1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "sec_comp_manager.h"
16
17 #include "bundle_mgr_client.h"
18 #include "delay_exit_task.h"
19 #include "display.h"
20 #include "display_info.h"
21 #include "display_manager.h"
22 #include "hisysevent.h"
23 #include "i_sec_comp_service.h"
24 #include "ipc_skeleton.h"
25 #include "iservice_registry.h"
26 #include "sec_comp_enhance_adapter.h"
27 #include "sec_comp_err.h"
28 #include "sec_comp_info.h"
29 #include "sec_comp_info_helper.h"
30 #include "sec_comp_log.h"
31
32 namespace OHOS {
33 namespace Security {
34 namespace SecurityComponent {
35 namespace {
36 constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_SECURITY_COMPONENT, "SecCompManager"};
37 static constexpr int32_t SC_ID_START = 1000;
38 static constexpr int32_t MAX_INT_NUM = 0x7fffffff;
39 static constexpr int32_t MAX_SINGLE_PROC_COMP_SIZE = 500;
40 static constexpr unsigned long REPORT_REMOTE_OBJECT_SIZE = 2UL;
41 static std::mutex g_instanceMutex;
42 const std::string START_DIALOG = "start dialog, onclick will be trap after dialog closed.";
43 }
44
SecCompManager()45 SecCompManager::SecCompManager()
46 {
47 scIdStart_ = SC_ID_START;
48 }
49
GetInstance()50 SecCompManager& SecCompManager::GetInstance()
51 {
52 static SecCompManager* instance = nullptr;
53 if (instance == nullptr) {
54 std::lock_guard<std::mutex> lock(g_instanceMutex);
55 if (instance == nullptr) {
56 instance = new SecCompManager();
57 }
58 }
59 return *instance;
60 }
61
CreateScId()62 int32_t SecCompManager::CreateScId()
63 {
64 std::lock_guard<std::mutex> lock(scIdMtx_);
65 if (scIdStart_ == MAX_INT_NUM) {
66 scIdStart_ = SC_ID_START;
67 } else {
68 scIdStart_++;
69 }
70 return scIdStart_;
71 }
72
AddSecurityComponentToList(int32_t pid,AccessToken::AccessTokenID tokenId,std::shared_ptr<SecCompEntity> newEntity)73 int32_t SecCompManager::AddSecurityComponentToList(int32_t pid,
74 AccessToken::AccessTokenID tokenId, std::shared_ptr<SecCompEntity> newEntity)
75 {
76 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->componentInfoLock_);
77 if (isSaExit_) {
78 SC_LOG_ERROR(LABEL, "SA is exiting, retry...");
79 return SC_SERVICE_ERROR_SERVICE_NOT_EXIST;
80 }
81
82 auto iter = componentMap_.find(pid);
83 if (iter != componentMap_.end()) {
84 if (iter->second.compList.size() > MAX_SINGLE_PROC_COMP_SIZE) {
85 SC_LOG_ERROR(LABEL, "single proccess has too many component.");
86 return SC_SERVICE_ERROR_VALUE_INVALID;
87 }
88 iter->second.isForeground = true;
89 iter->second.compList.emplace_back(newEntity);
90 SecCompEnhanceAdapter::EnableInputEnhance();
91 DelayExitTask::GetInstance().Stop();
92 return SC_OK;
93 }
94
95 ProcessCompInfos newProcess;
96 newProcess.isForeground = true;
97 newProcess.tokenId = tokenId;
98 newProcess.compList.emplace_back(newEntity);
99 componentMap_[pid] = newProcess;
100 SecCompEnhanceAdapter::EnableInputEnhance();
101 DelayExitTask::GetInstance().Stop();
102 return SC_OK;
103 }
104
DeleteSecurityComponentFromList(int32_t pid,int32_t scId)105 int32_t SecCompManager::DeleteSecurityComponentFromList(int32_t pid, int32_t scId)
106 {
107 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->componentInfoLock_);
108 auto iter = componentMap_.find(pid);
109 if (iter == componentMap_.end()) {
110 SC_LOG_ERROR(LABEL, "Can not find registered process");
111 return SC_SERVICE_ERROR_COMPONENT_NOT_EXIST;
112 }
113 auto& list = iter->second.compList;
114 for (auto it = list.begin(); it != list.end(); ++it) {
115 std::shared_ptr<SecCompEntity> sc = *it;
116 if (sc == nullptr) {
117 SC_LOG_ERROR(LABEL, "Secomp entity is nullptr");
