1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_manager_stub.h"
17
18 #include <unistd.h>
19 #include "accesstoken_dfx_define.h"
20 #include "accesstoken_common_log.h"
21 #include "access_token_error.h"
22 #include "ipc_skeleton.h"
23 #include "memory_guard.h"
24 #include "string_ex.h"
25 #include "tokenid_kit.h"
26 #ifdef HICOLLIE_ENABLE
27 #include "xcollie/xcollie.h"
28 #endif // HICOLLIE_ENABLE
29
30 namespace OHOS {
31 namespace Security {
32 namespace AccessToken {
33 namespace {
34 const std::string MANAGE_HAP_TOKENID_PERMISSION = "ohos.permission.MANAGE_HAP_TOKENID";
35 static const int32_t DUMP_CAPACITY_SIZE = 2 * 1024 * 1000;
36 static const int MAX_PERMISSION_SIZE = 1000;
37 static const int32_t MAX_USER_POLICY_SIZE = 1024;
38 const std::string GRANT_SENSITIVE_PERMISSIONS = "ohos.permission.GRANT_SENSITIVE_PERMISSIONS";
39 const std::string REVOKE_SENSITIVE_PERMISSIONS = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS";
40 const std::string GET_SENSITIVE_PERMISSIONS = "ohos.permission.GET_SENSITIVE_PERMISSIONS";
41 const std::string DISABLE_PERMISSION_DIALOG = "ohos.permission.DISABLE_PERMISSION_DIALOG";
42 const std::string GRANT_SHORT_TERM_WRITE_MEDIAVIDEO = "ohos.permission.GRANT_SHORT_TERM_WRITE_MEDIAVIDEO";
43
44 #ifdef HICOLLIE_ENABLE
45 constexpr uint32_t TIMEOUT = 40; // 40s
46 #endif // HICOLLIE_ENABLE
47 }
48
OnRemoteRequest(uint32_t code,MessageParcel & data,MessageParcel & reply,MessageOption & option)49 int32_t AccessTokenManagerStub::OnRemoteRequest(
50 uint32_t code, MessageParcel& data, MessageParcel& reply, MessageOption& option)
51 {
52 MemoryGuard guard;
53
54 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
55 LOGD(ATM_DOMAIN, ATM_TAG, "Code %{public}u token %{public}u", code, callingTokenID);
56 std::u16string descriptor = data.ReadInterfaceToken();
57 if (descriptor != IAccessTokenManager::GetDescriptor()) {
58 LOGE(ATM_DOMAIN, ATM_TAG, "Get unexpect descriptor: %{public}s", Str16ToStr8(descriptor).c_str());
59 return ERROR_IPC_REQUEST_FAIL;
60 }
61
62 #ifdef HICOLLIE_ENABLE
63 std::string name = "AtmTimer";
64 int timerId = HiviewDFX::XCollie::GetInstance().SetTimer(name, TIMEOUT, nullptr, nullptr,
65 HiviewDFX::XCOLLIE_FLAG_LOG);
66 #endif // HICOLLIE_ENABLE
67
68 auto itFunc = requestFuncMap_.find(code);
69 if (itFunc != requestFuncMap_.end()) {
70 auto requestFunc = itFunc->second;
71 if (requestFunc != nullptr) {
72 (this->*requestFunc)(data, reply);
73
74 #ifdef HICOLLIE_ENABLE
75 HiviewDFX::XCollie::GetInstance().CancelTimer(timerId);
76 #endif // HICOLLIE_ENABLE
77
78 return NO_ERROR;
79 }
80 }
81
82 #ifdef HICOLLIE_ENABLE
83 HiviewDFX::XCollie::GetInstance().CancelTimer(timerId);
84 #endif // HICOLLIE_ENABLE
85
86 return IPCObjectStub::OnRemoteRequest(code, data, reply, option); // when code invalid
87 }
88
DeleteTokenInfoInner(MessageParcel & data,MessageParcel & reply)89 void AccessTokenManagerStub::DeleteTokenInfoInner(MessageParcel& data, MessageParcel& reply)
90 {
91 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
92 if (!IsPrivilegedCalling() &&
93 (VerifyAccessToken(callingTokenID, MANAGE_HAP_TOKENID_PERMISSION) == PERMISSION_DENIED)) {
94 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
95 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
96 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
97 return;
98 }
99 AccessTokenID tokenID = data.ReadUint32();
100 if (this->GetTokenType(tokenID) != TOKEN_HAP) {
101 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
102 reply.WriteInt32(AccessTokenError::ERR_PARAM_INVALID), "WriteInt32 failed.");
103 return;
104 }
105 int result = this->DeleteToken(tokenID);
106 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
107 }
108
GetPermissionUsedTypeInner(MessageParcel & data,MessageParcel & reply)109 void AccessTokenManagerStub::GetPermissionUsedTypeInner(MessageParcel& data, MessageParcel& reply)
110 {
111 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
112 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
113 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
114 reply.WriteInt32(static_cast<int32_t>(PermUsedTypeEnum::INVALID_USED_TYPE)),
115 "WriteInt32 failed.");
116 return;
117 }
118 uint32_t tokenID;
119 if (!data.ReadUint32(tokenID)) {
120 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to read tokenID.");
121 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
122 reply.WriteInt32(static_cast<int32_t>(PermUsedTypeEnum::INVALID_USED_TYPE)),
123 "WriteInt32 failed.");
124 return;
125 }
126 std::string permissionName;
127 if (!data.ReadString(permissionName)) {
128 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to read permissionName.");
129 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(
130 static_cast<int32_t>(PermUsedTypeEnum::INVALID_USED_TYPE)), "WriteInt32 failed.");
131 return;
132 }
133 PermUsedTypeEnum result = this->GetPermissionUsedType(tokenID, permissionName);
134 int32_t type = static_cast<int32_t>(result);
135 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(type), "WriteInt32 failed.");
136 }
137
VerifyAccessTokenInner(MessageParcel & data,MessageParcel & reply)138 void AccessTokenManagerStub::VerifyAccessTokenInner(MessageParcel& data, MessageParcel& reply)
139 {
140 AccessTokenID tokenID = data.ReadUint32();
141 std::string permissionName = data.ReadString();
142 int result = this->VerifyAccessToken(tokenID, permissionName);
143 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
144 }
145
VerifyAccessTokenWithListInner(MessageParcel & data,MessageParcel & reply)146 void AccessTokenManagerStub::VerifyAccessTokenWithListInner(MessageParcel& data, MessageParcel& reply)
147 {
148 AccessTokenID tokenID;
149 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, data.ReadUint32(tokenID), "ReadUint32 failed.");
150
151 std::vector<std::string> permissionList;
152 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, data.ReadStringVector(&permissionList), "ReadStringVector failed.");
153
154 std::vector<int32_t> permStateList;
155 this->VerifyAccessToken(tokenID, permissionList, permStateList);
156
157 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32Vector(permStateList), "WriteInt32Vector failed.");
158 }
159
GetDefPermissionInner(MessageParcel & data,MessageParcel & reply)160 void AccessTokenManagerStub::GetDefPermissionInner(MessageParcel& data, MessageParcel& reply)
161 {
162 std::string permissionName = data.ReadString();
163 PermissionDefParcel permissionDefParcel;
164 int result = this->GetDefPermission(permissionName, permissionDefParcel);
165 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
166 if (result != RET_SUCCESS) {
167 return;
168 }
169 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
170 reply.WriteParcelable(&permissionDefParcel), "Write PermissionDefParcel fail.");
171 }
172
GetReqPermissionsInner(MessageParcel & data,MessageParcel & reply)173 void AccessTokenManagerStub::GetReqPermissionsInner(MessageParcel& data, MessageParcel& reply)
174 {
175 unsigned int callingTokenID = IPCSkeleton::GetCallingTokenID();
176 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
177 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
178 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
179 return;
180 }
181 if (!IsPrivilegedCalling() &&
182 VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
183 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
184 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
185 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
186 return;
187 }
188
189 AccessTokenID tokenID = data.ReadUint32();
190 int isSystemGrant = data.ReadInt32();
191 std::vector<PermissionStatusParcel> permList;
192
193 int result = this->GetReqPermissions(tokenID, permList, isSystemGrant);
