1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_manager_service.h"
17
18 #include <unistd.h>
19
20 #include "access_token.h"
21 #include "access_token_error.h"
22 #include "accesstoken_dfx_define.h"
23 #include "accesstoken_id_manager.h"
24 #include "accesstoken_info_manager.h"
25 #include "accesstoken_log.h"
26 #include "config_policy_loader.h"
27 #include "constant_common.h"
28 #ifdef SUPPORT_SANDBOX_APP
29 #include "dlp_permission_set_parser.h"
30 #endif
31 #include "hap_token_info.h"
32 #include "hap_token_info_inner.h"
33 #include "hisysevent_adapter.h"
34 #ifdef HITRACE_NATIVE_ENABLE
35 #include "hitrace_meter.h"
36 #endif
37 #include "ipc_skeleton.h"
38 #include "libraryloader.h"
39 #include "native_token_info_inner.h"
40 #include "native_token_receptor.h"
41 #include "parameter.h"
42 #include "permission_list_state.h"
43 #include "permission_manager.h"
44 #include "short_grant_manager.h"
45 #include "string_ex.h"
46 #include "system_ability_definition.h"
47 #include "permission_definition_parser.h"
48 #ifdef TOKEN_SYNC_ENABLE
49 #include "token_modify_notifier.h"
50 #endif // TOKEN_SYNC_ENABLE
51
52 namespace OHOS {
53 namespace Security {
54 namespace AccessToken {
55 namespace {
56 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {
57 LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "ATMServ"
58 };
59 static const char* ACCESS_TOKEN_SERVICE_INIT_KEY = "accesstoken.permission.init";
60 constexpr int TWO_ARGS = 2;
61 const std::string GRANT_ABILITY_BUNDLE_NAME = "com.ohos.permissionmanager";
62 const std::string GRANT_ABILITY_ABILITY_NAME = "com.ohos.permissionmanager.GrantAbility";
63 const std::string PERMISSION_STATE_SHEET_ABILITY_NAME = "com.ohos.permissionmanager.PermissionStateSheetAbility";
64 const std::string GLOBAL_SWITCH_SHEET_ABILITY_NAME = "com.ohos.permissionmanager.GlobalSwitchSheetAbility";
65 }
66
67 const bool REGISTER_RESULT =
68 SystemAbility::MakeAndRegisterAbility(DelayedSingleton<AccessTokenManagerService>::GetInstance().get());
69
AccessTokenManagerService()70 AccessTokenManagerService::AccessTokenManagerService()
71 : SystemAbility(SA_ID_ACCESSTOKEN_MANAGER_SERVICE, true), state_(ServiceRunningState::STATE_NOT_START)
72 {
73 ACCESSTOKEN_LOG_INFO(LABEL, "AccessTokenManagerService()");
74 }
75
~AccessTokenManagerService()76 AccessTokenManagerService::~AccessTokenManagerService()
77 {
78 ACCESSTOKEN_LOG_INFO(LABEL, "~AccessTokenManagerService()");
79 }
80
OnStart()81 void AccessTokenManagerService::OnStart()
82 {
83 if (state_ == ServiceRunningState::STATE_RUNNING) {
84 ACCESSTOKEN_LOG_INFO(LABEL, "AccessTokenManagerService has already started!");
85 return;
86 }
87 ACCESSTOKEN_LOG_INFO(LABEL, "AccessTokenManagerService is starting.");
88 if (!Initialize()) {
89 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to initialize.");
90 return;
91 }
92 state_ = ServiceRunningState::STATE_RUNNING;
93 bool ret = Publish(DelayedSingleton<AccessTokenManagerService>::GetInstance().get());
94 if (!ret) {
95 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to publish service!");
96 ReportSysEventServiceStartError(SA_PUBLISH_FAILED, "Publish accesstoken_service fail.", -1);
97 return;
98 }
99 AccessTokenServiceParamSet();
100 (void)AddSystemAbilityListener(SECURITY_COMPONENT_SERVICE_ID);
101 ACCESSTOKEN_LOG_INFO(LABEL, "Congratulations, AccessTokenManagerService start successfully!");
102 }
103
OnStop()104 void AccessTokenManagerService::OnStop()
105 {
106 ACCESSTOKEN_LOG_INFO(LABEL, "Stop service.");
107 state_ = ServiceRunningState::STATE_NOT_START;
108 }
109
