1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_record_manager.h"
17
18 #include <algorithm>
19 #include <cinttypes>
20 #include <numeric>
21
22 #include "ability_manager_access_client.h"
23 #include "access_token.h"
24 #include "accesstoken_kit.h"
25 #include "accesstoken_log.h"
26 #include "active_status_callback_manager.h"
27 #include "app_manager_access_client.h"
28 #include "audio_manager_privacy_client.h"
29 #include "camera_manager_privacy_client.h"
30 #include "config_policy_loader.h"
31 #include "constant.h"
32 #include "constant_common.h"
33 #include "data_translator.h"
34 #include "i_state_change_callback.h"
35 #include "iservice_registry.h"
36 #include "libraryloader.h"
37 #include "parameter.h"
38 #include "parcel_utils.h"
39 #include "permission_used_record_db.h"
40 #include "power_manager_client.h"
41 #include "privacy_error.h"
42 #include "privacy_field_const.h"
43 #include "refbase.h"
44 #include "state_change_callback_proxy.h"
45 #include "system_ability_definition.h"
46 #include "time_util.h"
47 #include "want.h"
48 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
49 #include "privacy_window_manager_client.h"
50 #include "scene_board_judgement.h"
51 #endif
52
53 namespace OHOS {
54 namespace Security {
55 namespace AccessToken {
56 namespace {
57 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {
58 LOG_CORE, SECURITY_DOMAIN_PRIVACY, "PermissionRecordManager"
59 };
60 static const int32_t VALUE_MAX_LEN = 32;
61 constexpr const char* DEFAULT_DEVICEID = "0";
62 constexpr const char* CAMERA_PERMISSION_NAME = "ohos.permission.CAMERA";
63 constexpr const char* MICROPHONE_PERMISSION_NAME = "ohos.permission.MICROPHONE";
64 constexpr const char* EDM_MIC_MUTE_KEY = "persist.edm.mic_disable";
65 constexpr const char* EDM_CAMERA_MUTE_KEY = "persist.edm.camera_disable";
66 constexpr const char* DEFAULT_PERMISSION_MANAGER_BUNDLE_NAME = "com.ohos.permissionmanager";
67 constexpr const char* DEFAULT_PERMISSION_MANAGER_DIALOG_ABILITY = "com.ohos.permissionmanager.GlobalExtAbility";
68 constexpr const char* RESOURCE_KEY = "ohos.sensitive.resource";
69 static const int32_t DEFAULT_PERMISSION_USED_RECORD_SIZE_MAXIMUM = 500000;
70 static const int32_t DEFAULT_PERMISSION_USED_RECORD_AGING_TIME = 7;
71 static const uint32_t NORMAL_TYPE_ADD_VALUE = 1;
72 static const uint32_t PICKER_TYPE_ADD_VALUE = 2;
73 static const uint32_t SEC_COMPONENT_TYPE_ADD_VALUE = 4;
74 static constexpr int64_t ONE_MINUTE_MILLISECONDS = 60 * 1000; // 1 min = 60 * 1000 ms
75 constexpr const char* EDM_PROCESS_NAME = "edm";
76 std::recursive_mutex g_instanceMutex;
77 }
GetInstance()78 PermissionRecordManager& PermissionRecordManager::GetInstance()
79 {
80 static PermissionRecordManager* instance = nullptr;
81 if (instance == nullptr) {
82 std::lock_guard<std::recursive_mutex> lock(g_instanceMutex);
83 if (instance == nullptr) {
84 instance = new PermissionRecordManager();
85 }
86 }
87 return *instance;
88 }
89
PermissionRecordManager()90 PermissionRecordManager::PermissionRecordManager()
91 {
92 bool isEdmMute = false;
93 if (GetMuteParameter(EDM_MIC_MUTE_KEY, isEdmMute)) {
94 ModifyMuteStatus(MICROPHONE_PERMISSION_NAME, EDM, isEdmMute);
95 }
96 }
97
~PermissionRecordManager()98 PermissionRecordManager::~PermissionRecordManager()
99 {
100 if (!hasInited_) {
101 return;
102 }
103 hasInited_ = false;
104 Unregister();
105 }
106
OnAppStateChanged(const AppStateData & appStateData)107 void PrivacyAppStateObserver::OnAppStateChanged(const AppStateData &appStateData)
108 {
109 ACCESSTOKEN_LOG_DEBUG(LABEL, "OnChange(id=%{public}d, pid=%{public}d, state=%{public}d).",
110 appStateData.accessTokenId, appStateData.pid, appStateData.state);
111
112 ActiveChangeType status = PERM_INACTIVE;
113 if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_FOREGROUND)) {
114 status = PERM_ACTIVE_IN_FOREGROUND;
115 } else if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_BACKGROUND)) {
116 status = PERM_ACTIVE_IN_BACKGROUND;
117 }
118 PermissionRecordManager::GetInstance().NotifyAppStateChange(appStateData.accessTokenId, appStateData.pid, status);
119 }
120
OnAppStopped(const AppStateData & appStateData)121 void PrivacyAppStateObserver::OnAppStopped(const AppStateData &appStateData)
122 {
123 ACCESSTOKEN_LOG_DEBUG(LABEL, "OnChange(id=%{public}d, state=%{public}d).",
124 appStateData.accessTokenId, appStateData.state);
125
126 if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_TERMINATED)) {
127 PermissionRecordManager::GetInstance().RemoveRecordFromStartListByToken(appStateData.accessTokenId);
128 }
129 }
130
OnProcessDied(const ProcessData & processData)131 void PrivacyAppStateObserver::OnProcessDied(const ProcessData &processData)
132 {
133 ACCESSTOKEN_LOG_DEBUG(LABEL, "OnChange(id=%{public}u, pid=%{public}d, state=%{public}d).",
134 processData.accessTokenId, processData.pid, processData.state);
135
136 PermissionRecordManager::GetInstance().RemoveRecordFromStartListByPid(processData.accessTokenId, processData.pid);
137 }
138
NotifyAppManagerDeath()139 void PrivacyAppManagerDeathCallback::NotifyAppManagerDeath()
140 {
141 PermissionRecordManager::GetInstance().OnAppMgrRemoteDiedHandle();
142 }
143
AddRecToCacheAndValueVec(const PermissionRecord & record,std::vector<GenericValues> & values)144 void PermissionRecordManager::AddRecToCacheAndValueVec(const PermissionRecord& record,
145 std::vector<GenericValues>& values)
146 {
147 PermissionRecordCache cache;
148 cache.record = record;
149 permUsedRecList_.emplace_back(cache);
150
151 GenericValues value;
152 PermissionRecord::TranslationIntoGenericValues(record, value);
153 values.emplace_back(value);
154 }
155
RecordMergeCheck(const PermissionRecord & record1,const PermissionRecord & record2)156 static bool RecordMergeCheck(const PermissionRecord& record1, const PermissionRecord& record2)
157 {
158 // timestamp in the same minute
159 if (!AccessToken::TimeUtil::IsTimeStampsSameMinute(record1.timestamp, record2.timestamp)) {
160 return false;
161 }
162
163 // the same tokenID + opCode + status + lockScreenStatus + usedType
164 if ((record1.tokenId != record2.tokenId) ||
165 (record1.opCode != record2.opCode) ||
166 (record1.status != record2.status) ||
167 (record1.lockScreenStatus != record2.lockScreenStatus) ||
168 (record1.type != record2.type)) {
169 return false;
170 }
171
172 // both success
173 if (((record1.accessCount > 0) && (record2.accessCount == 0)) ||
174 ((record1.accessCount == 0) && (record2.accessCount > 0))) {
175 return false;
176 }
177
178 // both failure
179 if (((record1.rejectCount > 0) && (record2.rejectCount == 0)) ||
180 ((record1.rejectCount == 0) && (record2.rejectCount > 0))) {
181 return false;
182 }
183
184 return true;
185 }
186
MergeOrInsertRecord(const PermissionRecord & record)187 int32_t PermissionRecordManager::MergeOrInsertRecord(const PermissionRecord& record)
188 {
189 std::vector<GenericValues> insertRecords;
190 {
191 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
192 if (permUsedRecList_.empty()) {
193 ACCESSTOKEN_LOG_INFO(LABEL, "First record in cache!");
194
195 AddRecToCacheAndValueVec(record, insertRecords);
196 } else {
197 bool mergeFlag = false;
198 for (auto it = permUsedRecList_.begin(); it != permUsedRecList_.end(); ++it) {
199 if (RecordMergeCheck(it->record, record)) {
200 ACCESSTOKEN_LOG_INFO(LABEL, "Merge record, ori timestamp is %{public}" PRId64 ".",
201 it->record.timestamp);
202
203 // merge new record to older one if match the merge condition
204 it->record.accessCount += record.accessCount;
205 it->record.rejectCount += record.rejectCount;
206
207 // set update flag to true
208 it->needUpdateToDb = true;
209 mergeFlag = true;
210 break;
211 }
212 }
213
214 if (!mergeFlag) {
215 // record can't merge store to database immediately and add to cache
216 AddRecToCacheAndValueVec(record, insertRecords);
217 }
218 }
219 }
220
221 if (insertRecords.empty()) {
222 return Constant::SUCCESS;
223 }
224
225 Utils::UniqueWriteGuard<Utils::RWLock> lk(this->rwLock_);
226 int32_t res = PermissionUsedRecordDb::GetInstance().Add(PermissionUsedRecordDb::DataType::PERMISSION_RECORD,
