1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "enterprise_device_mgr_ability.h"
17
18 #include <bundle_info.h>
19 #include <bundle_mgr_interface.h>
20 #include <ipc_skeleton.h>
21 #include <iservice_registry.h>
22 #include <message_parcel.h>
23 #include <string_ex.h>
24 #include <system_ability.h>
25 #include <system_ability_definition.h>
26
27 #include "accesstoken_kit.h"
28 #include "application_state_observer.h"
29 #include "bundle_mgr_proxy.h"
30 #include "common_event_manager.h"
31 #include "common_event_support.h"
32 #include "device_policies_storage_rdb.h"
33 #include "directory_ex.h"
34 #include "edm_constants.h"
35 #include "edm_errors.h"
36 #include "edm_ipc_interface_code.h"
37 #include "edm_log.h"
38 #include "edm_sys_manager.h"
39 #include "enterprise_admin_connection.h"
40 #include "enterprise_bundle_connection.h"
41 #include "enterprise_conn_manager.h"
42 #include "func_code_utils.h"
43 #include "matching_skills.h"
44 #include "os_account_manager.h"
45 #include "parameters.h"
46 #include "security_report.h"
47 #include "tokenid_kit.h"
48
49 namespace OHOS {
50 namespace EDM {
51 const bool REGISTER_RESULT =
52 SystemAbility::MakeAndRegisterAbility(EnterpriseDeviceMgrAbility::GetInstance().GetRefPtr());
53
54 const std::string PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN = "ohos.permission.MANAGE_ENTERPRISE_DEVICE_ADMIN";
55 const std::string PERMISSION_SET_ENTERPRISE_INFO = "ohos.permission.SET_ENTERPRISE_INFO";
56 const std::string PERMISSION_ENTERPRISE_SUBSCRIBE_MANAGED_EVENT = "ohos.permission.ENTERPRISE_SUBSCRIBE_MANAGED_EVENT";
57 const std::string PARAM_EDM_ENABLE = "persist.edm.edm_enable";
58 const std::string PARAM_SECURITY_MODE = "ohos.boot.advsecmode.state";
59 const std::string SYSTEM_UPDATE_FOR_POLICY = "usual.event.DUE_SA_FIRMWARE_UPDATE_FOR_POLICY";
60 const std::string FIRMWARE_EVENT_INFO_NAME = "version";
61 const std::string FIRMWARE_EVENT_INFO_TYPE = "packageType";
62 const std::string FIRMWARE_EVENT_INFO_CHECK_TIME = "firstReceivedTime";
63
64 const std::vector<uint32_t> codeList = {
65 EdmInterfaceCode::RESET_FACTORY,
66 EdmInterfaceCode::DISABLED_PRINTER,
67 EdmInterfaceCode::DISABLED_HDC,
68 EdmInterfaceCode::NTP_SERVER,
69 };
70
71 std::mutex EnterpriseDeviceMgrAbility::mutexLock_;
72
73 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::instance_;
74
AddCommonEventFuncMap()75 void EnterpriseDeviceMgrAbility::AddCommonEventFuncMap()
76 {
77 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED] =
78 &EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved;
79 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_ADDED] =
80 &EnterpriseDeviceMgrAbility::OnCommonEventPackageAdded;
81 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED] =
82 &EnterpriseDeviceMgrAbility::OnCommonEventPackageRemoved;
83 commonEventFuncMap_[SYSTEM_UPDATE_FOR_POLICY] =
84 &EnterpriseDeviceMgrAbility::OnCommonEventSystemUpdate;
85 }
86
OnCommonEventSystemUpdate(const EventFwk::CommonEventData & data)87 void EnterpriseDeviceMgrAbility::OnCommonEventSystemUpdate(const EventFwk::CommonEventData &data)
88 {
89 EDMLOGI("OnCommonEventSystemUpdate");
90 UpdateInfo updateInfo;
91 updateInfo.version = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_NAME);
92 updateInfo.firstReceivedTime = data.GetWant().GetLongParam(FIRMWARE_EVENT_INFO_CHECK_TIME, 0);
93 updateInfo.packageType = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_TYPE);
94
95 ConnectAbilityOnSystemUpdate(updateInfo);
96 }
97
ConnectAbilityOnSystemUpdate(const UpdateInfo & updateInfo)98 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemUpdate(const UpdateInfo &updateInfo)
99 {
100 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
101 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::SYSTEM_UPDATE, subAdmins);
102 if (subAdmins.empty()) {
103 EDMLOGW("Get subscriber by common event failed.");
104 return;
105 }
106 AAFwk::Want want;
107 for (const auto &subAdmin : subAdmins) {
108 for (const auto &it : subAdmin.second) {
109 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
110 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
111 sptr<IEnterpriseConnection> connection =
112 manager->CreateUpdateConnection(want, subAdmin.first, updateInfo);
113 manager->ConnectAbility(connection);
114 }
115 }
116 }
117
AddOnAddSystemAbilityFuncMap()118 void EnterpriseDeviceMgrAbility::AddOnAddSystemAbilityFuncMap()
119 {
120 addSystemAbilityFuncMap_[APP_MGR_SERVICE_ID] = &EnterpriseDeviceMgrAbility::OnAppManagerServiceStart;
121 addSystemAbilityFuncMap_[COMMON_EVENT_SERVICE_ID] = &EnterpriseDeviceMgrAbility::OnCommonEventServiceStart;
122 addSystemAbilityFuncMap_[ABILITY_MGR_SERVICE_ID] = &EnterpriseDeviceMgrAbility::OnAbilityManagerServiceStart;
123 }
124
EnterpriseDeviceEventSubscriber(const EventFwk::CommonEventSubscribeInfo & subscribeInfo,EnterpriseDeviceMgrAbility & listener)125 EnterpriseDeviceEventSubscriber::EnterpriseDeviceEventSubscriber(
126 const EventFwk::CommonEventSubscribeInfo &subscribeInfo,
127 EnterpriseDeviceMgrAbility &listener) : EventFwk::CommonEventSubscriber(subscribeInfo), listener_(listener) {}
128
OnReceiveEvent(const EventFwk::CommonEventData & data)129 void EnterpriseDeviceEventSubscriber::OnReceiveEvent(const EventFwk::CommonEventData &data)
130 {
131 const std::string action = data.GetWant().GetAction();
132 EDMLOGI("EDM OnReceiveEvent get action: %{public}s", action.c_str());
133 auto func = listener_.commonEventFuncMap_.find(action);
134 if (func != listener_.commonEventFuncMap_.end()) {
135 auto commonEventFunc = func->second;
136 if (commonEventFunc != nullptr) {
137 return (listener_.*commonEventFunc)(data);
138 }
139 } else {
140 EDMLOGW("OnReceiveEvent action is invalid");
141 }
142 }
143
CreateEnterpriseDeviceEventSubscriber(EnterpriseDeviceMgrAbility & listener)144 std::shared_ptr<EventFwk::CommonEventSubscriber> EnterpriseDeviceMgrAbility::CreateEnterpriseDeviceEventSubscriber(
145 EnterpriseDeviceMgrAbility &listener)
146 {
147 EventFwk::MatchingSkills skill = EventFwk::MatchingSkills();
148 AddCommonEventFuncMap();
149 for (auto &item : commonEventFuncMap_) {
150 skill.AddEvent(item.first);
151 EDMLOGI("CreateEnterpriseDeviceEventSubscriber AddEvent: %{public}s", item.first.c_str());
152 }
153 EventFwk::CommonEventSubscribeInfo info(skill);
154 return std::make_shared<EnterpriseDeviceEventSubscriber>(info, listener);
155 }
156
