1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "sec_comp_service.h"
16
17 #include <unistd.h>
18
19 #include "app_mgr_death_recipient.h"
20 #include "bundle_info.h"
21 #include "bundle_mgr_client.h"
22 #include "hisysevent.h"
23 #include "hitrace_meter.h"
24 #include "ipc_skeleton.h"
25 #include "iservice_registry.h"
26 #include "sec_comp_click_event_parcel.h"
27 #include "sec_comp_enhance_adapter.h"
28 #include "sec_comp_err.h"
29 #include "sec_comp_manager.h"
30 #include "sec_comp_log.h"
31 #include "system_ability_definition.h"
32
33 namespace OHOS {
34 namespace Security {
35 namespace SecurityComponent {
36 namespace {
37 constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_SECURITY_COMPONENT, "SecCompService"};
38 static const int32_t ROOT_UID = 0;
39 static constexpr int32_t BASE_USER_RANGE = 200000;
40 #ifndef SA_ID_SECURITY_COMPONENT_SERVICE
41 constexpr int32_t SA_ID_SECURITY_COMPONENT_SERVICE = 3506;
42 #endif
43 }
44
45 REGISTER_SYSTEM_ABILITY_BY_ID(SecCompService, SA_ID_SECURITY_COMPONENT_SERVICE, true);
46
SecCompService(int32_t saId,bool runOnCreate)47 SecCompService::SecCompService(int32_t saId, bool runOnCreate)
48 : SystemAbility(saId, runOnCreate), state_(ServiceRunningState::STATE_NOT_START)
49 {
50 }
51
~SecCompService()52 SecCompService::~SecCompService()
53 {
54 }
55
OnStart()56 void SecCompService::OnStart()
57 {
58 StartTrace(HITRACE_TAG_ACCESS_CONTROL, "SecurityComponentOnStart");
59 if (state_ == ServiceRunningState::STATE_RUNNING) {
60 SC_LOG_INFO(LABEL, "SecCompService has already started!");
61 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
62 return;
63 }
64 SC_LOG_INFO(LABEL, "SecCompService is starting");
65 if (!RegisterAppStateObserver()) {
66 SC_LOG_ERROR(LABEL, "Failed to register app state observer!");
67 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
68 return;
69 }
70 if (!Initialize()) {
71 SC_LOG_ERROR(LABEL, "Failed to initialize");
72 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
73 return;
74 }
75
76 state_ = ServiceRunningState::STATE_RUNNING;
77 bool ret = Publish(this);
78 if (!ret) {
79 SC_LOG_ERROR(LABEL, "Failed to publish service!");
80 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
81 return;
82 }
83 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SEC_COMPONENT, "SERVICE_INIT_SUCCESS",
84 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "PID", getpid());
85 SC_LOG_INFO(LABEL, "Congratulations, SecCompService start successfully!");
86 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
87 }
88
OnStop()89 void SecCompService::OnStop()
90 {
91 SC_LOG_INFO(LABEL, "Stop service");
92 state_ = ServiceRunningState::STATE_NOT_START;
93 UnregisterAppStateObserver();
94 }
95
RegisterAppStateObserver()96 bool SecCompService::RegisterAppStateObserver()
97 {
98 if (appStateObserver_ != nullptr) {
99 SC_LOG_INFO(LABEL, "AppStateObserver instance already create");
100 return true;
101 }
102 appStateObserver_ = new (std::nothrow) AppStateObserver();
103 if (appStateObserver_ == nullptr) {
104 SC_LOG_ERROR(LABEL, "Failed to create AppStateObserver instance");
105 return false;
106 }
107 sptr<ISystemAbilityManager> samgrClient = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
108 if (samgrClient == nullptr) {
109 SC_LOG_ERROR(LABEL, "Failed to get system ability manager");
110 appStateObserver_ = nullptr;
111 return false;
112 }
113 auto remoteObject = samgrClient->GetSystemAbility(APP_MGR_SERVICE_ID);
114 iAppMgr_ = iface_cast<AppExecFwk::IAppMgr>(remoteObject);
115 if (iAppMgr_ == nullptr) {
116 SC_LOG_ERROR(LABEL, "Failed to get ability manager service");
