1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "bundle_install_checker.h"
17
18 #include <regex>
19
20 #include "bundle_data_mgr.h"
21 #include "bundle_mgr_service.h"
22 #include "bundle_mgr_service_event_handler.h"
23 #include "bundle_parser.h"
24 #include "bundle_permission_mgr.h"
25 #include "bundle_util.h"
26 #include "parameter.h"
27 #include "parameters.h"
28 #include "privilege_extension_ability_type.h"
29 #include "scope_guard.h"
30 #include "systemcapability.h"
31
32 namespace OHOS {
33 namespace AppExecFwk {
34 namespace {
35 const std::string PRIVILEGE_ALLOW_APP_DATA_NOT_CLEARED = "AllowAppDataNotCleared";
36 const std::string PRIVILEGE_ALLOW_APP_MULTI_PROCESS = "AllowAppMultiProcess";
37 const std::string PRIVILEGE_ALLOW_APP_DESKTOP_ICON_HIDE = "AllowAppDesktopIconHide";
38 const std::string PRIVILEGE_ALLOW_ABILITY_PRIORITY_QUERIED = "AllowAbilityPriorityQueried";
39 const std::string PRIVILEGE_ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS = "AllowAbilityExcludeFromMissions";
40 const std::string PRIVILEGE_ALLOW_MISSION_NOT_CLEARED = "AllowMissionNotCleared";
41 const std::string PRIVILEGE_ALLOW_APP_USE_PRIVILEGE_EXTENSION = "AllowAppUsePrivilegeExtension";
42 const std::string PRIVILEGE_ALLOW_FORM_VISIBLE_NOTIFY = "AllowFormVisibleNotify";
43 const std::string PRIVILEGE_ALLOW_APP_SHARE_LIBRARY = "AllowAppShareLibrary";
44 const std::string ALLOW_APP_DATA_NOT_CLEARED = "allowAppDataNotCleared";
45 const std::string ALLOW_APP_MULTI_PROCESS = "allowAppMultiProcess";
46 const std::string ALLOW_APP_DESKTOP_ICON_HIDE = "allowAppDesktopIconHide";
47 const std::string ALLOW_ABILITY_PRIORITY_QUERIED = "allowAbilityPriorityQueried";
48 const std::string ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS = "allowAbilityExcludeFromMissions";
49 const std::string ALLOW_MISSION_NOT_CLEARED = "allowMissionNotCleared";
50 const std::string ALLOW_APP_USE_PRIVILEGE_EXTENSION = "allowAppUsePrivilegeExtension";
51 const std::string ALLOW_FORM_VISIBLE_NOTIFY = "allowFormVisibleNotify";
52 const std::string ALLOW_APP_SHARE_LIBRARY = "allowAppShareLibrary";
53 const std::string APP_TEST_BUNDLE_NAME = "com.OpenHarmony.app.test";
54 const std::string BUNDLE_NAME_XTS_TEST = "com.acts.";
55 const std::string APL_NORMAL = "normal";
56 const std::string SLASH = "/";
57 const std::string DOUBLE_SLASH = "//";
58 const std::string SUPPORT_ISOLATION_MODE = "persist.bms.supportIsolationMode";
59 const std::string VALUE_TRUE = "true";
60 const std::string VALUE_TRUE_BOOL = "1";
61 const std::string VALUE_FALSE = "false";
62 const std::string NONISOLATION_ONLY = "nonisolationOnly";
63 const std::string ISOLATION_ONLY = "isolationOnly";
64 const int32_t SLAH_OFFSET = 2;
65 const int32_t THRESHOLD_VAL_LEN = 40;
66 constexpr const char* SYSTEM_APP_SCAN_PATH = "/system/app";
67 constexpr const char* DEVICE_TYPE_OF_DEFAULT = "default";
68 constexpr const char* DEVICE_TYPE_OF_PHONE = "phone";
69 constexpr const char* APP_INSTALL_PATH = "/data/app/el1/bundle";
70
71 const std::unordered_map<Security::Verify::AppDistType, std::string> APP_DISTRIBUTION_TYPE_MAPS = {
72 { Security::Verify::AppDistType::NONE_TYPE, Constants::APP_DISTRIBUTION_TYPE_NONE },
73 { Security::Verify::AppDistType::APP_GALLERY, Constants::APP_DISTRIBUTION_TYPE_APP_GALLERY },
74 { Security::Verify::AppDistType::ENTERPRISE, Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE },
75 { Security::Verify::AppDistType::ENTERPRISE_NORMAL, Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL },
76 { Security::Verify::AppDistType::ENTERPRISE_MDM, Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM },
77 { Security::Verify::AppDistType::OS_INTEGRATION, Constants::APP_DISTRIBUTION_TYPE_OS_INTEGRATION },
78 { Security::Verify::AppDistType::CROWDTESTING, Constants::APP_DISTRIBUTION_TYPE_CROWDTESTING },
79 };
80
81 const std::unordered_map<std::string, void (*)(AppPrivilegeCapability &appPrivilegeCapability)>
82 PRIVILEGE_MAP = {
83 { PRIVILEGE_ALLOW_APP_DATA_NOT_CLEARED,
__anona9b543960202() 84 [] (AppPrivilegeCapability &appPrivilegeCapability) {
85 appPrivilegeCapability.userDataClearable = false;
86 } },
87 { PRIVILEGE_ALLOW_APP_MULTI_PROCESS,
__anona9b543960302() 88 [] (AppPrivilegeCapability &appPrivilegeCapability) {
89 appPrivilegeCapability.allowMultiProcess = true;
90 } },
91 { PRIVILEGE_ALLOW_APP_DESKTOP_ICON_HIDE,
__anona9b543960402() 92 [] (AppPrivilegeCapability &appPrivilegeCapability) {
93 appPrivilegeCapability.hideDesktopIcon = true;
94 } },
95 { PRIVILEGE_ALLOW_ABILITY_PRIORITY_QUERIED,
__anona9b543960502() 96 [] (AppPrivilegeCapability &appPrivilegeCapability) {
97 appPrivilegeCapability.allowQueryPriority = true;
98 } },
99 { PRIVILEGE_ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS,
__anona9b543960602() 100 [] (AppPrivilegeCapability &appPrivilegeCapability) {
101 appPrivilegeCapability.allowExcludeFromMissions = true;
102 } },
103 { PRIVILEGE_ALLOW_MISSION_NOT_CLEARED,
__anona9b543960702() 104 [] (AppPrivilegeCapability &appPrivilegeCapability) {
105 appPrivilegeCapability.allowMissionNotCleared = true;
106 } },
107 { PRIVILEGE_ALLOW_APP_USE_PRIVILEGE_EXTENSION,
__anona9b543960802() 108 [] (AppPrivilegeCapability &appPrivilegeCapability) {
109 appPrivilegeCapability.allowUsePrivilegeExtension = true;
110 } },
111 { PRIVILEGE_ALLOW_FORM_VISIBLE_NOTIFY,
__anona9b543960902() 112 [] (AppPrivilegeCapability &appPrivilegeCapability) {
113 appPrivilegeCapability.formVisibleNotify = true;
114 } },
115 { PRIVILEGE_ALLOW_APP_SHARE_LIBRARY,
__anona9b543960a02() 116 [] (AppPrivilegeCapability &appPrivilegeCapability) {
117 appPrivilegeCapability.appShareLibrary = true;
118 } },
119 };
120
GetAppDistributionType(const Security::Verify::AppDistType & type)121 std::string GetAppDistributionType(const Security::Verify::AppDistType &type)
122 {
123 auto typeIter = APP_DISTRIBUTION_TYPE_MAPS.find(type);
124 if (typeIter == APP_DISTRIBUTION_TYPE_MAPS.end()) {
125 APP_LOGE("wrong AppDistType");
126 return Constants::APP_DISTRIBUTION_TYPE_NONE;
127 }
128
129 return typeIter->second;
130 }
131
GetAppProvisionType(const Security::Verify::ProvisionType & type)132 std::string GetAppProvisionType(const Security::Verify::ProvisionType &type)
133 {
134 if (type == Security::Verify::ProvisionType::DEBUG) {
135 return Constants::APP_PROVISION_TYPE_DEBUG;
136 }
137
138 return Constants::APP_PROVISION_TYPE_RELEASE;
139 }
140
IsPrivilegeExtensionAbilityType(ExtensionAbilityType type)141 bool IsPrivilegeExtensionAbilityType(ExtensionAbilityType type)
142 {
143 return PRIVILEGE_EXTENSION_ABILITY_TYPE.find(type) != PRIVILEGE_EXTENSION_ABILITY_TYPE.end();
144 }
145
IsSystemExtensionAbilityType(ExtensionAbilityType type)146 bool IsSystemExtensionAbilityType(ExtensionAbilityType type)
147 {
148 return SYSTEM_EXTENSION_ABILITY_TYPE.find(type) != SYSTEM_EXTENSION_ABILITY_TYPE.end();
149 }
150 }
151
CheckSysCap(const std::vector<std::string> & bundlePaths)152 ErrCode BundleInstallChecker::CheckSysCap(const std::vector<std::string> &bundlePaths)
153 {
154 APP_LOGD("check hap syscaps start.");
155 if (bundlePaths.empty()) {
156 APP_LOGE("check hap syscaps failed due to empty bundlePaths!");
157 return ERR_APPEXECFWK_INSTALL_PARAM_ERROR;
158 }
159
160 ErrCode result = ERR_OK;
161 BundleParser bundleParser;
162 for (const auto &bundlePath : bundlePaths) {
163 std::vector<std::string> bundleSysCaps;
164 result = bundleParser.ParseSysCap(bundlePath, bundleSysCaps);
165 if (result != ERR_OK) {
166 APP_LOGE("parse bundle syscap failed, error: %{public}d", result);
167 return result;
168 }
169
170 for (const auto &bundleSysCapItem : bundleSysCaps) {
171 APP_LOGD("check syscap(%{public}s)", bundleSysCapItem.c_str());
172 if (!HasSystemCapability(bundleSysCapItem.c_str())) {