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)110 void AccessTokenManagerService::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
111 {
112 if (systemAbilityId == SECURITY_COMPONENT_SERVICE_ID) {
113 std::vector<AccessTokenID> tokenIdList;
114 AccessTokenIDManager::GetInstance().GetHapTokenIdList(tokenIdList);
115 PermissionManager::GetInstance().ClearAllSecCompGrantedPerm(tokenIdList);
116 return;
117 }
118 }
119
GetUserGrantedPermissionUsedType(AccessTokenID tokenID,const std::string & permissionName)120 PermUsedTypeEnum AccessTokenManagerService::GetUserGrantedPermissionUsedType(
121 AccessTokenID tokenID, const std::string& permissionName)
122 {
123 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID=%{public}d, permission=%{public}s", tokenID, permissionName.c_str());
124 return PermissionManager::GetInstance().GetUserGrantedPermissionUsedType(tokenID, permissionName);
125 }
126
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)127 int AccessTokenManagerService::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
128 {
129 #ifdef HITRACE_NATIVE_ENABLE
130 StartTrace(HITRACE_TAG_ACCESS_CONTROL, "AccessTokenVerifyPermission");
131 #endif
132 int32_t res = PermissionManager::GetInstance().VerifyAccessToken(tokenID, permissionName);
133 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID: %{public}d, permission: %{public}s, res %{public}d",
134 tokenID, permissionName.c_str(), res);
135 #ifdef HITRACE_NATIVE_ENABLE
136 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
137 #endif
138 return res;
139 }
140
GetDefPermission(const std::string & permissionName,PermissionDefParcel & permissionDefResult)141 int AccessTokenManagerService::GetDefPermission(
142 const std::string& permissionName, PermissionDefParcel& permissionDefResult)
143 {
144 ACCESSTOKEN_LOG_INFO(LABEL, "Permission: %{public}s", permissionName.c_str());
145 return PermissionManager::GetInstance().GetDefPermission(permissionName, permissionDefResult.permissionDef);
146 }
147
GetDefPermissions(AccessTokenID tokenID,std::vector<PermissionDefParcel> & permList)148 int AccessTokenManagerService::GetDefPermissions(AccessTokenID tokenID, std::vector<PermissionDefParcel>& permList)
149 {
150 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d", tokenID);
151 std::vector<PermissionDef> permVec;
152 int ret = PermissionManager::GetInstance().GetDefPermissions(tokenID, permVec);
153 for (const auto& perm : permVec) {
154 PermissionDefParcel permParcel;
155 permParcel.permissionDef = perm;
156 permList.emplace_back(permParcel);
157 }
158 return ret;
159 }
160
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStateFullParcel> & reqPermList,bool isSystemGrant)161 int AccessTokenManagerService::GetReqPermissions(
162 AccessTokenID tokenID, std::vector<PermissionStateFullParcel>& reqPermList, bool isSystemGrant)
163 {
164 std::vector<PermissionStateFull> permList;
165 int ret = PermissionManager::GetInstance().GetReqPermissions(tokenID, permList, isSystemGrant);
166
167 for (const auto& perm : permList) {
168 PermissionStateFullParcel permParcel;
169 permParcel.permStatFull = perm;
170 reqPermList.emplace_back(permParcel);
171 }
172 return ret;
173 }
174
GetSelfPermissionsState(std::vector<PermissionListStateParcel> & reqPermList,PermissionGrantInfoParcel & infoParcel)175 PermissionOper AccessTokenManagerService::GetSelfPermissionsState(std::vector<PermissionListStateParcel>& reqPermList,
176 PermissionGrantInfoParcel& infoParcel)
177 {
178 infoParcel.info.grantBundleName = grantBundleName_;
179 infoParcel.info.grantAbilityName = grantAbilityName_;
