1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "dlp_credential.h"
17 #include <thread>
18 #include <unistd.h>
19 #include <dlfcn.h>
20 #include <unordered_map>
21 #include "account_adapt.h"
22 #include "bundle_manager_adapter.h"
23 #include "dlp_credential_client.h"
24 #include "dlp_policy_mgr_client.h"
25 #include "dlp_permission.h"
26 #include "dlp_permission_log.h"
27 #include "dlp_permission_serializer.h"
28 #include "ipc_skeleton.h"
29 #include "ohos_account_kits.h"
30 #include "os_account_manager.h"
31 #include "parameters.h"
32 #include "permission_policy.h"
33 #include "securec.h"
34
35 namespace OHOS {
36 namespace Security {
37 namespace DlpPermission {
38 using namespace OHOS::AppExecFwk;
39 namespace {
40 const std::string LOCAL_ENCRYPTED_CERT = "encryptedPolicy";
41 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_DLP_PERMISSION, "DlpCredential"};
42 const std::string PERMISSION_ACCESS_DLP_FILE = "ohos.permission.ACCESS_DLP_FILE";
43 static const size_t MAX_REQUEST_NUM = 100;
44 static const uint32_t MAX_APPID_LIST_NUM = 250;
45 static const uint32_t MAX_APPID_LENGTH = 200;
46 static const uint32_t DLP_RESTORE_POLICY_DATA_LEN = 1024 * 200;
47 static const std::string POLICY_CERT = "policyCert";
48 static const std::string DLP_MANAGER_BUNDLE_NAME = "com.ohos.dlpmanager";
49 static std::unordered_map<uint64_t, RequestInfo> g_requestMap;
50 static std::unordered_map<uint64_t, DlpAccountType> g_requestAccountTypeMap;
51 static const std::string DEVELOPER_MODE = "const.security.developermode.state";
52 std::mutex g_lockRequest;
53
54 #ifdef SUPPORT_DLP_CREDENTIAL
55 static const size_t LENGTH_FOR_64_BIT = 8;
56 static const std::string DLP_CREDENTIAL_SDK_PATH_32_BIT = "/system/lib/libdlp_credential_sdk.z.so";
57 static const std::string DLP_CREDENTIAL_SDK_PATH_64_BIT = "/system/lib64/libdlp_credential_sdk.z.so";
58
59 typedef int32_t (*DlpAddPolicyFunction)(PolicyType type, const uint8_t *policy, uint32_t policyLen);
60 typedef int32_t (*DlpRemovePolicyFunction)(PolicyType type);
61 typedef int32_t (*DlpGetPolicyFunction)(PolicyType type, uint8_t *policy, uint32_t *policyLen);
62 typedef int32_t (*DlpCheckPermissionFunction)(PolicyType type, PolicyHandle handle);
63 typedef int32_t (*DlpPackPolicyFunction)(uint32_t osAccountId, const DLP_PackPolicyParams *params,
64 DLP_PackPolicyCallback callback, uint64_t *requestId);
65 typedef int32_t (*DlpRestorePolicyFunction)(uint32_t osAccountId, const DLP_EncPolicyData *params,
66 DLP_RestorePolicyCallback callback, uint64_t *requestId);
67
68 static void *g_dlpCredentialSdkHandle = nullptr;
69 std::mutex g_lockDlpCredSdk;
70 #endif
71 } // namespace
72
IsDlpCredentialHuksError(int errorCode)73 static bool IsDlpCredentialHuksError(int errorCode)
74 {
75 return ((errorCode >= DLP_ERR_GENERATE_KEY_FAILED) && (errorCode < DLP_ERR_IPC_INTERNAL_FAILED));
76 }
77
IsDlpCredentialIpcError(int errorCode)78 static bool IsDlpCredentialIpcError(int errorCode)
79 {
80 return ((errorCode >= DLP_ERR_IPC_INTERNAL_FAILED) && (errorCode < DLP_ERR_CONNECTION_TIME_OUT));
81 }
82
IsDlpCredentialServerError(int errorCode)83 static bool IsDlpCredentialServerError(int errorCode)
84 {
85 return ((errorCode >= DLP_ERR_CONNECTION_TIME_OUT) && (errorCode < DLP_ERR_FILE_PATH));
86 }
87
IsNoPermissionError(int errorCode)88 static bool IsNoPermissionError(int errorCode)
89 {
90 return ((errorCode == DLP_ERR_CONNECTION_VIP_RIGHT_EXPIRED) || (errorCode == DLP_ERR_CONNECTION_NO_PERMISSION));
91 }
92
IsNoInternetError(int errorCode)93 static bool IsNoInternetError(int errorCode)
94 {
95 return ((errorCode == DLP_ERR_CONNECTION_TIME_OUT) || (errorCode == DLP_ERR_TOKEN_CONNECTION_TIME_OUT) ||
96 (errorCode == DLP_ERR_TOKEN_CONNECTION_FAIL));
97 }
98
ConvertCredentialError(int errorCode)99 static int32_t ConvertCredentialError(int errorCode)
100 {
101 if (errorCode == DLP_SUCCESS) {
102 return DLP_OK;
103 }
104 if (errorCode == DLP_ERR_CONNECTION_POLICY_PERMISSION_EXPIRED) {
105 return DLP_CREDENTIAL_ERROR_TIME_EXPIRED;
106 }
107 if (errorCode == DLP_ERR_APPID_NOT_AUTHORIZED) {
108 return DLP_CREDENTIAL_ERROR_APPID_NOT_AUTHORIZED;
109 }
110 if (errorCode == DLP_ERR_CALLBACK_TIME_OUT) {
111 return DLP_CREDENTIAL_ERROR_SERVER_TIME_OUT_ERROR;
112 }
113 if (errorCode == DLP_ERR_ACCOUNT_NOT_LOG_IN) {
114 return DLP_CREDENTIAL_ERROR_NO_ACCOUNT_ERROR;
115 }
116 if (IsNoInternetError(errorCode)) {
117 return DLP_CREDENTIAL_ERROR_NO_INTERNET;
118 }
119 if (IsNoPermissionError(errorCode)) {
120 return DLP_CREDENTIAL_ERROR_NO_PERMISSION_ERROR;
121 }
122 if (IsDlpCredentialHuksError(errorCode)) {
123 return DLP_CREDENTIAL_ERROR_HUKS_ERROR;
124 }
125 if (IsDlpCredentialIpcError(errorCode)) {
