1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_manager.h"
17
18 #include <iostream>
19 #include <numeric>
20 #include <sstream>
21
22 #include "access_token.h"
23 #include "access_token_error.h"
24 #include "accesstoken_dfx_define.h"
25 #include "accesstoken_id_manager.h"
26 #include "accesstoken_info_manager.h"
27 #include "accesstoken_log.h"
28 #include "access_token_db.h"
29 #include "app_manager_access_client.h"
30 #include "callback_manager.h"
31 #ifdef SUPPORT_SANDBOX_APP
32 #include "dlp_permission_set_manager.h"
33 #endif
34 #include "ipc_skeleton.h"
35 #include "hisysevent_adapter.h"
36 #include "parameter.h"
37 #include "permission_definition_cache.h"
38 #include "short_grant_manager.h"
39 #include "permission_map.h"
40 #include "permission_validator.h"
41 #include "perm_setproc.h"
42 #include "token_field_const.h"
43 #ifdef TOKEN_SYNC_ENABLE
44 #include "token_modify_notifier.h"
45 #endif
46
47 namespace OHOS {
48 namespace Security {
49 namespace AccessToken {
50 namespace {
51 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "PermissionManager"};
52 static const char* PERMISSION_STATUS_CHANGE_KEY = "accesstoken.permission.change";
53 static constexpr int32_t VALUE_MAX_LEN = 32;
54 static constexpr int32_t BASE_USER_RANGE = 200000;
55 static const std::vector<std::string> g_notDisplayedPerms = {
56 "ohos.permission.ANSWER_CALL",
57 "ohos.permission.MANAGE_VOICEMAIL",
58 "ohos.permission.READ_CELL_MESSAGES",
59 "ohos.permission.READ_MESSAGES",
60 "ohos.permission.RECEIVE_MMS",
61 "ohos.permission.RECEIVE_SMS",
62 "ohos.permission.RECEIVE_WAP_MESSAGES",
63 "ohos.permission.SEND_MESSAGES",
64 "ohos.permission.READ_CALL_LOG",
65 "ohos.permission.WRITE_CALL_LOG",
66 "ohos.permission.SHORT_TERM_WRITE_IMAGEVIDEO"
67 };
68 constexpr const char* APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM = "enterprise_mdm";
69 }
70 PermissionManager* PermissionManager::implInstance_ = nullptr;
71 std::recursive_mutex PermissionManager::mutex_;
72
GetInstance()73 PermissionManager& PermissionManager::GetInstance()
74 {
75 if (implInstance_ == nullptr) {
76 std::lock_guard<std::recursive_mutex> lock_l(mutex_);
77 if (implInstance_ == nullptr) {
78 implInstance_ = new PermissionManager();
79 }
80 }
81 return *implInstance_;
82 }
83
RegisterImpl(PermissionManager * implInstance)84 void PermissionManager::RegisterImpl(PermissionManager* implInstance)
85 {
86 implInstance_ = implInstance;
87 }
88
PermissionManager()89 PermissionManager::PermissionManager()
90 {
91 char value[VALUE_MAX_LEN] = {0};
92 int32_t ret = GetParameter(PERMISSION_STATUS_CHANGE_KEY, "", value, VALUE_MAX_LEN - 1);
93 if (ret < 0) {
94 ACCESSTOKEN_LOG_ERROR(LABEL, "Return default value, ret=%{public}d", ret);
95 paramValue_ = 0;
96 return;
97 }
98 paramValue_ = static_cast<uint64_t>(std::atoll(value));
99 }
100
~PermissionManager()101 PermissionManager::~PermissionManager()
102 {}
103
ClearAllSecCompGrantedPerm(const std::vector<AccessTokenID> & tokenIdList)104 void PermissionManager::ClearAllSecCompGrantedPerm(const std::vector<AccessTokenID>& tokenIdList)
105 {
106 for (const auto& tokenId : tokenIdList) {
107 std::shared_ptr<HapTokenInfoInner> tokenInfoPtr =
108 AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenId);
109 if (tokenInfoPtr == nullptr) {
110 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenInfo is null, tokenId=%{public}u", tokenId);
111 continue;
112 }
113 std::shared_ptr<PermissionPolicySet> permPolicySet = tokenInfoPtr->GetHapInfoPermissionPolicySet();
114 if (permPolicySet != nullptr) {
115 permPolicySet->ClearSecCompGrantedPerm();
116 }
117 }
118 }
119
AddDefPermissions(const std::vector<PermissionDef> & permList,AccessTokenID tokenId,bool updateFlag)120 void PermissionManager::AddDefPermissions(const std::vector<PermissionDef>& permList, AccessTokenID tokenId,
121 bool updateFlag)
122 {
123 std::vector<PermissionDef> permFilterList;
124 PermissionValidator::FilterInvalidPermissionDef(permList, permFilterList);
125 ACCESSTOKEN_LOG_INFO(LABEL, "PermFilterList size: %{public}zu", permFilterList.size());
126 for (const auto& perm : permFilterList) {
127 if (updateFlag) {
128 PermissionDefinitionCache::GetInstance().Update(perm, tokenId);
129 continue;
130 }
131
132 if (!PermissionDefinitionCache::GetInstance().HasDefinition(perm.permissionName)) {
133 PermissionDefinitionCache::GetInstance().Insert(perm, tokenId);
134 } else {
135 PermissionDefinitionCache::GetInstance().Update(perm, tokenId);
136 ACCESSTOKEN_LOG_INFO(LABEL, "Permission %{public}s has define",
137 TransferPermissionDefToString(perm).c_str());
138 }
139 }
140 }
141
RemoveDefPermissions(AccessTokenID tokenID)142 void PermissionManager::RemoveDefPermissions(AccessTokenID tokenID)
143 {
144 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, tokenID: %{public}u", __func__, tokenID);
145 PermissionDefinitionCache::GetInstance().DeleteByToken(tokenID);
146 }
147
VerifyHapAccessToken(AccessTokenID tokenID,const std::string & permissionName)148 int PermissionManager::VerifyHapAccessToken(AccessTokenID tokenID, const std::string& permissionName)
149 {
150 std::shared_ptr<HapTokenInfoInner> tokenInfoPtr =
151 AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
152 if (tokenInfoPtr == nullptr) {
153 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenInfo is null, tokenId=%{public}u", tokenID);
154 return PERMISSION_DENIED;
155 }
156 std::shared_ptr<PermissionPolicySet> permPolicySet = tokenInfoPtr->GetHapInfoPermissionPolicySet();
157 if (permPolicySet == nullptr) {
158 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
159 return PERMISSION_DENIED;
160 }
161
162 return permPolicySet->VerifyPermissionStatus(permissionName);
163 }
164
VerifyNativeAccessToken(AccessTokenID tokenID,const std::string & permissionName)165 int PermissionManager::VerifyNativeAccessToken(AccessTokenID tokenID, const std::string& permissionName)
166 {
167 std::shared_ptr<NativeTokenInfoInner> tokenInfoPtr =
168 AccessTokenInfoManager::GetInstance().GetNativeTokenInfoInner(tokenID);
169 if (tokenInfoPtr == nullptr) {
170 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenInfo is null, tokenId=%{public}u", tokenID);
171 return PERMISSION_DENIED;
172 }
173
174 NativeTokenInfo info;
175 tokenInfoPtr->TranslateToNativeTokenInfo(info);
176 if (!tokenInfoPtr->IsRemote() && !PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
177 if (PermissionDefinitionCache::GetInstance().IsHapPermissionDefEmpty()) {
178 ACCESSTOKEN_LOG_INFO(LABEL, "Permission definition set has not been installed!");
179 if (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) == TOKEN_NATIVE) {
180 return PERMISSION_GRANTED;
181 }
182 ACCESSTOKEN_LOG_ERROR(LABEL, "Token: %{public}d type error!", tokenID);
183 return PERMISSION_DENIED;
