1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_checker.h"
17
18 #include "access_token.h"
19 #include "admin_manager.h"
20 #include "edm_constants.h"
21 #include "edm_ipc_interface_code.h"
22 #include "edm_log.h"
23 #include "func_code_utils.h"
24 #include "ipc_skeleton.h"
25 #include "permission_manager.h"
26
27 namespace OHOS {
28 namespace EDM {
29
30 std::shared_ptr<PermissionChecker> PermissionChecker::instance_;
31 std::once_flag PermissionChecker::flag_;
32
33 std::vector<uint32_t> PermissionChecker::supportAdminNullPolicyCode_ = {
34 EdmInterfaceCode::DISALLOW_ADD_OS_ACCOUNT_BY_USER,
35 EdmInterfaceCode::DISALLOW_ADD_LOCAL_ACCOUNT,
36 EdmInterfaceCode::DISABLE_BLUETOOTH,
37 EdmInterfaceCode::ALLOWED_BLUETOOTH_DEVICES,
38 EdmInterfaceCode::DISALLOWED_BLUETOOTH_DEVICES,
39 EdmInterfaceCode::SET_BROWSER_POLICIES,
40 EdmInterfaceCode::MANAGED_BROWSER_POLICY,
41 EdmInterfaceCode::DISALLOW_MODIFY_DATETIME,
42 EdmInterfaceCode::LOCATION_POLICY,
43 EdmInterfaceCode::FINGERPRINT_AUTH,
44 EdmInterfaceCode::DISABLE_MICROPHONE,
45 EdmInterfaceCode::DISABLED_PRINTER,
46 EdmInterfaceCode::DISABLED_HDC,
47 EdmInterfaceCode::DISABLE_USB,
48 EdmInterfaceCode::DISALLOWED_USB_DEVICES,
49 EdmInterfaceCode::USB_READ_ONLY,
50 EdmInterfaceCode::ALLOWED_USB_DEVICES,
51 EdmInterfaceCode::DISABLE_WIFI,
52 EdmInterfaceCode::DISABLE_MTP_CLIENT,
53 EdmInterfaceCode::DISABLE_MTP_SERVER,
54 EdmInterfaceCode::DISABLE_SAMBA_CLIENT,
55 EdmInterfaceCode::DISABLE_SAMBA_SERVER,
56 EdmInterfaceCode::DISALLOWED_TETHERING,
57 EdmInterfaceCode::INACTIVE_USER_FREEZE,
58 EdmInterfaceCode::DISABLE_CAMERA,
59 EdmInterfaceCode::PASSWORD_POLICY,
60 EdmInterfaceCode::DISABLE_SET_BIOMETRICS_AND_SCREENLOCK,
61 EdmInterfaceCode::DISABLE_SET_DEVICE_NAME,
62 EdmInterfaceCode::DISABLE_MAINTENANCE_MODE,
63 EdmInterfaceCode::DISALLOWED_SMS,
64 EdmInterfaceCode::DISALLOWED_MMS,
65 EdmInterfaceCode::DISABLE_BACKUP_AND_RESTORE,
66 EdmInterfaceCode::IS_APP_KIOSK_ALLOWED,
67 EdmInterfaceCode::DISALLOWED_MOBILE_DATA,
68 EdmInterfaceCode::DISALLOWED_SUDO,
69 EdmInterfaceCode::DISALLOW_MODIFY_ETHERNET_IP,
70 EdmInterfaceCode::DISALLOWED_AIRPLANE_MODE,
71 EdmInterfaceCode::DISALLOW_VPN,
72 EdmInterfaceCode::DISALLOWED_TELEPHONY_CALL,
73 EdmInterfaceCode::DISABLE_PRIVATE_SPACE,
74 EdmInterfaceCode::POLICY_CODE_END + EdmConstants::PolicyCode::DISALLOW_SCREEN_SHOT,
75 EdmInterfaceCode::POLICY_CODE_END + EdmConstants::PolicyCode::DISALLOW_SCREEN_RECORD,
76 EdmInterfaceCode::POLICY_CODE_END + EdmConstants::PolicyCode::DISABLE_DISK_RECOVERY_KEY,
77 EdmInterfaceCode::POLICY_CODE_END + EdmConstants::PolicyCode::DISALLOW_NEAR_LINK,
78 EdmInterfaceCode::POLICY_CODE_END + EdmConstants::PolicyCode::DISABLE_DEVELOPER_MODE,
79 EdmInterfaceCode::POLICY_CODE_END + EdmConstants::PolicyCode::DISABLE_RESET_FACTORY,
80 EdmInterfaceCode::DISALLOWED_NOTIFICATION,
81 EdmInterfaceCode::DISABLED_PRINT,
82 EdmInterfaceCode::POLICY_CODE_END + EdmConstants::PolicyCode::DISABLE_OTA,
83 EdmInterfaceCode::POLICY_CODE_END + EdmConstants::PolicyCode::DISALLOWED_NFC,
84 EdmInterfaceCode::POLICY_CODE_END + EdmConstants::PolicyCode::DISALLOW_REMOTE_DESK,
85 EdmInterfaceCode::POLICY_CODE_END + EdmConstants::PolicyCode::DISALLOW_REMOTE_DIAGNOSIS,
86 };
87
88 std::unordered_set<std::string> PermissionChecker::allowDelegatedPolicies_ = {
89 PolicyName::POLICY_DISALLOW_ADD_LOCAL_ACCOUNT, PolicyName::POLICY_DISALLOW_ADD_OS_ACCOUNT_BY_USER,
90 PolicyName::POLICY_DISALLOW_RUNNING_BUNDLES, PolicyName::POLICY_MANAGE_AUTO_START_APPS,
91 PolicyName::POLICY_ALLOWED_BLUETOOTH_DEVICES, PolicyName::POLICY_SET_BROWSER_POLICIES,
