1 /*
2 * Copyright (c) 2022-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_manager.h"
17
18 #include "accesstoken_kit.h"
19 #include "access_token.h"
20 #include "dm_anonymous.h"
21 #include "dm_constants.h"
22 #include "dm_log.h"
23 #include "ipc_skeleton.h"
24 #include "tokenid_kit.h"
25
26 using namespace OHOS::Security::AccessToken;
27
28 namespace OHOS {
29 namespace DistributedHardware {
30 DM_IMPLEMENT_SINGLE_INSTANCE(PermissionManager);
31 namespace {
32 constexpr const char* DM_SERVICE_ACCESS_PERMISSION = "ohos.permission.ACCESS_SERVICE_DM";
33 constexpr const char* DM_SERVICE_ACCESS_NEWPERMISSION = "ohos.permission.DISTRIBUTED_DATASYNC";
34 constexpr const char* DM_MONITOR_DEVICE_NETWORK_STATE_PERMISSION = "ohos.permission.MONITOR_DEVICE_NETWORK_STATE";
35 constexpr const static char* AUTH_CODE_WHITE_LIST[] = {
36 "CollaborationFwk",
37 "wear_link_service",
38 "watch_system_service",
39 "cast_engine_service",
40 "glasses_collaboration_service",
41 "xr_glass_app_service",
42 };
43 constexpr int32_t AUTH_CODE_WHITE_LIST_NUM = std::size(AUTH_CODE_WHITE_LIST);
44
45 constexpr const static char* PIN_HOLDER_WHITE_LIST[] = {
46 "CollaborationFwk",
47 };
48 constexpr int32_t PIN_HOLDER_WHITE_LIST_NUM = std::size(PIN_HOLDER_WHITE_LIST);
49
50 constexpr const static char* SYSTEM_SA_WHITE_LIST[] = {
51 "Samgr_Networking",
52 "ohos.distributeddata.service",
53 "ohos.dslm",
54 "ohos.deviceprofile",
55 "distributed_bundle_framework",
56 "ohos.dhardware",
57 "ohos.security.distributed_access_token",
58 "ohos.storage.distributedfile.daemon",
59 "audio_manager_service",
60 "hmos.collaborationfwk.deviceDetect",
61 };
62 constexpr int32_t SYSTEM_SA_WHITE_LIST_NUM = std::size(SYSTEM_SA_WHITE_LIST);
63
64 constexpr const static char* SETDNPOLICY_WHITE_LIST[] = {
65 "collaboration_service",
66 "watch_system_service",
67 "com.huawei.hmos.walletservice",
68 "com.ohos.distributedjstest",
69 "glasses_collaboration_service",
70 };
71 constexpr uint32_t SETDNPOLICY_WHITE_LIST_NUM = std::size(SETDNPOLICY_WHITE_LIST);
72
73 constexpr const static char* GETDEVICEINFO_WHITE_LIST[] = {
74 "gameservice_server",
75 "com.huawei.hmos.slassistant",
76 "token_sync_service",
77 };
78 constexpr uint32_t GETDEVICEINFO_WHITE_LIST_NUM = std::size(GETDEVICEINFO_WHITE_LIST);
79
80 constexpr const static char* MODIFY_LOCAL_DEVICE_NAME_WHITE_LIST[] = {
81 "com.huawei.hmos.settings",
82 "com.huawei.hmos.tvcooperation",
83 };
84 constexpr int32_t MODIFY_LOCAL_DEVICE_NAME_WHITE_LIST_NUM = std::size(MODIFY_LOCAL_DEVICE_NAME_WHITE_LIST);
85
86 constexpr const static char* MODIFY_REMOTE_DEVICE_NAME_WHITE_LIST[] = {
87 "com.ohos.settings",
88 };
89 constexpr int32_t MODIFY_REMOTE_DEVICE_NAME_WHITE_LIST_NUM = std::size(MODIFY_REMOTE_DEVICE_NAME_WHITE_LIST);
90
91 constexpr const static char* PUT_DEVICE_PROFILE_INFO_LIST_WHITE_LIST[] = {
92 "com.huawei.hmos.ailifesvc",
93 "com.huawei.hmos.tvcooperation",
94 };
95 constexpr int32_t PUT_DEVICE_PROFILE_INFO_LIST_WHITE_LIST_NUM = std::size(PUT_DEVICE_PROFILE_INFO_LIST_WHITE_LIST);
96
97 constexpr const static char* GET_TRUSTED_DEVICE_LIST_WHITE_LIST[] = {
98 "distributedsched",
99 };
100 constexpr uint32_t GET_TRUSTED_DEVICE_LIST_WHITE_LIST_NUM = std::size(GET_TRUSTED_DEVICE_LIST_WHITE_LIST);
101
