1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "risk_analysis_manager_service.h"
17 
18 #include <thread>
19 #include <cinttypes>
20 
21 #include "accesstoken_kit.h"
22 #include "tokenid_kit.h"
23 #include "ipc_skeleton.h"
24 #include "cJSON.h"
25 #include "ffrt.h"
26 
27 #include "bigdata.h"
28 #include "database_manager.h"
29 #include "errors.h"
30 #include "model_manager.h"
31 #include "event_group_config.h"
32 #include "risk_analysis_define.h"
33 #include "risk_analysis_manager_callback_proxy.h"
34 #include "security_guard_define.h"
35 #include "security_guard_log.h"
36 #include "security_guard_utils.h"
37 #include "system_ability_definition.h"
38 #include "ffrt.h"
39 #include "config_manager.h"
40 #include "store_define.h"
41 #include "detect_plugin_manager.h"
42 
43 namespace OHOS::Security::SecurityGuard {
// Registers RiskAnalysisManagerService with the system-ability framework under
// RISK_ANALYSIS_MANAGER_SA_ID.
// NOTE(review): the trailing `true` presumably maps to the constructor's runOnCreate
// argument — confirm against the macro definition.
REGISTER_SYSTEM_ABILITY_BY_ID(RiskAnalysisManagerService, RISK_ANALYSIS_MANAGER_SA_ID, true);
45 
namespace {
    // Upper bound, in milliseconds, that RequestSecurityModelResult waits for a model result.
    constexpr int32_t TIMEOUT_REPLY{15000};
    // Delay, in milliseconds, before OnStart's background task loads the detect plugins.
    constexpr int32_t DELAY_TIME{10000};

    // Permission names checked against the caller's access token.
    constexpr const char* REQUEST_PERMISSION{"ohos.permission.securityguard.REQUEST_SECURITY_MODEL_RESULT"};
    constexpr const char* QUERY_SECURITY_MODEL_RESULT_PERMISSION{"ohos.permission.QUERY_SECURITY_MODEL_RESULT"};

    // Allow-list of model ids; PushRiskAnalysisTask answers UNKNOWN_STATUS for any other id.
    const std::vector<uint32_t> MODELIDS{
        3001000000, 3001000001, 3001000002, 3001000005, 3001000006, 3001000007, 3001000009, 3001000011
    };

    // Authorization policy: API name -> permissions accepted for it. IsApiHasPermission treats
    // the list as "any one of these is enough", and rejects API names that have no entry here.
    const std::unordered_map<std::string, std::vector<std::string>> g_apiPermissionsMap{
        {"RequestSecurityModelResult", {REQUEST_PERMISSION, QUERY_SECURITY_MODEL_RESULT_PERMISSION}},
        {"StartSecurityModel", {QUERY_SECURITY_MODEL_RESULT_PERMISSION}},
    };

    // Signature of the "InitAllConfig" symbol that OnStart resolves with dlsym.
    using InitAllConfigFunc = void (*)();
}
60 
/**
 * Constructs the service and hands both arguments straight to the SystemAbility base class.
 *
 * @param saId        system-ability id forwarded to SystemAbility.
 * @param runOnCreate forwarded to SystemAbility unchanged.
 */
RiskAnalysisManagerService::RiskAnalysisManagerService(int32_t saId, bool runOnCreate)
    : SystemAbility(saId, runOnCreate)
{
    // Construction is traced at warning level with the function name only.
    SGLOGW("%{public}s", __func__);
}
66 
67 // LCOV_EXCL_START
/**
 * Start-up hook: runs InitAllConfig from the config-manager library, initialises the model
 * manager, publishes the service and schedules the delayed plugin load.
 *
 * Failures to load the library, resolve the symbol or publish are logged and start-up continues.
 */
void RiskAnalysisManagerService::OnStart()
{
    SGLOGI("RiskAnalysisManagerService %{public}s", __func__);

    // The library is named without a directory, so the dynamic loader's search path decides
    // which file gets mapped into this service.
    // NOTE(review): confirm every directory on that path is writable only by trusted components.
    void *configLib = dlopen("libsg_config_manager.z.so", RTLD_LAZY);
    if (configLib != nullptr) {
        auto initAllConfig = reinterpret_cast<InitAllConfigFunc>(dlsym(configLib, "InitAllConfig"));
        if (initAllConfig == nullptr) {
            SGLOGE("dlsym error: %{public}s", dlerror());
        } else {
            initAllConfig();
            SGLOGI("Call Init All Config");
        }
        // NOTE(review): the handle is released right after the call; that is only safe if
        // InitAllConfig leaves nothing behind that points into the library — confirm.
        dlclose(configLib);
    } else {
        SGLOGE("dlopen error: %{public}s", dlerror());
    }