180 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
181 return GetPermissionsState(callingTokenID, reqPermList);
182 }
183
GetPermissionsStatus(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList)184 int32_t AccessTokenManagerService::GetPermissionsStatus(AccessTokenID tokenID,
185 std::vector<PermissionListStateParcel>& reqPermList)
186 {
187 if (!AccessTokenInfoManager::GetInstance().IsTokenIdExist(tokenID)) {
188 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID=%{public}d does not exist", tokenID);
189 return ERR_TOKENID_NOT_EXIST;
190 }
191 PermissionOper ret = GetPermissionsState(tokenID, reqPermList);
192 return ret == INVALID_OPER ? RET_FAILED : RET_SUCCESS;
193 }
194
GetPermissionsState(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList)195 PermissionOper AccessTokenManagerService::GetPermissionsState(AccessTokenID tokenID,
196 std::vector<PermissionListStateParcel>& reqPermList)
197 {
198 int32_t apiVersion = 0;
199 if (!PermissionManager::GetInstance().GetApiVersionByTokenId(tokenID, apiVersion)) {
200 ACCESSTOKEN_LOG_ERROR(LABEL, "Get api version error");
201 return INVALID_OPER;
202 }
203 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d, apiVersion: %{public}d", tokenID, apiVersion);
204
205 bool needRes = false;
206 std::vector<PermissionStateFull> permsList;
207 int retUserGrant = PermissionManager::GetInstance().GetReqPermissions(tokenID, permsList, false);
208 int retSysGrant = PermissionManager::GetInstance().GetReqPermissions(tokenID, permsList, true);
209 if ((retSysGrant != RET_SUCCESS) || (retUserGrant != RET_SUCCESS)) {
210 ACCESSTOKEN_LOG_ERROR(LABEL,
211 "GetReqPermissions failed, retUserGrant:%{public}d, retSysGrant:%{public}d",
212 retUserGrant, retSysGrant);
213 return INVALID_OPER;
214 }
215
216 // api9 location permission handle here
217 if (apiVersion >= ACCURATE_LOCATION_API_VERSION) {
218 needRes = PermissionManager::GetInstance().LocationPermissionSpecialHandle(
219 tokenID, reqPermList, permsList, apiVersion);
220 }
221
222 uint32_t size = reqPermList.size();
223 for (uint32_t i = 0; i < size; i++) {
224 // api9 location permission special handle above
225 if (((reqPermList[i].permsState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) ||
226 (reqPermList[i].permsState.permissionName == ACCURATE_LOCATION_PERMISSION_NAME) ||
227 (reqPermList[i].permsState.permissionName == BACKGROUND_LOCATION_PERMISSION_NAME)) &&
228 (apiVersion >= ACCURATE_LOCATION_API_VERSION)) {
229 continue;
230 }
231
232 PermissionManager::GetInstance().GetSelfPermissionState(permsList, reqPermList[i].permsState, apiVersion);
233 if (static_cast<PermissionOper>(reqPermList[i].permsState.state) == DYNAMIC_OPER) {
234 needRes = true;
235 }
236 ACCESSTOKEN_LOG_DEBUG(LABEL, "Perm: %{public}s, state: %{public}d",
237 reqPermList[i].permsState.permissionName.c_str(), reqPermList[i].permsState.state);
238 }
239 if (GetTokenType(tokenID) == TOKEN_HAP && AccessTokenInfoManager::GetInstance().GetPermDialogCap(tokenID)) {
240 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID=%{public}d is under control", tokenID);
241 uint32_t size = reqPermList.size();
242 for (uint32_t i = 0; i < size; i++) {
243 if (reqPermList[i].permsState.state != INVALID_OPER) {
244 reqPermList[i].permsState.state = FORBIDDEN_OPER;
245 }
246 }
247 return FORBIDDEN_OPER;
248 }
249 if (needRes) {
250 return DYNAMIC_OPER;
251 }
252 return PASS_OPER;
253 }
254
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)255 int AccessTokenManagerService::GetPermissionFlag(