194 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
195 if (result != RET_SUCCESS) {
196 return;
197 }
198 LOGD(ATM_DOMAIN, ATM_TAG, "PermList size: %{public}zu", permList.size());
199 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(permList.size()), "WriteInt32 failed.");
200 for (const auto& permDef : permList) {
201 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteParcelable(&permDef), "WriteParcelable fail.");
202 }
203 }
204
GetSelfPermissionsStateInner(MessageParcel & data,MessageParcel & reply)205 void AccessTokenManagerStub::GetSelfPermissionsStateInner(MessageParcel& data, MessageParcel& reply)
206 {
207 std::vector<PermissionListStateParcel> permList;
208 uint32_t size = 0;
209 if (!data.ReadUint32(size)) {
210 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(INVALID_OPER), "WriteInt32 failed.");
211 return;
212 }
213 LOGD(ATM_DOMAIN, ATM_TAG, "PermList size read from client data is %{public}d.", size);
214 if (size > MAX_PERMISSION_SIZE) {
215 LOGE(ATM_DOMAIN, ATM_TAG, "PermList size %{public}d is invalid", size);
216 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(INVALID_OPER), "WriteInt32 failed.");
217 return;
218 }
219 for (uint32_t i = 0; i < size; i++) {
220 sptr<PermissionListStateParcel> permissionParcel = data.ReadParcelable<PermissionListStateParcel>();
221 if (permissionParcel != nullptr) {
222 permList.emplace_back(*permissionParcel);
223 }
224 }
225 PermissionGrantInfoParcel infoParcel;
226 PermissionOper result = this->GetSelfPermissionsState(permList, infoParcel);
227 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
228
229 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteUint32(permList.size()), "WriteUint32 failed.");
230 for (const auto& perm : permList) {
231 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteParcelable(&perm), "WriteParcelable failed.");
232 }
233 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteParcelable(&infoParcel), "WriteParcelable failed.");
234 }
235
GetPermissionsStatusInner(MessageParcel & data,MessageParcel & reply)236 void AccessTokenManagerStub::GetPermissionsStatusInner(MessageParcel& data, MessageParcel& reply)
237 {
238 unsigned int callingTokenID = IPCSkeleton::GetCallingTokenID();
239 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
240 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
241 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
242 return;
243 }
244 if (!IsPrivilegedCalling() &&
245 VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
246 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
247 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
248 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
249 return;
250 }
251
252 AccessTokenID tokenID = data.ReadUint32();
253 std::vector<PermissionListStateParcel> permList;
254 uint32_t size = 0;
255 if (!data.ReadUint32(size)) {
256 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(INVALID_OPER), "WriteInt32 failed.");
257 return;
258 }
259 LOGD(ATM_DOMAIN, ATM_TAG, "PermList size read from client data is %{public}d.", size);
260 if (size > MAX_PERMISSION_SIZE) {
261 LOGE(ATM_DOMAIN, ATM_TAG, "PermList size %{public}d is oversize", size);
262 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(INVALID_OPER), "WriteInt32 failed.");
263 return;
264 }
265 for (uint32_t i = 0; i < size; i++) {
266 sptr<PermissionListStateParcel> permissionParcel = data.ReadParcelable<PermissionListStateParcel>();
267 if (permissionParcel != nullptr) {
268 permList.emplace_back(*permissionParcel);
269 }
270 }
271 int32_t result = this->GetPermissionsStatus(tokenID, permList);
272
273 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
274 if (result != RET_SUCCESS) {
275 return;
276 }
277 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteUint32(permList.size()), "WriteUint32 failed.");
278 for (const auto& perm : permList) {
279 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteParcelable(&perm), "WriteParcelable failed.");
280 }
281 }
282
GetPermissionFlagInner(MessageParcel & data,MessageParcel & reply)283 void AccessTokenManagerStub::GetPermissionFlagInner(MessageParcel& data, MessageParcel& reply)
284 {
285 unsigned int callingTokenID = IPCSkeleton::GetCallingTokenID();
286 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
287 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
288 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
289 return;
290 }
291 AccessTokenID tokenID = data.ReadUint32();
292 std::string permissionName = data.ReadString();
293 if (!IsPrivilegedCalling() &&
294 VerifyAccessToken(callingTokenID, GRANT_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED &&
295 VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED &&
296 VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
297 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
298 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
299 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
300 return;
301 }
302 uint32_t flag;
303 int result = this->GetPermissionFlag(tokenID, permissionName, flag);
304 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
305 if (result != RET_SUCCESS) {
306 return;
307 }
308
309 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteUint32(flag), "WriteUint32 failed.");
310 }
311
SetPermissionRequestToggleStatusInner(MessageParcel & data,MessageParcel & reply)312 void AccessTokenManagerStub::SetPermissionRequestToggleStatusInner(MessageParcel& data, MessageParcel& reply)
313 {
314 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
315 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
316 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
317 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
318 return;
319 }
320
321 std::string permissionName = data.ReadString();
322 uint32_t status = data.ReadUint32();
323 int32_t userID = data.ReadInt32();
324 if (!IsPrivilegedCalling() && VerifyAccessToken(callingTokenID, DISABLE_PERMISSION_DIALOG) == PERMISSION_DENIED) {
325 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
326 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR, "CALLER_TOKENID",
327 callingTokenID, "PERMISSION_NAME", permissionName, "INTERFACE", "SetToggleStatus");
328 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d).", callingTokenID);
329 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
330 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
331 return;
332 }
333 int32_t result = this->SetPermissionRequestToggleStatus(permissionName, status, userID);
334 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
335 }
336
GetPermissionRequestToggleStatusInner(MessageParcel & data,MessageParcel & reply)337 void AccessTokenManagerStub::GetPermissionRequestToggleStatusInner(MessageParcel& data, MessageParcel& reply)
338 {
339 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
340 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
341 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
342 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
343 return;
344 }
345
346 std::string permissionName = data.ReadString();
347 int32_t userID = data.ReadInt32();
348 if (!IsShellProcessCalling() && !IsPrivilegedCalling() &&
349 VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
350 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
351 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR, "CALLER_TOKENID",
352 callingTokenID, "PERMISSION_NAME", permissionName, "INTERFACE", "GetToggleStatus");
353 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d).", callingTokenID);
354 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
355 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
356 return;
357 }
358 uint32_t status;
