1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "enterprise_device_mgr_ability.h"
17
18 #include <cstring>
19 #include <string_ex.h>
20 #include <thread>
21
22 #include "application_state_observer.h"
23 #include "bundle_info.h"
24 #include "clipboard_policy.h"
25 #include "common_event_manager.h"
26 #include "common_event_support.h"
27 #include "device_policies_storage_rdb.h"
28 #include "directory_ex.h"
29 #include "ipc_skeleton.h"
30 #include "iservice_registry.h"
31 #include "matching_skills.h"
32 #include "message_parcel.h"
33 #include "mock_session_manager_service_interface.h"
34 #include "parameters.h"
35 #include "system_ability.h"
36 #include "system_ability_definition.h"
37
38 #include "array_string_serializer.h"
39 #include "edm_constants.h"
40 #include "edm_data_ability_utils.h"
41 #include "edm_errors.h"
42 #include "edm_ipc_interface_code.h"
43 #include "edm_log.h"
44 #include "edm_sys_manager.h"
45 #include "enterprise_admin_connection.h"
46 #include "enterprise_bundle_connection.h"
47 #include "enterprise_conn_manager.h"
48 #include "func_code_utils.h"
49 #include "plugin_policy_reader.h"
50
51 #ifdef NET_MANAGER_BASE_EDM_ENABLE
52 #include "map_string_serializer.h"
53 #include "net_policy_client.h"
54 #endif
55 #ifdef USERIAM_EDM_ENABLE
56 #include "fingerprint_policy.h"
57 #include "fingerprint_policy_serializer.h"
58 #include "password_policy_serializer.h"
59 #include "usb_device_id.h"
60 #include "user_auth_client.h"
61 #endif
62
63 namespace OHOS {
64 namespace EDM {
65 const bool REGISTER_RESULT =
66 SystemAbility::MakeAndRegisterAbility(EnterpriseDeviceMgrAbility::GetInstance().GetRefPtr());
67
68 const std::string PERMISSION_UPDATE_SYSTEM = "ohos.permission.UPDATE_SYSTEM";
69 const std::string PERMISSION_GET_ADMINPROVISION_INFO = "ohos.permission.START_PROVISIONING_MESSAGE";
70 const std::string PARAM_EDM_ENABLE = "persist.edm.edm_enable";
71 const std::string PARAM_SECURITY_MODE = "ohos.boot.advsecmode.state";
72 const std::string SYSTEM_UPDATE_FOR_POLICY = "usual.event.DUE_SA_FIRMWARE_UPDATE_FOR_POLICY";
73 const std::string FIRMWARE_EVENT_INFO_NAME = "version";
74 const std::string FIRMWARE_EVENT_INFO_TYPE = "packageType";
75 const std::string FIRMWARE_EVENT_INFO_CHECK_TIME = "firstReceivedTime";
76 const std::string DEVELOP_MODE_STATE = "const.security.developermode.state";
77 const std::string EDM_ADMIN_ENABLED_EVENT = "com.ohos.edm.edmadminenabled";
78 const std::string EDM_ADMIN_DISABLED_EVENT = "com.ohos.edm.edmadmindisabled";
79 const std::string APP_TYPE_ENTERPRISE_MDM = "enterprise_mdm";
80 const std::string APP_TYPE_ENTERPRISE_NORMAL = "enterprise_normal";
81 const char* const KEY_EDM_DISPLAY = "com.enterprise.enterprise_device_manager_display";
82 const std::string DISALLOWED_UNINSTALL_POLICY = "disallowed_uninstall_bundles";
83
84 std::shared_mutex EnterpriseDeviceMgrAbility::dataLock_;
85 std::shared_mutex EnterpriseDeviceMgrAbility::adminLock_;
86
87 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::instance_;
88
89 constexpr int32_t TIMER_TIMEOUT = 360000; // 6 * 60 * 1000;
90 constexpr const char *WITHOUT_PERMISSION_TAG = "";
91 #ifndef EDM_FUZZ_TEST
92 const int EDM_UID = 3057;
93 #endif
94
AddCommonEventFuncMap()95 void EnterpriseDeviceMgrAbility::AddCommonEventFuncMap()
96 {
97 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_USER_ADDED] =
98 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
99 that->OnCommonEventUserAdded(data);
100 };
101 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_USER_SWITCHED] =
102 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
103 that->OnCommonEventUserSwitched(data);
104 };
105 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED] =
106 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
107 that->OnCommonEventUserRemoved(data);
108 };
109 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_ADDED] =
110 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
111 that->OnCommonEventPackageAdded(data);
112 };
113 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED] =
114 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
115 that->OnCommonEventPackageRemoved(data);
116 };
117 commonEventFuncMap_[SYSTEM_UPDATE_FOR_POLICY] =
118 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
119 that->OnCommonEventSystemUpdate(data);
120 };
121 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_CHANGED] =
122 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
123 that->OnCommonEventPackageChanged(data);
124 };
125 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_BUNDLE_SCAN_FINISHED] =
126 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
127 that->OnCommonEventBmsReady(data);
128 };
129 }
130
OnCommonEventSystemUpdate(const EventFwk::CommonEventData & data)131 void EnterpriseDeviceMgrAbility::OnCommonEventSystemUpdate(const EventFwk::CommonEventData &data)
132 {
133 EDMLOGI("OnCommonEventSystemUpdate");
134 UpdateInfo updateInfo;
135 updateInfo.version = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_NAME);
136 updateInfo.firstReceivedTime = data.GetWant().GetLongParam(FIRMWARE_EVENT_INFO_CHECK_TIME, 0);
137 updateInfo.packageType = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_TYPE);
138
139 ConnectAbilityOnSystemUpdate(updateInfo);
140 }
141
ConnectAbilityOnSystemUpdate(const UpdateInfo & updateInfo)142 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemUpdate(const UpdateInfo &updateInfo)
143 {
144 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
145 AdminManager::GetInstance()->GetAdminBySubscribeEvent(ManagedEvent::SYSTEM_UPDATE, subAdmins);
146 if (subAdmins.empty()) {
147 EDMLOGW("Get subscriber by common event failed.");
148 return;
149 }
150 AAFwk::Want want;
151 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
152 if (manager == nullptr) {
153 EDMLOGW("EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemUpdate EnterpriseConnManager null");
154 return;
155 }
156 for (const auto &subAdmin : subAdmins) {
157 for (const auto &it : subAdmin.second) {
158 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
159 sptr<IEnterpriseConnection> connection =
160 manager->CreateUpdateConnection(want, subAdmin.first, updateInfo);
161 manager->ConnectAbility(connection);
162 }
163 }
164 }
165
AddOnAddSystemAbilityFuncMap()166 void EnterpriseDeviceMgrAbility::AddOnAddSystemAbilityFuncMap()
167 {
168 addSystemAbilityFuncMap_[APP_MGR_SERVICE_ID] =
169 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
170 that->OnAppManagerServiceStart();
171 };
172 addSystemAbilityFuncMap_[COMMON_EVENT_SERVICE_ID] =
173 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
174 that->OnCommonEventServiceStart();
175 };
176 addSystemAbilityFuncMap_[ABILITY_MGR_SERVICE_ID] =
177 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
178 that->OnAbilityManagerServiceStart();
179 };
180 addSystemAbilityFuncMap_[WINDOW_MANAGER_SERVICE_ID] =
181 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
182 that->OnWindowManagerServiceStart();
183 };
184 #ifdef PASTEBOARD_EDM_ENABLE
185 addSystemAbilityFuncMap_[PASTEBOARD_SERVICE_ID] =
186 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
187 that->OnPasteboardServiceStart();
188 };
189 #endif
190 #ifdef NET_MANAGER_BASE_EDM_ENABLE
191 addSystemAbilityFuncMap_[COMM_NET_POLICY_MANAGER_SYS_ABILITY_ID] =
192 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
193 that->OnNetManagerBaseServiceStart();
194 };
195 #endif
196 #ifdef USB_EDM_ENABLE
197 addSystemAbilityFuncMap_[USB_SYSTEM_ABILITY_ID] =
198 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
199 that->OnUsbServiceStart();
200 };
201 #endif
202 addSystemAbilityFuncMap_[RENDER_SERVICE] =
203 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
204 that->OnRenderSystemStart();
205 };
206 }
207
208 #ifdef COMMON_EVENT_SERVICE_EDM_ENABLE
EnterpriseDeviceEventSubscriber(const EventFwk::CommonEventSubscribeInfo & subscribeInfo,EnterpriseDeviceMgrAbility & listener)209 EnterpriseDeviceEventSubscriber::EnterpriseDeviceEventSubscriber(
210 const EventFwk::CommonEventSubscribeInfo &subscribeInfo,
211 EnterpriseDeviceMgrAbility &listener) : EventFwk::CommonEventSubscriber(subscribeInfo), listener_(listener) {}
212
OnReceiveEvent(const EventFwk::CommonEventData & data)213 void EnterpriseDeviceEventSubscriber::OnReceiveEvent(const EventFwk::CommonEventData &data)
214 {
215 const std::string action = data.GetWant().GetAction();
216 EDMLOGI("EDM OnReceiveEvent get action: %{public}s", action.c_str());
217 auto func = listener_.commonEventFuncMap_.find(action);
218 if (func != listener_.commonEventFuncMap_.end()) {
219 auto commonEventFunc = func->second;
220 if (commonEventFunc != nullptr) {
221 return commonEventFunc(&listener_, data);
222 }
223 } else {
224 EDMLOGW("OnReceiveEvent action is invalid");
225 }
226 }
227
CreateEnterpriseDeviceEventSubscriber(EnterpriseDeviceMgrAbility & listener)228 std::shared_ptr<EventFwk::CommonEventSubscriber> EnterpriseDeviceMgrAbility::CreateEnterpriseDeviceEventSubscriber(
229 EnterpriseDeviceMgrAbility &listener)
230 {
231 EventFwk::MatchingSkills skill = EventFwk::MatchingSkills();
232 AddCommonEventFuncMap();
233 for (auto &item : commonEventFuncMap_) {
234 if (item.first == SYSTEM_UPDATE_FOR_POLICY) {
235 continue;
236 }
237 skill.AddEvent(item.first);
238 EDMLOGI("CreateEnterpriseDeviceEventSubscriber AddEvent: %{public}s", item.first.c_str());
239 }
240 EventFwk::CommonEventSubscribeInfo info(skill);
241 return std::make_shared<EnterpriseDeviceEventSubscriber>(info, listener);
242 }
243 #endif
244
OnCommonEventUserAdded(const EventFwk::CommonEventData & data)245 void EnterpriseDeviceMgrAbility::OnCommonEventUserAdded(const EventFwk::CommonEventData &data)
246 {
247 int userIdToAdd = data.GetCode();
248 if (userIdToAdd < 0) {
249 EDMLOGE("EnterpriseDeviceMgrAbility OnCommonEventUserAdded error userid:%{public}d", userIdToAdd);
250 return;
251 }
252 EDMLOGI("EnterpriseDeviceMgrAbility OnCommonEventUserAdded %{public}d", userIdToAdd);
253 ConnectAbilityOnSystemAccountEvent(userIdToAdd, ManagedEvent::USER_ADDED);
254 }
255
OnCommonEventUserSwitched(const EventFwk::CommonEventData & data)256 void EnterpriseDeviceMgrAbility::OnCommonEventUserSwitched(const EventFwk::CommonEventData &data)
257 {
258 int userIdToSwitch = data.GetCode();
259 if (userIdToSwitch < 0) {
260 EDMLOGE("EnterpriseDeviceMgrAbility OnCommonEventUserSwitched error userid:%{public}d", userIdToSwitch);
261 return;
262 }
263 EDMLOGI("EnterpriseDeviceMgrAbility OnCommonEventUserSwitched %{public}d", userIdToSwitch);
264 ConnectAbilityOnSystemAccountEvent(userIdToSwitch, ManagedEvent::USER_SWITCHED);
265 }
266
OnCommonEventUserRemoved(const EventFwk::CommonEventData & data)267 void EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved(const EventFwk::CommonEventData &data)
268 {
269 int userIdToRemove = data.GetCode();
270 if (userIdToRemove < 0) {
271 EDMLOGE("EnterpriseDeviceMgrAbility OnCommonEventUserRemoved error userid:%{public}d", userIdToRemove);
272 return;
273 }
274 EDMLOGI("OnCommonEventUserRemoved");
275 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
276 // include super admin, need to be removed
277 std::vector<std::shared_ptr<Admin>> userAdmin;
278 AdminManager::GetInstance()->GetAdminByUserId(userIdToRemove, userAdmin);
279 for (auto &item : userAdmin) {
280 if (FAILED(RemoveAdminAndAdminPolicy(item->adminInfo_.packageName_, userIdToRemove))) {
281 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved remove admin failed packagename = %{public}s",
282 item->adminInfo_.packageName_.c_str());
283 }
284 }
285 std::vector<std::shared_ptr<Admin>> subAndSuperAdmin;
286 AdminManager::GetInstance()->GetAdminByUserId(EdmConstants::DEFAULT_USER_ID, subAndSuperAdmin);