227 insertRecords);
228 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
229 ACCESSTOKEN_LOG_INFO(LABEL, "Add permission_record_table failed!");
230 return res;
231 }
232
233 ACCESSTOKEN_LOG_INFO(LABEL, "Add record, id %{public}d, op %{public}d, status: %{public}d, sucCnt: %{public}d, "
234 "failCnt: %{public}d, lockScreenStatus %{public}d, timestamp %{public}" PRId64 ", type %{public}d.",
235 record.tokenId, record.opCode, record.status, record.accessCount, record.rejectCount, record.lockScreenStatus,
236 record.timestamp, record.type);
237
238 return Constant::SUCCESS;
239 }
240
UpdatePermissionUsedRecordToDb(const PermissionRecord & record)241 bool PermissionRecordManager::UpdatePermissionUsedRecordToDb(const PermissionRecord& record)
242 {
243 GenericValues modifyValue;
244 modifyValue.Put(PrivacyFiledConst::FIELD_ACCESS_COUNT, record.accessCount);
245 modifyValue.Put(PrivacyFiledConst::FIELD_REJECT_COUNT, record.rejectCount);
246
247 GenericValues conditionValue;
248 conditionValue.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(record.tokenId));
249 conditionValue.Put(PrivacyFiledConst::FIELD_OP_CODE, record.opCode);
250 conditionValue.Put(PrivacyFiledConst::FIELD_STATUS, record.status);
251 conditionValue.Put(PrivacyFiledConst::FIELD_TIMESTAMP, record.timestamp);
252 conditionValue.Put(PrivacyFiledConst::FIELD_USED_TYPE, record.type);
253
254 {
255 Utils::UniqueWriteGuard<Utils::RWLock> lk(this->rwLock_);
256 return (PermissionUsedRecordDb::GetInstance().Update(PermissionUsedRecordDb::DataType::PERMISSION_RECORD,
257 modifyValue, conditionValue) == PermissionUsedRecordDb::ExecuteResult::SUCCESS);
258 }
259 }
260
AddRecord(const PermissionRecord & record)261 int32_t PermissionRecordManager::AddRecord(const PermissionRecord& record)
262 {
263 int32_t res = MergeOrInsertRecord(record);
264 if (res != Constant::SUCCESS) {
265 return res;
266 }
267
268 int64_t updateStamp = record.timestamp - ONE_MINUTE_MILLISECONDS; // timestamp less than 1 min from now
269 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
270 auto it = permUsedRecList_.begin();
271 while (it != permUsedRecList_.end()) {
272 if ((it->record.timestamp > updateStamp) || (it->record.opCode != record.opCode)) {
273 // record from cache less than updateStamp may merge, ignore them
274 ++it;
275 continue;
276 }
277
278 /*
279 needUpdateToDb:
280 - flase means record not merge, when the timestamp of those records less than 1 min from now
281 they can not merge any more, remove them from cache
282 - true means record has merged, need to update database before remove from cache
283 whether update database succeed or not, recod remove from cache
284 */
285 if ((it->needUpdateToDb) && (!UpdatePermissionUsedRecordToDb(it->record))) {
286 ACCESSTOKEN_LOG_ERROR(LABEL, "Record with timestamp %{public}" PRId64 "update database failed!",
287 it->record.timestamp);
288 }
289
290 it = permUsedRecList_.erase(it);
291 }
292
293 return Constant::SUCCESS;
294 }
295
UpdatePermRecImmediately()296 void PermissionRecordManager::UpdatePermRecImmediately()
297 {
298 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
299 for (auto it = permUsedRecList_.begin(); it != permUsedRecList_.end(); ++it) {
300 if (it->needUpdateToDb) {
301 UpdatePermissionUsedRecordToDb(it->record);
302 }
303 }
304 }
305
GetPermissionRecord(const AddPermParamInfo & info,PermissionRecord & record)306 int32_t PermissionRecordManager::GetPermissionRecord(const AddPermParamInfo& info, PermissionRecord& record)
307 {
308 if (AccessTokenKit::GetTokenTypeFlag(info.tokenId) != TOKEN_HAP) {
309 ACCESSTOKEN_LOG_DEBUG(LABEL, "Not hap(%{public}d).", info.tokenId);
310 return PrivacyError::ERR_PARAM_INVALID;
311 }
312 int32_t opCode;
313 if (!Constant::TransferPermissionToOpcode(info.permissionName, opCode)) {
314 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid perm(%{public}s)", info.permissionName.c_str());
315 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
316 }
317 if (GetMuteStatus(info.permissionName, EDM)) {
318 record.status = PERM_INACTIVE;
319 } else {
320 record.status = GetAppStatus(info.tokenId);
321 }
322 record.lockScreenStatus = GetLockScreenStatus();
323 record.tokenId = info.tokenId;
324 record.accessCount = info.successCount;
325 record.rejectCount = info.failCount;
326 record.opCode = opCode;
327 record.timestamp = AccessToken::TimeUtil::GetCurrentTimestamp();
328 record.accessDuration = 0;
329 record.type = info.type;
330 ACCESSTOKEN_LOG_DEBUG(LABEL, "Record status: %{public}d", record.status);
331 return Constant::SUCCESS;
332 }
333
TransformEnumToBitValue(const PermissionUsedType type,uint32_t & value)334 void PermissionRecordManager::TransformEnumToBitValue(const PermissionUsedType type, uint32_t& value)
335 {
336 if (type == PermissionUsedType::NORMAL_TYPE) {
337 value = NORMAL_TYPE_ADD_VALUE;
338 } else if (type == PermissionUsedType::PICKER_TYPE) {
339 value = PICKER_TYPE_ADD_VALUE;
340 } else if (type == PermissionUsedType::SECURITY_COMPONENT_TYPE) {
341 value = SEC_COMPONENT_TYPE_ADD_VALUE;
342 }
343 }
344
AddOrUpdateUsedTypeIfNeeded(const AccessTokenID tokenId,const int32_t opCode,const PermissionUsedType type)345 bool PermissionRecordManager::AddOrUpdateUsedTypeIfNeeded(const AccessTokenID tokenId, const int32_t opCode,
346 const PermissionUsedType type)
347 {
348 uint32_t inputType = 0;
349 TransformEnumToBitValue(type, inputType);
350
351 GenericValues conditionValue;
352 conditionValue.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
353 conditionValue.Put(PrivacyFiledConst::FIELD_PERMISSION_CODE, opCode);
354
355 std::vector<GenericValues> results;
356 int32_t res = PermissionUsedRecordDb::GetInstance().Query(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
357 conditionValue, results);
358 if (res != PermissionUsedRecordDb::SUCCESS) {
359 return false;
360 }
361
362 if (results.empty()) {
363 // empty means there is no permission used type record, add it
364 ACCESSTOKEN_LOG_DEBUG(LABEL, "No exsit record, add it.");
365
366 GenericValues recordValue;
367 recordValue.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
368 recordValue.Put(PrivacyFiledConst::FIELD_PERMISSION_CODE, opCode);
369 recordValue.Put(PrivacyFiledConst::FIELD_USED_TYPE, static_cast<int32_t>(inputType));
370
371 std::vector<GenericValues> recordValues;
372 recordValues.emplace_back(recordValue);
373 int32_t res = PermissionUsedRecordDb::GetInstance().Add(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
374 recordValues);
375 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
376 return false;
377 }
378 } else {
379 // not empty means there is permission used type record exsit, update it if needed
380 uint32_t dbType = static_cast<uint32_t>(results[0].GetInt(PrivacyFiledConst::FIELD_USED_TYPE));
381 ACCESSTOKEN_LOG_DEBUG(LABEL, "Record exsit, type is %{public}u.", dbType);
382
383 if ((dbType & inputType) == inputType) {
384 // true means visitTypeEnum has exsits, no need to add
385 ACCESSTOKEN_LOG_DEBUG(LABEL, "Used type has add.");
386 return true;
387 } else {
388 results[0].Remove(PrivacyFiledConst::FIELD_USED_TYPE);
389 dbType |= inputType;
390
391 // false means visitTypeEnum not exsits, update record
392 ACCESSTOKEN_LOG_DEBUG(LABEL, "Used type not add, generate new %{public}u.", dbType);
393
394 GenericValues newValue;
395 newValue.Put(PrivacyFiledConst::FIELD_USED_TYPE, static_cast<int32_t>(dbType));
396 return (PermissionUsedRecordDb::GetInstance().Update(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
397 newValue, results[0]) == PermissionUsedRecordDb::ExecuteResult::SUCCESS);
398 }
399 }
400
401 return true;
402 }
403
AddPermissionUsedRecord(const AddPermParamInfo & info)404 int32_t PermissionRecordManager::AddPermissionUsedRecord(const AddPermParamInfo& info)
405 {
406 if ((info.successCount == 0) && (info.failCount == 0)) {
407 return PrivacyError::ERR_PARAM_INVALID;
408 }
409
410 PermissionRecord record;
411 int32_t result = GetPermissionRecord(info, record);