256 AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
257 {
258 return PermissionManager::GetInstance().GetPermissionFlag(tokenID, permissionName, flag);
259 }
260
SetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t status,int32_t userID=0)261 int32_t AccessTokenManagerService::SetPermissionRequestToggleStatus(
262 const std::string& permissionName, uint32_t status, int32_t userID = 0)
263 {
264 return PermissionManager::GetInstance().SetPermissionRequestToggleStatus(permissionName, status, userID);
265 }
266
GetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t & status,int32_t userID=0)267 int32_t AccessTokenManagerService::GetPermissionRequestToggleStatus(
268 const std::string& permissionName, uint32_t& status, int32_t userID = 0)
269 {
270 return PermissionManager::GetInstance().GetPermissionRequestToggleStatus(permissionName, status, userID);
271 }
272
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)273 int AccessTokenManagerService::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
274 {
275 return PermissionManager::GetInstance().GrantPermission(tokenID, permissionName, flag);
276 }
277
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)278 int AccessTokenManagerService::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
279 {
280 return PermissionManager::GetInstance().RevokePermission(tokenID, permissionName, flag);
281 }
282
GrantPermissionForSpecifiedTime(AccessTokenID tokenID,const std::string & permissionName,uint32_t onceTime)283 int AccessTokenManagerService::GrantPermissionForSpecifiedTime(
284 AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime)
285 {
286 int32_t ret = PermissionManager::GetInstance().GrantPermissionForSpecifiedTime(tokenID, permissionName, onceTime);
287 return ret;
288 }
289
ClearUserGrantedPermissionState(AccessTokenID tokenID)290 int AccessTokenManagerService::ClearUserGrantedPermissionState(AccessTokenID tokenID)
291 {
292 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d", tokenID);
293 PermissionManager::GetInstance().ClearUserGrantedPermissionState(tokenID);
294 AccessTokenInfoManager::GetInstance().SetPermDialogCap(tokenID, false);
295 return RET_SUCCESS;
296 }
297
RegisterPermStateChangeCallback(const PermStateChangeScopeParcel & scope,const sptr<IRemoteObject> & callback)298 int32_t AccessTokenManagerService::RegisterPermStateChangeCallback(
299 const PermStateChangeScopeParcel& scope, const sptr<IRemoteObject>& callback)
300 {
301 return PermissionManager::GetInstance().AddPermStateChangeCallback(scope.scope, callback);
302 }
303
UnRegisterPermStateChangeCallback(const sptr<IRemoteObject> & callback)304 int32_t AccessTokenManagerService::UnRegisterPermStateChangeCallback(const sptr<IRemoteObject>& callback)
305 {
306 return PermissionManager::GetInstance().RemovePermStateChangeCallback(callback);
307 }
308
AllocHapToken(const HapInfoParcel & info,const HapPolicyParcel & policy)309 AccessTokenIDEx AccessTokenManagerService::AllocHapToken(const HapInfoParcel& info, const HapPolicyParcel& policy)
310 {
311 ACCESSTOKEN_LOG_INFO(LABEL, "BundleName: %{public}s", info.hapInfoParameter.bundleName.c_str());
312 AccessTokenIDEx tokenIdEx;
313 tokenIdEx.tokenIDEx = 0LL;
314
315 int ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(
316 info.hapInfoParameter, policy.hapPolicyParameter, tokenIdEx);
317 if (ret != RET_SUCCESS) {
318 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token info create failed");
319 }
320 return tokenIdEx;
321 }
322
InitHapToken(const HapInfoParcel & info,HapPolicyParcel & policy,AccessTokenIDEx & fullTokenId)323 int32_t AccessTokenManagerService::InitHapToken(