126 return DLP_CREDENTIAL_ERROR_IPC_ERROR;
127 }
128 if (IsDlpCredentialServerError(errorCode)) {
129 return DLP_CREDENTIAL_ERROR_SERVER_ERROR;
130 }
131 return DLP_CREDENTIAL_ERROR_COMMON_ERROR;
132 }
133
GetCallbackFromRequestMap(uint64_t requestId,RequestInfo & info)134 static bool GetCallbackFromRequestMap(uint64_t requestId, RequestInfo& info)
135 {
136 DLP_LOG_INFO(LABEL, "Get callback, requestId: %{public}llu", static_cast<unsigned long long>(requestId));
137 std::lock_guard<std::mutex> lock(g_lockRequest);
138 auto iter = g_requestMap.find(requestId);
139 if (iter != g_requestMap.end()) {
140 info = iter->second;
141 g_requestMap.erase(requestId);
142 return true;
143 }
144 DLP_LOG_ERROR(LABEL, "Callback not found");
145 return false;
146 }
147
InsertCallbackToRequestMap(uint64_t requestId,const RequestInfo & info)148 static int32_t InsertCallbackToRequestMap(uint64_t requestId, const RequestInfo& info)
149 {
150 DLP_LOG_DEBUG(LABEL, "insert request, requestId: %{public}llu", static_cast<unsigned long long>(requestId));
151 if (g_requestMap.count(requestId) > 0) {
152 DLP_LOG_ERROR(LABEL, "Duplicate task, requestId: %{public}llu", static_cast<unsigned long long>(requestId));
153 return DLP_SERVICE_ERROR_CREDENTIAL_TASK_DUPLICATE;
154 }
155 g_requestMap[requestId] = info;
156 return DLP_OK;
157 }
158
QueryRequestIdle()159 static int32_t QueryRequestIdle()
160 {
161 DLP_LOG_DEBUG(LABEL, "Total tasks: %{public}zu", g_requestMap.size());
162 if (g_requestMap.size() > MAX_REQUEST_NUM) {
163 DLP_LOG_ERROR(LABEL, "Task busy");
164 return DLP_SERVICE_ERROR_CREDENTIAL_BUSY;
165 }
166 return DLP_OK;
167 }
168
DlpPackPolicyCallback(uint64_t requestId,int errorCode,DLP_EncPolicyData * outParams)169 static void DlpPackPolicyCallback(uint64_t requestId, int errorCode, DLP_EncPolicyData* outParams)
170 {
171 DLP_LOG_INFO(LABEL, "Called, requestId: %{public}llu", static_cast<unsigned long long>(requestId));
172 RequestInfo info;
173 if (!GetCallbackFromRequestMap(requestId, info)) {
174 DLP_LOG_ERROR(LABEL, "callback is null");
175 return;
176 }
177
178 if (errorCode != 0) {
179 DLP_LOG_ERROR(LABEL, "Pack Policy error, errorCode: %{public}d", errorCode);
180 info.callback->OnGenerateDlpCertificate(ConvertCredentialError(errorCode), std::vector<uint8_t>());
181 return;
182 }
183
184 if (outParams == nullptr || outParams->data == nullptr || outParams->featureName == nullptr) {
185 DLP_LOG_ERROR(LABEL, "Params is null");
186 info.callback->OnGenerateDlpCertificate(DLP_SERVICE_ERROR_VALUE_INVALID, std::vector<uint8_t>());
187 return;
188 }
189 unordered_json encDataJson;
190 int32_t res = DlpPermissionSerializer::GetInstance().SerializeEncPolicyData(*outParams, encDataJson);
191 if (res != DLP_OK) {
192 DLP_LOG_ERROR(LABEL, "Serialize fail");
193 return;
194 }
195 std::string encData = encDataJson.dump();
196 std::vector<uint8_t> cert(encData.begin(), encData.end());
197 info.callback->OnGenerateDlpCertificate(errorCode, cert);
198 }
199
GetNewCert(const unordered_json & plainPolicyJson,std::vector<uint8_t> & cert,DlpAccountType ownerAccountType)200 static int32_t GetNewCert(const unordered_json& plainPolicyJson, std::vector<uint8_t>& cert,
201 DlpAccountType ownerAccountType)
202 {
203 #ifdef SUPPORT_DLP_CREDENTIAL
204 unordered_json json;
205 if (plainPolicyJson.find(POLICY_CERT) == plainPolicyJson.end() || !plainPolicyJson.at(POLICY_CERT).is_object()) {
206 DLP_LOG_ERROR(LABEL, "can not found policyCert");
207 return DLP_CREDENTIAL_ERROR_SERVER_ERROR;
208 }
209 plainPolicyJson.at(POLICY_CERT).get_to(json);
210 std::string encData = json.dump();
211 DLP_EncPolicyData params;
212 params.data = reinterpret_cast<uint8_t*>(strdup(encData.c_str()));
213 if (params.data == nullptr) {
214 DLP_LOG_ERROR(LABEL, "Strdup failed.");
215 return DLP_CREDENTIAL_ERROR_VALUE_INVALID;
216 }
217 params.dataLen = strlen(encData.c_str());
218 params.accountType = static_cast<AccountType>(ownerAccountType);
219 unordered_json encDataJson;
220 int32_t res = DlpPermissionSerializer::GetInstance().SerializeEncPolicyData(params, encDataJson);
221 if (res != DLP_OK) {
222 DLP_LOG_ERROR(LABEL, "Serialize fail");
223 free(params.data);
224 params.data = nullptr;
225 return res;
226 }
227 free(params.data);
228 params.data = nullptr;
229 std::string encDataStr = encDataJson.dump();
230 cert.assign(encDataStr.begin(), encDataStr.end());
231 #endif
232 return DLP_OK;
233 }
234
DlpRestorePolicyCallbackCheck(sptr<IDlpPermissionCallback> callback,DlpAccountType accountType,int errorCode,DLP_RestorePolicyData * outParams,PermissionPolicy policyInfo)235 static int32_t DlpRestorePolicyCallbackCheck(sptr<IDlpPermissionCallback> callback, DlpAccountType accountType,
