1 /*
2 * Copyright (C) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_adapter.h"
17
18 #include <string>
19 #include <unordered_map>
20 #include <vector>
21
22 #include "accesstoken_kit.h"
23 #include "ipc_sdk_defines.h"
24 #include "ipc_skeleton.h"
25
26 #include "device_auth_defines.h"
27 #include "hc_log.h"
28
29 using namespace std;
30 using namespace OHOS;
31 using namespace OHOS::Security::AccessToken;
32
// Process names of the native services referenced by the access tables below.
// CheckPermission() matches them, as exact strings, against the processName
// field of the caller's NativeTokenInfo.
#define PROC_NAME_DEVICE_MANAGER        "device_manager"
#define PROC_NAME_SOFT_BUS              "softbus_server"
#define PROC_NAME_DEVICE_SECURITY_LEVEL "dslm_service"
#define PROC_NAME_ISHARE                "CollaborationFwk"
#define PROC_NAME_REMOTE_COMM           "remote_communication"
38
// Whitelist consulted by IsProcessInWhitelist(): IPC method id -> process names
// allowed to call that method.
// A method id that has no entry here is NOT restricted by this table (the lookup
// returns true), so an IPC method that must be restricted needs an explicit entry.
static unordered_map<int32_t, vector<string>> g_apiAccessWhitelist = {
    { IPC_CALL_ID_PROCESS_CREDENTIAL, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DA_AUTH_DEVICE,     { PROC_NAME_DEVICE_MANAGER, PROC_NAME_SOFT_BUS } },
    { IPC_CALL_ID_DA_PROC_DATA,       { PROC_NAME_DEVICE_MANAGER, PROC_NAME_SOFT_BUS } },
    { IPC_CALL_ID_DA_CANCEL_REQUEST,  { PROC_NAME_DEVICE_MANAGER, PROC_NAME_SOFT_BUS } },
};
45
// Per-interface access list consulted by IsProcessAllowAccess(): IPC method id ->
// process names allowed to call that method. CheckPermission() applies it after
// the whitelist check, and a caller has to pass both.
// A method id that has no entry here is NOT restricted by this table (the lookup
// returns true), so an IPC method that must be restricted needs an explicit entry.
static unordered_map<int32_t, vector<string>> g_apiAccessConfig = {
    // Callback registration and group management: device_manager only.
    { IPC_CALL_ID_REG_CB,                   { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_UNREG_CB,                 { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_CREATE_GROUP,             { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DEL_GROUP,                { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_ADD_GROUP_MEMBER,         { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DEL_GROUP_MEMBER,         { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_GM_PROC_DATA,             { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_APPLY_REG_INFO,           { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_ADD_MULTI_GROUP_MEMBERS,  { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DEL_MULTI_GROUP_MEMBERS,  { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_GM_CANCEL_REQUEST,           { PROC_NAME_DEVICE_MANAGER } },
    // Authentication calls: softbus_server, device_manager and CollaborationFwk.
    { IPC_CALL_ID_AUTH_DEVICE,              { PROC_NAME_SOFT_BUS, PROC_NAME_DEVICE_MANAGER, PROC_NAME_ISHARE } },
    { IPC_CALL_ID_GA_PROC_DATA,             { PROC_NAME_SOFT_BUS, PROC_NAME_DEVICE_MANAGER, PROC_NAME_ISHARE } },
    { IPC_CALL_GA_CANCEL_REQUEST,           { PROC_NAME_SOFT_BUS, PROC_NAME_DEVICE_MANAGER, PROC_NAME_ISHARE } },
    // Single-consumer interfaces.
    { IPC_CALL_ID_GET_PK_INFO_LIST,         { PROC_NAME_DEVICE_SECURITY_LEVEL } },
    { IPC_CALL_ID_AV_GET_CLIENT_SHARED_KEY, { PROC_NAME_REMOTE_COMM } },
    { IPC_CALL_ID_AV_GET_SERVER_SHARED_KEY, { PROC_NAME_REMOTE_COMM } },
};
65
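/**
 * @brief Checks the caller's process name against the per-method list in g_apiAccessConfig.
 *
 * @param processName Process name to look for (CheckPermission passes the processName
 *                    field of the caller's NativeTokenInfo).
 * @param methodId    IPC method id being invoked.
 * @return true when methodId has no entry in g_apiAccessConfig, or when processName is
 *         listed for it; false when an entry exists and processName is not in it.
 */
static bool IsProcessAllowAccess(const string &processName, int32_t methodId)
{
    // One lookup instead of find() followed by three operator[] calls; operator[] is
    // avoided so an authorization check can never insert into the policy table.
    const auto entry = g_apiAccessConfig.find(methodId);
    if (entry == g_apiAccessConfig.end()) {
        // NOTE(review): fail-open by design of this table. A method id without an entry
        // is allowed for every caller that reached this check, so a newly added IPC
        // method stays unrestricted until it is listed in g_apiAccessConfig.
        return true;
    }
    const vector<string> &allowedProcs = entry->second;
    return find(allowedProcs.begin(), allowedProcs.end(), processName) != allowedProcs.end();
}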
74
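/**
 * @brief Checks the caller's process name against the per-method list in g_apiAccessWhitelist.
 *
 * Logs an error naming the rejected process when the method has an entry and the
 * process is not in it.
 *
 * @param processName Process name to look for (CheckPermission passes the processName
 *                    field of the caller's NativeTokenInfo).
 * @param methodId    IPC method id being invoked.
 * @return true when methodId has no entry in g_apiAccessWhitelist, or when processName is
 *         listed for it; false when an entry exists and processName is not in it.
 */
static bool IsProcessInWhitelist(const string &processName, int32_t methodId)
{
    // One lookup instead of find() followed by three operator[] calls; operator[] is
    // avoided so an authorization check can never insert into the policy table.
    const auto entry = g_apiAccessWhitelist.find(methodId);
    if (entry == g_apiAccessWhitelist.end()) {
        // NOTE(review): fail-open by design of this table. A method id without an entry
        // is not restricted here, so a newly added IPC method stays unrestricted by the
        // whitelist until it is listed in g_apiAccessWhitelist.
        return true;
    }
    const vector<string> &allowedProcs = entry->second;
    const bool ret = find(allowedProcs.begin(), allowedProcs.end(), processName) != allowedProcs.end();
    if (!ret) {
        // Message text is kept unchanged so existing log searches keep matching.
        LOGE("Access Denied: Process(%" LOG_PUB "s) not in access whitlist", processName.c_str());
    }
    return ret;
}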
87
/**
 * @brief Decides whether the current IPC caller may invoke the given method.
 *
 * The checks run in this order and the first failure is logged and rejected:
 *   1. the calling token is of type TOKEN_NATIVE;
 *   2. its NativeTokenInfo can be retrieved;
 *   3. its APL is APL_SYSTEM_CORE or APL_SYSTEM_BASIC;
 *   4. its process name passes IsProcessInWhitelist() for methodId;
 *   5. its process name passes IsProcessAllowAccess() for methodId.
 * Steps 4 and 5 accept any process name when methodId has no entry in the
 * corresponding table, so for such methods steps 1-3 are the only gate.
 *
 * @param methodId IPC method id being invoked.
 * @return HC_SUCCESS when every check passes, HC_ERROR otherwise.
 */
int32_t CheckPermission(int32_t methodId)
{
    const AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
    const ATokenTypeEnum callerTokenType = AccessTokenKit::GetTokenTypeFlag(callerToken);
    if (callerTokenType != TOKEN_NATIVE) {
        LOGE("[AccessTokenKit][GetTokenTypeFlag]: Invalid token type: %" LOG_PUB "d", callerTokenType);
        return HC_ERROR;
    }

    // The process name and APL used below come from the token info, not from the request.
    NativeTokenInfo callerInfo;
    if (AccessTokenKit::GetNativeTokenInfo(callerToken, callerInfo) != 0) {
        LOGE("[AccessTokenKit][GetNativeTokenInfo]: failed!");
        return HC_ERROR;
    }

    const bool hasSystemApl = (callerInfo.apl == APL_SYSTEM_CORE) || (callerInfo.apl == APL_SYSTEM_BASIC);
    if (!hasSystemApl) {
        LOGE("Check permission(APL3=SYSTEM_CORE or APL2=SYSTEM_BASIC) failed! APL: %" LOG_PUB "d", callerInfo.apl);
        return HC_ERROR;
    }

    if (!IsProcessInWhitelist(callerInfo.processName, methodId)) {
        LOGE("Check permission(Access Whitelist) failed!");
        return HC_ERROR;
    }

    if (IsProcessAllowAccess(callerInfo.processName, methodId)) {
        return HC_SUCCESS;
    }
    LOGE("Check permission(Interface Access List) failed!");
    return HC_ERROR;
}
117
/**
 * @brief Thin wrapper that forwards the value reported by IPCSkeleton::GetCallingUid().
 *
 * @return The value returned by IPCSkeleton::GetCallingUid(), converted to int32_t.
 */
int32_t GetCallingUid(void)
{
    const int32_t callerUid = IPCSkeleton::GetCallingUid();
    return callerUid;
}
122