92 PolicyName::POLICY_ALLOWED_INSTALL_BUNDLES, PolicyName::POLICY_DISALLOWED_INSTALL_BUNDLES,
93 PolicyName::POLICY_DISALLOWED_UNINSTALL_BUNDLES, PolicyName::POLICY_SNAPSHOT_SKIP,
94 PolicyName::POLICY_LOCATION_POLICY, PolicyName::POLICY_DISABLED_NETWORK_INTERFACE,
95 PolicyName::POLICY_GLOBAL_PROXY, PolicyName::POLICY_DISABLED_BLUETOOTH,
96 PolicyName::POLICY_DISALLOW_MODIFY_DATETIME, PolicyName::POLICY_DISABLED_PRINTER,
97 PolicyName::POLICY_POLICY_SCREEN_SHOT, PolicyName::POLICY_DISABLED_HDC,
98 PolicyName::POLICY_DISABLE_MICROPHONE, PolicyName::POLICY_FINGERPRINT_AUTH,
99 PolicyName::POLICY_DISABLE_USB, PolicyName::POLICY_DISABLE_WIFI,
100 PolicyName::POLICY_DISALLOWED_TETHERING, PolicyName::POLICY_INACTIVE_USER_FREEZE,
101 PolicyName::POLICY_PASSWORD_POLICY, PolicyName::POLICY_CLIPBOARD_POLICY,
102 PolicyName::POLICY_NTP_SERVER, PolicyName::POLICY_SET_UPDATE_POLICY,
103 PolicyName::POLICY_NOTIFY_UPGRADE_PACKAGES, PolicyName::POLICY_ALLOWED_USB_DEVICES,
104 PolicyName::POLICY_USB_READ_ONLY, PolicyName::POLICY_DISALLOWED_USB_DEVICES,
105 PolicyName::POLICY_GET_DEVICE_INFO, PolicyName::POLICY_WATERMARK_IMAGE_POLICY,
106 PolicyName::POLICY_POLICY_SCREEN_RECORD, PolicyName::POLICY_DISALLOWED_SMS,
107 PolicyName::POLICY_DISALLOWED_MMS, PolicyName::POLICY_DISABLE_BACKUP_AND_RESTORE,
108 PolicyName::POLICY_INSTALLED_BUNDLE_INFO_LIST, PolicyName::POLICY_CLEAR_UP_APPLICATION_DATA,
109 PolicyName::POLICY_ALLOW_ALL,
110 };
111
GetInstance()112 std::shared_ptr<PermissionChecker> PermissionChecker::GetInstance()
113 {
114 std::call_once(flag_, []() {
115 if (instance_ == nullptr) {
116 instance_.reset(new (std::nothrow) PermissionChecker());
117 }
118 });
119 return instance_;
120 }
121
GetExternalManagerFactory()122 std::shared_ptr<IExternalManagerFactory> PermissionChecker::GetExternalManagerFactory()
123 {
124 return externalManagerFactory_;
125 }
126
IsAllowDelegatedPolicy(const std::string & policy)127 bool PermissionChecker::IsAllowDelegatedPolicy(const std::string &policy)
128 {
129 return allowDelegatedPolicies_.find(policy) != allowDelegatedPolicies_.end();
130 }
131
CheckCallerPermission(std::shared_ptr<Admin> admin,const std::string & permission,bool isNeedSuperAdmin)132 ErrCode PermissionChecker::CheckCallerPermission(std::shared_ptr<Admin> admin, const std::string &permission,
133 bool isNeedSuperAdmin)
134 {
135 if (admin == nullptr) {
136 return EdmReturnErrCode::ADMIN_INACTIVE;
137 }
138 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
139 if (!GetExternalManagerFactory()->CreateAccessTokenManager()->VerifyCallingPermission(tokenId, permission)) {
140 EDMLOGE("CheckCallerPermission verify calling permission failed.");
141 return EdmReturnErrCode::PERMISSION_DENIED;
142 }
143 if (FAILED(CheckCallingUid(admin->adminInfo_.packageName_))) {
144 EDMLOGE("CheckCallerPermission check calling uid failed.");
145 return EdmReturnErrCode::PERMISSION_DENIED;
146 }
147 if (isNeedSuperAdmin && admin->GetAdminType() != AdminType::ENT) {
148 EDMLOGE("CheckCallerPermission caller not a super admin.");
149 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
150 }
151 if (!isNeedSuperAdmin && admin->GetAdminType() == AdminType::VIRTUAL_ADMIN) {
152 EDMLOGE("CheckCallerPermission delegated admin does not have permission to handle.");
153 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
154 }
155 if (!isNeedSuperAdmin && admin->GetAdminType() == AdminType::BYOD) {
156 EDMLOGE("CheckCallerPermission byod admin does not have permission to handle.");
157 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
158 }
