1 /*
2 * Copyright (c) 2021-2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "bundle_permission_mgr.h"
17
18 #include "app_log_wrapper.h"
19 #include "bundle_mgr_service.h"
20 #include "bundle_parser.h"
21 #include "ipc_skeleton.h"
22 #include "parameter.h"
23 #include "privacy_kit.h"
24 #include "tokenid_kit.h"
25
26 namespace OHOS {
27 namespace AppExecFwk {
28 namespace {
29 // pre bundle profile
30 constexpr const char* INSTALL_LIST_PERMISSIONS_CONFIG = "/etc/app/install_list_permissions.json";
31 constexpr const char* SCENEBOARD_BUNDLE_NAME = "com.ohos.sceneboard";
32 }
33
34 using namespace OHOS::Security;
35 std::map<std::string, DefaultPermission> BundlePermissionMgr::defaultPermissions_;
36
Init()37 bool BundlePermissionMgr::Init()
38 {
39 std::vector<std::string> permissionFileList;
40 #ifdef USE_PRE_BUNDLE_PROFILE
41 std::vector<std::string> rootDirList;
42 BMSEventHandler::GetPreInstallRootDirList(rootDirList);
43 if (rootDirList.empty()) {
44 APP_LOGE("rootDirList is empty");
45 return false;
46 }
47 for (const auto &item : rootDirList) {
48 permissionFileList.push_back(item + INSTALL_LIST_PERMISSIONS_CONFIG);
49 }
50 #else
51 permissionFileList.emplace_back(Constants::INSTALL_LIST_PERMISSIONS_FILE_PATH);
52 #endif
53 BundleParser bundleParser;
54 std::set<DefaultPermission> permissions;
55 for (const auto &permissionFile : permissionFileList) {
56 if (bundleParser.ParseDefaultPermission(permissionFile, permissions) != ERR_OK) {
57 APP_LOGW("BundlePermissionMgr::Init failed");
58 continue;
59 }
60 }
61
62 defaultPermissions_.clear();
63 for (const auto &permission : permissions) {
64 defaultPermissions_.try_emplace(permission.bundleName, permission);
65 }
66 APP_LOGD("BundlePermissionMgr::Init success");
67 return true;
68 }
69
UnInit()70 void BundlePermissionMgr::UnInit()
71 {
72 APP_LOGD("BundlePermissionMgr::UnInit");
73 defaultPermissions_.clear();
74 }
75
ConvertPermissionDef(const AccessToken::PermissionDef & permDef,PermissionDef & permissionDef)76 void BundlePermissionMgr::ConvertPermissionDef(
77 const AccessToken::PermissionDef &permDef, PermissionDef &permissionDef)
78 {
79 permissionDef.permissionName = permDef.permissionName;
80 permissionDef.bundleName = permDef.bundleName;
81 permissionDef.grantMode = permDef.grantMode;
82 permissionDef.availableLevel = permDef.availableLevel;
83 permissionDef.provisionEnable = permDef.provisionEnable;
84 permissionDef.distributedSceneEnable = permDef.distributedSceneEnable;
85 permissionDef.label = permDef.label;
86 permissionDef.labelId = permDef.labelId;
87 permissionDef.description = permDef.description;
88 permissionDef.descriptionId = permDef.descriptionId;
89 }
90
91 // Convert from the struct DefinePermission that parsed from config.json
ConvertPermissionDef(AccessToken::PermissionDef & permDef,const DefinePermission & definePermission,const std::string & bundleName)92 void BundlePermissionMgr::ConvertPermissionDef(
93 AccessToken::PermissionDef &permDef, const DefinePermission &definePermission, const std::string &bundleName)
94 {
95 permDef.permissionName = definePermission.name;
96 permDef.bundleName = bundleName;
97 permDef.grantMode = [&definePermission]() -> int {
98 if (definePermission.grantMode ==
99 Profile::DEFINEPERMISSION_GRANT_MODE_SYSTEM_GRANT) {
100 return AccessToken::GrantMode::SYSTEM_GRANT;
101 }
102 return AccessToken::GrantMode::USER_GRANT;
103 }();
104
105 permDef.availableLevel = GetTokenApl(definePermission.availableLevel);
106 permDef.provisionEnable = definePermission.provisionEnable;
107 permDef.distributedSceneEnable = definePermission.distributedSceneEnable;
108 permDef.label = definePermission.label;
109 permDef.labelId = definePermission.labelId;
110 permDef.description = definePermission.description;
111 permDef.descriptionId = definePermission.descriptionId;
112 }
113
GetTokenApl(const std::string & apl)114 AccessToken::ATokenAplEnum BundlePermissionMgr::GetTokenApl(const std::string &apl)
115 {
116 if (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE) {
117 return AccessToken::ATokenAplEnum::APL_SYSTEM_CORE;
118 }
119 if (apl == Profile::AVAILABLELEVEL_SYSTEM_BASIC) {
120 return AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC;
121 }
122 return AccessToken::ATokenAplEnum::APL_NORMAL;
123 }
124
CreateHapPolicyParam(const InnerBundleInfo & innerBundleInfo)125 AccessToken::HapPolicyParams BundlePermissionMgr::CreateHapPolicyParam(
126 const InnerBundleInfo &innerBundleInfo)
127 {
128 std::vector<AccessToken::PermissionStateFull> permStateFull = GetPermissionStateFullList(innerBundleInfo);
129 return CreateHapPolicyParam(innerBundleInfo, permStateFull);
130 }
131
CreateHapPolicyParam(const InnerBundleInfo & innerBundleInfo,const std::vector<Security::AccessToken::PermissionStateFull> & permissions)132 AccessToken::HapPolicyParams BundlePermissionMgr::CreateHapPolicyParam(
133 const InnerBundleInfo &innerBundleInfo, const std::vector<Security::AccessToken::PermissionStateFull> &permissions)
134 {
135 AccessToken::HapPolicyParams hapPolicy;
136 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
137 APP_LOGD("BundlePermissionMgr::CreateHapPolicyParam apl : %{public}s", apl.c_str());
