1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "enterprise_device_mgr_ability.h"
17
18 #include <cstring>
19 #include <string_ex.h>
20 #include <thread>
21
22 #include "application_state_observer.h"
23 #include "bundle_info.h"
24 #include "clipboard_policy.h"
25 #include "common_event_manager.h"
26 #include "common_event_support.h"
27 #include "device_policies_storage_rdb.h"
28 #include "directory_ex.h"
29 #include "ipc_skeleton.h"
30 #include "iservice_registry.h"
31 #include "matching_skills.h"
32 #include "message_parcel.h"
33 #include "parameters.h"
34 #include "system_ability.h"
35 #include "system_ability_definition.h"
36
37 #include "array_string_serializer.h"
38 #include "admin_action.h"
39 #include "edm_constants.h"
40 #include "edm_data_ability_utils.h"
41 #include "edm_errors.h"
42 #include "edm_ipc_interface_code.h"
43 #include "edm_log.h"
44 #include "edm_sys_manager.h"
45 #include "enterprise_admin_connection.h"
46 #include "enterprise_bundle_connection.h"
47 #include "enterprise_conn_manager.h"
48 #include "func_code_utils.h"
49 #include "hisysevent_adapter.h"
50 #include "plugin_policy_reader.h"
51 #include "policy_type.h"
52
53 #ifdef NET_MANAGER_BASE_EDM_ENABLE
54 #include "map_string_serializer.h"
55 #endif
56 #ifdef PASTEBOARD_EDM_ENABLE
57 #include "clipboard_policy_serializer.h"
58 #endif
59 #ifdef USERIAM_EDM_ENABLE
60 #include "fingerprint_policy.h"
61 #include "fingerprint_policy_serializer.h"
62 #include "password_policy_serializer.h"
63 #endif
64
65 namespace OHOS {
66 namespace EDM {
67 const bool REGISTER_RESULT =
68 SystemAbility::MakeAndRegisterAbility(EnterpriseDeviceMgrAbility::GetInstance().GetRefPtr());
69
70 const std::string PERMISSION_UPDATE_SYSTEM = "ohos.permission.UPDATE_SYSTEM";
71 const std::string PERMISSION_GET_ADMINPROVISION_INFO = "ohos.permission.START_PROVISIONING_MESSAGE";
72 const std::string PARAM_EDM_ENABLE = "persist.edm.edm_enable";
73 const std::string PARAM_SECURITY_MODE = "ohos.boot.advsecmode.state";
74 const std::string SYSTEM_UPDATE_FOR_POLICY = "usual.event.DUE_SA_FIRMWARE_UPDATE_FOR_POLICY";
75 const std::string WANT_BUNDLE_NAME = "bundleName";
76 const std::string FIRMWARE_EVENT_INFO_NAME = "version";
77 const std::string FIRMWARE_EVENT_INFO_TYPE = "packageType";
78 const std::string FIRMWARE_EVENT_INFO_CHECK_TIME = "firstReceivedTime";
79 const std::string DEVELOP_MODE_STATE = "const.security.developermode.state";
80 const std::string EDM_ADMIN_ENABLED_EVENT = "com.ohos.edm.edmadminenabled";
81 const std::string EDM_ADMIN_DISABLED_EVENT = "com.ohos.edm.edmadmindisabled";
82 const std::string APP_TYPE_ENTERPRISE_MDM = "enterprise_mdm";
83 const std::string APP_TYPE_ENTERPRISE_NORMAL = "enterprise_normal";
84 const char* const KEY_EDM_DISPLAY = "com.enterprise.enterprise_device_manager_display";
85 const std::string POLICY_ALLOW_ALL = "allow_all";
86 const int32_t INVALID_SYSTEM_ABILITY_ID = -1;
87 const int32_t MAX_POLICY_TYPE = 3;
88
89 std::shared_mutex EnterpriseDeviceMgrAbility::adminLock_;
90
91 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::instance_;
92
93 constexpr const char *WITHOUT_PERMISSION_TAG = "";
94 #ifndef EDM_FUZZ_TEST
95 const int EDM_UID = 3057;
96 #endif
97
98 const int EDC_UID = 7200;
99
AddCommonEventFuncMap()100 void EnterpriseDeviceMgrAbility::AddCommonEventFuncMap()
101 {
102 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_USER_ADDED] =
103 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
104 that->OnCommonEventUserAdded(data);
105 };
106 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_USER_SWITCHED] =
107 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
108 that->OnCommonEventUserSwitched(data);
109 };
110 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED] =
111 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
112 that->OnCommonEventUserRemoved(data);
113 };
114 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_ADDED] =
115 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
116 that->OnCommonEventPackageAdded(data);
117 };
118 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED] =
119 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
120 that->OnCommonEventPackageRemoved(data);
121 };
122 commonEventFuncMap_[SYSTEM_UPDATE_FOR_POLICY] =
123 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
124 that->OnCommonEventSystemUpdate(data);
125 };
126 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_CHANGED] =
127 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
128 that->OnCommonEventPackageChanged(data);
129 };
130 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_BUNDLE_SCAN_FINISHED] =
131 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
132 that->OnCommonEventBmsReady(data);
133 };
134 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_KIOSK_MODE_ON] =
135 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
136 that->OnCommonEventKioskMode(data, true);
137 };
138 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_KIOSK_MODE_OFF] =
139 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
140 that->OnCommonEventKioskMode(data, false);
141 };
142 }
143
OnCommonEventSystemUpdate(const EventFwk::CommonEventData & data)144 void EnterpriseDeviceMgrAbility::OnCommonEventSystemUpdate(const EventFwk::CommonEventData &data)
145 {
146 EDMLOGI("OnCommonEventSystemUpdate");
147 UpdateInfo updateInfo;
148 updateInfo.version = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_NAME);
149 updateInfo.firstReceivedTime = data.GetWant().GetLongParam(FIRMWARE_EVENT_INFO_CHECK_TIME, 0);
150 updateInfo.packageType = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_TYPE);
151
152 ConnectAbilityOnSystemUpdate(updateInfo);
153 }
154
ConnectAbilityOnSystemUpdate(const UpdateInfo & updateInfo)155 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemUpdate(const UpdateInfo &updateInfo)
156 {
157 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
158 AdminManager::GetInstance()->GetAdminBySubscribeEvent(ManagedEvent::SYSTEM_UPDATE, subAdmins);
159 if (subAdmins.empty()) {
160 EDMLOGW("Get subscriber by common event failed.");
161 return;
162 }
163 AAFwk::Want want;
164 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
165 if (manager == nullptr) {
166 EDMLOGW("EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemUpdate EnterpriseConnManager null");
167 return;
168 }
169 for (const auto &subAdmin : subAdmins) {
170 for (const auto &it : subAdmin.second) {
171 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
172 bool ret = manager->CreateUpdateConnection(want, subAdmin.first, updateInfo);
173 if (!ret) {
174 EDMLOGW("EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemUpdate CreateUpdateConnection failed.");
175 }
176 }
177 }
178 }
179
AddOnAddSystemAbilityFuncMapSecond()180 void EnterpriseDeviceMgrAbility::AddOnAddSystemAbilityFuncMapSecond()
181 {
182 addSystemAbilityFuncMap_[BUNDLE_MGR_SERVICE_SYS_ABILITY_ID] =
183 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
184 that->CallOnOtherServiceStart(EdmInterfaceCode::ALLOWED_KIOSK_APPS, BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
185 };
186 addSystemAbilityFuncMap_[ABILITY_MGR_SERVICE_ID] =
187 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
188 that->OnAbilityManagerServiceStart();
189 that->CallOnOtherServiceStart(EdmInterfaceCode::ALLOWED_KIOSK_APPS, ABILITY_MGR_SERVICE_ID);
190 };
191 addSystemAbilityFuncMap_[WINDOW_MANAGER_SERVICE_ID] =
192 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
193 that->CallOnOtherServiceStart(EdmInterfaceCode::SNAPSHOT_SKIP);
194 that->CallOnOtherServiceStart(EdmInterfaceCode::ALLOWED_KIOSK_APPS, WINDOW_MANAGER_SERVICE_ID);
195 };
196 #ifdef MOBILE_DATA_ENABLE
197 addSystemAbilityFuncMap_[TELEPHONY_CALL_MANAGER_SYS_ABILITY_ID] =
198 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
199 that->CallOnOtherServiceStart(EdmInterfaceCode::TELEPHONY_CALL_POLICY);
200 };
201 #endif
202 }
203
AddOnAddSystemAbilityFuncMap()204 void EnterpriseDeviceMgrAbility::AddOnAddSystemAbilityFuncMap()
205 {
206 AddOnAddSystemAbilityFuncMapSecond();
207 addSystemAbilityFuncMap_[APP_MGR_SERVICE_ID] =
208 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
209 that->OnAppManagerServiceStart();
210 };
211 addSystemAbilityFuncMap_[COMMON_EVENT_SERVICE_ID] =
212 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
213 that->OnCommonEventServiceStart();
214 };
215 #ifdef PASTEBOARD_EDM_ENABLE
216 addSystemAbilityFuncMap_[PASTEBOARD_SERVICE_ID] =
217 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
218 that->CallOnOtherServiceStart(EdmInterfaceCode::CLIPBOARD_POLICY);
219 };
220 #endif
221 #ifdef NET_MANAGER_BASE_EDM_ENABLE
222 addSystemAbilityFuncMap_[COMM_NET_POLICY_MANAGER_SYS_ABILITY_ID] =
223 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
224 that->CallOnOtherServiceStart(EdmInterfaceCode::DISABLED_NETWORK_INTERFACE);
225 };
226 #endif
227 #ifdef USB_SERVICE_EDM_ENABLE
228 addSystemAbilityFuncMap_[USB_SYSTEM_ABILITY_ID] =
229 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
230 that->CallOnOtherServiceStart(EdmInterfaceCode::DISABLE_USB);
231 that->CallOnOtherServiceStart(EdmInterfaceCode::ALLOWED_USB_DEVICES);
232 that->CallOnOtherServiceStart(EdmInterfaceCode::DISALLOWED_USB_DEVICES);
233 };
234 #endif
235 #ifdef USERIAM_EDM_ENABLE
236 addSystemAbilityFuncMap_[SUBSYS_USERIAM_SYS_ABILITY_USERAUTH] =
237 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
238 that->CallOnOtherServiceStart(EdmInterfaceCode::PASSWORD_POLICY);
239 that->CallOnOtherServiceStart(EdmInterfaceCode::FINGERPRINT_AUTH);
240 };
241 #endif
242 addSystemAbilityFuncMap_[RENDER_SERVICE] =
243 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
244 that->CallOnOtherServiceStart(EdmInterfaceCode::WATERMARK_IMAGE);
245 };
246 }
247
248 #ifdef COMMON_EVENT_SERVICE_EDM_ENABLE
EnterpriseDeviceEventSubscriber(const EventFwk::CommonEventSubscribeInfo & subscribeInfo,EnterpriseDeviceMgrAbility & listener)249 EnterpriseDeviceEventSubscriber::EnterpriseDeviceEventSubscriber(
250 const EventFwk::CommonEventSubscribeInfo &subscribeInfo,
251 EnterpriseDeviceMgrAbility &listener) : EventFwk::CommonEventSubscriber(subscribeInfo), listener_(listener) {}
252
OnReceiveEvent(const EventFwk::CommonEventData & data)253 void EnterpriseDeviceEventSubscriber::OnReceiveEvent(const EventFwk::CommonEventData &data)
254 {
255 const std::string action = data.GetWant().GetAction();
256 EDMLOGI("EDM OnReceiveEvent get action: %{public}s", action.c_str());
257 auto func = listener_.commonEventFuncMap_.find(action);
258 if (func != listener_.commonEventFuncMap_.end()) {
259 auto commonEventFunc = func->second;
260 if (commonEventFunc != nullptr) {
261 return commonEventFunc(&listener_, data);
262 }
263 } else {
264 EDMLOGW("OnReceiveEvent action is invalid");
265 }
266 }
267
CreateEnterpriseDeviceEventSubscriber(EnterpriseDeviceMgrAbility & listener)268 std::shared_ptr<EventFwk::CommonEventSubscriber> EnterpriseDeviceMgrAbility::CreateEnterpriseDeviceEventSubscriber(
269 EnterpriseDeviceMgrAbility &listener)
270 {
271 EventFwk::MatchingSkills skill = EventFwk::MatchingSkills();
272 AddCommonEventFuncMap();
273 for (auto &item : commonEventFuncMap_) {
274 if (item.first == SYSTEM_UPDATE_FOR_POLICY) {
275 continue;
276 }
277 skill.AddEvent(item.first);
278 EDMLOGI("CreateEnterpriseDeviceEventSubscriber AddEvent: %{public}s", item.first.c_str());
279 }
280 EventFwk::CommonEventSubscribeInfo info(skill);
281 return std::make_shared<EnterpriseDeviceEventSubscriber>(info, listener);
282 }
283 #endif
284
OnCommonEventUserAdded(const EventFwk::CommonEventData & data)285 void EnterpriseDeviceMgrAbility::OnCommonEventUserAdded(const EventFwk::CommonEventData &data)
286 {
287 int userIdToAdd = data.GetCode();
288 if (userIdToAdd < 0) {
289 EDMLOGE("EnterpriseDeviceMgrAbility OnCommonEventUserAdded error");
290 return;
291 }
292 EDMLOGI("EnterpriseDeviceMgrAbility OnCommonEventUserAdded");
293 ConnectAbilityOnSystemAccountEvent(userIdToAdd, ManagedEvent::USER_ADDED);
