1 /*
2 * Copyright (c) 2021-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_manager_service.h"
17
18 #include <stack>
19 #include <unistd.h>
20
21 #include "access_token.h"
22 #include "access_token_db_operator.h"
23 #include "access_token_error.h"
24 #include "accesstoken_common_log.h"
25 #include "accesstoken_dfx_define.h"
26 #include "accesstoken_id_manager.h"
27 #include "accesstoken_info_manager.h"
28 #include "accesstoken_service_ipc_interface_code.h"
29 #include "constant_common.h"
30 #include "data_usage_dfx.h"
31 #include "data_validator.h"
32 #include "hap_token_info.h"
33 #include "hap_token_info_inner.h"
34 #include "hisysevent_adapter.h"
35 #ifdef HITRACE_NATIVE_ENABLE
36 #include "hitrace_meter.h"
37 #endif
38 #include "ipc_skeleton.h"
39 #include "libraryloader.h"
40 #include "memory_guard.h"
41 #include "parameter.h"
42 #include "parameters.h"
43 #include "permission_list_state.h"
44 #include "permission_manager.h"
45 #include "permission_validator.h"
46 #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
47 #include "sec_comp_enhance_agent.h"
48 #endif
49 #include "sec_comp_monitor.h"
50 #include "short_grant_manager.h"
51 #include "string_ex.h"
52 #include "system_ability_definition.h"
53 #include "time_util.h"
54 #include "tokenid_attributes.h"
55 #include "token_field_const.h"
56 #ifdef TOKEN_SYNC_ENABLE
57 #include "token_modify_notifier.h"
58 #endif // TOKEN_SYNC_ENABLE
59 #include "tokenid_kit.h"
60 #ifdef HICOLLIE_ENABLE
61 #include "xcollie/xcollie.h"
62 #endif // HICOLLIE_ENABLE
63
64 namespace OHOS {
65 namespace Security {
66 namespace AccessToken {
67 namespace {
68 static const char* ACCESS_TOKEN_SERVICE_INIT_KEY = "accesstoken.permission.init";
69 constexpr int32_t ERROR = -1;
70 const char* GRANT_ABILITY_BUNDLE_NAME = "com.ohos.permissionmanager";
71 const char* GRANT_ABILITY_ABILITY_NAME = "com.ohos.permissionmanager.GrantAbility";
72 const char* PERMISSION_STATE_SHEET_ABILITY_NAME = "com.ohos.permissionmanager.PermissionStateSheetAbility";
73 const char* GLOBAL_SWITCH_SHEET_ABILITY_NAME = "com.ohos.permissionmanager.GlobalSwitchSheetAbility";
74 const char* APPLICATION_SETTING_ABILITY_NAME = "com.ohos.permissionmanager.MainAbility";
75 const char* DEVELOPER_MODE_STATE = "const.security.developermode.state";
76
77 const std::string MANAGE_HAP_TOKENID_PERMISSION = "ohos.permission.MANAGE_HAP_TOKENID";
78 static constexpr int MAX_PERMISSION_SIZE = 1024;
79 static constexpr int32_t MAX_USER_POLICY_SIZE = 1024;
80 const std::string GRANT_SENSITIVE_PERMISSIONS = "ohos.permission.GRANT_SENSITIVE_PERMISSIONS";
81 const std::string REVOKE_SENSITIVE_PERMISSIONS = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS";
82 const std::string GET_SENSITIVE_PERMISSIONS = "ohos.permission.GET_SENSITIVE_PERMISSIONS";
83 const std::string DISABLE_PERMISSION_DIALOG = "ohos.permission.DISABLE_PERMISSION_DIALOG";
84 const std::string GRANT_SHORT_TERM_WRITE_MEDIAVIDEO = "ohos.permission.GRANT_SHORT_TERM_WRITE_MEDIAVIDEO";
85 const std::string MANAGE_EDM_POLICY = "ohos.permission.MANAGE_EDM_POLICY";
86
87 static constexpr int32_t SA_ID_ACCESSTOKEN_MANAGER_SERVICE = 3503;
88
89 #ifdef HICOLLIE_ENABLE
90 constexpr uint32_t TIMEOUT = 40; // 40s
91 thread_local std::stack<int32_t> g_timerIdStack;
92 #endif // HICOLLIE_ENABLE
93
94 constexpr uint32_t BITMAP_INDEX_1 = 1;
95 constexpr uint32_t BITMAP_INDEX_2 = 2;
96 constexpr uint32_t BITMAP_INDEX_3 = 3;
97 constexpr uint32_t BITMAP_INDEX_4 = 4;
98 constexpr uint32_t BITMAP_INDEX_5 = 5;
99 constexpr uint32_t BITMAP_INDEX_6 = 6;
100 }
101
102 const bool REGISTER_RESULT =
103 SystemAbility::MakeAndRegisterAbility(DelayedSingleton<AccessTokenManagerService>::GetInstance().get());
104
AccessTokenManagerService()105 AccessTokenManagerService::AccessTokenManagerService()
106 : SystemAbility(SA_ID_ACCESSTOKEN_MANAGER_SERVICE, true), state_(ServiceRunningState::STATE_NOT_START)
107 {
108 LOGI(ATM_DOMAIN, ATM_TAG, "AccessTokenManagerService()");
109 }
110
~AccessTokenManagerService()111 AccessTokenManagerService::~AccessTokenManagerService()
112 {
113 LOGI(ATM_DOMAIN, ATM_TAG, "~AccessTokenManagerService()");
114 }
115
OnStart()116 void AccessTokenManagerService::OnStart()
117 {
118 if (state_ == ServiceRunningState::STATE_RUNNING) {
119 LOGI(ATM_DOMAIN, ATM_TAG, "AccessTokenManagerService has already started!");
120 return;
121 }
122 LOGI(ATM_DOMAIN, ATM_TAG, "AccessTokenManagerService is starting.");
123 if (!Initialize()) {
124 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to initialize.");
125 return;
126 }
127 state_ = ServiceRunningState::STATE_RUNNING;
128 bool ret = Publish(DelayedSingleton<AccessTokenManagerService>::GetInstance().get());
129 if (!ret) {
130 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to publish service!");
131 ReportSysEventServiceStartError(SA_PUBLISH_FAILED, "Publish accesstoken_service fail.", ERROR);
132 return;
133 }
134 AccessTokenServiceParamSet();
135 (void)AddSystemAbilityListener(SECURITY_COMPONENT_SERVICE_ID);
136 #ifdef TOKEN_SYNC_ENABLE
137 (void)AddSystemAbilityListener(DISTRIBUTED_HARDWARE_DEVICEMANAGER_SA_ID);
138 #endif
139 LOGI(ATM_DOMAIN, ATM_TAG, "Congratulations, AccessTokenManagerService start successfully!");
140 }
141
OnStop()142 void AccessTokenManagerService::OnStop()
143 {
144 LOGI(ATM_DOMAIN, ATM_TAG, "Stop service.");
145 state_ = ServiceRunningState::STATE_NOT_START;
146 }
147
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)148 void AccessTokenManagerService::OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
149 {
150 #ifdef TOKEN_SYNC_ENABLE
151 if (systemAbilityId == DISTRIBUTED_HARDWARE_DEVICEMANAGER_SA_ID) {
152 AccessTokenInfoManager::GetInstance().InitDmCallback();
153 }
154 #endif
155 }
156
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)157 void AccessTokenManagerService::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
158 {
159 if (systemAbilityId == SECURITY_COMPONENT_SERVICE_ID) {
160 HapTokenInfoInner::ClearAllSecCompGrantedPerm();
161 return;
162 }
163 }
164
GetPermissionUsedType(AccessTokenID tokenID,const std::string & permissionName,int32_t & permUsedType)165 int32_t AccessTokenManagerService::GetPermissionUsedType(
166 AccessTokenID tokenID, const std::string& permissionName, int32_t& permUsedType)
167 {
168 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permission=%{public}s", tokenID, permissionName.c_str());
169 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
170 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
171 permUsedType = static_cast<int32_t>(PermUsedTypeEnum::INVALID_USED_TYPE);
172 return permUsedType;
173 }
174 permUsedType = static_cast<int32_t>(
175 PermissionManager::GetInstance().GetPermissionUsedType(tokenID, permissionName));
176 return ERR_OK;
177 }
178
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName,int32_t & state)179 int32_t AccessTokenManagerService::VerifyAccessToken(
180 AccessTokenID tokenID, const std::string& permissionName, int32_t& state)
181 {
182 state = VerifyAccessToken(tokenID, permissionName);
183 return RET_SUCCESS;
184 }
185
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)186 int AccessTokenManagerService::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
187 {
188 #ifdef HITRACE_NATIVE_ENABLE
189 StartTraceEx(HiTraceOutputLevel::HITRACE_LEVEL_DEBUG, HITRACE_TAG_ACCESS_CONTROL, "AccessTokenVerifyPermission");
190 #endif
191 int32_t res = AccessTokenInfoManager::GetInstance().VerifyAccessToken(tokenID, permissionName);
192 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d, permission: %{public}s, res %{public}d",
193 tokenID, permissionName.c_str(), res);
194 if ((res == PERMISSION_GRANTED) &&
195 (TokenIDAttributes::GetTokenIdTypeEnum(tokenID) == TOKEN_HAP)) {
196 res = AccessTokenInfoManager::GetInstance().IsPermissionRestrictedByUserPolicy(tokenID, permissionName) ?
