1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "bundle_install_checker.h"
17
18 #include "app_log_tag_wrapper.h"
19 #include "bms_extension_data_mgr.h"
20 #include "bundle_mgr_service.h"
21 #include "bundle_parser.h"
22 #include "bundle_permission_mgr.h"
23 #include "parameter.h"
24 #include "parameters.h"
25 #include "privilege_extension_ability_type.h"
26 #include "scope_guard.h"
27 #include "systemcapability.h"
28
29 namespace OHOS {
30 namespace AppExecFwk {
31 namespace {
32 const std::string PRIVILEGE_ALLOW_APP_DATA_NOT_CLEARED = "AllowAppDataNotCleared";
33 const std::string PRIVILEGE_ALLOW_APP_MULTI_PROCESS = "AllowAppMultiProcess";
34 const std::string PRIVILEGE_ALLOW_APP_DESKTOP_ICON_HIDE = "AllowAppDesktopIconHide";
35 const std::string PRIVILEGE_ALLOW_ABILITY_PRIORITY_QUERIED = "AllowAbilityPriorityQueried";
36 const std::string PRIVILEGE_ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS = "AllowAbilityExcludeFromMissions";
37 const std::string PRIVILEGE_ALLOW_MISSION_NOT_CLEARED = "AllowMissionNotCleared";
38 const std::string PRIVILEGE_ALLOW_APP_USE_PRIVILEGE_EXTENSION = "AllowAppUsePrivilegeExtension";
39 const std::string PRIVILEGE_ALLOW_FORM_VISIBLE_NOTIFY = "AllowFormVisibleNotify";
40 const std::string PRIVILEGE_ALLOW_APP_SHARE_LIBRARY = "AllowAppShareLibrary";
41 const std::string PRIVILEGE_ALLOW_ENABLE_NOTIFICATION = "AllowEnableNotification";
42 const std::string ALLOW_APP_DATA_NOT_CLEARED = "allowAppDataNotCleared";
43 const std::string ALLOW_APP_MULTI_PROCESS = "allowAppMultiProcess";
44 const std::string ALLOW_APP_DESKTOP_ICON_HIDE = "allowAppDesktopIconHide";
45 const std::string ALLOW_ABILITY_PRIORITY_QUERIED = "allowAbilityPriorityQueried";
46 const std::string ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS = "allowAbilityExcludeFromMissions";
47 const std::string ALLOW_MISSION_NOT_CLEARED = "allowMissionNotCleared";
48 const std::string ALLOW_APP_USE_PRIVILEGE_EXTENSION = "allowAppUsePrivilegeExtension";
49 const std::string ALLOW_FORM_VISIBLE_NOTIFY = "allowFormVisibleNotify";
50 const std::string ALLOW_APP_SHARE_LIBRARY = "allowAppShareLibrary";
51 const std::string ALLOW_ENABLE_NOTIFICATION = "allowEnableNotification";
52 const std::string APL_NORMAL = "normal";
53 const std::string SLASH = "/";
54 const std::string DOUBLE_SLASH = "//";
55 const std::string SUPPORT_ISOLATION_MODE = "persist.bms.supportIsolationMode";
56 const std::string VALUE_TRUE = "true";
57 const std::string VALUE_TRUE_BOOL = "1";
58 const std::string VALUE_FALSE = "false";
59 const std::string NONISOLATION_ONLY = "nonisolationOnly";
60 const std::string ISOLATION_ONLY = "isolationOnly";
61 const std::string SUPPORT_APP_TYPES = "const.bms.supportAppTypes";
62 const std::string SUPPORT_APP_TYPES_SEPARATOR = ",";
63 const int32_t SLAH_OFFSET = 2;
64 const int32_t THRESHOLD_VAL_LEN = 40;
65 constexpr const char* SYSTEM_APP_SCAN_PATH = "/system/app";
66 constexpr const char* DEVICE_TYPE_OF_DEFAULT = "default";
67 constexpr const char* DEVICE_TYPE_OF_PHONE = "phone";
68 constexpr const char* APP_INSTALL_PATH = "/data/app/el1/bundle";
69
70 const std::unordered_map<std::string, void (*)(AppPrivilegeCapability &appPrivilegeCapability)>
71 PRIVILEGE_MAP = {
72 { PRIVILEGE_ALLOW_APP_DATA_NOT_CLEARED,
__anond49500970202() 73 [] (AppPrivilegeCapability &appPrivilegeCapability) {
74 appPrivilegeCapability.userDataClearable = false;
75 } },
76 { PRIVILEGE_ALLOW_APP_MULTI_PROCESS,
__anond49500970302() 77 [] (AppPrivilegeCapability &appPrivilegeCapability) {
78 appPrivilegeCapability.allowMultiProcess = true;
79 } },
80 { PRIVILEGE_ALLOW_APP_DESKTOP_ICON_HIDE,
__anond49500970402() 81 [] (AppPrivilegeCapability &appPrivilegeCapability) {
82 appPrivilegeCapability.hideDesktopIcon = true;
83 } },
84 { PRIVILEGE_ALLOW_ABILITY_PRIORITY_QUERIED,
__anond49500970502() 85 [] (AppPrivilegeCapability &appPrivilegeCapability) {
86 appPrivilegeCapability.allowQueryPriority = true;
87 } },
88 { PRIVILEGE_ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS,
__anond49500970602() 89 [] (AppPrivilegeCapability &appPrivilegeCapability) {
90 appPrivilegeCapability.allowExcludeFromMissions = true;
91 } },
92 { PRIVILEGE_ALLOW_MISSION_NOT_CLEARED,
__anond49500970702() 93 [] (AppPrivilegeCapability &appPrivilegeCapability) {
94 appPrivilegeCapability.allowMissionNotCleared = true;
95 } },
96 { PRIVILEGE_ALLOW_APP_USE_PRIVILEGE_EXTENSION,
__anond49500970802() 97 [] (AppPrivilegeCapability &appPrivilegeCapability) {
98 appPrivilegeCapability.allowUsePrivilegeExtension = true;
99 } },
100 { PRIVILEGE_ALLOW_FORM_VISIBLE_NOTIFY,
__anond49500970902() 101 [] (AppPrivilegeCapability &appPrivilegeCapability) {
102 appPrivilegeCapability.formVisibleNotify = true;
103 } },
104 { PRIVILEGE_ALLOW_APP_SHARE_LIBRARY,
__anond49500970a02() 105 [] (AppPrivilegeCapability &appPrivilegeCapability) {
106 appPrivilegeCapability.appShareLibrary = true;
107 } },
108 { PRIVILEGE_ALLOW_ENABLE_NOTIFICATION,
__anond49500970b02() 109 [] (AppPrivilegeCapability &appPrivilegeCapability) {
110 appPrivilegeCapability.allowEnableNotification = true;
111 } },
112 };
113
GetAppDistributionType(const Security::Verify::AppDistType & type)114 std::string GetAppDistributionType(const Security::Verify::AppDistType &type)
115 {
116 auto typeIter = APP_DISTRIBUTION_TYPE_MAPS.find(type);
117 if (typeIter == APP_DISTRIBUTION_TYPE_MAPS.end()) {
118 LOG_E(BMS_TAG_INSTALLER, "wrong AppDistType");
119 return Constants::APP_DISTRIBUTION_TYPE_NONE;
120 }
121
122 return typeIter->second;
123 }
124
GetAppProvisionType(const Security::Verify::ProvisionType & type)125 std::string GetAppProvisionType(const Security::Verify::ProvisionType &type)
126 {
127 if (type == Security::Verify::ProvisionType::DEBUG) {
128 return Constants::APP_PROVISION_TYPE_DEBUG;
129 }
130
131 return Constants::APP_PROVISION_TYPE_RELEASE;
132 }
133
IsPrivilegeExtensionAbilityType(ExtensionAbilityType type)134 bool IsPrivilegeExtensionAbilityType(ExtensionAbilityType type)
135 {
136 return PRIVILEGE_EXTENSION_ABILITY_TYPE.find(type) != PRIVILEGE_EXTENSION_ABILITY_TYPE.end();
137 }
138
IsSystemExtensionAbilityType(ExtensionAbilityType type)139 bool IsSystemExtensionAbilityType(ExtensionAbilityType type)
140 {
141 return SYSTEM_EXTENSION_ABILITY_TYPE.find(type) != SYSTEM_EXTENSION_ABILITY_TYPE.end();
142 }
143 }
144
CheckSysCap(const std::vector<std::string> & bundlePaths)145 ErrCode BundleInstallChecker::CheckSysCap(const std::vector<std::string> &bundlePaths)
146 {
147 LOG_D(BMS_TAG_INSTALLER, "check hap syscaps start");
148 if (bundlePaths.empty()) {
149 LOG_NOFUNC_E(BMS_TAG_INSTALLER, "empty bundlePaths check hap syscaps fail");
150 return ERR_APPEXECFWK_INSTALL_PARAM_ERROR;
151 }
152
153 ErrCode result = ERR_OK;
154 BundleParser bundleParser;
155 for (const auto &bundlePath : bundlePaths) {
156 std::vector<std::string> bundleSysCaps;
157 result = bundleParser.ParseSysCap(bundlePath, bundleSysCaps);
158 if (result != ERR_OK) {
159 LOG_E(BMS_TAG_INSTALLER, "parse bundle syscap failed, error: %{public}d", result);
160 return result;
161 }
162
163 for (const auto &bundleSysCapItem : bundleSysCaps) {
164 LOG_D(BMS_TAG_INSTALLER, "check syscap(%{public}s)", bundleSysCapItem.c_str());
165 if (!HasSystemCapability(bundleSysCapItem.c_str())) {
166 LOG_E(BMS_TAG_INSTALLER, "check syscap failed which %{public}s is not exsit",
167 bundleSysCapItem.c_str());
168 return ERR_APPEXECFWK_INSTALL_CHECK_SYSCAP_FAILED;
169 }
170 }
171 }
172
173 LOG_D(BMS_TAG_INSTALLER, "finish check hap syscaps");
174 return result;
175 }
176
CheckMultipleHapsSignInfo(const std::vector<std::string> & bundlePaths,std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes,bool readFile)177 ErrCode BundleInstallChecker::CheckMultipleHapsSignInfo(
178 const std::vector<std::string> &bundlePaths,
179 std::vector<Security::Verify::HapVerifyResult>& hapVerifyRes, bool readFile)
180 {
181 LOG_D(BMS_TAG_INSTALLER, "Check multiple haps signInfo");
182 if (bundlePaths.empty()) {
183 LOG_E(BMS_TAG_INSTALLER, "check hap sign info failed due to empty bundlePaths");
184 return ERR_APPEXECFWK_INSTALL_PARAM_ERROR;
185 }
186 for (const std::string &bundlePath : bundlePaths) {
187 Security::Verify::HapVerifyResult hapVerifyResult;
188 ErrCode verifyRes = ERR_OK;
189 if (readFile) {
190 verifyRes = Security::Verify::HapVerify(bundlePath, hapVerifyResult, true);
191 } else {
192 verifyRes = BundleVerifyMgr::HapVerify(bundlePath, hapVerifyResult);
193 }
194 #ifndef X86_EMULATOR_MODE
195 if (verifyRes != ERR_OK) {
196 LOG_E(BMS_TAG_INSTALLER, "hap file verify failed, bundlePath: %{public}s", bundlePath.c_str());
197 return readFile ? ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE : verifyRes;
198 }
199 #endif
200 hapVerifyRes.emplace_back(hapVerifyResult);
201 }
202
203 if (hapVerifyRes.empty()) {
204 LOG_E(BMS_TAG_INSTALLER, "no sign info in the all haps");
205 return ERR_APPEXECFWK_INSTALL_FAILED_INCOMPATIBLE_SIGNATURE;
206 }
207
208 if (!CheckProvisionInfoIsValid(hapVerifyRes)) {
209 #ifndef X86_EMULATOR_MODE
210 return ERR_APPEXECFWK_INSTALL_FAILED_INCOMPATIBLE_SIGNATURE;
211 #else
212 // on emulator if check signature failed clear appid
