1 /*
2 * Copyright (c) 2024-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_data_brief.h"
17
18 #include <algorithm>
19 #include <chrono>
20 #include <iostream>
21
22 #include "access_token.h"
23 #include "access_token_error.h"
24 #include "accesstoken_common_log.h"
25 #include "constant_common.h"
26 #include "permission_map.h"
27 #include "perm_setproc.h"
28 #include "permission_validator.h"
29 #include "accesstoken_id_manager.h"
30 #include "data_validator.h"
31 #include "tokenid_attributes.h"
32 #include "token_field_const.h"
33 #include "data_translator.h"
34
35 namespace OHOS {
36 namespace Security {
37 namespace AccessToken {
38 std::recursive_mutex g_briefInstanceMutex;
39
40 const uint32_t IS_KERNEL_EFFECT = (0x1 << 0);
41 const uint32_t HAS_VALUE = (0x1 << 1);
42
GetInstance()43 PermissionDataBrief& PermissionDataBrief::GetInstance()
44 {
45 static PermissionDataBrief* instance = nullptr;
46 if (instance == nullptr) {
47 std::lock_guard<std::recursive_mutex> lock(g_briefInstanceMutex);
48 if (instance == nullptr) {
49 PermissionDataBrief* tmp = new PermissionDataBrief();
50 instance = std::move(tmp);
51 }
52 }
53 return *instance;
54 }
55
GetPermissionBriefData(AccessTokenID tokenID,const PermissionStatus & permState,const std::map<std::string,std::string> & aclExtendedMap,BriefPermData & briefPermData)56 bool PermissionDataBrief::GetPermissionBriefData(
57 AccessTokenID tokenID, const PermissionStatus &permState,
58 const std::map<std::string, std::string>& aclExtendedMap, BriefPermData& briefPermData)
59 {
60 uint32_t code;
61 if (PermissionValidator::IsGrantStatusValid(permState.grantStatus) &&
62 TransferPermissionToOpcode(permState.permissionName, code)) {
63 PermissionBriefDef briefDef;
64 GetPermissionBriefDef(code, briefDef);
65
66 briefPermData.status = static_cast<int8_t>(permState.grantStatus);
67 briefPermData.permCode = code;
68 briefPermData.flag = permState.grantFlag;
69 if (briefDef.isKernelEffect) {
70 briefPermData.type = IS_KERNEL_EFFECT;
71 } else {
72 briefPermData.type = 0;
73 }
74
75 uint64_t key = (static_cast<uint64_t>(tokenID) << 32) | briefPermData.permCode;
76 if (briefDef.hasValue) {
77 auto iter = aclExtendedMap.find(permState.permissionName);
78 if (iter != aclExtendedMap.end()) {
79 extendedValue_[key] = iter->second;
80 } else {
81 extendedValue_[key] = "";
82 }
83 briefPermData.type |= HAS_VALUE;
84 }
85
86 if (briefPermData.type != 0) {
87 LOGI(ATM_DOMAIN, ATM_TAG, "%{public}s with type %{public}d",
88 permState.permissionName.c_str(), static_cast<int32_t>(briefPermData.type));
89 }
90 // if permission is about kernel permission without value, do not add it to extendedValue_
91 return true;
92 }
93
94 return false;
95 }
96
GetExtendedValueList(AccessTokenID tokenId,std::vector<PermissionWithValue> & extendedPermList)97 void PermissionDataBrief::GetExtendedValueList(
98 AccessTokenID tokenId, std::vector<PermissionWithValue>& extendedPermList)
99 {
100 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
101 return GetExtendedValueListInner(tokenId, extendedPermList);
102 }
103
GetExtendedValueListInner(AccessTokenID tokenId,std::vector<PermissionWithValue> & extendedPermList)104 void PermissionDataBrief::GetExtendedValueListInner(
105 AccessTokenID tokenId, std::vector<PermissionWithValue>& extendedPermList)
106 {
107 for (const auto& item : extendedValue_) {
108 uint64_t key = item.first;
109 uint32_t permCode = key & 0xFFFFFFFF;
110 std::string permissionName;
111 if (!TransferOpcodeToPermission(permCode, permissionName)) {
112 LOGE(ATM_DOMAIN, ATM_TAG, "TransferOpcodeToPermission failed, permCode: %{public}u", permCode);
113 continue;
114 }
115 uint32_t tmpTokenID = key >> 32;
116 if (tmpTokenID != tokenId) {
117 continue;
118 }
119 PermissionWithValue extendedPerm;
120 extendedPerm.permissionName = permissionName;
121 extendedPerm.value = item.second;
122 extendedPermList.emplace_back(extendedPerm);
123 }
124 }
125
GetKernelPermissions(AccessTokenID tokenId,std::vector<PermissionWithValue> & kernelPermList)126 int32_t PermissionDataBrief::GetKernelPermissions(
127 AccessTokenID tokenId, std::vector<PermissionWithValue>& kernelPermList)
128 {
129 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
130
131 std::vector<BriefPermData> list;
132 int32_t ret = GetBriefPermDataByTokenIdInner(tokenId, list);
133 if (ret != RET_SUCCESS) {
134 LOGE(ATM_DOMAIN, ATM_TAG,
135 "GetBriefPermDataByTokenIdInner failed, tokenId: %{public}d, ret is %{public}d", tokenId, ret);
136 return ret;
137 }
138 for (const auto& data : list) {
139 if ((data.type & IS_KERNEL_EFFECT) != IS_KERNEL_EFFECT) {
140 continue;
141 }
142 std::string permissionName;
143 if (!TransferOpcodeToPermission(data.permCode, permissionName)) {
144 LOGE(ATM_DOMAIN, ATM_TAG, "TransferOpcodeToPermission failed, permCode: %{public}u", data.permCode);
145 continue;
146 }
147 std::string value;
148 if ((data.type & HAS_VALUE) == HAS_VALUE) {
149 uint64_t key = (static_cast<uint64_t>(tokenId) << 32) | data.permCode;
150 auto it = extendedValue_.find(key);
