• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "ipc_skeleton.h"
17 #include "permission_helper.h"
18 #include "proto.h"
19 
20 #include "mmi_log.h"
21 
22 #include "tokenid_kit.h"
23 
24 namespace OHOS {
25 namespace MMI {
26 namespace {
27 constexpr OHOS::HiviewDFX::HiLogLabel LABEL = { LOG_CORE, MMI_LOG_DOMAIN, "PermissionHelper" };
28 } // namespace
29 
PermissionHelper()30 PermissionHelper::PermissionHelper() {}
~PermissionHelper()31 PermissionHelper::~PermissionHelper() {}
32 
VerifySystemApp()33 bool PermissionHelper::VerifySystemApp()
34 {
35     MMI_HILOGD("verify system App");
36     auto callerToken = IPCSkeleton::GetCallingTokenID();
37     auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
38     MMI_HILOGD("token type is %{public}d", static_cast<int32_t>(tokenType));
39     int32_t callingUid = IPCSkeleton::GetCallingUid();
40     if (tokenType == OHOS::Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE
41         || tokenType == OHOS::Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL
42         || callingUid == ROOT_UID) {
43         MMI_HILOGD("called tokenType is native, verify success");
44         return true;
45     }
46     uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
47     if (!OHOS::Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
48         MMI_HILOGE("system api is called by non-system app");
49         return false;
50     }
51     return true;
52 }
53 
CheckPermission(uint32_t required)54 bool PermissionHelper::CheckPermission(uint32_t required)
55 {
56     CALL_DEBUG_ENTER;
57     auto tokenId = IPCSkeleton::GetCallingTokenID();
58     auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
59     if (tokenType == OHOS::Security::AccessToken::TOKEN_HAP) {
60         return CheckHapPermission(tokenId, required);
61     } else if (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE) {
62         MMI_HILOGD("Token type is native");
63         return true;
64     } else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
65         MMI_HILOGI("Token type is shell");
66         return true;
67     } else {
68         MMI_HILOGE("Unsupported token type:%{public}d", tokenType);
69         return false;
70     }
71 }
72 
CheckMonitor()73 bool PermissionHelper::CheckMonitor()
74 {
75     CALL_DEBUG_ENTER;
76     auto tokenId = IPCSkeleton::GetCallingTokenID();
77     auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
78     if ((tokenType == OHOS::Security::AccessToken::TOKEN_HAP) ||
79         (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE)) {
80         return CheckMonitorPermission(tokenId);
81     } else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
82         MMI_HILOGI("Token type is shell");
83         return true;
84     } else {
85         MMI_HILOGE("Unsupported token type:%{public}d", tokenType);
86         return false;
87     }
88 }
89 
CheckHapPermission(uint32_t tokenId,uint32_t required)90 bool PermissionHelper::CheckHapPermission(uint32_t tokenId, uint32_t required)
91 {
92     OHOS::Security::AccessToken::HapTokenInfo findInfo;
93     if (OHOS::Security::AccessToken::AccessTokenKit::GetHapTokenInfo(tokenId, findInfo) != 0) {
94         MMI_HILOGE("GetHapTokenInfo failed");
95         return false;
96     }
97     if (!((1 << findInfo.apl) & required)) {
98         MMI_HILOGE("Check hap permission failed, name:%{public}s, apl:%{public}d, required:%{public}d",
99             findInfo.bundleName.c_str(), findInfo.apl, required);
100         return false;
101     }
102     MMI_HILOGD("Check hap permission success");
103     return true;
104 }
105 
CheckMonitorPermission(uint32_t tokenId)106 bool PermissionHelper::CheckMonitorPermission(uint32_t tokenId)
107 {
108     static const std::string inputMonitor = "ohos.permission.INPUT_MONITORING";
109     int32_t ret = OHOS::Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, inputMonitor);
110     if (ret != OHOS::Security::AccessToken::PERMISSION_GRANTED) {
111         MMI_HILOGE("Check monitor permission failed ret:%{public}d", ret);
112         return false;
113     }
114     MMI_HILOGD("Check monitor permission success");
115     return true;
116 }
117 
GetTokenType()118 int32_t PermissionHelper::GetTokenType()
119 {
120     CALL_DEBUG_ENTER;
121     auto tokenId = IPCSkeleton::GetCallingTokenID();
122     auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
123     if (tokenType == OHOS::Security::AccessToken::TOKEN_HAP) {
124         return TokenType::TOKEN_HAP;
125     } else if (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE) {
126         return TokenType::TOKEN_NATIVE;
127     }  else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
128         return TokenType::TOKEN_SHELL;
129     } else {
130         MMI_HILOGW("Unsupported token type:%{public}d", tokenType);
131         return TokenType::TOKEN_INVALID;
132     }
133 }
134 } // namespace MMI
135 } // namespace OHOS
136