1 /*
2 * Copyright (c) 2021-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_manager.h"
17
18 #include <iostream>
19 #include <numeric>
20 #include <sstream>
21
22 #include "access_token.h"
23 #include "access_token_error.h"
24 #include "accesstoken_dfx_define.h"
25 #include "accesstoken_id_manager.h"
26 #include "accesstoken_info_manager.h"
27 #include "accesstoken_log.h"
28 #include "app_manager_access_client.h"
29 #include "callback_manager.h"
30 #ifdef SUPPORT_SANDBOX_APP
31 #include "dlp_permission_set_manager.h"
32 #endif
33 #include "ipc_skeleton.h"
34 #include "parameter.h"
35 #include "permission_definition_cache.h"
36 #include "permission_map.h"
37 #include "permission_validator.h"
38 #ifdef TOKEN_SYNC_ENABLE
39 #include "token_modify_notifier.h"
40 #endif
41 #include "perm_setproc.h"
42
43 namespace OHOS {
44 namespace Security {
45 namespace AccessToken {
46 namespace {
47 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "PermissionManager"};
48 static const char* PERMISSION_STATUS_CHANGE_KEY = "accesstoken.permission.change";
49 static constexpr int32_t VALUE_MAX_LEN = 32;
50 static constexpr int32_t ROOT_UID = 0;
51 static const std::vector<std::string> g_notDisplayedPerms = {
52 "ohos.permission.ANSWER_CALL",
53 "ohos.permission.MANAGE_VOICEMAIL",
54 "ohos.permission.READ_CELL_MESSAGES",
55 "ohos.permission.READ_MESSAGES",
56 "ohos.permission.RECEIVE_MMS",
57 "ohos.permission.RECEIVE_SMS",
58 "ohos.permission.RECEIVE_WAP_MESSAGES",
59 "ohos.permission.SEND_MESSAGES",
60 "ohos.permission.READ_CALL_LOG",
61 "ohos.permission.WRITE_CALL_LOG"
62 };
63 }
64 PermissionManager* PermissionManager::implInstance_ = nullptr;
65 std::recursive_mutex PermissionManager::mutex_;
66
GetInstance()67 PermissionManager& PermissionManager::GetInstance()
68 {
69 if (implInstance_ == nullptr) {
70 std::lock_guard<std::recursive_mutex> lock_l(mutex_);
71 if (implInstance_ == nullptr) {
72 implInstance_ = new PermissionManager();
73 }
74 }
75 return *implInstance_;
76 }
77
RegisterImpl(PermissionManager * implInstance)78 void PermissionManager::RegisterImpl(PermissionManager* implInstance)
79 {
80 implInstance_ = implInstance;
81 }
82
PermissionManager()83 PermissionManager::PermissionManager()
84 {
85 char value[VALUE_MAX_LEN] = {0};
86 int32_t ret = GetParameter(PERMISSION_STATUS_CHANGE_KEY, "", value, VALUE_MAX_LEN - 1);
87 if (ret < 0) {
88 ACCESSTOKEN_LOG_ERROR(LABEL, "return default value, ret=%{public}d", ret);
89 paramValue_ = 0;
90 return;
91 }
92 paramValue_ = static_cast<uint64_t>(std::atoll(value));
93 }
94
~PermissionManager()95 PermissionManager::~PermissionManager()
96 {}
97
ClearAllSecCompGrantedPerm(const std::vector<AccessTokenID> & tokenIdList)98 void PermissionManager::ClearAllSecCompGrantedPerm(const std::vector<AccessTokenID>& tokenIdList)
99 {
100 for (const auto& tokenId : tokenIdList) {
101 std::shared_ptr<HapTokenInfoInner> tokenInfoPtr =
102 AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenId);
103 if (tokenInfoPtr == nullptr) {
104 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId is invalid, tokenId=%{public}u", tokenId);
105 continue;
106 }
107 std::shared_ptr<PermissionPolicySet> permPolicySet = tokenInfoPtr->GetHapInfoPermissionPolicySet();
108 if (permPolicySet != nullptr) {
109 permPolicySet->ClearSecCompGrantedPerm();
110 }
111 }
112 }
113
AddDefPermissions(const std::vector<PermissionDef> & permList,AccessTokenID tokenId,bool updateFlag)114 void PermissionManager::AddDefPermissions(const std::vector<PermissionDef>& permList, AccessTokenID tokenId,
115 bool updateFlag)
116 {
117 std::vector<PermissionDef> permFilterList;
118 PermissionValidator::FilterInvalidPermissionDef(permList, permFilterList);
119 ACCESSTOKEN_LOG_INFO(LABEL, "permFilterList size: %{public}zu", permFilterList.size());
120 for (const auto& perm : permFilterList) {
121 if (updateFlag) {
122 PermissionDefinitionCache::GetInstance().Update(perm, tokenId);
123 continue;
124 }
125
126 if (!PermissionDefinitionCache::GetInstance().HasDefinition(perm.permissionName)) {
127 PermissionDefinitionCache::GetInstance().Insert(perm, tokenId);
128 } else {
129 ACCESSTOKEN_LOG_INFO(LABEL, "permission %{public}s has define",
130 TransferPermissionDefToString(perm).c_str());
131 }
132 }
133 }
134
RemoveDefPermissions(AccessTokenID tokenID)135 void PermissionManager::RemoveDefPermissions(AccessTokenID tokenID)
136 {