236 int errorCode, DLP_RestorePolicyData* outParams, PermissionPolicy policyInfo)
237 {
238 if (callback == nullptr || accountType == INVALID_ACCOUNT) {
239 DLP_LOG_ERROR(LABEL, "callback is null or accountType is 0");
240 return DLP_SERVICE_ERROR_VALUE_INVALID;
241 }
242 if (errorCode != 0) {
243 DLP_LOG_ERROR(LABEL, "Restore Policy error, errorCode: %{public}d", errorCode);
244 callback->OnParseDlpCertificate(ConvertCredentialError(errorCode), policyInfo, {});
245 return DLP_SERVICE_ERROR_VALUE_INVALID;
246 }
247 if (outParams == nullptr || outParams->data == nullptr) {
248 DLP_LOG_ERROR(LABEL, "Params is null");
249 callback->OnParseDlpCertificate(DLP_SERVICE_ERROR_VALUE_INVALID, policyInfo, {});
250 return DLP_SERVICE_ERROR_VALUE_INVALID;
251 }
252 return DLP_OK;
253 }
254
FreeBuffer(char ** buff,uint32_t buffLen)255 static void FreeBuffer(char** buff, uint32_t buffLen)
256 {
257 if (buff == nullptr) {
258 DLP_LOG_ERROR(LABEL, "Uint8 buffer is already nullptr.");
259 return;
260 }
261 if (*buff != nullptr) {
262 memset_s(*buff, buffLen, 0, buffLen);
263 delete[] *buff;
264 *buff = nullptr;
265 }
266 }
267
SetPermissionPolicy(DLP_RestorePolicyData * outParams,sptr<IDlpPermissionCallback> callback,PermissionPolicy & policyInfo,unordered_json & jsonObj)268 static bool SetPermissionPolicy(DLP_RestorePolicyData* outParams, sptr<IDlpPermissionCallback> callback,
269 PermissionPolicy& policyInfo, unordered_json& jsonObj)
270 {
271 if (outParams->dataLen > DLP_RESTORE_POLICY_DATA_LEN) {
272 DLP_LOG_ERROR(LABEL, "outParams->dataLen is out of size.");
273 return false;
274 }
275 auto policyStr = new (std::nothrow) char[outParams->dataLen + 1];
276 if (policyStr == nullptr) {
277 DLP_LOG_ERROR(LABEL, "New memory fail");
278 callback->OnParseDlpCertificate(DLP_SERVICE_ERROR_MEMORY_OPERATE_FAIL, policyInfo, {});
279 return false;
280 }
281 if (memcpy_s(policyStr, outParams->dataLen + 1, outParams->data, outParams->dataLen) != EOK) {
282 DLP_LOG_ERROR(LABEL, "Memcpy_s fail");
283 FreeBuffer(&policyStr, outParams->dataLen + 1);
284 callback->OnParseDlpCertificate(DLP_SERVICE_ERROR_MEMORY_OPERATE_FAIL, policyInfo, {});
285 return false;
286 }
287 policyStr[outParams->dataLen] = '\0';
288 jsonObj = unordered_json::parse(policyStr, policyStr + outParams->dataLen + 1, nullptr, false);
289 if (jsonObj.is_discarded() || (!jsonObj.is_object())) {
290 DLP_LOG_ERROR(LABEL, "JsonObj is discarded");
291 FreeBuffer(&policyStr, outParams->dataLen + 1);
292 callback->OnParseDlpCertificate(DLP_SERVICE_ERROR_JSON_OPERATE_FAIL, policyInfo, {});
293 return false;
294 }
295 FreeBuffer(&policyStr, outParams->dataLen + 1);
296 auto res = DlpPermissionSerializer::GetInstance().DeserializeDlpPermission(jsonObj, policyInfo);
297 if (res != DLP_OK) {
298 callback->OnParseDlpCertificate(res, policyInfo, {});
299 return false;
300 }
301 return true;
302 }
303
CheckDebugPermission(const RequestInfo & requestInfo,PermissionPolicy & policyInfo)304 static int32_t CheckDebugPermission(const RequestInfo& requestInfo, PermissionPolicy& policyInfo)
305 {
306 bool isDebugApp = (requestInfo.appProvisionType == AppExecFwk::Constants::APP_PROVISION_TYPE_DEBUG);
307 if (!isDebugApp) {
308 return DLP_OK;
309 }
310 bool isDeveloperMode = OHOS::system::GetBoolParameter(DEVELOPER_MODE, false);
311 if (isDeveloperMode && policyInfo.debug_) {
312 return DLP_OK;
313 }
314 DLP_LOG_ERROR(LABEL, "CheckDebugPermission error, isDeveloperMode=%{public}d "
315 "isDebugApp=%{public}d isDebugFile=%{public}d.", isDeveloperMode, isDebugApp, policyInfo.debug_);
316 return DLP_SERVICE_ERROR_PERMISSION_DENY;
317 }
318
DlpRestorePolicyCallback(uint64_t requestId,int errorCode,DLP_RestorePolicyData * outParams)319 static void DlpRestorePolicyCallback(uint64_t requestId, int errorCode, DLP_RestorePolicyData* outParams)
320 {
321 DLP_LOG_INFO(LABEL, "Called, requestId: %{public}llu", static_cast<unsigned long long>(requestId));
322 RequestInfo requestInfo;
323 if (!GetCallbackFromRequestMap(requestId, requestInfo)) {
324 DLP_LOG_ERROR(LABEL, "callback is null");
325 return;
326 }
327 PermissionPolicy policyInfo;
328 int32_t res = DlpRestorePolicyCallbackCheck(
329 requestInfo.callback, requestInfo.accountType, errorCode, outParams, policyInfo);
330 if (res != DLP_OK) {
331 return;
332 }
333 unordered_json jsonObj;
334 if (!SetPermissionPolicy(outParams, requestInfo.callback, policyInfo, jsonObj)) {
335 return;
336 }
337 policyInfo.ownerAccountType_ = requestInfo.accountType;
338 std::vector<uint8_t> cert;
339 res = GetNewCert(jsonObj, cert, requestInfo.accountType);
340 if (res != DLP_OK) {
341 requestInfo.callback->OnParseDlpCertificate(res, policyInfo, {});
342 return;
343 }