118 continue;
119 }
120 if (sc->scId_ == scId) {
121 list.erase(it);
122 if (!IsForegroundCompExist()) {
123 SecCompEnhanceAdapter::DisableInputEnhance();
124 }
125 DelayExitTask::GetInstance().Start();
126 return SC_OK;
127 }
128 }
129 SC_LOG_ERROR(LABEL, "Can not find component");
130 return SC_SERVICE_ERROR_COMPONENT_NOT_EXIST;
131 }
132
TransformCallBackResult(enum SCErrCode error)133 static std::string TransformCallBackResult(enum SCErrCode error)
134 {
135 std::string errMsg = "";
136 switch (error) {
137 case SC_ENHANCE_ERROR_NOT_EXIST_ENHANCE:
138 errMsg = "enhance do not exist";
139 break;
140 case SC_ENHANCE_ERROR_VALUE_INVALID:
141 errMsg = "value is invalid";
142 break;
143 case SC_ENHANCE_ERROR_CALLBACK_NOT_EXIST:
144 errMsg = "callback do not exist";
145 break;
146 case SC_ENHANCE_ERROR_CALLBACK_OPER_FAIL:
147 errMsg = "callback operate fail";
148 break;
149 case SC_SERVICE_ERROR_COMPONENT_INFO_INVALID:
150 errMsg = "component info invalid";
151 break;
152 case SC_ENHANCE_ERROR_CALLBACK_CHECK_FAIL:
153 errMsg = "callback check fail";
154 break;
155 default:
156 errMsg = "unknown error";
157 break;
158 }
159 return errMsg;
160 }
161
GetSecurityComponentFromList(int32_t pid,int32_t scId)162 std::shared_ptr<SecCompEntity> SecCompManager::GetSecurityComponentFromList(int32_t pid, int32_t scId)
163 {
164 auto iter = componentMap_.find(pid);
165 if (iter == componentMap_.end()) {
166 return nullptr;
167 }
168 auto& list = iter->second.compList;
169 for (auto it = list.begin(); it != list.end(); ++it) {
170 std::shared_ptr<SecCompEntity> sc = *it;
171 if (sc == nullptr) {
172 SC_LOG_ERROR(LABEL, "Secomp entity is nullptr");
173 continue;
174 }
175 if (sc->scId_ == scId) {
176 return *it;
177 }
178 }
179 return nullptr;
180 }
181
IsForegroundCompExist()182 bool SecCompManager::IsForegroundCompExist()
183 {
184 return std::any_of(componentMap_.begin(), componentMap_.end(), [](const auto & iter) {
185 return (iter.second.isForeground) && (iter.second.compList.size() > 0);
186 });
187 }
188
IsCompExist()189 bool SecCompManager::IsCompExist()
190 {
191 return std::any_of(componentMap_.begin(), componentMap_.end(), [](const auto & iter) {
192 return (iter.second.compList.size() > 0);
193 });
194 }
195
NotifyProcessForeground(int32_t pid)196 void SecCompManager::NotifyProcessForeground(int32_t pid)
197 {
198 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->componentInfoLock_);
199 auto iter = componentMap_.find(pid);
200 if (iter == componentMap_.end()) {
201 return;
202 }
203 SecCompPermManager::GetInstance().CancelAppRevokingPermisions(iter->second.tokenId);
204 iter->second.isForeground = true;
205 if (IsForegroundCompExist()) {
206 SecCompEnhanceAdapter::EnableInputEnhance();
207 }
208
209 SC_LOG_INFO(LABEL, "App pid %{public}d to foreground", pid);
210 }
211
NotifyProcessBackground(int32_t pid)212 void SecCompManager::NotifyProcessBackground(int32_t pid)
213 {
214 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->componentInfoLock_);
215 auto iter = componentMap_.find(pid);
216 if (iter == componentMap_.end()) {
217 return;
218 }
219
220 SecCompPermManager::GetInstance().RevokeAppPermisionsDelayed(iter->second.tokenId);
221 iter->second.isForeground = false;
222 if (!IsForegroundCompExist()) {
223 SecCompEnhanceAdapter::DisableInputEnhance();
224 }
225 SC_LOG_INFO(LABEL, "App pid %{public}d to background", pid);
226 }
227
NotifyProcessDied(int32_t pid,bool isProcessCached)228 void SecCompManager::NotifyProcessDied(int32_t pid, bool isProcessCached)
229 {
230 if (!isProcessCached) {
231 // notify enhance process died.
