1 /*
2 * Copyright (c) 2022-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "privacy_manager_service.h"
17
18 #include <cinttypes>
19 #include <cstring>
20
21 #include "access_token.h"
22 #include "accesstoken_kit.h"
23 #include "accesstoken_common_log.h"
24 #include "active_status_callback_manager.h"
25 #include "ipc_skeleton.h"
26 #ifdef COMMON_EVENT_SERVICE_ENABLE
27 #include "privacy_common_event_subscriber.h"
28 #endif //COMMON_EVENT_SERVICE_ENABLE
29 #include "constant_common.h"
30 #include "constant.h"
31 #include "data_usage_dfx.h"
32 #include "ipc_skeleton.h"
33 #include "permission_record_manager.h"
34 #include "privacy_error.h"
35 #include "privacy_manager_proxy_death_param.h"
36 #include "system_ability_definition.h"
37 #include "string_ex.h"
38 #include "tokenid_kit.h"
39
40 namespace OHOS {
41 namespace Security {
42 namespace AccessToken {
43 namespace {
44 constexpr const char* PERMISSION_USED_STATS = "ohos.permission.PERMISSION_USED_STATS";
45 constexpr const char* PERMISSION_RECORD_TOGGLE = "ohos.permission.PERMISSION_RECORD_TOGGLE";
46 constexpr const char* SET_FOREGROUND_HAP_REMINDER = "ohos.permission.SET_FOREGROUND_HAP_REMINDER";
47 constexpr const char* SET_MUTE_POLICY = "ohos.permission.SET_MUTE_POLICY";
48 static const int32_t SA_ID_PRIVACY_MANAGER_SERVICE = 3505;
49 static const uint32_t PERM_LIST_SIZE_MAX = 1024;
50 }
51
52 const bool REGISTER_RESULT =
53 SystemAbility::MakeAndRegisterAbility(DelayedSingleton<PrivacyManagerService>::GetInstance().get());
54
PrivacyManagerService()55 PrivacyManagerService::PrivacyManagerService()
56 : SystemAbility(SA_ID_PRIVACY_MANAGER_SERVICE, true), state_(ServiceRunningState::STATE_NOT_START)
57 {
58 LOGI(PRI_DOMAIN, PRI_TAG, "PrivacyManagerService()");
59 }
60
~PrivacyManagerService()61 PrivacyManagerService::~PrivacyManagerService()
62 {
63 LOGI(PRI_DOMAIN, PRI_TAG, "~PrivacyManagerService()");
64 #ifdef COMMON_EVENT_SERVICE_ENABLE
65 PrivacyCommonEventSubscriber::UnRegisterEvent();
66 #endif //COMMON_EVENT_SERVICE_ENABLE
67 }
68
OnStart()69 void PrivacyManagerService::OnStart()
70 {
71 if (state_ == ServiceRunningState::STATE_RUNNING) {
72 LOGI(PRI_DOMAIN, PRI_TAG, "PrivacyManagerService has already started!");
73 return;
74 }
75 LOGI(PRI_DOMAIN, PRI_TAG, "PrivacyManagerService is starting");
76 if (!Initialize()) {
77 LOGE(PRI_DOMAIN, PRI_TAG, "Failed to initialize");
78 return;
79 }
80
81 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
82 AddSystemAbilityListener(SCREENLOCK_SERVICE_ID);
83
84 state_ = ServiceRunningState::STATE_RUNNING;
85 bool ret = Publish(DelayedSingleton<PrivacyManagerService>::GetInstance().get());
86 if (!ret) {
87 LOGE(PRI_DOMAIN, PRI_TAG, "Failed to publish service!");
88 return;
89 }
90 LOGI(PRI_DOMAIN, PRI_TAG, "Congratulations, PrivacyManagerService start successfully!");
91 }
92
OnStop()93 void PrivacyManagerService::OnStop()
94 {
95 LOGI(PRI_DOMAIN, PRI_TAG, "Stop service");
96 state_ = ServiceRunningState::STATE_NOT_START;
97 }
98
AddPermissionUsedRecord(const AddPermParamInfoParcel & infoParcel)99 int32_t PrivacyManagerService::AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel)
100 {
101 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
102 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