137 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, tokenID: %{public}u", __func__, tokenID);
138 std::shared_ptr<HapTokenInfoInner> tokenInfo =
139 AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
140 if (tokenInfo == nullptr) {
141 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params(tokenID: %{public}u)!", tokenID);
142 return;
143 }
144 std::string bundleName = tokenInfo->GetBundleName();
145 PermissionDefinitionCache::GetInstance().DeleteByBundleName(bundleName);
146 }
147
VerifyHapAccessToken(AccessTokenID tokenID,const std::string & permissionName)148 int PermissionManager::VerifyHapAccessToken(AccessTokenID tokenID, const std::string& permissionName)
149 {
150 std::shared_ptr<HapTokenInfoInner> tokenInfoPtr =
151 AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
152 if (tokenInfoPtr == nullptr) {
153 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID: %{public}d, can not find tokenInfo!", tokenID);
154 return PERMISSION_DENIED;
155 }
156 std::shared_ptr<PermissionPolicySet> permPolicySet = tokenInfoPtr->GetHapInfoPermissionPolicySet();
157 if (permPolicySet == nullptr) {
158 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID: %{public}d, invalid params!", tokenID);
159 return PERMISSION_DENIED;
160 }
161
162 return permPolicySet->VerifyPermissionStatus(permissionName);
163 }
164
VerifyNativeAccessToken(AccessTokenID tokenID,const std::string & permissionName)165 int PermissionManager::VerifyNativeAccessToken(AccessTokenID tokenID, const std::string& permissionName)
166 {
167 std::shared_ptr<NativeTokenInfoInner> tokenInfoPtr =
168 AccessTokenInfoManager::GetInstance().GetNativeTokenInfoInner(tokenID);
169 if (tokenInfoPtr == nullptr) {
170 ACCESSTOKEN_LOG_ERROR(LABEL, "can not find tokenInfo!");
171 return PERMISSION_DENIED;
172 }
173
174 NativeTokenInfo info;
175 tokenInfoPtr->TranslateToNativeTokenInfo(info);
176 if (!tokenInfoPtr->IsRemote() && !PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
177 if (PermissionDefinitionCache::GetInstance().IsHapPermissionDefEmpty()) {
178 ACCESSTOKEN_LOG_INFO(LABEL, "permission definition set has not been installed!");
179 if (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) == TOKEN_NATIVE) {
180 return PERMISSION_GRANTED;
181 }
182 ACCESSTOKEN_LOG_ERROR(LABEL, "token: %{public}d type error!", tokenID);
183 return PERMISSION_DENIED;
184 }
185 ACCESSTOKEN_LOG_ERROR(LABEL, "no definition for permission: %{public}s!", permissionName.c_str());
186 return PERMISSION_DENIED;
187 }
188 std::shared_ptr<PermissionPolicySet> permPolicySet =
189 AccessTokenInfoManager::GetInstance().GetNativePermissionPolicySet(tokenID);
190 if (permPolicySet == nullptr) {
191 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
192 return PERMISSION_DENIED;
193 }
194
195 return permPolicySet->VerifyPermissionStatus(permissionName);
196 }
197
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)198 int PermissionManager::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
199 {
200 if (tokenID == INVALID_TOKENID) {
201 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK",
202 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", VERIFY_TOKEN_ID_ERROR, "CALLER_TOKENID",
203 static_cast<AccessTokenID>(IPCSkeleton::GetCallingTokenID()), "PERMISSION_NAME", permissionName);
204 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
205 return PERMISSION_DENIED;
206 }
207
208 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
209 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID: %{public}d, invalid params!", tokenID);
210 return PERMISSION_DENIED;
211 }
212
213 ATokenTypeEnum tokenType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID);
214 if ((tokenType == TOKEN_NATIVE) || (tokenType == TOKEN_SHELL)) {
215 return VerifyNativeAccessToken(tokenID, permissionName);
216 }
217 if (tokenType == TOKEN_HAP) {
218 return VerifyHapAccessToken(tokenID, permissionName);
219 }
220 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID: %{public}d, invalid tokenType!", tokenID);
221 return PERMISSION_DENIED;
222 }
223
GetDefPermission(const std::string & permissionName,PermissionDef & permissionDefResult)224 int PermissionManager::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult)
225 {
226 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
227 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
228 return AccessTokenError::ERR_PARAM_INVALID;
229 }
230 // all permissions can be obtained.