138 std::vector<AccessToken::PermissionDef> permDef = GetPermissionDefList(innerBundleInfo);
139 hapPolicy.apl = GetTokenApl(apl);
140 hapPolicy.domain = "domain";
141 hapPolicy.permList = permDef;
142 hapPolicy.permStateList = permissions;
143 return hapPolicy;
144 }
145
CreateAccessTokenIdEx(const InnerBundleInfo & innerBundleInfo,const std::string bundleName,const int32_t userId)146 AccessToken::AccessTokenIDEx BundlePermissionMgr::CreateAccessTokenIdEx(
147 const InnerBundleInfo &innerBundleInfo, const std::string bundleName, const int32_t userId)
148 {
149 APP_LOGD("BundlePermissionMgr::CreateAccessTokenId bundleName = %{public}s, userId = %{public}d",
150 bundleName.c_str(), userId);
151 AccessToken::HapPolicyParams hapPolicy = CreateHapPolicyParam(innerBundleInfo);
152 return CreateAccessTokenIdEx(innerBundleInfo, bundleName, userId, 0, hapPolicy);
153 }
154
CreateAccessTokenIdEx(const InnerBundleInfo & innerBundleInfo,const std::string bundleName,const int32_t userId,const int32_t dlpType,const AccessToken::HapPolicyParams & hapPolicy)155 AccessToken::AccessTokenIDEx BundlePermissionMgr::CreateAccessTokenIdEx(
156 const InnerBundleInfo &innerBundleInfo, const std::string bundleName, const int32_t userId, const int32_t dlpType,
157 const AccessToken::HapPolicyParams &hapPolicy)
158 {
159 APP_LOGD("CreateAccessTokenId bundleName = %{public}s, userId = %{public}d, dlpType = %{public}d",
160 bundleName.c_str(), userId, dlpType);
161 AccessToken::HapInfoParams hapInfo;
162 hapInfo.userID = userId;
163 hapInfo.bundleName = bundleName;
164 hapInfo.instIndex = innerBundleInfo.GetAppIndex();
165 hapInfo.appIDDesc = innerBundleInfo.GetAppId();
166 hapInfo.dlpType = dlpType;
167 hapInfo.apiVersion = innerBundleInfo.GetBaseApplicationInfo().apiTargetVersion;
168 hapInfo.isSystemApp = innerBundleInfo.IsSystemApp();
169 AccessToken::AccessTokenIDEx accessToken = AccessToken::AccessTokenKit::AllocHapToken(hapInfo, hapPolicy);
170 APP_LOGD("BundlePermissionMgr::CreateAccessTokenId bundleName: %{public}s, accessTokenId = %{public}u",
171 bundleName.c_str(), accessToken.tokenIdExStruct.tokenID);
172 return accessToken;
173 }
174
UpdateDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx & tokenIdEx,const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo,std::vector<std::string> & newRequestPermName)175 bool BundlePermissionMgr::UpdateDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx &tokenIdEx,
176 const InnerBundleInfo &oldInfo, const InnerBundleInfo &newInfo, std::vector<std::string> &newRequestPermName)
177 {
178 APP_LOGD("UpdateDefineAndRequestPermissions bundleName = %{public}s", newInfo.GetBundleName().c_str());
179 std::vector<AccessToken::PermissionDef> newDefPermList;
180 if (!InnerUpdateDefinePermission(tokenIdEx.tokenIdExStruct.tokenID, oldInfo, newInfo, newDefPermList)) {
181 APP_LOGE("UpdateDefineAndRequestPermissions InnerUpdateDefinePermission failed");
182 return false;
183 }
184
185 std::vector<AccessToken::PermissionStateFull> newPermissionStateList;
186 if (!InnerUpdateRequestPermission(tokenIdEx.tokenIdExStruct.tokenID, oldInfo, newInfo,
187 newPermissionStateList, newRequestPermName)) {
188 APP_LOGE("UpdateDefineAndRequestPermissions InnerUpdateRequestPermission failed");
189 return false;
190 }
191
192 AccessToken::HapPolicyParams hapPolicy;
193 std::string apl = newInfo.GetAppPrivilegeLevel();
194 APP_LOGD("newDefPermList size:%{public}zu, newPermissionStateList size:%{public}zu, isSystemApp: %{public}d",
195 newDefPermList.size(), newPermissionStateList.size(), newInfo.IsSystemApp());
196 hapPolicy.apl = GetTokenApl(apl);
197 hapPolicy.domain = "domain"; // default
198 hapPolicy.permList = newDefPermList;
199 hapPolicy.permStateList = newPermissionStateList;
200 std::string appId = newInfo.GetAppId();
201 int32_t ret = AccessToken::AccessTokenKit::UpdateHapToken(tokenIdEx, newInfo.IsSystemApp(), appId,
202 newInfo.GetBaseApplicationInfo().apiTargetVersion, hapPolicy);
203 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
204 APP_LOGE("UpdateDefineAndRequestPermissions UpdateHapToken failed errcode: %{public}d", ret);
205 return false;
206 }
207 APP_LOGD("BundlePermissionMgr::UpdateDefineAndRequestPermissions end");
208 return true;
209 }
210
GetNeedDeleteDefinePermissionName(const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo)211 std::vector<std::string> BundlePermissionMgr::GetNeedDeleteDefinePermissionName(const InnerBundleInfo &oldInfo,
212 const InnerBundleInfo &newInfo)
213 {
214 std::vector<DefinePermission> oldDefinePermissions = oldInfo.GetAllDefinePermissions();
215 std::vector<DefinePermission> newDefinePermissions = newInfo.GetAllDefinePermissions();
216 std::vector<std::string> needDeleteDefinePermission;
217 for (const auto &defPerm : oldDefinePermissions) {
218 auto iter = std::find_if(newDefinePermissions.begin(), newDefinePermissions.end(),
219 [&defPerm](const auto &perm) {
220 return defPerm.name == perm.name;
221 });
222 if (iter == newDefinePermissions.end()) {
223 APP_LOGD("GetNeedDeleteDefinePermissionName need delete %{public}s", defPerm.name.c_str());
224 needDeleteDefinePermission.emplace_back(defPerm.name);
225 }
226 }