232 SecCompEnhanceAdapter::NotifyProcessDied(pid);
233 malicious_.RemoveAppFromMaliciousAppList(pid);
234 }
235 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->componentInfoLock_);
236 auto iter = componentMap_.find(pid);
237 if (iter == componentMap_.end()) {
238 return;
239 }
240
241 FirstUseDialog::GetInstance().RemoveDialogWaitEntitys(pid);
242
243 SC_LOG_INFO(LABEL, "App pid %{public}d died", pid);
244 iter->second.compList.clear();
245 SecCompPermManager::GetInstance().RevokeAppPermissions(iter->second.tokenId);
246 SecCompPermManager::GetInstance().RevokeTempSavePermission(iter->second.tokenId);
247 componentMap_.erase(pid);
248
249 if (!IsForegroundCompExist()) {
250 SecCompEnhanceAdapter::DisableInputEnhance();
251 }
252
253 DelayExitTask::GetInstance().Start();
254 }
255
ExitSaProcess()256 void SecCompManager::ExitSaProcess()
257 {
258 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->componentInfoLock_);
259 if (IsCompExist()) {
260 SC_LOG_INFO(LABEL, "Apps using security component still exist, no exit sa");
261 return;
262 }
263
264 isSaExit_ = true;
265 SecCompEnhanceAdapter::DisableInputEnhance();
266 SecCompEnhanceAdapter::ExitEnhanceService();
267
268 SC_LOG_INFO(LABEL, "All processes using security component died, start sa exit");
269 auto systemAbilityMgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
270 if (systemAbilityMgr == nullptr) {
271 SC_LOG_ERROR(LABEL, "Failed to get SystemAbilityManager.");
272 return;
273 }
274 int32_t ret = systemAbilityMgr->UnloadSystemAbility(SA_ID_SECURITY_COMPONENT_SERVICE);
275 if (ret != SC_OK) {
276 SC_LOG_ERROR(LABEL, "Failed to UnloadSystemAbility service! errcode=%{public}d", ret);
277 return;
278 }
279 SC_LOG_INFO(LABEL, "UnloadSystemAbility successfully!");
280 }
281
ExitWhenAppMgrDied()282 void SecCompManager::ExitWhenAppMgrDied()
283 {
284 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->componentInfoLock_);
285 for (auto iter = componentMap_.begin(); iter != componentMap_.end(); ++iter) {
286 iter->second.compList.clear();
287 SecCompPermManager::GetInstance().RevokeAppPermissions(iter->second.tokenId);
288 SecCompPermManager::GetInstance().RevokeTempSavePermission(iter->second.tokenId);
289 }
290 componentMap_.clear();
291
292 // no need exit enhance service, only disable input enhance.
