1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_verification.h"
17
18 #include "ability_manager_errors.h"
19 #include "accesstoken_kit.h"
20 #include "hilog_tag_wrapper.h"
21 #include "permission_constants.h"
22 #include "server_constant.h"
23 #include "support_system_ability_permission.h"
24 #include "tokenid_kit.h"
25 #include "hitrace_meter.h"
26 #include "hilog_tag_wrapper.h"
27
28 namespace OHOS {
29 namespace AAFwk {
30 const std::string DLP_PARAMS_SECURITY_FLAG = "ohos.dlp.params.securityFlag";
31 namespace {
32 const int32_t SHELL_START_EXTENSION_FLOOR = 0; // FORM
33 const int32_t SHELL_START_EXTENSION_CEIL = 21; // EMBEDDED_UI
34 const int32_t TOKEN_ID_BIT_SIZE = 32;
35 const std::string FOUNDATION_PROCESS_NAME = "foundation";
36 const std::set<std::string> OBSERVER_NATIVE_CALLER = {
37 "memmgrservice",
38 "resource_schedule_service",
39 };
40 }
VerifyPermissionByTokenId(const int & tokenId,const std::string & permissionName) const41 bool PermissionVerification::VerifyPermissionByTokenId(const int &tokenId, const std::string &permissionName) const
42 {
43 TAG_LOGD(AAFwkTag::DEFAULT, "permission %{public}s", permissionName.c_str());
44 int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionName, false);
45 if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
46 TAG_LOGE(AAFwkTag::DEFAULT, "%{public}s: PERMISSION_DENIED", permissionName.c_str());
47 return false;
48 }
49 TAG_LOGD(AAFwkTag::DEFAULT, "verify token success");
50 return true;
51 }
52
VerifyCallingPermission(const std::string & permissionName,const uint32_t specifyTokenId) const53 bool PermissionVerification::VerifyCallingPermission(
54 const std::string &permissionName, const uint32_t specifyTokenId) const
55 {
56 HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
57 TAG_LOGD(AAFwkTag::DEFAULT, "permission %{public}s, specifyTokenId: %{public}u",
58 permissionName.c_str(), specifyTokenId);
59 auto callerToken = specifyTokenId == 0 ? GetCallingTokenID() : specifyTokenId;
60 TAG_LOGD(AAFwkTag::DEFAULT, "Token: %{public}u", callerToken);
61 int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName, false);
62 if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
63 TAG_LOGE(AAFwkTag::DEFAULT, "%{public}s: PERMISSION_DENIED", permissionName.c_str());
64 return false;
65 }
66 TAG_LOGD(AAFwkTag::DEFAULT, "verify Token success");
67 return true;
68 }
69
IsSACall() const70 bool PermissionVerification::IsSACall() const
71 {
72 auto callerToken = GetCallingTokenID();
73 return IsSACallByTokenId(callerToken);
74 }
75
IsSACallByTokenId(uint32_t callerTokenId) const76 bool PermissionVerification::IsSACallByTokenId(uint32_t callerTokenId) const
77 {
78 TAG_LOGD(AAFwkTag::DEFAULT, "called");
79 if (callerTokenId == 0) {
80 callerTokenId = GetCallingTokenID();
81 }
82 auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
83 if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
84 TAG_LOGD(AAFwkTag::DEFAULT, "verify success");
85 return true;
86 }
87 TAG_LOGD(AAFwkTag::DEFAULT, "Not SA called");
88 return false;
89 }
90
IsShellCall() const91 bool PermissionVerification::IsShellCall() const
92 {
93 auto callerToken = GetCallingTokenID();
94 return IsShellCallByTokenId(callerToken);
95 }
96
IsShellCallByTokenId(uint32_t callerTokenId) const97 bool PermissionVerification::IsShellCallByTokenId(uint32_t callerTokenId) const
98 {
99 TAG_LOGD(AAFwkTag::DEFAULT, "called");
100 if (callerTokenId == 0) {
101 callerTokenId = GetCallingTokenID();
102 }
103 auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
104 if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
105 TAG_LOGD(AAFwkTag::DEFAULT, "verify success");
106 return true;
107 }
108 TAG_LOGD(AAFwkTag::DEFAULT, "Not shell called");
109 return false;
110 }
111
CheckSpecificSystemAbilityAccessPermission(const std::string & processName) const112 bool PermissionVerification::CheckSpecificSystemAbilityAccessPermission(const std::string &processName) const
113 {
114 HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