117 appStateObserver_ = nullptr;
118 return false;
119 }
120
121 if (iAppMgr_->RegisterApplicationStateObserver(appStateObserver_) != ERR_OK) {
122 SC_LOG_ERROR(LABEL, "Failed to Register app state observer");
123 iAppMgr_ = nullptr;
124 appStateObserver_ = nullptr;
125 return false;
126 }
127
128 sptr<AppMgrDeathRecipient> appMgrDeathRecipient = new (std::nothrow) AppMgrDeathRecipient();
129 if (appMgrDeathRecipient == nullptr) {
130 SC_LOG_ERROR(LABEL, "Alloc appMgr death observer fail");
131 return false;
132 }
133
134 if (!remoteObject->AddDeathRecipient(appMgrDeathRecipient)) {
135 SC_LOG_ERROR(LABEL, "Add service death observer fail");
136 return false;
137 }
138
139 std::vector<AppExecFwk::AppStateData> list;
140 if (iAppMgr_->GetForegroundApplications(list) == ERR_OK) {
141 for (auto it = list.begin(); it != list.end(); ++it) {
142 appStateObserver_->AddProcessToForegroundSet(*it);
143 }
144 }
145 SC_LOG_INFO(LABEL, "Register app state observer success");
146 return true;
147 }
148
UnregisterAppStateObserver()149 void SecCompService::UnregisterAppStateObserver()
150 {
151 if (iAppMgr_ != nullptr && appStateObserver_ != nullptr) {
152 iAppMgr_->UnregisterApplicationStateObserver(appStateObserver_);
153 }
154 }
155
GetCallerInfo(SecCompCallerInfo & caller)156 bool SecCompService::GetCallerInfo(SecCompCallerInfo& caller)
157 {
158 AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
159 int32_t pid = IPCSkeleton::GetCallingPid();
160 int32_t uid = IPCSkeleton::GetCallingUid();
161 if ((uid != ROOT_UID) && (AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId) != AccessToken::TOKEN_HAP)) {
162 SC_LOG_ERROR(LABEL, "Get caller tokenId invalid");
163 return false;
164 }
165 if ((uid != ROOT_UID) && (!appStateObserver_->IsProcessForeground(pid, uid))) {
166 SC_LOG_ERROR(LABEL, "caller pid is not in foreground");
167 return false;
168 }
169 caller.tokenId = tokenId;
170 caller.pid = pid;
171 caller.uid = uid;
172 return true;
173 }
174
ParseParams(const std::string & componentInfo,SecCompCallerInfo & caller,nlohmann::json & jsonRes)175 int32_t SecCompService::ParseParams(const std::string& componentInfo,
176 SecCompCallerInfo& caller, nlohmann::json& jsonRes)
177 {
178 if (!GetCallerInfo(caller)) {
179 SC_LOG_ERROR(LABEL, "Check caller failed");
180 return SC_SERVICE_ERROR_VALUE_INVALID;
181 }
182
183 jsonRes = nlohmann::json::parse(componentInfo, nullptr, false);
184 if (jsonRes.is_discarded()) {
185 SC_LOG_ERROR(LABEL, "component info invalid %{public}s", componentInfo.c_str());
186 return SC_SERVICE_ERROR_VALUE_INVALID;
187 }
188 return SC_OK;
189 }
190
WriteError(int32_t res,SecCompRawdata & rawReply)191 int32_t SecCompService::WriteError(int32_t res, SecCompRawdata& rawReply)
192 {
193 MessageParcel replyParcel;
194 if (!replyParcel.WriteInt32(res)) {
195 SC_LOG_ERROR(LABEL, "Write error res failed.");
196 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
197 }
198
199 if (!SecCompEnhanceAdapter::EnhanceSrvSerialize(replyParcel, rawReply)) {
200 SC_LOG_ERROR(LABEL, "Serialize error session info failed");
201 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
202 }
203 return SC_OK;
204 }
205
RegisterReadFromRawdata(SecCompRawdata & rawData,SecCompType & type,std::string & componentInfo)206 int32_t SecCompService::RegisterReadFromRawdata(SecCompRawdata& rawData, SecCompType& type, std::string& componentInfo)
207 {
208 MessageParcel deserializedData;
209 if (!SecCompEnhanceAdapter::EnhanceSrvDeserialize(rawData, deserializedData)) {
210 SC_LOG_ERROR(LABEL, "Register deserialize session info failed");
211 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
212 }