159 return ERR_OK;
160 }
161
CheckAuthorizeAdminPermission(std::shared_ptr<Admin> admin,const std::string & permission)162 ErrCode PermissionChecker::CheckAuthorizeAdminPermission(std::shared_ptr<Admin> admin, const std::string &permission)
163 {
164 if (admin == nullptr) {
165 return EdmReturnErrCode::ADMIN_INACTIVE;
166 }
167 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
168 if (!GetExternalManagerFactory()->CreateAccessTokenManager()->VerifyCallingPermission(tokenId, permission)) {
169 EDMLOGE("CheckAuthorizeAdminPermission verify calling permission failed.");
170 return EdmReturnErrCode::PERMISSION_DENIED;
171 }
172 if (admin->GetAdminType() != AdminType::ENT) {
173 EDMLOGE("CheckAuthorizeAdminPermission caller not a super admin.");
174 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
175 }
176 return ERR_OK;
177 }
178
CheckCallingUid(const std::string & bundleName)179 ErrCode PermissionChecker::CheckCallingUid(const std::string &bundleName)
180 {
181 // super admin can be removed by itself
182 int uid = IPCSkeleton::GetCallingUid();
183 std::string callingBundleName;
184 if (GetExternalManagerFactory()->CreateBundleManager()->GetNameForUid(uid, callingBundleName) != ERR_OK) {
185 EDMLOGW("CheckCallingUid failed: get bundleName for uid %{public}d fail.", uid);
186 return ERR_EDM_PERMISSION_ERROR;
187 }
188 if (bundleName == callingBundleName) {
189 return ERR_OK;
190 }
191 EDMLOGW("CheckCallingUid failed: only the app %{public}s can remove itself.", callingBundleName.c_str());
192 return ERR_EDM_PERMISSION_ERROR;
193 }
194
CheckSystemCalling(IPlugin::ApiType apiType,const std::string & permissionTag)195 ErrCode PermissionChecker::CheckSystemCalling(IPlugin::ApiType apiType, const std::string &permissionTag)
196 {
197 bool isCheckSystem = (apiType == IPlugin::ApiType::SYSTEM)
198 || (permissionTag == EdmConstants::PERMISSION_TAG_SYSTEM_API);
199 if (isCheckSystem && !CheckIsSystemAppOrNative()) {
200 EDMLOGE("CheckSystemCalling: not system app or native process");
201 return EdmReturnErrCode::SYSTEM_API_DENIED;
202 }
203 return ERR_OK;
204 }
205
GetAllPermissionsByAdmin(const std::string & bundleInfoName,AdminType adminType,int32_t userId,std::vector<std::string> & permissionList)206 ErrCode PermissionChecker::GetAllPermissionsByAdmin(const std::string &bundleInfoName, AdminType adminType,
207 int32_t userId, std::vector<std::string> &permissionList)
208 {
209 permissionList.clear();
210 AppExecFwk::BundleInfo bundleInfo;
211 EDMLOGD("GetAllPermissionsByAdmin GetBundleInfo: bundleInfoName %{public}s", bundleInfoName.c_str());
212 bool ret = GetExternalManagerFactory()->CreateBundleManager()->GetBundleInfo(bundleInfoName,
213 AppExecFwk::BundleFlag::GET_BUNDLE_WITH_REQUESTED_PERMISSION, bundleInfo, userId);
214 if (!ret) {
215 EDMLOGW("GetAllPermissionsByAdmin: GetBundleInfo failed %{public}d", ret);
216 return ERR_EDM_PARAM_ERROR;
217 }
218 PermissionManager::GetInstance()->GetAdminGrantedPermission(bundleInfo.reqPermissions, adminType, permissionList);
219 return ERR_OK;
220 }
221
CheckHandlePolicyPermission(FuncOperateType operateType,const std::string & bundleName,const std::string & policyName,const std::string & permissionName,int32_t userId)222 ErrCode PermissionChecker::CheckHandlePolicyPermission(FuncOperateType operateType,
223 const std::string &bundleName, const std::string &policyName, const std::string &permissionName, int32_t userId)
224 {
225 if (operateType == FuncOperateType::SET && permissionName.empty()) {
226 EDMLOGE("CheckHandlePolicyPermission failed, set policy need permission.");