103 return PrivacyError::ERR_NOT_SYSTEM_APP;
104 }
105 if (!VerifyPermission(PERMISSION_USED_STATS)) {
106 return PrivacyError::ERR_PERMISSION_DENIED;
107 }
108
109 LOGD(PRI_DOMAIN, PRI_TAG, "id: %{public}d, perm: %{public}s, succCnt: %{public}d,"
110 " failCnt: %{public}d, type: %{public}d", infoParcel.info.tokenId, infoParcel.info.permissionName.c_str(),
111 infoParcel.info.successCount, infoParcel.info.failCount, infoParcel.info.type);
112 AddPermParamInfo info = infoParcel.info;
113 return PermissionRecordManager::GetInstance().AddPermissionUsedRecord(info);
114 }
115
AddPermissionUsedRecordAsync(const AddPermParamInfoParcel & infoParcel)116 int32_t PrivacyManagerService::AddPermissionUsedRecordAsync(const AddPermParamInfoParcel& infoParcel)
117 {
118 return AddPermissionUsedRecord(infoParcel);
119 }
120
SetPermissionUsedRecordToggleStatus(int32_t userID,bool status)121 int32_t PrivacyManagerService::SetPermissionUsedRecordToggleStatus(int32_t userID, bool status)
122 {
123 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
124 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
125 return PrivacyError::ERR_NOT_SYSTEM_APP;
126 }
127 if (!IsPrivilegedCalling() && !VerifyPermission(PERMISSION_RECORD_TOGGLE)) {
128 return PrivacyError::ERR_PERMISSION_DENIED;
129 }
130
131 LOGI(PRI_DOMAIN, PRI_TAG, "userID: %{public}d, status: %{public}d", userID, status ? 1 : 0);
132 return PermissionRecordManager::GetInstance().SetPermissionUsedRecordToggleStatus(userID, status);
133 }
134
GetPermissionUsedRecordToggleStatus(int32_t userID,bool & status)135 int32_t PrivacyManagerService::GetPermissionUsedRecordToggleStatus(int32_t userID, bool& status)
136 {
137 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
138 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
139 return PrivacyError::ERR_NOT_SYSTEM_APP;
140 }
141 if (!IsPrivilegedCalling() && !VerifyPermission(PERMISSION_USED_STATS)) {
142 return PrivacyError::ERR_PERMISSION_DENIED;
143 }
144
145 LOGD(PRI_DOMAIN, PRI_TAG, "userID: %{public}d, status: %{public}d", userID, status ? 1 : 0);
146 return PermissionRecordManager::GetInstance().GetPermissionUsedRecordToggleStatus(userID, status);
147 }
148
GetProxyDeathHandler()149 std::shared_ptr<ProxyDeathHandler> PrivacyManagerService::GetProxyDeathHandler()
150 {
151 std::lock_guard<std::mutex> lock(deathHandlerMutex_);
152 if (proxyDeathHandler_ == nullptr) {
153 proxyDeathHandler_ = std::make_shared<ProxyDeathHandler>();
154 }
155 return proxyDeathHandler_;
156 }
157
ProcessProxyDeathStub(const sptr<IRemoteObject> & anonyStub,int32_t callerPid)158 void PrivacyManagerService::ProcessProxyDeathStub(const sptr<IRemoteObject>& anonyStub, int32_t callerPid)
159 {
160 if (anonyStub == nullptr) {
161 LOGE(PRI_DOMAIN, PRI_TAG, "anonyStub is nullptr.");
162 return;
163 }
164 std::shared_ptr<ProxyDeathParam> param = std::make_shared<PrivacyManagerProxyDeathParam>(callerPid);
165 if (param == nullptr) {
166 LOGE(PRI_DOMAIN, PRI_TAG, "Create param failed.");
167 return;
168 }
169 auto handler = GetProxyDeathHandler();
170 if (handler == nullptr) {
171 LOGE(PRI_DOMAIN, PRI_TAG, "Handler is nullptr.");
172 return;
173 }
174 handler->AddProxyStub(anonyStub, param);
175 }
176
ReleaseDeathStub(int32_t callerPid)177 void PrivacyManagerService::ReleaseDeathStub(int32_t callerPid)
