• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "permission_manager.h"
17 
18 #include "accesstoken_kit.h"
19 #include "access_token.h"
20 #include "dm_anonymous.h"
21 #include "dm_log.h"
22 #include "hap_token_info.h"
23 #include "ipc_skeleton.h"
24 #include "native_token_info.h"
25 #include "securec.h"
26 #include "tokenid_kit.h"
27 
28 using namespace OHOS::Security::AccessToken;
29 
30 namespace OHOS {
31 namespace DistributedHardware {
32 DM_IMPLEMENT_SINGLE_INSTANCE(PermissionManager);
33 namespace {
34 constexpr const char* DM_SERVICE_ACCESS_PERMISSION = "ohos.permission.ACCESS_SERVICE_DM";
35 constexpr const char* DM_SERVICE_ACCESS_NEWPERMISSION = "ohos.permission.DISTRIBUTED_DATASYNC";
36 constexpr const char* DM_MONITOR_DEVICE_NETWORK_STATE_PERMISSION = "ohos.permission.MONITOR_DEVICE_NETWORK_STATE";
37 constexpr int32_t DM_OK = 0;
38 constexpr int32_t ERR_DM_FAILED = 96929744;
39 constexpr int32_t PKG_NAME_SIZE_MAX = 256;
40 #define AUTH_CODE_WHITE_LIST_NUM (3)
41 constexpr const static char g_authCodeWhiteList[AUTH_CODE_WHITE_LIST_NUM][PKG_NAME_SIZE_MAX] = {
42     "com.huawei.msdp.hmringgenerator",
43     "com.huawei.msdp.hmringdiscriminator",
44     "CollaborationFwk",
45 };
46 
47 #define PIN_HOLDER_WHITE_LIST_NUM (1)
48 constexpr const static char g_pinHolderWhiteList[PIN_HOLDER_WHITE_LIST_NUM][PKG_NAME_SIZE_MAX] = {
49     "CollaborationFwk",
50 };
51 
52 #define SYSTEM_SA_WHITE_LIST_NUM (7)
53 constexpr const static char systemSaWhiteList[SYSTEM_SA_WHITE_LIST_NUM][PKG_NAME_SIZE_MAX] = {
54     "Samgr_Networking",
55     "ohos.distributeddata.service",
56     "ohos.dslm",
57     "ohos.deviceprofile",
58     "distributed_bundle_framework",
59     "ohos.dhardware",
60     "ohos.security.distributed_access_token",
61 };
62 
63 constexpr uint32_t SETDNPOLICY_WHITE_LIST_NUM = 2;
64 constexpr const static char g_setDnPolicyWhiteList[SETDNPOLICY_WHITE_LIST_NUM][PKG_NAME_SIZE_MAX] = {
65     "collaboration_service",
66     "com.huawei.hmos.walletservice",
67 };
68 }
69 
CheckPermission(void)70 bool PermissionManager::CheckPermission(void)
71 {
72     AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
73     if (tokenCaller == 0) {
74         LOGE("CheckPermission GetCallingTokenID error.");
75         return false;
76     }
77     ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
78     if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP || tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
79         if (AccessTokenKit::VerifyAccessToken(tokenCaller, DM_SERVICE_ACCESS_PERMISSION) !=
80             PermissionState::PERMISSION_GRANTED) {
81             LOGE("DM service access is denied, please apply for corresponding permissions");
82             return false;
83         }
84     }
85     return true;
86 }
87 
CheckNewPermission(void)88 bool PermissionManager::CheckNewPermission(void)
89 {
90     AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
91     if (tokenCaller == 0) {
92         LOGE("CheckNewPermission GetCallingTokenID error.");
93         return false;
94     }
95     ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
96     if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP || tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
97         if (AccessTokenKit::VerifyAccessToken(tokenCaller, DM_SERVICE_ACCESS_NEWPERMISSION) !=
98             PermissionState::PERMISSION_GRANTED) {
99             LOGE("DM service access is denied, please apply for corresponding new permissions");
100             return false;
101         }
102     }
103     return true;
104 }
105 
CheckMonitorPermission(void)106 bool PermissionManager::CheckMonitorPermission(void)
107 {
108     AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
109     if (tokenCaller == 0) {
110         LOGE("CheckMonitorPermission GetCallingTokenID error.");
111         return false;
112     }
113     ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
114     if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
115         if (AccessTokenKit::VerifyAccessToken(tokenCaller, DM_MONITOR_DEVICE_NETWORK_STATE_PERMISSION) !=
116             PermissionState::PERMISSION_GRANTED) {
117             LOGE("DM service access is denied, please apply for corresponding permissions.");
118             return false;
119         }
120     }
121     return true;
122 }
123 
GetCallerProcessName(std::string & processName)124 int32_t PermissionManager::GetCallerProcessName(std::string &processName)
125 {