184 }
185 ACCESSTOKEN_LOG_ERROR(LABEL, "No definition for permission: %{public}s!", permissionName.c_str());
186 return PERMISSION_DENIED;
187 }
188 std::shared_ptr<PermissionPolicySet> permPolicySet =
189 AccessTokenInfoManager::GetInstance().GetNativePermissionPolicySet(tokenID);
190 if (permPolicySet == nullptr) {
191 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
192 return PERMISSION_DENIED;
193 }
194
195 return permPolicySet->VerifyPermissionStatus(permissionName);
196 }
197
GetUserGrantedPermissionUsedType(AccessTokenID tokenID,const std::string & permissionName)198 PermUsedTypeEnum PermissionManager::GetUserGrantedPermissionUsedType(
199 AccessTokenID tokenID, const std::string& permissionName)
200 {
201 if ((tokenID == INVALID_TOKENID) ||
202 (TOKEN_HAP != AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID))) {
203 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID: %{public}d is invalid.", tokenID);
204 return PermUsedTypeEnum::INVALID_USED_TYPE;
205 }
206
207 PermissionDef permissionDefResult;
208 int ret = GetDefPermission(permissionName, permissionDefResult);
209 if (RET_SUCCESS != ret) {
210 ACCESSTOKEN_LOG_ERROR(LABEL, "Query permission info of %{public}s failed.", permissionName.c_str());
211 return PermUsedTypeEnum::INVALID_USED_TYPE;
212 }
213
214 std::shared_ptr<PermissionPolicySet> permPolicySet =
215 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenID);
216 if (permPolicySet == nullptr) {
217 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
218 return PermUsedTypeEnum::INVALID_USED_TYPE;
219 }
220
221 return permPolicySet->GetUserGrantedPermissionUsedType(permissionName);
222 }
223
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)224 int PermissionManager::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
225 {
226 if (tokenID == INVALID_TOKENID) {
227 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK",
228 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", VERIFY_TOKEN_ID_ERROR, "CALLER_TOKENID",
229 static_cast<AccessTokenID>(IPCSkeleton::GetCallingTokenID()), "PERMISSION_NAME", permissionName);
230 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
231 return PERMISSION_DENIED;
232 }
233
234 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
235 ACCESSTOKEN_LOG_ERROR(LABEL, "PermissionName: %{public}s, invalid params!", permissionName.c_str());
236 return PERMISSION_DENIED;
237 }
238
239 ATokenTypeEnum tokenType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID);
240 if ((tokenType == TOKEN_NATIVE) || (tokenType == TOKEN_SHELL)) {
241 return VerifyNativeAccessToken(tokenID, permissionName);
242 }
243 if (tokenType == TOKEN_HAP) {
244 return VerifyHapAccessToken(tokenID, permissionName);
245 }
246 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID: %{public}d, invalid tokenType!", tokenID);
247 return PERMISSION_DENIED;
248 }
249
GetDefPermission(const std::string & permissionName,PermissionDef & permissionDefResult)250 int PermissionManager::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult)
251 {
252 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
253 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid params!");
254 return AccessTokenError::ERR_PARAM_INVALID;
255 }
256 return PermissionDefinitionCache::GetInstance().FindByPermissionName(permissionName, permissionDefResult);
257 }
258
GetDefPermissions(AccessTokenID tokenID,std::vector<PermissionDef> & permList)259 int PermissionManager::GetDefPermissions(AccessTokenID tokenID, std::vector<PermissionDef>& permList)
260 {
261 std::shared_ptr<PermissionPolicySet> permPolicySet =
262 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenID);
263 if (permPolicySet == nullptr) {
264 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
265 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
266 }
267
268 permPolicySet->GetDefPermissions(permList);
269 return RET_SUCCESS;
270 }
271
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStateFull> & reqPermList,bool isSystemGrant)272 int PermissionManager::GetReqPermissions(
273 AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant)
274 {
275 ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}s called, tokenID: %{public}u, isSystemGrant: %{public}d",
276 __func__, tokenID, isSystemGrant);
277 std::shared_ptr<PermissionPolicySet> permPolicySet =
278 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenID);
279 if (permPolicySet == nullptr) {
280 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
281 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
282 }
283
284 GrantMode mode = isSystemGrant ? SYSTEM_GRANT : USER_GRANT;
285 std::vector<PermissionStateFull> tmpList;
286 permPolicySet->GetPermissionStateFulls(tmpList);
287 for (const auto& perm : tmpList) {
288 PermissionDef permDef;
289 GetDefPermission(perm.permissionName, permDef);
290 if (permDef.grantMode == mode) {
291 reqPermList.emplace_back(perm);
292 }
293 }
294 return RET_SUCCESS;
295 }
296
IsPermissionRequestedInHap(const std::vector<PermissionStateFull> & permsList,const std::string & permission,int32_t & status,uint32_t & flag)297 static bool IsPermissionRequestedInHap(const std::vector<PermissionStateFull>& permsList,
298 const std::string &permission, int32_t& status, uint32_t& flag)
299 {
300 if (!PermissionDefinitionCache::GetInstance().HasHapPermissionDefinitionForHap(permission)) {
301 ACCESSTOKEN_LOG_ERROR(LABEL, "No definition for hap permission: %{public}s!", permission.c_str());
302 return false;
303 }
304 auto iter = std::find_if(permsList.begin(), permsList.end(), [permission](const PermissionStateFull& perm) {
305 return permission == perm.permissionName;
306 });
307 if (iter == permsList.end()) {
308 ACCESSTOKEN_LOG_WARN(LABEL, "Can not find permission: %{public}s define!", permission.c_str());
309 return false;
310 }
311 ACCESSTOKEN_LOG_DEBUG(LABEL, "Find goal permission: %{public}s, status: %{public}d, flag: %{public}d",
312 permission.c_str(), iter->grantStatus[0], iter->grantFlags[0]);
313 status = iter->grantStatus[0];
314 flag = static_cast<uint32_t>(iter->grantFlags[0]);
315 return true;
316 }
317
IsPermissionRestrictedByRules(const std::string & permission)318 static bool IsPermissionRestrictedByRules(const std::string& permission)
319 {
320 // Several permission is not available to common apps.
321 // Specified apps can get the permission by pre-authorization instead of Pop-ups.
322 auto iterator = std::find(g_notDisplayedPerms.begin(), g_notDisplayedPerms.end(), permission);
323 if (iterator != g_notDisplayedPerms.end()) {
324 ACCESSTOKEN_LOG_WARN(LABEL, "Permission is not available to common apps: %{public}s!", permission.c_str());
325 return true;
326 }
327
328 #ifdef SUPPORT_SANDBOX_APP
329 // Specified dlp permissions are limited to specified dlp type hap.