227 return needDeleteDefinePermission;
228 }
229
GetNeedDeleteRequestPermissionName(const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo)230 std::vector<std::string> BundlePermissionMgr::GetNeedDeleteRequestPermissionName(const InnerBundleInfo &oldInfo,
231 const InnerBundleInfo &newInfo)
232 {
233 std::vector<RequestPermission> oldRequestPermissions = oldInfo.GetAllRequestPermissions();
234 std::vector<RequestPermission> newRequestPermissions = newInfo.GetAllRequestPermissions();
235 std::vector<std::string> needDeleteRequestPermission;
236 for (const auto &reqPerm : oldRequestPermissions) {
237 auto iter = std::find_if(newRequestPermissions.begin(), newRequestPermissions.end(),
238 [&reqPerm](const auto &perm) {
239 return reqPerm.name == perm.name;
240 });
241 if (iter == newRequestPermissions.end()) {
242 APP_LOGD("GetNeedDeleteRequestPermissionName need delete %{public}s", reqPerm.name.c_str());
243 needDeleteRequestPermission.emplace_back(reqPerm.name);
244 }
245 }
246 return needDeleteRequestPermission;
247 }
248
GetNewPermissionDefList(Security::AccessToken::AccessTokenID tokenId,const std::vector<Security::AccessToken::PermissionDef> & permissionDef,std::vector<Security::AccessToken::PermissionDef> & newPermissionDef)249 bool BundlePermissionMgr::GetNewPermissionDefList(Security::AccessToken::AccessTokenID tokenId,
250 const std::vector<Security::AccessToken::PermissionDef> &permissionDef,
251 std::vector<Security::AccessToken::PermissionDef> &newPermissionDef)
252 {
253 int32_t ret = AccessToken::AccessTokenKit::GetDefPermissions(tokenId, newPermissionDef);
254 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
255 APP_LOGE("BundlePermissionMgr::GetNewPermissionDefList GetDefPermissions failed errcode: %{public}d", ret);
256 return false;
257 }
258 for (const auto &perm : permissionDef) {
259 if (std::find_if(newPermissionDef.begin(), newPermissionDef.end(), [&perm](const auto &newPerm) {
260 return newPerm.permissionName == perm.permissionName;
261 }) == newPermissionDef.end()) {
262 APP_LOGD("BundlePermissionMgr::GetNewPermissionDefList add define permission %{public}s",
263 perm.permissionName.c_str());
264 newPermissionDef.emplace_back(perm);
265 }
266 }
267 return true;
268 }
269
GetNewPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,const std::vector<Security::AccessToken::PermissionStateFull> & permissionState,std::vector<Security::AccessToken::PermissionStateFull> & newPermissionState,std::vector<std::string> & newRequestPermName)270 bool BundlePermissionMgr::GetNewPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,
271 const std::vector<Security::AccessToken::PermissionStateFull> &permissionState,
272 std::vector<Security::AccessToken::PermissionStateFull> &newPermissionState,
273 std::vector<std::string> &newRequestPermName)
274 {
275 if (!GetAllReqPermissionStateFull(tokenId, newPermissionState)) {
276 APP_LOGE("BundlePermissionMgr::GetNewPermissionStateFull failed");
277 return false;
278 }
279 // add old permission which need grant again
280 for (const auto &state : newPermissionState) {
281 if ((state.grantStatus[0] == AccessToken::PermissionState::PERMISSION_DENIED) &&
282 (state.grantFlags[0] == AccessToken::PermissionFlag::PERMISSION_DEFAULT_FLAG)) {
283 APP_LOGD("BundlePermissionMgr::GetNewPermissionStateFull add old permission:%{public}s",
284 state.permissionName.c_str());
285 newRequestPermName.emplace_back(state.permissionName);
286 }
287 }
288
289 for (const auto &perm : permissionState) {
290 if (std::find_if(newPermissionState.begin(), newPermissionState.end(), [&perm](const auto &newPerm) {
291 return newPerm.permissionName == perm.permissionName;
292 }) == newPermissionState.end()) {
293 APP_LOGD("BundlePermissionMgr::GetNewPermissionStateFull add request permission %{public}s",
294 perm.permissionName.c_str());
295 newPermissionState.emplace_back(perm);
296 newRequestPermName.emplace_back(perm.permissionName);
297 }
298 }
299 return true;
300 }
301
AddDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx & tokenIdEx,const InnerBundleInfo & innerBundleInfo,std::vector<std::string> & newRequestPermName)302 bool BundlePermissionMgr::AddDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx &tokenIdEx,
303 const InnerBundleInfo &innerBundleInfo, std::vector<std::string> &newRequestPermName)
304 {
305 APP_LOGD("BundlePermissionMgr::AddDefineAndRequestPermissions start");
306 std::vector<AccessToken::PermissionDef> defPermList = GetPermissionDefList(innerBundleInfo);
307 std::vector<AccessToken::PermissionDef> newDefPermList;
308 if (!GetNewPermissionDefList(tokenIdEx.tokenIdExStruct.tokenID, defPermList, newDefPermList)) {
309 return false;
310 }
311
312 std::vector<AccessToken::PermissionStateFull> reqPermissionStateList = GetPermissionStateFullList(innerBundleInfo);
313 std::vector<AccessToken::PermissionStateFull> newPermissionStateList;
314 if (!GetNewPermissionStateFull(tokenIdEx.tokenIdExStruct.tokenID, reqPermissionStateList,
315 newPermissionStateList, newRequestPermName)) {
316 return false;
317 }
318
319 AccessToken::HapPolicyParams hapPolicy;
320 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