OnCommonEventUserRemoved(const EventFwk::CommonEventData & data)157 void EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved(const EventFwk::CommonEventData &data)
158 {
159 int userIdToRemove = data.GetCode();
160 if (userIdToRemove == 0) {
161 return;
162 }
163 EDMLOGI("OnCommonEventUserRemoved");
164 std::lock_guard<std::mutex> autoLock(mutexLock_);
165 // include super admin, need to be removed
166 std::vector<std::shared_ptr<Admin>> userAdmin;
167 adminMgr_->GetAdminByUserId(userIdToRemove, userAdmin);
168 for (auto &item : userAdmin) {
169 if (FAILED(RemoveAdmin(item->adminInfo_.packageName_, userIdToRemove))) {
170 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved remove admin failed packagename = %{public}s",
171 item->adminInfo_.packageName_.c_str());
172 }
173 }
174 std::vector<std::shared_ptr<Admin>> subAndSuperAdmin;
175 adminMgr_->GetAdminByUserId(DEFAULT_USER_ID, subAndSuperAdmin);
176 for (const auto &subAdmin : subAndSuperAdmin) {
177 if ((subAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN || subAdmin->GetAdminType() == AdminType::ENT) &&
178 FAILED(RemoveAdmin(subAdmin->adminInfo_.packageName_, userIdToRemove))) {
179 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved: remove sub and super admin policy failed.");
180 }
181 }
182 }
183
OnCommonEventPackageAdded(const EventFwk::CommonEventData & data)184 void EnterpriseDeviceMgrAbility::OnCommonEventPackageAdded(const EventFwk::CommonEventData &data)
185 {
186 EDMLOGI("OnCommonEventPackageAdded");
187 std::string bundleName = data.GetWant().GetElement().GetBundleName();
188 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_ADDED);
189 }
190
OnCommonEventPackageRemoved(const EventFwk::CommonEventData & data)191 void EnterpriseDeviceMgrAbility::OnCommonEventPackageRemoved(const EventFwk::CommonEventData &data)
192 {
193 EDMLOGI("OnCommonEventPackageRemoved");
194 std::string bundleName = data.GetWant().GetElement().GetBundleName();
195 int32_t userId = data.GetWant().GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
196 std::lock_guard<std::mutex> autoLock(mutexLock_);
197 std::shared_ptr<Admin> admin = adminMgr_->GetAdminByPkgName(bundleName, userId);
198 if (admin != nullptr) {
199 if (admin->adminInfo_.adminType_ == AdminType::NORMAL) {
200 RemoveAdmin(bundleName, userId);
201 }
202 if (admin->adminInfo_.adminType_ == AdminType::SUB_SUPER_ADMIN && userId == DEFAULT_USER_ID) {
203 RemovePolicyAndAdmin(bundleName);
204 }
205 if (admin->adminInfo_.adminType_ == AdminType::ENT && userId == DEFAULT_USER_ID) {
206 // remove sub-super admin
207 std::vector<std::string> subAdmins;
208 adminMgr_->GetSubSuperAdminsByParentName(bundleName, subAdmins);
209 for (auto const &subAdminName : subAdmins) {
210 RemovePolicyAndAdmin(subAdminName);
211 }
212 // remove super admin
213 RemovePolicyAndAdmin(bundleName);
214 }
215 if (!adminMgr_->IsAdminExist()) {
216 system::SetParameter(PARAM_EDM_ENABLE, "false");
217 }
218 }
219 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_REMOVED);
220 }
221
ConnectAbilityOnSystemEvent(const std::string & bundleName,ManagedEvent event)222 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemEvent(const std::string &bundleName, ManagedEvent event)
223 {
224 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
225 adminMgr_->GetAdminBySubscribeEvent(event, subAdmins);
226 if (subAdmins.empty()) {
227 EDMLOGW("Get subscriber by common event failed.");
228 return;
229 }
230 AAFwk::Want want;
231 for (const auto &subAdmin : subAdmins) {
232 for (const auto &it : subAdmin.second) {
233 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
234 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
235 sptr<IEnterpriseConnection> connection =
236 manager->CreateBundleConnection(want, static_cast<uint32_t>(event), subAdmin.first, bundleName);
237 manager->ConnectAbility(connection);
238 }
239 }
240 }
241
GetInstance()242 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::GetInstance()
243 {
244 if (instance_ == nullptr) {
245 std::lock_guard<std::mutex> autoLock(mutexLock_);
246 if (instance_ == nullptr) {
247 EDMLOGD("EnterpriseDeviceMgrAbility:GetInstance instance = new EnterpriseDeviceMgrAbility()");
248 instance_ = new (std::nothrow) EnterpriseDeviceMgrAbility();
249 }
250 }
251 return instance_;
252 }
253
EnterpriseDeviceMgrAbility()254 EnterpriseDeviceMgrAbility::EnterpriseDeviceMgrAbility() : SystemAbility(ENTERPRISE_DEVICE_MANAGER_SA_ID, true)
255 {
256 EDMLOGI("EnterpriseDeviceMgrAbility:new instance");
257 }
258
~EnterpriseDeviceMgrAbility()259 EnterpriseDeviceMgrAbility::~EnterpriseDeviceMgrAbility()
260 {
261 instance_ = nullptr;
262
263 if (adminMgr_) {
264 adminMgr_.reset();
265 }
266
267 if (pluginMgr_) {
268 pluginMgr_.reset();
269 }
270
271 if (policyMgr_) {
272 policyMgr_.reset();
273 }
274 EDMLOGD("instance is destroyed");
275 }
276
Dump(int32_t fd,const std::vector<std::u16string> & args)277 int32_t EnterpriseDeviceMgrAbility::Dump(int32_t fd, const std::vector<std::u16string> &args)
278 {
279 EDMLOGI("EnterpriseDeviceMgrAbility::Dump");
280 if (fd < 0) {
281 EDMLOGE("Dump fd invalid");
282 return ERR_EDM_DUMP_FAILED;
283 }
284 std::string result;
285 result.append("Ohos enterprise device manager service: \n");
286 std::vector<std::string> enabledAdminList;
287 GetEnabledAdmin(AdminType::NORMAL, enabledAdminList);
288 if (enabledAdminList.empty()) {
289 result.append("There is no admin enabled\n");
290 } else {
291 result.append("Enabled admin exist :\n");
292 for (const auto &enabledAdmin : enabledAdminList) {
293 result.append(enabledAdmin);
294 result.append("\n");
295 }
296 }
297 int32_t ret = dprintf(fd, "%s", result.c_str());
298 if (ret < 0) {
299 EDMLOGE("dprintf to dump fd failed");
300 return ERR_EDM_DUMP_FAILED;
301 }
302 return ERR_OK;
303 }
304
OnStart()305 void EnterpriseDeviceMgrAbility::OnStart()
306 {
307 std::lock_guard<std::mutex> autoLock(mutexLock_);
308 EDMLOGD("EnterpriseDeviceMgrAbility::OnStart() Publish");
309 if (!registerToService_) {
310 if (!Publish(this)) {
311 EDMLOGE("EnterpriseDeviceMgrAbility: res == false");
312 return;
313 }
314 registerToService_ = true;
315 }
316 if (!adminMgr_) {
317 adminMgr_ = AdminManager::GetInstance();
318 }
319 EDMLOGD("create adminMgr_ success");
320 adminMgr_->Init();
321 InitAllPolices();
322
323 if (!pluginMgr_) {
324 pluginMgr_ = PluginManager::GetInstance();
325 }
326 EDMLOGD("create pluginMgr_ success");
327 pluginMgr_->Init();
328
329 AddOnAddSystemAbilityFuncMap();