330 AccessTokenID callingTokenId = IPCSkeleton::GetCallingTokenID();
331 int32_t dlpType = AccessTokenInfoManager::GetInstance().GetHapTokenDlpType(callingTokenId);
332 if ((dlpType != DLP_COMMON) &&
333 !DlpPermissionSetManager::GetInstance().IsPermissionAvailableToDlpHap(dlpType, permission)) {
334 ACCESSTOKEN_LOG_WARN(LABEL,
335 "callingTokenId is not allowed to grant dlp permission: %{public}s!", permission.c_str());
336 return true;
337 }
338 #endif
339
340 return false;
341 }
342
GetSelfPermissionState(const std::vector<PermissionStateFull> & permsList,PermissionListState & permState,int32_t apiVersion)343 void PermissionManager::GetSelfPermissionState(const std::vector<PermissionStateFull>& permsList,
344 PermissionListState& permState, int32_t apiVersion)
345 {
346 int32_t goalGrantStatus;
347 uint32_t goalGrantFlag;
348
349 // api8 require vague location permission refuse directly because there is no vague location permission in api8
350 if ((permState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) && (apiVersion < ACCURATE_LOCATION_API_VERSION)) {
351 permState.state = INVALID_OPER;
352 return;
353 }
354 if (!IsPermissionRequestedInHap(permsList, permState.permissionName, goalGrantStatus, goalGrantFlag)) {
355 permState.state = INVALID_OPER;
356 return;
357 }
358 if (IsPermissionRestrictedByRules(permState.permissionName)) {
359 permState.state = INVALID_OPER;
360 return;
361 }
362 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s: status: %{public}d, flag: %{public}d",
363 permState.permissionName.c_str(), goalGrantStatus, goalGrantFlag);
364 if (goalGrantStatus == PERMISSION_DENIED) {
365 if ((goalGrantFlag & PERMISSION_POLICY_FIXED) != 0) {
366 permState.state = SETTING_OPER;
367 return;
368 }
369
370 if ((goalGrantFlag == PERMISSION_DEFAULT_FLAG) || ((goalGrantFlag & PERMISSION_USER_SET) != 0) ||
371 ((goalGrantFlag & PERMISSION_COMPONENT_SET) != 0) || ((goalGrantFlag & PERMISSION_ALLOW_THIS_TIME) != 0)) {
372 permState.state = DYNAMIC_OPER;
373 return;
374 }
375 if ((goalGrantFlag & PERMISSION_USER_FIXED) != 0) {
376 permState.state = SETTING_OPER;
377 return;
378 }
379 }
380 permState.state = PASS_OPER;
381 return;
382 }
383
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)384 int PermissionManager::GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
385 {
386 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, tokenID: %{public}u, permissionName: %{public}s",
387 __func__, tokenID, permissionName.c_str());
388 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
389 ACCESSTOKEN_LOG_ERROR(LABEL, "PermissionName:%{public}s invalid!", permissionName.c_str());
390 return AccessTokenError::ERR_PARAM_INVALID;
391 }
392 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
393 ACCESSTOKEN_LOG_ERROR(
394 LABEL, "No definition for permission: %{public}s!", permissionName.c_str());
395 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
396 }
397 std::shared_ptr<PermissionPolicySet> permPolicySet =
398 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenID);
399 if (permPolicySet == nullptr) {
400 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
401 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
402 }
403 int32_t fullFlag;
404 int32_t ret = permPolicySet->QueryPermissionFlag(permissionName, fullFlag);
405 if (ret == RET_SUCCESS) {
406 flag = permPolicySet->GetFlagWithoutSpecifiedElement(fullFlag, PERMISSION_GRANTED_BY_POLICY);
407 }
408 return ret;
409 }
410
PermDefToString(const PermissionDef & def,std::string & info) const411 void PermissionManager::PermDefToString(const PermissionDef& def, std::string& info) const
412 {
413 info.append(R"( {)");
414 info.append("\n");
415 info.append(R"( "permissionName": ")" + def.permissionName + R"(")" + ",\n");
416 info.append(R"( "grantMode": )" + std::to_string(def.grantMode) + ",\n");
417 info.append(R"( "availableLevel": )" + std::to_string(def.availableLevel) + ",\n");
418 info.append(R"( "provisionEnable": )" + std::to_string(def.provisionEnable) + ",\n");
419 info.append(R"( "distributedSceneEnable": )" + std::to_string(def.distributedSceneEnable) + ",\n");
420 info.append(R"( "label": ")" + def.label + R"(")" + ",\n");
421 info.append(R"( "labelId": )" + std::to_string(def.labelId) + ",\n");
422 info.append(R"( "description": ")" + def.description + R"(")" + ",\n");
423 info.append(R"( "descriptionId": )" + std::to_string(def.descriptionId) + ",\n");
424 info.append(R"( })");
425 }
426
FindPermRequestToggleStatusFromDb(int32_t userID,const std::string & permissionName)427 int32_t PermissionManager::FindPermRequestToggleStatusFromDb(int32_t userID, const std::string& permissionName)
428 {
429 std::vector<GenericValues> permRequestToggleStatusRes;
430 GenericValues conditionValue;
431 conditionValue.Put(TokenFiledConst::FIELD_USER_ID, userID);
432 conditionValue.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permissionName);
433
434 AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_REQUEST_TOGGLE_STATUS,
435 conditionValue, permRequestToggleStatusRes);
436 if (permRequestToggleStatusRes.empty()) {
437 // never set, return default status: CLOSED if APP_TRACKING_CONSENT
438 return (permissionName == "ohos.permission.APP_TRACKING_CONSENT") ?
439 PermissionRequestToggleStatus::CLOSED : PermissionRequestToggleStatus::OPEN;;
440 }
441 return permRequestToggleStatusRes[0].GetInt(TokenFiledConst::FIELD_REQUEST_TOGGLE_STATUS);
442 }
443
AddPermRequestToggleStatusToDb(int32_t userID,const std::string & permissionName,int32_t status)444 void PermissionManager::AddPermRequestToggleStatusToDb(
445 int32_t userID, const std::string& permissionName, int32_t status)
446 {
447 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permToggleStateLock_);
448 GenericValues value;
449 value.Put(TokenFiledConst::FIELD_USER_ID, userID);
450 value.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permissionName);
451 AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_PERMISSION_REQUEST_TOGGLE_STATUS, value);
452
453 std::vector<GenericValues> permRequestToggleStatusValues;
454 value.Put(TokenFiledConst::FIELD_REQUEST_TOGGLE_STATUS, status);
455 permRequestToggleStatusValues.emplace_back(value);
456 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_PERMISSION_REQUEST_TOGGLE_STATUS,
457 permRequestToggleStatusValues);
458 }
459
SetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t status,int32_t userID)460 int32_t PermissionManager::SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status,
461 int32_t userID)
462 {
463 if (userID == 0) {
464 userID = IPCSkeleton::GetCallingUid() / BASE_USER_RANGE;
465 }
466
467 ACCESSTOKEN_LOG_INFO(LABEL, "UserID=%{public}u, permissionName=%{public}s, status=%{public}d", userID,
468 permissionName.c_str(), status);
469 if (!PermissionValidator::IsUserIdValid(userID)) {
470 ACCESSTOKEN_LOG_ERROR(LABEL, "UserID is invalid.");
471 return AccessTokenError::ERR_PARAM_INVALID;
472 }
473 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
474 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission name is invalid.");
475 return AccessTokenError::ERR_PARAM_INVALID;
476 }
477 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
478 ACCESSTOKEN_LOG_ERROR(
479 LABEL, "Permission=%{public}s is not defined.", permissionName.c_str());
480 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
481 }
482 if (PermissionDefinitionCache::GetInstance().IsSystemGrantedPermission(permissionName)) {
483 ACCESSTOKEN_LOG_ERROR(LABEL, "Only support permissions of user_grant to set.");
484 return AccessTokenError::ERR_PARAM_INVALID;
485 }
486 if (!PermissionValidator::IsToggleStatusValid(status)) {
487 ACCESSTOKEN_LOG_ERROR(LABEL, "Status is invalid.");
488 return AccessTokenError::ERR_PARAM_INVALID;
489 }
490
491 AddPermRequestToggleStatusToDb(userID, permissionName, status);
492
493 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERM_DIALOG_STATUS_INFO",
494 HiviewDFX::HiSysEvent::EventType::STATISTIC, "USERID", userID, "PERMISSION_NAME", permissionName,