173 APP_LOGE("check syscap failed which %{public}s is not exsit",
174 bundleSysCapItem.c_str());
175 return ERR_APPEXECFWK_INSTALL_CHECK_SYSCAP_FAILED;
176 }
177 }
178 }
179
180 APP_LOGD("finish check hap syscaps");
181 return result;
182 }
183
CheckMultipleHapsSignInfo(const std::vector<std::string> & bundlePaths,std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)184 ErrCode BundleInstallChecker::CheckMultipleHapsSignInfo(
185 const std::vector<std::string> &bundlePaths,
186 std::vector<Security::Verify::HapVerifyResult>& hapVerifyRes)
187 {
188 APP_LOGD("Check multiple haps signInfo");
189 if (bundlePaths.empty()) {
190 APP_LOGE("check hap sign info failed due to empty bundlePaths!");
191 return ERR_APPEXECFWK_INSTALL_PARAM_ERROR;
192 }
193
194 for (const std::string &bundlePath : bundlePaths) {
195 Security::Verify::HapVerifyResult hapVerifyResult;
196 #ifndef X86_EMULATOR_MODE
197 auto verifyRes = BundleVerifyMgr::HapVerify(bundlePath, hapVerifyResult);
198 if (verifyRes != ERR_OK) {
199 APP_LOGE("hap file verify failed");
200 return verifyRes;
201 }
202 #else
203 BundleVerifyMgr::ParseHapProfile(bundlePath, hapVerifyResult);
204 #endif
205 hapVerifyRes.emplace_back(hapVerifyResult);
206 }
207
208 if (hapVerifyRes.empty()) {
209 APP_LOGE("no sign info in the all haps!");
210 return ERR_APPEXECFWK_INSTALL_FAILED_INCOMPATIBLE_SIGNATURE;
211 }
212
213 #ifndef X86_EMULATOR_MODE
214 auto appId = hapVerifyRes[0].GetProvisionInfo().appId;
215 auto apl = hapVerifyRes[0].GetProvisionInfo().bundleInfo.apl;
216 auto appDistributionType = hapVerifyRes[0].GetProvisionInfo().distributionType;
217 auto appProvisionType = hapVerifyRes[0].GetProvisionInfo().type;
218 bool isInvalid = std::any_of(hapVerifyRes.begin(), hapVerifyRes.end(),
219 [appId, apl, appDistributionType, appProvisionType](const auto &hapVerifyResult) {
220 if (appId != hapVerifyResult.GetProvisionInfo().appId) {
221 APP_LOGE("error: hap files have different appId");
222 return true;
223 }
224 if (apl != hapVerifyResult.GetProvisionInfo().bundleInfo.apl) {
225 APP_LOGE("error: hap files have different apl");
226 return true;
227 }
228 if (appDistributionType != hapVerifyResult.GetProvisionInfo().distributionType) {
229 APP_LOGE("error: hap files have different appDistributionType");
230 return true;
231 }
232 if (appProvisionType != hapVerifyResult.GetProvisionInfo().type) {
233 APP_LOGE("error: hap files have different appProvisionType");
234 return true;
235 }
236 return false;
237 });
238 if (isInvalid) {
239 return ERR_APPEXECFWK_INSTALL_FAILED_INCOMPATIBLE_SIGNATURE;
240 }
241 #endif
242 APP_LOGD("finish check multiple haps signInfo");
243 return ERR_OK;
244 }
245
VaildInstallPermission(const InstallParam & installParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)246 bool BundleInstallChecker::VaildInstallPermission(const InstallParam &installParam,
247 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
248 {
249 PermissionStatus installBundleStatus = installParam.installBundlePermissionStatus;
250 PermissionStatus installEnterpriseBundleStatus = installParam.installEnterpriseBundlePermissionStatus;
251 PermissionStatus installEtpMdmBundleStatus = installParam.installEtpMdmBundlePermissionStatus;
252 bool isCallByShell = installParam.isCallByShell;
253 if (!isCallByShell && installBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
254 installEnterpriseBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
255 installEtpMdmBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS) {
256 return true;
257 }
258 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
259 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
260 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
261 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
262 APP_LOGE("enterprise bundle can not be installed by shell");
263 return false;
264 }
265 if (!isCallByShell && installEnterpriseBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
266 APP_LOGE("install enterprise bundle permission denied");
267 return false;
268 }
269 continue;
270 }
271 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
272 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
273 bool result = VaildEnterpriseInstallPermission(installParam, provisionInfo);
274 if (!result) {
275 return false;
276 }
277 continue;
278 }
279 if (installBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
280 APP_LOGE("install permission denied");
281 return false;
282 }
283 }
284 return true;
285 }
286
VaildEnterpriseInstallPermission(const InstallParam & installParam,const Security::Verify::ProvisionInfo & provisionInfo)287 bool BundleInstallChecker::VaildEnterpriseInstallPermission(const InstallParam &installParam,
288 const Security::Verify::ProvisionInfo &provisionInfo)
289 {
290 if (installParam.isSelfUpdate) {
291 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
292 APP_LOGI("Mdm self update");
293 return true;
294 }
295 APP_LOGE("Self update not MDM");
296 return false;
297 }
298 bool isCallByShell = installParam.isCallByShell;
299 PermissionStatus installEtpNormalBundleStatus = installParam.installEtpNormalBundlePermissionStatus;
300 PermissionStatus installEtpMdmBundleStatus = installParam.installEtpMdmBundlePermissionStatus;
301 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
302 APP_LOGE("enterprise normal/mdm bundle can not be installed by shell");
303 return false;
304 }
305 if (!isCallByShell &&
306 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL &&
307 installEtpNormalBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS &&
308 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
309 APP_LOGE("install enterprise normal bundle permission denied");
310 return false;
311 }
312 if (!isCallByShell &&
313 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM &&
314 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
315 APP_LOGE("install enterprise mdm bundle permission denied");
316 return false;
317 }
318 return true;
319 }
320
ParseHapFiles(const std::vector<std::string> & bundlePaths,const InstallCheckParam & checkParam,std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes,std::unordered_map<std::string,InnerBundleInfo> & infos)321 ErrCode BundleInstallChecker::ParseHapFiles(
322 const std::vector<std::string> &bundlePaths,
323 const InstallCheckParam &checkParam,
324 std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
325 std::unordered_map<std::string, InnerBundleInfo> &infos)
326 {
327 APP_LOGD("Parse hap file");
328 ErrCode result = ERR_OK;
329 for (uint32_t i = 0; i < bundlePaths.size(); ++i) {
330 InnerBundleInfo newInfo;
331 BundlePackInfo packInfo;
332 newInfo.SetAppType(checkParam.appType);
333 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
334 bool isSystemApp = (provisionInfo.bundleInfo.appFeature == Constants::HOS_SYSTEM_APP) ||
335 (bundlePaths[i].find(SYSTEM_APP_SCAN_PATH) == 0);
336 if (isSystemApp) {
337 newInfo.SetAppType(Constants::AppType::SYSTEM_APP);
338 }
339
340 newInfo.SetIsPreInstallApp(checkParam.isPreInstallApp);
341 result = ParseBundleInfo(bundlePaths[i], newInfo, packInfo);
342 if (result != ERR_OK) {
343 APP_LOGE("bundle parse failed %{public}d", result);
344 return result;
345 }
346 #ifndef X86_EMULATOR_MODE
347 result = CheckBundleName(provisionInfo.bundleInfo.bundleName, newInfo.GetBundleName());
348 if (result != ERR_OK) {
349 APP_LOGE("check provision bundleName failed");
350 return result;
351 }
352 #endif
353 if (newInfo.HasEntry()) {
354 if (isContainEntry_) {
355 APP_LOGE("more than one entry hap in the direction!");
356 return ERR_APPEXECFWK_INSTALL_INVALID_NUMBER_OF_ENTRY_HAP;
357 }
358 isContainEntry_ = true;
359 }
360
361 SetEntryInstallationFree(packInfo, newInfo);