412 if ((result != Constant::SUCCESS) || (!GetGlobalSwitchStatus(info.permissionName))) {
413 return result;
414 }
415
416 result = AddRecord(record);
417 if (result != Constant::SUCCESS) {
418 return result;
419 }
420
421 return AddOrUpdateUsedTypeIfNeeded(
422 info.tokenId, record.opCode, info.type) ? Constant::SUCCESS : Constant::FAILURE;
423 }
424
RemovePermissionUsedRecords(AccessTokenID tokenId,const std::string & deviceID)425 void PermissionRecordManager::RemovePermissionUsedRecords(AccessTokenID tokenId, const std::string& deviceID)
426 {
427 // only support remove by tokenId(local)
428 std::string device = GetDeviceId(tokenId);
429 if (!deviceID.empty() && device != deviceID) {
430 ACCESSTOKEN_LOG_ERROR(LABEL, "DeviceID mismatch");
431 return;
432 }
433
434 {
435 // remove from record cache
436 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
437 auto it = permUsedRecList_.begin();
438 while (it != permUsedRecList_.end()) {
439 if (tokenId == it->record.tokenId) {
440 it = permUsedRecList_.erase(it);
441 } else {
442 ++it;
443 }
444 }
445 }
446
447 GenericValues conditions;
448 conditions.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
449 {
450 // remove from database
451 Utils::UniqueWriteGuard<Utils::RWLock> lk(this->rwLock_);
452 PermissionUsedRecordDb::GetInstance().Remove(PermissionUsedRecordDb::DataType::PERMISSION_RECORD, conditions);
453 PermissionUsedRecordDb::GetInstance().Remove(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
454 conditions);
455 }
456
457 // remove from start list
458 RemoveRecordFromStartListByToken(tokenId);
459 }
460
GetPermissionUsedRecords(const PermissionUsedRequest & request,PermissionUsedResult & result)461 int32_t PermissionRecordManager::GetPermissionUsedRecords(
462 const PermissionUsedRequest& request, PermissionUsedResult& result)
463 {
464 if (!request.isRemote && !GetRecordsFromLocalDB(request, result)) {
465 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to GetRecordsFromLocalDB");
466 return PrivacyError::ERR_PARAM_INVALID;
467 }
468 return Constant::SUCCESS;
469 }
470
GetPermissionUsedRecordsAsync(const PermissionUsedRequest & request,const sptr<OnPermissionUsedRecordCallback> & callback)471 int32_t PermissionRecordManager::GetPermissionUsedRecordsAsync(
472 const PermissionUsedRequest& request, const sptr<OnPermissionUsedRecordCallback>& callback)
473 {
474 auto task = [request, callback]() {
475 ACCESSTOKEN_LOG_INFO(LABEL, "GetPermissionUsedRecordsAsync task called");
476 PermissionUsedResult result;
477 int32_t retCode = PermissionRecordManager::GetInstance().GetPermissionUsedRecords(request, result);
478 callback->OnQueried(retCode, result);
479 };
480 std::thread recordThread(task);
481 recordThread.detach();
482 return Constant::SUCCESS;
483 }
484
TransferToOpcode(const std::vector<std::string> & permissionList,std::set<int32_t> & opCodeList)485 static void TransferToOpcode(const std::vector<std::string>& permissionList, std::set<int32_t>& opCodeList)
486 {
487 for (const auto& permission : permissionList) {
488 int32_t opCode = Constant::OP_INVALID;
489 if (Constant::TransferPermissionToOpcode(permission, opCode)) {
490 opCodeList.insert(opCode);
491 }
492 }
493 }
494
GetMergedRecordsFromCache(std::vector<PermissionRecord> & mergedRecords)495 void PermissionRecordManager::GetMergedRecordsFromCache(std::vector<PermissionRecord>& mergedRecords)
496 {
497 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
498 for (const auto& cache : permUsedRecList_) {
499 if (cache.needUpdateToDb) {
500 mergedRecords.emplace_back(cache.record);
501 }
502 }
503 }
504
InsteadMergedRecIfNecessary(GenericValues & queryValue,std::vector<PermissionRecord> & mergedRecords)505 void PermissionRecordManager::InsteadMergedRecIfNecessary(GenericValues& queryValue,
506 std::vector<PermissionRecord>& mergedRecords)
507 {
508 uint32_t tokenId = static_cast<uint32_t>(queryValue.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID));
509 int32_t opCode = queryValue.GetInt(PrivacyFiledConst::FIELD_OP_CODE);
510 int32_t status = queryValue.GetInt(PrivacyFiledConst::FIELD_STATUS);
511 int64_t timestamp = queryValue.GetInt64(PrivacyFiledConst::FIELD_TIMESTAMP);
512 PermissionUsedType type = static_cast<PermissionUsedType>(queryValue.GetInt(PrivacyFiledConst::FIELD_USED_TYPE));
513
514 for (const auto& record : mergedRecords) {
515 if ((tokenId == record.tokenId) &&
516 (opCode == record.opCode) &&
517 (status == record.status) &&
518 (timestamp == record.timestamp) &&
519 (type == record.type)) {
520 // find merged record, instead accessCount and rejectCount
521 queryValue.Remove(PrivacyFiledConst::FIELD_ACCESS_COUNT);
522 queryValue.Put(PrivacyFiledConst::FIELD_ACCESS_COUNT, record.accessCount);
523 queryValue.Remove(PrivacyFiledConst::FIELD_REJECT_COUNT);
524 queryValue.Put(PrivacyFiledConst::FIELD_REJECT_COUNT, record.rejectCount);
525 return;
526 }
527 }
528 }
529
MergeSamePermission(const PermissionUsageFlag & flag,const PermissionUsedRecord & inRecord,PermissionUsedRecord & outRecord)530 void PermissionRecordManager::MergeSamePermission(const PermissionUsageFlag& flag, const PermissionUsedRecord& inRecord,
531 PermissionUsedRecord& outRecord)
532 {
533 outRecord.accessCount += inRecord.accessCount;
534 outRecord.rejectCount += inRecord.rejectCount;
535
536 // update lastAccessTime、lastRejectTime and lastAccessDuration to the nearer one
537 outRecord.lastAccessTime = (inRecord.lastAccessTime > outRecord.lastAccessTime) ?
538 inRecord.lastAccessTime : outRecord.lastAccessTime;
539 outRecord.lastAccessDuration = (inRecord.lastAccessTime > outRecord.lastAccessTime) ?
540 inRecord.lastAccessDuration : outRecord.lastAccessDuration;
541 outRecord.lastRejectTime = (inRecord.lastRejectTime > outRecord.lastRejectTime) ?
542 inRecord.lastRejectTime : outRecord.lastRejectTime;
543
544 // summary do not handle detail
545 if (flag == FLAG_PERMISSION_USAGE_SUMMARY) {
546 return;
547 }
548
549 if (inRecord.lastAccessTime > 0) {
550 outRecord.accessRecords.emplace_back(inRecord.accessRecords[0]);
551 }
552 if (inRecord.lastRejectTime > 0) {
553 outRecord.rejectRecords.emplace_back(inRecord.rejectRecords[0]);
554 }
555 }
556
FillPermissionUsedRecords(const PermissionUsedRecord & record,const PermissionUsageFlag & flag,std::vector<PermissionUsedRecord> & permissionRecords)557 void PermissionRecordManager::FillPermissionUsedRecords(const PermissionUsedRecord& record,
558 const PermissionUsageFlag& flag, std::vector<PermissionUsedRecord>& permissionRecords)
559 {
560 // check whether the permission has exsit
561 auto iter = std::find_if(permissionRecords.begin(), permissionRecords.end(),
562 [record](const PermissionUsedRecord& rec) {
563 return record.permissionName == rec.permissionName;
564 });
565 if (iter != permissionRecords.end()) {
566 // permission exsit, merge it
567 MergeSamePermission(flag, record, *iter);
568 } else {
569 // permission not exsit, add it
570 permissionRecords.emplace_back(record);
571 }
572 }
573
FillBundleUsedRecord(const GenericValues & value,const PermissionUsageFlag & flag,std::map<int32_t,BundleUsedRecord> & tokenIdToBundleMap,std::map<int32_t,int32_t> & tokenIdToCountMap,PermissionUsedResult & result)574 bool PermissionRecordManager::FillBundleUsedRecord(const GenericValues& value, const PermissionUsageFlag& flag,
575 std::map<int32_t, BundleUsedRecord>& tokenIdToBundleMap, std::map<int32_t, int32_t>& tokenIdToCountMap,
576 PermissionUsedResult& result)
577 {
578 // translate database value into PermissionUsedRecord value
579 PermissionUsedRecord record;
580 if (DataTranslator::TranslationGenericValuesIntoPermissionUsedRecord(flag, value, record) != Constant::SUCCESS) {
581 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to transform op(%{public}d)",
582 value.GetInt(PrivacyFiledConst::FIELD_OP_CODE));
583 return false;
584 }
585
586 // update beginTimeMillis and endTimeMillis if necessary
587 int64_t timestamp = value.GetInt64(PrivacyFiledConst::FIELD_TIMESTAMP);
588 result.beginTimeMillis = ((result.beginTimeMillis == 0) || (timestamp < result.beginTimeMillis)) ?