293 SecCompEnhanceAdapter::DisableInputEnhance();
294 isSaExit_ = true;
295
296 SC_LOG_INFO(LABEL, "app mgr died, start sa exit");
297 auto systemAbilityMgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
298 if (systemAbilityMgr == nullptr) {
299 SC_LOG_ERROR(LABEL, "failed to get SystemAbilityManager.");
300 return;
301 }
302 int32_t ret = systemAbilityMgr->UnloadSystemAbility(SA_ID_SECURITY_COMPONENT_SERVICE);
303 if (ret != SC_OK) {
304 SC_LOG_ERROR(LABEL, "failed to UnloadSystemAbility service! errcode=%{public}d", ret);
305 return;
306 }
307 SC_LOG_INFO(LABEL, "UnloadSystemAbility successfully!");
308 }
309
SendCheckInfoEnhanceSysEvent(int32_t scId,SecCompType type,const std::string & scene,int32_t res)310 void SecCompManager::SendCheckInfoEnhanceSysEvent(int32_t scId,
311 SecCompType type, const std::string& scene, int32_t res)
312 {
313 int32_t uid = IPCSkeleton::GetCallingUid();
314 OHOS::AppExecFwk::BundleMgrClient bmsClient;
315 std::string bundleName = "";
316 bmsClient.GetNameForUid(uid, bundleName);
317 if (res == SC_ENHANCE_ERROR_CHALLENGE_CHECK_FAIL) {
318 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SEC_COMPONENT, "CHALLENGE_CHECK_FAILED",
319 HiviewDFX::HiSysEvent::EventType::SECURITY, "CALLER_UID", uid, "CALLER_BUNDLE_NAME", bundleName,
320 "CALLER_PID", IPCSkeleton::GetCallingPid(), "SC_ID", scId, "SC_TYPE", type, "CALL_SCENE",
321 scene);
322 } else {
323 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SEC_COMPONENT, "CALLBACK_FAILED",
324 HiviewDFX::HiSysEvent::EventType::SECURITY, "CALLER_UID", uid, "CALLER_BUNDLE_NAME", bundleName,
325 "CALLER_PID", IPCSkeleton::GetCallingPid(), "SC_TYPE", type,
326 "CALL_SCENE", scene, "REASON", TransformCallBackResult(static_cast<enum SCErrCode>(res)));
327 }
328 }
329
AddSecurityComponentProcess(const SecCompCallerInfo & caller)330 int32_t SecCompManager::AddSecurityComponentProcess(const SecCompCallerInfo& caller)
331 {
332 DelayExitTask::GetInstance().Stop();
333 {
334 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->componentInfoLock_);
335 if (isSaExit_) {
336 SC_LOG_ERROR(LABEL, "SA is exiting, retry...");
337 return SC_SERVICE_ERROR_SERVICE_NOT_EXIST;
338 }
339
340 auto iter = componentMap_.find(caller.pid);
341 if (iter == componentMap_.end()) {
342 ProcessCompInfos newProcess;
343 newProcess.isForeground = true;
344 newProcess.tokenId = caller.tokenId;
345 componentMap_[caller.pid] = newProcess;
346 }
347 SecCompEnhanceAdapter::EnableInputEnhance();
348 }
349 SecCompEnhanceAdapter::AddSecurityComponentProcess(caller.pid);
350 return SC_OK;
351 }
352
RegisterSecurityComponent(SecCompType type,const nlohmann::json & jsonComponent,const SecCompCallerInfo & caller,int32_t & scId)353 int32_t SecCompManager::RegisterSecurityComponent(SecCompType type,
354 const nlohmann::json& jsonComponent, const SecCompCallerInfo& caller, int32_t& scId)
355 {
356 SC_LOG_DEBUG(LABEL, "PID: %{public}d, register security component", caller.pid);
357 if (malicious_.IsInMaliciousAppList(caller.pid, caller.uid)) {
358 SC_LOG_ERROR(LABEL, "app is in MaliciousAppList, never allow it");
359 return SC_ENHANCE_ERROR_IN_MALICIOUS_LIST;
360 }
361
362 std::string message;
363 SecCompBase* componentPtr = SecCompInfoHelper::ParseComponent(type, jsonComponent, message);
364 std::shared_ptr<SecCompBase> component(componentPtr);
