1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_record_manager.h"
17
18 #include <algorithm>
19 #include <cinttypes>
20 #include <numeric>
21
22 #include "ability_manager_access_client.h"
23 #include "access_token.h"
24 #include "accesstoken_kit.h"
25 #include "accesstoken_log.h"
26 #include "active_status_callback_manager.h"
27 #include "app_manager_access_client.h"
28 #include "audio_manager_privacy_client.h"
29 #include "camera_manager_privacy_client.h"
30 #include "config_policy_loader.h"
31 #include "constant.h"
32 #include "constant_common.h"
33 #include "data_translator.h"
34 #include "i_state_change_callback.h"
35 #include "iservice_registry.h"
36 #include "libraryloader.h"
37 #include "parameter.h"
38 #include "parcel_utils.h"
39 #include "permission_used_record_db.h"
40 #include "power_manager_client.h"
41 #include "privacy_error.h"
42 #include "privacy_field_const.h"
43 #include "refbase.h"
44 #include "state_change_callback_proxy.h"
45 #include "system_ability_definition.h"
46 #include "time_util.h"
47 #include "want.h"
48 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
49 #include "privacy_window_manager_client.h"
50 #include "scene_board_judgement.h"
51 #endif
52
53 namespace OHOS {
54 namespace Security {
55 namespace AccessToken {
56 namespace {
57 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {
58 LOG_CORE, SECURITY_DOMAIN_PRIVACY, "PermissionRecordManager"
59 };
60 static const int32_t VALUE_MAX_LEN = 32;
61 constexpr const char* DEFAULT_DEVICEID = "0";
62 constexpr const char* CAMERA_PERMISSION_NAME = "ohos.permission.CAMERA";
63 constexpr const char* MICROPHONE_PERMISSION_NAME = "ohos.permission.MICROPHONE";
64 constexpr const char* EDM_MIC_MUTE_KEY = "persist.edm.mic_disable";
65 constexpr const char* DEFAULT_PERMISSION_MANAGER_BUNDLE_NAME = "com.ohos.permissionmanager";
66 constexpr const char* DEFAULT_PERMISSION_MANAGER_DIALOG_ABILITY = "com.ohos.permissionmanager.GlobalExtAbility";
67 constexpr const char* RESOURCE_KEY = "ohos.sensitive.resource";
68 static const int32_t DEFAULT_PERMISSION_USED_RECORD_SIZE_MAXIMUM = 500000;
69 static const int32_t DEFAULT_PERMISSION_USED_RECORD_AGING_TIME = 7;
70 static const uint32_t NORMAL_TYPE_ADD_VALUE = 1;
71 static const uint32_t PICKER_TYPE_ADD_VALUE = 2;
72 static const uint32_t SEC_COMPONENT_TYPE_ADD_VALUE = 4;
73 static constexpr int64_t ONE_MINUTE_MILLISECONDS = 60 * 1000; // 1 min = 60 * 1000 ms
74 std::recursive_mutex g_instanceMutex;
75 }
GetInstance()76 PermissionRecordManager& PermissionRecordManager::GetInstance()
77 {
78 static PermissionRecordManager* instance = nullptr;
79 if (instance == nullptr) {
80 std::lock_guard<std::recursive_mutex> lock(g_instanceMutex);
81 if (instance == nullptr) {
82 instance = new PermissionRecordManager();
83 }
84 }
85 return *instance;
86 }
87
PermissionRecordManager()88 PermissionRecordManager::PermissionRecordManager()
89 {
90 bool isEdmMute = false;
91 if (GetMuteParameter(EDM_MIC_MUTE_KEY, isEdmMute)) {
92 ModifyMuteStatus(MICROPHONE_PERMISSION_NAME, EDM, isEdmMute);
93 }
94 }
95
~PermissionRecordManager()96 PermissionRecordManager::~PermissionRecordManager()
97 {
98 if (!hasInited_) {
99 return;
100 }
101 hasInited_ = false;
102 Unregister();
103 }
104
OnAppStateChanged(const AppStateData & appStateData)105 void PrivacyAppStateObserver::OnAppStateChanged(const AppStateData &appStateData)
106 {
107 ACCESSTOKEN_LOG_DEBUG(LABEL, "OnChange(id=%{public}d, pid=%{public}d, state=%{public}d).",
108 appStateData.accessTokenId, appStateData.pid, appStateData.state);
109
110 ActiveChangeType status = PERM_INACTIVE;
111 if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_FOREGROUND)) {
112 status = PERM_ACTIVE_IN_FOREGROUND;
113 } else if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_BACKGROUND)) {
114 status = PERM_ACTIVE_IN_BACKGROUND;
115 }
116 PermissionRecordManager::GetInstance().NotifyAppStateChange(appStateData.accessTokenId, appStateData.pid, status);
117 }
118
OnAppStopped(const AppStateData & appStateData)119 void PrivacyAppStateObserver::OnAppStopped(const AppStateData &appStateData)
120 {
121 ACCESSTOKEN_LOG_DEBUG(LABEL, "OnChange(id=%{public}d, state=%{public}d).",
122 appStateData.accessTokenId, appStateData.state);
123
124 if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_TERMINATED)) {
125 PermissionRecordManager::GetInstance().RemoveRecordFromStartListByToken(appStateData.accessTokenId);
126 }
127 }
128
OnProcessDied(const ProcessData & processData)129 void PrivacyAppStateObserver::OnProcessDied(const ProcessData &processData)
130 {
131 ACCESSTOKEN_LOG_DEBUG(LABEL, "OnChange(id=%{public}u, pid=%{public}d, state=%{public}d).",
132 processData.accessTokenId, processData.pid, processData.state);
133
134 PermissionRecordManager::GetInstance().RemoveRecordFromStartListByPid(processData.accessTokenId, processData.pid);
135 }
136
NotifyAppManagerDeath()137 void PrivacyAppManagerDeathCallback::NotifyAppManagerDeath()
138 {
139 PermissionRecordManager::GetInstance().OnAppMgrRemoteDiedHandle();
140 }
141
AddRecToCacheAndValueVec(const PermissionRecord & record,std::vector<GenericValues> & values)142 void PermissionRecordManager::AddRecToCacheAndValueVec(const PermissionRecord& record,
143 std::vector<GenericValues>& values)
144 {
145 PermissionRecordCache cache;
146 cache.record = record;
147 permUsedRecList_.emplace_back(cache);
148
149 GenericValues value;
150 PermissionRecord::TranslationIntoGenericValues(record, value);
151 values.emplace_back(value);
152 }
153
RecordMergeCheck(const PermissionRecord & record1,const PermissionRecord & record2)154 static bool RecordMergeCheck(const PermissionRecord& record1, const PermissionRecord& record2)
155 {
156 // timestamp in the same minute
157 if (!AccessToken::TimeUtil::IsTimeStampsSameMinute(record1.timestamp, record2.timestamp)) {
158 return false;
159 }
160
161 // the same tokenID + opCode + status + lockScreenStatus + usedType
162 if ((record1.tokenId != record2.tokenId) ||
163 (record1.opCode != record2.opCode) ||
164 (record1.status != record2.status) ||
165 (record1.lockScreenStatus != record2.lockScreenStatus) ||
166 (record1.type != record2.type)) {
167 return false;
168 }
169
170 // both success
171 if (((record1.accessCount > 0) && (record2.accessCount == 0)) ||
172 ((record1.accessCount == 0) && (record2.accessCount > 0))) {
173 return false;
174 }
175
176 // both failure
177 if (((record1.rejectCount > 0) && (record2.rejectCount == 0)) ||
178 ((record1.rejectCount == 0) && (record2.rejectCount > 0))) {
179 return false;
180 }
181
182 return true;
183 }
184
MergeOrInsertRecord(const PermissionRecord & record)185 int32_t PermissionRecordManager::MergeOrInsertRecord(const PermissionRecord& record)
186 {
187 std::vector<GenericValues> insertRecords;
188 {
189 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
190 if (permUsedRecList_.empty()) {
191 ACCESSTOKEN_LOG_INFO(LABEL, "First record in cache!");
192
193 AddRecToCacheAndValueVec(record, insertRecords);
194 } else {
195 bool mergeFlag = false;
196 for (auto it = permUsedRecList_.begin(); it != permUsedRecList_.end(); ++it) {
197 if (RecordMergeCheck(it->record, record)) {
198 ACCESSTOKEN_LOG_INFO(LABEL, "Merge record, ori timestamp is %{public}" PRId64 ".",
199 it->record.timestamp);
200
201 // merge new record to older one if match the merge condition
202 it->record.accessCount += record.accessCount;
203 it->record.rejectCount += record.rejectCount;
204
205 // set update flag to true
206 it->needUpdateToDb = true;
207 mergeFlag = true;
208 break;
209 }
210 }
211
212 if (!mergeFlag) {
213 // record can't merge store to database immediately and add to cache
214 AddRecToCacheAndValueVec(record, insertRecords);
215 }
216 }
217 }
218
219 if (insertRecords.empty()) {
220 return Constant::SUCCESS;
221 }
222
223 Utils::UniqueWriteGuard<Utils::RWLock> lk(this->rwLock_);
224 int32_t res = PermissionUsedRecordDb::GetInstance().Add(PermissionUsedRecordDb::DataType::PERMISSION_RECORD,
225 insertRecords);
226 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
227 ACCESSTOKEN_LOG_INFO(LABEL, "Add permission_record_table failed!");
228 return res;
229 }
230
231 ACCESSTOKEN_LOG_INFO(LABEL, "Add record, id %{public}d, op %{public}d, status: %{public}d, sucCnt: %{public}d, "
232 "failCnt: %{public}d, lockScreenStatus %{public}d, timestamp %{public}" PRId64 ", type %{public}d.",
233 record.tokenId, record.opCode, record.status, record.accessCount, record.rejectCount, record.lockScreenStatus,
234 record.timestamp, record.type);
235
236 return Constant::SUCCESS;
237 }
238
UpdatePermissionUsedRecordToDb(const PermissionRecord & record)239 bool PermissionRecordManager::UpdatePermissionUsedRecordToDb(const PermissionRecord& record)
240 {
241 GenericValues modifyValue;
242 modifyValue.Put(PrivacyFiledConst::FIELD_ACCESS_COUNT, record.accessCount);
243 modifyValue.Put(PrivacyFiledConst::FIELD_REJECT_COUNT, record.rejectCount);
244
245 GenericValues conditionValue;
246 conditionValue.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(record.tokenId));
247 conditionValue.Put(PrivacyFiledConst::FIELD_OP_CODE, record.opCode);
248 conditionValue.Put(PrivacyFiledConst::FIELD_STATUS, record.status);
249 conditionValue.Put(PrivacyFiledConst::FIELD_TIMESTAMP, record.timestamp);
250 conditionValue.Put(PrivacyFiledConst::FIELD_USED_TYPE, record.type);
251
252 {
253 Utils::UniqueWriteGuard<Utils::RWLock> lk(this->rwLock_);
254 return (PermissionUsedRecordDb::GetInstance().Update(PermissionUsedRecordDb::DataType::PERMISSION_RECORD,
255 modifyValue, conditionValue) == PermissionUsedRecordDb::ExecuteResult::SUCCESS);
256 }
257 }
258
AddRecord(const PermissionRecord & record)259 int32_t PermissionRecordManager::AddRecord(const PermissionRecord& record)
260 {
261 int32_t res = MergeOrInsertRecord(record);
262 if (res != Constant::SUCCESS) {
263 return res;
264 }
265
266 int64_t updateStamp = record.timestamp - ONE_MINUTE_MILLISECONDS; // timestamp less than 1 min from now
267 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
268 auto it = permUsedRecList_.begin();
269 while (it != permUsedRecList_.end()) {
270 if (it->record.timestamp > updateStamp) {
271 // record from cache less than updateStamp may merge, ignore them
272 ++it;
273 continue;
274 }
275
276 /*
277 needUpdateToDb:
278 - flase means record not merge, when the timestamp of those records less than 1 min from now
279 they can not merge any more, remove them from cache
280 - true means record has merged, need to update database before remove from cache
281 whether update database succeed or not, recod remove from cache
282 */
283 if ((it->needUpdateToDb) && (!UpdatePermissionUsedRecordToDb(it->record))) {
284 ACCESSTOKEN_LOG_ERROR(LABEL, "Record with timestamp %{public}" PRId64 "update database failed!",
