1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_manager.h"
17
18 #include <iostream>
19 #include <numeric>
20 #include <sstream>
21
22 #include "access_token.h"
23 #include "access_token_error.h"
24 #include "accesstoken_dfx_define.h"
25 #include "accesstoken_id_manager.h"
26 #include "accesstoken_info_manager.h"
27 #include "accesstoken_common_log.h"
28 #include "access_token_db.h"
29 #include "app_manager_access_client.h"
30 #include "callback_manager.h"
31 #include "constant_common.h"
32 #ifdef SUPPORT_SANDBOX_APP
33 #include "dlp_permission_set_manager.h"
34 #endif
35 #include "ipc_skeleton.h"
36 #include "hisysevent_adapter.h"
37 #include "parameter.h"
38 #include "short_grant_manager.h"
39 #include "permission_map.h"
40 #include "permission_validator.h"
41 #include "perm_setproc.h"
42 #include "token_field_const.h"
43 #ifdef TOKEN_SYNC_ENABLE
44 #include "token_modify_notifier.h"
45 #endif
46
47 namespace OHOS {
48 namespace Security {
49 namespace AccessToken {
50 namespace {
51 static const char* PERMISSION_STATUS_CHANGE_KEY = "accesstoken.permission.change";
52 static constexpr int32_t VALUE_MAX_LEN = 32;
53 static const std::vector<std::string> g_notDisplayedPerms = {
54 "ohos.permission.ANSWER_CALL",
55 "ohos.permission.MANAGE_VOICEMAIL",
56 "ohos.permission.READ_CELL_MESSAGES",
57 "ohos.permission.READ_MESSAGES",
58 "ohos.permission.RECEIVE_MMS",
59 "ohos.permission.RECEIVE_SMS",
60 "ohos.permission.RECEIVE_WAP_MESSAGES",
61 "ohos.permission.SEND_MESSAGES",
62 "ohos.permission.READ_CALL_LOG",
63 "ohos.permission.WRITE_CALL_LOG",
64 "ohos.permission.SHORT_TERM_WRITE_IMAGEVIDEO"
65 };
66 constexpr const char* APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM = "enterprise_mdm";
67 }
68 PermissionManager* PermissionManager::implInstance_ = nullptr;
69 std::recursive_mutex PermissionManager::mutex_;
70
GetInstance()71 PermissionManager& PermissionManager::GetInstance()
72 {
73 if (implInstance_ == nullptr) {
74 std::lock_guard<std::recursive_mutex> lock_l(mutex_);
75 if (implInstance_ == nullptr) {
76 implInstance_ = new PermissionManager();
77 }
78 }
79 return *implInstance_;
80 }
81
RegisterImpl(PermissionManager * implInstance)82 void PermissionManager::RegisterImpl(PermissionManager* implInstance)
83 {
84 implInstance_ = implInstance;
85 }
86
PermissionManager()87 PermissionManager::PermissionManager()
88 {
89 char value[VALUE_MAX_LEN] = {0};
90 int32_t ret = GetParameter(PERMISSION_STATUS_CHANGE_KEY, "", value, VALUE_MAX_LEN - 1);
91 if (ret < 0) {
92 LOGE(ATM_DOMAIN, ATM_TAG, "Return default value, ret=%{public}d", ret);
93 paramValue_ = 0;
94 return;
95 }
96 paramValue_ = static_cast<uint64_t>(std::atoll(value));
97 }
98
~PermissionManager()99 PermissionManager::~PermissionManager()
100 {}
101
VerifyHapAccessToken(AccessTokenID tokenID,const std::string & permissionName)102 int PermissionManager::VerifyHapAccessToken(AccessTokenID tokenID, const std::string& permissionName)
103 {
104 return HapTokenInfoInner::VerifyPermissionStatus(tokenID, permissionName); // 从data获取
105 }
106
GetPermissionUsedType(AccessTokenID tokenID,const std::string & permissionName)107 PermUsedTypeEnum PermissionManager::GetPermissionUsedType(
108 AccessTokenID tokenID, const std::string& permissionName)
109 {
110 if ((tokenID == INVALID_TOKENID) ||
111 (TOKEN_HAP != AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID))) {
112 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d is invalid.", tokenID);
113 return PermUsedTypeEnum::INVALID_USED_TYPE;
114 }
115 PermUsedTypeEnum ret = HapTokenInfoInner::GetPermissionUsedType(tokenID, permissionName);
116 LOGI(ATM_DOMAIN, ATM_TAG,
117 "Application %{public}u apply for %{public}s for type %{public}d.", tokenID, permissionName.c_str(), ret);
118 return ret;
119 }
120
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStatus> & reqPermList,bool isSystemGrant)121 int PermissionManager::GetReqPermissions(
122 AccessTokenID tokenID, std::vector<PermissionStatus>& reqPermList, bool isSystemGrant)
123 {
124 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, isSystemGrant: %{public}d", tokenID, isSystemGrant);
125 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
126 if (infoPtr == nullptr) {
127 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid.", tokenID);
128 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
129 }
130 GrantMode mode = isSystemGrant ? SYSTEM_GRANT : USER_GRANT;
131 std::vector<PermissionStatus> tmpList;
132 int32_t ret = infoPtr->GetPermissionStateList(tmpList);
133 if (ret != RET_SUCCESS) {
134 LOGE(ATM_DOMAIN, ATM_TAG, "GetPermissionStateList failed, token %{public}u is invalid.", tokenID);
135 return ret;
136 }
137 for (const auto& perm : tmpList) {
138 PermissionBriefDef briefDef;
139 if (!GetPermissionBriefDef(perm.permissionName, briefDef)) {
140 continue;
141 }
142
143 if (briefDef.grantMode == mode) {
144 reqPermList.emplace_back(perm);
145 }
146 }
147 return RET_SUCCESS;
148 }
149
IsPermissionRequestedInHap(const std::vector<PermissionStatus> & permsList,PermissionListState & permState,int32_t & status,uint32_t & flag)150 static bool IsPermissionRequestedInHap(const std::vector<PermissionStatus>& permsList,
151 PermissionListState& permState, int32_t& status, uint32_t& flag)
152 {
153 const std::string permission = permState.permissionName;
154 if (!IsPermissionValidForHap(permission)) {
155 LOGE(ATM_DOMAIN, ATM_TAG, "No definition for hap permission: %{public}s!", permission.c_str());
156 permState.errorReason = PERM_INVALID;
157 return false;
158 }
159 auto iter = std::find_if(permsList.begin(), permsList.end(), [permission](const PermissionStatus& perm) {
160 return permission == perm.permissionName;
161 });
162 if (iter == permsList.end()) {
163 LOGW(ATM_DOMAIN, ATM_TAG, "Can not find permission: %{public}s define!", permission.c_str());
164 permState.errorReason = PERM_NOT_DECLEARED;
165 return false;
166 }
167 LOGD(ATM_DOMAIN, ATM_TAG, "Find goal permission: %{public}s, status: %{public}d, flag: %{public}d",
168 permission.c_str(), iter->grantStatus, iter->grantFlag);
169 status = iter->grantStatus;
170 flag = static_cast<uint32_t>(iter->grantFlag);
171 return true;
172 }
173
IsPermissionRestrictedByRules(const std::string & permission)174 static bool IsPermissionRestrictedByRules(const std::string& permission)
175 {
176 // Several permission is not available to common apps.