324 const HapInfoParcel& info, HapPolicyParcel& policy, AccessTokenIDEx& fullTokenId)
325 {
326 ACCESSTOKEN_LOG_INFO(LABEL, "Init hap %{public}s.", info.hapInfoParameter.bundleName.c_str());
327 std::vector<PermissionStateFull> initializedList;
328 if (info.hapInfoParameter.dlpType == DLP_COMMON) {
329 if (!PermissionManager::GetInstance().InitPermissionList(info.hapInfoParameter.appDistributionType,
330 policy.hapPolicyParameter, initializedList)) {
331 return ERR_PERM_REQUEST_CFG_FAILED;
332 }
333 } else {
334 if (!PermissionManager::GetInstance().InitDlpPermissionList(
335 info.hapInfoParameter.bundleName, info.hapInfoParameter.userID, initializedList)) {
336 return ERR_PERM_REQUEST_CFG_FAILED;
337 }
338 }
339 policy.hapPolicyParameter.permStateList = initializedList;
340
341 int32_t ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(
342 info.hapInfoParameter, policy.hapPolicyParameter, fullTokenId);
343 if (ret != RET_SUCCESS) {
344 return ret;
345 }
346
347 return ret;
348 }
349
DeleteToken(AccessTokenID tokenID)350 int AccessTokenManagerService::DeleteToken(AccessTokenID tokenID)
351 {
352 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d", tokenID);
353 // only support hap token deletion
354 return AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID);
355 }
356
GetTokenType(AccessTokenID tokenID)357 int AccessTokenManagerService::GetTokenType(AccessTokenID tokenID)
358 {
359 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID: %{public}d", tokenID);
360 return AccessTokenIDManager::GetInstance().GetTokenIdType(tokenID);
361 }
362
CheckNativeDCap(AccessTokenID tokenID,const std::string & dcap)363 int AccessTokenManagerService::CheckNativeDCap(AccessTokenID tokenID, const std::string& dcap)
364 {
365 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d, dcap: %{public}s",
366 tokenID, dcap.c_str());
367 return AccessTokenInfoManager::GetInstance().CheckNativeDCap(tokenID, dcap);
368 }
369
GetHapTokenID(int32_t userID,const std::string & bundleName,int32_t instIndex)370 AccessTokenIDEx AccessTokenManagerService::GetHapTokenID(
371 int32_t userID, const std::string& bundleName, int32_t instIndex)
372 {
373 ACCESSTOKEN_LOG_DEBUG(LABEL, "UserID: %{public}d, bundle: %{public}s, instIndex: %{public}d",
374 userID, bundleName.c_str(), instIndex);
375 return AccessTokenInfoManager::GetInstance().GetHapTokenID(userID, bundleName, instIndex);
376 }
377
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)378 AccessTokenID AccessTokenManagerService::AllocLocalTokenID(
379 const std::string& remoteDeviceID, AccessTokenID remoteTokenID)
380 {
381 ACCESSTOKEN_LOG_INFO(LABEL, "RemoteDeviceID: %{public}s, remoteTokenID: %{public}d",
382 ConstantCommon::EncryptDevId(remoteDeviceID).c_str(), remoteTokenID);
383 AccessTokenID tokenID = AccessTokenInfoManager::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
384 return tokenID;
385 }
386
UpdateHapToken(AccessTokenIDEx & tokenIdEx,const UpdateHapInfoParams & info,const HapPolicyParcel & policyParcel)387 int32_t AccessTokenManagerService::UpdateHapToken(AccessTokenIDEx& tokenIdEx,
388 const UpdateHapInfoParams& info, const HapPolicyParcel& policyParcel)
389 {
390 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d", tokenIdEx.tokenIdExStruct.tokenID);
391 std::vector<PermissionStateFull> InitializedList;
392 if (!PermissionManager::GetInstance().InitPermissionList(
393 info.appDistributionType, policyParcel.hapPolicyParameter, InitializedList)) {
394 return ERR_PERM_REQUEST_CFG_FAILED;