495 "TOGGLE_STATUS", status);
496
497 return 0;
498 }
499
GetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t & status,int32_t userID)500 int32_t PermissionManager::GetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t& status,
501 int32_t userID)
502 {
503 if (userID == 0) {
504 userID = IPCSkeleton::GetCallingUid() / BASE_USER_RANGE;
505 }
506
507 ACCESSTOKEN_LOG_INFO(LABEL, "UserID=%{public}u, permissionName=%{public}s", userID, permissionName.c_str());
508 if (!PermissionValidator::IsUserIdValid(userID)) {
509 ACCESSTOKEN_LOG_ERROR(LABEL, "UserID is invalid.");
510 return AccessTokenError::ERR_PARAM_INVALID;
511 }
512 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
513 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission name is invalid.");
514 return AccessTokenError::ERR_PARAM_INVALID;
515 }
516 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
517 ACCESSTOKEN_LOG_ERROR(
518 LABEL, "Permission=%{public}s is not defined.", permissionName.c_str());
519 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
520 }
521 if (PermissionDefinitionCache::GetInstance().IsSystemGrantedPermission(permissionName)) {
522 ACCESSTOKEN_LOG_ERROR(LABEL, "Only support permissions of user_grant to get.");
523 return AccessTokenError::ERR_PARAM_INVALID;
524 }
525
526 status = static_cast<uint32_t>(FindPermRequestToggleStatusFromDb(userID, permissionName));
527
528 return 0;
529 }
530
ParamUpdate(const std::string & permissionName,uint32_t flag,bool filtered)531 void PermissionManager::ParamUpdate(const std::string& permissionName, uint32_t flag, bool filtered)
532 {
533 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permParamSetLock_);
534 if (filtered || (PermissionDefinitionCache::GetInstance().IsUserGrantedPermission(permissionName) &&
535 ((flag != PERMISSION_GRANTED_BY_POLICY) && (flag != PERMISSION_SYSTEM_FIXED)))) {
536 paramValue_++;
537 ACCESSTOKEN_LOG_DEBUG(LABEL,
538 "paramValue_ change %{public}llu", static_cast<unsigned long long>(paramValue_));
539 int32_t res = SetParameter(PERMISSION_STATUS_CHANGE_KEY, std::to_string(paramValue_).c_str());
540 if (res != 0) {
541 ACCESSTOKEN_LOG_ERROR(LABEL, "SetParameter failed %{public}d", res);
542 }
543 }
544 }
545
NotifyWhenPermissionStateUpdated(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag,const std::shared_ptr<HapTokenInfoInner> & infoPtr)546 void PermissionManager::NotifyWhenPermissionStateUpdated(AccessTokenID tokenID, const std::string& permissionName,
547 bool isGranted, uint32_t flag, const std::shared_ptr<HapTokenInfoInner>& infoPtr)
548 {
549 ACCESSTOKEN_LOG_INFO(LABEL, "IsUpdated");
550 int32_t changeType = isGranted ? STATE_CHANGE_GRANTED : STATE_CHANGE_REVOKED;
551
552 // set to kernel(grant/revoke)
553 SetPermToKernel(tokenID, permissionName, isGranted);
554
555 // To notify the listener register.
556 CallbackManager::GetInstance().ExecuteCallbackAsync(tokenID, permissionName, changeType);
557
558 // To notify the client cache to update by resetting paramValue_.
559 ParamUpdate(permissionName, flag, false);
560
561 // DFX.
562 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK_EVENT",
563 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "CODE", USER_GRANT_PERMISSION_EVENT,
564 "CALLER_TOKENID", tokenID, "PERMISSION_NAME", permissionName, "FLAG", flag,
565 "PERMISSION_GRANT_TYPE", changeType);
566 grantEvent_.AddEvent(tokenID, permissionName, infoPtr->permUpdateTimestamp_);
567 }
568
UpdateTokenPermissionState(AccessTokenID id,const std::string & permission,bool isGranted,uint32_t flag,bool needKill)569 int32_t PermissionManager::UpdateTokenPermissionState(
570 AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag, bool needKill)
571 {
572 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(id);
573 if (infoPtr == nullptr) {
574 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenInfo is null, tokenId=%{public}u", id);
575 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
576 }
577
578 int32_t ret = UpdateTokenPermissionStateCheck(infoPtr, id, permission, isGranted, flag);
579 if (ret != ERR_OK) {
580 return ret;
581 }
582
583 std::shared_ptr<PermissionPolicySet> permPolicySet = infoPtr->GetHapInfoPermissionPolicySet();
584 if (permPolicySet == nullptr) {
585 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", id);
586 return AccessTokenError::ERR_PARAM_INVALID;
587 }
588
589 int32_t statusBefore = permPolicySet->VerifyPermissionStatus(permission);
590 bool isSecCompGrantedBefore = permPolicySet->IsPermissionGrantedWithSecComp(permission);
591 ret = permPolicySet->UpdatePermissionStatus(permission, isGranted, flag);
592 if (ret != RET_SUCCESS) {
593 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR",
594 HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", UPDATE_PERMISSION_STATUS_FAILED, "TOKENID", id,
595 "PERM", permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", ret,
596 "INT_VAL2", static_cast<int32_t>(flag), "NEED_KILL", needKill);
597 return ret;
598 }
599 int32_t statusAfter = permPolicySet->VerifyPermissionStatus(permission);
600 if (statusAfter != statusBefore) {
601 NotifyWhenPermissionStateUpdated(id, permission, isGranted, flag, infoPtr);
602 // To notify kill process when perm is revoke
603 if (needKill && (!isGranted && !isSecCompGrantedBefore)) {
604 ACCESSTOKEN_LOG_INFO(LABEL, "(%{public}s) is revoked, kill process(%{public}u).", permission.c_str(), id);
605 AppManagerAccessClient::GetInstance().KillProcessesByAccessTokenId(id);
606 }
607 }
608
609 #ifdef TOKEN_SYNC_ENABLE
610 TokenModifyNotifier::GetInstance().NotifyTokenModify(id);
611 #endif
612 if (!ShortGrantManager::GetInstance().IsShortGrantPermission(permission)) {
613 return AccessTokenInfoManager::GetInstance().ModifyHapPermStateFromDb(id, permission, infoPtr);
614 }
615 return RET_SUCCESS;
616 }
617
UpdateTokenPermissionStateCheck(const std::shared_ptr<HapTokenInfoInner> & infoPtr,AccessTokenID id,const std::string & permission,bool isGranted,uint32_t flag)618 int32_t PermissionManager::UpdateTokenPermissionStateCheck(const std::shared_ptr<HapTokenInfoInner>& infoPtr,
619 AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag)
620 {
621 if (infoPtr->IsRemote()) {
622 ACCESSTOKEN_LOG_ERROR(LABEL, "Remote token can not update");
623 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
624 }
625 if ((flag == PERMISSION_ALLOW_THIS_TIME) && isGranted) {
626 if (!TempPermissionObserver::GetInstance().IsAllowGrantTempPermission(id, permission)) {
627 ACCESSTOKEN_LOG_ERROR(LABEL, "Id:%{public}d fail to grant permission:%{public}s", id, permission.c_str());
628 return ERR_IDENTITY_CHECK_FAILED;
629 }
630 }
631
632 #ifdef SUPPORT_SANDBOX_APP
633 int32_t hapDlpType = infoPtr->GetDlpType();
634 if (hapDlpType != DLP_COMMON) {
635 int32_t permDlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permission);
636 if (!DlpPermissionSetManager::GetInstance().IsPermDlpModeAvailableToDlpHap(hapDlpType, permDlpMode)) {
637 ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}s cannot to be granted to %{public}u", permission.c_str(), id);
638 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR",
639 HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", DLP_CHECK_FAILED, "TOKENID", id, "PERM",
640 permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", hapDlpType, "INT_VAL2", permDlpMode);
641 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
642 }
643 }
644 #endif
645 return ERR_OK;
646 }
647
UpdatePermission(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag,bool needKill)648 int32_t PermissionManager::UpdatePermission(AccessTokenID tokenID, const std::string& permissionName,
649 bool isGranted, uint32_t flag, bool needKill)
650 {
651 int32_t ret = UpdateTokenPermissionState(tokenID, permissionName, isGranted, flag, needKill);
652 if (ret != RET_SUCCESS) {
653 return ret;
654 }
655
656 #ifdef SUPPORT_SANDBOX_APP
657 // The action of sharing would be taken place only if the grant operation or revoke operation equals to success.
