
67 constexpr const char* DEVICE_TYPE_OF_DEFAULT = "default";
68 constexpr const char* DEVICE_TYPE_OF_PHONE = "phone";
69 constexpr const char* APP_INSTALL_PATH = "/data/app/el1/bundle";
70
71 const std::unordered_map<Security::Verify::AppDistType, std::string> APP_DISTRIBUTION_TYPE_MAPS = {
72 { Security::Verify::AppDistType::NONE_TYPE, Constants::APP_DISTRIBUTION_TYPE_NONE },
73 { Security::Verify::AppDistType::APP_GALLERY, Constants::APP_DISTRIBUTION_TYPE_APP_GALLERY },
74 { Security::Verify::AppDistType::ENTERPRISE, Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE },
75 { Security::Verify::AppDistType::ENTERPRISE_NORMAL, Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL },
76 { Security::Verify::AppDistType::ENTERPRISE_MDM, Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM },
77 { Security::Verify::AppDistType::OS_INTEGRATION, Constants::APP_DISTRIBUTION_TYPE_OS_INTEGRATION },
78 { Security::Verify::AppDistType::CROWDTESTING, Constants::APP_DISTRIBUTION_TYPE_CROWDTESTING },
79 };
80
81 const std::unordered_map<std::string, void (*)(AppPrivilegeCapability &appPrivilegeCapability)>
82 PRIVILEGE_MAP = {
83 { PRIVILEGE_ALLOW_APP_DATA_NOT_CLEARED,
__anon853d76f70202() 84 [] (AppPrivilegeCapability &appPrivilegeCapability) {
85 appPrivilegeCapability.userDataClearable = false;
86 } },
87 { PRIVILEGE_ALLOW_APP_MULTI_PROCESS,
__anon853d76f70302() 88 [] (AppPrivilegeCapability &appPrivilegeCapability) {
89 appPrivilegeCapability.allowMultiProcess = true;
90 } },
91 { PRIVILEGE_ALLOW_APP_DESKTOP_ICON_HIDE,
__anon853d76f70402() 92 [] (AppPrivilegeCapability &appPrivilegeCapability) {
93 appPrivilegeCapability.hideDesktopIcon = true;
94 } },
95 { PRIVILEGE_ALLOW_ABILITY_PRIORITY_QUERIED,
__anon853d76f70502() 96 [] (AppPrivilegeCapability &appPrivilegeCapability) {
97 appPrivilegeCapability.allowQueryPriority = true;
98 } },
99 { PRIVILEGE_ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS,
__anon853d76f70602() 100 [] (AppPrivilegeCapability &appPrivilegeCapability) {
101 appPrivilegeCapability.allowExcludeFromMissions = true;
102 } },
103 { PRIVILEGE_ALLOW_MISSION_NOT_CLEARED,
__anon853d76f70702() 104 [] (AppPrivilegeCapability &appPrivilegeCapability) {
105 appPrivilegeCapability.allowMissionNotCleared = true;
106 } },
107 { PRIVILEGE_ALLOW_APP_USE_PRIVILEGE_EXTENSION,
__anon853d76f70802() 108 [] (AppPrivilegeCapability &appPrivilegeCapability) {
109 appPrivilegeCapability.allowUsePrivilegeExtension = true;
110 } },
111 { PRIVILEGE_ALLOW_FORM_VISIBLE_NOTIFY,
__anon853d76f70902() 112 [] (AppPrivilegeCapability &appPrivilegeCapability) {
113 appPrivilegeCapability.formVisibleNotify = true;
114 } },
115 { PRIVILEGE_ALLOW_APP_SHARE_LIBRARY,
__anon853d76f70a02() 116 [] (AppPrivilegeCapability &appPrivilegeCapability) {
117 appPrivilegeCapability.appShareLibrary = true;
118 } },
119 };
120
GetAppDistributionType(const Security::Verify::AppDistType & type)121 std::string GetAppDistributionType(const Security::Verify::AppDistType &type)
122 {
123 auto typeIter = APP_DISTRIBUTION_TYPE_MAPS.find(type);
124 if (typeIter == APP_DISTRIBUTION_TYPE_MAPS.end()) {
125 APP_LOGE("wrong AppDistType");
126 return Constants::APP_DISTRIBUTION_TYPE_NONE;
127 }
128
129 return typeIter->second;
130 }
131
GetAppProvisionType(const Security::Verify::ProvisionType & type)132 std::string GetAppProvisionType(const Security::Verify::ProvisionType &type)
133 {
134 if (type == Security::Verify::ProvisionType::DEBUG) {
135 return Constants::APP_PROVISION_TYPE_DEBUG;
136 }
137
138 return Constants::APP_PROVISION_TYPE_RELEASE;
139 }
140
IsPrivilegeExtensionAbilityType(ExtensionAbilityType type)141 bool IsPrivilegeExtensionAbilityType(ExtensionAbilityType type)
142 {
143 return PRIVILEGE_EXTENSION_ABILITY_TYPE.find(type) != PRIVILEGE_EXTENSION_ABILITY_TYPE.end();
144 }
145
IsSystemExtensionAbilityType(ExtensionAbilityType type)146 bool IsSystemExtensionAbilityType(ExtensionAbilityType type)
147 {
148 return SYSTEM_EXTENSION_ABILITY_TYPE.find(type) != SYSTEM_EXTENSION_ABILITY_TYPE.end();
149 }
150 }
151
CheckSysCap(const std::vector<std::string> & bundlePaths)152 ErrCode BundleInstallChecker::CheckSysCap(const std::vector<std::string> &bundlePaths)
153 {
154 APP_LOGD("check hap syscaps start.");
155 if (bundlePaths.empty()) {
156 APP_LOGE("check hap syscaps failed due to empty bundlePaths!");
157 return ERR_APPEXECFWK_INSTALL_PARAM_ERROR;
158 }
159
160 ErrCode result = ERR_OK;
161 BundleParser bundleParser;
162 for (const auto &bundlePath : bundlePaths) {
163 std::vector<std::string> bundleSysCaps;
164 result = bundleParser.ParseSysCap(bundlePath, bundleSysCaps);
165 if (result != ERR_OK) {
166 APP_LOGE("parse bundle syscap failed, error: %{public}d", result);
167 return result;
168 }
169
170 for (const auto &bundleSysCapItem : bundleSysCaps) {
171 APP_LOGD("check syscap(%{public}s)", bundleSysCapItem.c_str());
172 if (!HasSystemCapability(bundleSysCapItem.c_str())) {
173 APP_LOGE("check syscap failed which %{public}s is not exsit",
174 bundleSysCapItem.c_str());
175 return ERR_APPEXECFWK_INSTALL_CHECK_SYSCAP_FAILED;
176 }
177 }
178 }
179
180 APP_LOGD("finish check hap syscaps");
181 return result;
182 }
183
CheckMultipleHapsSignInfo(const std::vector<std::string> & bundlePaths,std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)184 ErrCode BundleInstallChecker::CheckMultipleHapsSignInfo(
185 const std::vector<std::string> &bundlePaths,
186 std::vector<Security::Verify::HapVerifyResult>& hapVerifyRes)
187 {
188 APP_LOGD("Check multiple haps signInfo");
189 if (bundlePaths.empty()) {
190 APP_LOGE("check hap sign info failed due to empty bundlePaths!");
191 return ERR_APPEXECFWK_INSTALL_PARAM_ERROR;
192 }
193
194 for (const std::string &bundlePath : bundlePaths) {
195 Security::Verify::HapVerifyResult hapVerifyResult;
196 #ifndef X86_EMULATOR_MODE
197 auto verifyRes = BundleVerifyMgr::HapVerify(bundlePath, hapVerifyResult);
198 if (verifyRes != ERR_OK) {
199 APP_LOGE("hap file verify failed");
200 return verifyRes;
201 }
202 #else
203 BundleVerifyMgr::ParseHapProfile(bundlePath, hapVerifyResult);
204 #endif
205 hapVerifyRes.emplace_back(hapVerifyResult);
206 }
207
208 if (hapVerifyRes.empty()) {
209 APP_LOGE("no sign info in the all haps!");
210 return ERR_APPEXECFWK_INSTALL_FAILED_INCOMPATIBLE_SIGNATURE;
211 }
212
213 #ifndef X86_EMULATOR_MODE
214 auto appId = hapVerifyRes[0].GetProvisionInfo().appId;
215 auto apl = hapVerifyRes[0].GetProvisionInfo().bundleInfo.apl;
216 auto appDistributionType = hapVerifyRes[0].GetProvisionInfo().distributionType;
217 auto appProvisionType = hapVerifyRes[0].GetProvisionInfo().type;
218 bool isInvalid = std::any_of(hapVerifyRes.begin(), hapVerifyRes.end(),
219 [appId, apl, appDistributionType, appProvisionType](const auto &hapVerifyResult) {
220 if (appId != hapVerifyResult.GetProvisionInfo().appId) {
221 APP_LOGE("error: hap files have different appId");
222 return true;
223 }
224 if (apl != hapVerifyResult.GetProvisionInfo().bundleInfo.apl) {
225 APP_LOGE("error: hap files have different apl");
226 return true;
227 }
228 if (appDistributionType != hapVerifyResult.GetProvisionInfo().distributionType) {
229 APP_LOGE("error: hap files have different appDistributionType");
230 return true;
231 }
232 if (appProvisionType != hapVerifyResult.GetProvisionInfo().type) {