362 result = CheckMainElement(newInfo);
363 if (result != ERR_OK) {
364 return result;
365 }
366 AppPrivilegeCapability appPrivilegeCapability;
367 // from provision file
368 ParseAppPrivilegeCapability(provisionInfo, appPrivilegeCapability);
369 // form install_list_capability.json, higher priority than provision file
370 FetchPrivilegeCapabilityFromPreConfig(
371 newInfo.GetBundleName(), provisionInfo.fingerprint, appPrivilegeCapability);
372 // process bundleInfo by appPrivilegeCapability
373 result = ProcessBundleInfoByPrivilegeCapability(appPrivilegeCapability, newInfo);
374 if (result != ERR_OK) {
375 return result;
376 }
377 CollectProvisionInfo(provisionInfo, appPrivilegeCapability, newInfo);
378 #ifdef USE_PRE_BUNDLE_PROFILE
379 GetPrivilegeCapability(checkParam, newInfo);
380 #endif
381 if (provisionInfo.distributionType == Security::Verify::AppDistType::CROWDTESTING) {
382 newInfo.SetAppCrowdtestDeadline(checkParam.crowdtestDeadline);
383 } else {
384 newInfo.SetAppCrowdtestDeadline(Constants::INVALID_CROWDTEST_DEADLINE);
385 }
386 if ((result = CheckSystemSize(bundlePaths[i], checkParam.appType)) != ERR_OK) {
387 APP_LOGE("install failed due to insufficient disk memory");
388 return result;
389 }
390
391 infos.emplace(bundlePaths[i], newInfo);
392 }
393 if ((result = CheckModuleNameForMulitHaps(infos)) != ERR_OK) {
394 APP_LOGE("install failed due to duplicated moduleName");
395 return result;
396 }
397 if ((result = CheckAllowEnterpriseBundle(hapVerifyRes)) != ERR_OK) {
398 APP_LOGE("install failed due to non-enterprise device");
399 return result;
400 }
401 if ((checkParam.installBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
402 checkParam.installEnterpriseBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
403 checkParam.installEtpNormalBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
404 checkParam.installEtpMdmBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS) &&
405 !VaildInstallPermissionForShare(checkParam, hapVerifyRes)) {
406 // need vaild permission
407 APP_LOGE("install permission denied");
408 return ERR_APPEXECFWK_INSTALL_PERMISSION_DENIED;
409 }
410 APP_LOGD("finish parse hap file");
411 return result;
412 }
413
VaildInstallPermissionForShare(const InstallCheckParam & checkParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)414 bool BundleInstallChecker::VaildInstallPermissionForShare(const InstallCheckParam &checkParam,
415 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
416 {
417 PermissionStatus installBundleStatus = checkParam.installBundlePermissionStatus;
418 PermissionStatus installEnterpriseBundleStatus = checkParam.installEnterpriseBundlePermissionStatus;
419 PermissionStatus installEtpMdmBundleStatus = checkParam.installEtpMdmBundlePermissionStatus;
420 bool isCallByShell = checkParam.isCallByShell;
421 if (!isCallByShell && installBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
422 installEnterpriseBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
423 installEtpMdmBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS) {
424 return true;
425 }
426 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
427 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
428 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
429 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
430 APP_LOGE("enterprise bundle can not be installed by shell");
431 return false;
432 }
433 if (!isCallByShell && installEnterpriseBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
434 APP_LOGE("install enterprise bundle permission denied");
435 return false;
436 }
437 continue;
438 }
439 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
440 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
441 bool result = VaildEnterpriseInstallPermissionForShare(checkParam, provisionInfo);
442 if (!result) {
443 return false;
444 }
445 continue;
446 }
447 if (installBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
448 APP_LOGE("install permission denied");
449 return false;
450 }
451 }
452 return true;
453 }
454
VaildEnterpriseInstallPermissionForShare(const InstallCheckParam & checkParam,const Security::Verify::ProvisionInfo & provisionInfo)455 bool BundleInstallChecker::VaildEnterpriseInstallPermissionForShare(const InstallCheckParam &checkParam,
456 const Security::Verify::ProvisionInfo &provisionInfo)
457 {
458 bool isCallByShell = checkParam.isCallByShell;
459 PermissionStatus installEtpNormalBundleStatus = checkParam.installEtpNormalBundlePermissionStatus;
460 PermissionStatus installEtpMdmBundleStatus = checkParam.installEtpMdmBundlePermissionStatus;
461 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
462 APP_LOGE("enterprise normal/mdm bundle can not be installed by shell");
463 return false;
464 }
465 if (!isCallByShell &&
466 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL &&
467 installEtpNormalBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS &&
468 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
469 APP_LOGE("install enterprise normal bundle permission denied");
470 return false;
471 }
472 if (!isCallByShell &&
473 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM &&
474 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
475 APP_LOGE("install enterprise mdm bundle permission denied");
476 return false;
477 }
478 return true;
479 }
480
CheckDependency(std::unordered_map<std::string,InnerBundleInfo> & infos)481 ErrCode BundleInstallChecker::CheckDependency(std::unordered_map<std::string, InnerBundleInfo> &infos)
482 {
483 APP_LOGD("CheckDependency");
484
485 for (const auto &info : infos) {
486 if (info.second.GetInnerModuleInfos().empty()) {
487 continue;
488 }
489 // There is only one innerModuleInfo when installing
490 InnerModuleInfo moduleInfo = info.second.GetInnerModuleInfos().begin()->second;
491 APP_LOGD("current module:%s, dependencies = %s", moduleInfo.moduleName.c_str(),
492 GetJsonStrFromInfo(moduleInfo.dependencies).c_str());
493 bool isModuleExist = false;
494 for (const auto &dependency : moduleInfo.dependencies) {
495 if (!NeedCheckDependency(dependency, info.second)) {
496 APP_LOGD("deliveryWithInstall is false, do not check whether the dependency exists.");
497 continue;
498 }
499
500 std::string bundleName =
501 dependency.bundleName.empty() ? info.second.GetBundleName() : dependency.bundleName;
502 isModuleExist = FindModuleInInstallingPackage(dependency.moduleName, bundleName, infos);
503 if (!isModuleExist) {
504 APP_LOGW("The depend module:%{public}s is not exist in installing package.",
505 dependency.moduleName.c_str());
506 isModuleExist = FindModuleInInstalledPackage(dependency.moduleName, bundleName,
507 info.second.GetVersionCode());
508 if (!isModuleExist) {
509 APP_LOGE("The depend module:%{public}s is not exist.", dependency.moduleName.c_str());
510 return ERR_APPEXECFWK_INSTALL_DEPENDENT_MODULE_NOT_EXIST;
511 }
512 }
513 }
514 }
515
516 return ERR_OK;
517 }
518
NeedCheckDependency(const Dependency & dependency,const InnerBundleInfo & info)519 bool BundleInstallChecker::NeedCheckDependency(const Dependency &dependency, const InnerBundleInfo &info)
520 {
521 APP_LOGD("NeedCheckDependency the moduleName is %{public}s, the bundleName is %{public}s.",
522 dependency.moduleName.c_str(), dependency.bundleName.c_str());
523
524 if (!dependency.bundleName.empty() && dependency.bundleName != info.GetBundleName()) {
525 APP_LOGD("Cross-app dependencies, check dependency with shared bundle installer.");
526 return false;
527 }
528 std::vector<PackageModule> modules = info.GetBundlePackInfo().summary.modules;
529 if (modules.empty()) {
530 APP_LOGD("NeedCheckDependency modules is empty, need check dependency.");
531 return true;
532 }
533 for (const auto &module : modules) {