321 APP_LOGD("BundlePermissionMgr::AddDefineAndRequestPermissions apl : %{public}s, newDefPermList size : %{public}zu, \
322 newPermissionStateList size : %{public}zu", apl.c_str(), newDefPermList.size(),
323 newPermissionStateList.size());
324 hapPolicy.apl = GetTokenApl(apl);
325 hapPolicy.domain = "domain"; // default
326 hapPolicy.permList = newDefPermList;
327 hapPolicy.permStateList = newPermissionStateList;
328 std::string appId = innerBundleInfo.GetAppId();
329 int32_t ret = AccessToken::AccessTokenKit::UpdateHapToken(tokenIdEx, innerBundleInfo.IsSystemApp(), appId,
330 innerBundleInfo.GetBaseApplicationInfo().apiTargetVersion, hapPolicy);
331 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
332 APP_LOGE("BundlePermissionMgr::AddDefineAndRequestPermissions UpdateHapToken failed errcode: %{public}d", ret);
333 return false;
334 }
335 APP_LOGD("BundlePermissionMgr::AddDefineAndRequestPermissions end");
336 return true;
337 }
338
DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)339 int32_t BundlePermissionMgr::DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)
340 {
341 return AccessToken::AccessTokenKit::DeleteToken(tokenId);
342 }
343
ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)344 int32_t BundlePermissionMgr::ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)
345 {
346 return AccessToken::AccessTokenKit::ClearUserGrantedPermissionState(tokenId);
347 }
348
GetPermissionDefList(const InnerBundleInfo & innerBundleInfo)349 std::vector<AccessToken::PermissionDef> BundlePermissionMgr::GetPermissionDefList(
350 const InnerBundleInfo &innerBundleInfo)
351 {
352 const auto bundleName = innerBundleInfo.GetBundleName();
353 const auto defPermissions = innerBundleInfo.GetAllDefinePermissions();
354 std::vector<AccessToken::PermissionDef> permList;
355 if (!defPermissions.empty()) {
356 for (const auto &defPermission : defPermissions) {
357 AccessToken::PermissionDef perm;
358 APP_LOGD("defPermission %{public}s", defPermission.name.c_str());
359 ConvertPermissionDef(perm, defPermission, bundleName);
360 permList.emplace_back(perm);
361 }
362 }
363 return permList;
364 }
365
GetPermissionStateFullList(const InnerBundleInfo & innerBundleInfo)366 std::vector<AccessToken::PermissionStateFull> BundlePermissionMgr::GetPermissionStateFullList(
367 const InnerBundleInfo &innerBundleInfo)
368 {
369 auto reqPermissions = innerBundleInfo.GetAllRequestPermissions();
370 std::vector<AccessToken::PermissionStateFull> permStateFullList;
371 if (!reqPermissions.empty()) {
372 for (const auto &reqPermission : reqPermissions) {
373 AccessToken::PermissionStateFull perState;
374 perState.permissionName = reqPermission.name;
375 perState.isGeneral = true;
376 perState.resDeviceID.emplace_back(innerBundleInfo.GetBaseApplicationInfo().deviceId);
377 perState.grantStatus.emplace_back(AccessToken::PermissionState::PERMISSION_DENIED);
378 perState.grantFlags.emplace_back(AccessToken::PermissionFlag::PERMISSION_DEFAULT_FLAG);
379 permStateFullList.emplace_back(perState);
380 }
381 } else {
382 APP_LOGD("BundlePermissionMgr::GetPermissionStateFullList requestPermission is empty");
383 }
384 return permStateFullList;
385 }
386
GrantPermission(const Security::AccessToken::AccessTokenID tokenId,const std::string & permissionName,const Security::AccessToken::PermissionFlag flag,const std::string & bundleName)387 bool BundlePermissionMgr::GrantPermission(
388 const Security::AccessToken::AccessTokenID tokenId,
389 const std::string &permissionName,
390 const Security::AccessToken::PermissionFlag flag,
391 const std::string &bundleName)
392 {
393 int32_t ret = AccessToken::AccessTokenKit::GrantPermission(tokenId, permissionName, flag);
394 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
395 APP_LOGE("GrantPermission failed, bundleName:%{public}s, request permission:%{public}s, err:%{public}d",
396 bundleName.c_str(), permissionName.c_str(), ret);
397 return false;
398 }
399 return true;
400 }
401
InnerGrantRequestPermissions(Security::AccessToken::AccessTokenID tokenId,const std::vector<RequestPermission> & reqPermissions,const InnerBundleInfo & innerBundleInfo)402 bool BundlePermissionMgr::InnerGrantRequestPermissions(Security::AccessToken::AccessTokenID tokenId,
403 const std::vector<RequestPermission> &reqPermissions,
404 const InnerBundleInfo &innerBundleInfo)
405 {
406 std::string bundleName = innerBundleInfo.GetBundleName();
407 APP_LOGD("InnerGrantRequestPermissions start, bundleName:%{public}s", bundleName.c_str());
408 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
409 std::vector<std::string> acls = innerBundleInfo.GetAllowedAcls();
410 std::vector<std::string> systemGrantPermList;
411 std::vector<std::string> userGrantPermList;
412 for (const auto &reqPermission : reqPermissions) {
413 APP_LOGD("InnerGrantRequestPermissions add request permission %{public}s", reqPermission.name.c_str());
414 AccessToken::PermissionDef permDef;
415 int32_t ret = AccessToken::AccessTokenKit::GetDefPermission(reqPermission.name, permDef);
416 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
417 APP_LOGE("get permission def failed, request permission name: %{public}s", reqPermission.name.c_str());
418 continue;
419 }
420 if (CheckGrantPermission(permDef, apl, acls)) {
