1 /*
2 * Copyright (c) 2025-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "disallowed_usb_storage_device_write_plugin.h"
17
18 #include <ipc_skeleton.h>
19 #include "array_usb_device_type_serializer.h"
20 #include "bool_serializer.h"
21 #include "edm_constants.h"
22 #include "edm_errors.h"
23 #include "edm_ipc_interface_code.h"
24 #include "edm_log.h"
25 #include "iplugin_manager.h"
26 #include "os_account_manager.h"
27 #include "parameters.h"
28 #include "usb_interface_type.h"
29
30 namespace OHOS {
31 namespace EDM {
32 const bool REGISTER_RESULT = IPluginManager::GetInstance()->AddPlugin(
33 DisallowedUsbStorageDeviceWritePlugin::GetPlugin());
34 const std::string CONSTRAINT_USB_STORAGE_DEVICE_WRITE = "constraint.usb.storageDevice.write"; // 存储类型的USB设备只读策略
35 const int32_t USB_DEVICE_TYPE_BASE_CLASS_STORAGE = 8;
36
InitPlugin(std::shared_ptr<IPluginTemplate<DisallowedUsbStorageDeviceWritePlugin,bool>> ptr)37 void DisallowedUsbStorageDeviceWritePlugin::InitPlugin(
38 std::shared_ptr<IPluginTemplate<DisallowedUsbStorageDeviceWritePlugin, bool>> ptr)
39 {
40 EDMLOGI("DisallowedUsbStorageDeviceWritePlugin InitPlugin...");
41 ptr->InitAttribute(
42 EdmInterfaceCode::DISALLOWED_USB_STORAGE_DEVICE_WRITE,
43 PolicyName::POLICY_DISALLOWED_USB_STORAGE_DEVICE_WRITE,
44 EdmPermission::PERMISSION_ENTERPRISE_MANAGE_RESTRICTIONS,
45 IPlugin::PermissionType::SUPER_DEVICE_ADMIN,
46 true);
47 ptr->SetSerializer(BoolSerializer::GetInstance());
48 ptr->SetOnHandlePolicyListener(&DisallowedUsbStorageDeviceWritePlugin::OnSetPolicy, FuncOperateType::SET);
49 ptr->SetOnAdminRemoveListener(&DisallowedUsbStorageDeviceWritePlugin::OnAdminRemove);
50 }
51
OnSetPolicy(bool & data,bool & currentData,bool & mergeData,int32_t userId)52 ErrCode DisallowedUsbStorageDeviceWritePlugin::OnSetPolicy(bool &data, bool ¤tData, bool &mergeData,
53 int32_t userId)
54 {
55 EDMLOGI("DisallowedUsbStorageDeviceWritePlugin::OnSetPolicy, data: %{public}d, currentData: %{public}d, "
56 "mergeData: %{public}d", data, currentData, mergeData);
57 std::string value = system::GetParameter(
58 EdmConstants::CONST_ENTERPRISE_EXTERNAL_STORAGE_DEVICE_MANAGE_ENABLE, "false");
59 if (value == "false") {
60 EDMLOGE("DisallowedUsbStorageDeviceWritePlugin::OnSetPolicy failed, interface unsupported");
61 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
62 }
63 bool isConflict = false;
64 if (FAILED(HasConflictPolicy(isConflict))) {
65 EDMLOGE("DisallowedUsbStorageDeviceWritePlugin::OnSetPolicy, HasConflictPolicy failed");
66 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
67 }
68 if (isConflict) {
69 return EdmReturnErrCode::CONFIGURATION_CONFLICT_FAILED;
70 }
71
72 if (mergeData) {
73 currentData = data;
74 return ERR_OK;
75 }
76 ErrCode ret = SetUsbStorageDeviceWritePolicy(data, userId);
77 EDMLOGI("DisallowedUsbStorageDeviceWritePlugin::OnSetPolicy, "
78 "SetUsbStorageDeviceWritePolicy ret: %{public}d", ret);
79 if (FAILED(ret)) {
80 EDMLOGE("DisallowedUsbStorageDeviceWritePlugin::OnSetPolicy, SetUsbStorageDeviceWritePolicy failed");
81 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
82 }
83 currentData = data;
84 mergeData = data;
85 return ERR_OK;
86 }
87
OnAdminRemove(const std::string & adminName,bool & data,bool & mergeData,int32_t userId)88 ErrCode DisallowedUsbStorageDeviceWritePlugin::OnAdminRemove(const std::string &adminName, bool &data,
89 bool &mergeData, int32_t userId)
90 {
91 EDMLOGI("DisallowedUsbStorageDeviceWritePlugin::OnAdminRemove, adminName: %{public}s, data: %{public}d, "