330 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
331 AddSystemAbilityListener(APP_MGR_SERVICE_ID);
332 AddSystemAbilityListener(ABILITY_MGR_SERVICE_ID);
333 }
334
InitAllPolices()335 void EnterpriseDeviceMgrAbility::InitAllPolices()
336 {
337 std::vector<int32_t> userIds;
338 auto devicePolicies = DevicePoliciesStorageRdb::GetInstance();
339 if (devicePolicies == nullptr) {
340 EDMLOGE("OnAddSystemAbility::InitAllPolices:get rdbStore failed.");
341 return;
342 }
343 devicePolicies->QueryAllUserId(userIds);
344 for (auto userId : userIds) {
345 if (userId < DEFAULT_USER_ID) {
346 continue;
347 }
348 GetAndSwitchPolicyManagerByUserId(userId);
349 }
350 policyMgr_ = GetAndSwitchPolicyManagerByUserId(DEFAULT_USER_ID);
351 }
352
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)353 void EnterpriseDeviceMgrAbility::OnAddSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
354 {
355 EDMLOGD("OnAddSystemAbility systemAbilityId:%{public}d added!", systemAbilityId);
356 auto func = addSystemAbilityFuncMap_.find(systemAbilityId);
357 if (func != addSystemAbilityFuncMap_.end()) {
358 auto memberFunc = func->second;
359 if (memberFunc != nullptr) {
360 return (this->*memberFunc)(systemAbilityId, deviceId);
361 }
362 }
363 }
364
OnAppManagerServiceStart(int32_t systemAbilityId,const std::string & deviceId)365 void EnterpriseDeviceMgrAbility::OnAppManagerServiceStart(int32_t systemAbilityId, const std::string &deviceId)
366 {
367 EDMLOGI("OnAppManagerServiceStart");
368 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
369 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
370 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
371 if (!subAdmins.empty()) {
372 EDMLOGI("the admin that listened the APP_START or APP_STOP event is existed");
373 SubscribeAppState();
374 }
375 }
376
OnAbilityManagerServiceStart(int32_t systemAbilityId,const std::string & deviceId)377 void EnterpriseDeviceMgrAbility::OnAbilityManagerServiceStart(int32_t systemAbilityId, const std::string &deviceId)
378 {
379 EDMLOGI("OnAbilityManagerServiceStart");
380 auto superAdmin = adminMgr_->GetSuperAdmin();
381 if (superAdmin != nullptr) {
382 AAFwk::Want connectWant;
383 connectWant.SetElementName(superAdmin->adminInfo_.packageName_, superAdmin->adminInfo_.className_);
384 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
385 sptr<IEnterpriseConnection> connection = manager->CreateAdminConnection(connectWant,
386 IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, DEFAULT_USER_ID, false);
387 manager->ConnectAbility(connection);
388 }
389 }
390
OnCommonEventServiceStart(int32_t systemAbilityId,const std::string & deviceId)391 void EnterpriseDeviceMgrAbility::OnCommonEventServiceStart(int32_t systemAbilityId, const std::string &deviceId)
392 {
393 commonEventSubscriber = CreateEnterpriseDeviceEventSubscriber(*this);
394 EventFwk::CommonEventManager::SubscribeCommonEvent(this->commonEventSubscriber);
395 EDMLOGI("create commonEventSubscriber success");
396 }
397
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)398 void EnterpriseDeviceMgrAbility::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string &deviceId) {}
399
OnStop()400 void EnterpriseDeviceMgrAbility::OnStop()
401 {
402 EDMLOGD("EnterpriseDeviceMgrAbility::OnStop()");
403 }
404
GetAllPermissionsByAdmin(const std::string & bundleInfoName,std::vector<std::string> & permissionList,int32_t userId)405 ErrCode EnterpriseDeviceMgrAbility::GetAllPermissionsByAdmin(const std::string &bundleInfoName,
406 std::vector<std::string> &permissionList, int32_t userId)
407 {
408 bool ret = false;
409 AppExecFwk::BundleInfo bundleInfo;
410 auto bundleManager = GetBundleMgr();
411 if (!bundleManager) {
412 EDMLOGE("EnterpriseDeviceMgrAbility::GetAllPermissionsByAdmin GetBundleMgr failed.");
413 return ERR_EDM_BMS_ERROR;
414 }
415 permissionList.clear();
416 EDMLOGD("GetAllPermissionsByAdmin GetBundleInfo: bundleInfoName %{public}s userid %{public}d",
417 bundleInfoName.c_str(), userId);
418 ret = bundleManager->GetBundleInfo(bundleInfoName, AppExecFwk::BundleFlag::GET_BUNDLE_WITH_REQUESTED_PERMISSION,
419 bundleInfo, userId);
420 if (!ret) {
421 EDMLOGW("GetAllPermissionsByAdmin: GetBundleInfo failed %{public}d", ret);
422 return ERR_EDM_PARAM_ERROR;
423 }
424 std::vector<std::string> reqPermission = bundleInfo.reqPermissions;
425 if (reqPermission.empty()) {
426 EDMLOGW("GetAllPermissionsByAdmin: bundleInfo reqPermissions empty");
427 return ERR_OK;
428 }
429
430 std::vector<EdmPermission> edmPermissions;
431 ErrCode code = adminMgr_->GetReqPermission(reqPermission, edmPermissions);
432 if (SUCCEEDED(code)) {
433 for (const auto &perm : edmPermissions) {
434 permissionList.push_back(perm.getPermissionName());
435 }
436 }
437 return ERR_OK;
438 }
439
GetAppMgr()440 sptr<AppExecFwk::IAppMgr> EnterpriseDeviceMgrAbility::GetAppMgr()
441 {
442 auto remoteObject = EdmSysManager::GetRemoteObjectOfSystemAbility(OHOS::APP_MGR_SERVICE_ID);
443 return iface_cast<AppExecFwk::IAppMgr>(remoteObject);
444 }
445
GetBundleMgr()446 sptr<AppExecFwk::IBundleMgr> EnterpriseDeviceMgrAbility::GetBundleMgr()
447 {
448 auto remoteObject = EdmSysManager::GetRemoteObjectOfSystemAbility(OHOS::BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
449 sptr<AppExecFwk::IBundleMgr> proxy = iface_cast<AppExecFwk::IBundleMgr>(remoteObject);
450 return proxy;
451 }
452
SubscribeAppState()453 bool EnterpriseDeviceMgrAbility::SubscribeAppState()
454 {
455 if (appStateObserver_) {
456 EDMLOGD("appStateObserver has subscribed");
457 return true;
458 }
459 sptr<AppExecFwk::IAppMgr> appMgr = GetAppMgr();
460 if (!appMgr) {
461 EDMLOGE("GetAppMgr failed");
462 return false;
463 }
464 appStateObserver_ = new (std::nothrow) ApplicationStateObserver(*this);
465 if (!appStateObserver_) {
466 EDMLOGE("new ApplicationStateObserver failed");
467 return false;
468 }
469 if (appMgr->RegisterApplicationStateObserver(appStateObserver_) != ERR_OK) {
470 EDMLOGE("RegisterApplicationStateObserver fail!");
471 appStateObserver_.clear();
472 appStateObserver_ = nullptr;
473 return false;
474 }
475 return true;
476 }
477
UnsubscribeAppState()478 bool EnterpriseDeviceMgrAbility::UnsubscribeAppState()
479 {
480 if (!appStateObserver_) {
481 EDMLOGD("appStateObserver has subscribed");
482 return true;
483 }
484 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
485 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