658 std::vector<AccessTokenID> tokenIdList;
659 AccessTokenInfoManager::GetInstance().GetRelatedSandBoxHapList(tokenID, tokenIdList);
660 for (const auto& id : tokenIdList) {
661 (void)UpdateTokenPermissionState(id, permissionName, isGranted, flag, needKill);
662 }
663 #endif
664 return RET_SUCCESS;
665 }
666
CheckAndUpdatePermission(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag)667 int32_t PermissionManager::CheckAndUpdatePermission(AccessTokenID tokenID, const std::string& permissionName,
668 bool isGranted, uint32_t flag)
669 {
670 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
671 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName: %{public}s, Invalid params!", permissionName.c_str());
672 return AccessTokenError::ERR_PARAM_INVALID;
673 }
674 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
675 ACCESSTOKEN_LOG_ERROR(
676 LABEL, "No definition for permission: %{public}s!", permissionName.c_str());
677 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
678 }
679 if (!PermissionValidator::IsPermissionFlagValid(flag)) {
680 ACCESSTOKEN_LOG_ERROR(LABEL, "flag: %{public}d, Invalid params!", flag);
681 return AccessTokenError::ERR_PARAM_INVALID;
682 }
683 bool needKill = false;
684 // To kill process when perm is revoke
685 if (!isGranted && (flag != PERMISSION_ALLOW_THIS_TIME) && (flag != PERMISSION_COMPONENT_SET)) {
686 ACCESSTOKEN_LOG_INFO(LABEL, "Perm(%{public}s) is revoked, kill process(%{public}u).",
687 permissionName.c_str(), tokenID);
688 needKill = true;
689 }
690
691 return UpdatePermission(tokenID, permissionName, isGranted, flag, needKill);
692 }
693
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)694 int32_t PermissionManager::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
695 {
696 ACCESSTOKEN_LOG_INFO(LABEL,
697 "%{public}s called, tokenID: %{public}u, permissionName: %{public}s, flag: %{public}d",
698 __func__, tokenID, permissionName.c_str(), flag);
699 return CheckAndUpdatePermission(tokenID, permissionName, true, flag);
700 }
701
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)702 int32_t PermissionManager::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
703 {
704 ACCESSTOKEN_LOG_INFO(LABEL,
705 "%{public}s called, tokenID: %{public}u, permissionName: %{public}s, flag: %{public}d",
706 __func__, tokenID, permissionName.c_str(), flag);
707 return CheckAndUpdatePermission(tokenID, permissionName, false, flag);
708 }
709
GrantPermissionForSpecifiedTime(AccessTokenID tokenID,const std::string & permissionName,uint32_t onceTime)710 int32_t PermissionManager::GrantPermissionForSpecifiedTime(
711 AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime)
712 {
713 ACCESSTOKEN_LOG_INFO(LABEL,
714 "%{public}s called, tokenID: %{public}u, permissionName: %{public}s, onceTime: %{public}d",
715 __func__, tokenID, permissionName.c_str(), onceTime);
716 return ShortGrantManager::GetInstance().RefreshPermission(tokenID, permissionName, onceTime);
717 }
718
ScopeToString(const std::vector<AccessTokenID> & tokenIDs,const std::vector<std::string> & permList)719 void PermissionManager::ScopeToString(
720 const std::vector<AccessTokenID>& tokenIDs, const std::vector<std::string>& permList)
721 {
722 std::stringstream str;
723 copy(tokenIDs.begin(), tokenIDs.end(), std::ostream_iterator<uint32_t>(str, ", "));
724 std::string tokenidStr = str.str();
725
726 std::string permStr;
727 permStr = accumulate(permList.begin(), permList.end(), std::string(" "));
728
729 ACCESSTOKEN_LOG_INFO(LABEL, "TokenidStr = %{public}s permStr =%{public}s",
730 tokenidStr.c_str(), permStr.c_str());
731 }
732
ScopeFilter(const PermStateChangeScope & scopeSrc,PermStateChangeScope & scopeRes)733 int32_t PermissionManager::ScopeFilter(const PermStateChangeScope& scopeSrc, PermStateChangeScope& scopeRes)
734 {
735 std::set<uint32_t> tokenIdSet;
736 for (const auto& tokenId : scopeSrc.tokenIDs) {
737 if (AccessTokenInfoManager::GetInstance().IsTokenIdExist(tokenId) &&
738 (tokenIdSet.count(tokenId) == 0)) {
739 scopeRes.tokenIDs.emplace_back(tokenId);
740 tokenIdSet.insert(tokenId);
741 continue;
742 }
743 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}d invalid!", tokenId);
744 }
745 std::set<std::string> permSet;
746 for (const auto& permissionName : scopeSrc.permList) {
747 if (PermissionDefinitionCache::GetInstance().HasDefinition(permissionName) &&
748 permSet.count(permissionName) == 0) {
749 scopeRes.permList.emplace_back(permissionName);
750 permSet.insert(permissionName);
751 continue;
752 }
753 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission %{public}s invalid!", permissionName.c_str());
754 }
755 if ((scopeRes.tokenIDs.empty()) && (!scopeSrc.tokenIDs.empty())) {
756 ACCESSTOKEN_LOG_ERROR(LABEL, "Valid tokenid size is 0!");
757 return AccessTokenError::ERR_PARAM_INVALID;
758 }
759 if ((scopeRes.permList.empty()) && (!scopeSrc.permList.empty())) {
760 ACCESSTOKEN_LOG_ERROR(LABEL, "Valid permission size is 0!");
761 return AccessTokenError::ERR_PARAM_INVALID;
762 }
763 ScopeToString(scopeRes.tokenIDs, scopeRes.permList);
764 return RET_SUCCESS;
765 }
766
AddPermStateChangeCallback(const PermStateChangeScope & scope,const sptr<IRemoteObject> & callback)767 int32_t PermissionManager::AddPermStateChangeCallback(
768 const PermStateChangeScope& scope, const sptr<IRemoteObject>& callback)
769 {
770 ACCESSTOKEN_LOG_INFO(LABEL, "Called");
771 PermStateChangeScope scopeRes;
772 int32_t result = ScopeFilter(scope, scopeRes);
773 if (result != RET_SUCCESS) {
774 return result;
775 }
776 return CallbackManager::GetInstance().AddCallback(scope, callback);
777 }
778
RemovePermStateChangeCallback(const sptr<IRemoteObject> & callback)779 int32_t PermissionManager::RemovePermStateChangeCallback(const sptr<IRemoteObject>& callback)
780 {
781 ACCESSTOKEN_LOG_INFO(LABEL, "Called");
782 return CallbackManager::GetInstance().RemoveCallback(callback);
783 }
784
GetApiVersionByTokenId(AccessTokenID tokenID,int32_t & apiVersion)785 bool PermissionManager::GetApiVersionByTokenId(AccessTokenID tokenID, int32_t& apiVersion)
786 {
787 // only hap can do this
788 AccessTokenIDInner *idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenID);
789 ATokenTypeEnum tokenType = (ATokenTypeEnum)(idInner->type);
790 if (tokenType != TOKEN_HAP) {
791 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid token type %{public}d", tokenType);