213 for (auto &verifyRes : hapVerifyRes) {
214 Security::Verify::ProvisionInfo provisionInfo = verifyRes.GetProvisionInfo();
215 provisionInfo.appId = Constants::EMPTY_STRING;
216 verifyRes.SetProvisionInfo(provisionInfo);
217 }
218 #endif
219 }
220 LOG_D(BMS_TAG_INSTALLER, "finish check multiple haps signInfo");
221 return ERR_OK;
222 }
223
CheckProvisionInfoIsValid(const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)224 bool BundleInstallChecker::CheckProvisionInfoIsValid(
225 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
226 {
227 auto appId = hapVerifyRes[0].GetProvisionInfo().appId;
228 auto appIdentifier = hapVerifyRes[0].GetProvisionInfo().bundleInfo.appIdentifier;
229 auto apl = hapVerifyRes[0].GetProvisionInfo().bundleInfo.apl;
230 auto appDistributionType = hapVerifyRes[0].GetProvisionInfo().distributionType;
231 auto appProvisionType = hapVerifyRes[0].GetProvisionInfo().type;
232 bool isInvalid = std::any_of(hapVerifyRes.begin(), hapVerifyRes.end(),
233 [appId, apl, appDistributionType, appProvisionType, appIdentifier](const auto &hapVerifyResult) {
234 if (appId != hapVerifyResult.GetProvisionInfo().appId) {
235 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appId");
236 return true;
237 }
238 if (apl != hapVerifyResult.GetProvisionInfo().bundleInfo.apl) {
239 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different apl");
240 return true;
241 }
242 if (appDistributionType != hapVerifyResult.GetProvisionInfo().distributionType) {
243 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appDistributionType");
244 return true;
245 }
246 if (appProvisionType != hapVerifyResult.GetProvisionInfo().type) {
247 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appProvisionType");
248 return true;
249 }
250 if (appIdentifier != hapVerifyResult.GetProvisionInfo().bundleInfo.appIdentifier) {
251 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appIdentifier");
252 return true;
253 }
254 return false;
255 });
256 return !isInvalid;
257 }
258
VaildInstallPermission(const InstallParam & installParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)259 bool BundleInstallChecker::VaildInstallPermission(const InstallParam &installParam,
260 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
261 {
262 PermissionStatus installBundleStatus = installParam.installBundlePermissionStatus;
263 PermissionStatus installEnterpriseBundleStatus = installParam.installEnterpriseBundlePermissionStatus;
264 PermissionStatus installEtpMdmBundleStatus = installParam.installEtpMdmBundlePermissionStatus;
265 bool isCallByShell = installParam.isCallByShell;
266 if (!isCallByShell && installBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
267 installEnterpriseBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
268 installEtpMdmBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS) {
269 return true;
270 }
271 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
272 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
273 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
274 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
275 LOG_E(BMS_TAG_INSTALLER, "enterprise bundle can not be installed by shell");
276 return false;
277 }
278 if (!isCallByShell && installEnterpriseBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
279 LOG_E(BMS_TAG_INSTALLER, "install enterprise bundle permission denied");
280 return false;
281 }
282 continue;
283 }
284 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
285 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
286 bool result = VaildEnterpriseInstallPermission(installParam, provisionInfo);
287 if (!result) {
288 return false;
289 }
290 continue;
291 }
292 if (installBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
293 LOG_E(BMS_TAG_INSTALLER, "install permission denied");
294 return false;
295 }
296 }
297 return true;
298 }
299
VaildEnterpriseInstallPermission(const InstallParam & installParam,const Security::Verify::ProvisionInfo & provisionInfo)300 bool BundleInstallChecker::VaildEnterpriseInstallPermission(const InstallParam &installParam,
301 const Security::Verify::ProvisionInfo &provisionInfo)
302 {
303 if (installParam.isSelfUpdate) {
304 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
305 LOG_I(BMS_TAG_INSTALLER, "Mdm self update");
306 return true;
307 }
308 LOG_E(BMS_TAG_INSTALLER, "Self update not MDM");
309 return false;
310 }
311 bool isCallByShell = installParam.isCallByShell;
312 PermissionStatus installEtpNormalBundleStatus = installParam.installEtpNormalBundlePermissionStatus;
313 PermissionStatus installEtpMdmBundleStatus = installParam.installEtpMdmBundlePermissionStatus;
314 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
315 LOG_E(BMS_TAG_INSTALLER, "enterprise normal/mdm bundle can not be installed by shell");
316 return false;
317 }
318 if (!isCallByShell &&
319 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL &&
320 installEtpNormalBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS &&
321 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
322 LOG_E(BMS_TAG_INSTALLER, "install enterprise normal bundle permission denied");
323 return false;
324 }
325 if (!isCallByShell &&
326 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM &&
327 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
328 LOG_E(BMS_TAG_INSTALLER, "install enterprise mdm bundle permission denied");
329 return false;
330 }
331 return true;
332 }
333
ParseHapFiles(const std::vector<std::string> & bundlePaths,const InstallCheckParam & checkParam,std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes,std::unordered_map<std::string,InnerBundleInfo> & infos)334 ErrCode BundleInstallChecker::ParseHapFiles(
335 const std::vector<std::string> &bundlePaths,
336 const InstallCheckParam &checkParam,
337 std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
338 std::unordered_map<std::string, InnerBundleInfo> &infos)
339 {
340 LOG_D(BMS_TAG_INSTALLER, "Parse hap file");
341 ErrCode result = ERR_OK;
342 for (uint32_t i = 0; i < bundlePaths.size(); ++i) {
343 InnerBundleInfo newInfo;
344 BundlePackInfo packInfo;
345 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
346 if (provisionInfo.bundleInfo.appFeature == ServiceConstants::HOS_SYSTEM_APP) {
347 newInfo.SetAppType(Constants::AppType::SYSTEM_APP);
348 } else {
349 newInfo.SetAppType(Constants::AppType::THIRD_PARTY_APP);
350 }
351 newInfo.SetIsPreInstallApp(checkParam.isPreInstallApp);
352 result = ParseBundleInfo(bundlePaths[i], newInfo, packInfo);
353 if (result != ERR_OK) {
354 LOG_E(BMS_TAG_INSTALLER, "bundle parse failed %{public}d", result);
355 return result;
356 }
357 newInfo.SetOrganization(provisionInfo.organization);
358 #ifndef X86_EMULATOR_MODE
359 result = CheckBundleName(provisionInfo.bundleInfo.bundleName, newInfo.GetBundleName());
360 if (result != ERR_OK) {
361 LOG_E(BMS_TAG_INSTALLER, "check provision bundleName failed");
362 return result;
363 }
364 #endif
365 if (newInfo.HasEntry()) {
366 if (isContainEntry_) {
367 LOG_E(BMS_TAG_INSTALLER, "more than one entry hap in the direction");
368 return ERR_APPEXECFWK_INSTALL_INVALID_NUMBER_OF_ENTRY_HAP;
369 }
370 isContainEntry_ = true;
371 }
372
373 SetEntryInstallationFree(packInfo, newInfo);
374 result = CheckMainElement(newInfo);
375 if (result != ERR_OK) {
376 return result;
377 }
378 AppPrivilegeCapability appPrivilegeCapability;
379 // from provision file
380 ParseAppPrivilegeCapability(provisionInfo, appPrivilegeCapability);
381 // form install_list_capability.json, higher priority than provision file
382 // allow appIdentifier/appId/fingerprint
383 newInfo.SetProvisionId(provisionInfo.appId);
384 std::vector<std::string> appSignatures;
385 appSignatures.emplace_back(provisionInfo.bundleInfo.appIdentifier);
386 appSignatures.emplace_back(newInfo.GetAppId());
387 appSignatures.emplace_back(provisionInfo.fingerprint);
388 FetchPrivilegeCapabilityFromPreConfig(
389 newInfo.GetBundleName(), appSignatures, appPrivilegeCapability);
390 // process bundleInfo by appPrivilegeCapability
391 result = ProcessBundleInfoByPrivilegeCapability(appPrivilegeCapability, newInfo);
392 if (result != ERR_OK) {
393 return result;
394 }
395 CollectProvisionInfo(provisionInfo, appPrivilegeCapability, newInfo);
396 #ifdef USE_PRE_BUNDLE_PROFILE
397 GetPrivilegeCapability(checkParam, newInfo);
398 #endif
399 if ((provisionInfo.distributionType == Security::Verify::AppDistType::CROWDTESTING) ||
400 (checkParam.specifiedDistributionType == Constants::APP_DISTRIBUTION_TYPE_CROWDTESTING)) {
401 newInfo.SetAppCrowdtestDeadline((checkParam.crowdtestDeadline >= 0) ? checkParam.crowdtestDeadline :
402 Constants::INHERIT_CROWDTEST_DEADLINE);
403 } else {
404 newInfo.SetAppCrowdtestDeadline(Constants::INVALID_CROWDTEST_DEADLINE);
405 }
406 if (!checkParam.isPreInstallApp) {
407 if ((result = CheckSystemSize(bundlePaths[i], checkParam.appType)) != ERR_OK) {
408 LOG_E(BMS_TAG_INSTALLER, "install failed due to insufficient disk memory");
409 return result;
410 }
411 }
412 DetermineCloneNum(newInfo);
413
414 infos.emplace(bundlePaths[i], newInfo);
415 }
416 if ((result = CheckModuleNameForMulitHaps(infos)) != ERR_OK) {