287 for (const auto &subAdmin : subAndSuperAdmin) {
288 if ((subAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN || subAdmin->GetAdminType() == AdminType::ENT ||
289 subAdmin->GetAdminType() == AdminType::VIRTUAL_ADMIN) &&
290 FAILED(RemoveAdminAndAdminPolicy(subAdmin->adminInfo_.packageName_, userIdToRemove))) {
291 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved: remove sub and super admin policy failed.");
292 }
293 }
294 ConnectAbilityOnSystemAccountEvent(userIdToRemove, ManagedEvent::USER_REMOVED);
295 }
296
OnCommonEventPackageAdded(const EventFwk::CommonEventData & data)297 void EnterpriseDeviceMgrAbility::OnCommonEventPackageAdded(const EventFwk::CommonEventData &data)
298 {
299 EDMLOGI("OnCommonEventPackageAdded");
300 AAFwk::Want want = data.GetWant();
301 std::string bundleName = want.GetElement().GetBundleName();
302 int32_t userId = want.GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
303 if (userId == AppExecFwk::Constants::INVALID_USERID) {
304 EDMLOGE("OnCommonEventPackageAdded get INVALID_USERID");
305 return;
306 }
307 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_ADDED, userId);
308 }
309
UpdateClipboardInfo(const std::string & bundleName,int32_t userId)310 void EnterpriseDeviceMgrAbility::UpdateClipboardInfo(const std::string &bundleName, int32_t userId)
311 {
312 EDMLOGI("OnCommonEventPackageRemoved UpdateClipboardInfo");
313 std::vector<std::shared_ptr<Admin>> admins;
314 AdminManager::GetInstance()->GetAdmins(admins, EdmConstants::DEFAULT_USER_ID);
315 for (const auto& admin : admins) {
316 std::uint32_t funcCode =
317 POLICY_FUNC_CODE((std::uint32_t)FuncOperateType::SET, EdmInterfaceCode::CLIPBOARD_POLICY);
318 MessageParcel reply;
319 MessageParcel data;
320 data.WriteString(WITHOUT_PERMISSION_TAG);
321 data.WriteInt32(ClipboardFunctionType::SET_HAS_BUNDLE_NAME);
322 data.WriteString(bundleName);
323 data.WriteInt32(userId);
324 data.WriteInt32(static_cast<int32_t>(ClipboardPolicy::DEFAULT));
325 OHOS::AppExecFwk::ElementName elementName;
326 elementName.SetBundleName(admin->adminInfo_.packageName_);
327 elementName.SetAbilityName(admin->adminInfo_.className_);
328 HandleDevicePolicy(funcCode, elementName, data, reply, EdmConstants::DEFAULT_USER_ID);
329 }
330 }
331
OnCommonEventPackageRemoved(const EventFwk::CommonEventData & data)332 void EnterpriseDeviceMgrAbility::OnCommonEventPackageRemoved(const EventFwk::CommonEventData &data)
333 {
334 EDMLOGI("OnCommonEventPackageRemoved");
335 std::string bundleName = data.GetWant().GetElement().GetBundleName();
336 int32_t userId = data.GetWant().GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
337 if (userId == AppExecFwk::Constants::INVALID_USERID) {
338 EDMLOGE("OnCommonEventPackageRemoved get INVALID_USERID");
339 return;
340 }
341 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
342 std::shared_ptr<Admin> admin = AdminManager::GetInstance()->GetAdminByPkgName(bundleName, userId);
343 if (admin != nullptr) {
344 if (admin->adminInfo_.adminType_ == AdminType::NORMAL) {
345 RemoveAdminAndAdminPolicy(bundleName, userId);
346 }
347 if ((admin->adminInfo_.adminType_ == AdminType::SUB_SUPER_ADMIN ||
348 admin->adminInfo_.adminType_ == AdminType::VIRTUAL_ADMIN) && userId == EdmConstants::DEFAULT_USER_ID) {
349 // remove sub super admin and sub super admin policy
350 RemoveSubSuperAdminAndAdminPolicy(bundleName);
351 }
352 if (admin->adminInfo_.adminType_ == AdminType::ENT && userId == EdmConstants::DEFAULT_USER_ID) {
353 // remove super admin and super admin policy
354 RemoveSuperAdminAndAdminPolicy(bundleName);
355 }
356 if (admin->adminInfo_.adminType_ == AdminType::BYOD && userId == EdmConstants::DEFAULT_USER_ID) {
357 RemoveAdminAndAdminPolicy(bundleName, userId);
358 }
359 if (!AdminManager::GetInstance()->IsAdminExist()) {
360 system::SetParameter(PARAM_EDM_ENABLE, "false");
361 NotifyAdminEnabled(false);
362 }
363 }
364 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_REMOVED, userId);
365 autoLock.unlock();
366 UpdateClipboardInfo(bundleName, userId);
367 }
368
OnCommonEventPackageChanged(const EventFwk::CommonEventData & data)369 void EnterpriseDeviceMgrAbility::OnCommonEventPackageChanged(const EventFwk::CommonEventData &data)
370 {
371 EDMLOGI("OnCommonEventPackageChanged");
372 std::string bundleName = data.GetWant().GetElement().GetBundleName();
373 int32_t userId = data.GetWant().GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
374 std::shared_ptr<Admin> admin = AdminManager::GetInstance()->GetAdminByPkgName(bundleName, userId);
375 if (admin != nullptr && admin->GetAdminType() == AdminType::ENT) {
376 OnAdminEnabled(admin->adminInfo_.packageName_, admin->adminInfo_.className_,
377 IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, userId, false);
378 }
379 }
380
OnCommonEventBmsReady(const EventFwk::CommonEventData & data)381 void EnterpriseDeviceMgrAbility::OnCommonEventBmsReady(const EventFwk::CommonEventData &data)
382 {
383 EDMLOGI("OnCommonEventBmsReady");
384 ConnectEnterpriseAbility();
385 }
386
OnAdminEnabled(const std::string & bundleName,const std::string & abilityName,uint32_t code,int32_t userId,bool isAdminEnabled)387 bool EnterpriseDeviceMgrAbility::OnAdminEnabled(const std::string &bundleName, const std::string &abilityName,
388 uint32_t code, int32_t userId, bool isAdminEnabled)
389 {
390 AAFwk::Want connectWant;
391 connectWant.SetElementName(bundleName, abilityName);
392 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
393 sptr<IEnterpriseConnection> connection = manager->CreateAdminConnection(connectWant, code, userId, isAdminEnabled);
394 return manager->ConnectAbility(connection);
395 }
396
ConnectAbilityOnSystemAccountEvent(const int32_t accountId,ManagedEvent event)397 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemAccountEvent(const int32_t accountId, ManagedEvent event)
398 {
399 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
400 AdminManager::GetInstance()->GetAdminBySubscribeEvent(event, subAdmins);
401 if (subAdmins.empty()) {
402 EDMLOGW("SystemEventSubscriber Get subscriber by common event failed.");
403 return;
404 }
405 AAFwk::Want want;
406 for (const auto &subAdmin : subAdmins) {
407 for (const auto &it : subAdmin.second) {
408 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
409 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
410 int32_t currentUserId = GetCurrentUserId();
411 if (currentUserId < 0) {
412 return;
413 }
414 sptr<IEnterpriseConnection> connection =
415 manager->CreateAccountConnection(want, static_cast<uint32_t>(event), currentUserId, accountId);
416 manager->ConnectAbility(connection);
417 }
418 }
419 }
420
ConnectAbilityOnSystemEvent(const std::string & bundleName,ManagedEvent event,int32_t userId)421 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemEvent(const std::string &bundleName,
422 ManagedEvent event, int32_t userId)
423 {
424 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
425 AdminManager::GetInstance()->GetAdminBySubscribeEvent(event, subAdmins);
426 if (subAdmins.empty()) {
427 EDMLOGW("Get subscriber by common event failed.");
428 return;
429 }
430 AAFwk::Want want;
431 for (const auto &subAdmin : subAdmins) {
432 for (const auto &it : subAdmin.second) {
433 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
434 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
435 sptr<IEnterpriseConnection> connection =
436 manager->CreateBundleConnection(want, static_cast<uint32_t>(event), subAdmin.first, bundleName, userId);
437 manager->ConnectAbility(connection);
438 }
439 }
440 }
441
NotifyAdminEnabled(bool isEnabled)442 void EnterpriseDeviceMgrAbility::NotifyAdminEnabled(bool isEnabled)
443 {
444 EDMLOGI("EnterpriseDeviceMgrAbility notify admin enabled: %{public}d.", isEnabled);
445 AAFwk::Want want;
446 if (isEnabled) {
447 want.SetAction(EDM_ADMIN_ENABLED_EVENT);
448 } else {
449 want.SetAction(EDM_ADMIN_DISABLED_EVENT);
450 }
451 EventFwk::CommonEventData eventData;
452 eventData.SetWant(want);
453 if (!EventFwk::CommonEventManager::PublishCommonEvent(eventData)) {
454 EDMLOGE("EnterpriseDeviceMgrAbility notify admin enabled failed.");
455 }
456 }
457
GetInstance()458 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::GetInstance()
459 {
460 if (instance_ == nullptr) {
461 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
462 if (instance_ == nullptr) {
463 EDMLOGD("EnterpriseDeviceMgrAbility:GetInstance instance = new EnterpriseDeviceMgrAbility()");
464 instance_ = new (std::nothrow) EnterpriseDeviceMgrAbility();
465 }
466 }
467 return instance_;
468 }
469
EnterpriseDeviceMgrAbility()470 EnterpriseDeviceMgrAbility::EnterpriseDeviceMgrAbility() : SystemAbility(ENTERPRISE_DEVICE_MANAGER_SA_ID, true)
471 {
472 EDMLOGI("EnterpriseDeviceMgrAbility:new instance");
473 }
474
~EnterpriseDeviceMgrAbility()475 EnterpriseDeviceMgrAbility::~EnterpriseDeviceMgrAbility()
476 {
477 instance_ = nullptr;
478
479 if (AdminManager::GetInstance()) {
480 AdminManager::GetInstance().reset();
481 }
482
483 if (pluginMgr_) {
484 pluginMgr_.reset();
485 }
486
487 if (policyMgr_) {
488 policyMgr_.reset();
489 }
490 EDMLOGD("instance is destroyed");
491 }
492
Dump(int32_t fd,const std::vector<std::u16string> & args)493 int32_t EnterpriseDeviceMgrAbility::Dump(int32_t fd, const std::vector<std::u16string> &args)
494 {
495 EDMLOGI("EnterpriseDeviceMgrAbility::Dump");
496 if (fd < 0) {
497 EDMLOGE("Dump fd invalid");
498 return ERR_EDM_DUMP_FAILED;
499 }
500 std::string result;
501 result.append("Ohos enterprise device manager service: \n");
502 std::vector<std::string> enabledAdminList;
503 GetEnabledAdmin(AdminType::NORMAL, enabledAdminList);
504 if (enabledAdminList.empty()) {
505 result.append("There is no admin enabled\n");
506 } else {
507 result.append("Enabled admin exist :\n");
508 for (const auto &enabledAdmin : enabledAdminList) {
509 result.append(enabledAdmin);
510 result.append("\n");
511 }
512 }
513 int32_t ret = dprintf(fd, "%s", result.c_str());
514 if (ret < 0) {
515 EDMLOGE("dprintf to dump fd failed");
516 return ERR_EDM_DUMP_FAILED;
517 }
518 return ERR_OK;
519 }
520
OnStart()521 void EnterpriseDeviceMgrAbility::OnStart()
522 {
523 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
524 EDMLOGD("EnterpriseDeviceMgrAbility::OnStart() Publish");
525 InitAllAdmins();
526 InitAllPolices();
527 RemoveAllDebugAdmin();
528 if (!registerToService_) {
529 if (!Publish(this)) {
530 EDMLOGE("EnterpriseDeviceMgrAbility: res == false");
531 return;
532 }
533 registerToService_ = true;
534 }
535 AddOnAddSystemAbilityFuncMap();
536 AddSystemAbilityListeners();
537 CheckAndUpdateByodSettingsData();
538 }
539
CheckAndUpdateByodSettingsData()540 void EnterpriseDeviceMgrAbility::CheckAndUpdateByodSettingsData()
541 {
542 if (AdminManager::GetInstance()->IsByodAdminExist()) {
543 EDMLOGD("CheckAndUpdateByodSettingsData:byod exist.");
544 std::string data = "false";
545 EdmDataAbilityUtils::GetStringFromSettingsDataShare(KEY_EDM_DISPLAY, data);
546 if (data == "false") {
547 EdmDataAbilityUtils::UpdateSettingsData(KEY_EDM_DISPLAY, "true");
548 }
549 }
550 }
551
InitAllAdmins()552 void EnterpriseDeviceMgrAbility::InitAllAdmins()
553 {
554 AdminManager::GetInstance()->Init();
555 EDMLOGD("create AdminManager::GetInstance() success");
556 }
557
InitAllPlugins()558 void EnterpriseDeviceMgrAbility::InitAllPlugins()
559 {
560 std::unique_lock<std::shared_mutex> autoLock(dataLock_);
561 if (!pluginMgr_) {
562 pluginMgr_ = PluginManager::GetInstance();
563 }
564 EDMLOGD("create pluginMgr_ success");
565 lastCallTime_ = std::chrono::system_clock::now();
566 if (pluginHasInit_) {
567 std::unique_lock<std::mutex> lock(waitMutex_);
568 notifySignal_ = true;
569 waitSignal_.notify_one();
570 } else {
