1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "risk_analysis_manager_service.h"
17 
18 #include <thread>
19 
20 #include "accesstoken_kit.h"
21 #include "tokenid_kit.h"
22 #include "ipc_skeleton.h"
23 
24 #include "bigdata.h"
25 #include "database_manager.h"
26 #include "errors.h"
27 #include "model_manager.h"
28 #include "event_group_config.h"
29 #include "risk_analysis_define.h"
30 #include "risk_analysis_manager_callback_proxy.h"
31 #include "security_guard_define.h"
32 #include "security_guard_log.h"
33 #include "security_guard_utils.h"
34 #include "system_ability_definition.h"
35 #include "ffrt.h"
36 #include "config_manager.h"
37 #include "store_define.h"
38 
39 namespace OHOS::Security::SecurityGuard {
// Registers RiskAnalysisManagerService as the system ability identified by RISK_ANALYSIS_MANAGER_SA_ID.
// NOTE(review): the trailing `true` presumably feeds the constructor's runOnCreate flag; confirm against
// the macro definition.
REGISTER_SYSTEM_ABILITY_BY_ID(RiskAnalysisManagerService, RISK_ANALYSIS_MANAGER_SA_ID, true);
41 
namespace {
// Upper bound, in milliseconds, that RequestSecurityModelResult blocks while waiting for an analysis task.
constexpr int32_t TIMEOUT_REPLY = 500;

// Permission names referenced by g_apiPermissionsMap below.
constexpr const char* REQUEST_PERMISSION = "ohos.permission.securityguard.REQUEST_SECURITY_MODEL_RESULT";
constexpr const char* QUERY_SECURITY_MODEL_RESULT_PERMISSION = "ohos.permission.QUERY_SECURITY_MODEL_RESULT";

// Allow-list of model ids: PushRiskAnalysisTask answers UNKNOWN_STATUS for any caller-supplied id that is
// not listed here, so the id never reaches ModelManager::GetResult.
const std::vector<uint32_t> MODELIDS = {
    3001000000U, 3001000001U, 3001000002U, 3001000005U, 3001000006U, 3001000007U, 3001000009U
};

// API name -> permissions that authorise it. IsApiHasPermission accepts the caller when ANY ONE of the
// listed permissions is granted, and rejects API names that have no entry.
const std::unordered_map<std::string, std::vector<std::string>> g_apiPermissionsMap {
    {"RequestSecurityModelResult", {REQUEST_PERMISSION, QUERY_SECURITY_MODEL_RESULT_PERMISSION}},
};
} // namespace
53 
// Constructs the service by forwarding both arguments to the SystemAbility base class.
// saId:        system ability id handed to SystemAbility.
// runOnCreate: handed to SystemAbility unchanged.
RiskAnalysisManagerService::RiskAnalysisManagerService(int32_t saId, bool runOnCreate)
    : SystemAbility(saId, runOnCreate)
{
    // The only work done here is a construction trace carrying the function name.
    SGLOGW("%{public}s", __func__);
}
59 
// Start hook: loads the event, model and event-group configurations, submits model initialisation to
// ffrt, registers a listener for COMMON_EVENT_SERVICE_ID and publishes the service.
void RiskAnalysisManagerService::OnStart()
{
    SGLOGI("RiskAnalysisManagerService %{public}s", __func__);

    // NOTE(review): a failed config load is only logged; the service is still published below, so it can
    // end up serving requests with whatever state the failed load left behind. Confirm that is intended.
    if (!ConfigManager::InitConfig<EventConfig>()) {
        SGLOGE("init event config error");
    }
    if (!ConfigManager::InitConfig<ModelConfig>()) {
        SGLOGE("init model config error");
    }
    if (!ConfigManager::InitConfig<EventGroupConfig>()) {
        SGLOGE("init event group error");
    }

