1 /*
2 * Copyright (c) 2021-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_manager.h"
17
18 #include <iostream>
19 #include <numeric>
20 #include <sstream>
21
22 #include "access_token.h"
23 #include "access_token_db_operator.h"
24 #include "access_token_error.h"
25 #include "accesstoken_dfx_define.h"
26 #include "accesstoken_id_manager.h"
27 #include "accesstoken_info_manager.h"
28 #include "accesstoken_common_log.h"
29 #include "app_manager_access_client.h"
30 #include "callback_manager.h"
31 #include "constant_common.h"
32 #ifdef SUPPORT_SANDBOX_APP
33 #include "dlp_permission_set_manager.h"
34 #endif
35 #include "iaccess_token_manager.h"
36 #include "ipc_skeleton.h"
37 #include "hisysevent_adapter.h"
38 #include "parameter.h"
39 #include "parameters.h"
40 #include "short_grant_manager.h"
41 #include "permission_map.h"
42 #include "permission_validator.h"
43 #include "perm_setproc.h"
44 #include "tokenid_attributes.h"
45 #include "token_field_const.h"
46 #ifdef TOKEN_SYNC_ENABLE
47 #include "token_modify_notifier.h"
48 #endif
49
50 namespace OHOS {
51 namespace Security {
52 namespace AccessToken {
53 namespace {
54 static const char* ENTERPRISE_NORMAL_CHECK = "accesstoken.enterprise_normal_check";
55 static const char* PERMISSION_STATUS_CHANGE_KEY = "accesstoken.permission.change";
56 static const char* PERMISSION_STATUS_FLAG_CHANGE_KEY = "accesstoken.permission.flagchange";
57 static constexpr int32_t VALUE_MAX_LEN = 32;
58 static const std::vector<std::string> g_notDisplayedPerms = {
59 "ohos.permission.ANSWER_CALL",
60 "ohos.permission.MANAGE_VOICEMAIL",
61 "ohos.permission.READ_CELL_MESSAGES",
62 "ohos.permission.READ_MESSAGES",
63 "ohos.permission.RECEIVE_MMS",
64 "ohos.permission.RECEIVE_SMS",
65 "ohos.permission.RECEIVE_WAP_MESSAGES",
66 "ohos.permission.SEND_MESSAGES",
67 "ohos.permission.READ_CALL_LOG",
68 "ohos.permission.WRITE_CALL_LOG",
69 "ohos.permission.SHORT_TERM_WRITE_IMAGEVIDEO"
70 };
71 constexpr const char* APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM = "enterprise_mdm";
72 constexpr const char* APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL = "enterprise_normal";
73 constexpr const char* APP_DISTRIBUTION_TYPE_DEBUG = "none";
74 }
75 PermissionManager* PermissionManager::implInstance_ = nullptr;
76 std::recursive_mutex PermissionManager::mutex_;
77
GetInstance()78 PermissionManager& PermissionManager::GetInstance()
79 {
80 if (implInstance_ == nullptr) {
81 std::lock_guard<std::recursive_mutex> lock_l(mutex_);
82 if (implInstance_ == nullptr) {
83 implInstance_ = new PermissionManager();
84 }
85 }
86 return *implInstance_;
87 }
88
RegisterImpl(PermissionManager * implInstance)89 void PermissionManager::RegisterImpl(PermissionManager* implInstance)
90 {
91 implInstance_ = implInstance;
92 }
93
PermissionManager()94 PermissionManager::PermissionManager()
95 {
96 char value[VALUE_MAX_LEN] = {0};
97 int32_t ret = GetParameter(PERMISSION_STATUS_CHANGE_KEY, "", value, VALUE_MAX_LEN - 1);
98 if (ret < 0) {
99 LOGE(ATM_DOMAIN, ATM_TAG, "Return default value, ret=%{public}d", ret);
100 paramValue_ = 0;
101 } else {
102 paramValue_ = static_cast<uint64_t>(std::atoll(value));
103 }
104
105 char flagValue[VALUE_MAX_LEN] = {0};
106 ret = GetParameter(PERMISSION_STATUS_FLAG_CHANGE_KEY, "", flagValue, VALUE_MAX_LEN - 1);
107 if (ret < 0) {
108 LOGE(ATM_DOMAIN, ATM_TAG, "Return default flag value, ret=%{public}d", ret);
109 paramFlagValue_ = 0;
110 return;
111 }
112 paramFlagValue_ = static_cast<uint64_t>(std::atoll(flagValue));
113 }
114
~PermissionManager()115 PermissionManager::~PermissionManager()
116 {}
117
VerifyHapAccessToken(AccessTokenID tokenID,const std::string & permissionName)118 int PermissionManager::VerifyHapAccessToken(AccessTokenID tokenID, const std::string& permissionName)
119 {
120 return HapTokenInfoInner::VerifyPermissionStatus(tokenID, permissionName); // 从data获取
121 }
122
GetPermissionUsedType(AccessTokenID tokenID,const std::string & permissionName)123 PermUsedTypeEnum PermissionManager::GetPermissionUsedType(
124 AccessTokenID tokenID, const std::string& permissionName)
125 {
126 if ((tokenID == INVALID_TOKENID) ||
127 (TOKEN_HAP != TokenIDAttributes::GetTokenIdTypeEnum(tokenID))) {
128 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d is invalid.", tokenID);
129 return PermUsedTypeEnum::INVALID_USED_TYPE;
130 }
131 PermUsedTypeEnum ret = HapTokenInfoInner::GetPermissionUsedType(tokenID, permissionName);
132 LOGI(ATM_DOMAIN, ATM_TAG,
133 "Application %{public}u apply for %{public}s for type %{public}d.", tokenID, permissionName.c_str(), ret);
134 return ret;
135 }
136
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStatus> & reqPermList,bool isSystemGrant)137 int PermissionManager::GetReqPermissions(
138 AccessTokenID tokenID, std::vector<PermissionStatus>& reqPermList, bool isSystemGrant)
139 {
140 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, isSystemGrant: %{public}d", tokenID, isSystemGrant);
141 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
142 if (infoPtr == nullptr) {
143 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid.", tokenID);
144 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
145 }
146 GrantMode mode = isSystemGrant ? SYSTEM_GRANT : USER_GRANT;
147 std::vector<PermissionStatus> tmpList;
148 int32_t ret = infoPtr->GetPermissionStateList(tmpList);
149 if (ret != RET_SUCCESS) {
150 LOGE(ATM_DOMAIN, ATM_TAG, "GetPermissionStateList failed, token %{public}u is invalid.", tokenID);
151 return ret;
152 }
153 for (const auto& perm : tmpList) {
154 PermissionBriefDef briefDef;
155 if (!GetPermissionBriefDef(perm.permissionName, briefDef)) {
156 continue;
157 }
158
159 if (briefDef.grantMode == mode) {
160 reqPermList.emplace_back(perm);
161 }
162 }
163 return RET_SUCCESS;
164 }
165
IsPermissionRequestedInHap(const std::vector<PermissionStatus> & permsList,PermissionListState & permState,int32_t & status,uint32_t & flag)166 static bool IsPermissionRequestedInHap(const std::vector<PermissionStatus>& permsList,
167 PermissionListState& permState, int32_t& status, uint32_t& flag)
168 {
169 const std::string permission = permState.permissionName;
170 if (!IsPermissionValidForHap(permission)) {
171 LOGE(ATM_DOMAIN, ATM_TAG, "No definition for hap permission: %{public}s!", permission.c_str());
172 permState.errorReason = PERM_INVALID;
173 return false;
174 }
175 auto iter = std::find_if(permsList.begin(), permsList.end(), [permission](const PermissionStatus& perm) {
176 return permission == perm.permissionName;
177 });
178 if (iter == permsList.end()) {
179 LOGW(ATM_DOMAIN, ATM_TAG, "Can not find permission: %{public}s define!", permission.c_str());
180 permState.errorReason = PERM_NOT_DECLEARED;
181 return false;
182 }
183 LOGD(ATM_DOMAIN, ATM_TAG, "Find goal permission: %{public}s, status: %{public}d, flag: %{public}d",
184 permission.c_str(), iter->grantStatus, iter->grantFlag);
185 status = iter->grantStatus;
186 flag = static_cast<uint32_t>(iter->grantFlag);
187 return true;
188 }
189
IsPermissionRestrictedByRules(const std::string & permission)190 static bool IsPermissionRestrictedByRules(const std::string& permission)
191 {
192 // Several permission is not available to common apps.