571 pluginMgr_->LoadPlugin();
572 pluginHasInit_ = true;
573 std::thread timerThread([this]() {
574 this->UnloadPluginTask();
575 });
576 timerThread.detach();
577 }
578 }
579
UnloadPluginTask()580 void EnterpriseDeviceMgrAbility::UnloadPluginTask()
581 {
582 while (pluginHasInit_) {
583 {
584 std::unique_lock<std::mutex> lock(waitMutex_);
585 notifySignal_ = false;
586 waitSignal_.wait_for(lock, std::chrono::milliseconds(TIMER_TIMEOUT), [this] {
587 return this->notifySignal_;
588 });
589 }
590 std::unique_lock<std::shared_mutex> autoLock(dataLock_);
591 auto now = std::chrono::system_clock::now();
592 auto diffTime = std::chrono::duration_cast<std::chrono::milliseconds>(now - lastCallTime_).count();
593 if (diffTime >= std::chrono::milliseconds(TIMER_TIMEOUT).count()) {
594 if (pluginMgr_) {
595 pluginMgr_->UnloadPlugin();
596 }
597 pluginHasInit_ = false;
598 }
599 }
600 }
601
InitAllPolices()602 void EnterpriseDeviceMgrAbility::InitAllPolices()
603 {
604 if (!policyMgr_) {
605 policyMgr_ = std::make_shared<PolicyManager>();
606 IPolicyManager::policyManagerInstance_ = policyMgr_.get();
607 }
608 std::vector<int32_t> userIds;
609 auto devicePolicies = DevicePoliciesStorageRdb::GetInstance();
610 if (devicePolicies == nullptr) {
611 EDMLOGW("OnAddSystemAbility::InitAllPolices:get rdbStore failed.");
612 return;
613 }
614 EDMLOGI("InitAllPolices userIds size %{public}zu", userIds.size());
615 devicePolicies->QueryAllUserId(userIds);
616 policyMgr_->Init(userIds);
617 allowDelegatedPolicies_ = { "disallow_add_local_account", "disallow_add_os_account_by_user",
618 "disallow_running_bundles", "manage_auto_start_apps", "allowed_bluetooth_devices", "set_browser_policies",
619 "allowed_install_bundles", "disallowed_install_bundles", "disallowed_uninstall_bundles", "snapshot_skip",
620 "location_policy", "disabled_network_interface", "global_proxy", "disabled_bluetooth",
621 "disallow_modify_datetime", "disabled_printer", "policy_screen_shot", "disabled_hdc", "disable_microphone",
622 "fingerprint_auth", "disable_usb", "disable_wifi", "disallowed_tethering", "inactive_user_freeze",
623 "password_policy", "clipboard_policy", "ntp_server", "set_update_policy", "notify_upgrade_packages",
624 "allowed_usb_devices", "usb_read_only", "disallowed_usb_devices", "get_device_info", "watermark_image_policy",
625 "policy_screen_record" };
626 }
627
RemoveAllDebugAdmin()628 void EnterpriseDeviceMgrAbility::RemoveAllDebugAdmin()
629 {
630 bool isDebug = system::GetBoolParameter(DEVELOP_MODE_STATE, false);
631 if (!isDebug) {
632 std::vector<std::shared_ptr<Admin>> userAdmin;
633 AdminManager::GetInstance()->GetAdminByUserId(EdmConstants::DEFAULT_USER_ID, userAdmin);
634 for (const auto &item: userAdmin) {
635 if (item->adminInfo_.isDebug_) {
636 EDMLOGD("remove debug admin %{public}s", item->adminInfo_.packageName_.c_str());
637 RemoveSuperAdminAndAdminPolicy(item->adminInfo_.packageName_);
638 }
639 }
640 }
641 }
642
AddSystemAbilityListeners()643 void EnterpriseDeviceMgrAbility::AddSystemAbilityListeners()
644 {
645 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
646 AddSystemAbilityListener(APP_MGR_SERVICE_ID);
647 AddSystemAbilityListener(ABILITY_MGR_SERVICE_ID);
648 AddSystemAbilityListener(SUBSYS_USERIAM_SYS_ABILITY_USERAUTH);
649 AddSystemAbilityListener(WINDOW_MANAGER_SERVICE_ID);
650 #ifdef PASTEBOARD_EDM_ENABLE
651 AddSystemAbilityListener(PASTEBOARD_SERVICE_ID);
652 #endif
653 #ifdef NET_MANAGER_BASE_EDM_ENABLE
654 AddSystemAbilityListener(COMM_NET_POLICY_MANAGER_SYS_ABILITY_ID);
655 #endif
656 #ifdef USB_EDM_ENABLE
657 AddSystemAbilityListener(USB_SYSTEM_ABILITY_ID);
658 #endif
659 AddSystemAbilityListener(RENDER_SERVICE);
660 }
661
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)662 void EnterpriseDeviceMgrAbility::OnAddSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
663 {
664 EDMLOGD("OnAddSystemAbility systemAbilityId:%{public}d added!", systemAbilityId);
665 auto func = addSystemAbilityFuncMap_.find(systemAbilityId);
666 if (func != addSystemAbilityFuncMap_.end()) {
667 auto memberFunc = func->second;
668 if (memberFunc != nullptr) {
669 return memberFunc(this, systemAbilityId, deviceId);
670 }
671 }
672 }
673
OnAppManagerServiceStart()674 void EnterpriseDeviceMgrAbility::OnAppManagerServiceStart()
675 {
676 EDMLOGI("OnAppManagerServiceStart");
677 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
678 AdminManager::GetInstance()->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
679 AdminManager::GetInstance()->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
680 if (!subAdmins.empty()) {
681 EDMLOGI("the admin that listened the APP_START or APP_STOP event is existed");
682 SubscribeAppState();
683 }
684 }
685
OnAbilityManagerServiceStart()686 void EnterpriseDeviceMgrAbility::OnAbilityManagerServiceStart()
687 {
688 EDMLOGI("OnAbilityManagerServiceStart");
689 ConnectEnterpriseAbility();
690 }
691
ConnectEnterpriseAbility()692 void EnterpriseDeviceMgrAbility::ConnectEnterpriseAbility()
693 {
694 auto superAdmin = AdminManager::GetInstance()->GetSuperAdmin();
695 if (superAdmin != nullptr && !hasConnect_) {
696 hasConnect_ = OnAdminEnabled(superAdmin->adminInfo_.packageName_, superAdmin->adminInfo_.className_,
697 IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, EdmConstants::DEFAULT_USER_ID, false);
698 }
699 }
700
OnCommonEventServiceStart()701 void EnterpriseDeviceMgrAbility::OnCommonEventServiceStart()
702 {
703 #ifdef COMMON_EVENT_SERVICE_EDM_ENABLE
704 commonEventSubscriber = CreateEnterpriseDeviceEventSubscriber(*this);
705 EventFwk::CommonEventManager::SubscribeCommonEvent(this->commonEventSubscriber);
706 EDMLOGI("create commonEventSubscriber success");
707
708 EventFwk::MatchingSkills skill = EventFwk::MatchingSkills();
709 skill.AddEvent(SYSTEM_UPDATE_FOR_POLICY);
710 EDMLOGI("CreateEnterpriseDeviceEventSubscriber AddEvent: %{public}s", SYSTEM_UPDATE_FOR_POLICY.c_str());
711 EventFwk::CommonEventSubscribeInfo info(skill);
712 info.SetPermission(PERMISSION_UPDATE_SYSTEM);
713 EventFwk::CommonEventManager::SubscribeCommonEvent(std::make_shared<EnterpriseDeviceEventSubscriber>(info, *this));
714 #else
715 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventServiceStart Unsupported Capabilities.");
716 return;
717 #endif
718 }
719
720 #ifdef PASTEBOARD_EDM_ENABLE
OnPasteboardServiceStart()721 void EnterpriseDeviceMgrAbility::OnPasteboardServiceStart()
722 {
723 EDMLOGI("OnPasteboardServiceStart");
724 std::string policyData;
725 policyMgr_->GetPolicy("", "clipboard_policy", policyData, EdmConstants::DEFAULT_USER_ID);
726 auto clipboardSerializer_ = ClipboardSerializer::GetInstance();
727 std::map<int32_t, ClipboardInfo> policyMap;
728 clipboardSerializer_->Deserialize(policyData, policyMap);
729 ClipboardUtils::HandlePasteboardPolicy(policyMap);
730 }
731 #endif
732
733 #ifdef NET_MANAGER_BASE_EDM_ENABLE
OnNetManagerBaseServiceStart()734 void EnterpriseDeviceMgrAbility::OnNetManagerBaseServiceStart()
735 {
736 EDMLOGI("EnterpriseDeviceMgrAbility::OnNetManagerBaseServiceStart");
737 std::string policyData;
738 policyMgr_->GetPolicy("", "disabled_network_interface", policyData, EdmConstants::DEFAULT_USER_ID);
739 std::map<std::string, std::string> policyMap;
740 MapStringSerializer::GetInstance()->Deserialize(policyData, policyMap);
741 HandleDisallowedNetworkInterface(policyMap);
742 }
743
HandleDisallowedNetworkInterface(const std::map<std::string,std::string> policyMap)744 void EnterpriseDeviceMgrAbility::HandleDisallowedNetworkInterface(const std::map<std::string, std::string> policyMap)
745 {
746 std::vector<std::string> netList;
747 for (const auto& iter : policyMap) {
748 netList.emplace_back(iter.first);
749 EDMLOGD("HandleDisallowedNetworkInterface %{public}s", iter.first.c_str());
750 }
751 auto netPolicyClient = DelayedSingleton<NetManagerStandard::NetPolicyClient>::GetInstance();
752 if (netPolicyClient != nullptr) {
753 if (FAILED(netPolicyClient->SetNicTrafficAllowed(netList, false))) {
754 EDMLOGE("EnterpriseDeviceMgrAbility::HandleDisallowedNetworkInterface SetNicTrafficAllowed failed.");
755 } else {
756 EDMLOGE("EnterpriseDeviceMgrAbility::HandleDisallowedNetworkInterface get NetPolicyClient failed.");
757 }
758 }
759 }
760 #endif
761
762 #ifdef USERIAM_EDM_ENABLE
OnUserAuthFrameworkStart()763 void EnterpriseDeviceMgrAbility::OnUserAuthFrameworkStart()
764 {
765 EDMLOGI("OnUserAuthFrameworkStart");
766 SetPasswordPolicy();
767 SetFingerprintPolicy();
768 }
769
SetPasswordPolicy()770 void EnterpriseDeviceMgrAbility::SetPasswordPolicy()
771 {
772 std::string policyData;
773 policyMgr_->GetPolicy("", "password_policy", policyData, EdmConstants::DEFAULT_USER_ID);
774 auto serializer_ = PasswordSerializer::GetInstance();
775 PasswordPolicy policy;
776 serializer_->Deserialize(policyData, policy);
777 UserIam::UserAuth::GlobalConfigParam param;
778 param.type = UserIam::UserAuth::GlobalConfigType::PIN_EXPIRED_PERIOD;
779 param.authTypes.push_back(UserIam::UserAuth::AuthType::PIN);
780 param.value.pinExpiredPeriod = policy.validityPeriod;
781 int32_t ret = UserIam::UserAuth::UserAuthClient::GetInstance().SetGlobalConfigParam(param);
782 if (ret != 0) {
783 EDMLOGW("SetGlobalConfigParam SetPasswordPolicy Error");
784 }
785 }
786
SetFingerprintPolicy()787 void EnterpriseDeviceMgrAbility::SetFingerprintPolicy()
788 {
789 std::string policyData;
790 policyMgr_->GetPolicy("", "fingerprint_auth", policyData, EdmConstants::DEFAULT_USER_ID);
791 auto serializer_ = FingerprintPolicySerializer::GetInstance();
792 FingerprintPolicy policy;
793 serializer_->Deserialize(policyData, policy);
794 std::vector<int32_t> userIds(policy.accountIds.size());
795 std::copy(policy.accountIds.begin(), policy.accountIds.end(), userIds.begin());
796 UserIam::UserAuth::GlobalConfigParam param;
797 param.userIds = userIds;
798 param.authTypes.push_back(UserIam::UserAuth::AuthType::FINGERPRINT);
799 param.type = UserIam::UserAuth::GlobalConfigType::ENABLE_STATUS;
800 param.value.enableStatus = !policy.globalDisallow && userIds.size() == 0;
801 int32_t ret = UserIam::UserAuth::UserAuthClient::GetInstance().SetGlobalConfigParam(param);
802 if (ret != ERR_OK) {
803 EDMLOGW("SetGlobalConfigParam SetFingerprintPolicy Error");
804 }
805 }
806 #endif
807
808 #ifdef USB_EDM_ENABLE
OnUsbServiceStart()809 void EnterpriseDeviceMgrAbility::OnUsbServiceStart()
810 {
811 EDMLOGI("OnUsbServiceStart");
812 std::string disableUsbPolicy;
813 policyMgr_->GetPolicy("", "disable_usb", disableUsbPolicy, EdmConstants::DEFAULT_USER_ID);
814 bool isUsbDisabled = false;
815 BoolSerializer::GetInstance()->Deserialize(policyData, isUsbDisabled);
816 if (isUsbDisabled) {
817 ErrCode disableUsbRet = UsbPolicyUtils::SetUsbDisabled(isUsbDisabled);
818 if (disableUsbRet != ERR_OK) {
819 EDMLOGW("SetUsbDisabled Error: %{public}d", disableUsbRet);
820 }
821 return;
822 }
823
824 std::string allowUsbDevicePolicy;
825 policyMgr_->GetPolicy("", "allowed_usb_devices", allowUsbDevicePolicy, EdmConstants::DEFAULT_USER_ID);
826 std::vector<UsbDeviceId> usbDeviceIds;
827 ArrayUsbDeviceIdSerializer::GetInstance()->Deserialize(policyData, usbDeviceIds);
828 if (!usbDeviceIds.empty()) {
829 ErrCode allowedUsbRet = UsbPolicyUtils::AddAllowedUsbDevices(usbDeviceIds);
830 if (allowedUsbRet != ERR_OK) {
831 EDMLOGW("AddAllowedUsbDevices Error: %{public}d", disableUsbRet);
832 }
833 return;
834 }
835
836 std::string usbStoragePolicy;
837 policyMgr_->GetPolicy("", "usb_read_only", usbStoragePolicy, EdmConstants::DEFAULT_USER_ID);
838
839 std::string disallowUsbDevicePolicy;
840 policyMgr_->GetPolicy("", "disallowed_usb_devices", disallowUsbDevicePolicy, EdmConstants::DEFAULT_USER_ID);
841 std::vector<USB::UsbDeviceType> disallowedDevices;