344 res = CheckDebugPermission(requestInfo, policyInfo);
345 if (res != DLP_OK) {
346 requestInfo.callback->OnParseDlpCertificate(res, policyInfo, {});
347 return;
348 }
349 requestInfo.callback->OnParseDlpCertificate(errorCode, policyInfo, cert);
350 }
351
GetInstance()352 DlpCredential& DlpCredential::GetInstance()
353 {
354 static DlpCredential instance;
355 return instance;
356 }
357
FreeDlpPackPolicyParams(DLP_PackPolicyParams & packPolicy)358 static void FreeDlpPackPolicyParams(DLP_PackPolicyParams& packPolicy)
359 {
360 if (packPolicy.featureName != nullptr) {
361 free(packPolicy.featureName);
362 packPolicy.featureName = nullptr;
363 }
364 if (packPolicy.data != nullptr) {
365 free(packPolicy.data);
366 packPolicy.data = nullptr;
367 }
368 if (packPolicy.senderAccountInfo.accountId != nullptr) {
369 free(packPolicy.senderAccountInfo.accountId);
370 packPolicy.senderAccountInfo.accountId = nullptr;
371 }
372 }
373
374 #ifdef SUPPORT_DLP_CREDENTIAL
GetDlpCredSdkLibFunc(const char * funcName)375 static void *GetDlpCredSdkLibFunc(const char *funcName)
376 {
377 std::lock_guard<std::mutex> lock(g_lockDlpCredSdk);
378 if (g_dlpCredentialSdkHandle == nullptr) {
379 if (sizeof(void *) == LENGTH_FOR_64_BIT) {
380 g_dlpCredentialSdkHandle = dlopen(DLP_CREDENTIAL_SDK_PATH_64_BIT.c_str(), RTLD_LAZY);
381 } else {
382 g_dlpCredentialSdkHandle = dlopen(DLP_CREDENTIAL_SDK_PATH_32_BIT.c_str(), RTLD_LAZY);
383 }
384 if (g_dlpCredentialSdkHandle == nullptr) {
385 return nullptr;
386 }
387 }
388
389 void *func = dlsym(g_dlpCredentialSdkHandle, funcName);
390 return func;
391 }
392
DestroyDlpCredentialSdk()393 static void DestroyDlpCredentialSdk()
394 {
395 DLP_LOG_INFO(LABEL, "start DestroyDlpCredentialSdk.");
396 std::lock_guard<std::mutex> lock(g_lockDlpCredSdk);
397 if (g_dlpCredentialSdkHandle != nullptr) {
398 dlclose(g_dlpCredentialSdkHandle);
399 g_dlpCredentialSdkHandle = nullptr;
400 DLP_LOG_INFO(LABEL, "dlclose dlpCredentialSdk end.");
401 }
402 }
403 #endif
404
DlpCredential()405 DlpCredential::DlpCredential() {}
406
~DlpCredential()407 DlpCredential::~DlpCredential()
408 {
409 #ifdef SUPPORT_DLP_CREDENTIAL
410 DestroyDlpCredentialSdk();
411 #endif
412 }
413
414 #ifdef SUPPORT_DLP_CREDENTIAL
CleanupDlpCredentialSdk()415 extern "C" __attribute__((destructor)) void CleanupDlpCredentialSdk()
416 {
417 DestroyDlpCredentialSdk();
418 }
419 #endif
420
PackPolicy(DLP_PackPolicyParams & packPolicy,DlpAccountType accountType,const sptr<IDlpPermissionCallback> & callback)421 static int32_t PackPolicy(DLP_PackPolicyParams &packPolicy, DlpAccountType accountType,
422 const sptr<IDlpPermissionCallback>& callback)
423 {
424 uint64_t requestId;
425
426 #ifdef SUPPORT_DLP_CREDENTIAL
427 DlpPackPolicyFunction dlpPackPolicyFunc =
428 reinterpret_cast<DlpPackPolicyFunction>(GetDlpCredSdkLibFunc("DLP_PackPolicy"));
429 if (dlpPackPolicyFunc == nullptr) {
430 DLP_LOG_ERROR(LABEL, "dlsym DLP_PackPolicy error.");
431 DestroyDlpCredentialSdk();
432 return DLP_SERVICE_ERROR_VALUE_INVALID;
433 }
434 int32_t res = (*dlpPackPolicyFunc)(GetCallingUserId(), &packPolicy, DlpPackPolicyCallback, &requestId);
435 #else
436 int32_t res = DLP_PackPolicy(GetCallingUserId(), &packPolicy, DlpPackPolicyCallback, &requestId);
437 #endif
438 if (res != 0) {
439 DLP_LOG_ERROR(LABEL, "Start request fail, error: %{public}d", res);
440 return ConvertCredentialError(res);
441 }
442 DLP_LOG_INFO(
443 LABEL, "Start request success, requestId: %{public}llu", static_cast<unsigned long long>(requestId));
444 RequestInfo info = {
445 .callback = callback,
446 .accountType = accountType
447 };
448 return InsertCallbackToRequestMap(requestId, info);
449 }
450
GenerateDlpCertificate(const std::string & policy,const std::string & accountInfo,DlpAccountType accountType,const sptr<IDlpPermissionCallback> & callback)451 int32_t DlpCredential::GenerateDlpCertificate(const std::string& policy, const std::string& accountInfo,
452 DlpAccountType accountType, const sptr<IDlpPermissionCallback>& callback)
453 {
454 EncAndDecOptions encAndDecOptions = {
455 .opt = RECEIVER_DECRYPT_MUST_USE_CLOUD,
456 .extraInfo = nullptr,
457 .extraInfoLen = 0
458 };
459
460 AccountInfo accountCfg = {
461 .accountId = reinterpret_cast<uint8_t*>(strdup(accountInfo.c_str())),
462 .accountIdLen = strlen(accountInfo.c_str()),
463 };
464 if (accountCfg.accountId == nullptr) {
465 DLP_LOG_ERROR(LABEL, "Strdup failed.");
466 return DLP_PARSE_ERROR_ACCOUNT_INVALID;
467 }
468
469 DLP_PackPolicyParams packPolicy = {
470 .featureName = strdup("dlp_permission_service"),
471 .data = reinterpret_cast<uint8_t*>(strdup(policy.c_str())),
472 .dataLen = strlen(policy.c_str()),
473 .options = encAndDecOptions,
474 .accountType = static_cast<AccountType>(accountType),
