• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2022-2025 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "permission_verification.h"
17 
18 #include "ability_manager_errors.h"
19 #include "accesstoken_kit.h"
20 #include "hilog_tag_wrapper.h"
21 #include "permission_constants.h"
22 #include "server_constant.h"
23 #include "support_system_ability_permission.h"
24 #include "tokenid_kit.h"
25 #include "hitrace_meter.h"
26 #include "hilog_tag_wrapper.h"
27 #include "record_cost_time_util.h"
28 
29 namespace OHOS {
30 namespace AAFwk {
31 const std::string DLP_PARAMS_SECURITY_FLAG = "ohos.dlp.params.securityFlag";
32 namespace {
33 const int32_t SHELL_START_EXTENSION_FLOOR = 0; // FORM
34 const int32_t SHELL_START_EXTENSION_CEIL = 21; // EMBEDDED_UI
35 const int32_t TOKEN_ID_BIT_SIZE = 32;
36 const std::string FOUNDATION_PROCESS_NAME = "foundation";
37 const std::set<std::string> OBSERVER_NATIVE_CALLER = {
38     "memmgrservice",
39     "resource_schedule_service",
40 };
41 }
VerifyPermissionByTokenId(const int & tokenId,const std::string & permissionName) const42 bool PermissionVerification::VerifyPermissionByTokenId(const int &tokenId, const std::string &permissionName) const
43 {
44     TAG_LOGD(AAFwkTag::DEFAULT, "permission %{public}s", permissionName.c_str());
45     int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionName, false);
46     if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
47         TAG_LOGE(AAFwkTag::DEFAULT, "%{public}s: PERMISSION_DENIED", permissionName.c_str());
48         return false;
49     }
50     TAG_LOGD(AAFwkTag::DEFAULT, "verify token success");
51     return true;
52 }
53 
VerifyCallingPermission(const std::string & permissionName,const uint32_t specifyTokenId) const54 bool PermissionVerification::VerifyCallingPermission(
55     const std::string &permissionName, const uint32_t specifyTokenId) const
56 {
57     HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
58     RecordCostTimeUtil timeRecord("VerifyCallingPermission");
59     TAG_LOGD(AAFwkTag::DEFAULT, "permission %{public}s, specifyTokenId: %{public}u",
60         permissionName.c_str(), specifyTokenId);
61     auto callerToken = specifyTokenId == 0 ? GetCallingTokenID() : specifyTokenId;
62     TAG_LOGD(AAFwkTag::DEFAULT, "Token: %{public}u", callerToken);
63     int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName, false);
64     if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
65         TAG_LOGW(AAFwkTag::DEFAULT, "%{public}s: PERMISSION_DENIED", permissionName.c_str());
66         return false;
67     }
68     TAG_LOGD(AAFwkTag::DEFAULT, "verify Token success");
69     return true;
70 }
71 
IsSACall() const72 bool PermissionVerification::IsSACall() const
73 {
74     auto callerToken = GetCallingTokenID();
75     return IsSACallByTokenId(callerToken);
76 }
77 
IsSACallByTokenId(uint32_t callerTokenId) const78 bool PermissionVerification::IsSACallByTokenId(uint32_t callerTokenId) const
79 {
80     TAG_LOGD(AAFwkTag::DEFAULT, "called");
81     if (callerTokenId == 0) {
82         callerTokenId = GetCallingTokenID();
83     }
84     auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
85     if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
86         TAG_LOGD(AAFwkTag::DEFAULT, "verify success");
87         return true;
88     }
89     TAG_LOGD(AAFwkTag::DEFAULT, "Not SA called");
90     return false;
91 }
92 
IsShellCall() const93 bool PermissionVerification::IsShellCall() const
94 {
95     auto callerToken = GetCallingTokenID();
96     return IsShellCallByTokenId(callerToken);
97 }
98 
IsShellCallByTokenId(uint32_t callerTokenId) const99 bool PermissionVerification::IsShellCallByTokenId(uint32_t callerTokenId) const
100 {
101     TAG_LOGD(AAFwkTag::DEFAULT, "called");
102     if (callerTokenId == 0) {
103         callerTokenId = GetCallingTokenID();
104     }
105     auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
106     if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
107         TAG_LOGD(AAFwkTag::DEFAULT, "verify success");
108         return true;
109     }
110     TAG_LOGD(AAFwkTag::DEFAULT, "Not shell called");
111     return false;
112 }
113 
CheckSpecificSystemAbilityAccessPermission(const std::string & processName) const114 bool PermissionVerification::CheckSpecificSystemAbilityAccessPermission(const std::string &processName) const