359 int32_t result = this->GetPermissionRequestToggleStatus(permissionName, status, userID);
360 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
361 if (result != RET_SUCCESS) {
362 return;
363 }
364 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(status), "WriteInt32 failed.");
365 }
366
RequestAppPermOnSettingInner(MessageParcel & data,MessageParcel & reply)367 void AccessTokenManagerStub::RequestAppPermOnSettingInner(MessageParcel& data, MessageParcel& reply)
368 {
369 if (!IsSystemAppCalling()) {
370 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
371 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
372 return;
373 }
374
375 AccessTokenID tokenID;
376 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, data.ReadUint32(tokenID), "ReadUint32 failed.");
377
378 int result = this->RequestAppPermOnSetting(tokenID);
379 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
380 }
381
GrantPermissionInner(MessageParcel & data,MessageParcel & reply)382 void AccessTokenManagerStub::GrantPermissionInner(MessageParcel& data, MessageParcel& reply)
383 {
384 unsigned int callingTokenID = IPCSkeleton::GetCallingTokenID();
385 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
386 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
387 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
388 return;
389 }
390 AccessTokenID tokenID = data.ReadUint32();
391 std::string permissionName = data.ReadString();
392 uint32_t flag = data.ReadUint32();
393 if (!IsPrivilegedCalling() &&
394 VerifyAccessToken(callingTokenID, GRANT_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
395 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
396 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR,
397 "CALLER_TOKENID", callingTokenID, "PERMISSION_NAME", permissionName);
398 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
399 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
400 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
401 return;
402 }
403 int result = this->GrantPermission(tokenID, permissionName, flag);
404 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
405 }
406
RevokePermissionInner(MessageParcel & data,MessageParcel & reply)407 void AccessTokenManagerStub::RevokePermissionInner(MessageParcel& data, MessageParcel& reply)
408 {
409 unsigned int callingTokenID = IPCSkeleton::GetCallingTokenID();
410 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
411 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
412 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
413 return;
414 }
415 AccessTokenID tokenID = data.ReadUint32();
416 std::string permissionName = data.ReadString();
417 uint32_t flag = data.ReadUint32();
418 if (!IsPrivilegedCalling() &&
419 VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
420 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
421 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR,
422 "CALLER_TOKENID", callingTokenID, "PERMISSION_NAME", permissionName);
423 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
424 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
425 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
426 return;
427 }
428 int result = this->RevokePermission(tokenID, permissionName, flag);
429 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
430 }
431
GrantPermissionForSpecifiedTimeInner(MessageParcel & data,MessageParcel & reply)432 void AccessTokenManagerStub::GrantPermissionForSpecifiedTimeInner(MessageParcel& data, MessageParcel& reply)
433 {
434 unsigned int callingTokenID = IPCSkeleton::GetCallingTokenID();
435 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
436 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
437 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
438 return;
439 }
440 AccessTokenID tokenID = data.ReadUint32();
441 std::string permissionName = data.ReadString();
442 uint32_t onceTime = data.ReadUint32();
443 if (!IsPrivilegedCalling() &&
444 VerifyAccessToken(callingTokenID, GRANT_SHORT_TERM_WRITE_MEDIAVIDEO) == PERMISSION_DENIED) {
445 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
446 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR,
447 "CALLER_TOKENID", callingTokenID, "PERMISSION_NAME", permissionName);
448 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
449 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
450 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
451 return;
452 }
453 int result = this->GrantPermissionForSpecifiedTime(tokenID, permissionName, onceTime);
454 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
455 }
456
ClearUserGrantedPermissionStateInner(MessageParcel & data,MessageParcel & reply)457 void AccessTokenManagerStub::ClearUserGrantedPermissionStateInner(MessageParcel& data, MessageParcel& reply)
458 {
459 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
460 if (!IsPrivilegedCalling() &&
461 VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
462 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
463 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR,
464 "CALLER_TOKENID", callingTokenID);
465 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
466 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
467 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
468 return;
469 }
470 AccessTokenID tokenID = data.ReadUint32();
471 int result = this->ClearUserGrantedPermissionState(tokenID);
472 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
473 }
474
AllocHapTokenInner(MessageParcel & data,MessageParcel & reply)475 void AccessTokenManagerStub::AllocHapTokenInner(MessageParcel& data, MessageParcel& reply)
476 {
477 AccessTokenIDEx res = {0};
478 AccessTokenID tokenID = IPCSkeleton::GetCallingTokenID();
479 if (!IsPrivilegedCalling() &&
480 (VerifyAccessToken(tokenID, MANAGE_HAP_TOKENID_PERMISSION) == PERMISSION_DENIED)) {
481 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", tokenID);
482 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
483 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
484 return;
485 }
486
487 sptr<HapInfoParcel> hapInfoParcel = data.ReadParcelable<HapInfoParcel>();
488 sptr<HapPolicyParcel> hapPolicyParcel = data.ReadParcelable<HapPolicyParcel>();
489 if (hapInfoParcel == nullptr || hapPolicyParcel == nullptr) {
490 LOGE(ATM_DOMAIN, ATM_TAG, "Read hapPolicyParcel or hapInfoParcel fail");
491 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
492 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
493 return;
494 }
495 res = this->AllocHapToken(*hapInfoParcel, *hapPolicyParcel);
496 reply.WriteUint64(res.tokenIDEx);
497 }
498
InitHapTokenInner(MessageParcel & data,MessageParcel & reply)499 void AccessTokenManagerStub::InitHapTokenInner(MessageParcel& data, MessageParcel& reply)
500 {
501 AccessTokenID tokenID = IPCSkeleton::GetCallingTokenID();
502 if (!IsPrivilegedCalling() &&
503 (VerifyAccessToken(tokenID, MANAGE_HAP_TOKENID_PERMISSION) == PERMISSION_DENIED)) {
504 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", tokenID);
505 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
506 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
507 return;
508 }
509
510 sptr<HapInfoParcel> hapInfoParcel = data.ReadParcelable<HapInfoParcel>();
511 sptr<HapPolicyParcel> hapPolicyParcel = data.ReadParcelable<HapPolicyParcel>();
512 if (hapInfoParcel == nullptr || hapPolicyParcel == nullptr) {
513 LOGE(ATM_DOMAIN, ATM_TAG, "Read hapPolicyParcel or hapInfoParcel fail");
514 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
515 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
516 return;
517 }
518 int32_t res;
519 AccessTokenIDEx fullTokenId = { 0 };
520 HapInfoCheckResult result;
521 res = this->InitHapToken(*hapInfoParcel, *hapPolicyParcel, fullTokenId, result);
522 if (!reply.WriteInt32(res)) {
