1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "bundle_install_checker.h"
17
18 #include "app_log_tag_wrapper.h"
19 #include "bms_extension_data_mgr.h"
20 #include "bundle_mgr_service.h"
21 #include "bundle_parser.h"
22 #include "bundle_permission_mgr.h"
23 #include "parameter.h"
24 #include "parameters.h"
25 #include "privilege_extension_ability_type.h"
26 #include "scope_guard.h"
27 #include "systemcapability.h"
28
29 namespace OHOS {
30 namespace AppExecFwk {
31 namespace {
32 constexpr const char* PRIVILEGE_ALLOW_APP_DATA_NOT_CLEARED = "AllowAppDataNotCleared";
33 constexpr const char* PRIVILEGE_ALLOW_APP_MULTI_PROCESS = "AllowAppMultiProcess";
34 constexpr const char* PRIVILEGE_ALLOW_APP_DESKTOP_ICON_HIDE = "AllowAppDesktopIconHide";
35 constexpr const char* PRIVILEGE_ALLOW_ABILITY_PRIORITY_QUERIED = "AllowAbilityPriorityQueried";
36 constexpr const char* PRIVILEGE_ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS = "AllowAbilityExcludeFromMissions";
37 constexpr const char* PRIVILEGE_ALLOW_MISSION_NOT_CLEARED = "AllowMissionNotCleared";
38 constexpr const char* PRIVILEGE_ALLOW_APP_USE_PRIVILEGE_EXTENSION = "AllowAppUsePrivilegeExtension";
39 constexpr const char* PRIVILEGE_ALLOW_FORM_VISIBLE_NOTIFY = "AllowFormVisibleNotify";
40 constexpr const char* PRIVILEGE_ALLOW_APP_SHARE_LIBRARY = "AllowAppShareLibrary";
41 constexpr const char* PRIVILEGE_ALLOW_ENABLE_NOTIFICATION = "AllowEnableNotification";
42 constexpr const char* PRIVILEGE_ALLOW_ARK_TS_LARGE_HEAP = "AllowArkTsLargeHeap";
43 constexpr const char* ALLOW_APP_DATA_NOT_CLEARED = "allowAppDataNotCleared";
44 constexpr const char* ALLOW_APP_MULTI_PROCESS = "allowAppMultiProcess";
45 constexpr const char* ALLOW_APP_DESKTOP_ICON_HIDE = "allowAppDesktopIconHide";
46 constexpr const char* ALLOW_ABILITY_PRIORITY_QUERIED = "allowAbilityPriorityQueried";
47 constexpr const char* ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS = "allowAbilityExcludeFromMissions";
48 constexpr const char* ALLOW_MISSION_NOT_CLEARED = "allowMissionNotCleared";
49 constexpr const char* ALLOW_APP_USE_PRIVILEGE_EXTENSION = "allowAppUsePrivilegeExtension";
50 constexpr const char* ALLOW_FORM_VISIBLE_NOTIFY = "allowFormVisibleNotify";
51 constexpr const char* ALLOW_APP_SHARE_LIBRARY = "allowAppShareLibrary";
52 constexpr const char* ALLOW_ENABLE_NOTIFICATION = "allowEnableNotification";
53 constexpr const char* ALLOW_ARK_TS_LARGE_HEAP = "allowArkTsLargeHeap";
54 constexpr const char* APL_NORMAL = "normal";
55 constexpr const char* SLASH = "/";
56 constexpr const char* DOUBLE_SLASH = "//";
57 constexpr const char* SUPPORT_ISOLATION_MODE = "persist.bms.supportIsolationMode";
58 constexpr const char* VALUE_TRUE = "true";
59 constexpr const char* VALUE_TRUE_BOOL = "1";
60 constexpr const char* VALUE_FALSE = "false";
61 constexpr const char* NONISOLATION_ONLY = "nonisolationOnly";
62 constexpr const char* ISOLATION_ONLY = "isolationOnly";
63 constexpr const char* SUPPORT_APP_TYPES = "const.bms.supportAppTypes";
64 constexpr const char* PROVIDED_DEVICE_FEATURES = "const.product.providedDeviceFeatures";
65 constexpr const char* SUPPORT_APP_TYPES_SEPARATOR = ",";
66 constexpr int8_t SLAH_OFFSET = 2;
67 constexpr int8_t THRESHOLD_VAL_LEN = 40;
68 constexpr const char* SYSTEM_APP_SCAN_PATH = "/system/app";
69 constexpr const char* DEVICE_TYPE_OF_DEFAULT = "default";
70 constexpr const char* DEVICE_TYPE_OF_PHONE = "phone";
71 constexpr const char* APP_INSTALL_PATH = "/data/app/el1/bundle";
72
73 const std::unordered_map<std::string, void (*)(AppPrivilegeCapability &appPrivilegeCapability)>
74 PRIVILEGE_MAP = {
75 { PRIVILEGE_ALLOW_APP_DATA_NOT_CLEARED,
__anonf97288790202() 76 [] (AppPrivilegeCapability &appPrivilegeCapability) {
77 appPrivilegeCapability.userDataClearable = false;
78 } },
79 { PRIVILEGE_ALLOW_APP_MULTI_PROCESS,
__anonf97288790302() 80 [] (AppPrivilegeCapability &appPrivilegeCapability) {
81 appPrivilegeCapability.allowMultiProcess = true;
82 } },
83 { PRIVILEGE_ALLOW_APP_DESKTOP_ICON_HIDE,
__anonf97288790402() 84 [] (AppPrivilegeCapability &appPrivilegeCapability) {
85 appPrivilegeCapability.hideDesktopIcon = true;
86 } },
87 { PRIVILEGE_ALLOW_ABILITY_PRIORITY_QUERIED,
__anonf97288790502() 88 [] (AppPrivilegeCapability &appPrivilegeCapability) {
89 appPrivilegeCapability.allowQueryPriority = true;
90 } },
91 { PRIVILEGE_ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS,
__anonf97288790602() 92 [] (AppPrivilegeCapability &appPrivilegeCapability) {
93 appPrivilegeCapability.allowExcludeFromMissions = true;
94 } },
95 { PRIVILEGE_ALLOW_MISSION_NOT_CLEARED,
__anonf97288790702() 96 [] (AppPrivilegeCapability &appPrivilegeCapability) {
97 appPrivilegeCapability.allowMissionNotCleared = true;
98 } },
99 { PRIVILEGE_ALLOW_APP_USE_PRIVILEGE_EXTENSION,
__anonf97288790802() 100 [] (AppPrivilegeCapability &appPrivilegeCapability) {
101 appPrivilegeCapability.allowUsePrivilegeExtension = true;
102 } },
103 { PRIVILEGE_ALLOW_FORM_VISIBLE_NOTIFY,
__anonf97288790902() 104 [] (AppPrivilegeCapability &appPrivilegeCapability) {
105 appPrivilegeCapability.formVisibleNotify = true;
106 } },
107 { PRIVILEGE_ALLOW_APP_SHARE_LIBRARY,
__anonf97288790a02() 108 [] (AppPrivilegeCapability &appPrivilegeCapability) {
109 appPrivilegeCapability.appShareLibrary = true;
110 } },
111 { PRIVILEGE_ALLOW_ENABLE_NOTIFICATION,
__anonf97288790b02() 112 [] (AppPrivilegeCapability &appPrivilegeCapability) {
113 appPrivilegeCapability.allowEnableNotification = true;
114 } },
115 { PRIVILEGE_ALLOW_ARK_TS_LARGE_HEAP,
__anonf97288790c02() 116 [] (AppPrivilegeCapability &appPrivilegeCapability) {
117 appPrivilegeCapability.allowArkTsLargeHeap = true;
118 } },
119 };
120
121 static std::map<std::string, AppDistributionTypeEnum> AppDistributionTypeEnumMap = {
122 { Constants::APP_DISTRIBUTION_TYPE_APP_GALLERY,
123 AppDistributionTypeEnum::APP_DISTRIBUTION_TYPE_APP_GALLERY },
124 { Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE,
125 AppDistributionTypeEnum::APP_DISTRIBUTION_TYPE_ENTERPRISE },
126 { Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL,
127 AppDistributionTypeEnum::APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL },
128 { Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM,
129 AppDistributionTypeEnum::APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM },
130 { Constants::APP_DISTRIBUTION_TYPE_INTERNALTESTING,
131 AppDistributionTypeEnum::APP_DISTRIBUTION_TYPE_INTERNALTESTING },
132 { Constants::APP_DISTRIBUTION_TYPE_CROWDTESTING,
133 AppDistributionTypeEnum::APP_DISTRIBUTION_TYPE_CROWDTESTING },
134 };
135
GetAppDistributionType(const Security::Verify::AppDistType & type)136 std::string GetAppDistributionType(const Security::Verify::AppDistType &type)
137 {
138 auto typeIter = APP_DISTRIBUTION_TYPE_MAPS.find(type);
139 if (typeIter == APP_DISTRIBUTION_TYPE_MAPS.end()) {
140 LOG_E(BMS_TAG_INSTALLER, "wrong AppDistType");
141 return Constants::APP_DISTRIBUTION_TYPE_NONE;
142 }
143
144 return typeIter->second;
145 }
146
GetAppProvisionType(const Security::Verify::ProvisionType & type)147 std::string GetAppProvisionType(const Security::Verify::ProvisionType &type)
148 {
149 if (type == Security::Verify::ProvisionType::DEBUG) {
150 return Constants::APP_PROVISION_TYPE_DEBUG;
151 }
152
153 return Constants::APP_PROVISION_TYPE_RELEASE;
154 }
155
IsPrivilegeExtensionAbilityType(ExtensionAbilityType type)156 bool IsPrivilegeExtensionAbilityType(ExtensionAbilityType type)
157 {
158 return PRIVILEGE_EXTENSION_ABILITY_TYPE.find(type) != PRIVILEGE_EXTENSION_ABILITY_TYPE.end();
159 }
160
IsSystemExtensionAbilityType(ExtensionAbilityType type)161 bool IsSystemExtensionAbilityType(ExtensionAbilityType type)
162 {
163 return SYSTEM_EXTENSION_ABILITY_TYPE.find(type) != SYSTEM_EXTENSION_ABILITY_TYPE.end();
164 }
165 }
166
CheckSysCap(const std::vector<std::string> & bundlePaths)167 ErrCode BundleInstallChecker::CheckSysCap(const std::vector<std::string> &bundlePaths)
168 {
169 LOG_D(BMS_TAG_INSTALLER, "check hap syscaps start");
170 if (bundlePaths.empty()) {
171 LOG_NOFUNC_E(BMS_TAG_INSTALLER, "empty bundlePaths check hap syscaps fail");
172 return ERR_APPEXECFWK_INSTALL_PARAM_ERROR;
173 }
174
175 ErrCode result = ERR_OK;
176 BundleParser bundleParser;
177 for (const auto &bundlePath : bundlePaths) {
178 std::vector<std::string> bundleSysCaps;
179 result = bundleParser.ParseSysCap(bundlePath, bundleSysCaps);
180 if (result != ERR_OK) {
181 LOG_D(BMS_TAG_INSTALLER, "parse bundle syscap failed, error: %{public}d", result);
182 return result;
183 }
184
185 for (const auto &bundleSysCapItem : bundleSysCaps) {
186 LOG_D(BMS_TAG_INSTALLER, "check syscap(%{public}s)", bundleSysCapItem.c_str());
187 if (!HasSystemCapability(bundleSysCapItem.c_str())) {
188 LOG_E(BMS_TAG_INSTALLER, "check syscap failed which %{public}s is not exsit",
189 bundleSysCapItem.c_str());
190 return ERR_APPEXECFWK_INSTALL_CHECK_SYSCAP_FAILED;
191 }
192 }
193 }
194
195 LOG_D(BMS_TAG_INSTALLER, "finish check hap syscaps");
196 return result;
197 }
198
CheckMultipleHapsSignInfo(const std::vector<std::string> & bundlePaths,std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes,bool readFile)199 ErrCode BundleInstallChecker::CheckMultipleHapsSignInfo(
200 const std::vector<std::string> &bundlePaths,
201 std::vector<Security::Verify::HapVerifyResult>& hapVerifyRes, bool readFile)
202 {
203 LOG_D(BMS_TAG_INSTALLER, "Check multiple haps signInfo");
204 if (bundlePaths.empty()) {
205 LOG_E(BMS_TAG_INSTALLER, "check hap sign info failed due to empty bundlePaths");
206 return ERR_APPEXECFWK_INSTALL_PARAM_ERROR;
207 }
208 for (const std::string &bundlePath : bundlePaths) {
209 Security::Verify::HapVerifyResult hapVerifyResult;
210 ErrCode verifyRes = ERR_OK;
211 if (readFile) {
212 verifyRes = Security::Verify::HapVerify(bundlePath, hapVerifyResult, true);
213 } else {
214 verifyRes = BundleVerifyMgr::HapVerify(bundlePath, hapVerifyResult);
215 }
216 #ifndef X86_EMULATOR_MODE
217 if (verifyRes != ERR_OK) {
218 LOG_E(BMS_TAG_INSTALLER, "hap file verify failed, bundlePath: %{public}s", bundlePath.c_str());
219 return readFile ? ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE : verifyRes;
220 }
221 #endif
222 hapVerifyRes.emplace_back(hapVerifyResult);
223 }
224
225 if (hapVerifyRes.empty()) {
226 LOG_E(BMS_TAG_INSTALLER, "no sign info in the all haps");
227 return ERR_APPEXECFWK_INSTALL_FAILED_INCOMPATIBLE_SIGNATURE;
228 }
