1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "bundle_permission_mgr.h"
17
18 #include "app_log_wrapper.h"
19 #include "bundle_mgr_service.h"
20 #include "bundle_parser.h"
21 #include "ipc_skeleton.h"
22 #include "parameter.h"
23 #include "privacy_kit.h"
24 #include "tokenid_kit.h"
25
26 namespace OHOS {
27 namespace AppExecFwk {
28 namespace {
29 // pre bundle profile
30 constexpr const char* INSTALL_LIST_PERMISSIONS_CONFIG = "/etc/app/install_list_permissions.json";
31 constexpr const char* SCENEBOARD_BUNDLE_NAME = "com.ohos.sceneboard";
32 const int32_t BASE_API_VERSION = 1000;
33 }
34
35 using namespace OHOS::Security;
36 std::map<std::string, DefaultPermission> BundlePermissionMgr::defaultPermissions_;
37
Init()38 bool BundlePermissionMgr::Init()
39 {
40 std::vector<std::string> permissionFileList;
41 #ifdef USE_PRE_BUNDLE_PROFILE
42 std::vector<std::string> rootDirList;
43 BMSEventHandler::GetPreInstallRootDirList(rootDirList);
44 if (rootDirList.empty()) {
45 APP_LOGE("rootDirList is empty");
46 return false;
47 }
48 for (const auto &item : rootDirList) {
49 permissionFileList.push_back(item + INSTALL_LIST_PERMISSIONS_CONFIG);
50 }
51 #else
52 permissionFileList.emplace_back(Constants::INSTALL_LIST_PERMISSIONS_FILE_PATH);
53 #endif
54 BundleParser bundleParser;
55 std::set<DefaultPermission> permissions;
56 for (const auto &permissionFile : permissionFileList) {
57 if (bundleParser.ParseDefaultPermission(permissionFile, permissions) != ERR_OK) {
58 APP_LOGD("BundlePermissionMgr::Init failed");
59 continue;
60 }
61 }
62
63 defaultPermissions_.clear();
64 for (const auto &permission : permissions) {
65 defaultPermissions_.try_emplace(permission.bundleName, permission);
66 }
67 APP_LOGD("BundlePermissionMgr::Init success");
68 return true;
69 }
70
UnInit()71 void BundlePermissionMgr::UnInit()
72 {
73 APP_LOGD("BundlePermissionMgr::UnInit");
74 defaultPermissions_.clear();
75 }
76
ConvertPermissionDef(const AccessToken::PermissionDef & permDef,PermissionDef & permissionDef)77 void BundlePermissionMgr::ConvertPermissionDef(
78 const AccessToken::PermissionDef &permDef, PermissionDef &permissionDef)
79 {
80 permissionDef.permissionName = permDef.permissionName;
81 permissionDef.bundleName = permDef.bundleName;
82 permissionDef.grantMode = permDef.grantMode;
83 permissionDef.availableLevel = permDef.availableLevel;
84 permissionDef.provisionEnable = permDef.provisionEnable;
85 permissionDef.distributedSceneEnable = permDef.distributedSceneEnable;
86 permissionDef.label = permDef.label;
87 permissionDef.labelId = permDef.labelId;
88 permissionDef.description = permDef.description;
89 permissionDef.descriptionId = permDef.descriptionId;
90 permissionDef.availableType = permDef.availableType;
91 }
92
93 // Convert from the struct DefinePermission that parsed from config.json
ConvertPermissionDef(AccessToken::PermissionDef & permDef,const DefinePermission & definePermission,const std::string & bundleName)94 void BundlePermissionMgr::ConvertPermissionDef(
95 AccessToken::PermissionDef &permDef, const DefinePermission &definePermission, const std::string &bundleName)
96 {
97 permDef.permissionName = definePermission.name;
98 permDef.bundleName = bundleName;
99 permDef.grantMode = [&definePermission]() -> int {
100 if (definePermission.grantMode ==
101 Profile::DEFINEPERMISSION_GRANT_MODE_SYSTEM_GRANT) {
102 return AccessToken::GrantMode::SYSTEM_GRANT;
103 }
104 return AccessToken::GrantMode::USER_GRANT;
105 }();
106
107 permDef.availableLevel = GetTokenApl(definePermission.availableLevel);
108 permDef.provisionEnable = definePermission.provisionEnable;
109 permDef.distributedSceneEnable = definePermission.distributedSceneEnable;
110 permDef.label = definePermission.label;
111 permDef.labelId = definePermission.labelId;
112 permDef.description = definePermission.description;
113 permDef.descriptionId = definePermission.descriptionId;
114 permDef.availableType = GetAvailableType(definePermission.availableType);
115 }
116
GetAvailableType(const std::string & availableType)117 AccessToken::ATokenAvailableTypeEnum BundlePermissionMgr::GetAvailableType(
118 const std::string &availableType)
119 {
120 if (availableType == Profile::DEFINEPERMISSION_AVAILABLE_TYPE_MDM) {
121 return AccessToken::ATokenAvailableTypeEnum::MDM;
122 }
123 return AccessToken::ATokenAvailableTypeEnum::NORMAL;
124 }
125
GetTokenApl(const std::string & apl)126 AccessToken::ATokenAplEnum BundlePermissionMgr::GetTokenApl(const std::string &apl)
127 {
128 if (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE) {
129 return AccessToken::ATokenAplEnum::APL_SYSTEM_CORE;
130 }
131 if (apl == Profile::AVAILABLELEVEL_SYSTEM_BASIC) {
132 return AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC;
133 }
134 return AccessToken::ATokenAplEnum::APL_NORMAL;
135 }
136
CreateHapPolicyParam(const InnerBundleInfo & innerBundleInfo)137 AccessToken::HapPolicyParams BundlePermissionMgr::CreateHapPolicyParam(
138 const InnerBundleInfo &innerBundleInfo)
139 {
140 std::vector<AccessToken::PermissionStateFull> permStateFull = GetPermissionStateFullList(innerBundleInfo);
141 return CreateHapPolicyParam(innerBundleInfo, permStateFull);
142 }
143
CreateHapPolicyParam(const InnerBundleInfo & innerBundleInfo,const std::vector<Security::AccessToken::PermissionStateFull> & permissions)144 AccessToken::HapPolicyParams BundlePermissionMgr::CreateHapPolicyParam(
145 const InnerBundleInfo &innerBundleInfo, const std::vector<Security::AccessToken::PermissionStateFull> &permissions)
146 {