197 PERMISSION_DENIED : PERMISSION_GRANTED;
198 }
199 #ifdef HITRACE_NATIVE_ENABLE
200 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
201 #endif
202 return res;
203 }
204
VerifyAccessToken(AccessTokenID tokenID,const std::vector<std::string> & permissionList,std::vector<int32_t> & permStateList)205 int AccessTokenManagerService::VerifyAccessToken(AccessTokenID tokenID,
206 const std::vector<std::string>& permissionList, std::vector<int32_t>& permStateList)
207 {
208 permStateList.clear();
209 permStateList.resize(permissionList.size(), PERMISSION_DENIED);
210 for (size_t i = 0; i < permissionList.size(); i++) {
211 permStateList[i] = VerifyAccessToken(tokenID, permissionList[i]);
212 }
213 return RET_SUCCESS;
214 }
215
GetDefPermission(const std::string & permissionName,PermissionDefParcel & permissionDefResult)216 int AccessTokenManagerService::GetDefPermission(
217 const std::string& permissionName, PermissionDefParcel& permissionDefResult)
218 {
219 LOGI(ATM_DOMAIN, ATM_TAG, "Permission: %{public}s", permissionName.c_str());
220
221 // for ipc call not by accesstoken client
222 if (!DataValidator::IsPermissionNameValid(permissionName)) {
223 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid");
224 return AccessTokenError::ERR_PARAM_INVALID;
225 }
226
227 PermissionBriefDef briefDef;
228 if (!GetPermissionBriefDef(permissionName, briefDef)) {
229 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
230 }
231
232 ConvertPermissionBriefToDef(briefDef, permissionDefResult.permissionDef);
233
234 if (briefDef.grantMode == GrantMode::SYSTEM_GRANT) {
235 return 0;
236 }
237
238 GenericValues conditionValue;
239 conditionValue.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permissionName);
240
241 std::vector<GenericValues> results;
242 int32_t res = AccessTokenDbOperator::Find(AtmDataType::ACCESSTOKEN_PERMISSION_DEF, conditionValue, results);
243 if (res != 0) {
244 return res;
245 }
246
247 if (results.empty()) {
248 // user grant permission has define in map, not exsit in db
249 return AccessTokenError::ERR_SERVICE_ABNORMAL;
250 }
251
252 permissionDefResult.permissionDef.labelId = results[0].GetInt(TokenFiledConst::FIELD_LABEL_ID);
253 permissionDefResult.permissionDef.descriptionId = results[0].GetInt(TokenFiledConst::FIELD_DESCRIPTION_ID);
254
255 return 0;
256 }
257
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStatusParcel> & reqPermList,bool isSystemGrant)258 int AccessTokenManagerService::GetReqPermissions(
259 AccessTokenID tokenID, std::vector<PermissionStatusParcel>& reqPermList, bool isSystemGrant)
260 {
261 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
262 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
263 return AccessTokenError::ERR_NOT_SYSTEM_APP;
264 }
265 if (!IsPrivilegedCalling() &&
266 VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
267 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
268 return AccessTokenError::ERR_PERMISSION_DENIED;
269 }
270
271 std::vector<PermissionStatus> permList;
272 int ret = PermissionManager::GetInstance().GetReqPermissions(tokenID, permList, isSystemGrant);
273
274 for (const auto& perm : permList) {
275 PermissionStatusParcel permParcel;
276 permParcel.permState = perm;
277 reqPermList.emplace_back(permParcel);
278 }
279 return ret;
280 }
281
GetSelfPermissionStatus(const std::string & permissionName,int32_t & status)282 int32_t AccessTokenManagerService::GetSelfPermissionStatus(const std::string& permissionName, int32_t& status)
283 {
284 status = INVALID_OPER;
285 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
286 PermissionListStateParcel parcel;
287 parcel.permsState.permissionName = permissionName;
288 parcel.permsState.state = INVALID_OPER;
289 std::vector<PermissionListStateParcel> list{parcel};
290 (void)GetPermissionsState(callingTokenID, list);
291 if (!list.empty()) {
292 status = static_cast<int32_t>(list[0].permsState.state);
293 }
294 return ERR_OK;
295 }
296
GetSelfPermissionsState(std::vector<PermissionListStateParcel> & reqPermList,PermissionGrantInfoParcel & infoParcel,int32_t & permOper)297 int32_t AccessTokenManagerService::GetSelfPermissionsState(std::vector<PermissionListStateParcel>& reqPermList,
298 PermissionGrantInfoParcel& infoParcel, int32_t& permOper)
299 {
300 uint32_t size = reqPermList.size();
301 if (size > MAX_PERMISSION_SIZE) {
302 LOGE(ATM_DOMAIN, ATM_TAG, "PermList size %{public}d is invalid", size);
303 return INVALID_OPER;
304 }
305 infoParcel.info.grantBundleName = grantBundleName_;
306 infoParcel.info.grantAbilityName = grantAbilityName_;
307 infoParcel.info.grantServiceAbilityName = grantServiceAbilityName_;
308 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
309 permOper = GetPermissionsState(callingTokenID, reqPermList);
310 return ERR_OK;
311 }
312
GetPermissionsStatus(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList)313 int32_t AccessTokenManagerService::GetPermissionsStatus(AccessTokenID tokenID,
314 std::vector<PermissionListStateParcel>& reqPermList)
315 {
316 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
317 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
318 return AccessTokenError::ERR_NOT_SYSTEM_APP;
319 }
320 if (!IsPrivilegedCalling() &&
321 VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
322 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
323 return AccessTokenError::ERR_PERMISSION_DENIED;
324 }
325
326 uint32_t size = reqPermList.size();
327 if (size > MAX_PERMISSION_SIZE) {
328 LOGE(ATM_DOMAIN, ATM_TAG, "PermList size %{public}d is invalid", size);
329 return AccessTokenError::ERR_PARAM_INVALID;
330 }
331
332 if (!AccessTokenInfoManager::GetInstance().IsTokenIdExist(tokenID)) {
333 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d does not exist", tokenID);
334 return ERR_TOKENID_NOT_EXIST;
335 }
336 PermissionOper ret = GetPermissionsState(tokenID, reqPermList);
337 return ret == INVALID_OPER ? RET_FAILED : RET_SUCCESS;
338 }
339
GetAppReqPermissions(AccessTokenID tokenID,std::vector<PermissionStatus> & permsList)340 static bool GetAppReqPermissions(AccessTokenID tokenID, std::vector<PermissionStatus>& permsList)
341 {
342 int retUserGrant = PermissionManager::GetInstance().GetReqPermissions(tokenID, permsList, false);
343 int retSysGrant = PermissionManager::GetInstance().GetReqPermissions(tokenID, permsList, true);
344 if ((retSysGrant != RET_SUCCESS) || (retUserGrant != RET_SUCCESS)) {
345 LOGE(ATM_DOMAIN, ATM_TAG,
346 "GetReqPermissions failed, retUserGrant:%{public}d, retSysGrant:%{public}d",
347 retUserGrant, retSysGrant);
348 return false;
349 }
350 return true;
351 }
352
isLocationPermSpecialHandle(std::string permissionName,int32_t apiVersion)353 bool AccessTokenManagerService::isLocationPermSpecialHandle(std::string permissionName, int32_t apiVersion)
354 {
355 return ((permissionName == VAGUE_LOCATION_PERMISSION_NAME) ||
356 (permissionName == ACCURATE_LOCATION_PERMISSION_NAME) ||
357 (permissionName == BACKGROUND_LOCATION_PERMISSION_NAME)) &&
358 (apiVersion >= ACCURATE_LOCATION_API_VERSION);
359 }
360
GetPermissionsState(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList)361 PermissionOper AccessTokenManagerService::GetPermissionsState(AccessTokenID tokenID,
362 std::vector<PermissionListStateParcel>& reqPermList)
363 {
364 int32_t apiVersion = 0;
365 if (!PermissionManager::GetInstance().GetApiVersionByTokenId(tokenID, apiVersion)) {
366 LOGE(ATM_DOMAIN, ATM_TAG, "Get api version error");
367 return INVALID_OPER;
368 }
369 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d, apiVersion: %{public}d", tokenID, apiVersion);
370
371 bool needRes = false;
372 bool fixedByPolicyRes = false;
373 std::vector<PermissionStatus> permsList;
374 if (!GetAppReqPermissions(tokenID, permsList)) {
375 return INVALID_OPER;
376 }
377
378 // api9 location permission handle here
379 if (apiVersion >= ACCURATE_LOCATION_API_VERSION) {
380 needRes = PermissionManager::GetInstance().LocationPermissionSpecialHandle(
381 tokenID, reqPermList, permsList, apiVersion);
382 }
383
384 uint32_t size = reqPermList.size();
385 for (uint32_t i = 0; i < size; i++) {
386 // api9 location permission special handle above
387 if (isLocationPermSpecialHandle(reqPermList[i].permsState.permissionName, apiVersion)) {
388 continue;
389 }
390
391 PermissionManager::GetInstance().GetSelfPermissionState(permsList, reqPermList[i].permsState, apiVersion);
392 needRes = (static_cast<PermissionOper>(reqPermList[i].permsState.state) == DYNAMIC_OPER) ? true : needRes;
393 if (static_cast<PermissionOper>(reqPermList[i].permsState.state) == FORBIDDEN_OPER) {
394 fixedByPolicyRes = true;
395 }
396 LOGD(ATM_DOMAIN, ATM_TAG, "Perm: %{public}s, state: %{public}d",
397 reqPermList[i].permsState.permissionName.c_str(), reqPermList[i].permsState.state);
398 }
399 if (GetTokenType(tokenID) == TOKEN_HAP && AccessTokenInfoManager::GetInstance().GetPermDialogCap(tokenID)) {
400 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d is under control", tokenID);
401 uint32_t size = reqPermList.size();
402 for (uint32_t i = 0; i < size; i++) {
403 if (reqPermList[i].permsState.state != INVALID_OPER) {
404 reqPermList[i].permsState.state = FORBIDDEN_OPER;
405 reqPermList[i].permsState.errorReason = PRIVACY_STATEMENT_NOT_AGREED;
406 }
407 }
408 return FORBIDDEN_OPER;
409 }
410 if (needRes) {
411 return DYNAMIC_OPER;
412 }
413 if (fixedByPolicyRes) {
414 return FORBIDDEN_OPER;
415 }
416 return PASS_OPER;
417 }
418
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)419 int AccessTokenManagerService::GetPermissionFlag(
420 AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
421 {
422 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
423 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
424 return AccessTokenError::ERR_NOT_SYSTEM_APP;
425 }
426 if (!IsPrivilegedCalling() &&
427 VerifyAccessToken(callingTokenID, GRANT_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED &&