523 LOGE(ATM_DOMAIN, ATM_TAG, "WriteInt32 fail");
524 }
525
526 if (res != RET_SUCCESS) {
527 if (!result.permCheckResult.permissionName.empty()) {
528 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG,
529 reply.WriteString(result.permCheckResult.permissionName), "WriteString failed.");
530 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG,
531 reply.WriteInt32(result.permCheckResult.rule), "WriteInt32 failed.");
532 }
533 LOGE(ATM_DOMAIN, ATM_TAG, "Res error %{public}d.", res);
534 return;
535 }
536 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteUint64(fullTokenId.tokenIDEx), "WriteUint64 failed.");
537 }
538
GetTokenTypeInner(MessageParcel & data,MessageParcel & reply)539 void AccessTokenManagerStub::GetTokenTypeInner(MessageParcel& data, MessageParcel& reply)
540 {
541 AccessTokenID tokenID = data.ReadUint32();
542 int result = this->GetTokenType(tokenID);
543 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
544 }
545
GetHapTokenIDInner(MessageParcel & data,MessageParcel & reply)546 void AccessTokenManagerStub::GetHapTokenIDInner(MessageParcel& data, MessageParcel& reply)
547 {
548 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
549 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
550 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(INVALID_TOKENID), "WriteInt32 failed.");
551 return;
552 }
553 int userID = data.ReadInt32();
554 std::string bundleName = data.ReadString();
555 int instIndex = data.ReadInt32();
556 AccessTokenIDEx tokenIdEx = this->GetHapTokenID(userID, bundleName, instIndex);
557 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteUint64(tokenIdEx.tokenIDEx), "WriteUint64 failed.");
558 }
559
AllocLocalTokenIDInner(MessageParcel & data,MessageParcel & reply)560 void AccessTokenManagerStub::AllocLocalTokenIDInner(MessageParcel& data, MessageParcel& reply)
561 {
562 if ((!IsNativeProcessCalling()) && !IsPrivilegedCalling()) {
563 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
564 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(INVALID_TOKENID), "WriteInt32 failed.");
565 return;
566 }
567 std::string remoteDeviceID = data.ReadString();
568 AccessTokenID remoteTokenID = data.ReadUint32();
569 AccessTokenID result = this->AllocLocalTokenID(remoteDeviceID, remoteTokenID);
570 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteUint32(result), "WriteUint32 failed.");
571 }
572
UpdateHapTokenInner(MessageParcel & data,MessageParcel & reply)573 void AccessTokenManagerStub::UpdateHapTokenInner(MessageParcel& data, MessageParcel& reply)
574 {
575 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
576 if (!IsPrivilegedCalling() &&
577 (VerifyAccessToken(callingTokenID, MANAGE_HAP_TOKENID_PERMISSION) == PERMISSION_DENIED)) {
578 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
579 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
580 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
581 return;
582 }
583 UpdateHapInfoParams info;
584 AccessTokenID tokenID = data.ReadUint32();
585 info.isSystemApp = data.ReadBool();
586 info.appIDDesc = data.ReadString();
587 info.apiVersion = data.ReadInt32();
588 info.appDistributionType = data.ReadString();
589 AccessTokenIDEx tokenIdEx;
590 tokenIdEx.tokenIdExStruct.tokenID = tokenID;
591 sptr<HapPolicyParcel> policyParcel = data.ReadParcelable<HapPolicyParcel>();
592 if (policyParcel == nullptr) {
593 LOGE(ATM_DOMAIN, ATM_TAG, "PolicyParcel read faild");
594 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
595 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
596 return;
597 }
598 HapInfoCheckResult resultInfo;
599 int32_t result = this->UpdateHapToken(tokenIdEx, info, *policyParcel, resultInfo);
600 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
601 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
602 reply.WriteUint32(tokenIdEx.tokenIdExStruct.tokenAttr), "WriteUint32 failed.");
603 if (result != RET_SUCCESS) {
604 if (!resultInfo.permCheckResult.permissionName.empty()) {
605 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG,
606 reply.WriteString(resultInfo.permCheckResult.permissionName), "WriteString failed.");
607 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG,
608 reply.WriteInt32(resultInfo.permCheckResult.rule), "WriteInt32 failed.");
609 }
610 LOGE(ATM_DOMAIN, ATM_TAG, "Res error %{public}d", result);
611 return;
612 }
613 }
614
GetTokenIDByUserIDInner(MessageParcel & data,MessageParcel & reply)615 void AccessTokenManagerStub::GetTokenIDByUserIDInner(MessageParcel& data, MessageParcel& reply)
616 {
617 if (!IsNativeProcessCalling()) {
618 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
619 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
620 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
621 return;
622 }
623 std::unordered_set<AccessTokenID> tokenIdList;
624 int32_t userID = 0;
625 if (!data.ReadInt32(userID)) {
626 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to read userId.");
627 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
628 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
629 return;
630 }
631 int32_t result = this->GetTokenIDByUserID(userID, tokenIdList);
632 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
633 if (result != RET_SUCCESS) {
634 return;
635 }
636 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteUint32(tokenIdList.size()), "WriteUint32 failed.");
637 for (const auto& tokenId : tokenIdList) {
638 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteUint32(tokenId), "WriteUint32 failed.");
639 }
640 }
641
GetHapTokenInfoInner(MessageParcel & data,MessageParcel & reply)642 void AccessTokenManagerStub::GetHapTokenInfoInner(MessageParcel& data, MessageParcel& reply)
643 {
644 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
645 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
646 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
647 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
648 return;
649 }
650 HapTokenInfoParcel hapTokenInfoParcel;
651 AccessTokenID tokenID = data.ReadUint32();
652 int result = this->GetHapTokenInfo(tokenID, hapTokenInfoParcel);
653 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
654 if (result != RET_SUCCESS) {
655 return;
656 }
657 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteParcelable(&hapTokenInfoParcel), "Write parcel failed.");
658 }
659
GetHapTokenInfoExtensionInner(MessageParcel & data,MessageParcel & reply)660 void AccessTokenManagerStub::GetHapTokenInfoExtensionInner(MessageParcel& data, MessageParcel& reply)
661 {
662 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
663 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
664 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
665 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
666 return;
667 }
668 HapTokenInfoParcel hapTokenInfoParcel;
669 std::string appID;
670 AccessTokenID tokenID = data.ReadUint32();
671 int result = this->GetHapTokenInfoExtension(tokenID, hapTokenInfoParcel, appID);
672 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
673 if (result != RET_SUCCESS) {
674 return;
675 }
676 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteParcelable(&hapTokenInfoParcel), "Write parcel failed.");
677 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteString(appID), "Write string failed.");
678 }
679
GetNativeTokenInfoInner(MessageParcel & data,MessageParcel & reply)680 void AccessTokenManagerStub::GetNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply)
681 {
682 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
683 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d).", IPCSkeleton::GetCallingTokenID());
684 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
685 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