147 AccessToken::HapPolicyParams hapPolicy;
148 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
149 APP_LOGD("BundlePermissionMgr::CreateHapPolicyParam apl : %{public}s", apl.c_str());
150 std::vector<AccessToken::PermissionDef> permDef = GetPermissionDefList(innerBundleInfo);
151 hapPolicy.apl = GetTokenApl(apl);
152 hapPolicy.domain = "domain";
153 hapPolicy.permList = permDef;
154 hapPolicy.permStateList = permissions;
155 return hapPolicy;
156 }
157
CreateAccessTokenIdEx(const InnerBundleInfo & innerBundleInfo,const std::string bundleName,const int32_t userId)158 AccessToken::AccessTokenIDEx BundlePermissionMgr::CreateAccessTokenIdEx(
159 const InnerBundleInfo &innerBundleInfo, const std::string bundleName, const int32_t userId)
160 {
161 APP_LOGD("BundlePermissionMgr::CreateAccessTokenId bundleName = %{public}s, userId = %{public}d",
162 bundleName.c_str(), userId);
163 AccessToken::HapPolicyParams hapPolicy = CreateHapPolicyParam(innerBundleInfo);
164 return CreateAccessTokenIdEx(innerBundleInfo, bundleName, userId, 0, hapPolicy);
165 }
166
CreateAccessTokenIdEx(const InnerBundleInfo & innerBundleInfo,const std::string bundleName,const int32_t userId,const int32_t dlpType,const AccessToken::HapPolicyParams & hapPolicy)167 AccessToken::AccessTokenIDEx BundlePermissionMgr::CreateAccessTokenIdEx(
168 const InnerBundleInfo &innerBundleInfo, const std::string bundleName, const int32_t userId, const int32_t dlpType,
169 const AccessToken::HapPolicyParams &hapPolicy)
170 {
171 APP_LOGD("CreateAccessTokenId bundleName = %{public}s, userId = %{public}d, dlpType = %{public}d",
172 bundleName.c_str(), userId, dlpType);
173 AccessToken::HapInfoParams hapInfo;
174 hapInfo.userID = userId;
175 hapInfo.bundleName = bundleName;
176 hapInfo.instIndex = innerBundleInfo.GetAppIndex();
177 hapInfo.appIDDesc = innerBundleInfo.GetAppId();
178 hapInfo.dlpType = dlpType;
179 hapInfo.apiVersion = innerBundleInfo.GetBaseApplicationInfo().apiTargetVersion;
180 hapInfo.isSystemApp = innerBundleInfo.IsSystemApp();
181 AccessToken::AccessTokenIDEx accessToken = AccessToken::AccessTokenKit::AllocHapToken(hapInfo, hapPolicy);
182 APP_LOGI("BundlePermissionMgr::CreateAccessTokenId bundleName: %{public}s, accessTokenId = %{public}u",
183 bundleName.c_str(), accessToken.tokenIdExStruct.tokenID);
184 return accessToken;
185 }
186
UpdateDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx & tokenIdEx,const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo,std::vector<std::string> & newRequestPermName)187 bool BundlePermissionMgr::UpdateDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx &tokenIdEx,
188 const InnerBundleInfo &oldInfo, const InnerBundleInfo &newInfo, std::vector<std::string> &newRequestPermName)
189 {
190 APP_LOGD("UpdateDefineAndRequestPermissions bundleName = %{public}s", newInfo.GetBundleName().c_str());
191 std::vector<AccessToken::PermissionDef> newDefPermList = GetPermissionDefList(newInfo);
192
193 std::vector<AccessToken::PermissionStateFull> newPermissionStateList;
194 if (!InnerUpdateRequestPermission(tokenIdEx.tokenIdExStruct.tokenID, oldInfo, newInfo,
195 newPermissionStateList, newRequestPermName)) {
196 APP_LOGE("UpdateDefineAndRequestPermissions InnerUpdateRequestPermission failed");
197 return false;
198 }
199
200 AccessToken::HapPolicyParams hapPolicy;
201 std::string apl = newInfo.GetAppPrivilegeLevel();
202 APP_LOGI("newDefPermList size:%{public}zu, newPermissionStateList size:%{public}zu, isSystemApp: %{public}d",
203 newDefPermList.size(), newPermissionStateList.size(), newInfo.IsSystemApp());
204 hapPolicy.apl = GetTokenApl(apl);
205 hapPolicy.domain = "domain"; // default
206 hapPolicy.permList = newDefPermList;
207 hapPolicy.permStateList = newPermissionStateList;
208 std::string appId = newInfo.GetAppId();
209 int32_t ret = AccessToken::AccessTokenKit::UpdateHapToken(tokenIdEx, newInfo.IsSystemApp(), appId,
210 newInfo.GetBaseApplicationInfo().apiTargetVersion, hapPolicy);
211 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
212 APP_LOGE("UpdateDefineAndRequestPermissions UpdateHapToken failed errcode: %{public}d", ret);
213 return false;
214 }
215 APP_LOGD("BundlePermissionMgr::UpdateDefineAndRequestPermissions end");
216 return true;
217 }
218
GetNeedDeleteDefinePermissionName(const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo)219 std::vector<std::string> BundlePermissionMgr::GetNeedDeleteDefinePermissionName(const InnerBundleInfo &oldInfo,
220 const InnerBundleInfo &newInfo)
221 {
222 std::vector<DefinePermission> oldDefinePermissions = oldInfo.GetAllDefinePermissions();
223 std::vector<DefinePermission> newDefinePermissions = newInfo.GetAllDefinePermissions();
224 std::vector<std::string> needDeleteDefinePermission;
225 for (const auto &defPerm : oldDefinePermissions) {
226 auto iter = std::find_if(newDefinePermissions.begin(), newDefinePermissions.end(),
227 [&defPerm](const auto &perm) {
228 return defPerm.name == perm.name;
229 });
230 if (iter == newDefinePermissions.end()) {
231 APP_LOGD("GetNeedDeleteDefinePermissionName need delete %{public}s", defPerm.name.c_str());
232 needDeleteDefinePermission.emplace_back(defPerm.name);
233 }
234 }
235 return needDeleteDefinePermission;
236 }
237
GetNeedDeleteRequestPermissionName(const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo)238 std::vector<std::string> BundlePermissionMgr::GetNeedDeleteRequestPermissionName(const InnerBundleInfo &oldInfo,
239 const InnerBundleInfo &newInfo)
240 {
241 std::vector<RequestPermission> oldRequestPermissions = oldInfo.GetAllRequestPermissions();