486 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
487 if (!subAdmins.empty()) {
488 return true;
489 }
490 sptr<AppExecFwk::IAppMgr> appMgr = GetAppMgr();
491 if (!appMgr || appMgr->UnregisterApplicationStateObserver(appStateObserver_) != ERR_OK) {
492 EDMLOGE("UnregisterApplicationStateObserver fail!");
493 return false;
494 }
495 appStateObserver_.clear();
496 appStateObserver_ = nullptr;
497 return true;
498 }
499
VerifyCallingPermission(const std::string & permissionName)500 bool EnterpriseDeviceMgrAbility::VerifyCallingPermission(const std::string &permissionName)
501 {
502 EDMLOGD("VerifyCallingPermission permission %{public}s", permissionName.c_str());
503 Security::AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
504 int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
505 if (ret == Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
506 EDMLOGI("permission %{public}s: PERMISSION_GRANTED", permissionName.c_str());
507 return true;
508 }
509 EDMLOGW("verify AccessToken failed");
510 return false;
511 }
512
VerifyEnableAdminCondition(AppExecFwk::ElementName & admin,AdminType type,int32_t userId)513 ErrCode EnterpriseDeviceMgrAbility::VerifyEnableAdminCondition(AppExecFwk::ElementName &admin, AdminType type,
514 int32_t userId)
515 {
516 if (type == AdminType::UNKNOWN) {
517 EDMLOGW("EnableAdmin: admin type is invalid.");
518 return ERR_EDM_ADD_ADMIN_FAILED;
519 }
520 if (type == AdminType::ENT && userId != DEFAULT_USER_ID) {
521 EDMLOGW("EnableAdmin: Super admin can only be enabled in default user.");
522 return ERR_EDM_ADD_ADMIN_FAILED;
523 }
524
525 if (type != AdminType::ENT && system::GetBoolParameter(PARAM_SECURITY_MODE, false)) {
526 EDMLOGW("EnableAdmin: The current mode is not supported.");
527 return ERR_EDM_ADD_ADMIN_FAILED;
528 }
529
530 std::shared_ptr<Admin> existAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
531 if (existAdmin != nullptr) {
532 if (existAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN) {
533 EDMLOGW("EnableAdmin: sub-super admin can not be enabled as a normal or super admin.");
534 return ERR_EDM_ADD_ADMIN_FAILED;
535 }
536 if (existAdmin->GetAdminType() == AdminType::ENT && (type != AdminType::ENT || userId != DEFAULT_USER_ID)) {
537 EDMLOGW("EnableAdmin: an exist super admin can't be enabled twice with different role or user id.");
538 return ERR_EDM_ADD_ADMIN_FAILED;
539 }
540 /* An application can't be enabled twice with different ability name */
541 if (existAdmin->adminInfo_.className_ != admin.GetAbilityName()) {
542 EDMLOGW("EnableAdmin: There is another admin ability enabled with the same package name.");
543 return ERR_EDM_ADD_ADMIN_FAILED;
544 }
545 }
546 if (type == AdminType::ENT && adminMgr_->IsSuperAdminExist()) {
547 if (existAdmin == nullptr || existAdmin->adminInfo_.adminType_ != AdminType::ENT) {
548 EDMLOGW("EnableAdmin: There is another super admin enabled.");
549 return ERR_EDM_ADD_ADMIN_FAILED;
550 }
551 }
552 return ERR_OK;
553 }
554
EnableAdmin(AppExecFwk::ElementName & admin,EntInfo & entInfo,AdminType type,int32_t userId)555 ErrCode EnterpriseDeviceMgrAbility::EnableAdmin(AppExecFwk::ElementName &admin, EntInfo &entInfo, AdminType type,
556 int32_t userId)
557 {
558 EDMLOGD("EnterpriseDeviceMgrAbility::EnableAdmin user id = %{public}d", userId);
559 std::lock_guard<std::mutex> autoLock(mutexLock_);
560 if (!VerifyCallingPermission(PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
561 EDMLOGW("EnterpriseDeviceMgrAbility::EnableAdmin check permission failed");
562 return EdmReturnErrCode::PERMISSION_DENIED;
563 }
564 std::vector<AppExecFwk::ExtensionAbilityInfo> abilityInfo;
565 auto bundleManager = GetBundleMgr();
566 if (!bundleManager) {
567 EDMLOGW("can not get iBundleMgr");
568 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
569 }
570 AAFwk::Want want;
571 want.SetElement(admin);
572 if (!bundleManager->QueryExtensionAbilityInfos(want, AppExecFwk::ExtensionAbilityType::ENTERPRISE_ADMIN,
573 AppExecFwk::ExtensionAbilityInfoFlag::GET_EXTENSION_INFO_WITH_PERMISSION, userId, abilityInfo) ||
574 abilityInfo.empty()) {
575 EDMLOGW("EnableAdmin: QueryExtensionAbilityInfos failed");
576 return EdmReturnErrCode::COMPONENT_INVALID;
577 }
578 if (FAILED(VerifyEnableAdminCondition(admin, type, userId))) {
579 EDMLOGW("EnableAdmin: VerifyEnableAdminCondition failed.");
580 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
581 }
582
583 /* Get all request and registered permissions */
584 std::vector<std::string> permissionList;
585 if (FAILED(GetAllPermissionsByAdmin(admin.GetBundleName(), permissionList, userId))) {
586 EDMLOGW("EnableAdmin: GetAllPermissionsByAdmin failed");
587 return EdmReturnErrCode::COMPONENT_INVALID;
588 }
589 /* Filter permissions with AdminType, such as NORMAL can't request super permission */
590 if (FAILED(adminMgr_->GetGrantedPermission(permissionList, type))) {
591 EDMLOGW("EnableAdmin: GetGrantedPermission failed");
592 // permission verify, should throw exception if failed
593 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
594 }
595 if (FAILED(adminMgr_->SetAdminValue(abilityInfo.at(0), entInfo, type, permissionList, userId))) {
596 EDMLOGE("EnableAdmin: SetAdminValue failed.");
597 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
598 }
599 system::SetParameter(PARAM_EDM_ENABLE, "true");
600 EDMLOGI("EnableAdmin: SetAdminValue success %{public}s, type:%{public}d", admin.GetBundleName().c_str(),
601 static_cast<uint32_t>(type));
602 AAFwk::Want connectWant;
603 connectWant.SetElementName(admin.GetBundleName(), admin.GetAbilityName());
604 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
605 sptr<IEnterpriseConnection> connection =
606 manager->CreateAdminConnection(connectWant, IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, userId);
607 manager->ConnectAbility(connection);
608 return ERR_OK;
609 }
610
RemoveAdminItem(const std::string & adminName,const std::string & policyName,const std::string & policyValue,int32_t userId)611 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminItem(const std::string &adminName, const std::string &policyName,
612 const std::string &policyValue, int32_t userId)
613 {
614 ErrCode ret;
615 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByPolicyName(policyName);
616 if (plugin == nullptr) {
617 EDMLOGW("RemoveAdminItem: Get plugin by policy failed: %{public}s\n", policyName.c_str());
618 return ERR_EDM_GET_PLUGIN_MGR_FAILED;
619 }