177 // Specified apps can get the permission by pre-authorization instead of Pop-ups.
178 auto iterator = std::find(g_notDisplayedPerms.begin(), g_notDisplayedPerms.end(), permission);
179 if (iterator != g_notDisplayedPerms.end()) {
180 LOGW(ATM_DOMAIN, ATM_TAG, "Permission is not available to common apps: %{public}s!", permission.c_str());
181 return true;
182 }
183
184 #ifdef SUPPORT_SANDBOX_APP
185 // Specified dlp permissions are limited to specified dlp type hap.
186 AccessTokenID callingTokenId = IPCSkeleton::GetCallingTokenID();
187 int32_t dlpType = AccessTokenInfoManager::GetInstance().GetHapTokenDlpType(callingTokenId);
188 if ((dlpType != DLP_COMMON) &&
189 !DlpPermissionSetManager::GetInstance().IsPermissionAvailableToDlpHap(dlpType, permission)) {
190 LOGW(ATM_DOMAIN, ATM_TAG,
191 "callingTokenId is not allowed to grant dlp permission: %{public}s!", permission.c_str());
192 return true;
193 }
194 #endif
195
196 return false;
197 }
198
GetSelfPermissionState(const std::vector<PermissionStatus> & permsList,PermissionListState & permState,int32_t apiVersion)199 void PermissionManager::GetSelfPermissionState(const std::vector<PermissionStatus>& permsList,
200 PermissionListState& permState, int32_t apiVersion)
201 {
202 int32_t goalGrantStatus;
203 uint32_t goalGrantFlag;
204
205 // api8 require vague location permission refuse directly because there is no vague location permission in api8
206 if ((permState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) && (apiVersion < ACCURATE_LOCATION_API_VERSION)) {
207 permState.state = INVALID_OPER;
208 permState.errorReason = CONDITIONS_NOT_MET;
209 return;
210 }
211 if (!IsPermissionRequestedInHap(permsList, permState, goalGrantStatus, goalGrantFlag)) {
212 permState.state = INVALID_OPER;
213 return;
214 }
215 if (IsPermissionRestrictedByRules(permState.permissionName)) {
216 permState.state = INVALID_OPER;
217 permState.errorReason = UNABLE_POP_UP;
218 return;
219 }
220 LOGI(ATM_DOMAIN, ATM_TAG, "%{public}s: status: %{public}d, flag: %{public}d",
221 permState.permissionName.c_str(), goalGrantStatus, goalGrantFlag);
222 if (goalGrantStatus == PERMISSION_DENIED) {
223 if ((goalGrantFlag & PERMISSION_POLICY_FIXED) != 0) {
224 permState.state = SETTING_OPER;
225 permState.errorReason = REQ_SUCCESS;
226 return;
227 }
228
229 if ((goalGrantFlag == PERMISSION_DEFAULT_FLAG) || ((goalGrantFlag & PERMISSION_USER_SET) != 0) ||
230 ((goalGrantFlag & PERMISSION_COMPONENT_SET) != 0) || ((goalGrantFlag & PERMISSION_ALLOW_THIS_TIME) != 0)) {
231 permState.state = DYNAMIC_OPER;
232 permState.errorReason = REQ_SUCCESS;
233 return;
234 }
235 if ((goalGrantFlag & PERMISSION_USER_FIXED) != 0) {
236 permState.state = SETTING_OPER;
237 permState.errorReason = REQ_SUCCESS;
238 return;
239 }
240 }
241 permState.state = PASS_OPER;
242 permState.errorReason = REQ_SUCCESS;
243 return;
244 }
245
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)246 int PermissionManager::GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
247 {
248 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s", tokenID, permissionName.c_str());
249 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
250 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName:%{public}s invalid!", permissionName.c_str());
251 return AccessTokenError::ERR_PARAM_INVALID;
252 }
253 if (!IsDefinedPermission(permissionName)) {
254 LOGE(ATM_DOMAIN, ATM_TAG, "No definition for permission: %{public}s!", permissionName.c_str());
255 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
256 }
257 uint32_t fullFlag;
258 int32_t ret = HapTokenInfoInner::QueryPermissionFlag(tokenID, permissionName, fullFlag);
259 if (ret == RET_SUCCESS) {
260 flag = ConstantCommon::GetFlagWithoutSpecifiedElement(fullFlag, PERMISSION_GRANTED_BY_POLICY);
261 }
262 return ret;
263 }
264
GetAbilityManager()265 AbilityManagerAccessLoaderInterface* PermissionManager::GetAbilityManager()
266 {
267 if (abilityManagerLoader_ == nullptr) {
268 std::lock_guard<std::mutex> lock(abilityManagerMutex_);
269 if (abilityManagerLoader_ == nullptr) {
270 abilityManagerLoader_ = std::make_shared<LibraryLoader>(ABILITY_MANAGER_LIBPATH);
271 }
272 }
273
274 return abilityManagerLoader_->GetObject<AbilityManagerAccessLoaderInterface>();
275 }
276
RequestAppPermOnSetting(const HapTokenInfo & hapInfo,const std::string & bundleName,const std::string & abilityName)277 int32_t PermissionManager::RequestAppPermOnSetting(const HapTokenInfo& hapInfo,
278 const std::string& bundleName, const std::string& abilityName)
279 {
280 LOGI(ATM_DOMAIN, ATM_TAG, "bundleName=%{public}s, abilityName=%{public}s, hapInfo.bundleName=%{public}s",
281 bundleName.c_str(), abilityName.c_str(), hapInfo.bundleName.c_str());
282
283 InnerWant innerWant = {
284 .bundleName = bundleName,
285 .abilityName = abilityName,
286 .hapBundleName = hapInfo.bundleName,
287 .hapAppIndex = hapInfo.instIndex,
288 .hapUserID = hapInfo.userID,
289 .callerTokenId = IPCSkeleton::GetCallingTokenID()