233 APP_LOGE("error: hap files have different appProvisionType");
234 return true;
235 }
236 return false;
237 });
238 if (isInvalid) {
239 return ERR_APPEXECFWK_INSTALL_FAILED_INCOMPATIBLE_SIGNATURE;
240 }
241 #endif
242 APP_LOGD("finish check multiple haps signInfo");
243 return ERR_OK;
244 }
245
VaildInstallPermission(const InstallParam & installParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)246 bool BundleInstallChecker::VaildInstallPermission(const InstallParam &installParam,
247 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
248 {
249 PermissionStatus installBundleStatus = installParam.installBundlePermissionStatus;
250 PermissionStatus installEnterpriseBundleStatus = installParam.installEnterpriseBundlePermissionStatus;
251 PermissionStatus installEtpMdmBundleStatus = installParam.installEtpMdmBundlePermissionStatus;
252 bool isCallByShell = installParam.isCallByShell;
253 if (!isCallByShell && installBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
254 installEnterpriseBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
255 installEtpMdmBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS) {
256 return true;
257 }
258 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
259 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
260 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
261 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
262 APP_LOGE("enterprise bundle can not be installed by shell");
263 return false;
264 }
265 if (!isCallByShell && installEnterpriseBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
266 APP_LOGE("install enterprise bundle permission denied");
267 return false;
268 }
269 continue;
270 }
271 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
272 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
273 bool result = VaildEnterpriseInstallPermission(installParam, provisionInfo);
274 if (!result) {
275 return false;
276 }
277 continue;
278 }
279 if (installBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
280 APP_LOGE("install permission denied");
281 return false;
282 }
283 }
284 return true;
285 }
286
VaildEnterpriseInstallPermission(const InstallParam & installParam,const Security::Verify::ProvisionInfo & provisionInfo)287 bool BundleInstallChecker::VaildEnterpriseInstallPermission(const InstallParam &installParam,
288 const Security::Verify::ProvisionInfo &provisionInfo)
289 {
290 if (installParam.isSelfUpdate) {
291 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
292 APP_LOGI("Mdm self update");
293 return true;
294 }
295 APP_LOGE("Self update not MDM");
296 return false;
297 }
298 bool isCallByShell = installParam.isCallByShell;
299 PermissionStatus installEtpNormalBundleStatus = installParam.installEtpNormalBundlePermissionStatus;
300 PermissionStatus installEtpMdmBundleStatus = installParam.installEtpMdmBundlePermissionStatus;
301 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
302 APP_LOGE("enterprise normal/mdm bundle can not be installed by shell");
303 return false;
304 }
305 if (!isCallByShell &&
306 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL &&
307 installEtpNormalBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS &&
308 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
309 APP_LOGE("install enterprise normal bundle permission denied");
310 return false;
311 }
312 if (!isCallByShell &&
313 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM &&
314 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
315 APP_LOGE("install enterprise mdm bundle permission denied");
316 return false;
317 }
318 return true;
319 }
320
ParseHapFiles(const std::vector<std::string> & bundlePaths,const InstallCheckParam & checkParam,std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes,std::unordered_map<std::string,InnerBundleInfo> & infos)321 ErrCode BundleInstallChecker::ParseHapFiles(
322 const std::vector<std::string> &bundlePaths,
323 const InstallCheckParam &checkParam,
324 std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
325 std::unordered_map<std::string, InnerBundleInfo> &infos)
326 {
327 APP_LOGD("Parse hap file");
328 ErrCode result = ERR_OK;
329 for (uint32_t i = 0; i < bundlePaths.size(); ++i) {
330 InnerBundleInfo newInfo;
331 BundlePackInfo packInfo;
332 newInfo.SetAppType(checkParam.appType);
333 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
334 bool isSystemApp = (provisionInfo.bundleInfo.appFeature == Constants::HOS_SYSTEM_APP) ||
335 (bundlePaths[i].find(SYSTEM_APP_SCAN_PATH) == 0);
336 if (isSystemApp) {
337 newInfo.SetAppType(Constants::AppType::SYSTEM_APP);
338 }
339
340 newInfo.SetIsPreInstallApp(checkParam.isPreInstallApp);
341 result = ParseBundleInfo(bundlePaths[i], newInfo, packInfo);
342 if (result != ERR_OK) {
343 APP_LOGE("bundle parse failed %{public}d", result);
344 return result;
345 }
346 #ifndef X86_EMULATOR_MODE
347 result = CheckBundleName(provisionInfo.bundleInfo.bundleName, newInfo.GetBundleName());
348 if (result != ERR_OK) {
349 APP_LOGE("check provision bundleName failed");
350 return result;
351 }
352 #endif
353 if (newInfo.HasEntry()) {
354 if (isContainEntry_) {
355 APP_LOGE("more than one entry hap in the direction!");
356 return ERR_APPEXECFWK_INSTALL_INVALID_NUMBER_OF_ENTRY_HAP;
357 }
358 isContainEntry_ = true;
359 }
360
361 SetEntryInstallationFree(packInfo, newInfo);
362 result = CheckMainElement(newInfo);
363 if (result != ERR_OK) {
364 return result;
365 }
366 AppPrivilegeCapability appPrivilegeCapability;
367 // from provision file
368 ParseAppPrivilegeCapability(provisionInfo, appPrivilegeCapability);
369 // form install_list_capability.json, higher priority than provision file
370 FetchPrivilegeCapabilityFromPreConfig(
371 newInfo.GetBundleName(), provisionInfo.fingerprint, appPrivilegeCapability);
372 // process bundleInfo by appPrivilegeCapability
373 result = ProcessBundleInfoByPrivilegeCapability(appPrivilegeCapability, newInfo);
374 if (result != ERR_OK) {
375 return result;
376 }
377 CollectProvisionInfo(provisionInfo, appPrivilegeCapability, newInfo);
378 #ifdef USE_PRE_BUNDLE_PROFILE
379 GetPrivilegeCapability(checkParam, newInfo);
380 #endif
381 if (provisionInfo.distributionType == Security::Verify::AppDistType::CROWDTESTING) {
382 newInfo.SetAppCrowdtestDeadline(checkParam.crowdtestDeadline);
383 } else {
384 newInfo.SetAppCrowdtestDeadline(Constants::INVALID_CROWDTEST_DEADLINE);
385 }
386 if ((result = CheckSystemSize(bundlePaths[i], checkParam.appType)) != ERR_OK) {
387 APP_LOGE("install failed due to insufficient disk memory");
388 return result;
389 }
390
391 infos.emplace(bundlePaths[i], newInfo);
392 }
393 if ((result = CheckModuleNameForMulitHaps(infos)) != ERR_OK) {
394 APP_LOGE("install failed due to duplicated moduleName");
395 return result;
396 }
397 if ((result = CheckAllowEnterpriseBundle(hapVerifyRes)) != ERR_OK) {
398 APP_LOGE("install failed due to non-enterprise device");
399 return result;
400 }
401 if ((checkParam.installBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
402 checkParam.installEnterpriseBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
403 checkParam.installEtpNormalBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
404 checkParam.installEtpMdmBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS) &&
405 !VaildInstallPermissionForShare(checkParam, hapVerifyRes)) {
406 // need vaild permission
