1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16
17 #include <accesstoken_kit.h>
18 #include <bundle_constants.h>
19 #include <ipc_skeleton.h>
20 #include <bundle_mgr_proxy.h>
21 #include <bundle_mgr_interface.h>
22 #include <system_ability_definition.h>
23 #include <iservice_registry.h>
24 #include <tokenid_kit.h>
25 #include <input_method_controller.h>
26 #include "common/include/session_permission.h"
27 #include "window_manager_hilog.h"
28
29 namespace OHOS {
30 namespace Rosen {
31 namespace {
32 constexpr HiviewDFX::HiLogLabel LABEL = {LOG_CORE, HILOG_DOMAIN_WINDOW, "SessionPermission"};
33
GetBundleManagerProxy()34 sptr<AppExecFwk::IBundleMgr> GetBundleManagerProxy()
35 {
36 sptr<ISystemAbilityManager> systemAbilityManager =
37 SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
38 if (!systemAbilityManager) {
39 WLOGFE("Failed to get system ability mgr.");
40 return nullptr;
41 }
42 sptr<IRemoteObject> remoteObject
43 = systemAbilityManager->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
44 if (!remoteObject) {
45 WLOGFE("Failed to get bundle manager service.");
46 return nullptr;
47 }
48 auto bundleManagerServiceProxy = iface_cast<AppExecFwk::IBundleMgr>(remoteObject);
49 if (!bundleManagerServiceProxy || !bundleManagerServiceProxy->AsObject()) {
50 WLOGFE("Failed to get bundle manager proxy.");
51 return nullptr;
52 }
53 return bundleManagerServiceProxy;
54 }
55
GetInputMethodBundleName(std::string & name)56 bool GetInputMethodBundleName(std::string &name)
57 {
58 auto imc = MiscServices::InputMethodController::GetInstance();
59 if (!imc) {
60 WLOGFE("InputMethodController is nullptr");
61 return false;
62 }
63 auto imProp = imc->GetCurrentInputMethod();
64 if (!imProp) {
65 WLOGFE("CurrentInputMethod is nullptr");
66 return false;
67 }
68 name = imProp->name;
69 return true;
70 }
71 }
72
IsSystemServiceCalling(bool needPrintLog)73 bool SessionPermission::IsSystemServiceCalling(bool needPrintLog)
74 {
75 Security::AccessToken::NativeTokenInfo tokenInfo;
76 Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(IPCSkeleton::GetCallingTokenID(), tokenInfo);
77 if (tokenInfo.apl == Security::AccessToken::ATokenAplEnum::APL_SYSTEM_CORE ||
78 tokenInfo.apl == Security::AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC) {
79 return true;
80 }
81 if (needPrintLog) {
82 WLOGFE("Is not system service calling, native apl: %{public}d", tokenInfo.apl);
83 }
84 return false;
85 }
86
IsSystemCalling()87 bool SessionPermission::IsSystemCalling()
88 {
89 const auto& tokenId = IPCSkeleton::GetCallingTokenID();
90 const auto& flag = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
91 if (flag == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE ||
92 flag == Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
93 WLOGFD("tokenId: %{public}u, flag: %{public}u", tokenId, flag);
94 return true;
95 }
96 WLOGFD("tokenId: %{public}u, flag: %{public}u", tokenId, flag);
97 uint64_t accessTokenIDEx = IPCSkeleton::GetCallingFullTokenID();
98 bool isSystemApp = Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIDEx);
99 return isSystemApp;
100 }
101
IsSACalling()102 bool SessionPermission::IsSACalling()
103 {
104 const auto& tokenId = IPCSkeleton::GetCallingTokenID();
105 const auto& flag = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
106 if (flag == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
107 WLOGFW("SA Called, tokenId: %{public}u, flag: %{public}u", tokenId, flag);
108 return true;
109 }
110 WLOGFD("Not SA called");
111 return false;
112 }
113