115 TAG_LOGD(AAFwkTag::DEFAULT, "called");
116 if (!IsSACall()) {
117 TAG_LOGE(AAFwkTag::DEFAULT, "verify fail");
118 return false;
119 }
120 auto callerToken = GetCallingTokenID();
121 Security::AccessToken::NativeTokenInfo nativeTokenInfo;
122 int32_t result = Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(callerToken, nativeTokenInfo);
123 if (result != ERR_OK || nativeTokenInfo.processName != processName) {
124 TAG_LOGE(AAFwkTag::DEFAULT, "check process fail");
125 return false;
126 }
127 return true;
128 }
129
CheckObserverCallerPermission() const130 bool PermissionVerification::CheckObserverCallerPermission() const
131 {
132 TAG_LOGD(AAFwkTag::DEFAULT, "called");
133 if (!IsSACall()) {
134 TAG_LOGE(AAFwkTag::DEFAULT, "tokenType not native");
135 return false;
136 }
137 auto callerToken = GetCallingTokenID();
138 Security::AccessToken::NativeTokenInfo nativeTokenInfo;
139 int32_t result = Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(callerToken, nativeTokenInfo);
140 if (result != ERR_OK ||
141 OBSERVER_NATIVE_CALLER.find(nativeTokenInfo.processName) == OBSERVER_NATIVE_CALLER.end()) {
142 TAG_LOGE(AAFwkTag::DEFAULT, "check token fail");
143 return false;
144 }
145 return true;
146 }
147
VerifyRunningInfoPerm() const148 bool PermissionVerification::VerifyRunningInfoPerm() const
149 {
150 if (VerifyCallingPermission(PermissionConstants::PERMISSION_GET_RUNNING_INFO)) {
151 TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
152 return true;
153 }
154 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
155 return false;
156 }
157
VerifyControllerPerm() const158 bool PermissionVerification::VerifyControllerPerm() const
159 {
160 if (VerifyCallingPermission(PermissionConstants::PERMISSION_SET_ABILITY_CONTROLLER)) {
161 TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
162 return true;
163 }
164 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
165 return false;
166 }
167
VerifyDlpPermission(Want & want) const168 bool PermissionVerification::VerifyDlpPermission(Want &want) const
169 {
170 if (want.GetIntParam(AbilityRuntime::ServerConstant::DLP_INDEX, 0) == 0) {
171 want.RemoveParam(DLP_PARAMS_SECURITY_FLAG);
172 return true;
173 }
174
175 if (VerifyCallingPermission(PermissionConstants::PERMISSION_ACCESS_DLP)) {
176 return true;
177 }
178 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
179 return false;
180 }
181
VerifyAccountPermission() const182 int PermissionVerification::VerifyAccountPermission() const
183 {
184 if (VerifyCallingPermission(PermissionConstants::PERMISSION_INTERACT_ACROSS_LOCAL_ACCOUNTS)) {
185 return ERR_OK;
186 }
187 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
188 return CHECK_PERMISSION_FAILED;
189 }
190
VerifyMissionPermission() const191 bool PermissionVerification::VerifyMissionPermission() const
192 {
193 HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
194 if (VerifyCallingPermission(PermissionConstants::PERMISSION_MANAGE_MISSION)) {
195 TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
196 return true;
197 }
198 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
199 return false;
200 }
201
VerifyAppStateObserverPermission() const202 int PermissionVerification::VerifyAppStateObserverPermission() const
203 {
204 if (VerifyCallingPermission(PermissionConstants::PERMISSION_RUNNING_STATE_OBSERVER)) {
205 TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
206 return ERR_OK;
207 }
208 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
209 return ERR_PERMISSION_DENIED;
210 }
211
VerifyUpdateConfigurationPerm() const212 int32_t PermissionVerification::VerifyUpdateConfigurationPerm() const
213 {
214 if (VerifyCallingPermission(PermissionConstants::PERMISSION_UPDATE_CONFIGURATION)) {
215 TAG_LOGI(AAFwkTag::DEFAULT,
216 "Permission %{public}s granted", PermissionConstants::PERMISSION_UPDATE_CONFIGURATION);
217 return ERR_OK;
218 }
219 TAG_LOGE(AAFwkTag::DEFAULT,
220 "Permission %{public}s denied", PermissionConstants::PERMISSION_UPDATE_CONFIGURATION);
221 return ERR_PERMISSION_DENIED;