407 APP_LOGE("install permission denied");
408 return ERR_APPEXECFWK_INSTALL_PERMISSION_DENIED;
409 }
410 APP_LOGD("finish parse hap file");
411 return result;
412 }
413
VaildInstallPermissionForShare(const InstallCheckParam & checkParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)414 bool BundleInstallChecker::VaildInstallPermissionForShare(const InstallCheckParam &checkParam,
415 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
416 {
417 PermissionStatus installBundleStatus = checkParam.installBundlePermissionStatus;
418 PermissionStatus installEnterpriseBundleStatus = checkParam.installEnterpriseBundlePermissionStatus;
419 PermissionStatus installEtpMdmBundleStatus = checkParam.installEtpMdmBundlePermissionStatus;
420 bool isCallByShell = checkParam.isCallByShell;
421 if (!isCallByShell && installBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
422 installEnterpriseBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
423 installEtpMdmBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS) {
424 return true;
425 }
426 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
427 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
428 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
429 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
430 APP_LOGE("enterprise bundle can not be installed by shell");
431 return false;
432 }
433 if (!isCallByShell && installEnterpriseBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
434 APP_LOGE("install enterprise bundle permission denied");
435 return false;
436 }
437 continue;
438 }
439 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
440 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
441 bool result = VaildEnterpriseInstallPermissionForShare(checkParam, provisionInfo);
442 if (!result) {
443 return false;
444 }
445 continue;
446 }
447 if (installBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
448 APP_LOGE("install permission denied");
449 return false;
450 }
451 }
452 return true;
453 }
454
VaildEnterpriseInstallPermissionForShare(const InstallCheckParam & checkParam,const Security::Verify::ProvisionInfo & provisionInfo)455 bool BundleInstallChecker::VaildEnterpriseInstallPermissionForShare(const InstallCheckParam &checkParam,
456 const Security::Verify::ProvisionInfo &provisionInfo)
457 {
458 bool isCallByShell = checkParam.isCallByShell;
459 PermissionStatus installEtpNormalBundleStatus = checkParam.installEtpNormalBundlePermissionStatus;
460 PermissionStatus installEtpMdmBundleStatus = checkParam.installEtpMdmBundlePermissionStatus;
461 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
462 APP_LOGE("enterprise normal/mdm bundle can not be installed by shell");
463 return false;
464 }
465 if (!isCallByShell &&
466 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL &&
467 installEtpNormalBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS &&
468 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
469 APP_LOGE("install enterprise normal bundle permission denied");
470 return false;
471 }
472 if (!isCallByShell &&
473 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM &&
474 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
475 APP_LOGE("install enterprise mdm bundle permission denied");
476 return false;
477 }
478 return true;
479 }
480
CheckDependency(std::unordered_map<std::string,InnerBundleInfo> & infos)481 ErrCode BundleInstallChecker::CheckDependency(std::unordered_map<std::string, InnerBundleInfo> &infos)
482 {
483 APP_LOGD("CheckDependency");
484
485 for (const auto &info : infos) {
486 if (info.second.GetInnerModuleInfos().empty()) {
487 continue;
488 }
489 // There is only one innerModuleInfo when installing
490 InnerModuleInfo moduleInfo = info.second.GetInnerModuleInfos().begin()->second;
491 APP_LOGD("current module:%s, dependencies = %s", moduleInfo.moduleName.c_str(),
492 GetJsonStrFromInfo(moduleInfo.dependencies).c_str());
493 bool isModuleExist = false;
494 for (const auto &dependency : moduleInfo.dependencies) {
495 if (!NeedCheckDependency(dependency, info.second)) {
496 APP_LOGD("deliveryWithInstall is false, do not check whether the dependency exists.");
497 continue;
498 }
499
500 std::string bundleName =
501 dependency.bundleName.empty() ? info.second.GetBundleName() : dependency.bundleName;
502 isModuleExist = FindModuleInInstallingPackage(dependency.moduleName, bundleName, infos);
503 if (!isModuleExist) {
504 APP_LOGW("The depend module:%{public}s is not exist in installing package.",
505 dependency.moduleName.c_str());
506 isModuleExist = FindModuleInInstalledPackage(dependency.moduleName, bundleName,
507 info.second.GetVersionCode());
508 if (!isModuleExist) {
509 APP_LOGE("The depend module:%{public}s is not exist.", dependency.moduleName.c_str());
510 return ERR_APPEXECFWK_INSTALL_DEPENDENT_MODULE_NOT_EXIST;
511 }
512 }
513 }
514 }
515
516 return ERR_OK;
517 }
518
NeedCheckDependency(const Dependency & dependency,const InnerBundleInfo & info)519 bool BundleInstallChecker::NeedCheckDependency(const Dependency &dependency, const InnerBundleInfo &info)
520 {
521 APP_LOGD("NeedCheckDependency the moduleName is %{public}s, the bundleName is %{public}s.",
522 dependency.moduleName.c_str(), dependency.bundleName.c_str());
523
524 if (!dependency.bundleName.empty() && dependency.bundleName != info.GetBundleName()) {
525 APP_LOGD("Cross-app dependencies, check dependency with shared bundle installer.");
526 return false;
527 }
528 std::vector<PackageModule> modules = info.GetBundlePackInfo().summary.modules;
529 if (modules.empty()) {
530 APP_LOGD("NeedCheckDependency modules is empty, need check dependency.");
531 return true;
532 }
533 for (const auto &module : modules) {
534 if (module.distro.moduleName == dependency.moduleName) {
535 return module.distro.deliveryWithInstall;
536 }
537 }
538
539 APP_LOGD("NeedCheckDependency the module not found, need check dependency.");
540 return true;
541 }
542
FindModuleInInstallingPackage(const std::string & moduleName,const std::string & bundleName,const std::unordered_map<std::string,InnerBundleInfo> & infos)543 bool BundleInstallChecker::FindModuleInInstallingPackage(
544 const std::string &moduleName,
545 const std::string &bundleName,
546 const std::unordered_map<std::string, InnerBundleInfo> &infos)
547 {
548 APP_LOGD("FindModuleInInstallingPackage the moduleName is %{public}s, the bundleName is %{public}s.",
549 moduleName.c_str(), bundleName.c_str());
550 for (const auto &info : infos) {
551 if (info.second.GetBundleName() == bundleName) {
552 if (info.second.GetInnerModuleInfos().empty()) {
553 continue;
554 }
555 // There is only one innerModuleInfo when installing
556 InnerModuleInfo moduleInfo = info.second.GetInnerModuleInfos().begin()->second;
557 if (moduleInfo.moduleName == moduleName) {
558 return true;
559 }
560 }
561 }
562 return false;
563 }
564
FindModuleInInstalledPackage(const std::string & moduleName,const std::string & bundleName,uint32_t versionCode)565 bool BundleInstallChecker::FindModuleInInstalledPackage(
566 const std::string &moduleName,
567 const std::string &bundleName,
568 uint32_t versionCode)
569 {
570 APP_LOGD("FindModuleInInstalledPackage the moduleName is %{public}s, the bundleName is %{public}s",
571 moduleName.c_str(), bundleName.c_str());
572 std::shared_ptr<BundleDataMgr> dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