193 // Specified apps can get the permission by pre-authorization instead of Pop-ups.
194 auto iterator = std::find(g_notDisplayedPerms.begin(), g_notDisplayedPerms.end(), permission);
195 if (iterator != g_notDisplayedPerms.end()) {
196 LOGW(ATM_DOMAIN, ATM_TAG, "Permission is not available to common apps: %{public}s!", permission.c_str());
197 return true;
198 }
199
200 #ifdef SUPPORT_SANDBOX_APP
201 // Specified dlp permissions are limited to specified dlp type hap.
202 AccessTokenID callingTokenId = IPCSkeleton::GetCallingTokenID();
203 int32_t dlpType = AccessTokenInfoManager::GetInstance().GetHapTokenDlpType(callingTokenId);
204 if ((dlpType != DLP_COMMON) &&
205 !DlpPermissionSetManager::GetInstance().IsPermissionAvailableToDlpHap(dlpType, permission)) {
206 LOGW(ATM_DOMAIN, ATM_TAG,
207 "callingTokenId is not allowed to grant dlp permission: %{public}s!", permission.c_str());
208 return true;
209 }
210 #endif
211
212 return false;
213 }
214
HandlePermissionDeniedCase(uint32_t goalGrantFlag,PermissionListState & permState)215 bool PermissionManager::HandlePermissionDeniedCase(uint32_t goalGrantFlag, PermissionListState& permState)
216 {
217 if ((goalGrantFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) != 0) {
218 permState.state = FORBIDDEN_OPER;
219 permState.errorReason = FIXED_BY_POLICY;
220 return true;
221 }
222 if ((goalGrantFlag & PERMISSION_ADMIN_POLICIES_CANCEL) != 0) {
223 permState.state = SETTING_OPER;
224 permState.errorReason = REQ_SUCCESS;
225 return true;
226 }
227 if ((goalGrantFlag & PERMISSION_FIXED_FOR_SECURITY_POLICY) != 0) {
228 permState.state = SETTING_OPER;
229 permState.errorReason = REQ_SUCCESS;
230 return true;
231 }
232 if ((goalGrantFlag == PERMISSION_DEFAULT_FLAG) || ((goalGrantFlag & PERMISSION_USER_SET) != 0) ||
233 ((goalGrantFlag & PERMISSION_COMPONENT_SET) != 0) || ((goalGrantFlag & PERMISSION_ALLOW_THIS_TIME) != 0)) {
234 permState.state = DYNAMIC_OPER;
235 permState.errorReason = REQ_SUCCESS;
236 return true;
237 }
238 if ((goalGrantFlag & PERMISSION_USER_FIXED) != 0) {
239 permState.state = SETTING_OPER;
240 permState.errorReason = REQ_SUCCESS;
241 return true;
242 }
243 return false;
244 }
245
GetSelfPermissionState(const std::vector<PermissionStatus> & permsList,PermissionListState & permState,int32_t apiVersion)246 void PermissionManager::GetSelfPermissionState(const std::vector<PermissionStatus>& permsList,
247 PermissionListState& permState, int32_t apiVersion)
248 {
249 int32_t goalGrantStatus;
250 uint32_t goalGrantFlag;
251
252 // api8 require vague location permission refuse directly because there is no vague location permission in api8
253 if ((permState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) && (apiVersion < ACCURATE_LOCATION_API_VERSION)) {
254 permState.state = INVALID_OPER;
255 permState.errorReason = CONDITIONS_NOT_MET;
256 return;
257 }
258 if (!IsPermissionRequestedInHap(permsList, permState, goalGrantStatus, goalGrantFlag)) {
259 permState.state = INVALID_OPER;
260 return;
261 }
262 if (IsPermissionRestrictedByRules(permState.permissionName)) {
263 permState.state = INVALID_OPER;
264 permState.errorReason = UNABLE_POP_UP;
265 return;
266 }
267 LOGI(ATM_DOMAIN, ATM_TAG, "%{public}s: status: %{public}d, flag: %{public}d",
268 permState.permissionName.c_str(), goalGrantStatus, goalGrantFlag);
269 if ((goalGrantStatus == PERMISSION_DENIED) && HandlePermissionDeniedCase(goalGrantFlag, permState)) {
270 return;
271 }
272 permState.state = PASS_OPER;
273 permState.errorReason = REQ_SUCCESS;
274 return;
275 }
276
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)277 int PermissionManager::GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
278 {
279 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s", tokenID, permissionName.c_str());
280 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
281 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName:%{public}s invalid!", permissionName.c_str());
282 return AccessTokenError::ERR_PARAM_INVALID;
283 }
284 if (!IsDefinedPermission(permissionName)) {
285 LOGE(ATM_DOMAIN, ATM_TAG, "No definition for permission: %{public}s!", permissionName.c_str());
286 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
287 }
288 uint32_t fullFlag;
289 int32_t ret = HapTokenInfoInner::QueryPermissionFlag(tokenID, permissionName, fullFlag);
290 if (ret == RET_SUCCESS) {
291 flag = ConstantCommon::GetFlagWithoutSpecifiedElement(fullFlag, PERMISSION_PRE_AUTHORIZED_CANCELABLE);
292 }
293 return ret;
294 }
295
GetAbilityManager()296 std::shared_ptr<LibraryLoader> PermissionManager::GetAbilityManager()
297 {
298 #ifdef DYNAMIC_CLOSE_LIBS
299 return std::make_shared<LibraryLoader>(ABILITY_MANAGER_LIBPATH);
300 #endif
301 if (abilityManagerLoader_ == nullptr) {
302 std::lock_guard<std::mutex> lock(abilityManagerMutex_);
303 if (abilityManagerLoader_ == nullptr) {
304 abilityManagerLoader_ = std::make_shared<LibraryLoader>(ABILITY_MANAGER_LIBPATH);
305 }
306 }
307 return abilityManagerLoader_;
308 }
309
RequestAppPermOnSetting(const HapTokenInfo & hapInfo,const std::string & bundleName,const std::string & abilityName)310 int32_t PermissionManager::RequestAppPermOnSetting(const HapTokenInfo& hapInfo,
311 const std::string& bundleName, const std::string& abilityName)
312 {
313 LOGI(ATM_DOMAIN, ATM_TAG, "bundleName=%{public}s, abilityName=%{public}s, hapInfo.bundleName=%{public}s",
314 bundleName.c_str(), abilityName.c_str(), hapInfo.bundleName.c_str());
315
316 InnerWant innerWant = {
317 .bundleName = bundleName,
318 .abilityName = abilityName,
319 .hapBundleName = hapInfo.bundleName,
320 .hapAppIndex = hapInfo.instIndex,
321 .hapUserID = hapInfo.userID,
322 .callerTokenId = IPCSkeleton::GetCallingTokenID()
323 };
324
325 std::shared_ptr<LibraryLoader> abilityManagerLoader = GetAbilityManager();
326 AbilityManagerAccessLoaderInterface* abilityManager =
327 abilityManagerLoader->GetObject<AbilityManagerAccessLoaderInterface>();
328 if (abilityManager == nullptr) {
329 LOGE(ATM_DOMAIN, ATM_TAG, "AbilityManager is nullptr!");
330 return AccessTokenError::ERR_SERVICE_ABNORMAL;
331 }
332 ErrCode err = abilityManager->StartAbility(innerWant, nullptr);
333 if (err != ERR_OK) {
334 LOGE(ATM_DOMAIN, ATM_TAG, "Fail to StartAbility, err:%{public}d", err);
335 return AccessTokenError::ERR_SERVICE_ABNORMAL;
336 }
337 return ERR_OK;
338 }
339
ParamUpdate(const std::string & permissionName,uint32_t flag,bool filtered)340 void PermissionManager::ParamUpdate(const std::string& permissionName, uint32_t flag, bool filtered)
341 {
342 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permParamSetLock_);
343 if (filtered || (IsUserGrantPermission(permissionName) &&
344 ((flag != PERMISSION_PRE_AUTHORIZED_CANCELABLE) && (flag != PERMISSION_SYSTEM_FIXED)))) {
345 paramValue_++;
346 LOGD(ATM_DOMAIN, ATM_TAG,
347 "paramValue_ change %{public}llu", static_cast<unsigned long long>(paramValue_));
348 int32_t res = SetParameter(PERMISSION_STATUS_CHANGE_KEY, std::to_string(paramValue_).c_str());
349 if (res != 0) {
350 LOGE(ATM_DOMAIN, ATM_TAG, "SetParameter failed %{public}d", res);
351 }
352 }
353 }
354
ParamFlagUpdate()355 void PermissionManager::ParamFlagUpdate()
356 {
357 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permFlagParamSetLock_);
358 paramFlagValue_++;
359 LOGD(ATM_DOMAIN, ATM_TAG,
360 "paramFlagValue_ change %{public}llu", static_cast<unsigned long long>(paramFlagValue_));
361 int32_t res = SetParameter(PERMISSION_STATUS_FLAG_CHANGE_KEY, std::to_string(paramFlagValue_).c_str());
362 if (res != 0) {
363 LOGE(ATM_DOMAIN, ATM_TAG, "SetParameter failed %{public}d", res);
364 }
365 }
366
NotifyWhenPermissionStateUpdated(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag,const std::shared_ptr<HapTokenInfoInner> & infoPtr)367 void PermissionManager::NotifyWhenPermissionStateUpdated(AccessTokenID tokenID, const std::string& permissionName,
368 bool isGranted, uint32_t flag, const std::shared_ptr<HapTokenInfoInner>& infoPtr)
369 {
370 LOGI(ATM_DOMAIN, ATM_TAG, "IsUpdated");
371 int32_t changeType = isGranted ? STATE_CHANGE_GRANTED : STATE_CHANGE_REVOKED;
372
373 // set to kernel(grant/revoke)
374 SetPermToKernel(tokenID, permissionName, isGranted);
375
376 // To notify the listener register.