227 return EdmReturnErrCode::PERMISSION_DENIED;
228 }
229 if (permissionName == NONE_PERMISSION_MATCH) {
230 EDMLOGE("CheckHandlePolicyPermission: GetPermission failed!");
231 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
232 }
233 std::shared_ptr<Admin> deviceAdmin = AdminManager::GetInstance()->GetAdminByPkgName(bundleName, GetCurrentUserId());
234 if (deviceAdmin == nullptr) {
235 EDMLOGE("CheckHandlePolicyPermission: get admin failed");
236 return EdmReturnErrCode::ADMIN_INACTIVE;
237 }
238 if (FAILED(CheckCallingUid(deviceAdmin->adminInfo_.packageName_))) {
239 EDMLOGE("CheckHandlePolicyPermission: CheckCallingUid failed.");
240 return EdmReturnErrCode::PERMISSION_DENIED;
241 }
242 if (operateType == FuncOperateType::SET && deviceAdmin->GetAdminType() == AdminType::NORMAL &&
243 userId != GetCurrentUserId()) {
244 EDMLOGE("CheckHandlePolicyPermission: this admin does not have permission to handle policy of other account.");
245 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
246 }
247 if (!permissionName.empty()) {
248 EDMLOGI("CheckHandlePolicyPermission: permissionName:%{public}s", permissionName.c_str());
249 auto ret = CheckAndUpdatePermission(deviceAdmin, IPCSkeleton::GetCallingTokenID(), permissionName, userId);
250 if (FAILED(ret)) {
251 return ret;
252 }
253 }
254 if (permissionName.empty() && deviceAdmin->GetAdminType() == AdminType::BYOD) {
255 return EdmReturnErrCode::PERMISSION_DENIED;
256 }
257 if (!AdminManager::GetInstance()->HasPermissionToHandlePolicy(deviceAdmin, policyName)) {
258 EDMLOGE("CheckHandlePolicyPermission: this admin does not have permission to handle the policy.");
259 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
260 }
261 return ERR_OK;
262 }
263
CheckAndUpdatePermission(std::shared_ptr<Admin> admin,Security::AccessToken::AccessTokenID tokenId,const std::string & permission,int32_t userId)264 ErrCode PermissionChecker::CheckAndUpdatePermission(std::shared_ptr<Admin> admin,
265 Security::AccessToken::AccessTokenID tokenId, const std::string &permission, int32_t userId)
266 {
267 if (admin == nullptr) {
268 EDMLOGE("CheckHandlePolicyPermission: this admin does not have permission to handle the policy.");
269 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
270 }
271 bool callingPermission = VerifyCallingPermission(tokenId, permission);
272 bool adminPermission = admin->CheckPermission(permission);
273 EDMLOGI("CheckAndUpdatePermission::callingPermission: %{public}d.adminPermission:%{public}d", callingPermission,
274 adminPermission);
275 if (callingPermission != adminPermission) {
276 std::vector<std::string> permissionList;
277 if (FAILED(GetAllPermissionsByAdmin(admin->adminInfo_.packageName_,
278 admin->GetAdminType(), userId, permissionList))) {
279 EDMLOGE("CheckAndUpdatePermission get all permission that admin request failed.");
280 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
281 }
282 auto hasPermission = std::find(permissionList.begin(), permissionList.end(), permission);
283 if (!callingPermission && hasPermission != permissionList.end()) {
284 EDMLOGE("CheckAndUpdatePermission access token check abnormally.");
285 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
286 }
287 if (!adminPermission && hasPermission == permissionList.end()) {
288 EDMLOGE("CheckAndUpdatePermission this admin does not have the permission.");
289 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
290 }
291 Admin updateAdmin(admin->adminInfo_.packageName_, admin->GetAdminType(), permissionList);
292 updateAdmin.SetAccessiblePolicies(admin->adminInfo_.accessiblePolicies_);