573 if (dataMgr == nullptr) {
574 APP_LOGE("Get dataMgr shared_ptr nullptr");
575 return false;
576 }
577
578 ScopeGuard enableGuard([&dataMgr, &bundleName] { dataMgr->EnableBundle(bundleName); });
579 InnerBundleInfo bundleInfo;
580 bool isBundleExist = dataMgr->GetInnerBundleInfo(bundleName, bundleInfo);
581 if (!isBundleExist) {
582 APP_LOGE("the bundle: %{public}s is not install", bundleName.c_str());
583 return false;
584 }
585 if (!bundleInfo.FindModule(moduleName)) {
586 APP_LOGE("the module: %{public}s is not install", moduleName.c_str());
587 return false;
588 }
589 if (bundleInfo.GetVersionCode() != versionCode) {
590 APP_LOGE("the versionCode %{public}d of dependency is not consistent with the installed module",
591 bundleInfo.GetVersionCode());
592 return false;
593 }
594 return true;
595 }
596
CheckBundleName(const std::string & provisionBundleName,const std::string & bundleName)597 ErrCode BundleInstallChecker::CheckBundleName(const std::string &provisionBundleName, const std::string &bundleName)
598 {
599 APP_LOGD("CheckBundleName provisionBundleName:%{public}s, bundleName:%{public}s",
600 provisionBundleName.c_str(), bundleName.c_str());
601 if (provisionBundleName.empty() || bundleName.empty()) {
602 APP_LOGE("CheckBundleName provisionBundleName:%{public}s, bundleName:%{public}s failed",
603 provisionBundleName.c_str(), bundleName.c_str());
604 return ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE;
605 }
606 if (provisionBundleName == bundleName) {
607 return ERR_OK;
608 }
609 APP_LOGE("CheckBundleName failed provisionBundleName:%{public}s, bundleName:%{public}s",
610 provisionBundleName.c_str(), bundleName.c_str());
611 return ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE;
612 }
613
CollectProvisionInfo(const Security::Verify::ProvisionInfo & provisionInfo,const AppPrivilegeCapability & appPrivilegeCapability,InnerBundleInfo & newInfo)614 void BundleInstallChecker::CollectProvisionInfo(
615 const Security::Verify::ProvisionInfo &provisionInfo,
616 const AppPrivilegeCapability &appPrivilegeCapability,
617 InnerBundleInfo &newInfo)
618 {
619 newInfo.SetProvisionId(provisionInfo.appId);
620 newInfo.SetAppFeature(provisionInfo.bundleInfo.appFeature);
621 newInfo.SetAppPrivilegeLevel(provisionInfo.bundleInfo.apl);
622 newInfo.SetAllowedAcls(provisionInfo.acls.allowedAcls);
623 newInfo.SetCertificateFingerprint(provisionInfo.fingerprint);
624 newInfo.SetAppDistributionType(GetAppDistributionType(provisionInfo.distributionType));
625 newInfo.SetAppProvisionType(GetAppProvisionType(provisionInfo.type));
626 SetAppProvisionMetadata(provisionInfo.metadatas, newInfo);
627 #ifdef USE_PRE_BUNDLE_PROFILE
628 newInfo.SetUserDataClearable(appPrivilegeCapability.userDataClearable);
629 newInfo.SetHideDesktopIcon(appPrivilegeCapability.hideDesktopIcon);
630 newInfo.SetFormVisibleNotify(appPrivilegeCapability.formVisibleNotify);
631 #endif
632 }
633
SetAppProvisionMetadata(const std::vector<Security::Verify::Metadata> & provisionMetadatas,InnerBundleInfo & newInfo)634 void BundleInstallChecker::SetAppProvisionMetadata(const std::vector<Security::Verify::Metadata> &provisionMetadatas,
635 InnerBundleInfo &newInfo)
636 {
637 if (provisionMetadatas.empty()) {
638 return;
639 }
640 std::vector<Metadata> metadatas;
641 for (const auto &it : provisionMetadatas) {
642 Metadata metadata;
643 metadata.name = it.name;
644 metadata.value = it.value;
645 metadatas.emplace_back(metadata);
646 }
647 newInfo.SetAppProvisionMetadata(metadatas);
648 }
649
GetPrivilegeCapability(const InstallCheckParam & checkParam,InnerBundleInfo & newInfo)650 void BundleInstallChecker::GetPrivilegeCapability(
651 const InstallCheckParam &checkParam, InnerBundleInfo &newInfo)
652 {
653 // Reset privilege capability
654 newInfo.SetKeepAlive(false);
655 newInfo.SetSingleton(false);
656
657 newInfo.SetRemovable(checkParam.removable);
658 PreBundleConfigInfo preBundleConfigInfo;
659 preBundleConfigInfo.bundleName = newInfo.GetBundleName();
660 BMSEventHandler::GetPreInstallCapability(preBundleConfigInfo);
661 bool ret = false;
662 if (!preBundleConfigInfo.appSignature.empty()) {
663 ret = std::find(
664 preBundleConfigInfo.appSignature.begin(),
665 preBundleConfigInfo.appSignature.end(),
666 newInfo.GetCertificateFingerprint()) !=
667 preBundleConfigInfo.appSignature.end();
668 }
669
670 if (!ret) {
671 APP_LOGW("appSignature is incompatible");
672 return;
673 }
674
675 newInfo.SetKeepAlive(preBundleConfigInfo.keepAlive);
676 newInfo.SetSingleton(preBundleConfigInfo.singleton);
677 newInfo.SetRunningResourcesApply(preBundleConfigInfo.runningResourcesApply);
678 newInfo.SetAssociatedWakeUp(preBundleConfigInfo.associatedWakeUp);
679 newInfo.SetAllowCommonEvent(preBundleConfigInfo.allowCommonEvent);
680 newInfo.SetResourcesApply(preBundleConfigInfo.resourcesApply);
681 }
682
SetPackInstallationFree(BundlePackInfo & bundlePackInfo,const InnerBundleInfo & innerBundleInfo) const683 void BundleInstallChecker::SetPackInstallationFree(BundlePackInfo &bundlePackInfo,
684 const InnerBundleInfo &innerBundleInfo) const
685 {
686 if (innerBundleInfo.GetIsNewVersion()) {
687 if (innerBundleInfo.GetApplicationBundleType() != BundleType::ATOMIC_SERVICE) {
688 for (auto &item : bundlePackInfo.summary.modules) {
689 item.distro.installationFree = false;
690 }
691 return;
692 }
693 for (auto &item : bundlePackInfo.summary.modules) {
694 item.distro.installationFree = true;
695 }
696 }
697 }
698
ParseBundleInfo(const std::string & bundleFilePath,InnerBundleInfo & info,BundlePackInfo & packInfo) const699 ErrCode BundleInstallChecker::ParseBundleInfo(
700 const std::string &bundleFilePath,
701 InnerBundleInfo &info,
702 BundlePackInfo &packInfo) const
703 {
704 BundleParser bundleParser;
705 ErrCode result = bundleParser.Parse(bundleFilePath, info);
706 if (result != ERR_OK) {
707 APP_LOGE("parse bundle info failed, error: %{public}d", result);
708 return result;
709 }
710
711 if (!packInfo.GetValid()) {
712 result = bundleParser.ParsePackInfo(bundleFilePath, packInfo);
713 if (result != ERR_OK) {
714 APP_LOGE("parse bundle pack info failed, error: %{public}d", result);
715 return result;
716 }
717
718 SetPackInstallationFree(packInfo, info);
719 info.SetBundlePackInfo(packInfo);
720 packInfo.SetValid(true);
721 }
722
723 return ERR_OK;
724 }
725
SetEntryInstallationFree(const BundlePackInfo & bundlePackInfo,InnerBundleInfo & innerBundleInfo)726 void BundleInstallChecker::SetEntryInstallationFree(
727 const BundlePackInfo &bundlePackInfo,
728 InnerBundleInfo &innerBundleInfo)
729 {
730 APP_LOGI("SetEntryInstallationFree start");
731 if (!bundlePackInfo.GetValid()) {
732 APP_LOGW("no pack.info in the hap file");
733 return;
734 }
735
736 auto packageModule = bundlePackInfo.summary.modules;
737 auto installationFree = std::any_of(packageModule.begin(), packageModule.end(), [&](const auto &module) {
738 return module.distro.moduleType == "entry" && module.distro.installationFree;
739 });
740 if (installationFree) {
741 APP_LOGI("install or update hm service");
742 }
743 if (innerBundleInfo.GetIsNewVersion()) {
744 installationFree = innerBundleInfo.GetApplicationBundleType() == BundleType::ATOMIC_SERVICE;
745 }
746
747 innerBundleInfo.SetEntryInstallationFree(installationFree);
748 if (installationFree && !innerBundleInfo.GetIsNewVersion()) {
