• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2025 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "inituserpolicystub_fuzzer.h"
17 
18 #include <string>
19 #include <thread>
20 #include <vector>
21 
22 #undef private
23 #include "access_token.h"
24 #include "accesstoken_kit.h"
25 #include "accesstoken_manager_service.h"
26 #include "fuzzer/FuzzedDataProvider.h"
27 #include "iaccess_token_manager.h"
28 #include "nativetoken_kit.h"
29 #include "token_setproc.h"
30 
31 using namespace std;
32 using namespace OHOS::Security::AccessToken;
33 static AccessTokenID g_selfTokenId = 0;
34 static uint64_t g_mockTokenId = 0;
35 const int32_t CONSTANTS_NUMBER_TWO = 2;
36 static bool g_reload = true;
37 
38 namespace OHOS {
ReloadNativeTokenInfo()39 void ReloadNativeTokenInfo()
40 {
41     if (!g_reload) {
42         return;
43     }
44 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
45     MessageParcel reply;
46     MessageOption option;
47     MessageParcel datas;
48     if (!datas.WriteInterfaceToken(IAccessTokenManager::GetDescriptor())) {
49         return;
50     }
51     DelayedSingleton<AccessTokenManagerService>::GetInstance()->OnRemoteRequest(
52         static_cast<uint32_t>(IAccessTokenManagerIpcCode::COMMAND_RELOAD_NATIVE_TOKEN_INFO), datas, reply, option);
53 #endif
54     g_reload = false;
55 }
GetNativeToken()56 void GetNativeToken()
57 {
58     ReloadNativeTokenInfo();
59     if (g_mockTokenId != 0) {
60         (void)SetSelfTokenID(g_mockTokenId);
61         return;
62     }
63     g_selfTokenId = GetSelfTokenID();
64     g_mockTokenId = AccessTokenKit::GetNativeTokenId("foundation");
65     if (g_mockTokenId == 0) {
66         return;
67     }
68     (void)SetSelfTokenID(g_mockTokenId);
69 }
70 
ClearUserPolicy()71 void ClearUserPolicy()
72 {
73     MessageParcel reply;
74     MessageOption option;
75     MessageParcel datas;
76     if (!datas.WriteInterfaceToken(IAccessTokenManager::GetDescriptor())) {
77         return;
78     }
79     DelayedSingleton<AccessTokenManagerService>::GetInstance()->OnRemoteRequest(
80         static_cast<uint32_t>(IAccessTokenManagerIpcCode::COMMAND_CLEAR_USER_POLICY), datas, reply, option);
81 }
82 
UpdateUserPolicy(FuzzedDataProvider & provider)83 void UpdateUserPolicy(FuzzedDataProvider& provider)
84 {
85     UserStateIdl dataBlock;
86     dataBlock.userId = provider.ConsumeIntegral<int32_t>();
87     dataBlock.isActive = provider.ConsumeBool();
88 
89     MessageParcel datas;
90     if (!datas.WriteInterfaceToken(IAccessTokenManager::GetDescriptor())) {
91         return;
92     }
93     if (!datas.WriteUint32(1)) {
94         return;
95     }
96     if (UserStateIdlBlockMarshalling(datas, dataBlock) != ERR_NONE) {
97         return;
98     }
99 
100     MessageParcel reply;
101     MessageOption option;
102     DelayedSingleton<AccessTokenManagerService>::GetInstance()->OnRemoteRequest(
103         static_cast<uint32_t>(IAccessTokenManagerIpcCode::COMMAND_UPDATE_USER_POLICY), datas, reply, option);
104 }
105 
InitUserPolicyStubFuzzTest(const uint8_t * data,size_t size)106 bool InitUserPolicyStubFuzzTest(const uint8_t* data, size_t size)
107 {
108     if ((data == nullptr) || (size == 0)) {
109         return false;
110     }
111 
112     FuzzedDataProvider provider(data, size);
113     std::string permissionName = provider.ConsumeRandomLengthString();
114 
115     UserStateIdl dataBlock;
116     dataBlock.userId = provider.ConsumeIntegral<int32_t>();
117     dataBlock.isActive = provider.ConsumeBool();
118 
119     MessageParcel datas;
120     if (!datas.WriteInterfaceToken(IAccessTokenManager::GetDescriptor())) {
121         return false;
122     }
123     if (!datas.WriteUint32(1)) {
124         return false;
125     }
126     if (UserStateIdlBlockMarshalling(datas, dataBlock) != ERR_NONE) {
127         return false;
128     }
129     if (!datas.WriteUint32(1)) {
130         return false;
131     }
132     if (!datas.WriteString(permissionName)) {
133         return false;
134     }
135 
136     uint32_t code = static_cast<uint32_t>(
137         IAccessTokenManagerIpcCode::COMMAND_INIT_USER_POLICY);
138 
139     MessageParcel reply;
140     MessageOption option;
141     bool enable = ((provider.ConsumeIntegral<int32_t>() % CONSTANTS_NUMBER_TWO) == 0);
142     if (enable) {
143         GetNativeToken();
144     } else {
145         (void)SetSelfTokenID(g_selfTokenId);
146     }
147     DelayedSingleton<AccessTokenManagerService>::GetInstance()->OnRemoteRequest(code, datas, reply, option);
148     UpdateUserPolicy(provider);
149     ClearUserPolicy();
150 
151     return true;
152 }
153 } // namespace OHOS
154 
155 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)156 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
157 {
158     /* Run your code on data */
159     OHOS::InitUserPolicyStubFuzzTest(data, size);
160     return 0;
161 }
162