231 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
232 ACCESSTOKEN_LOG_ERROR(
233 LABEL, "no definition for permission: %{public}s!", permissionName.c_str());
234 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
235 }
236 return PermissionDefinitionCache::GetInstance().FindByPermissionName(permissionName, permissionDefResult);
237 }
238
GetDefPermissions(AccessTokenID tokenID,std::vector<PermissionDef> & permList)239 int PermissionManager::GetDefPermissions(AccessTokenID tokenID, std::vector<PermissionDef>& permList)
240 {
241 std::shared_ptr<PermissionPolicySet> permPolicySet =
242 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenID);
243 if (permPolicySet == nullptr) {
244 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
245 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
246 }
247
248 permPolicySet->GetDefPermissions(permList);
249 return RET_SUCCESS;
250 }
251
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStateFull> & reqPermList,bool isSystemGrant)252 int PermissionManager::GetReqPermissions(
253 AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant)
254 {
255 ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}s called, tokenID: %{public}u, isSystemGrant: %{public}d",
256 __func__, tokenID, isSystemGrant);
257 std::shared_ptr<PermissionPolicySet> permPolicySet =
258 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenID);
259 if (permPolicySet == nullptr) {
260 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
261 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
262 }
263
264 GrantMode mode = isSystemGrant ? SYSTEM_GRANT : USER_GRANT;
265 std::vector<PermissionStateFull> tmpList;
266 permPolicySet->GetPermissionStateFulls(tmpList);
267 for (const auto& perm : tmpList) {
268 PermissionDef permDef;
269 GetDefPermission(perm.permissionName, permDef);
270 if (permDef.grantMode == mode) {
271 reqPermList.emplace_back(perm);
272 }
273 }
274 return RET_SUCCESS;
275 }
276
IsPermissionRequestedInHap(const std::vector<PermissionStateFull> & permsList,const std::string & permission,int32_t & status,uint32_t & flag)277 static bool IsPermissionRequestedInHap(const std::vector<PermissionStateFull>& permsList,
278 const std::string &permission, int32_t& status, uint32_t& flag)
279 {
280 if (!PermissionDefinitionCache::GetInstance().HasHapPermissionDefinitionForHap(permission)) {
281 ACCESSTOKEN_LOG_ERROR(LABEL, "no definition for hap permission: %{public}s!", permission.c_str());
282 return false;
283 }
284 auto iter = std::find_if(permsList.begin(), permsList.end(), [permission](const PermissionStateFull& perm) {
285 return permission == perm.permissionName;
286 });
287 if (iter == permsList.end()) {
288 ACCESSTOKEN_LOG_WARN(LABEL, "can not find permission: %{public}s define!", permission.c_str());
289 return false;
290 }
291 ACCESSTOKEN_LOG_DEBUG(LABEL, "find goal permission: %{public}s, status: %{public}d, flag: %{public}d",
292 permission.c_str(), iter->grantStatus[0], iter->grantFlags[0]);
293 status = iter->grantStatus[0];
294 flag = static_cast<uint32_t>(iter->grantFlags[0]);
295 return true;
296 }
297
IsPermissionRestrictedByRules(const std::string & permission)298 static bool IsPermissionRestrictedByRules(const std::string& permission)
299 {
300 // Several permission is not available to common apps.
301 // Specified apps can get the permission by pre-authorization instead of Pop-ups.
302 auto iterator = std::find(g_notDisplayedPerms.begin(), g_notDisplayedPerms.end(), permission);
303 if (iterator != g_notDisplayedPerms.end()) {
304 ACCESSTOKEN_LOG_WARN(LABEL, "permission is not available to common apps: %{public}s!", permission.c_str());
305 return true;
306 }
307
308 #ifdef SUPPORT_SANDBOX_APP
309 // Specified dlp permissions are limited to specified dlp type hap.
310 AccessTokenID callingTokenId = IPCSkeleton::GetCallingTokenID();
311 int32_t dlpType = AccessTokenInfoManager::GetInstance().GetHapTokenDlpType(callingTokenId);
312 if ((dlpType != DLP_COMMON) &&
313 !DlpPermissionSetManager::GetInstance().IsPermissionAvailableToDlpHap(dlpType, permission)) {
314 ACCESSTOKEN_LOG_WARN(LABEL,
315 "callingTokenId is not allowed to grant dlp permission: %{public}s!", permission.c_str());
316 return true;
317 }
318 #endif
319
320 return false;
321 }
322
GetSelfPermissionState(const std::vector<PermissionStateFull> & permsList,PermissionListState & permState,int32_t apiVersion)323 void PermissionManager::GetSelfPermissionState(const std::vector<PermissionStateFull>& permsList,
324 PermissionListState& permState, int32_t apiVersion)
325 {
326 int32_t goalGrantStatus;
327 uint32_t goalGrantFlag;
328
329 // api8 require vague location permission refuse directly because there is no vague location permission in api8
330 if ((permState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) && (apiVersion < ACCURATE_LOCATION_API_VERSION)) {
331 permState.state = INVALID_OPER;
332 return;
333 }
334 if (!IsPermissionRequestedInHap(permsList, permState.permissionName, goalGrantStatus, goalGrantFlag)) {
335 permState.state = INVALID_OPER;
336 return;
337 }
338 if (IsPermissionRestrictedByRules(permState.permissionName)) {
339 permState.state = INVALID_OPER;
340 return;
341 }
342 if (goalGrantStatus == PERMISSION_DENIED) {
343 if ((goalGrantFlag & PERMISSION_POLICY_FIXED) != 0) {
344 permState.state = SETTING_OPER;
345 return;
346 }
347
348 if ((goalGrantFlag == PERMISSION_DEFAULT_FLAG) || ((goalGrantFlag & PERMISSION_USER_SET) != 0) ||
349 ((goalGrantFlag & PERMISSION_COMPONENT_SET) != 0) || ((goalGrantFlag & PERMISSION_ALLOW_THIS_TIME) != 0)) {
350 permState.state = DYNAMIC_OPER;
351 return;
352 }
353 if ((goalGrantFlag & PERMISSION_USER_FIXED) != 0) {
354 permState.state = SETTING_OPER;
355 return;
356 }
357 }
358 permState.state = PASS_OPER;
359 return;
360 }
361
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)362 int PermissionManager::GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
363 {
364 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, tokenID: %{public}u, permissionName: %{public}s",
365 __func__, tokenID, permissionName.c_str());
366 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
367 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
368 return AccessTokenError::ERR_PARAM_INVALID;
369 }
370 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
371 ACCESSTOKEN_LOG_ERROR(
372 LABEL, "no definition for permission: %{public}s!", permissionName.c_str());
373 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
374 }
375 std::shared_ptr<PermissionPolicySet> permPolicySet =
376 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenID);
377 if (permPolicySet == nullptr) {
378 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
379 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
380 }
381 int32_t fullFlag;
382 int32_t ret = permPolicySet->QueryPermissionFlag(permissionName, fullFlag);
383 if (ret == RET_SUCCESS) {
384 flag = permPolicySet->GetFlagWithoutSpecifiedElement(fullFlag, PERMISSION_GRANTED_BY_POLICY);
385 }
386 return ret;
387 }
388
ParamUpdate(const std::string & permissionName,uint32_t flag,bool filtered)389 void PermissionManager::ParamUpdate(const std::string& permissionName, uint32_t flag, bool filtered)
390 {
391 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permParamSetLock_);
392 if (filtered || (PermissionDefinitionCache::GetInstance().IsUserGrantedPermission(permissionName) &&
393 ((flag != PERMISSION_GRANTED_BY_POLICY) && (flag != PERMISSION_SYSTEM_FIXED)))) {
394 paramValue_++;
395 ACCESSTOKEN_LOG_DEBUG(LABEL,
396 "paramValue_ change %{public}llu", static_cast<unsigned long long>(paramValue_));
397 int32_t res = SetParameter(PERMISSION_STATUS_CHANGE_KEY, std::to_string(paramValue_).c_str());
398 if (res != 0) {
399 ACCESSTOKEN_LOG_ERROR(LABEL, "SetParameter failed %{public}d", res);
400 }
401 }
402 }
403
NotifyWhenPermissionStateUpdated(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag,const std::shared_ptr<HapTokenInfoInner> & infoPtr)404 void PermissionManager::NotifyWhenPermissionStateUpdated(AccessTokenID tokenID, const std::string& permissionName,
405 bool isGranted, uint32_t flag, const std::shared_ptr<HapTokenInfoInner>& infoPtr)
406 {
407 ACCESSTOKEN_LOG_INFO(LABEL, "isUpdated");
408 int32_t changeType = isGranted ? GRANTED : REVOKED;
409
410 // To notify the listener register.