242 std::vector<RequestPermission> newRequestPermissions = newInfo.GetAllRequestPermissions();
243 std::vector<std::string> needDeleteRequestPermission;
244 for (const auto &reqPerm : oldRequestPermissions) {
245 auto iter = std::find_if(newRequestPermissions.begin(), newRequestPermissions.end(),
246 [&reqPerm](const auto &perm) {
247 return reqPerm.name == perm.name;
248 });
249 if (iter == newRequestPermissions.end()) {
250 APP_LOGD("GetNeedDeleteRequestPermissionName need delete %{public}s", reqPerm.name.c_str());
251 needDeleteRequestPermission.emplace_back(reqPerm.name);
252 }
253 }
254 return needDeleteRequestPermission;
255 }
256
GetNewPermissionDefList(Security::AccessToken::AccessTokenID tokenId,const std::vector<Security::AccessToken::PermissionDef> & permissionDef,std::vector<Security::AccessToken::PermissionDef> & newPermissionDef)257 bool BundlePermissionMgr::GetNewPermissionDefList(Security::AccessToken::AccessTokenID tokenId,
258 const std::vector<Security::AccessToken::PermissionDef> &permissionDef,
259 std::vector<Security::AccessToken::PermissionDef> &newPermissionDef)
260 {
261 int32_t ret = AccessToken::AccessTokenKit::GetDefPermissions(tokenId, newPermissionDef);
262 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
263 APP_LOGE("BundlePermissionMgr::GetNewPermissionDefList GetDefPermissions failed errcode: %{public}d", ret);
264 return false;
265 }
266 for (const auto &perm : permissionDef) {
267 if (std::find_if(newPermissionDef.begin(), newPermissionDef.end(), [&perm](const auto &newPerm) {
268 return newPerm.permissionName == perm.permissionName;
269 }) == newPermissionDef.end()) {
270 APP_LOGD("BundlePermissionMgr::GetNewPermissionDefList add define permission %{public}s",
271 perm.permissionName.c_str());
272 newPermissionDef.emplace_back(perm);
273 }
274 }
275 return true;
276 }
277
GetNewPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,const std::vector<Security::AccessToken::PermissionStateFull> & permissionState,std::vector<Security::AccessToken::PermissionStateFull> & newPermissionState,std::vector<std::string> & newRequestPermName)278 bool BundlePermissionMgr::GetNewPermissionStateFull(Security::AccessToken::AccessTokenID tokenId,
279 const std::vector<Security::AccessToken::PermissionStateFull> &permissionState,
280 std::vector<Security::AccessToken::PermissionStateFull> &newPermissionState,
281 std::vector<std::string> &newRequestPermName)
282 {
283 if (!GetAllReqPermissionStateFull(tokenId, newPermissionState)) {
284 APP_LOGE("BundlePermissionMgr::GetNewPermissionStateFull failed");
285 return false;
286 }
287 // add old permission which need grant again
288 for (const auto &state : newPermissionState) {
289 if ((state.grantStatus[0] == AccessToken::PermissionState::PERMISSION_DENIED) &&
290 (state.grantFlags[0] == AccessToken::PermissionFlag::PERMISSION_DEFAULT_FLAG)) {
291 APP_LOGD("BundlePermissionMgr::GetNewPermissionStateFull add old permission:%{public}s",
292 state.permissionName.c_str());
293 newRequestPermName.emplace_back(state.permissionName);
294 }
295 }
296
297 for (const auto &perm : permissionState) {
298 if (std::find_if(newPermissionState.begin(), newPermissionState.end(), [&perm](const auto &newPerm) {
299 return newPerm.permissionName == perm.permissionName;
300 }) == newPermissionState.end()) {
301 APP_LOGD("BundlePermissionMgr::GetNewPermissionStateFull add request permission %{public}s",
302 perm.permissionName.c_str());
303 newPermissionState.emplace_back(perm);
304 newRequestPermName.emplace_back(perm.permissionName);
305 }
306 }
307 return true;
308 }
309
AddDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx & tokenIdEx,const InnerBundleInfo & innerBundleInfo,std::vector<std::string> & newRequestPermName)310 bool BundlePermissionMgr::AddDefineAndRequestPermissions(Security::AccessToken::AccessTokenIDEx &tokenIdEx,
311 const InnerBundleInfo &innerBundleInfo, std::vector<std::string> &newRequestPermName)
312 {
313 APP_LOGD("BundlePermissionMgr::AddDefineAndRequestPermissions start");
314 std::vector<AccessToken::PermissionDef> defPermList = GetPermissionDefList(innerBundleInfo);
315 std::vector<AccessToken::PermissionDef> newDefPermList;
316 if (!GetNewPermissionDefList(tokenIdEx.tokenIdExStruct.tokenID, defPermList, newDefPermList)) {
317 return false;
318 }
319
320 std::vector<AccessToken::PermissionStateFull> reqPermissionStateList = GetPermissionStateFullList(innerBundleInfo);
321 std::vector<AccessToken::PermissionStateFull> newPermissionStateList;
322 if (!GetNewPermissionStateFull(tokenIdEx.tokenIdExStruct.tokenID, reqPermissionStateList,
323 newPermissionStateList, newRequestPermName)) {
324 return false;
325 }
326
327 AccessToken::HapPolicyParams hapPolicy;
328 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
329 APP_LOGI("BundlePermissionMgr::AddDefineAndRequestPermissions apl : %{public}s, newDefPermList size : %{public}zu, \
330 newPermissionStateList size : %{public}zu", apl.c_str(), newDefPermList.size(),
331 newPermissionStateList.size());
332 hapPolicy.apl = GetTokenApl(apl);
333 hapPolicy.domain = "domain"; // default
334 hapPolicy.permList = newDefPermList;
335 hapPolicy.permStateList = newPermissionStateList;
336 std::string appId = innerBundleInfo.GetAppId();
337 int32_t ret = AccessToken::AccessTokenKit::UpdateHapToken(tokenIdEx, innerBundleInfo.IsSystemApp(), appId,
338 innerBundleInfo.GetBaseApplicationInfo().apiTargetVersion, hapPolicy);
339 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
