1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "ipc_skeleton.h"
17 #include "permission_helper.h"
18 #include "proto.h"
19
20 #include "mmi_log.h"
21
22 #include "tokenid_kit.h"
23
24 namespace OHOS {
25 namespace MMI {
26 namespace {
27 constexpr OHOS::HiviewDFX::HiLogLabel LABEL = { LOG_CORE, MMI_LOG_DOMAIN, "PermissionHelper" };
28 } // namespace
29
PermissionHelper()30 PermissionHelper::PermissionHelper() {}
~PermissionHelper()31 PermissionHelper::~PermissionHelper() {}
32
VerifySystemApp()33 bool PermissionHelper::VerifySystemApp()
34 {
35 MMI_HILOGD("verify system App");
36 auto callerToken = IPCSkeleton::GetCallingTokenID();
37 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
38 MMI_HILOGD("token type is %{public}d", static_cast<int32_t>(tokenType));
39 if (tokenType == OHOS::Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE
40 || tokenType == OHOS::Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
41 MMI_HILOGD("called tokenType is native, verify success");
42 return true;
43 }
44 uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
45 if (!OHOS::Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
46 MMI_HILOGE("system api is called by non-system app");
47 return false;
48 }
49 return true;
50 }
51
CheckPermission(uint32_t required)52 bool PermissionHelper::CheckPermission(uint32_t required)
53 {
54 CALL_DEBUG_ENTER;
55 auto tokenId = IPCSkeleton::GetCallingTokenID();
56 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
57 if (tokenType == OHOS::Security::AccessToken::TOKEN_HAP) {
58 return CheckHapPermission(tokenId, required);
59 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE) {
60 MMI_HILOGD("Token type is native");
61 return true;
62 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
63 MMI_HILOGI("Token type is shell");
64 return true;
65 } else {
66 MMI_HILOGE("Unsupported token type:%{public}d", tokenType);
67 return false;
68 }
69 }
70
CheckMonitor()71 bool PermissionHelper::CheckMonitor()
72 {
73 CALL_DEBUG_ENTER;
74 auto tokenId = IPCSkeleton::GetCallingTokenID();
75 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
76 if ((tokenType == OHOS::Security::AccessToken::TOKEN_HAP) ||
77 (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE)) {
78 return CheckMonitorPermission(tokenId);
79 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
80 MMI_HILOGI("Token type is shell");
81 return true;
82 } else {
83 MMI_HILOGE("Unsupported token type:%{public}d", tokenType);
84 return false;
85 }
86 }
87
CheckInterceptor()88 bool PermissionHelper::CheckInterceptor()
89 {
90 CALL_DEBUG_ENTER;
91 auto tokenId = IPCSkeleton::GetCallingTokenID();
92 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
93 if ((tokenType == OHOS::Security::AccessToken::TOKEN_HAP) ||
94 (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE)) {
95 return CheckInterceptorPermission(tokenId);
96 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
97 MMI_HILOGI("Token type is shell");
98 return true;
99 } else {
100 MMI_HILOGE("Unsupported token type:%{public}d", tokenType);
101 return false;
102 }
103 }
104
CheckHapPermission(uint32_t tokenId,uint32_t required)105 bool PermissionHelper::CheckHapPermission(uint32_t tokenId, uint32_t required)
106 {
107 OHOS::Security::AccessToken::HapTokenInfo findInfo;
108 if (OHOS::Security::AccessToken::AccessTokenKit::GetHapTokenInfo(tokenId, findInfo) != 0) {
109 MMI_HILOGE("GetHapTokenInfo failed");
110 return false;
111 }
112 if (!((1 << findInfo.apl) & required)) {
113 MMI_HILOGE("Check hap permission failed, name:%{public}s, apl:%{public}d, required:%{public}d",
114 findInfo.bundleName.c_str(), findInfo.apl, required);
115 return false;
116 }
117 MMI_HILOGD("Check hap permission success");
118 return true;
119 }
120
CheckMonitorPermission(uint32_t tokenId)121 bool PermissionHelper::CheckMonitorPermission(uint32_t tokenId)
122 {
123 static const std::string inputMonitor = "ohos.permission.INPUT_MONITORING";
124 int32_t ret = OHOS::Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, inputMonitor);
125 if (ret != OHOS::Security::AccessToken::PERMISSION_GRANTED) {
126 MMI_HILOGE("Check monitor permission failed ret:%{public}d", ret);
127 return false;
128 }
129 MMI_HILOGD("Check monitor permission success");
130 return true;
131 }
132
CheckInterceptorPermission(uint32_t tokenId)133 bool PermissionHelper::CheckInterceptorPermission(uint32_t tokenId)
134 {
135 static const std::string inputInterceptor = "ohos.permission.INTERCEPT_INPUT_EVENT";
136 int32_t ret = OHOS::Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, inputInterceptor);
137 if (ret != OHOS::Security::AccessToken::PERMISSION_GRANTED) {
138 MMI_HILOGE("Check interceptor permission failed ret:%{public}d", ret);
139 return false;
140 }
141 MMI_HILOGD("Check interceptor permission success");
142 return true;
143 }
144
CheckDispatchControl()145 bool PermissionHelper::CheckDispatchControl()
146 {
147 CALL_DEBUG_ENTER;
148 auto tokenId = IPCSkeleton::GetCallingTokenID();
149 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
150 if ((tokenType == OHOS::Security::AccessToken::TOKEN_HAP) ||
151 (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE)) {
152 return CheckDispatchControlPermission(tokenId);
153 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
154 MMI_HILOGI("Token type is shell");
155 return true;
156 } else {
157 MMI_HILOGE("Unsupported token type:%{public}d", tokenType);
158 return false;
159 }
160 }
161
CheckDispatchControlPermission(uint32_t tokenId)162 bool PermissionHelper::CheckDispatchControlPermission(uint32_t tokenId)
163 {
164 static const std::string inputDispatchControl = "ohos.permission.INPUT_CONTROL_DISPATCHING";
165 int32_t ret = OHOS::Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, inputDispatchControl);
166 if (ret != OHOS::Security::AccessToken::PERMISSION_GRANTED) {
167 MMI_HILOGE("Check input dispatch control permission failed ret:%{public}d", ret);
168 return false;
169 }
170 MMI_HILOGD("Check input dispatch control permission success");
171 return true;
172 }
173
GetTokenType()174 int32_t PermissionHelper::GetTokenType()
175 {
176 CALL_DEBUG_ENTER;
177 auto tokenId = IPCSkeleton::GetCallingTokenID();
178 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
179 if (tokenType == OHOS::Security::AccessToken::TOKEN_HAP) {
180 return TokenType::TOKEN_HAP;
181 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE) {
182 return TokenType::TOKEN_NATIVE;
183 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
184 return TokenType::TOKEN_SHELL;
185 } else {
186 MMI_HILOGW("Unsupported token type:%{public}d", tokenType);
187 return TokenType::TOKEN_INVALID;
188 }
189 }
190 } // namespace MMI
191 } // namespace OHOS
192