229
230 if (!CheckProvisionInfoIsValid(hapVerifyRes)) {
231 #ifndef X86_EMULATOR_MODE
232 return ERR_APPEXECFWK_INSTALL_FAILED_INCOMPATIBLE_SIGNATURE;
233 #else
234 // on emulator if check signature failed clear appid
235 for (auto &verifyRes : hapVerifyRes) {
236 Security::Verify::ProvisionInfo provisionInfo = verifyRes.GetProvisionInfo();
237 provisionInfo.appId = Constants::EMPTY_STRING;
238 verifyRes.SetProvisionInfo(provisionInfo);
239 }
240 #endif
241 }
242 LOG_D(BMS_TAG_INSTALLER, "finish check multiple haps signInfo");
243 return ERR_OK;
244 }
245
CheckProvisionInfoIsValid(const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)246 bool BundleInstallChecker::CheckProvisionInfoIsValid(
247 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
248 {
249 auto appId = hapVerifyRes[0].GetProvisionInfo().appId;
250 auto appIdentifier = hapVerifyRes[0].GetProvisionInfo().bundleInfo.appIdentifier;
251 auto apl = hapVerifyRes[0].GetProvisionInfo().bundleInfo.apl;
252 auto appDistributionType = hapVerifyRes[0].GetProvisionInfo().distributionType;
253 auto appProvisionType = hapVerifyRes[0].GetProvisionInfo().type;
254 bool isInvalid = std::any_of(hapVerifyRes.begin(), hapVerifyRes.end(),
255 [appId, apl, appDistributionType, appProvisionType, appIdentifier](const auto &hapVerifyResult) {
256 if (appId != hapVerifyResult.GetProvisionInfo().appId) {
257 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appId");
258 return true;
259 }
260 if (apl != hapVerifyResult.GetProvisionInfo().bundleInfo.apl) {
261 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different apl");
262 return true;
263 }
264 if (appDistributionType != hapVerifyResult.GetProvisionInfo().distributionType) {
265 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appDistributionType");
266 return true;
267 }
268 if (appProvisionType != hapVerifyResult.GetProvisionInfo().type) {
269 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appProvisionType");
270 return true;
271 }
272 if (appIdentifier != hapVerifyResult.GetProvisionInfo().bundleInfo.appIdentifier) {
273 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appIdentifier");
274 return true;
275 }
276 return false;
277 });
278 return !isInvalid;
279 }
280
VaildInstallPermission(const InstallParam & installParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)281 bool BundleInstallChecker::VaildInstallPermission(const InstallParam &installParam,
282 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
283 {
284 PermissionStatus installBundleStatus = installParam.installBundlePermissionStatus;
285 PermissionStatus installEnterpriseBundleStatus = installParam.installEnterpriseBundlePermissionStatus;
286 PermissionStatus installEtpMdmBundleStatus = installParam.installEtpMdmBundlePermissionStatus;
287 PermissionStatus installInternaltestingBundleStatus = installParam.installInternaltestingBundlePermissionStatus;
288 bool isCallByShell = installParam.isCallByShell;
289 if (!isCallByShell && installBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
290 installEnterpriseBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
291 installEtpMdmBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
292 installInternaltestingBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS) {
293 return true;
294 }
295 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
296 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
297 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
298 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
299 LOG_E(BMS_TAG_INSTALLER, "enterprise bundle can not be installed by shell");
300 return false;
301 }
302 if (!isCallByShell && installEnterpriseBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
303 LOG_E(BMS_TAG_INSTALLER, "install enterprise bundle permission denied");
304 return false;
305 }
306 continue;
307 }
308 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
309 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
310 bool result = VaildEnterpriseInstallPermission(installParam, provisionInfo);
311 if (!result) {
312 return false;
313 }
314 continue;
315 }
316 if (provisionInfo.distributionType == Security::Verify::AppDistType::INTERNALTESTING) {
317 if (!isCallByShell && installInternaltestingBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
318 LOG_E(BMS_TAG_INSTALLER, "install internaltesting bundle permission denied");
319 return false;
320 }
321 continue;
322 }
323 if (installBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
324 LOG_E(BMS_TAG_INSTALLER, "install permission denied");
325 return false;
326 }
327 }
328 return true;
329 }
330
VaildEnterpriseInstallPermission(const InstallParam & installParam,const Security::Verify::ProvisionInfo & provisionInfo)331 bool BundleInstallChecker::VaildEnterpriseInstallPermission(const InstallParam &installParam,
332 const Security::Verify::ProvisionInfo &provisionInfo)
333 {
334 if (installParam.isSelfUpdate) {
335 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
336 LOG_I(BMS_TAG_INSTALLER, "Mdm self update");
337 return true;
338 }
339 LOG_E(BMS_TAG_INSTALLER, "Self update not MDM");
340 return false;
341 }
342 bool isCallByShell = installParam.isCallByShell;
343 PermissionStatus installEtpNormalBundleStatus = installParam.installEtpNormalBundlePermissionStatus;
344 PermissionStatus installEtpMdmBundleStatus = installParam.installEtpMdmBundlePermissionStatus;
345 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
346 LOG_E(BMS_TAG_INSTALLER, "enterprise normal/mdm bundle can not be installed by shell");
347 return false;
348 }
349 if (!isCallByShell &&
350 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL &&
351 installEtpNormalBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS &&
352 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
353 LOG_E(BMS_TAG_INSTALLER, "install enterprise normal bundle permission denied");
354 return false;
355 }
356 if (!isCallByShell &&
357 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM &&
358 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
359 LOG_E(BMS_TAG_INSTALLER, "install enterprise mdm bundle permission denied");
360 return false;
361 }
362 return true;
363 }
364
ParseHapFiles(const std::vector<std::string> & bundlePaths,const InstallCheckParam & checkParam,std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes,std::unordered_map<std::string,InnerBundleInfo> & infos)365 ErrCode BundleInstallChecker::ParseHapFiles(
366 const std::vector<std::string> &bundlePaths,
367 const InstallCheckParam &checkParam,
368 std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
369 std::unordered_map<std::string, InnerBundleInfo> &infos)
370 {
371 LOG_D(BMS_TAG_INSTALLER, "Parse hap file");
372 ErrCode result = ERR_OK;
373 for (uint32_t i = 0; i < bundlePaths.size(); ++i) {
374 InnerBundleInfo newInfo;
375 BundlePackInfo packInfo;
376 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
377 if (provisionInfo.bundleInfo.appFeature == ServiceConstants::HOS_SYSTEM_APP) {
378 newInfo.SetAppType(Constants::AppType::SYSTEM_APP);
379 } else {
380 newInfo.SetAppType(Constants::AppType::THIRD_PARTY_APP);
381 }
382 newInfo.SetIsPreInstallApp(checkParam.isPreInstallApp);
383 result = ParseBundleInfo(bundlePaths[i], newInfo, packInfo);
384 if (result != ERR_OK) {
385 LOG_E(BMS_TAG_INSTALLER, "bundle parse failed %{public}d", result);
386 return result;
387 }
388 newInfo.SetOrganization(provisionInfo.organization);
389 #ifndef X86_EMULATOR_MODE
390 result = CheckBundleName(provisionInfo.bundleInfo.bundleName, newInfo.GetBundleName());
391 if (result != ERR_OK) {
392 LOG_E(BMS_TAG_INSTALLER, "check provision bundleName failed");
393 return result;
394 }
395 #endif
396 if (newInfo.HasEntry()) {
397 if (isContainEntry_) {
398 LOG_E(BMS_TAG_INSTALLER, "more than one entry hap in the direction");
399 return ERR_APPEXECFWK_INSTALL_INVALID_NUMBER_OF_ENTRY_HAP;
400 }
401 isContainEntry_ = true;
402 }
403
404 SetEntryInstallationFree(packInfo, newInfo);
405 result = CheckMainElement(newInfo);
406 if (result != ERR_OK) {
407 return result;
408 }
409 AppPrivilegeCapability appPrivilegeCapability;
410 // from provision file
411 ParseAppPrivilegeCapability(provisionInfo, appPrivilegeCapability);
412 // form install_list_capability.json, higher priority than provision file
413 // allow appIdentifier/appId/fingerprint
414 newInfo.SetProvisionId(provisionInfo.appId);
415 std::vector<std::string> appSignatures;
416 appSignatures.emplace_back(provisionInfo.bundleInfo.appIdentifier);
417 appSignatures.emplace_back(newInfo.GetAppId());
418 appSignatures.emplace_back(provisionInfo.fingerprint);
419 FetchPrivilegeCapabilityFromPreConfig(
420 newInfo.GetBundleName(), appSignatures, appPrivilegeCapability);
421 // process bundleInfo by appPrivilegeCapability
422 result = ProcessBundleInfoByPrivilegeCapability(appPrivilegeCapability, newInfo);
423 if (result != ERR_OK) {
424 return result;
425 }
426 CollectProvisionInfo(provisionInfo, appPrivilegeCapability, newInfo);
427 #ifdef USE_PRE_BUNDLE_PROFILE
428 GetPrivilegeCapability(checkParam, newInfo);
429 #endif
430 if ((provisionInfo.distributionType == Security::Verify::AppDistType::CROWDTESTING) ||
431 (checkParam.specifiedDistributionType == Constants::APP_DISTRIBUTION_TYPE_CROWDTESTING)) {
432 newInfo.SetAppCrowdtestDeadline((checkParam.crowdtestDeadline >= 0) ? checkParam.crowdtestDeadline :
433 Constants::INHERIT_CROWDTEST_DEADLINE);
434 } else {
435 newInfo.SetAppCrowdtestDeadline(Constants::INVALID_CROWDTEST_DEADLINE);
436 }
437 if (!checkParam.isPreInstallApp) {
438 if ((result = CheckSystemSize(bundlePaths[i], checkParam.appType)) != ERR_OK) {
439 LOG_E(BMS_TAG_INSTALLER, "install failed due to insufficient disk memory");
440 return result;
441 }
442 }
443 infos.emplace(bundlePaths[i], newInfo);
444 }
445 if (!infos.empty()) {
446 result = CheckEnterpriseForAllUser(infos, checkParam, infos.begin()->second.GetAppDistributionType());
447 if (result != ERR_OK) {
448 return result;
449 }
450 }
451
452 if ((result = CheckModuleNameForMulitHaps(infos)) != ERR_OK) {
453 LOG_E(BMS_TAG_INSTALLER, "install failed due to duplicated moduleName");
454 return result;
455 }
456 LOG_D(BMS_TAG_INSTALLER, "finish parse hap file");
457 return result;
458 }
459
CheckEnterpriseForAllUser(std::unordered_map<std::string,InnerBundleInfo> & infos,const InstallCheckParam & checkParam,const std::string & distributionType)460 ErrCode BundleInstallChecker::CheckEnterpriseForAllUser(std::unordered_map<std::string, InnerBundleInfo> &infos,