213
214 uint32_t uintType;
215 if (!deserializedData.ReadUint32(uintType)) {
216 SC_LOG_ERROR(LABEL, "Register read component type failed");
217 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
218 }
219
220 if (uintType <= UNKNOWN_SC_TYPE || uintType >= MAX_SC_TYPE) {
221 SC_LOG_ERROR(LABEL, "Register security component type invalid");
222 return SC_SERVICE_ERROR_VALUE_INVALID;
223 }
224 type = static_cast<SecCompType>(uintType);
225
226 if (!deserializedData.ReadString(componentInfo)) {
227 SC_LOG_ERROR(LABEL, "Register read component info failed");
228 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
229 }
230 return SC_OK;
231 }
232
RegisterSecurityComponentBody(SecCompType type,const std::string & componentInfo,int32_t & scId)233 int32_t SecCompService::RegisterSecurityComponentBody(SecCompType type,
234 const std::string& componentInfo, int32_t& scId)
235 {
236 StartTrace(HITRACE_TAG_ACCESS_CONTROL, "SecurityComponentRegister");
237 SecCompCallerInfo caller;
238 caller.tokenId = IPCSkeleton::GetCallingTokenID();
239 caller.pid = IPCSkeleton::GetCallingPid();
240 caller.uid = IPCSkeleton::GetCallingUid();
241 if ((caller.uid != ROOT_UID)
242 && (AccessToken::AccessTokenKit::GetTokenTypeFlag(caller.tokenId) != AccessToken::TOKEN_HAP)) {
243 SC_LOG_ERROR(LABEL, "Get caller tokenId invalid");
244 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
245 return SC_SERVICE_ERROR_VALUE_INVALID;
246 }
247 nlohmann::json jsonRes = nlohmann::json::parse(componentInfo, nullptr, false);
248 if (jsonRes.is_discarded()) {
249 SC_LOG_ERROR(LABEL, "component info invalid %{public}s", componentInfo.c_str());
250 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
251 return SC_SERVICE_ERROR_VALUE_INVALID;
252 }
253
254 int32_t res = SecCompManager::GetInstance().RegisterSecurityComponent(type, jsonRes, caller, scId);
255 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
256 if (res != SC_OK) {
257 return res;
258 }
259
260 int32_t uid = IPCSkeleton::GetCallingUid();
261 OHOS::AppExecFwk::BundleMgrClient bmsClient;
262 std::string bundleName = "";
263 if (bmsClient.GetNameForUid(uid, bundleName) != SC_OK) {
264 SC_LOG_ERROR(LABEL, "Failed to get bundle name for UID %{public}d", uid);
265 return res;
266 }
267
268 AppExecFwk::BundleInfo bundleInfo;
269 int32_t userId = uid / BASE_USER_RANGE;
270 if (bmsClient.GetBundleInfo(bundleName, AppExecFwk::BundleFlag::GET_BUNDLE_DEFAULT, bundleInfo, userId) != SC_OK) {
271 SC_LOG_ERROR(LABEL, "Failed to get bundle info for bundle name %{public}s", bundleName.c_str());
272 return res;
273 }
274
275 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::SEC_COMPONENT, "REGISTER_SUCCESS",
276 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "CALLER_UID", IPCSkeleton::GetCallingUid(),
277 "CALLER_PID", IPCSkeleton::GetCallingRealPid(), "CALLER_BUNDLE_NAME", bundleName, "CALLER_BUNDLE_VERSION",
278 bundleInfo.versionName, "SC_ID", scId, "SC_TYPE", type);
279 return res;
280 }
281
RegisterWriteToRawdata(int32_t res,int32_t scId,SecCompRawdata & rawReply)282 int32_t SecCompService::RegisterWriteToRawdata(int32_t res, int32_t scId, SecCompRawdata& rawReply)
283 {
284 MessageParcel replyParcel;
285 if (!replyParcel.WriteInt32(res)) {
286 SC_LOG_ERROR(LABEL, "Register security component result failed");
287 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
288 }
289
290 if (!replyParcel.WriteInt32(scId)) {
291 SC_LOG_ERROR(LABEL, "Register security component result failed");
292 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
293 }
294
295 if (!SecCompEnhanceAdapter::EnhanceSrvSerialize(replyParcel, rawReply)) {