294 }
295
OnCommonEventUserSwitched(const EventFwk::CommonEventData & data)296 void EnterpriseDeviceMgrAbility::OnCommonEventUserSwitched(const EventFwk::CommonEventData &data)
297 {
298 int userIdToSwitch = data.GetCode();
299 if (userIdToSwitch < 0) {
300 EDMLOGE("EnterpriseDeviceMgrAbility OnCommonEventUserSwitched error");
301 return;
302 }
303 EDMLOGI("EnterpriseDeviceMgrAbility OnCommonEventUserSwitched");
304 auto superAdmin = AdminManager::GetInstance()->GetSuperAdmin();
305 if (superAdmin) {
306 bool isInstall = GetBundleMgr()->IsBundleInstalled(superAdmin->adminInfo_.packageName_, userIdToSwitch);
307 if (isInstall && superAdmin->adminInfo_.runningMode_ == RunningMode::MULTI_USER) {
308 ConnectAbility(userIdToSwitch, superAdmin);
309 } else {
310 ConnectAbility(EdmConstants::DEFAULT_USER_ID, superAdmin);
311 }
312 }
313 ConnectAbilityOnSystemAccountEvent(userIdToSwitch, ManagedEvent::USER_SWITCHED);
314 }
315
OnCommonEventUserRemoved(const EventFwk::CommonEventData & data)316 void EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved(const EventFwk::CommonEventData &data)
317 {
318 int userIdToRemove = data.GetCode();
319 if (userIdToRemove < 0) {
320 EDMLOGE("EnterpriseDeviceMgrAbility OnCommonEventUserRemoved error");
321 return;
322 }
323 EDMLOGI("OnCommonEventUserRemoved");
324 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
325 // include super admin, need to be removed
326 std::vector<std::shared_ptr<Admin>> userAdmin;
327 AdminManager::GetInstance()->GetAdminByUserId(userIdToRemove, userAdmin);
328 for (auto &item : userAdmin) {
329 if (FAILED(RemoveAdminAndAdminPolicy(item->adminInfo_.packageName_, userIdToRemove))) {
330 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved remove admin failed packagename = %{public}s",
331 item->adminInfo_.packageName_.c_str());
332 }
333 }
334 std::vector<std::shared_ptr<Admin>> subAndSuperAdmin;
335 AdminManager::GetInstance()->GetAdminByUserId(EdmConstants::DEFAULT_USER_ID, subAndSuperAdmin);
336 for (const auto &subAdmin : subAndSuperAdmin) {
337 if ((subAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN || subAdmin->GetAdminType() == AdminType::ENT ||
338 subAdmin->GetAdminType() == AdminType::VIRTUAL_ADMIN) &&
339 FAILED(RemoveAdminAndAdminPolicy(subAdmin->adminInfo_.packageName_, userIdToRemove))) {
340 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved: remove sub and super admin policy failed.");
341 }
342 }
343 ConnectAbilityOnSystemAccountEvent(userIdToRemove, ManagedEvent::USER_REMOVED);
344 }
345
OnCommonEventPackageAdded(const EventFwk::CommonEventData & data)346 void EnterpriseDeviceMgrAbility::OnCommonEventPackageAdded(const EventFwk::CommonEventData &data)
347 {
348 EDMLOGI("OnCommonEventPackageAdded");
349 AAFwk::Want want = data.GetWant();
350 std::string bundleName = want.GetElement().GetBundleName();
351 int32_t userId = want.GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
352 if (userId == AppExecFwk::Constants::INVALID_USERID) {
353 EDMLOGE("OnCommonEventPackageAdded get INVALID_USERID");
354 return;
355 }
356 auto superAdmin = AdminManager::GetInstance()->GetSuperAdmin();
357 if (superAdmin && superAdmin->adminInfo_.runningMode_ == RunningMode::MULTI_USER &&
358 superAdmin->adminInfo_.packageName_ == bundleName &&
359 superAdmin->adminInfo_.adminType_ != AdminType::NORMAL) {
360 AddDisallowUninstallApp(bundleName, userId);
361 }
362 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_ADDED, userId);
363 }
364
UpdateClipboardInfo(const std::string & bundleName,int32_t userId)365 void EnterpriseDeviceMgrAbility::UpdateClipboardInfo(const std::string &bundleName, int32_t userId)
366 {
367 EDMLOGI("OnCommonEventPackageRemoved UpdateClipboardInfo");
368 std::vector<std::shared_ptr<Admin>> admins;
369 AdminManager::GetInstance()->GetAdmins(admins, EdmConstants::DEFAULT_USER_ID);
370 for (const auto& admin : admins) {
371 std::uint32_t funcCode =
372 POLICY_FUNC_CODE((std::uint32_t)FuncOperateType::SET, EdmInterfaceCode::CLIPBOARD_POLICY);
373 MessageParcel reply;
374 MessageParcel data;
375 data.WriteString(WITHOUT_PERMISSION_TAG);
376 data.WriteInt32(ClipboardFunctionType::SET_HAS_BUNDLE_NAME);
377 data.WriteString(bundleName);
378 data.WriteInt32(userId);
379 data.WriteInt32(static_cast<int32_t>(ClipboardPolicy::DEFAULT));
380 OHOS::AppExecFwk::ElementName elementName;
381 elementName.SetBundleName(admin->adminInfo_.packageName_);
382 elementName.SetAbilityName(admin->adminInfo_.className_);
383 HandleDevicePolicy(funcCode, elementName, data, reply, EdmConstants::DEFAULT_USER_ID);
384 }
385 }
386
OnCommonEventPackageRemoved(const EventFwk::CommonEventData & data)387 void EnterpriseDeviceMgrAbility::OnCommonEventPackageRemoved(const EventFwk::CommonEventData &data)
388 {
389 EDMLOGI("OnCommonEventPackageRemoved");
390 std::string bundleName = data.GetWant().GetElement().GetBundleName();
391 int32_t userId = data.GetWant().GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
392 if (userId == AppExecFwk::Constants::INVALID_USERID) {
393 EDMLOGE("OnCommonEventPackageRemoved get INVALID_USERID");
394 return;
395 }
396 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
397 std::shared_ptr<Admin> admin = AdminManager::GetInstance()->GetAdminByPkgName(bundleName, userId);
398 if (admin != nullptr) {
399 if (admin->adminInfo_.adminType_ == AdminType::NORMAL) {
400 RemoveAdminAndAdminPolicy(bundleName, userId);
401 }
402 if ((admin->adminInfo_.adminType_ == AdminType::SUB_SUPER_ADMIN ||
403 admin->adminInfo_.adminType_ == AdminType::VIRTUAL_ADMIN) && userId == EdmConstants::DEFAULT_USER_ID) {
404 // remove sub super admin and sub super admin policy
405 RemoveSubSuperAdminAndAdminPolicy(bundleName);
406 }
407 if (admin->adminInfo_.adminType_ == AdminType::ENT && userId == EdmConstants::DEFAULT_USER_ID) {
408 // remove super admin and super admin policy
409 RemoveSuperAdminAndAdminPolicy(bundleName);
410 }
411 if (admin->adminInfo_.adminType_ == AdminType::BYOD && userId == EdmConstants::DEFAULT_USER_ID) {
412 RemoveAdminAndAdminPolicy(bundleName, userId);
413 }
414 if (!AdminManager::GetInstance()->IsAdminExist()) {
415 system::SetParameter(PARAM_EDM_ENABLE, "false");
416 NotifyAdminEnabled(false);
417 }
418 }
419 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_REMOVED, userId);
420 autoLock.unlock();
421 UpdateClipboardInfo(bundleName, userId);
422 }
423
OnCommonEventPackageChanged(const EventFwk::CommonEventData & data)424 void EnterpriseDeviceMgrAbility::OnCommonEventPackageChanged(const EventFwk::CommonEventData &data)
425 {
426 EDMLOGI("OnCommonEventPackageChanged");
427 std::string bundleName = data.GetWant().GetElement().GetBundleName();
428 int32_t userId = data.GetWant().GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
429 std::shared_ptr<Admin> admin = AdminManager::GetInstance()->GetAdminByPkgName(bundleName, userId);
430 if (admin != nullptr && admin->GetAdminType() == AdminType::ENT) {
431 OnAdminEnabled(admin->adminInfo_.packageName_, admin->adminInfo_.className_,
432 IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, userId, false);
433 }
434 }
435
OnCommonEventBmsReady(const EventFwk::CommonEventData & data)436 void EnterpriseDeviceMgrAbility::OnCommonEventBmsReady(const EventFwk::CommonEventData &data)
437 {
438 EDMLOGI("OnCommonEventBmsReady");
439 ConnectEnterpriseAbility();
440 }
441
OnCommonEventKioskMode(const EventFwk::CommonEventData & data,bool isModeOn)442 void EnterpriseDeviceMgrAbility::OnCommonEventKioskMode(const EventFwk::CommonEventData &data, bool isModeOn)
443 {
444 AAFwk::Want want = data.GetWant();
445 int32_t paramUserId = want.GetIntParam(AppExecFwk::Constants::USER_ID, EdmConstants::DEFAULT_USER_ID);
446 std::string bundleName = want.GetStringParam(WANT_BUNDLE_NAME);
447 auto code = static_cast<uint32_t>(
448 isModeOn ? IEnterpriseAdmin::COMMAND_ON_KIOSK_MODE_ENTERING : IEnterpriseAdmin::COMMAND_ON_KIOSK_MODE_EXITING);
449 std::vector<std::shared_ptr<Admin>> admins;
450 int32_t currentUserId = GetCurrentUserId();
451 if (currentUserId < 0) {
452 return;
453 }
454 AdminManager::GetInstance()->GetAdmins(admins, currentUserId);
455 for (const auto& admin : admins) {
456 EDMLOGI("OnCommonEventKioskMode packageName:%{public}s", admin->adminInfo_.packageName_.c_str());
457 AAFwk::Want connectWant;
458 connectWant.SetElementName(admin->adminInfo_.packageName_, admin->adminInfo_.className_);
459 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
460 bool ret = manager->CreateKioskConnection(connectWant, code, currentUserId, bundleName, paramUserId);
461 if (!ret) {
462 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventKioskMode CreateKioskConnection failed.");
463 }
464 }
465 }
466
OnAdminEnabled(const std::string & bundleName,const std::string & abilityName,uint32_t code,int32_t userId,bool isAdminEnabled)467 bool EnterpriseDeviceMgrAbility::OnAdminEnabled(const std::string &bundleName, const std::string &abilityName,
468 uint32_t code, int32_t userId, bool isAdminEnabled)
469 {
470 AAFwk::Want connectWant;
471 connectWant.SetElementName(bundleName, abilityName);
472 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
473 return manager->CreateAdminConnection(connectWant, code, userId, isAdminEnabled);
474 }
475
ConnectAbilityOnSystemAccountEvent(const int32_t accountId,ManagedEvent event)476 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemAccountEvent(const int32_t accountId, ManagedEvent event)
477 {
478 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
479 AdminManager::GetInstance()->GetAdminBySubscribeEvent(event, subAdmins);
480 if (subAdmins.empty()) {
481 EDMLOGW("SystemEventSubscriber Get subscriber by common event failed.");
482 return;
483 }
484 AAFwk::Want want;
485 for (const auto &subAdmin : subAdmins) {
486 for (const auto &it : subAdmin.second) {
487 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
488 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
489 int32_t userId = subAdmin.first;
490 int32_t currentUserId = GetCurrentUserId();
491 if (currentUserId < 0) {
492 return;
493 }
494 if (it->adminInfo_.runningMode_ == RunningMode::MULTI_USER) {
495 userId = currentUserId;
496 }
497 bool ret = manager->CreateAccountConnection(want, static_cast<uint32_t>(event), userId, accountId);
498 if (!ret) {
499 EDMLOGW("EnterpriseDeviceMgrAbility CreateAccountConnection failed.");
500 }
501 }
502 }
503 }
504
ConnectAbility(const int32_t accountId,std::shared_ptr<Admin> admin)505 void EnterpriseDeviceMgrAbility::ConnectAbility(const int32_t accountId, std::shared_ptr<Admin> admin)
506 {
507 AAFwk::Want want;
508 want.SetElementName(admin->adminInfo_.packageName_, admin->adminInfo_.className_);
509 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
510 bool ret = manager->CreateAdminConnection(want, IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, accountId, false);
511 if (!ret) {
512 EDMLOGW("EnterpriseDeviceMgrAbility::ConnectAbility CreateAdminConnection failed.");
513 }
514 }
515
ConnectAbilityOnSystemEvent(const std::string & bundleName,ManagedEvent event,int32_t userId)516 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemEvent(const std::string &bundleName,
517 ManagedEvent event, int32_t userId)
518 {
519 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
520 AdminManager::GetInstance()->GetAdminBySubscribeEvent(event, subAdmins);
521 if (subAdmins.empty()) {
522 EDMLOGW("Get subscriber by common event failed.");
523 return;
524 }
525 AAFwk::Want want;
526 for (const auto &subAdmin : subAdmins) {
527 for (const auto &it : subAdmin.second) {
528 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
529 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
530 int32_t currentUserId = subAdmin.first;
531 int32_t tmpUserId = GetCurrentUserId();
532 if (it->adminInfo_.runningMode_ == RunningMode::MULTI_USER && tmpUserId >= 0) {
533 currentUserId = tmpUserId;
534 }
535 bool ret = manager->CreateBundleConnection(