686 return;
687 }
688 AccessTokenID tokenID = data.ReadUint32();
689 NativeTokenInfoParcel nativeTokenInfoParcel;
690 int result = this->GetNativeTokenInfo(tokenID, nativeTokenInfoParcel);
691 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
692 if (result != RET_SUCCESS) {
693 return;
694 }
695 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteParcelable(&nativeTokenInfoParcel), "WriteInt32 failed.");
696 }
697
RegisterPermStateChangeCallbackInner(MessageParcel & data,MessageParcel & reply)698 void AccessTokenManagerStub::RegisterPermStateChangeCallbackInner(MessageParcel& data, MessageParcel& reply)
699 {
700 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
701 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
702 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
703 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
704 return;
705 }
706 if (VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
707 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
708 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
709 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
710 return;
711 }
712 sptr<PermStateChangeScopeParcel> scopeParcel = data.ReadParcelable<PermStateChangeScopeParcel>();
713 if (scopeParcel == nullptr) {
714 LOGE(ATM_DOMAIN, ATM_TAG, "Read scopeParcel fail");
715 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
716 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
717 return;
718 }
719 sptr<IRemoteObject> callback = data.ReadRemoteObject();
720 if (callback == nullptr) {
721 LOGE(ATM_DOMAIN, ATM_TAG, "Read callback fail");
722 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
723 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
724 return;
725 }
726 int32_t result = this->RegisterPermStateChangeCallback(*scopeParcel, callback);
727 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
728 }
729
UnRegisterPermStateChangeCallbackInner(MessageParcel & data,MessageParcel & reply)730 void AccessTokenManagerStub::UnRegisterPermStateChangeCallbackInner(MessageParcel& data, MessageParcel& reply)
731 {
732 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
733 if ((this->GetTokenType(callingToken) == TOKEN_HAP) && (!IsSystemAppCalling())) {
734 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
735 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
736 return;
737 }
738 if (VerifyAccessToken(callingToken, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
739 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
740 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
741 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
742 return;
743 }
744 sptr<IRemoteObject> callback = data.ReadRemoteObject();
745 if (callback == nullptr) {
746 LOGE(ATM_DOMAIN, ATM_TAG, "Read callback fail");
747 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
748 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
749 return;
750 }
751 int32_t result = this->UnRegisterPermStateChangeCallback(callback);
752 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
753 }
754
RegisterSelfPermStateChangeCallbackInner(MessageParcel & data,MessageParcel & reply)755 void AccessTokenManagerStub::RegisterSelfPermStateChangeCallbackInner(MessageParcel& data, MessageParcel& reply)
756 {
757 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
758 if (this->GetTokenType(callingTokenID) != TOKEN_HAP) {
759 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is not hap.");
760 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
761 reply.WriteInt32(AccessTokenError::ERR_PARAM_INVALID), "WriteInt32 failed.");
762 return;
763 }
764 sptr<PermStateChangeScopeParcel> scopeParcel = data.ReadParcelable<PermStateChangeScopeParcel>();
765 if (scopeParcel == nullptr) {
766 LOGE(ATM_DOMAIN, ATM_TAG, "Read scopeParcel fail");
767 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
768 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
769 return;
770 }
771 sptr<IRemoteObject> callback = data.ReadRemoteObject();
772 if (callback == nullptr) {
773 LOGE(ATM_DOMAIN, ATM_TAG, "Read callback fail");
774 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
775 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
776 return;
777 }
778 int32_t result = this->RegisterSelfPermStateChangeCallback(*scopeParcel, callback);
779 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
780 }
781
UnRegisterSelfPermStateChangeCallbackInner(MessageParcel & data,MessageParcel & reply)782 void AccessTokenManagerStub::UnRegisterSelfPermStateChangeCallbackInner(MessageParcel& data, MessageParcel& reply)
783 {
784 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
785 if (this->GetTokenType(callingToken) != TOKEN_HAP) {
786 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is not hap.");
787 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
788 reply.WriteInt32(AccessTokenError::ERR_PARAM_INVALID), "WriteInt32 failed.");
789 return;
790 }
791 sptr<IRemoteObject> callback = data.ReadRemoteObject();
792 if (callback == nullptr) {
793 LOGE(ATM_DOMAIN, ATM_TAG, "Read callback fail");
794 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
795 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
796 return;
797 }
798 int32_t result = this->UnRegisterSelfPermStateChangeCallback(callback);
799 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
800 }
801
802 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
ReloadNativeTokenInfoInner(MessageParcel & data,MessageParcel & reply)803 void AccessTokenManagerStub::ReloadNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply)
804 {
805 if (!IsPrivilegedCalling()) {
806 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
807 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
808 reply.WriteUint32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
809 return;
810 }
811 int32_t result = this->ReloadNativeTokenInfo();
812 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
813 }
814 #endif
815
GetNativeTokenIdInner(MessageParcel & data,MessageParcel & reply)816 void AccessTokenManagerStub::GetNativeTokenIdInner(MessageParcel& data, MessageParcel& reply)
817 {
818 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
819 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
820 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteUint32(INVALID_TOKENID), "WriteUint32 failed.");
821 return;
822 }
823 std::string processName;
824 if (!data.ReadString(processName)) {
825 LOGE(ATM_DOMAIN, ATM_TAG, "ReadString fail, processName=%{public}s", processName.c_str());
826 return;
827 }
828 AccessTokenID result = this->GetNativeTokenId(processName);
829 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
830 }
831
GetKernelPermissionsInner(MessageParcel & data,MessageParcel & reply)832 void AccessTokenManagerStub::GetKernelPermissionsInner(MessageParcel& data, MessageParcel& reply)
833 {
834 auto callingToken = IPCSkeleton::GetCallingTokenID();
835 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
836 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
837 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
838 reply.WriteUint32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteUint32 failed.");
839 return;
840 }
841
842 AccessTokenID tokenID;
843 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, data.ReadUint32(tokenID), "ReadUint32 failed.");
844 std::vector<PermissionWithValue> kernelPermList;
845 int32_t result = this->GetKernelPermissions(tokenID, kernelPermList);
846 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
847 if (result != RET_SUCCESS) {
848 return;
849 }
850 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteUint32(kernelPermList.size()), "WriteUint32 failed.");
851 for (const auto& perm : kernelPermList) {