475 .senderAccountInfo = accountCfg,
476 .reserved = {0},
477 };
478 if (packPolicy.featureName == nullptr || packPolicy.data == nullptr) {
479 DLP_LOG_ERROR(LABEL, "Strdup failed.");
480 free(accountCfg.accountId);
481 accountCfg.accountId = nullptr;
482 FreeDlpPackPolicyParams(packPolicy);
483 return DLP_PARSE_ERROR_ACCOUNT_INVALID;
484 }
485 int32_t res = 0;
486 {
487 std::lock_guard<std::mutex> lock(g_lockRequest);
488 int32_t status = QueryRequestIdle();
489 if (status != DLP_OK) {
490 FreeDlpPackPolicyParams(packPolicy);
491 return status;
492 }
493 res = PackPolicy(packPolicy, accountType, callback);
494 }
495 FreeDlpPackPolicyParams(packPolicy);
496 return res;
497 }
498
FreeDLPEncPolicyData(DLP_EncPolicyData & encPolicy)499 static void FreeDLPEncPolicyData(DLP_EncPolicyData& encPolicy)
500 {
501 if (encPolicy.featureName != nullptr) {
502 free(encPolicy.featureName);
503 encPolicy.featureName = nullptr;
504 }
505 if (encPolicy.data != nullptr) {
506 delete[] encPolicy.data;
507 encPolicy.data = nullptr;
508 }
509 if (encPolicy.options.extraInfo != nullptr) {
510 delete[] encPolicy.options.extraInfo;
511 encPolicy.options.extraInfo = nullptr;
512 }
513 if (encPolicy.receiverAccountInfo.accountId != nullptr) {
514 free(encPolicy.receiverAccountInfo.accountId);
515 encPolicy.receiverAccountInfo.accountId = nullptr;
516 }
517 }
518
GetLocalAccountName(std::string & account,const std::string & contactAccount,bool * isOwner)519 static int32_t GetLocalAccountName(std::string& account, const std::string& contactAccount, bool* isOwner)
520 {
521 std::pair<bool, AccountSA::OhosAccountInfo> accountInfo =
522 AccountSA::OhosAccountKits::GetInstance().QueryOhosAccountInfo();
523 if (accountInfo.first) {
524 account = accountInfo.second.uid_;
525 if (contactAccount.compare("") != 0 && contactAccount.compare(accountInfo.second.name_) == 0) {
526 *isOwner = true;
527 }
528 return DLP_OK;
529 }
530 return DLP_PARSE_ERROR_ACCOUNT_INVALID;
531 }
532
GetDomainAccountName(std::string & account,const std::string & contactAccount,bool * isOwner)533 static int32_t GetDomainAccountName(std::string& account, const std::string& contactAccount, bool* isOwner)
534 {
535 int32_t userId;
536 int32_t res = OHOS::AccountSA::OsAccountManager::GetForegroundOsAccountLocalId(userId);
537 if (res != 0) {
538 DLP_LOG_ERROR(LABEL, "GetForegroundOsAccountLocalId failed %{public}d", res);
539 return DLP_PARSE_ERROR_ACCOUNT_INVALID;
540 }
541 AccountSA::OsAccountInfo osAccountInfo;
542 if (OHOS::AccountSA::OsAccountManager::QueryOsAccountById(userId, osAccountInfo) != 0) {
543 DLP_LOG_ERROR(LABEL, "GetOsAccountLocalIdFromDomain return not 0");
544 return DLP_PARSE_ERROR_ACCOUNT_INVALID;
545 }
546 AccountSA::DomainAccountInfo domainInfo;
547 osAccountInfo.GetDomainInfo(domainInfo);
548 if (domainInfo.accountName_.empty()) {
549 DLP_LOG_ERROR(LABEL, "accountName_ empty");
550 return DLP_PARSE_ERROR_ACCOUNT_INVALID;
551 }
552 if (contactAccount.compare("") != 0 && contactAccount.compare(domainInfo.accountName_) == 0) {
553 *isOwner = true;
554 }
555 account = domainInfo.accountId_;
556 return DLP_OK;
557 }
558
GetAccoutInfo(DlpAccountType accountType,AccountInfo & accountCfg,const std::string & contactAccount,bool * isOwner)559 static int32_t GetAccoutInfo(DlpAccountType accountType, AccountInfo& accountCfg,
560 const std::string& contactAccount, bool* isOwner)
561 {
562 std::string account;
563 if (accountType == DOMAIN_ACCOUNT) {
564 if (GetDomainAccountName(account, contactAccount, isOwner) != DLP_OK) {
565 DLP_LOG_ERROR(LABEL, "query GetDomainAccountName failed");
566 accountCfg = {
567 .accountId = nullptr,
568 .accountIdLen = 0,
569 };
570 return DLP_OK;
571 }
572 } else {
573 if (GetLocalAccountName(account, contactAccount, isOwner) != DLP_OK) {
574 DLP_LOG_ERROR(LABEL, "query GetLocalAccountName failed");
575 return DLP_PARSE_ERROR_ACCOUNT_INVALID;
576 }
577 }
578
579 accountCfg = {
580 .accountId = reinterpret_cast<uint8_t*>(strdup(account.c_str())),
581 .accountIdLen = strlen(account.c_str()),
582 };
583 if (accountCfg.accountId == nullptr) {
584 DLP_LOG_ERROR(LABEL, "Strdup failed.");
585 return DLP_CREDENTIAL_ERROR_VALUE_INVALID;
586 }
587 return DLP_OK;
588 }
589
AdapterData(const std::vector<uint8_t> & offlineCert,bool isOwner,unordered_json jsonObj,DLP_EncPolicyData & encPolicy)590 static int32_t AdapterData(const std::vector<uint8_t>& offlineCert, bool isOwner, unordered_json jsonObj,
591 DLP_EncPolicyData& encPolicy)
592 {
593 DLP_LOG_DEBUG(LABEL, "enter");
594 unordered_json offlineJsonObj;
595 if (!offlineCert.empty()) {
596 std::string offlineEncDataJsonStr(offlineCert.begin(), offlineCert.end());