536 want, static_cast<uint32_t>(event), currentUserId, bundleName, userId);
537 if (!ret) {
538 EDMLOGW("EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemEvent CreateBundleConnection failed.");
539 }
540 }
541 }
542 }
543
NotifyAdminEnabled(bool isEnabled)544 void EnterpriseDeviceMgrAbility::NotifyAdminEnabled(bool isEnabled)
545 {
546 EDMLOGI("EnterpriseDeviceMgrAbility notify admin enabled: %{public}d.", isEnabled);
547 AAFwk::Want want;
548 if (isEnabled) {
549 want.SetAction(EDM_ADMIN_ENABLED_EVENT);
550 } else {
551 want.SetAction(EDM_ADMIN_DISABLED_EVENT);
552 }
553 EventFwk::CommonEventData eventData;
554 eventData.SetWant(want);
555 if (!EventFwk::CommonEventManager::PublishCommonEvent(eventData)) {
556 EDMLOGE("EnterpriseDeviceMgrAbility notify admin enabled failed.");
557 }
558 }
559
GetInstance()560 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::GetInstance()
561 {
562 if (instance_ == nullptr) {
563 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
564 if (instance_ == nullptr) {
565 EDMLOGD("EnterpriseDeviceMgrAbility:GetInstance instance = new EnterpriseDeviceMgrAbility()");
566 instance_ = new (std::nothrow) EnterpriseDeviceMgrAbility();
567 }
568 }
569 return instance_;
570 }
571
EnterpriseDeviceMgrAbility()572 EnterpriseDeviceMgrAbility::EnterpriseDeviceMgrAbility() : SystemAbility(ENTERPRISE_DEVICE_MANAGER_SA_ID, true)
573 {
574 EDMLOGI("EnterpriseDeviceMgrAbility:new instance");
575 }
576
~EnterpriseDeviceMgrAbility()577 EnterpriseDeviceMgrAbility::~EnterpriseDeviceMgrAbility()
578 {
579 instance_ = nullptr;
580
581 if (AdminManager::GetInstance()) {
582 AdminManager::GetInstance().reset();
583 }
584
585 if (PluginManager::GetInstance()) {
586 PluginManager::GetInstance().reset();
587 }
588
589 if (policyMgr_) {
590 policyMgr_.reset();
591 }
592 EDMLOGD("instance is destroyed");
593 }
594
Dump(int32_t fd,const std::vector<std::u16string> & args)595 int32_t EnterpriseDeviceMgrAbility::Dump(int32_t fd, const std::vector<std::u16string> &args)
596 {
597 EDMLOGI("EnterpriseDeviceMgrAbility::Dump");
598 if (fd < 0) {
599 EDMLOGE("Dump fd invalid");
600 return ERR_EDM_DUMP_FAILED;
601 }
602 std::string result;
603 result.append("Ohos enterprise device manager service: \n");
604 std::vector<std::string> enabledAdminList;
605 GetEnabledAdmin(AdminType::NORMAL, enabledAdminList);
606 if (enabledAdminList.empty()) {
607 result.append("There is no admin enabled\n");
608 } else {
609 result.append("Enabled admin exist :\n");
610 for (const auto &enabledAdmin : enabledAdminList) {
611 result.append(enabledAdmin);
612 result.append("\n");
613 }
614 }
615 int32_t ret = dprintf(fd, "%s", result.c_str());
616 if (ret < 0) {
617 EDMLOGE("dprintf to dump fd failed");
618 return ERR_EDM_DUMP_FAILED;
619 }
620 return ERR_OK;
621 }
622
OnStart()623 void EnterpriseDeviceMgrAbility::OnStart()
624 {
625 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
626 EDMLOGD("EnterpriseDeviceMgrAbility::OnStart() Publish");
627 InitAllAdmins();
628 InitAllPolices();
629 RemoveAllDebugAdmin();
630 if (!registerToService_) {
631 if (!Publish(this)) {
632 EDMLOGE("EnterpriseDeviceMgrAbility: res == false");
633 return;
634 }
635 registerToService_ = true;
636 }
637 WatermarkObserverManager::GetInstance();
638 AddOnAddSystemAbilityFuncMap();
639 AddSystemAbilityListeners();
640 CheckAndUpdateByodSettingsData();
641 }
642
CheckAndUpdateByodSettingsData()643 void EnterpriseDeviceMgrAbility::CheckAndUpdateByodSettingsData()
644 {
645 if (AdminManager::GetInstance()->IsByodAdminExist()) {
646 EDMLOGD("CheckAndUpdateByodSettingsData:byod exist.");
647 std::string data = "false";
648 EdmDataAbilityUtils::GetStringFromSettingsDataShare(KEY_EDM_DISPLAY, data);
649 if (data == "false") {
650 EdmDataAbilityUtils::UpdateSettingsData(KEY_EDM_DISPLAY, "true");
651 }
652 }
653 }
654
InitAllAdmins()655 void EnterpriseDeviceMgrAbility::InitAllAdmins()
656 {
657 AdminManager::GetInstance()->Init();
658 EDMLOGD("create AdminManager::GetInstance() success");
659 }
660
InitAllPolices()661 void EnterpriseDeviceMgrAbility::InitAllPolices()
662 {
663 if (!policyMgr_) {
664 policyMgr_ = std::make_shared<PolicyManager>();
665 IPolicyManager::policyManagerInstance_ = policyMgr_.get();
666 }
667 std::vector<int32_t> userIds;
668 auto devicePolicies = DevicePoliciesStorageRdb::GetInstance();
669 if (devicePolicies == nullptr) {
670 EDMLOGW("OnAddSystemAbility::InitAllPolices:get rdbStore failed.");
671 return;
672 }
673 EDMLOGI("InitAllPolices userIds size %{public}zu", userIds.size());
674 devicePolicies->QueryAllUserId(userIds);
675 policyMgr_->Init(userIds);
676 }
677
RemoveAllDebugAdmin()678 void EnterpriseDeviceMgrAbility::RemoveAllDebugAdmin()
679 {
680 bool isDebug = system::GetBoolParameter(DEVELOP_MODE_STATE, false);
681 if (!isDebug) {
682 std::vector<std::shared_ptr<Admin>> userAdmin;
683 AdminManager::GetInstance()->GetAdminByUserId(EdmConstants::DEFAULT_USER_ID, userAdmin);
684 for (const auto &item: userAdmin) {
685 if (item->adminInfo_.isDebug_) {
686 EDMLOGD("remove debug admin %{public}s", item->adminInfo_.packageName_.c_str());
687 RemoveSuperAdminAndAdminPolicy(item->adminInfo_.packageName_);
688 }
689 }
690 }
691 }
692
AddSystemAbilityListeners()693 void EnterpriseDeviceMgrAbility::AddSystemAbilityListeners()
694 {
695 AddSystemAbilityListener(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
696 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
697 AddSystemAbilityListener(APP_MGR_SERVICE_ID);
698 AddSystemAbilityListener(ABILITY_MGR_SERVICE_ID);
699 AddSystemAbilityListener(SUBSYS_USERIAM_SYS_ABILITY_USERAUTH);
700 AddSystemAbilityListener(WINDOW_MANAGER_SERVICE_ID);
701 #ifdef PASTEBOARD_EDM_ENABLE
702 AddSystemAbilityListener(PASTEBOARD_SERVICE_ID);
703 #endif
704 #ifdef NET_MANAGER_BASE_EDM_ENABLE
705 AddSystemAbilityListener(COMM_NET_POLICY_MANAGER_SYS_ABILITY_ID);
706 #endif
707 #ifdef USB_EDM_ENABLE
708 AddSystemAbilityListener(USB_SYSTEM_ABILITY_ID);
709 #endif
710 AddSystemAbilityListener(RENDER_SERVICE);
711 #ifdef MOBILE_DATA_ENABLE
712 AddSystemAbilityListener(TELEPHONY_CALL_MANAGER_SYS_ABILITY_ID);
713 #endif
714 }
715
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)716 void EnterpriseDeviceMgrAbility::OnAddSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
717 {
718 EDMLOGD("OnAddSystemAbility systemAbilityId:%{public}d added!", systemAbilityId);
719 auto func = addSystemAbilityFuncMap_.find(systemAbilityId);
720 if (func != addSystemAbilityFuncMap_.end()) {
721 auto memberFunc = func->second;
722 if (memberFunc != nullptr) {
723 return memberFunc(this, systemAbilityId, deviceId);
724 }
725 }
726 }
727
OnAppManagerServiceStart()728 void EnterpriseDeviceMgrAbility::OnAppManagerServiceStart()
729 {
730 EDMLOGI("OnAppManagerServiceStart");
731 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
732 AdminManager::GetInstance()->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
733 AdminManager::GetInstance()->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
734 if (!subAdmins.empty()) {
735 EDMLOGI("the admin that listened the APP_START or APP_STOP event is existed");
736 SubscribeAppState();
737 }
738 }
739
OnAbilityManagerServiceStart()740 void EnterpriseDeviceMgrAbility::OnAbilityManagerServiceStart()
741 {
742 EDMLOGI("OnAbilityManagerServiceStart");
743 ConnectEnterpriseAbility();
744 }
745
ConnectEnterpriseAbility()746 void EnterpriseDeviceMgrAbility::ConnectEnterpriseAbility()
747 {
748 auto superAdmin = AdminManager::GetInstance()->GetSuperAdmin();
749 if (superAdmin != nullptr && !hasConnect_) {
750 hasConnect_ = OnAdminEnabled(superAdmin->adminInfo_.packageName_, superAdmin->adminInfo_.className_,
751 IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, EdmConstants::DEFAULT_USER_ID, false);
752 }
753 }
754
CallOnOtherServiceStart(uint32_t interfaceCode)755 void EnterpriseDeviceMgrAbility::CallOnOtherServiceStart(uint32_t interfaceCode)
756 {
757 CallOnOtherServiceStart(interfaceCode, INVALID_SYSTEM_ABILITY_ID);
758 }
759
CallOnOtherServiceStart(uint32_t interfaceCode,int32_t systemAbilityId)760 void EnterpriseDeviceMgrAbility::CallOnOtherServiceStart(uint32_t interfaceCode, int32_t systemAbilityId)
761 {
762 EDMLOGI("EnterpriseDeviceMgrAbility::CallOnOtherServiceStart %{public}d", interfaceCode);
763 auto ret = PluginManager::GetInstance()->LoadPluginByCode(interfaceCode);
764 if (ret != ERR_OK) {
765 return;
766 }
767 auto plugin = PluginManager::GetInstance()->GetPluginByCode(interfaceCode);
768 if (plugin == nullptr) {
769 EDMLOGE("get Plugin fail %{public}d", interfaceCode);
770 return;
771 }
772 plugin->OnOtherServiceStart(systemAbilityId);
773 }
774
OnCommonEventServiceStart()775 void EnterpriseDeviceMgrAbility::OnCommonEventServiceStart()
776 {
777 #ifdef COMMON_EVENT_SERVICE_EDM_ENABLE
778 commonEventSubscriber = CreateEnterpriseDeviceEventSubscriber(*this);
779 EventFwk::CommonEventManager::SubscribeCommonEvent(this->commonEventSubscriber);
780 EDMLOGI("create commonEventSubscriber success");
781
782 EventFwk::MatchingSkills skill = EventFwk::MatchingSkills();
783 skill.AddEvent(SYSTEM_UPDATE_FOR_POLICY);
784 EDMLOGI("CreateEnterpriseDeviceEventSubscriber AddEvent: %{public}s", SYSTEM_UPDATE_FOR_POLICY.c_str());
785 EventFwk::CommonEventSubscribeInfo info(skill);
786 info.SetPermission(PERMISSION_UPDATE_SYSTEM);
787 EventFwk::CommonEventManager::SubscribeCommonEvent(std::make_shared<EnterpriseDeviceEventSubscriber>(info, *this));
788 #else
789 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventServiceStart Unsupported Capabilities.");
790 return;
791 #endif
792 }
793
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)794 void EnterpriseDeviceMgrAbility::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string &deviceId) {}
795
OnStop()796 void EnterpriseDeviceMgrAbility::OnStop()
797 {
798 PluginManager::GetInstance()->NotifyUnloadAllPlugin();
799 }
800
GetBundleMgr()801 std::shared_ptr<IEdmBundleManager> EnterpriseDeviceMgrAbility::GetBundleMgr()
802 {
803 return GetExternalManagerFactory()->CreateBundleManager();
804 }
805
GetAppMgr()806 std::shared_ptr<IEdmAppManager> EnterpriseDeviceMgrAbility::GetAppMgr()
807 {
808 return GetExternalManagerFactory()->CreateAppManager();
809 }
810
GetOsAccountMgr()811 std::shared_ptr<IEdmOsAccountManager> EnterpriseDeviceMgrAbility::GetOsAccountMgr()
812 {
813 return GetExternalManagerFactory()->CreateOsAccountManager();
814 }
815
GetPermissionChecker()816 std::shared_ptr<PermissionChecker> EnterpriseDeviceMgrAbility::GetPermissionChecker()
817 {
818 return PermissionChecker::GetInstance();
819 }
820
SubscribeAppState()821 bool EnterpriseDeviceMgrAbility::SubscribeAppState()
822 {
823 if (appStateObserver_) {
824 EDMLOGD("appStateObserver has subscribed");
825 return true;
826 }
827 appStateObserver_ = new (std::nothrow) ApplicationStateObserver(*this);
828 if (!appStateObserver_) {
829 EDMLOGE("new ApplicationStateObserver failed");
830 return false;
831 }
832 if (GetAppMgr()->RegisterApplicationStateObserver(appStateObserver_)) {
833 EDMLOGE("RegisterApplicationStateObserver fail!");
834 appStateObserver_.clear();
835 appStateObserver_ = nullptr;
836 return false;
837 }
838 return true;
839 }
840
UnsubscribeAppState()841 bool EnterpriseDeviceMgrAbility::UnsubscribeAppState()
842 {
843 if (!appStateObserver_) {
844 EDMLOGD("appStateObserver has subscribed");
845 return true;
846 }
847 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
848 AdminManager::GetInstance()->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
849 AdminManager::GetInstance()->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
850 if (!subAdmins.empty()) {
851 return true;
852 }
853 if (GetAppMgr()->UnregisterApplicationStateObserver(appStateObserver_)) {
854 EDMLOGE("UnregisterApplicationStateObserver fail!");
855 return false;
856 }
857 appStateObserver_.clear();
858 appStateObserver_ = nullptr;
859 return true;
860 }
861