377 CallbackManager::GetInstance().ExecuteCallbackAsync(tokenID, permissionName, changeType);
378
379 // To notify the client cache to update by resetting paramValue_.
380 ParamUpdate(permissionName, flag, false);
381
382 // DFX.
383 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK_EVENT",
384 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "CODE", USER_GRANT_PERMISSION_EVENT,
385 "CALLER_TOKENID", tokenID, "PERMISSION_NAME", permissionName, "FLAG", flag,
386 "PERMISSION_GRANT_TYPE", changeType);
387 grantEvent_.AddEvent(tokenID, permissionName, infoPtr->permUpdateTimestamp_);
388 }
389
UpdateTokenPermissionState(const std::shared_ptr<HapTokenInfoInner> & infoPtr,AccessTokenID tokenID,const std::string & permission,bool isGranted,uint32_t flag,bool needKill)390 int32_t PermissionManager::UpdateTokenPermissionState(const std::shared_ptr<HapTokenInfoInner>& infoPtr,
391 AccessTokenID tokenID, const std::string& permission, bool isGranted, uint32_t flag, bool needKill)
392 {
393 bool isSecCompGrantedBefore = HapTokenInfoInner::IsPermissionGrantedWithSecComp(tokenID, permission);
394 bool statusChanged = false;
395 int32_t ret = infoPtr->UpdatePermissionStatus(permission, isGranted, flag, statusChanged);
396 if (ret != RET_SUCCESS) {
397 LOGC(ATM_DOMAIN, ATM_TAG, "Update info perm status failed, ret is %{public}d", ret);
398 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR",
399 HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", UPDATE_PERMISSION_STATUS_FAILED, "TOKENID",
400 tokenID, "PERM", permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", ret, "INT_VAL2",
401 static_cast<int32_t>(flag), "NEED_KILL", needKill);
402 return ret;
403 }
404 if (statusChanged) {
405 NotifyWhenPermissionStateUpdated(tokenID, permission, isGranted, flag, infoPtr);
406 // To notify kill process when perm is revoke
407 if (needKill && (!isGranted && !isSecCompGrantedBefore)) {
408 LOGI(ATM_DOMAIN, ATM_TAG, "(%{public}s) is revoked, kill process(%{public}u).", permission.c_str(),
409 tokenID);
410 std::shared_ptr<LibraryLoader> abilityManagerLoader = GetAbilityManager();
411 AbilityManagerAccessLoaderInterface *abilityManager =
412 abilityManagerLoader->GetObject<AbilityManagerAccessLoaderInterface>();
413 if (abilityManager == nullptr) {
414 LOGE(ATM_DOMAIN, ATM_TAG, "AbilityManager is nullptr!");
415 } else if ((ret = abilityManager->KillProcessForPermissionUpdate(tokenID)) != ERR_OK) {
416 LOGE(ATM_DOMAIN, ATM_TAG, "kill process failed, ret=%{public}d.", ret);
417 }
418 }
419 }
420 return RET_SUCCESS;
421 }
422
UpdateMultiTokenPermissionState(const std::shared_ptr<HapTokenInfoInner> & infoPtr,AccessTokenID tokenID,const std::vector<std::string> & permissionList,bool isGranted,uint32_t flag,bool needKill)423 int32_t PermissionManager::UpdateMultiTokenPermissionState(const std::shared_ptr<HapTokenInfoInner> &infoPtr,
424 AccessTokenID tokenID, const std::vector<std::string> &permissionList, bool isGranted, uint32_t flag, bool needKill)
425 {
426 HapTokenInfo hapInfo;
427 AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo);
428 ClearThreadErrorMsg();
429
430 int32_t ret = RET_SUCCESS;
431 bool isUpdateSuccess = false;
432 for (const std::string &permissionName : permissionList) {
433 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION",
434 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "SCENE_CODE", CommonSceneCode::AT_COMMON_START, "TOKENID",
435 tokenID, "USERID", hapInfo.userID, "BUNDLENAME", hapInfo.bundleName, "INSTINDEX", hapInfo.instIndex,
436 "PERMISSION_NAME", permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted);
437
438 ret = UpdateTokenPermissionState(infoPtr, tokenID, permissionName, isGranted, flag, needKill);
439 if (ret != RET_SUCCESS) {
440 break;
441 }
442
443 isUpdateSuccess = true;
444
445 uint32_t newFlag = flag;
446 if (GetPermissionFlag(tokenID, permissionName, newFlag) == RET_SUCCESS) {
447 flag = newFlag;
448 }
449 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION",
450 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "SCENE_CODE", CommonSceneCode::AT_COMMON_FINISH,
451 "TOKENID", tokenID, "PERMISSION_NAME", permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted,
452 "ERROR_CODE", ret);