285 it->record.timestamp);
286 }
287
288 it = permUsedRecList_.erase(it);
289 }
290
291 return Constant::SUCCESS;
292 }
293
UpdatePermRecImmediately()294 void PermissionRecordManager::UpdatePermRecImmediately()
295 {
296 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
297 for (auto it = permUsedRecList_.begin(); it != permUsedRecList_.end(); ++it) {
298 if (it->needUpdateToDb) {
299 UpdatePermissionUsedRecordToDb(it->record);
300 }
301 }
302 }
303
GetPermissionRecord(const AddPermParamInfo & info,PermissionRecord & record)304 int32_t PermissionRecordManager::GetPermissionRecord(const AddPermParamInfo& info, PermissionRecord& record)
305 {
306 if (AccessTokenKit::GetTokenTypeFlag(info.tokenId) != TOKEN_HAP) {
307 ACCESSTOKEN_LOG_DEBUG(LABEL, "Not hap(%{public}d).", info.tokenId);
308 return PrivacyError::ERR_PARAM_INVALID;
309 }
310 int32_t opCode;
311 if (!Constant::TransferPermissionToOpcode(info.permissionName, opCode)) {
312 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid perm(%{public}s)", info.permissionName.c_str());
313 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
314 }
315 if (GetMuteStatus(info.permissionName, EDM)) {
316 record.status = PERM_INACTIVE;
317 } else {
318 record.status = GetAppStatus(info.tokenId);
319 }
320 record.lockScreenStatus = GetLockScreenStatus();
321 record.tokenId = info.tokenId;
322 record.accessCount = info.successCount;
323 record.rejectCount = info.failCount;
324 record.opCode = opCode;
325 record.timestamp = AccessToken::TimeUtil::GetCurrentTimestamp();
326 record.accessDuration = 0;
327 record.type = info.type;
328 ACCESSTOKEN_LOG_DEBUG(LABEL, "Record status: %{public}d", record.status);
329 return Constant::SUCCESS;
330 }
331
TransformEnumToBitValue(const PermissionUsedType type,uint32_t & value)332 void PermissionRecordManager::TransformEnumToBitValue(const PermissionUsedType type, uint32_t& value)
333 {
334 if (type == PermissionUsedType::NORMAL_TYPE) {
335 value = NORMAL_TYPE_ADD_VALUE;
336 } else if (type == PermissionUsedType::PICKER_TYPE) {
337 value = PICKER_TYPE_ADD_VALUE;
338 } else if (type == PermissionUsedType::SECURITY_COMPONENT_TYPE) {
339 value = SEC_COMPONENT_TYPE_ADD_VALUE;
340 }
341 }
342
AddOrUpdateUsedTypeIfNeeded(const AccessTokenID tokenId,const int32_t opCode,const PermissionUsedType type)343 bool PermissionRecordManager::AddOrUpdateUsedTypeIfNeeded(const AccessTokenID tokenId, const int32_t opCode,
344 const PermissionUsedType type)
345 {
346 uint32_t inputType = 0;
347 TransformEnumToBitValue(type, inputType);
348
349 GenericValues conditionValue;
350 conditionValue.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
351 conditionValue.Put(PrivacyFiledConst::FIELD_PERMISSION_CODE, opCode);
352
353 std::vector<GenericValues> results;
354 int32_t res = PermissionUsedRecordDb::GetInstance().Query(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
355 conditionValue, results);
356 if (res != PermissionUsedRecordDb::SUCCESS) {
357 return false;
358 }
359
360 if (results.empty()) {
361 // empty means there is no permission used type record, add it
362 ACCESSTOKEN_LOG_DEBUG(LABEL, "No exsit record, add it.");
363
364 GenericValues recordValue;
365 recordValue.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
366 recordValue.Put(PrivacyFiledConst::FIELD_PERMISSION_CODE, opCode);
367 recordValue.Put(PrivacyFiledConst::FIELD_USED_TYPE, static_cast<int32_t>(inputType));
368
369 std::vector<GenericValues> recordValues;
370 recordValues.emplace_back(recordValue);
371 int32_t res = PermissionUsedRecordDb::GetInstance().Add(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
372 recordValues);
373 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
374 return false;
375 }
376 } else {
377 // not empty means there is permission used type record exsit, update it if needed
378 uint32_t dbType = static_cast<uint32_t>(results[0].GetInt(PrivacyFiledConst::FIELD_USED_TYPE));
379 ACCESSTOKEN_LOG_DEBUG(LABEL, "Record exsit, type is %{public}u.", dbType);
380
381 if ((dbType & inputType) == inputType) {
382 // true means visitTypeEnum has exsits, no need to add
383 ACCESSTOKEN_LOG_DEBUG(LABEL, "Used type has add.");
384 return true;
385 } else {
386 results[0].Remove(PrivacyFiledConst::FIELD_USED_TYPE);
387 dbType |= inputType;
388
389 // false means visitTypeEnum not exsits, update record
390 ACCESSTOKEN_LOG_DEBUG(LABEL, "Used type not add, generate new %{public}u.", dbType);
391
392 GenericValues newValue;
393 newValue.Put(PrivacyFiledConst::FIELD_USED_TYPE, static_cast<int32_t>(dbType));
394 return (PermissionUsedRecordDb::GetInstance().Update(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
395 newValue, results[0]) == PermissionUsedRecordDb::ExecuteResult::SUCCESS);
396 }
397 }
398
399 return true;
400 }
401
AddPermissionUsedRecord(const AddPermParamInfo & info)402 int32_t PermissionRecordManager::AddPermissionUsedRecord(const AddPermParamInfo& info)
403 {
404 ExecuteDeletePermissionRecordTask();
405
406 if ((info.successCount == 0) && (info.failCount == 0)) {
407 return PrivacyError::ERR_PARAM_INVALID;
408 }
409
410 PermissionRecord record;
411 int32_t result = GetPermissionRecord(info, record);
412 if ((result != Constant::SUCCESS) || (!GetGlobalSwitchStatus(info.permissionName))) {
413 return result;
414 }
415
416 result = AddRecord(record);
417 if (result != Constant::SUCCESS) {
418 return result;
419 }
420
421 return AddOrUpdateUsedTypeIfNeeded(
422 info.tokenId, record.opCode, info.type) ? Constant::SUCCESS : Constant::FAILURE;
423 }
424
RemovePermissionUsedRecords(AccessTokenID tokenId,const std::string & deviceID)425 void PermissionRecordManager::RemovePermissionUsedRecords(AccessTokenID tokenId, const std::string& deviceID)
426 {
427 // only support remove by tokenId(local)
428 std::string device = GetDeviceId(tokenId);
429 if (!deviceID.empty() && device != deviceID) {
430 ACCESSTOKEN_LOG_ERROR(LABEL, "DeviceID mismatch");
431 return;
432 }
433
434 {
435 // remove from record cache
436 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
437 auto it = permUsedRecList_.begin();
438 while (it != permUsedRecList_.end()) {
439 if (tokenId == it->record.tokenId) {
440 it = permUsedRecList_.erase(it);
441 } else {
442 ++it;
443 }
444 }
445 }
446
447 GenericValues conditions;
448 conditions.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
449 {
450 // remove from database
451 Utils::UniqueWriteGuard<Utils::RWLock> lk(this->rwLock_);
452 PermissionUsedRecordDb::GetInstance().Remove(PermissionUsedRecordDb::DataType::PERMISSION_RECORD, conditions);
453 PermissionUsedRecordDb::GetInstance().Remove(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
454 conditions);
455 }
456
457 // remove from start list
458 RemoveRecordFromStartListByToken(tokenId);
459 }
460
GetPermissionUsedRecords(const PermissionUsedRequest & request,PermissionUsedResult & result)461 int32_t PermissionRecordManager::GetPermissionUsedRecords(
462 const PermissionUsedRequest& request, PermissionUsedResult& result)
463 {
464 ExecuteDeletePermissionRecordTask();
465
466 if (!request.isRemote && !GetRecordsFromLocalDB(request, result)) {
467 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to GetRecordsFromLocalDB");
468 return PrivacyError::ERR_PARAM_INVALID;
469 }
470 return Constant::SUCCESS;
471 }
472
GetPermissionUsedRecordsAsync(const PermissionUsedRequest & request,const sptr<OnPermissionUsedRecordCallback> & callback)473 int32_t PermissionRecordManager::GetPermissionUsedRecordsAsync(
474 const PermissionUsedRequest& request, const sptr<OnPermissionUsedRecordCallback>& callback)
475 {
476 auto task = [request, callback]() {
477 ACCESSTOKEN_LOG_INFO(LABEL, "GetPermissionUsedRecordsAsync task called");
478 PermissionUsedResult result;
479 int32_t retCode = PermissionRecordManager::GetInstance().GetPermissionUsedRecords(request, result);
480 callback->OnQueried(retCode, result);
481 };
482 std::thread recordThread(task);
483 recordThread.detach();
484 return Constant::SUCCESS;
485 }
486
TransferToOpcode(const std::vector<std::string> & permissionList,std::set<int32_t> & opCodeList)487 static void TransferToOpcode(const std::vector<std::string>& permissionList, std::set<int32_t>& opCodeList)
488 {
489 for (const auto& permission : permissionList) {
490 int32_t opCode = Constant::OP_INVALID;
491 if (Constant::TransferPermissionToOpcode(permission, opCode)) {
492 opCodeList.insert(opCode);
493 }
494 }
495 }
496
GetMergedRecordsFromCache(std::vector<PermissionRecord> & mergedRecords)497 void PermissionRecordManager::GetMergedRecordsFromCache(std::vector<PermissionRecord>& mergedRecords)
498 {
499 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
500 for (const auto& cache : permUsedRecList_) {
501 if (cache.needUpdateToDb) {
502 mergedRecords.emplace_back(cache.record);
503 }
504 }
505 }
506
InsteadMergedRecIfNecessary(GenericValues & queryValue,std::vector<PermissionRecord> & mergedRecords)507 void PermissionRecordManager::InsteadMergedRecIfNecessary(GenericValues& queryValue,
508 std::vector<PermissionRecord>& mergedRecords)
509 {
510 uint32_t tokenId = static_cast<uint32_t>(queryValue.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID));
511 int32_t opCode = queryValue.GetInt(PrivacyFiledConst::FIELD_OP_CODE);
512 int32_t status = queryValue.GetInt(PrivacyFiledConst::FIELD_STATUS);
513 int64_t timestamp = queryValue.GetInt64(PrivacyFiledConst::FIELD_TIMESTAMP);
514 PermissionUsedType type = static_cast<PermissionUsedType>(queryValue.GetInt(PrivacyFiledConst::FIELD_USED_TYPE));
515
516 for (const auto& record : mergedRecords) {
517 if ((tokenId == record.tokenId) &&
518 (opCode == record.opCode) &&
519 (status == record.status) &&
520 (timestamp == record.timestamp) &&
521 (type == record.type)) {
522 // find merged record, instead accessCount and rejectCount
523 queryValue.Remove(PrivacyFiledConst::FIELD_ACCESS_COUNT);
524 queryValue.Put(PrivacyFiledConst::FIELD_ACCESS_COUNT, record.accessCount);
525 queryValue.Remove(PrivacyFiledConst::FIELD_REJECT_COUNT);
526 queryValue.Put(PrivacyFiledConst::FIELD_REJECT_COUNT, record.rejectCount);
527 return;
528 }
529 }
530 }
531
MergeSamePermission(const PermissionUsageFlag & flag,const PermissionUsedRecord & inRecord,PermissionUsedRecord & outRecord)532 void PermissionRecordManager::MergeSamePermission(const PermissionUsageFlag& flag, const PermissionUsedRecord& inRecord,
533 PermissionUsedRecord& outRecord)
534 {
535 outRecord.accessCount += inRecord.accessCount;
536 outRecord.rejectCount += inRecord.rejectCount;
537
538 // update lastAccessTime、lastRejectTime and lastAccessDuration to the nearer one
539 outRecord.lastAccessTime = (inRecord.lastAccessTime > outRecord.lastAccessTime) ?