178 {
179 std::shared_ptr<ProxyDeathParam> param = std::make_shared<PrivacyManagerProxyDeathParam>(callerPid);
180 if (param == nullptr) {
181 LOGE(PRI_DOMAIN, PRI_TAG, "Create param failed.");
182 return;
183 }
184 auto handler = GetProxyDeathHandler();
185 if (handler == nullptr) {
186 LOGE(PRI_DOMAIN, PRI_TAG, "Handler is nullptr.");
187 return;
188 }
189 handler->ReleaseProxyByParam(param);
190 }
191
StartUsingPermission(const PermissionUsedTypeInfoParcel & infoParcel,const sptr<IRemoteObject> & anonyStub)192 int32_t PrivacyManagerService::StartUsingPermission(
193 const PermissionUsedTypeInfoParcel &infoParcel, const sptr<IRemoteObject>& anonyStub)
194 {
195 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
196 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
197 return PrivacyError::ERR_NOT_SYSTEM_APP;
198 }
199 if (!VerifyPermission(PERMISSION_USED_STATS)) {
200 return PrivacyError::ERR_PERMISSION_DENIED;
201 }
202
203 int32_t callerPid = IPCSkeleton::GetCallingPid();
204 LOGI(PRI_DOMAIN, PRI_TAG, "Caller pid = %{public}d.", callerPid);
205 ProcessProxyDeathStub(anonyStub, callerPid);
206 return PermissionRecordManager::GetInstance().StartUsingPermission(infoParcel.info, callerPid);
207 }
208
StartUsingPermissionCallback(const PermissionUsedTypeInfoParcel & infoParcel,const sptr<IRemoteObject> & callback,const sptr<IRemoteObject> & anonyStub)209 int32_t PrivacyManagerService::StartUsingPermissionCallback(const PermissionUsedTypeInfoParcel &infoParcel,
210 const sptr<IRemoteObject>& callback, const sptr<IRemoteObject>& anonyStub)
211 {
212 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
213 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
214 return PrivacyError::ERR_NOT_SYSTEM_APP;
215 }
216 if (!VerifyPermission(PERMISSION_USED_STATS)) {
217 return PrivacyError::ERR_PERMISSION_DENIED;
218 }
219
220 int32_t callerPid = IPCSkeleton::GetCallingPid();
221 LOGI(PRI_DOMAIN, PRI_TAG, "Caller pid = %{public}d.", callerPid);
222 ProcessProxyDeathStub(anonyStub, callerPid);
223 return PermissionRecordManager::GetInstance().StartUsingPermission(infoParcel.info, callback, callerPid);
224 }
225
StopUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)226 int32_t PrivacyManagerService::StopUsingPermission(
227 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
228 {
229 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
230 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
231 return PrivacyError::ERR_NOT_SYSTEM_APP;
232 }
233 if (!VerifyPermission(PERMISSION_USED_STATS)) {
234 return PrivacyError::ERR_PERMISSION_DENIED;
235 }
236
237 LOGI(PRI_DOMAIN, PRI_TAG, "id: %{public}u, pid: %{public}d, perm: %{public}s",
238 tokenId, pid, permissionName.c_str());
239 int32_t callerPid = IPCSkeleton::GetCallingPid();
240 int32_t ret = PermissionRecordManager::GetInstance().StopUsingPermission(tokenId, pid, permissionName, callerPid);
241 if (ret != Constant::SUCCESS) {
242 return ret;
243 }
244 if (!PermissionRecordManager::GetInstance().HasCallerInStartList(callerPid)) {
245 LOGI(PRI_DOMAIN, PRI_TAG, "No permission record from caller = %{public}d", callerPid);
246 ReleaseDeathStub(callerPid);
247 }
248 return ret;
249 }
250