296 SC_LOG_ERROR(LABEL, "Register serialize session info failed");
297 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
298 }
299 return SC_OK;
300 }
301
RegisterSecurityComponent(const SecCompRawdata & rawData,SecCompRawdata & rawReply)302 int32_t SecCompService::RegisterSecurityComponent(const SecCompRawdata& rawData, SecCompRawdata& rawReply)
303 {
304 SecCompType type;
305 std::string componentInfo;
306 int32_t res;
307 do {
308 res = RegisterReadFromRawdata(const_cast<SecCompRawdata&>(rawData), type, componentInfo);
309 if (res != SC_OK) {
310 break;
311 }
312 int32_t scId = INVALID_SC_ID;
313
314 res = RegisterSecurityComponentBody(type, componentInfo, scId);
315 if (res != SC_OK) {
316 break;
317 }
318 res = RegisterWriteToRawdata(res, scId, rawReply);
319 } while (0);
320 if (res != SC_OK) {
321 if (WriteError(res, rawReply) != SC_OK) {
322 SC_LOG_ERROR(LABEL, "Write rawReply error.");
323 return res;
324 }
325 }
326 return SC_OK;
327 }
328
UpdateReadFromRawdata(SecCompRawdata & rawData,int32_t & scId,std::string & componentInfo)329 int32_t SecCompService::UpdateReadFromRawdata(SecCompRawdata& rawData, int32_t& scId, std::string& componentInfo)
330 {
331 MessageParcel deserializedData;
332 if (!SecCompEnhanceAdapter::EnhanceSrvDeserialize(rawData, deserializedData)) {
333 SC_LOG_ERROR(LABEL, "Update deserialize session info failed");
334 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
335 }
336
337 if (!deserializedData.ReadInt32(scId)) {
338 SC_LOG_ERROR(LABEL, "Update read component id failed");
339 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
340 }
341
342 if (scId < 0) {
343 SC_LOG_ERROR(LABEL, "Update security component id invalid");
344 return SC_SERVICE_ERROR_VALUE_INVALID;
345 }
346
347 if (!deserializedData.ReadString(componentInfo)) {
348 SC_LOG_ERROR(LABEL, "Update read component info failed");
349 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
350 }
351 return SC_OK;
352 }
353
UpdateSecurityComponentBody(int32_t scId,const std::string & componentInfo)354 int32_t SecCompService::UpdateSecurityComponentBody(int32_t scId, const std::string& componentInfo)
355 {
356 SecCompCallerInfo caller;
357 nlohmann::json jsonRes;
358 if (ParseParams(componentInfo, caller, jsonRes) != SC_OK) {
359 return SC_SERVICE_ERROR_VALUE_INVALID;
360 }
361 return SecCompManager::GetInstance().UpdateSecurityComponent(scId, jsonRes, caller);
362 }
363
UpdateWriteToRawdata(int32_t res,SecCompRawdata & rawReply)364 int32_t SecCompService::UpdateWriteToRawdata(int32_t res, SecCompRawdata& rawReply)
365 {
366 MessageParcel replyParcel;
367 if (!replyParcel.WriteInt32(res)) {
368 SC_LOG_ERROR(LABEL, "Update security component result failed");
369 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
370 }
371
372 if (!SecCompEnhanceAdapter::EnhanceSrvSerialize(replyParcel, rawReply)) {
373 SC_LOG_ERROR(LABEL, "Update serialize session info failed");
374 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
375 }
376 return SC_OK;
377 }
378
UpdateSecurityComponent(const SecCompRawdata & rawData,SecCompRawdata & rawReply)379 int32_t SecCompService::UpdateSecurityComponent(const SecCompRawdata& rawData, SecCompRawdata& rawReply)
380 {
381 int32_t scId;
382 std::string componentInfo;
383 int32_t res;
384 do {
385 res = UpdateReadFromRawdata(const_cast<SecCompRawdata&>(rawData), scId, componentInfo);
386 if (res != SC_OK) {
387 break;
388 }
389 res = UpdateSecurityComponentBody(scId, componentInfo);
390 if (res != SC_OK) {
391 break;
392 }
393 res = UpdateWriteToRawdata(res, rawReply);
394 } while (0);
395 if (res != SC_OK) {
396 if (WriteError(res, rawReply) != SC_OK) {