102 constexpr const char* READ_LOCAL_DEVICE_NAME_PERMISSION = "ohos.permission.READ_LOCAL_DEVICE_NAME";
103 }
104
CheckPermission(void)105 bool PermissionManager::CheckPermission(void)
106 {
107 return VerifyAccessTokenByPermissionName(DM_SERVICE_ACCESS_PERMISSION);
108 }
109
CheckNewPermission(void)110 bool PermissionManager::CheckNewPermission(void)
111 {
112 return VerifyAccessTokenByPermissionName(DM_SERVICE_ACCESS_NEWPERMISSION);
113 }
114
CheckMonitorPermission(void)115 bool PermissionManager::CheckMonitorPermission(void)
116 {
117 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
118 if (tokenCaller == 0) {
119 LOGE("CheckMonitorPermission GetCallingTokenID error.");
120 return false;
121 }
122 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
123 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
124 if (AccessTokenKit::VerifyAccessToken(tokenCaller, DM_MONITOR_DEVICE_NETWORK_STATE_PERMISSION) ==
125 PermissionState::PERMISSION_GRANTED) {
126 return true;
127 }
128 }
129 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP) {
130 if (AccessTokenKit::VerifyAccessToken(tokenCaller, DM_SERVICE_ACCESS_PERMISSION) ==
131 PermissionState::PERMISSION_GRANTED) {
132 return true;
133 }
134 }
135 LOGE("DM service access is denied, please apply for corresponding permissions.");
136 return false;
137 }
138
GetCallerProcessName(std::string & processName)139 int32_t PermissionManager::GetCallerProcessName(std::string &processName)
140 {
141 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
142 if (tokenCaller == 0) {
143 LOGE("GetCallerProcessName GetCallingTokenID error.");
144 return ERR_DM_FAILED;
145 }
146 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
147 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP) {
148 HapTokenInfo tokenInfo;
149 if (AccessTokenKit::GetHapTokenInfo(tokenCaller, tokenInfo) != EOK) {
150 LOGE("GetHapTokenInfo failed.");
151 return ERR_DM_FAILED;
152 }
153 processName = std::move(tokenInfo.bundleName);
154 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
155 if (!OHOS::Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
156 LOGE("GetCallerProcessName %{public}s not system hap.", processName.c_str());
157 return ERR_DM_FAILED;
158 }
159 } else if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
160 NativeTokenInfo tokenInfo;
161 if (AccessTokenKit::GetNativeTokenInfo(tokenCaller, tokenInfo) != EOK) {
162 LOGE("GetNativeTokenInfo failed.");
163 return ERR_DM_FAILED;
164 }
165 processName = std::move(tokenInfo.processName);
166 } else {
167 LOGE("GetCallerProcessName failed, unsupported process.");
168 return ERR_DM_FAILED;
169 }
170
171 LOGI("Get process name: %{public}s success, tokenCaller ID == %{public}s.", processName.c_str(),
172 GetAnonyInt32(tokenCaller).c_str());
173 return DM_OK;
174 }
175
CheckProcessNameValidOnAuthCode(const std::string & processName)176 bool PermissionManager::CheckProcessNameValidOnAuthCode(const std::string &processName)
177 {
178 if (processName.empty()) {
179 LOGE("ProcessName is empty");
180 return false;
181 }
182 uint16_t index = 0;
183 for (; index < AUTH_CODE_WHITE_LIST_NUM; ++index) {
184 std::string tmp(AUTH_CODE_WHITE_LIST[index]);
185 if (processName == tmp) {
186 return true;
187 }
188 }
189 return false;
190 }
191