151 if (it == extendedValue_.end()) {
152 LOGE(ATM_DOMAIN, ATM_TAG, "%{public}s not with value.", permissionName.c_str());
153 return ERR_PERMISSION_WITHOUT_VALUE;
154 }
155 value = it->second;
156 if (value.empty()) {
157 value = "true";
158 }
159 } else {
160 value = "true";
161 }
162 PermissionWithValue kernelPerm;
163 kernelPerm.permissionName = permissionName;
164 kernelPerm.value = value;
165 kernelPermList.emplace_back(kernelPerm);
166 }
167 return RET_SUCCESS;
168 }
169
GetReqPermissionByName(AccessTokenID tokenId,const std::string & permissionName,std::string & value,bool tokenIdCheck)170 int32_t PermissionDataBrief::GetReqPermissionByName(
171 AccessTokenID tokenId, const std::string& permissionName,
172 std::string& value, bool tokenIdCheck)
173 {
174 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
175 if (tokenIdCheck) {
176 auto iter = requestedPermData_.find(tokenId);
177 if (iter == requestedPermData_.end()) {
178 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is not exist.", tokenId);
179 return ERR_TOKEN_INVALID;
180 }
181 }
182
183 uint32_t permCode;
184 if (!TransferPermissionToOpcode(permissionName, permCode)) {
185 LOGE(ATM_DOMAIN, ATM_TAG,
186 "TransferPermissionToOpcode failed, permissionName: %{public}s.", permissionName.c_str());
187 return ERR_PERMISSION_NOT_EXIST;
188 }
189 uint64_t key = (static_cast<uint64_t>(tokenId) << 32) | permCode;
190 auto it = extendedValue_.find(key);
191 if (it == extendedValue_.end()) {
192 LOGE(ATM_DOMAIN, ATM_TAG, "%{public}s not with value.", permissionName.c_str());
193 return ERR_PERMISSION_WITHOUT_VALUE;
194 }
195
196 value = it->second;
197 return RET_SUCCESS;
198 }
199
GetPermissionStatus(const BriefPermData & briefPermData,PermissionStatus & permState)200 bool PermissionDataBrief::GetPermissionStatus(const BriefPermData& briefPermData, PermissionStatus &permState)
201 {
202 std::string permissionName;
203 if (TransferOpcodeToPermission(briefPermData.permCode, permissionName)) {
204 permState.grantStatus = static_cast<int32_t>(briefPermData.status);
205 permState.permissionName = permissionName;
206 permState.grantFlag = briefPermData.flag;
207 return true;
208 }
209 return false;
210 }
211
GetPermissionBriefDataList(AccessTokenID tokenID,const std::vector<PermissionStatus> & permStateList,const std::map<std::string,std::string> & aclExtendedMap,std::vector<BriefPermData> & list)212 void PermissionDataBrief::GetPermissionBriefDataList(AccessTokenID tokenID,
213 const std::vector<PermissionStatus>& permStateList,
214 const std::map<std::string, std::string>& aclExtendedMap,
215 std::vector<BriefPermData>& list)
216 {
217 // delte permission with value
218 DeleteExtendedValue(tokenID);
219
220 for (const auto& state : permStateList) {
221 BriefPermData data = {0};
222 if (GetPermissionBriefData(tokenID, state, aclExtendedMap, data)) {
223 list.emplace_back(data);
224 }
225 }
226 }
227
AddBriefPermDataByTokenId(AccessTokenID tokenID,const std::vector<BriefPermData> & listInput)228 void PermissionDataBrief::AddBriefPermDataByTokenId(
229 AccessTokenID tokenID, const std::vector<BriefPermData>& listInput)
230 {
231 auto iter = requestedPermData_.find(tokenID);
232 if (iter != requestedPermData_.end()) {
233 requestedPermData_.erase(tokenID);
234 }
235 requestedPermData_[tokenID] = listInput;
236 }
237
AddPermToBriefPermission(AccessTokenID tokenId,const std::vector<PermissionStatus> & permStateList,bool defCheck)238 void PermissionDataBrief::AddPermToBriefPermission(
239 AccessTokenID tokenId, const std::vector<PermissionStatus>& permStateList, bool defCheck)
240 {
241 std::map<std::string, std::string> aclExtendedMap;
242 return AddPermToBriefPermission(tokenId, permStateList, aclExtendedMap, defCheck);
243 }
244
AddPermToBriefPermission(AccessTokenID tokenId,const std::vector<PermissionStatus> & permStateList,const std::map<std::string,std::string> & aclExtendedMap,bool defCheck)245 void PermissionDataBrief::AddPermToBriefPermission(
246 AccessTokenID tokenId, const std::vector<PermissionStatus>& permStateList,
247 const std::map<std::string, std::string>& aclExtendedMap, bool defCheck)
248 {
249 ATokenTypeEnum tokenType = TokenIDAttributes::GetTokenIdTypeEnum(tokenId);
250 std::vector<PermissionStatus> permStateListRes;
251 if (defCheck) {
252 PermissionValidator::FilterInvalidPermissionState(tokenType, true, permStateList, permStateListRes);
253 } else {
254 permStateListRes.assign(permStateList.begin(), permStateList.end());
255 }
256
257 std::vector<BriefPermData> list;
258 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
259 GetPermissionBriefDataList(tokenId, permStateListRes, aclExtendedMap, list);
260 AddBriefPermDataByTokenId(tokenId, list);
261 }
262
UpdatePermStatus(const BriefPermData & permOld,BriefPermData & permNew)263 void PermissionDataBrief::UpdatePermStatus(const BriefPermData& permOld, BriefPermData& permNew)
264 {
265 // If old permission is fixed by admin policy or admin cancel, and new permisson is fixed by system,
266 // use new initalized state.