597 offlineJsonObj = unordered_json::parse(offlineEncDataJsonStr, nullptr, false);
598 if (offlineJsonObj.is_discarded()) {
599 DLP_LOG_ERROR(LABEL, "offlineJsonObj is discarded");
600 return DLP_SERVICE_ERROR_JSON_OPERATE_FAIL;
601 }
602 }
603 std::string ownerAccountId = "";
604 if (isOwner) {
605 std::string temp(reinterpret_cast<const char*>(encPolicy.receiverAccountInfo.accountId));
606 ownerAccountId = temp;
607 }
608 int32_t result = DlpPermissionSerializer::GetInstance().DeserializeEncPolicyDataByFirstVersion(jsonObj,
609 offlineJsonObj, encPolicy, ownerAccountId);
610 if (result != DLP_OK) {
611 FreeDLPEncPolicyData(encPolicy);
612 return result;
613 }
614 return DLP_OK;
615 }
616
InitEncPolicyData(EncAndDecOptions & options,DLP_EncPolicyData & encPolicy,const bool offlineAccess,const std::string & appId)617 static int32_t InitEncPolicyData(EncAndDecOptions& options, DLP_EncPolicyData& encPolicy, const bool offlineAccess,
618 const std::string& appId)
619 {
620 options = {.opt = CloudEncOption::RECEIVER_DECRYPT_MUST_USE_CLOUD, .extraInfo = nullptr};
621 if (offlineAccess) {
622 options.opt = CloudEncOption::RECEIVER_DECRYPT_MUST_USE_CLOUD_AND_RETURN_ENCRYPTION_VALUE;
623 }
624 encPolicy = {
625 .featureName = strdup(const_cast<char *>(appId.c_str())),
626 .options = options,
627 .reserved = {0},
628 };
629 if (encPolicy.featureName == nullptr) {
630 DLP_LOG_ERROR(LABEL, "Strdup failed.");
631 return DLP_CREDENTIAL_ERROR_VALUE_INVALID;
632 }
633 return DLP_OK;
634 }
635
RestorePolicy(DLP_EncPolicyData & encPolicy,AppExecFwk::ApplicationInfo & applicationInfo,const sptr<IDlpPermissionCallback> & callback,DlpAccountType accountType)636 static int32_t RestorePolicy(DLP_EncPolicyData &encPolicy, AppExecFwk::ApplicationInfo& applicationInfo,
637 const sptr<IDlpPermissionCallback>& callback, DlpAccountType accountType)
638 {
639 uint64_t requestId;
640 #ifdef SUPPORT_DLP_CREDENTIAL
641 DlpRestorePolicyFunction dlpRestorePolicyFunc =
642 reinterpret_cast<DlpRestorePolicyFunction>(GetDlpCredSdkLibFunc("DLP_RestorePolicy"));
643 if (dlpRestorePolicyFunc == nullptr) {
644 DLP_LOG_ERROR(LABEL, "dlsym DLP_RestorePolicy error.");
645 DestroyDlpCredentialSdk();
646 return DLP_SERVICE_ERROR_VALUE_INVALID;
647 }
648 int32_t res = (*dlpRestorePolicyFunc)(GetCallingUserId(), &encPolicy, DlpRestorePolicyCallback, &requestId);
649 #else
650 int32_t res = DLP_RestorePolicy(GetCallingUserId(), &encPolicy, DlpRestorePolicyCallback, &requestId);
651 #endif
652 if (res != 0) {
653 DLP_LOG_ERROR(LABEL, "Start request fail, error: %{public}d", res);
654 return ConvertCredentialError(res);
655 }
656 DLP_LOG_INFO(
657 LABEL, "Start request success, requestId: %{public}llu", static_cast<unsigned long long>(requestId));
658 RequestInfo info = {
659 .callback = callback,
660 .accountType = accountType,
661 .appProvisionType = applicationInfo.appProvisionType
662 };
663 return InsertCallbackToRequestMap(requestId, info);
664 }
665
ParseDlpCertificate(const sptr<CertParcel> & certParcel,const sptr<IDlpPermissionCallback> & callback,const std::string & appId,bool offlineAccess,AppExecFwk::ApplicationInfo & applicationInfo)666 int32_t DlpCredential::ParseDlpCertificate(const sptr<CertParcel>& certParcel,
667 const sptr<IDlpPermissionCallback>& callback,
668 const std::string& appId, bool offlineAccess,
669 AppExecFwk::ApplicationInfo& applicationInfo)
670 {
671 std::string encDataJsonStr(certParcel->cert.begin(), certParcel->cert.end());
672 auto jsonObj = unordered_json::parse(encDataJsonStr, nullptr, false);
673 if (jsonObj.is_discarded() || (!jsonObj.is_object())) {
674 DLP_LOG_ERROR(LABEL, "JsonObj is discarded");
675 return DLP_SERVICE_ERROR_JSON_OPERATE_FAIL;
676 }
677 EncAndDecOptions options;
678 DLP_EncPolicyData encPolicy;
679 int32_t ret = InitEncPolicyData(options, encPolicy, offlineAccess, appId);
680 if (ret != DLP_OK) {
681 return ret;
682 }
683 int32_t result =
684 DlpPermissionSerializer::GetInstance().DeserializeEncPolicyData(jsonObj, encPolicy, certParcel->isNeedAdapter);
685 auto accountType = static_cast<DlpAccountType>(encPolicy.accountType);
686 if (result != DLP_OK) {
687 FreeDLPEncPolicyData(encPolicy);
688 return DLP_SERVICE_ERROR_JSON_OPERATE_FAIL;
689 }
690 bool isOwner = false;
691 int32_t infoRet = GetAccoutInfo(accountType, encPolicy.receiverAccountInfo, certParcel->contactAccount, &isOwner);
692 if (infoRet != DLP_OK) {
693 FreeDLPEncPolicyData(encPolicy);
694 return infoRet;
695 }
696 if (certParcel->isNeedAdapter) {
697 AdapterData(certParcel->offlineCert, isOwner, jsonObj, encPolicy);
698 }
699 encPolicy.reserved[IS_NEED_CHECK_CUSTOM_PROPERTY] = static_cast<uint8_t>(certParcel->needCheckCustomProperty);
700 int32_t res = 0;