428 VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED &&
429 VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED &&
430 VerifyAccessToken(callingTokenID, MANAGE_EDM_POLICY) == PERMISSION_DENIED) {
431 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
432 return AccessTokenError::ERR_PERMISSION_DENIED;
433 }
434 return PermissionManager::GetInstance().GetPermissionFlag(tokenID, permissionName, flag);
435 }
436
SetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t status,int32_t userID=0)437 int32_t AccessTokenManagerService::SetPermissionRequestToggleStatus(
438 const std::string& permissionName, uint32_t status, int32_t userID = 0)
439 {
440 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
441 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
442 return AccessTokenError::ERR_NOT_SYSTEM_APP;
443 }
444
445 if (!IsPrivilegedCalling() && VerifyAccessToken(callingTokenID, DISABLE_PERMISSION_DIALOG) == PERMISSION_DENIED) {
446 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
447 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR, "CALLER_TOKENID",
448 callingTokenID, "PERMISSION_NAME", permissionName, "INTERFACE", "SetToggleStatus");
449 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d).", callingTokenID);
450 return AccessTokenError::ERR_PERMISSION_DENIED;
451 }
452 return AccessTokenInfoManager::GetInstance().SetPermissionRequestToggleStatus(permissionName, status, userID);
453 }
454
GetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t & status,int32_t userID=0)455 int32_t AccessTokenManagerService::GetPermissionRequestToggleStatus(
456 const std::string& permissionName, uint32_t& status, int32_t userID = 0)
457 {
458 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
459 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
460 return AccessTokenError::ERR_NOT_SYSTEM_APP;
461 }
462
463 if (!IsShellProcessCalling() && !IsPrivilegedCalling() &&
464 VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
465 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
466 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR, "CALLER_TOKENID",
467 callingTokenID, "PERMISSION_NAME", permissionName, "INTERFACE", "GetToggleStatus");
468 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d).", callingTokenID);
469 return AccessTokenError::ERR_PERMISSION_DENIED;
470 }
471 return AccessTokenInfoManager::GetInstance().GetPermissionRequestToggleStatus(permissionName, status, userID);
472 }
473
RequestAppPermOnSetting(AccessTokenID tokenID)474 int32_t AccessTokenManagerService::RequestAppPermOnSetting(AccessTokenID tokenID)
475 {
476 if (!IsSystemAppCalling()) {
477 return AccessTokenError::ERR_NOT_SYSTEM_APP;
478 }
479
480 HapTokenInfo hapInfo;
481 int32_t ret = AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo);
482 if (ret != ERR_OK) {
483 LOGE(ATM_DOMAIN, ATM_TAG, "GetHapTokenInfo failed, err=%{public}d.", ret);
484 return ret;
485 }
486 return PermissionManager::GetInstance().RequestAppPermOnSetting(hapInfo,
487 grantBundleName_, applicationSettingAbilityName_);
488 }
489
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)490 int AccessTokenManagerService::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
491 {
492 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
493 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
494 return AccessTokenError::ERR_NOT_SYSTEM_APP;
495 }
496
497 if (!IsPrivilegedCalling() &&
498 VerifyAccessToken(callingTokenID, GRANT_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
499 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
500 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR,
501 "CALLER_TOKENID", callingTokenID, "PERMISSION_NAME", permissionName);
502 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
503 return AccessTokenError::ERR_PERMISSION_DENIED;
504 }
505
506 int32_t ret = PermissionManager::GetInstance().GrantPermission(tokenID, permissionName, flag);
507 return ret;
508 }
509
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)510 int AccessTokenManagerService::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
511 {
512 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
513 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
514 return AccessTokenError::ERR_NOT_SYSTEM_APP;
515 }
516
517 if (!IsPrivilegedCalling() &&
518 VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
519 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
520 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR,
521 "CALLER_TOKENID", callingTokenID, "PERMISSION_NAME", permissionName);
522 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
523 return AccessTokenError::ERR_PERMISSION_DENIED;
524 }
525 return PermissionManager::GetInstance().RevokePermission(tokenID, permissionName, flag);
526 }
527
GrantPermissionForSpecifiedTime(AccessTokenID tokenID,const std::string & permissionName,uint32_t onceTime)528 int AccessTokenManagerService::GrantPermissionForSpecifiedTime(
529 AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime)
530 {
531 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
532 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
533 return AccessTokenError::ERR_NOT_SYSTEM_APP;
534 }
535
536 if (!IsPrivilegedCalling() &&
537 VerifyAccessToken(callingTokenID, GRANT_SHORT_TERM_WRITE_MEDIAVIDEO) == PERMISSION_DENIED) {
538 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
539 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR,
540 "CALLER_TOKENID", callingTokenID, "PERMISSION_NAME", permissionName);
541 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
542 return AccessTokenError::ERR_PERMISSION_DENIED;
543 }
544
545 int32_t ret = PermissionManager::GetInstance().GrantPermissionForSpecifiedTime(tokenID, permissionName, onceTime);
546 return ret;
547 }
548
ClearUserGrantedPermissionState(AccessTokenID tokenID)549 int AccessTokenManagerService::ClearUserGrantedPermissionState(AccessTokenID tokenID)
550 {
551 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
552 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
553 if (!IsPrivilegedCalling() &&
554 VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
555 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
556 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR,
557 "CALLER_TOKENID", callingTokenID);
558 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
559 return AccessTokenError::ERR_PERMISSION_DENIED;
560 }
561
562 AccessTokenInfoManager::GetInstance().ClearUserGrantedPermissionState(tokenID);
563 AccessTokenInfoManager::GetInstance().SetPermDialogCap(tokenID, false);
564 return RET_SUCCESS;
565 }
566
SetPermissionStatusWithPolicy(AccessTokenID tokenID,const std::vector<std::string> & permissionList,int32_t status,uint32_t flag)567 int32_t AccessTokenManagerService::SetPermissionStatusWithPolicy(
568 AccessTokenID tokenID, const std::vector<std::string>& permissionList, int32_t status, uint32_t flag)
569 {
570 LOGI(ATM_DOMAIN, ATM_TAG, "tokenID: %{public}d, permList size:%{public}zu, status: %{public}d, flag: %{public}u.",
571 tokenID, permissionList.size(), status, flag);
572 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
573 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
574 return AccessTokenError::ERR_NOT_SYSTEM_APP;
575 }
576 if (!IsPrivilegedCalling() &&
577 VerifyAccessToken(callingTokenID, MANAGE_EDM_POLICY) == PERMISSION_DENIED) {
578 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
579 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR, "CALLER_TOKENID",
580 callingTokenID);
581 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d).", callingTokenID);
582 return AccessTokenError::ERR_PERMISSION_DENIED;
583 }
584 if (!DataValidator::IsPermissionListSizeValid(permissionList)) {
585 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionList size is invalid: %{public}zu.", permissionList.size());
586 return AccessTokenError::ERR_PARAM_INVALID;
587 }
588 return PermissionManager::GetInstance().SetPermissionStatusWithPolicy(tokenID, permissionList, status, flag);
589 }
590
RegisterPermStateChangeCallback(const PermStateChangeScopeParcel & scope,const sptr<IRemoteObject> & callback)591 int32_t AccessTokenManagerService::RegisterPermStateChangeCallback(
592 const PermStateChangeScopeParcel& scope, const sptr<IRemoteObject>& callback)
593 {
594 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
595 if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
596 return AccessTokenError::ERR_NOT_SYSTEM_APP;
597 }
598 if (VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
599 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
600 return AccessTokenError::ERR_PERMISSION_DENIED;
601 }
602 return PermissionManager::GetInstance().AddPermStateChangeCallback(scope.scope, callback);
603 }
604
UnRegisterPermStateChangeCallback(const sptr<IRemoteObject> & callback)605 int32_t AccessTokenManagerService::UnRegisterPermStateChangeCallback(const sptr<IRemoteObject>& callback)
606 {
607 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
608 if ((this->GetTokenType(callingToken) == TOKEN_HAP) && (!IsSystemAppCalling())) {
609 return AccessTokenError::ERR_NOT_SYSTEM_APP;
610 }
611 if (VerifyAccessToken(callingToken, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
612 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
613
614 return AccessTokenError::ERR_PERMISSION_DENIED;
615 }
616 return PermissionManager::GetInstance().RemovePermStateChangeCallback(callback);
617 }
618
RegisterSelfPermStateChangeCallback(const PermStateChangeScopeParcel & scope,const sptr<IRemoteObject> & callback)619 int32_t AccessTokenManagerService::RegisterSelfPermStateChangeCallback(
620 const PermStateChangeScopeParcel& scope, const sptr<IRemoteObject>& callback)
621 {
622 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
623 if (this->GetTokenType(callingTokenID) != TOKEN_HAP) {
624 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is not hap.");