VerifyEnableAdminCondition(const AppExecFwk::ElementName & admin,AdminType type,int32_t userId,bool isDebug)862 ErrCode EnterpriseDeviceMgrAbility::VerifyEnableAdminCondition(const AppExecFwk::ElementName &admin, AdminType type,
863 int32_t userId, bool isDebug)
864 {
865 if ((type == AdminType::ENT || type == AdminType::BYOD) && userId != DEFAULT_USER_ID) {
866 EDMLOGW("EnableAdmin: Super or byod admin can only be enabled in default user.");
867 return ERR_EDM_ADD_ADMIN_FAILED;
868 }
869
870 if (type != AdminType::ENT && system::GetBoolParameter(PARAM_SECURITY_MODE, false)) {
871 EDMLOGW("EnableAdmin: The current mode is not supported.");
872 return ERR_EDM_ADD_ADMIN_FAILED;
873 }
874
875 if (isDebug && AdminManager::GetInstance()->IsSuperAdminExist()) {
876 EDMLOGW("EnableAdmin: An official super admin exsit, cannot enable another debug admin");
877 return ERR_EDM_ADD_ADMIN_FAILED;
878 }
879
880 if (VerifyEnableAdminConditionCheckExistAdmin(admin, type, userId, isDebug) != ERR_OK) {
881 return ERR_EDM_ADD_ADMIN_FAILED;
882 }
883 return ERR_OK;
884 }
885
VerifyEnableAdminConditionCheckExistAdmin(const AppExecFwk::ElementName & admin,AdminType type,int32_t userId,bool isDebug)886 ErrCode EnterpriseDeviceMgrAbility::VerifyEnableAdminConditionCheckExistAdmin(const AppExecFwk::ElementName &admin,
887 AdminType type, int32_t userId, bool isDebug)
888 {
889 std::shared_ptr<Admin> existAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
890 if (existAdmin != nullptr) {
891 if (type == AdminType::BYOD && existAdmin->GetAdminType() != AdminType::BYOD) {
892 EDMLOGW("EnableAdmin: a byod admin can't be enabled when alreadly enabled other admin.");
893 return ERR_EDM_ADD_ADMIN_FAILED;
894 }
895 if (type != AdminType::BYOD && existAdmin->GetAdminType() == AdminType::BYOD) {
896 EDMLOGW("EnableAdmin: a admin can't be enabled when alreadly enabled byod admin.");
897 return ERR_EDM_ADD_ADMIN_FAILED;
898 }
899 if (existAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN ||
900 existAdmin->GetAdminType() == AdminType::VIRTUAL_ADMIN) {
901 EDMLOGW("EnableAdmin: sub-super admin can not be enabled as a normal or super admin.");
902 return ERR_EDM_ADD_ADMIN_FAILED;
903 }
904 if (existAdmin->GetAdminType() == AdminType::ENT && type != AdminType::ENT) {
905 EDMLOGW("EnableAdmin: an exist super admin can't be enabled twice with different role or user id.");
906 return ERR_EDM_ADD_ADMIN_FAILED;
907 }
908 if (isDebug != existAdmin->adminInfo_.isDebug_) {
909 EDMLOGW("EnableAdmin: debug parameter can not be changed.");
910 return ERR_EDM_ADD_ADMIN_FAILED;
911 }
912 /* An application can't be enabled twice with different ability name */
913 if (existAdmin->adminInfo_.className_ != admin.GetAbilityName()) {
914 EDMLOGW("EnableAdmin: There is another admin ability enabled with the same package name.");
915 return ERR_EDM_ADD_ADMIN_FAILED;
916 }
917 return ERR_OK;
918 }
919 if (!isDebug && type == AdminType::BYOD && AdminManager::GetInstance()->IsAdminExist()) {
920 EDMLOGW("EnableAdmin: byod admin not allowd enable when another admin enabled.");
921 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
922 }
923 if (!isDebug && type != AdminType::BYOD && AdminManager::GetInstance()->IsByodAdminExist()) {
924 EDMLOGW("EnableAdmin: other admin not allowd enable when byod admin enabled.");
925 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
926 }
927 return ERR_OK;
928 }
929
CheckReplaceAdmins(const AppExecFwk::ElementName & oldAdmin,const AppExecFwk::ElementName & newAdmin,std::vector<AppExecFwk::ExtensionAbilityInfo> & abilityInfo,std::vector<std::string> & permissionList)930 ErrCode EnterpriseDeviceMgrAbility::CheckReplaceAdmins(const AppExecFwk::ElementName &oldAdmin,
931 const AppExecFwk::ElementName &newAdmin, std::vector<AppExecFwk::ExtensionAbilityInfo> &abilityInfo,
932 std::vector<std::string> &permissionList)
933 {
934 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
935 if (!GetPermissionChecker()->VerifyCallingPermission(tokenId,
936 EdmPermission::PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
937 EDMLOGW("EnterpriseDeviceMgrAbility::ReplaceSuperAdmin check permission failed");
938 return EdmReturnErrCode::PERMISSION_DENIED;
939 }
940
941 auto edmAdmin = AdminManager::GetInstance()->GetSuperAdmin();
942 if (edmAdmin == nullptr || edmAdmin->adminInfo_.packageName_ != oldAdmin.GetBundleName() ||
943 edmAdmin->adminInfo_.className_ != oldAdmin.GetAbilityName()) {
944 EDMLOGE("CheckReplaceAdmins param oldAdmin is not super admin");
945 return EdmReturnErrCode::ADMIN_INACTIVE;
946 }
947
948 AAFwk::Want want;
949 want.SetElement(newAdmin);
950 if (!GetBundleMgr()->QueryExtensionAbilityInfos(want, AppExecFwk::ExtensionAbilityType::ENTERPRISE_ADMIN,
951 AppExecFwk::ExtensionAbilityInfoFlag::GET_EXTENSION_INFO_WITH_PERMISSION, DEFAULT_USER_ID, abilityInfo) ||
952 abilityInfo.empty()) {
953 EDMLOGW("ReplaceSuperAdmin: QueryExtensionAbilityInfos_newAdmin failed");
954 return EdmReturnErrCode::COMPONENT_INVALID;
955 }
956
957 if (FAILED(VerifyEnableAdminCondition(newAdmin, AdminType::ENT, DEFAULT_USER_ID, false))) {
958 EDMLOGW("ReplaceSuperAdmin: VerifyEnableAdminCondition failed.");
959 return EdmReturnErrCode::REPLACE_ADMIN_FAILED;
960 }
961 if (FAILED(GetPermissionChecker()->GetAllPermissionsByAdmin(newAdmin.GetBundleName(), AdminType::ENT,
962 DEFAULT_USER_ID, permissionList))) {
963 EDMLOGW("ReplaceSuperAdmin: GetAllPermissionsByAdmin failed");
964 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
965 }
966 return ERR_OK;
967 }
968
AddDisallowUninstallApp(const std::string & bundleName,int32_t userId)969 ErrCode EnterpriseDeviceMgrAbility::AddDisallowUninstallApp(const std::string &bundleName, int32_t userId)
970 {
971 AppExecFwk::BundleInfo bundleInfo;
972 GetBundleMgr()->GetBundleInfo(bundleName, AppExecFwk::BundleFlag::GET_BUNDLE_WITH_ABILITIES,
973 bundleInfo, userId);
974 std::vector<std::string> data = {bundleInfo.appId};
975 if (FAILED(GetBundleMgr()->AddAppInstallControlRule(data,
976 AppExecFwk::AppInstallControlRuleType::DISALLOWED_UNINSTALL, userId))) {
977 EDMLOGE("EnterpriseDeviceMgrAbility::AddDisallowUninstallApp failed");
978 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
979 }
980 return ERR_OK;
981 }
982
DelDisallowUninstallApp(const std::string & bundleName)983 ErrCode EnterpriseDeviceMgrAbility::DelDisallowUninstallApp(const std::string &bundleName)
984 {
985 AppExecFwk::BundleInfo bundleInfo;
986 GetBundleMgr()->GetBundleInfo(bundleName, AppExecFwk::BundleFlag::GET_BUNDLE_WITH_ABILITIES,
987 bundleInfo, DEFAULT_USER_ID);
988 std::vector<std::string> data = {bundleInfo.appId};
989 if (FAILED(GetBundleMgr()->DeleteAppInstallControlRule(
990 AppExecFwk::AppInstallControlRuleType::DISALLOWED_UNINSTALL, data, DEFAULT_USER_ID))) {
991 EDMLOGE("EnterpriseDeviceMgrAbility::DelDisallowUninstallApp failed");
992 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
993 }
994 return ERR_OK;
995 }
996
HandleKeepPolicy(std::string & adminName,std::string & newAdminName,const Admin & edmAdmin,std::shared_ptr<Admin> adminPtr)997 ErrCode EnterpriseDeviceMgrAbility::HandleKeepPolicy(std::string &adminName, std::string &newAdminName,
998 const Admin &edmAdmin, std::shared_ptr<Admin> adminPtr)
999 {
1000 if (FAILED(AdminManager::GetInstance()->ReplaceSuperAdminByPackageName(adminName, edmAdmin))) {
1001 EDMLOGE("ReplaceSuperAdmin update Admin Policies Failed");
1002 return EdmReturnErrCode::REPLACE_ADMIN_FAILED;
1003 }
1004 std::string adminPolicyValue;
1005 policyMgr_->GetPolicy(adminName, PolicyName::POLICY_DISALLOWED_UNINSTALL_BUNDLES, adminPolicyValue);
1006 std::string combinedPolicyValue;
1007 policyMgr_->GetPolicy("", PolicyName::POLICY_DISALLOWED_UNINSTALL_BUNDLES, combinedPolicyValue);
1008
1009 if (FAILED(policyMgr_->ReplaceAllPolicy(DEFAULT_USER_ID, adminName, newAdminName))) {
1010 EDMLOGE("ReplaceSuperAdmin update device Policies Failed");
1011 AdminManager::GetInstance()->ReplaceSuperAdminByPackageName(newAdminName, *adminPtr);
1012 return EdmReturnErrCode::REPLACE_ADMIN_FAILED;
1013 }
1014 if (!adminPolicyValue.empty() && adminPolicyValue.find(adminName) != std::string::npos) {
1015 if (FAILED(DelDisallowUninstallApp(adminName))) {
1016 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1017 }
1018 if (FAILED(AddDisallowUninstallApp(newAdminName))) {
1019 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1020 }
1021 adminPolicyValue.replace(adminPolicyValue.find(adminName), adminName.length(), newAdminName);
1022 combinedPolicyValue.replace(combinedPolicyValue.find(adminName), adminName.length(), newAdminName);
1023 EDMLOGD("ReplaceSuperAdmin uninstall new admin policy value: %{public}s", adminPolicyValue.c_str());
1024 EDMLOGD("ReplaceSuperAdmin uninstall new combined policy value: %{public}s", combinedPolicyValue.c_str());
1025 if (FAILED(policyMgr_->SetPolicy(newAdminName, PolicyName::POLICY_DISALLOWED_UNINSTALL_BUNDLES,
1026 adminPolicyValue, combinedPolicyValue))) {
1027 EDMLOGE("ReplaceSuperAdmin update uninstall policy failed");
1028 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1029 }
1030 }
1031 EDMLOGD("ReportEdmEventManagerAdmin HandleKeepPolicy");
1032 HiSysEventAdapter::ReportEdmEventManagerAdmin(newAdminName.c_str(),
1033 static_cast<int32_t>(AdminAction::REPLACE),
1034 static_cast<int32_t>(AdminType::ENT), adminName.c_str());
1035 return ERR_OK;
1036 }
1037
ReplaceSuperAdmin(const AppExecFwk::ElementName & oldAdmin,const AppExecFwk::ElementName & newAdmin,bool keepPolicy)1038 ErrCode EnterpriseDeviceMgrAbility::ReplaceSuperAdmin(const AppExecFwk::ElementName &oldAdmin,
1039 const AppExecFwk::ElementName &newAdmin, bool keepPolicy)
1040 {
1041 EDMLOGD("ReplaceSuperAdmin: oldAdmin.bundlename %{public}s, oldAdmin.abilityname:%{public}s "
1042 "ReplaceSuperAdmin: newAdmin.bundlename %{public}s, newAdmin.abilityname:%{public}s",
1043 oldAdmin.GetBundleName().c_str(), oldAdmin.GetAbilityName().c_str(), newAdmin.GetBundleName().c_str(),
1044 newAdmin.GetAbilityName().c_str());
1045 std::vector<AppExecFwk::ExtensionAbilityInfo> abilityInfo;
1046 std::vector<std::string> permissionList;
1047 ErrCode ret = CheckReplaceAdmins(oldAdmin, newAdmin, abilityInfo, permissionList);
1048 if (FAILED(ret)) {
1049 EDMLOGE("ReplaceSuperAdmin: CheckReplaceAdmins failed");
1050 return ret;
1051 }
1052 auto superAdmin = AdminManager::GetInstance()->GetSuperAdmin();
1053 if (superAdmin->adminInfo_.runningMode_ == RunningMode::MULTI_USER) {
1054 EDMLOGE("multi user not support replace admin");
1055 return EdmReturnErrCode::REPLACE_ADMIN_FAILED;
1056 }
1057 std::string adminName = oldAdmin.GetBundleName();
1058 std::shared_ptr<Admin> adminPtr = AdminManager::GetInstance()->GetAdminByPkgName(adminName, DEFAULT_USER_ID);
1059 if (adminPtr == nullptr) {
1060 EDMLOGE("ReplaceSuperAdmin adminName is not admin");
1061 return EdmReturnErrCode::ADMIN_INACTIVE;
1062 }
1063 EntInfo entInfo = adminPtr->adminInfo_.entInfo_;
1064 Admin edmAdmin(abilityInfo.at(0), AdminType::ENT, entInfo, permissionList, false);
1065 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1066 if (keepPolicy) {
1067 std::string newAdminName = newAdmin.GetBundleName();
1068 HandleKeepPolicy(adminName, newAdminName, edmAdmin, adminPtr);
1069 } else {
1070 ErrCode res = DoDisableAdmin(adminName, DEFAULT_USER_ID, AdminType::ENT);
1071 if (res != ERR_OK) {
1072 EDMLOGE("ReplaceSuperAdmin: delete admin failed");
1073 return EdmReturnErrCode::REPLACE_ADMIN_FAILED;
1074 }
1075 if (FAILED(AdminManager::GetInstance()->SetAdminValue(DEFAULT_USER_ID, edmAdmin))) {
1076 EDMLOGE("EnableAdmin: SetAdminValue failed.");
1077 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
1078 }
1079 }
1080 system::SetParameter(PARAM_EDM_ENABLE, "true");
1081 NotifyAdminEnabled(true);
1082 OnAdminEnabled(newAdmin.GetBundleName(), newAdmin.GetAbilityName(), IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED,
1083 DEFAULT_USER_ID, true);
1084 EDMLOGI("EnableAdmin: SetAdminEnabled success %{public}s", newAdmin.GetBundleName().c_str());
1085