340 APP_LOGE("BundlePermissionMgr::AddDefineAndRequestPermissions UpdateHapToken failed errcode: %{public}d", ret);
341 return false;
342 }
343 APP_LOGD("BundlePermissionMgr::AddDefineAndRequestPermissions end");
344 return true;
345 }
346
DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)347 int32_t BundlePermissionMgr::DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)
348 {
349 return AccessToken::AccessTokenKit::DeleteToken(tokenId);
350 }
351
ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)352 int32_t BundlePermissionMgr::ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)
353 {
354 return AccessToken::AccessTokenKit::ClearUserGrantedPermissionState(tokenId);
355 }
356
GetPermissionDefList(const InnerBundleInfo & innerBundleInfo)357 std::vector<AccessToken::PermissionDef> BundlePermissionMgr::GetPermissionDefList(
358 const InnerBundleInfo &innerBundleInfo)
359 {
360 const auto bundleName = innerBundleInfo.GetBundleName();
361 const auto defPermissions = innerBundleInfo.GetAllDefinePermissions();
362 std::vector<AccessToken::PermissionDef> permList;
363 if (!defPermissions.empty()) {
364 for (const auto &defPermission : defPermissions) {
365 AccessToken::PermissionDef perm;
366 APP_LOGD("defPermission %{public}s", defPermission.name.c_str());
367 ConvertPermissionDef(perm, defPermission, bundleName);
368 permList.emplace_back(perm);
369 }
370 }
371 return permList;
372 }
373
GetPermissionStateFullList(const InnerBundleInfo & innerBundleInfo)374 std::vector<AccessToken::PermissionStateFull> BundlePermissionMgr::GetPermissionStateFullList(
375 const InnerBundleInfo &innerBundleInfo)
376 {
377 auto reqPermissions = innerBundleInfo.GetAllRequestPermissions();
378 std::vector<AccessToken::PermissionStateFull> permStateFullList;
379 if (!reqPermissions.empty()) {
380 for (const auto &reqPermission : reqPermissions) {
381 AccessToken::PermissionStateFull perState;
382 perState.permissionName = reqPermission.name;
383 perState.isGeneral = true;
384 perState.resDeviceID.emplace_back(innerBundleInfo.GetBaseApplicationInfo().deviceId);
385 perState.grantStatus.emplace_back(AccessToken::PermissionState::PERMISSION_DENIED);
386 perState.grantFlags.emplace_back(AccessToken::PermissionFlag::PERMISSION_DEFAULT_FLAG);
387 permStateFullList.emplace_back(perState);
388 }
389 } else {
390 APP_LOGD("BundlePermissionMgr::GetPermissionStateFullList requestPermission is empty");
391 }
392 return permStateFullList;
393 }
394
GrantPermission(const Security::AccessToken::AccessTokenID tokenId,const std::string & permissionName,const Security::AccessToken::PermissionFlag flag,const std::string & bundleName)395 bool BundlePermissionMgr::GrantPermission(
396 const Security::AccessToken::AccessTokenID tokenId,
397 const std::string &permissionName,
398 const Security::AccessToken::PermissionFlag flag,
399 const std::string &bundleName)
400 {
401 int32_t ret = AccessToken::AccessTokenKit::GrantPermission(tokenId, permissionName, flag);
402 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
403 APP_LOGE("GrantPermission failed, bundleName:%{public}s, request permission:%{public}s, err:%{public}d",
404 bundleName.c_str(), permissionName.c_str(), ret);
405 return false;
406 }
407 return true;
408 }
409
CheckPermissionAvailableType(const std::string & appDistributionType,const Security::AccessToken::PermissionDef & permDef)410 bool BundlePermissionMgr::CheckPermissionAvailableType(
411 const std::string &appDistributionType, const Security::AccessToken::PermissionDef &permDef)
412 {
413 if (appDistributionType != Constants::APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM &&
414 permDef.availableType == Security::AccessToken::ATokenAvailableTypeEnum::MDM) {
415 APP_LOGE("%{public}s is a mdm permission, which is not available for not mdm application",
416 permDef.permissionName.c_str());
417 return false;
418 }
419 return true;
420 }
421
InnerGrantRequestPermissions(Security::AccessToken::AccessTokenID tokenId,const InnerBundleInfo & innerBundleInfo,std::vector<std::string> systemGrantPermList,std::vector<std::string> userGrantPermList)422 bool BundlePermissionMgr::InnerGrantRequestPermissions(
423 Security::AccessToken::AccessTokenID tokenId,
424 const InnerBundleInfo &innerBundleInfo,
425 std::vector<std::string> systemGrantPermList,
426 std::vector<std::string> userGrantPermList)
427 {
428 std::string bundleName = innerBundleInfo.GetBundleName();
429 APP_LOGI("bundleName:%{public}s, add system_grant permission: %{public}zu, add user_grant permission: %{public}zu",
430 bundleName.c_str(), systemGrantPermList.size(), userGrantPermList.size());
431 for (const auto &perm : systemGrantPermList) {
432 if (!GrantPermission(tokenId, perm, AccessToken::PermissionFlag::PERMISSION_SYSTEM_FIXED, bundleName)) {
433 return false;
434 }
435 }
436
437 DefaultPermission permission;
438 if (!GetDefaultPermission(bundleName, permission)) {
439 return true;
440 }
441
442 #ifdef USE_PRE_BUNDLE_PROFILE
443 if (!MatchSignature(permission, innerBundleInfo.GetCertificateFingerprint()) &&
444 !MatchSignature(permission, innerBundleInfo.GetAppId()) &&
445 !MatchSignature(permission, innerBundleInfo.GetAppIdentifier()) &&
446 !MatchSignature(permission, innerBundleInfo.GetOldAppIds())) {
447 APP_LOGW("bundleName:%{public}s MatchSignature failed", bundleName.c_str());
448 return true;
449 }
450 #endif
451
452 for (const auto &perm: userGrantPermList) {
453 bool userCancellable = false;
454 if (!CheckPermissionInDefaultPermissions(permission, perm, userCancellable)) {
455 continue;