749 innerBundleInfo.SetApplicationBundleType(BundleType::ATOMIC_SERVICE);
750 }
751 APP_LOGI("SetEntryInstallationFree end");
752 }
753
CheckSystemSize(const std::string & bundlePath,const Constants::AppType appType) const754 ErrCode BundleInstallChecker::CheckSystemSize(
755 const std::string &bundlePath,
756 const Constants::AppType appType) const
757 {
758 if ((appType == Constants::AppType::SYSTEM_APP) &&
759 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
760 return ERR_OK;
761 }
762
763 if ((appType == Constants::AppType::THIRD_SYSTEM_APP) &&
764 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
765 return ERR_OK;
766 }
767
768 if ((appType == Constants::AppType::THIRD_PARTY_APP) &&
769 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
770 return ERR_OK;
771 }
772
773 APP_LOGE("install failed due to insufficient disk memory");
774 return ERR_APPEXECFWK_INSTALL_DISK_MEM_INSUFFICIENT;
775 }
776
CheckHapHashParams(std::unordered_map<std::string,InnerBundleInfo> & infos,std::map<std::string,std::string> hashParams)777 ErrCode BundleInstallChecker::CheckHapHashParams(
778 std::unordered_map<std::string, InnerBundleInfo> &infos,
779 std::map<std::string, std::string> hashParams)
780 {
781 if (hashParams.empty()) {
782 APP_LOGD("hashParams is empty");
783 return ERR_OK;
784 }
785
786 std::vector<std::string> hapModuleNames;
787 for (auto &info : infos) {
788 std::vector<std::string> moduleNames;
789 info.second.GetModuleNames(moduleNames);
790 if (moduleNames.empty()) {
791 APP_LOGE("hap(%{public}s) moduleName is empty", info.first.c_str());
792 return ERR_APPEXECFWK_INSTALL_FAILED_MODULE_NAME_EMPTY;
793 }
794
795 if (std::find(hapModuleNames.begin(), hapModuleNames.end(), moduleNames[0]) != hapModuleNames.end()) {
796 APP_LOGE("hap moduleName(%{public}s) duplicate", moduleNames[0].c_str());
797 return ERR_APPEXECFWK_INSTALL_FAILED_MODULE_NAME_DUPLICATE;
798 }
799
800 hapModuleNames.emplace_back(moduleNames[0]);
801 auto hashParamIter = hashParams.find(moduleNames[0]);
802 if (hashParamIter != hashParams.end()) {
803 info.second.SetModuleHashValue(hashParamIter->second);
804 hashParams.erase(hashParamIter);
805 }
806 }
807
808 if (!hashParams.empty()) {
809 APP_LOGE("Some hashParam moduleName is not exist in hap moduleNames");
810 return ERR_APPEXECFWK_INSTALL_FAILED_CHECK_HAP_HASH_PARAM;
811 }
812
813 return ERR_OK;
814 }
815
CheckAppLabelInfo(const std::unordered_map<std::string,InnerBundleInfo> & infos)816 ErrCode BundleInstallChecker::CheckAppLabelInfo(
817 const std::unordered_map<std::string, InnerBundleInfo> &infos)
818 {
819 APP_LOGD("Check APP label");
820 ErrCode ret = ERR_OK;
821 std::string bundleName = (infos.begin()->second).GetBundleName();
822 std::string vendor = (infos.begin()->second).GetVendor();
823 uint32_t versionCode = (infos.begin()->second).GetVersionCode();
824 std::string versionName = (infos.begin()->second).GetVersionName();
825 uint32_t minCompatibleVersionCode = (infos.begin()->second).GetMinCompatibleVersionCode();
826 uint32_t target = (infos.begin()->second).GetTargetVersion();
827 std::string releaseType = (infos.begin()->second).GetReleaseType();
828 uint32_t compatible = (infos.begin()->second).GetCompatibleVersion();
829 bool singleton = (infos.begin()->second).IsSingleton();
830 Constants::AppType appType = (infos.begin()->second).GetAppType();
831 bool isStage = (infos.begin()->second).GetIsNewVersion();
832 const std::string targetBundleName = (infos.begin()->second).GetTargetBundleName();
833 int32_t targetPriority = (infos.begin()->second).GetTargetPriority();
834 bool asanEnabled = (infos.begin()->second).GetAsanEnabled();
835 BundleType bundleType = (infos.begin()->second).GetApplicationBundleType();
836 bool isHmService = (infos.begin()->second).GetEntryInstallationFree();
837 bool debug = (infos.begin()->second).GetBaseApplicationInfo().debug;
838
839 for (const auto &info : infos) {
840 // check bundleName
841 if (bundleName != info.second.GetBundleName()) {
842 return ERR_APPEXECFWK_INSTALL_BUNDLENAME_NOT_SAME;
843 }
844 // check version
845 if (bundleType != BundleType::SHARED) {
846 if (versionCode != info.second.GetVersionCode()) {
847 return ERR_APPEXECFWK_INSTALL_VERSIONCODE_NOT_SAME;
848 }
849 if (versionName != info.second.GetVersionName()) {
850 return ERR_APPEXECFWK_INSTALL_VERSIONNAME_NOT_SAME;
851 }
852 if (minCompatibleVersionCode != info.second.GetMinCompatibleVersionCode()) {
853 return ERR_APPEXECFWK_INSTALL_MINCOMPATIBLE_VERSIONCODE_NOT_SAME;
854 }
855 }
856 // check vendor
857 if (vendor != info.second.GetVendor()) {
858 return ERR_APPEXECFWK_INSTALL_VENDOR_NOT_SAME;
859 }
860 // check release type
861 if (target != info.second.GetTargetVersion()) {
862 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_TARGET_NOT_SAME;
863 }
864 if (compatible != info.second.GetCompatibleVersion()) {
865 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_COMPATIBLE_NOT_SAME;
866 }
867 if (releaseType != info.second.GetReleaseType()) {
868 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_NOT_SAME;
869 }
870 if (singleton != info.second.IsSingleton()) {
871 return ERR_APPEXECFWK_INSTALL_SINGLETON_NOT_SAME;
872 }
873 if (appType != info.second.GetAppType()) {
874 return ERR_APPEXECFWK_INSTALL_APPTYPE_NOT_SAME;
875 }
876 // check model type(FA or stage)
877 if (isStage != info.second.GetIsNewVersion()) {
878 APP_LOGE("must be all FA model or all stage model");
879 return ERR_APPEXECFWK_INSTALL_STATE_ERROR;
880 }
881 if (targetBundleName != info.second.GetTargetBundleName()) {
882 return ERR_BUNDLEMANAGER_OVERLAY_INSTALLATION_FAILED_TARGET_BUNDLE_NAME_NOT_SAME;
883 }
884 if (targetPriority != info.second.GetTargetPriority()) {
885 return ERR_BUNDLEMANAGER_OVERLAY_INSTALLATION_FAILED_TARGET_PRIORITY_NOT_SAME;
886 }
887 // check asanEnabled
888 if (asanEnabled != info.second.GetAsanEnabled()) {
889 APP_LOGE("asanEnabled is not same");
890 return ERR_APPEXECFWK_INSTALL_ASAN_ENABLED_NOT_SAME;
891 }
892 if (bundleType != info.second.GetApplicationBundleType()) {
893 return ERR_APPEXECFWK_BUNDLE_TYPE_NOT_SAME;
894 }
895 if (isHmService != info.second.GetEntryInstallationFree()) {
896 APP_LOGE("application and hm service are not allowed installed simultaneously.");
897 return ERR_APPEXECFWK_INSTALL_TYPE_ERROR;
898 }
899 if (debug != info.second.GetBaseApplicationInfo().debug) {
900 return ERR_APPEXECFWK_INSTALL_DEBUG_NOT_SAME;
901 }
902 }
903 APP_LOGD("finish check APP label");
904 return ret;
905 }
906
CheckMultiNativeFile(std::unordered_map<std::string,InnerBundleInfo> & infos)907 ErrCode BundleInstallChecker::CheckMultiNativeFile(
908 std::unordered_map<std::string, InnerBundleInfo> &infos)
909 {
910 ErrCode result = CheckMultiNativeSo(infos);
911 if (result != ERR_OK) {
912 APP_LOGE("Check multi nativeSo failed, result: %{public}d", result);
913 return result;
914 }
915
916 result = CheckMultiArkNativeFile(infos);
917 if (result != ERR_OK) {
918 APP_LOGE("Check multi arkNativeFile failed, result: %{public}d", result);
919 return result;
920 }
921
922 return ERR_OK;
923 }
924
CheckMultiArkNativeFile(std::unordered_map<std::string,InnerBundleInfo> & infos)925 ErrCode BundleInstallChecker::CheckMultiArkNativeFile(
926 std::unordered_map<std::string, InnerBundleInfo> &infos)
927 {