453 ReportSysCommonEventError(static_cast<int32_t>(isGranted ?
454 IAccessTokenManagerIpcCode::COMMAND_GRANT_PERMISSION :
455 IAccessTokenManagerIpcCode::COMMAND_REVOKE_PERMISSION), ret);
456 }
457
458 if (isUpdateSuccess) {
459 ParamFlagUpdate();
460 #ifdef TOKEN_SYNC_ENABLE
461 TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID);
462 #endif
463 }
464 return ret;
465 }
466
UpdateTokenPermissionState(AccessTokenID id,const std::string & permission,bool isGranted,uint32_t flag,bool needKill)467 int32_t PermissionManager::UpdateTokenPermissionState(
468 AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag, bool needKill)
469 {
470 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(id);
471 if (infoPtr == nullptr) {
472 LOGC(ATM_DOMAIN, ATM_TAG, "tokenInfo is null, tokenId=%{public}u", id);
473 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
474 }
475
476 int32_t ret = UpdateTokenPermissionStateCheck(infoPtr, id, permission, isGranted, flag);
477 if (ret != ERR_OK) {
478 return ret;
479 }
480
481 // statusBefore cannot use VerifyPermissionStatus in permPolicySet, because the function exclude secComp
482 bool isSecCompGrantedBefore = HapTokenInfoInner::IsPermissionGrantedWithSecComp(id, permission);
483 bool statusChanged = false;
484 ret = infoPtr->UpdatePermissionStatus(permission, isGranted, flag, statusChanged);
485 if (ret != RET_SUCCESS) {
486 LOGC(ATM_DOMAIN, ATM_TAG, "Update info perm status failed, ret is %{public}d", ret);
487 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR",
488 HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", UPDATE_PERMISSION_STATUS_FAILED, "TOKENID", id,
489 "PERM", permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", ret,
490 "INT_VAL2", static_cast<int32_t>(flag), "NEED_KILL", needKill);
491 return ret;
492 }
493
494 // notify flag change
495 ParamFlagUpdate();
496
497 if (statusChanged) {
498 NotifyWhenPermissionStateUpdated(id, permission, isGranted, flag, infoPtr);
499 // To notify kill process when perm is revoke
500 if (needKill && (!isGranted && !isSecCompGrantedBefore)) {
501 LOGI(ATM_DOMAIN, ATM_TAG, "(%{public}s) is revoked, kill process(%{public}u).", permission.c_str(), id);
502 std::shared_ptr<LibraryLoader> abilityManagerLoader = GetAbilityManager();
503 AbilityManagerAccessLoaderInterface* abilityManager =
504 abilityManagerLoader->GetObject<AbilityManagerAccessLoaderInterface>();
505 if (abilityManager == nullptr) {
506 LOGE(ATM_DOMAIN, ATM_TAG, "AbilityManager is nullptr!");
507 } else if ((ret = abilityManager->KillProcessForPermissionUpdate(id)) != ERR_OK) {
508 LOGE(ATM_DOMAIN, ATM_TAG, "kill process failed, ret=%{public}d.", ret);
509 }
510 }
511 }
512
513 #ifdef TOKEN_SYNC_ENABLE
514 TokenModifyNotifier::GetInstance().NotifyTokenModify(id);
515 #endif
516 return RET_SUCCESS;
517 }
518
UpdateTokenPermissionStateCheck(const std::shared_ptr<HapTokenInfoInner> & infoPtr,AccessTokenID id,const std::string & permission,bool isGranted,uint32_t flag)519 int32_t PermissionManager::UpdateTokenPermissionStateCheck(const std::shared_ptr<HapTokenInfoInner>& infoPtr,
520 AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag)
521 {
522 if (infoPtr->IsRemote()) {
523 LOGC(ATM_DOMAIN, ATM_TAG, "Remote token can not update");
524 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
525 }
526 if ((flag == PERMISSION_ALLOW_THIS_TIME) && isGranted) {
527 if (!TempPermissionObserver::GetInstance().IsAllowGrantTempPermission(id, permission)) {
528 LOGC(ATM_DOMAIN, ATM_TAG, "Id:%{public}d fail to grant permission:%{public}s", id, permission.c_str());
529 return ERR_IDENTITY_CHECK_FAILED;
530 }
531 }
532
533 #ifdef SUPPORT_SANDBOX_APP
534 int32_t hapDlpType = infoPtr->GetDlpType();
535 if (hapDlpType != DLP_COMMON) {
536 int32_t permDlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permission);
537 if (!DlpPermissionSetManager::GetInstance().IsPermDlpModeAvailableToDlpHap(hapDlpType, permDlpMode)) {
538 LOGC(ATM_DOMAIN, ATM_TAG, "%{public}s cannot to be granted to %{public}u", permission.c_str(), id);
539 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR",
540 HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", DLP_CHECK_FAILED, "TOKENID", id, "PERM",
541 permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", hapDlpType, "INT_VAL2", permDlpMode);
542 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
543 }
544 }
545 #endif
546 return ERR_OK;
547 }
548
UpdateMultiPermissionStatus(AccessTokenID tokenID,const std::vector<std::string> & permissionList,int32_t status,uint32_t flag)549 int32_t PermissionManager::UpdateMultiPermissionStatus(
550 AccessTokenID tokenID, const std::vector<std::string> &permissionList, int32_t status, uint32_t flag)
551 {
552 bool isGranted = (status == PERMISSION_GRANTED);
553 bool needKill = false;
554 // To kill process when perm is revoke
555 if (!isGranted) {
556 LOGI(ATM_DOMAIN, ATM_TAG, "Perm is revoked, kill process(%{public}u).", tokenID);
557 needKill = true;
558 }
559
560 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
561 if (infoPtr == nullptr) {
562 LOGC(ATM_DOMAIN, ATM_TAG, "tokenInfo is null, tokenId=%{public}u.", tokenID);
563 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
564 }
565
566 int32_t ret = UpdateMultiTokenPermissionStateCheck(infoPtr, tokenID, permissionList);
567 if (ret != RET_SUCCESS) {
568 return ret;
569 }
570
571 ret = UpdateMultiTokenPermissionState(infoPtr, tokenID, permissionList, isGranted, flag, needKill);
572 if (ret != RET_SUCCESS) {
573 LOGC(ATM_DOMAIN, ATM_TAG, "Update permission %{public}u failed, ret is %{public}d.", tokenID, ret);
574 return ret;
575 }
576
577 #ifdef SUPPORT_SANDBOX_APP
578 // The action of sharing would be taken place only if the grant operation or revoke operation equals to success.
579 std::vector<AccessTokenID> tokenIdList;
580 AccessTokenInfoManager::GetInstance().GetRelatedSandBoxHapList(tokenID, tokenIdList);
581 for (const auto &id : tokenIdList) {
582 (void)UpdateMultiTokenPermissionState(infoPtr, id, permissionList, isGranted, flag, needKill);
583 }
584 #endif
585
586 return RET_SUCCESS;
587 }
588
UpdateMultiTokenPermissionStateCheck(const std::shared_ptr<HapTokenInfoInner> & infoPtr,AccessTokenID tokenID,const std::vector<std::string> & permissionList)589 int32_t PermissionManager::UpdateMultiTokenPermissionStateCheck(const std::shared_ptr<HapTokenInfoInner> &infoPtr,
590 AccessTokenID tokenID, const std::vector<std::string> &permissionList)
591 {
592 if (infoPtr->IsRemote()) {
593 LOGC(ATM_DOMAIN, ATM_TAG, "Remote token can not update.");
594 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
595 }
596
597 #ifdef SUPPORT_SANDBOX_APP
598 int32_t hapDlpType = infoPtr->GetDlpType();
599 if (hapDlpType == DLP_COMMON) {
600 return RET_SUCCESS;
601 }
602 for (const std::string& permissionName : permissionList) {
603 int32_t permDlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permissionName);
604 if (!DlpPermissionSetManager::GetInstance().IsPermDlpModeAvailableToDlpHap(hapDlpType, permDlpMode)) {
605 LOGC(ATM_DOMAIN, ATM_TAG,
606 "%{public}s cannot to be granted to %{public}u.", permissionName.c_str(), tokenID);
607 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR",
608 HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", DLP_CHECK_FAILED, "TOKENID", tokenID, "PERM",
609 permissionName, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", hapDlpType,
610 "INT_VAL2", permDlpMode);
611 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
612 }
613 }
614 #endif
615
616 return RET_SUCCESS;
617 }
618
UpdatePermission(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag,bool needKill)619 int32_t PermissionManager::UpdatePermission(AccessTokenID tokenID, const std::string& permissionName,
620 bool isGranted, uint32_t flag, bool needKill)
621 {
622 int32_t ret = UpdateTokenPermissionState(tokenID, permissionName, isGranted, flag, needKill);
623 if (ret != RET_SUCCESS) {
624 LOGC(ATM_DOMAIN, ATM_TAG, "Update permission %{public}u %{public}s failed, ret is %{public}d", tokenID,
625 permissionName.c_str(), ret);
626 return ret;
627 }
628
629 #ifdef SUPPORT_SANDBOX_APP
630 // The action of sharing would be taken place only if the grant operation or revoke operation equals to success.