842 ArrayUsbDeviceTypeSerializer::GetInstance()->Deserialize(policyData, disallowedDevices);
843 if (usbStoragePolicy == std::to_string(EdmConstants::STORAGE_USB_POLICY_DISABLED)) {
844 USB::UsbDeviceType storageType;
845 storageType.baseClass = USB_DEVICE_TYPE_BASE_CLASS_STORAGE;
846 storageType.subClass = USB_DEVICE_TYPE_BASE_CLASS_STORAGE;
847 storageType.protocol = USB_DEVICE_TYPE_BASE_CLASS_STORAGE;
848 storageType.isDeviceType = false;
849 disallowedDevices.emplace_back(storageType);
850 }
851 if (!disallowedDevices.empty()) {
852 ErrCode disallowedUsbRet = UsbPolicyUtils::SetDisallowedUsbDevices(disallowedDevices);
853 if (disallowedUsbRet != ERR_OK) {
854 EDMLOGW("SetDisallowedUsbDevices Error: %{public}d", disableUsbRet);
855 }
856 }
857 }
858 #endif
859
OnRenderSystemStart()860 void EnterpriseDeviceMgrAbility::OnRenderSystemStart()
861 {
862 EDMLOGI("OnRenderSystemStart");
863 InitAllPlugins();
864 std::uint32_t funcCode =
865 POLICY_FUNC_CODE((std::uint32_t)FuncOperateType::SET, EdmInterfaceCode::WATERMARK_IMAGE);
866 auto plugin = pluginMgr_->GetPluginByFuncCode(funcCode);
867 if (plugin == nullptr) {
868 EDMLOGE("get watermarkPlugin fail");
869 return;
870 }
871 MessageParcel data;
872 data.WriteString(EdmConstants::SecurityManager::SET_ALL_WATERMARK_TYPE);
873 MessageParcel reply;
874 HandlePolicyData policyData;
875 plugin->OnHandlePolicy(funcCode, data, reply, policyData, EdmConstants::DEFAULT_USER_ID);
876 }
877
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)878 void EnterpriseDeviceMgrAbility::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string &deviceId) {}
879
OnWindowManagerServiceStart()880 void EnterpriseDeviceMgrAbility::OnWindowManagerServiceStart()
881 {
882 auto serializer = ArrayStringSerializer::GetInstance();
883 std::vector<int32_t> userIds = { EdmConstants::DEFAULT_USER_ID };
884 policyMgr_->GetPolicyUserIds(userIds);
885 EDMLOGD("OnWindowManagerServiceStart userIds size %{public}zu", userIds.size());
886 std::unordered_map<int32_t, std::vector<std::string>> policyMap;
887 for (int32_t userId : userIds) {
888 std::string policyData;
889 policyMgr_->GetPolicy("", "snapshot_skip", policyData, userId);
890 std::vector<std::string> vecData;
891 serializer->Deserialize(policyData, vecData);
892 if (vecData.empty()) {
893 continue;
894 }
895 policyMap.insert(make_pair(userId, vecData));
896 }
897 if (!policyMap.empty()) {
898 auto remoteObject = EdmSysManager::GetRemoteObjectOfSystemAbility(WINDOW_MANAGER_SERVICE_ID);
899 if (remoteObject == nullptr) {
900 EDMLOGE("OnWindowManagerServiceStart wms obj get fial");
901 return;
902 }
903 auto mockSessionManagerServiceProxy = iface_cast<OHOS::Rosen::IMockSessionManagerInterface>(remoteObject);
904 if (mockSessionManagerServiceProxy == nullptr) {
905 EDMLOGE("OnWindowManagerServiceStart wms obj cast fial");
906 return;
907 }
908 EDMLOGI("OnWindowManagerServiceStart init snap shot skip policy when wms restart");
909 mockSessionManagerServiceProxy->SetSnapshotSkipByIdNamesMap(policyMap);
910 } else {
911 EDMLOGI("OnWindowManagerServiceStart no policy to update");
912 }
913 }
914
OnStop()915 void EnterpriseDeviceMgrAbility::OnStop()
916 {
917 EDMLOGD("EnterpriseDeviceMgrAbility::OnStop()");
918 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
919 if (pluginHasInit_) {
920 pluginHasInit_ = false;
921 std::unique_lock<std::mutex> lock(waitMutex_);
922 notifySignal_ = true;
923 waitSignal_.notify_one();
924 }
925 }
926
GetBundleMgr()927 std::shared_ptr<IEdmBundleManager> EnterpriseDeviceMgrAbility::GetBundleMgr()
928 {
929 return GetExternalManagerFactory()->CreateBundleManager();
930 }
931
GetAppMgr()932 std::shared_ptr<IEdmAppManager> EnterpriseDeviceMgrAbility::GetAppMgr()
933 {
934 return GetExternalManagerFactory()->CreateAppManager();
935 }
936
GetOsAccountMgr()937 std::shared_ptr<IEdmOsAccountManager> EnterpriseDeviceMgrAbility::GetOsAccountMgr()
938 {
939 return GetExternalManagerFactory()->CreateOsAccountManager();
940 }
941
GetPermissionChecker()942 std::shared_ptr<PermissionChecker> EnterpriseDeviceMgrAbility::GetPermissionChecker()
943 {
944 return PermissionChecker::GetInstance();
945 }
946
SubscribeAppState()947 bool EnterpriseDeviceMgrAbility::SubscribeAppState()
948 {
949 if (appStateObserver_) {
950 EDMLOGD("appStateObserver has subscribed");
951 return true;
952 }
953 appStateObserver_ = new (std::nothrow) ApplicationStateObserver(*this);
954 if (!appStateObserver_) {
955 EDMLOGE("new ApplicationStateObserver failed");
956 return false;
957 }
958 if (GetAppMgr()->RegisterApplicationStateObserver(appStateObserver_)) {
959 EDMLOGE("RegisterApplicationStateObserver fail!");
960 appStateObserver_.clear();
961 appStateObserver_ = nullptr;
962 return false;
963 }
964 return true;
965 }
966
UnsubscribeAppState()967 bool EnterpriseDeviceMgrAbility::UnsubscribeAppState()
968 {
969 if (!appStateObserver_) {
970 EDMLOGD("appStateObserver has subscribed");
971 return true;
972 }
973 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
974 AdminManager::GetInstance()->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
975 AdminManager::GetInstance()->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
976 if (!subAdmins.empty()) {
977 return true;
978 }
979 if (GetAppMgr()->UnregisterApplicationStateObserver(appStateObserver_)) {
980 EDMLOGE("UnregisterApplicationStateObserver fail!");
981 return false;
982 }
983 appStateObserver_.clear();
984 appStateObserver_ = nullptr;
985 return true;
986 }
987
VerifyEnableAdminCondition(AppExecFwk::ElementName & admin,AdminType type,int32_t userId,bool isDebug)988 ErrCode EnterpriseDeviceMgrAbility::VerifyEnableAdminCondition(AppExecFwk::ElementName &admin, AdminType type,
989 int32_t userId, bool isDebug)
990 {
991 if ((type == AdminType::ENT || type == AdminType::BYOD) && userId != DEFAULT_USER_ID) {
992 EDMLOGW("EnableAdmin: Super or byod admin can only be enabled in default user.");
993 return ERR_EDM_ADD_ADMIN_FAILED;
994 }
995
996 if (type != AdminType::ENT && system::GetBoolParameter(PARAM_SECURITY_MODE, false)) {
997 EDMLOGW("EnableAdmin: The current mode is not supported.");
998 return ERR_EDM_ADD_ADMIN_FAILED;
999 }
1000
1001 if (isDebug && AdminManager::GetInstance()->IsSuperAdminExist()) {
1002 EDMLOGW("EnableAdmin: An official super admin exsit, cannot enable another debug admin");
1003 return ERR_EDM_ADD_ADMIN_FAILED;
1004 }
1005
1006 if (VerifyEnableAdminConditionCheckExistAdmin(admin, type, userId, isDebug) != ERR_OK) {
1007 return ERR_EDM_ADD_ADMIN_FAILED;
1008 }
1009 return ERR_OK;
1010 }
1011
VerifyEnableAdminConditionCheckExistAdmin(AppExecFwk::ElementName & admin,AdminType type,int32_t userId,bool isDebug)1012 ErrCode EnterpriseDeviceMgrAbility::VerifyEnableAdminConditionCheckExistAdmin(AppExecFwk::ElementName &admin,
1013 AdminType type, int32_t userId, bool isDebug)
1014 {
1015 std::shared_ptr<Admin> existAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
1016 if (existAdmin != nullptr) {
1017 if (type == AdminType::BYOD && existAdmin->GetAdminType() != AdminType::BYOD) {
1018 EDMLOGW("EnableAdmin: a byod admin can't be enabled when alreadly enabled other admin.");
1019 return ERR_EDM_ADD_ADMIN_FAILED;
1020 }
1021 if (type != AdminType::BYOD && existAdmin->GetAdminType() == AdminType::BYOD) {
1022 EDMLOGW("EnableAdmin: a admin can't be enabled when alreadly enabled byod admin.");
1023 return ERR_EDM_ADD_ADMIN_FAILED;
1024 }
1025 if (existAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN ||
1026 existAdmin->GetAdminType() == AdminType::VIRTUAL_ADMIN) {
1027 EDMLOGW("EnableAdmin: sub-super admin can not be enabled as a normal or super admin.");
1028 return ERR_EDM_ADD_ADMIN_FAILED;
1029 }
1030 if (existAdmin->GetAdminType() == AdminType::ENT && type != AdminType::ENT) {
1031 EDMLOGW("EnableAdmin: an exist super admin can't be enabled twice with different role or user id.");
1032 return ERR_EDM_ADD_ADMIN_FAILED;
1033 }
1034 if (isDebug != existAdmin->adminInfo_.isDebug_) {
1035 EDMLOGW("EnableAdmin: debug parameter can not be changed.");
1036 return ERR_EDM_ADD_ADMIN_FAILED;
1037 }
1038 /* An application can't be enabled twice with different ability name */
1039 if (existAdmin->adminInfo_.className_ != admin.GetAbilityName()) {
1040 EDMLOGW("EnableAdmin: There is another admin ability enabled with the same package name.");
1041 return ERR_EDM_ADD_ADMIN_FAILED;
1042 }
1043 return ERR_OK;
1044 }
1045 if (!isDebug && type == AdminType::BYOD && AdminManager::GetInstance()->IsAdminExist()) {
1046 EDMLOGW("EnableAdmin: byod admin not allowd enable when another admin enabled.");
1047 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
1048 }
1049 if (!isDebug && type != AdminType::BYOD && AdminManager::GetInstance()->IsByodAdminExist()) {
1050 EDMLOGW("EnableAdmin: other admin not allowd enable when byod admin enabled.");
1051 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
1052 }
1053 return ERR_OK;
1054 }
1055
CheckReplaceAdmins(AppExecFwk::ElementName & oldAdmin,AppExecFwk::ElementName & newAdmin,std::vector<AppExecFwk::ExtensionAbilityInfo> & abilityInfo,std::vector<std::string> & permissionList)1056 ErrCode EnterpriseDeviceMgrAbility::CheckReplaceAdmins(AppExecFwk::ElementName &oldAdmin,
1057 AppExecFwk::ElementName &newAdmin, std::vector<AppExecFwk::ExtensionAbilityInfo> &abilityInfo,
1058 std::vector<std::string> &permissionList)
1059 {
1060 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1061 if (!GetPermissionChecker()->VerifyCallingPermission(tokenId,
1062 EdmPermission::PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
1063 EDMLOGW("EnterpriseDeviceMgrAbility::ReplaceSuperAdmin check permission failed");
1064 return EdmReturnErrCode::PERMISSION_DENIED;
1065 }
1066
1067 auto edmAdmin = AdminManager::GetInstance()->GetSuperAdmin();
1068 if (edmAdmin == nullptr || edmAdmin->adminInfo_.packageName_ != oldAdmin.GetBundleName() ||
1069 edmAdmin->adminInfo_.className_ != oldAdmin.GetAbilityName()) {
1070 EDMLOGE("CheckReplaceAdmins param oldAdmin is not super admin");
1071 return EdmReturnErrCode::ADMIN_INACTIVE;
1072 }
1073
1074 AAFwk::Want want;
1075 want.SetElement(newAdmin);
1076 if (!GetBundleMgr()->QueryExtensionAbilityInfos(want, AppExecFwk::ExtensionAbilityType::ENTERPRISE_ADMIN,
1077 AppExecFwk::ExtensionAbilityInfoFlag::GET_EXTENSION_INFO_WITH_PERMISSION, DEFAULT_USER_ID, abilityInfo) ||
1078 abilityInfo.empty()) {
1079 EDMLOGW("ReplaceSuperAdmin: QueryExtensionAbilityInfos_newAdmin failed");
1080 return EdmReturnErrCode::COMPONENT_INVALID;
1081 }
1082
1083 if (FAILED(VerifyEnableAdminCondition(newAdmin, AdminType::ENT, DEFAULT_USER_ID, false))) {
1084 EDMLOGW("ReplaceSuperAdmin: VerifyEnableAdminCondition failed.");
1085 return EdmReturnErrCode::REPLACE_ADMIN_FAILED;
1086 }
1087 if (FAILED(GetPermissionChecker()->GetAllPermissionsByAdmin(newAdmin.GetBundleName(), AdminType::ENT,
1088 DEFAULT_USER_ID, permissionList))) {
1089 EDMLOGW("ReplaceSuperAdmin: GetAllPermissionsByAdmin failed");
1090 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1091 }
1092 return ERR_OK;
1093 }
1094
AddDisallowUninstallApp(const std::string & bundleName)1095 ErrCode EnterpriseDeviceMgrAbility::AddDisallowUninstallApp(const std::string &bundleName)
1096 {
1097 AppExecFwk::BundleInfo bundleInfo;
1098 GetBundleMgr()->GetBundleInfo(bundleName, AppExecFwk::BundleFlag::GET_BUNDLE_WITH_ABILITIES,
1099 bundleInfo, DEFAULT_USER_ID);
1100 std::vector<std::string> data = {bundleInfo.appId};
1101 if (FAILED(GetBundleMgr()->AddAppInstallControlRule(data,
1102 AppExecFwk::AppInstallControlRuleType::DISALLOWED_UNINSTALL, DEFAULT_USER_ID))) {
1103 EDMLOGE("EnterpriseDeviceMgrAbility::AddDisallowUninstallApp failed");
1104 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1105 }
