1 /*
2  * Copyright (C) 2022-2025 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *    http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
#include "permission_adapter.h"

#include <algorithm>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <vector>

#include "accesstoken_kit.h"
#include "ipc_sdk_defines.h"
#include "ipc_skeleton.h"

#include "device_auth_defines.h"
#include "hc_log.h"
28 
29 using namespace std;
30 using namespace OHOS;
31 using namespace OHOS::Security::AccessToken;
32 
/*
 * Process names of the native services that may call restricted interfaces.
 * They are compared by exact string equality against NativeTokenInfo::processName
 * in IsProcessInWhitelist / IsProcessAllowAccess (native callers only).
 */
#define PROC_NAME_DEVICE_MANAGER "device_manager"
#define PROC_NAME_SOFT_BUS "softbus_server"
#define PROC_NAME_DEVICE_SECURITY_LEVEL "dslm_service"
#define PROC_NAME_ISHARE "CollaborationFwk"
#define PROC_NAME_REMOTE_COMM "remote_communication"
38 
/*
 * Per-method process whitelist, consulted by IsProcessInWhitelist for native callers.
 * A method id that is NOT present here is not restricted by this table (the lookup
 * returns "allowed"); a listed method is allowed only for the named processes.
 * This check runs before g_apiAccessConfig (see CheckNativeTokenInfo).
 */
static unordered_map<int32_t, vector<string>> g_apiAccessWhitelist = {
    { IPC_CALL_ID_PROCESS_CREDENTIAL, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DA_AUTH_DEVICE, { PROC_NAME_DEVICE_MANAGER, PROC_NAME_SOFT_BUS } },
    { IPC_CALL_ID_DA_PROC_DATA, { PROC_NAME_DEVICE_MANAGER, PROC_NAME_SOFT_BUS } },
    { IPC_CALL_ID_DA_CANCEL_REQUEST, { PROC_NAME_DEVICE_MANAGER, PROC_NAME_SOFT_BUS } },
};
45 
/*
 * Per-method interface access list, consulted by IsProcessAllowAccess for native callers.
 * As with g_apiAccessWhitelist, a method id absent from this table is unrestricted by it;
 * a listed method is allowed only for the named processes (exact string match).
 */
static unordered_map<int32_t, vector<string>> g_apiAccessConfig = {
    { IPC_CALL_ID_REG_CB, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_UNREG_CB, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_CREATE_GROUP, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DEL_GROUP, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_ADD_GROUP_MEMBER, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DEL_GROUP_MEMBER, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_GM_PROC_DATA, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_APPLY_REG_INFO, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_ADD_MULTI_GROUP_MEMBERS, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DEL_MULTI_GROUP_MEMBERS, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_GM_CANCEL_REQUEST, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_AUTH_DEVICE, { PROC_NAME_SOFT_BUS, PROC_NAME_DEVICE_MANAGER, PROC_NAME_ISHARE } },
    { IPC_CALL_ID_GA_PROC_DATA, { PROC_NAME_SOFT_BUS, PROC_NAME_DEVICE_MANAGER, PROC_NAME_ISHARE } },
    { IPC_CALL_GA_CANCEL_REQUEST, { PROC_NAME_SOFT_BUS, PROC_NAME_DEVICE_MANAGER, PROC_NAME_ISHARE } },
    { IPC_CALL_ID_GET_PK_INFO_LIST, { PROC_NAME_DEVICE_SECURITY_LEVEL } },
    { IPC_CALL_ID_AV_GET_CLIENT_SHARED_KEY, { PROC_NAME_REMOTE_COMM } },
    { IPC_CALL_ID_AV_GET_SERVER_SHARED_KEY, { PROC_NAME_REMOTE_COMM } },
    { IPC_CALL_ID_LA_START_LIGHT_ACCOUNT_AUTH, { PROC_NAME_SOFT_BUS } },
    { IPC_CALL_ID_LA_PROCESS_LIGHT_ACCOUNT_AUTH, { PROC_NAME_SOFT_BUS } },
};
67 
/*
 * Credential-manager method ids. Callers of these need CRED_PRIVILEGE_PERMISSION or
 * CRED_MGR_PERMISSION (CheckCredMgrPermission). HAP (application) tokens are accepted
 * for these methods by CheckTokenType and are then gated only by that permission check.
 */
static unordered_set<int32_t> g_credMgrApi = {
    IPC_CALL_ID_CM_ADD_CREDENTIAL,
    IPC_CALL_ID_CM_AGREE_CREDENTIAL,
    IPC_CALL_ID_CM_DEL_CRED_BY_PARAMS,
    IPC_CALL_ID_CM_BATCH_UPDATE_CREDENTIALS,
    IPC_CALL_ID_CM_REG_LISTENER,
    IPC_CALL_ID_CM_UNREG_LISTENER,
    IPC_CALL_ID_CM_EXPORT_CREDENTIAL,
    IPC_CALL_ID_CM_QUERY_CREDENTIAL_BY_PARAMS,
    IPC_CALL_ID_CM_QUERY_CREDENTIAL_BY_CRED_ID,
    IPC_CALL_ID_CM_DEL_CREDENTIAL,
    IPC_CALL_ID_CM_UPDATE_CRED_INFO,
};
81 
/*
 * Credential-auth method ids. Callers of these need CRED_PRIVILEGE_PERMISSION or
 * CRED_AUTH_PERMISSION (CheckCredAuthPermission); HAP tokens are accepted for them
 * by CheckTokenType.
 */
static unordered_set<int32_t> g_credAuthApi = {
    IPC_CALL_ID_CA_AUTH_CREDENTIAL,
    IPC_CALL_ID_CA_PROCESS_CRED_DATA,
};
86 
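/*
 * Checks the interface access list (g_apiAccessConfig) for a native caller.
 *
 * @param processName  process name taken from the caller's native token info.
 * @param methodId     IPC method id being invoked.
 * @return true when methodId has no entry in the table (unrestricted by this check)
 *         or when processName is one of the processes listed for it; false otherwise.
 */
static bool IsProcessAllowAccess(const std::string &processName, int32_t methodId)
{
    // Look the entry up once and reuse the iterator: operator[] on the non-const map
    // would default-insert an (empty, i.e. deny-all) entry for an unknown method id.
    const auto entry = g_apiAccessConfig.find(methodId);
    if (entry == g_apiAccessConfig.end()) {
        return true;
    }
    const std::vector<std::string> &allowedProcs = entry->second;
    return std::find(allowedProcs.begin(), allowedProcs.end(), processName) != allowedProcs.end();
}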
95 
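/*
 * Checks the per-method process whitelist (g_apiAccessWhitelist) for a native caller.
 *
 * @param processName  process name taken from the caller's native token info.
 * @param methodId     IPC method id being invoked.
 * @return true when methodId has no whitelist entry (unrestricted by this check) or
 *         processName is listed for it; false (logged as access denied) otherwise.
 */
static bool IsProcessInWhitelist(const std::string& processName, int32_t methodId)
{
    // Single lookup; operator[] on the non-const map could insert an entry for an unknown id.
    const auto entry = g_apiAccessWhitelist.find(methodId);
    if (entry == g_apiAccessWhitelist.end()) {
        return true;
    }
    const std::vector<std::string> &allowedProcs = entry->second;
    const bool listed = std::find(allowedProcs.begin(), allowedProcs.end(), processName) != allowedProcs.end();
    if (!listed) {
        LOGE("Access Denied: Process(%" LOG_PUB "s) not in access whitlist", processName.c_str());
    }
    return listed;
}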
108 
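/*
 * Verifies that the calling token holds the named permission.
 *
 * @param permission  permission name to verify; a null pointer is treated as denied.
 * @return HC_SUCCESS when the permission is granted, HC_ERR_IPC_PERMISSION_DENIED otherwise.
 *
 * Each denied check is logged at warning level, so callers that probe several
 * alternative permissions in turn produce one warning per permission that is missing.
 */
int32_t CheckInterfacePermission(const char *permission)
{
    // Fail closed on a missing permission name instead of handing a null pointer
    // to the token kit (which takes the name as a string).
    if (permission == nullptr) {
        LOGE("Permission name is null!");
        return HC_ERR_IPC_PERMISSION_DENIED;
    }
    const AccessTokenID accessTokenId = IPCSkeleton::GetCallingTokenID();
    const int result = AccessTokenKit::VerifyAccessToken(accessTokenId, permission);
    if (result != PERMISSION_GRANTED) {
        LOGW("The permission %" LOG_PUB "s is not granted!, res: %" LOG_PUB "d", permission, result);
        return HC_ERR_IPC_PERMISSION_DENIED;
    }
    return HC_SUCCESS;
}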
119 
/*
 * Permission gate for credential-manager methods (g_credMgrApi).
 *
 * @param methodId  IPC method id being invoked.
 * @return HC_SUCCESS when methodId is not a credential-manager method, or when the caller
 *         holds CRED_PRIVILEGE_PERMISSION or CRED_MGR_PERMISSION; HC_ERR_IPC_PERMISSION_DENIED otherwise.
 */
static int32_t CheckCredMgrPermission(int32_t methodId)
{
    const bool isCredMgrMethod = g_credMgrApi.count(methodId) != 0;
    if (!isCredMgrMethod) {
        return HC_SUCCESS;
    }
    // The privilege permission is tried first; the second check runs only on a miss.
    if (CheckInterfacePermission(CRED_PRIVILEGE_PERMISSION) == HC_SUCCESS) {
        return HC_SUCCESS;
    }
    if (CheckInterfacePermission(CRED_MGR_PERMISSION) == HC_SUCCESS) {
        return HC_SUCCESS;
    }
    LOGE("Do not have CRED MGR or CRED PRIVILEGE permission!");
    return HC_ERR_IPC_PERMISSION_DENIED;
}
132 
/*
 * Permission gate for credential-auth methods (g_credAuthApi).
 *
 * @param methodId  IPC method id being invoked.
 * @return HC_SUCCESS when methodId is not a credential-auth method, or when the caller
 *         holds CRED_PRIVILEGE_PERMISSION or CRED_AUTH_PERMISSION; HC_ERR_IPC_PERMISSION_DENIED otherwise.
 */
static int32_t CheckCredAuthPermission(int32_t methodId)
{
    const bool isCredAuthMethod = g_credAuthApi.count(methodId) != 0;
    if (!isCredAuthMethod) {
        return HC_SUCCESS;
    }
    // The privilege permission is tried first; the second check runs only on a miss.
    if (CheckInterfacePermission(CRED_PRIVILEGE_PERMISSION) == HC_SUCCESS) {
        return HC_SUCCESS;
    }
    if (CheckInterfacePermission(CRED_AUTH_PERMISSION) == HC_SUCCESS) {
        return HC_SUCCESS;
    }
    LOGE("Do not have CRED AUTH or CRED PRIVILEGE permission!");
    return HC_ERR_IPC_PERMISSION_DENIED;
}
145 
/*
 * Combined credential permission gate: both the credential-auth and the
 * credential-manager checks must pass (each is a no-op for method ids it does not cover).
 *
 * @param methodId  IPC method id being invoked.
 * @return HC_SUCCESS when both checks pass, HC_ERR_IPC_PERMISSION_DENIED otherwise.
 */
static int32_t CheckACLPermission(int32_t methodId)
{
    // Auth check first; the manager check is skipped once the auth check has failed.
    const bool allowed = (CheckCredAuthPermission(methodId) == HC_SUCCESS) &&
        (CheckCredMgrPermission(methodId) == HC_SUCCESS);
    return allowed ? HC_SUCCESS : HC_ERR_IPC_PERMISSION_DENIED;
}
156 
/*
 * Decides whether a caller token type may reach methodId at all.
 *
 * Native tokens are always accepted here (they are further checked by
 * CheckNativeTokenInfo in CheckPermission). HAP (application) tokens are accepted only
 * for credential manager/auth methods, where authorization is left to the permission
 * checks in CheckACLPermission. Every other combination is rejected and logged.
 *
 * @param tokenType  token type of the caller.
 * @param methodId   IPC method id being invoked.
 * @return true when the token type is acceptable for methodId, false otherwise.
 */
static bool CheckTokenType(ATokenTypeEnum tokenType, int32_t methodId)
{
    switch (tokenType) {
        case TOKEN_NATIVE:
            return true;
        case TOKEN_HAP: {
            const bool isCredMethod =
                g_credAuthApi.count(methodId) != 0 || g_credMgrApi.count(methodId) != 0;
            if (isCredMethod) {
                LOGI("IS interface not need check token type");
                return true;
            }
            break;
        }
        default:
            break;
    }
    LOGE("[AccessTokenKit][GetTokenTypeFlag]: Invalid token type: %" LOG_PUB "d", tokenType);
    return false;
}
169 
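/*
 * Additional checks applied to native (service) callers, in order:
 *   1. the native token info must be retrievable;
 *   2. the caller's APL must be SYSTEM_CORE or SYSTEM_BASIC;
 *   3. the caller's process name must pass the per-method whitelist
 *      (g_apiAccessWhitelist) and the interface access list (g_apiAccessConfig).
 * Any failure is logged and denied.
 *
 * @param tokenId   calling token id.
 * @param methodId  IPC method id being invoked.
 * @return HC_SUCCESS when all checks pass, HC_ERR_IPC_PERMISSION_DENIED otherwise.
 */
static int32_t CheckNativeTokenInfo(AccessTokenID tokenId, int32_t methodId)
{
    // Value-initialise so no field is read uninitialised if the kit fills it only partially.
    NativeTokenInfo findInfo{};
    if (AccessTokenKit::GetNativeTokenInfo(tokenId, findInfo) != 0) {
        LOGE("[AccessTokenKit][GetNativeTokenInfo]: failed!");
        return HC_ERR_IPC_PERMISSION_DENIED;
    }
    if ((findInfo.apl != APL_SYSTEM_CORE) && (findInfo.apl != APL_SYSTEM_BASIC)) {
        LOGE("Check permission(APL3=SYSTEM_CORE or APL2=SYSTEM_BASIC) failed! APL: %" LOG_PUB "d", findInfo.apl);
        return HC_ERR_IPC_PERMISSION_DENIED;
    }
    if (!IsProcessInWhitelist(findInfo.processName, methodId)) {
        LOGE("Check permission(Access Whitelist) failed!");
        return HC_ERR_IPC_PERMISSION_DENIED;
    }
    if (!IsProcessAllowAccess(findInfo.processName, methodId)) {
        LOGE("Check permission(Interface Access List) failed!");
        return HC_ERR_IPC_PERMISSION_DENIED;
    }
    return HC_SUCCESS;
}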
191 
/*
 * Entry point of the IPC permission check for methodId, evaluated for the calling token:
 *   1. token type must be acceptable for the method (CheckTokenType);
 *   2. native callers must additionally pass the APL / process-list checks
 *      (CheckNativeTokenInfo) — HAP callers skip this step;
 *   3. credential methods require the corresponding permissions (CheckACLPermission).
 *
 * @param methodId  IPC method id being invoked.
 * @return HC_SUCCESS when every applicable check passes, HC_ERR_IPC_PERMISSION_DENIED otherwise.
 */
int32_t CheckPermission(int32_t methodId)
{
    const AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
    const ATokenTypeEnum tokenType = AccessTokenKit::GetTokenTypeFlag(tokenId);
    if (!CheckTokenType(tokenType, methodId)) {
        return HC_ERR_IPC_PERMISSION_DENIED;
    }
    // Whitelist / APL checks are only defined for native tokens; other accepted
    // token types fall straight through to the permission checks.
    const bool nativeInfoOk =
        (tokenType != TOKEN_NATIVE) || (CheckNativeTokenInfo(tokenId, methodId) == HC_SUCCESS);
    if (!nativeInfoOk) {
        return HC_ERR_IPC_PERMISSION_DENIED;
    }
    if (CheckACLPermission(methodId) == HC_SUCCESS) {
        return HC_SUCCESS;
    }
    LOGE("Check ACL permission failed!");
    return HC_ERR_IPC_PERMISSION_DENIED;
}
208 
/*
 * Returns the uid of the IPC caller as reported by the IPC skeleton.
 *
 * @return calling uid, converted to int32_t.
 */
int32_t GetCallingUid(void)
{
    const auto callingUid = IPCSkeleton::GetCallingUid();
    return callingUid;
}
213