417 LOG_E(BMS_TAG_INSTALLER, "install failed due to duplicated moduleName");
418 return result;
419 }
420 LOG_D(BMS_TAG_INSTALLER, "finish parse hap file");
421 return result;
422 }
423
CheckHspInstallCondition(std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)424 ErrCode BundleInstallChecker::CheckHspInstallCondition(
425 std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
426 {
427 ErrCode result = ERR_OK;
428 if ((result = CheckDeveloperMode(hapVerifyRes)) != ERR_OK) {
429 LOG_E(BMS_TAG_INSTALLER, "install failed due to debug mode");
430 return result;
431 }
432 if ((result = CheckAllowEnterpriseBundle(hapVerifyRes)) != ERR_OK) {
433 LOG_E(BMS_TAG_INSTALLER, "install failed due to non-enterprise device");
434 return result;
435 }
436 return ERR_OK;
437 }
438
CheckInstallPermission(const InstallCheckParam & checkParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)439 ErrCode BundleInstallChecker::CheckInstallPermission(const InstallCheckParam &checkParam,
440 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
441 {
442 if ((checkParam.installBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
443 checkParam.installEnterpriseBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
444 checkParam.installEtpNormalBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
445 checkParam.installEtpMdmBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS) &&
446 !VaildInstallPermissionForShare(checkParam, hapVerifyRes)) {
447 // need vaild permission
448 LOG_E(BMS_TAG_INSTALLER, "install permission denied");
449 return ERR_APPEXECFWK_INSTALL_PERMISSION_DENIED;
450 }
451 return ERR_OK;
452 }
453
VaildInstallPermissionForShare(const InstallCheckParam & checkParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)454 bool BundleInstallChecker::VaildInstallPermissionForShare(const InstallCheckParam &checkParam,
455 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
456 {
457 PermissionStatus installBundleStatus = checkParam.installBundlePermissionStatus;
458 PermissionStatus installEnterpriseBundleStatus = checkParam.installEnterpriseBundlePermissionStatus;
459 PermissionStatus installEtpMdmBundleStatus = checkParam.installEtpMdmBundlePermissionStatus;
460 bool isCallByShell = checkParam.isCallByShell;
461 if (!isCallByShell && installBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
462 installEnterpriseBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
463 installEtpMdmBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS) {
464 return true;
465 }
466 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
467 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
468 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
469 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
470 LOG_E(BMS_TAG_INSTALLER, "enterprise bundle can not be installed by shell");
471 return false;
472 }
473 if (!isCallByShell && installEnterpriseBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
474 LOG_E(BMS_TAG_INSTALLER, "install enterprise bundle permission denied");
475 return false;
476 }
477 continue;
478 }
479 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
480 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
481 bool result = VaildEnterpriseInstallPermissionForShare(checkParam, provisionInfo);
482 if (!result) {
483 return false;
484 }
485 continue;
486 }
487 if (installBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
488 LOG_E(BMS_TAG_INSTALLER, "install permission denied");
489 return false;
490 }
491 }
492 return true;
493 }
494
VaildEnterpriseInstallPermissionForShare(const InstallCheckParam & checkParam,const Security::Verify::ProvisionInfo & provisionInfo)495 bool BundleInstallChecker::VaildEnterpriseInstallPermissionForShare(const InstallCheckParam &checkParam,
496 const Security::Verify::ProvisionInfo &provisionInfo)
497 {
498 bool isCallByShell = checkParam.isCallByShell;
499 PermissionStatus installEtpNormalBundleStatus = checkParam.installEtpNormalBundlePermissionStatus;
500 PermissionStatus installEtpMdmBundleStatus = checkParam.installEtpMdmBundlePermissionStatus;
501 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
502 LOG_E(BMS_TAG_INSTALLER, "enterprise normal/mdm bundle can not be installed by shell");
503 return false;
504 }
505 if (!isCallByShell &&
506 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL &&
507 installEtpNormalBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS &&
508 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
509 LOG_E(BMS_TAG_INSTALLER, "install enterprise normal bundle permission denied");
510 return false;
511 }
512 if (!isCallByShell &&
513 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM &&
514 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
515 LOG_E(BMS_TAG_INSTALLER, "install enterprise mdm bundle permission denied");
516 return false;
517 }
518 return true;
519 }
520
CheckDependency(std::unordered_map<std::string,InnerBundleInfo> & infos)521 ErrCode BundleInstallChecker::CheckDependency(std::unordered_map<std::string, InnerBundleInfo> &infos)
522 {
523 LOG_D(BMS_TAG_INSTALLER, "CheckDependency");
524
525 for (const auto &info : infos) {
526 if (info.second.GetInnerModuleInfos().empty()) {
527 LOG_D(BMS_TAG_INSTALLER, "GetInnerModuleInfos is empty");
528 continue;
529 }
530 // There is only one innerModuleInfo when installing
531 InnerModuleInfo moduleInfo = info.second.GetInnerModuleInfos().begin()->second;
532 LOG_D(BMS_TAG_INSTALLER, "current module:%{public}s, dependencies = %{public}s", moduleInfo.moduleName.c_str(),
533 GetJsonStrFromInfo(moduleInfo.dependencies).c_str());
534 for (const auto &dependency : moduleInfo.dependencies) {
535 if (!NeedCheckDependency(dependency, info.second)) {
536 LOG_D(BMS_TAG_INSTALLER, "deliveryWithInstall is false, do not check whether the dependency exists");
537 continue;
538 }
539 std::string bundleName =
540 dependency.bundleName.empty() ? info.second.GetBundleName() : dependency.bundleName;
541 if (FindModuleInInstallingPackage(dependency.moduleName, bundleName, infos)) {
542 continue;
543 }
544 LOG_W(BMS_TAG_INSTALLER, "The depend module:%{public}s is not exist in installing package",
545 dependency.moduleName.c_str());
546 if (!FindModuleInInstalledPackage(dependency.moduleName, bundleName, info.second.GetVersionCode())) {
547 LOG_E(BMS_TAG_INSTALLER, "The depend :%{public}s is not exist", dependency.moduleName.c_str());
548 SetCheckResultMsg(
549 moduleInfo.moduleName + "'s dependent module: " + dependency.moduleName + " does not exist");
550 return ERR_APPEXECFWK_INSTALL_DEPENDENT_MODULE_NOT_EXIST;
551 }
552 }
553 }
554
555 return ERR_OK;
556 }
557
NeedCheckDependency(const Dependency & dependency,const InnerBundleInfo & info)558 bool BundleInstallChecker::NeedCheckDependency(const Dependency &dependency, const InnerBundleInfo &info)
559 {
560 LOG_D(BMS_TAG_INSTALLER, "NeedCheckDependency the moduleName is %{public}s, the bundleName is %{public}s",
561 dependency.moduleName.c_str(), dependency.bundleName.c_str());
562
563 if (!dependency.bundleName.empty() && dependency.bundleName != info.GetBundleName()) {
564 LOG_D(BMS_TAG_INSTALLER, "Cross-app dependencies, check dependency with shared bundle installer");
565 return false;
566 }
567 std::vector<PackageModule> modules = info.GetBundlePackInfo().summary.modules;
568 if (modules.empty()) {
569 LOG_D(BMS_TAG_INSTALLER, "NeedCheckDependency modules is empty, need check dependency");
570 return true;
571 }
572 for (const auto &module : modules) {
573 if (module.distro.moduleName == dependency.moduleName) {
574 return module.distro.deliveryWithInstall;
575 }
576 }
577
578 LOG_D(BMS_TAG_INSTALLER, "NeedCheckDependency the module not found, need check dependency");
579 return true;
580 }
581
FindModuleInInstallingPackage(const std::string & moduleName,const std::string & bundleName,const std::unordered_map<std::string,InnerBundleInfo> & infos)582 bool BundleInstallChecker::FindModuleInInstallingPackage(
583 const std::string &moduleName,
584 const std::string &bundleName,
585 const std::unordered_map<std::string, InnerBundleInfo> &infos)
586 {
587 LOG_D(BMS_TAG_INSTALLER, "moduleName is %{public}s, the bundleName is %{public}s",
588 moduleName.c_str(), bundleName.c_str());
589 for (const auto &info : infos) {
590 if (info.second.GetBundleName() == bundleName) {
591 if (info.second.GetInnerModuleInfos().empty()) {
592 continue;
593 }
594 // There is only one innerModuleInfo when installing
595 InnerModuleInfo moduleInfo = info.second.GetInnerModuleInfos().begin()->second;
596 if (moduleInfo.moduleName == moduleName) {
597 return true;
598 }
599 }
600 }
601 return false;
602 }
603
FindModuleInInstalledPackage(const std::string & moduleName,const std::string & bundleName,uint32_t versionCode)604 bool BundleInstallChecker::FindModuleInInstalledPackage(
605 const std::string &moduleName,
606 const std::string &bundleName,
607 uint32_t versionCode)
608 {
609 LOG_D(BMS_TAG_INSTALLER, "FindModuleInInstalledPackage the moduleName is %{public}s, the bundleName is %{public}s",
610 moduleName.c_str(), bundleName.c_str());
611 std::shared_ptr<BundleDataMgr> dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