1106 return ERR_OK;
1107 }
1108
DelDisallowUninstallApp(const std::string & bundleName)1109 ErrCode EnterpriseDeviceMgrAbility::DelDisallowUninstallApp(const std::string &bundleName)
1110 {
1111 AppExecFwk::BundleInfo bundleInfo;
1112 GetBundleMgr()->GetBundleInfo(bundleName, AppExecFwk::BundleFlag::GET_BUNDLE_WITH_ABILITIES,
1113 bundleInfo, DEFAULT_USER_ID);
1114 std::vector<std::string> data = {bundleInfo.appId};
1115 if (FAILED(GetBundleMgr()->DeleteAppInstallControlRule(
1116 AppExecFwk::AppInstallControlRuleType::DISALLOWED_UNINSTALL, data, DEFAULT_USER_ID))) {
1117 EDMLOGE("EnterpriseDeviceMgrAbility::DelDisallowUninstallApp failed");
1118 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1119 }
1120 return ERR_OK;
1121 }
1122
HandleKeepPolicy(std::string & adminName,std::string & newAdminName,const Admin & edmAdmin,std::shared_ptr<Admin> adminPtr)1123 ErrCode EnterpriseDeviceMgrAbility::HandleKeepPolicy(std::string &adminName, std::string &newAdminName,
1124 const Admin &edmAdmin, std::shared_ptr<Admin> adminPtr)
1125 {
1126 if (FAILED(AdminManager::GetInstance()->ReplaceSuperAdminByPackageName(adminName, edmAdmin))) {
1127 EDMLOGE("ReplaceSuperAdmin update Admin Policies Failed");
1128 return EdmReturnErrCode::REPLACE_ADMIN_FAILED;
1129 }
1130 std::string adminPolicyValue;
1131 policyMgr_->GetPolicy(adminName, DISALLOWED_UNINSTALL_POLICY, adminPolicyValue);
1132 std::string combinedPolicyValue;
1133 policyMgr_->GetPolicy("", DISALLOWED_UNINSTALL_POLICY, combinedPolicyValue);
1134
1135 if (FAILED(policyMgr_->ReplaceAllPolicy(DEFAULT_USER_ID, adminName, newAdminName))) {
1136 EDMLOGE("ReplaceSuperAdmin update device Policies Failed");
1137 AdminManager::GetInstance()->ReplaceSuperAdminByPackageName(newAdminName, *adminPtr);
1138 return EdmReturnErrCode::REPLACE_ADMIN_FAILED;
1139 }
1140 if (!adminPolicyValue.empty() && adminPolicyValue.find(adminName) != std::string::npos) {
1141 if (FAILED(DelDisallowUninstallApp(adminName))) {
1142 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1143 }
1144 if (FAILED(AddDisallowUninstallApp(newAdminName))) {
1145 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1146 }
1147 adminPolicyValue.replace(adminPolicyValue.find(adminName), adminName.length(), newAdminName);
1148 combinedPolicyValue.replace(combinedPolicyValue.find(adminName), adminName.length(), newAdminName);
1149 EDMLOGD("ReplaceSuperAdmin uninstall new admin policy value: %{public}s", adminPolicyValue.c_str());
1150 EDMLOGD("ReplaceSuperAdmin uninstall new combined policy value: %{public}s", combinedPolicyValue.c_str());
1151 if (FAILED(policyMgr_->SetPolicy(newAdminName, DISALLOWED_UNINSTALL_POLICY, adminPolicyValue,
1152 combinedPolicyValue))) {
1153 EDMLOGE("ReplaceSuperAdmin update uninstall policy failed");
1154 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1155 }
1156 }
1157 return ERR_OK;
1158 }
1159
ReplaceSuperAdmin(AppExecFwk::ElementName & oldAdmin,AppExecFwk::ElementName & newAdmin,bool keepPolicy)1160 ErrCode EnterpriseDeviceMgrAbility::ReplaceSuperAdmin(AppExecFwk::ElementName &oldAdmin,
1161 AppExecFwk::ElementName &newAdmin, bool keepPolicy)
1162 {
1163 std::vector<AppExecFwk::ExtensionAbilityInfo> abilityInfo;
1164 std::vector<std::string> permissionList;
1165 ErrCode ret = CheckReplaceAdmins(oldAdmin, newAdmin, abilityInfo, permissionList);
1166 if (FAILED(ret)) {
1167 EDMLOGE("ReplaceSuperAdmin: CheckReplaceAdmins failed");
1168 return ret;
1169 }
1170 std::string adminName = oldAdmin.GetBundleName();
1171 std::shared_ptr<Admin> adminPtr = AdminManager::GetInstance()->GetAdminByPkgName(adminName, DEFAULT_USER_ID);
1172 if (adminPtr == nullptr) {
1173 EDMLOGE("ReplaceSuperAdmin adminName is not admin");
1174 return EdmReturnErrCode::ADMIN_INACTIVE;
1175 }
1176 EntInfo entInfo = adminPtr->adminInfo_.entInfo_;
1177 Admin edmAdmin(abilityInfo.at(0), AdminType::ENT, entInfo, permissionList, false);
1178 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1179 if (keepPolicy) {
1180 std::string newAdminName = newAdmin.GetBundleName();
1181 return HandleKeepPolicy(adminName, newAdminName, edmAdmin, adminPtr);
1182 } else {
1183 ErrCode res = DoDisableAdmin(adminName, DEFAULT_USER_ID, AdminType::ENT);
1184 if (res != ERR_OK) {
1185 EDMLOGE("ReplaceSuperAdmin: delete admin failed");
1186 return EdmReturnErrCode::REPLACE_ADMIN_FAILED;
1187 }
1188 }
1189 if (FAILED(AdminManager::GetInstance()->SetAdminValue(DEFAULT_USER_ID, edmAdmin))) {
1190 EDMLOGE("EnableAdmin: SetAdminValue failed.");
1191 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
1192 }
1193 system::SetParameter(PARAM_EDM_ENABLE, "true");
1194 NotifyAdminEnabled(true);
1195 OnAdminEnabled(newAdmin.GetBundleName(), newAdmin.GetAbilityName(), IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED,
1196 DEFAULT_USER_ID, true);
1197
1198 EDMLOGI("EnableAdmin: SetAdminEnabled success %{public}s", newAdmin.GetBundleName().c_str());
1199 return ERR_OK;
1200 }
1201
EnableAdmin(AppExecFwk::ElementName & admin,EntInfo & entInfo,AdminType type,int32_t userId)1202 ErrCode EnterpriseDeviceMgrAbility::EnableAdmin(AppExecFwk::ElementName &admin, EntInfo &entInfo, AdminType type,
1203 int32_t userId)
1204 {
1205 EDMLOGD("EnterpriseDeviceMgrAbility::EnableAdmin user id = %{public}d", userId);
1206 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1207 bool isDebug = GetPermissionChecker()->CheckIsDebug();
1208 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1209 if (!isDebug && !GetPermissionChecker()->VerifyCallingPermission(tokenId,
1210 EdmPermission::PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
1211 EDMLOGW("EnterpriseDeviceMgrAbility::EnableAdmin check permission failed");
1212 return EdmReturnErrCode::PERMISSION_DENIED;
1213 }
1214 std::vector<AppExecFwk::ExtensionAbilityInfo> abilityInfo;
1215 AAFwk::Want want;
1216 want.SetElement(admin);
1217 if (!GetBundleMgr()->QueryExtensionAbilityInfos(want, AppExecFwk::ExtensionAbilityType::ENTERPRISE_ADMIN,
1218 AppExecFwk::ExtensionAbilityInfoFlag::GET_EXTENSION_INFO_WITH_PERMISSION, userId, abilityInfo) ||
1219 abilityInfo.empty()) {
1220 EDMLOGW("EnableAdmin: QueryExtensionAbilityInfos failed");
1221 return EdmReturnErrCode::COMPONENT_INVALID;
1222 }
1223 if (FAILED(VerifyEnableAdminCondition(admin, type, userId, isDebug))) {
1224 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
1225 }
1226 std::shared_ptr<Admin> existAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
1227 if (!isDebug && type == AdminType::ENT && AdminManager::GetInstance()->IsSuperAdminExist()) {
1228 if ((existAdmin == nullptr) || existAdmin->adminInfo_.adminType_ != AdminType::ENT) {
1229 EDMLOGW("EnableAdmin: There is another super admin enabled.");
1230 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
1231 }
1232 }
1233 /* Get all request and registered permissions */
1234 std::vector<std::string> permissionList;
1235 if (FAILED(GetPermissionChecker()->GetAllPermissionsByAdmin(admin.GetBundleName(), type, userId,
1236 permissionList))) {
1237 EDMLOGW("EnableAdmin: GetAllPermissionsByAdmin failed");
1238 return EdmReturnErrCode::COMPONENT_INVALID;
1239 }
1240 Admin edmAdmin(abilityInfo.at(0), type, entInfo, permissionList, isDebug);
1241 if (FAILED(AdminManager::GetInstance()->SetAdminValue(userId, edmAdmin))) {
1242 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
1243 }
1244 AfterEnableAdmin(admin, type, userId);
1245 return ERR_OK;
1246 }
1247
AfterEnableAdmin(AppExecFwk::ElementName & admin,AdminType type,int32_t userId)1248 void EnterpriseDeviceMgrAbility::AfterEnableAdmin(AppExecFwk::ElementName &admin, AdminType type, int32_t userId)
1249 {
1250 system::SetParameter(PARAM_EDM_ENABLE, "true");
1251 NotifyAdminEnabled(true);
1252 EDMLOGI("EnableAdmin suc.:%{public}s type:%{public}d", admin.GetBundleName().c_str(), static_cast<uint32_t>(type));
1253 OnAdminEnabled(admin.GetBundleName(), admin.GetAbilityName(), IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, userId,
1254 true);
1255 if (type == AdminType::BYOD) {
1256 AddDisallowUninstallApp(admin.GetBundleName());
1257 EdmDataAbilityUtils::UpdateSettingsData(KEY_EDM_DISPLAY, "true");
1258 }
1259 }
1260
RemoveAdminItem(const std::string & adminName,const std::string & policyName,const std::string & policyValue,int32_t userId)1261 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminItem(const std::string &adminName, const std::string &policyName,
1262 const std::string &policyValue, int32_t userId)
1263 {
1264 InitAllPlugins();
1265 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByPolicyName(policyName);
1266 if (plugin == nullptr) {
1267 EDMLOGW("RemoveAdminItem: Get plugin by policy failed: %{public}s\n", policyName.c_str());
1268 return ERR_EDM_GET_PLUGIN_MGR_FAILED;
1269 }
1270 std::string mergedPolicyData;
1271 plugin->GetOthersMergePolicyData(adminName, mergedPolicyData);
1272 ErrCode ret = plugin->OnAdminRemove(adminName, policyValue, mergedPolicyData, userId);
1273 if (ret != ERR_OK) {
1274 EDMLOGW("RemoveAdminItem: OnAdminRemove failed, admin:%{public}s, value:%{public}s, res:%{public}d\n",
1275 adminName.c_str(), policyValue.c_str(), ret);
1276 }
1277 if (plugin->NeedSavePolicy()) {
1278 ErrCode setRet = ERR_OK;
1279 std::unordered_map<std::string, std::string> adminListMap;
1280 ret = policyMgr_->GetAdminByPolicyName(policyName, adminListMap, userId);
1281 if ((ret == ERR_EDM_POLICY_NOT_FOUND) || adminListMap.empty()) {
1282 setRet = policyMgr_->SetPolicy("", policyName, "", "", userId);
1283 } else {
1284 setRet = policyMgr_->SetPolicy(adminName, policyName, "", mergedPolicyData, userId);
1285 }
1286
1287 if (FAILED(setRet)) {
1288 EDMLOGW("RemoveAdminItem: DeleteAdminPolicy failed, admin:%{public}s, policy:%{public}s, res:%{public}d\n",
1289 adminName.c_str(), policyName.c_str(), ret);
1290 return ERR_EDM_DEL_ADMIN_FAILED;
1291 }
1292 }
1293 plugin->OnAdminRemoveDone(adminName, policyValue, userId);
1294 return ERR_OK;
1295 }
1296
RemoveAdminAndAdminPolicy(const std::string & adminName,int32_t userId)1297 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminAndAdminPolicy(const std::string &adminName, int32_t userId)
1298 {
1299 EDMLOGD("RemoveAdminAndAdminPolicy:admin: %{public}s, user id:%{public}d.", adminName.c_str(), userId);
1300 ErrCode removeAdminPolicyRet = RemoveAdminPolicy(adminName, userId);
1301 if (FAILED(removeAdminPolicyRet)) {
1302 EDMLOGE("Remove admin %{public}s policy with user id = %{public}d fail.", adminName.c_str(), userId);
1303 return removeAdminPolicyRet;
1304 }
1305
1306 ErrCode removeAdminRet = RemoveAdmin(adminName, userId);
1307 if (FAILED(removeAdminRet)) {
1308 EDMLOGE("Remove admin %{public}s with user id = %{public}d fail.", adminName.c_str(), userId);
1309 return removeAdminRet;
1310 }
1311 return ERR_OK;
1312 }
1313
RemoveAdmin(const std::string & adminName,int32_t userId)1314 ErrCode EnterpriseDeviceMgrAbility::RemoveAdmin(const std::string &adminName, int32_t userId)
1315 {
1316 bool shouldUnsubscribeAppState = ShouldUnsubscribeAppState(adminName, userId);
1317 auto ret = AdminManager::GetInstance()->DeleteAdmin(adminName, userId);
1318 if (ret != ERR_OK && ret != ERR_EDM_UNKNOWN_ADMIN) {
1319 return ERR_EDM_DEL_ADMIN_FAILED;
1320 }
1321 if (shouldUnsubscribeAppState) {
1322 UnsubscribeAppState();
1323 }
1324 return ERR_OK;
1325 }
1326
RemoveAdminPolicy(const std::string & adminName,int32_t userId)1327 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminPolicy(const std::string &adminName, int32_t userId)
1328 {
1329 std::unordered_map<std::string, std::string> policyItems;
1330 policyMgr_->GetAllPolicyByAdmin(adminName, policyItems, userId);
1331 for (const auto &policyItem : policyItems) {
1332 std::string policyItemName = policyItem.first;
