• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2025 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "permission_manager_adapter.h"
17 #include "accesstoken_kit.h"
18 #include "dlp_dfx_define.h"
19 #include "dlp_permission.h"
20 #include "dlp_permission_log.h"
21 #include "bundle_manager_adapter.h"
22 #include "bundle_mgr_client.h"
23 #include "os_account_manager.h"
24 #include "system_ability_definition.h"
25 #include "iservice_registry.h"
26 #include "ipc_skeleton.h"
27 
28 namespace OHOS {
29 namespace Security {
30 namespace DlpPermission {
31 using namespace Security::AccessToken;
32 using namespace OHOS::AppExecFwk;
33 
34 namespace {
35 constexpr OHOS::HiviewDFX::HiLogLabel LABEL = { LOG_CORE, SECURITY_DOMAIN_DLP_PERMISSION, "PermissionManagerAdapter" };
36 static const std::string CRED_HAP_IDENTIFIER = "5765880207854232861";
37 static const std::string MDM_HAP_IDENTIFIER = "6917562860841254665";
38 }
GetOsAccountId(int32_t & osAccountId)39 static int32_t GetOsAccountId(int32_t &osAccountId)
40 {
41     using OHOS::AccountSA::OsAccountManager;
42     std::vector<int32_t> ids;
43     int32_t ret = OsAccountManager::QueryActiveOsAccountIds(ids);
44     if (ret != OHOS::ERR_OK) {
45         DLP_LOG_ERROR(LABEL, "Call QueryActiveOsAccountIds from OsAccountKits failed. ret:%{public}d.", ret);
46         return DLP_HAP_ID_GET_ERROR;
47     }
48     if (ids.empty() || (ids.at(0) < 0)) {
49         DLP_LOG_ERROR(LABEL, "The ids from OsAccountKits is invalid.");
50         return DLP_HAP_ID_GET_ERROR;
51     }
52     osAccountId = ids.at(0);
53     return DLP_OK;
54 }
55 
GetBundleMgrsa()56 static sptr<AppExecFwk::IBundleMgr> GetBundleMgrsa()
57 {
58     auto systemAbilityManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
59     if (systemAbilityManager == nullptr) {
60         DLP_LOG_ERROR(LABEL, "GetBundleMgr GetSystemAbilityManager is null.");
61         return nullptr;
62     }
63     auto bundleMgrSa = systemAbilityManager->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
64     if (bundleMgrSa == nullptr) {
65         DLP_LOG_ERROR(LABEL, "GetBundleMgr GetSystemAbility is null.");
66         return nullptr;
67     }
68 
69     return iface_cast<AppExecFwk::IBundleMgr>(bundleMgrSa);
70 }
71 
GetAppIdentifier(const std::string & bundleName,std::string & appIdentifier,int32_t userId)72 static bool GetAppIdentifier(const std::string &bundleName, std::string &appIdentifier, int32_t userId)
73 {
74     auto bundleMgr = GetBundleMgrsa();
75     if (bundleMgr == nullptr) {
76         DLP_LOG_ERROR(LABEL, "GetAppIdentifier cant get bundleMgr.");
77         return false;
78     }
79     AppExecFwk::BundleInfo bundleInfo;
80     int ret = bundleMgr->GetBundleInfoV9(bundleName,
81         static_cast<int32_t>(AppExecFwk::GetBundleInfoFlag::GET_BUNDLE_INFO_WITH_SIGNATURE_INFO), bundleInfo, userId);
82     if (ret != 0) {
83         DLP_LOG_ERROR(LABEL, "GetAppIdentifier failed to get bundle info for %{public}s due to errCode %{public}d.",
84             bundleName.c_str(), ret);
85         return false;
86     }
87     if (bundleInfo.signatureInfo.appIdentifier.empty()) {
88         DLP_LOG_ERROR(LABEL, "GetAppIdentifier cant get appIdentifier.");
89         return false;
90     }
91     appIdentifier = bundleInfo.signatureInfo.appIdentifier;
92     return true;
93 }
94 
CheckPermissionForConnect(uint32_t callerTokenId)95 static int32_t CheckPermissionForConnect(uint32_t callerTokenId)
96 {
97     int32_t osAccountId = 0;
98     int32_t ret = GetOsAccountId(osAccountId);
99     if (ret != DLP_OK) {