RemovePermissionUsedRecords(AccessTokenID tokenId)251 int32_t PrivacyManagerService::RemovePermissionUsedRecords(AccessTokenID tokenId)
252 {
253 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
254 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
255 return PrivacyError::ERR_NOT_SYSTEM_APP;
256 }
257 if (!IsAccessTokenCalling() && !VerifyPermission(PERMISSION_USED_STATS)) {
258 return PrivacyError::ERR_PERMISSION_DENIED;
259 }
260
261 LOGI(PRI_DOMAIN, PRI_TAG, "id: %{public}u", tokenId);
262 PermissionRecordManager::GetInstance().RemovePermissionUsedRecords(tokenId);
263 return Constant::SUCCESS;
264 }
265
GetPermissionUsedRecords(const PermissionUsedRequestParcel & request,PermissionUsedResultParcel & resultParcel)266 int32_t PrivacyManagerService::GetPermissionUsedRecords(
267 const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& resultParcel)
268 {
269 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
270 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
271 return PrivacyError::ERR_NOT_SYSTEM_APP;
272 }
273 if (!VerifyPermission(PERMISSION_USED_STATS)) {
274 return PrivacyError::ERR_PERMISSION_DENIED;
275 }
276
277 std::string permissionList;
278 for (const auto& perm : request.request.permissionList) {
279 permissionList.append(perm);
280 permissionList.append(" ");
281 }
282 LOGI(PRI_DOMAIN, PRI_TAG, "id: %{public}d, timestamp: [%{public}s-%{public}s], flag: %{public}d, perm: %{public}s.",
283 request.request.tokenId, std::to_string(request.request.beginTimeMillis).c_str(),
284 std::to_string(request.request.endTimeMillis).c_str(), request.request.flag, permissionList.c_str());
285
286 PermissionUsedResult permissionRecord;
287 int32_t ret = PermissionRecordManager::GetInstance().GetPermissionUsedRecords(request.request, permissionRecord);
288 resultParcel.result = permissionRecord;
289 return ret;
290 }
291
GetPermissionUsedRecordsAsync(const PermissionUsedRequestParcel & request,const sptr<OnPermissionUsedRecordCallback> & callback)292 int32_t PrivacyManagerService::GetPermissionUsedRecordsAsync(
293 const PermissionUsedRequestParcel& request, const sptr<OnPermissionUsedRecordCallback>& callback)
294 {
295 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
296 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
297 return PrivacyError::ERR_NOT_SYSTEM_APP;
298 }
299 if (!VerifyPermission(PERMISSION_USED_STATS)) {
300 return PrivacyError::ERR_PERMISSION_DENIED;
301 }
302
303 LOGD(PRI_DOMAIN, PRI_TAG, "id: %{public}d", request.request.tokenId);
304 return PermissionRecordManager::GetInstance().GetPermissionUsedRecordsAsync(request.request, callback);
305 }
306
RegisterPermActiveStatusCallback(const std::vector<std::string> & permList,const sptr<IRemoteObject> & callback)307 int32_t PrivacyManagerService::RegisterPermActiveStatusCallback(
308 const std::vector<std::string>& permList, const sptr<IRemoteObject>& callback)
309 {
310 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
311 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
312 return PrivacyError::ERR_NOT_SYSTEM_APP;
313 }
314 if (!VerifyPermission(PERMISSION_USED_STATS)) {
315 return PrivacyError::ERR_PERMISSION_DENIED;
316 }
317
318 if (permList.size() > PERM_LIST_SIZE_MAX) {
319 LOGE(PRI_DOMAIN, PRI_TAG, "permList oversize");
320 return PrivacyError::ERR_OVERSIZE;
321 }