290 };
291
292 AbilityManagerAccessLoaderInterface* abilityManager = GetAbilityManager();
293 if (abilityManager == nullptr) {
294 LOGE(ATM_DOMAIN, ATM_TAG, "AbilityManager is nullptr!");
295 return AccessTokenError::ERR_SERVICE_ABNORMAL;
296 }
297 ErrCode err = abilityManager->StartAbility(innerWant, nullptr);
298 if (err != ERR_OK) {
299 LOGE(ATM_DOMAIN, ATM_TAG, "Fail to StartAbility, err:%{public}d", err);
300 return AccessTokenError::ERR_SERVICE_ABNORMAL;
301 }
302 return ERR_OK;
303 }
304
ParamUpdate(const std::string & permissionName,uint32_t flag,bool filtered)305 void PermissionManager::ParamUpdate(const std::string& permissionName, uint32_t flag, bool filtered)
306 {
307 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permParamSetLock_);
308 if (filtered || (IsUserGrantPermission(permissionName) &&
309 ((flag != PERMISSION_GRANTED_BY_POLICY) && (flag != PERMISSION_SYSTEM_FIXED)))) {
310 paramValue_++;
311 LOGD(ATM_DOMAIN, ATM_TAG,
312 "paramValue_ change %{public}llu", static_cast<unsigned long long>(paramValue_));
313 int32_t res = SetParameter(PERMISSION_STATUS_CHANGE_KEY, std::to_string(paramValue_).c_str());
314 if (res != 0) {
315 LOGE(ATM_DOMAIN, ATM_TAG, "SetParameter failed %{public}d", res);
316 }
317 }
318 }
319
NotifyWhenPermissionStateUpdated(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag,const std::shared_ptr<HapTokenInfoInner> & infoPtr)320 void PermissionManager::NotifyWhenPermissionStateUpdated(AccessTokenID tokenID, const std::string& permissionName,
321 bool isGranted, uint32_t flag, const std::shared_ptr<HapTokenInfoInner>& infoPtr)
322 {
323 LOGI(ATM_DOMAIN, ATM_TAG, "IsUpdated");
324 int32_t changeType = isGranted ? STATE_CHANGE_GRANTED : STATE_CHANGE_REVOKED;
325
326 // set to kernel(grant/revoke)
327 SetPermToKernel(tokenID, permissionName, isGranted);
328
329 // To notify the listener register.
330 CallbackManager::GetInstance().ExecuteCallbackAsync(tokenID, permissionName, changeType);
331
332 // To notify the client cache to update by resetting paramValue_.
333 ParamUpdate(permissionName, flag, false);
334
335 // DFX.
336 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK_EVENT",
337 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "CODE", USER_GRANT_PERMISSION_EVENT,
338 "CALLER_TOKENID", tokenID, "PERMISSION_NAME", permissionName, "FLAG", flag,
339 "PERMISSION_GRANT_TYPE", changeType);
340 grantEvent_.AddEvent(tokenID, permissionName, infoPtr->permUpdateTimestamp_);
341 }
342
UpdateTokenPermissionState(AccessTokenID id,const std::string & permission,bool isGranted,uint32_t flag,bool needKill)343 int32_t PermissionManager::UpdateTokenPermissionState(
344 AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag, bool needKill)
345 {
346 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(id);
347 if (infoPtr == nullptr) {
348 LOGE(ATM_DOMAIN, ATM_TAG, "tokenInfo is null, tokenId=%{public}u", id);
349 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
350 }
351
352 int32_t ret = UpdateTokenPermissionStateCheck(infoPtr, id, permission, isGranted, flag);
353 if (ret != ERR_OK) {
354 return ret;
355 }
356
357 // statusBefore cannot use VerifyPermissionStatus in permPolicySet, because the function exclude secComp
358 bool isSecCompGrantedBefore = HapTokenInfoInner::IsPermissionGrantedWithSecComp(id, permission);
359 bool statusChanged = false;
360 ret = infoPtr->UpdatePermissionStatus(permission, isGranted, flag, statusChanged);
361 if (ret != RET_SUCCESS) {
362 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR",
363 HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", UPDATE_PERMISSION_STATUS_FAILED, "TOKENID", id,
364 "PERM", permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", ret,
365 "INT_VAL2", static_cast<int32_t>(flag), "NEED_KILL", needKill);
366 return ret;
367 }
368 if (statusChanged) {
369 NotifyWhenPermissionStateUpdated(id, permission, isGranted, flag, infoPtr);
370 // To notify kill process when perm is revoke
371 if (needKill && (!isGranted && !isSecCompGrantedBefore)) {
372 LOGI(ATM_DOMAIN, ATM_TAG, "(%{public}s) is revoked, kill process(%{public}u).", permission.c_str(), id);
373 AbilityManagerAccessLoaderInterface* abilityManager = GetAbilityManager();
374 if (abilityManager == nullptr) {
375 LOGE(ATM_DOMAIN, ATM_TAG, "AbilityManager is nullptr!");
376 } else if ((ret = abilityManager->KillProcessForPermissionUpdate(id)) != ERR_OK) {
377 LOGE(ATM_DOMAIN, ATM_TAG, "kill process failed, ret=%{public}d.", ret);
378 }
379 }
380 }
381
382 #ifdef TOKEN_SYNC_ENABLE
383 TokenModifyNotifier::GetInstance().NotifyTokenModify(id);
384 #endif
385 return RET_SUCCESS;
386 }
387
UpdateTokenPermissionStateCheck(const std::shared_ptr<HapTokenInfoInner> & infoPtr,AccessTokenID id,const std::string & permission,bool isGranted,uint32_t flag)388 int32_t PermissionManager::UpdateTokenPermissionStateCheck(const std::shared_ptr<HapTokenInfoInner>& infoPtr,