115 {
116     HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
117     TAG_LOGD(AAFwkTag::DEFAULT, "called");
118     if (!IsSACall()) {
119         TAG_LOGE(AAFwkTag::DEFAULT, "verify fail");
120         return false;
121     }
122     auto callerToken = GetCallingTokenID();
123     Security::AccessToken::NativeTokenInfo nativeTokenInfo;
124     int32_t result = Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(callerToken, nativeTokenInfo);
125     if (result != ERR_OK || nativeTokenInfo.processName != processName) {
126         TAG_LOGE(AAFwkTag::DEFAULT, "check process fail");
127         return false;
128     }
129     return true;
130 }
131 
CheckObserverCallerPermission() const132 bool PermissionVerification::CheckObserverCallerPermission() const
133 {
134     TAG_LOGD(AAFwkTag::DEFAULT, "called");
135     if (!IsSACall()) {
136         TAG_LOGE(AAFwkTag::DEFAULT, "tokenType not native");
137         return false;
138     }
139     auto callerToken = GetCallingTokenID();
140     Security::AccessToken::NativeTokenInfo nativeTokenInfo;
141     int32_t result = Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(callerToken, nativeTokenInfo);
142     if (result != ERR_OK ||
143         OBSERVER_NATIVE_CALLER.find(nativeTokenInfo.processName) == OBSERVER_NATIVE_CALLER.end()) {
144         TAG_LOGE(AAFwkTag::DEFAULT, "check token fail");
145         return false;
146     }
147     return true;
148 }
149 
VerifyRunningInfoPerm() const150 bool PermissionVerification::VerifyRunningInfoPerm() const
151 {
152     if (VerifyCallingPermission(PermissionConstants::PERMISSION_GET_RUNNING_INFO)) {
153         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
154         return true;
155     }
156     return false;
157 }
158 
VerifyCustomSandbox(uint32_t accessTokenId) const159 bool PermissionVerification::VerifyCustomSandbox(uint32_t accessTokenId) const
160 {
161     if (VerifyPermissionByTokenId(accessTokenId, PermissionConstants::PERMISSION_CUSTOM_SANDBOX)) {
162         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
163         return true;
164     }
165     return false;
166 }
167 
VerifyControllerPerm() const168 bool PermissionVerification::VerifyControllerPerm() const
169 {
170     if (VerifyCallingPermission(PermissionConstants::PERMISSION_SET_ABILITY_CONTROLLER)) {
171         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
172         return true;
173     }
174     return false;
175 }
176 
VerifyDlpPermission(Want & want) const177 bool PermissionVerification::VerifyDlpPermission(Want &want) const
178 {
179     if (want.GetIntParam(AbilityRuntime::ServerConstant::DLP_INDEX, 0) == 0) {
180         want.RemoveParam(DLP_PARAMS_SECURITY_FLAG);
181         return true;
182     }
183 
184     if (VerifyCallingPermission(PermissionConstants::PERMISSION_ACCESS_DLP)) {
185         return true;
186     }
187     return false;
188 }
189 
VerifyAccountPermission() const190 int PermissionVerification::VerifyAccountPermission() const
191 {
192     if (VerifyCallingPermission(PermissionConstants::PERMISSION_INTERACT_ACROSS_LOCAL_ACCOUNTS)) {
193         return ERR_OK;
194     }
195     return CHECK_PERMISSION_FAILED;
196 }
197 
VerifyMissionPermission() const198 bool PermissionVerification::VerifyMissionPermission() const
199 {
200     HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
201     if (VerifyCallingPermission(PermissionConstants::PERMISSION_MANAGE_MISSION)) {
202         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
203         return true;
204     }
205     return false;
206 }
207 
VerifyAppStateObserverPermission() const208 int PermissionVerification::VerifyAppStateObserverPermission() const
209 {
210     if (VerifyCallingPermission(PermissionConstants::PERMISSION_RUNNING_STATE_OBSERVER)) {
211         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
212         return ERR_OK;
213     }
214     return ERR_PERMISSION_DENIED;
215 }
216 
VerifyUpdateConfigurationPerm() const217 int32_t PermissionVerification::VerifyUpdateConfigurationPerm() const
218 {
219     if (VerifyCallingPermission(PermissionConstants::PERMISSION_UPDATE_CONFIGURATION)) {
220         TAG_LOGI(AAFwkTag::DEFAULT,
221             "Permission %{public}s granted", PermissionConstants::PERMISSION_UPDATE_CONFIGURATION);