322
323 return PermissionRecordManager::GetInstance().RegisterPermActiveStatusCallback(
324 IPCSkeleton::GetCallingTokenID(), permList, callback);
325 }
326
ResponseDumpCommand(int32_t fd,const std::vector<std::u16string> & args)327 int32_t PrivacyManagerService::ResponseDumpCommand(int32_t fd, const std::vector<std::u16string>& args)
328 {
329 if (args.size() < 2) { // 2 :need two args 0:command 1:tokenId
330 return ERR_INVALID_VALUE;
331 }
332 long long tokenId = atoll(static_cast<const char*>(Str16ToStr8(args.at(1)).c_str()));
333 PermissionUsedRequest request;
334 if (tokenId <= 0) {
335 return ERR_INVALID_VALUE;
336 }
337 request.tokenId = static_cast<uint32_t>(tokenId);
338 request.flag = FLAG_PERMISSION_USAGE_SUMMARY;
339 PermissionUsedResult result;
340 if (PermissionRecordManager::GetInstance().GetPermissionUsedRecords(request, result) != 0) {
341 return ERR_INVALID_VALUE;
342 }
343 std::string infos;
344 if (result.bundleRecords.empty() || result.bundleRecords[0].permissionRecords.empty()) {
345 dprintf(fd, "No Record \n");
346 return ERR_OK;
347 }
348 size_t size = result.bundleRecords[0].permissionRecords.size();
349 infos.append("{\n");
350 infos.append(R"( "permissionRecord": [)");
351 infos.append("\n");
352 for (size_t index = 0; index < size; index++) {
353 infos.append(" {\n");
354 infos.append(R"( "bundleName": ")" + result.bundleRecords[0].bundleName + R"(")" + ",\n");
355 std::string isRemoteStr = (result.bundleRecords[0].isRemote ? "true" : "false");
356 infos.append(R"( "isRemote": )" + isRemoteStr + ",\n");
357 infos.append(R"( "permissionName": ")" + result.bundleRecords[0].permissionRecords[index].permissionName +
358 R"(")" + ",\n");
359 time_t lastAccessTime = static_cast<time_t>(result.bundleRecords[0].permissionRecords[index].lastAccessTime);
360 infos.append(R"( "lastAccessTime": )" + std::to_string(lastAccessTime) + ",\n");
361 infos.append(R"( "lastAccessDuration": )" +
362 std::to_string(result.bundleRecords[0].permissionRecords[index].lastAccessDuration) + ",\n");
363 infos.append(R"( "accessCount": )" +
364 std::to_string(result.bundleRecords[0].permissionRecords[index].accessCount) + "\n");
365 infos.append(" }");
366 if (index != (size - 1)) {
367 infos.append(",");
368 }
369 infos.append("\n");
370 }
371 infos.append(" ]\n");
372 infos.append("}");
373 dprintf(fd, "%s\n", infos.c_str());
374 return ERR_OK;
375 }
376
Dump(int32_t fd,const std::vector<std::u16string> & args)377 int32_t PrivacyManagerService::Dump(int32_t fd, const std::vector<std::u16string>& args)
378 {
379 if (fd < 0) {
380 LOGE(PRI_DOMAIN, PRI_TAG, "Dump fd invalid value");
381 return ERR_INVALID_VALUE;
382 }
383 int32_t ret = ERR_OK;
384 dprintf(fd, "Privacy Dump:\n");
385 if (args.size() == 0) {
386 dprintf(fd, "please use hidumper -s said -a '-h' command help\n");
387 return ret;
388 }
389 std::string arg0 = Str16ToStr8(args.at(0));
390 if (arg0.compare("-h") == 0) {
391 dprintf(fd, "Usage:\n");
392 dprintf(fd, " -h: command help\n");
393 dprintf(fd, " -t <TOKEN_ID>: according to specific token id dump permission used records\n");
394 } else if (arg0.compare("-t") == 0) {
395 ret = PrivacyManagerService::ResponseDumpCommand(fd, args);
396 } else {
397 dprintf(fd, "please use hidumper -s said -a '-h' command help\n");