411 CallbackManager::GetInstance().ExecuteCallbackAsync(tokenID, permissionName, changeType);
412
413 // To notify the client cache to update by resetting paramValue_.
414 ParamUpdate(permissionName, flag, false);
415
416 // set to kernel(grant/revoke)
417 SetPermToKernel(tokenID, permissionName, isGranted);
418
419 // DFX.
420 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK_EVENT",
421 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "CODE", USER_GRANT_PERMISSION_EVENT,
422 "CALLER_TOKENID", tokenID, "PERMISSION_NAME", permissionName, "FLAG", flag,
423 "PERMISSION_GRANT_TYPE", changeType);
424 grantEvent_.AddEvent(tokenID, permissionName, infoPtr->permUpdateTimestamp_);
425 }
426
UpdateTokenPermissionState(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag)427 int32_t PermissionManager::UpdateTokenPermissionState(
428 AccessTokenID tokenID, const std::string& permissionName, bool isGranted, uint32_t flag)
429 {
430 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
431 if (infoPtr == nullptr) {
432 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
433 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
434 }
435 if (infoPtr->IsRemote()) {
436 ACCESSTOKEN_LOG_ERROR(LABEL, "remote token can not update");
437 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
438 }
439 if (flag == PERMISSION_ALLOW_THIS_TIME) {
440 if (isGranted) {
441 if (!IsAllowGrantTempPermission(tokenID, permissionName)) {
442 ACCESSTOKEN_LOG_ERROR(LABEL, "grant permission failed, tokenID:%{public}d, permissionName:%{public}s",
443 tokenID, permissionName.c_str());
444 return ERR_IDENTITY_CHECK_FAILED;
445 }
446 }
447 }
448 std::shared_ptr<PermissionPolicySet> permPolicySet = infoPtr->GetHapInfoPermissionPolicySet();
449 if (permPolicySet == nullptr) {
450 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
451 return AccessTokenError::ERR_PARAM_INVALID;
452 }
453 #ifdef SUPPORT_SANDBOX_APP
454 int32_t hapDlpType = infoPtr->GetDlpType();
455 if (hapDlpType != DLP_COMMON) {
456 int32_t permDlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permissionName);
457 if (!DlpPermissionSetManager::GetInstance().IsPermDlpModeAvailableToDlpHap(hapDlpType, permDlpMode)) {
458 ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}u is not allowed to be granted permissionName %{public}s",
459 tokenID, permissionName.c_str());
460 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
461 }
462 }
463 #endif
464 int32_t statusBefore = permPolicySet->VerifyPermissionStatus(permissionName);
465 int32_t ret = permPolicySet->UpdatePermissionStatus(permissionName, isGranted, flag);
466 if (ret != RET_SUCCESS) {
467 return ret;
468 }
469 int32_t statusAfter = permPolicySet->VerifyPermissionStatus(permissionName);
470 if (statusAfter != statusBefore) {
471 NotifyWhenPermissionStateUpdated(tokenID, permissionName, isGranted, flag, infoPtr);
472 }
473
474 #ifdef TOKEN_SYNC_ENABLE
475 TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID);
476 #endif
477 return RET_SUCCESS;
478 }
479
IsAllowGrantTempPermission(AccessTokenID tokenID,const std::string & permissionName)480 bool PermissionManager::IsAllowGrantTempPermission(AccessTokenID tokenID, const std::string& permissionName)
481 {
482 HapTokenInfo tokenInfo;
483 if (AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, tokenInfo) != RET_SUCCESS) {
484 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid tokenId(%{public}d)", tokenID);
485 return false;
486 }
487 bool isForeground = false;
488 std::vector<AppStateData> foreGroundAppList;
489 AppManagerAccessClient::GetInstance().GetForegroundApplications(foreGroundAppList);
490
491 if (std::any_of(foreGroundAppList.begin(), foreGroundAppList.end(),
492 [=](const auto& foreGroundApp) { return foreGroundApp.bundleName == tokenInfo.bundleName; })) {
493 isForeground = true;
494 }
495 ACCESSTOKEN_LOG_INFO(LABEL, "get app state permissionName:%{public}s, isForeground:%{public}d",
496 permissionName.c_str(), isForeground);
497 bool userEnable = true;
498 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
499 int callingUid = IPCSkeleton::GetCallingUid();
500 if (callingUid == ROOT_UID) {
501 userEnable = false;
502 }
503 #endif
504 if ((!userEnable) || (isForeground)) {
505 TempPermissionObserver::GetInstance().AddTempPermTokenToList(tokenID, permissionName);
506 return true;
507 }
508 return false;
509 }
510
CheckAndUpdatePermission(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag)511 int32_t PermissionManager::CheckAndUpdatePermission(AccessTokenID tokenID, const std::string& permissionName,
512 bool isGranted, uint32_t flag)
513 {
514 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
515 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
516 return AccessTokenError::ERR_PARAM_INVALID;
517 }
518 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
519 ACCESSTOKEN_LOG_ERROR(
520 LABEL, "no definition for permission: %{public}s!", permissionName.c_str());
521 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
522 }
523 if (!PermissionValidator::IsPermissionFlagValid(flag)) {
524 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
525 return AccessTokenError::ERR_PARAM_INVALID;
526 }
527 int32_t ret = UpdateTokenPermissionState(tokenID, permissionName, isGranted, flag);
528 if (ret != RET_SUCCESS) {
529 return ret;
530 }
531
532 #ifdef SUPPORT_SANDBOX_APP
533 // The action of sharing would be taken place only if the grant operation or revoke operation equals to success.