421 if (permDef.grantMode == AccessToken::GrantMode::SYSTEM_GRANT) {
422 systemGrantPermList.emplace_back(reqPermission.name);
423 } else {
424 userGrantPermList.emplace_back(reqPermission.name);
425 }
426 } else {
427 return false;
428 }
429 }
430 APP_LOGD("bundleName:%{public}s, add system_grant permission: %{public}zu, add user_grant permission: %{public}zu",
431 bundleName.c_str(), systemGrantPermList.size(), userGrantPermList.size());
432 for (const auto &perm : systemGrantPermList) {
433 if (!GrantPermission(tokenId, perm, AccessToken::PermissionFlag::PERMISSION_SYSTEM_FIXED, bundleName)) {
434 return false;
435 }
436 }
437 if (innerBundleInfo.IsPreInstallApp()) {
438 for (const auto &perm: userGrantPermList) {
439 bool userCancellable = false;
440 DefaultPermission permission;
441 if (!GetDefaultPermission(bundleName, permission)) {
442 continue;
443 }
444
445 #ifdef USE_PRE_BUNDLE_PROFILE
446 if (!MatchSignature(permission, innerBundleInfo.GetCertificateFingerprint())) {
447 continue;
448 }
449 #endif
450
451 if (!CheckPermissionInDefaultPermissions(permission, perm, userCancellable)) {
452 continue;
453 }
454 AccessToken::PermissionFlag flag = userCancellable ?
455 AccessToken::PermissionFlag::PERMISSION_GRANTED_BY_POLICY :
456 AccessToken::PermissionFlag::PERMISSION_SYSTEM_FIXED;
457 if (!GrantPermission(tokenId, perm, flag, bundleName)) {
458 return false;
459 }
460 }
461 }
462 APP_LOGD("InnerGrantRequestPermissions end, bundleName:%{public}s", bundleName.c_str());
463 return true;
464 }
465
GrantRequestPermissions(const InnerBundleInfo & innerBundleInfo,const AccessToken::AccessTokenID tokenId)466 bool BundlePermissionMgr::GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
467 const AccessToken::AccessTokenID tokenId)
468 {
469 std::vector<RequestPermission> reqPermissions = innerBundleInfo.GetAllRequestPermissions();
470 return InnerGrantRequestPermissions(tokenId, reqPermissions, innerBundleInfo);
471 }
472
GrantRequestPermissions(const InnerBundleInfo & innerBundleInfo,const std::vector<std::string> & requestPermName,const AccessToken::AccessTokenID tokenId)473 bool BundlePermissionMgr::GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
474 const std::vector<std::string> &requestPermName,
475 const AccessToken::AccessTokenID tokenId)
476 {
477 std::vector<RequestPermission> reqPermissions = innerBundleInfo.GetAllRequestPermissions();
478 std::vector<RequestPermission> newRequestPermissions;
479 for (const auto &name : requestPermName) {
480 auto iter = find_if(reqPermissions.begin(), reqPermissions.end(), [&name](const auto &req) {
481 return name == req.name;
482 });
483 if (iter != reqPermissions.end()) {
484 newRequestPermissions.emplace_back(*iter);
485 }
486 }
487 return InnerGrantRequestPermissions(tokenId, newRequestPermissions, innerBundleInfo);
488 }
489
GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,std::vector<AccessToken::PermissionStateFull> & newPermissionState)490 bool BundlePermissionMgr::GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,
491 std::vector<AccessToken::PermissionStateFull> &newPermissionState)
492 {
493 std::vector<AccessToken::PermissionStateFull> userGrantReqPermList;
494 int32_t ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, userGrantReqPermList, false);
495 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
496 APP_LOGE("GetAllReqPermissionStateFull get user grant failed errcode: %{public}d", ret);
497 return false;
498 }
499 std::vector<AccessToken::PermissionStateFull> systemGrantReqPermList;
500 ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, systemGrantReqPermList, true);
501 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
502 APP_LOGE("GetAllReqPermissionStateFull get system grant failed errcode: %{public}d", ret);
503 return false;
504 }
505 newPermissionState = userGrantReqPermList;
506 std::copy(systemGrantReqPermList.begin(), systemGrantReqPermList.end(), std::back_inserter(newPermissionState));
507 return true;
508 }
509
GetRequestPermissionStates(BundleInfo & bundleInfo,uint32_t tokenId,const std::string deviceId)510 bool BundlePermissionMgr::GetRequestPermissionStates(
511 BundleInfo &bundleInfo, uint32_t tokenId, const std::string deviceId)
512 {
513 std::vector<std::string> requestPermission = bundleInfo.reqPermissions;
514 if (requestPermission.empty()) {
515 APP_LOGD("GetRequestPermissionStates requestPermission empty");
516 return true;
517 }
518 std::vector<Security::AccessToken::PermissionStateFull> allPermissionState;
519 if (!GetAllReqPermissionStateFull(tokenId, allPermissionState)) {
520 APP_LOGW("BundlePermissionMgr::GetRequestPermissionStates failed");
521 }
522 for (auto &req : requestPermission) {
523 auto iter = std::find_if(allPermissionState.begin(), allPermissionState.end(),
524 [&req](const auto &perm) {
525 return perm.permissionName == req;
526 });
527 if (iter != allPermissionState.end()) {
528 APP_LOGD("GetRequestPermissionStates request permission name: %{public}s", req.c_str());
529 for (std::vector<std::string>::size_type i = 0; i < iter->resDeviceID.size(); i++) {
530 if (iter->resDeviceID[i] == deviceId) {
531 bundleInfo.reqPermissionStates.emplace_back(iter->grantStatus[i]);
