1 /*
2 * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "dlp_file_kits.h"
17 #include <cstdlib>
18 #include <fcntl.h>
19 #include <string>
20 #include <sys/stat.h>
21 #include <sys/types.h>
22 #include <unistd.h>
23 #include <unordered_map>
24 #include "dlp_file.h"
25 #include "dlp_permission_log.h"
26 #include "dlp_zip.h"
27 #include "file_uri.h"
28 #include "securec.h"
29 #include "dlp_utils.h"
30 #include "dlp_permission.h"
31
32 namespace OHOS {
33 namespace Security {
34 namespace DlpPermission {
35 namespace {
36 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_DLP_PERMISSION, "DlpFileKits"};
37 static const std::string FILE_SCHEME_PREFIX = "file://";
38 } // namespace
39 using Want = OHOS::AAFwk::Want;
40 using WantParams = OHOS::AAFwk::WantParams;
41
42 static const std::unordered_map<std::string, std::string> SUFFIX_MIMETYPE_MAP = {
43 {"txt", "text/plain"},
44 {"doc", "application/msword"},
45 {"docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document"},
46 {"dot", "application/msword"},
47 {"dotx", "application/vnd.openxmlformats-officedocument.wordprocessingml.template"},
48 {"odt", "application/vnd.oasis.opendocument.text"},
49 {"pdf", "application/pdf"},
50 {"pot", "application/vnd.ms-powerpoint"},
51 {"potx", "application/vnd.openxmlformats-officedocument.presentationml.template"},
52 {"pps", "application/vnd.ms-powerpoint"},
53 {"ppsx", "application/vnd.openxmlformats-officedocument.presentationml.slideshow"},
54 {"ppt", "application/vnd.ms-powerpoint"},
55 {"pptx", "application/vnd.openxmlformats-officedocument.presentationml.presentation"},
56 {"rtf", "text/rtf"},
57 {"xls", "application/vnd.ms-excel"},
58 {"xlsx", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"},
59 {"xlt", "application/vnd.ms-excel"},
60 {"xltx", "application/vnd.openxmlformats-officedocument.spreadsheetml.template"},
61 {"xlam", "application/vnd.ms-excel.addin.macroEnabled.12"},
62 {"xlsb", "application/vnd.ms-excel.sheet.binary.macroEnabled.12"},
63 {"xlsm", "application/vnd.ms-excel.sheet.macroEnabled.12"},
64 {"xltm", "application/vnd.ms-excel.template.macroEnabled.12"},
65 {"xml", "text/xml"},
66 {"ppam", "application/vnd.ms-powerpoint.addin.macroEnabled.12"},
67 {"pptm", "application/vnd.ms-powerpoint.presentation.macroEnabled.12"},
68 {"ppsm", "application/vnd.ms-powerpoint.slideshow.macroEnabled.12"},
69 {"potm", "application/vnd.ms-powerpoint.template.macroEnabled.12"},
70 {"docm", "application/vnd.ms-word.document.macroEnabled.12"},
71 {"dotm", "application/vnd.ms-word.template.macroEnabled.12"},
72 {"odp", "application/vnd.oasis.opendocument.presentation"},
73 };
74
IsDlpFileName(const std::string & dlpFileName)75 static bool IsDlpFileName(const std::string& dlpFileName)
76 {
77 uint32_t dlpSuffixLen = DLP_FILE_SUFFIX.size();
78 uint32_t fileNameLen = dlpFileName.size();
79 if (fileNameLen <= dlpSuffixLen) {
80 return false;
81 }
82
83 std::string fileSuffix = dlpFileName.substr(fileNameLen - dlpSuffixLen, dlpSuffixLen);
84 if (DlpUtils::ToLowerString(fileSuffix) != DLP_FILE_SUFFIX) {
85 return false;
86 }
87 return true;
88 }
89
GetMimeTypeBySuffix(const std::string & suffix)90 static std::string GetMimeTypeBySuffix(const std::string& suffix)
91 {
92 std::string lower = DlpUtils::ToLowerString(suffix);
93 auto iter = SUFFIX_MIMETYPE_MAP.find(lower);
94 if (iter != SUFFIX_MIMETYPE_MAP.end()) {
95 return iter->second;
96 }
97 return DEFAULT_STRING;
98 }
99
IsValidDlpHeader(const struct DlpHeader & head)100 static bool IsValidDlpHeader(const struct DlpHeader& head)
101 {
102 if (head.magic != DLP_FILE_MAGIC || head.certSize == 0 || head.certSize > DLP_MAX_CERT_SIZE ||
103 head.contactAccountSize == 0 || head.contactAccountSize > DLP_MAX_CERT_SIZE ||