540 inRecord.lastAccessTime : outRecord.lastAccessTime;
541 outRecord.lastAccessDuration = (inRecord.lastAccessTime > outRecord.lastAccessTime) ?
542 inRecord.lastAccessDuration : outRecord.lastAccessDuration;
543 outRecord.lastRejectTime = (inRecord.lastRejectTime > outRecord.lastRejectTime) ?
544 inRecord.lastRejectTime : outRecord.lastRejectTime;
545
546 // summary do not handle detail
547 if (flag == FLAG_PERMISSION_USAGE_SUMMARY) {
548 return;
549 }
550
551 if (inRecord.lastAccessTime > 0) {
552 outRecord.accessRecords.emplace_back(inRecord.accessRecords[0]);
553 }
554 if (inRecord.lastRejectTime > 0) {
555 outRecord.rejectRecords.emplace_back(inRecord.rejectRecords[0]);
556 }
557 }
558
FillPermissionUsedRecords(const PermissionUsedRecord & record,const PermissionUsageFlag & flag,std::vector<PermissionUsedRecord> & permissionRecords)559 void PermissionRecordManager::FillPermissionUsedRecords(const PermissionUsedRecord& record,
560 const PermissionUsageFlag& flag, std::vector<PermissionUsedRecord>& permissionRecords)
561 {
562 // check whether the permission has exsit
563 auto iter = std::find_if(permissionRecords.begin(), permissionRecords.end(),
564 [record](const PermissionUsedRecord& rec) {
565 return record.permissionName == rec.permissionName;
566 });
567 if (iter != permissionRecords.end()) {
568 // permission exsit, merge it
569 MergeSamePermission(flag, record, *iter);
570 } else {
571 // permission not exsit, add it
572 permissionRecords.emplace_back(record);
573 }
574 }
575
FillBundleUsedRecord(const GenericValues & value,const PermissionUsageFlag & flag,std::map<int32_t,BundleUsedRecord> & tokenIdToBundleMap,std::map<int32_t,int32_t> & tokenIdToCountMap,PermissionUsedResult & result)576 bool PermissionRecordManager::FillBundleUsedRecord(const GenericValues& value, const PermissionUsageFlag& flag,
577 std::map<int32_t, BundleUsedRecord>& tokenIdToBundleMap, std::map<int32_t, int32_t>& tokenIdToCountMap,
578 PermissionUsedResult& result)
579 {
580 // translate database value into PermissionUsedRecord value
581 PermissionUsedRecord record;
582 if (DataTranslator::TranslationGenericValuesIntoPermissionUsedRecord(flag, value, record) != Constant::SUCCESS) {
583 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to transform op(%{public}d)",
584 value.GetInt(PrivacyFiledConst::FIELD_OP_CODE));
585 return false;
586 }
587
588 // update beginTimeMillis and endTimeMillis if necessary
589 int64_t timestamp = value.GetInt64(PrivacyFiledConst::FIELD_TIMESTAMP);
590 result.beginTimeMillis = ((result.beginTimeMillis == 0) || (timestamp < result.beginTimeMillis)) ?
591 timestamp : result.beginTimeMillis;
592 result.endTimeMillis = (timestamp > result.endTimeMillis) ? timestamp : result.endTimeMillis;
593
594 int32_t tokenId = value.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID);
595 FillPermissionUsedRecords(record, flag, tokenIdToBundleMap[tokenId].permissionRecords);
596 tokenIdToCountMap[tokenId] += 1;
597
598 return true;
599 }
600
AddDebugLog(const AccessTokenID tokenId,const BundleUsedRecord & bundleRecord,const int32_t queryCount,int32_t & totalSuccCount,int32_t & totalFailCount)601 static void AddDebugLog(const AccessTokenID tokenId, const BundleUsedRecord& bundleRecord, const int32_t queryCount,
602 int32_t& totalSuccCount, int32_t& totalFailCount)
603 {
604 int32_t tokenTotalSuccCount = 0;
605 int32_t tokenTotalFailCount = 0;
606 for (const auto& permissionRecord : bundleRecord.permissionRecords) {
607 tokenTotalSuccCount += permissionRecord.accessCount;
608 tokenTotalFailCount += permissionRecord.rejectCount;
609 }
610 ACCESSTOKEN_LOG_INFO(LABEL, "TokenId %{public}d[%{public}s] get %{public}d records, success %{public}d,"
611 " failure %{public}d", tokenId, bundleRecord.bundleName.c_str(), queryCount, tokenTotalSuccCount,
612 tokenTotalFailCount);
613 totalSuccCount += tokenTotalSuccCount;
614 totalFailCount += tokenTotalFailCount;
615 }
616
GetRecordsFromLocalDB(const PermissionUsedRequest & request,PermissionUsedResult & result)617 bool PermissionRecordManager::GetRecordsFromLocalDB(const PermissionUsedRequest& request, PermissionUsedResult& result)
618 {
619 GenericValues andConditionValues;
620 if (DataTranslator::TranslationIntoGenericValues(request, andConditionValues) != Constant::SUCCESS) {
621 ACCESSTOKEN_LOG_ERROR(LABEL, "Query time or flag is invalid");
622 return false;
623 }
624
625 int32_t dataLimitNum = request.flag == FLAG_PERMISSION_USAGE_DETAIL ? MAX_ACCESS_RECORD_SIZE : recordSizeMaximum_;
626 int32_t totalSuccCount = 0;
627 int32_t totalFailCount = 0;
628 std::vector<GenericValues> findRecordsValues; // summary don't limit querry data num, detail do
629
630 std::set<int32_t> opCodeList;
631 TransferToOpcode(request.permissionList, opCodeList);
632 PermissionUsedRecordDb::GetInstance().FindByConditions(PermissionUsedRecordDb::DataType::PERMISSION_RECORD,
633 opCodeList, andConditionValues, findRecordsValues, dataLimitNum);
634
635 uint32_t currentCount = findRecordsValues.size(); // handle query result
636 if (currentCount == 0) {
637 ACCESSTOKEN_LOG_INFO(LABEL, "No record match the condition.");
638 return true;
639 }
640
641 std::vector<PermissionRecord> mergedRecords;
642 GetMergedRecordsFromCache(mergedRecords);
643
644 std::set<int32_t> tokenIdList;
645 std::map<int32_t, BundleUsedRecord> tokenIdToBundleMap;
646 std::map<int32_t, int32_t> tokenIdToCountMap;
647
648 for (auto& recordValue : findRecordsValues) {
649 InsteadMergedRecIfNecessary(recordValue, mergedRecords);
650
651 int32_t tokenId = recordValue.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID);
652 if (tokenIdList.count(tokenId) == 0) {
653 tokenIdList.insert(tokenId); // new tokenId, inset into set
654
655 BundleUsedRecord bundleRecord; // get bundle info
656 if (!CreateBundleUsedRecord(tokenId, bundleRecord)) {
657 continue;
658 }
659
660 tokenIdToBundleMap[tokenId] = bundleRecord; // add into map
661 tokenIdToCountMap[tokenId] = 0;
662 }
663
664 if (!FillBundleUsedRecord(recordValue, request.flag, tokenIdToBundleMap, tokenIdToCountMap, result)) {
665 continue;
666 }
667 }
668
669 for (auto iter = tokenIdToBundleMap.begin(); iter != tokenIdToBundleMap.end(); ++iter) {
670 result.bundleRecords.emplace_back(iter->second);
671
672 AddDebugLog(iter->first, iter->second, tokenIdToCountMap[iter->first], totalSuccCount, totalFailCount);
673 }
674
675 if (request.flag == FLAG_PERMISSION_USAGE_SUMMARY) {
676 ACCESSTOKEN_LOG_INFO(LABEL, "Total success count is %{public}d, total failure count is %{public}d",
677 totalSuccCount, totalFailCount);
678 }
679
680 return true;
681 }
682
CreateBundleUsedRecord(const AccessTokenID tokenId,BundleUsedRecord & bundleRecord)683 bool PermissionRecordManager::CreateBundleUsedRecord(const AccessTokenID tokenId, BundleUsedRecord& bundleRecord)
684 {
685 HapTokenInfo tokenInfo;
686 if (AccessTokenKit::GetHapTokenInfo(tokenId, tokenInfo) != Constant::SUCCESS) {
687 ACCESSTOKEN_LOG_ERROR(LABEL, "GetHapTokenInfo failed, tokenId is %{public}u.", tokenId);
688 return false;
689 }
690 bundleRecord.tokenId = tokenId;
691 bundleRecord.isRemote = false;
692 bundleRecord.deviceId = GetDeviceId(tokenId);
693 bundleRecord.bundleName = tokenInfo.bundleName;
694 return true;
695 }
696
ExecuteDeletePermissionRecordTask()697 void PermissionRecordManager::ExecuteDeletePermissionRecordTask()
698 {
699 #ifdef EVENTHANDLER_ENABLE
700 if (GetCurDeleteTaskNum() > 1) {
701 ACCESSTOKEN_LOG_INFO(LABEL, "Has delete task!");
702 return;
703 }
704 AddDeleteTaskNum();
705 if (deleteEventHandler_ == nullptr) {
706 ACCESSTOKEN_LOG_ERROR(LABEL, "Fail to get EventHandler.");
707 ReduceDeleteTaskNum();
708 return;
709 }
710
711 std::function<void()> delayed = ([this]() {
712 DeletePermissionRecord(recordAgingTime_);
713 ACCESSTOKEN_LOG_INFO(LABEL, "Delete record end.");
714 // Sleep for one minute to avoid frequent refresh of the file.