612 if (dataMgr == nullptr) {
613 LOG_E(BMS_TAG_INSTALLER, "Get dataMgr shared_ptr nullptr");
614 return false;
615 }
616
617 ScopeGuard enableGuard([&dataMgr, &bundleName] { dataMgr->EnableBundle(bundleName); });
618 InnerBundleInfo bundleInfo;
619 bool isBundleExist = dataMgr->GetInnerBundleInfo(bundleName, bundleInfo);
620 if (!isBundleExist) {
621 LOG_E(BMS_TAG_INSTALLER, "the bundle: %{public}s is not install", bundleName.c_str());
622 return false;
623 }
624 if (!bundleInfo.FindModule(moduleName)) {
625 LOG_E(BMS_TAG_INSTALLER, "the module: %{public}s is not install", moduleName.c_str());
626 return false;
627 }
628 if (bundleInfo.GetVersionCode() != versionCode) {
629 LOG_E(BMS_TAG_INSTALLER, "the versionCode %{public}d of dependency is not consistent with the installed module",
630 bundleInfo.GetVersionCode());
631 return false;
632 }
633 return true;
634 }
635
CheckBundleName(const std::string & provisionBundleName,const std::string & bundleName)636 ErrCode BundleInstallChecker::CheckBundleName(const std::string &provisionBundleName, const std::string &bundleName)
637 {
638 LOG_D(BMS_TAG_INSTALLER, "CheckBundleName provisionBundleName:%{public}s, bundleName:%{public}s",
639 provisionBundleName.c_str(), bundleName.c_str());
640 if (provisionBundleName.empty() || bundleName.empty()) {
641 LOG_E(BMS_TAG_INSTALLER, "CheckBundleName provisionBundleName:%{public}s, bundleName:%{public}s failed",
642 provisionBundleName.c_str(), bundleName.c_str());
643 return ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE;
644 }
645 if (provisionBundleName == bundleName) {
646 return ERR_OK;
647 }
648 LOG_E(BMS_TAG_INSTALLER, "CheckBundleName failed provisionBundleName:%{public}s, bundleName:%{public}s",
649 provisionBundleName.c_str(), bundleName.c_str());
650 return ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE;
651 }
652
CollectProvisionInfo(const Security::Verify::ProvisionInfo & provisionInfo,const AppPrivilegeCapability & appPrivilegeCapability,InnerBundleInfo & newInfo)653 void BundleInstallChecker::CollectProvisionInfo(
654 const Security::Verify::ProvisionInfo &provisionInfo,
655 const AppPrivilegeCapability &appPrivilegeCapability,
656 InnerBundleInfo &newInfo)
657 {
658 newInfo.SetProvisionId(provisionInfo.appId);
659 newInfo.SetAppFeature(provisionInfo.bundleInfo.appFeature);
660 newInfo.SetAppPrivilegeLevel(provisionInfo.bundleInfo.apl);
661 newInfo.SetAllowedAcls(provisionInfo.acls.allowedAcls);
662 newInfo.SetCertificateFingerprint(provisionInfo.fingerprint);
663 newInfo.SetAppDistributionType(GetAppDistributionType(provisionInfo.distributionType));
664 newInfo.SetAppProvisionType(GetAppProvisionType(provisionInfo.type));
665 SetAppProvisionMetadata(provisionInfo.metadatas, newInfo);
666 #ifdef USE_PRE_BUNDLE_PROFILE
667 newInfo.SetUserDataClearable(appPrivilegeCapability.userDataClearable);
668 newInfo.SetHideDesktopIcon(appPrivilegeCapability.hideDesktopIcon);
669 newInfo.SetFormVisibleNotify(appPrivilegeCapability.formVisibleNotify);
670 #endif
671 newInfo.AddOldAppId(newInfo.GetAppId());
672 newInfo.SetAppIdentifier(provisionInfo.bundleInfo.appIdentifier);
673 }
674
SetAppProvisionMetadata(const std::vector<Security::Verify::Metadata> & provisionMetadatas,InnerBundleInfo & newInfo)675 void BundleInstallChecker::SetAppProvisionMetadata(const std::vector<Security::Verify::Metadata> &provisionMetadatas,
676 InnerBundleInfo &newInfo)
677 {
678 if (provisionMetadatas.empty()) {
679 LOG_E(BMS_TAG_INSTALLER, "provisionMetadatas is empty");
680 return;
681 }
682 std::vector<Metadata> metadatas;
683 for (const auto &it : provisionMetadatas) {
684 Metadata metadata;
685 metadata.name = it.name;
686 metadata.value = it.value;
687 metadatas.emplace_back(metadata);
688 }
689 newInfo.SetAppProvisionMetadata(metadatas);
690 }
691
GetPrivilegeCapability(const InstallCheckParam & checkParam,InnerBundleInfo & newInfo)692 void BundleInstallChecker::GetPrivilegeCapability(
693 const InstallCheckParam &checkParam, InnerBundleInfo &newInfo)
694 {
695 // Reset privilege capability
696 newInfo.SetKeepAlive(false);
697 newInfo.SetSingleton(false);
698
699 newInfo.SetRemovable(checkParam.removable);
700 PreBundleConfigInfo preBundleConfigInfo;
701 preBundleConfigInfo.bundleName = newInfo.GetBundleName();
702 if (!BMSEventHandler::GetPreInstallCapability(preBundleConfigInfo)) {
703 LOG_D(BMS_TAG_INSTALLER, "%{public}s not exist in preinstall capability list", newInfo.GetBundleName().c_str());
704 return;
705 }
706
707 if (!MatchSignature(preBundleConfigInfo.appSignature, newInfo.GetCertificateFingerprint()) &&
708 !MatchSignature(preBundleConfigInfo.appSignature, newInfo.GetAppId()) &&
709 !MatchSignature(preBundleConfigInfo.appSignature, newInfo.GetAppIdentifier()) &&
710 !MatchOldSignatures(newInfo.GetBundleName(), preBundleConfigInfo.appSignature)) {
711 LOG_E(BMS_TAG_INSTALLER, "%{public}s signature not match the capability list", newInfo.GetBundleName().c_str());
712 return;
713 }
714
715 newInfo.SetKeepAlive(preBundleConfigInfo.keepAlive);
716 newInfo.SetSingleton(preBundleConfigInfo.singleton);
717 newInfo.SetRunningResourcesApply(preBundleConfigInfo.runningResourcesApply);
718 newInfo.SetAssociatedWakeUp(preBundleConfigInfo.associatedWakeUp);
719 newInfo.SetAllowCommonEvent(preBundleConfigInfo.allowCommonEvent);
720 newInfo.SetResourcesApply(preBundleConfigInfo.resourcesApply);
721 newInfo.SetAllowAppRunWhenDeviceFirstLocked(preBundleConfigInfo.allowAppRunWhenDeviceFirstLocked);
722 newInfo.SetAllowEnableNotification(preBundleConfigInfo.allowEnableNotification);
723 }
724
SetPackInstallationFree(BundlePackInfo & bundlePackInfo,const InnerBundleInfo & innerBundleInfo) const725 void BundleInstallChecker::SetPackInstallationFree(BundlePackInfo &bundlePackInfo,
726 const InnerBundleInfo &innerBundleInfo) const
727 {
728 if (innerBundleInfo.GetIsNewVersion()) {
729 if (innerBundleInfo.GetApplicationBundleType() != BundleType::ATOMIC_SERVICE) {
730 for (auto &item : bundlePackInfo.summary.modules) {
731 item.distro.installationFree = false;
732 }
733 return;
734 }
735 for (auto &item : bundlePackInfo.summary.modules) {
736 item.distro.installationFree = true;
737 }
738 }
739 }
740
ParseBundleInfo(const std::string & bundleFilePath,InnerBundleInfo & info,BundlePackInfo & packInfo) const741 ErrCode BundleInstallChecker::ParseBundleInfo(
742 const std::string &bundleFilePath,
743 InnerBundleInfo &info,
744 BundlePackInfo &packInfo) const
745 {
746 BundleParser bundleParser;
747 ErrCode result = bundleParser.Parse(bundleFilePath, info);
748 if (result != ERR_OK) {
749 LOG_E(BMS_TAG_INSTALLER, "parse bundle info failed, error: %{public}d", result);
750 return result;
751 }
752
753 const auto extensions = info.GetInnerExtensionInfos();
754 for (const auto &item : extensions) {
755 if (item.second.type == ExtensionAbilityType::UNSPECIFIED &&
756 !BMSEventHandler::CheckExtensionTypeInConfig(item.second.extensionTypeName)) {
757 LOG_W(BMS_TAG_INSTALLER, "Parse error, There is no corresponding type in the configuration");
758 }
759 }
760
761 if (!packInfo.GetValid()) {
762 result = bundleParser.ParsePackInfo(bundleFilePath, packInfo);
763 if (result != ERR_OK) {
764 LOG_E(BMS_TAG_INSTALLER, "parse bundle pack info failed, error: %{public}d", result);
765 return result;
766 }
767
768 SetPackInstallationFree(packInfo, info);
769 info.SetBundlePackInfo(packInfo);
770 packInfo.SetValid(true);
771 }
772
773 return ERR_OK;
774 }
775
SetEntryInstallationFree(const BundlePackInfo & bundlePackInfo,InnerBundleInfo & innerBundleInfo)776 void BundleInstallChecker::SetEntryInstallationFree(
777 const BundlePackInfo &bundlePackInfo,
778 InnerBundleInfo &innerBundleInfo)
779 {
780 if (!bundlePackInfo.GetValid()) {
781 LOG_W(BMS_TAG_INSTALLER, "no pack.info in the hap file");
782 return;
783 }
784
785 auto packageModule = bundlePackInfo.summary.modules;
786 auto installationFree = std::any_of(packageModule.begin(), packageModule.end(), [&](const auto &module) {
787 return module.distro.moduleType == "entry" && module.distro.installationFree;
788 });
789 if (installationFree) {
790 LOG_I(BMS_TAG_INSTALLER, "install or update hm service");
791 }
792 if (innerBundleInfo.GetIsNewVersion()) {
793 installationFree = innerBundleInfo.GetApplicationBundleType() == BundleType::ATOMIC_SERVICE;
794 }
795
796 innerBundleInfo.SetEntryInstallationFree(installationFree);
797 if (installationFree && !innerBundleInfo.GetIsNewVersion()) {
798 innerBundleInfo.SetApplicationBundleType(BundleType::ATOMIC_SERVICE);
799 }
800 }
801
CheckSystemSize(const std::string & bundlePath,const Constants::AppType appType) const802 ErrCode BundleInstallChecker::CheckSystemSize(
803 const std::string &bundlePath,
804 const Constants::AppType appType) const
805 {
806 if ((appType == Constants::AppType::SYSTEM_APP) &&
807 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
808 return ERR_OK;
809 }
810
811 if ((appType == Constants::AppType::THIRD_SYSTEM_APP) &&
812 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
813 return ERR_OK;
814 }
815
816 if ((appType == Constants::AppType::THIRD_PARTY_APP) &&