456 }
457 AccessToken::PermissionFlag flag = userCancellable ?
458 AccessToken::PermissionFlag::PERMISSION_GRANTED_BY_POLICY :
459 AccessToken::PermissionFlag::PERMISSION_SYSTEM_FIXED;
460 if (!GrantPermission(tokenId, perm, flag, bundleName)) {
461 return false;
462 }
463 }
464 APP_LOGD("InnerGrantRequestPermissions end, bundleName:%{public}s", bundleName.c_str());
465 return true;
466 }
467
GrantRequestPermissions(const InnerBundleInfo & innerBundleInfo,const AccessToken::AccessTokenID tokenId)468 bool BundlePermissionMgr::GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
469 const AccessToken::AccessTokenID tokenId)
470 {
471 // check all request permission when first install
472 std::vector<std::string> systemGrantPermList;
473 std::vector<std::string> userGrantPermList;
474 if (!InnerFilterRequestPermissions(innerBundleInfo, systemGrantPermList, userGrantPermList)) {
475 APP_LOGE("filer permission failed");
476 return false;
477 }
478 return InnerGrantRequestPermissions(tokenId, innerBundleInfo, systemGrantPermList, userGrantPermList);
479 }
480
GrantRequestPermissions(const InnerBundleInfo & innerBundleInfo,const std::vector<std::string> & requestPermName,const AccessToken::AccessTokenID tokenId)481 bool BundlePermissionMgr::GrantRequestPermissions(const InnerBundleInfo &innerBundleInfo,
482 const std::vector<std::string> &requestPermName,
483 const AccessToken::AccessTokenID tokenId)
484 {
485 // check all request permission when update
486 std::vector<std::string> systemGrantPermList;
487 std::vector<std::string> userGrantPermList;
488 if (!InnerFilterRequestPermissions(innerBundleInfo, systemGrantPermList, userGrantPermList)) {
489 APP_LOGE("filer permission failed");
490 return false;
491 }
492 for (auto iter = systemGrantPermList.begin(); iter != systemGrantPermList.end();) {
493 if (find(requestPermName.begin(), requestPermName.end(), *iter) == requestPermName.end()) {
494 iter = systemGrantPermList.erase(iter);
495 } else {
496 ++iter;
497 }
498 }
499
500 for (auto iter = userGrantPermList.begin(); iter != userGrantPermList.end();) {
501 if (find(requestPermName.begin(), requestPermName.end(), *iter) == requestPermName.end()) {
502 iter = userGrantPermList.erase(iter);
503 } else {
504 ++iter;
505 }
506 }
507
508 return InnerGrantRequestPermissions(tokenId, innerBundleInfo, systemGrantPermList, userGrantPermList);
509 }
510
GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,std::vector<AccessToken::PermissionStateFull> & newPermissionState)511 bool BundlePermissionMgr::GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,
512 std::vector<AccessToken::PermissionStateFull> &newPermissionState)
513 {
514 std::vector<AccessToken::PermissionStateFull> userGrantReqPermList;
515 int32_t ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, userGrantReqPermList, false);
516 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
517 APP_LOGE("GetAllReqPermissionStateFull get user grant failed errcode: %{public}d", ret);
518 return false;
519 }
520 std::vector<AccessToken::PermissionStateFull> systemGrantReqPermList;
521 ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, systemGrantReqPermList, true);
522 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
523 APP_LOGE("GetAllReqPermissionStateFull get system grant failed errcode: %{public}d", ret);
524 return false;
525 }
526 newPermissionState = userGrantReqPermList;
527 std::copy(systemGrantReqPermList.begin(), systemGrantReqPermList.end(), std::back_inserter(newPermissionState));
528 return true;
529 }
530
GetRequestPermissionStates(BundleInfo & bundleInfo,uint32_t tokenId,const std::string deviceId)531 bool BundlePermissionMgr::GetRequestPermissionStates(
532 BundleInfo &bundleInfo, uint32_t tokenId, const std::string deviceId)
533 {
534 std::vector<std::string> requestPermission = bundleInfo.reqPermissions;
535 if (requestPermission.empty()) {
536 APP_LOGD("GetRequestPermissionStates requestPermission empty");
537 return true;
538 }
539 std::vector<Security::AccessToken::PermissionStateFull> allPermissionState;
540 if (!GetAllReqPermissionStateFull(tokenId, allPermissionState)) {
541 APP_LOGW("BundlePermissionMgr::GetRequestPermissionStates failed");
542 }
543 for (auto &req : requestPermission) {
544 auto iter = std::find_if(allPermissionState.begin(), allPermissionState.end(),
545 [&req](const auto &perm) {
546 return perm.permissionName == req;
547 });
548 if (iter != allPermissionState.end()) {
549 APP_LOGD("GetRequestPermissionStates request permission name: %{public}s", req.c_str());
550 for (std::vector<std::string>::size_type i = 0; i < iter->resDeviceID.size(); i++) {
551 if (iter->resDeviceID[i] == deviceId) {
552 bundleInfo.reqPermissionStates.emplace_back(iter->grantStatus[i]);
553 break;
554 }
555 }
556 } else {
557 APP_LOGE("request permission name : %{public}s is not exit in AccessTokenMgr", req.c_str());
558 bundleInfo.reqPermissionStates.emplace_back(Constants::PERMISSION_NOT_GRANTED);
559 }
560 }
561 return true;
562 }
563
CheckGrantPermission(const AccessToken::PermissionDef & permDef,const std::string & apl,const std::vector<std::string> & acls)564 bool BundlePermissionMgr::CheckGrantPermission(
565 const AccessToken::PermissionDef &permDef,
566 const std::string &apl,
567 const std::vector<std::string> &acls)
568 {
569 AccessToken::ATokenAplEnum availableLevel = permDef.availableLevel;
570 APP_LOGD("BundlePermissionMgr::CheckGrantPermission availableLevel %{public}d, apl %{public}s",
571 availableLevel, apl.c_str());
572 switch (availableLevel) {
573 case AccessToken::ATokenAplEnum::APL_NORMAL: {
574 return true;
575 }
576 case AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC: {
577 if ((apl == Profile::AVAILABLELEVEL_SYSTEM_BASIC) ||
578 (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE)) {
579 return true;
580 }
581 break;
582 }
583 case AccessToken::ATokenAplEnum::APL_SYSTEM_CORE: {
584 if (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE) {
585 return true;
586 }
587 break;
588 }
589 default:
590 APP_LOGE("availableLevel %{public}d error", availableLevel);
591 break;
592 }
593 if (permDef.provisionEnable) {
594 APP_LOGI("CheckGrantPermission acls size: %{public}zu", acls.size());
595 auto res = std::any_of(acls.begin(), acls.end(), [permDef](const auto &perm) {
596 return permDef.permissionName == perm;
597 });
598 if (res) {
599 return res;
600 }
601 }
602 APP_LOGE("CheckGrantPermission failed permission: %{public}s, availableLevel %{public}d, apl:%{public}s",
603 permDef.permissionName.c_str(), availableLevel, apl.c_str());
604 return false;
605 }
606