    ModelManager::GetInstance().Init();

    const bool published = Publish(this);
    if (!published) {
        SGLOGE("Publish error");
    }

    // Plugin loading is deferred by DELAY_TIME milliseconds on an ffrt task; it is submitted
    // even when Publish failed above.
    ffrt::submit([this] {
        const std::chrono::milliseconds startupDelay(DELAY_TIME);
        ffrt::this_task::sleep_for(startupDelay);
        DetectPluginManager::getInstance().LoadAllPlugins();
    });
}
93 
/** Stop hook; this service performs no work here. */
void RiskAnalysisManagerService::OnStop()
{
    // Intentionally empty.
}
97 // LCOV_EXCL_STOP
98 
/**
 * Authorizes the current IPC caller for the named API.
 *
 * The caller passes when its access token holds at least ONE of the permissions listed for
 * `api` in g_apiPermissionsMap (any-of, not all-of). A caller whose token type is not
 * TOKEN_NATIVE must additionally be a system app.
 *
 * @param api API name used as the key into g_apiPermissionsMap.
 * @return SUCCESS when authorized; FAILED when `api` has no entry in the map; NO_PERMISSION
 *         when none of the listed permissions is granted; NO_SYSTEMCALL when a non-native
 *         caller is not a system app.
 */
int32_t RiskAnalysisManagerService::IsApiHasPermission(const std::string &api)
{
    // Deny by default: an API without a policy entry is rejected.
    const auto policy = g_apiPermissionsMap.find(api);
    if (policy == g_apiPermissionsMap.cend()) {
        SGLOGE("api not in map");
        return FAILED;
    }

    // NOTE(review): the calling-token getters are read on the thread that runs this function;
    // presumably that must be the thread handling the IPC request — confirm for every caller.
    const AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
    const auto isGranted = [callerToken](const std::string &permission) {
        int verdict = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permission);
        return verdict == AccessToken::PermissionState::PERMISSION_GRANTED;
    };

    const std::vector<std::string> &accepted = policy->second;
    if (std::none_of(accepted.cbegin(), accepted.cend(), isGranted)) {
        SGLOGE("caller no permission");
        return NO_PERMISSION;
    }

    // Native tokens are accepted on the permission alone; every other token type must also
    // belong to a system app.
    const AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
    if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
        return SUCCESS;
    }
    const uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
    if (AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
        return SUCCESS;
    }
    SGLOGE("not system app no permission");
    return NO_SYSTEMCALL;
}
124 
/**
 * Runs a security model for an authorized caller and delivers the result through `cb`.
 *
 * The analysis runs on an ffrt task; this function blocks the calling thread for up to
 * TIMEOUT_REPLY milliseconds waiting for it. A classify event carrying the caller pid, the
 * date and the result is always reported, and on timeout the callback receives an empty
 * result string.
 *
 * @param devId   device id, passed through to the callback unchanged.
 * @param modelId caller-supplied model id; checked against MODELIDS inside the queued task.
 * @param param   caller-supplied model parameter, forwarded as-is to the model.
 * @param cb      remote object expected to be a RiskAnalysisManagerCallbackProxy.
 * @return the permission error from IsApiHasPermission, NULL_OBJECT when `cb` cannot be cast
 *         to the callback proxy, TIME_OUT when no result arrived in time, otherwise SUCCESS.
 */
ErrCode RiskAnalysisManagerService::RequestSecurityModelResult(const std::string &devId, uint32_t modelId,
    const std::string &param, const sptr<IRemoteObject> &cb)
{
    SGLOGI("enter RiskAnalysisManagerService RequestSecurityModelResult");
    int32_t ret = IsApiHasPermission("RequestSecurityModelResult");
    if (ret != SUCCESS) {
        return ret;
    }

    ClassifyEvent event;
    event.pid = IPCSkeleton::GetCallingPid();
    event.time = SecurityGuardUtils::GetDate();

    auto resultPromise = std::make_shared<std::promise<std::string>>();
    std::future<std::string> pending = resultPromise->get_future();
    PushRiskAnalysisTask(modelId, param, resultPromise);