631 std::vector<AccessTokenID> tokenIdList;
632 AccessTokenInfoManager::GetInstance().GetRelatedSandBoxHapList(tokenID, tokenIdList);
633 for (const auto& id : tokenIdList) {
634 (void)UpdateTokenPermissionState(id, permissionName, isGranted, flag, needKill);
635 }
636 #endif
637
638 return RET_SUCCESS;
639 }
640
CheckAndUpdatePermission(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag)641 int32_t PermissionManager::CheckAndUpdatePermission(AccessTokenID tokenID, const std::string& permissionName,
642 bool isGranted, uint32_t flag)
643 {
644 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
645 LOGC(ATM_DOMAIN, ATM_TAG, "permissionName: %{public}s, Invalid params!", permissionName.c_str());
646 return AccessTokenError::ERR_PARAM_INVALID;
647 }
648 if (!IsDefinedPermission(permissionName)) {
649 LOGC(ATM_DOMAIN, ATM_TAG, "No definition for permission: %{public}s!", permissionName.c_str());
650 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
651 }
652 if (!PermissionValidator::IsPermissionFlagValid(flag) || PermissionValidator::IsPermissionFlagValidForAdmin(flag)) {
653 LOGC(ATM_DOMAIN, ATM_TAG, "flag: %{public}d, Invalid params!", flag);
654 return AccessTokenError::ERR_PARAM_INVALID;
655 }
656 bool needKill = false;
657 // To kill process when perm is revoke
658 if (!isGranted && flag != PERMISSION_COMPONENT_SET) {
659 LOGI(ATM_DOMAIN, ATM_TAG, "Perm(%{public}s) is revoked, kill process(%{public}u).",
660 permissionName.c_str(), tokenID);
661 needKill = true;
662 }
663
664 return UpdatePermission(tokenID, permissionName, isGranted, flag, needKill);
665 }
666
CheckAndUpdatePermissionInner(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag)667 int32_t PermissionManager::CheckAndUpdatePermissionInner(AccessTokenID tokenID, const std::string& permissionName,
668 bool isGranted, uint32_t flag)
669 {
670 HapTokenInfo hapInfo;
671 AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo);
672 ClearThreadErrorMsg();
673 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION",
674 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "SCENE_CODE", CommonSceneCode::AT_COMMON_START,
675 "TOKENID", tokenID, "USERID", hapInfo.userID, "BUNDLENAME", hapInfo.bundleName, "INSTINDEX", hapInfo.instIndex,
676 "PERMISSION_NAME", permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted);
677
678 int32_t ret = CheckAndUpdatePermission(tokenID, permissionName, isGranted, flag);
679
680 uint32_t newFlag = flag;
681 if (ret == RET_SUCCESS && GetPermissionFlag(tokenID, permissionName, newFlag) == RET_SUCCESS) {
682 flag = newFlag;
683 }
684
685 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION",
686 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "SCENE_CODE", CommonSceneCode::AT_COMMON_FINISH,
687 "TOKENID", tokenID, "PERMISSION_NAME", permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted,
688 "ERROR_CODE", ret);
689 ReportSysCommonEventError(static_cast<int32_t>(isGranted ? IAccessTokenManagerIpcCode::COMMAND_GRANT_PERMISSION :
690 IAccessTokenManagerIpcCode::COMMAND_REVOKE_PERMISSION), ret);
691 return ret;
692 }
693
CheckMultiPermissionStatus(AccessTokenID tokenID,const std::vector<std::string> & permissionList,int32_t status,uint32_t flag)694 int32_t PermissionManager::CheckMultiPermissionStatus(
695 AccessTokenID tokenID, const std::vector<std::string> &permissionList, int32_t status, uint32_t flag)
696 {
697 if (!PermissionValidator::IsPermissionFlagValidForAdmin(flag)) {
698 LOGC(ATM_DOMAIN, ATM_TAG, "flag: %{public}d, Invalid params!", flag);
699 return AccessTokenError::ERR_PARAM_INVALID;
700 }
701 for (const std::string& permissionName : permissionList) {
702 LOGI(ATM_DOMAIN, ATM_TAG,
703 "tokenID: %{public}d, permissionName: %{public}s, status: %{public}d, flag: %{public}d.", tokenID,
704 permissionName.c_str(), status, flag);
705 if (!IsDefinedPermission(permissionName)) {
706 LOGC(ATM_DOMAIN, ATM_TAG, "No definition for permission: %{public}s!", permissionName.c_str());
707 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
708 }
709 if (!IsUserGrantPermission(permissionName)) {
710 LOGC(ATM_DOMAIN, ATM_TAG, "Only support permissions of user_grant to set.");
711 return AccessTokenError::ERR_PARAM_INVALID;
712 }
713 }
714 return RET_SUCCESS;
715 }
716
CheckAndUpdateMultiPermissionStatus(AccessTokenID tokenID,const std::vector<std::string> & permissionList,int32_t status,uint32_t flag)717 int32_t PermissionManager::CheckAndUpdateMultiPermissionStatus(
718 AccessTokenID tokenID, const std::vector<std::string> &permissionList, int32_t status, uint32_t flag)
719 {
720 int32_t ret = RET_SUCCESS;
721 ret = CheckMultiPermissionStatus(tokenID, permissionList, status, flag);
722 if (ret != RET_SUCCESS) {
723 return ret;
724 }
725 ret = UpdateMultiPermissionStatus(tokenID, permissionList, status, flag);
726 if (ret != RET_SUCCESS) {
727 return ret;
728 }
729 return RET_SUCCESS;
730 }
731
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)732 int32_t PermissionManager::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
733 {
734 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s, flag: %{public}d",
735 tokenID, permissionName.c_str(), flag);
736 return CheckAndUpdatePermissionInner(tokenID, permissionName, true, flag);
737 }
738
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)739 int32_t PermissionManager::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
740 {
741 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s, flag: %{public}d",
742 tokenID, permissionName.c_str(), flag);
743 return CheckAndUpdatePermissionInner(tokenID, permissionName, false, flag);
744 }
745
GrantPermissionForSpecifiedTime(AccessTokenID tokenID,const std::string & permissionName,uint32_t onceTime)746 int32_t PermissionManager::GrantPermissionForSpecifiedTime(
747 AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime)
748 {
749 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s, onceTime: %{public}d",
750 tokenID, permissionName.c_str(), onceTime);
751 return ShortGrantManager::GetInstance().RefreshPermission(tokenID, permissionName, onceTime);
752 }
753
ScopeToString(const std::vector<AccessTokenID> & tokenIDs,const std::vector<std::string> & permList)754 void PermissionManager::ScopeToString(
755 const std::vector<AccessTokenID>& tokenIDs, const std::vector<std::string>& permList)
756 {
757 std::stringstream str;
758 copy(tokenIDs.begin(), tokenIDs.end(), std::ostream_iterator<uint32_t>(str, ", "));
759 std::string tokenidStr = str.str();
760
761 std::string permStr;
762 permStr = accumulate(permList.begin(), permList.end(), std::string(" "));
763
764 LOGI(ATM_DOMAIN, ATM_TAG, "TokenidStr = %{public}s permStr =%{public}s",
765 tokenidStr.c_str(), permStr.c_str());
766 }
767
SetPermissionStatusWithPolicy(AccessTokenID tokenID,const std::vector<std::string> & permissionList,int32_t status,uint32_t flag)768 int32_t PermissionManager::SetPermissionStatusWithPolicy(
769 AccessTokenID tokenID, const std::vector<std::string>& permissionList, int32_t status, uint32_t flag)
770 {
771 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, status: %{public}d, flag: %{public}u.", tokenID, status, flag);
772 return CheckAndUpdateMultiPermissionStatus(tokenID, permissionList, status, flag);
773 }
774
ScopeFilter(const PermStateChangeScope & scopeSrc,PermStateChangeScope & scopeRes)775 int32_t PermissionManager::ScopeFilter(const PermStateChangeScope& scopeSrc, PermStateChangeScope& scopeRes)
776 {
777 std::set<uint32_t> tokenIdSet;
778 for (const auto& tokenId : scopeSrc.tokenIDs) {
779 if (AccessTokenInfoManager::GetInstance().IsTokenIdExist(tokenId) &&
780 (tokenIdSet.count(tokenId) == 0)) {
781 scopeRes.tokenIDs.emplace_back(tokenId);
782 tokenIdSet.insert(tokenId);
783 continue;