    // Model initialisation is handed to ffrt rather than run inline.
    // NOTE(review): Publish() below does not wait for this task, so a request may presumably arrive
    // before ModelManager::Init() has finished; verify GetResult() tolerates that.
    auto initModels = [] {
        ModelManager::GetInstance().Init();
    };
    ffrt::submit(initModels);

    AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
    const bool published = Publish(this);
    if (!published) {
        SGLOGE("Publish error");
    }
}
85 
// Stop hook. This implementation performs no work: nothing set up in OnStart is undone here.
void RiskAnalysisManagerService::OnStop()
{
}
89 
// Authorises the current IPC caller for the named API.
//
// api: key into g_apiPermissionsMap.
//
// Returns:
//   FAILED        - the API name has no entry in g_apiPermissionsMap (unknown APIs are denied).
//   NO_PERMISSION - the caller's token holds none of the permissions listed for the API.
//   NO_SYSTEMCALL - a permission is granted, but the token is not TOKEN_NATIVE and the full token id
//                   does not belong to a system app.
//   SUCCESS       - a permission is granted and the caller is a native token or a system app.
//
// The caller identity comes from IPCSkeleton::GetCalling*, so this is presumably only meaningful on the
// thread that is handling the incoming request; do not defer it to a worker task.
int32_t RiskAnalysisManagerService::IsApiHasPermission(const std::string &api)
{
    const auto entry = g_apiPermissionsMap.find(api);
    if (entry == g_apiPermissionsMap.cend()) {
        SGLOGE("api not in map");
        return FAILED;
    }

    const AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();

    // One granted permission out of the list is enough; stop at the first hit.
    bool granted = false;
    for (const std::string &permission : entry->second) {
        const int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permission);
        if (code == AccessToken::PermissionState::PERMISSION_GRANTED) {
            granted = true;
            break;
        }
    }
    if (!granted) {
        SGLOGE("caller no permission");
        return NO_PERMISSION;
    }

    // Second gate: every token type other than TOKEN_NATIVE must additionally be a system app.
    const AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
    if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
        return SUCCESS;
    }
    const uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
    if (!AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
        SGLOGE("not system app no permission");
        return NO_SYSTEMCALL;
    }
    return SUCCESS;
}
115 
// Runs one risk-analysis model for an authorised caller and delivers the result through `callback`.
//
// devId:    passed through to the callback unchanged; not inspected here.
// modelId:  model to evaluate; checked against the MODELIDS allow-list inside PushRiskAnalysisTask.
// param:    caller-supplied string handed to the model; not validated in this function.
// callback: remote object cast to RiskAnalysisManagerCallbackProxy to receive the result.
//
// Returns the IsApiHasPermission() code when authorisation fails, NULL_OBJECT when `callback` cannot be
// cast to the proxy, TIME_OUT when no result arrived within TIMEOUT_REPLY ms, otherwise SUCCESS.
int32_t RiskAnalysisManagerService::RequestSecurityModelResult(const std::string &devId, uint32_t modelId,
    const std::string &param, const sptr<IRemoteObject> &callback)
{
    SGLOGI("enter RiskAnalysisManagerService RequestSecurityModelResult");

    // Authorise before touching any caller-controlled argument.
    const int32_t permissionRet = IsApiHasPermission("RequestSecurityModelResult");
    if (permissionRet != SUCCESS) {
        return permissionRet;
    }

    ClassifyEvent event;
    event.pid = IPCSkeleton::GetCallingPid();
    event.time = SecurityGuardUtils::GetDate();

    // The promise is shared with the worker task, so a task that finishes after the timeout below
    // still has a live object to write to.
    auto promise = std::make_shared<std::promise<std::string>>();
    auto future = promise->get_future();
    PushRiskAnalysisTask(modelId, param, promise);