461 const InstallCheckParam &checkParam, const std::string &distributionType)
462 {
463 if (!checkParam.isInstalledForAllUser) {
464 return ERR_OK;
465 }
466 if (Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL != distributionType &&
467 Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM != distributionType) {
468 LOG_W(BMS_TAG_INSTALLER, "param is true, but not enterprise bundle");
469 return ERR_OK;
470 }
471 if (!OHOS::system::GetBoolParameter(ServiceConstants::IS_ENTERPRISE_DEVICE, false)) {
472 LOG_E(BMS_TAG_INSTALLER, "not enterprise device");
473 return ERR_APPEXECFWK_INSTALL_ENTERPRISE_BUNDLE_NOT_ALLOWED;
474 }
475 for (auto &info : infos) {
476 info.second.SetInstalledForAllUser(checkParam.isInstalledForAllUser);
477 }
478 LOG_I(BMS_TAG_INSTALLER, "install enterprise bundle for all user");
479 return ERR_OK;
480 }
481
CheckHspInstallCondition(std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes,const Security::AccessToken::AccessTokenID callerToken)482 ErrCode BundleInstallChecker::CheckHspInstallCondition(
483 std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
484 const Security::AccessToken::AccessTokenID callerToken)
485 {
486 ErrCode result = ERR_OK;
487 if ((result = CheckDeveloperMode(hapVerifyRes, callerToken)) != ERR_OK) {
488 LOG_E(BMS_TAG_INSTALLER, "install failed due to debug mode");
489 return result;
490 }
491 if ((result = CheckAllowEnterpriseBundle(hapVerifyRes)) != ERR_OK) {
492 LOG_E(BMS_TAG_INSTALLER, "install failed due to non-enterprise device");
493 return result;
494 }
495 return ERR_OK;
496 }
497
CheckInstallPermission(const InstallCheckParam & checkParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)498 ErrCode BundleInstallChecker::CheckInstallPermission(const InstallCheckParam &checkParam,
499 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
500 {
501 if ((checkParam.installBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
502 checkParam.installEnterpriseBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
503 checkParam.installEtpNormalBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
504 checkParam.installInternaltestingBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
505 checkParam.installEtpMdmBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS) &&
506 !VaildInstallPermissionForShare(checkParam, hapVerifyRes)) {
507 // need vaild permission
508 LOG_E(BMS_TAG_INSTALLER, "install permission denied");
509 return ERR_APPEXECFWK_INSTALL_PERMISSION_DENIED;
510 }
511 return ERR_OK;
512 }
513
CheckNoU1Enable(const std::unordered_map<std::string,InnerBundleInfo> & newInfos)514 ErrCode BundleInstallChecker::CheckNoU1Enable(const std::unordered_map<std::string, InnerBundleInfo> &newInfos)
515 {
516 for (auto &item : newInfos) {
517 if (item.second.IsU1Enable()) {
518 LOG_E(BMS_TAG_INSTALLER, "%{public}s: u1Enable in bundleinfos are not same",
519 item.second.GetBundleName().c_str());
520 return ERR_APPEXECFWK_INSTALL_U1_ENABLE_NOT_SUPPORT_APP_SERVICE_AND_SHARED_BUNDLE;
521 }
522 }
523 return ERR_OK;
524 }
525
CheckU1EnableSameInHaps(const std::unordered_map<std::string,InnerBundleInfo> & infos,const std::string & bundleName,bool & u1Enable)526 ErrCode BundleInstallChecker::CheckU1EnableSameInHaps(const std::unordered_map<std::string, InnerBundleInfo> &infos,
527 const std::string &bundleName, bool &u1Enable)
528 {
529 if (infos.empty()) {
530 return ERR_OK;
531 }
532 u1Enable = infos.begin()->second.IsU1Enable();
533 for (auto &item : infos) {
534 if (u1Enable != item.second.IsU1Enable()) {
535 LOG_E(BMS_TAG_INSTALLER, "%{public}s: u1Enable in bundleinfos are not same",
536 bundleName.c_str());
537 return ERR_APPEXECFWK_INSTALL_U1_ENABLE_NOT_SAME_IN_ALL_BUNDLE_INFOS;
538 }
539 }
540 return ERR_OK;
541 }
542
VaildInstallPermissionForShare(const InstallCheckParam & checkParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)543 bool BundleInstallChecker::VaildInstallPermissionForShare(const InstallCheckParam &checkParam,
544 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
545 {
546 PermissionStatus installBundleStatus = checkParam.installBundlePermissionStatus;
547 PermissionStatus installEnterpriseBundleStatus = checkParam.installEnterpriseBundlePermissionStatus;
548 PermissionStatus installEtpMdmBundleStatus = checkParam.installEtpMdmBundlePermissionStatus;
549 PermissionStatus installInternaltestingBundleStatus = checkParam.installInternaltestingBundlePermissionStatus;
550 bool isCallByShell = checkParam.isCallByShell;
551 if (!isCallByShell && installBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
552 installEnterpriseBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
553 installEtpMdmBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
554 installInternaltestingBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS) {
555 return true;
556 }
557 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
558 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
559 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
560 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
561 LOG_E(BMS_TAG_INSTALLER, "enterprise bundle can not be installed by shell");
562 return false;
563 }
564 if (!isCallByShell && installEnterpriseBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
565 LOG_E(BMS_TAG_INSTALLER, "install enterprise bundle permission denied");
566 return false;
567 }
568 continue;
569 }
570 if (provisionInfo.distributionType == Security::Verify::AppDistType::INTERNALTESTING) {
571 if (!isCallByShell && installInternaltestingBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
572 LOG_E(BMS_TAG_INSTALLER, "install internaltesting bundle permission denied");
573 return false;
574 }
575 continue;
576 }
577 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
578 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
579 bool result = VaildEnterpriseInstallPermissionForShare(checkParam, provisionInfo);
580 if (!result) {
581 return false;
582 }
583 continue;
584 }
585 if (installBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
586 LOG_E(BMS_TAG_INSTALLER, "install permission denied");
587 return false;
588 }
589 }
590 return true;
591 }
592
VaildEnterpriseInstallPermissionForShare(const InstallCheckParam & checkParam,const Security::Verify::ProvisionInfo & provisionInfo)593 bool BundleInstallChecker::VaildEnterpriseInstallPermissionForShare(const InstallCheckParam &checkParam,
594 const Security::Verify::ProvisionInfo &provisionInfo)
595 {
596 bool isCallByShell = checkParam.isCallByShell;
597 PermissionStatus installEtpNormalBundleStatus = checkParam.installEtpNormalBundlePermissionStatus;
598 PermissionStatus installEtpMdmBundleStatus = checkParam.installEtpMdmBundlePermissionStatus;
599 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
600 LOG_E(BMS_TAG_INSTALLER, "enterprise normal/mdm bundle can not be installed by shell");
601 return false;
602 }
603 if (!isCallByShell &&
604 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL &&
605 installEtpNormalBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS &&
606 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
607 LOG_E(BMS_TAG_INSTALLER, "install enterprise normal bundle permission denied");
608 return false;
609 }
610 if (!isCallByShell &&
611 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM &&
612 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
613 LOG_E(BMS_TAG_INSTALLER, "install enterprise mdm bundle permission denied");
614 return false;
615 }
616 return true;
617 }
618
CheckDependency(std::unordered_map<std::string,InnerBundleInfo> & infos)619 ErrCode BundleInstallChecker::CheckDependency(std::unordered_map<std::string, InnerBundleInfo> &infos)
620 {
621 LOG_D(BMS_TAG_INSTALLER, "CheckDependency");
622
623 for (const auto &info : infos) {
624 if (info.second.GetInnerModuleInfos().empty()) {
625 LOG_D(BMS_TAG_INSTALLER, "GetInnerModuleInfos is empty");
626 continue;
627 }
628 // There is only one innerModuleInfo when installing
629 InnerModuleInfo moduleInfo = info.second.GetInnerModuleInfos().begin()->second;
630 LOG_D(BMS_TAG_INSTALLER, "current module:%{public}s, dependencies = %{public}s", moduleInfo.moduleName.c_str(),
631 GetJsonStrFromInfo(moduleInfo.dependencies).c_str());
632 for (const auto &dependency : moduleInfo.dependencies) {
633 if (!NeedCheckDependency(dependency, info.second)) {
634 LOG_D(BMS_TAG_INSTALLER, "deliveryWithInstall is false, do not check whether the dependency exists");
635 continue;
636 }
637 std::string bundleName =
638 dependency.bundleName.empty() ? info.second.GetBundleName() : dependency.bundleName;
639 if (FindModuleInInstallingPackage(dependency.moduleName, bundleName, infos)) {
640 continue;
641 }
642 LOG_W(BMS_TAG_INSTALLER, "The depend module:%{public}s is not exist in installing package",
643 dependency.moduleName.c_str());
644 if (!FindModuleInInstalledPackage(dependency.moduleName, bundleName, info.second.GetVersionCode())) {
645 LOG_E(BMS_TAG_INSTALLER, "The depend :%{public}s is not exist", dependency.moduleName.c_str());
646 SetCheckResultMsg(
647 moduleInfo.moduleName + "'s dependent module: " + dependency.moduleName + " does not exist");
648 return ERR_APPEXECFWK_INSTALL_DEPENDENT_MODULE_NOT_EXIST;
649 }
650 }
651 }
652
653 return ERR_OK;
654 }
655
NeedCheckDependency(const Dependency & dependency,const InnerBundleInfo & info)656 bool BundleInstallChecker::NeedCheckDependency(const Dependency &dependency, const InnerBundleInfo &info)
657 {
658 LOG_D(BMS_TAG_INSTALLER, "NeedCheckDependency the moduleName is %{public}s, the bundleName is %{public}s",
659 dependency.moduleName.c_str(), dependency.bundleName.c_str());
660
661 if (!dependency.bundleName.empty() && dependency.bundleName != info.GetBundleName()) {
662 LOG_D(BMS_TAG_INSTALLER, "Cross-app dependencies, check dependency with shared bundle installer");
663 return false;
664 }
665 std::vector<PackageModule> modules = info.GetBundlePackInfo().summary.modules;
666 if (modules.empty()) {
667 LOG_D(BMS_TAG_INSTALLER, "NeedCheckDependency modules is empty, need check dependency");
668 return true;
669 }
670 for (const auto &module : modules) {
671 if (module.distro.moduleName == dependency.moduleName) {
672 return module.distro.deliveryWithInstall;
673 }
674 }
675