VerifyCallingPermission(const std::string & permissionName)607 bool BundlePermissionMgr::VerifyCallingPermission(const std::string &permissionName)
608 {
609 APP_LOGD("VerifyCallingPermission permission %{public}s", permissionName.c_str());
610 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
611 APP_LOGD("callerToken : %{private}u", callerToken);
612 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
613 int32_t callingUid = IPCSkeleton::GetCallingUid();
614 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE || callingUid == Constants::ROOT_UID) {
615 APP_LOGD("caller tokenType is native, verify success");
616 return true;
617 }
618 int32_t ret = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
619 if (ret == AccessToken::PermissionState::PERMISSION_DENIED) {
620 APP_LOGE("permission %{public}s denied", permissionName.c_str());
621 return false;
622 }
623 APP_LOGD("verify AccessToken success");
624 return true;
625 }
626
VerifyCallingPermissionForAll(const std::string & permissionName)627 bool BundlePermissionMgr::VerifyCallingPermissionForAll(const std::string &permissionName)
628 {
629 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
630 APP_LOGD("VerifyCallingPermission permission %{public}s, callerToken : %{public}u",
631 permissionName.c_str(), callerToken);
632 if (AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName) ==
633 AccessToken::PermissionState::PERMISSION_DENIED) {
634 APP_LOGE("permission %{public}s denied, callerToken : %{public}u", permissionName.c_str(),
635 callerToken);
636 return false;
637 }
638 return true;
639 }
640
VerifyCallingPermissionsForAll(const std::vector<std::string> & permissionNames)641 bool BundlePermissionMgr::VerifyCallingPermissionsForAll(const std::vector<std::string> &permissionNames)
642 {
643 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
644 for (auto permissionName : permissionNames) {
645 if (AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName) ==
646 AccessToken::PermissionState::PERMISSION_GRANTED) {
647 APP_LOGD("verify success");
648 return true;
649 }
650 }
651 std::string errorMessage;
652 for (auto deniedPermission : permissionNames) {
653 errorMessage += deniedPermission + " ";
654 }
655 APP_LOGE("permission %{public}s denied, callerToken : %{public}u", errorMessage.c_str(), callerToken);
656 return false;
657 }
658
VerifyPermission(const std::string & bundleName,const std::string & permissionName,const int32_t userId)659 int32_t BundlePermissionMgr::VerifyPermission(
660 const std::string &bundleName, const std::string &permissionName, const int32_t userId)
661 {
662 APP_LOGD("VerifyPermission bundleName %{public}s, permission %{public}s", bundleName.c_str(),
663 permissionName.c_str());
664 AccessToken::AccessTokenID tokenId = AccessToken::AccessTokenKit::GetHapTokenID(userId,
665 bundleName, 0);
666 return AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionName);
667 }
668
GetPermissionDef(const std::string & permissionName,PermissionDef & permissionDef)669 ErrCode BundlePermissionMgr::GetPermissionDef(const std::string &permissionName, PermissionDef &permissionDef)
670 {
671 APP_LOGD("BundlePermissionMgr::GetPermissionDef permission %{public}s", permissionName.c_str());
672 AccessToken::PermissionDef accessTokenPermDef;
673 int32_t ret = AccessToken::AccessTokenKit::GetDefPermission(permissionName, accessTokenPermDef);
674 if (ret == AccessToken::AccessTokenKitRet::RET_SUCCESS) {
675 ConvertPermissionDef(accessTokenPermDef, permissionDef);
676 return ERR_OK;
677 }
678 return ERR_BUNDLE_MANAGER_QUERY_PERMISSION_DEFINE_FAILED;
679 }
680
CheckPermissionInDefaultPermissions(const DefaultPermission & defaultPermission,const std::string & permissionName,bool & userCancellable)681 bool BundlePermissionMgr::CheckPermissionInDefaultPermissions(const DefaultPermission &defaultPermission,
682 const std::string &permissionName, bool &userCancellable)
683 {
684 auto &grantPermission = defaultPermission.grantPermission;
685 auto iter = std::find_if(grantPermission.begin(), grantPermission.end(), [&permissionName](const auto &defPerm) {
686 return defPerm.name == permissionName;
687 });
688 if (iter == grantPermission.end()) {
689 APP_LOGW("can not find permission(%{public}s)", permissionName.c_str());
690 return false;
691 }
692
693 userCancellable = iter->userCancellable;
694 return true;
695 }
696
GetDefaultPermission(const std::string & bundleName,DefaultPermission & permission)697 bool BundlePermissionMgr::GetDefaultPermission(
698 const std::string &bundleName, DefaultPermission &permission)
699 {
700 auto iter = defaultPermissions_.find(bundleName);
701 if (iter == defaultPermissions_.end()) {
702 APP_LOGW("bundleName: %{public}s does not exist in defaultPermissions",
703 bundleName.c_str());
704 return false;
705 }
706
707 permission = iter->second;
708 return true;
709 }
710
MatchSignature(const DefaultPermission & permission,const std::vector<std::string> & signatures)711 bool BundlePermissionMgr::MatchSignature(
712 const DefaultPermission &permission, const std::vector<std::string> &signatures)
713 {
714 if (permission.appSignature.empty()) {
715 APP_LOGW("appSignature is empty");
716 return false;
717 }
718 for (const auto &signature : permission.appSignature) {
719 if (std::find(signatures.begin(), signatures.end(), signature) != signatures.end()) {
720 return true;
721 }
722 }
723
724 return false;
725 }
726
MatchSignature(const DefaultPermission & permission,const std::string & signature)727 bool BundlePermissionMgr::MatchSignature(
728 const DefaultPermission &permission, const std::string &signature)
729 {
730 if (permission.appSignature.empty() || signature.empty()) {
731 APP_LOGW("appSignature or signature is empty");
732 return false;
733 }
734 return std::find(permission.appSignature.begin(), permission.appSignature.end(),
735 signature) != permission.appSignature.end();
736 }
737
GetHapApiVersion()738 int32_t BundlePermissionMgr::GetHapApiVersion()
739 {
740 // get appApiVersion from applicationInfo
741 std::string bundleName;
742 auto uid = IPCSkeleton::GetCallingUid();
743 auto userId = uid / Constants::BASE_USER_RANGE;
744 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
745 if (dataMgr == nullptr) {
746 APP_LOGE("DataMgr is nullptr");
747 return Constants::INVALID_API_VERSION;
748 }
749 auto ret = dataMgr->GetBundleNameForUid(uid, bundleName);
750 if (!ret) {
751 APP_LOGE("getBundleName failed, uid : %{public}d", uid);
752 return Constants::INVALID_API_VERSION;
753 }
754 ApplicationInfo applicationInfo;
755 auto res = dataMgr->GetApplicationInfoV9(bundleName,
756 static_cast<int32_t>(GetApplicationFlag::GET_APPLICATION_INFO_WITH_DISABLE), userId, applicationInfo);
757 if (res != ERR_OK) {
