1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "privacy_manager_service.h"
17
18 #include <cinttypes>
19 #include <cstring>
20
21 #include "access_token.h"
22 #include "accesstoken_common_log.h"
23 #include "active_status_callback_manager.h"
24 #include "ipc_skeleton.h"
25 #ifdef COMMON_EVENT_SERVICE_ENABLE
26 #include "privacy_common_event_subscriber.h"
27 #endif //COMMON_EVENT_SERVICE_ENABLE
28 #include "constant_common.h"
29 #include "constant.h"
30 #include "ipc_skeleton.h"
31 #include "permission_record_manager.h"
32 #include "privacy_manager_proxy_death_param.h"
33 #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
34 #include "privacy_sec_comp_enhance_agent.h"
35 #endif
36 #include "system_ability_definition.h"
37 #include "string_ex.h"
38
39 namespace OHOS {
40 namespace Security {
41 namespace AccessToken {
42
43 const bool REGISTER_RESULT =
44 SystemAbility::MakeAndRegisterAbility(DelayedSingleton<PrivacyManagerService>::GetInstance().get());
45
PrivacyManagerService()46 PrivacyManagerService::PrivacyManagerService()
47 : SystemAbility(SA_ID_PRIVACY_MANAGER_SERVICE, true), state_(ServiceRunningState::STATE_NOT_START)
48 {
49 LOGI(PRI_DOMAIN, PRI_TAG, "PrivacyManagerService()");
50 }
51
~PrivacyManagerService()52 PrivacyManagerService::~PrivacyManagerService()
53 {
54 LOGI(PRI_DOMAIN, PRI_TAG, "~PrivacyManagerService()");
55 #ifdef COMMON_EVENT_SERVICE_ENABLE
56 PrivacyCommonEventSubscriber::UnRegisterEvent();
57 #endif //COMMON_EVENT_SERVICE_ENABLE
58 }
59
OnStart()60 void PrivacyManagerService::OnStart()
61 {
62 if (state_ == ServiceRunningState::STATE_RUNNING) {
63 LOGI(PRI_DOMAIN, PRI_TAG, "PrivacyManagerService has already started!");
64 return;
65 }
66 LOGI(PRI_DOMAIN, PRI_TAG, "PrivacyManagerService is starting");
67 if (!Initialize()) {
68 LOGE(PRI_DOMAIN, PRI_TAG, "Failed to initialize");
69 return;
70 }
71
72 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
73 AddSystemAbilityListener(SCREENLOCK_SERVICE_ID);
74
75 state_ = ServiceRunningState::STATE_RUNNING;
76 bool ret = Publish(DelayedSingleton<PrivacyManagerService>::GetInstance().get());
77 if (!ret) {
78 LOGE(PRI_DOMAIN, PRI_TAG, "Failed to publish service!");
79 return;
80 }
81 LOGI(PRI_DOMAIN, PRI_TAG, "Congratulations, PrivacyManagerService start successfully!");
82 }
83
OnStop()84 void PrivacyManagerService::OnStop()
85 {
86 LOGI(PRI_DOMAIN, PRI_TAG, "Stop service");
87 state_ = ServiceRunningState::STATE_NOT_START;
88 }
89
AddPermissionUsedRecord(const AddPermParamInfoParcel & infoParcel,bool asyncMode)90 int32_t PrivacyManagerService::AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel,
91 bool asyncMode)
92 {
93 LOGD(PRI_DOMAIN, PRI_TAG, "id: %{public}d, perm: %{public}s, succCnt: %{public}d,"
94 " failCnt: %{public}d, type: %{public}d", infoParcel.info.tokenId, infoParcel.info.permissionName.c_str(),
95 infoParcel.info.successCount, infoParcel.info.failCount, infoParcel.info.type);
96 AddPermParamInfo info = infoParcel.info;
97 return PermissionRecordManager::GetInstance().AddPermissionUsedRecord(info);
98 }
99
SetPermissionUsedRecordToggleStatus(int32_t userID,bool status)100 int32_t PrivacyManagerService::SetPermissionUsedRecordToggleStatus(int32_t userID, bool status)
101 {
102 LOGI(PRI_DOMAIN, PRI_TAG, "userID: %{public}d, status: %{public}d", userID, status ? 1 : 0);
103 return PermissionRecordManager::GetInstance().SetPermissionUsedRecordToggleStatus(userID, status);
104 }
105
GetPermissionUsedRecordToggleStatus(int32_t userID,bool & status)106 int32_t PrivacyManagerService::GetPermissionUsedRecordToggleStatus(int32_t userID, bool& status)
