1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_checker.h"
17
18 #include "accesstoken_kit.h"
19 #include "avsession_log.h"
20 #include "ipc_skeleton.h"
21 #include "bundle_mgr_client.h"
22 #include "tokenid_kit.h"
23
24 namespace OHOS::AVSession {
25 using namespace Security::AccessToken;
26 using AppExecFwk::BundleMgrClient;
GetInstance()27 PermissionChecker& PermissionChecker::GetInstance()
28 {
29 static PermissionChecker permissionChecker;
30 return permissionChecker;
31 }
32
CheckSystemPermission(Security::AccessToken::AccessTokenID tokenId)33 bool PermissionChecker::CheckSystemPermission(Security::AccessToken::AccessTokenID tokenId)
34 {
35 if (AccessTokenKit::GetTokenTypeFlag(tokenId) == TOKEN_NATIVE) {
36 return true;
37 }
38
39 if (AccessTokenKit::GetTokenTypeFlag(tokenId) == TOKEN_SHELL) {
40 return true;
41 }
42
43 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
44 bool isSystemApp = TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
45 if (!isSystemApp) {
46 SLOGI("Not system app, permission reject tokenid=%{public}u", tokenId);
47 return false;
48 }
49
50 SLOGI("Check system permission finished");
51 return true;
52 }
53
CheckSystemPermission()54 bool PermissionChecker::CheckSystemPermission()
55 {
56 AccessTokenID callerToken = OHOS::IPCSkeleton::GetCallingTokenID();
57 return CheckSystemPermission(callerToken);
58 }
59
CheckSystemPermissionByUid(int uid)60 bool PermissionChecker::CheckSystemPermissionByUid(int uid)
61 {
62 BundleMgrClient client;
63 std::string bundleName;
64 std::string identity = OHOS::IPCSkeleton::ResetCallingIdentity();
65 if (client.GetNameForUid(uid, bundleName) != OHOS::ERR_OK) {
66 return true;
67 }
68 OHOS::IPCSkeleton::SetCallingIdentity(identity);
69
70 AccessTokenIDEx accessTokenIdEx = AccessTokenKit::GetHapTokenIDEx(uid / UID_TRANSFORM_DIVISOR, bundleName, 0);
71 auto tokenId = accessTokenIdEx.tokenIdExStruct.tokenID;
72 SLOGD("CheckSystemPermissionByUid get tokenId : %{public}u", tokenId);
73 SLOGD("CheckSystemPermissionByUid get full tokenId : %{public}llu", accessTokenIdEx.tokenIDEx);
74 if (tokenId == INVALID_TOKENID) {
75 SLOGE("get token id failed");
76 return false;
77 }
78 if (AccessTokenKit::GetTokenTypeFlag(tokenId) == TOKEN_NATIVE) {
79 return true;
80 }
81
82 if (AccessTokenKit::GetTokenTypeFlag(tokenId) == TOKEN_SHELL) {
83 return true;
84 }
85 bool isSystemApp = TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx.tokenIDEx);
86 if (!isSystemApp) {
87 SLOGI("CheckSystemPermissionByUid Not system app, fullTokenId=%{public}llu", accessTokenIdEx.tokenIDEx);
88 return false;
89 }
90 SLOGD("CheckSystemPermissionByUid is system app done");
91 return true;
92 }
93 } // namespace OHOS::AVSession
94