267 if (((permOld.flag & PERMISSION_FIXED_BY_ADMIN_POLICY) != 0 ||
268 (permOld.flag & PERMISSION_ADMIN_POLICIES_CANCEL) != 0) &&
269 (permNew.flag == PERMISSION_SYSTEM_FIXED)) {
270 return;
271 }
272 // If old permission is admin cancel, and new permisson is pre_authorization cancelable,
273 // use new initalized state.
274 if ((permOld.flag & PERMISSION_ADMIN_POLICIES_CANCEL) != 0 &&
275 permNew.flag == PERMISSION_PRE_AUTHORIZED_CANCELABLE) {
276 return;
277 }
278
279 // if user_grant permission is not operated by user, it keeps the new initalized state.
280 // the new state can be pre_authorization.
281 if ((permOld.flag == PERMISSION_DEFAULT_FLAG) && (permOld.status == PERMISSION_DENIED)) {
282 return;
283 }
284 // if old user_grant permission is granted by pre_authorization fixed, it keeps the new initalized state.
285 // the new state can be pre_authorization or not.
286 if ((permOld.flag == PERMISSION_SYSTEM_FIXED) ||
287 // if old user_grant permission is granted by pre_authorization unfixed
288 // and the user has not operated this permission, it keeps the new initalized state.
289 (permOld.flag == PERMISSION_PRE_AUTHORIZED_CANCELABLE)) {
290 return;
291 }
292
293 permNew.status = permOld.status;
294 permNew.flag = permOld.flag;
295 }
296
Update(AccessTokenID tokenId,const std::vector<PermissionStatus> & permStateList,const std::map<std::string,std::string> & aclExtendedMap)297 void PermissionDataBrief::Update(
298 AccessTokenID tokenId, const std::vector<PermissionStatus>& permStateList,
299 const std::map<std::string, std::string>& aclExtendedMap)
300 {
301 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
302 std::vector<PermissionStatus> permStateFilterList;
303 PermissionValidator::FilterInvalidPermissionState(TOKEN_HAP, true, permStateList, permStateFilterList);
304 LOGI(ATM_DOMAIN, ATM_TAG, "PermStateFilterList size: %{public}zu.", permStateFilterList.size());
305
306 std::vector<BriefPermData> newList;
307 GetPermissionBriefDataList(tokenId, permStateFilterList, aclExtendedMap, newList);
308 std::vector<BriefPermData> briefPermDataList;
309 (void)GetBriefPermDataByTokenIdInner(tokenId, briefPermDataList);
310 for (BriefPermData& newPermData : newList) {
311 auto iter = std::find_if(briefPermDataList.begin(), briefPermDataList.end(),
312 [newPermData](const BriefPermData& oldPermData) {
313 return newPermData.permCode == oldPermData.permCode;
314 });
315 if (iter != briefPermDataList.end()) {
316 UpdatePermStatus(*iter, newPermData);
317 }
318 }
319 AddBriefPermDataByTokenId(tokenId, newList);
320 }
321
GetFlagWroteToDb(uint32_t grantFlag)322 uint32_t PermissionDataBrief::GetFlagWroteToDb(uint32_t grantFlag)
323 {
324 return ConstantCommon::GetFlagWithoutSpecifiedElement(grantFlag, PERMISSION_COMPONENT_SET);
325 }
326
TranslationIntoAclExtendedMap(AccessTokenID tokenId,const std::vector<GenericValues> & extendedPermRes,std::map<std::string,std::string> & aclExtendedMap)327 int32_t PermissionDataBrief::TranslationIntoAclExtendedMap(
328 AccessTokenID tokenId,
329 const std::vector<GenericValues>& extendedPermRes,
330 std::map<std::string, std::string>& aclExtendedMap)
331 {
332 for (const GenericValues& permValue : extendedPermRes) {
333 if ((AccessTokenID)permValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID) != tokenId) {
334 continue;
335 }
336 PermissionWithValue perm;
337 int ret = DataTranslator::TranslationIntoExtendedPermission(permValue, perm);
338 if (ret != RET_SUCCESS) {
339 return ret;
340 }
341 aclExtendedMap[perm.permissionName] = perm.value;
342 }
343 return RET_SUCCESS;
344 }
345
RestorePermissionBriefData(AccessTokenID tokenId,const std::vector<GenericValues> & permStateRes,const std::vector<GenericValues> extendedPermRes)346 void PermissionDataBrief::RestorePermissionBriefData(AccessTokenID tokenId,
347 const std::vector<GenericValues>& permStateRes, const std::vector<GenericValues> extendedPermRes)
348 {
349 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
350 std::vector<BriefPermData> list;
351 std::map<std::string, std::string> aclExtendedMap;
352 int result = TranslationIntoAclExtendedMap(tokenId, extendedPermRes, aclExtendedMap);
353 if (result != RET_SUCCESS) {
354 return;
355 }
356 for (const GenericValues& stateValue : permStateRes) {
357 if ((AccessTokenID)stateValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID) != tokenId) {
358 continue;
359 }
360 PermissionStatus state;
361 int ret = DataTranslator::TranslationIntoPermissionStatus(stateValue, state);
362 if (ret == RET_SUCCESS) {
363 BriefPermData data = {0};
364 if (!GetPermissionBriefData(tokenId, state, aclExtendedMap, data)) {
365 continue;
366 }
367 MergePermBriefData(list, data);
368 } else {
369 LOGE(ATM_DOMAIN, ATM_TAG, "TokenId 0x%{public}x permState is wrong.", tokenId);
370 }
371 }
372 AddBriefPermDataByTokenId(tokenId, list);
373 }
374
MergePermBriefData(std::vector<BriefPermData> & permBriefDataList,BriefPermData & data)375 void PermissionDataBrief::MergePermBriefData(std::vector<BriefPermData>& permBriefDataList,
376 BriefPermData& data)
377 {
378 uint32_t flag = GetFlagWroteToDb(data.flag);
379 data.flag = flag;
380 for (auto iter = permBriefDataList.begin(); iter != permBriefDataList.end(); iter++) {
381 if (data.permCode == iter->permCode) {
382 iter->status = data.status;
383 iter->flag = data.flag;
384 LOGD(ATM_DOMAIN, ATM_TAG, "Update permission: %{public}d.", static_cast<int32_t>(data.permCode));
385 return;
386 }
387 }
388 LOGD(ATM_DOMAIN, ATM_TAG, "Add permission: %{public}d.", static_cast<int32_t>(data.permCode));