107 {
108 LOGD(PRI_DOMAIN, PRI_TAG, "userID: %{public}d, status: %{public}d", userID, status ? 1 : 0);
109 return PermissionRecordManager::GetInstance().GetPermissionUsedRecordToggleStatus(userID, status);
110 }
111
GetProxyDeathHandler()112 std::shared_ptr<ProxyDeathHandler> PrivacyManagerService::GetProxyDeathHandler()
113 {
114 std::lock_guard<std::mutex> lock(deathHandlerMutex_);
115 if (proxyDeathHandler_ == nullptr) {
116 proxyDeathHandler_ = std::make_shared<ProxyDeathHandler>();
117 }
118 return proxyDeathHandler_;
119 }
120
ProcessProxyDeathStub(const sptr<IRemoteObject> & anonyStub,int32_t callerPid)121 void PrivacyManagerService::ProcessProxyDeathStub(const sptr<IRemoteObject>& anonyStub, int32_t callerPid)
122 {
123 if (anonyStub == nullptr) {
124 LOGE(PRI_DOMAIN, PRI_TAG, "anonyStub is nullptr.");
125 return;
126 }
127 std::shared_ptr<ProxyDeathParam> param = std::make_shared<PrivacyManagerProxyDeathParam>(callerPid);
128 if (param == nullptr) {
129 LOGE(PRI_DOMAIN, PRI_TAG, "Create param failed.");
130 return;
131 }
132 auto handler = GetProxyDeathHandler();
133 if (handler == nullptr) {
134 LOGE(PRI_DOMAIN, PRI_TAG, "Handler is nullptr.");
135 return;
136 }
137 handler->AddProxyStub(anonyStub, param);
138 }
139
ReleaseDeathStub(int32_t callerPid)140 void PrivacyManagerService::ReleaseDeathStub(int32_t callerPid)
141 {
142 std::shared_ptr<ProxyDeathParam> param = std::make_shared<PrivacyManagerProxyDeathParam>(callerPid);
143 if (param == nullptr) {
144 LOGE(PRI_DOMAIN, PRI_TAG, "Create param failed.");
145 return;
146 }
147 auto handler = GetProxyDeathHandler();
148 if (handler == nullptr) {
149 LOGE(PRI_DOMAIN, PRI_TAG, "Handler is nullptr.");
150 return;
151 }
152 handler->ReleaseProxyByParam(param);
153 }
154
StartUsingPermission(const PermissionUsedTypeInfoParcel & infoParcel,const sptr<IRemoteObject> & anonyStub)155 int32_t PrivacyManagerService::StartUsingPermission(
156 const PermissionUsedTypeInfoParcel &infoParcel, const sptr<IRemoteObject>& anonyStub)
157 {
158 int32_t callerPid = IPCSkeleton::GetCallingPid();
159 LOGI(PRI_DOMAIN, PRI_TAG, "Caller pid = %{public}d.", callerPid);
160 ProcessProxyDeathStub(anonyStub, callerPid);
161 return PermissionRecordManager::GetInstance().StartUsingPermission(infoParcel.info, callerPid);
162 }
163
StartUsingPermission(const PermissionUsedTypeInfoParcel & infoParcel,const sptr<IRemoteObject> & callback,const sptr<IRemoteObject> & anonyStub)164 int32_t PrivacyManagerService::StartUsingPermission(const PermissionUsedTypeInfoParcel &infoParcel,
165 const sptr<IRemoteObject>& callback, const sptr<IRemoteObject>& anonyStub)
166 {
167 int32_t callerPid = IPCSkeleton::GetCallingPid();
168 LOGI(PRI_DOMAIN, PRI_TAG, "Caller pid = %{public}d.", callerPid);
169 ProcessProxyDeathStub(anonyStub, callerPid);
170 return PermissionRecordManager::GetInstance().StartUsingPermission(infoParcel.info, callback, callerPid);
171 }
172
StopUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)173 int32_t PrivacyManagerService::StopUsingPermission(
174 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
175 {
176 LOGI(PRI_DOMAIN, PRI_TAG, "id: %{public}u, pid: %{public}d, perm: %{public}s",
177 tokenId, pid, permissionName.c_str());
178 int32_t callerPid = IPCSkeleton::GetCallingPid();
179 int32_t ret = PermissionRecordManager::GetInstance().StopUsingPermission(tokenId, pid, permissionName, callerPid);
180 if (ret != Constant::SUCCESS) {
181 return ret;
182 }
183 if (!PermissionRecordManager::GetInstance().HasCallerInStartList(callerPid)) {
184 LOGI(PRI_DOMAIN, PRI_TAG, "No permission record from caller = %{public}d", callerPid);