715 std::this_thread::sleep_for(std::chrono::minutes(1));
716 ReduceDeleteTaskNum();
717 });
718
719 deleteEventHandler_->ProxyPostTask(delayed);
720 #endif
721 }
722
GetCurDeleteTaskNum()723 int32_t PermissionRecordManager::GetCurDeleteTaskNum()
724 {
725 return deleteTaskNum_.load();
726 }
727
AddDeleteTaskNum()728 void PermissionRecordManager::AddDeleteTaskNum()
729 {
730 deleteTaskNum_++;
731 }
732
ReduceDeleteTaskNum()733 void PermissionRecordManager::ReduceDeleteTaskNum()
734 {
735 deleteTaskNum_--;
736 }
737
DeletePermissionRecord(int32_t days)738 int32_t PermissionRecordManager::DeletePermissionRecord(int32_t days)
739 {
740 int64_t interval = days * Constant::ONE_DAY_MILLISECONDS;
741 int32_t total = PermissionUsedRecordDb::GetInstance().Count(PermissionUsedRecordDb::DataType::PERMISSION_RECORD);
742 if (total > recordSizeMaximum_) {
743 uint32_t excessiveSize = static_cast<uint32_t>(total) - static_cast<uint32_t>(recordSizeMaximum_);
744 int32_t res = PermissionUsedRecordDb::GetInstance().DeleteExcessiveRecords(
745 PermissionUsedRecordDb::DataType::PERMISSION_RECORD, excessiveSize);
746 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
747 return Constant::FAILURE;
748 }
749 }
750 GenericValues andConditionValues;
751 int64_t deleteTimestamp = AccessToken::TimeUtil::GetCurrentTimestamp() - interval;
752 andConditionValues.Put(PrivacyFiledConst::FIELD_TIMESTAMP_END, deleteTimestamp);
753 int32_t res = PermissionUsedRecordDb::GetInstance().DeleteExpireRecords(
754 PermissionUsedRecordDb::DataType::PERMISSION_RECORD, andConditionValues);
755 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
756 return Constant::FAILURE;
757 }
758 return Constant::SUCCESS;
759 }
760
AddRecordToStartList(uint32_t tokenId,int32_t pid,const std::string & permissionName,int32_t status)761 int32_t PermissionRecordManager::AddRecordToStartList(
762 uint32_t tokenId, int32_t pid, const std::string& permissionName, int32_t status)
763 {
764 int32_t ret = Constant::SUCCESS;
765 int32_t opCode;
766 if (!Constant::TransferPermissionToOpcode(permissionName, opCode)) {
767 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid perm(%{public}s)", permissionName.c_str());
768 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
769 }
770
771 std::lock_guard<std::mutex> lock(startRecordListMutex_);
772 bool hasTokenStarted = false;
773 bool hasPidStarted = false;
774 for (auto& record : startRecordList_) {
775 if ((record.opCode == opCode) && (record.tokenId == tokenId)) { // find token
776 hasTokenStarted = true;
777 if (!IsPidValid(pid) || record.pidList.find(pid) != record.pidList.end()) {
778 hasPidStarted = true;
779 } else {
780 record.pidList.insert(pid);
781 }
782 break;
783 }
784 }
785 ACCESSTOKEN_LOG_INFO(LABEL, "Id(%{public}u), pid(%{public}d), opCode(%{public}d),\
786 hasTokenStarted(%{public}d), hasPidStarted(%{public}d).",
787 tokenId, pid, opCode, hasTokenStarted, hasPidStarted);
788 if (!hasTokenStarted) {
789 ContinusPermissionRecord record = { 0 };
790 record.tokenId = tokenId;
791 record.status = status;
792 record.opCode = opCode;
793 if (IsPidValid(pid)) {
794 record.pidList.insert(pid);
795 }
796 startRecordList_.emplace_back(record);
797 }
798 CallbackExecute(tokenId, permissionName, status);
799 if (hasTokenStarted && hasPidStarted) {
800 ret = PrivacyError::ERR_PERMISSION_ALREADY_START_USING;
801 }
802 return ret;
803 }
804
ExecuteAndUpdateRecord(uint32_t tokenId,int32_t pid,ActiveChangeType status)805 void PermissionRecordManager::ExecuteAndUpdateRecord(uint32_t tokenId, int32_t pid, ActiveChangeType status)
806 {
807 std::vector<std::string> camPermList;
808 std::lock_guard<std::mutex> lock(startRecordListMutex_);
809 for (auto it = startRecordList_.begin(); it != startRecordList_.end(); ++it) {
810 if ((it->tokenId == tokenId) && ((it->status) != PERM_INACTIVE) && ((it->status) != status)) {
811 std::string perm;
812 Constant::TransferOpcodeToPermission(it->opCode, perm);
813 if ((GetMuteStatus(perm, EDM)) || (!GetGlobalSwitchStatus(perm))) {
814 continue;
815 }
816
817 // app use camera background without float window
818 bool isShow = IsCameraWindowShow(tokenId);
819 bool isAllowedBackGround = false;
820 if (AccessTokenKit::VerifyAccessToken(tokenId, "ohos.permission.CAMERA_BACKGROUND") == PERMISSION_GRANTED) {
821 isAllowedBackGround = true;
822 }
823 if ((perm == CAMERA_PERMISSION_NAME) && (status == PERM_ACTIVE_IN_BACKGROUND) &&
824 (!isShow) && (!isAllowedBackGround)) {
825 ACCESSTOKEN_LOG_INFO(LABEL, "Camera float window is close!");
826 camPermList.emplace_back(perm);
827 continue;
828 }
829
830 // update status to input and timestamp to now in cache
831 it->status = status;
832 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenId %{public}d get permission %{public}s.", tokenId, perm.c_str());
833 }
834 }
835
836 if (!camPermList.empty()) {
837 ExecuteCameraCallbackAsync(tokenId, pid);
838 }
839 }
840
841 /*
842 * when foreground change background or background change foreground,change accessDuration and store in database,
843 * change status and accessDuration and timestamp in cache
844 */
NotifyAppStateChange(AccessTokenID tokenId,int32_t pid,ActiveChangeType status)845 void PermissionRecordManager::NotifyAppStateChange(AccessTokenID tokenId, int32_t pid, ActiveChangeType status)
846 {
847 ACCESSTOKEN_LOG_INFO(LABEL, "Id %{public}u, pid %{public}d, status %{public}d", tokenId, pid, status);
848 // find permissions from startRecordList_ by tokenId which status diff from currStatus
849 ExecuteAndUpdateRecord(tokenId, pid, status);
850 }
851
SetLockScreenStatus(int32_t lockScreenStatus)852 void PermissionRecordManager::SetLockScreenStatus(int32_t lockScreenStatus)
853 {
854 ACCESSTOKEN_LOG_INFO(LABEL, "LockScreenStatus %{public}d", lockScreenStatus);
855 std::lock_guard<std::mutex> lock(lockScreenStateMutex_);
856 lockScreenStatus_ = lockScreenStatus;
857 }
858
GetLockScreenStatus()859 int32_t PermissionRecordManager::GetLockScreenStatus()
860 {
861 std::lock_guard<std::mutex> lock(lockScreenStateMutex_);
862 return lockScreenStatus_;
863 }
864
IsScreenOn()865 bool PermissionRecordManager::IsScreenOn()
866 {
867 return PowerMgrClient::GetInstance().IsScreenOn();
868 }
869
RemoveRecordFromStartList(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)870 int32_t PermissionRecordManager::RemoveRecordFromStartList(
871 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
872 {
873 int32_t opCode;
874 if (!Constant::TransferPermissionToOpcode(permissionName, opCode)) {
875 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid permission(%{public}s)", permissionName.c_str());
876 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
877 }
878
879 ACCESSTOKEN_LOG_DEBUG(LABEL, "Id %{public}u, pid %{public}d, perm %{public}s",
880 tokenId, pid, permissionName.c_str());
881 int32_t status = PERM_INACTIVE;
882 bool isFind = false;
883 int32_t ret = Constant::SUCCESS;
884 std::lock_guard<std::mutex> lock(startRecordListMutex_);
885 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
886 if ((it->opCode != opCode) || (it->tokenId != tokenId)) {
887 ++it;
888 continue;
889 }
890 isFind = !IsPidValid(pid);
891 // erase pid from pidList
892 if (!isFind && it->pidList.find(pid) != it->pidList.end()) {
893 isFind = true;
894 it->pidList.erase(pid);
895 }
896 if (it->pidList.empty()) {
897 status = it->status;
898 startRecordList_.erase(it);
899 }
900 break;
901 }
902 if (status != PERM_INACTIVE) {
903 CallbackExecute(tokenId, permissionName, PERM_INACTIVE);
904 }
905 if (!isFind) {
906 ret = PrivacyError::ERR_PERMISSION_NOT_START_USING;
907 ACCESSTOKEN_LOG_ERROR(LABEL, "No records started, tokenId=%{public}u, pid=%{public}d, opCode=%{public}d",
908 tokenId, pid, opCode);
909 }
910 return ret;
911 }
912
913 /*
914 * remove all record of pid,
915 * when pidList is empty, execute active callback
916 */
RemoveRecordFromStartListByPid(const AccessTokenID tokenId,int32_t pid)917 void PermissionRecordManager::RemoveRecordFromStartListByPid(const AccessTokenID tokenId, int32_t pid)
918 {
919 ACCESSTOKEN_LOG_INFO(LABEL, "TokenId %{public}u, pid %{public}d", tokenId, pid);
920 bool isUsingCamera = false;
921 {
922 std::vector<std::string> permList;
923 std::lock_guard<std::mutex> lock(startRecordListMutex_);
924 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
925 if (it->tokenId != tokenId || it->pidList.empty() || it->pidList.find(pid) == it->pidList.end()) {
926 ++it;
927 continue;
928 }
929 it->pidList.erase(pid);
930 isUsingCamera = (it->opCode == Constant::OP_CAMERA);
931 if (it->pidList.empty()) {
932 std::string perm;
933 Constant::TransferOpcodeToPermission(it->opCode, perm);
934 permList.emplace_back(perm);
935 it = startRecordList_.erase(it);
936 }
937 }
938 for (const auto& perm : permList) {
939 CallbackExecute(tokenId, perm, PERM_INACTIVE);
940 }
941 }
942 if (isUsingCamera) {
943 cameraCallbackMap_.Erase(GetUniqueId(tokenId, pid));
944 }
945 }
946
947 /*