389 AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag)
390 {
391 if (infoPtr->IsRemote()) {
392 LOGE(ATM_DOMAIN, ATM_TAG, "Remote token can not update");
393 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
394 }
395 if ((flag == PERMISSION_ALLOW_THIS_TIME) && isGranted) {
396 if (!TempPermissionObserver::GetInstance().IsAllowGrantTempPermission(id, permission)) {
397 LOGE(ATM_DOMAIN, ATM_TAG, "Id:%{public}d fail to grant permission:%{public}s", id, permission.c_str());
398 return ERR_IDENTITY_CHECK_FAILED;
399 }
400 }
401
402 #ifdef SUPPORT_SANDBOX_APP
403 int32_t hapDlpType = infoPtr->GetDlpType();
404 if (hapDlpType != DLP_COMMON) {
405 int32_t permDlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permission);
406 if (!DlpPermissionSetManager::GetInstance().IsPermDlpModeAvailableToDlpHap(hapDlpType, permDlpMode)) {
407 LOGD(ATM_DOMAIN, ATM_TAG, "%{public}s cannot to be granted to %{public}u", permission.c_str(), id);
408 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR",
409 HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", DLP_CHECK_FAILED, "TOKENID", id, "PERM",
410 permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", hapDlpType, "INT_VAL2", permDlpMode);
411 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
412 }
413 }
414 #endif
415 return ERR_OK;
416 }
417
UpdatePermission(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag,bool needKill)418 int32_t PermissionManager::UpdatePermission(AccessTokenID tokenID, const std::string& permissionName,
419 bool isGranted, uint32_t flag, bool needKill)
420 {
421 int32_t ret = UpdateTokenPermissionState(tokenID, permissionName, isGranted, flag, needKill);
422 if (ret != RET_SUCCESS) {
423 return ret;
424 }
425
426 #ifdef SUPPORT_SANDBOX_APP
427 // The action of sharing would be taken place only if the grant operation or revoke operation equals to success.
428 std::vector<AccessTokenID> tokenIdList;
429 AccessTokenInfoManager::GetInstance().GetRelatedSandBoxHapList(tokenID, tokenIdList);
430 for (const auto& id : tokenIdList) {
431 (void)UpdateTokenPermissionState(id, permissionName, isGranted, flag, needKill);
432 }
433 #endif
434
435 // DFX
436 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION",
437 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "TOKENID", tokenID, "PERMISSION_NAME",
438 permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted);
439 return RET_SUCCESS;
440 }
441
CheckAndUpdatePermission(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag)442 int32_t PermissionManager::CheckAndUpdatePermission(AccessTokenID tokenID, const std::string& permissionName,
443 bool isGranted, uint32_t flag)
444 {
445 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
446 LOGE(ATM_DOMAIN, ATM_TAG, "permissionName: %{public}s, Invalid params!", permissionName.c_str());
447 return AccessTokenError::ERR_PARAM_INVALID;
448 }
449 if (!IsDefinedPermission(permissionName)) {
450 LOGE(ATM_DOMAIN, ATM_TAG, "No definition for permission: %{public}s!", permissionName.c_str());
451 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
452 }
453 if (!PermissionValidator::IsPermissionFlagValid(flag)) {
454 LOGE(ATM_DOMAIN, ATM_TAG, "flag: %{public}d, Invalid params!", flag);
455 return AccessTokenError::ERR_PARAM_INVALID;
456 }
457 bool needKill = false;
458 // To kill process when perm is revoke
459 if (!isGranted && flag != PERMISSION_COMPONENT_SET) {
460 LOGI(ATM_DOMAIN, ATM_TAG, "Perm(%{public}s) is revoked, kill process(%{public}u).",
461 permissionName.c_str(), tokenID);
462 needKill = true;
463 }
464
465 return UpdatePermission(tokenID, permissionName, isGranted, flag, needKill);
466 }
467
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)468 int32_t PermissionManager::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
469 {
470 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s, flag: %{public}d",
471 tokenID, permissionName.c_str(), flag);
472 return CheckAndUpdatePermission(tokenID, permissionName, true, flag);
473 }
474
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)475 int32_t PermissionManager::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
476 {
477 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s, flag: %{public}d",
478 tokenID, permissionName.c_str(), flag);
479 return CheckAndUpdatePermission(tokenID, permissionName, false, flag);
480 }
481
GrantPermissionForSpecifiedTime(AccessTokenID tokenID,const std::string & permissionName,uint32_t onceTime)482 int32_t PermissionManager::GrantPermissionForSpecifiedTime(
483 AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime)
484 {
485 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s, onceTime: %{public}d",
486 tokenID, permissionName.c_str(), onceTime);
487 return ShortGrantManager::GetInstance().RefreshPermission(tokenID, permissionName, onceTime);
488 }
489
ScopeToString(const std::vector<AccessTokenID> & tokenIDs,const std::vector<std::string> & permList)490 void PermissionManager::ScopeToString(