222         return ERR_OK;
223     }
224     return ERR_PERMISSION_DENIED;
225 }
226 
VerifyUpdateAPPConfigurationPerm() const227 int32_t PermissionVerification::VerifyUpdateAPPConfigurationPerm() const
228 {
229     if (VerifyCallingPermission(PermissionConstants::PERMISSION_UPDATE_APP_CONFIGURATION)) {
230         TAG_LOGI(AAFwkTag::DEFAULT,
231             "Permission %{public}s granted", PermissionConstants::PERMISSION_UPDATE_APP_CONFIGURATION);
232         return ERR_OK;
233     }
234     return ERR_PERMISSION_DENIED;
235 }
236 
VerifyInstallBundlePermission() const237 bool PermissionVerification::VerifyInstallBundlePermission() const
238 {
239     if (VerifyCallingPermission(PermissionConstants::PERMISSION_INSTALL_BUNDLE)) {
240         TAG_LOGI(AAFwkTag::DEFAULT,
241             "Permission %{public}s granted", PermissionConstants::PERMISSION_INSTALL_BUNDLE);
242         return true;
243     }
244     return false;
245 }
246 
VerifyGetBundleInfoPrivilegedPermission() const247 bool PermissionVerification::VerifyGetBundleInfoPrivilegedPermission() const
248 {
249     if (VerifyCallingPermission(PermissionConstants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED)) {
250         TAG_LOGI(AAFwkTag::DEFAULT,
251             "Permission %{public}s granted", PermissionConstants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
252         return true;
253     }
254     return false;
255 }
256 
VerifyStartRecentAbilityPermission() const257 bool PermissionVerification::VerifyStartRecentAbilityPermission() const
258 {
259     if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_RECENT_ABILITY)) {
260         TAG_LOGI(AAFwkTag::DEFAULT,
261             "Permission %{public}s granted", PermissionConstants::PERMISSION_START_RECENT_ABILITY);
262         return true;
263     }
264     return VerifyMissionPermission();
265 }
266 
CheckCallDataAbilityPermission(const VerificationInfo & verificationInfo,bool isShell) const267 int PermissionVerification::CheckCallDataAbilityPermission(const VerificationInfo &verificationInfo, bool isShell) const
268 {
269     if ((verificationInfo.apiTargetVersion > API8 || isShell) &&
270         !JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall)) {
271         TAG_LOGE(AAFwkTag::DEFAULT, "caller START_ABILITIES_FROM_BACKGROUND permission invalid");
272         return CHECK_PERMISSION_FAILED;
273     }
274     if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
275         TAG_LOGE(AAFwkTag::DEFAULT,
276             "caller INVISIBLE permission invalid");
277         return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
278     }
279     if (!JudgeAssociatedWakeUp(verificationInfo.accessTokenId, verificationInfo.associatedWakeUp)) {
280         TAG_LOGE(AAFwkTag::DEFAULT, "associatedWakeUp false");
281         return CHECK_PERMISSION_FAILED;
282     }
283 
284     return ERR_OK;
285 }
286 
CheckCallServiceAbilityPermission(const VerificationInfo & verificationInfo) const287 int PermissionVerification::CheckCallServiceAbilityPermission(const VerificationInfo &verificationInfo) const
288 {
289     if (CheckSpecificSystemAbilityAccessPermission(FOUNDATION_PROCESS_NAME)) {
290         TAG_LOGD(AAFwkTag::DEFAULT, "Allow fms to connect service ability");
291         return ERR_OK;
292     }
293     if ((verificationInfo.apiTargetVersion > API8 || IsShellCall()) &&
294         !JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall)) {
295         TAG_LOGE(AAFwkTag::DEFAULT, "caller START_ABILITIES_FROM_BACKGROUND permission invalid");
296         return CHECK_PERMISSION_FAILED;
297     }
298     if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
299         TAG_LOGE(AAFwkTag::DEFAULT, "caller INVISIBLE permission invalid");
300         return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
301     }
302     if (!JudgeAssociatedWakeUp(verificationInfo.accessTokenId, verificationInfo.associatedWakeUp)) {
303         TAG_LOGE(AAFwkTag::DEFAULT, "associatedWakeUp false");
304         return CHECK_PERMISSION_FAILED;
305     }
306 
307     return ERR_OK;
308 }
309 
CheckCallAbilityPermission(const VerificationInfo & verificationInfo,bool isCallByShortcut) const310 int PermissionVerification::CheckCallAbilityPermission(const VerificationInfo &verificationInfo,