589 timestamp : result.beginTimeMillis;
590 result.endTimeMillis = (timestamp > result.endTimeMillis) ? timestamp : result.endTimeMillis;
591
592 int32_t tokenId = value.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID);
593 FillPermissionUsedRecords(record, flag, tokenIdToBundleMap[tokenId].permissionRecords);
594 tokenIdToCountMap[tokenId] += 1;
595
596 return true;
597 }
598
AddDebugLog(const AccessTokenID tokenId,const BundleUsedRecord & bundleRecord,const int32_t queryCount,int32_t & totalSuccCount,int32_t & totalFailCount)599 static void AddDebugLog(const AccessTokenID tokenId, const BundleUsedRecord& bundleRecord, const int32_t queryCount,
600 int32_t& totalSuccCount, int32_t& totalFailCount)
601 {
602 int32_t tokenTotalSuccCount = 0;
603 int32_t tokenTotalFailCount = 0;
604 for (const auto& permissionRecord : bundleRecord.permissionRecords) {
605 tokenTotalSuccCount += permissionRecord.accessCount;
606 tokenTotalFailCount += permissionRecord.rejectCount;
607 }
608 ACCESSTOKEN_LOG_INFO(LABEL, "TokenId %{public}d[%{public}s] get %{public}d records, success %{public}d,"
609 " failure %{public}d", tokenId, bundleRecord.bundleName.c_str(), queryCount, tokenTotalSuccCount,
610 tokenTotalFailCount);
611 totalSuccCount += tokenTotalSuccCount;
612 totalFailCount += tokenTotalFailCount;
613 }
614
GetRecordsFromLocalDB(const PermissionUsedRequest & request,PermissionUsedResult & result)615 bool PermissionRecordManager::GetRecordsFromLocalDB(const PermissionUsedRequest& request, PermissionUsedResult& result)
616 {
617 GenericValues andConditionValues;
618 if (DataTranslator::TranslationIntoGenericValues(request, andConditionValues) != Constant::SUCCESS) {
619 ACCESSTOKEN_LOG_ERROR(LABEL, "Query time or flag is invalid");
620 return false;
621 }
622
623 int32_t dataLimitNum = request.flag == FLAG_PERMISSION_USAGE_DETAIL ? MAX_ACCESS_RECORD_SIZE : recordSizeMaximum_;
624 int32_t totalSuccCount = 0;
625 int32_t totalFailCount = 0;
626 std::vector<GenericValues> findRecordsValues; // summary don't limit querry data num, detail do
627
628 std::set<int32_t> opCodeList;
629 TransferToOpcode(request.permissionList, opCodeList);
630 PermissionUsedRecordDb::GetInstance().FindByConditions(PermissionUsedRecordDb::DataType::PERMISSION_RECORD,
631 opCodeList, andConditionValues, findRecordsValues, dataLimitNum);
632
633 uint32_t currentCount = findRecordsValues.size(); // handle query result
634 if (currentCount == 0) {
635 ACCESSTOKEN_LOG_INFO(LABEL, "No record match the condition.");
636 return true;
637 }
638
639 std::vector<PermissionRecord> mergedRecords;
640 GetMergedRecordsFromCache(mergedRecords);
641
642 std::set<int32_t> tokenIdList;
643 std::map<int32_t, BundleUsedRecord> tokenIdToBundleMap;
644 std::map<int32_t, int32_t> tokenIdToCountMap;
645
646 for (auto& recordValue : findRecordsValues) {
647 InsteadMergedRecIfNecessary(recordValue, mergedRecords);
648
649 int32_t tokenId = recordValue.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID);
650 if (tokenIdList.count(tokenId) == 0) {
651 tokenIdList.insert(tokenId); // new tokenId, inset into set
652
653 BundleUsedRecord bundleRecord; // get bundle info
654 if (!CreateBundleUsedRecord(tokenId, bundleRecord)) {
655 continue;
656 }
657
658 tokenIdToBundleMap[tokenId] = bundleRecord; // add into map
659 tokenIdToCountMap[tokenId] = 0;
660 }
661
662 if (!FillBundleUsedRecord(recordValue, request.flag, tokenIdToBundleMap, tokenIdToCountMap, result)) {
663 continue;
664 }
665 }
666
667 for (auto iter = tokenIdToBundleMap.begin(); iter != tokenIdToBundleMap.end(); ++iter) {
668 result.bundleRecords.emplace_back(iter->second);
669
670 AddDebugLog(iter->first, iter->second, tokenIdToCountMap[iter->first], totalSuccCount, totalFailCount);
671 }
672
673 if (request.flag == FLAG_PERMISSION_USAGE_SUMMARY) {
674 ACCESSTOKEN_LOG_INFO(LABEL, "Total success count is %{public}d, total failure count is %{public}d",
675 totalSuccCount, totalFailCount);
676 }
677
678 return true;
679 }
680
CreateBundleUsedRecord(const AccessTokenID tokenId,BundleUsedRecord & bundleRecord)681 bool PermissionRecordManager::CreateBundleUsedRecord(const AccessTokenID tokenId, BundleUsedRecord& bundleRecord)
682 {
683 HapTokenInfo tokenInfo;
684 if (AccessTokenKit::GetHapTokenInfo(tokenId, tokenInfo) != Constant::SUCCESS) {
685 ACCESSTOKEN_LOG_ERROR(LABEL, "GetHapTokenInfo failed, tokenId is %{public}u.", tokenId);
686 return false;
687 }
688 bundleRecord.tokenId = tokenId;
689 bundleRecord.isRemote = false;
690 bundleRecord.deviceId = GetDeviceId(tokenId);
691 bundleRecord.bundleName = tokenInfo.bundleName;
692 return true;
693 }
694
695 // call this when receive screen off common event
ExecuteDeletePermissionRecordTask()696 void PermissionRecordManager::ExecuteDeletePermissionRecordTask()
697 {
698 #ifdef EVENTHANDLER_ENABLE
699 if (GetCurDeleteTaskNum() > 1) {
700 ACCESSTOKEN_LOG_INFO(LABEL, "Has delete task!");
701 return;
702 }
703 AddDeleteTaskNum();
704 if (deleteEventHandler_ == nullptr) {
705 ACCESSTOKEN_LOG_ERROR(LABEL, "Fail to get EventHandler.");
706 ReduceDeleteTaskNum();
707 return;
708 }
709
710 std::function<void()> delayed = ([this]() {
711 DeletePermissionRecord(recordAgingTime_);
712 ACCESSTOKEN_LOG_INFO(LABEL, "Delete record end.");
713 // Sleep for one minute to avoid frequent refresh of the file.
714 std::this_thread::sleep_for(std::chrono::minutes(1));
715 ReduceDeleteTaskNum();
716 });
717
718 deleteEventHandler_->ProxyPostTask(delayed);
719 #endif
720 }
721
GetCurDeleteTaskNum()722 int32_t PermissionRecordManager::GetCurDeleteTaskNum()
723 {
724 return deleteTaskNum_.load();
725 }
726
AddDeleteTaskNum()727 void PermissionRecordManager::AddDeleteTaskNum()
728 {
729 deleteTaskNum_++;
730 }
731
ReduceDeleteTaskNum()732 void PermissionRecordManager::ReduceDeleteTaskNum()
733 {
734 deleteTaskNum_--;
735 }
736
DeletePermissionRecord(int32_t days)737 int32_t PermissionRecordManager::DeletePermissionRecord(int32_t days)
738 {
739 int64_t interval = days * Constant::ONE_DAY_MILLISECONDS;
740 int32_t total = PermissionUsedRecordDb::GetInstance().Count(PermissionUsedRecordDb::DataType::PERMISSION_RECORD);
741 if (total > recordSizeMaximum_) {
742 uint32_t excessiveSize = static_cast<uint32_t>(total) - static_cast<uint32_t>(recordSizeMaximum_);
743 int32_t res = PermissionUsedRecordDb::GetInstance().DeleteExcessiveRecords(
744 PermissionUsedRecordDb::DataType::PERMISSION_RECORD, excessiveSize);
745 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
746 return Constant::FAILURE;
747 }
748 }
749 GenericValues andConditionValues;
750 int64_t deleteTimestamp = AccessToken::TimeUtil::GetCurrentTimestamp() - interval;
751 andConditionValues.Put(PrivacyFiledConst::FIELD_TIMESTAMP_END, deleteTimestamp);
752 int32_t res = PermissionUsedRecordDb::GetInstance().DeleteExpireRecords(
753 PermissionUsedRecordDb::DataType::PERMISSION_RECORD, andConditionValues);
754 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
755 return Constant::FAILURE;
756 }
757 return Constant::SUCCESS;
758 }
759
AddRecordToStartList(uint32_t tokenId,int32_t pid,const std::string & permissionName,int32_t status)760 int32_t PermissionRecordManager::AddRecordToStartList(
761 uint32_t tokenId, int32_t pid, const std::string& permissionName, int32_t status)
762 {
763 int32_t ret = Constant::SUCCESS;
764 int32_t opCode;
765 if (!Constant::TransferPermissionToOpcode(permissionName, opCode)) {
766 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid perm(%{public}s)", permissionName.c_str());
767 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
768 }
769
770 std::lock_guard<std::mutex> lock(startRecordListMutex_);
771 bool hasTokenStarted = false;
772 bool hasPidStarted = false;
773 for (auto& record : startRecordList_) {