852 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteString(perm.permissionName), "WriteString failed.");
853 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteString(perm.value), "WriteString failed.");
854 }
855 }
856
GetReqPermissionByNameInner(MessageParcel & data,MessageParcel & reply)857 void AccessTokenManagerStub::GetReqPermissionByNameInner(MessageParcel& data, MessageParcel& reply)
858 {
859 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
860 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
861 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
862 reply.WriteUint32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteUint32 failed.");
863 return;
864 }
865
866 AccessTokenID tokenID;
867 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, data.ReadUint32(tokenID), "ReadUint32 failed.");
868 std::string permissionName;
869 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, data.ReadString(permissionName), "ReadUint32 failed.");
870 std::string resultValue;
871 int32_t result = this->GetReqPermissionByName(tokenID, permissionName, resultValue);
872 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
873 if (result != RET_SUCCESS) {
874 return;
875 }
876 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteString(resultValue), "WriteString failed.");
877 }
878
879 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenInfoFromRemoteInner(MessageParcel & data,MessageParcel & reply)880 void AccessTokenManagerStub::GetHapTokenInfoFromRemoteInner(MessageParcel& data, MessageParcel& reply)
881 {
882 if (!IsAccessTokenCalling()) {
883 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
884 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
885 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
886 return;
887 }
888 AccessTokenID tokenID = data.ReadUint32();
889 HapTokenInfoForSyncParcel hapTokenParcel;
890
891 int result = this->GetHapTokenInfoFromRemote(tokenID, hapTokenParcel);
892 IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
893 if (result != RET_SUCCESS) {
894 return;
895 }
896 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteParcelable(&hapTokenParcel), "WriteParcelable failed.");
897 }
898
SetRemoteHapTokenInfoInner(MessageParcel & data,MessageParcel & reply)899 void AccessTokenManagerStub::SetRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply)
900 {
901 if (!IsAccessTokenCalling()) {
902 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
903 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
904 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
905 return;
906 }
907 std::string deviceID = data.ReadString();
908 sptr<HapTokenInfoForSyncParcel> hapTokenParcel = data.ReadParcelable<HapTokenInfoForSyncParcel>();
909 if (hapTokenParcel == nullptr) {
910 LOGE(ATM_DOMAIN, ATM_TAG, "HapTokenParcel read faild");
911 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
912 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
913 return;
914 }
915 int result = this->SetRemoteHapTokenInfo(deviceID, *hapTokenParcel);
916 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
917 }
918
DeleteRemoteTokenInner(MessageParcel & data,MessageParcel & reply)919 void AccessTokenManagerStub::DeleteRemoteTokenInner(MessageParcel& data, MessageParcel& reply)
920 {
921 if (!IsAccessTokenCalling()) {
922 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
923 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
924 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
925 return;
926 }
927 std::string deviceID = data.ReadString();
928 AccessTokenID tokenID = data.ReadUint32();
929
930 int result = this->DeleteRemoteToken(deviceID, tokenID);
931 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
932 }
933
GetRemoteNativeTokenIDInner(MessageParcel & data,MessageParcel & reply)934 void AccessTokenManagerStub::GetRemoteNativeTokenIDInner(MessageParcel& data, MessageParcel& reply)
935 {
936 if (!IsAccessTokenCalling()) {
937 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
938 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(INVALID_TOKENID), "WriteInt32 failed.");
939 return;
940 }
941 std::string deviceID = data.ReadString();
942 AccessTokenID tokenID = data.ReadUint32();
943
944 AccessTokenID result = this->GetRemoteNativeTokenID(deviceID, tokenID);
945 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
946 }
947
DeleteRemoteDeviceTokensInner(MessageParcel & data,MessageParcel & reply)948 void AccessTokenManagerStub::DeleteRemoteDeviceTokensInner(MessageParcel& data, MessageParcel& reply)
949 {
950 if (!IsAccessTokenCalling()) {
951 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
952 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
953 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
954 return;
955 }
956 std::string deviceID = data.ReadString();
957
958 int result = this->DeleteRemoteDeviceTokens(deviceID);
959 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
960 }
961
RegisterTokenSyncCallbackInner(MessageParcel & data,MessageParcel & reply)962 void AccessTokenManagerStub::RegisterTokenSyncCallbackInner(MessageParcel& data, MessageParcel& reply)
963 {
964 if (!IsAccessTokenCalling()) {
965 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied, tokenID=%{public}d", IPCSkeleton::GetCallingTokenID());
966 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
967 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
968 return;
969 }
970
971 sptr<IRemoteObject> callback = data.ReadRemoteObject();
972 if (callback == nullptr) {
973 LOGE(ATM_DOMAIN, ATM_TAG, "Callback read failed.");
974 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
975 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
976 return;
977 }
978 int32_t result = this->RegisterTokenSyncCallback(callback);
979 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
980 }
981
UnRegisterTokenSyncCallbackInner(MessageParcel & data,MessageParcel & reply)982 void AccessTokenManagerStub::UnRegisterTokenSyncCallbackInner(MessageParcel& data, MessageParcel& reply)
983 {
984 if (!IsAccessTokenCalling()) {
985 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied, tokenID=%{public}d", IPCSkeleton::GetCallingTokenID());
986 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
987 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
988 return;
989 }
990
991 int32_t result = this->UnRegisterTokenSyncCallback();
992 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
993 }
994 #endif
995
GetVersionInner(MessageParcel & data,MessageParcel & reply)996 void AccessTokenManagerStub::GetVersionInner(MessageParcel& data, MessageParcel& reply)
997 {
998 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
999 if ((this->GetTokenType(callingToken) == TOKEN_HAP) && (!IsSystemAppCalling())) {
1000 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1001 reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP), "WriteInt32 failed.");
1002 return;
1003 }
1004 uint32_t version;
1005 int32_t result = this->GetVersion(version);
1006 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
1007 if (result != RET_SUCCESS) {
1008 return;
1009 }
1010 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteUint32(version), "WriteUint32 failed.");
1011 }
1012
DumpTokenInfoInner(MessageParcel & data,MessageParcel & reply)1013 void AccessTokenManagerStub::DumpTokenInfoInner(MessageParcel& data, MessageParcel& reply)
1014 {
1015 if (!IsShellProcessCalling()) {
1016 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
1017 reply.WriteString("");
1018 return;
1019 }
1020 sptr<AtmToolsParamInfoParcel> infoParcel = data.ReadParcelable<AtmToolsParamInfoParcel>();
1021 if (infoParcel == nullptr) {
1022 LOGE(ATM_DOMAIN, ATM_TAG, "Read infoParcel fail");
1023 reply.WriteString("read infoParcel fail");