398 ret = ERR_INVALID_VALUE;
399 }
400 return ret;
401 }
402
UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject> & callback)403 int32_t PrivacyManagerService::UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject>& callback)
404 {
405 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
406 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
407 return PrivacyError::ERR_NOT_SYSTEM_APP;
408 }
409 if (!VerifyPermission(PERMISSION_USED_STATS)) {
410 return PrivacyError::ERR_PERMISSION_DENIED;
411 }
412
413 return PermissionRecordManager::GetInstance().UnRegisterPermActiveStatusCallback(callback);
414 }
415
IsAllowedUsingPermission(AccessTokenID tokenId,const std::string & permissionName,int32_t pid,bool & isAllowed)416 int32_t PrivacyManagerService::IsAllowedUsingPermission(AccessTokenID tokenId, const std::string& permissionName,
417 int32_t pid, bool& isAllowed)
418 {
419 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
420 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
421 LOGE(PRI_DOMAIN, PRI_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
422 return PrivacyError::ERR_NOT_SYSTEM_APP;
423 }
424 if (!VerifyPermission(PERMISSION_USED_STATS)) {
425 return PrivacyError::ERR_PERMISSION_DENIED;
426 }
427
428 LOGI(PRI_DOMAIN, PRI_TAG, "Id: %{public}d, perm: %{public}s, pid: %{public}d.",
429 tokenId, permissionName.c_str(), pid);
430 isAllowed = PermissionRecordManager::GetInstance().IsAllowedUsingPermission(tokenId, permissionName, pid);
431 return ERR_OK;
432 }
433
SetMutePolicy(uint32_t policyType,uint32_t callerType,bool isMute,AccessTokenID tokenID)434 int32_t PrivacyManagerService::SetMutePolicy(uint32_t policyType, uint32_t callerType, bool isMute,
435 AccessTokenID tokenID)
436 {
437 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
438 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) != TOKEN_NATIVE) &&
439 (AccessTokenKit::GetTokenTypeFlag(callingTokenID) != TOKEN_SHELL)) {
440 return PrivacyError::ERR_PERMISSION_DENIED;
441 }
442
443 if (!VerifyPermission(SET_MUTE_POLICY)) {
444 return PrivacyError::ERR_PERMISSION_DENIED;
445 }
446
447 LOGI(PRI_DOMAIN, PRI_TAG, "PolicyType %{public}d, callerType %{public}d, isMute %{public}d, tokenId %{public}u",
448 policyType, callerType, isMute, tokenID);
449 return PermissionRecordManager::GetInstance().SetMutePolicy(
450 static_cast<PolicyType>(policyType), static_cast<CallerType>(callerType), isMute, tokenID);
451 }
452
SetHapWithFGReminder(uint32_t tokenId,bool isAllowed)453 int32_t PrivacyManagerService::SetHapWithFGReminder(uint32_t tokenId, bool isAllowed)
454 {
455 if (!VerifyPermission(SET_FOREGROUND_HAP_REMINDER)) {
456 return PrivacyError::ERR_PERMISSION_DENIED;
457 }
458
459 LOGI(PRI_DOMAIN, PRI_TAG, "id: %{public}d, isAllowed: %{public}d", tokenId, isAllowed);
460 return PermissionRecordManager::GetInstance().SetHapWithFGReminder(tokenId, isAllowed);
461 }
462
GetPermissionUsedTypeInfos(const AccessTokenID tokenId,const std::string & permissionName,std::vector<PermissionUsedTypeInfoParcel> & resultsParcel)463 int32_t PrivacyManagerService::GetPermissionUsedTypeInfos(const AccessTokenID tokenId,
464 const std::string& permissionName, std::vector<PermissionUsedTypeInfoParcel>& resultsParcel)
465 {
466 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