1086 EDMLOGD("ReportEdmEventManagerAdmin ReplaceSuperAdmin");
1087 HiSysEventAdapter::ReportEdmEventManagerAdmin(newAdmin.GetBundleName().c_str(),
1088 static_cast<int32_t>(AdminAction::REPLACE),
1089 static_cast<int32_t>(AdminType::ENT), oldAdmin.GetBundleName().c_str());
1090 return ERR_OK;
1091 }
1092
EnableAdmin(const AppExecFwk::ElementName & admin,const EntInfo & entInfo,AdminType type,int32_t userId)1093 ErrCode EnterpriseDeviceMgrAbility::EnableAdmin(
1094 const AppExecFwk::ElementName &admin, const EntInfo &entInfo, AdminType type, int32_t userId)
1095 {
1096 EDMLOGD("EnterpriseDeviceMgrAbility::EnableAdmin");
1097 if (type != AdminType::NORMAL && type != AdminType::ENT && type != AdminType::BYOD) {
1098 EDMLOGE("EnterpriseDeviceMgrAbility::EnableAdmin admin type is invalid.");
1099 return EdmReturnErrCode::PARAM_ERROR;
1100 }
1101 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1102 bool isDebug = GetPermissionChecker()->CheckIsDebug();
1103 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1104 if (!isDebug && !GetPermissionChecker()->VerifyCallingPermission(tokenId,
1105 EdmPermission::PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
1106 EDMLOGW("EnterpriseDeviceMgrAbility::EnableAdmin check permission failed");
1107 return EdmReturnErrCode::PERMISSION_DENIED;
1108 }
1109 std::vector<AppExecFwk::ExtensionAbilityInfo> abilityInfo;
1110 AAFwk::Want want;
1111 want.SetElement(admin);
1112 if (!GetBundleMgr()->QueryExtensionAbilityInfos(want, AppExecFwk::ExtensionAbilityType::ENTERPRISE_ADMIN,
1113 AppExecFwk::ExtensionAbilityInfoFlag::GET_EXTENSION_INFO_WITH_PERMISSION, userId, abilityInfo) ||
1114 abilityInfo.empty()) {
1115 EDMLOGW("EnableAdmin: QueryExtensionAbilityInfos failed");
1116 return EdmReturnErrCode::COMPONENT_INVALID;
1117 }
1118 if (FAILED(VerifyEnableAdminCondition(admin, type, userId, isDebug))) {
1119 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
1120 }
1121 std::shared_ptr<Admin> existAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
1122 if (!isDebug && type == AdminType::ENT && AdminManager::GetInstance()->IsSuperAdminExist()) {
1123 if ((existAdmin == nullptr) || existAdmin->adminInfo_.adminType_ != AdminType::ENT) {
1124 EDMLOGW("EnableAdmin: There is another super admin enabled.");
1125 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
1126 }
1127 }
1128 /* Get all request and registered permissions */
1129 PluginManager::GetInstance()->LoadAllPlugin();
1130 std::vector<std::string> permissionList;
1131 if (FAILED(GetPermissionChecker()->GetAllPermissionsByAdmin(admin.GetBundleName(), type, userId,
1132 permissionList))) {
1133 EDMLOGW("EnableAdmin: GetAllPermissionsByAdmin failed");
1134 return EdmReturnErrCode::COMPONENT_INVALID;
1135 }
1136 Admin edmAdmin(abilityInfo.at(0), type, entInfo, permissionList, isDebug);
1137 if (FAILED(AdminManager::GetInstance()->SetAdminValue(userId, edmAdmin))) {
1138 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
1139 }
1140 AfterEnableAdmin(admin, type, userId);
1141
1142 EDMLOGD("ReportEdmEventManagerAdmin EnableAdmin");
1143 HiSysEventAdapter::ReportEdmEventManagerAdmin(admin.GetBundleName().c_str(),
1144 static_cast<int32_t>(AdminAction::ENABLE), static_cast<int32_t>(type));
1145 return ERR_OK;
1146 }
1147
AfterEnableAdmin(const AppExecFwk::ElementName & admin,AdminType type,int32_t userId)1148 void EnterpriseDeviceMgrAbility::AfterEnableAdmin(const AppExecFwk::ElementName &admin, AdminType type, int32_t userId)
1149 {
1150 system::SetParameter(PARAM_EDM_ENABLE, "true");
1151 NotifyAdminEnabled(true);
1152 EDMLOGI("EnableAdmin suc.:%{public}s type:%{public}d", admin.GetBundleName().c_str(), static_cast<uint32_t>(type));
1153 OnAdminEnabled(admin.GetBundleName(), admin.GetAbilityName(), IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, userId,
1154 true);
1155 if (type != AdminType::NORMAL) {
1156 AddDisallowUninstallApp(admin.GetBundleName());
1157 EdmDataAbilityUtils::UpdateSettingsData(KEY_EDM_DISPLAY, "true");
1158 }
1159 }
1160
RemoveAdminItem(const std::string & adminName,const std::string & policyName,const std::string & policyValue,int32_t userId)1161 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminItem(const std::string &adminName, const std::string &policyName,
1162 const std::string &policyValue, int32_t userId)
1163 {
1164 PluginManager::GetInstance()->LoadAllPlugin();
1165 std::shared_ptr<IPlugin> plugin = PluginManager::GetInstance()->GetPluginByPolicyName(policyName);
1166 if (plugin == nullptr) {
1167 EDMLOGW("RemoveAdminItem: Get plugin by policy failed: %{public}s\n", policyName.c_str());
1168 return ERR_EDM_GET_PLUGIN_MGR_FAILED;
1169 }
1170 std::string mergedPolicyData;
1171 plugin->GetOthersMergePolicyData(adminName, userId, mergedPolicyData);
1172 ErrCode ret = plugin->OnAdminRemove(adminName, policyValue, mergedPolicyData, userId);
1173 if (ret != ERR_OK) {
1174 EDMLOGW("RemoveAdminItem: OnAdminRemove failed, admin:%{public}s, value:%{public}s, res:%{public}d\n",
1175 adminName.c_str(), policyValue.c_str(), ret);
1176 }
1177 if (plugin->NeedSavePolicy()) {
1178 ErrCode setRet = ERR_OK;
1179 std::unordered_map<std::string, std::string> adminListMap;
1180 ret = policyMgr_->GetAdminByPolicyName(policyName, adminListMap, userId);
1181 if ((ret == ERR_EDM_POLICY_NOT_FOUND) || adminListMap.empty()) {
1182 setRet = policyMgr_->SetPolicy("", policyName, "", "", userId);
1183 } else {
1184 setRet = policyMgr_->SetPolicy(adminName, policyName, "", mergedPolicyData, userId);
1185 }
1186
1187 if (FAILED(setRet)) {
1188 EDMLOGW("RemoveAdminItem: DeleteAdminPolicy failed, admin:%{public}s, policy:%{public}s, res:%{public}d\n",
1189 adminName.c_str(), policyName.c_str(), ret);
1190 return ERR_EDM_DEL_ADMIN_FAILED;
1191 }
1192 }
1193 plugin->OnAdminRemoveDone(adminName, policyValue, userId);
1194 return ERR_OK;
1195 }
1196
RemoveAdminAndAdminPolicy(const std::string & adminName,int32_t userId)1197 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminAndAdminPolicy(const std::string &adminName, int32_t userId)
1198 {
1199 EDMLOGD("RemoveAdminAndAdminPolicy:admin: %{public}s.", adminName.c_str());
1200 ErrCode removeAdminPolicyRet = RemoveAdminPolicy(adminName, userId);
1201 if (FAILED(removeAdminPolicyRet)) {
1202 EDMLOGE("Remove admin %{public}s policy fail.", adminName.c_str());
1203 return removeAdminPolicyRet;
1204 }
1205
1206 ErrCode removeAdminRet = RemoveAdmin(adminName, userId);
1207 if (FAILED(removeAdminRet)) {
1208 EDMLOGE("Remove admin %{public}s fail.", adminName.c_str());
1209 return removeAdminRet;
1210 }
1211 return ERR_OK;
1212 }
1213
RemoveAdmin(const std::string & adminName,int32_t userId)1214 ErrCode EnterpriseDeviceMgrAbility::RemoveAdmin(const std::string &adminName, int32_t userId)
1215 {
1216 bool shouldUnsubscribeAppState = ShouldUnsubscribeAppState(adminName, userId);
1217 auto ret = AdminManager::GetInstance()->DeleteAdmin(adminName, userId);
1218 if (ret != ERR_OK && ret != ERR_EDM_UNKNOWN_ADMIN) {
1219 return ERR_EDM_DEL_ADMIN_FAILED;
1220 }
1221 if (shouldUnsubscribeAppState) {
1222 UnsubscribeAppState();
1223 }
1224 return ERR_OK;
1225 }
1226
RemoveAdminPolicy(const std::string & adminName,int32_t userId)1227 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminPolicy(const std::string &adminName, int32_t userId)
1228 {
1229 std::unordered_map<std::string, std::string> policyItems;
1230 policyMgr_->GetAllPolicyByAdmin(adminName, policyItems, userId);
1231 for (const auto &policyItem : policyItems) {
1232 std::string policyItemName = policyItem.first;
1233 std::string policyItemValue = policyItem.second;
1234 EDMLOGD("RemoveAdminPolicy:policyName:%{public}s", policyItemName.c_str());
1235 if (RemoveAdminItem(adminName, policyItemName, policyItemValue, userId) != ERR_OK) {
1236 return ERR_EDM_DEL_ADMIN_FAILED;
1237 }
1238 }
1239 return ERR_OK;
1240 }
1241
RemoveSubSuperAdminAndAdminPolicy(const std::string & bundleName)1242 ErrCode EnterpriseDeviceMgrAbility::RemoveSubSuperAdminAndAdminPolicy(const std::string &bundleName)
1243 {
1244 std::vector<int32_t> userIds;
1245 policyMgr_->GetPolicyUserIds(userIds);
1246 return RemoveSubOrSuperAdminAndAdminPolicy(bundleName, userIds);
1247 }
1248
RemoveSuperAdminAndAdminPolicy(const std::string & bundleName)1249 ErrCode EnterpriseDeviceMgrAbility::RemoveSuperAdminAndAdminPolicy(const std::string &bundleName)
1250 {
1251 std::vector<int32_t> userIds;
1252 policyMgr_->GetPolicyUserIds(userIds);
1253 // remove sub-super admin
1254 std::vector<std::string> subAdmins;
1255 AdminManager::GetInstance()->GetSubSuperAdminsByParentName(bundleName, subAdmins);
1256 for (auto const &subAdminName : subAdmins) {
1257 if (RemoveSubOrSuperAdminAndAdminPolicy(subAdminName, userIds) != ERR_OK) {
1258 return ERR_EDM_DEL_ADMIN_FAILED;
1259 }
1260 }
1261 // remove super admin on other userid
1262 return RemoveSubOrSuperAdminAndAdminPolicy(bundleName, userIds);
1263 }
1264
RemoveSubOrSuperAdminAndAdminPolicy(const std::string & bundleName,const std::vector<int32_t> & nonDefaultUserIds)1265 ErrCode EnterpriseDeviceMgrAbility::RemoveSubOrSuperAdminAndAdminPolicy(const std::string &bundleName,
1266 const std::vector<int32_t> &nonDefaultUserIds)
1267 {
1268 // remove super admin on other userid
1269 for (auto const &userId : nonDefaultUserIds) {
1270 if (RemoveAdminAndAdminPolicy(bundleName, userId) != ERR_OK) {
1271 return ERR_EDM_DEL_ADMIN_FAILED;
1272 }
1273 }
1274 // remove super admin default userid
1275 return RemoveAdminAndAdminPolicy(bundleName, EdmConstants::DEFAULT_USER_ID);
1276 }
1277
ShouldUnsubscribeAppState(const std::string & adminName,int32_t userId)1278 bool EnterpriseDeviceMgrAbility::ShouldUnsubscribeAppState(const std::string &adminName, int32_t userId)
1279 {
1280 std::shared_ptr<Admin> adminPtr = AdminManager::GetInstance()->GetAdminByPkgName(adminName, userId);
1281 if (adminPtr == nullptr) {
1282 EDMLOGE("ShouldUnsubscribeAppState adminPtr null");
1283 return false;
1284 }
1285 return std::any_of(adminPtr->adminInfo_.managedEvents_.begin(), adminPtr->adminInfo_.managedEvents_.end(),
1286 [](ManagedEvent event) { return event == ManagedEvent::APP_START || event == ManagedEvent::APP_STOP; });
1287 }
1288
DisableAdmin(const AppExecFwk::ElementName & admin,int32_t userId)1289 ErrCode EnterpriseDeviceMgrAbility::DisableAdmin(const AppExecFwk::ElementName &admin, int32_t userId)
1290 {
1291 EDMLOGI("EnterpriseDeviceMgrAbility::DisableAdmin");
1292 std::shared_ptr<Admin> deviceAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
1293 if (deviceAdmin == nullptr) {
1294 EDMLOGE("DisableAdmin: %{public}s is not activated", admin.GetBundleName().c_str());
1295 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1296 }
1297 AdminType adminType = deviceAdmin->GetAdminType();
1298 if (adminType == AdminType::ENT || adminType == AdminType::BYOD) {
1299 userId = DEFAULT_USER_ID;
1300 }
1301 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1302 return DoDisableAdmin(admin.GetBundleName(), userId, adminType);
1303 }
1304
DisableSuperAdmin(const std::string & bundleName)1305 ErrCode EnterpriseDeviceMgrAbility::DisableSuperAdmin(const std::string &bundleName)
1306 {
1307 EDMLOGI("EnterpriseDeviceMgrAbility::DisableSuperAdmin bundle name = %{public}s", bundleName.c_str());
1308 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1309 return DoDisableAdmin(bundleName, DEFAULT_USER_ID, AdminType::ENT);
1310 }
1311
CheckDisableAdmin(const std::string & bundleName,AdminType adminType,bool isDebug)1312 bool EnterpriseDeviceMgrAbility::CheckDisableAdmin(const std::string &bundleName, AdminType adminType, bool isDebug)
1313 {
1314 if (isDebug) {
1315 return true;
1316 }
1317 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1318 if (GetPermissionChecker()->VerifyCallingPermission(tokenId,
1319 EdmPermission::PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
1320 return true;
1321 }
1322 Security::AccessToken::HapTokenInfo hapTokenInfo;
