1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_manager.h"
17
18 #include "accesstoken_kit.h"
19 #include "access_token.h"
20 #include "dm_log.h"
21 #include "hap_token_info.h"
22 #include "ipc_skeleton.h"
23 #include "native_token_info.h"
24 #include "securec.h"
25
26 using namespace OHOS::Security::AccessToken;
27
28 namespace OHOS {
29 namespace DistributedHardware {
30 IMPLEMENT_SINGLE_INSTANCE(PermissionManager);
31 constexpr int32_t DM_OK = 0;
32 constexpr int32_t ERR_DM_FAILED = -20000;
33 constexpr int32_t PKG_NAME_SIZE_MAX = 256;
34 namespace {
35 constexpr const char* DM_SERVICE_ACCESS_PERMISSION = "ohos.permission.ACCESS_SERVICE_DM";
36 constexpr const char* DM_SERVICE_ACCESS_NEWPERMISSION = "ohos.permission.DISTRIBUTED_DATASYNC";
37
38 #define AUTH_CODE_WHITE_LIST_NUM (2)
39 constexpr const static char g_authCodeWhiteList[AUTH_CODE_WHITE_LIST_NUM][PKG_NAME_SIZE_MAX] = {
40 "com.huawei.msdp.hmringgenerator",
41 "com.huawei.msdp.hmringdiscriminator",
42 };
43
44 #define PIN_HOLDER_WHITE_LIST_NUM (1)
45 constexpr const static char g_pinHolderWhiteList[PIN_HOLDER_WHITE_LIST_NUM][PKG_NAME_SIZE_MAX] = {
46 "CollaborationFwk",
47 };
48 }
49
CheckPermission(void)50 bool PermissionManager::CheckPermission(void)
51 {
52 LOGI("Enter PermissionManager::CheckPermission");
53 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
54 if (tokenCaller == 0) {
55 return false;
56 }
57 LOGI("PermissionManager::tokenCaller ID == %d", tokenCaller);
58
59 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
60 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP || tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
61 int32_t ret = AccessTokenKit::VerifyAccessToken(tokenCaller, DM_SERVICE_ACCESS_PERMISSION);
62 if (ret == PermissionState::PERMISSION_GRANTED) {
63 return true;
64 }
65 }
66 LOGE("DM service access is denied, please apply for corresponding permissions");
67 return false;
68 }
69
CheckNewPermission(void)70 bool PermissionManager::CheckNewPermission(void)
71 {
72 LOGI("Enter PermissionManager::CheckNewPermission");
73 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
74 if (tokenCaller == 0) {
75 return false;
76 }
77 LOGI("PermissionManager::tokenCaller ID == %d", tokenCaller);
78
79 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
80 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP || tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
81 int32_t ret = AccessTokenKit::VerifyAccessToken(tokenCaller, DM_SERVICE_ACCESS_NEWPERMISSION);
82 if (ret == PermissionState::PERMISSION_GRANTED) {
83 return true;
84 }
85 }
86 LOGE("DM service access is denied, please apply for corresponding new permissions");
87 return false;
88 }
89
GetCallerProcessName(std::string & processName)90 int32_t PermissionManager::GetCallerProcessName(std::string &processName)
91 {
92 LOGI("Enter PermissionManager::GetCallerProcessName");
93 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
94 if (tokenCaller == 0) {
95 return ERR_DM_FAILED;
96 }
97 LOGI("PermissionManager::tokenCaller ID == %d", tokenCaller);
98 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
99 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP) {
100 HapTokenInfo tokenInfo;
101 if (AccessTokenKit::GetHapTokenInfo(tokenCaller, tokenInfo) != EOK) {
102 LOGE("GetHapTokenInfo failed.");
103 return ERR_DM_FAILED;
104 }
105 processName = std::move(tokenInfo.bundleName);
106 } else if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
107 NativeTokenInfo tokenInfo;
108 if (AccessTokenKit::GetNativeTokenInfo(tokenCaller, tokenInfo) != EOK) {
109 LOGE("GetNativeTokenInfo failed.");
110 return ERR_DM_FAILED;
111 }
112 processName = std::move(tokenInfo.processName);
113 } else {
114 LOGE("GetCallerProcessName failed, unsupported process.");
115 return ERR_DM_FAILED;
116 }
117
118 LOGI("Get process name: %s success.", processName.c_str());
119 return DM_OK;
120 }
121
CheckProcessNameValidOnAuthCode(const std::string & processName)122 bool PermissionManager::CheckProcessNameValidOnAuthCode(const std::string &processName)
123 {
124 LOGI("Enter PermissionManager::CheckProcessNameValidOnAuthCode");
125 if (processName.empty()) {
126 LOGE("ProcessName is empty");
127 return false;
128 }
129
130 uint16_t index = 0;
131 for (; index < AUTH_CODE_WHITE_LIST_NUM; ++index) {
132 std::string tmp(g_authCodeWhiteList[index]);
133 if (processName == tmp) {
134 return true;
135 }
136 }
137
138 LOGE("CheckProcessNameValidOnAuthCode process name: %s invalid.", processName.c_str());
139 return false;
140 }
141
CheckProcessNameValidOnPinHolder(const std::string & processName)142 bool PermissionManager::CheckProcessNameValidOnPinHolder(const std::string &processName)
143 {
144 LOGI("Enter PermissionManager::CheckProcessNameValidOnPinHolder");
145 if (processName.empty()) {
146 LOGE("ProcessName is empty");
147 return false;
148 }
149
150 uint16_t index = 0;
151 for (; index < PIN_HOLDER_WHITE_LIST_NUM; ++index) {
152 std::string tmp(g_pinHolderWhiteList[index]);
153 if (processName == tmp) {
154 return true;
155 }
156 }
157
158 LOGE("CheckProcessNameValidOnPinHolder process name: %s invalid.", processName.c_str());
159 return false;
160 }
161 } // namespace DistributedHardware
162 } // namespace OHOS
163