817 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
818 return ERR_OK;
819 }
820
821 LOG_E(BMS_TAG_INSTALLER, "install failed due to insufficient disk memory");
822 return ERR_APPEXECFWK_INSTALL_DISK_MEM_INSUFFICIENT;
823 }
824
CheckHapHashParams(std::unordered_map<std::string,InnerBundleInfo> & infos,std::map<std::string,std::string> hashParams)825 ErrCode BundleInstallChecker::CheckHapHashParams(
826 std::unordered_map<std::string, InnerBundleInfo> &infos,
827 std::map<std::string, std::string> hashParams)
828 {
829 if (hashParams.empty()) {
830 LOG_D(BMS_TAG_INSTALLER, "hashParams is empty");
831 return ERR_OK;
832 }
833
834 std::vector<std::string> hapModuleNames;
835 for (auto &info : infos) {
836 std::vector<std::string> moduleNames;
837 info.second.GetModuleNames(moduleNames);
838 if (moduleNames.empty()) {
839 LOG_E(BMS_TAG_INSTALLER, "hap(%{public}s) moduleName is empty", info.first.c_str());
840 return ERR_APPEXECFWK_INSTALL_FAILED_MODULE_NAME_EMPTY;
841 }
842
843 if (std::find(hapModuleNames.begin(), hapModuleNames.end(), moduleNames[0]) != hapModuleNames.end()) {
844 LOG_E(BMS_TAG_INSTALLER, "hap moduleName(%{public}s) duplicate", moduleNames[0].c_str());
845 return ERR_APPEXECFWK_INSTALL_FAILED_MODULE_NAME_DUPLICATE;
846 }
847
848 hapModuleNames.emplace_back(moduleNames[0]);
849 auto hashParamIter = hashParams.find(moduleNames[0]);
850 if (hashParamIter != hashParams.end()) {
851 info.second.SetModuleHashValue(hashParamIter->second);
852 hashParams.erase(hashParamIter);
853 }
854 }
855
856 if (!hashParams.empty()) {
857 LOG_E(BMS_TAG_INSTALLER, "Some hashParam moduleName is not exist in hap moduleNames");
858 return ERR_APPEXECFWK_INSTALL_FAILED_CHECK_HAP_HASH_PARAM;
859 }
860
861 return ERR_OK;
862 }
863
GetValidReleaseType(const std::unordered_map<std::string,InnerBundleInfo> & infos)864 std::tuple<bool, std::string, std::string> BundleInstallChecker::GetValidReleaseType(
865 const std::unordered_map<std::string, InnerBundleInfo> &infos)
866 {
867 if (infos.empty()) {
868 LOG_E(BMS_TAG_INSTALLER, "infos is empty");
869 return std::make_tuple(false, "", "");
870 }
871 for (const auto &info : infos) {
872 if (!info.second.IsHsp()) {
873 return std::make_tuple(false, info.second.GetCurModuleName(), info.second.GetReleaseType());
874 }
875 }
876 return std::make_tuple(true, (infos.begin()->second).GetCurModuleName(),
877 (infos.begin()->second).GetReleaseType());
878 }
879
CheckAppLabelInfo(const std::unordered_map<std::string,InnerBundleInfo> & infos)880 ErrCode BundleInstallChecker::CheckAppLabelInfo(
881 const std::unordered_map<std::string, InnerBundleInfo> &infos)
882 {
883 LOG_D(BMS_TAG_INSTALLER, "Check APP label");
884 ErrCode ret = ERR_OK;
885 std::string bundleName = (infos.begin()->second).GetBundleName();
886 uint32_t versionCode = (infos.begin()->second).GetVersionCode();
887 uint32_t minCompatibleVersionCode = (infos.begin()->second).GetMinCompatibleVersionCode();
888 uint32_t target = (infos.begin()->second).GetTargetVersion();
889 auto [isHsp, moduleName, releaseType] = GetValidReleaseType(infos);
890 uint32_t compatible = (infos.begin()->second).GetCompatibleVersion();
891 bool singleton = (infos.begin()->second).IsSingleton();
892 Constants::AppType appType = (infos.begin()->second).GetAppType();
893 bool isStage = (infos.begin()->second).GetIsNewVersion();
894 const std::string targetBundleName = (infos.begin()->second).GetTargetBundleName();
895 int32_t targetPriority = (infos.begin()->second).GetTargetPriority();
896 BundleType bundleType = (infos.begin()->second).GetApplicationBundleType();
897 bool isHmService = (infos.begin()->second).GetEntryInstallationFree();
898 bool debug = (infos.begin()->second).GetBaseApplicationInfo().debug;
899 bool hasEntry = (infos.begin()->second).HasEntry();
900 bool isSameDebugType = true;
901 bool entryDebug = hasEntry ? debug : false;
902
903 for (const auto &info : infos) {
904 // check bundleName
905 if (bundleName != info.second.GetBundleName()) {
906 LOG_E(BMS_TAG_INSTALLER, "bundleName not same");
907 return ERR_APPEXECFWK_INSTALL_BUNDLENAME_NOT_SAME;
908 }
909 // check version
910 if (bundleType != BundleType::SHARED) {
911 if (versionCode != info.second.GetVersionCode()) {
912 LOG_E(BMS_TAG_INSTALLER, "versionCode not same");
913 return ERR_APPEXECFWK_INSTALL_VERSIONCODE_NOT_SAME;
914 }
915 if (minCompatibleVersionCode != info.second.GetMinCompatibleVersionCode()) {
916 LOG_E(BMS_TAG_INSTALLER, "minCompatibleVersionCode not same");
917 return ERR_APPEXECFWK_INSTALL_MINCOMPATIBLE_VERSIONCODE_NOT_SAME;
918 }
919 }
920 // check release type
921 if (target != info.second.GetTargetVersion()) {
922 LOG_E(BMS_TAG_INSTALLER, "target version not same");
923 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_TARGET_NOT_SAME;
924 }
925 if (compatible != info.second.GetCompatibleVersion()) {
926 LOG_E(BMS_TAG_INSTALLER, "compatible version not same");
927 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_COMPATIBLE_NOT_SAME;
928 }
929 if (releaseType != info.second.GetReleaseType()) {
930 LOG_W(BMS_TAG_INSTALLER, "releaseType not same: [%{public}s, %{public}s] vs [%{public}s, %{public}s]",
931 moduleName.c_str(), releaseType.c_str(),
932 info.second.GetCurModuleName().c_str(), info.second.GetReleaseType().c_str());
933 if (!isHsp && !info.second.IsHsp()) {
934 LOG_E(BMS_TAG_INSTALLER, "releaseType not same");
935 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_NOT_SAME;
936 }
937 }
938 if (singleton != info.second.IsSingleton()) {
939 LOG_E(BMS_TAG_INSTALLER, "singleton not same");
940 return ERR_APPEXECFWK_INSTALL_SINGLETON_NOT_SAME;
941 }
942 if (appType != info.second.GetAppType()) {
943 LOG_E(BMS_TAG_INSTALLER, "appType not same");
944 return ERR_APPEXECFWK_INSTALL_APPTYPE_NOT_SAME;
945 }
946 // check model type(FA or stage)
947 if (isStage != info.second.GetIsNewVersion()) {
948 LOG_E(BMS_TAG_INSTALLER, "must be all FA model or all stage model");
949 return ERR_APPEXECFWK_INSTALL_STATE_ERROR;
950 }
951 if (targetBundleName != info.second.GetTargetBundleName()) {
952 LOG_E(BMS_TAG_INSTALLER, "targetBundleName not same");
953 return ERR_BUNDLEMANAGER_OVERLAY_INSTALLATION_FAILED_TARGET_BUNDLE_NAME_NOT_SAME;
954 }
955 if (targetPriority != info.second.GetTargetPriority()) {
956 LOG_E(BMS_TAG_INSTALLER, "targetPriority not same");
957 return ERR_BUNDLEMANAGER_OVERLAY_INSTALLATION_FAILED_TARGET_PRIORITY_NOT_SAME;
958 }
959 if (bundleType != info.second.GetApplicationBundleType()) {
960 LOG_E(BMS_TAG_INSTALLER, "bundleType not same");
961 return ERR_APPEXECFWK_BUNDLE_TYPE_NOT_SAME;
962 }
963 if (isHmService != info.second.GetEntryInstallationFree()) {
964 LOG_E(BMS_TAG_INSTALLER, "application and hm service are not allowed installed simultaneously");
965 return ERR_APPEXECFWK_INSTALL_TYPE_ERROR;
966 }
967 if (debug != info.second.GetBaseApplicationInfo().debug) {
968 LOG_E(BMS_TAG_INSTALLER, "debug not same");
969 isSameDebugType = false;
970 }
971 if (!hasEntry) {
972 hasEntry = info.second.HasEntry();
973 entryDebug = info.second.GetBaseApplicationInfo().debug;
974 }
975 }
976
977 if (hasEntry && !entryDebug && (debug || !isSameDebugType)) {
978 LOG_E(BMS_TAG_INSTALLER, "debug type not same");
979 return ERR_APPEXECFWK_INSTALL_DEBUG_NOT_SAME;
980 }
981 LOG_D(BMS_TAG_INSTALLER, "finish check APP label");
982 return ret;
983 }
984
CheckMultiNativeFile(std::unordered_map<std::string,InnerBundleInfo> & infos)985 ErrCode BundleInstallChecker::CheckMultiNativeFile(
986 std::unordered_map<std::string, InnerBundleInfo> &infos)
987 {
988 ErrCode result = CheckMultiNativeSo(infos);
989 if (result != ERR_OK) {
990 LOG_E(BMS_TAG_INSTALLER, "Check multi nativeSo failed, result: %{public}d", result);
991 return result;
992 }
993
994 result = CheckMultiArkNativeFile(infos);
995 if (result != ERR_OK) {
996 LOG_E(BMS_TAG_INSTALLER, "Check multi arkNativeFile failed, result: %{public}d", result);
997 return result;
998 }
999
1000 return ERR_OK;
1001 }
1002
CheckMultiArkNativeFile(std::unordered_map<std::string,InnerBundleInfo> & infos)1003 ErrCode BundleInstallChecker::CheckMultiArkNativeFile(
1004 std::unordered_map<std::string, InnerBundleInfo> &infos)
1005 {
1006 std::string arkNativeFileAbi = (infos.begin()->second).GetArkNativeFileAbi();
1007 for (const auto &info : infos) {
1008 if (info.second.GetArkNativeFileAbi().empty()) {
1009 continue;
1010 }
1011 if (arkNativeFileAbi.empty()) {
1012 arkNativeFileAbi = info.second.GetArkNativeFileAbi();
1013 continue;
1014 }
1015 }
1016
1017 // Ensure the an is consistent in multiple haps
1018 if (!arkNativeFileAbi.empty()) {
1019 for (auto &info : infos) {
1020 info.second.SetArkNativeFileAbi(arkNativeFileAbi);
1021 }
1022 }
1023
1024 return ERR_OK;
1025 }
1026
CheckMultiNativeSo(std::unordered_map<std::string,InnerBundleInfo> & infos)1027 ErrCode BundleInstallChecker::CheckMultiNativeSo(
1028 std::unordered_map<std::string, InnerBundleInfo> &infos)
1029 {
1030 std::string nativeLibraryPath = (infos.begin()->second).GetNativeLibraryPath();
1031 std::string cpuAbi = (infos.begin()->second).GetCpuAbi();
1032 for (const auto &info : infos) {
1033 if (info.second.GetNativeLibraryPath().empty()) {