948 * remove all record of token, and execute active callback
949 */
RemoveRecordFromStartListByToken(const AccessTokenID tokenId)950 void PermissionRecordManager::RemoveRecordFromStartListByToken(const AccessTokenID tokenId)
951 {
952 ACCESSTOKEN_LOG_INFO(LABEL, "TokenId %{public}u", tokenId);
953 bool isUsingCamera = false;
954 {
955 std::vector<std::string> permList;
956 std::lock_guard<std::mutex> lock(startRecordListMutex_);
957 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
958 if (it->tokenId != tokenId) {
959 ++it;
960 continue;
961 }
962 isUsingCamera = (it->opCode == Constant::OP_CAMERA);
963 std::string perm;
964 Constant::TransferOpcodeToPermission(it->opCode, perm);
965 permList.emplace_back(perm);
966 it = startRecordList_.erase(it);
967 }
968 for (const auto& perm : permList) {
969 CallbackExecute(tokenId, perm, PERM_INACTIVE);
970 }
971 }
972 if (isUsingCamera) {
973 cameraCallbackMap_.Erase(GetUniqueId(tokenId, -1));
974 }
975 }
976
RemoveRecordFromStartListByOp(int32_t opCode)977 void PermissionRecordManager::RemoveRecordFromStartListByOp(int32_t opCode)
978 {
979 ACCESSTOKEN_LOG_INFO(LABEL, "OpCode %{public}d", opCode);
980 std::string perm;
981 Constant::TransferOpcodeToPermission(opCode, perm);
982 {
983 std::vector<AccessTokenID> tokenList;
984 std::lock_guard<std::mutex> lock(startRecordListMutex_);
985 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
986 if (it->opCode != opCode) {
987 ++it;
988 continue;
989 }
990 tokenList.emplace_back(it->tokenId);
991 it = startRecordList_.erase(it);
992 }
993 for (size_t i = 0; i < tokenList.size(); ++i) {
994 CallbackExecute(tokenList[i], perm, PERM_INACTIVE);
995 }
996 }
997 }
998
CallbackExecute(AccessTokenID tokenId,const std::string & permissionName,int32_t status)999 void PermissionRecordManager::CallbackExecute(
1000 AccessTokenID tokenId, const std::string& permissionName, int32_t status)
1001 {
1002 ACCESSTOKEN_LOG_INFO(LABEL,
1003 "ExecuteCallbackAsync, tokenId %{public}d using permission %{public}s, status %{public}d",
1004 tokenId, permissionName.c_str(), status);
1005 ActiveStatusCallbackManager::GetInstance().ExecuteCallbackAsync(
1006 tokenId, permissionName, GetDeviceId(tokenId), (ActiveChangeType)status);
1007 }
1008
GetGlobalSwitchStatus(const std::string & permissionName)1009 bool PermissionRecordManager::GetGlobalSwitchStatus(const std::string& permissionName)
1010 {
1011 bool isOpen = true;
1012 // only manage camera and microphone global switch now, other default true
1013 if (permissionName == MICROPHONE_PERMISSION_NAME) {
1014 isOpen = !isMicMixMute_;
1015 ACCESSTOKEN_LOG_INFO(LABEL, "Permission is %{public}s, status is %{public}d", permissionName.c_str(), isOpen);
1016 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1017 isOpen = !isCamMixMute_;
1018 ACCESSTOKEN_LOG_INFO(LABEL, "Permission is %{public}s, status is %{public}d", permissionName.c_str(), isOpen);
1019 }
1020 return isOpen;
1021 }
1022 #ifndef APP_SECURITY_PRIVACY_SERVICE
1023 /*
1024 * StartUsing when close and choose open, update status to foreground or background from inactive
1025 * StartUsing when open and choose close, update status to inactive and store in database
1026 */
ExecuteAndUpdateRecordByPerm(const std::string & permissionName,bool switchStatus)1027 void PermissionRecordManager::ExecuteAndUpdateRecordByPerm(const std::string& permissionName, bool switchStatus)
1028 {
1029 int32_t opCode;
1030 Constant::TransferPermissionToOpcode(permissionName, opCode);
1031 std::vector<ContinusPermissionRecord> recordList;
1032 std::lock_guard<std::mutex> lock(startRecordListMutex_);
1033 for (auto it = startRecordList_.begin(); it != startRecordList_.end(); ++it) {
1034 ContinusPermissionRecord& record = *it;
1035 if ((record.opCode) != static_cast<int32_t>(opCode)) {
1036 continue;
1037 }
1038 if (switchStatus) {
1039 ACCESSTOKEN_LOG_INFO(LABEL, "Global switch is open, update record from inactive");
1040 // no need to store in database when status from inactive to foreground or background
1041 record.status = GetAppStatus(record.tokenId);
1042 } else {
1043 ACCESSTOKEN_LOG_INFO(LABEL, "Global switch is close, update record to inactive");
1044 record.status = PERM_INACTIVE;
1045 }
1046 recordList.emplace_back(*it);
1047 }
1048 // each permission sends a status change notice
1049 for (const auto& record : recordList) {
1050 CallbackExecute(record.tokenId, permissionName, record.status);
1051 }
1052 }
1053 #endif
ShowGlobalDialog(const std::string & permissionName)1054 bool PermissionRecordManager::ShowGlobalDialog(const std::string& permissionName)
1055 {
1056 std::string resource;
1057 if (permissionName == CAMERA_PERMISSION_NAME) {
1058 resource = "camera";
1059 } else if (permissionName == MICROPHONE_PERMISSION_NAME) {
1060 resource = "microphone";
1061 } else {
1062 ACCESSTOKEN_LOG_INFO(LABEL, "Invalid permissionName(%{public}s).", permissionName.c_str());
1063 return true;
1064 }
1065
1066 AAFwk::Want want;
1067 want.SetElementName(globalDialogBundleName_, globalDialogAbilityName_);
1068 want.SetParam(RESOURCE_KEY, resource);
1069 ErrCode err = AbilityManagerAccessClient::GetInstance().StartAbility(want, nullptr);
1070 if (err != ERR_OK) {
1071 ACCESSTOKEN_LOG_ERROR(LABEL, "Fail to StartAbility, err:%{public}d", err);
1072 return false;
1073 }
1074 return true;
1075 }
1076
ExecuteAllCameraExecuteCallback()1077 void PermissionRecordManager::ExecuteAllCameraExecuteCallback()
1078 {
1079 ACCESSTOKEN_LOG_INFO(LABEL, "ExecuteAllCameraExecuteCallback called");
1080 auto it = [&](uint64_t id, sptr<IRemoteObject> cameraCallback) {
1081 auto callback = iface_cast<IStateChangeCallback>(cameraCallback);
1082 AccessTokenID tokenId = static_cast<AccessTokenID>(id);
1083 if (callback != nullptr) {
1084 ACCESSTOKEN_LOG_INFO(
1085 LABEL, "CameraCallback tokenId %{public}d changeType %{public}d.", tokenId, PERM_INACTIVE);
1086 callback->StateChangeNotify(tokenId, false);
1087 }
1088 };
1089 this->cameraCallbackMap_.Iterate(it);
1090 }
1091
ExecuteCameraCallbackAsync(AccessTokenID tokenId,int32_t pid)1092 void PermissionRecordManager::ExecuteCameraCallbackAsync(AccessTokenID tokenId, int32_t pid)
1093 {
1094 ACCESSTOKEN_LOG_DEBUG(LABEL, "Entry.");
1095 auto task = [tokenId, pid, this]() {
1096 uint64_t uniqueId = GetUniqueId(tokenId, pid);
1097 ACCESSTOKEN_LOG_INFO(LABEL, "ExecuteCameraCallbackAsync task called.");
1098 auto it = [&](uint64_t id, sptr<IRemoteObject> cameraCallback) {
1099 auto callback = iface_cast<IStateChangeCallback>(cameraCallback);
1100 if ((uniqueId == id) && (callback != nullptr)) {
1101 ACCESSTOKEN_LOG_INFO(LABEL, "CameraCallback tokenId(%{public}u) pid( %{public}d) changeType %{public}d",
1102 tokenId, pid, PERM_INACTIVE);
1103 callback->StateChangeNotify(tokenId, false);
1104 }
1105 };
1106 this->cameraCallbackMap_.Iterate(it);
1107 };
1108 std::thread executeThread(task);
1109 executeThread.detach();
1110 ACCESSTOKEN_LOG_DEBUG(LABEL, "The cameraCallback execution is complete.");
1111 }
1112
StartUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)1113 int32_t PermissionRecordManager::StartUsingPermission(
1114 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
1115 {
1116 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1117 ACCESSTOKEN_LOG_DEBUG(LABEL, "Not hap(%{public}d).", tokenId);
1118 return PrivacyError::ERR_PARAM_INVALID;
1119 }
1120
1121 InitializeMuteState(permissionName);
1122 if (GetMuteStatus(permissionName, EDM)) {
1123 ACCESSTOKEN_LOG_ERROR(LABEL, "EDM not allow.");
1124 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1125 }
1126 if (!Register()) {
1127 return PrivacyError::ERR_MALLOC_FAILED;
1128 }
1129
1130 int32_t status = GetAppStatus(tokenId);
1131 #ifndef APP_SECURITY_PRIVACY_SERVICE
1132 if (!GetGlobalSwitchStatus(permissionName)) {
1133 if (!ShowGlobalDialog(permissionName)) {
1134 return ERR_SERVICE_ABNORMAL;
1135 }
1136 status = PERM_INACTIVE;
1137 }
1138 #endif
1139 return AddRecordToStartList(tokenId, pid, permissionName, status);
1140 }
1141
StartUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName,const sptr<IRemoteObject> & callback)1142 int32_t PermissionRecordManager::StartUsingPermission(
1143 AccessTokenID tokenId, int32_t pid, const std::string& permissionName, const sptr<IRemoteObject>& callback)
1144 {
1145 if ((permissionName != CAMERA_PERMISSION_NAME) || (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP)) {
1146 ACCESSTOKEN_LOG_DEBUG(LABEL, "Token(%{public}u), perm(%{public}s).", tokenId, permissionName.c_str());
1147 return PrivacyError::ERR_PARAM_INVALID;
1148 }
1149
1150 InitializeMuteState(permissionName);
1151 if (GetMuteStatus(permissionName, EDM)) {
1152 ACCESSTOKEN_LOG_ERROR(LABEL, "EDM not allow.");
1153 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1154 }
1155
1156 if (!Register()) {
1157 return PrivacyError::ERR_MALLOC_FAILED;
1158 }
1159 int32_t status = GetAppStatus(tokenId);
1160 #ifndef APP_SECURITY_PRIVACY_SERVICE
1161 if (!GetGlobalSwitchStatus(permissionName)) {