534 if (module.distro.moduleName == dependency.moduleName) {
535 return module.distro.deliveryWithInstall;
536 }
537 }
538
539 APP_LOGD("NeedCheckDependency the module not found, need check dependency.");
540 return true;
541 }
542
FindModuleInInstallingPackage(const std::string & moduleName,const std::string & bundleName,const std::unordered_map<std::string,InnerBundleInfo> & infos)543 bool BundleInstallChecker::FindModuleInInstallingPackage(
544 const std::string &moduleName,
545 const std::string &bundleName,
546 const std::unordered_map<std::string, InnerBundleInfo> &infos)
547 {
548 APP_LOGD("FindModuleInInstallingPackage the moduleName is %{public}s, the bundleName is %{public}s.",
549 moduleName.c_str(), bundleName.c_str());
550 for (const auto &info : infos) {
551 if (info.second.GetBundleName() == bundleName) {
552 if (info.second.GetInnerModuleInfos().empty()) {
553 continue;
554 }
555 // There is only one innerModuleInfo when installing
556 InnerModuleInfo moduleInfo = info.second.GetInnerModuleInfos().begin()->second;
557 if (moduleInfo.moduleName == moduleName) {
558 return true;
559 }
560 }
561 }
562 return false;
563 }
564
FindModuleInInstalledPackage(const std::string & moduleName,const std::string & bundleName,uint32_t versionCode)565 bool BundleInstallChecker::FindModuleInInstalledPackage(
566 const std::string &moduleName,
567 const std::string &bundleName,
568 uint32_t versionCode)
569 {
570 APP_LOGD("FindModuleInInstalledPackage the moduleName is %{public}s, the bundleName is %{public}s",
571 moduleName.c_str(), bundleName.c_str());
572 std::shared_ptr<BundleDataMgr> dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
573 if (dataMgr == nullptr) {
574 APP_LOGE("Get dataMgr shared_ptr nullptr");
575 return false;
576 }
577
578 ScopeGuard enableGuard([&dataMgr, &bundleName] { dataMgr->EnableBundle(bundleName); });
579 InnerBundleInfo bundleInfo;
580 bool isBundleExist = dataMgr->GetInnerBundleInfo(bundleName, bundleInfo);
581 if (!isBundleExist) {
582 APP_LOGE("the bundle: %{public}s is not install", bundleName.c_str());
583 return false;
584 }
585 if (!bundleInfo.FindModule(moduleName)) {
586 APP_LOGE("the module: %{public}s is not install", moduleName.c_str());
587 return false;
588 }
589 if (bundleInfo.GetVersionCode() != versionCode) {
590 APP_LOGE("the versionCode %{public}d of dependency is not consistent with the installed module",
591 bundleInfo.GetVersionCode());
592 return false;
593 }
594 return true;
595 }
596
CheckBundleName(const std::string & provisionBundleName,const std::string & bundleName)597 ErrCode BundleInstallChecker::CheckBundleName(const std::string &provisionBundleName, const std::string &bundleName)
598 {
599 APP_LOGD("CheckBundleName provisionBundleName:%{public}s, bundleName:%{public}s",
600 provisionBundleName.c_str(), bundleName.c_str());
601 if (provisionBundleName.empty() || bundleName.empty()) {
602 APP_LOGE("CheckBundleName provisionBundleName:%{public}s, bundleName:%{public}s failed",
603 provisionBundleName.c_str(), bundleName.c_str());
604 return ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE;
605 }
606 if (provisionBundleName == bundleName) {
607 return ERR_OK;
608 }
609 APP_LOGE("CheckBundleName failed provisionBundleName:%{public}s, bundleName:%{public}s",
610 provisionBundleName.c_str(), bundleName.c_str());
611 return ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE;
612 }
613
CollectProvisionInfo(const Security::Verify::ProvisionInfo & provisionInfo,const AppPrivilegeCapability & appPrivilegeCapability,InnerBundleInfo & newInfo)614 void BundleInstallChecker::CollectProvisionInfo(
615 const Security::Verify::ProvisionInfo &provisionInfo,
616 const AppPrivilegeCapability &appPrivilegeCapability,
617 InnerBundleInfo &newInfo)
618 {
619 newInfo.SetProvisionId(provisionInfo.appId);
620 newInfo.SetAppFeature(provisionInfo.bundleInfo.appFeature);
621 newInfo.SetAppPrivilegeLevel(provisionInfo.bundleInfo.apl);
622 newInfo.SetAllowedAcls(provisionInfo.acls.allowedAcls);
623 newInfo.SetCertificateFingerprint(provisionInfo.fingerprint);
624 newInfo.SetAppDistributionType(GetAppDistributionType(provisionInfo.distributionType));
625 newInfo.SetAppProvisionType(GetAppProvisionType(provisionInfo.type));
626 SetAppProvisionMetadata(provisionInfo.metadatas, newInfo);
627 #ifdef USE_PRE_BUNDLE_PROFILE
628 newInfo.SetUserDataClearable(appPrivilegeCapability.userDataClearable);
629 newInfo.SetHideDesktopIcon(appPrivilegeCapability.hideDesktopIcon);
630 newInfo.SetFormVisibleNotify(appPrivilegeCapability.formVisibleNotify);
631 #endif
632 }
633
SetAppProvisionMetadata(const std::vector<Security::Verify::Metadata> & provisionMetadatas,InnerBundleInfo & newInfo)634 void BundleInstallChecker::SetAppProvisionMetadata(const std::vector<Security::Verify::Metadata> &provisionMetadatas,
635 InnerBundleInfo &newInfo)
636 {
637 if (provisionMetadatas.empty()) {
638 return;
639 }
640 std::vector<Metadata> metadatas;
641 for (const auto &it : provisionMetadatas) {
642 Metadata metadata;
643 metadata.name = it.name;
644 metadata.value = it.value;
645 metadatas.emplace_back(metadata);
646 }
647 newInfo.SetAppProvisionMetadata(metadatas);
648 }
649
GetPrivilegeCapability(const InstallCheckParam & checkParam,InnerBundleInfo & newInfo)650 void BundleInstallChecker::GetPrivilegeCapability(
651 const InstallCheckParam &checkParam, InnerBundleInfo &newInfo)
652 {
653 // Reset privilege capability
654 newInfo.SetKeepAlive(false);
655 newInfo.SetSingleton(false);
656
657 newInfo.SetRemovable(checkParam.removable);
658 PreBundleConfigInfo preBundleConfigInfo;
659 preBundleConfigInfo.bundleName = newInfo.GetBundleName();
660 BMSEventHandler::GetPreInstallCapability(preBundleConfigInfo);
661 bool ret = false;
662 if (!preBundleConfigInfo.appSignature.empty()) {
663 ret = std::find(
664 preBundleConfigInfo.appSignature.begin(),
665 preBundleConfigInfo.appSignature.end(),
666 newInfo.GetCertificateFingerprint()) !=
667 preBundleConfigInfo.appSignature.end();
668 }
669
670 if (!ret) {
671 APP_LOGW("appSignature is incompatible");
672 return;
673 }
674
675 newInfo.SetKeepAlive(preBundleConfigInfo.keepAlive);
676 newInfo.SetSingleton(preBundleConfigInfo.singleton);
677 newInfo.SetRunningResourcesApply(preBundleConfigInfo.runningResourcesApply);
678 newInfo.SetAssociatedWakeUp(preBundleConfigInfo.associatedWakeUp);
679 newInfo.SetAllowCommonEvent(preBundleConfigInfo.allowCommonEvent);
680 newInfo.SetResourcesApply(preBundleConfigInfo.resourcesApply);
681 }
682
SetPackInstallationFree(BundlePackInfo & bundlePackInfo,const InnerBundleInfo & innerBundleInfo) const683 void BundleInstallChecker::SetPackInstallationFree(BundlePackInfo &bundlePackInfo,
684 const InnerBundleInfo &innerBundleInfo) const
685 {
686 if (innerBundleInfo.GetIsNewVersion()) {
687 if (innerBundleInfo.GetApplicationBundleType() != BundleType::ATOMIC_SERVICE) {
688 for (auto &item : bundlePackInfo.summary.modules) {
689 item.distro.installationFree = false;
690 }
691 return;
692 }
693 for (auto &item : bundlePackInfo.summary.modules) {
694 item.distro.installationFree = true;
695 }
696 }
697 }
698
ParseBundleInfo(const std::string & bundleFilePath,InnerBundleInfo & info,BundlePackInfo & packInfo) const699 ErrCode BundleInstallChecker::ParseBundleInfo(
700 const std::string &bundleFilePath,
701 InnerBundleInfo &info,
702 BundlePackInfo &packInfo) const
703 {
704 BundleParser bundleParser;
705 ErrCode result = bundleParser.Parse(bundleFilePath, info);
706 if (result != ERR_OK) {
707 APP_LOGE("parse bundle info failed, error: %{public}d", result);
708 return result;
709 }
710
711 if (!packInfo.GetValid()) {
712 result = bundleParser.ParsePackInfo(bundleFilePath, packInfo);
713 if (result != ERR_OK) {