620 if ((ret = plugin->OnAdminRemove(adminName, policyValue, userId)) != ERR_OK) {
621 EDMLOGW("RemoveAdminItem: OnAdminRemove failed, admin:%{public}s, value:%{public}s, res:%{public}d\n",
622 adminName.c_str(), policyValue.c_str(), ret);
623 }
624 if (plugin->NeedSavePolicy()) {
625 std::string mergedPolicyData;
626 if ((ret = plugin->MergePolicyData(adminName, mergedPolicyData)) != ERR_OK) {
627 EDMLOGW("RemoveAdminItem: Get admin by policy name failed: %{public}s, ErrCode:%{public}d\n",
628 policyName.c_str(), ret);
629 }
630
631 ErrCode setRet = ERR_OK;
632 std::unordered_map<std::string, std::string> adminListMap;
633 ret = policyMgr_->GetAdminByPolicyName(policyName, adminListMap);
634 if ((ret == ERR_EDM_POLICY_NOT_FOUND) || adminListMap.empty()) {
635 setRet = policyMgr_->SetPolicy("", policyName, "", "");
636 } else {
637 setRet = policyMgr_->SetPolicy(adminName, policyName, "", mergedPolicyData);
638 }
639
640 if (FAILED(setRet)) {
641 EDMLOGW("RemoveAdminItem: DeleteAdminPolicy failed, admin:%{public}s, policy:%{public}s, res:%{public}d\n",
642 adminName.c_str(), policyName.c_str(), ret);
643 return ERR_EDM_DEL_ADMIN_FAILED;
644 }
645 }
646 plugin->OnAdminRemoveDone(adminName, policyValue, userId);
647 return ERR_OK;
648 }
649
RemoveAdmin(const std::string & adminName,int32_t userId)650 ErrCode EnterpriseDeviceMgrAbility::RemoveAdmin(const std::string &adminName, int32_t userId)
651 {
652 EDMLOGD("RemoveAdmin %{public}s, user id = %{public}d", adminName.c_str(), userId);
653 std::unordered_map<std::string, std::string> policyItems;
654 policyMgr_ = GetAndSwitchPolicyManagerByUserId(userId);
655 policyMgr_->GetAllPolicyByAdmin(adminName, policyItems);
656 for (const auto &policyItem : policyItems) {
657 std::string policyItemName = policyItem.first;
658 std::string policyItemValue = policyItem.second;
659 EDMLOGD("RemoveAdmin: RemoveAdminItem policyName:%{public}s,policyValue:%{public}s", policyItemName.c_str(),
660 policyItemValue.c_str());
661 if (RemoveAdminItem(adminName, policyItemName, policyItemValue, userId) != ERR_OK) {
662 return ERR_EDM_DEL_ADMIN_FAILED;
663 }
664 }
665
666 if (adminMgr_->IsSuperOrSubSuperAdmin(adminName) && userId != DEFAULT_USER_ID) {
667 EDMLOGI("Remove super admin %{public}s and user id = %{public}d", adminName.c_str(), userId);
668 return ERR_OK;
669 }
670
671 bool shouldUnsubscribeAppState = ShouldUnsubscribeAppState(adminName, userId);
672 if (adminMgr_->DeleteAdmin(adminName, userId) != ERR_OK) {
673 return ERR_EDM_DEL_ADMIN_FAILED;
674 }
675 if (shouldUnsubscribeAppState) {
676 UnsubscribeAppState();
677 }
678 policyMgr_ = GetAndSwitchPolicyManagerByUserId(DEFAULT_USER_ID);
679 return ERR_OK;
680 }
681
RemovePolicyAndAdmin(const std::string & bundleName)682 ErrCode EnterpriseDeviceMgrAbility::RemovePolicyAndAdmin(const std::string &bundleName)
683 {
684 for (auto it = policyMgrMap_.rbegin(); it != policyMgrMap_.rend(); ++it) {
685 EDMLOGD("RemovePolicyAndAdmin: policyMgrMap_ it->first %{public}d", it->first);
686 if (FAILED(RemoveAdmin(bundleName, it->first))) {
687 return ERR_EDM_DEL_ADMIN_FAILED;
688 }
689 }
690 return ERR_OK;
691 }
692
ShouldUnsubscribeAppState(const std::string & adminName,int32_t userId)693 bool EnterpriseDeviceMgrAbility::ShouldUnsubscribeAppState(const std::string &adminName, int32_t userId)
694 {
695 std::shared_ptr<Admin> adminPtr = adminMgr_->GetAdminByPkgName(adminName, userId);
696 return std::any_of(adminPtr->adminInfo_.managedEvents_.begin(), adminPtr->adminInfo_.managedEvents_.end(),
697 [](ManagedEvent event) { return event == ManagedEvent::APP_START || event == ManagedEvent::APP_STOP; });
698 }
699
DisableAdmin(AppExecFwk::ElementName & admin,int32_t userId)700 ErrCode EnterpriseDeviceMgrAbility::DisableAdmin(AppExecFwk::ElementName &admin, int32_t userId)
701 {
702 EDMLOGW("EnterpriseDeviceMgrAbility::DisableAdmin user id = %{public}d", userId);
703 std::lock_guard<std::mutex> autoLock(mutexLock_);
704 if (!VerifyCallingPermission(PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
705 EDMLOGW("EnterpriseDeviceMgrAbility::DisableAdmin check permission failed");
706 return EdmReturnErrCode::PERMISSION_DENIED;
707 }
708
709 std::shared_ptr<Admin> adminPtr = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
710 if (adminPtr == nullptr) {
711 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
712 }
713 if (adminPtr->adminInfo_.adminType_ != AdminType::NORMAL) {
714 EDMLOGW("DisableAdmin: only remove normal admin.");
715 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
716 }
717
718 if (FAILED(RemoveAdmin(admin.GetBundleName(), userId))) {
719 EDMLOGW("DisableAdmin: disable admin failed.");
720 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
721 }
722 if (!adminMgr_->IsAdminExist()) {
723 system::SetParameter(PARAM_EDM_ENABLE, "false");
724 }
725 AAFwk::Want want;
726 want.SetElementName(admin.GetBundleName(), admin.GetAbilityName());
727 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
728 sptr<IEnterpriseConnection> connection =
729 manager->CreateAdminConnection(want, IEnterpriseAdmin::COMMAND_ON_ADMIN_DISABLED, userId);
730 manager->ConnectAbility(connection);
731 return ERR_OK;
732 }
733
CheckCallingUid(const std::string & bundleName)734 ErrCode EnterpriseDeviceMgrAbility::CheckCallingUid(const std::string &bundleName)
735 {
736 // super admin can be removed by itself
737 int uid = GetCallingUid();
738 auto bundleManager = GetBundleMgr();
739 if (!bundleManager) {
740 EDMLOGE("EnterpriseDeviceMgrAbility::CheckCallingUid GetBundleMgr failed.");
741 return ERR_EDM_BMS_ERROR;
742 }
743 std::string callingBundleName;
744 if (bundleManager->GetNameForUid(uid, callingBundleName) != ERR_OK) {
745 EDMLOGW("CheckCallingUid failed: get bundleName for uid %{public}d fail.", uid);
746 return ERR_EDM_PERMISSION_ERROR;
747 }
748 if (bundleName == callingBundleName) {
749 return ERR_OK;
750 }
751 EDMLOGW("CheckCallingUid failed: only the app %{public}s can remove itself.", callingBundleName.c_str());
752 return ERR_EDM_PERMISSION_ERROR;
753 }
754
DisableSuperAdmin(const std::string & bundleName)755 ErrCode EnterpriseDeviceMgrAbility::DisableSuperAdmin(const std::string &bundleName)
756 {
757 std::lock_guard<std::mutex> autoLock(mutexLock_);
758 if (!VerifyCallingPermission(PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
759 EDMLOGW("EnterpriseDeviceMgrAbility::DisableSuperAdmin check permission failed.");
760 return EdmReturnErrCode::PERMISSION_DENIED;