293 if (FAILED(AdminManager::GetInstance()->UpdateAdmin(admin, userId, updateAdmin))) {
294 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
295 }
296 }
297 if (!callingPermission) {
298 return EdmReturnErrCode::PERMISSION_DENIED;
299 }
300 return ERR_OK;
301 }
302
GetCurrentUserId()303 int32_t PermissionChecker::GetCurrentUserId()
304 {
305 std::vector<int32_t> ids;
306 auto fac = GetExternalManagerFactory();
307 ErrCode ret = fac->CreateOsAccountManager()->QueryActiveOsAccountIds(ids);
308 if (FAILED(ret) || ids.empty()) {
309 EDMLOGE("PermissionChecker GetCurrentUserId failed");
310 return -1;
311 }
312 EDMLOGD("PermissionChecker GetCurrentUserId");
313 return (ids.at(0));
314 }
315
AdminTypeToPermissionType(AdminType adminType)316 IPlugin::PermissionType PermissionChecker::AdminTypeToPermissionType(AdminType adminType)
317 {
318 if (adminType == AdminType::BYOD) {
319 return IPlugin::PermissionType::BYOD_DEVICE_ADMIN;
320 }
321 return IPlugin::PermissionType::SUPER_DEVICE_ADMIN;
322 }
323
CheckElementNullPermission(uint32_t funcCode,const std::string & permissionName)324 bool PermissionChecker::CheckElementNullPermission(uint32_t funcCode, const std::string &permissionName)
325 {
326 std::uint32_t code = FuncCodeUtils::GetPolicyCode(funcCode);
327 auto item = std::find(supportAdminNullPolicyCode_.begin(), supportAdminNullPolicyCode_.end(), code);
328 if (item == supportAdminNullPolicyCode_.end()) {
329 EDMLOGE("PermissionChecker not support element null query code is %{public}d", code);
330 return false;
331 }
332 if (permissionName.empty()) {
333 return true;
334 }
335 if (CheckSpecialPolicyCallQuery(code)) {
336 return true;
337 }
338 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
339 if (!VerifyCallingPermission(tokenId, permissionName)) {
340 EDMLOGE("PermissionChecker element null query no permission code is %{public}d", code);
341 return false;
342 }
343 return true;
344 }
345
CheckSpecialPolicyCallQuery(uint32_t code)346 bool PermissionChecker::CheckSpecialPolicyCallQuery(uint32_t code)
347 {
348 bool isSystemAppCall = GetExternalManagerFactory()->CreateAccessTokenManager()->IsSystemAppCall();
349 if (isSystemAppCall) {
350 return true;
351 }
352 bool isNativeCall = GetExternalManagerFactory()->CreateAccessTokenManager()->IsNativeCall();
353 if (isNativeCall) {
354 int uid = IPCSkeleton::GetCallingUid();
355 if (code == EdmInterfaceCode::ALLOWED_BLUETOOTH_DEVICES ||
356 code == EdmInterfaceCode::DISALLOWED_BLUETOOTH_DEVICES) {
357 return uid == EdmConstants::BLUETOOTH_SERVICE_UID;
358 } else if (code == EdmInterfaceCode::PASSWORD_POLICY) {
359 return uid == EdmConstants::USERIAM_SERVICE_UID;
360 } else if (code == EdmInterfaceCode::DISABLE_USB) {
361 return uid == EdmConstants::USB_SERVICE_UID;
362 }
363 }
364 return false;
365 }
366
CheckIsDebug()367 bool PermissionChecker::CheckIsDebug()
368 {
369 return GetExternalManagerFactory()->CreateAccessTokenManager()->IsDebug();
370 }
371
CheckIsSystemAppOrNative()372 bool PermissionChecker::CheckIsSystemAppOrNative()
373 {
374 return GetExternalManagerFactory()->CreateAccessTokenManager()->IsSystemAppOrNative();
375 }
376
VerifyCallingPermission(Security::AccessToken::AccessTokenID tokenId,const std::string & permissionName)377 bool PermissionChecker::VerifyCallingPermission(Security::AccessToken::AccessTokenID tokenId,
378 const std::string &permissionName)
379 {
380 return GetExternalManagerFactory()->CreateAccessTokenManager()->VerifyCallingPermission(tokenId, permissionName);
381 }
382 } // namespace EDM
383 } // namespace OHOS
384