389 permBriefDataList.emplace_back(data);
390 }
391
StorePermissionBriefData(AccessTokenID tokenId,std::vector<GenericValues> & permStateValueList)392 int32_t PermissionDataBrief::StorePermissionBriefData(AccessTokenID tokenId,
393 std::vector<GenericValues>& permStateValueList)
394 {
395 std::vector<BriefPermData> permBriefDatalist;
396 {
397 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
398 int32_t ret = GetBriefPermDataByTokenIdInner(tokenId, permBriefDatalist);
399 if (ret != RET_SUCCESS) {
400 return ret;
401 }
402 }
403
404 for (const auto& data : permBriefDatalist) {
405 LOGD(ATM_DOMAIN, ATM_TAG, "PermissionName: %{public}d", static_cast<int32_t>(data.permCode));
406 GenericValues genericValues;
407 PermissionStatus permState;
408 if (!GetPermissionStatus(data, permState)) {
409 LOGE(ATM_DOMAIN, ATM_TAG, "Permission not exist, code=%{public}d", static_cast<int32_t>(data.permCode));
410 continue;
411 }
412 genericValues.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
413 DataTranslator::TranslationIntoGenericValues(permState, genericValues);
414 permStateValueList.emplace_back(genericValues);
415 }
416 return RET_SUCCESS;
417 }
418
UpdateWithNewFlag(uint32_t oldFlag,uint32_t currFlag)419 static uint32_t UpdateWithNewFlag(uint32_t oldFlag, uint32_t currFlag)
420 {
421 uint32_t newFlag = currFlag | (oldFlag & PERMISSION_PRE_AUTHORIZED_CANCELABLE);
422 return newFlag;
423 }
424
425 /**
426 * @brief Check whether the permission is restricted by admin policy and cannot be modified.
427 * Returns true if:
428 * - the oldFlag was set with PERMISSION_FIXED_BY_ADMIN_POLICY, and
429 * - the newFlag does NOT contain any of the following flags:
430 * PERMISSION_FIXED_BY_ADMIN_POLICY, PERMISSION_SYSTEM_FIXED, or PERMISSION_ADMIN_POLICIES_CANCEL.
431 * This indicates that the permission is controlled by admin policy and cannot be modified.
432 *
433 * @param oldFlag The original permission flag before modification.
434 * @param newFlag The new permission flag to be applied.
435 * @return Returns true if the permission is restricted and cannot be modified;
436 * otherwise returns false.
437 */
isRestrictedPermission(uint32_t oldFlag,uint32_t newFlag)438 bool PermissionDataBrief::isRestrictedPermission(uint32_t oldFlag, uint32_t newFlag)
439 {
440 bool isFixedByAdmin = ((oldFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) == PERMISSION_FIXED_BY_ADMIN_POLICY);
441 bool newFlagDoesNotHaveFixedAdmin = (newFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) == 0;
442 bool newFlagHasNoSystemFixed = (newFlag & PERMISSION_SYSTEM_FIXED) == 0;
443 bool newFlagHasNoAdminCancel = (newFlag & PERMISSION_ADMIN_POLICIES_CANCEL) == 0;
444 return isFixedByAdmin && newFlagDoesNotHaveFixedAdmin && newFlagHasNoSystemFixed && newFlagHasNoAdminCancel;
445 }
446
UpdatePermStateList(AccessTokenID tokenId,uint32_t opCode,bool isGranted,uint32_t flag)447 int32_t PermissionDataBrief::UpdatePermStateList(
448 AccessTokenID tokenId, uint32_t opCode, bool isGranted, uint32_t flag)
449 {
450 auto iterPermData = requestedPermData_.find(tokenId);
451 if (iterPermData == requestedPermData_.end()) {
452 LOGC(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is not exist.", tokenId);
453 return ERR_TOKEN_INVALID;
454 }
455 std::vector<BriefPermData>& permBriefDatalist = requestedPermData_[tokenId];
456 auto iter = std::find_if(permBriefDatalist.begin(), permBriefDatalist.end(),
457 [opCode](const BriefPermData& permData) {
458 return opCode == permData.permCode;
459 });
460 if (iter == permBriefDatalist.end()) {
461 LOGC(ATM_DOMAIN, ATM_TAG, "Permission not request!");
462 return AccessTokenError::ERR_PARAM_INVALID;
463 }
464 if ((static_cast<uint32_t>(iter->flag) & PERMISSION_SYSTEM_FIXED) == PERMISSION_SYSTEM_FIXED) {
465 LOGC(ATM_DOMAIN, ATM_TAG, "Permission fixed by system!");
466 return AccessTokenError::ERR_PARAM_INVALID;
467 }
468 if (isRestrictedPermission(iter->flag, flag)) {
469 LOGC(ATM_DOMAIN, ATM_TAG, "Oldflag: %{public}d, invalid params!", iter->flag);
470 return AccessTokenError::ERR_PERMISSION_RESTRICTED;
471 }
472 if ((flag & PERMISSION_ADMIN_POLICIES_CANCEL) == PERMISSION_ADMIN_POLICIES_CANCEL &&
473 (iter->flag & PERMISSION_FIXED_BY_ADMIN_POLICY) == 0) {
474 LOGC(ATM_DOMAIN, ATM_TAG, "Permission is not fixed by admin policy, cannot cancel.");
475 return AccessTokenError::ERR_PARAM_INVALID;
476 }
477 if ((flag & PERMISSION_ADMIN_POLICIES_CANCEL) == 0) {
478 iter->status = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED;
479 }
480 iter->flag = UpdateWithNewFlag(iter->flag, flag);
481 LOGI(ATM_DOMAIN, ATM_TAG,
482 "Update perm state list, tokenId: %{public}d, permCode: %{public}d, status: %{public}d, flag: %{public}d",
483 tokenId, opCode, iter->status, iter->flag);
484 return RET_SUCCESS;
485 }
486
UpdateSecCompGrantedPermList(AccessTokenID tokenId,const std::string & permissionName,bool isToGrant)487 int32_t PermissionDataBrief::UpdateSecCompGrantedPermList(AccessTokenID tokenId,
488 const std::string& permissionName, bool isToGrant)
489 {
490 uint32_t flag = 0;
491 int32_t ret = QueryPermissionFlag(tokenId, permissionName, flag);
492 if ((flag & PERMISSION_FIXED_BY_ADMIN_POLICY) != 0) {
493 LOGI(ATM_DOMAIN, ATM_TAG, "Flag is fixed by admin not Update, oldFlag %{public}u .", flag);
494 return ERR_PERMISSION_RESTRICTED;
495 }
496
497 LOGD(ATM_DOMAIN, ATM_TAG, "Ret is %{public}d. flag is %{public}d", ret, flag);
498 // if the permission has been operated by user or the permission has been granted by system.