625 return AccessTokenError::ERR_PARAM_INVALID;
626 }
627 return PermissionManager::GetInstance().AddPermStateChangeCallback(scope.scope, callback);
628 }
629
UnRegisterSelfPermStateChangeCallback(const sptr<IRemoteObject> & callback)630 int32_t AccessTokenManagerService::UnRegisterSelfPermStateChangeCallback(const sptr<IRemoteObject>& callback)
631 {
632 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
633 if (this->GetTokenType(callingToken) != TOKEN_HAP) {
634 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is not hap.");
635 return AccessTokenError::ERR_PARAM_INVALID;
636 }
637 return PermissionManager::GetInstance().RemovePermStateChangeCallback(callback);
638 }
639
AllocHapToken(const HapInfoParcel & info,const HapPolicyParcel & policy,uint64_t & fullTokenId)640 int32_t AccessTokenManagerService::AllocHapToken(const HapInfoParcel& info, const HapPolicyParcel& policy,
641 uint64_t& fullTokenId)
642 {
643 LOGI(ATM_DOMAIN, ATM_TAG, "BundleName: %{public}s", info.hapInfoParameter.bundleName.c_str());
644 AccessTokenIDEx tokenIdEx;
645 tokenIdEx.tokenIDEx = 0LL;
646
647 AccessTokenID tokenID = IPCSkeleton::GetCallingTokenID();
648 if (!IsPrivilegedCalling() &&
649 (VerifyAccessToken(tokenID, MANAGE_HAP_TOKENID_PERMISSION) == PERMISSION_DENIED)) {
650 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", tokenID);
651 fullTokenId = static_cast<uint64_t>(tokenIdEx.tokenIDEx);
652 return ERR_OK;
653 }
654
655 std::vector<GenericValues> undefValues;
656 int ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(
657 info.hapInfoParameter, policy.hapPolicy, tokenIdEx, undefValues);
658 if (ret != RET_SUCCESS) {
659 LOGE(ATM_DOMAIN, ATM_TAG, "Hap token info create failed");
660 }
661 fullTokenId = static_cast<uint64_t>(tokenIdEx.tokenIDEx);
662 return ERR_OK;
663 }
664
TransferHapPolicy(const HapPolicy & policyIn,HapPolicy & policyOut)665 static void TransferHapPolicy(const HapPolicy& policyIn, HapPolicy& policyOut)
666 {
667 policyOut.apl = policyIn.apl;
668 policyOut.domain = policyIn.domain;
669 policyOut.permList.assign(policyIn.permList.begin(), policyIn.permList.end());
670 policyOut.aclRequestedList.assign(policyIn.aclRequestedList.begin(), policyIn.aclRequestedList.end());
671 policyOut.preAuthorizationInfo.assign(policyIn.preAuthorizationInfo.begin(), policyIn.preAuthorizationInfo.end());
672 for (const auto& perm : policyIn.permStateList) {
673 PermissionStatus tmp;
674 tmp.permissionName = perm.permissionName;
675 tmp.grantStatus = perm.grantStatus;
676 tmp.grantFlag = perm.grantFlag;
677 policyOut.permStateList.emplace_back(tmp);
678 }
679 policyOut.checkIgnore = policyIn.checkIgnore;
680 policyOut.aclExtendedMap = policyIn.aclExtendedMap;
681 }
682
DumpEventInfo(const HapPolicy & policy,HapDfxInfo & dfxInfo)683 static void DumpEventInfo(const HapPolicy& policy, HapDfxInfo& dfxInfo)
684 {
685 dfxInfo.permInfo = std::to_string(policy.permStateList.size()) + " : [";
686 for (const auto& permState : policy.permStateList) {
687 dfxInfo.permInfo.append(permState.permissionName + ", ");
688 }
689 dfxInfo.permInfo.append("]");
690
691 dfxInfo.aclInfo = std::to_string(policy.aclRequestedList.size()) + " : [";
692 for (const auto& perm : policy.aclRequestedList) {
693 dfxInfo.aclInfo.append(perm + ", ");
694 }
695 dfxInfo.aclInfo.append("]");
696
697 dfxInfo.preauthInfo = std::to_string(policy.preAuthorizationInfo.size()) + " : [";
698 for (const auto& preAuthInfo : policy.preAuthorizationInfo) {
699 dfxInfo.preauthInfo.append(preAuthInfo.permissionName + ", ");
700 }
701 dfxInfo.preauthInfo.append("]");
702
703 dfxInfo.extendInfo = std::to_string(policy.aclExtendedMap.size()) + " : {";
704 for (const auto& aclExtend : policy.aclExtendedMap) {
705 dfxInfo.extendInfo.append(aclExtend.first + ": " + aclExtend.second + ", ");
706 }
707 dfxInfo.extendInfo.append("}");
708 }
709
ReportAddHap(AccessTokenIDEx fullTokenId,const HapInfoParams & info,const HapPolicy & policy,int64_t beginTime,int32_t errorCode)710 void AccessTokenManagerService::ReportAddHap(AccessTokenIDEx fullTokenId, const HapInfoParams& info,
711 const HapPolicy& policy, int64_t beginTime, int32_t errorCode)
712 {
713 HapDfxInfo dfxInfo;
714 dfxInfo.ipcCode = static_cast<int32_t>(IAccessTokenManagerIpcCode::COMMAND_INIT_HAP_TOKEN);
715 dfxInfo.tokenId = fullTokenId.tokenIdExStruct.tokenID;
716 dfxInfo.tokenIdEx = fullTokenId;
717 dfxInfo.userID = info.userID;
718 dfxInfo.bundleName = info.bundleName;
719 dfxInfo.instIndex = info.instIndex;
720 dfxInfo.duration = TimeUtil::GetCurrentTimestamp() - beginTime;
721
722 // add
723 dfxInfo.sceneCode = static_cast<int32_t>(AddHapSceneCode::INSTALL_FINISH);
724 dfxInfo.dlpType = static_cast<HapDlpType>(info.dlpType);
725 dfxInfo.isRestore = info.isRestore;
726
727 DumpEventInfo(policy, dfxInfo);
728 ReportSysEventAddHap(errorCode, dfxInfo, true);
729 }
730
ReportUpdateHap(AccessTokenIDEx fullTokenId,const HapTokenInfo & info,const HapPolicy & policy,int64_t beginTime,int32_t errorCode)731 void AccessTokenManagerService::ReportUpdateHap(AccessTokenIDEx fullTokenId, const HapTokenInfo& info,
732 const HapPolicy& policy, int64_t beginTime, int32_t errorCode)
733 {
734 HapDfxInfo dfxInfo;
735 dfxInfo.ipcCode = static_cast<int32_t>(IAccessTokenManagerIpcCode::COMMAND_UPDATE_HAP_TOKEN);
736 dfxInfo.tokenId = fullTokenId.tokenIdExStruct.tokenID;
737 dfxInfo.tokenIdEx = fullTokenId;
738 dfxInfo.userID = info.userID;
739 dfxInfo.bundleName = info.bundleName;
740 dfxInfo.instIndex = info.instIndex;
741 dfxInfo.duration = TimeUtil::GetCurrentTimestamp() - beginTime;
742
743 DumpEventInfo(policy, dfxInfo);
744 ReportSysEventUpdateHap(errorCode, dfxInfo);
745 }
746
InitHapToken(const HapInfoParcel & info,const HapPolicyParcel & policy,uint64_t & fullTokenId,HapInfoCheckResultIdl & resultInfoIdl)747 int32_t AccessTokenManagerService::InitHapToken(const HapInfoParcel& info, const HapPolicyParcel& policy,
748 uint64_t& fullTokenId, HapInfoCheckResultIdl& resultInfoIdl)
749 {
750 LOGI(ATM_DOMAIN, ATM_TAG, "Init hap %{public}s.", info.hapInfoParameter.bundleName.c_str());
751 AccessTokenID tokenID = IPCSkeleton::GetCallingTokenID();
752 if (!IsPrivilegedCalling() &&
753 (VerifyAccessToken(tokenID, MANAGE_HAP_TOKENID_PERMISSION) == PERMISSION_DENIED)) {
754 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", tokenID);
755 return AccessTokenError::ERR_PERMISSION_DENIED;
756 }
757
758 int64_t beginTime = TimeUtil::GetCurrentTimestamp();
759 HapPolicy policyCopy;
760 TransferHapPolicy(policy.hapPolicy, policyCopy);
761
762 resultInfoIdl.realResult = ERR_OK;
763 std::vector<PermissionStatus> initializedList;
764 std::vector<GenericValues> undefValues;
765 if (info.hapInfoParameter.dlpType == DLP_COMMON) {
766 HapInfoCheckResult permCheckResult;
767 HapInitInfo initInfo;
768 initInfo.installInfo = info.hapInfoParameter;
769 initInfo.policy = policyCopy;
770 initInfo.bundleName = info.hapInfoParameter.bundleName;
771 if (!PermissionManager::GetInstance().InitPermissionList(initInfo, initializedList, permCheckResult,
772 undefValues)) {
773 resultInfoIdl.realResult = ERROR;
774 resultInfoIdl.permissionName = permCheckResult.permCheckResult.permissionName;
775 int32_t rule = permCheckResult.permCheckResult.rule;
776 resultInfoIdl.rule = static_cast<PermissionRulesEnumIdl>(rule);
777 ReportAddHap({0}, info.hapInfoParameter, policyCopy, beginTime, ERR_PERM_REQUEST_CFG_FAILED);
778 return ERR_OK;
779 }
780 } else {
781 if (!PermissionManager::GetInstance().InitDlpPermissionList(
782 info.hapInfoParameter.bundleName, info.hapInfoParameter.userID, initializedList, undefValues)) {
783 ReportAddHap({0}, info.hapInfoParameter, policyCopy, beginTime, ERR_PERM_REQUEST_CFG_FAILED);
784 return ERR_PERM_REQUEST_CFG_FAILED;
785 }
786 }
787 policyCopy.permStateList = initializedList;
788
789 AccessTokenIDEx tokenIdEx;
790 int32_t ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(
791 info.hapInfoParameter, policyCopy, tokenIdEx, undefValues);
792 fullTokenId = tokenIdEx.tokenIDEx;
793 ReportAddHap(tokenIdEx, info.hapInfoParameter, policyCopy, beginTime, ret);
794 return ret;
795 }
796
DeleteToken(AccessTokenID tokenID)797 int AccessTokenManagerService::DeleteToken(AccessTokenID tokenID)
798 {
799 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
800 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
801 if (!IsPrivilegedCalling() &&
802 (VerifyAccessToken(callingTokenID, MANAGE_HAP_TOKENID_PERMISSION) == PERMISSION_DENIED)) {
803 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
804 return AccessTokenError::ERR_PERMISSION_DENIED;
805 }
806 if (this->GetTokenType(tokenID) != TOKEN_HAP) {
807 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is not hap.", tokenID);
808 return AccessTokenError::ERR_PARAM_INVALID;
809 }
810
811 HapDfxInfo dfxInfo = {};
812 dfxInfo.tokenId = tokenID;
813 dfxInfo.ipcCode = static_cast<int32_t>(IAccessTokenManagerIpcCode::COMMAND_DELETE_TOKEN);
814 int64_t beginTime = TimeUtil::GetCurrentTimestamp();
815 HapTokenInfo hapInfo;
816 int32_t errorCode = AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo);
817 if (errorCode != ERR_OK) {
818 LOGC(ATM_DOMAIN, ATM_TAG, "GetHapTokenInfo failed, err=%{public}d.", errorCode);
819 dfxInfo.duration = TimeUtil::GetCurrentTimestamp() - beginTime;
820 ReportSysEventDelHap(errorCode, dfxInfo);
821 return errorCode;
822 }
823
824 // only support hap token deletion
825 errorCode = AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID);
826
827 dfxInfo.userID = hapInfo.userID;
828 dfxInfo.bundleName = hapInfo.bundleName;
829 dfxInfo.instIndex = hapInfo.instIndex;
830 dfxInfo.duration = TimeUtil::GetCurrentTimestamp() - beginTime;
831 ReportSysEventDelHap(errorCode, dfxInfo);
832 return errorCode;
833 }
834
GetTokenType(AccessTokenID tokenID)835 int AccessTokenManagerService::GetTokenType(AccessTokenID tokenID)
836 {
837 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
838 return AccessTokenIDManager::GetInstance().GetTokenIdType(tokenID);