534 std::vector<AccessTokenID> tokenIdList;
535 AccessTokenInfoManager::GetInstance().GetRelatedSandBoxHapList(tokenID, tokenIdList);
536 for (const auto& id : tokenIdList) {
537 (void)UpdateTokenPermissionState(id, permissionName, isGranted, flag);
538 }
539 #endif
540 return RET_SUCCESS;
541 }
542
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)543 int32_t PermissionManager::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
544 {
545 ACCESSTOKEN_LOG_INFO(LABEL,
546 "%{public}s called, tokenID: %{public}u, permissionName: %{public}s, flag: %{public}d",
547 __func__, tokenID, permissionName.c_str(), flag);
548 return CheckAndUpdatePermission(tokenID, permissionName, true, flag);
549 }
550
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)551 int32_t PermissionManager::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
552 {
553 ACCESSTOKEN_LOG_INFO(LABEL,
554 "%{public}s called, tokenID: %{public}u, permissionName: %{public}s, flag: %{public}d",
555 __func__, tokenID, permissionName.c_str(), flag);
556 return CheckAndUpdatePermission(tokenID, permissionName, false, flag);
557 }
558
ScopeToString(const std::vector<AccessTokenID> & tokenIDs,const std::vector<std::string> & permList)559 void PermissionManager::ScopeToString(
560 const std::vector<AccessTokenID>& tokenIDs, const std::vector<std::string>& permList)
561 {
562 std::stringstream str;
563 copy(tokenIDs.begin(), tokenIDs.end(), std::ostream_iterator<uint32_t>(str, ", "));
564 std::string tokenidStr = str.str();
565
566 std::string permStr;
567 permStr = accumulate(permList.begin(), permList.end(), std::string(" "));
568
569 ACCESSTOKEN_LOG_INFO(LABEL, "tokenidStr = %{public}s permStr =%{public}s",
570 tokenidStr.c_str(), permStr.c_str());
571 }
572
ScopeFilter(const PermStateChangeScope & scopeSrc,PermStateChangeScope & scopeRes)573 int32_t PermissionManager::ScopeFilter(const PermStateChangeScope& scopeSrc, PermStateChangeScope& scopeRes)
574 {
575 std::set<uint32_t> tokenIdSet;
576 for (const auto& tokenId : scopeSrc.tokenIDs) {
577 if (AccessTokenInfoManager::GetInstance().IsTokenIdExist(tokenId) &&
578 (tokenIdSet.count(tokenId) == 0)) {
579 scopeRes.tokenIDs.emplace_back(tokenId);
580 tokenIdSet.insert(tokenId);
581 continue;
582 }
583 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId %{public}d invalid!", tokenId);
584 }
585 std::set<std::string> permSet;
586 for (const auto& permissionName : scopeSrc.permList) {
587 if (PermissionDefinitionCache::GetInstance().HasDefinition(permissionName) &&
588 permSet.count(permissionName) == 0) {
589 scopeRes.permList.emplace_back(permissionName);
590 permSet.insert(permissionName);
591 continue;
592 }
593 ACCESSTOKEN_LOG_ERROR(LABEL, "permission %{public}s invalid!", permissionName.c_str());
594 }
595 if ((scopeRes.tokenIDs.empty()) && (!scopeSrc.tokenIDs.empty())) {
596 ACCESSTOKEN_LOG_ERROR(LABEL, "valid tokenid size is 0!");
597 return AccessTokenError::ERR_PARAM_INVALID;
598 }
599 if ((scopeRes.permList.empty()) && (!scopeSrc.permList.empty())) {
600 ACCESSTOKEN_LOG_ERROR(LABEL, "valid permission size is 0!");
601 return AccessTokenError::ERR_PARAM_INVALID;
602 }
603 ScopeToString(scopeRes.tokenIDs, scopeRes.permList);
604 return RET_SUCCESS;
605 }
606
AddPermStateChangeCallback(const PermStateChangeScope & scope,const sptr<IRemoteObject> & callback)607 int32_t PermissionManager::AddPermStateChangeCallback(
608 const PermStateChangeScope& scope, const sptr<IRemoteObject>& callback)
609 {
610 ACCESSTOKEN_LOG_INFO(LABEL, "called");
611 PermStateChangeScope scopeRes;
612 int32_t result = ScopeFilter(scope, scopeRes);
613 if (result != RET_SUCCESS) {
614 return result;
615 }
616 return CallbackManager::GetInstance().AddCallback(scope, callback);
617 }
618
RemovePermStateChangeCallback(const sptr<IRemoteObject> & callback)619 int32_t PermissionManager::RemovePermStateChangeCallback(const sptr<IRemoteObject>& callback)
620 {
621 return CallbackManager::GetInstance().RemoveCallback(callback);
622 }
623
GetApiVersionByTokenId(AccessTokenID tokenID,int32_t & apiVersion)624 bool PermissionManager::GetApiVersionByTokenId(AccessTokenID tokenID, int32_t& apiVersion)
625 {
626 // only hap can do this
627 AccessTokenIDInner *idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenID);
628 ATokenTypeEnum tokenType = (ATokenTypeEnum)(idInner->type);
629 if (tokenType != TOKEN_HAP) {
630 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid token type %{public}d", tokenType);
631 return false;
632 }
633
634 HapTokenInfo hapInfo;
635 int ret = AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo);
636 if (ret != RET_SUCCESS) {
637 ACCESSTOKEN_LOG_ERROR(LABEL, "get hap token info error!");
638 return false;
639 }
640
641 apiVersion = hapInfo.apiVersion;
642
643 return true;
644 }
645
IsPermissionVaild(const std::string & permissionName)646 bool PermissionManager::IsPermissionVaild(const std::string& permissionName)
647 {
648 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
649 ACCESSTOKEN_LOG_WARN(LABEL, "invalid permissionName %{public}s", permissionName.c_str());
650 return false;
651 }
652
653 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