928 std::string arkNativeFileAbi = (infos.begin()->second).GetArkNativeFileAbi();
929 for (const auto &info : infos) {
930 if (info.second.GetArkNativeFileAbi().empty()) {
931 continue;
932 }
933 if (arkNativeFileAbi.empty()) {
934 arkNativeFileAbi = info.second.GetArkNativeFileAbi();
935 continue;
936 }
937 if (arkNativeFileAbi != info.second.GetArkNativeFileAbi()) {
938 return ERR_APPEXECFWK_INSTALL_AN_INCOMPATIBLE;
939 }
940 }
941
942 // Ensure the an is consistent in multiple haps
943 if (!arkNativeFileAbi.empty()) {
944 for (auto &info : infos) {
945 info.second.SetArkNativeFileAbi(arkNativeFileAbi);
946 }
947 }
948
949 return ERR_OK;
950 }
951
CheckMultiNativeSo(std::unordered_map<std::string,InnerBundleInfo> & infos)952 ErrCode BundleInstallChecker::CheckMultiNativeSo(
953 std::unordered_map<std::string, InnerBundleInfo> &infos)
954 {
955 std::string nativeLibraryPath = (infos.begin()->second).GetNativeLibraryPath();
956 std::string cpuAbi = (infos.begin()->second).GetCpuAbi();
957 for (const auto &info : infos) {
958 if (info.second.GetNativeLibraryPath().empty()) {
959 continue;
960 }
961 if (nativeLibraryPath.empty()) {
962 nativeLibraryPath = info.second.GetNativeLibraryPath();
963 cpuAbi = info.second.GetCpuAbi();
964 continue;
965 }
966 if (nativeLibraryPath != info.second.GetNativeLibraryPath()
967 || cpuAbi != info.second.GetCpuAbi()) {
968 return ERR_APPEXECFWK_INSTALL_SO_INCOMPATIBLE;
969 }
970 }
971
972 // Ensure the so is consistent in multiple haps
973 if (!nativeLibraryPath.empty()) {
974 for (auto &info : infos) {
975 info.second.SetNativeLibraryPath(nativeLibraryPath);
976 info.second.SetCpuAbi(cpuAbi);
977 }
978 }
979
980 return ERR_OK;
981 }
982
ResetProperties()983 void BundleInstallChecker::ResetProperties()
984 {
985 isContainEntry_ = false;
986 }
987
ParseAppPrivilegeCapability(const Security::Verify::ProvisionInfo & provisionInfo,AppPrivilegeCapability & appPrivilegeCapability)988 void BundleInstallChecker::ParseAppPrivilegeCapability(
989 const Security::Verify::ProvisionInfo &provisionInfo,
990 AppPrivilegeCapability &appPrivilegeCapability)
991 {
992 for (const auto &appPrivilege : provisionInfo.appPrivilegeCapabilities) {
993 auto iter = PRIVILEGE_MAP.find(appPrivilege);
994 if (iter != PRIVILEGE_MAP.end()) {
995 iter->second(appPrivilegeCapability);
996 }
997 }
998 if ((provisionInfo.bundleInfo.bundleName != APP_TEST_BUNDLE_NAME) &&
999 (provisionInfo.bundleInfo.bundleName.find(BUNDLE_NAME_XTS_TEST) != 0)) {
1000 appPrivilegeCapability.allowMultiProcess = false;
1001 appPrivilegeCapability.allowUsePrivilegeExtension = false;
1002 appPrivilegeCapability.formVisibleNotify = false;
1003 }
1004
1005 APP_LOGD("AppPrivilegeCapability %{public}s",
1006 appPrivilegeCapability.ToString().c_str());
1007 #ifndef USE_PRE_BUNDLE_PROFILE
1008 appPrivilegeCapability.allowMultiProcess = true;
1009 appPrivilegeCapability.allowUsePrivilegeExtension = true;
1010 #endif
1011 }
1012
CheckModuleNameForMulitHaps(const std::unordered_map<std::string,InnerBundleInfo> & infos) const1013 ErrCode BundleInstallChecker::CheckModuleNameForMulitHaps(
1014 const std::unordered_map<std::string, InnerBundleInfo> &infos) const
1015 {
1016 std::set<std::string> moduleSet;
1017 for (const auto &info : infos) {
1018 std::vector<std::string> moduleVec = info.second.GetDistroModuleName();
1019 if (moduleVec.empty()) {
1020 APP_LOGE("moduleName vector is empty");
1021 return ERR_APPEXECFWK_INSTALL_INTERNAL_ERROR;
1022 }
1023 moduleSet.insert(moduleVec[0]);
1024 }
1025
1026 if (moduleSet.size() != infos.size()) {
1027 APP_LOGE("someone moduleName is not unique in the haps");
1028 return ERR_APPEXECFWK_INSTALL_NOT_UNIQUE_DISTRO_MODULE_NAME;
1029 }
1030 return ERR_OK;
1031 }
1032
IsExistedDistroModule(const InnerBundleInfo & newInfo,const InnerBundleInfo & info) const1033 bool BundleInstallChecker::IsExistedDistroModule(const InnerBundleInfo &newInfo, const InnerBundleInfo &info) const
1034 {
1035 std::string moduleName = newInfo.GetCurModuleName();
1036 std::string packageName = newInfo.GetCurrentModulePackage();
1037 if (packageName.empty() || moduleName.empty()) {
1038 APP_LOGE("IsExistedDistroModule failed due to invalid packageName or moduleName");
1039 return false;
1040 }
1041 std::string oldModuleName = info.GetModuleNameByPackage(packageName);
1042 // if FA update to Stage, allow module name inconsistent
1043 bool isFAToStage = !info.GetIsNewVersion() && newInfo.GetIsNewVersion();
1044 if (!isFAToStage) {
1045 // if not FA update to Stage, check consistency of module name
1046 if (moduleName.compare(oldModuleName) != 0) {
1047 APP_LOGE("no moduleName in the innerModuleInfo");
1048 return false;
1049 }
1050 }
1051 // check consistency of module type
1052 std::string newModuleType = newInfo.GetModuleTypeByPackage(packageName);
1053 std::string oldModuleType = info.GetModuleTypeByPackage(packageName);
1054 if (newModuleType.compare(oldModuleType) != 0) {
1055 APP_LOGE("moduleType is different between the new hap and the original hap");
1056 return false;
1057 }
1058
1059 return true;
1060 }
1061
IsContainModuleName(const InnerBundleInfo & newInfo,const InnerBundleInfo & info) const1062 bool BundleInstallChecker::IsContainModuleName(const InnerBundleInfo &newInfo, const InnerBundleInfo &info) const
1063 {
1064 std::string moduleName = newInfo.GetCurModuleName();
1065 std::vector<std::string> moduleVec = info.GetDistroModuleName();
1066 if (moduleName.empty() || moduleVec.empty()) {
1067 APP_LOGE("IsContainModuleName failed due to invalid moduleName or modulevec");
1068 return false;
1069 }
1070 return (find(moduleVec.cbegin(), moduleVec.cend(), moduleName) == moduleVec.cend()) ? false : true;
1071 }
1072
CheckMainElement(const InnerBundleInfo & info)1073 ErrCode BundleInstallChecker::CheckMainElement(const InnerBundleInfo &info)
1074 {
1075 const std::map<std::string, InnerModuleInfo> &innerModuleInfos = info.GetInnerModuleInfos();
1076 if (innerModuleInfos.empty()) {
1077 return ERR_OK;
1078 }
1079 if (innerModuleInfos.cbegin()->second.distro.moduleType == Profile::MODULE_TYPE_SHARED) {
1080 return ERR_OK;
1081 }
1082 if (info.GetEntryInstallationFree() && innerModuleInfos.cbegin()->second.mainAbility.empty()) {
1083 APP_LOGE("atomic service's mainElement can't be empty.");
1084 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1085 }
1086 return ERR_OK;
1087 }
1088
GetPrivilegeCapabilityValue(const std::vector<std::string> & existInJson,const std::string & key,bool existInPreJson,bool existInProvision)1089 bool BundleInstallChecker::GetPrivilegeCapabilityValue(
1090 const std::vector<std::string> &existInJson,
1091 const std::string &key,
1092 bool existInPreJson,
1093 bool existInProvision)
1094 {
1095 if (find(existInJson.cbegin(), existInJson.cend(), key) != existInJson.cend()) {
1096 return existInPreJson;
1097 }
1098 return existInProvision;
1099 }
1100
FetchPrivilegeCapabilityFromPreConfig(const std::string & bundleName,const std::string & appSignature,AppPrivilegeCapability & appPrivilegeCapability)1101 void BundleInstallChecker::FetchPrivilegeCapabilityFromPreConfig(
1102 const std::string &bundleName,
1103 const std::string &appSignature,
1104 AppPrivilegeCapability &appPrivilegeCapability)
1105 {
1106 #ifdef USE_PRE_BUNDLE_PROFILE
1107 APP_LOGD("bundleName: %{public}s, FetchPrivilegeCapabilityFromPreConfig start", bundleName.c_str());
