1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_manager.h"
17
18 #include "accesstoken_kit.h"
19 #include "access_token.h"
20 #include "dm_anonymous.h"
21 #include "dm_constants.h"
22 #include "dm_log.h"
23 #include "ipc_skeleton.h"
24 #include "tokenid_kit.h"
25
26 using namespace OHOS::Security::AccessToken;
27
28 namespace OHOS {
29 namespace DistributedHardware {
30 DM_IMPLEMENT_SINGLE_INSTANCE(PermissionManager);
31 namespace {
32 constexpr const char* DM_SERVICE_ACCESS_PERMISSION = "ohos.permission.ACCESS_SERVICE_DM";
33 constexpr const char* DM_SERVICE_ACCESS_NEWPERMISSION = "ohos.permission.DISTRIBUTED_DATASYNC";
34 constexpr const char* DM_MONITOR_DEVICE_NETWORK_STATE_PERMISSION = "ohos.permission.MONITOR_DEVICE_NETWORK_STATE";
35 constexpr int32_t AUTH_CODE_WHITE_LIST_NUM = 6;
36 constexpr const static char* g_authCodeWhiteList[AUTH_CODE_WHITE_LIST_NUM] = {
37 "com.huawei.msdp.hmringgenerator",
38 "com.huawei.msdp.hmringdiscriminator",
39 "CollaborationFwk",
40 "wear_link_service",
41 "watch_system_service",
42 "cast_engine_service",
43 };
44
45 constexpr int32_t PIN_HOLDER_WHITE_LIST_NUM = 1;
46 constexpr const static char* g_pinHolderWhiteList[PIN_HOLDER_WHITE_LIST_NUM] = {
47 "CollaborationFwk",
48 };
49
50 constexpr int32_t SYSTEM_SA_WHITE_LIST_NUM = 8;
51 constexpr const static char* SYSTEM_SA_WHITE_LIST[SYSTEM_SA_WHITE_LIST_NUM] = {
52 "Samgr_Networking",
53 "ohos.distributeddata.service",
54 "ohos.dslm",
55 "ohos.deviceprofile",
56 "distributed_bundle_framework",
57 "ohos.dhardware",
58 "ohos.security.distributed_access_token",
59 "ohos.storage.distributedfile.daemon",
60 };
61
62 constexpr uint32_t SETDNPOLICY_WHITE_LIST_NUM = 4;
63 constexpr const static char* g_setDnPolicyWhiteList[SETDNPOLICY_WHITE_LIST_NUM] = {
64 "collaboration_service",
65 "watch_system_service",
66 "com.huawei.hmos.walletservice",
67 "com.ohos.distributedjstest",
68 };
69
70 constexpr uint32_t GETDEVICEINFO_WHITE_LIST_NUM = 2;
71 constexpr const static char* g_getDeviceInfoWhiteList[GETDEVICEINFO_WHITE_LIST_NUM] = {
72 "gameservice_server",
73 "com.huawei.hmos.slassistant",
74 };
75 constexpr int32_t MODIFY_LOCAL_DEVICE_NAME_WHITE_LIST_NUM = 1;
76 constexpr const static char* g_modifyLocalDeviceNameWhiteList[MODIFY_LOCAL_DEVICE_NAME_WHITE_LIST_NUM] = {
77 "com.huawei.hmos.settings",
78 };
79 constexpr int32_t MODIFY_REMOTE_DEVICE_NAME_WHITE_LIST_NUM = 1;
80 constexpr const static char* g_modifyRemoteDeviceNameWhiteList[MODIFY_REMOTE_DEVICE_NAME_WHITE_LIST_NUM] = {
81 "com.ohos.settings",
82 };
83
84 constexpr int32_t PUT_DEVICE_PROFILE_INFO_LIST_WHITE_LIST_NUM = 2;
85 constexpr const static char* g_putDeviceProfileInfoListWhiteList[PUT_DEVICE_PROFILE_INFO_LIST_WHITE_LIST_NUM] = {
86 "com.huawei.hmos.ailifesvc",
87 "com.huawei.hmos.tvcooperation",
88 };
89 }
90
CheckPermission(void)91 bool PermissionManager::CheckPermission(void)
92 {
93 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
94 if (tokenCaller == 0) {
95 LOGE("CheckPermission GetCallingTokenID error.");
96 return false;
97 }
98 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
99 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP || tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
100 if (AccessTokenKit::VerifyAccessToken(tokenCaller, DM_SERVICE_ACCESS_PERMISSION) !=
101 PermissionState::PERMISSION_GRANTED) {
102 LOGE("DM service access is denied, please apply for corresponding permissions");
103 return false;
104 }
105 }
106 return true;
107 }
108
CheckNewPermission(void)109 bool PermissionManager::CheckNewPermission(void)
110 {
111 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
112 if (tokenCaller == 0) {
113 LOGE("CheckNewPermission GetCallingTokenID error.");
114 return false;
115 }
116 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
117 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP || tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