676 LOG_D(BMS_TAG_INSTALLER, "NeedCheckDependency the module not found, need check dependency");
677 return true;
678 }
679
FindModuleInInstallingPackage(const std::string & moduleName,const std::string & bundleName,const std::unordered_map<std::string,InnerBundleInfo> & infos)680 bool BundleInstallChecker::FindModuleInInstallingPackage(
681 const std::string &moduleName,
682 const std::string &bundleName,
683 const std::unordered_map<std::string, InnerBundleInfo> &infos)
684 {
685 LOG_D(BMS_TAG_INSTALLER, "moduleName is %{public}s, the bundleName is %{public}s",
686 moduleName.c_str(), bundleName.c_str());
687 for (const auto &info : infos) {
688 if (info.second.GetBundleName() == bundleName) {
689 if (info.second.GetInnerModuleInfos().empty()) {
690 continue;
691 }
692 // There is only one innerModuleInfo when installing
693 InnerModuleInfo moduleInfo = info.second.GetInnerModuleInfos().begin()->second;
694 if (moduleInfo.moduleName == moduleName) {
695 return true;
696 }
697 }
698 }
699 return false;
700 }
701
FindModuleInInstalledPackage(const std::string & moduleName,const std::string & bundleName,uint32_t versionCode)702 bool BundleInstallChecker::FindModuleInInstalledPackage(
703 const std::string &moduleName,
704 const std::string &bundleName,
705 uint32_t versionCode)
706 {
707 LOG_D(BMS_TAG_INSTALLER, "FindModuleInInstalledPackage the moduleName is %{public}s, the bundleName is %{public}s",
708 moduleName.c_str(), bundleName.c_str());
709 std::shared_ptr<BundleDataMgr> dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
710 if (dataMgr == nullptr) {
711 LOG_E(BMS_TAG_INSTALLER, "Get dataMgr shared_ptr nullptr");
712 return false;
713 }
714
715 ScopeGuard enableGuard([&dataMgr, &bundleName] { dataMgr->EnableBundle(bundleName); });
716 InnerBundleInfo bundleInfo;
717 bool isBundleExist = dataMgr->FetchInnerBundleInfo(bundleName, bundleInfo);
718 if (!isBundleExist) {
719 LOG_E(BMS_TAG_INSTALLER, "the bundle: %{public}s is not install", bundleName.c_str());
720 return false;
721 }
722 if (!bundleInfo.FindModule(moduleName)) {
723 LOG_E(BMS_TAG_INSTALLER, "the module: %{public}s is not install", moduleName.c_str());
724 return false;
725 }
726 if (bundleInfo.GetVersionCode() != versionCode) {
727 LOG_E(BMS_TAG_INSTALLER, "the versionCode %{public}d of dependency is not consistent with the installed module",
728 bundleInfo.GetVersionCode());
729 return false;
730 }
731 return true;
732 }
733
CheckBundleName(const std::string & provisionBundleName,const std::string & bundleName)734 ErrCode BundleInstallChecker::CheckBundleName(const std::string &provisionBundleName, const std::string &bundleName)
735 {
736 LOG_D(BMS_TAG_INSTALLER, "CheckBundleName provisionBundleName:%{public}s, bundleName:%{public}s",
737 provisionBundleName.c_str(), bundleName.c_str());
738 if (provisionBundleName.empty() || bundleName.empty()) {
739 LOG_E(BMS_TAG_INSTALLER, "CheckBundleName provisionBundleName:%{public}s, bundleName:%{public}s failed",
740 provisionBundleName.c_str(), bundleName.c_str());
741 return ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE;
742 }
743 if (provisionBundleName == bundleName) {
744 return ERR_OK;
745 }
746 LOG_E(BMS_TAG_INSTALLER, "CheckBundleName failed provisionBundleName:%{public}s, bundleName:%{public}s",
747 provisionBundleName.c_str(), bundleName.c_str());
748 return ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE;
749 }
750
CollectProvisionInfo(const Security::Verify::ProvisionInfo & provisionInfo,const AppPrivilegeCapability & appPrivilegeCapability,InnerBundleInfo & newInfo)751 void BundleInstallChecker::CollectProvisionInfo(
752 const Security::Verify::ProvisionInfo &provisionInfo,
753 const AppPrivilegeCapability &appPrivilegeCapability,
754 InnerBundleInfo &newInfo)
755 {
756 newInfo.SetProvisionId(provisionInfo.appId);
757 newInfo.SetAppFeature(provisionInfo.bundleInfo.appFeature);
758 newInfo.SetAppPrivilegeLevel(provisionInfo.bundleInfo.apl);
759 newInfo.SetAllowedAcls(provisionInfo.acls.allowedAcls);
760 newInfo.SetCertificateFingerprint(provisionInfo.fingerprint);
761 newInfo.SetAppDistributionType(GetAppDistributionType(provisionInfo.distributionType));
762 newInfo.SetAppProvisionType(GetAppProvisionType(provisionInfo.type));
763 SetAppProvisionMetadata(provisionInfo.metadatas, newInfo);
764 #ifdef USE_PRE_BUNDLE_PROFILE
765 newInfo.SetUserDataClearable(appPrivilegeCapability.userDataClearable);
766 newInfo.SetHideDesktopIcon(appPrivilegeCapability.hideDesktopIcon);
767 newInfo.SetFormVisibleNotify(appPrivilegeCapability.formVisibleNotify);
768 newInfo.SetAllowMultiProcess(appPrivilegeCapability.allowMultiProcess);
769 #endif
770 newInfo.AddOldAppId(newInfo.GetAppId());
771 newInfo.SetAppIdentifier(provisionInfo.bundleInfo.appIdentifier);
772 }
773
SetAppProvisionMetadata(const std::vector<Security::Verify::Metadata> & provisionMetadatas,InnerBundleInfo & newInfo)774 void BundleInstallChecker::SetAppProvisionMetadata(const std::vector<Security::Verify::Metadata> &provisionMetadatas,
775 InnerBundleInfo &newInfo)
776 {
777 if (provisionMetadatas.empty()) {
778 LOG_E(BMS_TAG_INSTALLER, "provisionMetadatas is empty");
779 return;
780 }
781 std::vector<Metadata> metadatas;
782 for (const auto &it : provisionMetadatas) {
783 Metadata metadata;
784 metadata.name = it.name;
785 metadata.value = it.value;
786 metadatas.emplace_back(metadata);
787 }
788 newInfo.SetAppProvisionMetadata(metadatas);
789 }
790
GetPrivilegeCapability(const InstallCheckParam & checkParam,InnerBundleInfo & newInfo)791 void BundleInstallChecker::GetPrivilegeCapability(
792 const InstallCheckParam &checkParam, InnerBundleInfo &newInfo)
793 {
794 // Reset privilege capability
795 newInfo.SetKeepAlive(false);
796 newInfo.SetSingleton(false);
797
798 newInfo.SetRemovable(checkParam.removable);
799 PreBundleConfigInfo preBundleConfigInfo;
800 preBundleConfigInfo.bundleName = newInfo.GetBundleName();
801 if (!BMSEventHandler::GetPreInstallCapability(preBundleConfigInfo)) {
802 LOG_D(BMS_TAG_INSTALLER, "%{public}s not exist in preinstall capability list", newInfo.GetBundleName().c_str());
803 return;
804 }
805
806 if (!MatchSignature(preBundleConfigInfo.appSignature, newInfo.GetCertificateFingerprint()) &&
807 !MatchSignature(preBundleConfigInfo.appSignature, newInfo.GetAppId()) &&
808 !MatchSignature(preBundleConfigInfo.appSignature, newInfo.GetAppIdentifier()) &&
809 !MatchOldSignatures(newInfo.GetBundleName(), preBundleConfigInfo.appSignature)) {
810 LOG_E(BMS_TAG_INSTALLER, "%{public}s signature not match the capability list", newInfo.GetBundleName().c_str());
811 return;
812 }
813
814 newInfo.SetKeepAlive(preBundleConfigInfo.keepAlive);
815 newInfo.SetSingleton(preBundleConfigInfo.singleton);
816 newInfo.SetRunningResourcesApply(preBundleConfigInfo.runningResourcesApply);
817 newInfo.SetAssociatedWakeUp(preBundleConfigInfo.associatedWakeUp);
818 newInfo.SetAllowCommonEvent(preBundleConfigInfo.allowCommonEvent);
819 newInfo.SetResourcesApply(preBundleConfigInfo.resourcesApply);
820 newInfo.SetAllowAppRunWhenDeviceFirstLocked(preBundleConfigInfo.allowAppRunWhenDeviceFirstLocked);
821 newInfo.SetAllowEnableNotification(preBundleConfigInfo.allowEnableNotification);
822 }
823
SetPackInstallationFree(BundlePackInfo & bundlePackInfo,const InnerBundleInfo & innerBundleInfo) const824 void BundleInstallChecker::SetPackInstallationFree(BundlePackInfo &bundlePackInfo,
825 const InnerBundleInfo &innerBundleInfo) const
826 {
827 if (innerBundleInfo.GetIsNewVersion()) {
828 if (innerBundleInfo.GetApplicationBundleType() != BundleType::ATOMIC_SERVICE) {
829 for (auto &item : bundlePackInfo.summary.modules) {
830 item.distro.installationFree = false;
831 }
832 return;
833 }
834 for (auto &item : bundlePackInfo.summary.modules) {
835 item.distro.installationFree = true;
836 }
837 }
838 }
839
ParseBundleInfo(const std::string & bundleFilePath,InnerBundleInfo & info,BundlePackInfo & packInfo)840 ErrCode BundleInstallChecker::ParseBundleInfo(
841 const std::string &bundleFilePath,
842 InnerBundleInfo &info,
843 BundlePackInfo &packInfo)
844 {
845 BundleParser bundleParser;
846 ErrCode result = bundleParser.Parse(bundleFilePath, info);
847 if (result != ERR_OK) {
848 LOG_E(BMS_TAG_INSTALLER, "parse bundle info failed, error: %{public}d", result);
849 if (result == ERR_APPEXECFWK_PARSE_NATIVE_SO_FAILED) {
850 std::string resultMsg = "In the module named " + info.GetCurrentModulePackage() +
851 ", the Abi type supported by the device does not match the Abi type configured in the C++ project.";
852 LOG_E(BMS_TAG_INSTALLER, "%{public}s", resultMsg.c_str());
853 SetCheckResultMsg(resultMsg);
854 }
855 return result;
856 }
857
858 const auto extensions = info.GetInnerExtensionInfos();
859 for (const auto &item : extensions) {
860 if (item.second.type == ExtensionAbilityType::UNSPECIFIED &&
861 !BMSEventHandler::CheckExtensionTypeInConfig(item.second.extensionTypeName)) {
862 LOG_W(BMS_TAG_INSTALLER, "Parse error, There is no corresponding type in the configuration");
863 }
864 }
865
866 if (!packInfo.GetValid()) {
867 result = bundleParser.ParsePackInfo(bundleFilePath, packInfo);
868 if (result != ERR_OK) {
869 LOG_E(BMS_TAG_INSTALLER, "parse bundle pack info failed, error: %{public}d", result);
870 return result;
871 }
872
873 SetPackInstallationFree(packInfo, info);
874 info.SetBundlePackInfo(packInfo);
875 packInfo.SetValid(true);
876 }
877
878 return ERR_OK;
879 }
880
SetEntryInstallationFree(const BundlePackInfo & bundlePackInfo,InnerBundleInfo & innerBundleInfo)881 void BundleInstallChecker::SetEntryInstallationFree(
882 const BundlePackInfo &bundlePackInfo,
883 InnerBundleInfo &innerBundleInfo)
884 {
885 if (!bundlePackInfo.GetValid()) {
886 LOG_W(BMS_TAG_INSTALLER, "no pack.info in the hap file");
887 return;
888 }
889
890 auto packageModule = bundlePackInfo.summary.modules;
891 auto installationFree = std::any_of(packageModule.begin(), packageModule.end(), [&](const auto &module) {
892 return module.distro.moduleType == "entry" && module.distro.installationFree;
893 });
894 if (installationFree) {
895 LOG_I(BMS_TAG_INSTALLER, "install or update hm service");
896 }
897 if (innerBundleInfo.GetIsNewVersion()) {
898 installationFree = innerBundleInfo.GetApplicationBundleType() == BundleType::ATOMIC_SERVICE;
899 }
900
901 innerBundleInfo.SetEntryInstallationFree(installationFree);
902 if (installationFree && !innerBundleInfo.GetIsNewVersion()) {