CheckProcessNameValidOnPinHolder(const std::string & processName)192 bool PermissionManager::CheckProcessNameValidOnPinHolder(const std::string &processName)
193 {
194 if (processName.empty()) {
195 LOGE("ProcessName is empty");
196 return false;
197 }
198
199 uint16_t index = 0;
200 for (; index < PIN_HOLDER_WHITE_LIST_NUM; ++index) {
201 std::string tmp(PIN_HOLDER_WHITE_LIST[index]);
202 if (processName == tmp) {
203 return true;
204 }
205 }
206 return false;
207 }
208
CheckWhiteListSystemSA(const std::string & pkgName)209 bool PermissionManager::CheckWhiteListSystemSA(const std::string &pkgName)
210 {
211 bool isInWhiteList = false;
212 for (uint16_t index = 0; index < SYSTEM_SA_WHITE_LIST_NUM; ++index) {
213 std::string tmp(SYSTEM_SA_WHITE_LIST[index]);
214 if (pkgName == tmp) {
215 isInWhiteList = true;
216 }
217 }
218 if (isInWhiteList) {
219 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
220 if (tokenCaller == 0) {
221 LOGE("GetCallingTokenID error.");
222 return false;
223 }
224 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
225 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
226 return true;
227 }
228 LOGE("callser not SA pkgName %{public}s.", GetAnonyString(pkgName).c_str());
229 return false;
230 }
231 return false;
232 }
233
GetWhiteListSystemSA()234 std::unordered_set<std::string> PermissionManager::GetWhiteListSystemSA()
235 {
236 std::unordered_set<std::string> systemSA;
237 for (uint16_t index = 0; index < SYSTEM_SA_WHITE_LIST_NUM; ++index) {
238 std::string tmp(SYSTEM_SA_WHITE_LIST[index]);
239 systemSA.insert(tmp);
240 }
241 return systemSA;
242 }
243
CheckSystemSA(const std::string & pkgName)244 bool PermissionManager::CheckSystemSA(const std::string &pkgName)
245 {
246 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
247 if (tokenCaller == 0) {
248 LOGE("CheckMonitorPermission GetCallingTokenID error.");
249 return false;
250 }
251 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
252 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
253 return true;
254 }
255 return false;
256 }
257
CheckProcessNameValidOnSetDnPolicy(const std::string & processName)258 bool PermissionManager::CheckProcessNameValidOnSetDnPolicy(const std::string &processName)
259 {
260 if (processName.empty()) {
261 LOGE("ProcessName is empty");
262 return false;
263 }
264 uint16_t index = 0;
265 for (; index < SETDNPOLICY_WHITE_LIST_NUM; ++index) {
266 std::string tmp(SETDNPOLICY_WHITE_LIST[index]);
267 if (processName == tmp) {
268 return true;
269 }
270 }
271 return false;
272 }
273
CheckProcessNameValidOnGetDeviceInfo(const std::string & processName)274 bool PermissionManager::CheckProcessNameValidOnGetDeviceInfo(const std::string &processName)
275 {
276 if (processName.empty()) {
277 LOGE("ProcessName is empty");
278 return false;
279 }
280 uint16_t index = 0;
281 for (; index < GETDEVICEINFO_WHITE_LIST_NUM; ++index) {
282 std::string tmp(GETDEVICEINFO_WHITE_LIST[index]);
283 if (processName == tmp) {
284 return true;
285 }
286 }
287 return false;
288 }
289
CheckProcessNameValidModifyLocalDeviceName(const std::string & processName)290 bool PermissionManager::CheckProcessNameValidModifyLocalDeviceName(const std::string &processName)
291 {
292 if (processName.empty()) {
293 LOGE("ProcessName is empty");
294 return false;
295 }
296 uint16_t index = 0;