1034 continue;
1035 }
1036 if (nativeLibraryPath.empty()) {
1037 nativeLibraryPath = info.second.GetNativeLibraryPath();
1038 cpuAbi = info.second.GetCpuAbi();
1039 continue;
1040 }
1041 }
1042
1043 // Ensure the so is consistent in multiple haps
1044 if (!nativeLibraryPath.empty()) {
1045 for (auto &info : infos) {
1046 info.second.SetNativeLibraryPath(nativeLibraryPath);
1047 info.second.SetCpuAbi(cpuAbi);
1048 }
1049 }
1050
1051 return ERR_OK;
1052 }
1053
ResetProperties()1054 void BundleInstallChecker::ResetProperties()
1055 {
1056 isContainEntry_ = false;
1057 }
1058
ParseAppPrivilegeCapability(const Security::Verify::ProvisionInfo & provisionInfo,AppPrivilegeCapability & appPrivilegeCapability)1059 void BundleInstallChecker::ParseAppPrivilegeCapability(
1060 const Security::Verify::ProvisionInfo &provisionInfo,
1061 AppPrivilegeCapability &appPrivilegeCapability)
1062 {
1063 for (const auto &appPrivilege : provisionInfo.appPrivilegeCapabilities) {
1064 auto iter = PRIVILEGE_MAP.find(appPrivilege);
1065 if (iter != PRIVILEGE_MAP.end()) {
1066 iter->second(appPrivilegeCapability);
1067 }
1068 }
1069 LOG_D(BMS_TAG_INSTALLER, "AppPrivilegeCapability %{public}s",
1070 appPrivilegeCapability.ToString().c_str());
1071 #ifndef USE_PRE_BUNDLE_PROFILE
1072 appPrivilegeCapability.allowMultiProcess = true;
1073 appPrivilegeCapability.allowUsePrivilegeExtension = true;
1074 #endif
1075 }
1076
CheckModuleNameForMulitHaps(const std::unordered_map<std::string,InnerBundleInfo> & infos)1077 ErrCode BundleInstallChecker::CheckModuleNameForMulitHaps(
1078 const std::unordered_map<std::string, InnerBundleInfo> &infos)
1079 {
1080 std::set<std::string> moduleSet;
1081 for (const auto &info : infos) {
1082 std::vector<std::string> moduleVec = info.second.GetDistroModuleName();
1083 if (moduleVec.empty()) {
1084 LOG_E(BMS_TAG_INSTALLER, "moduleName vector is empty");
1085 return ERR_APPEXECFWK_INSTALL_INTERNAL_ERROR;
1086 }
1087 if (moduleSet.count(moduleVec[0])) {
1088 LOG_E(BMS_TAG_INSTALLER, "the moduleName: %{public}s is not unique in the haps", moduleVec[0].c_str());
1089 SetCheckResultMsg("the moduleName: " + moduleVec[0] + " is not unique in the haps");
1090 return ERR_APPEXECFWK_INSTALL_NOT_UNIQUE_DISTRO_MODULE_NAME;
1091 }
1092 moduleSet.insert(moduleVec[0]);
1093 }
1094 return ERR_OK;
1095 }
1096
IsExistedDistroModule(const InnerBundleInfo & newInfo,const InnerBundleInfo & info) const1097 bool BundleInstallChecker::IsExistedDistroModule(const InnerBundleInfo &newInfo, const InnerBundleInfo &info) const
1098 {
1099 std::string moduleName = newInfo.GetCurModuleName();
1100 std::string packageName = newInfo.GetCurrentModulePackage();
1101 if (packageName.empty() || moduleName.empty()) {
1102 LOG_E(BMS_TAG_INSTALLER, "IsExistedDistroModule failed due to invalid packageName or moduleName");
1103 return false;
1104 }
1105 std::string oldModuleName = info.GetModuleNameByPackage(packageName);
1106 // if FA update to Stage, allow module name inconsistent
1107 bool isFAToStage = !info.GetIsNewVersion() && newInfo.GetIsNewVersion();
1108 if (!isFAToStage) {
1109 // if not FA update to Stage, check consistency of module name
1110 if (moduleName.compare(oldModuleName) != 0) {
1111 LOG_E(BMS_TAG_INSTALLER, "no moduleName in the innerModuleInfo");
1112 return false;
1113 }
1114 }
1115 // check consistency of module type
1116 std::string newModuleType = newInfo.GetModuleTypeByPackage(packageName);
1117 std::string oldModuleType = info.GetModuleTypeByPackage(packageName);
1118 if (newModuleType.compare(oldModuleType) != 0) {
1119 LOG_E(BMS_TAG_INSTALLER, "moduleType is different between the new hap and the original hap");
1120 return false;
1121 }
1122
1123 return true;
1124 }
1125
IsContainModuleName(const InnerBundleInfo & newInfo,const InnerBundleInfo & info) const1126 bool BundleInstallChecker::IsContainModuleName(const InnerBundleInfo &newInfo, const InnerBundleInfo &info) const
1127 {
1128 std::string moduleName = newInfo.GetCurModuleName();
1129 std::vector<std::string> moduleVec = info.GetDistroModuleName();
1130 if (moduleName.empty() || moduleVec.empty()) {
1131 LOG_E(BMS_TAG_INSTALLER, "IsContainModuleName failed due to invalid moduleName or modulevec");
1132 return false;
1133 }
1134 return (find(moduleVec.cbegin(), moduleVec.cend(), moduleName) == moduleVec.cend()) ? false : true;
1135 }
1136
CheckMainElement(const InnerBundleInfo & info)1137 ErrCode BundleInstallChecker::CheckMainElement(const InnerBundleInfo &info)
1138 {
1139 const std::map<std::string, InnerModuleInfo> &innerModuleInfos = info.GetInnerModuleInfos();
1140 if (innerModuleInfos.empty()) {
1141 return ERR_OK;
1142 }
1143 if (innerModuleInfos.cbegin()->second.distro.moduleType == Profile::MODULE_TYPE_SHARED) {
1144 return ERR_OK;
1145 }
1146 if (info.GetEntryInstallationFree() && innerModuleInfos.cbegin()->second.mainAbility.empty()) {
1147 LOG_E(BMS_TAG_INSTALLER, "atomic service's mainElement can't be empty");
1148 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1149 }
1150 return ERR_OK;
1151 }
1152
GetPrivilegeCapabilityValue(const std::vector<std::string> & existInJson,const std::string & key,bool existInPreJson,bool existInProvision)1153 bool BundleInstallChecker::GetPrivilegeCapabilityValue(
1154 const std::vector<std::string> &existInJson,
1155 const std::string &key,
1156 bool existInPreJson,
1157 bool existInProvision)
1158 {
1159 if (find(existInJson.cbegin(), existInJson.cend(), key) != existInJson.cend()) {
1160 return existInPreJson;
1161 }
1162 return existInProvision;
1163 }
1164
FetchPrivilegeCapabilityFromPreConfig(const std::string & bundleName,const std::vector<std::string> & appSignatures,AppPrivilegeCapability & appPrivilegeCapability)1165 void BundleInstallChecker::FetchPrivilegeCapabilityFromPreConfig(
1166 const std::string &bundleName,
1167 const std::vector<std::string> &appSignatures,
1168 AppPrivilegeCapability &appPrivilegeCapability)
1169 {
1170 #ifdef USE_PRE_BUNDLE_PROFILE
1171 LOG_D(BMS_TAG_INSTALLER, "bundleName: %{public}s, FetchPrivilegeCapabilityFromPreConfig start", bundleName.c_str());
1172 PreBundleConfigInfo configInfo;
1173 configInfo.bundleName = bundleName;
1174 if (!BMSEventHandler::GetPreInstallCapability(configInfo)) {
1175 LOG_D(BMS_TAG_INSTALLER, "bundleName: %{public}s is not exist in pre install capability list",
1176 bundleName.c_str());
1177 return;
1178 }
1179 bool match = false;
1180 for (const auto &signature : appSignatures) {
1181 if (MatchSignature(configInfo.appSignature, signature)) {
1182 match = true;
1183 break;
1184 }
1185 }
1186 if (!match && !MatchOldSignatures(bundleName, configInfo.appSignature)) {
1187 LOG_NOFUNC_E(BMS_TAG_INSTALLER, "bundleName: %{public}s signature verify failed in capability list",
1188 bundleName.c_str());
1189 return;
1190 }
1191
1192 appPrivilegeCapability.allowUsePrivilegeExtension = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1193 ALLOW_APP_USE_PRIVILEGE_EXTENSION,
1194 configInfo.allowUsePrivilegeExtension, appPrivilegeCapability.allowUsePrivilegeExtension);
1195
1196 appPrivilegeCapability.allowMultiProcess = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1197 ALLOW_APP_MULTI_PROCESS, configInfo.allowMultiProcess, appPrivilegeCapability.allowMultiProcess);
1198
1199 appPrivilegeCapability.hideDesktopIcon = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1200 ALLOW_APP_DESKTOP_ICON_HIDE, configInfo.hideDesktopIcon, appPrivilegeCapability.hideDesktopIcon);
1201
1202 appPrivilegeCapability.allowQueryPriority = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1203 ALLOW_ABILITY_PRIORITY_QUERIED, configInfo.allowQueryPriority, appPrivilegeCapability.allowQueryPriority);
1204
1205 appPrivilegeCapability.allowExcludeFromMissions = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1206 ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS,
1207 configInfo.allowExcludeFromMissions, appPrivilegeCapability.allowExcludeFromMissions);
1208
1209 appPrivilegeCapability.allowMissionNotCleared = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1210 ALLOW_MISSION_NOT_CLEARED, configInfo.allowMissionNotCleared, appPrivilegeCapability.allowMissionNotCleared);
1211
1212 appPrivilegeCapability.formVisibleNotify = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1213 ALLOW_FORM_VISIBLE_NOTIFY, configInfo.formVisibleNotify, appPrivilegeCapability.formVisibleNotify);
1214
1215 appPrivilegeCapability.userDataClearable = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1216 ALLOW_APP_DATA_NOT_CLEARED, configInfo.userDataClearable, appPrivilegeCapability.userDataClearable);
1217
1218 appPrivilegeCapability.appShareLibrary = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1219 ALLOW_APP_SHARE_LIBRARY, configInfo.appShareLibrary, appPrivilegeCapability.appShareLibrary);
1220
1221 appPrivilegeCapability.allowEnableNotification = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1222 ALLOW_ENABLE_NOTIFICATION, configInfo.allowEnableNotification, appPrivilegeCapability.allowEnableNotification);
1223 LOG_D(BMS_TAG_INSTALLER, "AppPrivilegeCapability %{public}s", appPrivilegeCapability.ToString().c_str());
1224 #endif
1225 }