532 break;
533 }
534 }
535 } else {
536 APP_LOGE("request permission name : %{public}s is not exit in AccessTokenMgr", req.c_str());
537 bundleInfo.reqPermissionStates.emplace_back(Constants::PERMISSION_NOT_GRANTED);
538 }
539 }
540 return true;
541 }
542
CheckGrantPermission(const AccessToken::PermissionDef & permDef,const std::string & apl,const std::vector<std::string> & acls)543 bool BundlePermissionMgr::CheckGrantPermission(
544 const AccessToken::PermissionDef &permDef,
545 const std::string &apl,
546 const std::vector<std::string> &acls)
547 {
548 AccessToken::ATokenAplEnum availableLevel = permDef.availableLevel;
549 APP_LOGD("BundlePermissionMgr::CheckGrantPermission availableLevel %{public}d, apl %{public}s",
550 availableLevel, apl.c_str());
551 switch (availableLevel) {
552 case AccessToken::ATokenAplEnum::APL_NORMAL: {
553 return true;
554 }
555 case AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC: {
556 if ((apl == Profile::AVAILABLELEVEL_SYSTEM_BASIC) ||
557 (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE)) {
558 return true;
559 }
560 break;
561 }
562 case AccessToken::ATokenAplEnum::APL_SYSTEM_CORE: {
563 if (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE) {
564 return true;
565 }
566 break;
567 }
568 default:
569 APP_LOGE("availableLevel %{public}d error", availableLevel);
570 break;
571 }
572 if (permDef.provisionEnable) {
573 APP_LOGD("CheckGrantPermission acls size: %{public}zu", acls.size());
574 auto res = std::any_of(acls.begin(), acls.end(), [permDef](const auto &perm) {
575 return permDef.permissionName == perm;
576 });
577 if (res) {
578 return res;
579 }
580 }
581 APP_LOGE("BundlePermissionMgr::CheckGrantPermission failed permission name : %{public}s",
582 permDef.permissionName.c_str());
583 return false;
584 }
585
VerifyCallingPermission(const std::string & permissionName)586 bool BundlePermissionMgr::VerifyCallingPermission(const std::string &permissionName)
587 {
588 APP_LOGD("VerifyCallingPermission permission %{public}s", permissionName.c_str());
589 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
590 APP_LOGD("callerToken : %{private}u", callerToken);
591 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
592 int32_t callingUid = IPCSkeleton::GetCallingUid();
593 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE || callingUid == Constants::ROOT_UID) {
594 APP_LOGD("caller tokenType is native, verify success");
595 return true;
596 }
597 int32_t ret = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
598 if (ret == AccessToken::PermissionState::PERMISSION_DENIED) {
599 APP_LOGE("permission %{public}s: PERMISSION_DENIED", permissionName.c_str());
600 return false;
601 }
602 APP_LOGD("verify AccessToken success");
603 return true;
604 }
605
VerifyCallingPermissionForAll(const std::string & permissionName)606 bool BundlePermissionMgr::VerifyCallingPermissionForAll(const std::string &permissionName)
607 {
608 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
609 APP_LOGD("VerifyCallingPermission permission %{public}s, callerToken : %{private}u",
610 permissionName.c_str(), callerToken);
611 if (AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName) ==
612 AccessToken::PermissionState::PERMISSION_DENIED) {
613 APP_LOGE("permission %{public}s: PERMISSION_DENIED", permissionName.c_str());
614 return false;
615 }
616 return true;
617 }
618
VerifyPermission(const std::string & bundleName,const std::string & permissionName,const int32_t userId)619 int32_t BundlePermissionMgr::VerifyPermission(
620 const std::string &bundleName, const std::string &permissionName, const int32_t userId)
621 {
622 APP_LOGD("VerifyPermission bundleName %{public}s, permission %{public}s", bundleName.c_str(),
623 permissionName.c_str());
624 AccessToken::AccessTokenID tokenId = AccessToken::AccessTokenKit::GetHapTokenID(userId,
625 bundleName, 0);
626 return AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionName);
627 }
628
GetPermissionDef(const std::string & permissionName,PermissionDef & permissionDef)629 ErrCode BundlePermissionMgr::GetPermissionDef(const std::string &permissionName, PermissionDef &permissionDef)
630 {
631 APP_LOGD("BundlePermissionMgr::GetPermissionDef permission %{public}s", permissionName.c_str());
632 AccessToken::PermissionDef accessTokenPermDef;
633 int32_t ret = AccessToken::AccessTokenKit::GetDefPermission(permissionName, accessTokenPermDef);
634 if (ret == AccessToken::AccessTokenKitRet::RET_SUCCESS) {
635 ConvertPermissionDef(accessTokenPermDef, permissionDef);
636 return ERR_OK;
637 }
638 return ERR_BUNDLE_MANAGER_QUERY_PERMISSION_DEFINE_FAILED;
639 }
640
CheckPermissionInDefaultPermissions(const DefaultPermission & defaultPermission,const std::string & permissionName,bool & userCancellable)641 bool BundlePermissionMgr::CheckPermissionInDefaultPermissions(const DefaultPermission &defaultPermission,
642 const std::string &permissionName, bool &userCancellable)
643 {
644 auto &grantPermission = defaultPermission.grantPermission;
645 auto iter = std::find_if(grantPermission.begin(), grantPermission.end(), [&permissionName](const auto &defPerm) {
646 return defPerm.name == permissionName;