100         DLP_LOG_ERROR(LABEL, "Failed to GetOsAccountId.");
101         return ret;
102     }
103 
104     HapTokenInfo hapTokenInfo;
105     int32_t result = AccessTokenKit::GetHapTokenInfo(callerTokenId, hapTokenInfo);
106     if (result != 0) {
107         DLP_LOG_ERROR(LABEL, "Failed to GetHapTokenInfo.");
108         return DLP_HAP_ID_GET_ERROR;
109     }
110 
111     std::string appIdentifier;
112     if (GetAppIdentifier(hapTokenInfo.bundleName, appIdentifier, osAccountId) == false) {
113         DLP_LOG_ERROR(LABEL, "Failed to check appIdentifier.");
114         return DLP_HAP_ID_GET_ERROR;
115     }
116 
117     if (appIdentifier != CRED_HAP_IDENTIFIER) {
118         DLP_LOG_ERROR(LABEL, "Failed to match appIdentifier.");
119         return DLP_HAP_ID_GET_ERROR;
120     }
121     return DLP_OK;
122 }
123 
CheckPermissionAndGetAppId(std::string & appId)124 bool PermissionManagerAdapter::CheckPermissionAndGetAppId(std::string& appId)
125 {
126     Security::AccessToken::AccessTokenID callingToken = IPCSkeleton::GetCallingTokenID();
127     int32_t osAccountId = 0;
128     int32_t ret = GetOsAccountId(osAccountId);
129     if (ret != DLP_OK) {
130         DLP_LOG_ERROR(LABEL, "Failed to GetOsAccountId.");
131         return false;
132     }
133 
134     HapTokenInfo hapTokenInfo;
135     int32_t result = AccessTokenKit::GetHapTokenInfo(callingToken, hapTokenInfo);
136     if (result != 0) {
137         DLP_LOG_ERROR(LABEL, "Failed to GetHapTokenInfo.");
138         return false;
139     }
140 
141     std::string appIdentifier;
142     if (GetAppIdentifier(hapTokenInfo.bundleName, appIdentifier, osAccountId) == false) {
143         DLP_LOG_ERROR(LABEL, "Failed to check appIdentifier.");
144         return false;
145     }
146 
147     if (appIdentifier != MDM_HAP_IDENTIFIER) {
148         DLP_LOG_ERROR(LABEL, "Failed to match appIdentifier.");
149         return false;
150     }
151     appId = appIdentifier;
152     return true;
153 }
154 
CheckPermission(const std::string & permission)155 bool PermissionManagerAdapter::CheckPermission(const std::string& permission)
156 {
157     Security::AccessToken::AccessTokenID callingToken = IPCSkeleton::GetCallingTokenID();
158     if (CheckPermissionForConnect(callingToken) == DLP_OK) {
159         DLP_LOG_INFO(LABEL, "Check permission %{public}s pass due to authenticated hap.", permission.c_str());
160         return true;
161     }
162     int res = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callingToken, permission);
163     if (res == Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
164         DLP_LOG_INFO(LABEL, "Check permission %{public}s pass", permission.c_str());
165         return true;
166     }
167 
168     HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::DLP, "DLP_PERMISSION_REPORT",
169         HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", DLP_PERMISSION_VERIFY_ERROR,
170         "CALLER_TOKENID", callingToken);
171 
172     DLP_LOG_ERROR(LABEL, "Check permission %{public}s fail", permission.c_str());
173     return false;
174 }
175 
CheckSandboxFlagWithService(AccessToken::AccessTokenID tokenId,bool & sandboxFlag)176 int32_t PermissionManagerAdapter::CheckSandboxFlagWithService(AccessToken::AccessTokenID tokenId, bool& sandboxFlag)
177 {
178     int32_t res = AccessToken::AccessTokenKit::GetHapDlpFlag(tokenId);
179     if (res < 0) {
180         DLP_LOG_ERROR(LABEL, "Invalid tokenId");
181         return res;
182     }
183     sandboxFlag = (res == 1);
184     return DLP_OK;
185 }
186 }  // namespace DlpPermission
187 }  // namespace Security
188 }  // namespace OHOS