104 head.certOffset != sizeof(struct DlpHeader)) {
105 DLP_LOG_ERROR(LABEL, "Parse dlp file header error. certSize=%{public}u, contactAccountSize=%{public}u",
106 head.certSize, head.contactAccountSize);
107 return false;
108 }
109 if (head.contactAccountOffset != (sizeof(struct DlpHeader) + head.certSize) ||
110 head.txtOffset != (sizeof(struct DlpHeader) + head.certSize + head.contactAccountSize + head.offlineCertSize) ||
111 head.txtSize > DLP_MAX_CONTENT_SIZE || head.offlineCertSize > DLP_MAX_CERT_SIZE) {
112 DLP_LOG_ERROR(LABEL, "Parse dlp file header error.");
113 return false;
114 }
115 return true;
116 }
117
IsDlpFile(int32_t dlpFd)118 bool DlpFileKits::IsDlpFile(int32_t dlpFd)
119 {
120 if (dlpFd < 0) {
121 DLP_LOG_ERROR(LABEL, "dlp file fd is invalid");
122 return false;
123 }
124
125 if (IsZipFile(dlpFd)) {
126 return CheckUnzipFileInfo(dlpFd);
127 }
128
129 off_t curPos = lseek(dlpFd, 0, SEEK_CUR);
130 if (curPos < 0) {
131 DLP_LOG_ERROR(LABEL, "seek dlp file current failed, %{public}s", strerror(errno));
132 return false;
133 }
134
135 if (lseek(dlpFd, 0, SEEK_SET) == static_cast<off_t>(-1)) {
136 DLP_LOG_ERROR(LABEL, "seek dlp file start failed, %{public}s", strerror(errno));
137 return false;
138 }
139 struct DlpHeader head;
140 if (read(dlpFd, &head, sizeof(struct DlpHeader)) != sizeof(struct DlpHeader)) {
141 DLP_LOG_ERROR(LABEL, "can not read dlp file head, %{public}s", strerror(errno));
142 return false;
143 }
144
145 if (lseek(dlpFd, curPos, SEEK_SET) < 0) {
146 DLP_LOG_ERROR(LABEL, "seek dlp file back failed, %{public}s", strerror(errno));
147 return false;
148 }
149
150 return IsValidDlpHeader(head);
151 }
152
GetSandboxFlag(Want & want)153 bool DlpFileKits::GetSandboxFlag(Want& want)
154 {
155 std::string action = want.GetAction();
156 if (!action.empty() && action != TAG_ACTION_VIEW && action != TAG_ACTION_EDIT) {
157 DLP_LOG_DEBUG(LABEL, "Action %{public}s is not dlp scene", action.c_str());
158 return false;
159 }
160
161 std::string uri = want.GetUriString();
162 if (uri.find(FILE_SCHEME_PREFIX) != 0) {
163 DLP_LOG_DEBUG(LABEL, "uri is missing file://");
164 return false;
165 }
166 AppFileService::ModuleFileUri::FileUri fileUri(uri);
167 std::string fileName = fileUri.GetName();
168 if (fileName.empty() || !IsDlpFileName(fileName)) {
169 DLP_LOG_DEBUG(LABEL, "File name is not exist or not dlp, name=%{private}s", fileName.c_str());
170 return false;
171 }
172 std::string path = fileUri.GetRealPath();
173 int fd = open(path.c_str(), O_RDONLY);
174 if (fd == -1) {
175 DLP_LOG_ERROR(LABEL, "open file error, uri=%{private}s path=%{private}s error=%{public}d", uri.c_str(),
176 path.c_str(), errno);
177 return false;
178 }
179 if (!IsDlpFile(fd)) {
180 DLP_LOG_WARN(LABEL, "Fd %{public}d is not dlp file", fd);
181 close(fd);
182 return false;
183 }
184 close(fd);
185 fd = -1;
186 std::string realSuffix = DlpUtils::GetDlpFileRealSuffix(fileName);
187 if (realSuffix != DEFAULT_STRING) {
188 DLP_LOG_DEBUG(LABEL, "Real suffix is %{public}s", realSuffix.c_str());
189 std::string realType = GetMimeTypeBySuffix(realSuffix);
190 if (realType != DEFAULT_STRING) {
191 want.SetType(realType);
192 } else {
193 DLP_LOG_INFO(LABEL, "Real suffix %{public}s not match known type, using origin type %{public}s",
194 realSuffix.c_str(), want.GetType().c_str());
195 }
196 }
197 DLP_LOG_INFO(LABEL, "Sanbox flag is true");
198 return true;
199 }
200
ConvertAbilityInfoWithBundleName(const std::string & abilityName,const std::string & bundleName,std::vector<AppExecFwk::AbilityInfo> & abilityInfos)201 static int32_t ConvertAbilityInfoWithBundleName(const std::string &abilityName, const std::string &bundleName,