1226
MatchOldSignatures(const std::string & bundleName,const std::vector<std::string> & appSignatures)1227 bool BundleInstallChecker::MatchOldSignatures(const std::string &bundleName,
1228 const std::vector<std::string> &appSignatures)
1229 {
1230 std::vector<std::string> oldAppIds;
1231 std::shared_ptr<BundleDataMgr> dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
1232 if (!dataMgr->GetOldAppIds(bundleName, oldAppIds)) {
1233 LOG_D(BMS_TAG_INSTALLER, "Get OldAppIds failed");
1234 return false;
1235 }
1236 for (const auto &signature : appSignatures) {
1237 if (std::find(oldAppIds.begin(), oldAppIds.end(), signature) != oldAppIds.end()) {
1238 return true;
1239 }
1240 }
1241
1242 return false;
1243 }
1244
MatchSignature(const std::vector<std::string> & appSignatures,const std::string & signature)1245 bool BundleInstallChecker::MatchSignature(
1246 const std::vector<std::string> &appSignatures, const std::string &signature)
1247 {
1248 if (appSignatures.empty() || signature.empty()) {
1249 LOG_W(BMS_TAG_INSTALLER, "appSignature of signature is empty");
1250 return false;
1251 }
1252
1253 return std::find(
1254 appSignatures.begin(), appSignatures.end(), signature) != appSignatures.end();
1255 }
1256
ProcessBundleInfoByPrivilegeCapability(const AppPrivilegeCapability & appPrivilegeCapability,InnerBundleInfo & innerBundleInfo)1257 ErrCode BundleInstallChecker::ProcessBundleInfoByPrivilegeCapability(
1258 const AppPrivilegeCapability &appPrivilegeCapability,
1259 InnerBundleInfo &innerBundleInfo)
1260 {
1261 // process application
1262 ApplicationInfo applicationInfo = innerBundleInfo.GetBaseApplicationInfo();
1263 if (!appPrivilegeCapability.allowMultiProcess || applicationInfo.process.empty()) {
1264 applicationInfo.process = applicationInfo.bundleName;
1265 }
1266 applicationInfo.allowEnableNotification = appPrivilegeCapability.allowEnableNotification;
1267 innerBundleInfo.SetBaseApplicationInfo(applicationInfo);
1268 BundleInfo bundleInfo = innerBundleInfo.GetBaseBundleInfo();
1269 // process allow app share library
1270 if (applicationInfo.bundleType == BundleType::SHARED && !appPrivilegeCapability.appShareLibrary) {
1271 LOG_E(BMS_TAG_INSTALLER, "not allow app share library");
1272 return ERR_APPEXECFWK_INSTALL_SHARE_APP_LIBRARY_NOT_ALLOWED;
1273 }
1274 // process ability
1275 auto &abilityInfos = innerBundleInfo.FetchAbilityInfos();
1276 for (auto iter = abilityInfos.begin(); iter != abilityInfos.end(); ++iter) {
1277 #ifdef USE_PRE_BUNDLE_PROFILE
1278 if (!appPrivilegeCapability.allowQueryPriority) {
1279 iter->second.priority = 0;
1280 }
1281 if (!appPrivilegeCapability.allowExcludeFromMissions) {
1282 iter->second.excludeFromMissions = false;
1283 }
1284 if (!appPrivilegeCapability.allowMissionNotCleared) {
1285 iter->second.unclearableMission = false;
1286 }
1287 #else
1288 if (!applicationInfo.isSystemApp || !bundleInfo.isPreInstallApp) {
1289 iter->second.priority = 0;
1290 iter->second.excludeFromMissions = false;
1291 }
1292 #endif
1293 }
1294 // process ExtensionAbility
1295 auto &extensionAbilityInfos = innerBundleInfo.FetchInnerExtensionInfos();
1296 for (auto iter = extensionAbilityInfos.begin(); iter != extensionAbilityInfos.end(); ++iter) {
1297 bool privilegeType = IsPrivilegeExtensionAbilityType(iter->second.type);
1298 if (privilegeType && !appPrivilegeCapability.allowUsePrivilegeExtension) {
1299 LOG_E(BMS_TAG_INSTALLER, "not allow use privilege extension");
1300 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1301 }
1302
1303 bool systemType = IsSystemExtensionAbilityType(iter->second.type);
1304 if (systemType && !applicationInfo.isSystemApp) {
1305 LOG_E(BMS_TAG_INSTALLER, "not allow use system extension");
1306 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1307 }
1308
1309 #ifdef USE_PRE_BUNDLE_PROFILE
1310 if (!appPrivilegeCapability.allowQueryPriority) {
1311 iter->second.priority = 0;
1312 }
1313 #else
1314 if (!applicationInfo.isSystemApp || !bundleInfo.isPreInstallApp) {
1315 iter->second.priority = 0;
1316 }
1317 #endif
1318 if (appPrivilegeCapability.allowMultiProcess) {
1319 LOG_D(BMS_TAG_INSTALLER, "%{public}s support allowMultiProcess", iter->second.bundleName.c_str());
1320 auto hapModuleInfo = innerBundleInfo.GetInnerModuleInfoByModuleName(iter->second.moduleName);
1321 if (hapModuleInfo && !hapModuleInfo->process.empty()) {
1322 iter->second.process = hapModuleInfo->process;
1323 }
1324 }
1325 }
1326 // process InnerModuleInfo
1327 auto &innerModuleInfos = innerBundleInfo.FetchInnerModuleInfos();
1328 for (auto iter = innerModuleInfos.begin(); iter != innerModuleInfos.end(); ++iter) {
1329 if (iter->second.isModuleJson && (!appPrivilegeCapability.allowMultiProcess || iter->second.process.empty())) {
1330 iter->second.process = applicationInfo.bundleName;
1331 }
1332 }
1333 return ERR_OK;
1334 }
1335
CheckSupportAppTypes(const std::unordered_map<std::string,InnerBundleInfo> & infos,const std::string & supportAppTypes) const1336 bool BundleInstallChecker::CheckSupportAppTypes(
1337 const std::unordered_map<std::string, InnerBundleInfo> &infos, const std::string &supportAppTypes) const
1338 {
1339 LOG_D(BMS_TAG_INSTALLER, "CheckSupportAppTypes begin, supportAppTypes: %{public}s", supportAppTypes.c_str());
1340 std::vector<std::string> appTypesVec;
1341 OHOS::SplitStr(supportAppTypes, SUPPORT_APP_TYPES_SEPARATOR, appTypesVec);
1342 if (find(appTypesVec.begin(), appTypesVec.end(), DEVICE_TYPE_OF_DEFAULT) != appTypesVec.end() &&
1343 find(appTypesVec.begin(), appTypesVec.end(), DEVICE_TYPE_OF_PHONE) == appTypesVec.end()) {
1344 appTypesVec.emplace_back(DEVICE_TYPE_OF_PHONE);
1345 }
1346 sort(appTypesVec.begin(), appTypesVec.end());
1347 for (const auto &info : infos) {
1348 std::vector<std::string> devVec = info.second.GetDeviceType(info.second.GetCurrentModulePackage());
1349 if (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_DEFAULT) != devVec.end() &&
1350 find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_PHONE) == devVec.end()) {
1351 devVec.emplace_back(DEVICE_TYPE_OF_PHONE);
1352 }
1353 sort(devVec.begin(), devVec.end());
1354 std::vector<std::string> intersectionVec;
1355 set_intersection(appTypesVec.begin(), appTypesVec.end(),
1356 devVec.begin(), devVec.end(), back_inserter(intersectionVec));
1357 if (intersectionVec.empty()) {
1358 LOG_W(BMS_TAG_INSTALLER, "check supportAppTypes failed");
1359 return false;
1360 }
1361 }
1362 return true;
1363 }
1364
CheckDeviceType(std::unordered_map<std::string,InnerBundleInfo> & infos) const1365 ErrCode BundleInstallChecker::CheckDeviceType(std::unordered_map<std::string, InnerBundleInfo> &infos) const
1366 {
1367 std::string supportAppTypes = OHOS::system::GetParameter(SUPPORT_APP_TYPES, "");
1368 if (!supportAppTypes.empty() && CheckSupportAppTypes(infos, supportAppTypes)) {
1369 return ERR_OK;
1370 }
1371 std::string deviceType = GetDeviceType();
1372 LOG_D(BMS_TAG_INSTALLER, "deviceType is %{public}s", deviceType.c_str());
1373 for (const auto &info : infos) {
1374 std::vector<std::string> devVec = info.second.GetDeviceType(info.second.GetCurrentModulePackage());
1375 if (devVec.empty()) {
1376 LOG_W(BMS_TAG_INSTALLER, "deviceTypes is empty");
1377 continue;
1378 }
1379
1380 if ((deviceType == DEVICE_TYPE_OF_PHONE) &&
1381 (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_DEFAULT) != devVec.end())) {
1382 LOG_W(BMS_TAG_INSTALLER, "current deviceType is phone and bundle is matched with default");
1383 continue;
1384 }
1385
1386 if ((deviceType == DEVICE_TYPE_OF_DEFAULT) &&
1387 (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_PHONE) != devVec.end())) {
1388 LOG_W(BMS_TAG_INSTALLER, "current deviceType is default and bundle is matched with phone");
1389 continue;
1390 }
1391
1392 if (find(devVec.begin(), devVec.end(), deviceType) == devVec.end()) {
1393 LOG_E(BMS_TAG_INSTALLER, "%{public}s is not supported", deviceType.c_str());
1394 return ERR_APPEXECFWK_INSTALL_DEVICE_TYPE_NOT_SUPPORTED;
1395 }
1396 }
1397 return ERR_OK;
1398 }
1399
ConvertToAppProvisionInfo(const Security::Verify::ProvisionInfo & provisionInfo) const1400 AppProvisionInfo BundleInstallChecker::ConvertToAppProvisionInfo(
1401 const Security::Verify::ProvisionInfo &provisionInfo) const
1402 {
1403 AppProvisionInfo appProvisionInfo;
1404 appProvisionInfo.versionCode = provisionInfo.versionCode;
1405 appProvisionInfo.versionName = provisionInfo.versionName;
1406 if (provisionInfo.type == Security::Verify::ProvisionType::DEBUG) {
1407 appProvisionInfo.type = Constants::APP_PROVISION_TYPE_DEBUG;
1408 appProvisionInfo.certificate = provisionInfo.bundleInfo.developmentCertificate;
1409 } else {
1410 appProvisionInfo.type = Constants::APP_PROVISION_TYPE_RELEASE;
1411 appProvisionInfo.certificate = provisionInfo.bundleInfo.distributionCertificate;
1412 }
1413 appProvisionInfo.appDistributionType = GetAppDistributionType(provisionInfo.distributionType);
1414 appProvisionInfo.apl = provisionInfo.bundleInfo.apl.empty() ? APL_NORMAL : provisionInfo.bundleInfo.apl;
1415 appProvisionInfo.developerId = provisionInfo.bundleInfo.developerId;
1416 appProvisionInfo.issuer = provisionInfo.issuer;