761 }
762 std::shared_ptr<Admin> admin = adminMgr_->GetAdminByPkgName(bundleName, DEFAULT_USER_ID);
763 if (admin == nullptr) {
764 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
765 }
766 if (admin->adminInfo_.adminType_ != AdminType::ENT) {
767 EDMLOGW("DisableSuperAdmin: only remove super admin.");
768 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
769 }
770 // disable sub-super admin
771 std::vector<std::string> subAdmins;
772 adminMgr_->GetSubSuperAdminsByParentName(bundleName, subAdmins);
773 for (auto const &subAdminName : subAdmins) {
774 if (FAILED(RemovePolicyAndAdmin(subAdminName))) {
775 EDMLOGW("DisableSuperAdmin: remove sub-super admin failed.");
776 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
777 }
778 }
779 // disable super admin
780 if (FAILED(RemovePolicyAndAdmin(bundleName))) {
781 EDMLOGW("DisableSuperAdmin: remove super admin failed.");
782 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
783 }
784 if (!adminMgr_->IsAdminExist()) {
785 system::SetParameter(PARAM_EDM_ENABLE, "false");
786 }
787 AAFwk::Want want;
788 want.SetElementName(admin->adminInfo_.packageName_, admin->adminInfo_.className_);
789 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
790 sptr<IEnterpriseConnection> connection =
791 manager->CreateAdminConnection(want, IEnterpriseAdmin::COMMAND_ON_ADMIN_DISABLED, DEFAULT_USER_ID);
792 manager->ConnectAbility(connection);
793 return ERR_OK;
794 }
795
IsSuperAdmin(const std::string & bundleName)796 bool EnterpriseDeviceMgrAbility::IsSuperAdmin(const std::string &bundleName)
797 {
798 std::lock_guard<std::mutex> autoLock(mutexLock_);
799 return adminMgr_->IsSuperAdmin(bundleName);
800 }
801
IsAdminEnabled(AppExecFwk::ElementName & admin,int32_t userId)802 bool EnterpriseDeviceMgrAbility::IsAdminEnabled(AppExecFwk::ElementName &admin, int32_t userId)
803 {
804 std::lock_guard<std::mutex> autoLock(mutexLock_);
805 std::shared_ptr<Admin> existAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
806 if (existAdmin != nullptr) {
807 EDMLOGD("IsAdminEnabled: get admin successed");
808 return true;
809 }
810 return false;
811 }
812
GetCurrentUserId()813 int32_t EnterpriseDeviceMgrAbility::GetCurrentUserId()
814 {
815 std::vector<int32_t> ids;
816 ErrCode ret = AccountSA::OsAccountManager::QueryActiveOsAccountIds(ids);
817 if (FAILED(ret) || ids.empty()) {
818 EDMLOGE("EnterpriseDeviceMgrAbility GetCurrentUserId failed");
819 return -1;
820 }
821 EDMLOGD("EnterpriseDeviceMgrAbility GetCurrentUserId user id = %{public}d", ids.at(0));
822 return (ids.at(0));
823 }
824
GetAndSwitchPolicyManagerByUserId(int32_t userId)825 std::shared_ptr<PolicyManager> EnterpriseDeviceMgrAbility::GetAndSwitchPolicyManagerByUserId(int32_t userId)
826 {
827 auto iter = policyMgrMap_.find(userId);
828 std::shared_ptr<PolicyManager> policyMgr;
829 if (iter == policyMgrMap_.end()) {
830 policyMgr.reset(new (std::nothrow) PolicyManager(userId));
831 policyMgrMap_.insert(std::make_pair(userId, policyMgr));
832 EDMLOGI("get policyMgr failed create success userId : %{public}d", userId);
833 policyMgr->Init();
834 } else {
835 policyMgr = iter->second;
836 }
837 IPolicyManager::policyManagerInstance_ = policyMgr.get();
838 return policyMgr;
839 }
840
UpdateDevicePolicy(uint32_t code,AppExecFwk::ElementName & admin,MessageParcel & data,MessageParcel & reply,int32_t userId)841 ErrCode EnterpriseDeviceMgrAbility::UpdateDevicePolicy(uint32_t code, AppExecFwk::ElementName &admin,
842 MessageParcel &data, MessageParcel &reply, int32_t userId)
843 {
844 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
845 if (plugin == nullptr) {
846 EDMLOGW("UpdateDevicePolicy: get plugin failed, code:%{public}d", code);
847 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
848 }
849
850 // Set policy to other users except 100
851 policyMgr_ = GetAndSwitchPolicyManagerByUserId(userId);
852 std::string policyName = plugin->GetPolicyName();
853 std::string policyValue;
854 policyMgr_->GetPolicy(admin.GetBundleName(), policyName, policyValue);
855 bool isChanged = false;
856 ErrCode ret = plugin->OnHandlePolicy(code, data, reply, policyValue, isChanged, userId);
857 if (FAILED(ret)) {
858 EDMLOGW("UpdateDevicePolicy: OnHandlePolicy failed");
859 return ret;
860 }
861 EDMLOGD("UpdateDevicePolicy: isChanged:%{public}d, needSave:%{public}d\n", isChanged, plugin->NeedSavePolicy());
862 std::string oldCombinePolicy;
863 policyMgr_->GetPolicy("", policyName, oldCombinePolicy);
864 std::string mergedPolicy = policyValue;
865 bool isGlobalChanged = false;
866 if (plugin->NeedSavePolicy() && isChanged) {
867 ret = plugin->MergePolicyData(admin.GetBundleName(), mergedPolicy);
868 if (FAILED(ret)) {
869 EDMLOGW("UpdateDevicePolicy: MergePolicyData failed error:%{public}d", ret);
870 return ret;
871 }
872 policyMgr_->SetPolicy(admin.GetBundleName(), policyName, policyValue, mergedPolicy);
873 isGlobalChanged = (oldCombinePolicy != mergedPolicy);
874 }
875 plugin->OnHandlePolicyDone(code, admin.GetBundleName(), isGlobalChanged, userId);
876 // Reset to 100 policyMgr
877 policyMgr_ = GetAndSwitchPolicyManagerByUserId(DEFAULT_USER_ID);
878 return ERR_OK;
879 }
880
HandleDevicePolicy(uint32_t code,AppExecFwk::ElementName & admin,MessageParcel & data,MessageParcel & reply,int32_t userId)881 ErrCode EnterpriseDeviceMgrAbility::HandleDevicePolicy(uint32_t code, AppExecFwk::ElementName &admin,
882 MessageParcel &data, MessageParcel &reply, int32_t userId)
883 {
884 std::lock_guard<std::mutex> autoLock(mutexLock_);
885 #ifndef EDM_FUZZ_TEST
886 bool isUserExist = false;
887 AccountSA::OsAccountManager::IsOsAccountExists(userId, isUserExist);
888 if (!isUserExist) {
889 return EdmReturnErrCode::PARAM_ERROR;
890 }
891 EDMLOGI("HandleDevicePolicy: HandleDevicePolicy userId = %{public}d", userId);
892 std::shared_ptr<Admin> deviceAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
893 if (deviceAdmin == nullptr) {
894 EDMLOGW("HandleDevicePolicy: get admin failed");
895 return EdmReturnErrCode::ADMIN_INACTIVE;
896 }
897 if (FAILED(CheckCallingUid(deviceAdmin->adminInfo_.packageName_))) {
898 EDMLOGW("HandleDevicePolicy: CheckCallingUid failed.");
899 return EdmReturnErrCode::PERMISSION_DENIED;
900 }
901 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
902 if (plugin == nullptr) {
903 EDMLOGW("HandleDevicePolicy: get plugin failed, code:%{public}d", code);
904 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
905 }