903 innerBundleInfo.SetApplicationBundleType(BundleType::ATOMIC_SERVICE);
904 }
905 }
906
CheckSystemSize(const std::string & bundlePath,const Constants::AppType appType) const907 ErrCode BundleInstallChecker::CheckSystemSize(
908 const std::string &bundlePath,
909 const Constants::AppType appType) const
910 {
911 if ((appType == Constants::AppType::SYSTEM_APP) &&
912 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
913 return ERR_OK;
914 }
915
916 if ((appType == Constants::AppType::THIRD_SYSTEM_APP) &&
917 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
918 return ERR_OK;
919 }
920
921 if ((appType == Constants::AppType::THIRD_PARTY_APP) &&
922 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
923 return ERR_OK;
924 }
925
926 LOG_E(BMS_TAG_INSTALLER, "install failed due to insufficient disk memory");
927 return ERR_APPEXECFWK_INSTALL_DISK_MEM_INSUFFICIENT;
928 }
929
CheckHapHashParams(std::unordered_map<std::string,InnerBundleInfo> & infos,std::map<std::string,std::string> hashParams)930 ErrCode BundleInstallChecker::CheckHapHashParams(
931 std::unordered_map<std::string, InnerBundleInfo> &infos,
932 std::map<std::string, std::string> hashParams)
933 {
934 if (hashParams.empty()) {
935 LOG_D(BMS_TAG_INSTALLER, "hashParams is empty");
936 return ERR_OK;
937 }
938
939 std::vector<std::string> hapModuleNames;
940 for (auto &info : infos) {
941 std::vector<std::string> moduleNames;
942 info.second.GetModuleNames(moduleNames);
943 if (moduleNames.empty()) {
944 LOG_E(BMS_TAG_INSTALLER, "hap(%{public}s) moduleName is empty", info.first.c_str());
945 return ERR_APPEXECFWK_INSTALL_FAILED_MODULE_NAME_EMPTY;
946 }
947
948 if (std::find(hapModuleNames.begin(), hapModuleNames.end(), moduleNames[0]) != hapModuleNames.end()) {
949 LOG_E(BMS_TAG_INSTALLER, "hap moduleName(%{public}s) duplicate", moduleNames[0].c_str());
950 return ERR_APPEXECFWK_INSTALL_FAILED_MODULE_NAME_DUPLICATE;
951 }
952
953 hapModuleNames.emplace_back(moduleNames[0]);
954 auto hashParamIter = hashParams.find(moduleNames[0]);
955 if (hashParamIter != hashParams.end()) {
956 info.second.SetModuleHashValue(hashParamIter->second);
957 hashParams.erase(hashParamIter);
958 }
959 }
960
961 if (!hashParams.empty()) {
962 LOG_E(BMS_TAG_INSTALLER, "Some hashParam moduleName is not exist in hap moduleNames");
963 return ERR_APPEXECFWK_INSTALL_FAILED_CHECK_HAP_HASH_PARAM;
964 }
965
966 return ERR_OK;
967 }
968
GetValidReleaseType(const std::unordered_map<std::string,InnerBundleInfo> & infos)969 std::tuple<bool, std::string, std::string> BundleInstallChecker::GetValidReleaseType(
970 const std::unordered_map<std::string, InnerBundleInfo> &infos)
971 {
972 if (infos.empty()) {
973 LOG_E(BMS_TAG_INSTALLER, "infos is empty");
974 return std::make_tuple(false, "", "");
975 }
976 for (const auto &info : infos) {
977 if (!info.second.IsHsp()) {
978 return std::make_tuple(false, info.second.GetCurModuleName(), info.second.GetReleaseType());
979 }
980 }
981 return std::make_tuple(true, (infos.begin()->second).GetCurModuleName(),
982 (infos.begin()->second).GetReleaseType());
983 }
984
CheckAppLabelInfo(const std::unordered_map<std::string,InnerBundleInfo> & infos)985 ErrCode BundleInstallChecker::CheckAppLabelInfo(
986 const std::unordered_map<std::string, InnerBundleInfo> &infos)
987 {
988 LOG_D(BMS_TAG_INSTALLER, "Check APP label");
989 ErrCode ret = ERR_OK;
990 std::string bundleName = (infos.begin()->second).GetBundleName();
991 uint32_t versionCode = (infos.begin()->second).GetVersionCode();
992 auto [isHsp, moduleName, releaseType] = GetValidReleaseType(infos);
993 bool singleton = (infos.begin()->second).IsSingleton();
994 Constants::AppType appType = (infos.begin()->second).GetAppType();
995 bool isStage = (infos.begin()->second).GetIsNewVersion();
996 const std::string targetBundleName = (infos.begin()->second).GetTargetBundleName();
997 int32_t targetPriority = (infos.begin()->second).GetTargetPriority();
998 BundleType bundleType = (infos.begin()->second).GetApplicationBundleType();
999 bool isHmService = (infos.begin()->second).GetEntryInstallationFree();
1000 bool debug = (infos.begin()->second).GetBaseApplicationInfo().debug;
1001 bool hasEntry = (infos.begin()->second).HasEntry();
1002 bool isSameDebugType = true;
1003 bool entryDebug = hasEntry ? debug : false;
1004
1005 for (const auto &info : infos) {
1006 // check bundleName
1007 if (bundleName != info.second.GetBundleName()) {
1008 LOG_E(BMS_TAG_INSTALLER, "bundleName not same");
1009 return ERR_APPEXECFWK_INSTALL_BUNDLENAME_NOT_SAME;
1010 }
1011 // check version
1012 if (bundleType != BundleType::SHARED) {
1013 if (versionCode != info.second.GetVersionCode()) {
1014 LOG_E(BMS_TAG_INSTALLER, "versionCode not same");
1015 return ERR_APPEXECFWK_INSTALL_VERSIONCODE_NOT_SAME;
1016 }
1017 }
1018 // check release type
1019 if (releaseType != info.second.GetReleaseType()) {
1020 LOG_W(BMS_TAG_INSTALLER, "releaseType not same: [%{public}s, %{public}s] vs [%{public}s, %{public}s]",
1021 moduleName.c_str(), releaseType.c_str(),
1022 info.second.GetCurModuleName().c_str(), info.second.GetReleaseType().c_str());
1023 if (!isHsp && !info.second.IsHsp()) {
1024 LOG_E(BMS_TAG_INSTALLER, "releaseType not same");
1025 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_NOT_SAME;
1026 }
1027 }
1028 if (singleton != info.second.IsSingleton()) {
1029 LOG_E(BMS_TAG_INSTALLER, "singleton not same");
1030 return ERR_APPEXECFWK_INSTALL_SINGLETON_NOT_SAME;
1031 }
1032 if (appType != info.second.GetAppType()) {
1033 LOG_E(BMS_TAG_INSTALLER, "appType not same");
1034 return ERR_APPEXECFWK_INSTALL_APPTYPE_NOT_SAME;
1035 }
1036 // check model type(FA or stage)
1037 if (isStage != info.second.GetIsNewVersion()) {
1038 LOG_E(BMS_TAG_INSTALLER, "must be all FA model or all stage model");
1039 return ERR_APPEXECFWK_INSTALL_STATE_ERROR;
1040 }
1041 if (targetBundleName != info.second.GetTargetBundleName()) {
1042 LOG_E(BMS_TAG_INSTALLER, "targetBundleName not same");
1043 return ERR_BUNDLEMANAGER_OVERLAY_INSTALLATION_FAILED_TARGET_BUNDLE_NAME_NOT_SAME;
1044 }
1045 if (targetPriority != info.second.GetTargetPriority()) {
1046 LOG_E(BMS_TAG_INSTALLER, "targetPriority not same");
1047 return ERR_BUNDLEMANAGER_OVERLAY_INSTALLATION_FAILED_TARGET_PRIORITY_NOT_SAME;
1048 }
1049 if (bundleType != info.second.GetApplicationBundleType()) {
1050 LOG_E(BMS_TAG_INSTALLER, "bundleType not same");
1051 return ERR_APPEXECFWK_BUNDLE_TYPE_NOT_SAME;
1052 }
1053 if (isHmService != info.second.GetEntryInstallationFree()) {
1054 LOG_E(BMS_TAG_INSTALLER, "application and hm service are not allowed installed simultaneously");
1055 return ERR_APPEXECFWK_INSTALL_TYPE_ERROR;
1056 }
1057 if (debug != info.second.GetBaseApplicationInfo().debug) {
1058 LOG_E(BMS_TAG_INSTALLER, "debug not same");
1059 isSameDebugType = false;
1060 }
1061 if (!hasEntry) {
1062 hasEntry = info.second.HasEntry();
1063 entryDebug = info.second.GetBaseApplicationInfo().debug;
1064 }
1065 }
1066
1067 if (hasEntry && !entryDebug && (debug || !isSameDebugType)) {
1068 LOG_E(BMS_TAG_INSTALLER, "debug type not same");
1069 return ERR_APPEXECFWK_INSTALL_DEBUG_NOT_SAME;
1070 }
1071 LOG_D(BMS_TAG_INSTALLER, "finish check APP label");
1072 return ret;
1073 }
1074
CheckMultiNativeFile(std::unordered_map<std::string,InnerBundleInfo> & infos)1075 ErrCode BundleInstallChecker::CheckMultiNativeFile(
1076 std::unordered_map<std::string, InnerBundleInfo> &infos)
1077 {
1078 ErrCode result = CheckMultiNativeSo(infos);
1079 if (result != ERR_OK) {
1080 LOG_E(BMS_TAG_INSTALLER, "Check multi nativeSo failed, result: %{public}d", result);
1081 return result;
1082 }
1083
1084 result = CheckMultiArkNativeFile(infos);
1085 if (result != ERR_OK) {
1086 LOG_E(BMS_TAG_INSTALLER, "Check multi arkNativeFile failed, result: %{public}d", result);
1087 return result;
1088 }
1089
1090 return ERR_OK;
1091 }
1092
CheckMultiArkNativeFile(std::unordered_map<std::string,InnerBundleInfo> & infos)1093 ErrCode BundleInstallChecker::CheckMultiArkNativeFile(
1094 std::unordered_map<std::string, InnerBundleInfo> &infos)
1095 {
1096 std::string arkNativeFileAbi = (infos.begin()->second).GetArkNativeFileAbi();
1097 for (const auto &info : infos) {
1098 if (info.second.GetArkNativeFileAbi().empty()) {
1099 continue;
1100 }
1101 if (arkNativeFileAbi.empty()) {
1102 arkNativeFileAbi = info.second.GetArkNativeFileAbi();
1103 continue;
1104 }
1105 }
1106
1107 // Ensure the an is consistent in multiple haps
1108 if (!arkNativeFileAbi.empty()) {
1109 for (auto &info : infos) {
1110 info.second.SetArkNativeFileAbi(arkNativeFileAbi);
1111 }
1112 }
1113
1114 return ERR_OK;
1115 }
1116
CheckMultiNativeSo(std::unordered_map<std::string,InnerBundleInfo> & infos)1117 ErrCode BundleInstallChecker::CheckMultiNativeSo(
1118 std::unordered_map<std::string, InnerBundleInfo> &infos)
1119 {
1120 std::string nativeLibraryPath = (infos.begin()->second).GetNativeLibraryPath();
1121 std::string cpuAbi = (infos.begin()->second).GetCpuAbi();
1122 for (const auto &info : infos) {
1123 if (info.second.GetNativeLibraryPath().empty()) {
1124 continue;
1125 }
1126 if (nativeLibraryPath.empty()) {
1127 nativeLibraryPath = info.second.GetNativeLibraryPath();
1128 cpuAbi = info.second.GetCpuAbi();
1129 continue;
1130 }
1131 }
1132
1133 // Ensure the so is consistent in multiple haps
1134 if (!nativeLibraryPath.empty()) {
1135 for (auto &info : infos) {
1136 info.second.SetNativeLibraryPath(nativeLibraryPath);
1137 info.second.SetCpuAbi(cpuAbi);
1138 }
1139 }
1140
1141 return ERR_OK;
1142 }
1143
ResetProperties()1144 void BundleInstallChecker::ResetProperties()
1145 {
1146 isContainEntry_ = false;
1147 }
1148
ParseAppPrivilegeCapability(const Security::Verify::ProvisionInfo & provisionInfo,AppPrivilegeCapability & appPrivilegeCapability)1149 void BundleInstallChecker::ParseAppPrivilegeCapability(
1150 const Security::Verify::ProvisionInfo &provisionInfo,
1151 AppPrivilegeCapability &appPrivilegeCapability)
1152 {
1153 for (const auto &appPrivilege : provisionInfo.appPrivilegeCapabilities) {
1154 auto iter = PRIVILEGE_MAP.find(appPrivilege);
1155 if (iter != PRIVILEGE_MAP.end()) {
1156 iter->second(appPrivilegeCapability);
1157 }
1158 }
1159 LOG_D(BMS_TAG_INSTALLER, "AppPrivilegeCapability %{public}s",
1160 appPrivilegeCapability.ToString().c_str());
1161 #ifndef USE_PRE_BUNDLE_PROFILE
1162 appPrivilegeCapability.allowMultiProcess = true;
1163 appPrivilegeCapability.allowUsePrivilegeExtension = true;