758 APP_LOGE("getApplicationInfo failed");
759 return Constants::INVALID_API_VERSION;
760 }
761 auto appApiVersion = applicationInfo.apiTargetVersion;
762 APP_LOGD("appApiVersion is %{public}d", appApiVersion);
763 auto systemApiVersion = GetSdkApiVersion();
764 // api version is the minimum value of {appApiVersion, systemApiVersion}
765 return systemApiVersion < appApiVersion ? systemApiVersion :appApiVersion;
766 }
767
768 // if the api has been system api since it is published, then beginSystemApiVersion can be omitted
VerifySystemApp(int32_t beginSystemApiVersion)769 bool BundlePermissionMgr::VerifySystemApp(int32_t beginSystemApiVersion)
770 {
771 APP_LOGD("verifying systemApp");
772 uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
773 if (Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
774 return true;
775 }
776 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
777 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
778 APP_LOGD("tokenType is %{private}d", tokenType);
779 int32_t callingUid = IPCSkeleton::GetCallingUid();
780 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE ||
781 tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL ||
782 callingUid == Constants::ROOT_UID ||
783 callingUid == Constants::SHELL_UID) {
784 APP_LOGD("caller tokenType is native, verify success");
785 return true;
786 }
787 if (beginSystemApiVersion != Constants::ALL_VERSIONCODE) {
788 auto apiVersion = GetHapApiVersion();
789 if (apiVersion == Constants::INVALID_API_VERSION) {
790 APP_LOGE("get api version failed, system app verification failed");
791 return false;
792 }
793 if (apiVersion < beginSystemApiVersion) {
794 APP_LOGI("previous app calling, verify success");
795 return true;
796 }
797 }
798 APP_LOGE("system app verification failed");
799 return false;
800 }
801
IsSystemApp()802 bool BundlePermissionMgr::IsSystemApp()
803 {
804 APP_LOGD("verifying systemApp");
805 uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
806 if (Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
807 return true;
808 }
809 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
810 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
811 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_HAP) {
812 APP_LOGE("system app verification failed");
813 return false;
814 }
815 APP_LOGD("caller tokenType is not hap, ignore");
816 return true;
817 }
818
IsNativeTokenType()819 bool BundlePermissionMgr::IsNativeTokenType()
820 {
821 APP_LOGD("begin to verify token type");
822 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
823 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
824 APP_LOGD("tokenType is %{private}d", tokenType);
825 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE
826 || tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
827 APP_LOGD("caller tokenType is native, verify success");
828 return true;
829 }
830 if (VerifyCallingUid()) {
831 APP_LOGD("caller is root or foundation or BMS_UID, verify success");
832 return true;
833 }
834 APP_LOGE("caller tokenType not native, verify failed");
835 return false;
836 }
837
VerifyCallingUid()838 bool BundlePermissionMgr::VerifyCallingUid()
839 {
840 APP_LOGD("begin to verify calling uid");
841 int32_t callingUid = IPCSkeleton::GetCallingUid();
842 APP_LOGD("calling uid is %{public}d", callingUid);
843 if (callingUid == Constants::ROOT_UID ||
844 callingUid == Constants::FOUNDATION_UID ||
845 callingUid == Constants::SHELL_UID ||
846 callingUid == Constants::BMS_UID) {
847 APP_LOGD("caller is root or foundation, verify success");
848 return true;
849 }
850 APP_LOGE("verify calling uid failed");
851 return false;
852 }
853
VerifyPreload(const AAFwk::Want & want)854 bool BundlePermissionMgr::VerifyPreload(const AAFwk::Want &want)
855 {
856 std::string callingBundleName;
857 auto uid = IPCSkeleton::GetCallingUid();
858 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
859 if (dataMgr == nullptr) {
860 APP_LOGE("DataMgr is nullptr");
861 return false;
862 }
863 auto ret = dataMgr->GetBundleNameForUid(uid, callingBundleName);
864 if (!ret) {
865 return BundlePermissionMgr::VerifyCallingPermissionForAll(Constants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
866 }
867 std::string bundleName = want.GetElement().GetBundleName();
868 return bundleName == callingBundleName || callingBundleName == SCENEBOARD_BUNDLE_NAME;
869 }
870
InnerUpdateDefinePermission(const Security::AccessToken::AccessTokenID tokenId,const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo,std::vector<Security::AccessToken::PermissionDef> & newDefPermList)871 bool BundlePermissionMgr::InnerUpdateDefinePermission(
872 const Security::AccessToken::AccessTokenID tokenId,
873 const InnerBundleInfo &oldInfo,
874 const InnerBundleInfo &newInfo,
875 std::vector<Security::AccessToken::PermissionDef> &newDefPermList)
876 {
877 std::vector<AccessToken::PermissionDef> defPermList = GetPermissionDefList(newInfo);
878 if (!GetNewPermissionDefList(tokenId, defPermList, newDefPermList)) {
879 return false;
880 }
881
882 // delete old definePermission
883 std::vector<std::string> needDeleteDefinePermission = GetNeedDeleteDefinePermissionName(oldInfo, newInfo);
884 for (const auto &name : needDeleteDefinePermission) {
885 auto iter = std::find_if(newDefPermList.begin(), newDefPermList.end(), [&name](const auto &defPerm) {
886 return defPerm.permissionName == name;
887 });
888 if (iter != newDefPermList.end()) {
889 APP_LOGD("delete definePermission %{public}s", name.c_str());
890 newDefPermList.erase(iter);
891 }
892 }
893 return true;
894 }
895
IsCallingUidValid(int32_t uid)896 bool BundlePermissionMgr::IsCallingUidValid(int32_t uid)
897 {
898 int32_t callingUid = IPCSkeleton::GetCallingUid();
899 if (callingUid == uid) {
900 return true;
901 }
902 APP_LOGE("IsCallingUidValid failed, uid = %{public}d, calling uid = %{public}d", uid, callingUid);
903 return false;
904 }
905
InnerUpdateRequestPermission(const Security::AccessToken::AccessTokenID tokenId,const InnerBundleInfo & oldInfo,const InnerBundleInfo & newInfo,std::vector<Security::AccessToken::PermissionStateFull> & newPermissionStateList,std::vector<std::string> & newRequestPermName)906 bool BundlePermissionMgr::InnerUpdateRequestPermission(
907 const Security::AccessToken::AccessTokenID tokenId,
908 const InnerBundleInfo &oldInfo,
909 const InnerBundleInfo &newInfo,
910 std::vector<Security::AccessToken::PermissionStateFull> &newPermissionStateList,
911 std::vector<std::string> &newRequestPermName)
912 {
913 // get access token permission
914 std::vector<AccessToken::PermissionStateFull> reqPermissionStateList = GetPermissionStateFullList(newInfo);