365 if (component == nullptr) {
366 SC_LOG_ERROR(LABEL, "Parse component info invalid");
367 int32_t uid = IPCSkeleton::GetCallingUid();
368 OHOS::AppExecFwk::BundleMgrClient bmsClient;
369 std::string bundleName = "";
370 bmsClient.GetNameForUid(uid, bundleName);
371 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SEC_COMPONENT, "COMPONENT_INFO_CHECK_FAILED",
372 HiviewDFX::HiSysEvent::EventType::SECURITY, "CALLER_UID", uid, "CALLER_BUNDLE_NAME", bundleName,
373 "CALLER_PID", IPCSkeleton::GetCallingPid(), "SC_ID", scId, "CALL_SCENE", "REGITSTER", "SC_TYPE", type);
374 return SC_SERVICE_ERROR_COMPONENT_INFO_INVALID;
375 }
376
377 int32_t enhanceRes =
378 SecCompEnhanceAdapter::CheckComponentInfoEnhance(caller.pid, component, jsonComponent);
379 if (enhanceRes != SC_OK) {
380 SendCheckInfoEnhanceSysEvent(INVALID_SC_ID, type, "REGISTER", enhanceRes);
381 SC_LOG_ERROR(LABEL, "enhance check failed");
382 malicious_.AddAppToMaliciousAppList(caller.pid);
383 return enhanceRes;
384 }
385
386 int32_t registerId = CreateScId();
387 std::shared_ptr<SecCompEntity> entity =
388 std::make_shared<SecCompEntity>(component, caller.tokenId, registerId, caller.pid, caller.uid);
389 int32_t ret = AddSecurityComponentToList(caller.pid, caller.tokenId, entity);
390 if (ret == SC_OK) {
391 scId = registerId;
392 } else {
393 SC_LOG_ERROR(LABEL, "Register security component failed");
394 scId = INVALID_SC_ID;
395 }
396 return ret;
397 }
398
UpdateSecurityComponent(int32_t scId,const nlohmann::json & jsonComponent,const SecCompCallerInfo & caller)399 int32_t SecCompManager::UpdateSecurityComponent(int32_t scId, const nlohmann::json& jsonComponent,
400 const SecCompCallerInfo& caller)
401 {
402 SC_LOG_DEBUG(LABEL, "PID: %{public}d, update security component", caller.pid);
403 if (malicious_.IsInMaliciousAppList(caller.pid, caller.uid)) {
404 SC_LOG_ERROR(LABEL, "app is in MaliciousAppList, never allow it");
405 return SC_ENHANCE_ERROR_IN_MALICIOUS_LIST;
406 }
407
408 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->componentInfoLock_);
409 std::shared_ptr<SecCompEntity> sc = GetSecurityComponentFromList(caller.pid, scId);
410 if (sc == nullptr) {
411 SC_LOG_ERROR(LABEL, "Can not find target component");
412 return SC_SERVICE_ERROR_COMPONENT_NOT_EXIST;
413 }
414 std::string message;
415 SecCompBase* report = SecCompInfoHelper::ParseComponent(sc->GetType(), jsonComponent, message);
416 std::shared_ptr<SecCompBase> reportComponentInfo(report);
417 if (reportComponentInfo == nullptr) {
418 SC_LOG_ERROR(LABEL, "Update component info invalid");
419 int32_t uid = IPCSkeleton::GetCallingUid();
420 OHOS::AppExecFwk::BundleMgrClient bmsClient;
421 std::string bundleName = "";
422 bmsClient.GetNameForUid(uid, bundleName);
423 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SEC_COMPONENT, "COMPONENT_INFO_CHECK_FAILED",
424 HiviewDFX::HiSysEvent::EventType::SECURITY, "CALLER_UID", uid, "CALLER_BUNDLE_NAME", bundleName,
425 "CALLER_PID", IPCSkeleton::GetCallingPid(), "SC_ID", scId, "CALL_SCENE", "UPDATE",
426 "SC_TYPE", sc->GetType());
427 return SC_SERVICE_ERROR_COMPONENT_INFO_INVALID;
428 }
429
430 int32_t enhanceRes =
431 SecCompEnhanceAdapter::CheckComponentInfoEnhance(caller.pid, reportComponentInfo, jsonComponent);
432 if (enhanceRes != SC_OK) {
433 SendCheckInfoEnhanceSysEvent(scId, sc->GetType(), "UPDATE", enhanceRes);