491 const std::vector<AccessTokenID>& tokenIDs, const std::vector<std::string>& permList)
492 {
493 std::stringstream str;
494 copy(tokenIDs.begin(), tokenIDs.end(), std::ostream_iterator<uint32_t>(str, ", "));
495 std::string tokenidStr = str.str();
496
497 std::string permStr;
498 permStr = accumulate(permList.begin(), permList.end(), std::string(" "));
499
500 LOGI(ATM_DOMAIN, ATM_TAG, "TokenidStr = %{public}s permStr =%{public}s",
501 tokenidStr.c_str(), permStr.c_str());
502 }
503
ScopeFilter(const PermStateChangeScope & scopeSrc,PermStateChangeScope & scopeRes)504 int32_t PermissionManager::ScopeFilter(const PermStateChangeScope& scopeSrc, PermStateChangeScope& scopeRes)
505 {
506 std::set<uint32_t> tokenIdSet;
507 for (const auto& tokenId : scopeSrc.tokenIDs) {
508 if (AccessTokenInfoManager::GetInstance().IsTokenIdExist(tokenId) &&
509 (tokenIdSet.count(tokenId) == 0)) {
510 scopeRes.tokenIDs.emplace_back(tokenId);
511 tokenIdSet.insert(tokenId);
512 continue;
513 }
514 LOGE(ATM_DOMAIN, ATM_TAG, "TokenId %{public}d invalid!", tokenId);
515 }
516 std::set<std::string> permSet;
517 for (const auto& permissionName : scopeSrc.permList) {
518 if (IsDefinedPermission(permissionName) &&
519 permSet.count(permissionName) == 0) {
520 scopeRes.permList.emplace_back(permissionName);
521 permSet.insert(permissionName);
522 continue;
523 }
524 LOGE(ATM_DOMAIN, ATM_TAG, "Permission %{public}s invalid!", permissionName.c_str());
525 }
526 if ((scopeRes.tokenIDs.empty()) && (!scopeSrc.tokenIDs.empty())) {
527 LOGE(ATM_DOMAIN, ATM_TAG, "Valid tokenid size is 0!");
528 return AccessTokenError::ERR_PARAM_INVALID;
529 }
530 if ((scopeRes.permList.empty()) && (!scopeSrc.permList.empty())) {
531 LOGE(ATM_DOMAIN, ATM_TAG, "Valid permission size is 0!");
532 return AccessTokenError::ERR_PARAM_INVALID;
533 }
534 ScopeToString(scopeRes.tokenIDs, scopeRes.permList);
535 return RET_SUCCESS;
536 }
537
AddPermStateChangeCallback(const PermStateChangeScope & scope,const sptr<IRemoteObject> & callback)538 int32_t PermissionManager::AddPermStateChangeCallback(
539 const PermStateChangeScope& scope, const sptr<IRemoteObject>& callback)
540 {
541 PermStateChangeScope scopeRes;
542 int32_t result = ScopeFilter(scope, scopeRes);
543 if (result != RET_SUCCESS) {
544 return result;
545 }
546 return CallbackManager::GetInstance().AddCallback(scope, callback);
547 }
548
RemovePermStateChangeCallback(const sptr<IRemoteObject> & callback)549 int32_t PermissionManager::RemovePermStateChangeCallback(const sptr<IRemoteObject>& callback)
550 {
551 LOGI(ATM_DOMAIN, ATM_TAG, "Called");
552 return CallbackManager::GetInstance().RemoveCallback(callback);
553 }
554
GetApiVersionByTokenId(AccessTokenID tokenID,int32_t & apiVersion)555 bool PermissionManager::GetApiVersionByTokenId(AccessTokenID tokenID, int32_t& apiVersion)
556 {
557 // only hap can do this
558 AccessTokenIDInner *idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenID);
559 ATokenTypeEnum tokenType = (ATokenTypeEnum)(idInner->type);
560 if (tokenType != TOKEN_HAP) {
561 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid token type %{public}d", tokenType);
562 return false;
563 }
564
565 HapTokenInfo hapInfo;
566 int ret = AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo);
567 if (ret != RET_SUCCESS) {
568 LOGE(ATM_DOMAIN, ATM_TAG, "Get hap token info error!");
569 return false;
570 }
571
572 apiVersion = hapInfo.apiVersion;
573
574 return true;
575 }
576
IsPermissionVaild(const std::string & permissionName)577 bool PermissionManager::IsPermissionVaild(const std::string& permissionName)
578 {
579 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
580 LOGW(ATM_DOMAIN, ATM_TAG, "Invalid permissionName %{public}s", permissionName.c_str());
581 return false;
582 }
583
584 if (!IsDefinedPermission(permissionName)) {
585 LOGW(ATM_DOMAIN, ATM_TAG, "Permission %{public}s has no definition ", permissionName.c_str());
586 return false;
587 }
588 return true;
589 }
590
GetLocationPermissionIndex(std::vector<PermissionListStateParcel> & reqPermList,LocationIndex & locationIndex)591 bool PermissionManager::GetLocationPermissionIndex(std::vector<PermissionListStateParcel>& reqPermList,
592 LocationIndex& locationIndex)
593 {
594 uint32_t index = 0;
595 bool hasFound = false;
596
597 for (const auto& perm : reqPermList) {
598 if (perm.permsState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) {
599 locationIndex.vagueIndex = index;
600 hasFound = true;
601 } else if (perm.permsState.permissionName == ACCURATE_LOCATION_PERMISSION_NAME) {
602 locationIndex.accurateIndex = index;
603 hasFound = true;
604 } else if (perm.permsState.permissionName == BACKGROUND_LOCATION_PERMISSION_NAME) {
605 locationIndex.backIndex = index;
606 hasFound = true;
607 }
608
609 index++;
610
611 if ((locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) &&
612 (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) &&
613 (locationIndex.backIndex != PERMISSION_NOT_REQUSET)) {