714 APP_LOGE("parse bundle pack info failed, error: %{public}d", result);
715 return result;
716 }
717
718 SetPackInstallationFree(packInfo, info);
719 info.SetBundlePackInfo(packInfo);
720 packInfo.SetValid(true);
721 }
722
723 return ERR_OK;
724 }
725
SetEntryInstallationFree(const BundlePackInfo & bundlePackInfo,InnerBundleInfo & innerBundleInfo)726 void BundleInstallChecker::SetEntryInstallationFree(
727 const BundlePackInfo &bundlePackInfo,
728 InnerBundleInfo &innerBundleInfo)
729 {
730 APP_LOGI("SetEntryInstallationFree start");
731 if (!bundlePackInfo.GetValid()) {
732 APP_LOGW("no pack.info in the hap file");
733 return;
734 }
735
736 auto packageModule = bundlePackInfo.summary.modules;
737 auto installationFree = std::any_of(packageModule.begin(), packageModule.end(), [&](const auto &module) {
738 return module.distro.moduleType == "entry" && module.distro.installationFree;
739 });
740 if (installationFree) {
741 APP_LOGI("install or update hm service");
742 }
743 if (innerBundleInfo.GetIsNewVersion()) {
744 installationFree = innerBundleInfo.GetApplicationBundleType() == BundleType::ATOMIC_SERVICE;
745 }
746
747 innerBundleInfo.SetEntryInstallationFree(installationFree);
748 if (installationFree && !innerBundleInfo.GetIsNewVersion()) {
749 innerBundleInfo.SetApplicationBundleType(BundleType::ATOMIC_SERVICE);
750 }
751 APP_LOGI("SetEntryInstallationFree end");
752 }
753
CheckSystemSize(const std::string & bundlePath,const Constants::AppType appType) const754 ErrCode BundleInstallChecker::CheckSystemSize(
755 const std::string &bundlePath,
756 const Constants::AppType appType) const
757 {
758 if ((appType == Constants::AppType::SYSTEM_APP) &&
759 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
760 return ERR_OK;
761 }
762
763 if ((appType == Constants::AppType::THIRD_SYSTEM_APP) &&
764 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
765 return ERR_OK;
766 }
767
768 if ((appType == Constants::AppType::THIRD_PARTY_APP) &&
769 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
770 return ERR_OK;
771 }
772
773 APP_LOGE("install failed due to insufficient disk memory");
774 return ERR_APPEXECFWK_INSTALL_DISK_MEM_INSUFFICIENT;
775 }
776
CheckHapHashParams(std::unordered_map<std::string,InnerBundleInfo> & infos,std::map<std::string,std::string> hashParams)777 ErrCode BundleInstallChecker::CheckHapHashParams(
778 std::unordered_map<std::string, InnerBundleInfo> &infos,
779 std::map<std::string, std::string> hashParams)
780 {
781 if (hashParams.empty()) {
782 APP_LOGD("hashParams is empty");
783 return ERR_OK;
784 }
785
786 std::vector<std::string> hapModuleNames;
787 for (auto &info : infos) {
788 std::vector<std::string> moduleNames;
789 info.second.GetModuleNames(moduleNames);
790 if (moduleNames.empty()) {
791 APP_LOGE("hap(%{public}s) moduleName is empty", info.first.c_str());
792 return ERR_APPEXECFWK_INSTALL_FAILED_MODULE_NAME_EMPTY;
793 }
794
795 if (std::find(hapModuleNames.begin(), hapModuleNames.end(), moduleNames[0]) != hapModuleNames.end()) {
796 APP_LOGE("hap moduleName(%{public}s) duplicate", moduleNames[0].c_str());
797 return ERR_APPEXECFWK_INSTALL_FAILED_MODULE_NAME_DUPLICATE;
798 }
799
800 hapModuleNames.emplace_back(moduleNames[0]);
801 auto hashParamIter = hashParams.find(moduleNames[0]);
802 if (hashParamIter != hashParams.end()) {
803 info.second.SetModuleHashValue(hashParamIter->second);
804 hashParams.erase(hashParamIter);
805 }
806 }
807
808 if (!hashParams.empty()) {
809 APP_LOGE("Some hashParam moduleName is not exist in hap moduleNames");
810 return ERR_APPEXECFWK_INSTALL_FAILED_CHECK_HAP_HASH_PARAM;
811 }
812
813 return ERR_OK;
814 }
815
CheckAppLabelInfo(const std::unordered_map<std::string,InnerBundleInfo> & infos)816 ErrCode BundleInstallChecker::CheckAppLabelInfo(
817 const std::unordered_map<std::string, InnerBundleInfo> &infos)
818 {
819 APP_LOGD("Check APP label");
820 ErrCode ret = ERR_OK;
821 std::string bundleName = (infos.begin()->second).GetBundleName();
822 std::string vendor = (infos.begin()->second).GetVendor();
823 uint32_t versionCode = (infos.begin()->second).GetVersionCode();
824 std::string versionName = (infos.begin()->second).GetVersionName();
825 uint32_t minCompatibleVersionCode = (infos.begin()->second).GetMinCompatibleVersionCode();
826 uint32_t target = (infos.begin()->second).GetTargetVersion();
827 std::string releaseType = (infos.begin()->second).GetReleaseType();
828 uint32_t compatible = (infos.begin()->second).GetCompatibleVersion();
829 bool singleton = (infos.begin()->second).IsSingleton();
830 Constants::AppType appType = (infos.begin()->second).GetAppType();
831 bool isStage = (infos.begin()->second).GetIsNewVersion();
832 const std::string targetBundleName = (infos.begin()->second).GetTargetBundleName();
833 int32_t targetPriority = (infos.begin()->second).GetTargetPriority();
834 bool asanEnabled = (infos.begin()->second).GetAsanEnabled();
835 BundleType bundleType = (infos.begin()->second).GetApplicationBundleType();
836 bool isHmService = (infos.begin()->second).GetEntryInstallationFree();
837 bool debug = (infos.begin()->second).GetBaseApplicationInfo().debug;
838 bool hasEntry = (infos.begin()->second).HasEntry();
839 bool isSameDebugType = true;
840 bool entryDebug = hasEntry ? debug : false;
841
842 for (const auto &info : infos) {
843 // check bundleName
844 if (bundleName != info.second.GetBundleName()) {
845 return ERR_APPEXECFWK_INSTALL_BUNDLENAME_NOT_SAME;
846 }
847 // check version
848 if (bundleType != BundleType::SHARED) {
849 if (versionCode != info.second.GetVersionCode()) {
850 return ERR_APPEXECFWK_INSTALL_VERSIONCODE_NOT_SAME;
851 }
852 if (versionName != info.second.GetVersionName()) {
853 return ERR_APPEXECFWK_INSTALL_VERSIONNAME_NOT_SAME;
854 }
855 if (minCompatibleVersionCode != info.second.GetMinCompatibleVersionCode()) {
856 return ERR_APPEXECFWK_INSTALL_MINCOMPATIBLE_VERSIONCODE_NOT_SAME;
857 }
858 }
859 // check vendor
860 if (vendor != info.second.GetVendor()) {
861 return ERR_APPEXECFWK_INSTALL_VENDOR_NOT_SAME;
862 }
863 // check release type
864 if (target != info.second.GetTargetVersion()) {
865 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_TARGET_NOT_SAME;
866 }
867 if (compatible != info.second.GetCompatibleVersion()) {
868 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_COMPATIBLE_NOT_SAME;
869 }
870 if (releaseType != info.second.GetReleaseType()) {
871 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_NOT_SAME;
872 }
873 if (singleton != info.second.IsSingleton()) {
874 return ERR_APPEXECFWK_INSTALL_SINGLETON_NOT_SAME;
875 }
876 if (appType != info.second.GetAppType()) {
877 return ERR_APPEXECFWK_INSTALL_APPTYPE_NOT_SAME;
878 }
879 // check model type(FA or stage)
880 if (isStage != info.second.GetIsNewVersion()) {
881 APP_LOGE("must be all FA model or all stage model");
882 return ERR_APPEXECFWK_INSTALL_STATE_ERROR;
883 }
884 if (targetBundleName != info.second.GetTargetBundleName()) {
885 return ERR_BUNDLEMANAGER_OVERLAY_INSTALLATION_FAILED_TARGET_BUNDLE_NAME_NOT_SAME;
886 }
887 if (targetPriority != info.second.GetTargetPriority()) {
888 return ERR_BUNDLEMANAGER_OVERLAY_INSTALLATION_FAILED_TARGET_PRIORITY_NOT_SAME;
889 }
890 // check asanEnabled
891 if (asanEnabled != info.second.GetAsanEnabled()) {
892 APP_LOGE("asanEnabled is not same");
893 return ERR_APPEXECFWK_INSTALL_ASAN_ENABLED_NOT_SAME;
894 }
895 if (bundleType != info.second.GetApplicationBundleType()) {
896 return ERR_APPEXECFWK_BUNDLE_TYPE_NOT_SAME;
897 }
898 if (isHmService != info.second.GetEntryInstallationFree()) {
899 APP_LOGE("application and hm service are not allowed installed simultaneously.");
900 return ERR_APPEXECFWK_INSTALL_TYPE_ERROR;
901 }
902 if (debug != info.second.GetBaseApplicationInfo().debug) {