784 }
785 LOGE(ATM_DOMAIN, ATM_TAG, "TokenId %{public}d invalid!", tokenId);
786 }
787 std::set<std::string> permSet;
788 for (const auto& permissionName : scopeSrc.permList) {
789 if (IsDefinedPermission(permissionName) &&
790 permSet.count(permissionName) == 0) {
791 scopeRes.permList.emplace_back(permissionName);
792 permSet.insert(permissionName);
793 continue;
794 }
795 LOGE(ATM_DOMAIN, ATM_TAG, "Permission %{public}s invalid!", permissionName.c_str());
796 }
797 if ((scopeRes.tokenIDs.empty()) && (!scopeSrc.tokenIDs.empty())) {
798 LOGE(ATM_DOMAIN, ATM_TAG, "Valid tokenid size is 0!");
799 return AccessTokenError::ERR_PARAM_INVALID;
800 }
801 if ((scopeRes.permList.empty()) && (!scopeSrc.permList.empty())) {
802 LOGE(ATM_DOMAIN, ATM_TAG, "Valid permission size is 0!");
803 return AccessTokenError::ERR_PARAM_INVALID;
804 }
805 ScopeToString(scopeRes.tokenIDs, scopeRes.permList);
806 return RET_SUCCESS;
807 }
808
AddPermStateChangeCallback(const PermStateChangeScope & scope,const sptr<IRemoteObject> & callback)809 int32_t PermissionManager::AddPermStateChangeCallback(
810 const PermStateChangeScope& scope, const sptr<IRemoteObject>& callback)
811 {
812 PermStateChangeScope scopeRes;
813 int32_t result = ScopeFilter(scope, scopeRes);
814 if (result != RET_SUCCESS) {
815 return result;
816 }
817 return CallbackManager::GetInstance().AddCallback(scopeRes, callback);
818 }
819
RemovePermStateChangeCallback(const sptr<IRemoteObject> & callback)820 int32_t PermissionManager::RemovePermStateChangeCallback(const sptr<IRemoteObject>& callback)
821 {
822 LOGI(ATM_DOMAIN, ATM_TAG, "Called");
823 return CallbackManager::GetInstance().RemoveCallback(callback);
824 }
825
GetApiVersionByTokenId(AccessTokenID tokenID,int32_t & apiVersion)826 bool PermissionManager::GetApiVersionByTokenId(AccessTokenID tokenID, int32_t& apiVersion)
827 {
828 // only hap can do this
829 AccessTokenIDInner *idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenID);
830 ATokenTypeEnum tokenType = (ATokenTypeEnum)(idInner->type);
831 if (tokenType != TOKEN_HAP) {
832 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid token type %{public}d", tokenType);
833 return false;
834 }
835
836 HapTokenInfo hapInfo;
837 int ret = AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo);
838 if (ret != RET_SUCCESS) {
839 LOGE(ATM_DOMAIN, ATM_TAG, "Get hap token info error!");
840 return false;
841 }
842
843 apiVersion = hapInfo.apiVersion;
844
845 return true;
846 }
847
IsPermissionVaild(const std::string & permissionName)848 bool PermissionManager::IsPermissionVaild(const std::string& permissionName)
849 {
850 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
851 LOGW(ATM_DOMAIN, ATM_TAG, "Invalid permissionName %{public}s", permissionName.c_str());
852 return false;
853 }
854
855 if (!IsDefinedPermission(permissionName)) {
856 LOGW(ATM_DOMAIN, ATM_TAG, "Permission %{public}s has no definition ", permissionName.c_str());
857 return false;
858 }
859 return true;
860 }
861
GetLocationPermissionIndex(std::vector<PermissionListStateParcel> & reqPermList,LocationIndex & locationIndex)862 bool PermissionManager::GetLocationPermissionIndex(std::vector<PermissionListStateParcel>& reqPermList,
863 LocationIndex& locationIndex)
864 {
865 uint32_t index = 0;
866 bool hasFound = false;
867
868 for (const auto& perm : reqPermList) {
869 if (perm.permsState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) {
870 locationIndex.vagueIndex = index;
871 hasFound = true;
872 } else if (perm.permsState.permissionName == ACCURATE_LOCATION_PERMISSION_NAME) {
873 locationIndex.accurateIndex = index;
874 hasFound = true;
875 } else if (perm.permsState.permissionName == BACKGROUND_LOCATION_PERMISSION_NAME) {
876 locationIndex.backIndex = index;
877 hasFound = true;
878 }
879
880 index++;
881
882 if ((locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) &&
883 (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) &&
884 (locationIndex.backIndex != PERMISSION_NOT_REQUSET)) {
885 break;
886 }
887 }
888
889 LOGI(ATM_DOMAIN, ATM_TAG,
890 "vague index is %{public}d, accurate index is %{public}d, background index is %{public}d!",
891 locationIndex.vagueIndex, locationIndex.accurateIndex, locationIndex.backIndex);
892
893 return hasFound;
894 }
895
GetLocationPermissionState(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStatus> & permsList,int32_t apiVersion,const LocationIndex & locationIndex)896 bool PermissionManager::GetLocationPermissionState(AccessTokenID tokenID,
897 std::vector<PermissionListStateParcel>& reqPermList, std::vector<PermissionStatus>& permsList,
898 int32_t apiVersion, const LocationIndex& locationIndex)
899 {
900 bool needVagueDynamic = false;
901 bool needAccurateDynamic = false; // needVagueDynamic-false, 1. not request;2. request but not equal to DYNAMIC_OPER
902 if (locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) {
903 GetSelfPermissionState(permsList, reqPermList[locationIndex.vagueIndex].permsState, apiVersion);
904 needVagueDynamic = reqPermList[locationIndex.vagueIndex].permsState.state == DYNAMIC_OPER;
905 }
906
907 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
908 bool isVagueGranted = VerifyHapAccessToken(tokenID, VAGUE_LOCATION_PERMISSION_NAME) == PERMISSION_GRANTED;
909 // request accurate and vague permission, if vague has been set or invalid, accurate can't be requested
910 GetSelfPermissionState(permsList, reqPermList[locationIndex.accurateIndex].permsState, apiVersion);
911 needAccurateDynamic = reqPermList[locationIndex.accurateIndex].permsState.state == DYNAMIC_OPER;
912
913 // update permsState
914 if (needAccurateDynamic) {
915 // vague permissoion is not pop and permission status os not granted
916 if (!needVagueDynamic && !isVagueGranted) {
917 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
918 reqPermList[locationIndex.accurateIndex].permsState.errorReason = CONDITIONS_NOT_MET;
919 needAccurateDynamic = false;
920 }
921 }
922 }
923
924 if (locationIndex.backIndex != PERMISSION_NOT_REQUSET) {
925 if (apiVersion >= BACKGROUND_LOCATION_API_VERSION) {
926 // background permission
927 // with back and vague permission, request back can not pop dynamic dialog
928 if (locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) {
929 reqPermList[locationIndex.vagueIndex].permsState.state = INVALID_OPER;
930 reqPermList[locationIndex.vagueIndex].permsState.errorReason = CONDITIONS_NOT_MET;
931 }
932 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
933 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
934 reqPermList[locationIndex.accurateIndex].permsState.errorReason = CONDITIONS_NOT_MET;
935 }
936 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
937 reqPermList[locationIndex.backIndex].permsState.errorReason = CONDITIONS_NOT_MET;
938 return false;
939 }
940 // with back and vague permission
941 // back state is SETTING_OPER when dynamic pop-up dialog appears and INVALID_OPER when it doesn't
942 GetSelfPermissionState(permsList, reqPermList[locationIndex.backIndex].permsState, apiVersion);
943 if (reqPermList[locationIndex.backIndex].permsState.state == DYNAMIC_OPER) {
944 if (needAccurateDynamic || needVagueDynamic) {
945 reqPermList[locationIndex.backIndex].permsState.state = SETTING_OPER;
946 reqPermList[locationIndex.backIndex].permsState.errorReason = REQ_SUCCESS;
947 } else {
948 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
949 reqPermList[locationIndex.backIndex].permsState.errorReason = CONDITIONS_NOT_MET;
950 }
951 }
952 }
953 return needVagueDynamic || needAccurateDynamic;
954 }
955
LocationPermissionSpecialHandle(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStatus> & permsList,int32_t apiVersion)956 bool PermissionManager::LocationPermissionSpecialHandle(