499 if ((ConstantCommon::IsPermOperatedByUser(flag) || ConstantCommon::IsPermOperatedBySystem(flag))) {
500 LOGD(ATM_DOMAIN, ATM_TAG, "The permission has been operated.");
501 if (isToGrant) {
502 // The data included in requested perm list.
503 int32_t status = VerifyPermissionStatus(tokenId, permissionName);
504 // Permission has been granted, there is no need to add perm state in security component permList.
505 if (status == PERMISSION_GRANTED) {
506 return RET_SUCCESS;
507 } else {
508 LOGC(ATM_DOMAIN, ATM_TAG, "Permission has been revoked by user.");
509 return ERR_PERMISSION_DENIED;
510 }
511 } else {
512 /* revoke is called while the permission has been operated by user or system */
513 SecCompGrantedPermListUpdated(
514 tokenId, permissionName, false);
515 return RET_SUCCESS;
516 }
517 }
518 // the permission has not been operated by user or the app has not applied for this permission in config.json
519 SecCompGrantedPermListUpdated(tokenId, permissionName, isToGrant);
520 return RET_SUCCESS;
521 }
522
UpdatePermissionStatus(AccessTokenID tokenId,const std::string & permissionName,bool isGranted,uint32_t flag,bool & statusChanged)523 int32_t PermissionDataBrief::UpdatePermissionStatus(AccessTokenID tokenId,
524 const std::string& permissionName, bool isGranted, uint32_t flag, bool& statusChanged)
525 {
526 uint32_t opCode;
527 if (!TransferPermissionToOpcode(permissionName, opCode)) {
528 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid %{public}s.", permissionName.c_str());
529 return ERR_PARAM_INVALID;
530 }
531 int32_t ret;
532 int32_t oldStatus = VerifyPermissionStatus(tokenId, opCode);
533 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
534 if (!ConstantCommon::IsPermGrantedBySecComp(flag)) {
535 ret = UpdatePermStateList(tokenId, opCode, isGranted, flag);
536 } else {
537 LOGD(ATM_DOMAIN, ATM_TAG, "Permission is set by security component.");
538 ret = UpdateSecCompGrantedPermList(tokenId, permissionName, isGranted);
539 }
540 int32_t newStatus = VerifyPermissionStatus(tokenId, opCode);
541 statusChanged = (oldStatus == newStatus) ? false : true;
542 return ret;
543 }
544
ResetUserGrantPermissionStatus(AccessTokenID tokenID)545 int32_t PermissionDataBrief::ResetUserGrantPermissionStatus(AccessTokenID tokenID)
546 {
547 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
548 auto iter = requestedPermData_.find(tokenID);
549 if (iter == requestedPermData_.end()) {
550 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is not exist.", tokenID);
551 return ERR_TOKEN_INVALID;
552 }
553 for (auto& perm : iter->second) {
554 uint32_t oldFlag = static_cast<uint32_t>(perm.flag);
555 if ((oldFlag & PERMISSION_SYSTEM_FIXED) != 0) {
556 continue;
557 }
558 /* A user_grant permission has been set by system for cancellable pre-authorization. */
559 /* it should keep granted when the app reset. */
560 if ((oldFlag & PERMISSION_PRE_AUTHORIZED_CANCELABLE) != 0) {
561 perm.status = PERMISSION_GRANTED;
562 perm.flag = PERMISSION_PRE_AUTHORIZED_CANCELABLE;
563 continue;
564 }
565 if ((oldFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) != 0) {
566 continue;
567 }
568 perm.status = PERMISSION_DENIED;
569 perm.flag = PERMISSION_DEFAULT_FLAG;
570 }
571 ClearAllSecCompGrantedPermById(tokenID);
572 return RET_SUCCESS;
573 }
574
DeleteExtendedValue(AccessTokenID tokenID)575 void PermissionDataBrief::DeleteExtendedValue(AccessTokenID tokenID)
576 {
577 auto it = extendedValue_.begin();
578 while (it != extendedValue_.end()) {
579 uint64_t key = it->first;
580 AccessTokenID tokenIDToDelete = key >> 32;
581 if (tokenIDToDelete == tokenID) {
582 it = extendedValue_.erase(it);
583 } else {
584 ++it;
585 }
586 }
587 }
588
DeleteBriefPermDataByTokenId(AccessTokenID tokenID)589 int32_t PermissionDataBrief::DeleteBriefPermDataByTokenId(AccessTokenID tokenID)
590 {
591 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
592 auto iter = requestedPermData_.find(tokenID);
593 if (iter == requestedPermData_.end()) {
594 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is not exist.", tokenID);
595 return ERR_TOKEN_INVALID;
596 }
597 requestedPermData_.erase(tokenID);
598 std::list<BriefSecCompData>::iterator secCompData;
599 for (secCompData = secCompList_.begin(); secCompData != secCompList_.end();) {
600 if (secCompData->tokenId != tokenID) {
601 ++secCompData;
602 } else {
603 secCompData = secCompList_.erase(secCompData);
604 }
605 }
606 DeleteExtendedValue(tokenID);
607 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID %{public}u is deleted.", tokenID);
608 return RET_SUCCESS;
609 }
GetBriefPermDataByTokenIdInner(AccessTokenID tokenID,std::vector<BriefPermData> & list)610 int32_t PermissionDataBrief::GetBriefPermDataByTokenIdInner(AccessTokenID tokenID, std::vector<BriefPermData>& list)
611 {
612 auto iter = requestedPermData_.find(tokenID);
613 if (iter == requestedPermData_.end()) {
614 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is not exist.", tokenID);
615 return ERR_TOKEN_INVALID;
616 }
617 for (const auto& data : iter->second) {
618 list.emplace_back(data);
619 }
620 return RET_SUCCESS;
621 }
622