397 SC_LOG_ERROR(LABEL, "Write rawReply error.");
398 return res;
399 }
400 }
401 return SC_OK;
402 }
403
UnregisterReadFromRawdata(SecCompRawdata & rawData,int32_t & scId)404 int32_t SecCompService::UnregisterReadFromRawdata(SecCompRawdata& rawData, int32_t& scId)
405 {
406 MessageParcel deserializedData;
407 if (!SecCompEnhanceAdapter::EnhanceSrvDeserialize(rawData, deserializedData)) {
408 SC_LOG_ERROR(LABEL, "Unregister deserialize session info failed");
409 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
410 }
411 if (!deserializedData.ReadInt32(scId)) {
412 SC_LOG_ERROR(LABEL, "Unregister read component id failed");
413 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
414 }
415
416 if (scId < 0) {
417 SC_LOG_ERROR(LABEL, "Unregister security component id invalid");
418 return SC_SERVICE_ERROR_VALUE_INVALID;
419 }
420 return SC_OK;
421 }
422
UnregisterSecurityComponentBody(int32_t scId)423 int32_t SecCompService::UnregisterSecurityComponentBody(int32_t scId)
424 {
425 SecCompCallerInfo caller;
426 caller.tokenId = IPCSkeleton::GetCallingTokenID();
427 caller.pid = IPCSkeleton::GetCallingPid();
428 caller.uid = IPCSkeleton::GetCallingUid();
429
430 return SecCompManager::GetInstance().UnregisterSecurityComponent(scId, caller);
431 }
432
UnregisterWriteToRawdata(int32_t res,SecCompRawdata & rawReply)433 int32_t SecCompService::UnregisterWriteToRawdata(int32_t res, SecCompRawdata& rawReply)
434 {
435 MessageParcel replyParcel;
436 if (!replyParcel.WriteInt32(res)) {
437 SC_LOG_ERROR(LABEL, "Unregister security component result failed");
438 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
439 }
440
441 if (!SecCompEnhanceAdapter::EnhanceSrvSerialize(replyParcel, rawReply)) {
442 SC_LOG_ERROR(LABEL, "Unregister serialize session info failed");
443 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
444 }
445 return SC_OK;
446 }
447
UnregisterSecurityComponent(const SecCompRawdata & rawData,SecCompRawdata & rawReply)448 int32_t SecCompService::UnregisterSecurityComponent(const SecCompRawdata& rawData, SecCompRawdata& rawReply)
449 {
450 int32_t scId;
451 int32_t res;
452 do {
453 res = UnregisterReadFromRawdata(const_cast<SecCompRawdata&>(rawData), scId);
454 if (res != SC_OK) {
455 break;
456 }
457
458 res = UnregisterSecurityComponentBody(scId);
459 if (res != SC_OK) {
460 break;
461 }
462 res = UnregisterWriteToRawdata(res, rawReply);
463 } while (0);
464 if (res != SC_OK) {
465 if (WriteError(res, rawReply) != SC_OK) {
466 SC_LOG_ERROR(LABEL, "Write rawReply error.");
467 return res;
468 }
469 }
470 return SC_OK;
471 }
472
ReportSecurityComponentClickEventBody(SecCompInfo & secCompInfo,sptr<IRemoteObject> callerToken,sptr<IRemoteObject> dialogCallback,std::string & message)473 int32_t SecCompService::ReportSecurityComponentClickEventBody(SecCompInfo& secCompInfo,
474 sptr<IRemoteObject> callerToken, sptr<IRemoteObject> dialogCallback, std::string& message)
475 {
476 StartTrace(HITRACE_TAG_ACCESS_CONTROL, "SecurityComponentClick");
477 SecCompCallerInfo caller;
478 nlohmann::json jsonRes;
479 if (ParseParams(secCompInfo.componentInfo, caller, jsonRes) != SC_OK) {
480 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
481 return SC_SERVICE_ERROR_VALUE_INVALID;
482 }
483 std::vector<sptr<IRemoteObject>> remoteArr = { callerToken, dialogCallback };
484 int32_t res =
485 SecCompManager::GetInstance().ReportSecurityComponentClickEvent(secCompInfo, jsonRes, caller, remoteArr,
486 message);
487 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
488 return res;
489 }
490