1333 std::string policyItemValue = policyItem.second;
1334 EDMLOGD("RemoveAdminPolicy:policyName:%{public}s", policyItemName.c_str());
1335 if (RemoveAdminItem(adminName, policyItemName, policyItemValue, userId) != ERR_OK) {
1336 return ERR_EDM_DEL_ADMIN_FAILED;
1337 }
1338 }
1339 return ERR_OK;
1340 }
1341
RemoveSubSuperAdminAndAdminPolicy(const std::string & bundleName)1342 ErrCode EnterpriseDeviceMgrAbility::RemoveSubSuperAdminAndAdminPolicy(const std::string &bundleName)
1343 {
1344 std::vector<int32_t> userIds;
1345 policyMgr_->GetPolicyUserIds(userIds);
1346 return RemoveSubOrSuperAdminAndAdminPolicy(bundleName, userIds);
1347 }
1348
RemoveSuperAdminAndAdminPolicy(const std::string & bundleName)1349 ErrCode EnterpriseDeviceMgrAbility::RemoveSuperAdminAndAdminPolicy(const std::string &bundleName)
1350 {
1351 std::vector<int32_t> userIds;
1352 policyMgr_->GetPolicyUserIds(userIds);
1353 // remove sub-super admin
1354 std::vector<std::string> subAdmins;
1355 AdminManager::GetInstance()->GetSubSuperAdminsByParentName(bundleName, subAdmins);
1356 for (auto const &subAdminName : subAdmins) {
1357 if (RemoveSubOrSuperAdminAndAdminPolicy(subAdminName, userIds) != ERR_OK) {
1358 return ERR_EDM_DEL_ADMIN_FAILED;
1359 }
1360 }
1361 // remove super admin on other userid
1362 return RemoveSubOrSuperAdminAndAdminPolicy(bundleName, userIds);
1363 }
1364
RemoveSubOrSuperAdminAndAdminPolicy(const std::string & bundleName,const std::vector<int32_t> & nonDefaultUserIds)1365 ErrCode EnterpriseDeviceMgrAbility::RemoveSubOrSuperAdminAndAdminPolicy(const std::string &bundleName,
1366 const std::vector<int32_t> &nonDefaultUserIds)
1367 {
1368 // remove super admin on other userid
1369 for (auto const &userId : nonDefaultUserIds) {
1370 if (RemoveAdminAndAdminPolicy(bundleName, userId) != ERR_OK) {
1371 return ERR_EDM_DEL_ADMIN_FAILED;
1372 }
1373 }
1374 // remove super admin default userid
1375 return RemoveAdminAndAdminPolicy(bundleName, EdmConstants::DEFAULT_USER_ID);
1376 }
1377
ShouldUnsubscribeAppState(const std::string & adminName,int32_t userId)1378 bool EnterpriseDeviceMgrAbility::ShouldUnsubscribeAppState(const std::string &adminName, int32_t userId)
1379 {
1380 std::shared_ptr<Admin> adminPtr = AdminManager::GetInstance()->GetAdminByPkgName(adminName, userId);
1381 if (adminPtr == nullptr) {
1382 EDMLOGE("ShouldUnsubscribeAppState adminPtr null");
1383 return false;
1384 }
1385 return std::any_of(adminPtr->adminInfo_.managedEvents_.begin(), adminPtr->adminInfo_.managedEvents_.end(),
1386 [](ManagedEvent event) { return event == ManagedEvent::APP_START || event == ManagedEvent::APP_STOP; });
1387 }
1388
DisableAdmin(AppExecFwk::ElementName & admin,int32_t userId)1389 ErrCode EnterpriseDeviceMgrAbility::DisableAdmin(AppExecFwk::ElementName &admin, int32_t userId)
1390 {
1391 EDMLOGI("EnterpriseDeviceMgrAbility::DisableAdmin user id = %{public}d", userId);
1392 std::shared_ptr<Admin> deviceAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
1393 if (deviceAdmin == nullptr) {
1394 EDMLOGE("DisableAdmin: %{public}s is not activated", admin.GetBundleName().c_str());
1395 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1396 }
1397 AdminType adminType = deviceAdmin->GetAdminType();
1398 if (adminType == AdminType::ENT || adminType == AdminType::BYOD) {
1399 userId = DEFAULT_USER_ID;
1400 }
1401 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1402 return DoDisableAdmin(admin.GetBundleName(), userId, adminType);
1403 }
1404
DisableSuperAdmin(const std::string & bundleName)1405 ErrCode EnterpriseDeviceMgrAbility::DisableSuperAdmin(const std::string &bundleName)
1406 {
1407 EDMLOGI("EnterpriseDeviceMgrAbility::DisableSuperAdmin bundle name = %{public}s", bundleName.c_str());
1408 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1409 return DoDisableAdmin(bundleName, DEFAULT_USER_ID, AdminType::ENT);
1410 }
1411
1412 // non-thread-safe function
DoDisableAdmin(const std::string & bundleName,int32_t userId,AdminType adminType)1413 ErrCode EnterpriseDeviceMgrAbility::DoDisableAdmin(const std::string &bundleName, int32_t userId, AdminType adminType)
1414 {
1415 bool isDebug = GetPermissionChecker()->CheckIsDebug();
1416 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1417 if (!isDebug && !GetPermissionChecker()->VerifyCallingPermission(tokenId,
1418 EdmPermission::PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
1419 EDMLOGW("DoDisableAdmin::DisableSuperAdmin check permission failed.");
1420 return EdmReturnErrCode::PERMISSION_DENIED;
1421 }
1422 std::shared_ptr<Admin> admin = AdminManager::GetInstance()->GetAdminByPkgName(bundleName, userId);
1423 if (admin == nullptr) {
1424 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1425 }
1426 if (isDebug && !admin->adminInfo_.isDebug_) {
1427 EDMLOGW("DoDisableAdmin: shell command can only remove debug super admin.");
1428 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1429 }
1430 if (admin->adminInfo_.adminType_ != adminType) {
1431 EDMLOGW("DoDisableAdmin: only remove the certain admin.");
1432 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1433 }
1434 if (adminType == AdminType::ENT && FAILED(RemoveSuperAdminAndAdminPolicy(bundleName))) {
1435 EDMLOGW("DoDisableAdmin: remove admin failed.");
1436 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1437 } else if ((adminType == AdminType::NORMAL || adminType == AdminType::BYOD) &&
1438 FAILED(RemoveAdminAndAdminPolicy(bundleName, userId))) {
1439 EDMLOGW("DoDisableAdmin: disable normal or byod admin failed.");
1440 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1441 }
1442 if (!AdminManager::GetInstance()->IsAdminExist()) {
1443 system::SetParameter(PARAM_EDM_ENABLE, "false");
1444 NotifyAdminEnabled(false);
1445 }
1446 OnAdminEnabled(admin->adminInfo_.packageName_, admin->adminInfo_.className_,
1447 IEnterpriseAdmin::COMMAND_ON_ADMIN_DISABLED, userId, true);
1448 if (adminType == AdminType::BYOD) {
1449 DelDisallowUninstallApp(bundleName);
1450 EdmDataAbilityUtils::UpdateSettingsData(KEY_EDM_DISPLAY, "false");
1451 }
1452 return ERR_OK;
1453 }
1454
IsSuperAdmin(const std::string & bundleName)1455 bool EnterpriseDeviceMgrAbility::IsSuperAdmin(const std::string &bundleName)
1456 {
1457 return AdminManager::GetInstance()->IsSuperAdmin(bundleName);
1458 }
1459
IsAdminEnabled(AppExecFwk::ElementName & admin,int32_t userId)1460 bool EnterpriseDeviceMgrAbility::IsAdminEnabled(AppExecFwk::ElementName &admin, int32_t userId)
1461 {
1462 std::shared_ptr<Admin> existAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
1463 if (existAdmin != nullptr) {
1464 EDMLOGD("IsAdminEnabled: get admin successed");
1465 return true;
1466 }
1467 return false;
1468 }
1469
GetCurrentUserId()1470 int32_t EnterpriseDeviceMgrAbility::GetCurrentUserId()
1471 {
1472 std::vector<int32_t> ids;
1473 ErrCode ret = GetOsAccountMgr()->QueryActiveOsAccountIds(ids);
1474 if (FAILED(ret) || ids.empty()) {
1475 EDMLOGE("EnterpriseDeviceMgrAbility GetCurrentUserId failed");
1476 return -1;
1477 }
1478 EDMLOGD("EnterpriseDeviceMgrAbility GetCurrentUserId user id = %{public}d", ids.at(0));
1479 return (ids.at(0));
1480 }
1481
UpdateDevicePolicy(uint32_t code,const std::string & bundleName,MessageParcel & data,MessageParcel & reply,int32_t userId)1482 ErrCode EnterpriseDeviceMgrAbility::UpdateDevicePolicy(uint32_t code, const std::string &bundleName,
1483 MessageParcel &data, MessageParcel &reply, int32_t userId)
1484 {
1485 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1486 if (plugin == nullptr) {
1487 EDMLOGW("UpdateDevicePolicy: get plugin failed, code:%{public}d", code);
1488 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1489 }
1490
1491 std::string policyName = plugin->GetPolicyName();
1492 std::string oldCombinePolicy;
1493 policyMgr_->GetPolicy("", policyName, oldCombinePolicy, userId);
1494 HandlePolicyData handlePolicyData{"", "", false};
1495 policyMgr_->GetPolicy(bundleName, policyName, handlePolicyData.policyData, userId);
1496 plugin->GetOthersMergePolicyData(bundleName, handlePolicyData.mergePolicyData);
1497 ErrCode ret = plugin->GetExecuteStrategy()->OnSetExecute(code, data, reply, handlePolicyData, userId);
1498 if (FAILED(ret)) {
1499 EDMLOGW("UpdateDevicePolicy: OnHandlePolicy failed");
1500 return ret;
1501 }
1502 EDMLOGD("UpdateDevicePolicy: isChanged:%{public}d, needSave:%{public}d", handlePolicyData.isChanged,
1503 plugin->NeedSavePolicy());
1504 bool isGlobalChanged = false;
1505 if (plugin->NeedSavePolicy() && handlePolicyData.isChanged) {
1506 policyMgr_->SetPolicy(bundleName, policyName, handlePolicyData.policyData, handlePolicyData.mergePolicyData,
1507 userId);
1508 isGlobalChanged = (oldCombinePolicy != handlePolicyData.mergePolicyData);
1509 }
1510 plugin->OnHandlePolicyDone(code, bundleName, isGlobalChanged, userId);
1511 EDMLOGI("UpdateDevicePolicy: handle policy success.");
1512 return ERR_OK;
1513 }
1514
HandleDevicePolicy(uint32_t code,AppExecFwk::ElementName & admin,MessageParcel & data,MessageParcel & reply,int32_t userId)1515 ErrCode EnterpriseDeviceMgrAbility::HandleDevicePolicy(uint32_t code, AppExecFwk::ElementName &admin,
1516 MessageParcel &data, MessageParcel &reply, int32_t userId)
1517 {
1518 InitAllPlugins();
1519 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1520 if (plugin == nullptr) {
1521 EDMLOGW("HandleDevicePolicy: get plugin failed, code:%{public}d", code);
1522 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1523 }
1524 #ifndef EDM_FUZZ_TEST
1525 bool isUserExist = false;
1526 GetOsAccountMgr()->IsOsAccountExists(userId, isUserExist);
1527 if (!isUserExist) {
1528 return EdmReturnErrCode::PARAM_ERROR;
1529 }
1530 ErrCode systemCalling = GetPermissionChecker()->CheckSystemCalling(plugin->GetApiType(FuncOperateType::SET), "");
1531 if (FAILED(systemCalling)) {
1532 return systemCalling;
1533 }
1534 EDMLOGI("HandleDevicePolicy: HandleDevicePolicy userId = %{public}d", userId);
1535 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1536 std::shared_ptr<Admin> deviceAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(),
1537 GetCurrentUserId());
1538 if (deviceAdmin == nullptr) {
1539 EDMLOGE("HandleDevicePolicy: %{public}s is not activated", admin.GetBundleName().c_str());
1540 return EdmReturnErrCode::ADMIN_INACTIVE;
1541 }
1542 int uid = IPCSkeleton::GetCallingUid();
1543 std::string permissionTag = data.ReadString();
1544 if (uid != EDM_UID) {
1545 std::string setPermission = plugin->GetPermission(FuncOperateType::SET,
1546 GetPermissionChecker()->AdminTypeToPermissionType(deviceAdmin->GetAdminType()), permissionTag);
1547 EDMLOGD("HandleDevicePolicy: HandleDevicePolicy GetPermission = %{public}s", setPermission.c_str());
1548 ErrCode checkAdminPermission = GetPermissionChecker()->CheckHandlePolicyPermission(FuncOperateType::SET,
1549 admin.GetBundleName(), plugin->GetPolicyName(), setPermission, userId);
1550 if (FAILED(checkAdminPermission)) {
1551 return checkAdminPermission;
1552 }
1553 }
1554 #endif
1555 ErrCode ret = UpdateDevicePolicy(code, admin.GetBundleName(), data, reply, userId);
1556 ReportInfo info = ReportInfo(FuncCodeUtils::GetOperateType(code), plugin->GetPolicyName(), std::to_string(ret));
1557 SecurityReport::ReportSecurityInfo(admin.GetBundleName(), admin.GetAbilityName(), info, false);
1558 return ret;
1559 }
1560
GetDevicePolicy(uint32_t code,MessageParcel & data,MessageParcel & reply,int32_t userId)1561 ErrCode EnterpriseDeviceMgrAbility::GetDevicePolicy(uint32_t code, MessageParcel &data, MessageParcel &reply,
1562 int32_t userId)
1563 {
1564 bool isUserExist = false;
1565 GetOsAccountMgr()->IsOsAccountExists(userId, isUserExist);
1566 if (!isUserExist) {
1567 EDMLOGW("GetDevicePolicy: IsOsAccountExists failed");