1323 if (FAILED(Security::AccessToken::AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfo))) {
1324 EDMLOGE("DoDisableAdmin GetHapTokenInfo failed.");
1325 return false;
1326 }
1327 if (adminType == AdminType::BYOD && GetPermissionChecker()->VerifyCallingPermission(tokenId,
1328 PERMISSION_GET_ADMINPROVISION_INFO) && hapTokenInfo.bundleName == bundleName) {
1329 return true;
1330 }
1331 return false;
1332 }
1333
1334 // non-thread-safe function
DoDisableAdmin(const std::string & bundleName,int32_t userId,AdminType adminType)1335 ErrCode EnterpriseDeviceMgrAbility::DoDisableAdmin(const std::string &bundleName, int32_t userId, AdminType adminType)
1336 {
1337 bool isDebug = GetPermissionChecker()->CheckIsDebug();
1338 if (!CheckDisableAdmin(bundleName, adminType, isDebug)) {
1339 EDMLOGW("DoDisableAdmin::DisableSuperAdmin or DisableByodAdmin check permission failed.");
1340 return EdmReturnErrCode::PERMISSION_DENIED;
1341 }
1342 std::shared_ptr<Admin> admin = AdminManager::GetInstance()->GetAdminByPkgName(bundleName, userId);
1343 if (admin == nullptr) {
1344 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1345 }
1346 if (isDebug && !admin->adminInfo_.isDebug_) {
1347 EDMLOGW("DoDisableAdmin: shell command can only remove debug super admin.");
1348 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1349 }
1350 if (admin->adminInfo_.adminType_ != adminType) {
1351 EDMLOGW("DoDisableAdmin: only remove the certain admin.");
1352 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1353 }
1354 if (adminType == AdminType::ENT && FAILED(RemoveSuperAdminAndAdminPolicy(bundleName))) {
1355 EDMLOGW("DoDisableAdmin: remove admin failed.");
1356 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1357 } else if ((adminType == AdminType::NORMAL || adminType == AdminType::BYOD) &&
1358 FAILED(RemoveAdminAndAdminPolicy(bundleName, userId))) {
1359 EDMLOGW("DoDisableAdmin: disable normal or byod admin failed.");
1360 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1361 }
1362 if (!AdminManager::GetInstance()->IsAdminExist()) {
1363 system::SetParameter(PARAM_EDM_ENABLE, "false");
1364 NotifyAdminEnabled(false);
1365 }
1366 OnAdminEnabled(admin->adminInfo_.packageName_, admin->adminInfo_.className_,
1367 IEnterpriseAdmin::COMMAND_ON_ADMIN_DISABLED, userId, true);
1368 if (adminType != AdminType::NORMAL) {
1369 DelDisallowUninstallApp(bundleName);
1370 EdmDataAbilityUtils::UpdateSettingsData(KEY_EDM_DISPLAY, "false");
1371 }
1372
1373 EDMLOGD("ReportEdmEventManagerAdmin DisableAdmin");
1374 HiSysEventAdapter::ReportEdmEventManagerAdmin(bundleName.c_str(),
1375 static_cast<int32_t>(AdminAction::DISABLE), static_cast<int32_t>(adminType));
1376 return ERR_OK;
1377 }
1378
IsSuperAdmin(const std::string & bundleName,bool & isSuper)1379 ErrCode EnterpriseDeviceMgrAbility::IsSuperAdmin(const std::string &bundleName, bool &isSuper)
1380 {
1381 isSuper = AdminManager::GetInstance()->IsSuperAdmin(bundleName);
1382 return ERR_OK;
1383 }
1384
IsByodAdmin(const AppExecFwk::ElementName & admin,bool & isByod)1385 ErrCode EnterpriseDeviceMgrAbility::IsByodAdmin(const AppExecFwk::ElementName &admin, bool &isByod)
1386 {
1387 EDMLOGI("EnterpriseDeviceMgrAbility::IsByodAdmin calling.");
1388 isByod = false;
1389 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1390 if (!GetPermissionChecker()->VerifyCallingPermission(tokenId, PERMISSION_GET_ADMINPROVISION_INFO)) {
1391 EDMLOGE("IsByodAdmin::VerifyCallingPermission check permission failed.");
1392 return EdmReturnErrCode::PERMISSION_DENIED;
1393 }
1394 Security::AccessToken::HapTokenInfo hapTokenInfo;
1395 std::string bundleName = admin.GetBundleName();
1396 if (FAILED(Security::AccessToken::AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfo)) ||
1397 hapTokenInfo.bundleName != bundleName) {
1398 EDMLOGE("IsByodAdmin::calling bundleName is not input bundleName.");
1399 return EdmReturnErrCode::PARAMETER_VERIFICATION_FAILED;
1400 }
1401 isByod = AdminManager::GetInstance()->IsByodAdmin(bundleName, GetCurrentUserId());
1402 return ERR_OK;
1403 }
1404
IsAdminEnabled(const AppExecFwk::ElementName & admin,int32_t userId,bool & isEnabled)1405 ErrCode EnterpriseDeviceMgrAbility::IsAdminEnabled(
1406 const AppExecFwk::ElementName &admin, int32_t userId, bool &isEnabled)
1407 {
1408 std::shared_ptr<Admin> existAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
1409 if (existAdmin != nullptr) {
1410 EDMLOGD("IsAdminEnabled: get admin successed");
1411 isEnabled = true;
1412 } else {
1413 isEnabled = false;
1414 }
1415 return ERR_OK;
1416 }
1417
GetCurrentUserId()1418 int32_t EnterpriseDeviceMgrAbility::GetCurrentUserId()
1419 {
1420 std::vector<int32_t> ids;
1421 ErrCode ret = GetOsAccountMgr()->QueryActiveOsAccountIds(ids);
1422 if (FAILED(ret) || ids.empty()) {
1423 EDMLOGE("EnterpriseDeviceMgrAbility GetCurrentUserId failed");
1424 return -1;
1425 }
1426 EDMLOGD("EnterpriseDeviceMgrAbility GetCurrentUserId");
1427 return (ids.at(0));
1428 }
1429
UpdateDevicePolicy(uint32_t code,const std::string & bundleName,MessageParcel & data,MessageParcel & reply,int32_t userId)1430 ErrCode EnterpriseDeviceMgrAbility::UpdateDevicePolicy(uint32_t code, const std::string &bundleName,
1431 MessageParcel &data, MessageParcel &reply, int32_t userId)
1432 {
1433 std::shared_ptr<IPlugin> plugin = PluginManager::GetInstance()->GetPluginByFuncCode(code);
1434 if (plugin == nullptr) {
1435 EDMLOGW("UpdateDevicePolicy: get plugin failed, code:%{public}d", code);
1436 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1437 }
1438
1439 std::string policyName = plugin->GetPolicyName();
1440 std::string oldCombinePolicy;
1441 policyMgr_->GetPolicy("", policyName, oldCombinePolicy, userId);
1442 HandlePolicyData handlePolicyData{"", "", false};
1443 policyMgr_->GetPolicy(bundleName, policyName, handlePolicyData.policyData, userId);
1444 plugin->GetOthersMergePolicyData(bundleName, userId, handlePolicyData.mergePolicyData);
1445 ErrCode ret = plugin->GetExecuteStrategy()->OnSetExecute(code, data, reply, handlePolicyData, userId);
1446 if (FAILED(ret)) {
1447 EDMLOGW("UpdateDevicePolicy: OnHandlePolicy failed");
1448 return ret;
1449 }
1450 EDMLOGD("UpdateDevicePolicy: isChanged:%{public}d, needSave:%{public}d", handlePolicyData.isChanged,
1451 plugin->NeedSavePolicy());
1452 bool isGlobalChanged = false;
1453 if (plugin->NeedSavePolicy() && handlePolicyData.isChanged) {
1454 policyMgr_->SetPolicy(bundleName, policyName, handlePolicyData.policyData, handlePolicyData.mergePolicyData,
1455 userId);
1456 isGlobalChanged = (oldCombinePolicy != handlePolicyData.mergePolicyData);
1457 }
1458 plugin->OnHandlePolicyDone(code, bundleName, isGlobalChanged, userId);
1459 EDMLOGI("UpdateDevicePolicy: handle policy success.");
1460 return ERR_OK;
1461 }
1462
HandleDevicePolicy(uint32_t code,AppExecFwk::ElementName & admin,MessageParcel & data,MessageParcel & reply,int32_t userId)1463 ErrCode EnterpriseDeviceMgrAbility::HandleDevicePolicy(uint32_t code, AppExecFwk::ElementName &admin,
1464 MessageParcel &data, MessageParcel &reply, int32_t userId)
1465 {
1466 auto loadRet = PluginManager::GetInstance()->LoadPluginByFuncCode(code);
1467 if (loadRet != ERR_OK) {
1468 return loadRet;
1469 }
1470 std::shared_ptr<IPlugin> plugin = PluginManager::GetInstance()->GetPluginByFuncCode(code);
1471 if (plugin == nullptr) {
1472 EDMLOGW("HandleDevicePolicy: get plugin failed, code:%{public}d", code);
1473 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1474 }
1475 #ifndef EDM_FUZZ_TEST
1476 bool isUserExist = false;
1477 GetOsAccountMgr()->IsOsAccountExists(userId, isUserExist);
1478 if (!isUserExist) {
1479 return EdmReturnErrCode::PARAM_ERROR;
1480 }
1481 ErrCode systemCalling = GetPermissionChecker()->CheckSystemCalling(plugin->GetApiType(FuncOperateType::SET), "");
1482 if (FAILED(systemCalling)) {
1483 return systemCalling;
1484 }
1485 EDMLOGI("HandleDevicePolicy: HandleDevicePolicy");
1486 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1487 std::shared_ptr<Admin> deviceAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(),
1488 GetCurrentUserId());
1489 if (deviceAdmin == nullptr) {
1490 EDMLOGE("HandleDevicePolicy: %{public}s is not activated", admin.GetBundleName().c_str());
1491 return EdmReturnErrCode::ADMIN_INACTIVE;
1492 }
1493 int uid = IPCSkeleton::GetCallingUid();
1494 std::string permissionTag = data.ReadString();
1495 if (uid != EDM_UID) {
1496 std::string setPermission = plugin->GetPermission(FuncOperateType::SET,
1497 GetPermissionChecker()->AdminTypeToPermissionType(deviceAdmin->GetAdminType()), permissionTag);
1498 EDMLOGD("HandleDevicePolicy: HandleDevicePolicy GetPermission = %{public}s", setPermission.c_str());
1499 ErrCode checkAdminPermission = GetPermissionChecker()->CheckHandlePolicyPermission(FuncOperateType::SET,
1500 admin.GetBundleName(), plugin->GetPolicyName(), setPermission, userId);
1501 if (FAILED(checkAdminPermission)) {
1502 return checkAdminPermission;
1503 }
1504 }
1505 #endif
1506 ReportFuncEvent(code);
1507 ErrCode ret = UpdateDevicePolicy(code, admin.GetBundleName(), data, reply, userId);
1508 ReportInfo info = ReportInfo(FuncCodeUtils::GetOperateType(code), plugin->GetPolicyName(), std::to_string(ret));
1509 SecurityReport::ReportSecurityInfo(admin.GetBundleName(), admin.GetAbilityName(), info, false);
1510 return ret;
1511 }
1512
ReportFuncEvent(uint32_t code)1513 void EnterpriseDeviceMgrAbility::ReportFuncEvent(uint32_t code)
1514 {
1515 std::uint32_t ipcCode = FuncCodeUtils::GetPolicyCode(code);
1516 std::string apiNameParam = std::to_string(ipcCode);
1517 HiSysEventAdapter::ReportEdmEvent(ReportType::EDM_FUNC_EVENT, apiNameParam);
1518 }
1519
GetDevicePolicy(uint32_t code,MessageParcel & data,MessageParcel & reply,int32_t userId,int32_t hasUserId)1520 ErrCode EnterpriseDeviceMgrAbility::GetDevicePolicy(uint32_t code, MessageParcel &data, MessageParcel &reply,
1521 int32_t userId, int32_t hasUserId)
1522 {
1523 if (hasUserId != 0) {
1524 bool isUserExist = false;
1525 GetOsAccountMgr()->IsOsAccountExists(userId, isUserExist);
1526 if (!isUserExist) {
1527 EDMLOGW("GetDevicePolicy: IsOsAccountExists failed");
1528 return EdmReturnErrCode::PARAM_ERROR;
1529 }
1530 }
1531
1532 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
1533 ErrCode errCode = PluginPolicyReader::GetInstance()->GetPolicyByCode(policyMgr_, code, data, reply, userId);
1534 if (errCode == EdmReturnErrCode::INTERFACE_UNSUPPORTED) {
1535 EDMLOGW("GetDevicePolicy: GetPolicyByCode INTERFACE_UNSUPPORTED");
1536 return errCode;
1537 }
1538 if (errCode == ERR_CANNOT_FIND_QUERY_FAILED) {
1539 return GetDevicePolicyFromPlugin(code, data, reply, userId);
1540 }
1541 EDMLOGI("policy query get finished");
1542 return errCode;
1543 }
1544
GetDevicePolicyFromPlugin(uint32_t code,MessageParcel & data,MessageParcel & reply,int32_t userId)1545 ErrCode EnterpriseDeviceMgrAbility::GetDevicePolicyFromPlugin(uint32_t code, MessageParcel &data, MessageParcel &reply,
1546 int32_t userId)
1547 {
1548 auto loadRet = PluginManager::GetInstance()->LoadPluginByFuncCode(code);
1549 if (loadRet != ERR_OK) {
1550 return loadRet;
1551 }
1552 std::shared_ptr<IPlugin> plugin = PluginManager::GetInstance()->GetPluginByFuncCode(code);
1553 if (plugin == nullptr) {
1554 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1555 }
1556 std::string permissionTag = data.ReadString();
1557 ErrCode systemCallingCheck = GetPermissionChecker()->CheckSystemCalling(
1558 plugin->GetApiType(FuncOperateType::GET), permissionTag);
1559 if (FAILED(systemCallingCheck)) {
1560 return systemCallingCheck;
1561 }
1562 AppExecFwk::ElementName elementName;
1563 // has admin
1564 if (data.ReadInt32() == 0) {
1565 ErrCode errCode = CheckGetPolicyParam(data, plugin, elementName, permissionTag, userId);
1566 if (errCode != ERR_OK) {
1567 return errCode;
1568 }
1569 } else {
1570 std::string getPermission = plugin->GetPermission(FuncOperateType::GET,
1571 IPlugin::PermissionType::SUPER_DEVICE_ADMIN, permissionTag);