647 });
648 if (iter == grantPermission.end()) {
649 APP_LOGW("can not find permission(%{public}s)", permissionName.c_str());
650 return false;
651 }
652
653 userCancellable = iter->userCancellable;
654 return true;
655 }
656
GetDefaultPermission(const std::string & bundleName,DefaultPermission & permission)657 bool BundlePermissionMgr::GetDefaultPermission(
658 const std::string &bundleName, DefaultPermission &permission)
659 {
660 auto iter = defaultPermissions_.find(bundleName);
661 if (iter == defaultPermissions_.end()) {
662 APP_LOGW("bundleName: %{public}s does not exist in defaultPermissions",
663 bundleName.c_str());
664 return false;
665 }
666
667 permission = iter->second;
668 return true;
669 }
670
MatchSignature(const DefaultPermission & permission,const std::string & signature)671 bool BundlePermissionMgr::MatchSignature(
672 const DefaultPermission &permission, const std::string &signature)
673 {
674 if (permission.appSignature.empty()) {
675 APP_LOGW("appSignature is empty");
676 return false;
677 }
678
679 return std::find(permission.appSignature.begin(),
680 permission.appSignature.end(), signature) != permission.appSignature.end();
681 }
682
GetHapApiVersion()683 int32_t BundlePermissionMgr::GetHapApiVersion()
684 {
685 // get appApiVersion from applicationInfo
686 std::string bundleName;
687 auto uid = IPCSkeleton::GetCallingUid();
688 auto userId = uid / Constants::BASE_USER_RANGE;
689 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
690 if (dataMgr == nullptr) {
691 APP_LOGE("DataMgr is nullptr");
692 return Constants::INVALID_API_VERSION;
693 }
694 auto ret = dataMgr->GetBundleNameForUid(uid, bundleName);
695 if (!ret) {
696 APP_LOGE("getBundleName failed");
697 return Constants::INVALID_API_VERSION;
698 }
699 ApplicationInfo applicationInfo;
700 auto res = dataMgr->GetApplicationInfoV9(bundleName,
701 static_cast<int32_t>(GetApplicationFlag::GET_APPLICATION_INFO_WITH_DISABLE), userId, applicationInfo);
702 if (res != ERR_OK) {
703 APP_LOGE("getApplicationInfo failed");
704 return Constants::INVALID_API_VERSION;
705 }
706 auto appApiVersion = applicationInfo.apiTargetVersion;
707 APP_LOGD("appApiVersion is %{public}d", appApiVersion);
708 auto systemApiVersion = GetSdkApiVersion();
709 // api version is the minimum value of {appApiVersion, systemApiVersion}
710 return systemApiVersion < appApiVersion ? systemApiVersion :appApiVersion;
711 }
712
713 // if the api has been system api since it is published, then beginSystemApiVersion can be omitted
VerifySystemApp(int32_t beginSystemApiVersion)714 bool BundlePermissionMgr::VerifySystemApp(int32_t beginSystemApiVersion)
715 {
716 APP_LOGD("verifying systemApp");
717 uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
718 if (Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
719 return true;
720 }
721 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
722 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
723 APP_LOGD("tokenType is %{private}d", tokenType);
724 int32_t callingUid = IPCSkeleton::GetCallingUid();
725 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE ||
726 tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL ||
727 callingUid == Constants::ROOT_UID ||
728 callingUid == Constants::SHELL_UID) {
729 APP_LOGD("caller tokenType is native, verify success");
730 return true;
731 }
732 if (beginSystemApiVersion != Constants::ALL_VERSIONCODE) {
733 auto apiVersion = GetHapApiVersion();
734 if (apiVersion == Constants::INVALID_API_VERSION) {
735 APP_LOGE("get api version failed, system app verification failed");
736 return false;
737 }
738 if (apiVersion < beginSystemApiVersion) {
739 APP_LOGI("previous app calling, verify success");
740 return true;
741 }
742 }
743 APP_LOGE("system app verification failed");
744 return false;
745 }
746
IsNativeTokenType()747 bool BundlePermissionMgr::IsNativeTokenType()
748 {
749 APP_LOGD("begin to verify token type");
750 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
751 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
752 APP_LOGD("tokenType is %{private}d", tokenType);
753 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE
754 || tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
755 APP_LOGD("caller tokenType is native, verify success");
756 return true;
757 }
758 if (VerifyCallingUid()) {
759 APP_LOGD("caller is root or foundation or BMS_UID, verify success");
760 return true;
761 }
762 APP_LOGE("caller tokenType not native, verify failed");
763 return false;
764 }
765
VerifyCallingUid()766 bool BundlePermissionMgr::VerifyCallingUid()
767 {
768 APP_LOGD("begin to verify calling uid");
769 int32_t callingUid = IPCSkeleton::GetCallingUid();
770 APP_LOGD("calling uid is %{public}d", callingUid);
771 if (callingUid == Constants::ROOT_UID ||
772 callingUid == Constants::FOUNDATION_UID ||
773 callingUid == Constants::SHELL_UID ||
774 callingUid == Constants::BMS_UID) {
775 APP_LOGD("caller is root or foundation, verify success");
776 return true;
777 }
778 APP_LOGE("verify calling uid failed");
779 return false;
780 }
781
VerifyPreload(const AAFwk::Want & want)782 bool BundlePermissionMgr::VerifyPreload(const AAFwk::Want &want)
783 {