654 ACCESSTOKEN_LOG_WARN(LABEL, "permission %{public}s has no definition ", permissionName.c_str());
655 return false;
656 }
657 return true;
658 }
659
GetLocationPermissionIndex(std::vector<PermissionListStateParcel> & reqPermList,LocationIndex & locationIndex)660 bool PermissionManager::GetLocationPermissionIndex(std::vector<PermissionListStateParcel>& reqPermList,
661 LocationIndex& locationIndex)
662 {
663 int index = 0;
664 bool hasFound = false;
665
666 for (const auto& perm : reqPermList) {
667 if (perm.permsState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) {
668 locationIndex.vagueIndex = index;
669 hasFound = true;
670 } else if (perm.permsState.permissionName == ACCURATE_LOCATION_PERMISSION_NAME) {
671 locationIndex.accurateIndex = index;
672 hasFound = true;
673 } else if (perm.permsState.permissionName == BACKGROUND_LOCATION_PERMISSION_NAME) {
674 locationIndex.backIndex = index;
675 hasFound = true;
676 }
677
678 index++;
679
680 if ((locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) &&
681 (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) &&
682 (locationIndex.backIndex != PERMISSION_NOT_REQUSET)) {
683 break;
684 }
685 }
686
687 ACCESSTOKEN_LOG_INFO(LABEL,
688 "vague index is %{public}d, accurate index is %{public}d, background index is %{public}d!",
689 locationIndex.vagueIndex, locationIndex.accurateIndex, locationIndex.backIndex);
690
691 return hasFound;
692 }
693
GetStateWithVaguePermission(std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStateFull> & permsList,int32_t apiVersion,const LocationIndex & locationIndex)694 bool PermissionManager::GetStateWithVaguePermission(std::vector<PermissionListStateParcel>& reqPermList,
695 std::vector<PermissionStateFull>& permsList, int32_t apiVersion, const LocationIndex& locationIndex)
696 {
697 bool needRes = false;
698 GetSelfPermissionState(permsList, reqPermList[locationIndex.vagueIndex].permsState, apiVersion);
699 needRes = reqPermList[locationIndex.vagueIndex].permsState.state == DYNAMIC_OPER;
700 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
701 // request accurate and vague permission, if vague has been set or invalid, accurate can't be requested
702 GetSelfPermissionState(permsList, reqPermList[locationIndex.accurateIndex].permsState, apiVersion);
703 if (reqPermList[locationIndex.accurateIndex].permsState.state == DYNAMIC_OPER &&
704 ((reqPermList[locationIndex.vagueIndex].permsState.state == SETTING_OPER) ||
705 (reqPermList[locationIndex.vagueIndex].permsState.state == INVALID_OPER))) {
706 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
707 }
708 needRes = needRes || (reqPermList[locationIndex.accurateIndex].permsState.state == DYNAMIC_OPER);
709 }
710 if (locationIndex.backIndex != PERMISSION_NOT_REQUSET) {
711 // with back and vague permission
712 // back state is SETTING_OPER when dynamic pop-up dialog appears and INVALID_OPER when it doesn't
713 GetSelfPermissionState(permsList, reqPermList[locationIndex.backIndex].permsState, apiVersion);
714 if (reqPermList[locationIndex.backIndex].permsState.state == DYNAMIC_OPER) {
715 if (((locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) &&
716 (reqPermList[locationIndex.accurateIndex].permsState.state == DYNAMIC_OPER)) ||
717 (reqPermList[locationIndex.vagueIndex].permsState.state == DYNAMIC_OPER)) {
718 reqPermList[locationIndex.backIndex].permsState.state = SETTING_OPER;
719 } else {
720 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
721 }
722 }
723 }
724 return needRes;
725 }
726
GetLocationPermissionState(std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStateFull> & permsList,int32_t apiVersion)727 bool PermissionManager::GetLocationPermissionState(std::vector<PermissionListStateParcel>& reqPermList,
728 std::vector<PermissionStateFull>& permsList, int32_t apiVersion)
729 {
730 struct LocationIndex locationIndex;
731 if (!GetLocationPermissionIndex(reqPermList, locationIndex)) {
732 return false;
733 }
734 if (locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) {
735 return GetStateWithVaguePermission(reqPermList, permsList, apiVersion, locationIndex);
736 }
737 // permission handle without vague location, accurate and back can't be requested
738 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
739 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
740 }
741 if (locationIndex.backIndex != PERMISSION_NOT_REQUSET) {
742 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
743 }
744 return false;
745 }
746
GetStateWithVaguePermissionBackGroundVersion(std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStateFull> & permsList,int32_t apiVersion,const LocationIndex & locationIndex)747 bool PermissionManager::GetStateWithVaguePermissionBackGroundVersion(
748 std::vector<PermissionListStateParcel>& reqPermList,
749 std::vector<PermissionStateFull>& permsList, int32_t apiVersion, const LocationIndex& locationIndex)
750 {
751 bool needRes = false;
752 GetSelfPermissionState(permsList, reqPermList[locationIndex.vagueIndex].permsState, apiVersion);
753 needRes = reqPermList[locationIndex.vagueIndex].permsState.state == DYNAMIC_OPER;
754 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
