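/*
 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef ACCESSTOKEN_MANAGER_SERVICE_H
#define ACCESSTOKEN_MANAGER_SERVICE_H

// <cstdint> and <map> are included directly: this header names the fixed-width integer
// types and std::map itself, so it should not depend on a transitive include for them.
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <unordered_set>
#include <vector>

#include "access_token_manager_stub.h"
#ifdef EVENTHANDLER_ENABLE
#include "access_event_handler.h"
#endif
#include "access_token_db.h"
#include "access_token.h"
#include "generic_values.h"
#include "hap_token_info.h"
#include "iremote_object.h"
#include "json_parse_loader.h"
#include "nocopyable.h"
#include "permission_map.h"
#include "singleton.h"
#include "system_ability.h"
#include "thread_pool.h"

namespace OHOS {
namespace Security {
namespace AccessToken {
/** Running state tracked by AccessTokenManagerService in its state_ member. */
enum class ServiceRunningState { STATE_NOT_START, STATE_RUNNING };

/**
 * @brief Service-side declaration of the access token manager.
 *
 * The class derives from SystemAbility and AccessTokenManagerStub and overrides their
 * virtual entry points. Nearly every public operation returns an int/int32_t (presumably
 * an error code; confirm against the implementation) and hands its result back through
 * a non-const reference parameter.
 *
 * NOTE(review): the public overrides are presumably reachable over IPC through
 * AccessTokenManagerStub, so their arguments should be treated as caller-controlled.
 * This header declares caller-identity predicates (IsPrivilegedCalling() and the other
 * Is...Calling() members) but does not show which entry points use them. When reviewing
 * the implementation, confirm that every state-changing operation (grant/revoke, token
 * allocation and deletion, user policy, remote token handling) checks the caller before
 * it acts, and that the check cannot be skipped on an error path.
 */
class AccessTokenManagerService final : public SystemAbility, public AccessTokenManagerStub {
    DECLARE_DELAYED_SINGLETON(AccessTokenManagerService);
    // Macro name is reproduced exactly as the file spells it; it is expanded by a project header.
    DECLEAR_SYSTEM_ABILITY(AccessTokenManagerService);

public:
    // Lifecycle and dependency notifications.
    void OnStart() override;
    void OnStop() override;
    void OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId) override;
    void OnRemoveSystemAbility(int32_t systemAbilityId, const std::string& deviceId) override;

    // HAP token creation and permission queries. Outputs are the non-const reference parameters.
    int32_t AllocHapToken(const HapInfoParcel& info, const HapPolicyParcel& policy, uint64_t& fullTokenId) override;
    int32_t GetPermissionUsedType(
        AccessTokenID tokenID, const std::string& permissionName, int32_t& permUsedType) override;
    int32_t InitHapToken(const HapInfoParcel& info, const HapPolicyParcel& policy,
        uint64_t& fullTokenId, HapInfoCheckResultIdl& resultInfoIdl) override;
    // Single-permission and batch verification; the batch form fills permStateList.
    int32_t VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName, int32_t& state) override;
    int VerifyAccessToken(AccessTokenID tokenID,
        const std::vector<std::string>& permissionList, std::vector<int32_t>& permStateList) override;
    int GetDefPermission(const std::string& permissionName, PermissionDefParcel& permissionDefResult) override;
    int GetReqPermissions(
        AccessTokenID tokenID, std::vector<PermissionStatusParcel>& reqPermList, bool isSystemGrant) override;
    int32_t GetSelfPermissionStatus(const std::string& permissionName, int32_t& status) override;
    int32_t GetSelfPermissionsState(std::vector<PermissionListStateParcel>& reqPermList,
        PermissionGrantInfoParcel& infoParcel, int32_t& permOper) override;
    int32_t GetPermissionsStatus(AccessTokenID tokenID, std::vector<PermissionListStateParcel>& reqPermList) override;
    int GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag) override;
    int32_t SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status,
        int32_t userID) override;
    int32_t GetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t& status,
        int32_t userID) override;
    int32_t RequestAppPermOnSetting(AccessTokenID tokenID) override;

    // Operations that change permission state for a token supplied by the caller.
    // NOTE(review): the caller checks guarding these live in the implementation file; verify them there.
    int GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag) override;
    int RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag) override;
    int GrantPermissionForSpecifiedTime(
        AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime) override;
    int ClearUserGrantedPermissionState(AccessTokenID tokenID) override;
    int32_t SetPermissionStatusWithPolicy(
        AccessTokenID tokenID, const std::vector<std::string>& permissionList, int32_t status, uint32_t flag) override;
    int DeleteToken(AccessTokenID tokenID) override;

    // Token lookup. The one-argument GetTokenType is not marked override, so it is an
    // additional overload declared by this class rather than part of an inherited interface.
    int GetTokenType(AccessTokenID tokenID);
    int GetTokenType(AccessTokenID tokenID, int32_t& tokenType) override;
    int32_t GetHapTokenID(
        int32_t userID, const std::string& bundleName, int32_t instIndex, uint64_t& fullTokenId) override;
    int32_t AllocLocalTokenID(
        const std::string& remoteDeviceID, AccessTokenID remoteTokenID, AccessTokenID& tokenId) override;
    int GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfoParcel& infoParcel) override;
    int32_t GetTokenIDByUserID(int32_t userID, std::vector<AccessTokenID>& tokenIds) override;
    int GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfoParcel& infoParcel) override;
    int32_t UpdateHapToken(uint64_t& fullTokenId, const UpdateHapInfoParamsIdl& infoIdl,
        const HapPolicyParcel& policyParcel, HapInfoCheckResultIdl& resultInfoIdl) override;

    // Registration of caller-provided remote objects as permission-state-change callbacks.
    int32_t RegisterPermStateChangeCallback(
        const PermStateChangeScopeParcel& scope, const sptr<IRemoteObject>& callback) override;
    int32_t UnRegisterPermStateChangeCallback(const sptr<IRemoteObject>& callback) override;
    int32_t RegisterSelfPermStateChangeCallback(const PermStateChangeScopeParcel& scope,
        const sptr<IRemoteObject>& callback) override;
    int32_t UnRegisterSelfPermStateChangeCallback(const sptr<IRemoteObject>& callback) override;
    // Declared only when ATM_BUILD_VARIANT_USER_ENABLE is not defined.
#ifndef ATM_BUILD_VARIANT_USER_ENABLE
    int32_t ReloadNativeTokenInfo() override;
#endif
    int GetHapTokenInfoExtension(AccessTokenID tokenID,
        HapTokenInfoParcel& hapTokenInfoRes, std::string& appID) override;
    int32_t GetNativeTokenId(const std::string& processName, AccessTokenID& tokenID) override;
    // Security component enhancement entry points, present only with SECURITY_COMPONENT_ENHANCE_ENABLE.
#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
    int32_t RegisterSecCompEnhance(const SecCompEnhanceDataParcel& enhanceParcel) override;
    int32_t UpdateSecCompEnhance(int32_t pid, uint32_t seqNum) override;
    int32_t GetSecCompEnhance(int32_t pid, SecCompEnhanceDataParcel& enhanceParcel) override;
#endif
    int32_t IsToastShownNeeded(int32_t pid, bool& needToShow) override;

    // Remote-device token handling, present only with TOKEN_SYNC_ENABLE. The deviceID and
    // the sync parcels come from outside this class and should be validated before use.
#ifdef TOKEN_SYNC_ENABLE
    int GetHapTokenInfoFromRemote(AccessTokenID tokenID, HapTokenInfoForSyncParcel& hapSyncParcel) override;
    int SetRemoteHapTokenInfo(const std::string& deviceID, const HapTokenInfoForSyncParcel& hapSyncParcel) override;
    int DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID) override;
    int32_t GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID, AccessTokenID& tokenId) override;
    int DeleteRemoteDeviceTokens(const std::string& deviceID) override;
    int32_t RegisterTokenSyncCallback(const sptr<IRemoteObject>& callback) override;
    int32_t UnRegisterTokenSyncCallback() override;
#endif
    int32_t GetKernelPermissions(
        AccessTokenID tokenId, std::vector<PermissionWithValueIdl>& kernelPermIdlList) override;
    int32_t GetReqPermissionByName(
        AccessTokenID tokenId, const std::string& permissionName, std::string& value) override;
    int SetPermDialogCap(const HapBaseInfoParcel& hapBaseInfoParcel, bool enable) override;
    int32_t GetPermissionManagerInfo(PermissionGrantInfoParcel& infoParcel) override;
    // Per-user policy management.
    int32_t InitUserPolicy(
        const std::vector<UserStateIdl>& userIdlList, const std::vector<std::string>& permList) override;
    int32_t UpdateUserPolicy(const std::vector<UserStateIdl>& userIdlList) override;
    int32_t ClearUserPolicy() override;
    // Writes a textual dump into dumpInfo. NOTE(review): confirm the implementation restricts
    // who may request a dump, since the output describes token state.
    int32_t DumpTokenInfo(const AtmToolsParamInfoParcel& infoParcel, std::string& dumpInfo) override;
    int32_t GetVersion(uint32_t& version) override;

    // Overridden hooks that receive a request code, and on exit the result as well.
    // Presumably invoked by the stub around each request; confirm in access_token_manager_stub.h.
    int32_t CallbackEnter(uint32_t code) override;
    int32_t CallbackExit(uint32_t code, int32_t result) override;

private:
    // Configuration loading helpers.
    void GetValidConfigFilePathList(std::vector<std::string>& pathList);
    bool GetConfigGrantValueFromFile(std::string& fileContent);
    void SetFlagIfNeed(const AccessTokenServiceConfig& atConfig, int32_t& cancelTime, uint32_t& parseConfigFlag);
    void GetConfigValue(uint32_t& parseConfigFlag);
    bool Initialize();
    void AccessTokenServiceParamSet() const;
    // NOTE(review): permissionName is taken by value; const std::string& would avoid a copy,
    // but the out-of-line definition would have to change together with this declaration.
    bool isLocationPermSpecialHandle(std::string permissionName, int32_t apiVersion);
    // Private two-argument overload that returns its result directly instead of through an out-parameter.
    int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName);
    PermissionOper GetPermissionsState(AccessTokenID tokenID, std::vector<PermissionListStateParcel>& reqPermList);
    // Reporting helpers for HAP add/update; both take the start time and the resulting error code.
    void ReportAddHap(AccessTokenIDEx fullTokenId, const HapInfoParams& hapInfo,
        const HapPolicy& policy, int64_t beginTime, int32_t errorCode);
    void ReportUpdateHap(AccessTokenIDEx fullTokenId, const HapTokenInfo& info,
        const HapPolicy& policy, int64_t beginTime, int32_t errorCode);
    // Validation and clean-up of stored permission records.
    bool IsPermissionValid(int32_t hapApl, const PermissionBriefDef& data, const std::string& value, bool isAcl);
    void FilterInvalidData(const std::vector<GenericValues>& results,
        const std::map<int32_t, TokenIdInfo>& tokenIdAplMap, std::vector<GenericValues>& validValueList);
    void UpdateUndefinedInfoCache(const std::vector<GenericValues>& validValueList,
        std::vector<GenericValues>& stateValues, std::vector<GenericValues>& extendValues);
    void HandleHapUndefinedInfo(const std::map<int32_t, TokenIdInfo>& tokenIdAplMap, std::vector<DelInfo>& delInfoVec,
        std::vector<AddInfo>& addInfoVec);
    void UpdateDatabaseAsync(const std::vector<DelInfo>& delInfoVec, const std::vector<AddInfo>& addInfoVec);
    void HandlePermDefUpdate(const std::map<int32_t, TokenIdInfo>& tokenIdAplMap);

    // Defaulted in-class so the state is never read uninitialised, matching the token ID
    // members below; the constructor is not visible from this header.
    ServiceRunningState state_ = ServiceRunningState::STATE_NOT_START;
    // Bundle and ability names; presumably filled from the configuration helpers above.
    std::string grantBundleName_;
    std::string grantAbilityName_;
    std::string grantServiceAbilityName_;
    std::string permStateAbilityName_;
    std::string globalSwitchAbilityName_;
    std::string applicationSettingAbilityName_;

    // Caller-identity predicates. NOTE(review): the header does not show where the calling
    // identity is read from or which entry points call these; confirm both in the implementation.
    bool IsPrivilegedCalling() const;
    bool IsAccessTokenCalling();
    bool IsNativeProcessCalling();
    bool IsSystemAppCalling() const;
    bool IsShellProcessCalling();
    bool IsSecCompServiceCalling();
    // Fixed UIDs, presumably compared against the caller's uid by the predicates above.
    // ROOT_UID exists only when ATM_BUILD_VARIANT_USER_ENABLE is not defined.
#ifndef ATM_BUILD_VARIANT_USER_ENABLE
    static const int32_t ROOT_UID = 0;
#endif
    static const int32_t ACCESSTOKEN_UID = 3020;

    // Token IDs that stay 0 until assigned; presumably the cached identities of the token
    // sync and security component services (confirm against the implementation).
    AccessTokenID tokenSyncId_ = 0;
    AccessTokenID secCompTokenId_ = 0;
};
} // namespace AccessToken
} // namespace Security
} // namespace OHOS
#endif // ACCESSTOKEN_MANAGER_SERVICE_H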