614 break;
615 }
616 }
617
618 LOGI(ATM_DOMAIN, ATM_TAG,
619 "vague index is %{public}d, accurate index is %{public}d, background index is %{public}d!",
620 locationIndex.vagueIndex, locationIndex.accurateIndex, locationIndex.backIndex);
621
622 return hasFound;
623 }
624
GetLocationPermissionState(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStatus> & permsList,int32_t apiVersion,const LocationIndex & locationIndex)625 bool PermissionManager::GetLocationPermissionState(AccessTokenID tokenID,
626 std::vector<PermissionListStateParcel>& reqPermList, std::vector<PermissionStatus>& permsList,
627 int32_t apiVersion, const LocationIndex& locationIndex)
628 {
629 bool needVagueDynamic = false;
630 bool needAccurateDynamic = false; // needVagueDynamic-false, 1. not request;2. request but not equal to DYNAMIC_OPER
631 if (locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) {
632 GetSelfPermissionState(permsList, reqPermList[locationIndex.vagueIndex].permsState, apiVersion);
633 needVagueDynamic = reqPermList[locationIndex.vagueIndex].permsState.state == DYNAMIC_OPER;
634 }
635
636 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
637 bool isVagueGranted = VerifyHapAccessToken(tokenID, VAGUE_LOCATION_PERMISSION_NAME) == PERMISSION_GRANTED;
638 // request accurate and vague permission, if vague has been set or invalid, accurate can't be requested
639 GetSelfPermissionState(permsList, reqPermList[locationIndex.accurateIndex].permsState, apiVersion);
640 needAccurateDynamic = reqPermList[locationIndex.accurateIndex].permsState.state == DYNAMIC_OPER;
641
642 // update permsState
643 if (needAccurateDynamic) {
644 // vague permissoion is not pop and permission status os not granted
645 if (!needVagueDynamic && !isVagueGranted) {
646 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
647 reqPermList[locationIndex.accurateIndex].permsState.errorReason = CONDITIONS_NOT_MET;
648 needAccurateDynamic = false;
649 }
650 }
651 }
652
653 if (locationIndex.backIndex != PERMISSION_NOT_REQUSET) {
654 if (apiVersion >= BACKGROUND_LOCATION_API_VERSION) {
655 // background permission
656 // with back and vague permission, request back can not pop dynamic dialog
657 if (locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) {
658 reqPermList[locationIndex.vagueIndex].permsState.state = INVALID_OPER;
659 reqPermList[locationIndex.vagueIndex].permsState.errorReason = CONDITIONS_NOT_MET;
660 }
661 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
662 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
663 reqPermList[locationIndex.accurateIndex].permsState.errorReason = CONDITIONS_NOT_MET;
664 }
665 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
666 reqPermList[locationIndex.backIndex].permsState.errorReason = CONDITIONS_NOT_MET;
667 return false;
668 }
669 // with back and vague permission
670 // back state is SETTING_OPER when dynamic pop-up dialog appears and INVALID_OPER when it doesn't
671 GetSelfPermissionState(permsList, reqPermList[locationIndex.backIndex].permsState, apiVersion);
672 if (reqPermList[locationIndex.backIndex].permsState.state == DYNAMIC_OPER) {
673 if (needAccurateDynamic || needVagueDynamic) {
674 reqPermList[locationIndex.backIndex].permsState.state = SETTING_OPER;
675 reqPermList[locationIndex.backIndex].permsState.errorReason = REQ_SUCCESS;
676 } else {
677 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
678 reqPermList[locationIndex.backIndex].permsState.errorReason = CONDITIONS_NOT_MET;
679 }
680 }
681 }
682 return needVagueDynamic || needAccurateDynamic;
683 }
684
LocationPermissionSpecialHandle(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStatus> & permsList,int32_t apiVersion)685 bool PermissionManager::LocationPermissionSpecialHandle(
686 AccessTokenID tokenID,
687 std::vector<PermissionListStateParcel>& reqPermList,
688 std::vector<PermissionStatus>& permsList, int32_t apiVersion)
689 {
690 struct LocationIndex locationIndex;
691 if (!GetLocationPermissionIndex(reqPermList, locationIndex)) {
692 return false;
693 }
694 return GetLocationPermissionState(tokenID, reqPermList, permsList, apiVersion, locationIndex);
695 }
696
NotifyUpdatedPermList(const std::vector<std::string> & grantedPermListBefore,const std::vector<std::string> & grantedPermListAfter,AccessTokenID tokenID)697 void PermissionManager::NotifyUpdatedPermList(const std::vector<std::string>& grantedPermListBefore,
698 const std::vector<std::string>& grantedPermListAfter, AccessTokenID tokenID)
699 {
700 for (uint32_t i = 0; i < grantedPermListBefore.size(); i++) {
701 LOGI(ATM_DOMAIN, ATM_TAG, "grantedPermListBefore[i] %{public}s.", grantedPermListBefore[i].c_str());
702 auto it = find(grantedPermListAfter.begin(), grantedPermListAfter.end(), grantedPermListBefore[i]);
703 if (it == grantedPermListAfter.end()) {
704 CallbackManager::GetInstance().ExecuteCallbackAsync(
705 tokenID, grantedPermListBefore[i], STATE_CHANGE_REVOKED);
706 ParamUpdate(grantedPermListBefore[i], 0, true);