755 // request accurate and vague permission, if vague has been set or invalid, accurate can't be requested
756 GetSelfPermissionState(permsList, reqPermList[locationIndex.accurateIndex].permsState, apiVersion);
757 if (reqPermList[locationIndex.accurateIndex].permsState.state == DYNAMIC_OPER &&
758 ((reqPermList[locationIndex.vagueIndex].permsState.state == SETTING_OPER) ||
759 (reqPermList[locationIndex.vagueIndex].permsState.state == INVALID_OPER))) {
760 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
761 }
762 needRes = needRes || (reqPermList[locationIndex.accurateIndex].permsState.state == DYNAMIC_OPER);
763 }
764 if (locationIndex.backIndex != PERMISSION_NOT_REQUSET) {
765 // with back and vague permission, request back can not pop dynamic dialog
766 reqPermList[locationIndex.vagueIndex].permsState.state = INVALID_OPER;
767 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
768 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
769 }
770 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
771 needRes = false;
772 }
773 return needRes;
774 }
775
GetLocationPermissionStateBackGroundVersion(std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStateFull> & permsList,int32_t apiVersion)776 bool PermissionManager::GetLocationPermissionStateBackGroundVersion(std::vector<PermissionListStateParcel>& reqPermList,
777 std::vector<PermissionStateFull>& permsList, int32_t apiVersion)
778 {
779 struct LocationIndex locationIndex;
780 if (!GetLocationPermissionIndex(reqPermList, locationIndex)) {
781 return false;
782 }
783 if (locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) {
784 return GetStateWithVaguePermissionBackGroundVersion(reqPermList, permsList, apiVersion, locationIndex);
785 }
786 // permission handle without vague location, accurate and back can't be requested
787 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
788 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
789 }
790 if (locationIndex.backIndex != PERMISSION_NOT_REQUSET) {
791 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
792 }
793 return false;
794 }
795
LocationPermissionSpecialHandle(std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStateFull> & permsList,int32_t apiVersion)796 bool PermissionManager::LocationPermissionSpecialHandle(std::vector<PermissionListStateParcel>& reqPermList,
797 std::vector<PermissionStateFull>& permsList, int32_t apiVersion)
798 {
799 bool needRes = false;
800 if (apiVersion < BACKGROUND_LOCATION_API_VERSION) {
801 needRes = GetLocationPermissionState(reqPermList, permsList, apiVersion);
802 } else {
803 needRes = GetLocationPermissionStateBackGroundVersion(reqPermList, permsList, apiVersion);
804 }
805 return needRes;
806 }
807
ClearUserGrantedPermissionState(AccessTokenID tokenID)808 void PermissionManager::ClearUserGrantedPermissionState(AccessTokenID tokenID)
809 {
810 if (ClearUserGrantedPermission(tokenID) != RET_SUCCESS) {
811 return;
812 }
813 std::vector<AccessTokenID> tokenIdList;
814 AccessTokenInfoManager::GetInstance().GetRelatedSandBoxHapList(tokenID, tokenIdList);
815 for (const auto& id : tokenIdList) {
816 (void)ClearUserGrantedPermission(id);
817 }
818 }
819
NotifyUpdatedPermList(const std::vector<std::string> & grantedPermListBefore,const std::vector<std::string> & grantedPermListAfter,AccessTokenID tokenID)820 void PermissionManager::NotifyUpdatedPermList(const std::vector<std::string>& grantedPermListBefore,
821 const std::vector<std::string>& grantedPermListAfter, AccessTokenID tokenID)
822 {
823 for (uint32_t i = 0; i < grantedPermListBefore.size(); i++) {
824 auto it = find(grantedPermListAfter.begin(), grantedPermListAfter.end(), grantedPermListBefore[i]);
825 if (it == grantedPermListAfter.end()) {
826 CallbackManager::GetInstance().ExecuteCallbackAsync(tokenID, grantedPermListBefore[i], REVOKED);
827 ParamUpdate(grantedPermListBefore[i], 0, true);
828 }
829 }
830 for (uint32_t i = 0; i < grantedPermListAfter.size(); i++) {
831 auto it = find(grantedPermListBefore.begin(), grantedPermListBefore.end(), grantedPermListAfter[i]);
832 if (it == grantedPermListBefore.end()) {
833 CallbackManager::GetInstance().ExecuteCallbackAsync(tokenID, grantedPermListAfter[i], GRANTED);
834 ParamUpdate(grantedPermListAfter[i], 0, false);
835 }
836 }
837 }
838
ClearUserGrantedPermission(AccessTokenID tokenID)839 int32_t PermissionManager::ClearUserGrantedPermission(AccessTokenID tokenID)
840 {
841 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
842 if (infoPtr == nullptr) {
843 ACCESSTOKEN_LOG_ERROR(LABEL, "token %{public}u is invalid.", tokenID);
844 return ERR_PARAM_INVALID;
845 }
846 if (infoPtr->IsRemote()) {
847 ACCESSTOKEN_LOG_ERROR(LABEL, "it is a remote hap token %{public}u!", tokenID);
848 return ERR_IDENTITY_CHECK_FAILED;
849 }
850 std::shared_ptr<PermissionPolicySet> permPolicySet = infoPtr->GetHapInfoPermissionPolicySet();
851 if (permPolicySet == nullptr) {
852 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
853 return ERR_PARAM_INVALID;
854 }
855 std::vector<std::string> grantedPermListBefore;
856 permPolicySet->GetGrantedPermissionList(grantedPermListBefore);
857
858 // reset permission.