    // This wait blocks the calling thread for up to TIMEOUT_REPLY ms per request.
    // NOTE(review): future.get() throws if the task is destroyed without ever setting a value; confirm
    // the ffrt task cannot be dropped that way.
    std::string result{};
    int32_t ret = SUCCESS;
    const std::chrono::milliseconds span(TIMEOUT_REPLY);
    if (future.wait_for(span) != std::future_status::timeout) {
        result = future.get();
    } else {
        SGLOGE("wait for result timeout");
        ret = TIME_OUT;
    }

    // The classify event is reported on every authorised request; on timeout its status is empty.
    SGLOGI("ReportClassifyEvent");
    event.status = result;
    BigData::ReportClassifyEvent(event);

    // NOTE(review): the callback is validated only here, after the analysis has already run, so a
    // request with an unusable callback still costs a model evaluation and up to TIMEOUT_REPLY ms.
    auto proxy = iface_cast<RiskAnalysisManagerCallbackProxy>(callback);
    if (proxy == nullptr) {
        return NULL_OBJECT;
    }
    // On timeout the callback still fires, carrying the empty result.
    proxy->ResponseSecurityModelResult(devId, modelId, result);
    // The result is logged with the private specifier, keeping it out of plain-text logs.
    SGLOGI("get analysis result=%{private}s", result.c_str());
    return ret;
}
150 
// Submits an ffrt task that evaluates `modelId` with `param` and fulfils `promise` with the outcome.
//
// modelId: caller-supplied model id; anything outside MODELIDS is answered with UNKNOWN_STATUS and never
//          reaches ModelManager.
// param:   caller-supplied string forwarded to ModelManager::GetResult without inspection here.
// promise: receives exactly one value on either path of the task below.
void RiskAnalysisManagerService::PushRiskAnalysisTask(uint32_t modelId, std::string param,
    std::shared_ptr<std::promise<std::string>> promise)
{
    // Everything is captured by value: the task may run after this call has returned.
    auto analyse = [modelId, param, promise] {
        SGLOGD("modelId=%{public}u", modelId);
        const bool supported = std::find(MODELIDS.cbegin(), MODELIDS.cend(), modelId) != MODELIDS.cend();
        if (!supported) {
            SGLOGE("model not support, no need to analyse, modelId=%{public}u", modelId);
            promise->set_value(UNKNOWN_STATUS);
            return;
        }
        // NOTE(review): if GetResult() can throw, the promise is never fulfilled on that path; confirm.
        const std::string result = ModelManager::GetInstance().GetResult(modelId, param);
        SGLOGI("result is %{private}s", result.c_str());
        promise->set_value(result);
    };
    ffrt::submit(analyse);
}
167 
// Placeholder: ignores both arguments and reports SUCCESS without changing any state.
// NOTE(review): callers are told the request succeeded although nothing was enabled or disabled. There
// is also no IsApiHasPermission() call and no g_apiPermissionsMap entry for this API; both are needed
// before this gains real behaviour.
int32_t RiskAnalysisManagerService::SetModelState(uint32_t modelId, bool enable)
{
    static_cast<void>(modelId);
    static_cast<void>(enable);
    return SUCCESS;
}
172 
// Listener hook: starts configuration updates once the common event service is reported as added.
// systemAbilityId: id of the ability that was added; only COMMON_EVENT_SERVICE_ID triggers work.
// deviceId:        not used by this implementation.
void RiskAnalysisManagerService::OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
{
    SGLOGI("OnAddSystemAbility, systemAbilityId=%{public}d", systemAbilityId);
    if (systemAbilityId != COMMON_EVENT_SERVICE_ID) {
        return;
    }
    ConfigManager::GetInstance().StartUpdate();
}
180 
// Listener hook for a removed system ability: only logs the id, no state is changed.
// systemAbilityId: id of the ability that was removed.
// deviceId:        not used by this implementation.
void RiskAnalysisManagerService::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
{
    SGLOGW("OnRemoveSystemAbility, systemAbilityId=%{public}d", systemAbilityId);
}
185 }
186