92 "mergeData: %{public}d", adminName.c_str(), data, mergeData);
93 // admin 移除时,综合策略为只读,则最终策略不变,仍未只读
94 if (mergeData) {
95 return ERR_OK;
96 }
97 // admin 移除时,综合策略为读写,且移除的策略为只读,则更新策略为读写
98 if (data) {
99 ErrCode ret = SetUsbStorageDeviceWritePolicy(false, userId);
100 EDMLOGI("DisallowedUsbStorageDeviceWritePlugin::OnAdminRemove, "
101 "SetUsbStorageDeviceWritePolicy ret: %{public}d", ret);
102 if (FAILED(ret)) {
103 EDMLOGE("DisallowedUsbStorageDeviceWritePlugin::OnAdminRemove, SetUsbStorageDeviceWritePolicy failed");
104 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
105 }
106 }
107 return ERR_OK;
108 }
109
SetUsbStorageDeviceWritePolicy(bool policy,int32_t userId)110 ErrCode DisallowedUsbStorageDeviceWritePlugin::SetUsbStorageDeviceWritePolicy(bool policy, int32_t userId)
111 {
112 EDMLOGI("DisallowedUsbStorageDeviceWritePlugin::SetUsbStorageDeviceWritePolicy, "
113 "policy: %{public}d", policy);
114 std::vector<std::string> constraints;
115 constraints.emplace_back(CONSTRAINT_USB_STORAGE_DEVICE_WRITE);
116 ErrCode ret = AccountSA::OsAccountManager::SetSpecificOsAccountConstraints(constraints, policy, userId,
117 EdmConstants::DEFAULT_USER_ID, true);
118 EDMLOGI("DisallowedUsbStorageDeviceWritePlugin::SetUsbStorageDeviceWritePolicy, "
119 "SetSpecificOsAccountConstraints ret: %{public}d", ret);
120 return ret;
121 }
122
HasConflictPolicy(bool & isConflict)123 ErrCode DisallowedUsbStorageDeviceWritePlugin::HasConflictPolicy(bool &isConflict)
124 {
125 EDMLOGI("DisallowedUsbStorageDeviceWritePlugin::HasConflictPolicy enter");
126 auto policyManager = IPolicyManager::GetInstance();
127 std::string disableUsb;
128 policyManager->GetPolicy("", PolicyName::POLICY_DISABLE_USB, disableUsb);
129 if (disableUsb == "true") {
130 EDMLOGE("DisallowedUsbStorageDeviceWritePlugin::HasConflictPolicy, policy conflict! disableUsb: %{public}s",
131 disableUsb.c_str());
132 isConflict = true;
133 return ERR_OK;
134 }
135 std::string usbStoragePolicy;
136 policyManager->GetPolicy("", PolicyName::POLICY_USB_READ_ONLY, usbStoragePolicy);
137 if (usbStoragePolicy == std::to_string(EdmConstants::STORAGE_USB_POLICY_DISABLED) ||
138 usbStoragePolicy == std::to_string(EdmConstants::STORAGE_USB_POLICY_READ_ONLY)) {
139 EDMLOGE("DisallowedUsbStorageDeviceWritePlugin::HasConflictPolicy, policy conflict! "
140 "usbStoragePolicy: %{public}s", usbStoragePolicy.c_str());
141 isConflict = true;
142 return ERR_OK;
143 }
144 std::string disallowUsbDevicePolicy;
145 policyManager->GetPolicy("", PolicyName::POLICY_DISALLOWED_USB_DEVICES, disallowUsbDevicePolicy);
146 std::vector<USB::UsbDeviceType> usbDeviceTypes;
147 if (!ArrayUsbDeviceTypeSerializer::GetInstance()->Deserialize(disallowUsbDevicePolicy, usbDeviceTypes)) {
148 EDMLOGE("DisallowedUsbStorageDeviceWritePlugin::Deserialize failed");
149 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
150 }
151 bool isStorageUsbDisallowed = std::find_if(usbDeviceTypes.begin(), usbDeviceTypes.end(),
152 [&](USB::UsbDeviceType disallowedType) {
153 return disallowedType.baseClass == USB_DEVICE_TYPE_BASE_CLASS_STORAGE;
154 }) != usbDeviceTypes.end();
155 if (isStorageUsbDisallowed) {
156 EDMLOGE("DisallowedUsbStorageDeviceWritePlugin::HasConflictPolicy, policy conflict! "
157 "isStorageUsbDisallowed: %{public}d", isStorageUsbDisallowed);
158 isConflict = true;
159 return ERR_OK;
160 }
161
162 EDMLOGI("DisallowedUsbStorageDeviceWritePlugin::HasConflictPolicy end, no conflict");
163 isConflict = false;
164 return ERR_OK;
165 }
166 } // namespace EDM
167 } // namespace OHOS
168