222 }
223
VerifyUpdateAPPConfigurationPerm() const224 int32_t PermissionVerification::VerifyUpdateAPPConfigurationPerm() const
225 {
226 if (VerifyCallingPermission(PermissionConstants::PERMISSION_UPDATE_APP_CONFIGURATION)) {
227 TAG_LOGI(AAFwkTag::DEFAULT,
228 "Permission %{public}s granted", PermissionConstants::PERMISSION_UPDATE_APP_CONFIGURATION);
229 return ERR_OK;
230 }
231 TAG_LOGE(AAFwkTag::DEFAULT,
232 "Permission %{public}s denied", PermissionConstants::PERMISSION_UPDATE_APP_CONFIGURATION);
233 return ERR_PERMISSION_DENIED;
234 }
235
VerifyInstallBundlePermission() const236 bool PermissionVerification::VerifyInstallBundlePermission() const
237 {
238 if (VerifyCallingPermission(PermissionConstants::PERMISSION_INSTALL_BUNDLE)) {
239 TAG_LOGI(AAFwkTag::DEFAULT,
240 "Permission %{public}s granted", PermissionConstants::PERMISSION_INSTALL_BUNDLE);
241 return true;
242 }
243
244 TAG_LOGE(AAFwkTag::DEFAULT, "Permission %{public}s denied", PermissionConstants::PERMISSION_INSTALL_BUNDLE);
245 return false;
246 }
247
VerifyGetBundleInfoPrivilegedPermission() const248 bool PermissionVerification::VerifyGetBundleInfoPrivilegedPermission() const
249 {
250 if (VerifyCallingPermission(PermissionConstants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED)) {
251 TAG_LOGI(AAFwkTag::DEFAULT,
252 "Permission %{public}s granted", PermissionConstants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
253 return true;
254 }
255
256 TAG_LOGE(AAFwkTag::DEFAULT,
257 "Permission %{public}s denied", PermissionConstants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
258 return false;
259 }
260
VerifyStartRecentAbilityPermission() const261 bool PermissionVerification::VerifyStartRecentAbilityPermission() const
262 {
263 if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_RECENT_ABILITY)) {
264 TAG_LOGI(AAFwkTag::DEFAULT,
265 "Permission %{public}s granted", PermissionConstants::PERMISSION_START_RECENT_ABILITY);
266 return true;
267 }
268 return VerifyMissionPermission();
269 }
270
CheckCallDataAbilityPermission(const VerificationInfo & verificationInfo,bool isShell) const271 int PermissionVerification::CheckCallDataAbilityPermission(const VerificationInfo &verificationInfo, bool isShell) const
272 {
273 if ((verificationInfo.apiTargetVersion > API8 || isShell) &&
274 !JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall)) {
275 TAG_LOGE(AAFwkTag::DEFAULT, "caller START_ABILITIES_FROM_BACKGROUND permission invalid");
276 return CHECK_PERMISSION_FAILED;
277 }
278 if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
279 TAG_LOGE(AAFwkTag::DEFAULT,
280 "caller INVISIBLE permission invalid");
281 return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
282 }
283 if (!JudgeAssociatedWakeUp(verificationInfo.accessTokenId, verificationInfo.associatedWakeUp)) {
284 TAG_LOGE(AAFwkTag::DEFAULT, "associatedWakeUp false");
285 return CHECK_PERMISSION_FAILED;
286 }
287
288 return ERR_OK;
289 }
290
CheckCallServiceAbilityPermission(const VerificationInfo & verificationInfo) const291 int PermissionVerification::CheckCallServiceAbilityPermission(const VerificationInfo &verificationInfo) const
292 {
293 if (CheckSpecificSystemAbilityAccessPermission(FOUNDATION_PROCESS_NAME)) {
294 TAG_LOGD(AAFwkTag::DEFAULT, "Allow fms to connect service ability");
295 return ERR_OK;
296 }
297 if ((verificationInfo.apiTargetVersion > API8 || IsShellCall()) &&
298 !JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall)) {
299 TAG_LOGE(AAFwkTag::DEFAULT, "caller START_ABILITIES_FROM_BACKGROUND permission invalid");
300 return CHECK_PERMISSION_FAILED;
301 }
302 if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
303 TAG_LOGE(AAFwkTag::DEFAULT, "caller INVISIBLE permission invalid");
304 return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
305 }
306 if (!JudgeAssociatedWakeUp(verificationInfo.accessTokenId, verificationInfo.associatedWakeUp)) {
307 TAG_LOGE(AAFwkTag::DEFAULT, "associatedWakeUp false");
308 return CHECK_PERMISSION_FAILED;
309 }
310
311 return ERR_OK;