297 for (; index < MODIFY_LOCAL_DEVICE_NAME_WHITE_LIST_NUM; ++index) {
298 std::string tmp(MODIFY_LOCAL_DEVICE_NAME_WHITE_LIST[index]);
299 if (processName == tmp) {
300 return true;
301 }
302 }
303 return false;
304 }
305
CheckProcessNameValidModifyRemoteDeviceName(const std::string & processName)306 bool PermissionManager::CheckProcessNameValidModifyRemoteDeviceName(const std::string &processName)
307 {
308 if (processName.empty()) {
309 LOGE("ProcessName is empty");
310 return false;
311 }
312 uint16_t index = 0;
313 for (; index < MODIFY_REMOTE_DEVICE_NAME_WHITE_LIST_NUM; ++index) {
314 std::string tmp(MODIFY_REMOTE_DEVICE_NAME_WHITE_LIST[index]);
315 if (processName == tmp) {
316 return true;
317 }
318 }
319 return false;
320 }
321
CheckProcessNameValidPutDeviceProfileInfoList(const std::string & processName)322 bool PermissionManager::CheckProcessNameValidPutDeviceProfileInfoList(const std::string &processName)
323 {
324 if (processName.empty()) {
325 LOGE("ProcessName is empty");
326 return false;
327 }
328 uint16_t index = 0;
329 for (; index < PUT_DEVICE_PROFILE_INFO_LIST_WHITE_LIST_NUM; ++index) {
330 std::string tmp(PUT_DEVICE_PROFILE_INFO_LIST_WHITE_LIST[index]);
331 if (processName == tmp) {
332 return true;
333 }
334 }
335 return false;
336 }
337
VerifyAccessTokenByPermissionName(const std::string & permissionName)338 bool PermissionManager::VerifyAccessTokenByPermissionName(const std::string& permissionName)
339 {
340 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
341 if (tokenCaller == 0) {
342 LOGE("GetCallingTokenID error.");
343 return false;
344 }
345 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
346 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP || tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
347 if (AccessTokenKit::VerifyAccessToken(tokenCaller, permissionName) == PermissionState::PERMISSION_GRANTED) {
348 return true;
349 }
350 }
351 LOGE("DM service access is denied, please apply for corresponding permissions");
352 return false;
353 }
354
CheckProcessValidOnGetTrustedDeviceList()355 bool PermissionManager::CheckProcessValidOnGetTrustedDeviceList()
356 {
357 std::string processName = "";
358 if (PermissionManager::GetInstance().GetCallerProcessName(processName) != DM_OK) {
359 LOGE("Get caller process name failed");
360 return false;
361 }
362 uint16_t index = 0;
363 for (; index < GET_TRUSTED_DEVICE_LIST_WHITE_LIST_NUM; ++index) {
364 std::string tmp(GET_TRUSTED_DEVICE_LIST_WHITE_LIST[index]);
365 if (processName == tmp) {
366 return true;
367 }
368 }
369 return false;
370 }
371
CheckReadLocalDeviceName(void)372 bool PermissionManager::CheckReadLocalDeviceName(void)
373 {
374 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
375 if (tokenCaller == 0) {
376 LOGE("CheckReadLocalDeviceName GetCallingTokenID error.");
377 return false;
378 }
379 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
380 if ((tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP) &&
381 (AccessTokenKit::VerifyAccessToken(tokenCaller, READ_LOCAL_DEVICE_NAME_PERMISSION) ==
382 PermissionState::PERMISSION_GRANTED)) {
383 return true;
384 }
385 LOGE("Read local device name permission is denied, please apply for corresponding permissions.");
386 return false;
387 }
388 } // namespace DistributedHardware
389 } // namespace OHOS
390