118 if (AccessTokenKit::VerifyAccessToken(tokenCaller, DM_SERVICE_ACCESS_NEWPERMISSION) !=
119 PermissionState::PERMISSION_GRANTED) {
120 LOGE("DM service access is denied, please apply for corresponding new permissions");
121 return false;
122 }
123 }
124 return true;
125 }
126
CheckMonitorPermission(void)127 bool PermissionManager::CheckMonitorPermission(void)
128 {
129 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
130 if (tokenCaller == 0) {
131 LOGE("CheckMonitorPermission GetCallingTokenID error.");
132 return false;
133 }
134 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
135 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
136 if (AccessTokenKit::VerifyAccessToken(tokenCaller, DM_MONITOR_DEVICE_NETWORK_STATE_PERMISSION) !=
137 PermissionState::PERMISSION_GRANTED) {
138 LOGE("DM service access is denied, please apply for corresponding permissions.");
139 return false;
140 }
141 }
142 return true;
143 }
144
GetCallerProcessName(std::string & processName)145 int32_t PermissionManager::GetCallerProcessName(std::string &processName)
146 {
147 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
148 if (tokenCaller == 0) {
149 LOGE("GetCallerProcessName GetCallingTokenID error.");
150 return ERR_DM_FAILED;
151 }
152 LOGI("GetCallerProcessName::tokenCaller ID == %{public}s", GetAnonyInt32(tokenCaller).c_str());
153 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
154 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP) {
155 HapTokenInfo tokenInfo;
156 if (AccessTokenKit::GetHapTokenInfo(tokenCaller, tokenInfo) != EOK) {
157 LOGE("GetHapTokenInfo failed.");
158 return ERR_DM_FAILED;
159 }
160 processName = std::move(tokenInfo.bundleName);
161 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
162 if (!OHOS::Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
163 LOGE("GetCallerProcessName %{public}s not system hap.", processName.c_str());
164 return ERR_DM_FAILED;
165 }
166 } else if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
167 NativeTokenInfo tokenInfo;
168 if (AccessTokenKit::GetNativeTokenInfo(tokenCaller, tokenInfo) != EOK) {
169 LOGE("GetNativeTokenInfo failed.");
170 return ERR_DM_FAILED;
171 }
172 processName = std::move(tokenInfo.processName);
173 } else {
174 LOGE("GetCallerProcessName failed, unsupported process.");
175 return ERR_DM_FAILED;
176 }
177
178 LOGI("Get process name: %{public}s success.", processName.c_str());
179 return DM_OK;
180 }
181
CheckProcessNameValidOnAuthCode(const std::string & processName)182 bool PermissionManager::CheckProcessNameValidOnAuthCode(const std::string &processName)
183 {
184 LOGI("Enter PermissionManager::CheckProcessNameValidOnAuthCode");
185 if (processName.empty()) {
186 LOGE("ProcessName is empty");
187 return false;
188 }
189
190 uint16_t index = 0;
191 for (; index < AUTH_CODE_WHITE_LIST_NUM; ++index) {
192 std::string tmp(g_authCodeWhiteList[index]);
193 if (processName == tmp) {
194 return true;
195 }
196 }
197
198 LOGE("CheckProcessNameValidOnAuthCode process name: %{public}s invalid.", processName.c_str());
199 return false;
200 }
201
CheckProcessNameValidOnPinHolder(const std::string & processName)202 bool PermissionManager::CheckProcessNameValidOnPinHolder(const std::string &processName)
203 {
204 LOGI("Enter PermissionManager::CheckProcessNameValidOnPinHolder");
205 if (processName.empty()) {
206 LOGE("ProcessName is empty");
207 return false;
208 }
209
210 uint16_t index = 0;
211 for (; index < PIN_HOLDER_WHITE_LIST_NUM; ++index) {
212 std::string tmp(g_pinHolderWhiteList[index]);
213 if (processName == tmp) {
214 return true;
215 }
216 }
217
218 LOGE("CheckProcessNameValidOnPinHolder process name: %{public}s invalid.", processName.c_str());
219 return false;
220 }
221
CheckWhiteListSystemSA(const std::string & pkgName)222 bool PermissionManager::CheckWhiteListSystemSA(const std::string &pkgName)
223 {
224 for (uint16_t index = 0; index < SYSTEM_SA_WHITE_LIST_NUM; ++index) {