707 }
708 }
709 for (uint32_t i = 0; i < grantedPermListAfter.size(); i++) {
710 LOGI(ATM_DOMAIN, ATM_TAG, "grantedPermListAfter[i] %{public}s.", grantedPermListAfter[i].c_str());
711 auto it = find(grantedPermListBefore.begin(), grantedPermListBefore.end(), grantedPermListAfter[i]);
712 if (it == grantedPermListBefore.end()) {
713 CallbackManager::GetInstance().ExecuteCallbackAsync(
714 tokenID, grantedPermListAfter[i], STATE_CHANGE_GRANTED);
715 ParamUpdate(grantedPermListAfter[i], 0, false);
716 }
717 }
718 }
719
IsPermissionStateOrFlagMatched(const PermissionStatus & state1,const PermissionStatus & state2)720 bool PermissionManager::IsPermissionStateOrFlagMatched(const PermissionStatus& state1,
721 const PermissionStatus& state2)
722 {
723 return ((state1.grantStatus == state2.grantStatus) && (state1.grantFlag == state2.grantFlag));
724 }
725
GetStateOrFlagChangedList(std::vector<PermissionStatus> & stateListBefore,std::vector<PermissionStatus> & stateListAfter,std::vector<PermissionStatus> & stateChangeList)726 void PermissionManager::GetStateOrFlagChangedList(std::vector<PermissionStatus>& stateListBefore,
727 std::vector<PermissionStatus>& stateListAfter, std::vector<PermissionStatus>& stateChangeList)
728 {
729 uint32_t size = stateListBefore.size();
730
731 for (uint32_t i = 0; i < size; ++i) {
732 PermissionStatus state1 = stateListBefore[i];
733 PermissionStatus state2 = stateListAfter[i];
734
735 if (!IsPermissionStateOrFlagMatched(state1, state2)) {
736 stateChangeList.emplace_back(state2);
737 }
738 }
739 }
740
NotifyPermGrantStoreResult(bool result,uint64_t timestamp)741 void PermissionManager::NotifyPermGrantStoreResult(bool result, uint64_t timestamp)
742 {
743 grantEvent_.NotifyPermGrantStoreResult(result, timestamp);
744 }
745
AddNativePermToKernel(AccessTokenID tokenID,const std::vector<uint32_t> & opCodeList,const std::vector<bool> & statusList)746 void PermissionManager::AddNativePermToKernel(AccessTokenID tokenID,
747 const std::vector<uint32_t>& opCodeList, const std::vector<bool>& statusList)
748 {
749 int32_t ret = AddPermissionToKernel(tokenID, opCodeList, statusList);
750 if (ret != ACCESS_TOKEN_OK) {
751 LOGE(ATM_DOMAIN, ATM_TAG, "AddPermissionToKernel(token=%{public}d), size=%{public}zu, err=%{public}d",
752 tokenID, opCodeList.size(), ret);
753 }
754 }
755
AddHapPermToKernel(AccessTokenID tokenID,const std::vector<std::string> & permList)756 void PermissionManager::AddHapPermToKernel(AccessTokenID tokenID, const std::vector<std::string>& permList)
757 {
758 std::vector<uint32_t> permCodeList;
759 for (const auto &permission : permList) {
760 uint32_t code;
761 if (!TransferPermissionToOpcode(permission, code)) {
762 continue;
763 }
764 permCodeList.emplace_back(code);
765 }
766
767 std::vector<uint32_t> opCodeList;
768 std::vector<bool> statusList;
769 HapTokenInfoInner::GetPermStatusListByTokenId(tokenID, permCodeList, opCodeList, statusList);
770 int32_t ret = AddPermissionToKernel(tokenID, opCodeList, statusList);
771 if (ret != ACCESS_TOKEN_OK) {
772 LOGE(ATM_DOMAIN, ATM_TAG, "AddPermissionToKernel(token=%{public}d), size=%{public}zu, err=%{public}d",
773 tokenID, opCodeList.size(), ret);
774 }
775 }
776
RemovePermFromKernel(AccessTokenID tokenID)777 void PermissionManager::RemovePermFromKernel(AccessTokenID tokenID)
778 {
779 int32_t ret = RemovePermissionFromKernel(tokenID);
780 LOGI(ATM_DOMAIN, ATM_TAG,
781 "RemovePermissionFromKernel(token=%{public}d), err=%{public}d", tokenID, ret);
782 }
783
SetPermToKernel(AccessTokenID tokenID,const std::string & permissionName,bool isGranted)784 void PermissionManager::SetPermToKernel(
785 AccessTokenID tokenID, const std::string& permissionName, bool isGranted)
786 {
787 uint32_t code;
788 if (!TransferPermissionToOpcode(permissionName, code)) {
789 return;
790 }
791 int32_t ret = SetPermissionToKernel(tokenID, code, isGranted);
792 LOGI(ATM_DOMAIN, ATM_TAG,
793 "SetPermissionToKernel(token=%{public}d, permission=(%{public}s), err=%{public}d",
794 tokenID, permissionName.c_str(), ret);
795 }
796
IsAclSatisfied(const PermissionBriefDef & briefDef,const HapPolicy & policy)797 bool IsAclSatisfied(const PermissionBriefDef& briefDef, const HapPolicy& policy)
798 {
799 if (policy.checkIgnore == HapPolicyCheckIgnore::ACL_IGNORE_CHECK) {
800 LOGI(ATM_DOMAIN, ATM_TAG, "%{public}s ignore acl check.", briefDef.permissionName);
801 return true;
802 }
803
804 if (policy.apl < briefDef.availableLevel) {
805 if (!briefDef.provisionEnable) {
806 LOGE(ATM_DOMAIN, ATM_TAG, "%{public}s provisionEnable is false.", briefDef.permissionName);
807 return false;
808 }
809 bool isAclExist = false;
810 if (briefDef.hasValue) {
811 isAclExist = std::any_of(
812 policy.aclExtendedMap.begin(), policy.aclExtendedMap.end(), [briefDef](const auto &perm) {
813 return std::string(briefDef.permissionName) == perm.first;
814 });
815 } else {
816 isAclExist = std::any_of(