    // Each accepted request holds this thread until the task answers or the timeout expires.
    std::string result{};
    const std::chrono::milliseconds replyWindow(TIMEOUT_REPLY);
    if (pending.wait_for(replyWindow) != std::future_status::timeout) {
        // NOTE(review): get() assumes the task always fulfils the promise; confirm that
        // ModelManager::GetResult cannot leave it unset.
        result = pending.get();
        ret = SUCCESS;
    } else {
        SGLOGE("wait for result timeout");
        ret = TIME_OUT;
    }

    SGLOGI("ReportClassifyEvent");
    event.status = result;
    BigData::ReportClassifyEvent(event);

    // `cb` is validated only at this point, after the analysis has run and been reported.
    auto proxy = iface_cast<RiskAnalysisManagerCallbackProxy>(cb);
    if (proxy == nullptr) {
        return NULL_OBJECT;
    }
    proxy->ResponseSecurityModelResult(devId, modelId, result);
    // The result is logged with the %{private} format specifier.
    SGLOGI("get analysis result=%{private}s", result.c_str());
    return ret;
}
159 
/**
 * Queues one model evaluation on ffrt and publishes its outcome through `promise`.
 *
 * @param modelId model to evaluate; ids outside MODELIDS are answered with UNKNOWN_STATUS
 *                without calling the model manager.
 * @param param   model parameter, copied into the task.
 * @param promise shared promise fulfilled by the task with the result string.
 */
void RiskAnalysisManagerService::PushRiskAnalysisTask(uint32_t modelId, std::string param,
    std::shared_ptr<std::promise<std::string>> promise)
{
    // Everything is captured by value, so the task does not depend on the caller's stack.
    auto analyse = [modelId, param, promise] {
        SGLOGD("modelId=%{public}u", modelId);
        // Allow-list check: only ids listed in MODELIDS reach ModelManager.
        const bool supported = std::find(MODELIDS.begin(), MODELIDS.end(), modelId) != MODELIDS.end();
        if (!supported) {
            SGLOGE("model not support, no need to analyse, modelId=%{public}u", modelId);
            promise->set_value(UNKNOWN_STATUS);
            return;
        }
        std::string modelResult = ModelManager::GetInstance().GetResult(modelId, param);
        SGLOGI("result is %{private}s", modelResult.c_str());
        promise->set_value(modelResult);
    };
    ffrt::submit(analyse);
}
176 
/**
 * Placeholder: ignores both arguments and reports SUCCESS.
 *
 * NOTE(review): unlike RequestSecurityModelResult and StartSecurityModel, this entry point
 * does not call IsApiHasPermission and has no entry in g_apiPermissionsMap; add both before
 * giving it any real effect.
 *
 * @param modelId unused.
 * @param enable  unused.
 * @return always SUCCESS.
 */
ErrCode RiskAnalysisManagerService::SetModelState(uint32_t modelId, bool enable)
{
    static_cast<void>(modelId);
    static_cast<void>(enable);
    return SUCCESS;
}
181 
/**
 * Starts a security model on behalf of an authorized caller.
 *
 * @param modelId caller-supplied model id, forwarded to ModelManager without a local check.
 * @param param   caller-supplied parameter, forwarded as-is.
 * @return the permission error from IsApiHasPermission, otherwise whatever
 *         ModelManager::StartSecurityModel returns.
 */
ErrCode RiskAnalysisManagerService::StartSecurityModel(uint32_t modelId, const std::string &param)
{
    SGLOGI("enter RiskAnalysisManagerService StartSecurityModel");
    // Authorization gate: nothing is forwarded to the model manager for a rejected caller.
    const int32_t permission = IsApiHasPermission("StartSecurityModel");
    if (permission == SUCCESS) {
        return ModelManager::GetInstance().StartSecurityModel(modelId, param);
    }
    return permission;
}
191 
192 // LCOV_EXCL_START
/**
 * Notification that a system ability was added; only logs its id.
 *
 * @param systemAbilityId id of the ability that appeared.
 * @param deviceId        unused.
 */
void RiskAnalysisManagerService::OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
{
    static_cast<void>(deviceId);
    SGLOGI("OnAddSystemAbility, systemAbilityId=%{public}d", systemAbilityId);
}
197 
/**
 * Notification that a system ability was removed; only logs its id, at warning level.
 *
 * @param systemAbilityId id of the ability that went away.
 * @param deviceId        unused.
 */
void RiskAnalysisManagerService::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
{
    static_cast<void>(deviceId);
    SGLOGW("OnRemoveSystemAbility, systemAbilityId=%{public}d", systemAbilityId);
}
202 // LCOV_EXCL_STOP
203 }
204