225 std::string tmp(SYSTEM_SA_WHITE_LIST[index]);
226 if (pkgName == tmp) {
227 return true;
228 }
229 }
230 return false;
231 }
232
GetWhiteListSystemSA()233 std::unordered_set<std::string> PermissionManager::GetWhiteListSystemSA()
234 {
235 std::unordered_set<std::string> systemSA;
236 for (uint16_t index = 0; index < SYSTEM_SA_WHITE_LIST_NUM; ++index) {
237 std::string tmp(SYSTEM_SA_WHITE_LIST[index]);
238 systemSA.insert(tmp);
239 }
240 return systemSA;
241 }
242
CheckSystemSA(const std::string & pkgName)243 bool PermissionManager::CheckSystemSA(const std::string &pkgName)
244 {
245 LOGI("Get calling tokenID.");
246 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
247 if (tokenCaller == 0) {
248 LOGE("CheckMonitorPermission GetCallingTokenID error.");
249 return false;
250 }
251 LOGI("Get token type flag.");
252 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
253 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
254 return true;
255 }
256 return false;
257 }
258
CheckProcessNameValidOnSetDnPolicy(const std::string & processName)259 bool PermissionManager::CheckProcessNameValidOnSetDnPolicy(const std::string &processName)
260 {
261 if (processName.empty()) {
262 LOGE("ProcessName is empty");
263 return false;
264 }
265 uint16_t index = 0;
266 for (; index < SETDNPOLICY_WHITE_LIST_NUM; ++index) {
267 std::string tmp(g_setDnPolicyWhiteList[index]);
268 if (processName == tmp) {
269 return true;
270 }
271 }
272
273 LOGE("Process name: %{public}s invalid.", processName.c_str());
274 return false;
275 }
276
CheckProcessNameValidOnGetDeviceInfo(const std::string & processName)277 bool PermissionManager::CheckProcessNameValidOnGetDeviceInfo(const std::string &processName)
278 {
279 if (processName.empty()) {
280 LOGE("ProcessName is empty");
281 return false;
282 }
283 uint16_t index = 0;
284 for (; index < GETDEVICEINFO_WHITE_LIST_NUM; ++index) {
285 std::string tmp(g_getDeviceInfoWhiteList[index]);
286 if (processName == tmp) {
287 return true;
288 }
289 }
290
291 LOGE("Process name: %{public}s invalid.", processName.c_str());
292 return false;
293 }
294
CheckProcessNameValidModifyLocalDeviceName(const std::string & processName)295 bool PermissionManager::CheckProcessNameValidModifyLocalDeviceName(const std::string &processName)
296 {
297 if (processName.empty()) {
298 LOGE("ProcessName is empty");
299 return false;
300 }
301 uint16_t index = 0;
302 for (; index < MODIFY_LOCAL_DEVICE_NAME_WHITE_LIST_NUM; ++index) {
303 std::string tmp(g_modifyLocalDeviceNameWhiteList[index]);
304 if (processName == tmp) {
305 return true;
306 }
307 }
308
309 LOGE("Process name: %{public}s invalid.", processName.c_str());
310 return false;
311 }
312
CheckProcessNameValidModifyRemoteDeviceName(const std::string & processName)313 bool PermissionManager::CheckProcessNameValidModifyRemoteDeviceName(const std::string &processName)
314 {
315 if (processName.empty()) {
316 LOGE("ProcessName is empty");
317 return false;
318 }
319 uint16_t index = 0;
320 for (; index < MODIFY_REMOTE_DEVICE_NAME_WHITE_LIST_NUM; ++index) {
321 std::string tmp(g_modifyRemoteDeviceNameWhiteList[index]);
322 if (processName == tmp) {
323 return true;
324 }
325 }
326
327 LOGE("Process name: %{public}s invalid.", processName.c_str());
328 return false;
329 }
330
CheckProcessNameValidPutDeviceProfileInfoList(const std::string & processName)331 bool PermissionManager::CheckProcessNameValidPutDeviceProfileInfoList(const std::string &processName)
332 {
333 if (processName.empty()) {
334 LOGE("ProcessName is empty");
335 return false;
336 }
337 uint16_t index = 0;
338 for (; index < PUT_DEVICE_PROFILE_INFO_LIST_WHITE_LIST_NUM; ++index) {
339 std::string tmp(g_putDeviceProfileInfoListWhiteList[index]);
340 if (processName == tmp) {
341 return true;
342 }
343 }
344
345 LOGE("Process name: %{public}s invalid.", processName.c_str());
346 return false;
347 }
348 } // namespace DistributedHardware
349 } // namespace OHOS
350