701 {
702 std::lock_guard<std::mutex> lock(g_lockRequest);
703 int32_t status = QueryRequestIdle();
704 if (status != DLP_OK) {
705 FreeDLPEncPolicyData(encPolicy);
706 return status;
707 }
708 res = RestorePolicy(encPolicy, applicationInfo, callback, accountType);
709 }
710 FreeDLPEncPolicyData(encPolicy);
711 return res;
712 }
713
ParseStringVectorToUint8TypedArray(const std::vector<std::string> & appIdList,uint8_t * policy,uint32_t policySize)714 int32_t ParseStringVectorToUint8TypedArray(const std::vector<std::string>& appIdList, uint8_t *policy,
715 uint32_t policySize)
716 {
717 uint32_t count = static_cast<uint32_t>(appIdList.size());
718 if (memcpy_s(policy, policySize, &count, sizeof(uint32_t)) != EOK) {
719 DLP_LOG_ERROR(LABEL, "Memcpy policy fail");
720 return DLP_CREDENTIAL_ERROR_MEMORY_OPERATE_FAIL;
721 }
722 int32_t offset = sizeof(uint32_t);
723 for (int32_t i = 0; i < static_cast<int32_t>(appIdList.size()); i++) {
724 if (appIdList[i].empty()) {
725 DLP_LOG_ERROR(LABEL, "Empty appId");
726 return DLP_SERVICE_ERROR_VALUE_INVALID;
727 }
728 char *appId = const_cast<char *>(appIdList[i].c_str());
729 uint32_t length = static_cast<uint32_t>(strlen(appId));
730 if (length > MAX_APPID_LENGTH) {
731 DLP_LOG_ERROR(LABEL, "AppId longer than limit");
732 return DLP_SERVICE_ERROR_VALUE_INVALID;
733 }
734 if (memcpy_s(policy + offset, policySize - offset, &length, sizeof(uint32_t)) != EOK) {
735 DLP_LOG_ERROR(LABEL, "Memcpy policy fail");
736 return DLP_CREDENTIAL_ERROR_MEMORY_OPERATE_FAIL;
737 }
738 offset += sizeof(uint32_t);
739 if (memcpy_s(policy + offset, policySize - offset, appId, strlen(appId)) != EOK) {
740 DLP_LOG_ERROR(LABEL, "Memcpy policy fail");
741 return DLP_CREDENTIAL_ERROR_MEMORY_OPERATE_FAIL;
742 }
743 offset += strlen(appId);
744 }
745 return offset;
746 }
747
ParseUint8TypedArrayToStringVector(uint8_t * policy,const uint32_t * policyLen,std::vector<std::string> & appIdList)748 int32_t ParseUint8TypedArrayToStringVector(uint8_t *policy, const uint32_t *policyLen,
749 std::vector<std::string>& appIdList)
750 {
751 if (*policyLen > MAX_APPID_LIST_NUM * MAX_APPID_LENGTH) {
752 return DLP_SERVICE_ERROR_VALUE_INVALID;
753 }
754 uint32_t count = reinterpret_cast<uint32_t *>(policy)[0];
755 if (count < 0 || count > MAX_APPID_LIST_NUM) {
756 DLP_LOG_ERROR(LABEL, "get appId List too large");
757 return DLP_SERVICE_ERROR_VALUE_INVALID;
758 }
759 int32_t offset = sizeof(uint32_t);
760 for (uint32_t i = 0; i < count; i++) {
761 int32_t length = reinterpret_cast<int32_t *>(policy + offset)[0];
762 offset += sizeof(uint32_t);
763 appIdList.push_back(std::string(reinterpret_cast<char *>(policy + offset), length));
764 offset += length;
765 }
766 return DLP_OK;
767 }
768
PresetDLPPolicy(const std::vector<std::string> & srcList,std::vector<std::string> & dstList)769 int32_t PresetDLPPolicy(const std::vector<std::string>& srcList, std::vector<std::string>& dstList)
770 {
771 AppExecFwk::BundleInfo bundleInfo;
772 int32_t userId;
773 bool result = GetUserIdByForegroundAccount(&userId);
774 if (!result) {
775 DLP_LOG_ERROR(LABEL, "get userId error");
776 return DLP_SERVICE_ERROR_VALUE_INVALID;
777 }
778 if (BundleManagerAdapter::GetInstance().CheckHapPermission(DLP_MANAGER_BUNDLE_NAME, PERMISSION_ACCESS_DLP_FILE) &&
779 !BundleManagerAdapter::GetInstance().GetBundleInfo(DLP_MANAGER_BUNDLE_NAME,
780 static_cast<int32_t>(AppExecFwk::GetBundleInfoFlag::GET_BUNDLE_INFO_WITH_SIGNATURE_INFO), bundleInfo, userId)) {
781 DLP_LOG_ERROR(LABEL, "get appId error");
782 return DLP_SERVICE_ERROR_IPC_REQUEST_FAIL;
783 }
784 dstList.assign(srcList.begin(), srcList.end());
785 dstList.push_back(bundleInfo.appId);
786 return DLP_OK;
787 }
788
RemovePresetDLPPolicy(std::vector<std::string> & appIdList)789 int32_t RemovePresetDLPPolicy(std::vector<std::string>& appIdList)
790 {
791 if (appIdList.size() > 0) {
792 appIdList.pop_back();
793 }
794 return DLP_OK;
795 }
796
SetMDMPolicy(const std::vector<std::string> & appIdList)797 int32_t DlpCredential::SetMDMPolicy(const std::vector<std::string>& appIdList)
798 {
799 if (size(appIdList) > MAX_APPID_LENGTH) {
800 DLP_LOG_ERROR(LABEL, "appId List too large");
801 return DLP_SERVICE_ERROR_VALUE_INVALID;
802 }
803 uint32_t policySize = (size(appIdList) + 1) * MAX_APPID_LENGTH;
804 uint8_t *policy = new (std::nothrow)uint8_t[policySize];
805 if (policy == nullptr) {
806 DLP_LOG_WARN(LABEL, "alloc policy failed.");
807 delete[] policy;
808 return DLP_CREDENTIAL_ERROR_MEMORY_OPERATE_FAIL;
809 }
810 std::vector<std::string> presetAppIdList;
811 int32_t res = PresetDLPPolicy(appIdList, presetAppIdList);
812 if (res != DLP_OK) {
813 delete[] policy;
814 return res;
815 }