957 AccessTokenID tokenID,
958 std::vector<PermissionListStateParcel>& reqPermList,
959 std::vector<PermissionStatus>& permsList, int32_t apiVersion)
960 {
961 struct LocationIndex locationIndex;
962 if (!GetLocationPermissionIndex(reqPermList, locationIndex)) {
963 return false;
964 }
965 return GetLocationPermissionState(tokenID, reqPermList, permsList, apiVersion, locationIndex);
966 }
967
NotifyUpdatedPermList(const std::vector<std::string> & grantedPermListBefore,const std::vector<std::string> & grantedPermListAfter,AccessTokenID tokenID)968 void PermissionManager::NotifyUpdatedPermList(const std::vector<std::string>& grantedPermListBefore,
969 const std::vector<std::string>& grantedPermListAfter, AccessTokenID tokenID)
970 {
971 for (uint32_t i = 0; i < grantedPermListBefore.size(); i++) {
972 LOGI(ATM_DOMAIN, ATM_TAG, "grantedPermListBefore[i] %{public}s.", grantedPermListBefore[i].c_str());
973 auto it = find(grantedPermListAfter.begin(), grantedPermListAfter.end(), grantedPermListBefore[i]);
974 if (it == grantedPermListAfter.end()) {
975 CallbackManager::GetInstance().ExecuteCallbackAsync(
976 tokenID, grantedPermListBefore[i], STATE_CHANGE_REVOKED);
977 ParamUpdate(grantedPermListBefore[i], 0, true);
978 }
979 }
980 for (uint32_t i = 0; i < grantedPermListAfter.size(); i++) {
981 LOGI(ATM_DOMAIN, ATM_TAG, "grantedPermListAfter[i] %{public}s.", grantedPermListAfter[i].c_str());
982 auto it = find(grantedPermListBefore.begin(), grantedPermListBefore.end(), grantedPermListAfter[i]);
983 if (it == grantedPermListBefore.end()) {
984 CallbackManager::GetInstance().ExecuteCallbackAsync(
985 tokenID, grantedPermListAfter[i], STATE_CHANGE_GRANTED);
986 ParamUpdate(grantedPermListAfter[i], 0, false);
987 }
988 }
989 }
990
NotifyPermGrantStoreResult(bool result,uint64_t timestamp)991 void PermissionManager::NotifyPermGrantStoreResult(bool result, uint64_t timestamp)
992 {
993 grantEvent_.NotifyPermGrantStoreResult(result, timestamp);
994 }
995
AddNativePermToKernel(AccessTokenID tokenID,const std::vector<uint32_t> & opCodeList,const std::vector<bool> & statusList)996 void PermissionManager::AddNativePermToKernel(AccessTokenID tokenID,
997 const std::vector<uint32_t>& opCodeList, const std::vector<bool>& statusList)
998 {
999 int32_t ret = AddPermissionToKernel(tokenID, opCodeList, statusList);
1000 if (ret != ACCESS_TOKEN_OK) {
1001 LOGE(ATM_DOMAIN, ATM_TAG, "AddPermissionToKernel(token=%{public}d), size=%{public}zu, err=%{public}d",
1002 tokenID, opCodeList.size(), ret);
1003 }
1004 }
1005
AddHapPermToKernel(AccessTokenID tokenID,const std::vector<std::string> & permList)1006 void PermissionManager::AddHapPermToKernel(AccessTokenID tokenID, const std::vector<std::string>& permList)
1007 {
1008 std::vector<uint32_t> permCodeList;
1009 for (const auto &permission : permList) {
1010 uint32_t code;
1011 if (!TransferPermissionToOpcode(permission, code)) {
1012 continue;
1013 }
1014 permCodeList.emplace_back(code);
1015 }
1016
1017 std::vector<uint32_t> opCodeList;
1018 std::vector<bool> statusList;
1019 HapTokenInfoInner::GetPermStatusListByTokenId(tokenID, permCodeList, opCodeList, statusList);
1020 int32_t ret = AddPermissionToKernel(tokenID, opCodeList, statusList);
1021 if (ret != ACCESS_TOKEN_OK) {
1022 LOGE(ATM_DOMAIN, ATM_TAG, "AddPermissionToKernel(token=%{public}d), size=%{public}zu, err=%{public}d",
1023 tokenID, opCodeList.size(), ret);
1024 }
1025 }
1026
RemovePermFromKernel(AccessTokenID tokenID)1027 void PermissionManager::RemovePermFromKernel(AccessTokenID tokenID)
1028 {
1029 int32_t ret = RemovePermissionFromKernel(tokenID);
1030 LOGI(ATM_DOMAIN, ATM_TAG,
1031 "RemovePermissionFromKernel(token=%{public}d), err=%{public}d", tokenID, ret);
1032 }
1033
SetPermToKernel(AccessTokenID tokenID,const std::string & permissionName,bool isGranted)1034 void PermissionManager::SetPermToKernel(
1035 AccessTokenID tokenID, const std::string& permissionName, bool isGranted)
1036 {
1037 uint32_t code;
1038 if (!TransferPermissionToOpcode(permissionName, code)) {
1039 return;
1040 }
1041 int32_t ret = SetPermissionToKernel(tokenID, code, isGranted);
1042 LOGI(ATM_DOMAIN, ATM_TAG,
1043 "SetPermissionToKernel(token=%{public}d, permission=(%{public}s), err=%{public}d",
1044 tokenID, permissionName.c_str(), ret);
1045 }
1046
IsAclSatisfied(const PermissionBriefDef & briefDef,const HapPolicy & policy)1047 bool IsAclSatisfied(const PermissionBriefDef& briefDef, const HapPolicy& policy)
1048 {
1049 if (policy.checkIgnore == HapPolicyCheckIgnore::ACL_IGNORE_CHECK) {
1050 LOGI(ATM_DOMAIN, ATM_TAG, "%{public}s ignore acl check.", briefDef.permissionName);
1051 return true;
1052 }
1053
1054 if (policy.apl < briefDef.availableLevel) {
1055 if (!briefDef.provisionEnable) {
1056 LOGC(ATM_DOMAIN, ATM_TAG, "%{public}s provisionEnable is false.", briefDef.permissionName);
1057 return false;
1058 }
1059 bool isAclExist = false;
1060 if (briefDef.hasValue) {
1061 isAclExist = std::any_of(
1062 policy.aclExtendedMap.begin(), policy.aclExtendedMap.end(), [briefDef](const auto &perm) {
1063 return std::string(briefDef.permissionName) == perm.first;
1064 });
1065 } else {
1066 isAclExist = std::any_of(
1067 policy.aclRequestedList.begin(), policy.aclRequestedList.end(), [briefDef](const auto &perm) {
1068 return std::string(briefDef.permissionName) == perm;
1069 });
1070 }
1071
1072 if (!isAclExist) {
1073 LOGC(ATM_DOMAIN, ATM_TAG, "%{public}s need acl.", briefDef.permissionName);
1074 return false;
1075 }
1076 }
1077 return true;
1078 }
1079
IsPermAvailableRangeSatisfied(const PermissionBriefDef & briefDef,const std::string & appDistributionType,bool isSystemApp,PermissionRulesEnum & rule,const HapInitInfo & initInfo)1080 bool PermissionManager::IsPermAvailableRangeSatisfied(const PermissionBriefDef& briefDef,
1081 const std::string& appDistributionType, bool isSystemApp, PermissionRulesEnum& rule, const HapInitInfo& initInfo)
1082 {
1083 if (briefDef.availableType == ATokenAvailableTypeEnum::MDM) {
1084 if (appDistributionType == "none") {
1085 LOGI(ATM_DOMAIN, ATM_TAG, "Debug app use permission: %{public}s.",
1086 briefDef.permissionName);
1087 return true;
1088 }
1089 if (appDistributionType != APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM) {
1090 LOGE(ATM_DOMAIN, ATM_TAG, "%{public}s is a mdm permission, the hap is not a mdm application.",
1091 briefDef.permissionName);
1092 rule = PERMISSION_EDM_RULE;
1093 return false;
1094 }
1095 }
1096 if (briefDef.availableType == ATokenAvailableTypeEnum::ENTERPRISE_NORMAL) {
1097 if (appDistributionType == APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM ||
1098 appDistributionType == APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL ||
1099 isSystemApp ||
1100 appDistributionType == APP_DISTRIBUTION_TYPE_DEBUG) {
1101 return true;
1102 }
1103 LOGE(ATM_DOMAIN, ATM_TAG,
1104 "EnterpriseRuleCheck permission = %{public}s bundleName = %{public}s, tokenID = %{public}d.",
1105 briefDef.permissionName, initInfo.bundleName.c_str(), initInfo.tokenID);
1106 rule = PERMISSION_ENTERPRISE_NORMAL_RULE;
1107 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
1108 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR, "CALLER_TOKENID",
1109 initInfo.tokenID, "PERMISSION_NAME", briefDef.permissionName, "INTERFACE", initInfo.bundleName);
1110
1111 bool isEnterpriseNormal = OHOS::system::GetBoolParameter(ENTERPRISE_NORMAL_CHECK, false);
1112 if (isEnterpriseNormal) {
1113 return false;
1114 }
1115 }
1116 return true;
1117 }
1118
IsUserGrantPermPreAuthorized(const std::vector<PreAuthorizationInfo> & list,const std::string & permissionName,bool & userCancelable)1119 bool IsUserGrantPermPreAuthorized(const std::vector<PreAuthorizationInfo> &list,