1572 if (!PermissionChecker::GetInstance()->CheckElementNullPermission(code, getPermission)) {
1573 EDMLOGE("GetDevicePolicy: permission check failed");
1574 return EdmReturnErrCode::PERMISSION_DENIED;
1575 }
1576 }
1577 std::string policyName = plugin->GetPolicyName();
1578 std::string policyValue;
1579
1580 if (plugin->NeedSavePolicy()) {
1581 policyMgr_->GetPolicy(elementName.GetBundleName(), policyName, policyValue, userId);
1582 }
1583 ErrCode getRet = plugin->GetExecuteStrategy()->OnGetExecute(code, policyValue, data, reply, userId);
1584 ReportInfo info = ReportInfo(FuncCodeUtils::GetOperateType(code), plugin->GetPolicyName(), std::to_string(getRet));
1585 SecurityReport::ReportSecurityInfo(elementName.GetBundleName(), elementName.GetAbilityName(), info, true);
1586 return getRet;
1587 }
1588
CheckGetPolicyParam(MessageParcel & data,std::shared_ptr<IPlugin> & plugin,AppExecFwk::ElementName & elementName,const std::string & permissionTag,int32_t userId)1589 ErrCode EnterpriseDeviceMgrAbility::CheckGetPolicyParam(MessageParcel &data, std::shared_ptr<IPlugin> &plugin,
1590 AppExecFwk::ElementName &elementName, const std::string &permissionTag, int32_t userId)
1591 {
1592 std::unique_ptr<AppExecFwk::ElementName> admin(data.ReadParcelable<AppExecFwk::ElementName>());
1593 if (!admin) {
1594 EDMLOGW("GetDevicePolicy: ReadParcelable failed");
1595 return EdmReturnErrCode::PARAM_ERROR;
1596 }
1597 #ifndef EDM_FUZZ_TEST
1598 std::shared_ptr<Admin> deviceAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin->GetBundleName(),
1599 GetCurrentUserId());
1600 if (deviceAdmin == nullptr) {
1601 return EdmReturnErrCode::ADMIN_INACTIVE;
1602 }
1603 std::string getPermission = plugin->GetPermission(FuncOperateType::GET,
1604 GetPermissionChecker()->AdminTypeToPermissionType(deviceAdmin->GetAdminType()), permissionTag);
1605 ErrCode ret = GetPermissionChecker()->CheckHandlePolicyPermission(FuncOperateType::GET,
1606 admin->GetBundleName(), plugin->GetPolicyName(), getPermission, userId);
1607 if (FAILED(ret)) {
1608 return ret;
1609 }
1610 #endif
1611 elementName.SetBundleName(admin->GetBundleName());
1612 elementName.SetAbilityName(admin->GetAbilityName());
1613 return ERR_OK;
1614 }
1615
CheckAndGetAdminProvisionInfo(uint32_t code,MessageParcel & data,MessageParcel & reply,int32_t userId)1616 ErrCode EnterpriseDeviceMgrAbility::CheckAndGetAdminProvisionInfo(uint32_t code, MessageParcel &data,
1617 MessageParcel &reply, int32_t userId)
1618 {
1619 std::unique_ptr<AppExecFwk::ElementName> admin(data.ReadParcelable<AppExecFwk::ElementName>());
1620 if (!admin) {
1621 EDMLOGW("CheckAndGetAdminProvisionInfo: ReadParcelable failed");
1622 return EdmReturnErrCode::PARAM_ERROR;
1623 }
1624 EDMLOGD("CheckAndGetAdminProvisionInfo bundleName: %{public}s, abilityName : %{public}s ",
1625 admin->GetBundleName().c_str(), admin->GetAbilityName().c_str());
1626
1627 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1628 if (!GetPermissionChecker()->VerifyCallingPermission(tokenId, PERMISSION_GET_ADMINPROVISION_INFO)) {
1629 EDMLOGE("CheckAndGetAdminProvisionInfo::VerifyCallingPermission check permission failed.");
1630 return EdmReturnErrCode::PERMISSION_DENIED;
1631 }
1632 Security::AccessToken::HapTokenInfo hapTokenInfo;
1633 if (FAILED(Security::AccessToken::AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfo)) ||
1634 hapTokenInfo.bundleName != admin->GetBundleName()) {
1635 EDMLOGE("CheckAndGetAdminProvisionInfo::calling bundleName is not input bundleName.");
1636 return EdmReturnErrCode::PARAM_ERROR;
1637 }
1638 std::vector<AppExecFwk::ExtensionAbilityInfo> abilityInfo;
1639 AAFwk::Want want;
1640 want.SetElement(*admin);
1641 if (!GetBundleMgr()->QueryExtensionAbilityInfos(want, AppExecFwk::ExtensionAbilityType::ENTERPRISE_ADMIN,
1642 AppExecFwk::ExtensionAbilityInfoFlag::GET_EXTENSION_INFO_WITH_PERMISSION, userId, abilityInfo) ||
1643 abilityInfo.empty()) {
1644 EDMLOGW("CheckAndGetAdminProvisionInfo: QueryExtensionAbilityInfos failed");
1645 return EdmReturnErrCode::PARAM_ERROR;
1646 }
1647 auto loadRet = PluginManager::GetInstance()->LoadPluginByFuncCode(code);
1648 if (loadRet != ERR_OK) {
1649 return loadRet;
1650 }
1651 std::shared_ptr<IPlugin> plugin = PluginManager::GetInstance()->GetPluginByFuncCode(code);
1652 if (plugin == nullptr) {
1653 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1654 }
1655 if (AdminManager::GetInstance()->IsAdminExist()) {
1656 EDMLOGE("CheckAndGetAdminProvisionInfo::device exist admin.");
1657 return EdmReturnErrCode::PARAM_ERROR;
1658 }
1659 std::string policyValue;
1660 AppExecFwk::ElementName elementName;
1661 ErrCode getRet = plugin->GetExecuteStrategy()->OnGetExecute(code, policyValue, data, reply, userId);
1662 ReportInfo info = ReportInfo(FuncCodeUtils::GetOperateType(code), plugin->GetPolicyName(), std::to_string(getRet));
1663 SecurityReport::ReportSecurityInfo(elementName.GetBundleName(), elementName.GetAbilityName(), info, false);
1664 return getRet;
1665 }
1666
GetEnabledAdmin(AdminType adminType,std::vector<std::string> & enabledAdminList)1667 ErrCode EnterpriseDeviceMgrAbility::GetEnabledAdmin(AdminType adminType, std::vector<std::string> &enabledAdminList)
1668 {
1669 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
1670 std::vector<std::string> superList;
1671 std::vector<std::string> normalList;
1672 std::vector<std::string> byodList;
1673 switch (adminType) {
1674 case AdminType::NORMAL:
1675 AdminManager::GetInstance()->GetEnabledAdmin(AdminType::NORMAL, normalList, GetCurrentUserId());
1676 AdminManager::GetInstance()->GetEnabledAdmin(AdminType::ENT, superList, EdmConstants::DEFAULT_USER_ID);
1677 break;
1678 case AdminType::ENT:
1679 AdminManager::GetInstance()->GetEnabledAdmin(AdminType::ENT, superList, EdmConstants::DEFAULT_USER_ID);
1680 break;
1681 case AdminType::BYOD:
1682 AdminManager::GetInstance()->GetEnabledAdmin(AdminType::BYOD, byodList, EdmConstants::DEFAULT_USER_ID);
1683 break;
1684 case AdminType::UNKNOWN:
1685 break;
1686 default:
1687 return ERR_EDM_PARAM_ERROR;
1688 }
1689 if (!superList.empty()) {
1690 enabledAdminList.insert(enabledAdminList.begin(), superList.begin(), superList.end());
1691 }
1692 if (!normalList.empty()) {
1693 enabledAdminList.insert(enabledAdminList.begin(), normalList.begin(), normalList.end());
1694 }
1695 if (!byodList.empty()) {
1696 enabledAdminList.insert(enabledAdminList.begin(), byodList.begin(), byodList.end());
1697 }
1698 for (const auto &enabledAdmin : enabledAdminList) {
1699 EDMLOGD("GetEnabledAdmin: %{public}s", enabledAdmin.c_str());
1700 }
1701 return ERR_OK;
1702 }
1703
GetEnterpriseInfo(const AppExecFwk::ElementName & admin,EntInfo & entInfo)1704 ErrCode EnterpriseDeviceMgrAbility::GetEnterpriseInfo(const AppExecFwk::ElementName &admin, EntInfo &entInfo)
1705 {
1706 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
1707 auto adminItem = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1708 if (adminItem != nullptr && adminItem->GetAdminType() == AdminType::VIRTUAL_ADMIN) {
1709 EDMLOGE("GetEnterpriseInfo delegated admin does not have permission to get enterprise info.");
1710 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1711 }
1712 int32_t userId = (adminItem != nullptr && (adminItem->GetAdminType() == AdminType::ENT ||
1713 adminItem->GetAdminType() == AdminType::SUB_SUPER_ADMIN)) ? EdmConstants::DEFAULT_USER_ID : GetCurrentUserId();
1714 ErrCode code = AdminManager::GetInstance()->GetEntInfo(admin.GetBundleName(), entInfo, userId);
1715 if (code != ERR_OK) {
1716 return EdmReturnErrCode::ADMIN_INACTIVE;
1717 }
1718 EDMLOGD(
1719 "EnterpriseDeviceMgrAbility::GetEnterpriseInfo: entInfo->enterpriseName %{public}s, "
1720 "entInfo->description:%{public}s",
1721 entInfo.enterpriseName.c_str(), entInfo.description.c_str());
1722 return ERR_OK;
1723 }
1724
SetEnterpriseInfo(const AppExecFwk::ElementName & admin,const EntInfo & entInfo)1725 ErrCode EnterpriseDeviceMgrAbility::SetEnterpriseInfo(const AppExecFwk::ElementName &admin, const EntInfo &entInfo)
1726 {
1727 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1728 int32_t userId = GetCurrentUserId();
1729 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
1730 if (adminItem == nullptr) {
1731 return EdmReturnErrCode::ADMIN_INACTIVE;
1732 }
1733 ErrCode ret = GetPermissionChecker()->CheckCallerPermission(adminItem,
1734 EdmPermission::PERMISSION_SET_ENTERPRISE_INFO, false);
1735 if (FAILED(ret)) {
1736 return ret;
1737 }
1738 if (adminItem->GetAdminType() == AdminType::ENT || adminItem->GetAdminType() == AdminType::SUB_SUPER_ADMIN) {
1739 userId = EdmConstants::DEFAULT_USER_ID;
1740 }
1741 ErrCode code = AdminManager::GetInstance()->SetEntInfo(admin.GetBundleName(), entInfo, userId);
1742 return (code != ERR_OK) ? EdmReturnErrCode::ADMIN_INACTIVE : ERR_OK;
1743 }
1744
SetAdminRunningMode(const AppExecFwk::ElementName & admin,uint32_t runningMode)1745 ErrCode EnterpriseDeviceMgrAbility::SetAdminRunningMode(const AppExecFwk::ElementName &admin, uint32_t runningMode)
1746 {
1747 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1748 int32_t userId = GetCurrentUserId();
1749 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
1750 if (adminItem == nullptr) {
1751 return EdmReturnErrCode::ADMIN_INACTIVE;
1752 }
1753 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1754 if (!GetPermissionChecker()->VerifyCallingPermission(tokenId,
1755 EdmPermission::PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
1756 EDMLOGW("EnterpriseDeviceMgrAbility::SetAdminRunningMode check permission failed");
1757 return EdmReturnErrCode::PERMISSION_DENIED;
1758 }
1759 if (!CheckRunningMode(runningMode)) {
1760 return EdmReturnErrCode::PARAM_ERROR;
1761 }
1762 adminItem->adminInfo_.runningMode_ = static_cast<RunningMode>(runningMode);
1763 return AdminManager::GetInstance()->SetAdminValue(EdmConstants::DEFAULT_USER_ID, *adminItem);
1764 }
1765
CheckRunningMode(uint32_t runningMode)1766 bool EnterpriseDeviceMgrAbility::CheckRunningMode(uint32_t runningMode)
1767 {
1768 if (runningMode >= static_cast<uint32_t>(RunningMode::DEFAULT) &&
1769 runningMode <= static_cast<uint32_t>(RunningMode::MULTI_USER)) {
1770 return true;
1771 }
1772 return false;
1773 }
1774
HandleApplicationEvent(const std::vector<uint32_t> & events,bool subscribe)1775 ErrCode EnterpriseDeviceMgrAbility::HandleApplicationEvent(const std::vector<uint32_t> &events, bool subscribe)
1776 {
1777 bool shouldHandleAppState = std::any_of(events.begin(), events.end(), [](uint32_t event) {
1778 return event == static_cast<uint32_t>(ManagedEvent::APP_START) ||
1779 event == static_cast<uint32_t>(ManagedEvent::APP_STOP);
1780 });
1781 if (!shouldHandleAppState) {
1782 return ERR_OK;
1783 }
1784 if (subscribe) {
1785 return SubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1786 } else {
1787 return UnsubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1788 }
1789 }
1790
SubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1791 ErrCode EnterpriseDeviceMgrAbility::SubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1792 const std::vector<uint32_t> &events)
1793 {
1794 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1795 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1796 RETURN_IF_FAILED(HandleApplicationEvent(events, true));
1797 int32_t userId = AdminManager::GetInstance()->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ?
1798 EdmConstants::DEFAULT_USER_ID : GetCurrentUserId();
1799 AdminManager::GetInstance()->SaveSubscribeEvents(events, admin.GetBundleName(), userId);
1800 return ERR_OK;
1801 }
1802
UnsubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1803 ErrCode EnterpriseDeviceMgrAbility::UnsubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1804 const std::vector<uint32_t> &events)
1805 {
1806 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1807 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1808 int32_t userId = AdminManager::GetInstance()->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ?