1162 if (!ShowGlobalDialog(permissionName)) {
1163 return ERR_SERVICE_ABNORMAL;
1164 }
1165 status = PERM_INACTIVE;
1166 }
1167 #endif
1168 uint64_t id = GetUniqueId(tokenId, pid);
1169 cameraCallbackMap_.EnsureInsert(id, callback);
1170 if (!RegisterWindowCallback()) {
1171 cameraCallbackMap_.Erase(id);
1172 return PrivacyError::ERR_WINDOW_CALLBACK_FAILED;
1173 }
1174 int32_t ret = AddRecordToStartList(tokenId, pid, permissionName, status);
1175 if (ret != RET_SUCCESS) {
1176 cameraCallbackMap_.Erase(id);
1177 }
1178 return ret;
1179 }
1180
StopUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)1181 int32_t PermissionRecordManager::StopUsingPermission(
1182 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
1183 {
1184 ExecuteDeletePermissionRecordTask();
1185
1186 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1187 ACCESSTOKEN_LOG_DEBUG(LABEL, "Not hap(%{public}d).", tokenId);
1188 return PrivacyError::ERR_PARAM_INVALID;
1189 }
1190
1191 return RemoveRecordFromStartList(tokenId, pid, permissionName);
1192 }
1193
PermListToString(const std::vector<std::string> & permList)1194 void PermissionRecordManager::PermListToString(const std::vector<std::string>& permList)
1195 {
1196 std::string permStr;
1197 permStr = accumulate(permList.begin(), permList.end(), std::string(" "));
1198
1199 ACCESSTOKEN_LOG_INFO(LABEL, "PermStr =%{public}s.", permStr.c_str());
1200 }
1201
PermissionListFilter(const std::vector<std::string> & listSrc,std::vector<std::string> & listRes)1202 int32_t PermissionRecordManager::PermissionListFilter(
1203 const std::vector<std::string>& listSrc, std::vector<std::string>& listRes)
1204 {
1205 // filter legal permissions
1206 PermissionDef permissionDef;
1207 std::set<std::string> permSet;
1208 for (const auto& perm : listSrc) {
1209 if (AccessTokenKit::GetDefPermission(perm, permissionDef) == Constant::SUCCESS &&
1210 permSet.count(perm) == 0) {
1211 listRes.emplace_back(perm);
1212 permSet.insert(perm);
1213 continue;
1214 }
1215 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission %{public}s invalid!", perm.c_str());
1216 }
1217 if ((listRes.empty()) && (!listSrc.empty())) {
1218 ACCESSTOKEN_LOG_ERROR(LABEL, "Valid permission size is 0!");
1219 return PrivacyError::ERR_PARAM_INVALID;
1220 }
1221 PermListToString(listRes);
1222 return Constant::SUCCESS;
1223 }
1224
IsAllowedUsingCamera(AccessTokenID tokenId)1225 bool PermissionRecordManager::IsAllowedUsingCamera(AccessTokenID tokenId)
1226 {
1227 int32_t status = GetAppStatus(tokenId);
1228 bool isScreenOn = IsScreenOn();
1229 bool isAllowedBackGround = false;
1230 if (AccessTokenKit::VerifyAccessToken(tokenId, "ohos.permission.CAMERA_BACKGROUND") == PERMISSION_GRANTED) {
1231 isAllowedBackGround = true;
1232 }
1233 ACCESSTOKEN_LOG_INFO(LABEL,
1234 "Id(%{public}d), appStatus(%{public}d), isScreenOn(%{public}d, isAllowedBackGround(%{public}d)).",
1235 tokenId, status, isScreenOn, isAllowedBackGround);
1236 return ((status == ActiveChangeType::PERM_ACTIVE_IN_FOREGROUND) && isScreenOn) || isAllowedBackGround;
1237 }
1238
IsAllowedUsingMicrophone(AccessTokenID tokenId)1239 bool PermissionRecordManager::IsAllowedUsingMicrophone(AccessTokenID tokenId)
1240 {
1241 int32_t status = GetAppStatus(tokenId);
1242 ACCESSTOKEN_LOG_INFO(LABEL, "Id %{public}d, status is %{public}d.", tokenId, status);
1243 if (status == ActiveChangeType::PERM_ACTIVE_IN_FOREGROUND) {
1244 return true;
1245 }
1246
1247 std::lock_guard<std::mutex> lock(foreReminderMutex_);
1248 auto iter = std::find(foreTokenIdList_.begin(), foreTokenIdList_.end(), tokenId);
1249 if (iter != foreTokenIdList_.end()) {
1250 return true;
1251 }
1252 return false;
1253 }
1254
IsAllowedUsingPermission(AccessTokenID tokenId,const std::string & permissionName)1255 bool PermissionRecordManager::IsAllowedUsingPermission(AccessTokenID tokenId, const std::string& permissionName)
1256 {
1257 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1258 ACCESSTOKEN_LOG_DEBUG(LABEL, "Id(%{public}d) is not hap.", tokenId);
1259 return false;
1260 }
1261
1262 if (GetMuteStatus(permissionName, EDM)) {
1263 ACCESSTOKEN_LOG_ERROR(LABEL, "EDM not allow.");
1264 return false;
1265 }
1266
1267 if (permissionName == CAMERA_PERMISSION_NAME) {
1268 return IsAllowedUsingCamera(tokenId);
1269 } else if (permissionName == MICROPHONE_PERMISSION_NAME) {
1270 return IsAllowedUsingMicrophone(tokenId);
1271 }
1272 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid permission(%{public}s).", permissionName.c_str());
1273 return false;
1274 }
1275
SetMutePolicy(const PolicyType & policyType,const CallerType & callerType,bool isMute)1276 int32_t PermissionRecordManager::SetMutePolicy(const PolicyType& policyType, const CallerType& callerType, bool isMute)
1277 {
1278 std::string permissionName;
1279 if (callerType == MICROPHONE) {
1280 permissionName = MICROPHONE_PERMISSION_NAME;
1281 } else if (callerType == CAMERA) {
1282 permissionName = CAMERA_PERMISSION_NAME;
1283 } else {
1284 return PrivacyError::ERR_PARAM_INVALID;
1285 }
1286
1287 if (policyType == EDM) {
1288 return SetEdmMutePolicy(permissionName, isMute);
1289 }
1290
1291 if (policyType == PRIVACY) {
1292 return SetPrivacyMutePolicy(permissionName, isMute);
1293 }
1294
1295 if (policyType == TEMPORARY) {
1296 return SetTempMutePolicy(permissionName, isMute);
1297 }
1298 return ERR_PARAM_INVALID;
1299 }
1300
SetHapWithFGReminder(uint32_t tokenId,bool isAllowed)1301 int32_t PermissionRecordManager::SetHapWithFGReminder(uint32_t tokenId, bool isAllowed)
1302 {
1303 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1304 ACCESSTOKEN_LOG_ERROR(LABEL, "Not hap(%{public}d).", tokenId);
1305 return PrivacyError::ERR_PARAM_INVALID;
1306 }
1307 std::lock_guard<std::mutex> lock(foreReminderMutex_);
1308 auto iter = std::find(foreTokenIdList_.begin(), foreTokenIdList_.end(), tokenId);
1309 if (iter == foreTokenIdList_.end() && isAllowed) {
1310 foreTokenIdList_.emplace_back(tokenId);
1311 ACCESSTOKEN_LOG_INFO(LABEL, "Set hap(%{public}d) foreground.", tokenId);
1312 return RET_SUCCESS;
1313 }
1314 if (iter != foreTokenIdList_.end() && !isAllowed) {
1315 foreTokenIdList_.erase(iter);
1316 ACCESSTOKEN_LOG_INFO(LABEL, "cancel hap(%{public}d) foreground.", tokenId);
1317 return RET_SUCCESS;
1318 }
1319 ACCESSTOKEN_LOG_ERROR(LABEL, "(%{public}d) is invalid to be operated.", tokenId);
1320 return PrivacyError::ERR_PARAM_INVALID;
1321 }
1322
SetEdmMutePolicy(const std::string permissionName,bool isMute)1323 int32_t PermissionRecordManager::SetEdmMutePolicy(const std::string permissionName, bool isMute)
1324 {
1325 if (isMute) {
1326 ModifyMuteStatus(permissionName, EDM, isMute);
1327 ModifyMuteStatus(permissionName, MIXED, isMute);
1328 #ifndef APP_SECURITY_PRIVACY_SERVICE
1329 ExecuteAndUpdateRecordByPerm(permissionName, false);
1330 #endif
1331 } else {
1332 ModifyMuteStatus(permissionName, EDM, isMute);
1333 if (GetMuteStatus(permissionName, MIXED)) {
1334 return ERR_PRIVACY_POLICY_CHECK_FAILED;
1335 }
1336 }
1337 return RET_SUCCESS;
1338 }
1339
SetPrivacyMutePolicy(const std::string permissionName,bool isMute)1340 int32_t PermissionRecordManager::SetPrivacyMutePolicy(const std::string permissionName, bool isMute)
1341 {
1342 if (isMute) {
1343 ModifyMuteStatus(permissionName, MIXED, isMute);
1344 } else {
1345 if (GetMuteStatus(permissionName, EDM)) {
1346 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1347 }
1348 ModifyMuteStatus(permissionName, MIXED, isMute);
1349 }
1350 #ifndef APP_SECURITY_PRIVACY_SERVICE
1351 ExecuteAndUpdateRecordByPerm(permissionName, !isMute);
1352 #endif
1353 return RET_SUCCESS;
1354 }
1355
SetTempMutePolicy(const std::string permissionName,bool isMute)1356 int32_t PermissionRecordManager::SetTempMutePolicy(const std::string permissionName, bool isMute)
1357 {
1358 if (!isMute) {
1359 if (GetMuteStatus(permissionName, EDM)) {
1360 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1361 }
1362 if (GetMuteStatus(permissionName, MIXED)) {
1363 if (!ShowGlobalDialog(permissionName)) {
1364 return ERR_SERVICE_ABNORMAL;
1365 }
1366 return PrivacyError::ERR_PRIVACY_POLICY_CHECK_FAILED;
1367 }
1368 }
1369 return RET_SUCCESS;
1370 }
1371
ModifyMuteStatus(const std::string & permissionName,int32_t index,bool isMute)1372 void PermissionRecordManager::ModifyMuteStatus(const std::string& permissionName, int32_t index, bool isMute)
1373 {
1374 if (permissionName == MICROPHONE_PERMISSION_NAME) {
1375 std::lock_guard<std::mutex> lock(micMuteMutex_);
1376 if (index == EDM) {
1377 isMicEdmMute_ = isMute;
1378 } else {
1379 isMicMixMute_ = isMute;
1380 }
1381 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1382 std::lock_guard<std::mutex> lock(camMuteMutex_);
1383 if (index == EDM) {
1384 isCamEdmMute_ = isMute;
1385 } else {
1386 isCamMixMute_ = isMute;
1387 }
1388 }
1389 ACCESSTOKEN_LOG_INFO(LABEL, "permissionName: %{public}s, isMute: %{public}d, index: %{public}d.",
1390 permissionName.c_str(), isMute, index);
1391 }
1392