1120 const std::string &permissionName, bool &userCancelable)
1121 {
1122 auto iter = std::find_if(list.begin(), list.end(), [&permissionName](const auto &info) {
1123 return info.permissionName == permissionName;
1124 });
1125 if (iter == list.end()) {
1126 LOGI(ATM_DOMAIN, ATM_TAG, "Permission(%{public}s) is not in the list", permissionName.c_str());
1127 return false;
1128 }
1129
1130 userCancelable = iter->userCancelable;
1131 return true;
1132 }
1133
GetMasterAppUndValues(AccessTokenID tokenId,std::vector<GenericValues> & undefValues)1134 void PermissionManager::GetMasterAppUndValues(AccessTokenID tokenId, std::vector<GenericValues>& undefValues)
1135 {
1136 GenericValues conditionValue;
1137 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
1138 std::vector<GenericValues> results;
1139
1140 // get master app hap undefined data
1141 int32_t res = AccessTokenDbOperator::Find(AtmDataType::ACCESSTOKEN_HAP_UNDEFINE_INFO, conditionValue, results);
1142 if (res != 0) {
1143 return;
1144 }
1145
1146 if (results.empty()) {
1147 return;
1148 }
1149
1150 for (auto& value : results) {
1151 value.Remove(TokenFiledConst::FIELD_TOKEN_ID);
1152 undefValues.emplace_back(value);
1153 }
1154 }
1155
InitDlpPermissionList(const std::string & bundleName,int32_t userId,std::vector<PermissionStatus> & initializedList,std::vector<GenericValues> & undefValues)1156 bool PermissionManager::InitDlpPermissionList(const std::string& bundleName, int32_t userId,
1157 std::vector<PermissionStatus>& initializedList, std::vector<GenericValues>& undefValues)
1158 {
1159 // get dlp original app
1160 AccessTokenIDEx tokenId = AccessTokenInfoManager::GetInstance().GetHapTokenID(userId, bundleName, 0);
1161 std::shared_ptr<HapTokenInfoInner> infoPtr =
1162 AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenId.tokenIdExStruct.tokenID);
1163 if (infoPtr == nullptr) {
1164 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid.", tokenId.tokenIdExStruct.tokenID);
1165 return false;
1166 }
1167 (void)infoPtr->GetPermissionStateList(initializedList);
1168 GetMasterAppUndValues(tokenId.tokenIdExStruct.tokenID, undefValues);
1169 return true;
1170 }
1171
FillUndefinedPermVector(const std::string & permissionName,const std::string & appDistributionType,const HapPolicy & policy,std::vector<GenericValues> & undefValues)1172 void PermissionManager::FillUndefinedPermVector(const std::string& permissionName,
1173 const std::string& appDistributionType, const HapPolicy& policy, std::vector<GenericValues>& undefValues)
1174 {
1175 GenericValues value;
1176 value.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permissionName);
1177 value.Put(TokenFiledConst::FIELD_APP_DISTRIBUTION_TYPE, appDistributionType);
1178
1179 auto it = std::find_if(
1180 policy.aclRequestedList.begin(), policy.aclRequestedList.end(), [permissionName](const std::string& perm) {
1181 return permissionName == perm;
1182 });
1183 if (it != policy.aclRequestedList.end()) {
1184 value.Put(TokenFiledConst::FIELD_ACL, 1);
1185 } else {
1186 value.Put(TokenFiledConst::FIELD_ACL, 0);
1187 }
1188
1189 auto iter = std::find_if(policy.aclExtendedMap.begin(), policy.aclExtendedMap.end(),
1190 [permissionName](const auto& item) {
1191 return permissionName == item.first;
1192 });
1193 if (iter != policy.aclExtendedMap.end()) {
1194 value.Put(TokenFiledConst::FIELD_VALUE, iter->second);
1195 }
1196
1197 undefValues.emplace_back(value);
1198
1199 return;
1200 }
1201
AclAndEdmCheck(const PermissionBriefDef & briefDef,const HapInitInfo & initInfo,const std::string & permissionName,const std::string & appDistributionType,HapInfoCheckResult & result)1202 bool PermissionManager::AclAndEdmCheck(const PermissionBriefDef& briefDef, const HapInitInfo& initInfo,
1203 const std::string& permissionName, const std::string& appDistributionType, HapInfoCheckResult& result)
1204 {
1205 // acl check
1206 if (!IsAclSatisfied(briefDef, initInfo.policy)) {
1207 result.permCheckResult.permissionName = permissionName;
1208 result.permCheckResult.rule = PERMISSION_ACL_RULE;
1209 LOGC(ATM_DOMAIN, ATM_TAG, "Acl of %{public}s is invalid.", briefDef.permissionName);
1210 return false;
1211 }
1212
1213 // edm and enterprise_normal check
1214 bool isSystemApp = initInfo.isUpdate ? initInfo.updateInfo.isSystemApp : initInfo.installInfo.isSystemApp;
1215 PermissionRulesEnum rule = PERMISSION_ACL_RULE;
1216 if (IsPermAvailableRangeSatisfied(briefDef, appDistributionType, isSystemApp, rule, initInfo)) {
1217 return true;
1218 }
1219
1220 std::string bundleName = initInfo.bundleName;
1221 result.permCheckResult.permissionName = permissionName;
1222 if (rule == PERMISSION_EDM_RULE) {
1223 LOGE(ATM_DOMAIN, ATM_TAG, "MDM permission check failed.");
1224 result.permCheckResult.rule = PERMISSION_EDM_RULE;
1225 } else if (rule == PERMISSION_ENTERPRISE_NORMAL_RULE) {
1226 LOGE(ATM_DOMAIN, ATM_TAG, "Enterprise normal permission check failed.");
1227 result.permCheckResult.rule = PERMISSION_ENTERPRISE_NORMAL_RULE;
1228 }
1229 LOGC(ATM_DOMAIN, ATM_TAG, "Available range of %{public}s is invalid.", briefDef.permissionName);
1230 return false;
1231 }
1232
InitPermissionList(const HapInitInfo & initInfo,std::vector<PermissionStatus> & initializedList,HapInfoCheckResult & result,std::vector<GenericValues> & undefValues)1233 bool PermissionManager::InitPermissionList(const HapInitInfo& initInfo, std::vector<PermissionStatus>& initializedList,
1234 HapInfoCheckResult& result, std::vector<GenericValues>& undefValues)
1235 {
1236 LOGI(ATM_DOMAIN, ATM_TAG, "Before, request perm list size: %{public}zu, preAuthorizationInfo size %{public}zu, "
1237 "ACLRequestedList size %{public}zu.", initInfo.policy.permStateList.size(),
1238 initInfo.policy.preAuthorizationInfo.size(), initInfo.policy.aclRequestedList.size());
1239 std::string appDistributionType = (initInfo.isUpdate) ?
1240 initInfo.updateInfo.appDistributionType : initInfo.installInfo.appDistributionType;
1241
1242 PermissionStatus state;
1243 for (const auto& status : initInfo.policy.permStateList) {
1244 state = status;
1245 PermissionBriefDef briefDef;
1246 if (!GetPermissionBriefDef(state.permissionName, briefDef)) {
1247 LOGE(ATM_DOMAIN, ATM_TAG, "Get definition of %{public}s failed.",
1248 state.permissionName.c_str());
1249 FillUndefinedPermVector(state.permissionName, appDistributionType, initInfo.policy, undefValues);
1250 continue;
1251 }
1252
1253 if (!AclAndEdmCheck(briefDef, initInfo, state.permissionName, appDistributionType, result)) {
1254 if (initInfo.updateInfo.dataRefresh) {
1255 FillUndefinedPermVector(state.permissionName, appDistributionType, initInfo.policy, undefValues);
1256 continue;
1257 } else {
1258 return false;
1259 }
1260 }
1261
1262 state.grantFlag = PERMISSION_DEFAULT_FLAG;
1263 state.grantStatus = PERMISSION_DENIED;
1264
1265 if (briefDef.grantMode == AccessToken::GrantMode::SYSTEM_GRANT) {
1266 state.grantFlag = PERMISSION_SYSTEM_FIXED;
1267 state.grantStatus = PERMISSION_GRANTED;
1268 initializedList.emplace_back(state);
1269 continue;
1270 }
1271 if (initInfo.policy.preAuthorizationInfo.size() == 0) {
1272 initializedList.emplace_back(state);
1273 continue;
1274 }
1275 bool userCancelable = true;
1276 if (IsUserGrantPermPreAuthorized(initInfo.policy.preAuthorizationInfo, state.permissionName, userCancelable)) {
1277 state.grantFlag = userCancelable ? PERMISSION_PRE_AUTHORIZED_CANCELABLE : PERMISSION_SYSTEM_FIXED;
1278 state.grantStatus = PERMISSION_GRANTED;
1279 }
1280 initializedList.emplace_back(state);
1281 }
1282 LOGI(ATM_DOMAIN, ATM_TAG, "After, request perm list size: %{public}zu.", initializedList.size());
1283 return true;
1284 }
1285
1286 } // namespace AccessToken
1287 } // namespace Security
1288 } // namespace OHOS
1289