915 if (!GetNewPermissionStateFull(tokenId, reqPermissionStateList,
916 newPermissionStateList, newRequestPermName)) {
917 return false;
918 }
919 // delete old requestPermission
920 std::vector<std::string> needDeleteRequestPermission = GetNeedDeleteRequestPermissionName(oldInfo, newInfo);
921 for (const auto &name : needDeleteRequestPermission) {
922 auto iter = std::find_if(newPermissionStateList.begin(), newPermissionStateList.end(),
923 [&name](const auto &defPerm) {
924 return defPerm.permissionName == name;
925 });
926 if (iter != newPermissionStateList.end()) {
927 APP_LOGD("delete requestPermission %{public}s", name.c_str());
928 newPermissionStateList.erase(iter);
929 }
930 auto deleteIter = std::find(newRequestPermName.begin(), newRequestPermName.end(), name);
931 if (deleteIter != newRequestPermName.end()) {
932 newRequestPermName.erase(deleteIter);
933 }
934 }
935 return true;
936 }
937
IsSelfCalling()938 bool BundlePermissionMgr::IsSelfCalling()
939 {
940 int32_t callingUid = IPCSkeleton::GetCallingUid();
941 if (callingUid == Constants::FOUNDATION_UID) {
942 return true;
943 }
944 return false;
945 }
946
VerifyUninstallPermission()947 bool BundlePermissionMgr::VerifyUninstallPermission()
948 {
949 if (!BundlePermissionMgr::IsSelfCalling() &&
950 !BundlePermissionMgr::VerifyCallingPermissionsForAll({Constants::PERMISSION_INSTALL_BUNDLE,
951 Constants::PERMISSION_UNINSTALL_BUNDLE})) {
952 APP_LOGE("uninstall bundle permission denied");
953 return false;
954 }
955 return true;
956 }
957
VerifyRecoverPermission()958 bool BundlePermissionMgr::VerifyRecoverPermission()
959 {
960 if (!BundlePermissionMgr::IsSelfCalling() &&
961 !BundlePermissionMgr::VerifyCallingPermissionsForAll({Constants::PERMISSION_INSTALL_BUNDLE,
962 Constants::PERMISSION_RECOVER_BUNDLE})) {
963 APP_LOGE("recover bundle permission denied");
964 return false;
965 }
966 return true;
967 }
968
AddPermissionUsedRecord(const std::string & permission,int32_t successCount,int32_t failCount)969 void BundlePermissionMgr::AddPermissionUsedRecord(
970 const std::string &permission, int32_t successCount, int32_t failCount)
971 {
972 APP_LOGD("AddPermissionUsedRecord permission:%{public}s", permission.c_str());
973 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
974 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
975 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_HAP) {
976 AccessToken::PrivacyKit::AddPermissionUsedRecord(callerToken, permission, successCount, failCount);
977 }
978 }
979
InnerFilterRequestPermissions(const InnerBundleInfo & innerBundleInfo,std::vector<std::string> & systemGrantPermList,std::vector<std::string> & userGrantPermList)980 bool BundlePermissionMgr::InnerFilterRequestPermissions(
981 const InnerBundleInfo &innerBundleInfo,
982 std::vector<std::string> &systemGrantPermList,
983 std::vector<std::string> &userGrantPermList)
984 {
985 APP_LOGD("start, bundleName:%{public}s", innerBundleInfo.GetBundleName().c_str());
986 std::vector<RequestPermission> reqPermissions = innerBundleInfo.GetAllRequestPermissions();
987 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
988 std::vector<std::string> acls = innerBundleInfo.GetAllowedAcls();
989 for (const auto &reqPermission : reqPermissions) {
990 APP_LOGD("add request permission %{public}s", reqPermission.name.c_str());
991 AccessToken::PermissionDef permDef;
992 int32_t ret = AccessToken::AccessTokenKit::GetDefPermission(reqPermission.name, permDef);
993 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
994 APP_LOGE("get permission def failed, request permission name: %{public}s", reqPermission.name.c_str());
995 continue;
996 }
997 if (CheckGrantPermission(permDef, apl, acls)) {
998 if (permDef.grantMode == AccessToken::GrantMode::SYSTEM_GRANT) {
999 systemGrantPermList.emplace_back(reqPermission.name);
1000 } else {
1001 userGrantPermList.emplace_back(reqPermission.name);
1002 }
1003 } else {
1004 return false;
1005 }
1006 if (!CheckPermissionAvailableType(innerBundleInfo.GetBaseApplicationInfo().appDistributionType, permDef)) {
1007 APP_LOGE("CheckPermissionAvailableType failed, request permission name: %{public}s",
1008 reqPermission.name.c_str());
1009 return false;
1010 }
1011 }
1012 return true;
1013 }
1014
IsBundleSelfCalling(const std::string & bundleName)1015 bool BundlePermissionMgr::IsBundleSelfCalling(const std::string &bundleName)
1016 {
1017 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
1018 if (dataMgr == nullptr) {
1019 APP_LOGE("DataMgr is nullptr");
1020 return false;
1021 }
1022 int32_t callingUid = IPCSkeleton::GetCallingUid();
1023 APP_LOGD("start, callingUid: %{public}d", callingUid);
1024 std::string callingBundleName;
1025 if (dataMgr->GetNameForUid(callingUid, callingBundleName) != ERR_OK) {
1026 return false;
1027 }
1028 APP_LOGD("bundleName :%{public}s, callingBundleName : %{public}s",
1029 bundleName.c_str(), callingBundleName.c_str());
1030 if (bundleName != callingBundleName) {
1031 APP_LOGW("failed, callingUid: %{public}d", callingUid);
1032 return false;
1033 }
1034 APP_LOGD("end, verify success");
1035 return true;
1036 }
1037
VerifyCallingBundleSdkVersion(int32_t beginApiVersion)1038 bool BundlePermissionMgr::VerifyCallingBundleSdkVersion(int32_t beginApiVersion)
1039 {
1040 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
1041 if (dataMgr == nullptr) {
1042 APP_LOGE("DataMgr is nullptr");
1043 return false;
1044 }
1045 int32_t callingUid = IPCSkeleton::GetCallingUid();
1046 APP_LOGD("start, callingUid: %{public}d", callingUid);
1047 std::string callingBundleName;
1048 if (dataMgr->GetNameForUid(callingUid, callingBundleName) != ERR_OK) {
1049 return false;
1050 }
1051 auto userId = callingUid / Constants::BASE_USER_RANGE;
1052 ApplicationInfo applicationInfo;
1053 auto res = dataMgr->GetApplicationInfoV9(callingBundleName,
1054 static_cast<int32_t>(GetApplicationFlag::GET_APPLICATION_INFO_WITH_DISABLE), userId, applicationInfo);
1055 if (res != ERR_OK) {
1056 APP_LOGE("getApplicationInfo failed, callingBundleName:%{public}s", callingBundleName.c_str());
1057 return false;
1058 }
1059 auto systemApiVersion = GetSdkApiVersion();
1060 auto appApiVersion = applicationInfo.apiTargetVersion;
1061 // api version is the minimum value of {appApiVersion, systemApiVersion}
1062 appApiVersion = systemApiVersion < appApiVersion ? systemApiVersion : appApiVersion;
1063 APP_LOGD("appApiVersion: %{public}d", appApiVersion);
1064
1065 if ((appApiVersion % BASE_API_VERSION) < beginApiVersion) {
1066 APP_LOGI("previous app calling, verify success");
1067 return true;
1068 }
1069 return false;
1070 }
1071 } // namespace AppExecFwk
1072 } // namespace OHOS