VerifyCallingPermission(const std::string & permissionName)114 bool SessionPermission::VerifyCallingPermission(const std::string &permissionName)
115 {
116 WLOGFI("VerifyCallingPermission permission %{public}s", permissionName.c_str());
117 auto callerToken = IPCSkeleton::GetCallingTokenID();
118 int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
119 if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
120 WLOGFE("permission %{public}s: PERMISSION_DENIED", permissionName.c_str());
121 return false;
122 }
123 WLOGFI("verify AccessToken success");
124 return true;
125 }
126
VerifySessionPermission()127 bool SessionPermission::VerifySessionPermission()
128 {
129 if (IsSACalling()) {
130 WLOGFI("this is SA Calling, Permission verification succeeded.");
131 return true;
132 }
133 if (VerifyCallingPermission(PermissionConstants::PERMISSION_MANAGE_MISSION)) {
134 WLOGFI("Permission verification succeeded.");
135 return true;
136 }
137 WLOGFE("Permission verification failed");
138 return false;
139 }
140
JudgeCallerIsAllowedToUseSystemAPI()141 bool SessionPermission::JudgeCallerIsAllowedToUseSystemAPI()
142 {
143 if (IsSACalling() || IsShellCall()) {
144 return true;
145 }
146 auto callerToken = IPCSkeleton::GetCallingFullTokenID();
147 return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(callerToken);
148 }
149
IsShellCall()150 bool SessionPermission::IsShellCall()
151 {
152 auto callerToken = IPCSkeleton::GetCallingTokenID();
153 auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
154 if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
155 WLOGFI("caller tokenType is shell, verify success");
156 return true;
157 }
158 WLOGFI("Not shell called.");
159 return false;
160 }
161
IsStartByHdcd()162 bool SessionPermission::IsStartByHdcd()
163 {
164 OHOS::Security::AccessToken::NativeTokenInfo info;
165 if (Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(IPCSkeleton::GetCallingTokenID(), info) != 0) {
166 return false;
167 }
168 if (info.processName.compare("hdcd") == 0) {
169 return true;
170 }
171 return false;
172 }
173
IsStartedByInputMethod()174 bool SessionPermission::IsStartedByInputMethod()
175 {
176 auto bundleManagerServiceProxy_ = GetBundleManagerProxy();
177 if (!bundleManagerServiceProxy_) {
178 WLOGFE("failed to get BundleManagerServiceProxy");
179 return false;
180 }
181 std::string inputMethodBundleName;
182 if (!GetInputMethodBundleName(inputMethodBundleName)) {
183 WLOGFE("failed to get input method bundle name");
184 return false;
185 }
186
187 int uid = IPCSkeleton::GetCallingUid();
188 // reset ipc identity
189 std::string identity = IPCSkeleton::ResetCallingIdentity();
190 std::string bundleName;
191 bundleManagerServiceProxy_->GetNameForUid(uid, bundleName);
192 AppExecFwk::BundleInfo bundleInfo;
193 // 200000 use uid to caculate userId
194 int userId = uid / 200000;
195 bool result = bundleManagerServiceProxy_->GetBundleInfo(bundleName,
196 AppExecFwk::BundleFlag::GET_BUNDLE_WITH_EXTENSION_INFO, bundleInfo, userId);
197 // set ipc identity to raw
198 IPCSkeleton::SetCallingIdentity(identity);
199 if (!result) {
200 WLOGFE("failed to query extension ability info");
201 return false;
202 }
203
204 auto extensionInfo = std::find_if(bundleInfo.extensionInfos.begin(), bundleInfo.extensionInfos.end(),
205 [](AppExecFwk::ExtensionAbilityInfo extensionInfo) {
206 return (extensionInfo.type == AppExecFwk::ExtensionAbilityType::INPUTMETHOD);
207 });
208 return extensionInfo != bundleInfo.extensionInfos.end() && extensionInfo->bundleName == inputMethodBundleName;
209 }
210 } // namespace Rosen
211 } // namespace OHOS