859 permPolicySet->ResetUserGrantPermissionStatus();
860 // clear security component granted permission which is not requested in module.json.
861 permPolicySet->ClearSecCompGrantedPerm();
862
863 #ifdef SUPPORT_SANDBOX_APP
864 // update permission status with dlp permission rule.
865 std::vector<PermissionStateFull> permListOfHap;
866 permPolicySet->GetPermissionStateFulls(permListOfHap);
867 DlpPermissionSetManager::GetInstance().UpdatePermStateWithDlpInfo(
868 infoPtr->GetDlpType(), permListOfHap);
869 permPolicySet->Update(permListOfHap);
870 #endif
871
872 std::vector<std::string> grantedPermListAfter;
873 permPolicySet->GetGrantedPermissionList(grantedPermListAfter);
874
875 NotifyUpdatedPermList(grantedPermListBefore, grantedPermListAfter, tokenID);
876
877 // clear
878 AddPermToKernel(tokenID, permPolicySet);
879 return RET_SUCCESS;
880 }
881
NotifyPermGrantStoreResult(bool result,uint64_t timestamp)882 void PermissionManager::NotifyPermGrantStoreResult(bool result, uint64_t timestamp)
883 {
884 grantEvent_.NotifyPermGrantStoreResult(result, timestamp);
885 }
886
TransferPermissionDefToString(const PermissionDef & inPermissionDef)887 std::string PermissionManager::TransferPermissionDefToString(const PermissionDef& inPermissionDef)
888 {
889 std::string infos;
890 infos.append(R"({"permissionName": ")" + inPermissionDef.permissionName + R"(")");
891 infos.append(R"(, "bundleName": ")" + inPermissionDef.bundleName + R"(")");
892 infos.append(R"(, "grantMode": )" + std::to_string(inPermissionDef.grantMode));
893 infos.append(R"(, "availableLevel": )" + std::to_string(inPermissionDef.availableLevel));
894 infos.append(R"(, "provisionEnable": )" + std::to_string(inPermissionDef.provisionEnable));
895 infos.append(R"(, "distributedSceneEnable": )" + std::to_string(inPermissionDef.distributedSceneEnable));
896 infos.append(R"(, "label": ")" + inPermissionDef.label + R"(")");
897 infos.append(R"(, "labelId": )" + std::to_string(inPermissionDef.labelId));
898 infos.append(R"(, "description": ")" + inPermissionDef.description + R"(")");
899 infos.append(R"(, "descriptionId": )" + std::to_string(inPermissionDef.descriptionId));
900 infos.append(R"(, "availableType": )" + std::to_string(inPermissionDef.availableType));
901 infos.append("}");
902 return infos;
903 }
904
AddPermToKernel(AccessTokenID tokenID,const std::shared_ptr<PermissionPolicySet> & policy)905 void PermissionManager::AddPermToKernel(AccessTokenID tokenID, const std::shared_ptr<PermissionPolicySet>& policy)
906 {
907 if (policy == nullptr) {
908 return;
909 }
910 std::vector<uint32_t> opCodeList;
911 std::vector<bool> statusList;
912 policy->GetPermissionStateList(opCodeList, statusList);
913 int32_t ret = AddPermissionToKernel(tokenID, opCodeList, statusList);
914 ACCESSTOKEN_LOG_INFO(LABEL,
915 "AddPermissionToKernel(token=%{public}d), size=%{public}zu, err=%{public}d",
916 tokenID, opCodeList.size(), ret);
917 }
918
RemovePermFromKernel(AccessTokenID tokenID)919 void PermissionManager::RemovePermFromKernel(AccessTokenID tokenID)
920 {
921 int32_t ret = RemovePermissionFromKernel(tokenID);
922 ACCESSTOKEN_LOG_INFO(LABEL,
923 "RemovePermissionFromKernel(token=%{public}d), err=%{public}d", tokenID, ret);
924 }
925
SetPermToKernel(AccessTokenID tokenID,const std::string & permissionName,bool isGranted)926 void PermissionManager::SetPermToKernel(AccessTokenID tokenID, const std::string& permissionName, bool isGranted)
927 {
928 uint32_t code;
929 if (!TransferPermissionToOpcode(permissionName, code)) {
930 return;
931 }
932 int32_t ret = SetPermissionToKernel(tokenID, code, isGranted);
933 ACCESSTOKEN_LOG_INFO(LABEL,
934 "SetPermissionToKernel(token=%{public}d, permission=(%{public}s), err=%{public}d",
935 tokenID, permissionName.c_str(), ret);
936 }
937 } // namespace AccessToken
938 } // namespace Security
939 } // namespace OHOS
940