467 if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
468 return PrivacyError::ERR_NOT_SYSTEM_APP;
469 }
470 if (!VerifyPermission(PERMISSION_USED_STATS)) {
471 return PrivacyError::ERR_PERMISSION_DENIED;
472 }
473
474 LOGD(PRI_DOMAIN, PRI_TAG, "id: %{public}d, perm: %{public}s", tokenId, permissionName.c_str());
475 std::vector<PermissionUsedTypeInfo> results;
476 int32_t res = PermissionRecordManager::GetInstance().GetPermissionUsedTypeInfos(tokenId, permissionName, results);
477 if (res != RET_SUCCESS) {
478 return res;
479 }
480
481 for (const auto& result : results) {
482 PermissionUsedTypeInfoParcel parcel;
483 parcel.info = result;
484 resultsParcel.emplace_back(parcel);
485 }
486
487 return RET_SUCCESS;
488 }
489
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)490 void PrivacyManagerService::OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
491 {
492 LOGI(PRI_DOMAIN, PRI_TAG, "saId is %{public}d", systemAbilityId);
493 #ifdef COMMON_EVENT_SERVICE_ENABLE
494 if (systemAbilityId == COMMON_EVENT_SERVICE_ID) {
495 PrivacyCommonEventSubscriber::RegisterEvent();
496 return;
497 }
498 #endif //COMMON_EVENT_SERVICE_ENABLE
499
500 if (systemAbilityId == SCREENLOCK_SERVICE_ID) {
501 int32_t lockScreenStatus = PermissionRecordManager::GetInstance().GetLockScreenStatus(true);
502 PermissionRecordManager::GetInstance().SetLockScreenStatus(lockScreenStatus);
503 return;
504 }
505 }
506
Initialize()507 bool PrivacyManagerService::Initialize()
508 {
509 PermissionRecordManager::GetInstance().Init();
510 #ifdef EVENTHANDLER_ENABLE
511 eventRunner_ = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
512 if (!eventRunner_) {
513 LOGE(PRI_DOMAIN, PRI_TAG, "Failed to create eventRunner.");
514 return false;
515 }
516 eventHandler_ = std::make_shared<AccessEventHandler>(eventRunner_);
517 ActiveStatusCallbackManager::GetInstance().InitEventHandler(eventHandler_);
518 #endif
519 ReportPrivacyUserData();
520 return true;
521 }
522
IsPrivilegedCalling() const523 bool PrivacyManagerService::IsPrivilegedCalling() const
524 {
525 // shell process is root in debug mode.
526 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
527 int32_t callingUid = IPCSkeleton::GetCallingUid();
528 return callingUid == ROOT_UID;
529 #else
530 return false;
531 #endif
532 }
533
IsAccessTokenCalling() const534 bool PrivacyManagerService::IsAccessTokenCalling() const
535 {
536 int32_t callingUid = IPCSkeleton::GetCallingUid();
537 return callingUid == ACCESSTOKEN_UID;
538 }
539
IsSystemAppCalling() const540 bool PrivacyManagerService::IsSystemAppCalling() const
541 {
542 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
543 return TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
544 }
545
VerifyPermission(const std::string & permission) const546 bool PrivacyManagerService::VerifyPermission(const std::string& permission) const
547 {
548 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
549 if (AccessTokenKit::VerifyAccessToken(callingTokenID, permission) == PERMISSION_DENIED) {
550 LOGE(PRI_DOMAIN, PRI_TAG, "Permission denied(callingTokenID=%{public}d)", callingTokenID);
551 return false;
552 }
553 return true;
554 }
555 } // namespace AccessToken
556 } // namespace Security
557 } // namespace OHOS
558