774 if ((record.opCode == opCode) && (record.tokenId == tokenId)) { // find token
775 hasTokenStarted = true;
776 if (!IsPidValid(pid) || record.pidList.find(pid) != record.pidList.end()) {
777 hasPidStarted = true;
778 } else {
779 record.pidList.insert(pid);
780 }
781 break;
782 }
783 }
784 ACCESSTOKEN_LOG_INFO(LABEL, "Id(%{public}u), pid(%{public}d), opCode(%{public}d),\
785 hasTokenStarted(%{public}d), hasPidStarted(%{public}d).",
786 tokenId, pid, opCode, hasTokenStarted, hasPidStarted);
787 if (!hasTokenStarted) {
788 ContinusPermissionRecord record = { 0 };
789 record.tokenId = tokenId;
790 record.status = status;
791 record.opCode = opCode;
792 if (IsPidValid(pid)) {
793 record.pidList.insert(pid);
794 }
795 startRecordList_.emplace_back(record);
796 }
797 CallbackExecute(tokenId, permissionName, status);
798 if (hasTokenStarted && hasPidStarted) {
799 ret = PrivacyError::ERR_PERMISSION_ALREADY_START_USING;
800 }
801 return ret;
802 }
803
ExecuteAndUpdateRecord(uint32_t tokenId,int32_t pid,ActiveChangeType status)804 void PermissionRecordManager::ExecuteAndUpdateRecord(uint32_t tokenId, int32_t pid, ActiveChangeType status)
805 {
806 std::vector<std::string> camPermList;
807 std::lock_guard<std::mutex> lock(startRecordListMutex_);
808 for (auto it = startRecordList_.begin(); it != startRecordList_.end(); ++it) {
809 if ((it->tokenId == tokenId) && ((it->status) != PERM_INACTIVE) && ((it->status) != status)) {
810 std::string perm;
811 Constant::TransferOpcodeToPermission(it->opCode, perm);
812 if ((GetMuteStatus(perm, EDM)) || (!GetGlobalSwitchStatus(perm))) {
813 continue;
814 }
815
816 // app use camera background without float window
817 bool isShow = IsCameraWindowShow(tokenId);
818 bool isAllowedBackGround = false;
819 if (AccessTokenKit::VerifyAccessToken(tokenId, "ohos.permission.CAMERA_BACKGROUND") == PERMISSION_GRANTED) {
820 isAllowedBackGround = true;
821 }
822 if ((perm == CAMERA_PERMISSION_NAME) && (status == PERM_ACTIVE_IN_BACKGROUND) &&
823 (!isShow) && (!isAllowedBackGround)) {
824 ACCESSTOKEN_LOG_INFO(LABEL, "Camera float window is close!");
825 camPermList.emplace_back(perm);
826 continue;
827 }
828
829 // update status to input and timestamp to now in cache
830 it->status = status;
831 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenId %{public}d get permission %{public}s.", tokenId, perm.c_str());
832 }
833 }
834
835 if (!camPermList.empty()) {
836 ExecuteCameraCallbackAsync(tokenId, pid);
837 }
838 }
839
840 /*
841 * when foreground change background or background change foreground,change accessDuration and store in database,
842 * change status and accessDuration and timestamp in cache
843 */
NotifyAppStateChange(AccessTokenID tokenId,int32_t pid,ActiveChangeType status)844 void PermissionRecordManager::NotifyAppStateChange(AccessTokenID tokenId, int32_t pid, ActiveChangeType status)
845 {
846 ACCESSTOKEN_LOG_INFO(LABEL, "Id %{public}u, pid %{public}d, status %{public}d", tokenId, pid, status);
847 // find permissions from startRecordList_ by tokenId which status diff from currStatus
848 ExecuteAndUpdateRecord(tokenId, pid, status);
849 }
850
SetLockScreenStatus(int32_t lockScreenStatus)851 void PermissionRecordManager::SetLockScreenStatus(int32_t lockScreenStatus)
852 {
853 ACCESSTOKEN_LOG_INFO(LABEL, "LockScreenStatus %{public}d", lockScreenStatus);
854 std::lock_guard<std::mutex> lock(lockScreenStateMutex_);
855 lockScreenStatus_ = lockScreenStatus;
856 }
857
GetLockScreenStatus()858 int32_t PermissionRecordManager::GetLockScreenStatus()
859 {
860 std::lock_guard<std::mutex> lock(lockScreenStateMutex_);
861 return lockScreenStatus_;
862 }
863
RemoveRecordFromStartList(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)864 int32_t PermissionRecordManager::RemoveRecordFromStartList(
865 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
866 {
867 int32_t opCode;
868 if (!Constant::TransferPermissionToOpcode(permissionName, opCode)) {
869 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid permission(%{public}s)", permissionName.c_str());
870 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
871 }
872
873 ACCESSTOKEN_LOG_DEBUG(LABEL, "Id %{public}u, pid %{public}d, perm %{public}s",
874 tokenId, pid, permissionName.c_str());
875 int32_t status = PERM_INACTIVE;
876 bool isFind = false;
877 int32_t ret = Constant::SUCCESS;
878 std::lock_guard<std::mutex> lock(startRecordListMutex_);
879 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
880 if ((it->opCode != opCode) || (it->tokenId != tokenId)) {
881 ++it;
882 continue;
883 }
884 isFind = !IsPidValid(pid);
885 // erase pid from pidList
886 if (!isFind && it->pidList.find(pid) != it->pidList.end()) {
887 isFind = true;
888 it->pidList.erase(pid);
889 }
890 if (it->pidList.empty()) {
891 status = it->status;
892 startRecordList_.erase(it);
893 }
894 break;
895 }
896 if (status != PERM_INACTIVE) {
897 CallbackExecute(tokenId, permissionName, PERM_INACTIVE);
898 }
899 if (!isFind) {
900 ret = PrivacyError::ERR_PERMISSION_NOT_START_USING;
901 ACCESSTOKEN_LOG_ERROR(LABEL, "No records started, tokenId=%{public}u, pid=%{public}d, opCode=%{public}d",
902 tokenId, pid, opCode);
903 }
904 return ret;
905 }
906
907 /*
908 * remove all record of pid,
909 * when pidList is empty, execute active callback
910 */
RemoveRecordFromStartListByPid(const AccessTokenID tokenId,int32_t pid)911 void PermissionRecordManager::RemoveRecordFromStartListByPid(const AccessTokenID tokenId, int32_t pid)
912 {
913 ACCESSTOKEN_LOG_INFO(LABEL, "TokenId %{public}u, pid %{public}d", tokenId, pid);
914 {
915 std::vector<std::string> permList;
916 std::lock_guard<std::mutex> lock(startRecordListMutex_);
917 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
918 if (it->tokenId != tokenId || it->pidList.empty() || it->pidList.find(pid) == it->pidList.end()) {
919 ++it;
920 continue;
921 }
922 it->pidList.erase(pid);
923 if (it->pidList.empty()) {
924 std::string perm;
925 Constant::TransferOpcodeToPermission(it->opCode, perm);
926 permList.emplace_back(perm);
927 it = startRecordList_.erase(it);
928 }
929 }
930 for (const auto& perm : permList) {
931 CallbackExecute(tokenId, perm, PERM_INACTIVE);
932 }
933 }
934 cameraCallbackMap_.Erase(GetUniqueId(tokenId, pid));
935 }
936
937 /*
938 * remove all record of token, and execute active callback
939 */
RemoveRecordFromStartListByToken(const AccessTokenID tokenId)940 void PermissionRecordManager::RemoveRecordFromStartListByToken(const AccessTokenID tokenId)
941 {
942 ACCESSTOKEN_LOG_INFO(LABEL, "TokenId %{public}u", tokenId);
943 {
944 std::vector<std::string> permList;
945 std::lock_guard<std::mutex> lock(startRecordListMutex_);
946 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
947 if (it->tokenId != tokenId) {
948 ++it;
949 continue;
950 }
951 std::string perm;
952 Constant::TransferOpcodeToPermission(it->opCode, perm);
953 permList.emplace_back(perm);
954 it = startRecordList_.erase(it);
955 }
956 for (const auto& perm : permList) {
957 CallbackExecute(tokenId, perm, PERM_INACTIVE);
958 }
959 }
960 cameraCallbackMap_.Erase(GetUniqueId(tokenId, -1));
961 }
962
RemoveRecordFromStartListByOp(int32_t opCode)963 void PermissionRecordManager::RemoveRecordFromStartListByOp(int32_t opCode)
964 {
965 ACCESSTOKEN_LOG_INFO(LABEL, "OpCode %{public}d", opCode);
966 std::string perm;
967 Constant::TransferOpcodeToPermission(opCode, perm);
968 {
969 std::vector<AccessTokenID> tokenList;
970 std::lock_guard<std::mutex> lock(startRecordListMutex_);
971 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
972 if (it->opCode != opCode) {
973 ++it;
974 continue;
975 }
976 tokenList.emplace_back(it->tokenId);
977 it = startRecordList_.erase(it);
978 }
979 for (size_t i = 0; i < tokenList.size(); ++i) {