1164 #endif
1165 }
1166
CheckModuleNameForMulitHaps(const std::unordered_map<std::string,InnerBundleInfo> & infos)1167 ErrCode BundleInstallChecker::CheckModuleNameForMulitHaps(
1168 const std::unordered_map<std::string, InnerBundleInfo> &infos)
1169 {
1170 std::set<std::string> moduleSet;
1171 for (const auto &info : infos) {
1172 std::vector<std::string> moduleVec = info.second.GetDistroModuleName();
1173 if (moduleVec.empty()) {
1174 LOG_E(BMS_TAG_INSTALLER, "moduleName vector is empty");
1175 return ERR_APPEXECFWK_INSTALL_INTERNAL_ERROR;
1176 }
1177 if (moduleSet.count(moduleVec[0])) {
1178 LOG_E(BMS_TAG_INSTALLER, "the moduleName: %{public}s is not unique in the haps", moduleVec[0].c_str());
1179 SetCheckResultMsg("the moduleName: " + moduleVec[0] + " is not unique in the haps");
1180 return ERR_APPEXECFWK_INSTALL_NOT_UNIQUE_DISTRO_MODULE_NAME;
1181 }
1182 moduleSet.insert(moduleVec[0]);
1183 }
1184 return ERR_OK;
1185 }
1186
IsExistedDistroModule(const InnerBundleInfo & newInfo,const InnerBundleInfo & info) const1187 bool BundleInstallChecker::IsExistedDistroModule(const InnerBundleInfo &newInfo, const InnerBundleInfo &info) const
1188 {
1189 std::string moduleName = newInfo.GetCurModuleName();
1190 std::string packageName = newInfo.GetCurrentModulePackage();
1191 if (packageName.empty() || moduleName.empty()) {
1192 LOG_E(BMS_TAG_INSTALLER, "IsExistedDistroModule failed due to invalid packageName or moduleName");
1193 return false;
1194 }
1195 std::string oldModuleName = info.GetModuleNameByPackage(packageName);
1196 // if FA update to Stage, allow module name inconsistent
1197 bool isFAToStage = !info.GetIsNewVersion() && newInfo.GetIsNewVersion();
1198 if (!isFAToStage) {
1199 // if not FA update to Stage, check consistency of module name
1200 if (moduleName.compare(oldModuleName) != 0) {
1201 LOG_E(BMS_TAG_INSTALLER, "no moduleName in the innerModuleInfo");
1202 return false;
1203 }
1204 }
1205 // check consistency of module type
1206 std::string newModuleType = newInfo.GetModuleTypeByPackage(packageName);
1207 std::string oldModuleType = info.GetModuleTypeByPackage(packageName);
1208 if (newModuleType.compare(oldModuleType) != 0) {
1209 LOG_E(BMS_TAG_INSTALLER, "moduleType is different between the new hap and the original hap");
1210 return false;
1211 }
1212
1213 return true;
1214 }
1215
IsContainModuleName(const InnerBundleInfo & newInfo,const InnerBundleInfo & info) const1216 bool BundleInstallChecker::IsContainModuleName(const InnerBundleInfo &newInfo, const InnerBundleInfo &info) const
1217 {
1218 std::string moduleName = newInfo.GetCurModuleName();
1219 std::vector<std::string> moduleVec = info.GetDistroModuleName();
1220 if (moduleName.empty() || moduleVec.empty()) {
1221 LOG_E(BMS_TAG_INSTALLER, "IsContainModuleName failed due to invalid moduleName or modulevec");
1222 return false;
1223 }
1224 return (find(moduleVec.cbegin(), moduleVec.cend(), moduleName) == moduleVec.cend()) ? false : true;
1225 }
1226
CheckMainElement(const InnerBundleInfo & info)1227 ErrCode BundleInstallChecker::CheckMainElement(const InnerBundleInfo &info)
1228 {
1229 const std::map<std::string, InnerModuleInfo> &innerModuleInfos = info.GetInnerModuleInfos();
1230 if (innerModuleInfos.empty()) {
1231 return ERR_OK;
1232 }
1233 if (innerModuleInfos.cbegin()->second.distro.moduleType == Profile::MODULE_TYPE_SHARED) {
1234 return ERR_OK;
1235 }
1236 if (info.GetEntryInstallationFree() && innerModuleInfos.cbegin()->second.mainAbility.empty()) {
1237 LOG_E(BMS_TAG_INSTALLER, "atomic service's mainElement can't be empty");
1238 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1239 }
1240 return ERR_OK;
1241 }
1242
GetPrivilegeCapabilityValue(const std::vector<std::string> & existInJson,const std::string & key,bool existInPreJson,bool existInProvision)1243 bool BundleInstallChecker::GetPrivilegeCapabilityValue(
1244 const std::vector<std::string> &existInJson,
1245 const std::string &key,
1246 bool existInPreJson,
1247 bool existInProvision)
1248 {
1249 if (find(existInJson.cbegin(), existInJson.cend(), key) != existInJson.cend()) {
1250 return existInPreJson;
1251 }
1252 return existInProvision;
1253 }
1254
FetchPrivilegeCapabilityFromPreConfig(const std::string & bundleName,const std::vector<std::string> & appSignatures,AppPrivilegeCapability & appPrivilegeCapability)1255 void BundleInstallChecker::FetchPrivilegeCapabilityFromPreConfig(
1256 const std::string &bundleName,
1257 const std::vector<std::string> &appSignatures,
1258 AppPrivilegeCapability &appPrivilegeCapability)
1259 {
1260 #ifdef USE_PRE_BUNDLE_PROFILE
1261 LOG_D(BMS_TAG_INSTALLER, "bundleName: %{public}s, FetchPrivilegeCapabilityFromPreConfig start", bundleName.c_str());
1262 PreBundleConfigInfo configInfo;
1263 configInfo.bundleName = bundleName;
1264 if (!BMSEventHandler::GetPreInstallCapability(configInfo)) {
1265 LOG_D(BMS_TAG_INSTALLER, "bundleName: %{public}s is not exist in pre install capability list",
1266 bundleName.c_str());
1267 return;
1268 }
1269 bool match = false;
1270 for (const auto &signature : appSignatures) {
1271 if (MatchSignature(configInfo.appSignature, signature)) {
1272 match = true;
1273 break;
1274 }
1275 }
1276 if (!match && !MatchOldSignatures(bundleName, configInfo.appSignature)) {
1277 LOG_NOFUNC_E(BMS_TAG_INSTALLER, "bundleName: %{public}s signature verify failed in capability list",
1278 bundleName.c_str());
1279 return;
1280 }
1281
1282 appPrivilegeCapability.allowUsePrivilegeExtension = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1283 ALLOW_APP_USE_PRIVILEGE_EXTENSION,
1284 configInfo.allowUsePrivilegeExtension, appPrivilegeCapability.allowUsePrivilegeExtension);
1285
1286 appPrivilegeCapability.allowMultiProcess = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1287 ALLOW_APP_MULTI_PROCESS, configInfo.allowMultiProcess, appPrivilegeCapability.allowMultiProcess);
1288
1289 appPrivilegeCapability.hideDesktopIcon = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1290 ALLOW_APP_DESKTOP_ICON_HIDE, configInfo.hideDesktopIcon, appPrivilegeCapability.hideDesktopIcon);
1291
1292 appPrivilegeCapability.allowQueryPriority = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1293 ALLOW_ABILITY_PRIORITY_QUERIED, configInfo.allowQueryPriority, appPrivilegeCapability.allowQueryPriority);
1294
1295 appPrivilegeCapability.allowExcludeFromMissions = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1296 ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS,
1297 configInfo.allowExcludeFromMissions, appPrivilegeCapability.allowExcludeFromMissions);
1298
1299 appPrivilegeCapability.allowMissionNotCleared = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1300 ALLOW_MISSION_NOT_CLEARED, configInfo.allowMissionNotCleared, appPrivilegeCapability.allowMissionNotCleared);
1301
1302 appPrivilegeCapability.formVisibleNotify = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1303 ALLOW_FORM_VISIBLE_NOTIFY, configInfo.formVisibleNotify, appPrivilegeCapability.formVisibleNotify);
1304
1305 appPrivilegeCapability.userDataClearable = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1306 ALLOW_APP_DATA_NOT_CLEARED, configInfo.userDataClearable, appPrivilegeCapability.userDataClearable);
1307
1308 appPrivilegeCapability.appShareLibrary = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1309 ALLOW_APP_SHARE_LIBRARY, configInfo.appShareLibrary, appPrivilegeCapability.appShareLibrary);
1310
1311 appPrivilegeCapability.allowEnableNotification = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1312 ALLOW_ENABLE_NOTIFICATION, configInfo.allowEnableNotification, appPrivilegeCapability.allowEnableNotification);
1313 LOG_D(BMS_TAG_INSTALLER, "AppPrivilegeCapability %{public}s", appPrivilegeCapability.ToString().c_str());
1314 #endif
1315 }
1316
MatchOldSignatures(const std::string & bundleName,const std::vector<std::string> & appSignatures)1317 bool BundleInstallChecker::MatchOldSignatures(const std::string &bundleName,
1318 const std::vector<std::string> &appSignatures)
1319 {
1320 std::vector<std::string> oldAppIds;
1321 std::shared_ptr<BundleDataMgr> dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
1322 if (!dataMgr->GetOldAppIds(bundleName, oldAppIds)) {
1323 LOG_D(BMS_TAG_INSTALLER, "Get OldAppIds failed");
1324 return false;
1325 }
1326 for (const auto &signature : appSignatures) {
1327 if (std::find(oldAppIds.begin(), oldAppIds.end(), signature) != oldAppIds.end()) {
1328 return true;
1329 }
1330 }
1331
1332 return false;
1333 }
1334
MatchSignature(const std::vector<std::string> & appSignatures,const std::string & signature)1335 bool BundleInstallChecker::MatchSignature(
1336 const std::vector<std::string> &appSignatures, const std::string &signature)
1337 {
1338 if (appSignatures.empty() || signature.empty()) {
1339 LOG_NOFUNC_W(BMS_TAG_INSTALLER, "appSignature of signature is empty");
1340 return false;
1341 }
1342
1343 return std::find(
1344 appSignatures.begin(), appSignatures.end(), signature) != appSignatures.end();
1345 }
1346
ProcessBundleInfoByPrivilegeCapability(const AppPrivilegeCapability & appPrivilegeCapability,InnerBundleInfo & innerBundleInfo)1347 ErrCode BundleInstallChecker::ProcessBundleInfoByPrivilegeCapability(
1348 const AppPrivilegeCapability &appPrivilegeCapability,
1349 InnerBundleInfo &innerBundleInfo)
1350 {
1351 // process application
1352 ApplicationInfo applicationInfo = innerBundleInfo.GetBaseApplicationInfo();
1353 if (!appPrivilegeCapability.allowMultiProcess || applicationInfo.process.empty()) {
1354 applicationInfo.process = applicationInfo.bundleName;
1355 }
1356 applicationInfo.allowEnableNotification = appPrivilegeCapability.allowEnableNotification;
1357 applicationInfo.allowArkTsLargeHeap = appPrivilegeCapability.allowArkTsLargeHeap;
1358 innerBundleInfo.SetBaseApplicationInfo(applicationInfo);
1359 BundleInfo bundleInfo = innerBundleInfo.GetBaseBundleInfo();
1360 // process allow app share library
1361 if (applicationInfo.bundleType == BundleType::SHARED && !appPrivilegeCapability.appShareLibrary) {
1362 LOG_E(BMS_TAG_INSTALLER, "not allow app share library");
1363 return ERR_APPEXECFWK_INSTALL_SHARE_APP_LIBRARY_NOT_ALLOWED;
1364 }
1365 // process ability
1366 auto &abilityInfos = innerBundleInfo.FetchAbilityInfos();
1367 for (auto iter = abilityInfos.begin(); iter != abilityInfos.end(); ++iter) {
1368 #ifdef USE_PRE_BUNDLE_PROFILE