1108 PreBundleConfigInfo configInfo;
1109 configInfo.bundleName = bundleName;
1110 if (!BMSEventHandler::GetPreInstallCapability(configInfo)) {
1111 APP_LOGD("bundleName: %{public}s is not exist in pre install capability list", bundleName.c_str());
1112 return;
1113 }
1114 if (!MatchSignature(configInfo.appSignature, appSignature)) {
1115 APP_LOGE("bundleName: %{public}s signature verify failed", bundleName.c_str());
1116 return;
1117 }
1118 appPrivilegeCapability.allowUsePrivilegeExtension = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1119 ALLOW_APP_USE_PRIVILEGE_EXTENSION,
1120 configInfo.allowUsePrivilegeExtension, appPrivilegeCapability.allowUsePrivilegeExtension);
1121
1122 appPrivilegeCapability.allowMultiProcess = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1123 ALLOW_APP_MULTI_PROCESS,
1124 configInfo.allowMultiProcess, appPrivilegeCapability.allowMultiProcess);
1125
1126 appPrivilegeCapability.hideDesktopIcon = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1127 ALLOW_APP_DESKTOP_ICON_HIDE,
1128 configInfo.hideDesktopIcon, appPrivilegeCapability.hideDesktopIcon);
1129
1130 appPrivilegeCapability.allowQueryPriority = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1131 ALLOW_ABILITY_PRIORITY_QUERIED,
1132 configInfo.allowQueryPriority, appPrivilegeCapability.allowQueryPriority);
1133
1134 appPrivilegeCapability.allowExcludeFromMissions = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1135 ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS,
1136 configInfo.allowExcludeFromMissions, appPrivilegeCapability.allowExcludeFromMissions);
1137
1138 appPrivilegeCapability.allowMissionNotCleared = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1139 ALLOW_MISSION_NOT_CLEARED,
1140 configInfo.allowMissionNotCleared, appPrivilegeCapability.allowMissionNotCleared);
1141
1142 appPrivilegeCapability.formVisibleNotify = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1143 ALLOW_FORM_VISIBLE_NOTIFY,
1144 configInfo.formVisibleNotify, appPrivilegeCapability.formVisibleNotify);
1145
1146 appPrivilegeCapability.userDataClearable = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1147 ALLOW_APP_DATA_NOT_CLEARED,
1148 configInfo.userDataClearable, appPrivilegeCapability.userDataClearable);
1149
1150 appPrivilegeCapability.appShareLibrary = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1151 ALLOW_APP_SHARE_LIBRARY,
1152 configInfo.appShareLibrary, appPrivilegeCapability.appShareLibrary);
1153 APP_LOGD("AppPrivilegeCapability %{public}s", appPrivilegeCapability.ToString().c_str());
1154 #endif
1155 }
1156
MatchSignature(const std::vector<std::string> & appSignatures,const std::string & signature)1157 bool BundleInstallChecker::MatchSignature(
1158 const std::vector<std::string> &appSignatures, const std::string &signature)
1159 {
1160 if (appSignatures.empty()) {
1161 APP_LOGW("appSignature is empty");
1162 return false;
1163 }
1164
1165 return std::find(
1166 appSignatures.begin(), appSignatures.end(), signature) != appSignatures.end();
1167 }
1168
ProcessBundleInfoByPrivilegeCapability(const AppPrivilegeCapability & appPrivilegeCapability,InnerBundleInfo & innerBundleInfo)1169 ErrCode BundleInstallChecker::ProcessBundleInfoByPrivilegeCapability(
1170 const AppPrivilegeCapability &appPrivilegeCapability,
1171 InnerBundleInfo &innerBundleInfo)
1172 {
1173 // process application
1174 ApplicationInfo applicationInfo = innerBundleInfo.GetBaseApplicationInfo();
1175 if (!appPrivilegeCapability.allowMultiProcess || applicationInfo.process.empty()) {
1176 applicationInfo.process = applicationInfo.bundleName;
1177 }
1178 innerBundleInfo.SetBaseApplicationInfo(applicationInfo);
1179 BundleInfo bundleInfo = innerBundleInfo.GetBaseBundleInfo();
1180 // process allow app share library
1181 if (applicationInfo.bundleType == BundleType::SHARED && !appPrivilegeCapability.appShareLibrary) {
1182 APP_LOGE("not allow app share library");
1183 return ERR_APPEXECFWK_INSTALL_SHARE_APP_LIBRARY_NOT_ALLOWED;
1184 }
1185 // process ability
1186 auto &abilityInfos = innerBundleInfo.FetchAbilityInfos();
1187 for (auto iter = abilityInfos.begin(); iter != abilityInfos.end(); ++iter) {
1188 #ifdef USE_PRE_BUNDLE_PROFILE
1189 if (!appPrivilegeCapability.allowQueryPriority) {
1190 iter->second.priority = 0;
1191 }
1192 if (!appPrivilegeCapability.allowExcludeFromMissions) {
1193 iter->second.excludeFromMissions = false;
1194 }
1195 if (!appPrivilegeCapability.allowMissionNotCleared) {
1196 iter->second.unclearableMission = false;
1197 }
1198 #else
1199 if (!applicationInfo.isSystemApp || !bundleInfo.isPreInstallApp) {
1200 iter->second.priority = 0;
1201 iter->second.excludeFromMissions = false;
1202 }
1203 #endif
1204 }
1205 // process ExtensionAbility
1206 auto &extensionAbilityInfos = innerBundleInfo.FetchInnerExtensionInfos();
1207 for (auto iter = extensionAbilityInfos.begin(); iter != extensionAbilityInfos.end(); ++iter) {
1208 bool privilegeType = IsPrivilegeExtensionAbilityType(iter->second.type);
1209 if (privilegeType && !appPrivilegeCapability.allowUsePrivilegeExtension) {
1210 APP_LOGE("not allow use privilege extension");
1211 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1212 }
1213
1214 bool systemType = IsSystemExtensionAbilityType(iter->second.type);
1215 if (systemType && !applicationInfo.isSystemApp) {
1216 APP_LOGE("not allow use system extension");
1217 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1218 }
1219
1220 #ifdef USE_PRE_BUNDLE_PROFILE
1221 if (!appPrivilegeCapability.allowQueryPriority) {
1222 iter->second.priority = 0;
1223 }
1224 #else
1225 if (!applicationInfo.isSystemApp || !bundleInfo.isPreInstallApp) {
1226 iter->second.priority = 0;
1227 }
1228 #endif
1229 if (appPrivilegeCapability.allowMultiProcess) {
1230 APP_LOGD("bundleName: %{public}s support allowMultiProcess", iter->second.bundleName.c_str());
1231 auto hapModuleInfo = innerBundleInfo.GetInnerModuleInfoByModuleName(iter->second.moduleName);
1232 if (hapModuleInfo && !hapModuleInfo->process.empty()) {
1233 iter->second.process = hapModuleInfo->process;
1234 }
1235 }
1236 }
1237 // process InnerModuleInfo
1238 auto &innerModuleInfos = innerBundleInfo.FetchInnerModuleInfos();
1239 for (auto iter = innerModuleInfos.begin(); iter != innerModuleInfos.end(); ++iter) {
1240 if (iter->second.isModuleJson && (!appPrivilegeCapability.allowMultiProcess || iter->second.process.empty())) {
1241 iter->second.process = applicationInfo.bundleName;
1242 }
1243 }
1244 return ERR_OK;
1245 }
1246
CheckDeviceType(std::unordered_map<std::string,InnerBundleInfo> & infos) const1247 ErrCode BundleInstallChecker::CheckDeviceType(std::unordered_map<std::string, InnerBundleInfo> &infos) const
1248 {
1249 std::string deviceType = GetDeviceType();
1250 APP_LOGD("deviceType is %{public}s", deviceType.c_str());
1251 for (const auto &info : infos) {
1252 std::vector<std::string> devVec = info.second.GetDeviceType(info.second.GetCurrentModulePackage());
1253 if (devVec.empty()) {
1254 APP_LOGW("deviceTypes is empty");
1255 continue;
1256 }
1257
1258 if ((deviceType == DEVICE_TYPE_OF_PHONE) &&
1259 (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_DEFAULT) != devVec.end())) {
1260 APP_LOGW("current deviceType is phone and bundle is matched with default");
1261 continue;
1262 }
1263
1264 if ((deviceType == DEVICE_TYPE_OF_DEFAULT) &&