202 std::vector<AppExecFwk::AbilityInfo> &abilityInfos)
203 {
204 Want want;
205 AppExecFwk::ElementName name;
206 name.SetAbilityName(abilityName);
207 name.SetBundleName(bundleName);
208 want.SetElement(name);
209
210 int32_t flags = static_cast<int32_t>(AppExecFwk::GetAbilityInfoFlag::GET_ABILITY_INFO_DEFAULT);
211 int32_t userId = 0;
212 int32_t ret = AccountSA::OsAccountManager::GetForegroundOsAccountLocalId(userId);
213 if (ret != ERR_OK) {
214 DLP_LOG_ERROR(LABEL, "Get os account localId error, %{public}d", ret);
215 return DLP_PARSE_ERROR_GET_ACCOUNT_FAIL;
216 }
217
218 auto bundleMgrProxy = DlpUtils::GetBundleMgrProxy();
219 if (bundleMgrProxy == nullptr) {
220 return DLP_SERVICE_ERROR_IPC_REQUEST_FAIL;
221 }
222 ret = bundleMgrProxy->QueryAbilityInfosV9(want, flags, userId, abilityInfos);
223 if (ret != ERR_OK) {
224 DLP_LOG_ERROR(LABEL, "Get ability info error, %{public}d", ret);
225 return DLP_PARSE_ERROR_BMS_ERROR;
226 }
227 return DLP_OK;
228 }
229
IsSupportDlp(const std::vector<std::string> & authPolicy,const std::string & bundleName,const std::string & fileType)230 static bool IsSupportDlp(const std::vector<std::string> &authPolicy,
231 const std::string &bundleName, const std::string &fileType)
232 {
233 auto it = std::find(authPolicy.begin(), authPolicy.end(), bundleName);
234 if (it != authPolicy.end()) {
235 return true;
236 }
237 return false;
238 }
239
ConvertAbilityInfoWithSupportDlp(const AAFwk::Want & want,std::vector<AppExecFwk::AbilityInfo> & abilityInfos)240 void DlpFileKits::ConvertAbilityInfoWithSupportDlp(const AAFwk::Want &want,
241 std::vector<AppExecFwk::AbilityInfo> &abilityInfos)
242 {
243 if (abilityInfos.size() == 0) {
244 DLP_LOG_INFO(LABEL, "ability size is zero.");
245 return;
246 }
247
248 std::string uri = want.GetUriString();
249 AppFileService::ModuleFileUri::FileUri fileUri(uri);
250 std::string fileName = fileUri.GetName();
251 if (fileName.empty() || !IsDlpFileName(fileName)) {
252 DLP_LOG_ERROR(LABEL, "File name is not exist or not dlp, name=%{private}s", fileName.c_str());
253 return;
254 }
255
256 std::string realSuffix = DlpUtils::GetDlpFileRealSuffix(fileName);
257 if (realSuffix == DEFAULT_STRING) {
258 return;
259 }
260 std::string fileType = DlpUtils::GetFileTypeBySuffix(realSuffix);
261 if (fileType == DEFAULT_STRING) {
262 DLP_LOG_ERROR(LABEL, "%{public}s is not support dlp.", realSuffix.c_str());
263 return;
264 }
265 std::vector<std::string> authPolicy;
266 if (!DlpUtils::GetAuthPolicyWithType(DLP_AUTH_POLICY, fileType, authPolicy)) {
267 return;
268 }
269
270 for (auto it = abilityInfos.begin(); it != abilityInfos.end();) {
271 if (!IsSupportDlp(authPolicy, it->bundleName, fileType)) {
272 abilityInfos.erase(it);
273 } else {
274 ++it;
275 }
276 }
277
278 if (abilityInfos.size() != 0) {
279 return;
280 }
281 std::vector<std::string> defalutAuthPolicy;
282 if (!DlpUtils::GetAuthPolicyWithType(DLP_AUTH_POLICY, DLP_DEFAULT_AUTH_POLICY, defalutAuthPolicy) ||
283 defalutAuthPolicy.size() <= 1) {
284 return;
285 }
286 int32_t ret = ConvertAbilityInfoWithBundleName(defalutAuthPolicy[0], defalutAuthPolicy[1], abilityInfos);
287 if (ret != DLP_OK) {
288 DLP_LOG_ERROR(LABEL, "Query ability info with bundleName error.");
289 }
290 }
291
IsDlpFileBySuffix(const std::string & fileSuffix)292 bool DlpFileKits::IsDlpFileBySuffix(const std::string &fileSuffix)
293 {
294 std::string lowerFileSuffix = DlpUtils::ToLowerString(fileSuffix);
295 if (lowerFileSuffix != DLP_FILE_SUFFIX) {
296 DLP_LOG_DEBUG(LABEL, "%{public}s is not dlp file suffix", lowerFileSuffix.c_str());
297 return false;
298 }
299 return true;
300 }
301 } // namespace DlpPermission
302 } // namespace Security
303 } // namespace OHOS
304