GetMuteStatus(const std::string & permissionName,int32_t index)1393 bool PermissionRecordManager::GetMuteStatus(const std::string& permissionName, int32_t index)
1394 {
1395 bool isMute = false;
1396 if (permissionName == MICROPHONE_PERMISSION_NAME) {
1397 std::lock_guard<std::mutex> lock(micMuteMutex_);
1398 isMute = (index == EDM) ? isMicEdmMute_ : isMicMixMute_;
1399 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1400 std::lock_guard<std::mutex> lock(camMuteMutex_);
1401 isMute = (index == EDM) ? isCamEdmMute_ : isCamMixMute_;
1402 } else {
1403 return false;
1404 }
1405 ACCESSTOKEN_LOG_INFO(LABEL, "perm: %{public}s, isMute: %{public}d, index: %{public}d.",
1406 permissionName.c_str(), isMute, index);
1407 return isMute;
1408 }
1409
RegisterPermActiveStatusCallback(AccessTokenID regiterTokenId,const std::vector<std::string> & permList,const sptr<IRemoteObject> & callback)1410 int32_t PermissionRecordManager::RegisterPermActiveStatusCallback(
1411 AccessTokenID regiterTokenId, const std::vector<std::string>& permList, const sptr<IRemoteObject>& callback)
1412 {
1413 std::vector<std::string> permListRes;
1414 int32_t res = PermissionListFilter(permList, permListRes);
1415 if (res != Constant::SUCCESS) {
1416 return res;
1417 }
1418 return ActiveStatusCallbackManager::GetInstance().AddCallback(regiterTokenId, permListRes, callback);
1419 }
1420
UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject> & callback)1421 int32_t PermissionRecordManager::UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject>& callback)
1422 {
1423 return ActiveStatusCallbackManager::GetInstance().RemoveCallback(callback);
1424 }
1425
AddDataValueToResults(const GenericValues value,std::vector<PermissionUsedTypeInfo> & results)1426 void PermissionRecordManager::AddDataValueToResults(const GenericValues value,
1427 std::vector<PermissionUsedTypeInfo>& results)
1428 {
1429 PermissionUsedTypeInfo info;
1430 info.tokenId = static_cast<AccessTokenID>(value.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID));
1431 Constant::TransferOpcodeToPermission(value.GetInt(PrivacyFiledConst::FIELD_PERMISSION_CODE), info.permissionName);
1432 uint32_t type = static_cast<uint32_t>(value.GetInt(PrivacyFiledConst::FIELD_USED_TYPE));
1433 if ((type & NORMAL_TYPE_ADD_VALUE) == NORMAL_TYPE_ADD_VALUE) { // normal first
1434 info.type = PermissionUsedType::NORMAL_TYPE;
1435 results.emplace_back(info);
1436 }
1437 if ((type & PICKER_TYPE_ADD_VALUE) == PICKER_TYPE_ADD_VALUE) { // picker second
1438 info.type = PermissionUsedType::PICKER_TYPE;
1439 results.emplace_back(info);
1440 }
1441 if ((type & SEC_COMPONENT_TYPE_ADD_VALUE) == SEC_COMPONENT_TYPE_ADD_VALUE) { // security component last
1442 info.type = PermissionUsedType::SECURITY_COMPONENT_TYPE;
1443 results.emplace_back(info);
1444 }
1445 }
1446
GetPermissionUsedTypeInfos(AccessTokenID tokenId,const std::string & permissionName,std::vector<PermissionUsedTypeInfo> & results)1447 int32_t PermissionRecordManager::GetPermissionUsedTypeInfos(AccessTokenID tokenId, const std::string& permissionName,
1448 std::vector<PermissionUsedTypeInfo>& results)
1449 {
1450 GenericValues value;
1451
1452 if (tokenId != INVALID_TOKENID) {
1453 HapTokenInfo tokenInfo;
1454 if (AccessTokenKit::GetHapTokenInfo(tokenId, tokenInfo) != Constant::SUCCESS) {
1455 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid tokenId(%{public}d).", tokenId);
1456 return PrivacyError::ERR_TOKENID_NOT_EXIST;
1457 }
1458 value.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
1459 }
1460
1461 if (!permissionName.empty()) {
1462 int32_t opCode;
1463 if (!Constant::TransferPermissionToOpcode(permissionName, opCode)) {
1464 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid (%{public}s).", permissionName.c_str());
1465 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
1466 }
1467 value.Put(PrivacyFiledConst::FIELD_PERMISSION_CODE, opCode);
1468 }
1469
1470 std::vector<GenericValues> valueResults;
1471 if (PermissionUsedRecordDb::GetInstance().Query(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
1472 value, valueResults) != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
1473 return Constant::FAILURE;
1474 }
1475
1476 for (const auto& valueResult : valueResults) {
1477 AddDataValueToResults(valueResult, results);
1478 }
1479
1480 ACCESSTOKEN_LOG_INFO(LABEL, "Get %{public}zu permission used type records.", results.size());
1481
1482 return Constant::SUCCESS;
1483 }
1484
GetDeviceId(AccessTokenID tokenId)1485 std::string PermissionRecordManager::GetDeviceId(AccessTokenID tokenId)
1486 {
1487 HapTokenInfo tokenInfo;
1488 if (AccessTokenKit::GetHapTokenInfo(tokenId, tokenInfo) != Constant::SUCCESS) {
1489 return "";
1490 }
1491 if (tokenInfo.deviceID == DEFAULT_DEVICEID) { // local
1492 return ConstantCommon::GetLocalDeviceId();
1493 }
1494 return tokenInfo.deviceID;
1495 }
1496
GetAppStatus(AccessTokenID tokenId)1497 int32_t PermissionRecordManager::GetAppStatus(AccessTokenID tokenId)
1498 {
1499 int32_t status = PERM_ACTIVE_IN_BACKGROUND;
1500 std::vector<AppStateData> foreGroundAppList;
1501 AppManagerAccessClient::GetInstance().GetForegroundApplications(foreGroundAppList);
1502 if (std::any_of(foreGroundAppList.begin(), foreGroundAppList.end(),
1503 [=](const auto& foreGroundApp) { return foreGroundApp.accessTokenId == tokenId; })) {
1504 status = PERM_ACTIVE_IN_FOREGROUND;
1505 }
1506 return status;
1507 }
1508
Register()1509 bool PermissionRecordManager::Register()
1510 {
1511 // app manager death callback register
1512 {
1513 std::lock_guard<std::mutex> lock(appManagerDeathMutex_);
1514 if (appManagerDeathCallback_ == nullptr) {
1515 appManagerDeathCallback_ = std::make_shared<PrivacyAppManagerDeathCallback>();
1516 if (appManagerDeathCallback_ == nullptr) {
1517 ACCESSTOKEN_LOG_ERROR(LABEL, "Register appManagerDeathCallback failed.");
1518 return false;
1519 }
1520 AppManagerAccessClient::GetInstance().RegisterDeathCallback(appManagerDeathCallback_);
1521 }
1522 }
1523 // app state change callback register
1524 {
1525 std::lock_guard<std::mutex> lock(appStateMutex_);
1526 if (appStateCallback_ == nullptr) {
1527 appStateCallback_ = new (std::nothrow) PrivacyAppStateObserver();
1528 if (appStateCallback_ == nullptr) {
1529 ACCESSTOKEN_LOG_ERROR(LABEL, "Register appStateCallback failed.");
1530 return false;
1531 }
1532 AppManagerAccessClient::GetInstance().RegisterApplicationStateObserver(appStateCallback_);
1533 }
1534 }
1535 return true;
1536 }
1537
1538 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
HasUsingCamera()1539 bool PermissionRecordManager::HasUsingCamera()
1540 {
1541 std::lock_guard<std::mutex> lock(startRecordListMutex_);
1542 bool hasCamera = std::any_of(startRecordList_.begin(), startRecordList_.end(),
1543 [](const auto& record) { return record.opCode == Constant::OP_CAMERA; });
1544 return hasCamera;
1545 }
1546
UpdateCameraFloatWindowStatus(AccessTokenID tokenId,bool isShowing)1547 void UpdateCameraFloatWindowStatus(AccessTokenID tokenId, bool isShowing)
1548 {
1549 PermissionRecordManager::GetInstance().NotifyCameraWindowChange(false, tokenId, isShowing);
1550 }
1551
UpdatePipWindowStatus(AccessTokenID tokenId,bool isShowing)1552 void UpdatePipWindowStatus(AccessTokenID tokenId, bool isShowing)
1553 {
1554 PermissionRecordManager::GetInstance().NotifyCameraWindowChange(true, tokenId, isShowing);
1555 }
1556
1557 /* Handle window manager die */
HandleWindowDied()1558 void HandleWindowDied()
1559 {
1560 PermissionRecordManager::GetInstance().OnWindowMgrRemoteDied();
1561 }
1562 #endif
1563
RegisterWindowCallback()1564 bool PermissionRecordManager::RegisterWindowCallback()
1565 {
1566 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1567 ACCESSTOKEN_LOG_INFO(LABEL, "Begin to RegisterWindowCallback.");
1568
1569 std::lock_guard<std::mutex> lock(windowMutex_);
1570 WindowChangeCallback floatCallback = UpdateCameraFloatWindowStatus;
1571 if (floatWindowCallback_ == nullptr) {
1572 floatWindowCallback_ = new (std::nothrow) PrivacyWindowManagerAgent(floatCallback);
1573 if (floatWindowCallback_ == nullptr) {
1574 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to new PrivacyWindowManagerAgent.");
1575 return false;
1576 }
1577 }
1578 ErrCode err = PrivacyWindowManagerClient::GetInstance().RegisterWindowManagerAgent(
1579 WindowManagerAgentType::WINDOW_MANAGER_AGENT_TYPE_CAMERA_FLOAT, floatWindowCallback_);
1580 if (err != ERR_OK) {
1581 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to register float window listener, err:%{public}d", err);
1582 return false;
1583 }
1584
1585 if (Rosen::SceneBoardJudgement::IsSceneBoardEnabled()) {
1586 WindowChangeCallback pipCallback = UpdatePipWindowStatus;
1587
1588 if (pipWindowCallback_ == nullptr) {
1589 pipWindowCallback_ = new (std::nothrow) PrivacyWindowManagerAgent(pipCallback);
1590 if (floatWindowCallback_ == nullptr) {
1591 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to new PrivacyWindowManagerAgent.");