1568 return EdmReturnErrCode::PARAM_ERROR;
1569 }
1570 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
1571 ErrCode errCode = PluginPolicyReader::GetInstance()->GetPolicyByCode(policyMgr_, code, data, reply, userId);
1572 if (errCode == EdmReturnErrCode::INTERFACE_UNSUPPORTED) {
1573 EDMLOGW("GetDevicePolicy: GetPolicyByCode INTERFACE_UNSUPPORTED");
1574 return errCode;
1575 }
1576 if (errCode == ERR_CANNOT_FIND_QUERY_FAILED) {
1577 return GetDevicePolicyFromPlugin(code, data, reply, userId);
1578 }
1579 EDMLOGI("policy query get finished");
1580 return errCode;
1581 }
1582
GetDevicePolicyFromPlugin(uint32_t code,MessageParcel & data,MessageParcel & reply,int32_t userId)1583 ErrCode EnterpriseDeviceMgrAbility::GetDevicePolicyFromPlugin(uint32_t code, MessageParcel &data, MessageParcel &reply,
1584 int32_t userId)
1585 {
1586 InitAllPlugins();
1587 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1588 if (plugin == nullptr) {
1589 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1590 }
1591 std::string permissionTag = data.ReadString();
1592 ErrCode systemCallingCheck = GetPermissionChecker()->CheckSystemCalling(
1593 plugin->GetApiType(FuncOperateType::GET), permissionTag);
1594 if (FAILED(systemCallingCheck)) {
1595 return systemCallingCheck;
1596 }
1597 AppExecFwk::ElementName elementName;
1598 // has admin
1599 if (data.ReadInt32() == 0) {
1600 ErrCode errCode = CheckGetPolicyParam(data, plugin, elementName, permissionTag, userId);
1601 if (errCode != ERR_OK) {
1602 return errCode;
1603 }
1604 } else {
1605 std::string getPermission = plugin->GetPermission(FuncOperateType::GET,
1606 IPlugin::PermissionType::SUPER_DEVICE_ADMIN, permissionTag);
1607 if (!PermissionChecker::GetInstance()->CheckElementNullPermission(code, getPermission)) {
1608 EDMLOGE("GetDevicePolicy: permission check failed");
1609 return EdmReturnErrCode::PERMISSION_DENIED;
1610 }
1611 }
1612 std::string policyName = plugin->GetPolicyName();
1613 std::string policyValue;
1614
1615 if (plugin->NeedSavePolicy()) {
1616 policyMgr_->GetPolicy(elementName.GetBundleName(), policyName, policyValue, userId);
1617 }
1618 ErrCode getRet = plugin->GetExecuteStrategy()->OnGetExecute(code, policyValue, data, reply, userId);
1619 ReportInfo info = ReportInfo(FuncCodeUtils::GetOperateType(code), plugin->GetPolicyName(), std::to_string(getRet));
1620 SecurityReport::ReportSecurityInfo(elementName.GetBundleName(), elementName.GetAbilityName(), info, true);
1621 return getRet;
1622 }
1623
CheckGetPolicyParam(MessageParcel & data,std::shared_ptr<IPlugin> & plugin,AppExecFwk::ElementName & elementName,const std::string & permissionTag,int32_t userId)1624 ErrCode EnterpriseDeviceMgrAbility::CheckGetPolicyParam(MessageParcel &data, std::shared_ptr<IPlugin> &plugin,
1625 AppExecFwk::ElementName &elementName, const std::string &permissionTag, int32_t userId)
1626 {
1627 std::unique_ptr<AppExecFwk::ElementName> admin(data.ReadParcelable<AppExecFwk::ElementName>());
1628 if (!admin) {
1629 EDMLOGW("GetDevicePolicy: ReadParcelable failed");
1630 return EdmReturnErrCode::PARAM_ERROR;
1631 }
1632 #ifndef EDM_FUZZ_TEST
1633 std::shared_ptr<Admin> deviceAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin->GetBundleName(),
1634 GetCurrentUserId());
1635 if (deviceAdmin == nullptr) {
1636 return EdmReturnErrCode::ADMIN_INACTIVE;
1637 }
1638 std::string getPermission = plugin->GetPermission(FuncOperateType::GET,
1639 GetPermissionChecker()->AdminTypeToPermissionType(deviceAdmin->GetAdminType()), permissionTag);
1640 ErrCode ret = GetPermissionChecker()->CheckHandlePolicyPermission(FuncOperateType::GET,
1641 admin->GetBundleName(), plugin->GetPolicyName(), getPermission, userId);
1642 if (FAILED(ret)) {
1643 return ret;
1644 }
1645 #endif
1646 elementName.SetBundleName(admin->GetBundleName());
1647 elementName.SetAbilityName(admin->GetAbilityName());
1648 return ERR_OK;
1649 }
1650
CheckAndGetAdminProvisionInfo(uint32_t code,MessageParcel & data,MessageParcel & reply,int32_t userId)1651 ErrCode EnterpriseDeviceMgrAbility::CheckAndGetAdminProvisionInfo(uint32_t code, MessageParcel &data,
1652 MessageParcel &reply, int32_t userId)
1653 {
1654 std::unique_ptr<AppExecFwk::ElementName> admin(data.ReadParcelable<AppExecFwk::ElementName>());
1655 if (!admin) {
1656 EDMLOGW("CheckAndGetAdminProvisionInfo: ReadParcelable failed");
1657 return EdmReturnErrCode::PARAM_ERROR;
1658 }
1659 EDMLOGD("CheckAndGetAdminProvisionInfo bundleName: %{public}s, abilityName : %{public}s ",
1660 admin->GetBundleName().c_str(), admin->GetAbilityName().c_str());
1661
1662 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1663 if (!GetPermissionChecker()->VerifyCallingPermission(tokenId, PERMISSION_GET_ADMINPROVISION_INFO)) {
1664 EDMLOGE("CheckAndGetAdminProvisionInfo::VerifyCallingPermission check permission failed.");
1665 return EdmReturnErrCode::PERMISSION_DENIED;
1666 }
1667 Security::AccessToken::HapTokenInfo hapTokenInfo;
1668 if (FAILED(Security::AccessToken::AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfo)) ||
1669 hapTokenInfo.bundleName != admin->GetBundleName()) {
1670 EDMLOGE("CheckAndGetAdminProvisionInfo::calling bundleName is not input bundleName.");
1671 return EdmReturnErrCode::PARAM_ERROR;
1672 }
1673 std::vector<AppExecFwk::ExtensionAbilityInfo> abilityInfo;
1674 AAFwk::Want want;
1675 want.SetElement(*admin);
1676 if (!GetBundleMgr()->QueryExtensionAbilityInfos(want, AppExecFwk::ExtensionAbilityType::ENTERPRISE_ADMIN,
1677 AppExecFwk::ExtensionAbilityInfoFlag::GET_EXTENSION_INFO_WITH_PERMISSION, userId, abilityInfo) ||
1678 abilityInfo.empty()) {
1679 EDMLOGW("CheckAndGetAdminProvisionInfo: QueryExtensionAbilityInfos failed");
1680 return EdmReturnErrCode::PARAM_ERROR;
1681 }
1682 InitAllPlugins();
1683 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1684 if (plugin == nullptr) {
1685 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1686 }
1687 if (AdminManager::GetInstance()->IsAdminExist()) {
1688 EDMLOGE("CheckAndGetAdminProvisionInfo::device exist admin.");
1689 return EdmReturnErrCode::PARAM_ERROR;
1690 }
1691 std::string policyValue;
1692 AppExecFwk::ElementName elementName;
1693 ErrCode getRet = plugin->GetExecuteStrategy()->OnGetExecute(code, policyValue, data, reply, userId);
1694 ReportInfo info = ReportInfo(FuncCodeUtils::GetOperateType(code), plugin->GetPolicyName(), std::to_string(getRet));
1695 SecurityReport::ReportSecurityInfo(elementName.GetBundleName(), elementName.GetAbilityName(), info, false);
1696 return getRet;
1697 }
1698
GetEnabledAdmin(AdminType type,std::vector<std::string> & enabledAdminList)1699 ErrCode EnterpriseDeviceMgrAbility::GetEnabledAdmin(AdminType type, std::vector<std::string> &enabledAdminList)
1700 {
1701 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
1702 std::vector<std::string> superList;
1703 std::vector<std::string> normalList;
1704 std::vector<std::string> byodList;
1705 switch (type) {
1706 case AdminType::NORMAL:
1707 AdminManager::GetInstance()->GetEnabledAdmin(AdminType::NORMAL, normalList, GetCurrentUserId());
1708 AdminManager::GetInstance()->GetEnabledAdmin(AdminType::ENT, superList, EdmConstants::DEFAULT_USER_ID);
1709 break;
1710 case AdminType::ENT:
1711 AdminManager::GetInstance()->GetEnabledAdmin(AdminType::ENT, superList, EdmConstants::DEFAULT_USER_ID);
1712 break;
1713 case AdminType::BYOD:
1714 AdminManager::GetInstance()->GetEnabledAdmin(AdminType::BYOD, byodList, EdmConstants::DEFAULT_USER_ID);
1715 break;
1716 case AdminType::UNKNOWN:
1717 break;
1718 default:
1719 return ERR_EDM_PARAM_ERROR;
1720 }
1721 if (!superList.empty()) {
1722 enabledAdminList.insert(enabledAdminList.begin(), superList.begin(), superList.end());
1723 }
1724 if (!normalList.empty()) {
1725 enabledAdminList.insert(enabledAdminList.begin(), normalList.begin(), normalList.end());
1726 }
1727 if (!byodList.empty()) {
1728 enabledAdminList.insert(enabledAdminList.begin(), byodList.begin(), byodList.end());
1729 }
1730 for (const auto &enabledAdmin : enabledAdminList) {
1731 EDMLOGD("GetEnabledAdmin: %{public}s", enabledAdmin.c_str());
1732 }
1733 return ERR_OK;
1734 }
1735
GetEnterpriseInfo(AppExecFwk::ElementName & admin,MessageParcel & reply)1736 ErrCode EnterpriseDeviceMgrAbility::GetEnterpriseInfo(AppExecFwk::ElementName &admin, MessageParcel &reply)
1737 {
1738 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
1739 auto adminItem = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1740 if (adminItem != nullptr && adminItem->GetAdminType() == AdminType::VIRTUAL_ADMIN) {
1741 EDMLOGE("GetEnterpriseInfo delegated admin does not have permission to get enterprise info.");
1742 reply.WriteInt32(EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED);
1743 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1744 }
1745 EntInfo entInfo;
1746 int32_t userId = (adminItem != nullptr && (adminItem->GetAdminType() == AdminType::ENT ||
1747 adminItem->GetAdminType() == AdminType::SUB_SUPER_ADMIN)) ? EdmConstants::DEFAULT_USER_ID : GetCurrentUserId();
1748 ErrCode code = AdminManager::GetInstance()->GetEntInfo(admin.GetBundleName(), entInfo, userId);
1749 if (code != ERR_OK) {
1750 reply.WriteInt32(EdmReturnErrCode::ADMIN_INACTIVE);
1751 return EdmReturnErrCode::ADMIN_INACTIVE;
1752 }
1753 reply.WriteInt32(ERR_OK);
1754 entInfo.Marshalling(reply);
1755 EDMLOGD(
1756 "EnterpriseDeviceMgrAbility::GetEnterpriseInfo: entInfo->enterpriseName %{public}s, "
1757 "entInfo->description:%{public}s",
1758 entInfo.enterpriseName.c_str(), entInfo.description.c_str());
1759 return ERR_OK;
1760 }
1761
SetEnterpriseInfo(AppExecFwk::ElementName & admin,EntInfo & entInfo)1762 ErrCode EnterpriseDeviceMgrAbility::SetEnterpriseInfo(AppExecFwk::ElementName &admin, EntInfo &entInfo)
1763 {
1764 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1765 int32_t userId = GetCurrentUserId();
1766 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
1767 if (adminItem == nullptr) {
1768 return EdmReturnErrCode::ADMIN_INACTIVE;
1769 }
1770 ErrCode ret = GetPermissionChecker()->CheckCallerPermission(adminItem,
1771 EdmPermission::PERMISSION_SET_ENTERPRISE_INFO, false);
1772 if (FAILED(ret)) {
1773 return ret;
1774 }
1775 if (adminItem->GetAdminType() == AdminType::ENT || adminItem->GetAdminType() == AdminType::SUB_SUPER_ADMIN) {
1776 userId = EdmConstants::DEFAULT_USER_ID;
1777 }
1778 ErrCode code = AdminManager::GetInstance()->SetEntInfo(admin.GetBundleName(), entInfo, userId);
1779 return (code != ERR_OK) ? EdmReturnErrCode::ADMIN_INACTIVE : ERR_OK;
1780 }
1781
HandleApplicationEvent(const std::vector<uint32_t> & events,bool subscribe)1782 ErrCode EnterpriseDeviceMgrAbility::HandleApplicationEvent(const std::vector<uint32_t> &events, bool subscribe)
1783 {
1784 bool shouldHandleAppState = std::any_of(events.begin(), events.end(), [](uint32_t event) {
1785 return event == static_cast<uint32_t>(ManagedEvent::APP_START) ||
1786 event == static_cast<uint32_t>(ManagedEvent::APP_STOP);
1787 });
1788 if (!shouldHandleAppState) {
1789 return ERR_OK;
1790 }
1791 if (subscribe) {
1792 return SubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1793 } else {
1794 return UnsubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1795 }
1796 }
1797
SubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1798 ErrCode EnterpriseDeviceMgrAbility::SubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1799 const std::vector<uint32_t> &events)
1800 {
1801 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1802 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1803 RETURN_IF_FAILED(HandleApplicationEvent(events, true));
1804 int32_t userId = AdminManager::GetInstance()->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ?