312 }
313
CheckCallAbilityPermission(const VerificationInfo & verificationInfo,bool isCallByShortcut) const314 int PermissionVerification::CheckCallAbilityPermission(const VerificationInfo &verificationInfo,
315 bool isCallByShortcut) const
316 {
317 return JudgeInvisibleAndBackground(verificationInfo, isCallByShortcut);
318 }
319
CheckCallServiceExtensionPermission(const VerificationInfo & verificationInfo) const320 int PermissionVerification::CheckCallServiceExtensionPermission(const VerificationInfo &verificationInfo) const
321 {
322 return JudgeInvisibleAndBackground(verificationInfo);
323 }
324
CheckStartByCallPermission(const VerificationInfo & verificationInfo) const325 int PermissionVerification::CheckStartByCallPermission(const VerificationInfo &verificationInfo) const
326 {
327 if (IsCallFromSameAccessToken(verificationInfo.accessTokenId)) {
328 TAG_LOGE(AAFwkTag::DEFAULT, "StartAbilityByCall reject");
329 return CHECK_PERMISSION_FAILED;
330 }
331 // Different APP call, check permissions
332 if (!VerifyCallingPermission(PermissionConstants::PERMISSION_ABILITY_BACKGROUND_COMMUNICATION)) {
333 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
334 return CHECK_PERMISSION_FAILED;
335 }
336 if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
337 TAG_LOGE(AAFwkTag::DEFAULT, "caller INVISIBLE permission invalid");
338 return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
339 }
340 if (!JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall)) {
341 TAG_LOGE(AAFwkTag::DEFAULT, "caller START_ABILITIES_FROM_BACKGROUND permission invalid");
342 return CHECK_PERMISSION_FAILED;
343 }
344
345 return ERR_OK;
346 }
347
GetCallingTokenID() const348 unsigned int PermissionVerification::GetCallingTokenID() const
349 {
350 auto callerToken = IPCSkeleton::GetCallingTokenID();
351 TAG_LOGD(AAFwkTag::DEFAULT, "callerToken: %{private}u", callerToken);
352 return callerToken;
353 }
354
JudgeStartInvisibleAbility(const uint32_t accessTokenId,const bool visible,const uint32_t specifyTokenId) const355 bool PermissionVerification::JudgeStartInvisibleAbility(const uint32_t accessTokenId, const bool visible,
356 const uint32_t specifyTokenId) const
357 {
358 if (visible) {
359 TAG_LOGD(AAFwkTag::DEFAULT, "visible:true");
360 return true;
361 }
362 if (specifyTokenId > 0 && accessTokenId == specifyTokenId) {
363 TAG_LOGD(AAFwkTag::DEFAULT, "accessTokenId equal specifyTokenId");
364 return true;
365 }
366 if (IsCallFromSameAccessToken(accessTokenId)) {
367 TAG_LOGD(AAFwkTag::DEFAULT, "TargetAbility in same APP");
368 return true;
369 }
370 if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_INVISIBLE_ABILITY, specifyTokenId)) {
371 TAG_LOGD(AAFwkTag::DEFAULT, "Caller PASS");
372 return true;
373 }
374 TAG_LOGE(AAFwkTag::DEFAULT, "verification fail");
375 return false;
376 }
377
JudgeStartAbilityFromBackground(const bool isBackgroundCall) const378 bool PermissionVerification::JudgeStartAbilityFromBackground(const bool isBackgroundCall) const
379 {
380 if (!isBackgroundCall) {
381 TAG_LOGD(AAFwkTag::DEFAULT, "Caller not background");
382 return true;
383 }
384
385 // Temporarily supports permissions with two different spellings
386 // PERMISSION_START_ABILIIES_FROM_BACKGROUND will be removed later due to misspelling
387 if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_ABILITIES_FROM_BACKGROUND) ||
388 VerifyCallingPermission(PermissionConstants::PERMISSION_START_ABILIIES_FROM_BACKGROUND)) {
389 TAG_LOGD(AAFwkTag::DEFAULT, "Caller PASS");
390 return true;
391 }
392 TAG_LOGE(AAFwkTag::DEFAULT, "verification fail");
393 return false;
394 }
395
JudgeAssociatedWakeUp(const uint32_t accessTokenId,const bool associatedWakeUp) const396 bool PermissionVerification::JudgeAssociatedWakeUp(const uint32_t accessTokenId, const bool associatedWakeUp) const
397 {
398 if (IsCallFromSameAccessToken(accessTokenId)) {
399 TAG_LOGD(AAFwkTag::DEFAULT, "TargetAbility in same APP");
400 return true;
401 }
402 if (associatedWakeUp) {
403 TAG_LOGD(AAFwkTag::DEFAULT, "associatedWakeUp: true");