395 }
396 int32_t ret = AccessTokenInfoManager::GetInstance().UpdateHapToken(tokenIdEx, info,
397 InitializedList, policyParcel.hapPolicyParameter.apl, policyParcel.hapPolicyParameter.permList);
398 return ret;
399 }
400
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfoParcel & infoParcel)401 int AccessTokenManagerService::GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfoParcel& infoParcel)
402 {
403 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID: %{public}d", tokenID);
404
405 return AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, infoParcel.hapTokenInfoParams);
406 }
407
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfoParcel & infoParcel)408 int AccessTokenManagerService::GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfoParcel& infoParcel)
409 {
410 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID: %{public}d", tokenID);
411
412 return AccessTokenInfoManager::GetInstance().GetNativeTokenInfo(tokenID, infoParcel.nativeTokenInfoParams);
413 }
414
415 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
ReloadNativeTokenInfo()416 int32_t AccessTokenManagerService::ReloadNativeTokenInfo()
417 {
418 return NativeTokenReceptor::GetInstance().Init();
419 }
420
421 #endif
422
GetNativeTokenId(const std::string & processName)423 AccessTokenID AccessTokenManagerService::GetNativeTokenId(const std::string& processName)
424 {
425 return AccessTokenInfoManager::GetInstance().GetNativeTokenId(processName);
426 }
427
428 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSyncParcel & hapSyncParcel)429 int AccessTokenManagerService::GetHapTokenInfoFromRemote(AccessTokenID tokenID,
430 HapTokenInfoForSyncParcel& hapSyncParcel)
431 {
432 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d", tokenID);
433
434 return AccessTokenInfoManager::GetInstance().GetHapTokenInfoFromRemote(tokenID,
435 hapSyncParcel.hapTokenInfoForSyncParams);
436 }
437
SetRemoteHapTokenInfo(const std::string & deviceID,HapTokenInfoForSyncParcel & hapSyncParcel)438 int AccessTokenManagerService::SetRemoteHapTokenInfo(const std::string& deviceID,
439 HapTokenInfoForSyncParcel& hapSyncParcel)
440 {
441 ACCESSTOKEN_LOG_INFO(LABEL, "DeviceID: %{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
442 int ret = AccessTokenInfoManager::GetInstance().SetRemoteHapTokenInfo(deviceID,
443 hapSyncParcel.hapTokenInfoForSyncParams);
444 return ret;
445 }
446
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)447 int AccessTokenManagerService::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
448 {
449 ACCESSTOKEN_LOG_INFO(LABEL, "DeviceID: %{public}s, token id %{public}d",
450 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
451 return AccessTokenInfoManager::GetInstance().DeleteRemoteToken(deviceID, tokenID);
452 }
453
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID)454 AccessTokenID AccessTokenManagerService::GetRemoteNativeTokenID(const std::string& deviceID,
455 AccessTokenID tokenID)
456 {
457 ACCESSTOKEN_LOG_INFO(LABEL, "DeviceID: %{public}s, token id %{public}d",
458 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
459
460 return AccessTokenInfoManager::GetInstance().GetRemoteNativeTokenID(deviceID, tokenID);
461 }
462
DeleteRemoteDeviceTokens(const std::string & deviceID)463 int AccessTokenManagerService::DeleteRemoteDeviceTokens(const std::string& deviceID)
464 {
465 ACCESSTOKEN_LOG_INFO(LABEL, "DeviceID: %{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
466 return AccessTokenInfoManager::GetInstance().DeleteRemoteDeviceTokens(deviceID);
467 }
468