1809 EdmConstants::DEFAULT_USER_ID : GetCurrentUserId();
1810 AdminManager::GetInstance()->RemoveSubscribeEvents(events, admin.GetBundleName(), userId);
1811 return HandleApplicationEvent(events, false);
1812 }
1813
VerifyManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1814 ErrCode EnterpriseDeviceMgrAbility::VerifyManagedEvent(const AppExecFwk::ElementName &admin,
1815 const std::vector<uint32_t> &events)
1816 {
1817 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(),
1818 GetCurrentUserId());
1819 ErrCode ret = GetPermissionChecker()->CheckCallerPermission(adminItem,
1820 EdmPermission::PERMISSION_ENTERPRISE_SUBSCRIBE_MANAGED_EVENT, false);
1821 if (FAILED(ret)) {
1822 return ret;
1823 }
1824 if (events.empty()) {
1825 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1826 }
1827 auto iter =
1828 std::find_if(events.begin(), events.end(), [this](uint32_t event) { return !CheckManagedEvent(event); });
1829 if (iter != std::end(events)) {
1830 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1831 }
1832 return ERR_OK;
1833 }
1834
CheckManagedEvent(uint32_t event)1835 bool EnterpriseDeviceMgrAbility::CheckManagedEvent(uint32_t event)
1836 {
1837 if (event >= static_cast<uint32_t>(ManagedEvent::BUNDLE_ADDED) &&
1838 event <= static_cast<uint32_t>(ManagedEvent::USER_REMOVED)) {
1839 return true;
1840 }
1841 return false;
1842 }
1843
AuthorizeAdmin(const AppExecFwk::ElementName & admin,const std::string & bundleName)1844 ErrCode EnterpriseDeviceMgrAbility::AuthorizeAdmin(const AppExecFwk::ElementName &admin, const std::string &bundleName)
1845 {
1846 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1847 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(),
1848 GetCurrentUserId());
1849 ErrCode ret = GetPermissionChecker()->CheckAuthorizeAdminPermission(adminItem,
1850 EdmPermission::PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN);
1851 if (FAILED(ret)) {
1852 return ret;
1853 }
1854 /* Get all request and registered permissions */
1855 std::vector<std::string> permissionList;
1856 if (FAILED(GetPermissionChecker()->GetAllPermissionsByAdmin(bundleName, AdminType::SUB_SUPER_ADMIN,
1857 EdmConstants::DEFAULT_USER_ID, permissionList))) {
1858 EDMLOGW("AuthorizeAdmin: GetAllPermissionsByAdmin failed.");
1859 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1860 }
1861 EntInfo entInfo;
1862 AppExecFwk::ExtensionAbilityInfo abilityInfo;
1863 abilityInfo.bundleName = bundleName;
1864 Admin subAdmin(abilityInfo, AdminType::SUB_SUPER_ADMIN, entInfo, permissionList, adminItem->adminInfo_.isDebug_);
1865 subAdmin.SetParentAdminName(admin.GetBundleName());
1866 ret = AdminManager::GetInstance()->SetAdminValue(EdmConstants::DEFAULT_USER_ID, subAdmin);
1867 if (ret != ERR_OK) {
1868 return ret;
1869 }
1870 EDMLOGD("ReportEdmEventManagerAdmin AuthorizeAdmin");
1871 HiSysEventAdapter::ReportEdmEventManagerAdmin(bundleName, static_cast<int32_t>(AdminAction::ENABLE),
1872 static_cast<int32_t>(AdminType::SUB_SUPER_ADMIN), admin.GetBundleName().c_str());
1873 return ret;
1874 }
1875
GetSuperAdmin(std::string & bundleName,std::string & abilityName)1876 ErrCode EnterpriseDeviceMgrAbility::GetSuperAdmin(std::string &bundleName, std::string &abilityName)
1877 {
1878 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
1879 auto superAdmin = AdminManager::GetInstance()->GetSuperAdmin();
1880 if (superAdmin == nullptr) {
1881 bundleName = "";
1882 abilityName = "";
1883 } else {
1884 bundleName = superAdmin->adminInfo_.packageName_;
1885 abilityName = superAdmin->adminInfo_.className_;
1886 }
1887 return ERR_OK;
1888 }
1889
SetDelegatedPolicies(const std::string & bundleName,const std::vector<std::string> & policies,int32_t userId)1890 ErrCode EnterpriseDeviceMgrAbility::SetDelegatedPolicies(const std::string &bundleName,
1891 const std::vector<std::string> &policies, int32_t userId)
1892 {
1893 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1894 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1895 if (!GetPermissionChecker()->VerifyCallingPermission(tokenId,
1896 EdmPermission::PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
1897 EDMLOGW("EnterpriseDeviceMgrAbility::SetDelegatedPolicies check permission failed");
1898 return EdmReturnErrCode::PERMISSION_DENIED;
1899 }
1900 std::vector<std::string> setPolicies = policies;
1901 if (setPolicies.size() > EdmConstants::POLICIES_MAX_SIZE) {
1902 return EdmReturnErrCode::PARAM_ERROR;
1903 }
1904 for (const std::string &policy : setPolicies) {
1905 if (!GetPermissionChecker()->IsAllowDelegatedPolicy(policy)) {
1906 return EdmReturnErrCode::PARAM_ERROR;
1907 }
1908 }
1909 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(bundleName, userId);
1910 if (adminItem != nullptr) {
1911 return ERR_EDM_ADD_ADMIN_FAILED;
1912 }
1913 if (!GetBundleMgr()->IsBundleInstalled(bundleName, userId)) {
1914 EDMLOGE("SetDelegatedPolicies the delegated application does not installed.");
1915 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1916 }
1917 std::string appDistributionType = GetBundleMgr()->GetApplicationInfo(bundleName, userId);
1918 if (appDistributionType != APP_TYPE_ENTERPRISE_MDM && appDistributionType != APP_TYPE_ENTERPRISE_NORMAL) {
1919 EDMLOGE("SetDelegatedPolicies get appDistributionType %{public}s.", appDistributionType.c_str());
1920 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1921 }
1922 if (std::find(setPolicies.begin(), setPolicies.end(), POLICY_ALLOW_ALL) != setPolicies.end()) {
1923 setPolicies = { POLICY_ALLOW_ALL };
1924 }
1925 int uid = IPCSkeleton::GetCallingUid();
1926 std::string callingBundleName;
1927 if (GetExternalManagerFactory()->CreateBundleManager()->GetNameForUid(uid, callingBundleName) != ERR_OK) {
1928 EDMLOGW("SetDelegatedPolicies CheckCallingUid failed: get bundleName for uid %{public}d fail.", uid);
1929 return ERR_EDM_PERMISSION_ERROR;
1930 }
1931 EntInfo entInfo;
1932 AppExecFwk::ExtensionAbilityInfo abilityInfo;
1933 abilityInfo.bundleName = bundleName;
1934 Admin virtualAdmin(abilityInfo, AdminType::VIRTUAL_ADMIN, entInfo, {}, false);
1935 virtualAdmin.SetParentAdminName(callingBundleName);
1936 virtualAdmin.SetAccessiblePolicies(setPolicies);
1937 system::SetParameter(PARAM_EDM_ENABLE, "true");
1938 NotifyAdminEnabled(true);
1939 return AdminManager::GetInstance()->SetAdminValue(userId, virtualAdmin);
1940 }
1941
SetDelegatedPolicies(const AppExecFwk::ElementName & parentAdmin,const std::string & bundleName,const std::vector<std::string> & policies)1942 ErrCode EnterpriseDeviceMgrAbility::SetDelegatedPolicies(const AppExecFwk::ElementName &parentAdmin,
1943 const std::string &bundleName, const std::vector<std::string> &policies)
1944 {
1945 if (policies.size() > EdmConstants::POLICIES_MAX_SIZE) {
1946 return EdmReturnErrCode::PARAM_ERROR;
1947 }
1948 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
1949 std::string parentAdminName = parentAdmin.GetBundleName();
1950 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(parentAdminName,
1951 GetCurrentUserId());
1952 ErrCode ret = GetPermissionChecker()->CheckCallerPermission(adminItem,
1953 EdmPermission::PERMISSION_ENTERPRISE_MANAGE_DELEGATED_POLICY, true);
1954 if (FAILED(ret)) {
1955 return ret;
1956 }
1957 if (parentAdminName == bundleName) {
1958 EDMLOGE("SetDelegatedPolicies does not delegated policies to self.");
1959 return EdmReturnErrCode::PARAM_ERROR;
1960 }
1961 if (policies.empty()) {
1962 EDMLOGW("SetDelegatedPolicies remove delegated policies.");
1963 ret = RemoveSubSuperAdminAndAdminPolicy(bundleName);
1964 if (ret == ERR_OK) {
1965 HiSysEventAdapter::ReportEdmEventManagerAdmin(bundleName, static_cast<int32_t>(AdminAction::DISABLE),
1966 static_cast<int32_t>(AdminType::VIRTUAL_ADMIN), parentAdminName);
1967 }
1968 return ret;
1969 }
1970 ret = CheckDelegatedPolicies(adminItem, policies);
1971 if (FAILED(ret)) {
1972 return ret;
1973 }
1974 if (!GetBundleMgr()->IsBundleInstalled(bundleName, GetCurrentUserId())) {
1975 EDMLOGE("SetDelegatedPolicies the delegated application does not installed.");
1976 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1977 }
1978 std::string appDistributionType = GetBundleMgr()->GetApplicationInfo(bundleName, GetCurrentUserId());
1979 if (appDistributionType != APP_TYPE_ENTERPRISE_MDM && appDistributionType != APP_TYPE_ENTERPRISE_NORMAL) {
1980 EDMLOGE("SetDelegatedPolicies get appDistributionType %{public}s.", appDistributionType.c_str());
1981 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1982 }
1983 EntInfo entInfo;
1984 AppExecFwk::ExtensionAbilityInfo abilityInfo;
1985 abilityInfo.bundleName = bundleName;
1986 Admin virtualAdmin(abilityInfo, AdminType::VIRTUAL_ADMIN, entInfo, {}, adminItem->adminInfo_.isDebug_);
1987 virtualAdmin.SetParentAdminName(parentAdminName);
1988 virtualAdmin.SetAccessiblePolicies(policies);
1989 ret = AdminManager::GetInstance()->SetAdminValue(GetCurrentUserId(), virtualAdmin);
1990 if (ret == ERR_OK) {
1991 HiSysEventAdapter::ReportEdmEventManagerAdmin(bundleName, static_cast<int32_t>(AdminAction::ENABLE),
1992 static_cast<int32_t>(AdminType::VIRTUAL_ADMIN), parentAdminName);
1993 }
1994 return ret;
1995 }
1996
GetDelegatedPolicies(const AppExecFwk::ElementName & parentAdmin,const std::string & bundleName,std::vector<std::string> & policies)1997 ErrCode EnterpriseDeviceMgrAbility::GetDelegatedPolicies(const AppExecFwk::ElementName &parentAdmin,
1998 const std::string &bundleName, std::vector<std::string> &policies)
1999 {
2000 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
2001 std::string parentAdminName = parentAdmin.GetBundleName();
2002 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(parentAdminName,
2003 GetCurrentUserId());
2004 ErrCode ret = GetPermissionChecker()->CheckCallerPermission(adminItem,
2005 EdmPermission::PERMISSION_ENTERPRISE_MANAGE_DELEGATED_POLICY, true);
2006 if (FAILED(ret)) {
2007 return ret;
2008 }
2009 return AdminManager::GetInstance()->GetPoliciesByVirtualAdmin(bundleName, parentAdminName, policies);
2010 }
2011
GetDelegatedBundleNames(const AppExecFwk::ElementName & parentAdmin,const std::string & policyName,std::vector<std::string> & bundleNames)2012 ErrCode EnterpriseDeviceMgrAbility::GetDelegatedBundleNames(const AppExecFwk::ElementName &parentAdmin,
2013 const std::string &policyName, std::vector<std::string> &bundleNames)
2014 {
2015 std::string parentAdminName = parentAdmin.GetBundleName();
2016 if (!GetPermissionChecker()->IsAllowDelegatedPolicy(policyName)) {
2017 return EdmReturnErrCode::PARAM_ERROR;
2018 }
2019 std::shared_lock<std::shared_mutex> autoLock(adminLock_);
2020 std::shared_ptr<Admin> adminItem = AdminManager::GetInstance()->GetAdminByPkgName(parentAdminName,
2021 GetCurrentUserId());
2022 ErrCode ret = GetPermissionChecker()->CheckCallerPermission(adminItem,
2023 EdmPermission::PERMISSION_ENTERPRISE_MANAGE_DELEGATED_POLICY, true);
2024 if (FAILED(ret)) {
2025 return ret;
2026 }
2027 AdminManager::GetInstance()->GetVirtualAdminsByPolicy(policyName, parentAdminName, bundleNames);
2028 return ERR_OK;
2029 }
2030
CheckDelegatedPolicies(std::shared_ptr<Admin> admin,const std::vector<std::string> & policies)2031 ErrCode EnterpriseDeviceMgrAbility::CheckDelegatedPolicies(std::shared_ptr<Admin> admin,
2032 const std::vector<std::string> &policies)
2033 {
2034 if (admin == nullptr) {
2035 return EdmReturnErrCode::ADMIN_INACTIVE;
2036 }
2037 PluginManager::GetInstance()->LoadAllPlugin();
2038 for (const std::string &policy : policies) {
2039 if (!GetPermissionChecker()->IsAllowDelegatedPolicy(policy)) {
2040 return EdmReturnErrCode::PARAM_ERROR;
2041 }
2042 auto plugin = PluginManager::GetInstance()->GetPluginByPolicyName(policy);
2043 if (plugin == nullptr) {
2044 EDMLOGE("CheckDelegatedPolicies get policyName is not exist.");
2045 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
2046 }
2047 auto permission = plugin->GetPermission(FuncOperateType::SET,
2048 GetPermissionChecker()->AdminTypeToPermissionType(admin->GetAdminType()));
2049 if (permission == NONE_PERMISSION_MATCH) {
2050 permission = plugin->GetPermission(FuncOperateType::SET,
2051 GetPermissionChecker()->AdminTypeToPermissionType(admin->GetAdminType()),
2052 EdmConstants::PERMISSION_TAG_VERSION_12);
2053 }
2054 if (permission.empty() || permission == NONE_PERMISSION_MATCH) {
2055 EDMLOGE("CheckDelegatedPolicies get plugin access permission failed.");
2056 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
2057 }
2058 auto ret = GetPermissionChecker()->CheckAndUpdatePermission(admin, IPCSkeleton::GetCallingTokenID(),
2059 permission, EdmConstants::DEFAULT_USER_ID);
2060 if (FAILED(ret)) {
2061 return ret;
2062 }
2063 }
2064 return ERR_OK;
2065 }
2066
GetAdmins(std::vector<std::shared_ptr<AAFwk::Want>> & wants)2067 ErrCode EnterpriseDeviceMgrAbility::GetAdmins(std::vector<std::shared_ptr<AAFwk::Want>> &wants)
2068 {
2069 std::vector<std::shared_ptr<Admin>> admins;
2070 AdminManager::GetInstance()->GetAdmins(admins, GetCurrentUserId());
2071 for (auto admin : admins) {
2072 std::shared_ptr<AAFwk::Want> want = std::make_shared<AAFwk::Want>();
2073 want->SetParam("bundleName", admin->adminInfo_.packageName_);
2074 want->SetParam("abilityName", admin->adminInfo_.className_);
2075 want->SetParam("adminType", static_cast<int32_t>(admin->adminInfo_.adminType_));
2076 wants.push_back(want);
2077 }
2078 return ERR_OK;
2079 }
2080
SetBundleInstallPolicies(const std::vector<std::string> & bundles,int32_t userId,int32_t policyType)2081 ErrCode EnterpriseDeviceMgrAbility::SetBundleInstallPolicies(const std::vector<std::string> &bundles, int32_t userId,
2082 int32_t policyType)
2083 {
2084 std::unique_lock<std::shared_mutex> autoLock(adminLock_);
2085 if (policyType < 0 || policyType > MAX_POLICY_TYPE) {
2086 EDMLOGE("SetBundleInstallPolicies policy type is abnormal, value : %{public}d.", policyType);
2087 return EdmReturnErrCode::PARAM_ERROR;
2088 }
2089 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
2090 if (GetPermissionChecker()->VerifyCallingPermission(tokenId,
2091 EdmPermission::PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN) && IPCSkeleton::GetCallingUid() == EDC_UID) {
2092 auto ruleMap = std::vector<AppExecFwk::AppInstallControlRuleType> {
2093 AppExecFwk::AppInstallControlRuleType::UNSPECIFIED,
2094 AppExecFwk::AppInstallControlRuleType::DISALLOWED_UNINSTALL,
2095 AppExecFwk::AppInstallControlRuleType::ALLOWED_INSTALL,
2096 AppExecFwk::AppInstallControlRuleType::DISALLOWED_INSTALL,
2097 };
2098 AppExecFwk::AppInstallControlRuleType rule = ruleMap[policyType];
2099 std::vector<std::string> data = bundles;
2100 return GetBundleMgr()->AddAppInstallControlRule(data, rule, userId);
2101 }
2102 return EdmReturnErrCode::PERMISSION_DENIED;
2103 }
2104
2105 } // namespace EDM
2106 } // namespace OHOS