980 CallbackExecute(tokenList[i], perm, PERM_INACTIVE);
981 }
982 }
983 }
984
CallbackExecute(AccessTokenID tokenId,const std::string & permissionName,int32_t status)985 void PermissionRecordManager::CallbackExecute(
986 AccessTokenID tokenId, const std::string& permissionName, int32_t status)
987 {
988 ACCESSTOKEN_LOG_INFO(LABEL,
989 "ExecuteCallbackAsync, tokenId %{public}d using permission %{public}s, status %{public}d",
990 tokenId, permissionName.c_str(), status);
991 ActiveStatusCallbackManager::GetInstance().ExecuteCallbackAsync(
992 tokenId, permissionName, GetDeviceId(tokenId), (ActiveChangeType)status);
993 }
994
GetGlobalSwitchStatus(const std::string & permissionName)995 bool PermissionRecordManager::GetGlobalSwitchStatus(const std::string& permissionName)
996 {
997 bool isOpen = true;
998 // only manage camera and microphone global switch now, other default true
999 if (permissionName == MICROPHONE_PERMISSION_NAME) {
1000 isOpen = !isMicMixMute_;
1001 ACCESSTOKEN_LOG_INFO(LABEL, "Permission is %{public}s, status is %{public}d", permissionName.c_str(), isOpen);
1002 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1003 isOpen = !isCamMixMute_;
1004 ACCESSTOKEN_LOG_INFO(LABEL, "Permission is %{public}s, status is %{public}d", permissionName.c_str(), isOpen);
1005 }
1006 return isOpen;
1007 }
1008 #ifndef APP_SECURITY_PRIVACY_SERVICE
1009 /*
1010 * StartUsing when close and choose open, update status to foreground or background from inactive
1011 * StartUsing when open and choose close, update status to inactive and store in database
1012 */
ExecuteAndUpdateRecordByPerm(const std::string & permissionName,bool switchStatus)1013 void PermissionRecordManager::ExecuteAndUpdateRecordByPerm(const std::string& permissionName, bool switchStatus)
1014 {
1015 int32_t opCode;
1016 Constant::TransferPermissionToOpcode(permissionName, opCode);
1017 std::vector<ContinusPermissionRecord> recordList;
1018 std::lock_guard<std::mutex> lock(startRecordListMutex_);
1019 for (auto it = startRecordList_.begin(); it != startRecordList_.end(); ++it) {
1020 ContinusPermissionRecord& record = *it;
1021 if ((record.opCode) != static_cast<int32_t>(opCode)) {
1022 continue;
1023 }
1024 if (switchStatus) {
1025 ACCESSTOKEN_LOG_INFO(LABEL, "Global switch is open, update record from inactive");
1026 // no need to store in database when status from inactive to foreground or background
1027 record.status = GetAppStatus(record.tokenId);
1028 } else {
1029 ACCESSTOKEN_LOG_INFO(LABEL, "Global switch is close, update record to inactive");
1030 record.status = PERM_INACTIVE;
1031 }
1032 recordList.emplace_back(*it);
1033 }
1034 // each permission sends a status change notice
1035 for (const auto& record : recordList) {
1036 CallbackExecute(record.tokenId, permissionName, record.status);
1037 }
1038 }
1039 #endif
ShowGlobalDialog(const std::string & permissionName)1040 bool PermissionRecordManager::ShowGlobalDialog(const std::string& permissionName)
1041 {
1042 std::string resource;
1043 if (permissionName == CAMERA_PERMISSION_NAME) {
1044 resource = "camera";
1045 } else if (permissionName == MICROPHONE_PERMISSION_NAME) {
1046 resource = "microphone";
1047 } else {
1048 ACCESSTOKEN_LOG_INFO(LABEL, "Invalid permissionName(%{public}s).", permissionName.c_str());
1049 return true;
1050 }
1051
1052 AAFwk::Want want;
1053 want.SetElementName(globalDialogBundleName_, globalDialogAbilityName_);
1054 want.SetParam(RESOURCE_KEY, resource);
1055 ErrCode err = AbilityManagerAccessClient::GetInstance().StartAbility(want, nullptr);
1056 if (err != ERR_OK) {
1057 ACCESSTOKEN_LOG_ERROR(LABEL, "Fail to StartAbility, err:%{public}d", err);
1058 return false;
1059 }
1060 return true;
1061 }
1062
ExecuteAllCameraExecuteCallback()1063 void PermissionRecordManager::ExecuteAllCameraExecuteCallback()
1064 {
1065 ACCESSTOKEN_LOG_INFO(LABEL, "ExecuteAllCameraExecuteCallback called");
1066 auto it = [&](uint64_t id, sptr<IRemoteObject> cameraCallback) {
1067 auto callback = iface_cast<IStateChangeCallback>(cameraCallback);
1068 AccessTokenID tokenId = static_cast<AccessTokenID>(id);
1069 if (callback != nullptr) {
1070 ACCESSTOKEN_LOG_INFO(
1071 LABEL, "CameraCallback tokenId %{public}d changeType %{public}d.", tokenId, PERM_INACTIVE);
1072 callback->StateChangeNotify(tokenId, false);
1073 }
1074 };
1075 this->cameraCallbackMap_.Iterate(it);
1076 }
1077
ExecuteCameraCallbackAsync(AccessTokenID tokenId,int32_t pid)1078 void PermissionRecordManager::ExecuteCameraCallbackAsync(AccessTokenID tokenId, int32_t pid)
1079 {
1080 ACCESSTOKEN_LOG_DEBUG(LABEL, "Entry.");
1081 auto task = [tokenId, pid, this]() {
1082 uint64_t uniqueId = GetUniqueId(tokenId, pid);
1083 ACCESSTOKEN_LOG_INFO(LABEL, "ExecuteCameraCallbackAsync task called.");
1084 auto it = [&](uint64_t id, sptr<IRemoteObject> cameraCallback) {
1085 auto callback = iface_cast<IStateChangeCallback>(cameraCallback);
1086 if ((uniqueId == id) && (callback != nullptr)) {
1087 ACCESSTOKEN_LOG_INFO(LABEL, "CameraCallback tokenId(%{public}u) pid( %{public}d) changeType %{public}d",
1088 tokenId, pid, PERM_INACTIVE);
1089 callback->StateChangeNotify(tokenId, false);
1090 }
1091 };
1092 this->cameraCallbackMap_.Iterate(it);
1093 };
1094 std::thread executeThread(task);
1095 executeThread.detach();
1096 ACCESSTOKEN_LOG_DEBUG(LABEL, "The cameraCallback execution is complete.");
1097 }
1098
StartUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)1099 int32_t PermissionRecordManager::StartUsingPermission(
1100 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
1101 {
1102 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1103 ACCESSTOKEN_LOG_DEBUG(LABEL, "Not hap(%{public}d).", tokenId);
1104 return PrivacyError::ERR_PARAM_INVALID;
1105 }
1106
1107 InitializeMuteState(permissionName);
1108 if (GetMuteStatus(permissionName, EDM)) {
1109 ACCESSTOKEN_LOG_ERROR(LABEL, "EDM not allow.");
1110 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1111 }
1112 if (!Register()) {
1113 return PrivacyError::ERR_MALLOC_FAILED;
1114 }
1115
1116 int32_t status = GetAppStatus(tokenId);
1117 #ifndef APP_SECURITY_PRIVACY_SERVICE
1118 if (!GetGlobalSwitchStatus(permissionName)) {
1119 if (!ShowGlobalDialog(permissionName)) {
1120 return ERR_SERVICE_ABNORMAL;
1121 }
1122 status = PERM_INACTIVE;
1123 }
1124 #endif
1125 return AddRecordToStartList(tokenId, pid, permissionName, status);
1126 }
1127
StartUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName,const sptr<IRemoteObject> & callback)1128 int32_t PermissionRecordManager::StartUsingPermission(
1129 AccessTokenID tokenId, int32_t pid, const std::string& permissionName, const sptr<IRemoteObject>& callback)
1130 {
1131 if ((permissionName != CAMERA_PERMISSION_NAME) || (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP)) {
1132 ACCESSTOKEN_LOG_DEBUG(LABEL, "Token(%{public}u), perm(%{public}s).", tokenId, permissionName.c_str());
1133 return PrivacyError::ERR_PARAM_INVALID;
1134 }
1135
1136 InitializeMuteState(permissionName);
1137 if (GetMuteStatus(permissionName, EDM)) {
1138 ACCESSTOKEN_LOG_ERROR(LABEL, "EDM not allow.");
1139 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1140 }
1141
1142 if (!Register()) {
1143 return PrivacyError::ERR_MALLOC_FAILED;
1144 }
1145 int32_t status = GetAppStatus(tokenId);
1146 #ifndef APP_SECURITY_PRIVACY_SERVICE
1147 if (!GetGlobalSwitchStatus(permissionName)) {
1148 if (!ShowGlobalDialog(permissionName)) {
1149 return ERR_SERVICE_ABNORMAL;
1150 }
1151 status = PERM_INACTIVE;
1152 }
1153 #endif
1154 uint64_t id = GetUniqueId(tokenId, pid);
1155 cameraCallbackMap_.EnsureInsert(id, callback);
1156 if (!RegisterWindowCallback()) {
1157 cameraCallbackMap_.Erase(id);
1158 return PrivacyError::ERR_WINDOW_CALLBACK_FAILED;
1159 }