903 isSameDebugType = false;
904 }
905 if (!hasEntry) {
906 hasEntry = info.second.HasEntry();
907 entryDebug = info.second.GetBaseApplicationInfo().debug;
908 }
909 }
910
911 if (hasEntry && !entryDebug && (debug || !isSameDebugType)) {
912 return ERR_APPEXECFWK_INSTALL_DEBUG_NOT_SAME;
913 }
914 APP_LOGD("finish check APP label");
915 return ret;
916 }
917
CheckMultiNativeFile(std::unordered_map<std::string,InnerBundleInfo> & infos)918 ErrCode BundleInstallChecker::CheckMultiNativeFile(
919 std::unordered_map<std::string, InnerBundleInfo> &infos)
920 {
921 ErrCode result = CheckMultiNativeSo(infos);
922 if (result != ERR_OK) {
923 APP_LOGE("Check multi nativeSo failed, result: %{public}d", result);
924 return result;
925 }
926
927 result = CheckMultiArkNativeFile(infos);
928 if (result != ERR_OK) {
929 APP_LOGE("Check multi arkNativeFile failed, result: %{public}d", result);
930 return result;
931 }
932
933 return ERR_OK;
934 }
935
CheckMultiArkNativeFile(std::unordered_map<std::string,InnerBundleInfo> & infos)936 ErrCode BundleInstallChecker::CheckMultiArkNativeFile(
937 std::unordered_map<std::string, InnerBundleInfo> &infos)
938 {
939 std::string arkNativeFileAbi = (infos.begin()->second).GetArkNativeFileAbi();
940 for (const auto &info : infos) {
941 if (info.second.GetArkNativeFileAbi().empty()) {
942 continue;
943 }
944 if (arkNativeFileAbi.empty()) {
945 arkNativeFileAbi = info.second.GetArkNativeFileAbi();
946 continue;
947 }
948 if (arkNativeFileAbi != info.second.GetArkNativeFileAbi()) {
949 return ERR_APPEXECFWK_INSTALL_AN_INCOMPATIBLE;
950 }
951 }
952
953 // Ensure the an is consistent in multiple haps
954 if (!arkNativeFileAbi.empty()) {
955 for (auto &info : infos) {
956 info.second.SetArkNativeFileAbi(arkNativeFileAbi);
957 }
958 }
959
960 return ERR_OK;
961 }
962
CheckMultiNativeSo(std::unordered_map<std::string,InnerBundleInfo> & infos)963 ErrCode BundleInstallChecker::CheckMultiNativeSo(
964 std::unordered_map<std::string, InnerBundleInfo> &infos)
965 {
966 std::string nativeLibraryPath = (infos.begin()->second).GetNativeLibraryPath();
967 std::string cpuAbi = (infos.begin()->second).GetCpuAbi();
968 for (const auto &info : infos) {
969 if (info.second.GetNativeLibraryPath().empty()) {
970 continue;
971 }
972 if (nativeLibraryPath.empty()) {
973 nativeLibraryPath = info.second.GetNativeLibraryPath();
974 cpuAbi = info.second.GetCpuAbi();
975 continue;
976 }
977 if (nativeLibraryPath != info.second.GetNativeLibraryPath()
978 || cpuAbi != info.second.GetCpuAbi()) {
979 return ERR_APPEXECFWK_INSTALL_SO_INCOMPATIBLE;
980 }
981 }
982
983 // Ensure the so is consistent in multiple haps
984 if (!nativeLibraryPath.empty()) {
985 for (auto &info : infos) {
986 info.second.SetNativeLibraryPath(nativeLibraryPath);
987 info.second.SetCpuAbi(cpuAbi);
988 }
989 }
990
991 return ERR_OK;
992 }
993
ResetProperties()994 void BundleInstallChecker::ResetProperties()
995 {
996 isContainEntry_ = false;
997 }
998
ParseAppPrivilegeCapability(const Security::Verify::ProvisionInfo & provisionInfo,AppPrivilegeCapability & appPrivilegeCapability)999 void BundleInstallChecker::ParseAppPrivilegeCapability(
1000 const Security::Verify::ProvisionInfo &provisionInfo,
1001 AppPrivilegeCapability &appPrivilegeCapability)
1002 {
1003 for (const auto &appPrivilege : provisionInfo.appPrivilegeCapabilities) {
1004 auto iter = PRIVILEGE_MAP.find(appPrivilege);
1005 if (iter != PRIVILEGE_MAP.end()) {
1006 iter->second(appPrivilegeCapability);
1007 }
1008 }
1009 if ((provisionInfo.bundleInfo.bundleName != APP_TEST_BUNDLE_NAME) &&
1010 (provisionInfo.bundleInfo.bundleName.find(BUNDLE_NAME_XTS_TEST) != 0)) {
1011 appPrivilegeCapability.allowMultiProcess = false;
1012 appPrivilegeCapability.allowUsePrivilegeExtension = false;
1013 appPrivilegeCapability.formVisibleNotify = false;
1014 }
1015
1016 APP_LOGD("AppPrivilegeCapability %{public}s",
1017 appPrivilegeCapability.ToString().c_str());
1018 #ifndef USE_PRE_BUNDLE_PROFILE
1019 appPrivilegeCapability.allowMultiProcess = true;
1020 appPrivilegeCapability.allowUsePrivilegeExtension = true;
1021 #endif
1022 }
1023
CheckModuleNameForMulitHaps(const std::unordered_map<std::string,InnerBundleInfo> & infos) const1024 ErrCode BundleInstallChecker::CheckModuleNameForMulitHaps(
1025 const std::unordered_map<std::string, InnerBundleInfo> &infos) const
1026 {
1027 std::set<std::string> moduleSet;
1028 for (const auto &info : infos) {
1029 std::vector<std::string> moduleVec = info.second.GetDistroModuleName();
1030 if (moduleVec.empty()) {
1031 APP_LOGE("moduleName vector is empty");
1032 return ERR_APPEXECFWK_INSTALL_INTERNAL_ERROR;
1033 }
1034 moduleSet.insert(moduleVec[0]);
1035 }
1036
1037 if (moduleSet.size() != infos.size()) {
1038 APP_LOGE("someone moduleName is not unique in the haps");
1039 return ERR_APPEXECFWK_INSTALL_NOT_UNIQUE_DISTRO_MODULE_NAME;
1040 }
1041 return ERR_OK;
1042 }
1043
IsExistedDistroModule(const InnerBundleInfo & newInfo,const InnerBundleInfo & info) const1044 bool BundleInstallChecker::IsExistedDistroModule(const InnerBundleInfo &newInfo, const InnerBundleInfo &info) const
1045 {
1046 std::string moduleName = newInfo.GetCurModuleName();
1047 std::string packageName = newInfo.GetCurrentModulePackage();
1048 if (packageName.empty() || moduleName.empty()) {
1049 APP_LOGE("IsExistedDistroModule failed due to invalid packageName or moduleName");
1050 return false;
1051 }
1052 std::string oldModuleName = info.GetModuleNameByPackage(packageName);
1053 // if FA update to Stage, allow module name inconsistent
1054 bool isFAToStage = !info.GetIsNewVersion() && newInfo.GetIsNewVersion();
1055 if (!isFAToStage) {
1056 // if not FA update to Stage, check consistency of module name
1057 if (moduleName.compare(oldModuleName) != 0) {
1058 APP_LOGE("no moduleName in the innerModuleInfo");
1059 return false;
1060 }
1061 }
1062 // check consistency of module type
1063 std::string newModuleType = newInfo.GetModuleTypeByPackage(packageName);
1064 std::string oldModuleType = info.GetModuleTypeByPackage(packageName);
1065 if (newModuleType.compare(oldModuleType) != 0) {
1066 APP_LOGE("moduleType is different between the new hap and the original hap");
1067 return false;
1068 }
1069
1070 return true;
1071 }
1072
IsContainModuleName(const InnerBundleInfo & newInfo,const InnerBundleInfo & info) const1073 bool BundleInstallChecker::IsContainModuleName(const InnerBundleInfo &newInfo, const InnerBundleInfo &info) const
1074 {
1075 std::string moduleName = newInfo.GetCurModuleName();
1076 std::vector<std::string> moduleVec = info.GetDistroModuleName();
1077 if (moduleName.empty() || moduleVec.empty()) {
1078 APP_LOGE("IsContainModuleName failed due to invalid moduleName or modulevec");
1079 return false;
1080 }
1081 return (find(moduleVec.cbegin(), moduleVec.cend(), moduleName) == moduleVec.cend()) ? false : true;
1082 }
1083
CheckMainElement(const InnerBundleInfo & info)1084 ErrCode BundleInstallChecker::CheckMainElement(const InnerBundleInfo &info)
1085 {
1086 const std::map<std::string, InnerModuleInfo> &innerModuleInfos = info.GetInnerModuleInfos();
1087 if (innerModuleInfos.empty()) {
1088 return ERR_OK;
1089 }
1090 if (innerModuleInfos.cbegin()->second.distro.moduleType == Profile::MODULE_TYPE_SHARED) {
1091 return ERR_OK;
1092 }
1093 if (info.GetEntryInstallationFree() && innerModuleInfos.cbegin()->second.mainAbility.empty()) {
1094 APP_LOGE("atomic service's mainElement can't be empty.");
1095 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1096 }
1097 return ERR_OK;
1098 }
1099
GetPrivilegeCapabilityValue(const std::vector<std::string> & existInJson,const std::string & key,bool existInPreJson,bool existInProvision)1100 bool BundleInstallChecker::GetPrivilegeCapabilityValue(