792 return false;
793 }
794
795 HapTokenInfo hapInfo;
796 int ret = AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo);
797 if (ret != RET_SUCCESS) {
798 ACCESSTOKEN_LOG_ERROR(LABEL, "Get hap token info error!");
799 return false;
800 }
801
802 apiVersion = hapInfo.apiVersion;
803
804 return true;
805 }
806
IsPermissionVaild(const std::string & permissionName)807 bool PermissionManager::IsPermissionVaild(const std::string& permissionName)
808 {
809 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
810 ACCESSTOKEN_LOG_WARN(LABEL, "Invalid permissionName %{public}s", permissionName.c_str());
811 return false;
812 }
813
814 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
815 ACCESSTOKEN_LOG_WARN(LABEL, "Permission %{public}s has no definition ", permissionName.c_str());
816 return false;
817 }
818 return true;
819 }
820
GetLocationPermissionIndex(std::vector<PermissionListStateParcel> & reqPermList,LocationIndex & locationIndex)821 bool PermissionManager::GetLocationPermissionIndex(std::vector<PermissionListStateParcel>& reqPermList,
822 LocationIndex& locationIndex)
823 {
824 uint32_t index = 0;
825 bool hasFound = false;
826
827 for (const auto& perm : reqPermList) {
828 if (perm.permsState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) {
829 locationIndex.vagueIndex = index;
830 hasFound = true;
831 } else if (perm.permsState.permissionName == ACCURATE_LOCATION_PERMISSION_NAME) {
832 locationIndex.accurateIndex = index;
833 hasFound = true;
834 } else if (perm.permsState.permissionName == BACKGROUND_LOCATION_PERMISSION_NAME) {
835 locationIndex.backIndex = index;
836 hasFound = true;
837 }
838
839 index++;
840
841 if ((locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) &&
842 (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) &&
843 (locationIndex.backIndex != PERMISSION_NOT_REQUSET)) {
844 break;
845 }
846 }
847
848 ACCESSTOKEN_LOG_INFO(LABEL,
849 "vague index is %{public}d, accurate index is %{public}d, background index is %{public}d!",
850 locationIndex.vagueIndex, locationIndex.accurateIndex, locationIndex.backIndex);
851
852 return hasFound;
853 }
854
GetLocationPermissionState(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStateFull> & permsList,int32_t apiVersion,const LocationIndex & locationIndex)855 bool PermissionManager::GetLocationPermissionState(AccessTokenID tokenID,
856 std::vector<PermissionListStateParcel>& reqPermList, std::vector<PermissionStateFull>& permsList,
857 int32_t apiVersion, const LocationIndex& locationIndex)
858 {
859 bool needVagueDynamic = false;
860 bool needAccurateDynamic = false; // needVagueDynamic-false, 1. not request;2. request but not equal to DYNAMIC_OPER
861 if (locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) {
862 GetSelfPermissionState(permsList, reqPermList[locationIndex.vagueIndex].permsState, apiVersion);
863 needVagueDynamic = reqPermList[locationIndex.vagueIndex].permsState.state == DYNAMIC_OPER;
864 }
865
866 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
867 bool isVagueGranted = VerifyHapAccessToken(tokenID, VAGUE_LOCATION_PERMISSION_NAME) == PERMISSION_GRANTED;
868 // request accurate and vague permission, if vague has been set or invalid, accurate can't be requested
869 GetSelfPermissionState(permsList, reqPermList[locationIndex.accurateIndex].permsState, apiVersion);
870 needAccurateDynamic = reqPermList[locationIndex.accurateIndex].permsState.state == DYNAMIC_OPER;
871
872 // update permsState
873 if (needAccurateDynamic) {
874 // vague permissoion is not pop and permission status os not granted
875 if (!needVagueDynamic && !isVagueGranted) {
876 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
877 needAccurateDynamic = false;
878 }
879 }
880 }
881
882 if (locationIndex.backIndex != PERMISSION_NOT_REQUSET) {
883 if (apiVersion >= BACKGROUND_LOCATION_API_VERSION) {
884 // background permission
885 // with back and vague permission, request back can not pop dynamic dialog
886 if (locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) {
887 reqPermList[locationIndex.vagueIndex].permsState.state = INVALID_OPER;
888 }
889 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
890 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
891 }
892 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
893 return false;
894 }
895 // with back and vague permission
896 // back state is SETTING_OPER when dynamic pop-up dialog appears and INVALID_OPER when it doesn't
897 GetSelfPermissionState(permsList, reqPermList[locationIndex.backIndex].permsState, apiVersion);
898 if (reqPermList[locationIndex.backIndex].permsState.state == DYNAMIC_OPER) {
899 if (needAccurateDynamic || needVagueDynamic) {
900 reqPermList[locationIndex.backIndex].permsState.state = SETTING_OPER;
901 } else {
902 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
903 }
904 }
905 }
906 return needVagueDynamic || needAccurateDynamic;
907 }
908
LocationPermissionSpecialHandle(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStateFull> & permsList,int32_t apiVersion)909 bool PermissionManager::LocationPermissionSpecialHandle(
910 AccessTokenID tokenID,
911 std::vector<PermissionListStateParcel>& reqPermList,
912 std::vector<PermissionStateFull>& permsList, int32_t apiVersion)
913 {
914 struct LocationIndex locationIndex;
915 if (!GetLocationPermissionIndex(reqPermList, locationIndex)) {
916 return false;
917 }
918 return GetLocationPermissionState(tokenID, reqPermList, permsList, apiVersion, locationIndex);
919 }
920
ClearUserGrantedPermissionState(AccessTokenID tokenID)921 void PermissionManager::ClearUserGrantedPermissionState(AccessTokenID tokenID)
922 {
923 if (ClearUserGrantedPermission(tokenID) != RET_SUCCESS) {
924 return;
925 }
926 std::vector<AccessTokenID> tokenIdList;
927 AccessTokenInfoManager::GetInstance().GetRelatedSandBoxHapList(tokenID, tokenIdList);
928 for (const auto& id : tokenIdList) {
929 (void)ClearUserGrantedPermission(id);
930 }
931 }
932
NotifyUpdatedPermList(const std::vector<std::string> & grantedPermListBefore,const std::vector<std::string> & grantedPermListAfter,AccessTokenID tokenID)933 void PermissionManager::NotifyUpdatedPermList(const std::vector<std::string>& grantedPermListBefore,
934 const std::vector<std::string>& grantedPermListAfter, AccessTokenID tokenID)