311     bool isCallByShortcut) const
312 {
313     return JudgeInvisibleAndBackground(verificationInfo, isCallByShortcut);
314 }
315 
CheckCallServiceExtensionPermission(const VerificationInfo & verificationInfo) const316 int PermissionVerification::CheckCallServiceExtensionPermission(const VerificationInfo &verificationInfo) const
317 {
318     return JudgeInvisibleAndBackground(verificationInfo);
319 }
320 
CheckStartByCallPermission(const VerificationInfo & verificationInfo) const321 int PermissionVerification::CheckStartByCallPermission(const VerificationInfo &verificationInfo) const
322 {
323     if (IsCallFromSameAccessToken(verificationInfo.accessTokenId)) {
324         TAG_LOGE(AAFwkTag::DEFAULT, "StartAbilityByCall reject");
325         return CHECK_PERMISSION_FAILED;
326     }
327     // Different APP call, check permissions
328     if (!VerifyCallingPermission(PermissionConstants::PERMISSION_ABILITY_BACKGROUND_COMMUNICATION)) {
329         TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
330         return CHECK_PERMISSION_FAILED;
331     }
332     if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
333         TAG_LOGE(AAFwkTag::DEFAULT, "caller INVISIBLE permission invalid");
334         return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
335     }
336     if (!JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall)) {
337         TAG_LOGE(AAFwkTag::DEFAULT, "caller START_ABILITIES_FROM_BACKGROUND permission invalid");
338         return CHECK_PERMISSION_FAILED;
339     }
340 
341     return ERR_OK;
342 }
343 
GetCallingTokenID() const344 unsigned int PermissionVerification::GetCallingTokenID() const
345 {
346     auto callerToken = IPCSkeleton::GetCallingTokenID();
347     TAG_LOGD(AAFwkTag::DEFAULT, "callerToken: %{private}u", callerToken);
348     return callerToken;
349 }
350 
JudgeStartInvisibleAbility(const uint32_t accessTokenId,const bool visible,const uint32_t specifyTokenId) const351 bool PermissionVerification::JudgeStartInvisibleAbility(const uint32_t accessTokenId, const bool visible,
352     const uint32_t specifyTokenId) const
353 {
354     if (visible) {
355         TAG_LOGD(AAFwkTag::DEFAULT, "visible:true");
356         return true;
357     }
358     if (specifyTokenId > 0 && accessTokenId == specifyTokenId) {
359         TAG_LOGD(AAFwkTag::DEFAULT, "accessTokenId equal specifyTokenId");
360         return true;
361     }
362     if (IsCallFromSameAccessToken(accessTokenId)) {
363         TAG_LOGD(AAFwkTag::DEFAULT, "TargetAbility in same APP");
364         return true;
365     }
366     if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_INVISIBLE_ABILITY, specifyTokenId)) {
367         TAG_LOGD(AAFwkTag::DEFAULT, "Caller PASS");
368         return true;
369     }
370     TAG_LOGE(AAFwkTag::DEFAULT, "verification fail");
371     return false;
372 }
373 
JudgeStartAbilityFromBackground(const bool isBackgroundCall) const374 bool PermissionVerification::JudgeStartAbilityFromBackground(const bool isBackgroundCall) const
375 {
376     if (!isBackgroundCall) {
377         TAG_LOGD(AAFwkTag::DEFAULT, "Caller not background");
378         return true;
379     }
380 
381     // Temporarily supports permissions with two different spellings
382     // PERMISSION_START_ABILIIES_FROM_BACKGROUND will be removed later due to misspelling
383     if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_ABILITIES_FROM_BACKGROUND) ||
384         VerifyCallingPermission(PermissionConstants::PERMISSION_START_ABILIIES_FROM_BACKGROUND)) {
385         TAG_LOGD(AAFwkTag::DEFAULT, "Caller PASS");
386         return true;
387     }
388     TAG_LOGE(AAFwkTag::DEFAULT, "verification fail");
389     return false;
390 }
391 
JudgeAssociatedWakeUp(const uint32_t accessTokenId,const bool associatedWakeUp) const392 bool PermissionVerification::JudgeAssociatedWakeUp(const uint32_t accessTokenId, const bool associatedWakeUp) const
393 {
394     if (IsCallFromSameAccessToken(accessTokenId)) {
395         TAG_LOGD(AAFwkTag::DEFAULT, "TargetAbility in same APP");
396         return true;
397     }
398     if (associatedWakeUp) {
399         TAG_LOGD(AAFwkTag::DEFAULT, "associatedWakeUp: true");
400         return true;
401     }
402     TAG_LOGE(AAFwkTag::DEFAULT, "not allowed associatedWakeUp");
403     return false;