185 ReleaseDeathStub(callerPid);
186 }
187 return ret;
188 }
189
RemovePermissionUsedRecords(AccessTokenID tokenId)190 int32_t PrivacyManagerService::RemovePermissionUsedRecords(AccessTokenID tokenId)
191 {
192 LOGI(PRI_DOMAIN, PRI_TAG, "id: %{public}u", tokenId);
193 PermissionRecordManager::GetInstance().RemovePermissionUsedRecords(tokenId);
194 return Constant::SUCCESS;
195 }
196
GetPermissionUsedRecords(const PermissionUsedRequestParcel & request,PermissionUsedResultParcel & result)197 int32_t PrivacyManagerService::GetPermissionUsedRecords(
198 const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& result)
199 {
200 std::string permissionList;
201 for (const auto& perm : request.request.permissionList) {
202 permissionList.append(perm);
203 permissionList.append(" ");
204 }
205 LOGI(PRI_DOMAIN, PRI_TAG, "id: %{public}d, timestamp: [%{public}" PRId64 "-%{public}" PRId64
206 "], flag: %{public}d, perm: %{public}s", request.request.tokenId, request.request.beginTimeMillis,
207 request.request.endTimeMillis, request.request.flag, permissionList.c_str());
208
209 PermissionUsedResult permissionRecord;
210 int32_t ret = PermissionRecordManager::GetInstance().GetPermissionUsedRecords(request.request, permissionRecord);
211 result.result = permissionRecord;
212 return ret;
213 }
214
GetPermissionUsedRecords(const PermissionUsedRequestParcel & request,const sptr<OnPermissionUsedRecordCallback> & callback)215 int32_t PrivacyManagerService::GetPermissionUsedRecords(
216 const PermissionUsedRequestParcel& request, const sptr<OnPermissionUsedRecordCallback>& callback)
217 {
218 LOGD(PRI_DOMAIN, PRI_TAG, "id: %{public}d", request.request.tokenId);
219 return PermissionRecordManager::GetInstance().GetPermissionUsedRecordsAsync(request.request, callback);
220 }
221
RegisterPermActiveStatusCallback(std::vector<std::string> & permList,const sptr<IRemoteObject> & callback)222 int32_t PrivacyManagerService::RegisterPermActiveStatusCallback(
223 std::vector<std::string>& permList, const sptr<IRemoteObject>& callback)
224 {
225 return PermissionRecordManager::GetInstance().RegisterPermActiveStatusCallback(
226 IPCSkeleton::GetCallingTokenID(), permList, callback);
227 }
228
229 #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
RegisterSecCompEnhance(const SecCompEnhanceDataParcel & enhanceParcel)230 int32_t PrivacyManagerService::RegisterSecCompEnhance(const SecCompEnhanceDataParcel& enhanceParcel)
231 {
232 LOGI(PRI_DOMAIN, PRI_TAG, "Pid: %{public}d", enhanceParcel.enhanceData.pid);
233 return PrivacySecCompEnhanceAgent::GetInstance().RegisterSecCompEnhance(enhanceParcel.enhanceData);
234 }
235
UpdateSecCompEnhance(int32_t pid,uint32_t seqNum)236 int32_t PrivacyManagerService::UpdateSecCompEnhance(int32_t pid, uint32_t seqNum)
237 {
238 return PrivacySecCompEnhanceAgent::GetInstance().UpdateSecCompEnhance(pid, seqNum);
239 }
240
GetSecCompEnhance(int32_t pid,SecCompEnhanceDataParcel & enhanceParcel)241 int32_t PrivacyManagerService::GetSecCompEnhance(int32_t pid, SecCompEnhanceDataParcel& enhanceParcel)
242 {
243 SecCompEnhanceData enhanceData;
244 int32_t res = PrivacySecCompEnhanceAgent::GetInstance().GetSecCompEnhance(pid, enhanceData);
245 if (res != RET_SUCCESS) {
246 LOGW(PRI_DOMAIN, PRI_TAG, "Pid: %{public}d get enhance failed ", pid);
247 return res;
248 }
249
250 enhanceParcel.enhanceData = enhanceData;
251 return RET_SUCCESS;
252 }
253
GetSpecialSecCompEnhance(const std::string & bundleName,std::vector<SecCompEnhanceDataParcel> & enhanceParcelList)254 int32_t PrivacyManagerService::GetSpecialSecCompEnhance(const std::string& bundleName,