ReportWriteToRawdata(int32_t res,std::string message,SecCompRawdata & rawReply)491 int32_t SecCompService::ReportWriteToRawdata(int32_t res, std::string message, SecCompRawdata& rawReply)
492 {
493 MessageParcel replyParcel;
494 if (!replyParcel.WriteInt32(res)) {
495 SC_LOG_ERROR(LABEL, "Report security component result failed");
496 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
497 }
498
499 if (!replyParcel.WriteString(message)) {
500 SC_LOG_ERROR(LABEL, "Report security component error message failed");
501 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
502 }
503
504 if (!SecCompEnhanceAdapter::EnhanceSrvSerialize(replyParcel, rawReply)) {
505 SC_LOG_ERROR(LABEL, "Report serialize session info failed");
506 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
507 }
508
509 return SC_OK;
510 }
511
ReportSecurityComponentClickEvent(const sptr<IRemoteObject> & callerToken,const sptr<IRemoteObject> & dialogCallback,const SecCompRawdata & rawData,SecCompRawdata & rawReply)512 int32_t SecCompService::ReportSecurityComponentClickEvent(const sptr<IRemoteObject>& callerToken,
513 const sptr<IRemoteObject>& dialogCallback, const SecCompRawdata& rawData, SecCompRawdata& rawReply)
514 {
515 int32_t res;
516 do {
517 MessageParcel deserializedData;
518 if (!SecCompEnhanceAdapter::EnhanceSrvDeserialize(const_cast<SecCompRawdata&>(rawData), deserializedData)) {
519 SC_LOG_ERROR(LABEL, "Report deserialize session info failed");
520 res = SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
521 break;
522 }
523
524 int32_t scId;
525 if (!deserializedData.ReadInt32(scId)) {
526 SC_LOG_ERROR(LABEL, "Report read component id failed");
527 res = SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
528 break;
529 }
530
531 if (scId < 0) {
532 SC_LOG_ERROR(LABEL, "Report security component id invalid");
533 res = SC_SERVICE_ERROR_VALUE_INVALID;
534 break;
535 }
536
537 std::string componentInfo;
538 if (!deserializedData.ReadString(componentInfo)) {
539 SC_LOG_ERROR(LABEL, "Report read component info failed");
540 res = SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
541 break;
542 }
543 std::string message;
544 if (!deserializedData.ReadString(message)) {
545 SC_LOG_ERROR(LABEL, "Report read message failed");
546 res = SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
547 break;
548 }
549 sptr<SecCompClickEventParcel> clickInfoParcel = deserializedData.ReadParcelable<SecCompClickEventParcel>();
550 if (clickInfoParcel == nullptr) {
551 SC_LOG_ERROR(LABEL, "Report read clickInfo info failed");
552 res = SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
553 break;
554 }
555
556 SecCompInfo secCompInfo{ scId, componentInfo, clickInfoParcel->clickInfoParams_ };
557 res = ReportSecurityComponentClickEventBody(secCompInfo, callerToken, dialogCallback, message);
558 res = ReportWriteToRawdata(res, message, rawReply);
559 } while (0);
560 if (res != SC_OK) {
561 if (WriteError(res, rawReply) != SC_OK) {
562 SC_LOG_ERROR(LABEL, "Write rawReply error.");
563 return res;
564 }
565 }
566 return SC_OK;
567 }
568
PreRegisterReadFromRawdata(SecCompRawdata & rawData)569 int32_t SecCompService::PreRegisterReadFromRawdata(SecCompRawdata& rawData)
570 {
571 MessageParcel deserializedData;
572 if (!SecCompEnhanceAdapter::EnhanceSrvDeserialize(rawData, deserializedData)) {
573 SC_LOG_ERROR(LABEL, "preRegister deserialize session info failed");
574 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
575 }
576 return SC_OK;
577 }
578
PreRegisterSecCompProcessBody()579 int32_t SecCompService::PreRegisterSecCompProcessBody()
580 {
581 SecCompCallerInfo caller;
582 if (!GetCallerInfo(caller)) {
583 SC_LOG_ERROR(LABEL, "Check caller failed");