1369 if (!appPrivilegeCapability.allowQueryPriority) {
1370 iter->second.priority = 0;
1371 }
1372 if (!appPrivilegeCapability.allowExcludeFromMissions) {
1373 iter->second.excludeFromMissions = false;
1374 }
1375 if (!appPrivilegeCapability.allowMissionNotCleared) {
1376 iter->second.unclearableMission = false;
1377 }
1378 #else
1379 if (!applicationInfo.isSystemApp || !bundleInfo.isPreInstallApp) {
1380 iter->second.priority = 0;
1381 iter->second.excludeFromMissions = false;
1382 }
1383 #endif
1384 }
1385 // process ExtensionAbility
1386 auto &innerExtensionInfos = innerBundleInfo.FetchInnerExtensionInfos();
1387 for (auto iter = innerExtensionInfos.begin(); iter != innerExtensionInfos.end(); ++iter) {
1388 bool privilegeType = IsPrivilegeExtensionAbilityType(iter->second.type);
1389 if (privilegeType && !appPrivilegeCapability.allowUsePrivilegeExtension) {
1390 LOG_E(BMS_TAG_INSTALLER, "not allow use privilege extension");
1391 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1392 }
1393
1394 bool systemType = IsSystemExtensionAbilityType(iter->second.type);
1395 if (systemType && !applicationInfo.isSystemApp) {
1396 LOG_E(BMS_TAG_INSTALLER, "not allow use system extension");
1397 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1398 }
1399
1400 #ifdef USE_PRE_BUNDLE_PROFILE
1401 if (!appPrivilegeCapability.allowQueryPriority) {
1402 iter->second.priority = 0;
1403 }
1404 #else
1405 if (!applicationInfo.isSystemApp || !bundleInfo.isPreInstallApp) {
1406 iter->second.priority = 0;
1407 }
1408 #endif
1409 if (appPrivilegeCapability.allowMultiProcess) {
1410 LOG_D(BMS_TAG_INSTALLER, "%{public}s support allowMultiProcess", iter->second.bundleName.c_str());
1411 auto hapModuleInfo = innerBundleInfo.GetInnerModuleInfoByModuleName(iter->second.moduleName);
1412 if (hapModuleInfo && !hapModuleInfo->process.empty()) {
1413 iter->second.process = hapModuleInfo->process;
1414 }
1415 }
1416 }
1417 // process InnerModuleInfo
1418 auto &innerModuleInfos = innerBundleInfo.FetchInnerModuleInfos();
1419 for (auto iter = innerModuleInfos.begin(); iter != innerModuleInfos.end(); ++iter) {
1420 if (iter->second.isModuleJson && (!appPrivilegeCapability.allowMultiProcess || iter->second.process.empty())) {
1421 iter->second.process = applicationInfo.bundleName;
1422 }
1423 }
1424 return ERR_OK;
1425 }
1426
CheckSupportAppTypes(const std::unordered_map<std::string,InnerBundleInfo> & infos,const std::string & supportAppTypes) const1427 bool BundleInstallChecker::CheckSupportAppTypes(
1428 const std::unordered_map<std::string, InnerBundleInfo> &infos, const std::string &supportAppTypes) const
1429 {
1430 LOG_D(BMS_TAG_INSTALLER, "supportAppTypes: %{public}s", supportAppTypes.c_str());
1431 std::vector<std::string> appTypesVec;
1432 OHOS::SplitStr(supportAppTypes, SUPPORT_APP_TYPES_SEPARATOR, appTypesVec);
1433 if (find(appTypesVec.begin(), appTypesVec.end(), DEVICE_TYPE_OF_DEFAULT) != appTypesVec.end() &&
1434 find(appTypesVec.begin(), appTypesVec.end(), DEVICE_TYPE_OF_PHONE) == appTypesVec.end()) {
1435 appTypesVec.emplace_back(DEVICE_TYPE_OF_PHONE);
1436 }
1437 sort(appTypesVec.begin(), appTypesVec.end());
1438 for (const auto &info : infos) {
1439 std::vector<std::string> devVec = info.second.GetDeviceType(info.second.GetCurrentModulePackage());
1440 if (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_DEFAULT) != devVec.end() &&
1441 find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_PHONE) == devVec.end()) {
1442 devVec.emplace_back(DEVICE_TYPE_OF_PHONE);
1443 }
1444 sort(devVec.begin(), devVec.end());
1445 std::vector<std::string> intersectionVec;
1446 set_intersection(appTypesVec.begin(), appTypesVec.end(),
1447 devVec.begin(), devVec.end(), back_inserter(intersectionVec));
1448 if (intersectionVec.empty()) {
1449 LOG_W(BMS_TAG_INSTALLER, "check supportAppTypes failed");
1450 return false;
1451 }
1452 }
1453 return true;
1454 }
1455
CheckDeviceType(std::unordered_map<std::string,InnerBundleInfo> & infos) const1456 ErrCode BundleInstallChecker::CheckDeviceType(std::unordered_map<std::string, InnerBundleInfo> &infos) const
1457 {
1458 std::string supportAppTypes = OHOS::system::GetParameter(SUPPORT_APP_TYPES, "");
1459 if (!supportAppTypes.empty() && CheckSupportAppTypes(infos, supportAppTypes)) {
1460 return ERR_OK;
1461 }
1462 std::string deviceType = GetDeviceType();
1463 LOG_D(BMS_TAG_INSTALLER, "deviceType is %{public}s", deviceType.c_str());
1464 for (const auto &info : infos) {
1465 std::vector<std::string> devVec = info.second.GetDeviceType(info.second.GetCurrentModulePackage());
1466 if (devVec.empty()) {
1467 LOG_NOFUNC_W(BMS_TAG_INSTALLER, "deviceTypes is empty");
1468 continue;
1469 }
1470
1471 if ((deviceType == DEVICE_TYPE_OF_PHONE) &&
1472 (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_DEFAULT) != devVec.end())) {
1473 LOG_NOFUNC_W(BMS_TAG_INSTALLER, "current deviceType is phone and bundle is matched with default");
1474 continue;
1475 }
1476
1477 if ((deviceType == DEVICE_TYPE_OF_DEFAULT) &&
1478 (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_PHONE) != devVec.end())) {
1479 LOG_NOFUNC_W(BMS_TAG_INSTALLER, "current deviceType is default and bundle is matched with phone");
1480 continue;
1481 }
1482
1483 if (find(devVec.begin(), devVec.end(), deviceType) == devVec.end()) {
1484 LOG_NOFUNC_E(BMS_TAG_INSTALLER, "%{public}s is not supported", deviceType.c_str());
1485 return CheckRequiredDeviceFeatures(infos);
1486 }
1487 }
1488 return ERR_OK;
1489 }
1490
IsSubSet(const std::vector<std::string> & mainSet,const std::vector<std::string> & subSet) const1491 bool BundleInstallChecker::IsSubSet(
1492 const std::vector<std::string> &mainSet, const std::vector<std::string> &subSet) const
1493 {
1494 for (std::string item : subSet) {
1495 if (std::find(mainSet.begin(), mainSet.end(), item) == mainSet.end()) {
1496 LOG_NOFUNC_D(BMS_TAG_INSTALLER, "not SubSet: %{public}s", item.c_str());
1497 return false;
1498 }
1499 }
1500 return true;
1501 }
1502
CheckRequiredDeviceFeatures(std::unordered_map<std::string,InnerBundleInfo> & infos) const1503 ErrCode BundleInstallChecker::CheckRequiredDeviceFeatures(
1504 std::unordered_map<std::string, InnerBundleInfo> &infos) const
1505 {
1506 std::string providedDeviceFeaturesValue = OHOS::system::GetParameter(PROVIDED_DEVICE_FEATURES, "");
1507 LOG_NOFUNC_D(BMS_TAG_INSTALLER, "providedDeviceFeatures: %{public}s", providedDeviceFeaturesValue.c_str());
1508 if (providedDeviceFeaturesValue.empty()) {
1509 LOG_NOFUNC_W(BMS_TAG_INSTALLER, "providedDeviceFeatures empty");
1510 return ERR_APPEXECFWK_INSTALL_DEVICE_TYPE_NOT_SUPPORTED;
1511 }
1512 std::vector<std::string> providedDeviceFeatures;
1513 OHOS::SplitStr(providedDeviceFeaturesValue, SUPPORT_APP_TYPES_SEPARATOR, providedDeviceFeatures);
1514
1515 std::string deviceType = GetDeviceType();
1516 LOG_D(BMS_TAG_INSTALLER, "deviceType is %{public}s", deviceType.c_str());
1517 for (const auto &info : infos) {
1518 auto requiredDeviceFeatures = info.second.GetRequiredDeviceFeatures(info.second.GetCurrentModulePackage());
1519 auto it = requiredDeviceFeatures.find(deviceType);
1520 if (it == requiredDeviceFeatures.end()) {
1521 LOG_NOFUNC_W(BMS_TAG_INSTALLER, "requiredDeviceFeatures not support: %{public}s", deviceType.c_str());
1522 return ERR_APPEXECFWK_INSTALL_DEVICE_TYPE_NOT_SUPPORTED;
1523 }
1524 if (!IsSubSet(providedDeviceFeatures, it->second)) {
1525 LOG_NOFUNC_W(BMS_TAG_INSTALLER, "requiredDeviceFeatures not in provided");
1526 return ERR_APPEXECFWK_INSTALL_DEVICE_TYPE_NOT_SUPPORTED;
1527 }
1528 }
1529 return ERR_OK;
1530 }
1531
ConvertToAppProvisionInfo(const Security::Verify::ProvisionInfo & provisionInfo) const1532 AppProvisionInfo BundleInstallChecker::ConvertToAppProvisionInfo(
1533 const Security::Verify::ProvisionInfo &provisionInfo) const
1534 {
1535 AppProvisionInfo appProvisionInfo;
1536 appProvisionInfo.versionCode = provisionInfo.versionCode;
1537 appProvisionInfo.versionName = provisionInfo.versionName;
1538 if (provisionInfo.type == Security::Verify::ProvisionType::DEBUG) {
1539 appProvisionInfo.type = Constants::APP_PROVISION_TYPE_DEBUG;
1540 appProvisionInfo.certificate = provisionInfo.bundleInfo.developmentCertificate;
1541 } else {
1542 appProvisionInfo.type = Constants::APP_PROVISION_TYPE_RELEASE;
1543 appProvisionInfo.certificate = provisionInfo.bundleInfo.distributionCertificate;
1544 }
1545 appProvisionInfo.appDistributionType = GetAppDistributionType(provisionInfo.distributionType);
1546 appProvisionInfo.apl = provisionInfo.bundleInfo.apl.empty() ? APL_NORMAL : provisionInfo.bundleInfo.apl;
1547 appProvisionInfo.developerId = provisionInfo.bundleInfo.developerId;
1548 appProvisionInfo.issuer = provisionInfo.issuer;
1549 appProvisionInfo.uuid = provisionInfo.uuid;
1550 appProvisionInfo.validity.notBefore = provisionInfo.validity.notBefore;
1551 appProvisionInfo.validity.notAfter = provisionInfo.validity.notAfter;
1552 appProvisionInfo.appIdentifier = provisionInfo.bundleInfo.appIdentifier;
1553 appProvisionInfo.appServiceCapabilities = provisionInfo.appServiceCapabilities;
1554 appProvisionInfo.organization = provisionInfo.organization;
1555 return appProvisionInfo;
1556 }
1557
GetBundleNameFromUri(const std::string & uri)1558 std::string GetBundleNameFromUri(const std::string &uri)
1559 {
1560 std::size_t firstSlashPos = uri.find(DOUBLE_SLASH);
1561 if (firstSlashPos == std::string::npos) {
1562 LOG_E(BMS_TAG_INSTALLER, "dataproxy uri is invalid");
1563 return Constants::EMPTY_STRING;
1564 }
1565
1566 std::size_t secondSlashPos = uri.find(SLASH, firstSlashPos + SLAH_OFFSET);
1567 if (secondSlashPos == std::string::npos) {
1568 LOG_E(BMS_TAG_INSTALLER, "dataproxy uri is invalid");
1569 return Constants::EMPTY_STRING;
1570 }
1571
1572 std::string bundleName = uri.substr(firstSlashPos + SLAH_OFFSET, secondSlashPos - firstSlashPos - SLAH_OFFSET);
1573 return bundleName;
1574 }
1575
CheckProxyPermissionLevel(const std::string & permissionName) const1576 bool BundleInstallChecker::CheckProxyPermissionLevel(const std::string &permissionName) const
1577 {
1578 // no permission name, only for self usage
1579 if (permissionName.empty()) {
1580 return true;
1581 }
1582 PermissionDef permissionDef;
1583 ErrCode ret = BundlePermissionMgr::GetPermissionDef(permissionName, permissionDef);
1584 if (ret != ERR_OK) {
1585 LOG_E(BMS_TAG_INSTALLER, "getPermissionDef failed");
1586 return false;
1587 }