GetBriefPermDataByTokenId(AccessTokenID tokenID,std::vector<BriefPermData> & list)623 int32_t PermissionDataBrief::GetBriefPermDataByTokenId(AccessTokenID tokenID, std::vector<BriefPermData>& list)
624 {
625 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
626 return GetBriefPermDataByTokenIdInner(tokenID, list);
627 }
628
GetGrantedPermByTokenId(AccessTokenID tokenID,const std::vector<std::string> & constrainedList,std::vector<std::string> & permissionList)629 void PermissionDataBrief::GetGrantedPermByTokenId(AccessTokenID tokenID,
630 const std::vector<std::string>& constrainedList, std::vector<std::string>& permissionList)
631 {
632 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
633 auto iter = requestedPermData_.find(tokenID);
634 if (iter == requestedPermData_.end()) {
635 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is not exist.", tokenID);
636 return;
637 }
638 for (const auto& data : iter->second) {
639 if (data.status == PERMISSION_GRANTED) {
640 std::string permission;
641 (void)TransferOpcodeToPermission(data.permCode, permission);
642 if (constrainedList.empty() ||
643 (std::find(constrainedList.begin(), constrainedList.end(), permission) == constrainedList.end())) {
644 permissionList.emplace_back(permission);
645 LOGD(ATM_DOMAIN, ATM_TAG, "Permission %{public}s is granted.", permission.c_str());
646 }
647 }
648 }
649 std::list<BriefSecCompData>::iterator secCompData;
650 for (secCompData = secCompList_.begin(); secCompData != secCompList_.end(); ++secCompData) {
651 if (secCompData->tokenId == tokenID) {
652 std::string permission;
653 (void)TransferOpcodeToPermission(secCompData->permCode, permission);
654 permissionList.emplace_back(permission);
655 LOGD(ATM_DOMAIN, ATM_TAG, "Permission %{public}s is granted by secComp.", permission.c_str());
656 }
657 }
658 return;
659 }
660
GetPermStatusListByTokenId(AccessTokenID tokenID,const std::vector<uint32_t> constrainedList,std::vector<uint32_t> & opCodeList,std::vector<bool> & statusList)661 void PermissionDataBrief::GetPermStatusListByTokenId(AccessTokenID tokenID,
662 const std::vector<uint32_t> constrainedList, std::vector<uint32_t>& opCodeList, std::vector<bool>& statusList)
663 {
664 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
665 auto iter = requestedPermData_.find(tokenID);
666 if (iter == requestedPermData_.end()) {
667 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is not exist.", tokenID);
668 return;
669 }
670 for (const auto& data : iter->second) {
671 /* The permission is not constrained by user policy. */
672 if (constrainedList.empty() ||
673 (std::find(constrainedList.begin(), constrainedList.end(), data.permCode) == constrainedList.end())) {
674 opCodeList.emplace_back(data.permCode);
675 bool status = data.status == PERMISSION_GRANTED ? true : false;
676 statusList.emplace_back(status);
677 } else {
678 /* The permission is constrained by user policy which is in constrainedList. */
679 opCodeList.emplace_back(data.permCode);
680 statusList.emplace_back(false);
681 }
682 }
683
684 AccessTokenIDInner *idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenID);
685 if (static_cast<ATokenTypeEnum>(idInner->type) != TOKEN_HAP) {
686 return;
687 }
688 /* Only an application can be granted by secComp. */
689 std::list<BriefSecCompData>::iterator secCompData;
690 for (secCompData = secCompList_.begin(); secCompData != secCompList_.end(); ++secCompData) {
691 if (secCompData->tokenId == tokenID) {
692 opCodeList.emplace_back(secCompData->permCode);
693 statusList.emplace_back(true);
694 }
695 }
696 return;
697 }
698
GetPermissionUsedType(AccessTokenID tokenID,int32_t opCode)699 PermUsedTypeEnum PermissionDataBrief::GetPermissionUsedType(AccessTokenID tokenID, int32_t opCode)
700 {
701 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
702 auto iter = requestedPermData_.find(tokenID);
703 if (iter == requestedPermData_.end()) {
704 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is not exist %{public}d.", tokenID);
705 return PermUsedTypeEnum::INVALID_USED_TYPE;
706 }
707 auto it = std::find_if(iter->second.begin(), iter->second.end(), [opCode](BriefPermData data) {
708 return (data.permCode == opCode);
709 });
710 if (it != iter->second.end()) {
711 if (ConstantCommon::IsPermGrantedBySecComp(it->flag)) {
712 return PermUsedTypeEnum::SEC_COMPONENT_TYPE;
713 }
714 if (it->status == PERMISSION_DENIED) {
715 LOGE(ATM_DOMAIN, ATM_TAG, "Permission of %{public}d is requested, but not granted.", tokenID);
716 return PermUsedTypeEnum::INVALID_USED_TYPE;
717 }
718 return PermUsedTypeEnum::NORMAL_TYPE;
719 }
720 std::list<BriefSecCompData>::iterator secCompData;
721 for (secCompData = secCompList_.begin(); secCompData != secCompList_.end(); ++secCompData) {
722 if ((secCompData->tokenId == tokenID) && (secCompData->permCode == opCode)) {
723 return PermUsedTypeEnum::SEC_COMPONENT_TYPE;
724 }
725 }
726 return PermUsedTypeEnum::INVALID_USED_TYPE;
727 }
VerifyPermissionStatus(AccessTokenID tokenID,uint32_t permCode)728 int32_t PermissionDataBrief::VerifyPermissionStatus(AccessTokenID tokenID, uint32_t permCode)
729 {
730 auto iter = requestedPermData_.find(tokenID);
731 if (iter == requestedPermData_.end()) {
