• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <map>
17 
18 #include "netmanager_base_permission.h"
19 
20 #include <accesstoken_kit.h>
21 #include <ipc_skeleton.h>
22 #include <tokenid_kit.h>
23 
24 #include "net_mgr_log_wrapper.h"
25 
26 namespace OHOS {
27 namespace NetManagerStandard {
28 /**
29  * @brief Permission check by callingTokenID.
30  * @param permissionName permission name.
31  * @return Returns true on success, false on failure.
32  */
CheckPermission(const std::string & permissionName)33 bool NetManagerPermission::CheckPermission(const std::string &permissionName)
34 {
35     if (permissionName.empty()) {
36         NETMGR_LOG_E("permission check failed,permission name is empty.");
37         return false;
38     }
39 
40     auto callerToken = IPCSkeleton::GetCallingTokenID();
41     auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
42     int result = Security::AccessToken::PERMISSION_DENIED;
43     if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
44         result = Security::AccessToken::PERMISSION_GRANTED;
45     } else if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) {
46         result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
47     } else {
48         NETMGR_LOG_E("permission check failed, callerToken:%{public}u, tokenType:%{public}d", callerToken, tokenType);
49     }
50 
51     if (result != Security::AccessToken::PERMISSION_GRANTED) {
52         NETMGR_LOG_E("permission check failed, permission:%{public}s, callerToken:%{public}u, tokenType:%{public}d",
53                      permissionName.c_str(), callerToken, tokenType);
54         return false;
55     }
56     return true;
57 }
58 
CheckPermissionWithCache(const std::string & permissionName)59 bool NetManagerPermission::CheckPermissionWithCache(const std::string &permissionName)
60 {
61     if (permissionName.empty()) {
62         NETMGR_LOG_E("permission check failed,permission name is empty.");
63         return false;
64     }
65     static std::map<uint32_t, bool> permissionMap;
66     static std::mutex mutex;
67     auto callerToken = IPCSkeleton::GetCallingTokenID();
68     {
69         std::lock_guard<std::mutex> lock(mutex);
70         auto iter = permissionMap.find(callerToken);
71         if (iter != permissionMap.end()) {
72             return iter->second;
73         }
74     }
75     auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
76     bool res = false;
77     if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
78         res = true;
79     } else if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) {
80         res = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName) ==
81               Security::AccessToken::PERMISSION_GRANTED;
82     }
83     {
84         std::lock_guard<std::mutex> lock(mutex);
85         permissionMap[callerToken] = res;
86     }
87     return res;
88 }
89 
IsSystemCaller()90 bool NetManagerPermission::IsSystemCaller()
91 {
92     if (Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(IPCSkeleton::GetCallingTokenID()) !=
93         Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) {
94         return true;
95     }
96     bool checkResult =
97         Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(IPCSkeleton::GetCallingFullTokenID());
98     if (!checkResult) {
99         NETMGR_LOG_E("Caller is not allowed, need sys permissive");
100     }
101     return checkResult;
102 }
103 
CheckNetSysInternalPermission(const std::string & permissionName)104 bool NetManagerPermission::CheckNetSysInternalPermission(const std::string &permissionName)
105 {
106     if (permissionName.empty()) {
107         NETMGR_LOG_E("permission check failed,permission name is empty.");
108         return false;
109     }
110 
111     auto callerToken = IPCSkeleton::GetCallingTokenID();
112     auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
113     int result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
114     if (result != Security::AccessToken::PERMISSION_GRANTED) {
115         NETMGR_LOG_E("permission check failed, permission:%{public}s, callerToken:%{public}u, tokenType:%{public}d",
116                      permissionName.c_str(), callerToken, tokenType);
117         return false;
118     }
119     return true;
120 }
121 } // namespace NetManagerStandard
122 } // namespace OHOS