1101 const std::vector<std::string> &existInJson,
1102 const std::string &key,
1103 bool existInPreJson,
1104 bool existInProvision)
1105 {
1106 if (find(existInJson.cbegin(), existInJson.cend(), key) != existInJson.cend()) {
1107 return existInPreJson;
1108 }
1109 return existInProvision;
1110 }
1111
FetchPrivilegeCapabilityFromPreConfig(const std::string & bundleName,const std::string & appSignature,AppPrivilegeCapability & appPrivilegeCapability)1112 void BundleInstallChecker::FetchPrivilegeCapabilityFromPreConfig(
1113 const std::string &bundleName,
1114 const std::string &appSignature,
1115 AppPrivilegeCapability &appPrivilegeCapability)
1116 {
1117 #ifdef USE_PRE_BUNDLE_PROFILE
1118 APP_LOGD("bundleName: %{public}s, FetchPrivilegeCapabilityFromPreConfig start", bundleName.c_str());
1119 PreBundleConfigInfo configInfo;
1120 configInfo.bundleName = bundleName;
1121 if (!BMSEventHandler::GetPreInstallCapability(configInfo)) {
1122 APP_LOGD("bundleName: %{public}s is not exist in pre install capability list", bundleName.c_str());
1123 return;
1124 }
1125 if (!MatchSignature(configInfo.appSignature, appSignature)) {
1126 APP_LOGE("bundleName: %{public}s signature verify failed", bundleName.c_str());
1127 return;
1128 }
1129 appPrivilegeCapability.allowUsePrivilegeExtension = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1130 ALLOW_APP_USE_PRIVILEGE_EXTENSION,
1131 configInfo.allowUsePrivilegeExtension, appPrivilegeCapability.allowUsePrivilegeExtension);
1132
1133 appPrivilegeCapability.allowMultiProcess = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1134 ALLOW_APP_MULTI_PROCESS,
1135 configInfo.allowMultiProcess, appPrivilegeCapability.allowMultiProcess);
1136
1137 appPrivilegeCapability.hideDesktopIcon = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1138 ALLOW_APP_DESKTOP_ICON_HIDE,
1139 configInfo.hideDesktopIcon, appPrivilegeCapability.hideDesktopIcon);
1140
1141 appPrivilegeCapability.allowQueryPriority = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1142 ALLOW_ABILITY_PRIORITY_QUERIED,
1143 configInfo.allowQueryPriority, appPrivilegeCapability.allowQueryPriority);
1144
1145 appPrivilegeCapability.allowExcludeFromMissions = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1146 ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS,
1147 configInfo.allowExcludeFromMissions, appPrivilegeCapability.allowExcludeFromMissions);
1148
1149 appPrivilegeCapability.allowMissionNotCleared = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1150 ALLOW_MISSION_NOT_CLEARED,
1151 configInfo.allowMissionNotCleared, appPrivilegeCapability.allowMissionNotCleared);
1152
1153 appPrivilegeCapability.formVisibleNotify = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1154 ALLOW_FORM_VISIBLE_NOTIFY,
1155 configInfo.formVisibleNotify, appPrivilegeCapability.formVisibleNotify);
1156
1157 appPrivilegeCapability.userDataClearable = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1158 ALLOW_APP_DATA_NOT_CLEARED,
1159 configInfo.userDataClearable, appPrivilegeCapability.userDataClearable);
1160
1161 appPrivilegeCapability.appShareLibrary = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1162 ALLOW_APP_SHARE_LIBRARY,
1163 configInfo.appShareLibrary, appPrivilegeCapability.appShareLibrary);
1164 APP_LOGD("AppPrivilegeCapability %{public}s", appPrivilegeCapability.ToString().c_str());
1165 #endif
1166 }
1167
MatchSignature(const std::vector<std::string> & appSignatures,const std::string & signature)1168 bool BundleInstallChecker::MatchSignature(
1169 const std::vector<std::string> &appSignatures, const std::string &signature)
1170 {
1171 if (appSignatures.empty()) {
1172 APP_LOGW("appSignature is empty");
1173 return false;
1174 }
1175
1176 return std::find(
1177 appSignatures.begin(), appSignatures.end(), signature) != appSignatures.end();
1178 }
1179
ProcessBundleInfoByPrivilegeCapability(const AppPrivilegeCapability & appPrivilegeCapability,InnerBundleInfo & innerBundleInfo)1180 ErrCode BundleInstallChecker::ProcessBundleInfoByPrivilegeCapability(
1181 const AppPrivilegeCapability &appPrivilegeCapability,
1182 InnerBundleInfo &innerBundleInfo)
1183 {
1184 // process application
1185 ApplicationInfo applicationInfo = innerBundleInfo.GetBaseApplicationInfo();
1186 if (!appPrivilegeCapability.allowMultiProcess || applicationInfo.process.empty()) {
1187 applicationInfo.process = applicationInfo.bundleName;
1188 }
1189 innerBundleInfo.SetBaseApplicationInfo(applicationInfo);
1190 BundleInfo bundleInfo = innerBundleInfo.GetBaseBundleInfo();
1191 // process allow app share library
1192 if (applicationInfo.bundleType == BundleType::SHARED && !appPrivilegeCapability.appShareLibrary) {
1193 APP_LOGE("not allow app share library");
1194 return ERR_APPEXECFWK_INSTALL_SHARE_APP_LIBRARY_NOT_ALLOWED;
1195 }
1196 // process ability
1197 auto &abilityInfos = innerBundleInfo.FetchAbilityInfos();
1198 for (auto iter = abilityInfos.begin(); iter != abilityInfos.end(); ++iter) {
1199 #ifdef USE_PRE_BUNDLE_PROFILE
1200 if (!appPrivilegeCapability.allowQueryPriority) {
1201 iter->second.priority = 0;
1202 }
1203 if (!appPrivilegeCapability.allowExcludeFromMissions) {
1204 iter->second.excludeFromMissions = false;
1205 }
1206 if (!appPrivilegeCapability.allowMissionNotCleared) {
1207 iter->second.unclearableMission = false;
1208 }
1209 #else
1210 if (!applicationInfo.isSystemApp || !bundleInfo.isPreInstallApp) {
1211 iter->second.priority = 0;
1212 iter->second.excludeFromMissions = false;
1213 }
1214 #endif
1215 }
1216 // process ExtensionAbility
1217 auto &extensionAbilityInfos = innerBundleInfo.FetchInnerExtensionInfos();
1218 for (auto iter = extensionAbilityInfos.begin(); iter != extensionAbilityInfos.end(); ++iter) {
1219 bool privilegeType = IsPrivilegeExtensionAbilityType(iter->second.type);
1220 if (privilegeType && !appPrivilegeCapability.allowUsePrivilegeExtension) {
1221 APP_LOGE("not allow use privilege extension");
1222 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1223 }
1224
1225 bool systemType = IsSystemExtensionAbilityType(iter->second.type);
1226 if (systemType && !applicationInfo.isSystemApp) {
1227 APP_LOGE("not allow use system extension");
1228 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1229 }
1230
1231 #ifdef USE_PRE_BUNDLE_PROFILE
1232 if (!appPrivilegeCapability.allowQueryPriority) {
1233 iter->second.priority = 0;
1234 }
1235 #else
1236 if (!applicationInfo.isSystemApp || !bundleInfo.isPreInstallApp) {
1237 iter->second.priority = 0;
1238 }
1239 #endif
1240 if (appPrivilegeCapability.allowMultiProcess) {
1241 APP_LOGD("bundleName: %{public}s support allowMultiProcess", iter->second.bundleName.c_str());
1242 auto hapModuleInfo = innerBundleInfo.GetInnerModuleInfoByModuleName(iter->second.moduleName);
1243 if (hapModuleInfo && !hapModuleInfo->process.empty()) {
1244 iter->second.process = hapModuleInfo->process;
1245 }
1246 }
1247 }
1248 // process InnerModuleInfo
1249 auto &innerModuleInfos = innerBundleInfo.FetchInnerModuleInfos();
1250 for (auto iter = innerModuleInfos.begin(); iter != innerModuleInfos.end(); ++iter) {
1251 if (iter->second.isModuleJson && (!appPrivilegeCapability.allowMultiProcess || iter->second.process.empty())) {
1252 iter->second.process = applicationInfo.bundleName;
1253 }
1254 }
1255 return ERR_OK;
1256 }
1257
CheckDeviceType(std::unordered_map<std::string,InnerBundleInfo> & infos) const1258 ErrCode BundleInstallChecker::CheckDeviceType(std::unordered_map<std::string, InnerBundleInfo> &infos) const
1259 {
1260 std::string deviceType = GetDeviceType();
1261 APP_LOGD("deviceType is %{public}s", deviceType.c_str());
1262 for (const auto &info : infos) {
1263 std::vector<std::string> devVec = info.second.GetDeviceType(info.second.GetCurrentModulePackage());