126     AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
127     if (tokenCaller == 0) {
128         LOGE("GetCallerProcessName GetCallingTokenID error.");
129         return ERR_DM_FAILED;
130     }
131     LOGI("GetCallerProcessName::tokenCaller ID == %{public}s", GetAnonyInt32(tokenCaller).c_str());
132     ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
133     if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP) {
134         HapTokenInfo tokenInfo;
135         if (AccessTokenKit::GetHapTokenInfo(tokenCaller, tokenInfo) != EOK) {
136             LOGE("GetHapTokenInfo failed.");
137             return ERR_DM_FAILED;
138         }
139         processName = std::move(tokenInfo.bundleName);
140         uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
141         if (!OHOS::Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
142             LOGE("GetCallerProcessName %{public}s not system hap.", processName.c_str());
143             return ERR_DM_FAILED;
144         }
145     } else if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
146         NativeTokenInfo tokenInfo;
147         if (AccessTokenKit::GetNativeTokenInfo(tokenCaller, tokenInfo) != EOK) {
148             LOGE("GetNativeTokenInfo failed.");
149             return ERR_DM_FAILED;
150         }
151         processName = std::move(tokenInfo.processName);
152     } else {
153         LOGE("GetCallerProcessName failed, unsupported process.");
154         return ERR_DM_FAILED;
155     }
156 
157     LOGI("Get process name: %{public}s success.", processName.c_str());
158     return DM_OK;
159 }
160 
CheckProcessNameValidOnAuthCode(const std::string & processName)161 bool PermissionManager::CheckProcessNameValidOnAuthCode(const std::string &processName)
162 {
163     LOGI("Enter PermissionManager::CheckProcessNameValidOnAuthCode");
164     if (processName.empty()) {
165         LOGE("ProcessName is empty");
166         return false;
167     }
168 
169     uint16_t index = 0;
170     for (; index < AUTH_CODE_WHITE_LIST_NUM; ++index) {
171         std::string tmp(g_authCodeWhiteList[index]);
172         if (processName == tmp) {
173             return true;
174         }
175     }
176 
177     LOGE("CheckProcessNameValidOnAuthCode process name: %{public}s invalid.", processName.c_str());
178     return false;
179 }
180 
CheckProcessNameValidOnPinHolder(const std::string & processName)181 bool PermissionManager::CheckProcessNameValidOnPinHolder(const std::string &processName)
182 {
183     LOGI("Enter PermissionManager::CheckProcessNameValidOnPinHolder");
184     if (processName.empty()) {
185         LOGE("ProcessName is empty");
186         return false;
187     }
188 
189     uint16_t index = 0;
190     for (; index < PIN_HOLDER_WHITE_LIST_NUM; ++index) {
191         std::string tmp(g_pinHolderWhiteList[index]);
192         if (processName == tmp) {
193             return true;
194         }
195     }
196 
197     LOGE("CheckProcessNameValidOnPinHolder process name: %{public}s invalid.", processName.c_str());
198     return false;
199 }
200 
CheckSystemSA(const std::string & pkgName)201 bool PermissionManager::CheckSystemSA(const std::string &pkgName)
202 {
203     for (uint16_t index = 0; index < SYSTEM_SA_WHITE_LIST_NUM; ++index) {
204         std::string tmp(systemSaWhiteList[index]);
205         if (pkgName == tmp) {
206             return true;
207         }
208     }
209     return false;
210 }
211 
GetSystemSA()212 std::unordered_set<std::string> PermissionManager::GetSystemSA()
213 {
214     std::unordered_set<std::string> systemSA;
215     for (uint16_t index = 0; index < SYSTEM_SA_WHITE_LIST_NUM; ++index) {
216         std::string tmp(systemSaWhiteList[index]);
217         systemSA.insert(tmp);
218     }
219     return systemSA;
220 }
221 
CheckProcessNameValidOnSetDnPolicy(const std::string & processName)222 bool PermissionManager::CheckProcessNameValidOnSetDnPolicy(const std::string &processName)
223 {
224     if (processName.empty()) {
225         LOGE("ProcessName is empty");
226         return false;
227     }
228     uint16_t index = 0;
229     for (; index < SETDNPOLICY_WHITE_LIST_NUM; ++index) {
230         std::string tmp(g_setDnPolicyWhiteList[index]);
231         if (processName == tmp) {
232             return true;
233         }
234     }
235 
236     LOGE("Process name: %{public}s invalid.", processName.c_str());
237     return false;
238 }
239 } // namespace DistributedHardware
240 } // namespace OHOS
241