1592 return false;
1593 }
1594 }
1595
1596 err = PrivacyWindowManagerClient::GetInstance().RegisterWindowManagerAgent(
1597 WindowManagerAgentType::WINDOW_MANAGER_AGENT_TYPE_CAMERA_WINDOW, pipWindowCallback_);
1598 if (err != ERR_OK) {
1599 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to register pip window listener, err:%{public}d", err);
1600 PrivacyWindowManagerClient::GetInstance().UnregisterWindowManagerAgent(
1601 WindowManagerAgentType::WINDOW_MANAGER_AGENT_TYPE_CAMERA_FLOAT, floatWindowCallback_);
1602 return false;
1603 }
1604 }
1605
1606 PrivacyWindowManagerClient::GetInstance().AddDeathCallback(HandleWindowDied);
1607 #endif
1608 return true;
1609 }
1610
InitializeMuteState(const std::string & permissionName)1611 void PermissionRecordManager::InitializeMuteState(const std::string& permissionName)
1612 {
1613 if (permissionName == MICROPHONE_PERMISSION_NAME) {
1614 bool isMicMute = AudioManagerPrivacyClient::GetInstance().GetPersistentMicMuteState();
1615 ACCESSTOKEN_LOG_INFO(LABEL, "Mic mute state: %{public}d.", isMicMute);
1616 ModifyMuteStatus(MICROPHONE_PERMISSION_NAME, MIXED, isMicMute);
1617 {
1618 std::lock_guard<std::mutex> lock(micLoadMutex_);
1619 if (!isMicLoad_) {
1620 ACCESSTOKEN_LOG_INFO(LABEL, "Mic mute state: %{public}d.", isMicLoad_);
1621 bool isEdmMute = false;
1622 if (!GetMuteParameter(EDM_MIC_MUTE_KEY, isEdmMute)) {
1623 ACCESSTOKEN_LOG_ERROR(LABEL, "Get param failed");
1624 return;
1625 }
1626 ModifyMuteStatus(MICROPHONE_PERMISSION_NAME, EDM, isEdmMute);
1627 }
1628 }
1629 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1630 bool isCameraMute = CameraManagerPrivacyClient::GetInstance().IsCameraMuted();
1631 ACCESSTOKEN_LOG_INFO(LABEL, "Camera mute state: %{public}d.", isCameraMute);
1632 ModifyMuteStatus(CAMERA_PERMISSION_NAME, MIXED, isCameraMute);
1633 {
1634 std::lock_guard<std::mutex> lock(camLoadMutex_);
1635 if (!isCamLoad_) {
1636 bool isEdmMute = false;
1637 ModifyMuteStatus(CAMERA_PERMISSION_NAME, EDM, isEdmMute);
1638 }
1639 }
1640 }
1641 }
1642
Unregister()1643 void PermissionRecordManager::Unregister()
1644 {
1645 // app state change callback unregister
1646 std::lock_guard<std::mutex> lock(appStateMutex_);
1647 if (appStateCallback_ != nullptr) {
1648 AppManagerAccessClient::GetInstance().UnregisterApplicationStateObserver(appStateCallback_);
1649 appStateCallback_= nullptr;
1650 }
1651 }
1652
GetMuteParameter(const char * key,bool & isMute)1653 bool PermissionRecordManager::GetMuteParameter(const char* key, bool& isMute)
1654 {
1655 char value[VALUE_MAX_LEN] = {0};
1656 int32_t ret = GetParameter(key, "", value, VALUE_MAX_LEN - 1);
1657 if (ret < 0) {
1658 ACCESSTOKEN_LOG_ERROR(LABEL, "Return default value, ret=%{public}d", ret);
1659 return false;
1660 }
1661 isMute = false;
1662 if (strncmp(value, "true", VALUE_MAX_LEN) == 0) {
1663 ACCESSTOKEN_LOG_INFO(LABEL, "EDM not allow.");
1664 isMute = true;
1665 }
1666 return true;
1667 }
1668
OnAppMgrRemoteDiedHandle()1669 void PermissionRecordManager::OnAppMgrRemoteDiedHandle()
1670 {
1671 ACCESSTOKEN_LOG_INFO(LABEL, "Handle app fwk died.");
1672 std::lock_guard<std::mutex> lock(appStateMutex_);
1673 appStateCallback_ = nullptr;
1674 }
1675
OnAudioMgrRemoteDiedHandle()1676 void PermissionRecordManager::OnAudioMgrRemoteDiedHandle()
1677 {
1678 ACCESSTOKEN_LOG_INFO(LABEL, "Handle audio fwk died.");
1679 {
1680 std::lock_guard<std::mutex> lock(micLoadMutex_);
1681 isMicLoad_ = false;
1682 }
1683 RemoveRecordFromStartListByOp(Constant::OP_MICROPHONE);
1684 }
1685
OnCameraMgrRemoteDiedHandle()1686 void PermissionRecordManager::OnCameraMgrRemoteDiedHandle()
1687 {
1688 ACCESSTOKEN_LOG_INFO(LABEL, "Handle camera fwk died.");
1689 {
1690 std::lock_guard<std::mutex> lock(camLoadMutex_);
1691 isCamLoad_ = false;
1692 }
1693 RemoveRecordFromStartListByOp(Constant::OP_CAMERA);
1694 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1695 ClearWindowShowing();
1696 #endif
1697 }
1698
IsCameraWindowShow(AccessTokenID tokenId)1699 bool PermissionRecordManager::IsCameraWindowShow(AccessTokenID tokenId)
1700 {
1701 bool isShow = true;
1702 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1703 std::lock_guard<std::mutex> lock(windowStatusMutex_);
1704 isShow = (((floatWindowTokenId_ == tokenId) && camFloatWindowShowing_) ||
1705 ((pipWindowTokenId_ == tokenId) && pipWindowShowing_));
1706 #endif
1707 return isShow;
1708 }
1709
1710 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1711 /*
1712 * when camera float window is not show, notice camera service to use StopUsingPermission
1713 */
NotifyCameraWindowChange(bool isPip,AccessTokenID tokenId,bool isShowing)1714 void PermissionRecordManager::NotifyCameraWindowChange(bool isPip, AccessTokenID tokenId, bool isShowing)
1715 {
1716 ACCESSTOKEN_LOG_INFO(LABEL, "Update window, isPip(%{public}d), id(%{public}u), status(%{public}d)",
1717 isPip, tokenId, isShowing);
1718 {
1719 std::lock_guard<std::mutex> lock(windowStatusMutex_);
1720 if (isPip) {
1721 pipWindowShowing_ = isShowing;
1722 pipWindowTokenId_ = tokenId;
1723 } else {
1724 camFloatWindowShowing_ = isShowing;
1725 floatWindowTokenId_ = tokenId;
1726 }
1727 }
1728 if (isShowing) {
1729 ACCESSTOKEN_LOG_INFO(LABEL, "Camera float window is showing!");
1730 } else {
1731 if ((GetAppStatus(tokenId) == ActiveChangeType::PERM_ACTIVE_IN_BACKGROUND) &&
1732 !IsCameraWindowShow(tokenId)) {
1733 ACCESSTOKEN_LOG_INFO(LABEL, "Token(%{public}d) is background, pip and float window is not show.", tokenId);
1734 ExecuteCameraCallbackAsync(tokenId, -1);
1735 }
1736 }
1737 }
1738
ClearWindowShowing()1739 void PermissionRecordManager::ClearWindowShowing()
1740 {
1741 ACCESSTOKEN_LOG_INFO(LABEL, "Clear window show status.");
1742 {
1743 std::lock_guard<std::mutex> lock(windowStatusMutex_);
1744 camFloatWindowShowing_ = false;
1745 floatWindowTokenId_ = 0;
1746
1747 pipWindowShowing_ = false;
1748 pipWindowTokenId_ = 0;
1749 }
1750 }
1751
1752 /* Handle window manager die */
OnWindowMgrRemoteDied()1753 void PermissionRecordManager::OnWindowMgrRemoteDied()
1754 {
1755 ACCESSTOKEN_LOG_INFO(LABEL, "Handle window manager died.");
1756 ClearWindowShowing();
1757 }
1758 #endif
1759
SetDefaultConfigValue()1760 void PermissionRecordManager::SetDefaultConfigValue()
1761 {
1762 recordSizeMaximum_ = DEFAULT_PERMISSION_USED_RECORD_SIZE_MAXIMUM;
1763 recordAgingTime_ = DEFAULT_PERMISSION_USED_RECORD_AGING_TIME;
1764 globalDialogBundleName_ = DEFAULT_PERMISSION_MANAGER_BUNDLE_NAME;
1765 globalDialogAbilityName_ = DEFAULT_PERMISSION_MANAGER_DIALOG_ABILITY;
1766 }
1767
GetConfigValue()1768 void PermissionRecordManager::GetConfigValue()
1769 {
1770 LibraryLoader loader(CONFIG_POLICY_LIBPATH);
1771 ConfigPolicyLoaderInterface* policy = loader.GetObject<ConfigPolicyLoaderInterface>();
1772 if (policy == nullptr) {
1773 ACCESSTOKEN_LOG_ERROR(LABEL, "Dlopen libaccesstoken_config_policy failed.");
1774 return;
1775 }
1776 AccessTokenConfigValue value;
1777 if (policy->GetConfigValue(ServiceType::PRIVACY_SERVICE, value)) {
1778 // set value from config
1779 recordSizeMaximum_ = value.pConfig.sizeMaxImum == 0
1780 ? DEFAULT_PERMISSION_USED_RECORD_SIZE_MAXIMUM : value.pConfig.sizeMaxImum;
1781 recordAgingTime_ = value.pConfig.agingTime == 0
1782 ? DEFAULT_PERMISSION_USED_RECORD_AGING_TIME : value.pConfig.agingTime;
1783 globalDialogBundleName_ = value.pConfig.globalDialogBundleName.empty()
1784 ? DEFAULT_PERMISSION_MANAGER_BUNDLE_NAME : value.pConfig.globalDialogBundleName;
1785 globalDialogAbilityName_ = value.pConfig.globalDialogAbilityName.empty()
1786 ? DEFAULT_PERMISSION_MANAGER_DIALOG_ABILITY : value.pConfig.globalDialogAbilityName;
1787 } else {
1788 SetDefaultConfigValue();
1789 }
1790
1791 ACCESSTOKEN_LOG_INFO(LABEL, "RecordSizeMaximum_ is %{public}d, recordAgingTime_ is %{public}d,"
1792 " globalDialogBundleName_ is %{public}s, globalDialogAbilityName_ is %{public}s.",
1793 recordSizeMaximum_, recordAgingTime_, globalDialogBundleName_.c_str(), globalDialogAbilityName_.c_str());
1794 }
1795
GetUniqueId(uint32_t tokenId,int32_t pid) const1796 uint64_t PermissionRecordManager::GetUniqueId(uint32_t tokenId, int32_t pid) const
1797 {
1798 uint32_t tmpPid = (pid <= 0) ? 0 : (uint32_t)pid;
1799 return ((uint64_t)tmpPid << 32) | ((uint64_t)tokenId & 0xFFFFFFFF); // 32: bit
1800 }
1801
IsPidValid(int32_t pid) const1802 bool PermissionRecordManager::IsPidValid(int32_t pid) const
1803 {
1804 return pid > 0;
1805 }
1806
Init()1807 void PermissionRecordManager::Init()
1808 {
1809 if (hasInited_) {
1810 return;
1811 }
1812 ACCESSTOKEN_LOG_INFO(LABEL, "Init");
1813 hasInited_ = true;
1814
1815 #ifdef EVENTHANDLER_ENABLE
1816 deleteEventRunner_ = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
1817 if (deleteEventRunner_ != nullptr) {
1818 deleteEventHandler_ = std::make_shared<AccessEventHandler>(deleteEventRunner_);
1819 }
1820 #endif
1821
1822 GetConfigValue();
1823 }
1824 } // namespace AccessToken
1825 } // namespace Security
1826 } // namespace OHOS