1160 int32_t ret = AddRecordToStartList(tokenId, pid, permissionName, status);
1161 if (ret != RET_SUCCESS) {
1162 cameraCallbackMap_.Erase(id);
1163 }
1164 return ret;
1165 }
1166
StopUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)1167 int32_t PermissionRecordManager::StopUsingPermission(
1168 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
1169 {
1170 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1171 ACCESSTOKEN_LOG_DEBUG(LABEL, "Not hap(%{public}d).", tokenId);
1172 return PrivacyError::ERR_PARAM_INVALID;
1173 }
1174
1175 return RemoveRecordFromStartList(tokenId, pid, permissionName);
1176 }
1177
PermListToString(const std::vector<std::string> & permList)1178 void PermissionRecordManager::PermListToString(const std::vector<std::string>& permList)
1179 {
1180 std::string permStr;
1181 permStr = accumulate(permList.begin(), permList.end(), std::string(" "));
1182
1183 ACCESSTOKEN_LOG_INFO(LABEL, "PermStr =%{public}s.", permStr.c_str());
1184 }
1185
PermissionListFilter(const std::vector<std::string> & listSrc,std::vector<std::string> & listRes)1186 int32_t PermissionRecordManager::PermissionListFilter(
1187 const std::vector<std::string>& listSrc, std::vector<std::string>& listRes)
1188 {
1189 // filter legal permissions
1190 PermissionDef permissionDef;
1191 std::set<std::string> permSet;
1192 for (const auto& perm : listSrc) {
1193 if (AccessTokenKit::GetDefPermission(perm, permissionDef) == Constant::SUCCESS &&
1194 permSet.count(perm) == 0) {
1195 listRes.emplace_back(perm);
1196 permSet.insert(perm);
1197 continue;
1198 }
1199 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission %{public}s invalid!", perm.c_str());
1200 }
1201 if ((listRes.empty()) && (!listSrc.empty())) {
1202 ACCESSTOKEN_LOG_ERROR(LABEL, "Valid permission size is 0!");
1203 return PrivacyError::ERR_PARAM_INVALID;
1204 }
1205 PermListToString(listRes);
1206 return Constant::SUCCESS;
1207 }
1208
IsAllowedUsingCamera(AccessTokenID tokenId)1209 bool PermissionRecordManager::IsAllowedUsingCamera(AccessTokenID tokenId)
1210 {
1211 int32_t status = GetAppStatus(tokenId);
1212 bool isAllowedBackGround = false;
1213 if (AccessTokenKit::VerifyAccessToken(tokenId, "ohos.permission.CAMERA_BACKGROUND") == PERMISSION_GRANTED) {
1214 isAllowedBackGround = true;
1215 }
1216 ACCESSTOKEN_LOG_INFO(LABEL,
1217 "Id(%{public}d), appStatus(%{public}d), isAllowedBackGround(%{public}d)).",
1218 tokenId, status, isAllowedBackGround);
1219 return (status == ActiveChangeType::PERM_ACTIVE_IN_FOREGROUND) || isAllowedBackGround;
1220 }
1221
IsAllowedUsingMicrophone(AccessTokenID tokenId)1222 bool PermissionRecordManager::IsAllowedUsingMicrophone(AccessTokenID tokenId)
1223 {
1224 int32_t status = GetAppStatus(tokenId);
1225 ACCESSTOKEN_LOG_INFO(LABEL, "Id %{public}d, status is %{public}d.", tokenId, status);
1226 if (status == ActiveChangeType::PERM_ACTIVE_IN_FOREGROUND) {
1227 return true;
1228 }
1229
1230 std::lock_guard<std::mutex> lock(foreReminderMutex_);
1231 auto iter = std::find(foreTokenIdList_.begin(), foreTokenIdList_.end(), tokenId);
1232 if (iter != foreTokenIdList_.end()) {
1233 return true;
1234 }
1235 return false;
1236 }
1237
IsAllowedUsingPermission(AccessTokenID tokenId,const std::string & permissionName)1238 bool PermissionRecordManager::IsAllowedUsingPermission(AccessTokenID tokenId, const std::string& permissionName)
1239 {
1240 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1241 ACCESSTOKEN_LOG_DEBUG(LABEL, "Id(%{public}d) is not hap.", tokenId);
1242 return false;
1243 }
1244
1245 if (GetMuteStatus(permissionName, EDM)) {
1246 ACCESSTOKEN_LOG_ERROR(LABEL, "EDM not allow.");
1247 return false;
1248 }
1249
1250 if (permissionName == CAMERA_PERMISSION_NAME) {
1251 return IsAllowedUsingCamera(tokenId);
1252 } else if (permissionName == MICROPHONE_PERMISSION_NAME) {
1253 return IsAllowedUsingMicrophone(tokenId);
1254 }
1255 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid permission(%{public}s).", permissionName.c_str());
1256 return false;
1257 }
1258
SetMutePolicy(const PolicyType & policyType,const CallerType & callerType,bool isMute,AccessTokenID tokenID)1259 int32_t PermissionRecordManager::SetMutePolicy(const PolicyType& policyType, const CallerType& callerType, bool isMute,
1260 AccessTokenID tokenID)
1261 {
1262 std::string permissionName;
1263 if (callerType == MICROPHONE) {
1264 permissionName = MICROPHONE_PERMISSION_NAME;
1265 } else if (callerType == CAMERA) {
1266 permissionName = CAMERA_PERMISSION_NAME;
1267 } else {
1268 return PrivacyError::ERR_PARAM_INVALID;
1269 }
1270
1271 if (policyType == EDM) {
1272 static uint32_t edmTokenID = AccessTokenKit::GetNativeTokenId(EDM_PROCESS_NAME);
1273 if (edmTokenID != tokenID) {
1274 return PrivacyError::ERR_FIRST_CALLER_NOT_EDM;
1275 }
1276
1277 return SetEdmMutePolicy(permissionName, isMute);
1278 }
1279
1280 if (policyType == PRIVACY) {
1281 return SetPrivacyMutePolicy(permissionName, isMute);
1282 }
1283
1284 if (policyType == TEMPORARY) {
1285 return SetTempMutePolicy(permissionName, isMute);
1286 }
1287 return ERR_PARAM_INVALID;
1288 }
1289
SetHapWithFGReminder(uint32_t tokenId,bool isAllowed)1290 int32_t PermissionRecordManager::SetHapWithFGReminder(uint32_t tokenId, bool isAllowed)
1291 {
1292 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1293 ACCESSTOKEN_LOG_ERROR(LABEL, "Not hap(%{public}d).", tokenId);
1294 return PrivacyError::ERR_PARAM_INVALID;
1295 }
1296 std::lock_guard<std::mutex> lock(foreReminderMutex_);
1297 auto iter = std::find(foreTokenIdList_.begin(), foreTokenIdList_.end(), tokenId);
1298 if (iter == foreTokenIdList_.end() && isAllowed) {
1299 foreTokenIdList_.emplace_back(tokenId);
1300 ACCESSTOKEN_LOG_INFO(LABEL, "Set hap(%{public}d) foreground.", tokenId);
1301 return RET_SUCCESS;
1302 }
1303 if (iter != foreTokenIdList_.end() && !isAllowed) {
1304 foreTokenIdList_.erase(iter);
1305 ACCESSTOKEN_LOG_INFO(LABEL, "cancel hap(%{public}d) foreground.", tokenId);
1306 return RET_SUCCESS;
1307 }
1308 ACCESSTOKEN_LOG_ERROR(LABEL, "(%{public}d) is invalid to be operated.", tokenId);
1309 return PrivacyError::ERR_PARAM_INVALID;
1310 }
1311
SetEdmMutePolicy(const std::string permissionName,bool isMute)1312 int32_t PermissionRecordManager::SetEdmMutePolicy(const std::string permissionName, bool isMute)
1313 {
1314 if (isMute) {
1315 ModifyMuteStatus(permissionName, EDM, isMute);
1316 ModifyMuteStatus(permissionName, MIXED, isMute);
1317 #ifndef APP_SECURITY_PRIVACY_SERVICE
1318 ExecuteAndUpdateRecordByPerm(permissionName, false);
1319 #endif
1320 } else {
1321 ModifyMuteStatus(permissionName, EDM, isMute);
1322 if (GetMuteStatus(permissionName, MIXED)) {
1323 return ERR_PRIVACY_POLICY_CHECK_FAILED;
1324 }
1325 }
1326 return RET_SUCCESS;
1327 }
1328
SetPrivacyMutePolicy(const std::string permissionName,bool isMute)1329 int32_t PermissionRecordManager::SetPrivacyMutePolicy(const std::string permissionName, bool isMute)
1330 {
1331 if (isMute) {
1332 ModifyMuteStatus(permissionName, MIXED, isMute);
1333 } else {
1334 if (GetMuteStatus(permissionName, EDM)) {
1335 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1336 }
1337 ModifyMuteStatus(permissionName, MIXED, isMute);
1338 }
1339 #ifndef APP_SECURITY_PRIVACY_SERVICE
1340 ExecuteAndUpdateRecordByPerm(permissionName, !isMute);
1341 #endif
1342 return RET_SUCCESS;
1343 }
1344
SetTempMutePolicy(const std::string permissionName,bool isMute)1345 int32_t PermissionRecordManager::SetTempMutePolicy(const std::string permissionName, bool isMute)
1346 {
1347 if (!isMute) {
1348 if (GetMuteStatus(permissionName, EDM)) {
1349 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1350 }
1351 if (GetMuteStatus(permissionName, MIXED)) {
1352 if (!ShowGlobalDialog(permissionName)) {
1353 return ERR_SERVICE_ABNORMAL;
1354 }