RegisterTokenSyncCallback(const sptr<IRemoteObject> & callback)469 int32_t AccessTokenManagerService::RegisterTokenSyncCallback(const sptr<IRemoteObject>& callback)
470 {
471 ACCESSTOKEN_LOG_INFO(LABEL, "Call token sync callback registed.");
472 return TokenModifyNotifier::GetInstance().RegisterTokenSyncCallback(callback);
473 }
474
UnRegisterTokenSyncCallback()475 int32_t AccessTokenManagerService::UnRegisterTokenSyncCallback()
476 {
477 ACCESSTOKEN_LOG_INFO(LABEL, "Call token sync callback unregisted.");
478 return TokenModifyNotifier::GetInstance().UnRegisterTokenSyncCallback();
479 }
480 #endif
481
DumpTokenInfo(const AtmToolsParamInfoParcel & infoParcel,std::string & dumpInfo)482 void AccessTokenManagerService::DumpTokenInfo(const AtmToolsParamInfoParcel& infoParcel, std::string& dumpInfo)
483 {
484 ACCESSTOKEN_LOG_INFO(LABEL, "Called");
485
486 AccessTokenInfoManager::GetInstance().DumpTokenInfo(infoParcel.info, dumpInfo);
487 }
488
GetVersion(uint32_t & version)489 int32_t AccessTokenManagerService::GetVersion(uint32_t& version)
490 {
491 ACCESSTOKEN_LOG_INFO(LABEL, "Called");
492 version = DEFAULT_TOKEN_VERSION;
493 return RET_SUCCESS;
494 }
495
SetPermDialogCap(const HapBaseInfoParcel & hapBaseInfoParcel,bool enable)496 int32_t AccessTokenManagerService::SetPermDialogCap(const HapBaseInfoParcel& hapBaseInfoParcel, bool enable)
497 {
498 AccessTokenIDEx tokenIdEx = AccessTokenInfoManager::GetInstance().GetHapTokenID(
499 hapBaseInfoParcel.hapBaseInfo.userID,
500 hapBaseInfoParcel.hapBaseInfo.bundleName,
501 hapBaseInfoParcel.hapBaseInfo.instIndex);
502
503 return AccessTokenInfoManager::GetInstance().SetPermDialogCap(tokenIdEx.tokenIdExStruct.tokenID, enable);
504 }
505
GetPermissionManagerInfo(PermissionGrantInfoParcel & infoParcel)506 void AccessTokenManagerService::GetPermissionManagerInfo(PermissionGrantInfoParcel& infoParcel)
507 {
508 infoParcel.info.grantBundleName = grantBundleName_;
509 infoParcel.info.grantAbilityName = grantAbilityName_;
510 infoParcel.info.permStateAbilityName = permStateAbilityName_;
511 infoParcel.info.globalSwitchAbilityName = globalSwitchAbilityName_;
512 }
513
Dump(int fd,const std::vector<std::u16string> & args)514 int AccessTokenManagerService::Dump(int fd, const std::vector<std::u16string>& args)
515 {
516 if (fd < 0) {
517 return ERR_INVALID_VALUE;
518 }
519
520 dprintf(fd, "AccessToken Dump:\n");
521 std::string arg0 = ((args.size() == 0)? "" : Str16ToStr8(args.at(0)));
522 if (arg0.compare("-h") == 0) {
523 dprintf(fd, "Usage:\n");
524 dprintf(fd, " -h: command help\n");
525 dprintf(fd, " -a: dump all tokens\n");
526 dprintf(fd, " -t <TOKEN_ID>: dump special token id\n");
527 } else if (arg0.compare("-t") == 0) {
528 if (args.size() < TWO_ARGS) {
529 return ERR_INVALID_VALUE;
530 }
531 long long tokenID = atoll(static_cast<const char *>(Str16ToStr8(args.at(1)).c_str()));
532 if (tokenID <= 0) {
533 return ERR_INVALID_VALUE;
534 }
535 AtmToolsParamInfoParcel infoParcel;
536 infoParcel.info.tokenId = static_cast<AccessTokenID>(tokenID);
537 std::string dumpStr;
538 DumpTokenInfo(infoParcel, dumpStr);
539 dprintf(fd, "%s\n", dumpStr.c_str());
540 } else if (arg0.compare("-a") == 0 || arg0 == "") {
541 std::string dumpStr;
542 AtmToolsParamInfoParcel infoParcel;
543 DumpTokenInfo(infoParcel, dumpStr);
544 dprintf(fd, "%s\n", dumpStr.c_str());
545 }
546 return ERR_OK;
547 }
548
AccessTokenServiceParamSet() const549 void AccessTokenManagerService::AccessTokenServiceParamSet() const
550 {
551 int32_t res = SetParameter(ACCESS_TOKEN_SERVICE_INIT_KEY, std::to_string(1).c_str());