434 SC_LOG_ERROR(LABEL, "enhance check failed");
435 malicious_.AddAppToMaliciousAppList(caller.pid);
436 return enhanceRes;
437 }
438
439 sc->componentInfo_ = reportComponentInfo;
440 return SC_OK;
441 }
442
UnregisterSecurityComponent(int32_t scId,const SecCompCallerInfo & caller)443 int32_t SecCompManager::UnregisterSecurityComponent(int32_t scId, const SecCompCallerInfo& caller)
444 {
445 SC_LOG_DEBUG(LABEL, "PID: %{public}d, unregister security component", caller.pid);
446 if (scId < 0) {
447 SC_LOG_ERROR(LABEL, "ScId is invalid");
448 return SC_SERVICE_ERROR_VALUE_INVALID;
449 }
450 return DeleteSecurityComponentFromList(caller.pid, scId);
451 }
452
CheckClickSecurityComponentInfo(std::shared_ptr<SecCompEntity> sc,int32_t scId,const nlohmann::json & jsonComponent,const SecCompCallerInfo & caller,std::string & message)453 int32_t SecCompManager::CheckClickSecurityComponentInfo(std::shared_ptr<SecCompEntity> sc, int32_t scId,
454 const nlohmann::json& jsonComponent, const SecCompCallerInfo& caller, std::string& message)
455 {
456 SC_LOG_DEBUG(LABEL, "PID: %{public}d, Check security component", caller.pid);
457 SecCompBase* report = SecCompInfoHelper::ParseComponent(sc->GetType(), jsonComponent, message, true);
458 std::shared_ptr<SecCompBase> reportComponentInfo(report);
459 int32_t uid = IPCSkeleton::GetCallingUid();
460 OHOS::AppExecFwk::BundleMgrClient bmsClient;
461 std::string bundleName = "";
462 bmsClient.GetNameForUid(uid, bundleName);
463 if ((reportComponentInfo == nullptr) || (!reportComponentInfo->GetValid())) {
464 SC_LOG_ERROR(LABEL, "report component info invalid");
465 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SEC_COMPONENT, "COMPONENT_INFO_CHECK_FAILED",
466 HiviewDFX::HiSysEvent::EventType::SECURITY, "CALLER_UID", uid, "CALLER_BUNDLE_NAME", bundleName,
467 "CALLER_PID", IPCSkeleton::GetCallingPid(), "SC_ID", scId, "CALL_SCENE", "CLICK", "SC_TYPE",
468 sc->GetType());
469 return SC_SERVICE_ERROR_COMPONENT_INFO_INVALID;
470 }
471 if (report && (report->isClipped_ || report->hasNonCompatileChange_)) {
472 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SEC_COMPONENT, "CLIP_CHECK_FAILED",
473 HiviewDFX::HiSysEvent::EventType::SECURITY,
474 "CALLER_BUNDLE_NAME", bundleName, "COMPONENT_INFO", jsonComponent.dump().c_str());
475 }
476
477 SecCompInfoHelper::ScreenInfo screenInfo = {
478 .displayId = report->displayId_,
479 .crossAxisState = report->crossAxisState_,
480 .isWearable = report->isWearableDevice_
481 };
482
483 if ((!SecCompInfoHelper::CheckRectValid(reportComponentInfo->rect_, reportComponentInfo->windowRect_,
484 screenInfo, message))) {
485 SC_LOG_ERROR(LABEL, "compare component info failed.");
486 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SEC_COMPONENT, "COMPONENT_INFO_CHECK_FAILED",
487 HiviewDFX::HiSysEvent::EventType::SECURITY, "CALLER_UID", uid, "CALLER_BUNDLE_NAME", bundleName,
488 "CALLER_PID", IPCSkeleton::GetCallingPid(), "SC_ID", scId, "CALL_SCENE", "CLICK", "SC_TYPE",
489 sc->GetType());
490 return SC_SERVICE_ERROR_COMPONENT_INFO_INVALID;
491 }
492 int32_t enhanceRes =
493 SecCompEnhanceAdapter::CheckComponentInfoEnhance(caller.pid, reportComponentInfo, jsonComponent);
494 if (enhanceRes != SC_OK) {
495 SendCheckInfoEnhanceSysEvent(scId, sc->GetType(), "CLICK", enhanceRes);
496 SC_LOG_ERROR(LABEL, "enhance check failed");