935 {
936 for (uint32_t i = 0; i < grantedPermListBefore.size(); i++) {
937 auto it = find(grantedPermListAfter.begin(), grantedPermListAfter.end(), grantedPermListBefore[i]);
938 if (it == grantedPermListAfter.end()) {
939 CallbackManager::GetInstance().ExecuteCallbackAsync(
940 tokenID, grantedPermListBefore[i], STATE_CHANGE_REVOKED);
941 ParamUpdate(grantedPermListBefore[i], 0, true);
942 }
943 }
944 for (uint32_t i = 0; i < grantedPermListAfter.size(); i++) {
945 auto it = find(grantedPermListBefore.begin(), grantedPermListBefore.end(), grantedPermListAfter[i]);
946 if (it == grantedPermListBefore.end()) {
947 CallbackManager::GetInstance().ExecuteCallbackAsync(
948 tokenID, grantedPermListAfter[i], STATE_CHANGE_GRANTED);
949 ParamUpdate(grantedPermListAfter[i], 0, false);
950 }
951 }
952 }
953
IsPermissionStateOrFlagMatched(const PermissionStateFull & state1,const PermissionStateFull & state2)954 bool PermissionManager::IsPermissionStateOrFlagMatched(const PermissionStateFull& state1,
955 const PermissionStateFull& state2)
956 {
957 return ((state1.grantStatus[0] == state2.grantStatus[0]) && (state1.grantFlags[0] == state2.grantFlags[0]));
958 }
959
GetStateOrFlagChangedList(std::vector<PermissionStateFull> & stateListBefore,std::vector<PermissionStateFull> & stateListAfter,std::vector<PermissionStateFull> & stateChangeList)960 void PermissionManager::GetStateOrFlagChangedList(std::vector<PermissionStateFull>& stateListBefore,
961 std::vector<PermissionStateFull>& stateListAfter, std::vector<PermissionStateFull>& stateChangeList)
962 {
963 uint32_t size = stateListBefore.size();
964
965 for (uint32_t i = 0; i < size; ++i) {
966 PermissionStateFull state1 = stateListBefore[i];
967 PermissionStateFull state2 = stateListAfter[i];
968
969 if (!IsPermissionStateOrFlagMatched(state1, state2)) {
970 stateChangeList.emplace_back(state2);
971 }
972 }
973 }
974
ClearUserGrantedPermission(AccessTokenID tokenID)975 int32_t PermissionManager::ClearUserGrantedPermission(AccessTokenID tokenID)
976 {
977 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
978 if (infoPtr == nullptr) {
979 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u is invalid.", tokenID);
980 return ERR_PARAM_INVALID;
981 }
982 if (infoPtr->IsRemote()) {
983 ACCESSTOKEN_LOG_ERROR(LABEL, "It is a remote hap token %{public}u!", tokenID);
984 return ERR_IDENTITY_CHECK_FAILED;
985 }
986 std::shared_ptr<PermissionPolicySet> permPolicySet = infoPtr->GetHapInfoPermissionPolicySet();
987 if (permPolicySet == nullptr) {
988 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid params!");
989 return ERR_PARAM_INVALID;
990 }
991 std::vector<std::string> grantedPermListBefore;
992 permPolicySet->GetGrantedPermissionList(grantedPermListBefore);
993 std::vector<PermissionStateFull> stateListBefore;
994 permPolicySet->GetPermissionStateList(stateListBefore);
995
996 // reset permission.
997 permPolicySet->ResetUserGrantPermissionStatus();
998 // clear security component granted permission which is not requested in module.json.
999 permPolicySet->ClearSecCompGrantedPerm();
1000
1001 #ifdef SUPPORT_SANDBOX_APP
1002 // update permission status with dlp permission rule.
1003 std::vector<PermissionStateFull> permListOfHap;
1004 permPolicySet->GetPermissionStateFulls(permListOfHap);
1005 DlpPermissionSetManager::GetInstance().UpdatePermStateWithDlpInfo(
1006 infoPtr->GetDlpType(), permListOfHap);
1007 permPolicySet->Update(permListOfHap);
1008 #endif
1009
1010 std::vector<std::string> grantedPermListAfter;
1011 permPolicySet->GetGrantedPermissionList(grantedPermListAfter);
1012 std::vector<PermissionStateFull> stateListAfter;
1013 permPolicySet->GetPermissionStateList(stateListAfter);
1014 std::vector<PermissionStateFull> stateChangeList;
1015 GetStateOrFlagChangedList(stateListBefore, stateListAfter, stateChangeList);
1016 if (!AccessTokenInfoManager::GetInstance().UpdateStatesToDatabase(tokenID, stateChangeList)) {
1017 return ERR_DATABASE_OPERATE_FAILED;
1018 }
1019
1020 // clear
1021 AddPermToKernel(tokenID, permPolicySet);
1022
1023 NotifyUpdatedPermList(grantedPermListBefore, grantedPermListAfter, tokenID);
1024 return RET_SUCCESS;
1025 }
1026
NotifyPermGrantStoreResult(bool result,uint64_t timestamp)1027 void PermissionManager::NotifyPermGrantStoreResult(bool result, uint64_t timestamp)
1028 {
1029 grantEvent_.NotifyPermGrantStoreResult(result, timestamp);
1030 }
1031
TransferPermissionDefToString(const PermissionDef & inPermissionDef)1032 std::string PermissionManager::TransferPermissionDefToString(const PermissionDef& inPermissionDef)
1033 {
1034 std::string infos;
1035 infos.append(R"({"permissionName": ")" + inPermissionDef.permissionName + R"(")");
1036 infos.append(R"(, "bundleName": ")" + inPermissionDef.bundleName + R"(")");
1037 infos.append(R"(, "grantMode": )" + std::to_string(inPermissionDef.grantMode));
1038 infos.append(R"(, "availableLevel": )" + std::to_string(inPermissionDef.availableLevel));
1039 infos.append(R"(, "provisionEnable": )" + std::to_string(inPermissionDef.provisionEnable));
1040 infos.append(R"(, "distributedSceneEnable": )" + std::to_string(inPermissionDef.distributedSceneEnable));
1041 infos.append(R"(, "label": ")" + inPermissionDef.label + R"(")");
1042 infos.append(R"(, "labelId": )" + std::to_string(inPermissionDef.labelId));
1043 infos.append(R"(, "description": ")" + inPermissionDef.description + R"(")");
1044 infos.append(R"(, "descriptionId": )" + std::to_string(inPermissionDef.descriptionId));
1045 infos.append(R"(, "availableType": )" + std::to_string(inPermissionDef.availableType));
1046 infos.append("}");
1047 return infos;
1048 }
1049
AddPermToKernel(AccessTokenID tokenID,const std::shared_ptr<PermissionPolicySet> & policy)1050 void PermissionManager::AddPermToKernel(AccessTokenID tokenID, const std::shared_ptr<PermissionPolicySet>& policy)
1051 {
1052 if (policy == nullptr) {
1053 return;
1054 }
1055 std::vector<uint32_t> opCodeList;
1056 std::vector<bool> statusList;
1057 policy->GetPermissionStateList(opCodeList, statusList);
1058 int32_t ret = AddPermissionToKernel(tokenID, opCodeList, statusList);
1059 if (ret != ACCESS_TOKEN_OK) {
1060 ACCESSTOKEN_LOG_ERROR(LABEL, "AddPermissionToKernel(token=%{public}d), size=%{public}zu, err=%{public}d",
1061 tokenID, opCodeList.size(), ret);
1062 }
1063 }
1064