817 policy.aclRequestedList.begin(), policy.aclRequestedList.end(), [briefDef](const auto &perm) {
818 return std::string(briefDef.permissionName) == perm;
819 });
820 }
821
822 if (!isAclExist) {
823 LOGE(ATM_DOMAIN, ATM_TAG, "%{public}s need acl.", briefDef.permissionName);
824 return false;
825 }
826 }
827 return true;
828 }
829
IsPermAvailableRangeSatisfied(const PermissionBriefDef & briefDef,const std::string & appDistributionType)830 bool IsPermAvailableRangeSatisfied(const PermissionBriefDef& briefDef, const std::string& appDistributionType)
831 {
832 if (briefDef.availableType == ATokenAvailableTypeEnum::MDM) {
833 if (appDistributionType == "none") {
834 LOGI(ATM_DOMAIN, ATM_TAG, "Debug app use permission: %{public}s.",
835 briefDef.permissionName);
836 return true;
837 }
838 if (appDistributionType != APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM) {
839 LOGE(ATM_DOMAIN, ATM_TAG, "%{public}s is a mdm permission, the hap is not a mdm application.",
840 briefDef.permissionName);
841 return false;
842 }
843 }
844 return true;
845 }
846
IsUserGrantPermPreAuthorized(const std::vector<PreAuthorizationInfo> & list,const std::string & permissionName,bool & userCancelable)847 bool IsUserGrantPermPreAuthorized(const std::vector<PreAuthorizationInfo> &list,
848 const std::string &permissionName, bool &userCancelable)
849 {
850 auto iter = std::find_if(list.begin(), list.end(), [&permissionName](const auto &info) {
851 return info.permissionName == permissionName;
852 });
853 if (iter == list.end()) {
854 LOGI(ATM_DOMAIN, ATM_TAG, "Permission(%{public}s) is not in the list", permissionName.c_str());
855 return false;
856 }
857
858 userCancelable = iter->userCancelable;
859 return true;
860 }
861
InitDlpPermissionList(const std::string & bundleName,int32_t userId,std::vector<PermissionStatus> & initializedList)862 bool PermissionManager::InitDlpPermissionList(const std::string& bundleName, int32_t userId,
863 std::vector<PermissionStatus>& initializedList)
864 {
865 // get dlp original app
866 AccessTokenIDEx tokenId = AccessTokenInfoManager::GetInstance().GetHapTokenID(userId, bundleName, 0);
867 std::shared_ptr<HapTokenInfoInner> infoPtr =
868 AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenId.tokenIdExStruct.tokenID);
869 if (infoPtr == nullptr) {
870 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid.", tokenId.tokenIdExStruct.tokenID);
871 return false;
872 }
873 (void)infoPtr->GetPermissionStateList(initializedList);
874 return true;
875 }
876
InitPermissionList(const std::string & appDistributionType,const HapPolicy & policy,std::vector<PermissionStatus> & initializedList,HapInfoCheckResult & result)877 bool PermissionManager::InitPermissionList(const std::string& appDistributionType, const HapPolicy& policy,
878 std::vector<PermissionStatus>& initializedList, HapInfoCheckResult& result)
879 {
880 LOGI(ATM_DOMAIN, ATM_TAG, "Before, request perm list size: %{public}zu, preAuthorizationInfo size %{public}zu, "
881 "ACLRequestedList size %{public}zu.",
882 policy.permStateList.size(), policy.preAuthorizationInfo.size(), policy.aclRequestedList.size());
883
884 for (auto state : policy.permStateList) {
885 PermissionBriefDef briefDef;
886 if (!GetPermissionBriefDef(state.permissionName, briefDef)) {
887 LOGE(ATM_DOMAIN, ATM_TAG, "Get definition of %{public}s failed.",
888 state.permissionName.c_str());
889 continue;
890 }
891
892 if (!IsAclSatisfied(briefDef, policy)) {
893 result.permCheckResult.permissionName = state.permissionName;
894 result.permCheckResult.rule = PERMISSION_ACL_RULE;
895 LOGE(ATM_DOMAIN, ATM_TAG, "Acl of %{public}s is invalid.", briefDef.permissionName);
896 return false;
897 }
898
899 // edm check
900 if (!IsPermAvailableRangeSatisfied(briefDef, appDistributionType)) {
901 result.permCheckResult.permissionName = state.permissionName;
902 result.permCheckResult.rule = PERMISSION_EDM_RULE;
903 LOGE(ATM_DOMAIN, ATM_TAG, "Available range of %{public}s is invalid.", briefDef.permissionName);
904 return false;
905 }
906 state.grantFlag = PERMISSION_DEFAULT_FLAG;
907 state.grantStatus = PERMISSION_DENIED;
908
909 if (briefDef.grantMode == AccessToken::GrantMode::SYSTEM_GRANT) {
910 state.grantFlag = PERMISSION_SYSTEM_FIXED;
911 state.grantStatus = PERMISSION_GRANTED;
912 initializedList.emplace_back(state);
913 continue;
914 }
915 if (policy.preAuthorizationInfo.size() == 0) {
916 initializedList.emplace_back(state);
917 continue;
918 }
919 bool userCancelable = true;
920 if (IsUserGrantPermPreAuthorized(policy.preAuthorizationInfo, state.permissionName, userCancelable)) {
921 state.grantFlag = userCancelable ? PERMISSION_GRANTED_BY_POLICY : PERMISSION_SYSTEM_FIXED;
922 state.grantStatus = PERMISSION_GRANTED;
923 }
924 initializedList.emplace_back(state);
925 }
926 LOGI(ATM_DOMAIN, ATM_TAG, "After, request perm list size: %{public}zu.", initializedList.size());
927 return true;
928 }
929
930 } // namespace AccessToken
931 } // namespace Security
932 } // namespace OHOS
933