732 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is not exist %{public}d.", tokenID);
733 return PERMISSION_DENIED;
734 }
735 auto it = std::find_if(iter->second.begin(), iter->second.end(), [permCode](BriefPermData data) {
736 return (data.permCode == permCode);
737 });
738 if (it != iter->second.end()) {
739 if (ConstantCommon::IsPermGrantedBySecComp(it->flag)) {
740 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d, permission is granted by secComp", tokenID);
741 return PERMISSION_GRANTED;
742 }
743 return static_cast<int32_t>(it->status);
744 }
745
746 std::list<BriefSecCompData>::iterator secCompData;
747 for (secCompData = secCompList_.begin(); secCompData != secCompList_.end(); ++secCompData) {
748 if ((secCompData->tokenId == tokenID) && (secCompData->permCode == permCode)) {
749 LOGD(ATM_DOMAIN, ATM_TAG,
750 "TokenID: %{public}d, permission is not requested. While it is granted by secComp", tokenID);
751 return PERMISSION_GRANTED;
752 }
753 }
754 return PERMISSION_DENIED;
755 }
756
VerifyPermissionStatus(AccessTokenID tokenID,const std::string & permission)757 int32_t PermissionDataBrief::VerifyPermissionStatus(AccessTokenID tokenID, const std::string& permission)
758 {
759 LOGD(ATM_DOMAIN, ATM_TAG, "tokenID %{public}d, permissionName %{public}s.", tokenID, permission.c_str());
760 uint32_t opCode;
761 if (!TransferPermissionToOpcode(permission, opCode)) {
762 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid %{public}s.", permission.c_str());
763 return PERMISSION_DENIED;
764 }
765 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
766 return VerifyPermissionStatus(tokenID, opCode);
767 }
768
IsPermissionGrantedWithSecComp(AccessTokenID tokenID,const std::string & permissionName)769 bool PermissionDataBrief::IsPermissionGrantedWithSecComp(AccessTokenID tokenID, const std::string& permissionName)
770 {
771 uint32_t opCode;
772 if (!TransferPermissionToOpcode(permissionName, opCode)) {
773 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid %{public}s.", permissionName.c_str());
774 return false;
775 }
776
777 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
778 auto iter = requestedPermData_.find(tokenID);
779 if (iter == requestedPermData_.end()) {
780 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is not exist %{public}d.", tokenID);
781 return false;
782 }
783 auto it = std::find_if(iter->second.begin(), iter->second.end(), [opCode](BriefPermData data) {
784 return (data.permCode == opCode);
785 });
786 if (it != iter->second.end()) {
787 if (ConstantCommon::IsPermGrantedBySecComp(it->flag)) {
788 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d, permission is granted by secComp", tokenID);
789 return true;
790 }
791 }
792 std::list<BriefSecCompData>::iterator secCompData;
793 for (secCompData = secCompList_.begin(); secCompData != secCompList_.end(); ++secCompData) {
794 if (secCompData->tokenId == tokenID && secCompData->permCode == opCode) {
795 return true;
796 }
797 }
798 return false;
799 }
800
QueryPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)801 int32_t PermissionDataBrief::QueryPermissionFlag(AccessTokenID tokenID, const std::string& permissionName,
802 uint32_t& flag)
803 {
804 uint32_t opCode;
805 if (!TransferPermissionToOpcode(permissionName, opCode)) {
806 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid %{public}s.", permissionName.c_str());
807 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
808 }
809
810 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
811 auto iter = requestedPermData_.find(tokenID);
812 if (iter == requestedPermData_.end()) {
813 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid %{public}u.", tokenID);
814 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
815 }
816 auto it = std::find_if(iter->second.begin(), iter->second.end(), [opCode](BriefPermData data) {
817 return (data.permCode == opCode);
818 });
819 if (it != iter->second.end()) {
820 flag = it->flag;
821 return RET_SUCCESS;
822 }
823 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is not in requestedPerm list %{public}s.", permissionName.c_str());
824 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
825 }
826
SecCompGrantedPermListUpdated(AccessTokenID tokenID,const std::string & permissionName,bool isAdded)827 void PermissionDataBrief::SecCompGrantedPermListUpdated(
828 AccessTokenID tokenID, const std::string& permissionName, bool isAdded)
829 {
830 uint32_t opCode;
831 if (!TransferPermissionToOpcode(permissionName, opCode)) {
832 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid %{public}s.", permissionName.c_str());
833 return;
834 }
835
836 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
837 auto iter = requestedPermData_.find(tokenID);
838 if (iter == requestedPermData_.end()) {
839 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid %{public}u.", tokenID);
840 return;
841 }
842 std::list<BriefSecCompData>::iterator secCompDataIter;
843 for (secCompDataIter = secCompList_.begin(); secCompDataIter != secCompList_.end(); ++secCompDataIter) {
844 if (secCompDataIter->tokenId == tokenID && secCompDataIter->permCode == opCode) {
845 break;
846 }
847 }
848 if (isAdded) {
849 if (secCompDataIter == secCompList_.end()) {