255 std::vector<SecCompEnhanceDataParcel>& enhanceParcelList)
256 {
257 std::vector<SecCompEnhanceData> enhanceList;
258 PrivacySecCompEnhanceAgent::GetInstance().GetSpecialSecCompEnhance(bundleName, enhanceList);
259 for (const auto& enhance : enhanceList) {
260 SecCompEnhanceDataParcel parcel;
261 parcel.enhanceData = enhance;
262 enhanceParcelList.emplace_back(parcel);
263 }
264 return RET_SUCCESS;
265 }
266 #endif
267
ResponseDumpCommand(int32_t fd,const std::vector<std::u16string> & args)268 int32_t PrivacyManagerService::ResponseDumpCommand(int32_t fd, const std::vector<std::u16string>& args)
269 {
270 if (args.size() < 2) { // 2 :need two args 0:command 1:tokenId
271 return ERR_INVALID_VALUE;
272 }
273 long long tokenId = atoll(static_cast<const char*>(Str16ToStr8(args.at(1)).c_str()));
274 PermissionUsedRequest request;
275 if (tokenId <= 0) {
276 return ERR_INVALID_VALUE;
277 }
278 request.tokenId = static_cast<uint32_t>(tokenId);
279 request.flag = FLAG_PERMISSION_USAGE_SUMMARY;
280 PermissionUsedResult result;
281 if (PermissionRecordManager::GetInstance().GetPermissionUsedRecords(request, result) != 0) {
282 return ERR_INVALID_VALUE;
283 }
284 std::string infos;
285 if (result.bundleRecords.empty() || result.bundleRecords[0].permissionRecords.empty()) {
286 dprintf(fd, "No Record \n");
287 return ERR_OK;
288 }
289 for (size_t index = 0; index < result.bundleRecords[0].permissionRecords.size(); index++) {
290 infos.append(R"( "permissionRecord": [)");
291 infos.append("\n");
292 infos.append(R"( "bundleName": )" + result.bundleRecords[0].bundleName + ",\n");
293 infos.append(R"( "isRemote": )" + std::to_string(result.bundleRecords[0].isRemote) + ",\n");
294 infos.append(R"( "permissionName": ")" + result.bundleRecords[0].permissionRecords[index].permissionName +
295 R"(")" + ",\n");
296 time_t lastAccessTime = static_cast<time_t>(result.bundleRecords[0].permissionRecords[index].lastAccessTime);
297 infos.append(R"( "lastAccessTime": )" + std::to_string(lastAccessTime) + ",\n");
298 infos.append(R"( "lastAccessDuration": )" +
299 std::to_string(result.bundleRecords[0].permissionRecords[index].lastAccessDuration) + ",\n");
300 infos.append(R"( "accessCount": ")" +
301 std::to_string(result.bundleRecords[0].permissionRecords[index].accessCount) + R"(")" + ",\n");
302 infos.append(" ]");
303 infos.append("\n");
304 }
305 dprintf(fd, "%s\n", infos.c_str());
306 return ERR_OK;
307 }
308
Dump(int32_t fd,const std::vector<std::u16string> & args)309 int32_t PrivacyManagerService::Dump(int32_t fd, const std::vector<std::u16string>& args)
310 {
311 if (fd < 0) {
312 LOGE(PRI_DOMAIN, PRI_TAG, "Dump fd invalid value");
313 return ERR_INVALID_VALUE;
314 }
315 int32_t ret = ERR_OK;
316 dprintf(fd, "Privacy Dump:\n");
317 if (args.size() == 0) {
318 dprintf(fd, "please use hidumper -s said -a '-h' command help\n");
319 return ret;
320 }
321 std::string arg0 = Str16ToStr8(args.at(0));
322 if (arg0.compare("-h") == 0) {
323 dprintf(fd, "Usage:\n");
324 dprintf(fd, " -h: command help\n");
325 dprintf(fd, " -t <TOKEN_ID>: according to specific token id dump permission used records\n");
326 } else if (arg0.compare("-t") == 0) {
327 ret = PrivacyManagerService::ResponseDumpCommand(fd, args);
328 } else {
329 dprintf(fd, "please use hidumper -s said -a '-h' command help\n");
330 ret = ERR_INVALID_VALUE;
331 }
332 return ret;
333 }
334
UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject> & callback)335 int32_t PrivacyManagerService::UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject>& callback)
336 {