839 }
840
GetTokenType(AccessTokenID tokenID,int32_t & tokenType)841 int AccessTokenManagerService::GetTokenType(AccessTokenID tokenID, int32_t& tokenType)
842 {
843 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
844 tokenType = AccessTokenIDManager::GetInstance().GetTokenIdType(tokenID);
845 return ERR_OK;
846 }
847
GetHapTokenID(int32_t userID,const std::string & bundleName,int32_t instIndex,uint64_t & fullTokenId)848 int32_t AccessTokenManagerService::GetHapTokenID(
849 int32_t userID, const std::string& bundleName, int32_t instIndex, uint64_t& fullTokenId)
850 {
851 LOGD(ATM_DOMAIN, ATM_TAG, "UserID: %{public}d, bundle: %{public}s, instIndex: %{public}d",
852 userID, bundleName.c_str(), instIndex);
853 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
854 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
855
856 AccessTokenIDEx tokenIdEx = {0};
857 fullTokenId = tokenIdEx.tokenIDEx;
858 return ERR_OK;
859 }
860 AccessTokenIDEx tokenIdEx = AccessTokenInfoManager::GetInstance().GetHapTokenID(userID, bundleName, instIndex);
861 fullTokenId = tokenIdEx.tokenIDEx;
862 return ERR_OK;
863 }
864
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID,AccessTokenID & tokenId)865 int32_t AccessTokenManagerService::AllocLocalTokenID(
866 const std::string& remoteDeviceID, AccessTokenID remoteTokenID, AccessTokenID& tokenId)
867 {
868 LOGI(ATM_DOMAIN, ATM_TAG, "RemoteDeviceID: %{public}s, remoteTokenID: %{public}d",
869 ConstantCommon::EncryptDevId(remoteDeviceID).c_str(), remoteTokenID);
870 if ((!IsNativeProcessCalling()) && !IsPrivilegedCalling()) {
871 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
872 tokenId = INVALID_TOKENID;
873 return ERR_OK;
874 }
875 AccessTokenID tokenID = AccessTokenInfoManager::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
876 tokenId = tokenID;
877 return ERR_OK;
878 }
879
UpdateHapToken(uint64_t & fullTokenId,const UpdateHapInfoParamsIdl & infoIdl,const HapPolicyParcel & policyParcel,HapInfoCheckResultIdl & resultInfoIdl)880 int32_t AccessTokenManagerService::UpdateHapToken(uint64_t& fullTokenId, const UpdateHapInfoParamsIdl& infoIdl,
881 const HapPolicyParcel& policyParcel, HapInfoCheckResultIdl& resultInfoIdl)
882 {
883 AccessTokenIDEx tokenIdEx;
884 tokenIdEx.tokenIDEx = fullTokenId;
885 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenIdEx.tokenIdExStruct.tokenID);
886 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
887 if (!IsPrivilegedCalling() &&
888 (VerifyAccessToken(callingTokenID, MANAGE_HAP_TOKENID_PERMISSION) == PERMISSION_DENIED)) {
889 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
890 return AccessTokenError::ERR_PERMISSION_DENIED;
891 }
892 int64_t beginTime = TimeUtil::GetCurrentTimestamp();
893 HapTokenInfo hapInfo = { 0 };
894 int32_t error = AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenIdEx.tokenIdExStruct.tokenID, hapInfo);
895 if (error != ERR_OK) {
896 LOGC(ATM_DOMAIN, ATM_TAG, "GetHapTokenInfo failed, err=%{public}d.", error);
897 ReportUpdateHap(tokenIdEx, hapInfo, policyParcel.hapPolicy, beginTime, error);
898 return error;
899 }
900
901 UpdateHapInfoParams info;
902 info.appIDDesc = infoIdl.appIDDesc;
903 info.apiVersion = infoIdl.apiVersion;
904 info.isSystemApp = infoIdl.isSystemApp;
905 info.appDistributionType = infoIdl.appDistributionType;
906 info.isAtomicService = infoIdl.isAtomicService;
907 info.dataRefresh = infoIdl.dataRefresh;
908
909 resultInfoIdl.realResult = ERR_OK;
910 HapInfoCheckResult permCheckResult;
911 std::vector<GenericValues> undefValues;
912 std::vector<PermissionStatus> initializedList;
913 HapInitInfo initInfo;
914 initInfo.updateInfo = info;
915 initInfo.policy = policyParcel.hapPolicy;
916 initInfo.isUpdate = true;
917 initInfo.bundleName = hapInfo.bundleName;
918 initInfo.tokenID = tokenIdEx.tokenIdExStruct.tokenID;
919 if (!PermissionManager::GetInstance().InitPermissionList(initInfo, initializedList, permCheckResult, undefValues)) {
920 resultInfoIdl.realResult = ERROR;
921 resultInfoIdl.permissionName = permCheckResult.permCheckResult.permissionName;
922 int32_t rule = permCheckResult.permCheckResult.rule;
923 resultInfoIdl.rule = static_cast<PermissionRulesEnumIdl>(rule);
924 ReportUpdateHap(tokenIdEx, hapInfo, policyParcel.hapPolicy, beginTime, ERR_PERM_REQUEST_CFG_FAILED);
925 return ERR_OK;
926 }
927
928 error = AccessTokenInfoManager::GetInstance().UpdateHapToken(tokenIdEx, info,
929 initializedList, policyParcel.hapPolicy, undefValues);
930 fullTokenId = tokenIdEx.tokenIDEx;
931 ReportUpdateHap(tokenIdEx, hapInfo, policyParcel.hapPolicy, beginTime, error);
932 return error;
933 }
934
GetTokenIDByUserID(int32_t userID,std::vector<AccessTokenID> & tokenIds)935 int32_t AccessTokenManagerService::GetTokenIDByUserID(int32_t userID, std::vector<AccessTokenID>& tokenIds)
936 {
937 LOGD(ATM_DOMAIN, ATM_TAG, "UserID: %{public}d", userID);
938
939 if (!IsNativeProcessCalling()) {
940 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
941 return AccessTokenError::ERR_PERMISSION_DENIED;
942 }
943 std::unordered_set<AccessTokenID> tokenIdList;
944
945 auto result = AccessTokenInfoManager::GetInstance().GetTokenIDByUserID(userID, tokenIdList);
946 std::copy(tokenIdList.begin(), tokenIdList.end(), std::back_inserter(tokenIds));
947 return result;
948 }
949
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfoParcel & infoParcel)950 int AccessTokenManagerService::GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfoParcel& infoParcel)
951 {
952 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
953
954 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
955 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
956 return AccessTokenError::ERR_PERMISSION_DENIED;
957 }
958
959 return AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, infoParcel.hapTokenInfoParams);
960 }
961
GetHapTokenInfoExtension(AccessTokenID tokenID,HapTokenInfoParcel & hapTokenInfoRes,std::string & appID)962 int AccessTokenManagerService::GetHapTokenInfoExtension(AccessTokenID tokenID,
963 HapTokenInfoParcel& hapTokenInfoRes, std::string& appID)
964 {
965 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d.", tokenID);
966 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
967 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
968 return AccessTokenError::ERR_PERMISSION_DENIED;
969 }
970
971 int ret = AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapTokenInfoRes.hapTokenInfoParams);
972 if (ret != RET_SUCCESS) {
973 LOGE(ATM_DOMAIN, ATM_TAG, "Get hap token info extenstion failed, ret is %{public}d.", ret);
974 return ret;
975 }
976
977 return AccessTokenInfoManager::GetInstance().GetHapAppIdByTokenId(tokenID, appID);
978 }
979
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfoParcel & infoParcel)980 int AccessTokenManagerService::GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfoParcel& infoParcel)
981 {
982 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
983
984 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
985 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d).", IPCSkeleton::GetCallingTokenID());
986 return AccessTokenError::ERR_PERMISSION_DENIED;
987 }
988
989 NativeTokenInfoBase baseInfo;
990 int32_t ret = AccessTokenInfoManager::GetInstance().GetNativeTokenInfo(tokenID, baseInfo);
991 infoParcel.nativeTokenInfoParams.apl = baseInfo.apl;
992 infoParcel.nativeTokenInfoParams.processName = baseInfo.processName;
993 return ret;
994 }
995
996 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
ReloadNativeTokenInfo()997 int32_t AccessTokenManagerService::ReloadNativeTokenInfo()
998 {
999 if (!IsPrivilegedCalling()) {
1000 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
1001 return AccessTokenError::ERR_PERMISSION_DENIED;
1002 }
1003 LibraryLoader loader(CONFIG_PARSE_LIBPATH);
1004 ConfigPolicyLoaderInterface* policy = loader.GetObject<ConfigPolicyLoaderInterface>();
1005 if (policy == nullptr) {
1006 LOGE(ATM_DOMAIN, ATM_TAG, "Dlopen libaccesstoken_json_parse failed.");
1007 return RET_FAILED;
1008 }
1009
1010 std::vector<NativeTokenInfoBase> tokenInfos;
1011 int32_t res = policy->GetAllNativeTokenInfo(tokenInfos);
1012 if (res != RET_SUCCESS) {
1013 return res;
1014 }
1015
1016 AccessTokenInfoManager::GetInstance().InitNativeTokenInfos(tokenInfos);
1017 return RET_SUCCESS;
1018 }
1019 #endif
1020
GetNativeTokenId(const std::string & processName,AccessTokenID & tokenID)1021 int32_t AccessTokenManagerService::GetNativeTokenId(const std::string& processName, AccessTokenID& tokenID)
1022 {
1023 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
1024 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
1025 tokenID = INVALID_TOKENID;
1026 return ERR_OK;
1027 }
1028 tokenID = AccessTokenInfoManager::GetInstance().GetNativeTokenId(processName);
1029 return ERR_OK;
1030 }
1031
1032 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSyncParcel & hapSyncParcel)1033 int AccessTokenManagerService::GetHapTokenInfoFromRemote(AccessTokenID tokenID,
1034 HapTokenInfoForSyncParcel& hapSyncParcel)
1035 {
1036 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
1037
1038 if (!IsAccessTokenCalling()) {
1039 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
1040 return AccessTokenError::ERR_PERMISSION_DENIED;
1041 }
1042 return AccessTokenInfoManager::GetInstance().GetHapTokenInfoFromRemote(tokenID,
1043 hapSyncParcel.hapTokenInfoForSyncParams);
1044 }
1045
TransferHapTokenInfoForSync(const HapTokenInfoForSync & policyIn,HapTokenInfoForSync & policyOut)1046 static void TransferHapTokenInfoForSync(const HapTokenInfoForSync& policyIn, HapTokenInfoForSync& policyOut)
1047 {
1048 policyOut.baseInfo.ver = policyIn.baseInfo.ver;
1049 policyOut.baseInfo.userID = policyIn.baseInfo.userID;
1050 policyOut.baseInfo.bundleName = policyIn.baseInfo.bundleName;
1051 policyOut.baseInfo.apiVersion = policyIn.baseInfo.apiVersion;
1052 policyOut.baseInfo.instIndex = policyIn.baseInfo.instIndex;