497 malicious_.AddAppToMaliciousAppList(caller.pid);
498 return enhanceRes;
499 }
500
501 sc->componentInfo_ = reportComponentInfo;
502 return SC_OK;
503 }
504
ReportEvent(std::string eventName,HiviewDFX::HiSysEvent::EventType eventType,int32_t scId,SecCompType scType)505 static void ReportEvent(std::string eventName, HiviewDFX::HiSysEvent::EventType eventType, int32_t scId,
506 SecCompType scType)
507 {
508 int32_t uid = IPCSkeleton::GetCallingUid();
509 OHOS::AppExecFwk::BundleMgrClient bmsClient;
510 std::string bundleName = "";
511 bmsClient.GetNameForUid(uid, bundleName);
512 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SEC_COMPONENT, eventName,
513 eventType, "CALLER_UID", uid, "CALLER_BUNDLE_NAME", bundleName,
514 "CALLER_PID", IPCSkeleton::GetCallingPid(), "SC_ID", scId, "SC_TYPE", scType);
515 }
516
GetFoldOffsetY(const CrossAxisState crossAxisState)517 void SecCompManager::GetFoldOffsetY(const CrossAxisState crossAxisState)
518 {
519 if (crossAxisState == CrossAxisState::STATE_INVALID) {
520 return;
521 }
522 if (superFoldOffsetY_ != 0) {
523 return;
524 }
525 auto foldCreaseRegion = OHOS::Rosen::DisplayManager::GetInstance().GetCurrentFoldCreaseRegion();
526 if (foldCreaseRegion == nullptr) {
527 SC_LOG_ERROR(LABEL, "foldCreaseRegion is nullptr");
528 return;
529 }
530 const auto& creaseRects = foldCreaseRegion->GetCreaseRects();
531 if (creaseRects.empty()) {
532 SC_LOG_ERROR(LABEL, "creaseRects is empty");
533 return;
534 }
535 const auto& rect = creaseRects.front();
536 superFoldOffsetY_ = rect.height_ + rect.posY_;
537 SC_LOG_INFO(LABEL, "height: %{public}d, posY: %{public}d", rect.height_, rect.posY_);
538 }
539
ReportSecurityComponentClickEvent(SecCompInfo & info,const nlohmann::json & compJson,const SecCompCallerInfo & caller,const std::vector<sptr<IRemoteObject>> & remote,std::string & message)540 int32_t SecCompManager::ReportSecurityComponentClickEvent(SecCompInfo& info, const nlohmann::json& compJson,
541 const SecCompCallerInfo& caller, const std::vector<sptr<IRemoteObject>>& remote, std::string& message)
542 {
543 if (remote.size() < REPORT_REMOTE_OBJECT_SIZE) {
544 SC_LOG_ERROR(LABEL, "remote object size is invalid");
545 return SC_SERVICE_ERROR_VALUE_INVALID;
546 }
547 if (malicious_.IsInMaliciousAppList(caller.pid, caller.uid)) {
548 SC_LOG_ERROR(LABEL, "app is in MaliciousAppList, never allow it");
549 return SC_ENHANCE_ERROR_IN_MALICIOUS_LIST;
550 }
551
552 OHOS::Utils::UniqueReadGuard<OHOS::Utils::RWLock> lk(this->componentInfoLock_);
553 std::shared_ptr<SecCompEntity> sc = GetSecurityComponentFromList(caller.pid, info.scId);
554 if (sc == nullptr) {
555 SC_LOG_ERROR(LABEL, "Can not find target component");
556 return SC_SERVICE_ERROR_COMPONENT_NOT_EXIST;
557 }
558 int32_t res = CheckClickSecurityComponentInfo(sc, info.scId, compJson, caller, message);
559 if (res != SC_OK) {
560 return res;
561 }
562 SecCompBase* reportComponentInfo = SecCompInfoHelper::ParseComponent(sc->GetType(), compJson, message, true);
563 std::shared_ptr<SecCompBase> report(reportComponentInfo);
564 if (report == nullptr) {
565 return SC_SERVICE_ERROR_COMPONENT_INFO_INVALID;
566 }
567
568 GetFoldOffsetY(report->crossAxisState_);
569
570 res = sc->CheckClickInfo(info.clickInfo, superFoldOffsetY_, report->crossAxisState_, message);
571 if (res != SC_OK) {