404 return true;
405 }
406 TAG_LOGE(AAFwkTag::DEFAULT, "not allowed associatedWakeUp");
407 return false;
408 }
409
JudgeInvisibleAndBackground(const VerificationInfo & verificationInfo,bool isCallByShortcut) const410 int PermissionVerification::JudgeInvisibleAndBackground(const VerificationInfo &verificationInfo,
411 bool isCallByShortcut) const
412 {
413 uint32_t specifyTokenId = verificationInfo.specifyTokenId;
414 TAG_LOGD(AAFwkTag::DEFAULT, "specifyTokenId: %{public}u, isCallByShortcut %{public}d",
415 specifyTokenId, isCallByShortcut);
416 if (specifyTokenId == 0 &&
417 SupportSystemAbilityPermission::IsSupportSaCallPermission() && IsSACall()) {
418 TAG_LOGD(AAFwkTag::DEFAULT, "Support SA call");
419 return ERR_OK;
420 }
421 if (!isCallByShortcut &&
422 !JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible,
423 specifyTokenId)) {
424 TAG_LOGE(AAFwkTag::DEFAULT, "caller INVISIBLE permission invalid");
425 return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
426 }
427 if (!JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall)) {
428 TAG_LOGE(AAFwkTag::DEFAULT, "caller START_ABILITIES_FROM_BACKGROUND permission invalid");
429 return CHECK_PERMISSION_FAILED;
430 }
431
432 return ERR_OK;
433 }
434
JudgeCallerIsAllowedToUseSystemAPI() const435 bool PermissionVerification::JudgeCallerIsAllowedToUseSystemAPI() const
436 {
437 if (IsSACall() || IsShellCall()) {
438 return true;
439 }
440 auto callerToken = IPCSkeleton::GetCallingFullTokenID();
441 return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(callerToken);
442 }
443
IsSystemAppCall() const444 bool PermissionVerification::IsSystemAppCall() const
445 {
446 auto callerToken = IPCSkeleton::GetCallingFullTokenID();
447 return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(callerToken);
448 }
449
IsSystemAppCallByTokenId(uint32_t callerTokenId) const450 bool PermissionVerification::IsSystemAppCallByTokenId(uint32_t callerTokenId) const
451 {
452 if (callerTokenId == 0) {
453 return IsSystemAppCall();
454 }
455 auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
456 if (tokenType != Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) {
457 TAG_LOGE(AAFwkTag::URIPERMMGR, "Not TOKEN_HAP.");
458 return false;
459 }
460 Security::AccessToken::HapTokenInfo hapInfo;
461 auto ret = Security::AccessToken::AccessTokenKit::GetHapTokenInfo(callerTokenId, hapInfo);
462 if (ret != Security::AccessToken::AccessTokenKitRet::RET_SUCCESS) {
463 TAG_LOGE(AAFwkTag::URIPERMMGR, "GetHapTokenInfo failed, ret:%{public}d", ret);
464 return false;
465 }
466 uint64_t fullCallerTokenId = (static_cast<uint64_t>(hapInfo.tokenAttr) << TOKEN_ID_BIT_SIZE) + callerTokenId;
467 return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullCallerTokenId);
468 }
469
VerifyBackgroundCallPermission(const bool isBackgroundCall) const470 bool PermissionVerification::VerifyBackgroundCallPermission(const bool isBackgroundCall) const
471 {
472 return JudgeStartAbilityFromBackground(isBackgroundCall);
473 }
474
VerifyPrepareTerminatePermission() const475 bool PermissionVerification::VerifyPrepareTerminatePermission() const
476 {
477 if (VerifyCallingPermission(PermissionConstants::PERMISSION_PREPARE_TERMINATE)) {
478 TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
479 return true;
480 }
481 TAG_LOGD(AAFwkTag::DEFAULT, "Permission denied");
482 return false;
483 }
484
VerifyPrepareTerminatePermission(const int & tokenId) const485 bool PermissionVerification::VerifyPrepareTerminatePermission(const int &tokenId) const
486 {
487 int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId,
488 PermissionConstants::PERMISSION_PREPARE_TERMINATE, false);
489 if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
490 TAG_LOGD(AAFwkTag::DEFAULT, "permission denied");
491 return false;
492 }
493 TAG_LOGD(AAFwkTag::DEFAULT, "verify AccessToken success");
494 return true;
495 }
496
VerifyShellStartExtensionType(int32_t type) const497 bool PermissionVerification::VerifyShellStartExtensionType(int32_t type) const