1053 policyOut.baseInfo.dlpType = policyIn.baseInfo.dlpType;
1054 policyOut.baseInfo.tokenID = policyIn.baseInfo.tokenID;
1055 policyOut.baseInfo.tokenAttr = policyIn.baseInfo.tokenAttr;
1056 for (const auto& item : policyIn.permStateList) {
1057 PermissionStatus tmp;
1058 tmp.permissionName = item.permissionName;
1059 tmp.grantStatus = item.grantStatus;
1060 tmp.grantFlag = item.grantFlag;
1061 policyOut.permStateList.emplace_back(tmp);
1062 }
1063 }
1064
SetRemoteHapTokenInfo(const std::string & deviceID,const HapTokenInfoForSyncParcel & hapSyncParcel)1065 int AccessTokenManagerService::SetRemoteHapTokenInfo(const std::string& deviceID,
1066 const HapTokenInfoForSyncParcel& hapSyncParcel)
1067 {
1068 LOGI(ATM_DOMAIN, ATM_TAG, "DeviceID: %{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
1069
1070 if (!IsAccessTokenCalling()) {
1071 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
1072 return AccessTokenError::ERR_PERMISSION_DENIED;
1073 }
1074 HapTokenInfoForSyncParcel hapSyncParcelCopy;
1075 TransferHapTokenInfoForSync(hapSyncParcel.hapTokenInfoForSyncParams, hapSyncParcelCopy.hapTokenInfoForSyncParams);
1076
1077 int ret = AccessTokenInfoManager::GetInstance().SetRemoteHapTokenInfo(deviceID,
1078 hapSyncParcelCopy.hapTokenInfoForSyncParams);
1079 return ret;
1080 }
1081
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)1082 int AccessTokenManagerService::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
1083 {
1084 LOGI(ATM_DOMAIN, ATM_TAG, "DeviceID: %{public}s, token id %{public}d",
1085 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
1086
1087 if (!IsAccessTokenCalling()) {
1088 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
1089 return AccessTokenError::ERR_PERMISSION_DENIED;
1090 }
1091 return AccessTokenInfoManager::GetInstance().DeleteRemoteToken(deviceID, tokenID);
1092 }
1093
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID,AccessTokenID & tokenId)1094 int32_t AccessTokenManagerService::GetRemoteNativeTokenID(const std::string& deviceID,
1095 AccessTokenID tokenID, AccessTokenID& tokenId)
1096 {
1097 LOGI(ATM_DOMAIN, ATM_TAG, "DeviceID: %{public}s, token id %{public}d",
1098 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
1099
1100 if (!IsAccessTokenCalling()) {
1101 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
1102 tokenId = INVALID_TOKENID;
1103 return ERR_OK;
1104 }
1105 tokenId = AccessTokenInfoManager::GetInstance().GetRemoteNativeTokenID(deviceID, tokenID);
1106 return ERR_OK;
1107 }
1108
DeleteRemoteDeviceTokens(const std::string & deviceID)1109 int AccessTokenManagerService::DeleteRemoteDeviceTokens(const std::string& deviceID)
1110 {
1111 LOGI(ATM_DOMAIN, ATM_TAG, "DeviceID: %{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
1112
1113 if (!IsAccessTokenCalling()) {
1114 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
1115 return AccessTokenError::ERR_PERMISSION_DENIED;
1116 }
1117 return AccessTokenInfoManager::GetInstance().DeleteRemoteDeviceTokens(deviceID);
1118 }
1119
RegisterTokenSyncCallback(const sptr<IRemoteObject> & callback)1120 int32_t AccessTokenManagerService::RegisterTokenSyncCallback(const sptr<IRemoteObject>& callback)
1121 {
1122 LOGI(ATM_DOMAIN, ATM_TAG, "Call token sync callback registed.");
1123
1124 if (!IsAccessTokenCalling()) {
1125 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied, tokenID=%{public}d", IPCSkeleton::GetCallingTokenID());
1126 return AccessTokenError::ERR_PERMISSION_DENIED;
1127 }
1128 return TokenModifyNotifier::GetInstance().RegisterTokenSyncCallback(callback);
1129 }
1130
UnRegisterTokenSyncCallback()1131 int32_t AccessTokenManagerService::UnRegisterTokenSyncCallback()
1132 {
1133 LOGI(ATM_DOMAIN, ATM_TAG, "Call token sync callback unregisted.");
1134
1135 if (!IsAccessTokenCalling()) {
1136 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied, tokenID=%{public}d", IPCSkeleton::GetCallingTokenID());
1137 return AccessTokenError::ERR_PERMISSION_DENIED;
1138 }
1139 TokenModifyNotifier::GetInstance().UnRegisterTokenSyncCallback();
1140 return ERR_OK;
1141 }
1142 #endif
1143
DumpTokenInfo(const AtmToolsParamInfoParcel & infoParcel,std::string & dumpInfo)1144 int32_t AccessTokenManagerService::DumpTokenInfo(const AtmToolsParamInfoParcel& infoParcel, std::string& dumpInfo)
1145 {
1146 LOGI(ATM_DOMAIN, ATM_TAG, "Called");
1147 if (!IsShellProcessCalling()) {
1148 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
1149 dumpInfo = "";
1150 return ERR_OK;
1151 }
1152
1153 bool isDeveloperMode = OHOS::system::GetBoolParameter(DEVELOPER_MODE_STATE, false);
1154 if (!isDeveloperMode) {
1155 dumpInfo = "Developer mode not support.";
1156 return ERR_OK;
1157 }
1158
1159 AccessTokenInfoManager::GetInstance().DumpTokenInfo(infoParcel.info, dumpInfo);
1160 return ERR_OK;
1161 }
1162
GetVersion(uint32_t & version)1163 int32_t AccessTokenManagerService::GetVersion(uint32_t& version)
1164 {
1165 LOGI(ATM_DOMAIN, ATM_TAG, "Called");
1166 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
1167 if ((this->GetTokenType(callingToken) == TOKEN_HAP) && (!IsSystemAppCalling())) {
1168 return AccessTokenError::ERR_NOT_SYSTEM_APP;
1169 }
1170 version = DEFAULT_TOKEN_VERSION;
1171 return RET_SUCCESS;
1172 }
1173
SetPermDialogCap(const HapBaseInfoParcel & hapBaseInfoParcel,bool enable)1174 int32_t AccessTokenManagerService::SetPermDialogCap(const HapBaseInfoParcel& hapBaseInfoParcel, bool enable)
1175 {
1176 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
1177 if (VerifyAccessToken(callingToken, DISABLE_PERMISSION_DIALOG) == PERMISSION_DENIED) {
1178 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
1179 return AccessTokenError::ERR_PERMISSION_DENIED;
1180 }
1181
1182 AccessTokenIDEx tokenIdEx = AccessTokenInfoManager::GetInstance().GetHapTokenID(
1183 hapBaseInfoParcel.hapBaseInfo.userID,
1184 hapBaseInfoParcel.hapBaseInfo.bundleName,
1185 hapBaseInfoParcel.hapBaseInfo.instIndex);
1186 int32_t ret = AccessTokenInfoManager::GetInstance().SetPermDialogCap(tokenIdEx.tokenIdExStruct.tokenID, enable);
1187 // DFX
1188 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "SET_PERMISSION_DIALOG_CAP",
1189 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "TOKENID", tokenIdEx.tokenIdExStruct.tokenID,
1190 "USERID", hapBaseInfoParcel.hapBaseInfo.userID, "BUNDLENAME", hapBaseInfoParcel.hapBaseInfo.bundleName,
1191 "INSTINDEX", hapBaseInfoParcel.hapBaseInfo.instIndex, "ENABLE", enable);
1192 return ret;
1193 }
1194
GetPermissionManagerInfo(PermissionGrantInfoParcel & infoParcel)1195 int32_t AccessTokenManagerService::GetPermissionManagerInfo(PermissionGrantInfoParcel& infoParcel)
1196 {
1197 infoParcel.info.grantBundleName = grantBundleName_;
1198 infoParcel.info.grantAbilityName = grantAbilityName_;
1199 infoParcel.info.grantServiceAbilityName = grantServiceAbilityName_;
1200 infoParcel.info.permStateAbilityName = permStateAbilityName_;
1201 infoParcel.info.globalSwitchAbilityName = globalSwitchAbilityName_;
1202 return ERR_OK;
1203 }
1204
InitUserPolicy(const std::vector<UserStateIdl> & userIdlList,const std::vector<std::string> & permList)1205 int32_t AccessTokenManagerService::InitUserPolicy(
1206 const std::vector<UserStateIdl>& userIdlList, const std::vector<std::string>& permList)
1207 {
1208 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
1209 if (VerifyAccessToken(callingToken, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
1210 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
1211 return AccessTokenError::ERR_PERMISSION_DENIED;
1212 }
1213
1214 uint32_t userSize = userIdlList.size();
1215 uint32_t permSize = permList.size();
1216 if ((userSize > MAX_USER_POLICY_SIZE) || (permSize > MAX_USER_POLICY_SIZE)) {
1217 LOGE(ATM_DOMAIN, ATM_TAG, "Size %{public}u is invalid", userSize);
1218 return AccessTokenError::ERR_OVERSIZE;
1219 }
1220
1221 std::vector<UserState> userList;
1222 for (const auto& item : userIdlList) {
1223 UserState tmp;
1224 tmp.userId = item.userId;
1225 tmp.isActive = item.isActive;
1226 userList.emplace_back(tmp);
1227 }
1228 return AccessTokenInfoManager::GetInstance().InitUserPolicy(userList, permList);
1229 }
1230
UpdateUserPolicy(const std::vector<UserStateIdl> & userIdlList)1231 int32_t AccessTokenManagerService::UpdateUserPolicy(const std::vector<UserStateIdl>& userIdlList)
1232 {
1233 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
1234 if (VerifyAccessToken(callingToken, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
1235 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
1236 return AccessTokenError::ERR_PERMISSION_DENIED;
1237 }
1238
1239 uint32_t userSize = userIdlList.size();
1240 if (userSize > MAX_USER_POLICY_SIZE) {
1241 LOGE(ATM_DOMAIN, ATM_TAG, "Size %{public}u is invalid", userSize);
1242 return AccessTokenError::ERR_OVERSIZE;
1243 }
1244
1245 std::vector<UserState> userList;
1246 for (const auto& item : userIdlList) {
1247 UserState tmp;
1248 tmp.userId = item.userId;
1249 tmp.isActive = item.isActive;
1250 userList.emplace_back(tmp);
1251 }
1252 return AccessTokenInfoManager::GetInstance().UpdateUserPolicy(userList);
1253 }
1254
ClearUserPolicy()1255 int32_t AccessTokenManagerService::ClearUserPolicy()
1256 {
1257 uint32_t callingToken = IPCSkeleton::GetCallingTokenID();
1258 if (VerifyAccessToken(callingToken, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
1259 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
1260 return AccessTokenError::ERR_PERMISSION_DENIED;
1261 }
1262
1263 return AccessTokenInfoManager::GetInstance().ClearUserPolicy();
1264 }
1265
AccessTokenServiceParamSet() const1266 void AccessTokenManagerService::AccessTokenServiceParamSet() const
1267 {
1268 int32_t res = SetParameter(ACCESS_TOKEN_SERVICE_INIT_KEY, std::to_string(1).c_str());
1269 if (res != 0) {
1270 LOGE(ATM_DOMAIN, ATM_TAG, "SetParameter ACCESS_TOKEN_SERVICE_INIT_KEY 1 failed %{public}d", res);
1271 return;
1272 }
1273 // 2 is to tell others sa that at service is loaded.