850 BriefSecCompData secCompData = { 0 };
851 secCompData.permCode = opCode;
852 secCompData.tokenId = tokenID;
853 secCompList_.emplace_back(secCompData);
854 }
855 } else {
856 if (secCompDataIter != secCompList_.end()) {
857 secCompList_.erase(secCompDataIter);
858 }
859 }
860
861 auto it = std::find_if(iter->second.begin(), iter->second.end(), [opCode](BriefPermData data) {
862 return (data.permCode == opCode);
863 });
864 if (it != iter->second.end()) {
865 uint32_t oldFlag = it->flag;
866 uint32_t newFlag =
867 isAdded ? (oldFlag | PERMISSION_COMPONENT_SET) : (oldFlag & (~PERMISSION_COMPONENT_SET));
868 it->flag = newFlag;
869 LOGI(ATM_DOMAIN, ATM_TAG, "Update flag newFlag %{public}u, oldFlag %{public}u .", newFlag, oldFlag);
870 }
871 return;
872 }
873
ClearAllSecCompGrantedPerm()874 void PermissionDataBrief::ClearAllSecCompGrantedPerm()
875 {
876 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
877 std::list<BriefSecCompData>::iterator secCompData;
878 for (secCompData = secCompList_.begin(); secCompData != secCompList_.end();) {
879 secCompData = secCompList_.erase(secCompData);
880 }
881 }
882
ClearAllSecCompGrantedPermById(AccessTokenID tokenID)883 void PermissionDataBrief::ClearAllSecCompGrantedPermById(AccessTokenID tokenID)
884 {
885 std::list<BriefSecCompData>::iterator secCompData;
886 for (secCompData = secCompList_.begin(); secCompData != secCompList_.end();) {
887 if (secCompData->tokenId == tokenID) {
888 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID is cleared %{public}u.", tokenID);
889 secCompData = secCompList_.erase(secCompData);
890 } else {
891 ++secCompData;
892 }
893 }
894 }
895
RefreshPermStateToKernel(const std::vector<std::string> & constrainedList,bool hapUserIsActive,AccessTokenID tokenId,std::map<std::string,bool> & refreshedPermList)896 int32_t PermissionDataBrief::RefreshPermStateToKernel(const std::vector<std::string>& constrainedList,
897 bool hapUserIsActive, AccessTokenID tokenId, std::map<std::string, bool>& refreshedPermList)
898 {
899 std::vector<uint32_t> constrainedCodeList;
900 for (const auto& perm : constrainedList) {
901 uint32_t code;
902 if (TransferPermissionToOpcode(perm, code)) {
903 constrainedCodeList.emplace_back(code);
904 } else {
905 LOGW(ATM_DOMAIN, ATM_TAG, "Perm %{public}s is not exist.", perm.c_str());
906 }
907 }
908 if (constrainedCodeList.empty()) {
909 LOGD(ATM_DOMAIN, ATM_TAG, "constrainedCodeList is null.");
910 return RET_SUCCESS;
911 }
912
913 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
914 auto iter = requestedPermData_.find(tokenId);
915 if (iter == requestedPermData_.end()) {
916 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is not exist in requestedPermData_ %{public}u.", tokenId);
917 return AccessTokenError::ERR_PARAM_INVALID;
918 }
919
920 for (const auto& data : iter->second) {
921 if (std::find(constrainedCodeList.begin(), constrainedCodeList.end(), data.permCode) ==
922 constrainedCodeList.end()) {
923 continue;
924 }
925 bool isGrantedCurr;
926 int32_t ret = GetPermissionFromKernel(tokenId, data.permCode, isGrantedCurr);
927 if (ret != RET_SUCCESS) {
928 LOGE(ATM_DOMAIN, ATM_TAG, "GetPermissionToKernel err=%{public}d", ret);
929 continue;
930 }
931 bool isGrantedToBe = (data.status == PERMISSION_GRANTED) && hapUserIsActive;
932 LOGI(ATM_DOMAIN, ATM_TAG,
933 "id=%{public}u, opCode=%{public}u, isGranted=%{public}d, hapUserIsActive=%{public}d",
934 tokenId, data.permCode, isGrantedToBe, hapUserIsActive);
935 if (isGrantedCurr == isGrantedToBe) {
936 continue;
937 }
938 ret = SetPermissionToKernel(tokenId, data.permCode, isGrantedToBe);
939 if (ret != RET_SUCCESS) {
940 LOGE(ATM_DOMAIN, ATM_TAG, "SetPermissionToKernel err=%{public}d", ret);
941 continue;
942 }
943 std::string permission;
944 (void)TransferOpcodeToPermission(data.permCode, permission);
945 refreshedPermList[permission] = isGrantedToBe;
946 }
947 return RET_SUCCESS;
948 }
949
AddBriefPermData(AccessTokenID tokenID,const std::string & permissionName,PermissionState grantStatus,PermissionFlag grantFlag,const std::string & value)950 int32_t PermissionDataBrief::AddBriefPermData(AccessTokenID tokenID, const std::string& permissionName,
951 PermissionState grantStatus, PermissionFlag grantFlag, const std::string& value)
952 {
953 PermissionStatus status;
954 status.permissionName = permissionName;
955 status.grantStatus = static_cast<int32_t>(grantStatus);
956 status.grantFlag = static_cast<uint32_t>(grantFlag);
957
958 std::map<std::string, std::string> aclExtendedMap;
959 aclExtendedMap[permissionName] = value;
960
961 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permissionStateDataLock_);
962 BriefPermData data;
963 if (!GetPermissionBriefData(tokenID, status, aclExtendedMap, data)) {
964 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
965 }
966
967 std::vector<BriefPermData> list;
968 int32_t res = GetBriefPermDataByTokenIdInner(tokenID, list);
969 if (res != RET_SUCCESS) {
970 return res;
971 }
972
973 MergePermBriefData(list, data);
974 AddBriefPermDataByTokenId(tokenID, list);
975
976 return RET_SUCCESS;
977 }
978 } // namespace AccessToken
979 } // namespace Security
980 } // namespace OHOS