906 EDMLOGD("HandleDevicePolicy: plugin info:%{public}d , %{public}s , %{public}s", plugin->GetCode(),
907 plugin->GetPolicyName().c_str(), plugin->GetPermission(FuncOperateType::SET).c_str());
908 if (!deviceAdmin->CheckPermission(plugin->GetPermission(FuncOperateType::SET)) ||
909 (deviceAdmin->adminInfo_.adminType_ != AdminType::ENT &&
910 deviceAdmin->adminInfo_.adminType_ != AdminType::SUB_SUPER_ADMIN && userId != GetCurrentUserId())) {
911 EDMLOGW("HandleDevicePolicy: admin check permission failed");
912 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
913 }
914 if (!VerifyCallingPermission(plugin->GetPermission(FuncOperateType::SET))) {
915 EDMLOGW("HandleDevicePolicy: VerifyCallingPermission failed");
916 return EdmReturnErrCode::PERMISSION_DENIED;
917 }
918 CreateSecurityContent(deviceAdmin, plugin);
919 #endif
920 return UpdateDevicePolicy(code, admin, data, reply, userId);
921 }
922
CreateSecurityContent(std::shared_ptr<Admin> deviceAdmin,std::shared_ptr<IPlugin> plugin)923 void EnterpriseDeviceMgrAbility::CreateSecurityContent(std::shared_ptr<Admin> deviceAdmin,
924 std::shared_ptr<IPlugin> plugin)
925 {
926 if (std::find(codeList.begin(), codeList.end(), plugin->GetCode()) == codeList.end()) {
927 EDMLOGE("EnterpriseDeviceMgrAbility::CreateSecurityContent code not in list: %{public}d", plugin->GetCode());
928 return;
929 }
930 std::string bundleName = deviceAdmin->adminInfo_.packageName_;
931 std::string abilityName = deviceAdmin->adminInfo_.className_;
932 std::string policyName = plugin->GetPolicyName();
933 SecurityReport::ReportSecurityInfo(bundleName, abilityName, policyName);
934 }
935
GetDevicePolicy(uint32_t code,MessageParcel & data,MessageParcel & reply,int32_t userId)936 ErrCode EnterpriseDeviceMgrAbility::GetDevicePolicy(uint32_t code, MessageParcel &data, MessageParcel &reply,
937 int32_t userId)
938 {
939 std::lock_guard<std::mutex> autoLock(mutexLock_);
940 bool isUserExist = false;
941 AccountSA::OsAccountManager::IsOsAccountExists(userId, isUserExist);
942 if (!isUserExist) {
943 reply.WriteInt32(EdmReturnErrCode::PARAM_ERROR);
944 return EdmReturnErrCode::PARAM_ERROR;
945 }
946 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
947 if (plugin == nullptr) {
948 EDMLOGW("GetDevicePolicy: get plugin failed");
949 reply.WriteInt32(EdmReturnErrCode::INTERFACE_UNSUPPORTED);
950 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
951 }
952 std::string adminName;
953 std::string getPermission = plugin->GetPermission(FuncOperateType::GET);
954 // has admin
955 if (data.ReadInt32() == 0) {
956 ErrCode ret = CheckGetPolicyPermission(data, reply, getPermission, adminName, userId);
957 if (FAILED(ret)) {
958 return ret;
959 }
960 }
961 std::string policyName = plugin->GetPolicyName();
962 std::string policyValue;
963
964 policyMgr_ = GetAndSwitchPolicyManagerByUserId(userId);
965 if (plugin->NeedSavePolicy()) {
966 policyMgr_->GetPolicy(adminName, policyName, policyValue);
967 }
968 ErrCode ret = plugin->OnGetPolicy(policyValue, data, reply, userId);
969 policyMgr_ = GetAndSwitchPolicyManagerByUserId(DEFAULT_USER_ID);
970 return ret;
971 }
972
CheckGetPolicyPermission(MessageParcel & data,MessageParcel & reply,const std::string & getPermission,std::string & adminName,const int32_t userId)973 ErrCode EnterpriseDeviceMgrAbility::CheckGetPolicyPermission(MessageParcel &data, MessageParcel &reply,
974 const std::string &getPermission, std::string &adminName, const int32_t userId)
975 {
976 std::unique_ptr<AppExecFwk::ElementName> admin(data.ReadParcelable<AppExecFwk::ElementName>());
977 if (!admin) {
978 EDMLOGW("GetDevicePolicy: ReadParcelable failed");
979 reply.WriteInt32(EdmReturnErrCode::PARAM_ERROR);
980 return ERR_EDM_PARAM_ERROR;
981 }
982 std::shared_ptr<Admin> deviceAdmin = adminMgr_->GetAdminByPkgName(admin->GetBundleName(), userId);
983 if (deviceAdmin == nullptr) {
984 EDMLOGW("GetDevicePolicy: get admin failed");
985 reply.WriteInt32(EdmReturnErrCode::ADMIN_INACTIVE);
986 return EdmReturnErrCode::ADMIN_INACTIVE;
987 }
988 if (FAILED(CheckCallingUid(deviceAdmin->adminInfo_.packageName_))) {
989 EDMLOGW("GetDevicePolicy: CheckCallingUid failed.");
990 reply.WriteInt32(EdmReturnErrCode::PERMISSION_DENIED);
991 return EdmReturnErrCode::PERMISSION_DENIED;
992 }
993 if (!getPermission.empty() && !deviceAdmin->CheckPermission(getPermission)) {
994 EDMLOGW("GetDevicePolicy: admin check permission failed %{public}s", getPermission.c_str());
995 reply.WriteInt32(EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED);
996 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
997 }
998 adminName = admin->GetBundleName();
999 return ERR_OK;
1000 }
1001
GetEnabledAdmin(AdminType type,std::vector<std::string> & enabledAdminList)1002 ErrCode EnterpriseDeviceMgrAbility::GetEnabledAdmin(AdminType type, std::vector<std::string> &enabledAdminList)
1003 {
1004 std::lock_guard<std::mutex> autoLock(mutexLock_);
1005 std::vector<std::string> superList;
1006 std::vector<std::string> normalList;
1007 switch (type) {
1008 case AdminType::NORMAL:
1009 adminMgr_->GetEnabledAdmin(AdminType::NORMAL, normalList, GetCurrentUserId());
1010 adminMgr_->GetEnabledAdmin(AdminType::ENT, superList, DEFAULT_USER_ID);
1011 break;
1012 case AdminType::ENT:
1013 adminMgr_->GetEnabledAdmin(AdminType::ENT, superList, DEFAULT_USER_ID);
1014 break;
1015 case AdminType::UNKNOWN:
1016 break;
1017 default:
1018 return ERR_EDM_PARAM_ERROR;
1019 }
1020 if (!superList.empty()) {
1021 enabledAdminList.insert(enabledAdminList.begin(), superList.begin(), superList.end());
1022 }
1023 if (!normalList.empty()) {
1024 enabledAdminList.insert(enabledAdminList.begin(), normalList.begin(), normalList.end());
1025 }
1026 for (const auto &enabledAdmin : enabledAdminList) {
1027 EDMLOGD("GetEnabledAdmin: %{public}s", enabledAdmin.c_str());
1028 }
1029 return ERR_OK;
1030 }
1031
GetEnterpriseInfo(AppExecFwk::ElementName & admin,MessageParcel & reply)1032 ErrCode EnterpriseDeviceMgrAbility::GetEnterpriseInfo(AppExecFwk::ElementName &admin, MessageParcel &reply)
1033 {
1034 std::lock_guard<std::mutex> autoLock(mutexLock_);
1035 EntInfo entInfo;
1036 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1037 ErrCode code = adminMgr_->GetEntInfo(admin.GetBundleName(), entInfo, userId);
1038 if (code != ERR_OK) {
1039 reply.WriteInt32(EdmReturnErrCode::ADMIN_INACTIVE);
1040 return EdmReturnErrCode::ADMIN_INACTIVE;
1041 }
1042 reply.WriteInt32(ERR_OK);