1274 res = SetParameter(ACCESS_TOKEN_SERVICE_INIT_KEY, std::to_string(2).c_str());
1275 if (res != 0) {
1276 LOGE(ATM_DOMAIN, ATM_TAG, "SetParameter ACCESS_TOKEN_SERVICE_INIT_KEY 2 failed %{public}d", res);
1277 return;
1278 }
1279 }
1280
SetFlagIfNeed(const AccessTokenServiceConfig & atConfig,int32_t & cancelTime,uint32_t & parseConfigFlag)1281 void AccessTokenManagerService::SetFlagIfNeed(const AccessTokenServiceConfig& atConfig,
1282 int32_t& cancelTime, uint32_t& parseConfigFlag)
1283 {
1284 parseConfigFlag = 0;
1285 // set value from config
1286 if (!atConfig.grantBundleName.empty()) {
1287 grantBundleName_ = atConfig.grantBundleName;
1288 parseConfigFlag = 0x1;
1289 }
1290 if (!atConfig.grantAbilityName.empty()) {
1291 grantAbilityName_ = atConfig.grantAbilityName;
1292 parseConfigFlag |= 0x1 << BITMAP_INDEX_1;
1293 }
1294 if (!atConfig.grantServiceAbilityName.empty()) {
1295 grantServiceAbilityName_ = atConfig.grantServiceAbilityName;
1296 parseConfigFlag |= 0x1 << BITMAP_INDEX_2;
1297 }
1298 if (!atConfig.permStateAbilityName.empty()) {
1299 permStateAbilityName_ = atConfig.permStateAbilityName;
1300 parseConfigFlag |= 0x1 << BITMAP_INDEX_3;
1301 }
1302 if (!atConfig.globalSwitchAbilityName.empty()) {
1303 globalSwitchAbilityName_ = atConfig.globalSwitchAbilityName;
1304 parseConfigFlag |= 0x1 << BITMAP_INDEX_4;
1305 }
1306 if (atConfig.cancelTime != 0) {
1307 cancelTime = atConfig.cancelTime;
1308 parseConfigFlag |= 0x1 << BITMAP_INDEX_5;
1309 }
1310 if (!atConfig.applicationSettingAbilityName.empty()) {
1311 applicationSettingAbilityName_ = atConfig.applicationSettingAbilityName;
1312 parseConfigFlag |= 0x1 << BITMAP_INDEX_6;
1313 }
1314 }
1315
GetConfigValue(uint32_t & parseConfigFlag)1316 void AccessTokenManagerService::GetConfigValue(uint32_t& parseConfigFlag)
1317 {
1318 grantBundleName_ = GRANT_ABILITY_BUNDLE_NAME;
1319 grantAbilityName_ = GRANT_ABILITY_ABILITY_NAME;
1320 grantServiceAbilityName_ = GRANT_ABILITY_ABILITY_NAME;
1321 permStateAbilityName_ = PERMISSION_STATE_SHEET_ABILITY_NAME;
1322 globalSwitchAbilityName_ = GLOBAL_SWITCH_SHEET_ABILITY_NAME;
1323 int32_t cancelTime = 0;
1324 applicationSettingAbilityName_ = APPLICATION_SETTING_ABILITY_NAME;
1325 LibraryLoader loader(CONFIG_PARSE_LIBPATH);
1326 ConfigPolicyLoaderInterface* policy = loader.GetObject<ConfigPolicyLoaderInterface>();
1327 if (policy == nullptr) {
1328 LOGE(ATM_DOMAIN, ATM_TAG, "Dlopen libaccesstoken_json_parse failed.");
1329 return;
1330 }
1331 AccessTokenConfigValue value;
1332 if (policy->GetConfigValue(ServiceType::ACCESSTOKEN_SERVICE, value)) {
1333 SetFlagIfNeed(value.atConfig, cancelTime, parseConfigFlag);
1334 }
1335 TempPermissionObserver::GetInstance().SetCancelTime(cancelTime);
1336 LOGI(ATM_DOMAIN, ATM_TAG, "GrantBundleName_ is %{public}s, grantAbilityName_ is %{public}s, "
1337 "grantServiceAbilityName_ is %{public}s, permStateAbilityName_ is %{public}s, "
1338 "globalSwitchAbilityName_ is %{public}s, applicationSettingAbilityName_ is %{public}s.",
1339 grantBundleName_.c_str(), grantAbilityName_.c_str(), grantServiceAbilityName_.c_str(),
1340 permStateAbilityName_.c_str(), globalSwitchAbilityName_.c_str(), applicationSettingAbilityName_.c_str());
1341 }
1342
GetKernelPermissions(AccessTokenID tokenId,std::vector<PermissionWithValueIdl> & kernelPermIdlList)1343 int32_t AccessTokenManagerService::GetKernelPermissions(
1344 AccessTokenID tokenId, std::vector<PermissionWithValueIdl>& kernelPermIdlList)
1345 {
1346 auto callingToken = IPCSkeleton::GetCallingTokenID();
1347 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
1348 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingToken);
1349 return AccessTokenError::ERR_PERMISSION_DENIED;
1350 }
1351
1352 std::vector<PermissionWithValue> kernelPermList;
1353 auto result = AccessTokenInfoManager::GetInstance().GetKernelPermissions(tokenId, kernelPermList);
1354 for (const auto& item : kernelPermList) {
1355 PermissionWithValueIdl tmp;
1356 tmp.permissionName = item.permissionName;
1357 tmp.value = item.value;
1358 kernelPermIdlList.emplace_back(tmp);
1359 }
1360 return result;
1361 }
1362
GetReqPermissionByName(AccessTokenID tokenId,const std::string & permissionName,std::string & value)1363 int32_t AccessTokenManagerService::GetReqPermissionByName(
1364 AccessTokenID tokenId, const std::string& permissionName, std::string& value)
1365 {
1366 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
1367 LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", IPCSkeleton::GetCallingTokenID());
1368 return AccessTokenError::ERR_PERMISSION_DENIED;
1369 }
1370 return AccessTokenInfoManager::GetInstance().GetReqPermissionByName(
1371 tokenId, permissionName, value);
1372 }
1373
FilterInvalidData(const std::vector<GenericValues> & results,const std::map<int32_t,TokenIdInfo> & tokenIdAplMap,std::vector<GenericValues> & validValueList)1374 void AccessTokenManagerService::FilterInvalidData(const std::vector<GenericValues>& results,
1375 const std::map<int32_t, TokenIdInfo>& tokenIdAplMap, std::vector<GenericValues>& validValueList)
1376 {
1377 int32_t tokenId = 0;
1378 std::string permissionName;
1379 std::string appDistributionType;
1380 int32_t acl = 0;
1381 std::string value;
1382 PermissionBriefDef data;
1383
1384 for (const auto& result : results) {
1385 tokenId = result.GetInt(TokenFiledConst::FIELD_TOKEN_ID);
1386 auto iter = tokenIdAplMap.find(tokenId);
1387 if (iter == tokenIdAplMap.end()) {
1388 continue;
1389 }
1390
1391 permissionName = result.GetString(TokenFiledConst::FIELD_PERMISSION_NAME);
1392 if (!GetPermissionBriefDef(permissionName, data)) {
1393 LOGW(ATM_DOMAIN, ATM_TAG, "permission %{public}s is still invalid!", permissionName.c_str());
1394 continue;
1395 }
1396
1397 PermissionRulesEnum rule = PERMISSION_ACL_RULE;
1398 appDistributionType = result.GetString(TokenFiledConst::FIELD_APP_DISTRIBUTION_TYPE);
1399 HapInitInfo initInfo;
1400 initInfo.tokenID = static_cast<AccessTokenID>(tokenId);
1401 if (!PermissionManager::GetInstance().IsPermAvailableRangeSatisfied(
1402 data, appDistributionType, iter->second.isSystemApp, rule, initInfo)) {
1403 continue;
1404 }
1405
1406 acl = result.GetInt(TokenFiledConst::FIELD_ACL);
1407 value = result.GetString(TokenFiledConst::FIELD_VALUE);
1408 if (!IsPermissionValid(iter->second.apl, data, value, (acl == 1))) {
1409 // hap apl less than perm apl without acl is invalid now, keep them in db, maybe valid someday
1410 continue;
1411 }
1412
1413 validValueList.emplace_back(result);
1414 }
1415 }
1416
UpdateUndefinedInfoCache(const std::vector<GenericValues> & validValueList,std::vector<GenericValues> & stateValues,std::vector<GenericValues> & extendValues)1417 void AccessTokenManagerService::UpdateUndefinedInfoCache(const std::vector<GenericValues>& validValueList,
1418 std::vector<GenericValues>& stateValues, std::vector<GenericValues>& extendValues)
1419 {
1420 std::string permissionName;
1421 PermissionState grantStatus;
1422 PermissionFlag grantFlag;
1423 AccessTokenID tokenId = 0;
1424 std::string value;
1425
1426 for (const auto& validValue : validValueList) {
1427 permissionName = validValue.GetString(TokenFiledConst::FIELD_PERMISSION_NAME);
1428 PermissionBriefDef data;
1429 if (!GetPermissionBriefDef(permissionName, data)) {
1430 continue;
1431 }
1432
1433 if (data.grantMode == GrantMode::USER_GRANT) {
1434 grantStatus = PermissionState::PERMISSION_DENIED;
1435 grantFlag = PermissionFlag::PERMISSION_DEFAULT_FLAG;
1436 } else {
1437 grantStatus = PermissionState::PERMISSION_GRANTED;
1438 grantFlag = PermissionFlag::PERMISSION_SYSTEM_FIXED;
1439 }
1440
1441 tokenId = static_cast<AccessTokenID>(validValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID));
1442 value = validValue.GetString(TokenFiledConst::FIELD_VALUE);
1443
1444 int32_t res = PermissionDataBrief::GetInstance().AddBriefPermData(tokenId, permissionName, grantStatus,
1445 grantFlag, value);
1446 if (res != RET_SUCCESS) {
1447 continue;
1448 }
1449
1450 PermissionManager::GetInstance().SetPermToKernel(tokenId, permissionName,
1451 (grantStatus == PermissionState::PERMISSION_GRANTED));
1452
1453 GenericValues stateValue;
1454 stateValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
1455 stateValue.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permissionName);
1456 stateValue.Put(TokenFiledConst::FIELD_DEVICE_ID, "");
1457 stateValue.Put(TokenFiledConst::FIELD_GRANT_IS_GENERAL, 1);
1458 stateValue.Put(TokenFiledConst::FIELD_GRANT_STATE, static_cast<int32_t>(grantStatus));
1459 stateValue.Put(TokenFiledConst::FIELD_GRANT_FLAG, static_cast<int32_t>(grantFlag));
1460 stateValues.emplace_back(stateValue);
1461
1462 if ((data.hasValue) && !value.empty()) {
1463 GenericValues extendValue;
1464 extendValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
1465 extendValue.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permissionName);
1466 extendValue.Put(TokenFiledConst::FIELD_VALUE, value);
1467 extendValues.emplace_back(extendValue);
1468 }
1469 }
1470 }
1471
IsPermissionValid(int32_t hapApl,const PermissionBriefDef & data,const std::string & value,bool isAcl)1472 bool AccessTokenManagerService::IsPermissionValid(int32_t hapApl, const PermissionBriefDef& data,
1473 const std::string& value, bool isAcl)
1474 {
1475 if (hapApl >= static_cast<int32_t>(data.availableLevel)) {
1476 return true; // not cross apl, this is valid
1477 }
1478
1479 if (isAcl) {
1480 return true; // cross apl but request by acl, this is valid
1481 } else {
1482 if (data.hasValue) {
