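/*
 * Copyright (c) 2022-2025 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef OHOS_ABILITY_RUNTIME_URI_PERMISSION_MANAGER_STUB_IMPL_H
#define OHOS_ABILITY_RUNTIME_URI_PERMISSION_MANAGER_STUB_IMPL_H

#include <functional>
#include <list>
#include <map>
#include <mutex>
#include <set>
#include <sstream>
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>
#include "app_mgr_interface.h"
#include "batch_uri.h"
#include "istorage_manager.h"
#include "tokenid_permission.h"
#include "uri.h"
#include "uri_permission_manager_stub.h"
#include "uri_permission_raw_data.h"
#include "access_token.h"

#ifdef ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
#include "policy_info.h"
#else
#include "upms_policy_info.h"
#endif // ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER

namespace OHOS::AAFwk {
// NOTE(review): an unnamed namespace in a header gives every translation unit its own copy of
// these names. For type aliases that is harmless, but the using-directive below also pulls the
// whole SandboxManager namespace into every includer of this header.
namespace {
using StubClearProxyCallback = std::function<void(const wptr<IRemoteObject>&)>;
using TokenId = Security::AccessToken::AccessTokenID;
#ifdef ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
using namespace AccessControl::SandboxManager;
#endif // ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
}

/*
 * One granted permission record kept in uriMap_ for a single uri.
 * Only the flag is mutable; the grantor/grantee token pair is fixed for the
 * lifetime of the record, so a record cannot be re-attributed after creation.
 */
struct GrantInfo {
    unsigned int flag;               // access flag of the grant (semantics defined by the caller API)
    const uint32_t fromTokenId;      // access token of the granting side
    const uint32_t targetTokenId;    // access token of the receiving side
};

/*
 * Caller/target token pair describing who granted a policy to whom.
 */
struct GrantPolicyInfo {
    const uint32_t callerTokenId;
    const uint32_t targetTokenId;

    /*
     * Returns true only when both the caller and the target token match exactly;
     * a match on one side alone is never enough.
     */
    bool Equal(uint32_t cTokenId, uint32_t tTokenId) const
    {
        return callerTokenId == cTokenId && targetTokenId == tTokenId;
    }
};

/*
 * Identity of an application as seen by the permission manager.
 */
struct UPMSAppInfo {
    uint32_t tokenId;
    std::string bundleName;
    std::string alterBundleName;    // NOTE(review): relation to bundleName is not visible here - confirm in the .cpp
};

/*
 * Service-side implementation of the uri permission manager stub.
 * Grants, verifies and revokes uri permissions between access tokens and keeps the
 * in-memory grant table (uriMap_) plus the set of tokens that received content uris.
 */
class UriPermissionManagerStubImpl : public UriPermissionManagerStub,
                                     public std::enable_shared_from_this<UriPermissionManagerStubImpl> {
public:
    UriPermissionManagerStubImpl() = default;
    virtual ~UriPermissionManagerStubImpl() = default;

    /*
     * not support local media file uri.
     */
    ErrCode VerifyUriPermission(const Uri& uri, uint32_t flag, uint32_t tokenId, bool& funcResult) override;

    /*
     * only support local file uri, not support distribute docs and content uri.
     */
    ErrCode GrantUriPermission(const Uri& uri, uint32_t flag, const std::string& targetBundleName, int32_t appIndex,
        uint32_t initiatorTokenId, int32_t& funcResult) override;

    /*
     * only support local file uri, not support distribute docs and content uri.
     */
    ErrCode GrantUriPermission(const std::vector<std::string>& uriVec, uint32_t flag,
        const std::string& targetBundleName, int32_t appIndex, uint32_t initiatorTokenId, int32_t& funcResult) override;

    /*
     * only support local file uri, not support distribute docs and content uri.
     */
    ErrCode GrantUriPermission(const UriPermissionRawData& rawData, uint32_t flag, const std::string& targetBundleName,
        int32_t appIndex, uint32_t initiatorTokenId, int32_t& funcResult) override;

    /*
     * only support local file uri, not support distribute docs and content uri.
     * Privileged variant: the caller is checked by CheckGrantUriPermissionPrivileged() in the .cpp.
     */
    ErrCode GrantUriPermissionPrivileged(const std::vector<std::string>& uriVec, uint32_t flag,
        const std::string& targetBundleName, int32_t appIndex, uint32_t initiatorTokenId, int32_t hideSensitiveType,
        int32_t& funcResult) override;

    /*
     * only support local file uri, not support distribute docs and content uri.
     */
    ErrCode GrantUriPermissionPrivileged(const UriPermissionRawData& rawData, uint32_t flag,
        const std::string& targetBundleName, int32_t appIndex, uint32_t initiatorTokenId,
        int32_t hideSensitiveType, int32_t& funcResult) override;

    /*
     * Key-based grants: the uris are resolved from a key rather than passed by the caller.
     * The AsCaller variant additionally takes the token on whose behalf the grant is made.
     */
    ErrCode GrantUriPermissionByKeyAsCaller(const std::string &key, uint32_t flag, uint32_t callerTokenId,
        uint32_t targetTokenId, int32_t &funcResult) override;

    ErrCode GrantUriPermissionByKey(const std::string &key, uint32_t flag,
        uint32_t targetTokenId, int32_t &funcResult) override;

    /*
     * only support local file uri, not support distribute docs and content uri.
     * funcResult holds one entry per input uri.
     */
    ErrCode CheckUriAuthorization(const std::vector<std::string>& uriVec, uint32_t flag, uint32_t tokenId,
        std::vector<bool>& funcResult) override;

    /*
     * only support local file uri, not support distribute docs and content uri.
     */
    ErrCode CheckUriAuthorization(const UriPermissionRawData& rawData, uint32_t flag, uint32_t tokenId,
        UriPermissionRawData& funcResult) override;

    // Drops every grant held by tokenId.
    ErrCode RevokeAllUriPermissions(uint32_t tokenId, int32_t& funcResult) override;

    // Drops the grant of a single uri for the given bundle/appIndex.
    ErrCode RevokeUriPermissionManually(const Uri& uri, const std::string& bundleName,
        int32_t appIndex, int32_t& funcResult) override;

private:
    // Obtains (and caches) the system-ability proxy identified by serviceId into mgr.
    template<typename T>
    void ConnectManager(sptr<T> &mgr, int32_t serviceId);

    // Lookup against the in-memory grant table only (no storage / media backend involved).
    std::vector<bool> VerifyUriPermissionByMap(std::vector<Uri> &uriVec, uint32_t flag, uint32_t tokenId);

    bool VerifySingleUriPermissionByMap(const std::string &uri, uint32_t flag, uint32_t tokenId);

    int32_t AddTempUriPermission(const std::string &uri, uint32_t flag, TokenId fromTokenId, TokenId targetTokenId);

    int32_t GrantUriPermissionInner(const std::vector<std::string> &uriVec, uint32_t flag,
        uint32_t callerTokenId, uint32_t targetTokenId, const std::string &targetBundleName);

    int32_t GrantUriPermissionPrivilegedInner(const std::vector<Uri> &uriVec, uint32_t flag, uint32_t callerTokenId,
        UPMSAppInfo &targetAppInfo, int32_t hideSensitiveType);

    int32_t GrantUriPermissionPrivilegedImpl(BatchStringUri &batchUris, uint32_t flag,
        uint32_t callerTokenId, UPMSAppInfo &targetAppInfo, int32_t hideSensitiveType);

    // Content-uri grants are tracked per token in contentTokenIdSet_ rather than per uri.
    int32_t GrantBatchContentUriPermissionImpl(const std::vector<std::string> &contentUris,
        uint32_t flag, uint32_t targetTokenId, const std::string &targetBundleName);

    int32_t RevokeContentUriPermission(uint32_t tokenId);

    bool IsContentUriGranted(uint32_t tokenId);

    void AddContentTokenIdRecord(uint32_t tokenId);

    void RemoveContentTokenIdRecord(uint32_t tokenId);

    int32_t GrantBatchMediaUriPermissionImpl(const std::vector<std::string> &mediaUris, uint32_t flag,
        uint32_t callerTokenId, uint32_t targetTokenId, int32_t hideSensitiveType);

    int32_t GrantBatchUriPermissionImpl(const std::vector<std::string> &uriVec,
        uint32_t flag, TokenId callerTokenId, TokenId targetTokenId);

    // Returns one verdict per uri for the permissions carried by tokenIdPermission.
    std::vector<bool> CheckUriPermission(TokenIdPermission &tokenIdPermission, const std::vector<std::string> &uriVec,
        uint32_t flag);

    // Fills result in place for uris that are authorized through a proxy grant.
    void CheckProxyUriPermission(TokenIdPermission &tokenIdPermission, const std::vector<std::string> &uriVec,
        uint32_t flag, std::vector<bool> &result);

    void RevokeMapUriPermission(uint32_t tokenId);

    int32_t RevokeAllMapUriPermissions(uint32_t tokenId);

    int32_t RevokeUriPermissionManuallyInner(Uri &uri, uint32_t targetTokenId);

    int32_t RevokeMapUriPermissionManually(uint32_t callerTokenId, uint32_t targetTokenId, Uri &uri);

    int32_t DeleteShareFile(uint32_t targetTokenId, const std::vector<std::string> &uriVec);

    int32_t RevokeMediaUriPermissionManually(uint32_t callerTokenId, uint32_t targetTokenId, Uri &uri);

    int32_t CheckCalledBySandBox();

    // Sub-directory matching: a grant on a parent path may cover uriStr (exact rule lives in the .cpp).
    bool VerifySubDirUriPermission(const std::string &uriStr, uint32_t newFlag, uint32_t tokenId);

    bool IsDistributedSubDirUri(const std::string &inputUri, const std::string &cachedUri);

    ErrCode ClearPermissionTokenByMap(const uint32_t tokenId, int32_t& funcResult) override;

    // Serialization helpers between std::vector<bool> / std::vector<std::string> and the raw-data IPC forms.
    void BoolVecToCharVec(const std::vector<bool>& boolVector, std::vector<char>& charVector);

    void BoolVecToRawData(const std::vector<bool>& boolVec, UriPermissionRawData& rawData,
        std::vector<char>& charVector);

    ErrCode RawDataToStringVec(const UriPermissionRawData& rawData, std::vector<std::string>& stringVec);

    // Gate for the privileged grant entry points; funcResult receives the rejection code on failure.
    ErrCode CheckGrantUriPermissionPrivileged(uint32_t callerTokenId, uint32_t flag, int32_t& funcResult);

    int32_t GrantUriPermissionByKeyInner(const std::string &key, uint32_t flag,
        uint32_t callerTokenId, uint32_t targetTokenId);

    int32_t CheckGrantUriPermissionByKeyAsCaller();

    int32_t CheckGrantUriPermissionByKey();

    int32_t CheckGrantUriPermissionByKeyParams(const std::string &key, uint32_t flag,
        UPMSAppInfo &callerAppInfo, UPMSAppInfo &targetAppInfo, std::vector<std::string> &uris);

    inline int32_t WrapErrorCode(int32_t errorCode, int32_t &funcRet);

    void StringVecToRawData(const std::vector<std::string> &stringVec, StorageFileRawData &rawData);

#ifdef ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
    ErrCode Active(const UriPermissionRawData& policyRawData, std::vector<uint32_t>& res, int32_t& funcResult) override;
    ErrCode RawDataToPolicyInfo(const UriPermissionRawData& policyRawData, std::vector<PolicyInfo>& policy);
#endif // ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER

    /*
     * Death recipient installed on cached remote proxies; runs proxy_ when the remote side dies
     * so the stale proxy can be cleared.
     */
    class ProxyDeathRecipient : public IRemoteObject::DeathRecipient {
    public:
        // Takes ownership of the callback: the rvalue parameter is moved, not copied, into proxy_.
        explicit ProxyDeathRecipient(StubClearProxyCallback&& proxy) : proxy_(std::move(proxy)) {}
        ~ProxyDeathRecipient() = default;
        void OnRemoteDied([[maybe_unused]] const wptr<IRemoteObject>& remote) override;

    private:
        StubClearProxyCallback proxy_;
    };

private:
    // uri string -> grants recorded for that uri.
    // NOTE(review): which mutex protects which container is not visible from the header;
    // presumably mutex_ guards uriMap_, ptMapMutex_ guards permissionTokenMap_ and
    // contentTokenIdSetMutex_ guards contentTokenIdSet_ - confirm in the .cpp.
    std::map<std::string, std::list<GrantInfo>> uriMap_;
    std::mutex mutex_;
    std::mutex mgrMutex_;    // serializes ConnectManager() for the proxies below
    sptr<AppExecFwk::IAppMgr> appMgr_ = nullptr;
    sptr<StorageManager::IStorageManager> storageManager_ = nullptr;
    std::set<uint32_t> permissionTokenMap_;
    std::mutex ptMapMutex_;
    std::set<uint32_t> contentTokenIdSet_;    // tokens that currently hold a content-uri grant
    std::mutex contentTokenIdSetMutex_;
};
} // namespace OHOS::AAFwk
#endif // OHOS_ABILITY_RUNTIME_URI_PERMISSION_MANAGER_STUB_IMPL_H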