337 return PermissionRecordManager::GetInstance().UnRegisterPermActiveStatusCallback(callback);
338 }
339
IsAllowedUsingPermission(AccessTokenID tokenId,const std::string & permissionName,int32_t pid)340 bool PrivacyManagerService::IsAllowedUsingPermission(AccessTokenID tokenId, const std::string& permissionName,
341 int32_t pid)
342 {
343 LOGI(PRI_DOMAIN, PRI_TAG, "Id: %{public}d, perm: %{public}s, pid: %{public}d.",
344 tokenId, permissionName.c_str(), pid);
345 return PermissionRecordManager::GetInstance().IsAllowedUsingPermission(tokenId, permissionName, pid);
346 }
347
SetMutePolicy(uint32_t policyType,uint32_t callerType,bool isMute,AccessTokenID tokenID)348 int32_t PrivacyManagerService::SetMutePolicy(uint32_t policyType, uint32_t callerType, bool isMute,
349 AccessTokenID tokenID)
350 {
351 LOGI(PRI_DOMAIN, PRI_TAG, "PolicyType %{public}d, callerType %{public}d, isMute %{public}d, tokenId %{public}u",
352 policyType, callerType, isMute, tokenID);
353 return PermissionRecordManager::GetInstance().SetMutePolicy(
354 static_cast<PolicyType>(policyType), static_cast<CallerType>(callerType), isMute, tokenID);
355 }
356
SetHapWithFGReminder(uint32_t tokenId,bool isAllowed)357 int32_t PrivacyManagerService::SetHapWithFGReminder(uint32_t tokenId, bool isAllowed)
358 {
359 LOGI(PRI_DOMAIN, PRI_TAG, "id: %{public}d, isAllowed: %{public}d", tokenId, isAllowed);
360 return PermissionRecordManager::GetInstance().SetHapWithFGReminder(tokenId, isAllowed);
361 }
362
GetPermissionUsedTypeInfos(const AccessTokenID tokenId,const std::string & permissionName,std::vector<PermissionUsedTypeInfoParcel> & resultsParcel)363 int32_t PrivacyManagerService::GetPermissionUsedTypeInfos(const AccessTokenID tokenId,
364 const std::string& permissionName, std::vector<PermissionUsedTypeInfoParcel>& resultsParcel)
365 {
366 LOGD(PRI_DOMAIN, PRI_TAG, "id: %{public}d, perm: %{public}s", tokenId, permissionName.c_str());
367
368 std::vector<PermissionUsedTypeInfo> results;
369 int32_t res = PermissionRecordManager::GetInstance().GetPermissionUsedTypeInfos(tokenId, permissionName, results);
370 if (res != RET_SUCCESS) {
371 return res;
372 }
373
374 for (const auto& result : results) {
375 PermissionUsedTypeInfoParcel parcel;
376 parcel.info = result;
377 resultsParcel.emplace_back(parcel);
378 }
379
380 return RET_SUCCESS;
381 }
382
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)383 void PrivacyManagerService::OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
384 {
385 LOGI(PRI_DOMAIN, PRI_TAG, "saId is %{public}d", systemAbilityId);
386 #ifdef COMMON_EVENT_SERVICE_ENABLE
387 if (systemAbilityId == COMMON_EVENT_SERVICE_ID) {
388 PrivacyCommonEventSubscriber::RegisterEvent();
389 return;
390 }
391 #endif //COMMON_EVENT_SERVICE_ENABLE
392
393 if (systemAbilityId == SCREENLOCK_SERVICE_ID) {
394 int32_t lockScreenStatus = PermissionRecordManager::GetInstance().GetLockScreenStatus(true);
395 PermissionRecordManager::GetInstance().SetLockScreenStatus(lockScreenStatus);
396 return;
397 }
398 }
399
Initialize()400 bool PrivacyManagerService::Initialize()
401 {
402 PermissionRecordManager::GetInstance().Init();
403 #ifdef EVENTHANDLER_ENABLE
404 eventRunner_ = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
405 if (!eventRunner_) {
406 LOGE(PRI_DOMAIN, PRI_TAG, "Failed to create eventRunner.");
407 return false;
408 }
409 eventHandler_ = std::make_shared<AccessEventHandler>(eventRunner_);
410 ActiveStatusCallbackManager::GetInstance().InitEventHandler(eventHandler_);
411 #endif
412 return true;
413 }
414 } // namespace AccessToken
415 } // namespace Security
416 } // namespace OHOS
417