1483 return !value.empty(); // permission hasValue is true and request with value, this is valid
1484 }
1485 return false;
1486 }
1487
1488 return false;
1489 }
1490
HandleHapUndefinedInfo(const std::map<int32_t,TokenIdInfo> & tokenIdAplMap,std::vector<DelInfo> & delInfoVec,std::vector<AddInfo> & addInfoVec)1491 void AccessTokenManagerService::HandleHapUndefinedInfo(const std::map<int32_t, TokenIdInfo>& tokenIdAplMap,
1492 std::vector<DelInfo>& delInfoVec, std::vector<AddInfo>& addInfoVec)
1493 {
1494 GenericValues conditionValue;
1495 std::vector<GenericValues> results;
1496
1497 // get all hap undefined data
1498 int32_t res = AccessTokenDbOperator::Find(AtmDataType::ACCESSTOKEN_HAP_UNDEFINE_INFO, conditionValue, results);
1499 if (res != 0) {
1500 return;
1501 }
1502
1503 if (results.empty()) {
1504 return;
1505 }
1506
1507 // filter invalid data
1508 std::vector<GenericValues> validValueList;
1509 FilterInvalidData(results, tokenIdAplMap, validValueList);
1510
1511 std::vector<GenericValues> stateValues;
1512 std::vector<GenericValues> extendValues;
1513 UpdateUndefinedInfoCache(validValueList, stateValues, extendValues);
1514
1515 DelInfo delInfo;
1516 for (const auto& value : validValueList) {
1517 delInfo.delType = AtmDataType::ACCESSTOKEN_HAP_UNDEFINE_INFO;
1518 delInfo.delValue = value;
1519 delInfoVec.emplace_back(delInfo);
1520 }
1521
1522 AddInfo addInfo;
1523 addInfo.addType = AtmDataType::ACCESSTOKEN_PERMISSION_STATE;
1524 addInfo.addValues = stateValues;
1525 addInfoVec.emplace_back(addInfo);
1526 addInfo.addType = AtmDataType::ACCESSTOKEN_PERMISSION_EXTEND_VALUE;
1527 addInfo.addValues = extendValues;
1528 addInfoVec.emplace_back(addInfo);
1529 }
1530
UpdateDatabaseAsync(const std::vector<DelInfo> & delInfoVec,const std::vector<AddInfo> & addInfoVec)1531 void AccessTokenManagerService::UpdateDatabaseAsync(const std::vector<DelInfo>& delInfoVec,
1532 const std::vector<AddInfo>& addInfoVec)
1533 {
1534 auto task = [delInfoVec, addInfoVec]() {
1535 LOGI(ATM_DOMAIN, ATM_TAG, "Entry!");
1536 (void)AccessTokenDbOperator::DeleteAndInsertValues(delInfoVec, addInfoVec);
1537 };
1538 std::thread updateDbThread(task);
1539 updateDbThread.detach();
1540 }
1541
HandlePermDefUpdate(const std::map<int32_t,TokenIdInfo> & tokenIdAplMap)1542 void AccessTokenManagerService::HandlePermDefUpdate(const std::map<int32_t, TokenIdInfo>& tokenIdAplMap)
1543 {
1544 std::string dbPermDefVersion;
1545 GenericValues conditionValue;
1546 conditionValue.Put(TokenFiledConst::FIELD_NAME, PERM_DEF_VERSION);
1547 std::vector<GenericValues> results;
1548 int32_t res = AccessTokenDbOperator::Find(AtmDataType::ACCESSTOKEN_SYSTEM_CONFIG, conditionValue, results);
1549 if (res != 0) {
1550 return;
1551 }
1552
1553 if (!results.empty()) {
1554 dbPermDefVersion = results[0].GetString(TokenFiledConst::FIELD_VALUE);
1555 }
1556
1557 const char* curPermDefVersion = GetPermDefVersion();
1558 bool isUpdate = dbPermDefVersion != std::string(curPermDefVersion);
1559 if (isUpdate) {
1560 LOGI(ATM_DOMAIN, ATM_TAG,
1561 "Permission definition version from db %{public}s is not same with current version %{public}s.",
1562 dbPermDefVersion.c_str(), curPermDefVersion);
1563
1564 GenericValues delValue;
1565 delValue.Put(TokenFiledConst::FIELD_NAME, PERM_DEF_VERSION);
1566 GenericValues addValue;
1567 addValue.Put(TokenFiledConst::FIELD_NAME, PERM_DEF_VERSION);
1568 addValue.Put(TokenFiledConst::FIELD_VALUE, std::string(curPermDefVersion));
1569 DelInfo delInfo;
1570 delInfo.delType = AtmDataType::ACCESSTOKEN_SYSTEM_CONFIG;
1571 delInfo.delValue = delValue;
1572 AddInfo addInfo;
1573 addInfo.addType = AtmDataType::ACCESSTOKEN_SYSTEM_CONFIG;
1574 addInfo.addValues.emplace_back(addValue);
1575
1576 // update or insert permission define version to db
1577 std::vector<DelInfo> delInfoVec;
1578 delInfoVec.emplace_back(delInfo);
1579 std::vector<AddInfo> addInfoVec;
1580 addInfoVec.emplace_back(addInfo);
1581
1582 if (!dbPermDefVersion.empty()) { // dbPermDefVersion empty means undefine table is empty
1583 HandleHapUndefinedInfo(tokenIdAplMap, delInfoVec, addInfoVec);
1584 }
1585
1586 UpdateDatabaseAsync(delInfoVec, addInfoVec);
1587 }
1588 }
1589
Initialize()1590 bool AccessTokenManagerService::Initialize()
1591 {
1592 MemoryGuard guard;
1593 ReportSysEventPerformance();
1594
1595 uint32_t hapSize = 0;
1596 uint32_t nativeSize = 0;
1597 uint32_t pefDefSize = 0;
1598 uint32_t dlpSize = 0;
1599 std::map<int32_t, TokenIdInfo> tokenIdAplMap;
1600 AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap);
1601 HandlePermDefUpdate(tokenIdAplMap);
1602
1603 #ifdef EVENTHANDLER_ENABLE
1604 TempPermissionObserver::GetInstance().InitEventHandler();
1605 ShortGrantManager::GetInstance().InitEventHandler();
1606 #endif
1607 InitDfxInfo dfxInfo;
1608 dfxInfo.pid = getpid();
1609 dfxInfo.hapSize = hapSize;
1610 dfxInfo.nativeSize = nativeSize;
1611 dfxInfo.permDefSize = pefDefSize;
1612 dfxInfo.dlpSize = dlpSize;
1613 GetConfigValue(dfxInfo.parseConfigFlag);
1614
1615 ReportSysEventServiceStart(dfxInfo);
1616 ReportAccessTokenUserData();
1617 LOGI(ATM_DOMAIN, ATM_TAG, "Initialize success");
1618 return true;
1619 }
1620
IsPrivilegedCalling() const1621 bool AccessTokenManagerService::IsPrivilegedCalling() const
1622 {
1623 // shell process is root in debug mode.
1624 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
1625 int32_t callingUid = IPCSkeleton::GetCallingUid();
1626 return callingUid == ROOT_UID;
1627 #else
1628 return false;
1629 #endif
1630 }
1631
IsAccessTokenCalling()1632 bool AccessTokenManagerService::IsAccessTokenCalling()
1633 {
1634 uint32_t tokenCaller = IPCSkeleton::GetCallingTokenID();
1635 if (tokenSyncId_ == 0) {
1636 this->GetNativeTokenId("token_sync_service", tokenSyncId_);
1637 }
1638 return tokenCaller == tokenSyncId_;
1639 }
1640
IsNativeProcessCalling()1641 bool AccessTokenManagerService::IsNativeProcessCalling()
1642 {
1643 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
1644 return this->GetTokenType(tokenCaller) == TOKEN_NATIVE;
1645 }
1646
IsShellProcessCalling()1647 bool AccessTokenManagerService::IsShellProcessCalling()
1648 {
1649 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
1650 return this->GetTokenType(tokenCaller) == TOKEN_SHELL;
1651 }
1652
IsSystemAppCalling() const1653 bool AccessTokenManagerService::IsSystemAppCalling() const
1654 {
1655 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
1656 return TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
1657 }
1658
IsSecCompServiceCalling()1659 bool AccessTokenManagerService::IsSecCompServiceCalling()
1660 {
1661 uint32_t tokenCaller = IPCSkeleton::GetCallingTokenID();
1662 if (secCompTokenId_ == 0) {
1663 this->GetNativeTokenId("security_component_service", secCompTokenId_);
1664 }
1665 return tokenCaller == secCompTokenId_;
1666 }
1667
CallbackEnter(uint32_t code)1668 int32_t AccessTokenManagerService::CallbackEnter(uint32_t code)
1669 {
1670 ClearThreadErrorMsg();
1671 #ifdef HICOLLIE_ENABLE
1672 std::string name = "AtmTimer";
1673 g_timerIdStack.push(HiviewDFX::XCollie::GetInstance().SetTimer(name, TIMEOUT, nullptr, nullptr,
1674 HiviewDFX::XCOLLIE_FLAG_LOG));
1675 #endif // HICOLLIE_ENABLE
1676 return ERR_OK;
1677 }
1678
CallbackExit(uint32_t code,int32_t result)1679 int32_t AccessTokenManagerService::CallbackExit(uint32_t code, int32_t result)
1680 {
1681 #ifdef HICOLLIE_ENABLE
1682 if (!g_timerIdStack.empty()) {
1683 HiviewDFX::XCollie::GetInstance().CancelTimer(g_timerIdStack.top());
1684 g_timerIdStack.pop();
1685 }
1686 #endif // HICOLLIE_ENABLE
1687 ClearThreadErrorMsg();
1688 return ERR_OK;
1689 }
1690
1691 #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
RegisterSecCompEnhance(const SecCompEnhanceDataParcel & enhanceParcel)1692 int32_t AccessTokenManagerService::RegisterSecCompEnhance(const SecCompEnhanceDataParcel& enhanceParcel)
1693 {
1694 LOGI(ATM_DOMAIN, ATM_TAG, "Pid: %{public}d", enhanceParcel.enhanceData.pid);
1695 return SecCompEnhanceAgent::GetInstance().RegisterSecCompEnhance(enhanceParcel.enhanceData);
1696 }
1697
UpdateSecCompEnhance(int32_t pid,uint32_t seqNum)1698 int32_t AccessTokenManagerService::UpdateSecCompEnhance(int32_t pid, uint32_t seqNum)
1699 {
1700 if (!IsSecCompServiceCalling()) {
1701 return AccessTokenError::ERR_PERMISSION_DENIED;
1702 }
1703
1704 return SecCompEnhanceAgent::GetInstance().UpdateSecCompEnhance(pid, seqNum);
1705 }
1706
GetSecCompEnhance(int32_t pid,SecCompEnhanceDataParcel & enhanceParcel)1707 int32_t AccessTokenManagerService::GetSecCompEnhance(int32_t pid, SecCompEnhanceDataParcel& enhanceParcel)
1708 {
1709 if (!IsSecCompServiceCalling()) {
1710 return AccessTokenError::ERR_PERMISSION_DENIED;
1711 }
1712
1713 SecCompEnhanceData enhanceData;
1714 int32_t res = SecCompEnhanceAgent::GetInstance().GetSecCompEnhance(pid, enhanceData);
1715 if (res != RET_SUCCESS) {
1716 LOGW(ATM_DOMAIN, ATM_TAG, "Pid: %{public}d get enhance failed ", pid);
1717 return res;
1718 }
1719
1720 enhanceParcel.enhanceData = enhanceData;
1721 return RET_SUCCESS;
1722 }
1723 #endif
1724
IsToastShownNeeded(int32_t pid,bool & needToShow)1725 int32_t AccessTokenManagerService::IsToastShownNeeded(int32_t pid, bool& needToShow)
1726 {
1727 if (!IsSecCompServiceCalling()) {
1728 return AccessTokenError::ERR_PERMISSION_DENIED;
1729 }
1730
1731 needToShow = SecCompMonitor::GetInstance().IsToastShownNeeded(pid);
1732 return RET_SUCCESS;
1733 }
1734 } // namespace AccessToken
1735 } // namespace Security
1736 } // namespace OHOS
1737