1043 entInfo.Marshalling(reply);
1044 EDMLOGD(
1045 "EnterpriseDeviceMgrAbility::GetEnterpriseInfo: entInfo->enterpriseName %{public}s, "
1046 "entInfo->description:%{public}s",
1047 entInfo.enterpriseName.c_str(), entInfo.description.c_str());
1048 return ERR_OK;
1049 }
1050
SetEnterpriseInfo(AppExecFwk::ElementName & admin,EntInfo & entInfo)1051 ErrCode EnterpriseDeviceMgrAbility::SetEnterpriseInfo(AppExecFwk::ElementName &admin, EntInfo &entInfo)
1052 {
1053 std::lock_guard<std::mutex> autoLock(mutexLock_);
1054 if (!VerifyCallingPermission(PERMISSION_SET_ENTERPRISE_INFO)) {
1055 EDMLOGW("EnterpriseDeviceMgrAbility::SetEnterpriseInfo: check permission failed");
1056 return EdmReturnErrCode::PERMISSION_DENIED;
1057 }
1058 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1059 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
1060 if (adminItem == nullptr) {
1061 return EdmReturnErrCode::ADMIN_INACTIVE;
1062 }
1063 int32_t ret = CheckCallingUid(adminItem->adminInfo_.packageName_);
1064 if (ret != ERR_OK) {
1065 EDMLOGW("SetEnterpriseInfo: CheckCallingUid failed: %{public}d", ret);
1066 return EdmReturnErrCode::PERMISSION_DENIED;
1067 }
1068 ErrCode code = adminMgr_->SetEntInfo(admin.GetBundleName(), entInfo, userId);
1069 return (code != ERR_OK) ? EdmReturnErrCode::ADMIN_INACTIVE : ERR_OK;
1070 }
1071
HandleApplicationEvent(const std::vector<uint32_t> & events,bool subscribe)1072 ErrCode EnterpriseDeviceMgrAbility::HandleApplicationEvent(const std::vector<uint32_t> &events, bool subscribe)
1073 {
1074 bool shouldHandleAppState = std::any_of(events.begin(), events.end(), [](uint32_t event) {
1075 return event == static_cast<uint32_t>(ManagedEvent::APP_START) ||
1076 event == static_cast<uint32_t>(ManagedEvent::APP_STOP);
1077 });
1078 if (!shouldHandleAppState) {
1079 return ERR_OK;
1080 }
1081 if (subscribe) {
1082 return SubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1083 } else {
1084 return UnsubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1085 }
1086 }
1087
SubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1088 ErrCode EnterpriseDeviceMgrAbility::SubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1089 const std::vector<uint32_t> &events)
1090 {
1091 std::lock_guard<std::mutex> autoLock(mutexLock_);
1092 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1093 RETURN_IF_FAILED(HandleApplicationEvent(events, true));
1094 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1095 adminMgr_->SaveSubscribeEvents(events, admin.GetBundleName(), userId);
1096 return ERR_OK;
1097 }
1098
UnsubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1099 ErrCode EnterpriseDeviceMgrAbility::UnsubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1100 const std::vector<uint32_t> &events)
1101 {
1102 std::lock_guard<std::mutex> autoLock(mutexLock_);
1103 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1104 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1105 adminMgr_->RemoveSubscribeEvents(events, admin.GetBundleName(), userId);
1106 return HandleApplicationEvent(events, false);
1107 }
1108
VerifyManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1109 ErrCode EnterpriseDeviceMgrAbility::VerifyManagedEvent(const AppExecFwk::ElementName &admin,
1110 const std::vector<uint32_t> &events)
1111 {
1112 if (!VerifyCallingPermission(PERMISSION_ENTERPRISE_SUBSCRIBE_MANAGED_EVENT)) {
1113 EDMLOGW("EnterpriseDeviceMgrAbility::VerifyManagedEvent: check permission failed");
1114 return EdmReturnErrCode::PERMISSION_DENIED;
1115 }
1116 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1117 if (adminItem == nullptr) {
1118 return EdmReturnErrCode::ADMIN_INACTIVE;
1119 }
1120 int32_t ret = CheckCallingUid(adminItem->adminInfo_.packageName_);
1121 if (ret != ERR_OK) {
1122 EDMLOGW("VerifyManagedEvent: CheckCallingUid failed: %{public}d", ret);
1123 return EdmReturnErrCode::PERMISSION_DENIED;
1124 }
1125 if (events.empty()) {
1126 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1127 }
1128 auto iter =
1129 std::find_if(events.begin(), events.end(), [this](uint32_t event) { return !CheckManagedEvent(event); });
1130 if (iter != std::end(events)) {
1131 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1132 }
1133 return ERR_OK;
1134 }
1135
CheckManagedEvent(uint32_t event)1136 bool EnterpriseDeviceMgrAbility::CheckManagedEvent(uint32_t event)
1137 {
1138 switch (event) {
1139 case static_cast<uint32_t>(ManagedEvent::BUNDLE_ADDED):
1140 case static_cast<uint32_t>(ManagedEvent::BUNDLE_REMOVED):
1141 case static_cast<uint32_t>(ManagedEvent::APP_START):
1142 case static_cast<uint32_t>(ManagedEvent::APP_STOP):
1143 case static_cast<uint32_t>(ManagedEvent::SYSTEM_UPDATE):
1144 break;
1145 default:
1146 return false;
1147 }
1148 return true;
1149 }
1150
AuthorizeAdmin(const AppExecFwk::ElementName & admin,const std::string & bundleName)1151 ErrCode EnterpriseDeviceMgrAbility::AuthorizeAdmin(const AppExecFwk::ElementName &admin, const std::string &bundleName)
1152 {
1153 std::lock_guard<std::mutex> autoLock(mutexLock_);
1154 if (!VerifyCallingPermission(PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
1155 EDMLOGW("EnterpriseDeviceMgrAbility::AuthorizeAdmin: check permission failed");
1156 return EdmReturnErrCode::PERMISSION_DENIED;
1157 }
1158 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1159 if (adminItem == nullptr) {
1160 EDMLOGW("EnterpriseDeviceMgrAbility::AuthorizeAdmin: not active admin.");
1161 return EdmReturnErrCode::ADMIN_INACTIVE;
1162 }
1163 if (adminItem->GetAdminType() != AdminType::ENT) {
1164 EDMLOGW("AuthorizeAdmin: Caller is not super admin.");
1165 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1166 }
1167 if (FAILED(CheckCallingUid(admin.GetBundleName()))) {
1168 EDMLOGW("AuthorizeAdmin: CheckCallingUid failed.");
1169 return EdmReturnErrCode::PERMISSION_DENIED;
1170 }
1171 /* Get all request and registered permissions */
1172 std::vector<std::string> permissionList;
1173 if (FAILED(GetAllPermissionsByAdmin(bundleName, permissionList, DEFAULT_USER_ID))) {
1174 EDMLOGW("EnableAdmin: GetAllPermissionsByAdmin failed.");
1175 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1176 }
1177 if (FAILED(adminMgr_->SaveAuthorizedAdmin(bundleName, permissionList, admin.GetBundleName()))) {
1178 EDMLOGW("EnableAdmin: SaveAuthorizedAdmin failed.");
1179 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1180 }
1181 return ERR_OK;
1182 }
1183 } // namespace EDM
1184 } // namespace OHOS