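/*
 * Copyright (c) 2021-2022 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef FOUNDATION_APPEXECFWK_SERVICES_BUNDLEMGR_INCLUDE_BUNDLE_PERMISSION_MGR_H
#define FOUNDATION_APPEXECFWK_SERVICES_BUNDLEMGR_INCLUDE_BUNDLE_PERMISSION_MGR_H

// Standard headers for the std:: types and fixed-width integers used directly in this header,
// so it does not depend on the project headers below pulling them in transitively.
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// NOTE(review): ErrCode, AAFwk::Want, BundleInfo, RequestPermission and DefinePermission are
// presumably provided by these project headers; confirm, since none is included by name here.
#include "accesstoken_kit.h"
#include "bundle_constants.h"
#include "default_permission.h"
#include "inner_bundle_info.h"
#include "permission_define.h"

namespace OHOS {
namespace AppExecFwk {
/**
 * @brief Static helper class grouping the bundle manager's permission and access-token operations.
 *
 * Every member is static, so the class carries no per-instance state; the only data member is the
 * static map defaultPermissions_.
 *
 * Return conventions differ between members and must not be mixed up at call sites:
 * the Verify* and Is* predicates return bool, VerifyPermission returns 0 / -1, and
 * GetPermissionDef returns an ErrCode.
 */
class BundlePermissionMgr {
public:
    /**
     * @brief Initialize BundlePermissionMgr, which is only called when the system starts.
     * @return Returns true if successfully initialized BundlePermissionMgr; returns false otherwise.
     */
    static bool Init();

    /**
     * @brief Counterpart of Init().
     * @note NOTE(review): which state is released is not visible in this header; confirm in the
     *       implementation.
     */
    static void UnInit();

    /**
     * @brief Verify whether a specified bundle has been granted a specific permission.
     * @param bundleName Indicates the name of the bundle to check.
     * @param permissionName Indicates the permission to check.
     * @param userId Indicates the userId of the bundle.
     * @return Returns 0 if the bundle has the permission; returns -1 otherwise.
     * @note The result is an int32_t status, not a bool: 0 means granted. Compare it explicitly
     *       against 0; a truthiness test would read the -1 "denied" value as true.
     */
    static int32_t VerifyPermission(const std::string &bundleName, const std::string &permissionName,
        const int32_t userId);
    /**
     * @brief Obtains detailed information about a specified permission.
     * @param permissionName Indicates the name of the permission.
     * @param permissionDef Indicates the object containing detailed information about the given permission.
     * @return Returns an ErrCode (not a bool) describing whether the PermissionDef object was obtained.
     *         NOTE(review): presumably ERR_OK on success; confirm against the implementation.
     */
    static ErrCode GetPermissionDef(const std::string &permissionName, PermissionDef &permissionDef);
    /**
     * @brief Requests a certain permission from user.
     * @param bundleName Indicates the name of the bundle.
     * @param permissionName Indicates the permission to request.
     * @param userId Indicates the userId of the bundle.
     * @return Returns true if the permission is requested successfully; returns false otherwise.
     */
    static bool RequestPermissionFromUser(
        const std::string &bundleName, const std::string &permissionName, const int32_t userId);

    /**
     * @brief Creates an access token identifier for a bundle.
     * @param innerBundleInfo Indicates the bundle information the token is created from.
     * @param bundleName Indicates the name of the bundle (taken by value).
     * @param userId Indicates the userId of the bundle.
     * @return Returns the AccessTokenIDEx for the bundle.
     * @note NOTE(review): how a failed creation is encoded in the returned value is not visible
     *       here; callers should validate the result before using the token.
     */
    static Security::AccessToken::AccessTokenIDEx CreateAccessTokenIdEx(
        const InnerBundleInfo &innerBundleInfo, const std::string bundleName, const int32_t userId);

    /**
     * @brief Creates an access token identifier for a bundle with an explicit DLP type and policy.
     * @param innerBundleInfo Indicates the bundle information the token is created from.
     * @param bundleName Indicates the name of the bundle (taken by value).
     * @param userId Indicates the userId of the bundle.
     * @param dlpType Indicates the DLP type passed on for the token.
     * @param hapPolicy Indicates the caller-supplied policy parameters for the token.
     * @return Returns the AccessTokenIDEx for the bundle.
     * @note NOTE(review): how a failed creation is encoded in the returned value is not visible
     *       here; callers should validate the result before using the token.
     */
    static Security::AccessToken::AccessTokenIDEx CreateAccessTokenIdEx(
        const InnerBundleInfo &innerBundleInfo, const std::string bundleName, const int32_t userId,
        const int32_t dlpType, const Security::AccessToken::HapPolicyParams &hapPolicy);

    /**
     * @brief Updates the defined and requested permissions of a token when a bundle changes.
     * @param tokenIdEx Indicates the token to update; passed by non-const reference.
     * @param oldInfo Indicates the bundle information before the update.
     * @param newInfo Indicates the bundle information after the update.
     * @param newRequestPermName Output list; presumably the names of newly requested permissions
     *        (confirm in the implementation).
     * @return Returns true on success; returns false otherwise.
     */
    static bool UpdateDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx &tokenIdEx,
        const InnerBundleInfo &oldInfo, const InnerBundleInfo &newInfo, std::vector<std::string> &newRequestPermName);

    /**
     * @brief Adds the defined and requested permissions of a bundle to a token.
     * @param tokenIdEx Indicates the token to update; passed by non-const reference.
     * @param innerBundleInfo Indicates the bundle information supplying the permissions.
     * @param newRequestPermName Output list; presumably the names of newly requested permissions
     *        (confirm in the implementation).
     * @return Returns true on success; returns false otherwise.
     */
    static bool AddDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx &tokenIdEx,
        const InnerBundleInfo &innerBundleInfo, std::vector<std::string> &newRequestPermName);

    /**
     * @brief Deletes an access token.
     * @param tokenId Indicates the token to delete.
     * @return Returns an int32_t status. NOTE(review): the success value is not documented in this
     *         header; confirm before testing the result.
     */
    static int32_t DeleteAccessTokenId(const Security::AccessToken::AccessTokenID tokenId);

    /**
     * @brief Grants the permissions requested by a bundle to a token.
     * @param innerBundleInfo Indicates the bundle information listing the requested permissions.
     * @param tokenId Indicates the token that receives the grants.
     * @return Returns true on success; returns false otherwise.
     */
    static bool GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
        const Security::AccessToken::AccessTokenID tokenId);

    /**
     * @brief Grants a given list of requested permissions to a token.
     * @param innerBundleInfo Indicates the bundle information the request belongs to.
     * @param requestPermName Indicates the names of the permissions to grant.
     * @param tokenId Indicates the token that receives the grants.
     * @return Returns true on success; returns false otherwise.
     */
    static bool GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
        const std::vector<std::string> &requestPermName,
        const Security::AccessToken::AccessTokenID tokenId);

    /**
     * @brief Fills the request-permission states of a bundle.
     * @param bundleInfo Indicates the object to fill; passed by non-const reference.
     * @param tokenId Indicates the token to query. Declared as uint32_t here while sibling members
     *        use Security::AccessToken::AccessTokenID (NOTE(review): presumably the same width; confirm).
     * @param deviceId Indicates the device identifier (taken by value).
     * @return Returns true on success; returns false otherwise.
     */
    static bool GetRequestPermissionStates(BundleInfo &bundleInfo, uint32_t tokenId, const std::string deviceId);

    /**
     * @brief Clears the user-granted permission state of a token.
     * @param tokenId Indicates the token whose state is cleared.
     * @return Returns an int32_t status. NOTE(review): the success value is not documented in this
     *         header; confirm before testing the result.
     */
    static int32_t ClearUserGrantedPermissionState(const Security::AccessToken::AccessTokenID tokenId);

    /**
     * @brief Verifies that the caller holds a permission.
     * @param permissionName Indicates the permission to check.
     * @return Returns true if the check passes; returns false otherwise.
     * @note The caller identity is not a parameter. NOTE(review): presumably it is taken from the
     *       current IPC calling context; confirm, and call this before that context can change.
     */
    static bool VerifyCallingPermission(const std::string &permissionName);

    /**
     * @brief Builds the HAP policy parameters for a bundle from an explicit permission-state list.
     * @param innerBundleInfo Indicates the bundle information.
     * @param permissions Indicates the permission states to place in the policy.
     * @return Returns the resulting HapPolicyParams.
     */
    static Security::AccessToken::HapPolicyParams CreateHapPolicyParam(const InnerBundleInfo &innerBundleInfo,
        const std::vector<Security::AccessToken::PermissionStateFull> &permissions);

    /**
     * @brief Obtains all requested permission states of a token.
     * @param tokenId Indicates the token to query.
     * @param newPermissionState Output list receiving the permission states.
     * @return Returns true on success; returns false otherwise.
     */
    static bool GetAllReqPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,
        std::vector<Security::AccessToken::PermissionStateFull> &newPermissionState);

    /**
     * @brief Verifies that the caller is a system application.
     * @param beginApiVersion Defaults to Constants::INVALID_API_VERSION. NOTE(review): presumably
     *        the API version from which the check is enforced; confirm in the implementation,
     *        because a version-gated check may pass callers below that version.
     * @return Returns true if the check passes; returns false otherwise.
     */
    static bool VerifySystemApp(int32_t beginApiVersion = Constants::INVALID_API_VERSION);

    /**
     * @brief Obtains an API version as int32_t.
     * @note NOTE(review): presumably the API version of the calling HAP; the failure value is not
     *       visible in this header.
     */
    static int32_t GetHapApiVersion();

    /**
     * @brief Reports whether the token in question is of the native type.
     * @note NOTE(review): presumably evaluated on the calling token; confirm in the implementation.
     */
    static bool IsNativeTokenType();

    /**
     * @brief Verifies the calling uid.
     * @return Returns true if the check passes; returns false otherwise.
     * @note NOTE(review): the set of accepted uids is not visible in this header.
     */
    static bool VerifyCallingUid();

    /**
     * @brief Verifies a preload request described by a Want.
     * @param want Indicates the request to verify.
     * @return Returns true if the check passes; returns false otherwise.
     */
    static bool VerifyPreload(const AAFwk::Want &want);

    /**
     * @brief Verifies that the caller holds a permission.
     * @param permissionName Indicates the permission to check.
     * @return Returns true if the check passes; returns false otherwise.
     * @note NOTE(review): how this differs from VerifyCallingPermission is not visible in this
     *       header; confirm which caller types each variant accepts before choosing one.
     */
    static bool VerifyCallingPermissionForAll(const std::string &permissionName);

    /**
     * @brief Reports whether the call originates from the service itself.
     * @note NOTE(review): presumably compares the calling identity with the own process; confirm.
     */
    static bool IsSelfCalling();

    /**
     * @brief Verifies that the caller may uninstall bundles.
     * @return Returns true if the check passes; returns false otherwise.
     */
    static bool VerifyUninstallPermission();

    /**
     * @brief Verifies that the caller may recover bundles.
     * @return Returns true if the check passes; returns false otherwise.
     */
    static bool VerifyRecoverPermission();

    /**
     * @brief Adds a usage record for a permission.
     * @param permission Indicates the permission that was used.
     * @param successCount Indicates the number of successful uses to record.
     * @param failCount Indicates the number of failed uses to record.
     */
    static void AddPermissionUsedRecord(const std::string &permission, int32_t successCount, int32_t failCount);

private:
    /** @brief Builds the access-token permission definitions declared by a bundle. */
    static std::vector<Security::AccessToken::PermissionDef> GetPermissionDefList(
        const InnerBundleInfo &innerBundleInfo);

    /** @brief Builds the access-token permission states for a bundle. */
    static std::vector<Security::AccessToken::PermissionStateFull> GetPermissionStateFullList(
        const InnerBundleInfo &innerBundleInfo);

    /**
     * @brief Decides whether a permission may be granted.
     * @param permDef Indicates the definition of the permission.
     * @param apl Indicates the APL string to evaluate.
     * @param acls Indicates the ACL entries to evaluate.
     * @return Returns true if the grant is allowed; returns false otherwise.
     * @note NOTE(review): the exact APL / ACL rule is not visible in this header.
     */
    static bool CheckGrantPermission(const Security::AccessToken::PermissionDef &permDef,
        const std::string &apl,
        const std::vector<std::string> &acls);

    /**
     * @brief Computes the new permission-definition list for a token.
     * @param tokenId Indicates the token to query.
     * @param permissionDef Indicates the input permission definitions.
     * @param newPermission Output list receiving the result.
     * @return Returns true on success; returns false otherwise.
     */
    static bool GetNewPermissionDefList(Security::AccessToken::AccessTokenID tokenId,
        const std::vector<Security::AccessToken::PermissionDef> &permissionDef,
        std::vector<Security::AccessToken::PermissionDef> &newPermission);

    /**
     * @brief Computes the new permission-state list for a token.
     * @param tokenId Indicates the token to query.
     * @param permissionState Indicates the input permission states.
     * @param newPermissionState Output list receiving the resulting states.
     * @param newRequestPermName Output list of permission names.
     * @return Returns true on success; returns false otherwise.
     */
    static bool GetNewPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,
        const std::vector<Security::AccessToken::PermissionStateFull> &permissionState,
        std::vector<Security::AccessToken::PermissionStateFull> &newPermissionState,
        std::vector<std::string> &newRequestPermName);

    /**
     * @brief Grants a list of requested permissions to a token.
     * @param tokenId Indicates the token that receives the grants.
     * @param reqPermissions Indicates the requested permissions.
     * @param innerBundleInfo Indicates the bundle information the request belongs to.
     * @return Returns true on success; returns false otherwise.
     */
    static bool InnerGrantRequestPermissions(Security::AccessToken::AccessTokenID tokenId,
        const std::vector<RequestPermission> &reqPermissions,
        const InnerBundleInfo &innerBundleInfo);

    /**
     * @brief Maps an APL string to its ATokenAplEnum value.
     * @note NOTE(review): the value returned for an unrecognised string is not visible in this
     *       header; confirm that it is the least privileged level.
     */
    static Security::AccessToken::ATokenAplEnum GetTokenApl(const std::string &apl);

    /** @brief Builds the HAP policy parameters for a bundle. */
    static Security::AccessToken::HapPolicyParams CreateHapPolicyParam(const InnerBundleInfo &innerBundleInfo);

    /** @brief Converts an access-token PermissionDef (input) into a bundle-manager PermissionDef (output). */
    static void ConvertPermissionDef(const Security::AccessToken::PermissionDef &permDef,
        PermissionDef &permissionDef);
    /** @brief Fills an access-token PermissionDef (output) from a DefinePermission and a bundle name. */
    static void ConvertPermissionDef(
        Security::AccessToken::PermissionDef &permDef, const DefinePermission &defPermission,
        const std::string &bundleName);

    /** @brief Returns the names of defined permissions to delete when going from oldInfo to newInfo. */
    static std::vector<std::string> GetNeedDeleteDefinePermissionName(const InnerBundleInfo &oldInfo,
        const InnerBundleInfo &newInfo);

    /** @brief Returns the names of requested permissions to delete when going from oldInfo to newInfo. */
    static std::vector<std::string> GetNeedDeleteRequestPermissionName(const InnerBundleInfo &oldInfo,
        const InnerBundleInfo &newInfo);

    /**
     * @brief Looks up the default-permission entry of a bundle.
     * @param bundleName Indicates the name of the bundle.
     * @param permission Output object receiving the entry.
     * @return Returns true if an entry was found; returns false otherwise.
     */
    static bool GetDefaultPermission(const std::string &bundleName, DefaultPermission &permission);

    /**
     * @brief Checks a signature against a default-permission entry.
     * @param permission Indicates the default-permission entry.
     * @param signature Indicates the signature to match.
     * @return Returns true if the signature matches; returns false otherwise.
     */
    static bool MatchSignature(const DefaultPermission &permission, const std::string &signature);

    /**
     * @brief Checks whether a permission is listed in a default-permission entry.
     * @param defaultPermission Indicates the default-permission entry.
     * @param permissionName Indicates the permission to look for.
     * @param userCancellable Output flag; passed by non-const reference.
     * @return Returns true if the permission is listed; returns false otherwise.
     */
    static bool CheckPermissionInDefaultPermissions(const DefaultPermission &defaultPermission,
        const std::string &permissionName, bool &userCancellable);

    /**
     * @brief Grants a single permission to a token.
     * @param tokenId Indicates the token that receives the grant.
     * @param permissionName Indicates the permission to grant.
     * @param flag Indicates the permission flag recorded with the grant.
     * @param bundleName Indicates the name of the bundle.
     * @return Returns true on success; returns false otherwise.
     */
    static bool GrantPermission(const Security::AccessToken::AccessTokenID tokenId,
        const std::string &permissionName, const Security::AccessToken::PermissionFlag flag,
        const std::string &bundleName);

    /**
     * @brief Computes the updated permission-definition list for a bundle update.
     * @param tokenId Indicates the token being updated.
     * @param oldInfo Indicates the bundle information before the update.
     * @param newInfo Indicates the bundle information after the update.
     * @param newDefPermList Output list receiving the definitions.
     * @return Returns true on success; returns false otherwise.
     */
    static bool InnerUpdateDefinePermission(
        const Security::AccessToken::AccessTokenID tokenId,
        const InnerBundleInfo &oldInfo,
        const InnerBundleInfo &newInfo,
        std::vector<Security::AccessToken::PermissionDef> &newDefPermList);

    /**
     * @brief Computes the updated permission-state list for a bundle update.
     * @param tokenId Indicates the token being updated.
     * @param oldInfo Indicates the bundle information before the update.
     * @param newInfo Indicates the bundle information after the update.
     * @param newPermissionStateList Output list receiving the states.
     * @param newRequestPermName Output list of permission names.
     * @return Returns true on success; returns false otherwise.
     */
    static bool InnerUpdateRequestPermission(
        const Security::AccessToken::AccessTokenID tokenId,
        const InnerBundleInfo &oldInfo,
        const InnerBundleInfo &newInfo,
        std::vector<Security::AccessToken::PermissionStateFull> &newPermissionStateList,
        std::vector<std::string> &newRequestPermName);

    // Default-permission entries keyed by a string (presumably the bundle name; confirm).
    // This is mutable static state and the header declares no lock for it.
    // NOTE(review): confirm that writers (e.g. Init/UnInit) and readers are serialized.
    static std::map<std::string, DefaultPermission> defaultPermissions_;
};
}  // namespace AppExecFwk
}  // namespace OHOS
#endif // FOUNDATION_APPEXECFWK_SERVICES_BUNDLEMGR_INCLUDE_BUNDLE_PERMISSION_MGR_H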