RemovePermFromKernel(AccessTokenID tokenID)1065 void PermissionManager::RemovePermFromKernel(AccessTokenID tokenID)
1066 {
1067 int32_t ret = RemovePermissionFromKernel(tokenID);
1068 ACCESSTOKEN_LOG_INFO(LABEL,
1069 "RemovePermissionFromKernel(token=%{public}d), err=%{public}d", tokenID, ret);
1070 }
1071
SetPermToKernel(AccessTokenID tokenID,const std::string & permissionName,bool isGranted)1072 void PermissionManager::SetPermToKernel(AccessTokenID tokenID, const std::string& permissionName, bool isGranted)
1073 {
1074 uint32_t code;
1075 if (!TransferPermissionToOpcode(permissionName, code)) {
1076 return;
1077 }
1078 int32_t ret = SetPermissionToKernel(tokenID, code, isGranted);
1079 ACCESSTOKEN_LOG_INFO(LABEL,
1080 "SetPermissionToKernel(token=%{public}d, permission=(%{public}s), err=%{public}d",
1081 tokenID, permissionName.c_str(), ret);
1082 }
1083
IsAclSatisfied(const PermissionDef & permDef,const HapPolicyParams & policy)1084 bool IsAclSatisfied(const PermissionDef& permDef, const HapPolicyParams& policy)
1085 {
1086 if (policy.apl < permDef.availableLevel) {
1087 if (!permDef.provisionEnable) {
1088 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s provisionEnable is false.", permDef.permissionName.c_str());
1089 return false;
1090 }
1091 auto isAclExist = std::any_of(
1092 policy.aclRequestedList.begin(), policy.aclRequestedList.end(), [permDef](const auto &perm) {
1093 return permDef.permissionName == perm;
1094 });
1095 if (!isAclExist) {
1096 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s need acl.", permDef.permissionName.c_str());
1097 return false;
1098 }
1099 }
1100 return true;
1101 }
1102
IsPermAvailableRangeSatisfied(const PermissionDef & permDef,const std::string & appDistributionType)1103 bool IsPermAvailableRangeSatisfied(const PermissionDef& permDef, const std::string& appDistributionType)
1104 {
1105 if (permDef.availableType == ATokenAvailableTypeEnum::MDM) {
1106 if (appDistributionType == "none") {
1107 ACCESSTOKEN_LOG_INFO(LABEL, "Debug app use permission: %{public}s.",
1108 permDef.permissionName.c_str());
1109 return true;
1110 }
1111 if (appDistributionType != APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM) {
1112 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s is a mdm permission, the hap is not a mdm application.",
1113 permDef.permissionName.c_str());
1114 return false;
1115 }
1116 }
1117 return true;
1118 }
1119
IsUserGrantPermPreAuthorized(const std::vector<PreAuthorizationInfo> & list,const std::string & permissionName,bool & userCancelable)1120 bool IsUserGrantPermPreAuthorized(const std::vector<PreAuthorizationInfo> &list,
1121 const std::string &permissionName, bool &userCancelable)
1122 {
1123 auto iter = std::find_if(list.begin(), list.end(), [&permissionName](const auto &info) {
1124 return info.permissionName == permissionName;
1125 });
1126 if (iter == list.end()) {
1127 ACCESSTOKEN_LOG_INFO(LABEL, "Permission(%{public}s) is not in the list", permissionName.c_str());
1128 return false;
1129 }
1130
1131 userCancelable = iter->userCancelable;
1132 return true;
1133 }
1134
InitDlpPermissionList(const std::string & bundleName,int32_t userId,std::vector<PermissionStateFull> & initializedList)1135 bool PermissionManager::InitDlpPermissionList(const std::string& bundleName, int32_t userId,
1136 std::vector<PermissionStateFull>& initializedList)
1137 {
1138 // get dlp original app
1139 AccessTokenIDEx tokenId = AccessTokenInfoManager::GetInstance().GetHapTokenID(userId, bundleName, 0);
1140 std::shared_ptr<PermissionPolicySet> permPolicySet =
1141 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenId.tokenIdExStruct.tokenID);
1142 if (permPolicySet == nullptr) {
1143 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenId.tokenIdExStruct.tokenID);
1144 return false;
1145 }
1146 permPolicySet->GetPermissionStateFulls(initializedList);
1147 return true;
1148 }
1149
InitPermissionList(const std::string & appDistributionType,const HapPolicyParams & policy,std::vector<PermissionStateFull> & initializedList)1150 bool PermissionManager::InitPermissionList(const std::string& appDistributionType,
1151 const HapPolicyParams& policy, std::vector<PermissionStateFull>& initializedList)
1152 {
1153 ACCESSTOKEN_LOG_INFO(LABEL, "Before, request perm list size: %{public}zu, preAuthorizationInfo size %{public}zu, "
1154 "ACLRequestedList size %{public}zu.",
1155 policy.permStateList.size(), policy.preAuthorizationInfo.size(), policy.aclRequestedList.size());
1156
1157 for (auto state : policy.permStateList) {
1158 PermissionDef permDef;
1159 int32_t ret = PermissionManager::GetInstance().GetDefPermission(
1160 state.permissionName, permDef);
1161 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
1162 ACCESSTOKEN_LOG_ERROR(LABEL, "Get definition of %{public}s failed, ret = %{public}d.",
1163 state.permissionName.c_str(), ret);
1164 continue;
1165 }
1166 if (!IsAclSatisfied(permDef, policy)) {
1167 ACCESSTOKEN_LOG_ERROR(LABEL, "Acl of %{public}s is invalid.", permDef.permissionName.c_str());
1168 return false;
1169 }
1170
1171 // edm check
1172 if (!IsPermAvailableRangeSatisfied(permDef, appDistributionType)) {
1173 ACCESSTOKEN_LOG_ERROR(LABEL, "Available range of %{public}s is invalid.", permDef.permissionName.c_str());
1174 return false;
1175 }
1176 state.grantFlags[0] = PERMISSION_DEFAULT_FLAG;
1177 state.grantStatus[0] = PERMISSION_DENIED;
1178
1179 if (permDef.grantMode == AccessToken::GrantMode::SYSTEM_GRANT) {
1180 state.grantFlags[0] = PERMISSION_SYSTEM_FIXED;
1181 state.grantStatus[0] = PERMISSION_GRANTED;
1182 initializedList.emplace_back(state);
1183 continue;
1184 }
1185 if (policy.preAuthorizationInfo.size() == 0) {
1186 initializedList.emplace_back(state);
1187 continue;
1188 }
1189 bool userCancelable = true;
1190 if (IsUserGrantPermPreAuthorized(policy.preAuthorizationInfo, state.permissionName, userCancelable)) {
1191 state.grantFlags[0] = userCancelable ? PERMISSION_GRANTED_BY_POLICY : PERMISSION_SYSTEM_FIXED;
1192 state.grantStatus[0] = PERMISSION_GRANTED;
1193 }
1194 initializedList.emplace_back(state);
1195 }
1196 ACCESSTOKEN_LOG_INFO(LABEL, "After, request perm list size: %{public}zu.", initializedList.size());
1197 return true;
1198 }
1199
1200 } // namespace AccessToken
1201 } // namespace Security
1202 } // namespace OHOS
1203