404 }
405 
JudgeInvisibleAndBackground(const VerificationInfo & verificationInfo,bool isCallByShortcut) const406 int PermissionVerification::JudgeInvisibleAndBackground(const VerificationInfo &verificationInfo,
407     bool isCallByShortcut) const
408 {
409     uint32_t specifyTokenId = verificationInfo.specifyTokenId;
410     TAG_LOGD(AAFwkTag::DEFAULT, "specifyTokenId: %{public}u, isCallByShortcut %{public}d",
411         specifyTokenId, isCallByShortcut);
412     if (specifyTokenId == 0 &&
413         SupportSystemAbilityPermission::IsSupportSaCallPermission()) {
414         TAG_LOGD(AAFwkTag::DEFAULT, "Support SA call");
415         return ERR_OK;
416     }
417     if (!isCallByShortcut &&
418         !JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible,
419         specifyTokenId)) {
420         TAG_LOGE(AAFwkTag::DEFAULT, "caller INVISIBLE permission invalid");
421         return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
422     }
423     if (!JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall)) {
424         TAG_LOGE(AAFwkTag::DEFAULT, "caller START_ABILITIES_FROM_BACKGROUND permission invalid");
425         return CHECK_PERMISSION_FAILED;
426     }
427 
428     return ERR_OK;
429 }
430 
JudgeCallerIsAllowedToUseSystemAPI() const431 bool PermissionVerification::JudgeCallerIsAllowedToUseSystemAPI() const
432 {
433     if (IsSACall() || IsShellCall()) {
434         return true;
435     }
436     auto callerToken = IPCSkeleton::GetCallingFullTokenID();
437     return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(callerToken);
438 }
439 
IsSystemAppCall() const440 bool PermissionVerification::IsSystemAppCall() const
441 {
442     auto callerToken = IPCSkeleton::GetCallingFullTokenID();
443     return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(callerToken);
444 }
445 
IsSystemAppCallByTokenId(uint32_t callerTokenId) const446 bool PermissionVerification::IsSystemAppCallByTokenId(uint32_t callerTokenId) const
447 {
448     if (callerTokenId == 0) {
449         return IsSystemAppCall();
450     }
451     auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
452     if (tokenType != Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) {
453         TAG_LOGE(AAFwkTag::URIPERMMGR, "Not TOKEN_HAP.");
454         return false;
455     }
456     Security::AccessToken::HapTokenInfo hapInfo;
457     auto ret = Security::AccessToken::AccessTokenKit::GetHapTokenInfo(callerTokenId, hapInfo);
458     if (ret != Security::AccessToken::AccessTokenKitRet::RET_SUCCESS) {
459         TAG_LOGE(AAFwkTag::URIPERMMGR, "GetHapTokenInfo failed, ret:%{public}d", ret);
460         return false;
461     }
462     uint64_t fullCallerTokenId = (static_cast<uint64_t>(hapInfo.tokenAttr) << TOKEN_ID_BIT_SIZE) + callerTokenId;
463     return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullCallerTokenId);
464 }
465 
VerifyBackgroundCallPermission(const bool isBackgroundCall) const466 bool PermissionVerification::VerifyBackgroundCallPermission(const bool isBackgroundCall) const
467 {
468     return JudgeStartAbilityFromBackground(isBackgroundCall);
469 }
470 
VerifyPrepareTerminatePermission() const471 bool PermissionVerification::VerifyPrepareTerminatePermission() const
472 {
473     if (VerifyCallingPermission(PermissionConstants::PERMISSION_PREPARE_TERMINATE)) {
474         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
475         return true;
476     }
477     TAG_LOGD(AAFwkTag::DEFAULT, "Permission denied");
478     return false;
479 }
480 
VerifyPrepareTerminatePermission(const int & tokenId) const481 bool PermissionVerification::VerifyPrepareTerminatePermission(const int &tokenId) const
482 {
483     int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId,
484         PermissionConstants::PERMISSION_PREPARE_TERMINATE, false);
485     if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
486         TAG_LOGD(AAFwkTag::DEFAULT, "permission denied");
487         return false;
488     }
489     TAG_LOGD(AAFwkTag::DEFAULT, "verify AccessToken success");
490     return true;
491 }
492 
VerifyShellStartExtensionType(int32_t type) const493 bool PermissionVerification::VerifyShellStartExtensionType(int32_t type) const
494 {
495     if (IsShellCall() && type >= SHELL_START_EXTENSION_FLOOR && type <= SHELL_START_EXTENSION_CEIL) {