1024 return;
1025 }
1026 std::string dumpInfo = "";
1027 this->DumpTokenInfo(*infoParcel, dumpInfo);
1028 if (!reply.SetDataCapacity(DUMP_CAPACITY_SIZE)) {
1029 LOGW(ATM_DOMAIN, ATM_TAG, "SetDataCapacity failed");
1030 }
1031 if (!reply.WriteString(dumpInfo)) {
1032 LOGE(ATM_DOMAIN, ATM_TAG, "WriteString failed");
1033 }
1034 }
1035
SetPermDialogCapInner(MessageParcel & data,MessageParcel & reply)1036 void AccessTokenManagerStub::SetPermDialogCapInner(MessageParcel& data, MessageParcel& reply)
1037 {
1038 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
1039 if (VerifyAccessToken(callingToken, DISABLE_PERMISSION_DIALOG) == PERMISSION_DENIED) {
1040 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
1041 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1042 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
1043 return;
1044 }
1045
1046 sptr<HapBaseInfoParcel> hapBaseInfoParcel = data.ReadParcelable<HapBaseInfoParcel>();
1047 if (hapBaseInfoParcel == nullptr) {
1048 LOGE(ATM_DOMAIN, ATM_TAG, "Read hapBaseInfoParcel fail");
1049 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1050 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
1051 return;
1052 }
1053 bool enable = data.ReadBool();
1054 int32_t res = this->SetPermDialogCap(*hapBaseInfoParcel, enable);
1055 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(res), "WriteInt32 failed.");
1056 }
1057
GetPermissionManagerInfoInner(MessageParcel & data,MessageParcel & reply)1058 void AccessTokenManagerStub::GetPermissionManagerInfoInner(MessageParcel& data, MessageParcel& reply)
1059 {
1060 PermissionGrantInfoParcel infoParcel;
1061 this->GetPermissionManagerInfo(infoParcel);
1062 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteParcelable(&infoParcel), "WriteParcelable failed.");
1063 }
1064
InitUserPolicyInner(MessageParcel & data,MessageParcel & reply)1065 void AccessTokenManagerStub::InitUserPolicyInner(MessageParcel& data, MessageParcel& reply)
1066 {
1067 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
1068 if (VerifyAccessToken(callingToken, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
1069 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
1070 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1071 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
1072 return;
1073 }
1074 std::vector<UserState> userList;
1075 std::vector<std::string> permList;
1076 uint32_t userSize = data.ReadUint32();
1077 uint32_t permSize = data.ReadUint32();
1078 if ((userSize > MAX_USER_POLICY_SIZE) || (permSize > MAX_USER_POLICY_SIZE)) {
1079 LOGE(ATM_DOMAIN, ATM_TAG, "Size %{public}u is invalid", userSize);
1080 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1081 reply.WriteInt32(AccessTokenError::ERR_OVERSIZE), "WriteParcelable failed.");
1082 return;
1083 }
1084 for (uint32_t i = 0; i < userSize; i++) {
1085 UserState userInfo;
1086 if (!data.ReadInt32(userInfo.userId)) {
1087 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to read userId.");
1088 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1089 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
1090 return;
1091 }
1092 if (!data.ReadBool(userInfo.isActive)) {
1093 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to read isActive.");
1094 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1095 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
1096 return;
1097 }
1098 userList.emplace_back(userInfo);
1099 }
1100 for (uint32_t i = 0; i < permSize; i++) {
1101 std::string permission;
1102 if (!data.ReadString(permission)) {
1103 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to read permission.");
1104 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1105 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
1106 return;
1107 }
1108 permList.emplace_back(permission);
1109 }
1110 int32_t res = this->InitUserPolicy(userList, permList);
1111 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(res), "WriteInt32 failed.");
1112 }
1113
UpdateUserPolicyInner(MessageParcel & data,MessageParcel & reply)1114 void AccessTokenManagerStub::UpdateUserPolicyInner(MessageParcel& data, MessageParcel& reply)
1115 {
1116 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
1117 if (VerifyAccessToken(callingToken, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
1118 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
1119 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1120 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
1121 return;
1122 }
1123 std::vector<UserState> userList;
1124 uint32_t userSize = data.ReadUint32();
1125 if (userSize > MAX_USER_POLICY_SIZE) {
1126 LOGE(ATM_DOMAIN, ATM_TAG, "Size %{public}u is invalid", userSize);
1127 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(AccessTokenError::ERR_OVERSIZE), "WriteInt32 failed.");
1128 return;
1129 }
1130 for (uint32_t i = 0; i < userSize; i++) {
1131 UserState userInfo;
1132 if (!data.ReadInt32(userInfo.userId)) {
1133 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to read userId.");
1134 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1135 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
1136 return;
1137 }
1138 if (!data.ReadBool(userInfo.isActive)) {
1139 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to read isActive.");
1140 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1141 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
1142 return;
1143 }
1144 userList.emplace_back(userInfo);
1145 }
1146 int32_t res = this->UpdateUserPolicy(userList);
1147 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(res), "WriteInt32 failed.");
1148 }
1149
ClearUserPolicyInner(MessageParcel & data,MessageParcel & reply)1150 void AccessTokenManagerStub::ClearUserPolicyInner(MessageParcel& data, MessageParcel& reply)
1151 {
1152 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
1153 if (VerifyAccessToken(callingToken, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
1154 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
1155 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG,
1156 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED), "WriteInt32 failed.");
1157 return;
1158 }
1159
1160 int32_t res = this->ClearUserPolicy();
1161 IF_FALSE_PRINT_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(res), "WriteInt32 failed.");
1162 }
1163
IsPrivilegedCalling() const1164 bool AccessTokenManagerStub::IsPrivilegedCalling() const
1165 {
1166 // shell process is root in debug mode.
1167 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
1168 int32_t callingUid = IPCSkeleton::GetCallingUid();
1169 return callingUid == ROOT_UID;
1170 #else
1171 return false;
1172 #endif
1173 }
1174
IsAccessTokenCalling()1175 bool AccessTokenManagerStub::IsAccessTokenCalling()
1176 {
1177 uint32_t tokenCaller = IPCSkeleton::GetCallingTokenID();
1178 if (tokenSyncId_ == 0) {
1179 tokenSyncId_ = this->GetNativeTokenId("token_sync_service");
1180 }
1181 return tokenCaller == tokenSyncId_;
1182 }
1183
IsNativeProcessCalling()1184 bool AccessTokenManagerStub::IsNativeProcessCalling()
1185 {
1186 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
1187 return this->GetTokenType(tokenCaller) == TOKEN_NATIVE;
1188 }
1189
IsShellProcessCalling()1190 bool AccessTokenManagerStub::IsShellProcessCalling()
1191 {
1192 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
1193 return this->GetTokenType(tokenCaller) == TOKEN_SHELL;
1194 }
1195
IsSystemAppCalling() const1196 bool AccessTokenManagerStub::IsSystemAppCalling() const
1197 {
1198 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
1199 return TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
1200 }
1201
1202 #ifdef TOKEN_SYNC_ENABLE
SetTokenSyncFuncInMap()1203 void AccessTokenManagerStub::SetTokenSyncFuncInMap()