1265 (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_PHONE) != devVec.end())) {
1266 APP_LOGW("current deviceType is default and bundle is matched with phone");
1267 continue;
1268 }
1269
1270 if (find(devVec.begin(), devVec.end(), deviceType) == devVec.end()) {
1271 APP_LOGE("%{public}s is not supported", deviceType.c_str());
1272 return ERR_APPEXECFWK_INSTALL_DEVICE_TYPE_NOT_SUPPORTED;
1273 }
1274 }
1275 return ERR_OK;
1276 }
1277
ConvertToAppProvisionInfo(const Security::Verify::ProvisionInfo & provisionInfo) const1278 AppProvisionInfo BundleInstallChecker::ConvertToAppProvisionInfo(
1279 const Security::Verify::ProvisionInfo &provisionInfo) const
1280 {
1281 AppProvisionInfo appProvisionInfo;
1282 appProvisionInfo.versionCode = provisionInfo.versionCode;
1283 appProvisionInfo.versionName = provisionInfo.versionName;
1284 if (provisionInfo.type == Security::Verify::ProvisionType::DEBUG) {
1285 appProvisionInfo.type = Constants::APP_PROVISION_TYPE_DEBUG;
1286 appProvisionInfo.certificate = provisionInfo.bundleInfo.developmentCertificate;
1287 } else {
1288 appProvisionInfo.type = Constants::APP_PROVISION_TYPE_RELEASE;
1289 appProvisionInfo.certificate = provisionInfo.bundleInfo.distributionCertificate;
1290 }
1291 appProvisionInfo.appDistributionType = GetAppDistributionType(provisionInfo.distributionType);
1292 appProvisionInfo.apl = provisionInfo.bundleInfo.apl.empty() ? APL_NORMAL : provisionInfo.bundleInfo.apl;
1293 appProvisionInfo.developerId = provisionInfo.bundleInfo.developerId;
1294 appProvisionInfo.issuer = provisionInfo.issuer;
1295 appProvisionInfo.uuid = provisionInfo.uuid;
1296 appProvisionInfo.validity.notBefore = provisionInfo.validity.notBefore;
1297 appProvisionInfo.validity.notAfter = provisionInfo.validity.notAfter;
1298 return appProvisionInfo;
1299 }
1300
GetBundleNameFromUri(const std::string & uri)1301 std::string GetBundleNameFromUri(const std::string &uri)
1302 {
1303 std::size_t firstSlashPos = uri.find(DOUBLE_SLASH);
1304 if (firstSlashPos == std::string::npos) {
1305 APP_LOGE("dataproxy uri is invalid");
1306 return Constants::EMPTY_STRING;
1307 }
1308
1309 std::size_t secondSlashPos = uri.find(SLASH, firstSlashPos + SLAH_OFFSET);
1310 if (secondSlashPos == std::string::npos) {
1311 APP_LOGE("dataproxy uri is invalid");
1312 return Constants::EMPTY_STRING;
1313 }
1314
1315 std::string bundleName = uri.substr(firstSlashPos + SLAH_OFFSET, secondSlashPos - firstSlashPos - SLAH_OFFSET);
1316 return bundleName;
1317 }
1318
CheckProxyPermissionLevel(const std::string & permissionName) const1319 bool BundleInstallChecker::CheckProxyPermissionLevel(const std::string &permissionName) const
1320 {
1321 // no permission name, only for self usage
1322 if (permissionName.empty()) {
1323 return true;
1324 }
1325 PermissionDef permissionDef;
1326 ErrCode ret = BundlePermissionMgr::GetPermissionDef(permissionName, permissionDef);
1327 if (ret != ERR_OK) {
1328 APP_LOGE("getPermissionDef failed");
1329 return false;
1330 }
1331 if (permissionDef.availableLevel < Security::AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC) {
1332 APP_LOGE("permission %{public}s level too low", permissionName.c_str());
1333 return false;
1334 }
1335 return true;
1336 }
1337
CheckProxyDatas(const InnerBundleInfo & innerBundleInfo) const1338 ErrCode BundleInstallChecker::CheckProxyDatas(const InnerBundleInfo &innerBundleInfo) const
1339 {
1340 auto bundleName = innerBundleInfo.GetBundleName();
1341 auto moduleInfos = innerBundleInfo.GetInnerModuleInfos();
1342 if (moduleInfos.empty()) {
1343 return ERR_OK;
1344 }
1345 for (const auto &moduleInfo : moduleInfos) {
1346 for (const auto &proxyData : moduleInfo.second.proxyDatas) {
1347 auto name = GetBundleNameFromUri(proxyData.uri);
1348 if (bundleName != name) {
1349 APP_LOGE("bundleName from uri %{public}s different from origin bundleName %{public}s",
1350 name.c_str(), bundleName.c_str());
1351 return ERR_APPEXECFWK_INSTALL_CHECK_PROXY_DATA_URI_FAILED;
1352 }
1353 if (innerBundleInfo.IsSystemApp()) {
1354 continue;
1355 }
1356 if (!CheckProxyPermissionLevel(proxyData.requiredReadPermission)
1357 || !CheckProxyPermissionLevel(proxyData.requiredWritePermission)) {
1358 return ERR_APPEXECFWK_INSTALL_CHECK_PROXY_DATA_PERMISSION_FAILED;
1359 }
1360 }
1361 }
1362 return ERR_OK;
1363 }
1364
CheckSupportIsolation(const char * szIsolationModeThresholdMb,const std::string & isolationMode)1365 bool CheckSupportIsolation(const char *szIsolationModeThresholdMb, const std::string &isolationMode)
1366 {
1367 if ((std::strcmp(szIsolationModeThresholdMb, VALUE_TRUE.c_str()) == 0) ||
1368 (std::strcmp(szIsolationModeThresholdMb, VALUE_TRUE_BOOL.c_str()) == 0)) {
1369 if (isolationMode == NONISOLATION_ONLY) {
1370 APP_LOGE("check isolation mode failed.");
1371 return false;
1372 }
1373 } else {
1374 if (isolationMode == ISOLATION_ONLY) {
1375 APP_LOGE("check isolation mode failed.");
1376 return false;
1377 }
1378 }
1379 return true;
1380 }
1381
CheckIsolationMode(const std::unordered_map<std::string,InnerBundleInfo> & infos) const1382 ErrCode BundleInstallChecker::CheckIsolationMode(const std::unordered_map<std::string, InnerBundleInfo> &infos) const
1383 {
1384 for (const auto &info : infos) {
1385 auto moduleInfos = info.second.GetInnerModuleInfos();
1386 for (const auto &moduleInfo : moduleInfos) {
1387 std::string isolationMode = moduleInfo.second.isolationMode;
1388 char szIsolationModeThresholdMb[THRESHOLD_VAL_LEN] = {0};
1389 int32_t ret = GetParameter(SUPPORT_ISOLATION_MODE.c_str(), "",
1390 szIsolationModeThresholdMb, THRESHOLD_VAL_LEN);
1391 if (ret <= 0) {
1392 APP_LOGW("GetParameter failed");
1393 }
1394 if (!CheckSupportIsolation(szIsolationModeThresholdMb, isolationMode)) {
1395 APP_LOGE("check isolation mode failed.");
1396 return ERR_APPEXECFWK_INSTALL_ISOLATION_MODE_FAILED;
1397 }
1398 }
1399 }
1400 return ERR_OK;
1401 }
1402
CheckSignatureFileDir(const std::string & signatureFileDir) const1403 ErrCode BundleInstallChecker::CheckSignatureFileDir(const std::string &signatureFileDir) const
1404 {
1405 if (!BundleUtil::CheckFileName(signatureFileDir)) {
1406 APP_LOGE("code signature file dir is invalid");
1407 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1408 }
1409 if (!BundleUtil::CheckFileType(signatureFileDir, Constants::CODE_SIGNATURE_FILE_SUFFIX)) {
1410 APP_LOGE("signatureFileDir is not suffixed with .sig");
1411 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1412 }
1413 return ERR_OK;
1414 }
1415
CheckAllowEnterpriseBundle(const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes) const1416 ErrCode BundleInstallChecker::CheckAllowEnterpriseBundle(
1417 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes) const
1418 {
1419 if (system::GetBoolParameter(Constants::ALLOW_ENTERPRISE_BUNDLE, false)) {
1420 return ERR_OK;
1421 }
1422 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
1423 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
1424 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
1425 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
1426 APP_LOGE("enterprise normal/mdm bundle cannot be installed on non-enterprise device");
1427 return ERR_APPEXECFWK_INSTALL_ENTERPRISE_BUNDLE_NOT_ALLOWED;
1428 }
1429 }
1430 return ERR_OK;
1431 }
1432 } // namespace AppExecFwk
1433 } // namespace OHOS