816 int32_t policyLen = ParseStringVectorToUint8TypedArray(presetAppIdList, policy, policySize);
817 if (policyLen <= 0) {
818 delete[] policy;
819 return policyLen;
820 }
821
822 #ifdef SUPPORT_DLP_CREDENTIAL
823 DlpAddPolicyFunction dlpAddPolicyFunc =
824 reinterpret_cast<DlpAddPolicyFunction>(GetDlpCredSdkLibFunc("DLP_AddPolicy"));
825 if (dlpAddPolicyFunc == nullptr) {
826 DLP_LOG_ERROR(LABEL, "dlsym DLP_AddPolicy error.");
827 DestroyDlpCredentialSdk();
828 delete[] policy;
829 return DLP_SERVICE_ERROR_VALUE_INVALID;
830 }
831 res = (*dlpAddPolicyFunc)(PolicyType::AUTHORIZED_APPLICATION_LIST, policy, policyLen);
832 #else
833 res = DLP_AddPolicy(PolicyType::AUTHORIZED_APPLICATION_LIST, policy, policyLen);
834 #endif
835 if (res != DLP_OK) {
836 DLP_LOG_ERROR(LABEL, "SetMDMPolicy request fail, error: %{public}d", res);
837 }
838 delete[] policy;
839 return res;
840 }
841
GetMDMPolicy(std::vector<std::string> & appIdList)842 int32_t DlpCredential::GetMDMPolicy(std::vector<std::string>& appIdList)
843 {
844 uint32_t policyLen = MAX_APPID_LIST_NUM * MAX_APPID_LENGTH;
845 uint8_t *policy = new (std::nothrow)uint8_t[policyLen];
846 if (policy == nullptr) {
847 DLP_LOG_WARN(LABEL, "alloc policy failed.");
848 return DLP_CREDENTIAL_ERROR_MEMORY_OPERATE_FAIL;
849 }
850 #ifdef SUPPORT_DLP_CREDENTIAL
851 DlpGetPolicyFunction dlpGetPolicyFunc =
852 reinterpret_cast<DlpGetPolicyFunction>(GetDlpCredSdkLibFunc("DLP_GetPolicy"));
853 if (dlpGetPolicyFunc == nullptr) {
854 DLP_LOG_ERROR(LABEL, "dlsym DLP_GetPolicy error.");
855 DestroyDlpCredentialSdk();
856 delete[] policy;
857 return DLP_SERVICE_ERROR_VALUE_INVALID;
858 }
859 int32_t res = (*dlpGetPolicyFunc)(PolicyType::AUTHORIZED_APPLICATION_LIST, policy, &policyLen);
860 #else
861 int32_t res = DLP_GetPolicy(PolicyType::AUTHORIZED_APPLICATION_LIST, policy, &policyLen);
862 #endif
863 if (res != DLP_OK) {
864 DLP_LOG_ERROR(LABEL, "GetMDMPolicy request fail, error: %{public}d", res);
865 delete[] policy;
866 return res;
867 }
868 if (policyLen == 0) {
869 DLP_LOG_WARN(LABEL, "appIdList is empty.");
870 delete[] policy;
871 return DLP_OK;
872 }
873 res = ParseUint8TypedArrayToStringVector(policy, &policyLen, appIdList);
874 delete[] policy;
875 if (res == DLP_OK) {
876 res = RemovePresetDLPPolicy(appIdList);
877 }
878 return res;
879 }
880
RemoveMDMPolicy()881 int32_t DlpCredential::RemoveMDMPolicy()
882 {
883 #ifdef SUPPORT_DLP_CREDENTIAL
884 DlpRemovePolicyFunction dlpRemovePolicyFunc =
885 reinterpret_cast<DlpRemovePolicyFunction>(GetDlpCredSdkLibFunc("DLP_RemovePolicy"));
886 if (dlpRemovePolicyFunc == nullptr) {
887 DLP_LOG_ERROR(LABEL, "dlsym DLP_RemovePolicy error.");
888 DestroyDlpCredentialSdk();
889 return DLP_SERVICE_ERROR_VALUE_INVALID;
890 }
891 int32_t res = (*dlpRemovePolicyFunc)(PolicyType::AUTHORIZED_APPLICATION_LIST);
892 #else
893 int32_t res = DLP_RemovePolicy(PolicyType::AUTHORIZED_APPLICATION_LIST);
894 #endif
895 if (res != DLP_OK) {
896 DLP_LOG_ERROR(LABEL, "RemoveMDMPolicy request fail, error: %{public}d", res);
897 }
898 return res;
899 }
900
CheckMdmPermission(const std::string & bundleName,int32_t userId)901 int32_t DlpCredential::CheckMdmPermission(const std::string& bundleName, int32_t userId)
902 {
903 AppExecFwk::BundleInfo bundleInfo;
904 bool result = BundleManagerAdapter::GetInstance().GetBundleInfo(bundleName,
905 static_cast<int32_t>(AppExecFwk::GetBundleInfoFlag::GET_BUNDLE_INFO_WITH_SIGNATURE_INFO), bundleInfo, userId);
906 if (!result) {
907 DLP_LOG_ERROR(LABEL, "get appId error");
908 return DLP_SERVICE_ERROR_IPC_REQUEST_FAIL;
909 }
910 PolicyHandle handle = {.id = strdup(const_cast<char *>(bundleInfo.appId.c_str()))};
911 if (handle.id == nullptr) {
912 DLP_LOG_ERROR(LABEL, "Strdup failed.");
913 return DLP_CREDENTIAL_ERROR_SERVER_ERROR;
914 }
915 #ifdef SUPPORT_DLP_CREDENTIAL
916 DlpCheckPermissionFunction dlpCheckPermissionFunc =
917 reinterpret_cast<DlpCheckPermissionFunction>(GetDlpCredSdkLibFunc("DLP_CheckPermission"));
918 if (dlpCheckPermissionFunc == nullptr) {
919 DLP_LOG_ERROR(LABEL, "dlsym DLP_CheckPermission error.");
920 DestroyDlpCredentialSdk();
921 return DLP_SERVICE_ERROR_VALUE_INVALID;
922 }
923 int32_t res = (*dlpCheckPermissionFunc)(PolicyType::AUTHORIZED_APPLICATION_LIST, handle);
924 #else
925 int32_t res = DLP_CheckPermission(PolicyType::AUTHORIZED_APPLICATION_LIST, handle);
926 #endif
927 if (res != DLP_OK) {
928 DLP_LOG_ERROR(LABEL, "DLP_CheckPermission error:%{public}d", res);
929 res = DLP_CREDENTIAL_ERROR_APPID_NOT_AUTHORIZED;
930 }
931 if (handle.id != nullptr) {
932 free(handle.id);
933 handle.id = nullptr;
934 }
935 return res;
936 }
937 } // namespace DlpPermission
938 } // namespace Security
939 } // namespace OHOS
940