1805 EdmConstants::DEFAULT_USER_ID : GetCurrentUserId();
1806 AdminManager::GetInstance()->SaveSubscribeEvents(events, admin.GetBundleName(), userId);
1807 return ERR_OK;
1808 }
1809
UnsubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1810 ErrCode EnterpriseDeviceMgrAbility::UnsubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1811 const std::vector<uint32_t> &events)
1812 {
1813 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1814 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1815 int32_t userId = AdminManager::GetInstance()->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ?
1816 EdmConstants::DEFAULT_USER_ID : GetCurrentUserId();
1817 AdminManager::GetInstance()->RemoveSubscribeEvents(events, admin.GetBundleName(), userId);
1818 return HandleApplicationEvent(events, false);
1819 }
1820
VerifyManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1821 ErrCode EnterpriseDeviceMgrAbility::VerifyManagedEvent(const AppExecFwk::ElementName &admin,
1822 const std::vector<uint32_t> &events)
1823 {
1824 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(),
1825 GetCurrentUserId());
1826 ErrCode ret = GetPermissionChecker()->CheckCallerPermission(adminItem,
1827 EdmPermission::PERMISSION_ENTERPRISE_SUBSCRIBE_MANAGED_EVENT, false);
1828 if (FAILED(ret)) {
1829 return ret;
1830 }
1831 if (events.empty()) {
1832 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1833 }
1834 auto iter =
1835 std::find_if(events.begin(), events.end(), [this](uint32_t event) { return !CheckManagedEvent(event); });
1836 if (iter != std::end(events)) {
1837 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1838 }
1839 return ERR_OK;
1840 }
1841
CheckManagedEvent(uint32_t event)1842 bool EnterpriseDeviceMgrAbility::CheckManagedEvent(uint32_t event)
1843 {
1844 if (event >= static_cast<uint32_t>(ManagedEvent::BUNDLE_ADDED) &&
1845 event <= static_cast<uint32_t>(ManagedEvent::USER_REMOVED)) {
1846 return true;
1847 }
1848 return false;
1849 }
1850
AuthorizeAdmin(const AppExecFwk::ElementName & admin,const std::string & bundleName)1851 ErrCode EnterpriseDeviceMgrAbility::AuthorizeAdmin(const AppExecFwk::ElementName &admin, const std::string &bundleName)
1852 {
1853 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1854 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(),
1855 GetCurrentUserId());
1856 ErrCode ret = GetPermissionChecker()->CheckCallerPermission(adminItem,
1857 EdmPermission::PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN, true);
1858 if (FAILED(ret)) {
1859 return ret;
1860 }
1861 /* Get all request and registered permissions */
1862 std::vector<std::string> permissionList;
1863 if (FAILED(GetPermissionChecker()->GetAllPermissionsByAdmin(bundleName, AdminType::SUB_SUPER_ADMIN,
1864 EdmConstants::DEFAULT_USER_ID, permissionList))) {
1865 EDMLOGW("AuthorizeAdmin: GetAllPermissionsByAdmin failed.");
1866 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1867 }
1868 EntInfo entInfo;
1869 AppExecFwk::ExtensionAbilityInfo abilityInfo;
1870 abilityInfo.bundleName = bundleName;
1871 Admin subAdmin(abilityInfo, AdminType::SUB_SUPER_ADMIN, entInfo, permissionList, adminItem->adminInfo_.isDebug_);
1872 subAdmin.SetParentAdminName(admin.GetBundleName());
1873 return AdminManager::GetInstance()->SetAdminValue(EdmConstants::DEFAULT_USER_ID, subAdmin);
1874 }
1875
GetSuperAdmin(MessageParcel & reply)1876 ErrCode EnterpriseDeviceMgrAbility::GetSuperAdmin(MessageParcel &reply)
1877 {
1878 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
1879 auto superAdmin = AdminManager::GetInstance()->GetSuperAdmin();
1880 reply.WriteInt32(ERR_OK);
1881 if (superAdmin == nullptr) {
1882 reply.WriteString("");
1883 reply.WriteString("");
1884 } else {
1885 reply.WriteString(superAdmin->adminInfo_.packageName_);
1886 reply.WriteString(superAdmin->adminInfo_.className_);
1887 }
1888 return ERR_OK;
1889 }
1890
SetDelegatedPolicies(const std::string & parentAdminName,const std::string & bundleName,const std::vector<std::string> & policies)1891 ErrCode EnterpriseDeviceMgrAbility::SetDelegatedPolicies(const std::string &parentAdminName,
1892 const std::string &bundleName, const std::vector<std::string> &policies)
1893 {
1894 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1895 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(parentAdminName,
1896 GetCurrentUserId());
1897 ErrCode ret = GetPermissionChecker()->CheckCallerPermission(adminItem,
1898 EdmPermission::PERMISSION_ENTERPRISE_MANAGE_DELEGATED_POLICY, true);
1899 if (FAILED(ret)) {
1900 return ret;
1901 }
1902 if (parentAdminName == bundleName) {
1903 EDMLOGE("SetDelegatedPolicies does not delegated policies to self.");
1904 return EdmReturnErrCode::PARAM_ERROR;
1905 }
1906 if (policies.empty()) {
1907 EDMLOGW("SetDelegatedPolicies remove delegated policies.");
1908 return RemoveSubSuperAdminAndAdminPolicy(bundleName);
1909 }
1910 ret = CheckDelegatedPolicies(adminItem, policies);
1911 if (FAILED(ret)) {
1912 return ret;
1913 }
1914 if (!GetBundleMgr()->IsBundleInstalled(bundleName, EdmConstants::DEFAULT_USER_ID)) {
1915 EDMLOGE("SetDelegatedPolicies the delegated application does not installed.");
1916 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1917 }
1918 std::string appDistributionType = GetBundleMgr()->GetApplicationInfo(bundleName, EdmConstants::DEFAULT_USER_ID);
1919 if (appDistributionType != APP_TYPE_ENTERPRISE_MDM && appDistributionType != APP_TYPE_ENTERPRISE_NORMAL) {
1920 EDMLOGE("SetDelegatedPolicies get appDistributionType %{public}s.", appDistributionType.c_str());
1921 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1922 }
1923 EntInfo entInfo;
1924 AppExecFwk::ExtensionAbilityInfo abilityInfo;
1925 abilityInfo.bundleName = bundleName;
1926 Admin virtualAdmin(abilityInfo, AdminType::VIRTUAL_ADMIN, entInfo, {}, adminItem->adminInfo_.isDebug_);
1927 virtualAdmin.SetParentAdminName(parentAdminName);
1928 virtualAdmin.SetAccessiblePolicies(policies);
1929 return AdminManager::GetInstance()->SetAdminValue(EdmConstants::DEFAULT_USER_ID, virtualAdmin);
1930 }
1931
GetDelegatedPolicies(const std::string & parentAdminName,const std::string & bundleName,std::vector<std::string> & policies)1932 ErrCode EnterpriseDeviceMgrAbility::GetDelegatedPolicies(const std::string &parentAdminName,
1933 const std::string &bundleName, std::vector<std::string> &policies)
1934 {
1935 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
1936 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(parentAdminName,
1937 GetCurrentUserId());
1938 ErrCode ret = GetPermissionChecker()->CheckCallerPermission(adminItem,
1939 EdmPermission::PERMISSION_ENTERPRISE_MANAGE_DELEGATED_POLICY, true);
1940 if (FAILED(ret)) {
1941 return ret;
1942 }
1943 return AdminManager::GetInstance()->GetPoliciesByVirtualAdmin(bundleName, parentAdminName, policies);
1944 }
1945
GetDelegatedBundleNames(const std::string & parentAdminName,const std::string & policyName,std::vector<std::string> & bundleNames)1946 ErrCode EnterpriseDeviceMgrAbility::GetDelegatedBundleNames(const std::string &parentAdminName,
1947 const std::string &policyName, std::vector<std::string> &bundleNames)
1948 {
1949 if (allowDelegatedPolicies_.find(policyName) == allowDelegatedPolicies_.end()) {
1950 return EdmReturnErrCode::PARAM_ERROR;
1951 }
1952 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
1953 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(parentAdminName,
1954 GetCurrentUserId());
1955 ErrCode ret = GetPermissionChecker()->CheckCallerPermission(adminItem,
1956 EdmPermission::PERMISSION_ENTERPRISE_MANAGE_DELEGATED_POLICY, true);
1957 if (FAILED(ret)) {
1958 return ret;
1959 }
1960 AdminManager::GetInstance()->GetVirtualAdminsByPolicy(policyName, parentAdminName, bundleNames);
1961 return ERR_OK;
1962 }
1963
CheckDelegatedPolicies(std::shared_ptr<Admin> admin,const std::vector<std::string> & policies)1964 ErrCode EnterpriseDeviceMgrAbility::CheckDelegatedPolicies(std::shared_ptr<Admin> admin,
1965 const std::vector<std::string> &policies)
1966 {
1967 if (admin == nullptr) {
1968 return EdmReturnErrCode::ADMIN_INACTIVE;
1969 }
1970 InitAllPlugins();
1971 for (const std::string &policy : policies) {
1972 if (allowDelegatedPolicies_.find(policy) == allowDelegatedPolicies_.end()) {
1973 return EdmReturnErrCode::PARAM_ERROR;
1974 }
1975 auto plugin = pluginMgr_->GetPluginByPolicyName(policy);
1976 if (plugin == nullptr) {
1977 EDMLOGE("CheckDelegatedPolicies get policyName is not exist.");
1978 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1979 }
1980 auto permission = plugin->GetPermission(FuncOperateType::SET,
1981 GetPermissionChecker()->AdminTypeToPermissionType(admin->GetAdminType()));
1982 if (permission == NONE_PERMISSION_MATCH) {
1983 permission = plugin->GetPermission(FuncOperateType::SET,
1984 GetPermissionChecker()->AdminTypeToPermissionType(admin->GetAdminType()),
1985 EdmConstants::PERMISSION_TAG_VERSION_12);
1986 }
1987 if (permission.empty() || permission == NONE_PERMISSION_MATCH) {
1988 EDMLOGE("CheckDelegatedPolicies get plugin access permission failed.");
1989 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1990 }
1991 auto ret = GetPermissionChecker()->CheckAndUpdatePermission(admin, IPCSkeleton::GetCallingTokenID(),
1992 permission, EdmConstants::DEFAULT_USER_ID);
1993 if (FAILED(ret)) {
1994 return ret;
1995 }
1996 }
1997 return ERR_OK;
1998 }
1999
GetAdmins(std::vector<std::shared_ptr<AAFwk::Want>> & wants)2000 ErrCode EnterpriseDeviceMgrAbility::GetAdmins(std::vector<std::shared_ptr<AAFwk::Want>> &wants)
2001 {
2002 std::vector<std::shared_ptr<Admin>> admins;
2003 AdminManager::GetInstance()->GetAdmins(admins, GetCurrentUserId());
2004 for (auto admin : admins) {
2005 std::shared_ptr<AAFwk::Want> want = std::make_shared<AAFwk::Want>();
2006 want->SetParam("bundleName", admin->adminInfo_.packageName_);
2007 want->SetParam("abilityName", admin->adminInfo_.className_);
2008 want->SetParam("adminType", static_cast<int32_t>(admin->adminInfo_.adminType_));
2009 wants.push_back(want);
2010 }
2011 return ERR_OK;
2012 }
2013 } // namespace EDM
2014 } // namespace OHOS