572 ReportEvent("CLICK_INFO_CHECK_FAILED", HiviewDFX::HiSysEvent::EventType::SECURITY,
573 info.scId, sc->GetType());
574 if (res == SC_ENHANCE_ERROR_CLICK_EXTRA_CHECK_FAIL) {
575 malicious_.AddAppToMaliciousAppList(caller.pid);
576 }
577
578 return SC_SERVICE_ERROR_CLICK_EVENT_INVALID;
579 }
580
581 if (FirstUseDialog::GetInstance().NotifyFirstUseDialog(sc, remote[0], remote[1], report->displayId_,
582 report->crossAxisState_) == SC_SERVICE_ERROR_WAIT_FOR_DIALOG_CLOSE) {
583 SC_LOG_INFO(LABEL, "start dialog, onclick will be trap after dialog closed.");
584 return SC_SERVICE_ERROR_WAIT_FOR_DIALOG_CLOSE;
585 }
586
587 res = sc->GrantTempPermission();
588 if (res != SC_OK) {
589 ReportEvent("TEMP_GRANT_FAILED", HiviewDFX::HiSysEvent::EventType::FAULT, info.scId, sc->GetType());
590 return res;
591 }
592 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SEC_COMPONENT, "TEMP_GRANT_SUCCESS",
593 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "CALLER_UID", IPCSkeleton::GetCallingUid(),
594 "CALLER_PID", IPCSkeleton::GetCallingPid(), "SC_ID", info.scId, "SC_TYPE", sc->GetType());
595 return res;
596 }
597
DumpSecComp(std::string & dumpStr)598 void SecCompManager::DumpSecComp(std::string& dumpStr)
599 {
600 OHOS::Utils::UniqueReadGuard<OHOS::Utils::RWLock> lk(this->componentInfoLock_);
601 for (auto iter = componentMap_.begin(); iter != componentMap_.end(); ++iter) {
602 AccessToken::AccessTokenID tokenId = iter->second.tokenId;
603 bool locationPerm = SecCompPermManager::GetInstance().VerifyPermission(tokenId, LOCATION_COMPONENT);
604 bool pastePerm = SecCompPermManager::GetInstance().VerifyPermission(tokenId, PASTE_COMPONENT);
605 bool savePerm = SecCompPermManager::GetInstance().VerifyPermission(tokenId, SAVE_COMPONENT);
606 dumpStr.append("pid:" + std::to_string(iter->first) + ", tokenId:" + std::to_string(pastePerm) +
607 ", locationPerm:" + std::to_string(locationPerm) + ", pastePerm:" + std::to_string(pastePerm) +
608 ", savePerm:" + std::to_string(savePerm) + " \n");
609 for (auto compIter = iter->second.compList.begin(); compIter != iter->second.compList.end(); ++compIter) {
610 nlohmann::json json;
611 std::shared_ptr<SecCompEntity> sc = *compIter;
612 if (sc == nullptr || sc->componentInfo_ == nullptr) {
613 continue;
614 }
615
616 sc->componentInfo_->ToJson(json);
617 dumpStr.append(" scId:" + std::to_string(sc->scId_) +
618 ", isGrant:" + std::to_string(sc->IsGrant()) + ", " + json.dump() + "\n");
619 }
620 }
621 }
622
Initialize()623 bool SecCompManager::Initialize()
624 {
625 SC_LOG_DEBUG(LABEL, "Initialize!!");
626 SecCompEnhanceAdapter::StartEnhanceService();
627
628 secRunner_ = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
629 if (!secRunner_) {
630 SC_LOG_ERROR(LABEL, "failed to create a recvRunner.");
631 return false;
632 }
633
634 secHandler_ = std::make_shared<SecEventHandler>(secRunner_);
635 exitSaProcessFunc_ = []() {
636 SecCompManager::GetInstance().ExitSaProcess();
637 };
638 DelayExitTask::GetInstance().Init(secHandler_, exitSaProcessFunc_);
639 FirstUseDialog::GetInstance().Init(secHandler_);
640 SecCompEnhanceAdapter::EnableInputEnhance();
641 SecCompPermManager::GetInstance().InitEventHandler(secHandler_);
642 DelayExitTask::GetInstance().Start();
643
644 return true;
645 }
646 } // namespace SecurityComponent
647 } // namespace Security
648 } // namespace OHOS
649