1204 {
1205 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_HAP_TOKEN_FROM_REMOTE)] =
1206 &AccessTokenManagerStub::GetHapTokenInfoFromRemoteInner;
1207 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::SET_REMOTE_HAP_TOKEN_INFO)] =
1208 &AccessTokenManagerStub::SetRemoteHapTokenInfoInner;
1209 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::DELETE_REMOTE_TOKEN_INFO)] =
1210 &AccessTokenManagerStub::DeleteRemoteTokenInner;
1211 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::DELETE_REMOTE_DEVICE_TOKEN)] =
1212 &AccessTokenManagerStub::DeleteRemoteDeviceTokensInner;
1213 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_NATIVE_REMOTE_TOKEN)] =
1214 &AccessTokenManagerStub::GetRemoteNativeTokenIDInner;
1215 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::REGISTER_TOKEN_SYNC_CALLBACK)] =
1216 &AccessTokenManagerStub::RegisterTokenSyncCallbackInner;
1217 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::UNREGISTER_TOKEN_SYNC_CALLBACK)] =
1218 &AccessTokenManagerStub::UnRegisterTokenSyncCallbackInner;
1219 }
1220 #endif
1221
SetLocalTokenOpFuncInMap()1222 void AccessTokenManagerStub::SetLocalTokenOpFuncInMap()
1223 {
1224 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::ALLOC_TOKEN_HAP)] =
1225 &AccessTokenManagerStub::AllocHapTokenInner;
1226 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::INIT_TOKEN_HAP)] =
1227 &AccessTokenManagerStub::InitHapTokenInner;
1228 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::TOKEN_DELETE)] =
1229 &AccessTokenManagerStub::DeleteTokenInfoInner;
1230 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_TOKEN_TYPE)] =
1231 &AccessTokenManagerStub::GetTokenTypeInner;
1232 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_HAP_TOKEN_ID)] =
1233 &AccessTokenManagerStub::GetHapTokenIDInner;
1234 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::ALLOC_LOCAL_TOKEN_ID)] =
1235 &AccessTokenManagerStub::AllocLocalTokenIDInner;
1236 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_NATIVE_TOKENINFO)] =
1237 &AccessTokenManagerStub::GetNativeTokenInfoInner;
1238 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_TOKEN_ID_BY_USER_ID)] =
1239 &AccessTokenManagerStub::GetTokenIDByUserIDInner;
1240 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_HAP_TOKENINFO)] =
1241 &AccessTokenManagerStub::GetHapTokenInfoInner;
1242 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::UPDATE_HAP_TOKEN)] =
1243 &AccessTokenManagerStub::UpdateHapTokenInner;
1244 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
1245 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::RELOAD_NATIVE_TOKEN_INFO)] =
1246 &AccessTokenManagerStub::ReloadNativeTokenInfoInner;
1247 #endif
1248 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_NATIVE_TOKEN_ID)] =
1249 &AccessTokenManagerStub::GetNativeTokenIdInner;
1250 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::SET_PERM_DIALOG_CAPABILITY)] =
1251 &AccessTokenManagerStub::SetPermDialogCapInner;
1252 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_PERMISSION_MANAGER_INFO)] =
1253 &AccessTokenManagerStub::GetPermissionManagerInfoInner;
1254 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::INIT_USER_POLICY)] =
1255 &AccessTokenManagerStub::InitUserPolicyInner;
1256 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::UPDATE_USER_POLICY)] =
1257 &AccessTokenManagerStub::UpdateUserPolicyInner;
1258 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::CLEAR_USER_POLICY)] =
1259 &AccessTokenManagerStub::ClearUserPolicyInner;
1260 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_HAP_TOKENINFO_EXT)] =
1261 &AccessTokenManagerStub::GetHapTokenInfoExtensionInner;
1262 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_KERNEL_PERMISSIONS)] =
1263 &AccessTokenManagerStub::GetKernelPermissionsInner;
1264 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_PERMISSION_BY_NAME)] =
1265 &AccessTokenManagerStub::GetReqPermissionByNameInner;
1266 }
1267
SetPermissionOpFuncInMap()1268 void AccessTokenManagerStub::SetPermissionOpFuncInMap()
1269 {
1270 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_USER_GRANTED_PERMISSION_USED_TYPE)] =
1271 &AccessTokenManagerStub::GetPermissionUsedTypeInner;
1272 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::VERIFY_ACCESSTOKEN)] =
1273 &AccessTokenManagerStub::VerifyAccessTokenInner;
1274 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::VERIFY_ACCESSTOKEN_WITH_LIST)] =
1275 &AccessTokenManagerStub::VerifyAccessTokenWithListInner;
1276 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_DEF_PERMISSION)] =
1277 &AccessTokenManagerStub::GetDefPermissionInner;
1278 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_REQ_PERMISSIONS)] =
1279 &AccessTokenManagerStub::GetReqPermissionsInner;
1280 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_PERMISSION_FLAG)] =
1281 &AccessTokenManagerStub::GetPermissionFlagInner;
1282 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GRANT_PERMISSION)] =
1283 &AccessTokenManagerStub::GrantPermissionInner;
1284 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::REVOKE_PERMISSION)] =
1285 &AccessTokenManagerStub::RevokePermissionInner;
1286 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GRANT_PERMISSION_FOR_SPECIFIEDTIME)] =
1287 &AccessTokenManagerStub::GrantPermissionForSpecifiedTimeInner;
1288 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::CLEAR_USER_GRANT_PERMISSION)] =
1289 &AccessTokenManagerStub::ClearUserGrantedPermissionStateInner;
1290 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_PERMISSION_OPER_STATE)] =
1291 &AccessTokenManagerStub::GetSelfPermissionsStateInner;
1292 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_PERMISSIONS_STATUS)] =
1293 &AccessTokenManagerStub::GetPermissionsStatusInner;
1294 requestFuncMap_[
1295 static_cast<uint32_t>(AccessTokenInterfaceCode::REGISTER_PERM_STATE_CHANGE_CALLBACK)] =
1296 &AccessTokenManagerStub::RegisterPermStateChangeCallbackInner;
1297 requestFuncMap_[
1298 static_cast<uint32_t>(AccessTokenInterfaceCode::UNREGISTER_PERM_STATE_CHANGE_CALLBACK)] =
1299 &AccessTokenManagerStub::UnRegisterPermStateChangeCallbackInner;
1300 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::DUMP_TOKENINFO)] =
1301 &AccessTokenManagerStub::DumpTokenInfoInner;
1302 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_VERSION)] =
1303 &AccessTokenManagerStub::GetVersionInner;
1304 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::SET_PERMISSION_REQUEST_TOGGLE_STATUS)] =
1305 &AccessTokenManagerStub::SetPermissionRequestToggleStatusInner;
1306 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::GET_PERMISSION_REQUEST_TOGGLE_STATUS)] =
1307 &AccessTokenManagerStub::GetPermissionRequestToggleStatusInner;
1308 requestFuncMap_[
1309 static_cast<uint32_t>(AccessTokenInterfaceCode::REGISTER_SELF_PERM_STATE_CHANGE_CALLBACK)] =
1310 &AccessTokenManagerStub::RegisterSelfPermStateChangeCallbackInner;
1311 requestFuncMap_[
1312 static_cast<uint32_t>(AccessTokenInterfaceCode::UNREGISTER_SELF_PERM_STATE_CHANGE_CALLBACK)] =
1313 &AccessTokenManagerStub::UnRegisterSelfPermStateChangeCallbackInner;
1314 requestFuncMap_[static_cast<uint32_t>(AccessTokenInterfaceCode::REQUEST_APP_PERM_ON_SETTING)] =
1315 &AccessTokenManagerStub::RequestAppPermOnSettingInner;
1316 }
1317
AccessTokenManagerStub()1318 AccessTokenManagerStub::AccessTokenManagerStub()
1319 {
1320 SetPermissionOpFuncInMap();
1321 SetLocalTokenOpFuncInMap();
1322 #ifdef TOKEN_SYNC_ENABLE
1323 SetTokenSyncFuncInMap();
1324 #endif
1325 }
1326
~AccessTokenManagerStub()1327 AccessTokenManagerStub::~AccessTokenManagerStub()
1328 {
1329 requestFuncMap_.clear();
1330 }
1331 } // namespace AccessToken
1332 } // namespace Security
1333 } // namespace OHOS
1334