552 if (res != 0) {
553 ACCESSTOKEN_LOG_ERROR(LABEL, "SetParameter ACCESS_TOKEN_SERVICE_INIT_KEY failed %{public}d", res);
554 }
555 ACCESSTOKEN_LOG_INFO(LABEL, "SetParameter ACCESS_TOKEN_SERVICE_INIT_KEY success");
556 }
557
GetConfigValue()558 void AccessTokenManagerService::GetConfigValue()
559 {
560 LibraryLoader loader(CONFIG_POLICY_LIBPATH);
561 ConfigPolicyLoaderInterface* policy = loader.GetObject<ConfigPolicyLoaderInterface>();
562 if (policy == nullptr) {
563 ACCESSTOKEN_LOG_ERROR(LABEL, "Dlopen libaccesstoken_config_policy failed.");
564 return;
565 }
566 AccessTokenConfigValue value;
567 if (policy->GetConfigValue(ServiceType::ACCESSTOKEN_SERVICE, value)) {
568 // set value from config
569 grantBundleName_ = value.atConfig.grantBundleName.empty()
570 ? GRANT_ABILITY_BUNDLE_NAME : value.atConfig.grantBundleName;
571 grantAbilityName_ = value.atConfig.grantAbilityName.empty()
572 ? GRANT_ABILITY_ABILITY_NAME : value.atConfig.grantAbilityName;
573 permStateAbilityName_ = value.atConfig.permStateAbilityName.empty()
574 ? PERMISSION_STATE_SHEET_ABILITY_NAME : value.atConfig.permStateAbilityName;
575 globalSwitchAbilityName_ = value.atConfig.globalSwitchAbilityName.empty()
576 ? GLOBAL_SWITCH_SHEET_ABILITY_NAME : value.atConfig.globalSwitchAbilityName;
577 } else {
578 ACCESSTOKEN_LOG_INFO(LABEL, "No config file or config file is not valid, use default values");
579 grantBundleName_ = GRANT_ABILITY_BUNDLE_NAME;
580 grantAbilityName_ = GRANT_ABILITY_ABILITY_NAME;
581 permStateAbilityName_ = PERMISSION_STATE_SHEET_ABILITY_NAME;
582 globalSwitchAbilityName_ = GLOBAL_SWITCH_SHEET_ABILITY_NAME;
583 }
584
585 ACCESSTOKEN_LOG_INFO(LABEL, "GrantBundleName_ is %{public}s, grantAbilityName_ is %{public}s, \
586 permStateAbilityName_ is %{public}s, permStateAbilityName_ is %{public}s",
587 grantBundleName_.c_str(), grantAbilityName_.c_str(),
588 permStateAbilityName_.c_str(), permStateAbilityName_.c_str());
589 }
590
Initialize()591 bool AccessTokenManagerService::Initialize()
592 {
593 ReportSysEventPerformance();
594 AccessTokenInfoManager::GetInstance().Init();
595 NativeTokenReceptor::GetInstance().Init();
596
597 #ifdef EVENTHANDLER_ENABLE
598 eventRunner_ = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
599 if (!eventRunner_) {
600 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to create a recvRunner.");
601 ReportSysEventServiceStartError(EVENTRUNNER_CREATE_ERROR, "Create temp eventRunner error.", -1);
602 return false;
603 }
604 eventHandler_ = std::make_shared<AccessEventHandler>(eventRunner_);
605 TempPermissionObserver::GetInstance().InitEventHandler(eventHandler_);
606
607 shortGrantEventRunner_ = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
608 if (!shortGrantEventRunner_) {
609 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to create a shortGrantEventRunner_.");
610 ReportSysEventServiceStartError(EVENTRUNNER_CREATE_ERROR, "Create short grant eventRunner error.", -1);
611 return false;
612 }
613 shortGrantEventHandler_ = std::make_shared<AccessEventHandler>(shortGrantEventRunner_);
614 ShortGrantManager::GetInstance().InitEventHandler(shortGrantEventHandler_);
615 #endif
616
617 #ifdef SUPPORT_SANDBOX_APP
618 DlpPermissionSetParser::GetInstance().Init();
619 #endif
620 PermissionDefinitionParser::GetInstance().Init();
621 GetConfigValue();
622 TempPermissionObserver::GetInstance().GetConfigValue();
623 ACCESSTOKEN_LOG_INFO(LABEL, "Initialize success");
624 return true;
625 }
626 } // namespace AccessToken
627 } // namespace Security
628 } // namespace OHOS
629