496         return true;
497     }
498     TAG_LOGD(AAFwkTag::DEFAULT, "reject start");
499     return false;
500 }
501 
VerifyPreloadApplicationPermission() const502 bool PermissionVerification::VerifyPreloadApplicationPermission() const
503 {
504     if (VerifyCallingPermission(PermissionConstants::PERMISSION_PRELOAD_APPLICATION)) {
505         TAG_LOGD(AAFwkTag::DEFAULT, "Permission %{public}s granted",
506             PermissionConstants::PERMISSION_PRELOAD_APPLICATION);
507         return true;
508     }
509     TAG_LOGE(AAFwkTag::DEFAULT, "Permission %{public}s denied",
510         PermissionConstants::PERMISSION_PRELOAD_APPLICATION);
511     return false;
512 }
513 
VerifyPreStartAtomicServicePermission() const514 bool PermissionVerification::VerifyPreStartAtomicServicePermission() const
515 {
516     if (VerifyCallingPermission(PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE)) {
517         TAG_LOGD(AAFwkTag::APPMGR, "Permission %{public}s granted",
518             PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE);
519         return true;
520     }
521     TAG_LOGW(AAFwkTag::APPMGR, "Permission %{public}s denied",
522         PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE);
523     return false;
524 }
525 
VerifyKillProcessDependedOnWebPermission() const526 bool PermissionVerification::VerifyKillProcessDependedOnWebPermission() const
527 {
528     if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_KILL_PROCESS_DEPENDED_ON_WEB)) {
529         TAG_LOGD(AAFwkTag::APPMGR, "Permission granted");
530         return true;
531     }
532     TAG_LOGW(AAFwkTag::APPMGR, "Permission denied");
533     return false;
534 }
535 
VerifyBlockAllAppStartPermission() const536 bool PermissionVerification::VerifyBlockAllAppStartPermission() const
537 {
538     if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_BLOCK_ALL_APP_START)) {
539         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
540         return true;
541     }
542     TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
543     return false;
544 }
545 
VerifyStartUIAbilityToHiddenPermission() const546 bool PermissionVerification::VerifyStartUIAbilityToHiddenPermission() const
547 {
548     if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_START_UIABILITY_TO_HIDDEN)) {
549         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
550         return true;
551     }
552     TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
553     return false;
554 }
555 
VerifySuperviseKiaServicePermission() const556 bool PermissionVerification::VerifySuperviseKiaServicePermission() const
557 {
558     if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_SUPERVISE_KIA_SERVICE)) {
559         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
560         return true;
561     }
562     TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
563     return false;
564 }
565 
VerifyStartLocalDebug(int32_t tokenId) const566 bool PermissionVerification::VerifyStartLocalDebug(int32_t tokenId) const
567 {
568     if (VerifyPermissionByTokenId(tokenId, PermissionConstants::PERMISSION_PERFORM_LOCAL_DEBUG)) {
569         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
570         return true;
571     }
572     TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
573     return false;
574 }
575 
VerifyStartSelfUIAbility(int tokenId) const576 bool PermissionVerification::VerifyStartSelfUIAbility(int tokenId) const
577 {
578     if (!IsSACall() && VerifyPermissionByTokenId(tokenId, PermissionConstants::PERMISSION_NDK_START_SELF_UI_ABILITY)) {
579         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
580         return true;
581     }
582     TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
583     return false;
584 }
585 
VerifyFusionAccessPermission() const586 bool PermissionVerification::VerifyFusionAccessPermission() const
587 {
588     auto callerToken = GetCallingTokenID();
589     if (VerifyPermissionByTokenId(callerToken, PermissionConstants::PERMISSION_FUSION_ACCESS)) {
590         TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
591         return true;
592     }
593     TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
594     return false;
595 }
596 }  // namespace AAFwk
597 }  // namespace OHOS
598