1264 if (devVec.empty()) {
1265 APP_LOGW("deviceTypes is empty");
1266 continue;
1267 }
1268
1269 if ((deviceType == DEVICE_TYPE_OF_PHONE) &&
1270 (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_DEFAULT) != devVec.end())) {
1271 APP_LOGW("current deviceType is phone and bundle is matched with default");
1272 continue;
1273 }
1274
1275 if ((deviceType == DEVICE_TYPE_OF_DEFAULT) &&
1276 (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_PHONE) != devVec.end())) {
1277 APP_LOGW("current deviceType is default and bundle is matched with phone");
1278 continue;
1279 }
1280
1281 if (find(devVec.begin(), devVec.end(), deviceType) == devVec.end()) {
1282 APP_LOGE("%{public}s is not supported", deviceType.c_str());
1283 return ERR_APPEXECFWK_INSTALL_DEVICE_TYPE_NOT_SUPPORTED;
1284 }
1285 }
1286 return ERR_OK;
1287 }
1288
ConvertToAppProvisionInfo(const Security::Verify::ProvisionInfo & provisionInfo) const1289 AppProvisionInfo BundleInstallChecker::ConvertToAppProvisionInfo(
1290 const Security::Verify::ProvisionInfo &provisionInfo) const
1291 {
1292 AppProvisionInfo appProvisionInfo;
1293 appProvisionInfo.versionCode = provisionInfo.versionCode;
1294 appProvisionInfo.versionName = provisionInfo.versionName;
1295 if (provisionInfo.type == Security::Verify::ProvisionType::DEBUG) {
1296 appProvisionInfo.type = Constants::APP_PROVISION_TYPE_DEBUG;
1297 appProvisionInfo.certificate = provisionInfo.bundleInfo.developmentCertificate;
1298 } else {
1299 appProvisionInfo.type = Constants::APP_PROVISION_TYPE_RELEASE;
1300 appProvisionInfo.certificate = provisionInfo.bundleInfo.distributionCertificate;
1301 }
1302 appProvisionInfo.appDistributionType = GetAppDistributionType(provisionInfo.distributionType);
1303 appProvisionInfo.apl = provisionInfo.bundleInfo.apl.empty() ? APL_NORMAL : provisionInfo.bundleInfo.apl;
1304 appProvisionInfo.developerId = provisionInfo.bundleInfo.developerId;
1305 appProvisionInfo.issuer = provisionInfo.issuer;
1306 appProvisionInfo.uuid = provisionInfo.uuid;
1307 appProvisionInfo.validity.notBefore = provisionInfo.validity.notBefore;
1308 appProvisionInfo.validity.notAfter = provisionInfo.validity.notAfter;
1309 return appProvisionInfo;
1310 }
1311
GetBundleNameFromUri(const std::string & uri)1312 std::string GetBundleNameFromUri(const std::string &uri)
1313 {
1314 std::size_t firstSlashPos = uri.find(DOUBLE_SLASH);
1315 if (firstSlashPos == std::string::npos) {
1316 APP_LOGE("dataproxy uri is invalid");
1317 return Constants::EMPTY_STRING;
1318 }
1319
1320 std::size_t secondSlashPos = uri.find(SLASH, firstSlashPos + SLAH_OFFSET);
1321 if (secondSlashPos == std::string::npos) {
1322 APP_LOGE("dataproxy uri is invalid");
1323 return Constants::EMPTY_STRING;
1324 }
1325
1326 std::string bundleName = uri.substr(firstSlashPos + SLAH_OFFSET, secondSlashPos - firstSlashPos - SLAH_OFFSET);
1327 return bundleName;
1328 }
1329
CheckProxyPermissionLevel(const std::string & permissionName) const1330 bool BundleInstallChecker::CheckProxyPermissionLevel(const std::string &permissionName) const
1331 {
1332 // no permission name, only for self usage
1333 if (permissionName.empty()) {
1334 return true;
1335 }
1336 PermissionDef permissionDef;
1337 ErrCode ret = BundlePermissionMgr::GetPermissionDef(permissionName, permissionDef);
1338 if (ret != ERR_OK) {
1339 APP_LOGE("getPermissionDef failed");
1340 return false;
1341 }
1342 if (permissionDef.availableLevel < Security::AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC) {
1343 APP_LOGE("permission %{public}s level too low", permissionName.c_str());
1344 return false;
1345 }
1346 return true;
1347 }
1348
CheckProxyDatas(const InnerBundleInfo & innerBundleInfo) const1349 ErrCode BundleInstallChecker::CheckProxyDatas(const InnerBundleInfo &innerBundleInfo) const
1350 {
1351 auto bundleName = innerBundleInfo.GetBundleName();
1352 auto moduleInfos = innerBundleInfo.GetInnerModuleInfos();
1353 if (moduleInfos.empty()) {
1354 return ERR_OK;
1355 }
1356 for (const auto &moduleInfo : moduleInfos) {
1357 for (const auto &proxyData : moduleInfo.second.proxyDatas) {
1358 auto name = GetBundleNameFromUri(proxyData.uri);
1359 if (bundleName != name) {
1360 APP_LOGE("bundleName from uri %{public}s different from origin bundleName %{public}s",
1361 name.c_str(), bundleName.c_str());
1362 return ERR_APPEXECFWK_INSTALL_CHECK_PROXY_DATA_URI_FAILED;
1363 }
1364 if (innerBundleInfo.IsSystemApp()) {
1365 continue;
1366 }
1367 if (!CheckProxyPermissionLevel(proxyData.requiredReadPermission)
1368 || !CheckProxyPermissionLevel(proxyData.requiredWritePermission)) {
1369 return ERR_APPEXECFWK_INSTALL_CHECK_PROXY_DATA_PERMISSION_FAILED;
1370 }
1371 }
1372 }
1373 return ERR_OK;
1374 }
1375
CheckSupportIsolation(const char * szIsolationModeThresholdMb,const std::string & isolationMode)1376 bool CheckSupportIsolation(const char *szIsolationModeThresholdMb, const std::string &isolationMode)
1377 {
1378 if ((std::strcmp(szIsolationModeThresholdMb, VALUE_TRUE.c_str()) == 0) ||
1379 (std::strcmp(szIsolationModeThresholdMb, VALUE_TRUE_BOOL.c_str()) == 0)) {
1380 if (isolationMode == NONISOLATION_ONLY) {
1381 APP_LOGE("check isolation mode failed.");
1382 return false;
1383 }
1384 } else {
1385 if (isolationMode == ISOLATION_ONLY) {
1386 APP_LOGE("check isolation mode failed.");
1387 return false;
1388 }
1389 }
1390 return true;
1391 }
1392
CheckIsolationMode(const std::unordered_map<std::string,InnerBundleInfo> & infos) const1393 ErrCode BundleInstallChecker::CheckIsolationMode(const std::unordered_map<std::string, InnerBundleInfo> &infos) const
1394 {
1395 for (const auto &info : infos) {
1396 auto moduleInfos = info.second.GetInnerModuleInfos();
1397 for (const auto &moduleInfo : moduleInfos) {
1398 std::string isolationMode = moduleInfo.second.isolationMode;
1399 char szIsolationModeThresholdMb[THRESHOLD_VAL_LEN] = {0};
1400 int32_t ret = GetParameter(SUPPORT_ISOLATION_MODE.c_str(), "",
1401 szIsolationModeThresholdMb, THRESHOLD_VAL_LEN);
1402 if (ret <= 0) {
1403 APP_LOGW("GetParameter failed");
1404 }
1405 if (!CheckSupportIsolation(szIsolationModeThresholdMb, isolationMode)) {
1406 APP_LOGE("check isolation mode failed.");
1407 return ERR_APPEXECFWK_INSTALL_ISOLATION_MODE_FAILED;
1408 }
1409 }
1410 }
1411 return ERR_OK;
1412 }
1413
CheckSignatureFileDir(const std::string & signatureFileDir) const1414 ErrCode BundleInstallChecker::CheckSignatureFileDir(const std::string &signatureFileDir) const
1415 {
1416 if (!BundleUtil::CheckFileName(signatureFileDir)) {
1417 APP_LOGE("code signature file dir is invalid");
1418 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1419 }
1420 if (!BundleUtil::CheckFileType(signatureFileDir, Constants::CODE_SIGNATURE_FILE_SUFFIX)) {
1421 APP_LOGE("signatureFileDir is not suffixed with .sig");
1422 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1423 }
1424 return ERR_OK;
1425 }
1426
CheckAllowEnterpriseBundle(const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes) const1427 ErrCode BundleInstallChecker::CheckAllowEnterpriseBundle(
1428 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes) const
1429 {
1430 if (system::GetBoolParameter(Constants::ALLOW_ENTERPRISE_BUNDLE, false)) {
1431 return ERR_OK;
1432 }
1433 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
1434 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
1435 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
1436 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
1437 APP_LOGE("enterprise normal/mdm bundle cannot be installed on non-enterprise device");
1438 return ERR_APPEXECFWK_INSTALL_ENTERPRISE_BUNDLE_NOT_ALLOWED;
1439 }
1440 }
1441 return ERR_OK;
1442 }
1443 } // namespace AppExecFwk
1444 } // namespace OHOS