1417 appProvisionInfo.uuid = provisionInfo.uuid;
1418 appProvisionInfo.validity.notBefore = provisionInfo.validity.notBefore;
1419 appProvisionInfo.validity.notAfter = provisionInfo.validity.notAfter;
1420 appProvisionInfo.appIdentifier = provisionInfo.bundleInfo.appIdentifier;
1421 appProvisionInfo.appServiceCapabilities = provisionInfo.appServiceCapabilities;
1422 appProvisionInfo.organization = provisionInfo.organization;
1423 return appProvisionInfo;
1424 }
1425
GetBundleNameFromUri(const std::string & uri)1426 std::string GetBundleNameFromUri(const std::string &uri)
1427 {
1428 std::size_t firstSlashPos = uri.find(DOUBLE_SLASH);
1429 if (firstSlashPos == std::string::npos) {
1430 LOG_E(BMS_TAG_INSTALLER, "dataproxy uri is invalid");
1431 return Constants::EMPTY_STRING;
1432 }
1433
1434 std::size_t secondSlashPos = uri.find(SLASH, firstSlashPos + SLAH_OFFSET);
1435 if (secondSlashPos == std::string::npos) {
1436 LOG_E(BMS_TAG_INSTALLER, "dataproxy uri is invalid");
1437 return Constants::EMPTY_STRING;
1438 }
1439
1440 std::string bundleName = uri.substr(firstSlashPos + SLAH_OFFSET, secondSlashPos - firstSlashPos - SLAH_OFFSET);
1441 return bundleName;
1442 }
1443
CheckProxyPermissionLevel(const std::string & permissionName) const1444 bool BundleInstallChecker::CheckProxyPermissionLevel(const std::string &permissionName) const
1445 {
1446 // no permission name, only for self usage
1447 if (permissionName.empty()) {
1448 return true;
1449 }
1450 PermissionDef permissionDef;
1451 ErrCode ret = BundlePermissionMgr::GetPermissionDef(permissionName, permissionDef);
1452 if (ret != ERR_OK) {
1453 LOG_E(BMS_TAG_INSTALLER, "getPermissionDef failed");
1454 return false;
1455 }
1456 if (permissionDef.availableLevel < Security::AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC) {
1457 LOG_E(BMS_TAG_INSTALLER, "permission %{public}s level too low", permissionName.c_str());
1458 return false;
1459 }
1460 return true;
1461 }
1462
CheckProxyDatas(const InnerBundleInfo & innerBundleInfo) const1463 ErrCode BundleInstallChecker::CheckProxyDatas(const InnerBundleInfo &innerBundleInfo) const
1464 {
1465 auto bundleName = innerBundleInfo.GetBundleName();
1466 auto moduleInfos = innerBundleInfo.GetInnerModuleInfos();
1467 if (moduleInfos.empty()) {
1468 return ERR_OK;
1469 }
1470 for (const auto &moduleInfo : moduleInfos) {
1471 for (const auto &proxyData : moduleInfo.second.proxyDatas) {
1472 auto name = GetBundleNameFromUri(proxyData.uri);
1473 if (bundleName != name) {
1474 LOG_E(BMS_TAG_INSTALLER, "bundleName from uri %{public}s different from origin bundleName %{public}s",
1475 name.c_str(), bundleName.c_str());
1476 return ERR_APPEXECFWK_INSTALL_CHECK_PROXY_DATA_URI_FAILED;
1477 }
1478 if (innerBundleInfo.IsSystemApp()) {
1479 continue;
1480 }
1481 if (!CheckProxyPermissionLevel(proxyData.requiredReadPermission)
1482 || !CheckProxyPermissionLevel(proxyData.requiredWritePermission)) {
1483 return ERR_APPEXECFWK_INSTALL_CHECK_PROXY_DATA_PERMISSION_FAILED;
1484 }
1485 }
1486 }
1487 return ERR_OK;
1488 }
1489
CheckSupportIsolation(const char * szIsolationModeThresholdMb,const std::string & isolationMode)1490 bool CheckSupportIsolation(const char *szIsolationModeThresholdMb, const std::string &isolationMode)
1491 {
1492 if ((std::strcmp(szIsolationModeThresholdMb, VALUE_TRUE.c_str()) == 0) ||
1493 (std::strcmp(szIsolationModeThresholdMb, VALUE_TRUE_BOOL.c_str()) == 0)) {
1494 if (isolationMode == NONISOLATION_ONLY) {
1495 LOG_E(BMS_TAG_INSTALLER, "check isolation mode failed");
1496 return false;
1497 }
1498 } else {
1499 if (isolationMode == ISOLATION_ONLY) {
1500 LOG_E(BMS_TAG_INSTALLER, "check isolation mode failed");
1501 return false;
1502 }
1503 }
1504 return true;
1505 }
1506
CheckIsolationMode(const std::unordered_map<std::string,InnerBundleInfo> & infos) const1507 ErrCode BundleInstallChecker::CheckIsolationMode(const std::unordered_map<std::string, InnerBundleInfo> &infos) const
1508 {
1509 for (const auto &info : infos) {
1510 auto moduleInfos = info.second.GetInnerModuleInfos();
1511 for (const auto &moduleInfo : moduleInfos) {
1512 std::string isolationMode = moduleInfo.second.isolationMode;
1513 char szIsolationModeThresholdMb[THRESHOLD_VAL_LEN] = {0};
1514 int32_t ret = GetParameter(SUPPORT_ISOLATION_MODE.c_str(), "",
1515 szIsolationModeThresholdMb, THRESHOLD_VAL_LEN);
1516 if (ret <= 0) {
1517 LOG_W(BMS_TAG_INSTALLER, "GetParameter failed");
1518 }
1519 if (!CheckSupportIsolation(szIsolationModeThresholdMb, isolationMode)) {
1520 LOG_E(BMS_TAG_INSTALLER, "check isolation mode failed");
1521 return ERR_APPEXECFWK_INSTALL_ISOLATION_MODE_FAILED;
1522 }
1523 }
1524 }
1525 return ERR_OK;
1526 }
1527
CheckSignatureFileDir(const std::string & signatureFileDir) const1528 ErrCode BundleInstallChecker::CheckSignatureFileDir(const std::string &signatureFileDir) const
1529 {
1530 if (!BundleUtil::CheckFileName(signatureFileDir)) {
1531 LOG_E(BMS_TAG_INSTALLER, "code signature file dir is invalid");
1532 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1533 }
1534 if (!BundleUtil::CheckFileType(signatureFileDir, ServiceConstants::CODE_SIGNATURE_FILE_SUFFIX)) {
1535 LOG_E(BMS_TAG_INSTALLER, "signatureFileDir is not suffixed with .sig");
1536 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1537 }
1538 // signatureFileDir not support relevant dir
1539 if (signatureFileDir.find(ServiceConstants::RELATIVE_PATH) != std::string::npos) {
1540 LOG_E(BMS_TAG_INSTALLER, "signatureFileDir is invalid");
1541 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1542 }
1543 return ERR_OK;
1544 }
1545
CheckDeveloperMode(const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes) const1546 ErrCode BundleInstallChecker::CheckDeveloperMode(
1547 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes) const
1548 {
1549 if (system::GetBoolParameter(ServiceConstants::DEVELOPERMODE_STATE, true)) {
1550 return ERR_OK;
1551 }
1552 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
1553 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
1554 if (provisionInfo.type == Security::Verify::ProvisionType::DEBUG) {
1555 LOG_E(BMS_TAG_INSTALLER, "debug bundle can only be installed in developer mode");
1556 return ERR_APPEXECFWK_INSTALL_DEBUG_BUNDLE_NOT_ALLOWED;
1557 }
1558 }
1559 return ERR_OK;
1560 }
1561
CheckAllowEnterpriseBundle(const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes) const1562 ErrCode BundleInstallChecker::CheckAllowEnterpriseBundle(
1563 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes) const
1564 {
1565 if (system::GetBoolParameter(ServiceConstants::ALLOW_ENTERPRISE_BUNDLE, false) ||
1566 system::GetBoolParameter(ServiceConstants::IS_ENTERPRISE_DEVICE, false) ||
1567 system::GetBoolParameter(ServiceConstants::DEVELOPERMODE_STATE, false)) {
1568 return ERR_OK;
1569 }
1570 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
1571 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
1572 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
1573 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
1574 LOG_E(BMS_TAG_INSTALLER, "enterprise normal/mdm bundle cannot be installed on non-enterprise device");
1575 return ERR_APPEXECFWK_INSTALL_ENTERPRISE_BUNDLE_NOT_ALLOWED;
1576 }
1577 }
1578 return ERR_OK;
1579 }
1580
CheckEnterpriseBundle(Security::Verify::HapVerifyResult & hapVerifyRes) const1581 bool BundleInstallChecker::CheckEnterpriseBundle(Security::Verify::HapVerifyResult &hapVerifyRes) const
1582 {
1583 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes.GetProvisionInfo();
1584 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
1585 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM ||
1586 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
1587 return true;
1588 }
1589 return false;
1590 }
1591
GetCheckResultMsg() const1592 std::string BundleInstallChecker::GetCheckResultMsg() const
1593 {
1594 return checkResultMsg_;
1595 }
1596
SetCheckResultMsg(const std::string checkResultMsg)1597 void BundleInstallChecker::SetCheckResultMsg(const std::string checkResultMsg)
1598 {
1599 checkResultMsg_ = checkResultMsg;
1600 }
1601
DetermineCloneNum(InnerBundleInfo & innerBundleInfo)1602 void BundleInstallChecker::DetermineCloneNum(InnerBundleInfo &innerBundleInfo)
1603 {
1604 ApplicationInfo applicationInfo = innerBundleInfo.GetBaseApplicationInfo();
1605 if (applicationInfo.multiAppMode.multiAppModeType != MultiAppModeType::APP_CLONE
1606 || applicationInfo.multiAppMode.maxCount == 0) {
1607 BmsExtensionDataMgr bmsExtensionDataMgr;
1608 int32_t cloneNum = 0;
1609 const std::string appIdentifier = innerBundleInfo.GetAppIdentifier();
1610 if (!bmsExtensionDataMgr.DetermineCloneNum(applicationInfo.bundleName, appIdentifier, cloneNum)) {
1611 return;
1612 }
1613 LOG_I(BMS_TAG_INSTALLER, "install -n %{public}s -c %{public}d",
1614 applicationInfo.bundleName.c_str(), cloneNum);
1615 if (cloneNum == 0) {
1616 return;
1617 }
1618 applicationInfo.multiAppMode.multiAppModeType = MultiAppModeType::APP_CLONE;
1619 applicationInfo.multiAppMode.maxCount = cloneNum;
1620 innerBundleInfo.SetBaseApplicationInfo(applicationInfo);
1621 }
1622 }
1623
1624 } // namespace AppExecFwk
1625 } // namespace OHOS