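/*
 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef FOUNDATION_APPEXECFWK_SERVICES_BUNDLEMGR_INCLUDE_BUNDLE_PERMISSION_MGR_H
#define FOUNDATION_APPEXECFWK_SERVICES_BUNDLEMGR_INCLUDE_BUNDLE_PERMISSION_MGR_H

// Standard headers for the std::map / std::string / std::vector and fixed-width integer
// types named in the declarations below, so this header does not rely on whatever the
// project headers happen to pull in.
#include <cstdint>
#include <map>
#include <string>
#include <vector>

#include "accesstoken_kit.h"
#include "bundle_constants.h"
#include "default_permission.h"
#include "inner_bundle_info.h"
#include "permission_define.h"
// NOTE(review): ErrCode and AAFwk::Want are used below, but no include visible here names
// them; presumably they arrive through the headers above - confirm.

namespace OHOS {
namespace AppExecFwk {
/**
 * @brief Static-only collection of permission and access-token operations.
 *
 * Every member is static; the class is never instantiated by anything declared here.
 *
 * Two different PermissionDef types appear in this class: the unqualified PermissionDef
 * (resolved inside OHOS::AppExecFwk) and Security::AccessToken::PermissionDef. The
 * ConvertPermissionDef overloads take one of each.
 *
 * NOTE(review): the Verify and Is members return the outcome of a check as bool or int32_t and none is
 * declared [[nodiscard]], so a call whose result is dropped compiles without a diagnostic.
 * Consider adding the attribute once existing callers have been audited.
 */
class BundlePermissionMgr {
public:
    /**
     * @brief Initialize BundlePermissionMgr, which is only called when the system starts.
     * @return Returns true if successfully initialized BundlePermissionMgr; returns false otherwise.
     */
    static bool Init();

    /**
     * @brief Counterpart of Init().
     * NOTE(review): what is released is not visible in this header - confirm in the implementation.
     */
    static void UnInit();

    /**
     * @brief Verify whether a specified bundle has been granted a specific permission.
     * @param bundleName Indicates the name of the bundle to check.
     * @param permissionName Indicates the permission to check.
     * @param userId Indicates the userId of the bundle.
     * @return Returns 0 if the bundle has the permission; returns -1 otherwise.
     * @note 0 is the "granted" value, so compare the result explicitly. Used directly as a
     *       boolean condition, the denied value (-1) evaluates to true.
     */
    static int32_t VerifyPermission(const std::string &bundleName, const std::string &permissionName,
        const int32_t userId);

    /**
     * @brief Obtains detailed information about a specified permission.
     * @param permissionName Indicates the name of the permission.
     * @param permissionDef Indicates the object containing detailed information about the given permission.
     * @return Returns an ErrCode, not a bool. The concrete success and failure values are not
     *         visible in this header (presumably ERR_OK on success - confirm).
     */
    static ErrCode GetPermissionDef(const std::string &permissionName, PermissionDef &permissionDef);

    /**
     * @brief Requests a certain permission from user.
     * @param bundleName Indicates the name of the bundle.
     * @param permissionName Indicates the permission to request.
     * @param userId Indicates the userId of the bundle.
     * @return Returns true if the permission is requested successfully; returns false otherwise.
     */
    static bool RequestPermissionFromUser(
        const std::string &bundleName, const std::string &permissionName, const int32_t userId);

    // ---- Access-token lifecycle -------------------------------------------------------
    // NOTE(review): the descriptions in this group are inferred from names and signatures
    // only; confirm each against the implementation.

    /**
     * @brief Creates an access token id for the bundle described by innerBundleInfo.
     * @param innerBundleInfo Indicates the bundle information the token is created from.
     * @param bundleName Indicates the name of the bundle. Taken by value, so every call copies
     *        the string; passing by reference would need the same change in the definition.
     * @param userId Indicates the userId of the bundle.
     * @return Returns the AccessTokenIDEx produced for the bundle.
     */
    static Security::AccessToken::AccessTokenIDEx CreateAccessTokenIdEx(
        const InnerBundleInfo &innerBundleInfo, const std::string bundleName, const int32_t userId);

    /**
     * @brief Overload of CreateAccessTokenIdEx that also receives a dlpType and a caller-built policy.
     * @param innerBundleInfo Indicates the bundle information the token is created from.
     * @param bundleName Indicates the name of the bundle (taken by value, see the overload above).
     * @param userId Indicates the userId of the bundle.
     * @param dlpType Indicates the DLP type; its valid values are not visible in this header.
     * @param hapPolicy Indicates the HapPolicyParams to use for the token.
     * @return Returns the AccessTokenIDEx produced for the bundle.
     */
    static Security::AccessToken::AccessTokenIDEx CreateAccessTokenIdEx(
        const InnerBundleInfo &innerBundleInfo, const std::string bundleName, const int32_t userId,
        const int32_t dlpType, const Security::AccessToken::HapPolicyParams &hapPolicy);

    /**
     * @brief Updates the defined and requested permissions of a token when a bundle changes from
     *        oldInfo to newInfo.
     * @param tokenIdEx Indicates the token; passed by non-const reference, so it may be modified.
     * @param oldInfo Indicates the bundle information before the update.
     * @param newInfo Indicates the bundle information after the update.
     * @param newRequestPermName Output list of permission names; presumably the newly requested ones.
     * @return Returns true on success; returns false otherwise.
     */
    static bool UpdateDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx &tokenIdEx,
        const InnerBundleInfo &oldInfo, const InnerBundleInfo &newInfo, std::vector<std::string> &newRequestPermName);

    /**
     * @brief Adds the defined and requested permissions of innerBundleInfo to a token.
     * @param tokenIdEx Indicates the token; passed by non-const reference, so it may be modified.
     * @param innerBundleInfo Indicates the bundle information to read permissions from.
     * @param newRequestPermName Output list of permission names; presumably the newly requested ones.
     * @return Returns true on success; returns false otherwise.
     */
    static bool AddDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx &tokenIdEx,
        const InnerBundleInfo &innerBundleInfo, std::vector<std::string> &newRequestPermName);

    /**
     * @brief Deletes the given access token id.
     * @param tokenId Indicates the token to delete.
     * @return Returns an int32_t status; the success value is not visible in this header.
     */
    static int32_t DeleteAccessTokenId(const Security::AccessToken::AccessTokenID tokenId);

    /**
     * @brief Grants the permissions requested by innerBundleInfo to tokenId.
     * @return Returns true on success; returns false otherwise.
     */
    static bool GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
        const Security::AccessToken::AccessTokenID tokenId);

    /**
     * @brief Overload of GrantRequestPermissions restricted to the names in requestPermName.
     * @return Returns true on success; returns false otherwise.
     */
    static bool GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
        const std::vector<std::string> &requestPermName,
        const Security::AccessToken::AccessTokenID tokenId);

    /**
     * @brief Fills bundleInfo with the state of its requested permissions for tokenId.
     * @param bundleInfo Indicates the BundleInfo to update (in/out).
     * @param tokenId Indicates the token; declared as uint32_t here rather than
     *        Security::AccessToken::AccessTokenID as elsewhere in this class.
     * @param deviceId Indicates the device id (taken by value, copied on every call).
     * @return Returns true on success; returns false otherwise.
     */
    static bool GetRequestPermissionStates(BundleInfo &bundleInfo, uint32_t tokenId, const std::string deviceId);

    /**
     * @brief Clears the user-granted permission state of tokenId.
     * @return Returns an int32_t status; the success value is not visible in this header.
     */
    static int32_t ClearUserGrantedPermissionState(const Security::AccessToken::AccessTokenID tokenId);

    /**
     * @brief Builds the HapPolicyParams for a bundle from an explicit list of permission states.
     */
    static Security::AccessToken::HapPolicyParams CreateHapPolicyParam(const InnerBundleInfo &innerBundleInfo,
        const std::vector<Security::AccessToken::PermissionStateFull> &permissions);

    /**
     * @brief Reads all requested permission states of tokenId into newPermissionState.
     * @return Returns true on success; returns false otherwise.
     */
    static bool GetAllReqPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,
        std::vector<Security::AccessToken::PermissionStateFull> &newPermissionState);

    // ---- Caller checks ----------------------------------------------------------------
    // NOTE(review): the descriptions in this group are inferred from names and signatures
    // only. In particular, this header does not show how "the caller" is identified, nor
    // which callers (if any) are exempted; confirm each against the implementation before
    // relying on a member as an authorization gate.

    /** @brief Checks whether the caller holds permissionName. */
    static bool VerifyCallingPermission(const std::string &permissionName);

    /**
     * @brief Checks whether the caller is a system app.
     * @param beginApiVersion Defaults to Constants::INVALID_API_VERSION; how the value changes
     *        the check is not visible in this header.
     */
    static bool VerifySystemApp(int32_t beginApiVersion = Constants::INVALID_API_VERSION);

    /** @brief Reports whether the caller is a system app. */
    static bool IsSystemApp();

    /** @brief Returns the API version of the calling HAP. */
    static int32_t GetHapApiVersion();

    /** @brief Reports whether the caller's token is a native token. */
    static bool IsNativeTokenType();

    /** @brief Checks the calling uid; the accepted uids are not visible in this header. */
    static bool VerifyCallingUid();

    /** @brief Checks whether the caller may issue the preload request described by want. */
    static bool VerifyPreload(const AAFwk::Want &want);

    /** @brief Checks permissionName for the caller; how it differs from VerifyCallingPermission is not visible here. */
    static bool VerifyCallingPermissionForAll(const std::string &permissionName);

    /**
     * @brief Checks a list of permission names for the caller.
     * NOTE(review): whether the caller must hold every name or only one of them is not visible
     * in this header - confirm before relying on it.
     */
    static bool VerifyCallingPermissionsForAll(const std::vector<std::string> &permissionNames);

    /** @brief Reports whether the call comes from the service itself. */
    static bool IsSelfCalling();

    /** @brief Checks whether the caller may uninstall bundles. */
    static bool VerifyUninstallPermission();

    /** @brief Checks whether the caller may recover bundles. */
    static bool VerifyRecoverPermission();

    /**
     * @brief Records the use of a permission.
     * @param permission Indicates the permission name.
     * @param successCount Indicates the number of successful uses to record.
     * @param failCount Indicates the number of failed uses to record.
     */
    static void AddPermissionUsedRecord(const std::string &permission, int32_t successCount, int32_t failCount);

    /** @brief Reports whether the caller is the bundle named bundleName. */
    static bool IsBundleSelfCalling(const std::string &bundleName);

    // for old api
    /**
     * @brief Checks the SDK version of the calling bundle.
     * @param beginApiVersion Defaults to Constants::INVALID_API_VERSION; how the value changes
     *        the check is not visible in this header.
     */
    static bool VerifyCallingBundleSdkVersion(int32_t beginApiVersion = Constants::INVALID_API_VERSION);

    /** @brief Reports whether the calling uid matches uid, or is otherwise acceptable - confirm. */
    static bool IsCallingUidValid(int32_t uid);

private:
    // NOTE(review): the private helpers below are described from their names and signatures
    // only; confirm against the implementation.

    /** @brief Collects the permissions defined by the bundle as AccessToken PermissionDef entries. */
    static std::vector<Security::AccessToken::PermissionDef> GetPermissionDefList(
        const InnerBundleInfo &innerBundleInfo);

    /** @brief Collects the permissions requested by the bundle as PermissionStateFull entries. */
    static std::vector<Security::AccessToken::PermissionStateFull> GetPermissionStateFullList(
        const InnerBundleInfo &innerBundleInfo);

    /**
     * @brief Decides whether permDef may be granted given an APL string and a list of ACL entries.
     * @param permDef Indicates the permission definition under test.
     * @param apl Indicates the APL of the bundle, as a string.
     * @param acls Indicates the ACL entries of the bundle.
     */
    static bool CheckGrantPermission(const Security::AccessToken::PermissionDef &permDef,
        const std::string &apl,
        const std::vector<std::string> &acls);

    /** @brief Computes the permission definitions of tokenId after merging permissionDef; result in newPermission. */
    static bool GetNewPermissionDefList(Security::AccessToken::AccessTokenID tokenId,
        const std::vector<Security::AccessToken::PermissionDef> &permissionDef,
        std::vector<Security::AccessToken::PermissionDef> &newPermission);

    /** @brief Computes the permission states of tokenId after merging permissionState; results in the two outputs. */
    static bool GetNewPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,
        const std::vector<Security::AccessToken::PermissionStateFull> &permissionState,
        std::vector<Security::AccessToken::PermissionStateFull> &newPermissionState,
        std::vector<std::string> &newRequestPermName);

    /**
     * @brief Grants the two permission lists to tokenId.
     * @param systemGrantPermList Taken by value: the vector is copied on every call.
     * @param userGrantPermList Taken by value: the vector is copied on every call.
     */
    static bool InnerGrantRequestPermissions(Security::AccessToken::AccessTokenID tokenId,
        const InnerBundleInfo &innerBundleInfo,
        std::vector<std::string> systemGrantPermList,
        std::vector<std::string> userGrantPermList);

    /** @brief Maps an APL string to ATokenAplEnum; the result for an unknown string is not visible here. */
    static Security::AccessToken::ATokenAplEnum GetTokenApl(const std::string &apl);

    /** @brief Builds the HapPolicyParams for a bundle from innerBundleInfo alone. */
    static Security::AccessToken::HapPolicyParams CreateHapPolicyParam(const InnerBundleInfo &innerBundleInfo);

    /** @brief Converts a Security::AccessToken::PermissionDef (input) into the AppExecFwk PermissionDef (output). */
    static void ConvertPermissionDef(const Security::AccessToken::PermissionDef &permDef,
        PermissionDef &permissionDef);

    /** @brief Fills a Security::AccessToken::PermissionDef (output) from a DefinePermission and a bundle name. */
    static void ConvertPermissionDef(
        Security::AccessToken::PermissionDef &permDef, const DefinePermission &defPermission,
        const std::string &bundleName);

    /** @brief Maps an available-type string to ATokenAvailableTypeEnum; the result for an unknown string is not visible here. */
    static Security::AccessToken::ATokenAvailableTypeEnum GetAvailableType(const std::string &availableType);

    /** @brief Names of defined permissions to delete when moving from oldInfo to newInfo. */
    static std::vector<std::string> GetNeedDeleteDefinePermissionName(const InnerBundleInfo &oldInfo,
        const InnerBundleInfo &newInfo);

    /** @brief Names of requested permissions to delete when moving from oldInfo to newInfo. */
    static std::vector<std::string> GetNeedDeleteRequestPermissionName(const InnerBundleInfo &oldInfo,
        const InnerBundleInfo &newInfo);

    /** @brief Looks up the DefaultPermission entry for bundleName; presumably in defaultPermissions_. */
    static bool GetDefaultPermission(const std::string &bundleName, DefaultPermission &permission);

    /** @brief Tests a DefaultPermission entry against a list of signatures. */
    static bool MatchSignature(const DefaultPermission &permission, const std::vector<std::string> &signatures);

    /** @brief Tests a DefaultPermission entry against a single signature. */
    static bool MatchSignature(const DefaultPermission &permission, const std::string &signature);

    /**
     * @brief Looks for permissionName inside defaultPermission.
     * @param userCancellable Output flag; its value when the function returns false is not
     *        visible in this header.
     */
    static bool CheckPermissionInDefaultPermissions(const DefaultPermission &defaultPermission,
        const std::string &permissionName, bool &userCancellable);

    /** @brief Grants a single permission to tokenId with the given PermissionFlag. */
    static bool GrantPermission(const Security::AccessToken::AccessTokenID tokenId,
        const std::string &permissionName, const Security::AccessToken::PermissionFlag flag,
        const std::string &bundleName);

    /** @brief Define-permission half of an update from oldInfo to newInfo; result in newDefPermList. */
    static bool InnerUpdateDefinePermission(
        const Security::AccessToken::AccessTokenID tokenId,
        const InnerBundleInfo &oldInfo,
        const InnerBundleInfo &newInfo,
        std::vector<Security::AccessToken::PermissionDef> &newDefPermList);

    /** @brief Request-permission half of an update from oldInfo to newInfo; results in the two outputs. */
    static bool InnerUpdateRequestPermission(
        const Security::AccessToken::AccessTokenID tokenId,
        const InnerBundleInfo &oldInfo,
        const InnerBundleInfo &newInfo,
        std::vector<Security::AccessToken::PermissionStateFull> &newPermissionStateList,
        std::vector<std::string> &newRequestPermName);

    /** @brief Splits the bundle's requested permissions into a system-grant list and a user-grant list. */
    static bool InnerFilterRequestPermissions(
        const InnerBundleInfo &innerBundleInfo,
        std::vector<std::string> &systemGrantPermList,
        std::vector<std::string> &userGrantPermList);

    /** @brief Checks permDef against the app distribution type. */
    static bool CheckPermissionAvailableType(const std::string &appDistributionType,
        const Security::AccessToken::PermissionDef &permDef);

    // Shared table of DefaultPermission entries keyed by a string (presumably the bundle name,
    // going by GetDefaultPermission - confirm). No lock is declared in this class, so any
    // synchronization of access to this map has to live in the implementation.
    static std::map<std::string, DefaultPermission> defaultPermissions_;
};
}  // namespace AppExecFwk
}  // namespace OHOS
#endif  // FOUNDATION_APPEXECFWK_SERVICES_BUNDLEMGR_INCLUDE_BUNDLE_PERMISSION_MGR_H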