584 return SC_SERVICE_ERROR_VALUE_INVALID;
585 }
586 return SecCompManager::GetInstance().AddSecurityComponentProcess(caller);
587 }
588
PreRegisterWriteToRawdata(int32_t res,SecCompRawdata & rawReply)589 int32_t SecCompService::PreRegisterWriteToRawdata(int32_t res, SecCompRawdata& rawReply)
590 {
591 MessageParcel replyParcel;
592 if (!replyParcel.WriteInt32(res)) {
593 SC_LOG_ERROR(LABEL, "preRegister write result failed");
594 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
595 }
596
597 if (!SecCompEnhanceAdapter::EnhanceSrvSerialize(replyParcel, rawReply)) {
598 SC_LOG_ERROR(LABEL, "preRegister serialize session info failed");
599 return SC_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
600 }
601 return SC_OK;
602 }
603
PreRegisterSecCompProcess(const SecCompRawdata & rawData,SecCompRawdata & rawReply)604 int32_t SecCompService::PreRegisterSecCompProcess(const SecCompRawdata& rawData, SecCompRawdata& rawReply)
605 {
606 int32_t res;
607 do {
608 res = PreRegisterReadFromRawdata(const_cast<SecCompRawdata&>(rawData));
609 if (res != SC_OK) {
610 break;
611 }
612
613 res = PreRegisterSecCompProcessBody();
614 if (res != SC_OK) {
615 break;
616 }
617 res = PreRegisterWriteToRawdata(res, rawReply);
618 } while (0);
619 if (res != SC_OK) {
620 if (WriteError(res, rawReply) != SC_OK) {
621 SC_LOG_ERROR(LABEL, "Write rawReply error.");
622 return res;
623 }
624 }
625 return SC_OK;
626 }
627
VerifySavePermission(AccessToken::AccessTokenID tokenId,bool & isGranted)628 int32_t SecCompService::VerifySavePermission(AccessToken::AccessTokenID tokenId, bool& isGranted)
629 {
630 if (!IsMediaLibraryCalling()) {
631 SC_LOG_ERROR(LABEL, "Not medialibrary called");
632 return SC_SERVICE_ERROR_CALLER_INVALID;
633 }
634
635 if (tokenId == 0) {
636 SC_LOG_ERROR(LABEL, "Verify AccessTokenId invalid");
637 return SC_SERVICE_ERROR_VALUE_INVALID;
638 }
639 isGranted = SecCompPermManager::GetInstance().VerifySavePermission(tokenId);
640 return SC_OK;
641 }
642
IsMediaLibraryCalling()643 bool SecCompService::IsMediaLibraryCalling()
644 {
645 int32_t uid = IPCSkeleton::GetCallingUid();
646 if (uid == ROOT_UID) {
647 return true;
648 }
649 int32_t userId = uid / BASE_USER_RANGE;
650 uint32_t tokenCaller = IPCSkeleton::GetCallingTokenID();
651 if (mediaLibraryTokenId_ != tokenCaller) {
652 mediaLibraryTokenId_ = AccessToken::AccessTokenKit::GetHapTokenID(
653 userId, "com.ohos.medialibrary.medialibrarydata", 0);
654 }
655 return tokenCaller == mediaLibraryTokenId_;
656 }
657
Dump(int fd,const std::vector<std::u16string> & args)658 int SecCompService::Dump(int fd, const std::vector<std::u16string>& args)
659 {
660 if (fd < 0) {
661 return ERR_INVALID_VALUE;
662 }
663
664 dprintf(fd, "SecCompService Dump:\n");
665 std::string arg0 = ((args.size() == 0)? "" : Str16ToStr8(args.at(0)));
666 if (arg0.compare("-h") == 0) {
667 dprintf(fd, "Usage:\n");
668 dprintf(fd, " -h: command help\n");
669 dprintf(fd, " -a: dump all sec component\n");
670 dprintf(fd, " -p: dump foreground processes\n");
671 } else if (arg0.compare("-p") == 0) {
672 std::string dumpStr;
673 appStateObserver_->DumpProcess(dumpStr);
674 dprintf(fd, "%s\n", dumpStr.c_str());
675 } else if (arg0.compare("-a") == 0 || arg0 == "") {
676 std::string dumpStr;
677 SecCompManager::GetInstance().DumpSecComp(dumpStr);
678 dprintf(fd, "%s\n", dumpStr.c_str());
679 }
680 return ERR_OK;
681 }
682
Initialize() const683 bool SecCompService::Initialize() const
684 {
685 return SecCompManager::GetInstance().Initialize();
686 }
687 } // namespace SecurityComponent
688 } // namespace Security
689 } // namespace OHOS
690