1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #ifndef OHOS_ABILITY_RUNTIME_DLP_UTILS_H
17 #define OHOS_ABILITY_RUNTIME_DLP_UTILS_H
18
19 #include "ability_record.h"
20 #ifdef WITH_DLP
21 #include "dlp_permission_kit.h"
22 #endif // WITH_DLP
23 #include "hilog_wrapper.h"
24 #include "iremote_object.h"
25 #include "permission_verification.h"
26 #include "want.h"
27
28 namespace OHOS {
29 namespace AAFwk {
30 namespace DlpUtils {
31 #ifdef WITH_DLP
32 using Dlp = Security::DlpPermission::DlpPermissionKit;
33 #endif // WITH_DLP
DlpAccessOtherAppsCheck(const sptr<IRemoteObject> & callerToken,const Want & want)34 [[maybe_unused]]static bool DlpAccessOtherAppsCheck(const sptr<IRemoteObject> &callerToken, const Want &want)
35 {
36 #ifdef WITH_DLP
37 auto isSaCall = AAFwk::PermissionVerification::GetInstance()->IsSACall();
38 if (isSaCall) {
39 return true;
40 }
41 if (callerToken == nullptr) {
42 return true;
43 }
44 auto abilityRecord = Token::GetAbilityRecordByToken(callerToken);
45 if (abilityRecord == nullptr) {
46 HILOG_ERROR("Ability has already been destroyed.");
47 return true;
48 }
49 if (abilityRecord->GetAppIndex() == 0) {
50 return true;
51 }
52 if (abilityRecord->GetApplicationInfo().bundleName == want.GetElement().GetBundleName()) {
53 return true;
54 }
55 int32_t uid = abilityRecord->GetApplicationInfo().uid;
56 Security::DlpPermission::SandBoxExternalAuthorType authResult;
57 int result = Dlp::GetSandboxExternalAuthorization(uid, want, authResult);
58 if (result != ERR_OK) {
59 HILOG_ERROR("GetSandboxExternalAuthorization failed %{public}d.", result);
60 return false;
61 }
62 if (authResult != Security::DlpPermission::SandBoxExternalAuthorType::ALLOW_START_ABILITY) {
63 HILOG_ERROR("Auth failed, not allow start %{public}d.", uid);
64 return false;
65 }
66 #endif // WITH_DLP
67 return true;
68 }
69
OtherAppsAccessDlpCheck(const sptr<IRemoteObject> & callerToken,const Want & want)70 [[maybe_unused]]static bool OtherAppsAccessDlpCheck(const sptr<IRemoteObject> &callerToken, const Want &want)
71 {
72 if (callerToken != nullptr) {
73 auto abilityRecord = Token::GetAbilityRecordByToken(callerToken);
74 if (abilityRecord != nullptr && abilityRecord->GetAppIndex() != 0) {
75 return true;
76 }
77 }
78
79 return PermissionVerification::GetInstance()->VerifyDlpPermission(const_cast<Want &>(want));
80 }
81
SandboxAuthCheck(const AbilityRecord & callerRecord,const Want & want)82 [[maybe_unused]]static bool SandboxAuthCheck(const AbilityRecord &callerRecord, const Want &want)
83 {
84 #ifdef WITH_DLP
85 int32_t uid = callerRecord.GetApplicationInfo().uid;
86 Security::DlpPermission::SandBoxExternalAuthorType authResult;
87 int result = Dlp::GetSandboxExternalAuthorization(uid, want, authResult);
88 if (result != ERR_OK) {
89 HILOG_ERROR("GetSandboxExternalAuthorization failed %{public}d.", result);
90 return false;
91 }
92 if (authResult != Security::DlpPermission::SandBoxExternalAuthorType::ALLOW_START_ABILITY) {
93 HILOG_ERROR("Auth failed, not allow start %{public}d.", uid);
94 return false;
95 }
96 #endif // WITH_DLP
97 return true;
98 }
99 } // namespace DlpUtils
100 } // namespace AAFwk
101 } // namespace OHOS
102 #endif // OHOS_ABILITY_RUNTIME_DLP_UTILS_H
103