784 if (VerifyCallingUid()) {
785 return true;
786 }
787 std::string callingBundleName;
788 auto uid = IPCSkeleton::GetCallingUid();
789 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
790 if (dataMgr == nullptr) {
791 APP_LOGE("DataMgr is nullptr");
792 return false;
793 }
794 auto ret = dataMgr->GetBundleNameForUid(uid, callingBundleName);
795 if (!ret) {
796 APP_LOGE("getBundleName failed");
797 return false;
798 }
799 std::string bundleName = want.GetElement().GetBundleName();
800 return bundleName == callingBundleName || callingBundleName == SCENEBOARD_BUNDLE_NAME;
801 }
802
InnerUpdateDefinePermission(const Security::AccessToken::AccessTokenID tokenId,const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo,std::vector<Security::AccessToken::PermissionDef> & newDefPermList)803 bool BundlePermissionMgr::InnerUpdateDefinePermission(
804 const Security::AccessToken::AccessTokenID tokenId,
805 const InnerBundleInfo &oldInfo,
806 const InnerBundleInfo &newInfo,
807 std::vector<Security::AccessToken::PermissionDef> &newDefPermList)
808 {
809 std::vector<AccessToken::PermissionDef> defPermList = GetPermissionDefList(newInfo);
810 if (!GetNewPermissionDefList(tokenId, defPermList, newDefPermList)) {
811 return false;
812 }
813
814 // delete old definePermission
815 std::vector<std::string> needDeleteDefinePermission = GetNeedDeleteDefinePermissionName(oldInfo, newInfo);
816 for (const auto &name : needDeleteDefinePermission) {
817 auto iter = std::find_if(newDefPermList.begin(), newDefPermList.end(), [&name](const auto &defPerm) {
818 return defPerm.permissionName == name;
819 });
820 if (iter != newDefPermList.end()) {
821 APP_LOGD("delete definePermission %{public}s", name.c_str());
822 newDefPermList.erase(iter);
823 }
824 }
825 return true;
826 }
827
InnerUpdateRequestPermission(const Security::AccessToken::AccessTokenID tokenId,const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo,std::vector<Security::AccessToken::PermissionStateFull> & newPermissionStateList,std::vector<std::string> & newRequestPermName)828 bool BundlePermissionMgr::InnerUpdateRequestPermission(
829 const Security::AccessToken::AccessTokenID tokenId,
830 const InnerBundleInfo &oldInfo,
831 const InnerBundleInfo &newInfo,
832 std::vector<Security::AccessToken::PermissionStateFull> &newPermissionStateList,
833 std::vector<std::string> &newRequestPermName)
834 {
835 // get access token permission
836 std::vector<AccessToken::PermissionStateFull> reqPermissionStateList = GetPermissionStateFullList(newInfo);
837 if (!GetNewPermissionStateFull(tokenId, reqPermissionStateList,
838 newPermissionStateList, newRequestPermName)) {
839 return false;
840 }
841 // delete old requestPermission
842 std::vector<std::string> needDeleteRequestPermission = GetNeedDeleteRequestPermissionName(oldInfo, newInfo);
843 for (const auto &name : needDeleteRequestPermission) {
844 auto iter = std::find_if(newPermissionStateList.begin(), newPermissionStateList.end(),
845 [&name](const auto &defPerm) {
846 return defPerm.permissionName == name;
847 });
848 if (iter != newPermissionStateList.end()) {
849 APP_LOGD("delete requestPermission %{public}s", name.c_str());
850 newPermissionStateList.erase(iter);
851 }
852 auto deleteIter = std::find(newRequestPermName.begin(), newRequestPermName.end(), name);
853 if (deleteIter != newRequestPermName.end()) {
854 newRequestPermName.erase(deleteIter);
855 }
856 }
857 return true;
858 }
859
IsSelfCalling()860 bool BundlePermissionMgr::IsSelfCalling()
861 {
862 int32_t callingUid = IPCSkeleton::GetCallingUid();
863 if (callingUid == Constants::FOUNDATION_UID) {
864 return true;
865 }
866 return false;
867 }
868
VerifyUninstallPermission()869 bool BundlePermissionMgr::VerifyUninstallPermission()
870 {
871 if (!BundlePermissionMgr::IsSelfCalling() &&
872 !BundlePermissionMgr::VerifyCallingPermissionForAll(Constants::PERMISSION_INSTALL_BUNDLE) &&
873 !BundlePermissionMgr::VerifyCallingPermissionForAll(Constants::PERMISSION_UNINSTALL_BUNDLE)) {
874 APP_LOGE("uninstall bundle permission denied");
875 return false;
876 }
877 return true;
878 }
879
VerifyRecoverPermission()880 bool BundlePermissionMgr::VerifyRecoverPermission()
881 {
882 if (!BundlePermissionMgr::IsSelfCalling() &&
883 !BundlePermissionMgr::VerifyCallingPermissionForAll(Constants::PERMISSION_INSTALL_BUNDLE) &&
884 !BundlePermissionMgr::VerifyCallingPermissionForAll(Constants::PERMISSION_RECOVER_BUNDLE)) {
885 APP_LOGE("recover bundle permission denied");
886 return false;
887 }
888 return true;
889 }
890
AddPermissionUsedRecord(const std::string & permission,int32_t successCount,int32_t failCount)891 void BundlePermissionMgr::AddPermissionUsedRecord(
892 const std::string &permission, int32_t successCount, int32_t failCount)
893 {
894 APP_LOGD("AddPermissionUsedRecord permission:%{public}s", permission.c_str());
895 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
896 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
897 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_HAP) {
898 AccessToken::PrivacyKit::AddPermissionUsedRecord(callerToken, permission, successCount, failCount);
899 }
900 }
901 } // namespace AppExecFwk
902 } // namespace OHOS