498 {
499 if (IsShellCall() && type >= SHELL_START_EXTENSION_FLOOR && type <= SHELL_START_EXTENSION_CEIL) {
500 return true;
501 }
502 TAG_LOGD(AAFwkTag::DEFAULT, "reject start");
503 return false;
504 }
505
VerifyPreloadApplicationPermission() const506 bool PermissionVerification::VerifyPreloadApplicationPermission() const
507 {
508 if (VerifyCallingPermission(PermissionConstants::PERMISSION_PRELOAD_APPLICATION)) {
509 TAG_LOGD(AAFwkTag::DEFAULT, "Permission %{public}s granted",
510 PermissionConstants::PERMISSION_PRELOAD_APPLICATION);
511 return true;
512 }
513 TAG_LOGE(AAFwkTag::DEFAULT, "Permission %{public}s denied",
514 PermissionConstants::PERMISSION_PRELOAD_APPLICATION);
515 return false;
516 }
517
VerifyPreStartAtomicServicePermission() const518 bool PermissionVerification::VerifyPreStartAtomicServicePermission() const
519 {
520 if (VerifyCallingPermission(PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE)) {
521 TAG_LOGD(AAFwkTag::APPMGR, "Permission %{public}s granted",
522 PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE);
523 return true;
524 }
525 TAG_LOGW(AAFwkTag::APPMGR, "Permission %{public}s denied",
526 PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE);
527 return false;
528 }
529
VerifyKillProcessDependedOnWebPermission() const530 bool PermissionVerification::VerifyKillProcessDependedOnWebPermission() const
531 {
532 if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_KILL_PROCESS_DEPENDED_ON_WEB)) {
533 TAG_LOGD(AAFwkTag::APPMGR, "Permission granted");
534 return true;
535 }
536 TAG_LOGW(AAFwkTag::APPMGR, "Permission denied");
537 return false;
538 }
539
VerifyBlockAllAppStartPermission() const540 bool PermissionVerification::VerifyBlockAllAppStartPermission() const
541 {
542 if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_BLOCK_ALL_APP_START)) {
543 TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
544 return true;
545 }
546 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
547 return false;
548 }
549
VerifyStartUIAbilityToHiddenPermission() const550 bool PermissionVerification::VerifyStartUIAbilityToHiddenPermission() const
551 {
552 if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_START_UIABILITY_TO_HIDDEN)) {
553 TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
554 return true;
555 }
556 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
557 return false;
558 }
559
VerifySuperviseKiaServicePermission() const560 bool PermissionVerification::VerifySuperviseKiaServicePermission() const
561 {
562 if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_SUPERVISE_KIA_SERVICE)) {
563 TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
564 return true;
565 }
566 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
567 return false;
568 }
569
VerifyStartLocalDebug() const570 bool PermissionVerification::VerifyStartLocalDebug() const
571 {
572 if (VerifyCallingPermission(PermissionConstants::PERMISSION_PERFORM_LOCAL_DEBUG)) {
573 TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
574 return true;
575 }
576 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
577 return false;
578 }
579
VerifyStartSelfUIAbility(int tokenId) const580 bool PermissionVerification::VerifyStartSelfUIAbility(int tokenId) const
581 {
582 if (!IsSACall() && VerifyPermissionByTokenId(tokenId, PermissionConstants::PERMISSION_NDK_START_SELF_UI_ABILITY)) {
583 TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
584 return true;
585 }
586 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
587 return false;
588 }
589
VerifyFusionAccessPermission() const590 bool PermissionVerification::VerifyFusionAccessPermission() const
591 {
592 auto callerToken = GetCallingTokenID();
593 if (VerifyPermissionByTokenId(callerToken, PermissionConstants::PERMISSION_FUSION_ACCESS)) {
594 TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
595 return true;
596 }
597 TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
598 return false;
599 }
600 } // namespace AAFwk
601 } // namespace OHOS
602