1588 if (permissionDef.availableLevel < Security::AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC) {
1589 LOG_E(BMS_TAG_INSTALLER, "permission %{public}s level too low", permissionName.c_str());
1590 return false;
1591 }
1592 return true;
1593 }
1594
CheckProxyDatas(const InnerBundleInfo & innerBundleInfo) const1595 ErrCode BundleInstallChecker::CheckProxyDatas(const InnerBundleInfo &innerBundleInfo) const
1596 {
1597 auto bundleName = innerBundleInfo.GetBundleName();
1598 auto moduleInfos = innerBundleInfo.GetInnerModuleInfos();
1599 if (moduleInfos.empty()) {
1600 return ERR_OK;
1601 }
1602 for (const auto &moduleInfo : moduleInfos) {
1603 for (const auto &proxyData : moduleInfo.second.proxyDatas) {
1604 auto name = GetBundleNameFromUri(proxyData.uri);
1605 if (bundleName != name) {
1606 LOG_E(BMS_TAG_INSTALLER, "bundleName from uri %{public}s different from origin bundleName %{public}s",
1607 name.c_str(), bundleName.c_str());
1608 return ERR_APPEXECFWK_INSTALL_CHECK_PROXY_DATA_URI_FAILED;
1609 }
1610 if (innerBundleInfo.IsSystemApp()) {
1611 continue;
1612 }
1613 if (!CheckProxyPermissionLevel(proxyData.requiredReadPermission)
1614 || !CheckProxyPermissionLevel(proxyData.requiredWritePermission)) {
1615 return ERR_APPEXECFWK_INSTALL_CHECK_PROXY_DATA_PERMISSION_FAILED;
1616 }
1617 }
1618 }
1619 return ERR_OK;
1620 }
1621
CheckSupportIsolation(const char * szIsolationModeThresholdMb,const std::string & isolationMode)1622 bool CheckSupportIsolation(const char *szIsolationModeThresholdMb, const std::string &isolationMode)
1623 {
1624 if ((std::strcmp(szIsolationModeThresholdMb, VALUE_TRUE) == 0) ||
1625 (std::strcmp(szIsolationModeThresholdMb, VALUE_TRUE_BOOL) == 0)) {
1626 if (isolationMode == NONISOLATION_ONLY) {
1627 LOG_E(BMS_TAG_INSTALLER, "check isolation mode failed");
1628 return false;
1629 }
1630 } else {
1631 if (isolationMode == ISOLATION_ONLY) {
1632 LOG_E(BMS_TAG_INSTALLER, "check isolation mode failed");
1633 return false;
1634 }
1635 }
1636 return true;
1637 }
1638
CheckIsolationMode(const std::unordered_map<std::string,InnerBundleInfo> & infos) const1639 ErrCode BundleInstallChecker::CheckIsolationMode(const std::unordered_map<std::string, InnerBundleInfo> &infos) const
1640 {
1641 for (const auto &info : infos) {
1642 auto moduleInfos = info.second.GetInnerModuleInfos();
1643 for (const auto &moduleInfo : moduleInfos) {
1644 std::string isolationMode = moduleInfo.second.isolationMode;
1645 char szIsolationModeThresholdMb[THRESHOLD_VAL_LEN] = {0};
1646 int32_t ret = GetParameter(SUPPORT_ISOLATION_MODE, "",
1647 szIsolationModeThresholdMb, THRESHOLD_VAL_LEN);
1648 if (ret <= 0) {
1649 LOG_D(BMS_TAG_INSTALLER, "GetParameter failed");
1650 }
1651 if (!CheckSupportIsolation(szIsolationModeThresholdMb, isolationMode)) {
1652 LOG_E(BMS_TAG_INSTALLER, "check isolation mode failed");
1653 return ERR_APPEXECFWK_INSTALL_ISOLATION_MODE_FAILED;
1654 }
1655 }
1656 }
1657 return ERR_OK;
1658 }
1659
CheckSignatureFileDir(const std::string & signatureFileDir) const1660 ErrCode BundleInstallChecker::CheckSignatureFileDir(const std::string &signatureFileDir) const
1661 {
1662 if (!BundleUtil::CheckFileName(signatureFileDir)) {
1663 LOG_E(BMS_TAG_INSTALLER, "code signature file dir is invalid");
1664 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1665 }
1666 if (!BundleUtil::CheckFileType(signatureFileDir, ServiceConstants::CODE_SIGNATURE_FILE_SUFFIX)) {
1667 LOG_E(BMS_TAG_INSTALLER, "signatureFileDir is not suffixed with .sig");
1668 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1669 }
1670 // signatureFileDir not support relevant dir
1671 if (signatureFileDir.find(ServiceConstants::RELATIVE_PATH) != std::string::npos) {
1672 LOG_E(BMS_TAG_INSTALLER, "signatureFileDir is invalid");
1673 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1674 }
1675 return ERR_OK;
1676 }
1677
CheckDeveloperMode(const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes,const Security::AccessToken::AccessTokenID callerToken) const1678 ErrCode BundleInstallChecker::CheckDeveloperMode(
1679 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
1680 const Security::AccessToken::AccessTokenID callerToken) const
1681 {
1682 bool hasDebugBundle = false;
1683 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
1684 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
1685 if (provisionInfo.type == Security::Verify::ProvisionType::DEBUG) {
1686 hasDebugBundle = true;
1687 break;
1688 }
1689 }
1690 if (!hasDebugBundle) {
1691 return ERR_OK;
1692 }
1693 if (system::GetBoolParameter(ServiceConstants::DEVELOPERMODE_STATE, true)) {
1694 return ERR_OK;
1695 }
1696 if (BundlePermissionMgr::VerifyPermissionByCallingTokenId(
1697 Constants::PERMISSION_PERFORM_LOCAL_DEBUG, callerToken)) {
1698 LOG_I(BMS_TAG_INSTALLER, "dev assistant is allowed to install debug bundle");
1699 return ERR_OK;
1700 }
1701 LOG_E(BMS_TAG_INSTALLER, "debug bundle can only be installed in developer mode");
1702 return ERR_APPEXECFWK_INSTALL_DEBUG_BUNDLE_NOT_ALLOWED;
1703 }
1704
CheckAllowEnterpriseBundle(const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes) const1705 ErrCode BundleInstallChecker::CheckAllowEnterpriseBundle(
1706 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes) const
1707 {
1708 if (system::GetBoolParameter(ServiceConstants::ALLOW_ENTERPRISE_BUNDLE, false) ||
1709 system::GetBoolParameter(ServiceConstants::IS_ENTERPRISE_DEVICE, false) ||
1710 system::GetBoolParameter(ServiceConstants::DEVELOPERMODE_STATE, false)) {
1711 return ERR_OK;
1712 }
1713 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
1714 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
1715 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
1716 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
1717 LOG_E(BMS_TAG_INSTALLER, "enterprise normal/mdm bundle cannot be installed on non-enterprise device");
1718 return ERR_APPEXECFWK_INSTALL_ENTERPRISE_BUNDLE_NOT_ALLOWED;
1719 }
1720 }
1721 return ERR_OK;
1722 }
1723
CheckAppDistributionType(const Security::Verify::AppDistType type)1724 ErrCode BundleInstallChecker::CheckAppDistributionType(const Security::Verify::AppDistType type)
1725 {
1726 return CheckAppDistributionType(GetAppDistributionType(type));
1727 }
1728
CheckAppDistributionType(const std::string distributionType)1729 ErrCode BundleInstallChecker::CheckAppDistributionType(const std::string distributionType)
1730 {
1731 if (distributionType == Constants::APP_DISTRIBUTION_TYPE_OS_INTEGRATION) {
1732 APP_LOGD("os_integration is pass");
1733 return ERR_OK;
1734 }
1735 auto bmsPara = DelayedSingleton<BundleMgrService>::GetInstance()->GetBmsParam();
1736 if (bmsPara == nullptr) {
1737 APP_LOGW("bmsPara is nullptr");
1738 return ERR_OK;
1739 }
1740 std::string val;
1741 bmsPara->GetBmsParam(Constants::APP_DISTRIBUTION_TYPE_WHITE_LIST, val);
1742 if (val.length() <= 0) {
1743 APP_LOGE("GetBmsParam is null or exsit");
1744 return ERR_OK;
1745 }
1746 int32_t appDisnTypeEnum = GetAppDistributionTypeEnum(distributionType);
1747 std::vector<std::string> appDistributionTypeEnums;
1748 OHOS::SplitStr(val, Constants::SUPPORT_APP_TYPES_SEPARATOR, appDistributionTypeEnums);
1749 if (std::find(appDistributionTypeEnums.begin(), appDistributionTypeEnums.end(), std::to_string(appDisnTypeEnum))
1750 == appDistributionTypeEnums.end()) {
1751 APP_LOGE("bmsParam %{public}s not allow %{public}s install", val.c_str(), distributionType.c_str());
1752 return ERR_APP_DISTRIBUTION_TYPE_NOT_ALLOW_INSTALL;
1753 }
1754 return ERR_OK;
1755 }
1756
GetAppDistributionTypeEnum(const std::string distributionType) const1757 int32_t BundleInstallChecker::GetAppDistributionTypeEnum(const std::string distributionType) const
1758 {
1759 if (AppDistributionTypeEnumMap.find(distributionType) != AppDistributionTypeEnumMap.end()) {
1760 return static_cast<int32_t>(AppDistributionTypeEnumMap[distributionType]);
1761 }
1762 return 0;
1763 }
1764
CheckEnterpriseBundle(Security::Verify::HapVerifyResult & hapVerifyRes) const1765 bool BundleInstallChecker::CheckEnterpriseBundle(Security::Verify::HapVerifyResult &hapVerifyRes) const
1766 {
1767 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes.GetProvisionInfo();
1768 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
1769 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM ||
1770 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
1771 return true;
1772 }
1773 return false;
1774 }
1775
CheckInternaltestingBundle(Security::Verify::HapVerifyResult & hapVerifyRes) const1776 bool BundleInstallChecker::CheckInternaltestingBundle(Security::Verify::HapVerifyResult &hapVerifyRes) const
1777 {
1778 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes.GetProvisionInfo();
1779 if (provisionInfo.distributionType == Security::Verify::AppDistType::INTERNALTESTING) {
1780 return true;
1781 }
1782 return false;
1783 }
1784
GetCheckResultMsg() const1785 std::string BundleInstallChecker::GetCheckResultMsg() const
1786 {
1787 return checkResultMsg_;
1788 }
1789
SetCheckResultMsg(const std::string checkResultMsg)1790 void BundleInstallChecker::SetCheckResultMsg(const std::string checkResultMsg)
1791 {
1792 checkResultMsg_ = checkResultMsg;
1793 }
1794
DetermineCloneApp(InnerBundleInfo & innerBundleInfo)1795 bool BundleInstallChecker::DetermineCloneApp(InnerBundleInfo &innerBundleInfo)
1796 {
1797 ApplicationInfo applicationInfo = innerBundleInfo.GetBaseApplicationInfo();
1798 if (applicationInfo.multiAppMode.multiAppModeType != MultiAppModeType::APP_CLONE
1799 || applicationInfo.multiAppMode.maxCount == 0) {
1800 BmsExtensionDataMgr bmsExtensionDataMgr;
1801 int32_t cloneNum = 0;
1802 const std::string appIdentifier = innerBundleInfo.GetAppIdentifier();
1803 if (!bmsExtensionDataMgr.DetermineCloneNum(applicationInfo.bundleName, appIdentifier, cloneNum)) {
1804 LOG_W(BMS_TAG_INSTALLER, "DetermineCloneNum failed");
1805 return false;
1806 }
1807 if (cloneNum == 0) {
1808 LOG_W(BMS_TAG_INSTALLER, "DetermineCloneNum -c %{public}d", cloneNum);
1809 return false;
1810 }
1811 LOG_I(BMS_TAG_INSTALLER, "install -n %{public}s -c %{public}d",
1812 applicationInfo.bundleName.c_str(), cloneNum);
1813 applicationInfo.multiAppMode.multiAppModeType = MultiAppModeType::APP_CLONE;
1814 applicationInfo.multiAppMode.maxCount = cloneNum;
1815 innerBundleInfo.SetBaseApplicationInfo(applicationInfo);
1816 }
1817 return true;
1818 }
1819 } // namespace AppExecFwk
1820 } // namespace OHOS