1355 return PrivacyError::ERR_PRIVACY_POLICY_CHECK_FAILED;
1356 }
1357 }
1358 return RET_SUCCESS;
1359 }
1360
ModifyMuteStatus(const std::string & permissionName,int32_t index,bool isMute)1361 void PermissionRecordManager::ModifyMuteStatus(const std::string& permissionName, int32_t index, bool isMute)
1362 {
1363 if (permissionName == MICROPHONE_PERMISSION_NAME) {
1364 std::lock_guard<std::mutex> lock(micMuteMutex_);
1365 if (index == EDM) {
1366 isMicEdmMute_ = isMute;
1367 } else {
1368 isMicMixMute_ = isMute;
1369 }
1370 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1371 std::lock_guard<std::mutex> lock(camMuteMutex_);
1372 if (index == EDM) {
1373 isCamEdmMute_ = isMute;
1374 } else {
1375 isCamMixMute_ = isMute;
1376 }
1377 }
1378 ACCESSTOKEN_LOG_INFO(LABEL, "permissionName: %{public}s, isMute: %{public}d, index: %{public}d.",
1379 permissionName.c_str(), isMute, index);
1380 }
1381
GetMuteStatus(const std::string & permissionName,int32_t index)1382 bool PermissionRecordManager::GetMuteStatus(const std::string& permissionName, int32_t index)
1383 {
1384 bool isMute = false;
1385 if (permissionName == MICROPHONE_PERMISSION_NAME) {
1386 std::lock_guard<std::mutex> lock(micMuteMutex_);
1387 isMute = (index == EDM) ? isMicEdmMute_ : isMicMixMute_;
1388 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1389 std::lock_guard<std::mutex> lock(camMuteMutex_);
1390 isMute = (index == EDM) ? isCamEdmMute_ : isCamMixMute_;
1391 } else {
1392 return false;
1393 }
1394 ACCESSTOKEN_LOG_INFO(LABEL, "perm: %{public}s, isMute: %{public}d, index: %{public}d.",
1395 permissionName.c_str(), isMute, index);
1396 return isMute;
1397 }
1398
RegisterPermActiveStatusCallback(AccessTokenID regiterTokenId,const std::vector<std::string> & permList,const sptr<IRemoteObject> & callback)1399 int32_t PermissionRecordManager::RegisterPermActiveStatusCallback(
1400 AccessTokenID regiterTokenId, const std::vector<std::string>& permList, const sptr<IRemoteObject>& callback)
1401 {
1402 std::vector<std::string> permListRes;
1403 int32_t res = PermissionListFilter(permList, permListRes);
1404 if (res != Constant::SUCCESS) {
1405 return res;
1406 }
1407 return ActiveStatusCallbackManager::GetInstance().AddCallback(regiterTokenId, permListRes, callback);
1408 }
1409
UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject> & callback)1410 int32_t PermissionRecordManager::UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject>& callback)
1411 {
1412 return ActiveStatusCallbackManager::GetInstance().RemoveCallback(callback);
1413 }
1414
AddDataValueToResults(const GenericValues value,std::vector<PermissionUsedTypeInfo> & results)1415 void PermissionRecordManager::AddDataValueToResults(const GenericValues value,
1416 std::vector<PermissionUsedTypeInfo>& results)
1417 {
1418 PermissionUsedTypeInfo info;
1419 info.tokenId = static_cast<AccessTokenID>(value.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID));
1420 Constant::TransferOpcodeToPermission(value.GetInt(PrivacyFiledConst::FIELD_PERMISSION_CODE), info.permissionName);
1421 uint32_t type = static_cast<uint32_t>(value.GetInt(PrivacyFiledConst::FIELD_USED_TYPE));
1422 if ((type & NORMAL_TYPE_ADD_VALUE) == NORMAL_TYPE_ADD_VALUE) { // normal first
1423 info.type = PermissionUsedType::NORMAL_TYPE;
1424 results.emplace_back(info);
1425 }
1426 if ((type & PICKER_TYPE_ADD_VALUE) == PICKER_TYPE_ADD_VALUE) { // picker second
1427 info.type = PermissionUsedType::PICKER_TYPE;
1428 results.emplace_back(info);
1429 }
1430 if ((type & SEC_COMPONENT_TYPE_ADD_VALUE) == SEC_COMPONENT_TYPE_ADD_VALUE) { // security component last
1431 info.type = PermissionUsedType::SECURITY_COMPONENT_TYPE;
1432 results.emplace_back(info);
1433 }
1434 }
1435
GetPermissionUsedTypeInfos(AccessTokenID tokenId,const std::string & permissionName,std::vector<PermissionUsedTypeInfo> & results)1436 int32_t PermissionRecordManager::GetPermissionUsedTypeInfos(AccessTokenID tokenId, const std::string& permissionName,
1437 std::vector<PermissionUsedTypeInfo>& results)
1438 {
1439 GenericValues value;
1440
1441 if (tokenId != INVALID_TOKENID) {
1442 HapTokenInfo tokenInfo;
1443 if (AccessTokenKit::GetHapTokenInfo(tokenId, tokenInfo) != Constant::SUCCESS) {
1444 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid tokenId(%{public}d).", tokenId);
1445 return PrivacyError::ERR_TOKENID_NOT_EXIST;
1446 }
1447 value.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
1448 }
1449
1450 if (!permissionName.empty()) {
1451 int32_t opCode;
1452 if (!Constant::TransferPermissionToOpcode(permissionName, opCode)) {
1453 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid (%{public}s).", permissionName.c_str());
1454 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
1455 }
1456 value.Put(PrivacyFiledConst::FIELD_PERMISSION_CODE, opCode);
1457 }
1458
1459 std::vector<GenericValues> valueResults;
1460 if (PermissionUsedRecordDb::GetInstance().Query(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
1461 value, valueResults) != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
1462 return Constant::FAILURE;
1463 }
1464
1465 for (const auto& valueResult : valueResults) {
1466 AddDataValueToResults(valueResult, results);
1467 }
1468
1469 ACCESSTOKEN_LOG_INFO(LABEL, "Get %{public}zu permission used type records.", results.size());
1470
1471 return Constant::SUCCESS;
1472 }
1473
GetDeviceId(AccessTokenID tokenId)1474 std::string PermissionRecordManager::GetDeviceId(AccessTokenID tokenId)
1475 {
1476 HapTokenInfo tokenInfo;
1477 if (AccessTokenKit::GetHapTokenInfo(tokenId, tokenInfo) != Constant::SUCCESS) {
1478 return "";
1479 }
1480 if (tokenInfo.deviceID == DEFAULT_DEVICEID) { // local
1481 return ConstantCommon::GetLocalDeviceId();
1482 }
1483 return tokenInfo.deviceID;
1484 }
1485
GetAppStatus(AccessTokenID tokenId)1486 int32_t PermissionRecordManager::GetAppStatus(AccessTokenID tokenId)
1487 {
1488 int32_t status = PERM_ACTIVE_IN_BACKGROUND;
1489 std::vector<AppStateData> foreGroundAppList;
1490 AppManagerAccessClient::GetInstance().GetForegroundApplications(foreGroundAppList);
1491 if (std::any_of(foreGroundAppList.begin(), foreGroundAppList.end(),
1492 [=](const auto& foreGroundApp) { return foreGroundApp.accessTokenId == tokenId; })) {
1493 status = PERM_ACTIVE_IN_FOREGROUND;
1494 }
1495 return status;
1496 }
1497
Register()1498 bool PermissionRecordManager::Register()
1499 {
1500 // app manager death callback register
1501 {
1502 std::lock_guard<std::mutex> lock(appManagerDeathMutex_);
1503 if (appManagerDeathCallback_ == nullptr) {
1504 appManagerDeathCallback_ = std::make_shared<PrivacyAppManagerDeathCallback>();
1505 if (appManagerDeathCallback_ == nullptr) {
1506 ACCESSTOKEN_LOG_ERROR(LABEL, "Register appManagerDeathCallback failed.");
1507 return false;
1508 }
1509 AppManagerAccessClient::GetInstance().RegisterDeathCallback(appManagerDeathCallback_);
1510 }
1511 }
1512 // app state change callback register
1513 {
1514 std::lock_guard<std::mutex> lock(appStateMutex_);
1515 if (appStateCallback_ == nullptr) {
1516 appStateCallback_ = new (std::nothrow) PrivacyAppStateObserver();
1517 if (appStateCallback_ == nullptr) {
1518 ACCESSTOKEN_LOG_ERROR(LABEL, "Register appStateCallback failed.");
1519 return false;
1520 }
1521 AppManagerAccessClient::GetInstance().RegisterApplicationStateObserver(appStateCallback_);
1522 }
1523 }
1524 return true;
1525 }
1526
1527 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
HasUsingCamera()1528 bool PermissionRecordManager::HasUsingCamera()
1529 {
1530 std::lock_guard<std::mutex> lock(startRecordListMutex_);
1531 bool hasCamera = std::any_of(startRecordList_.begin(), startRecordList_.end(),
1532 [](const auto& record) { return record.opCode == Constant::OP_CAMERA; });
1533 return hasCamera;
1534 }
1535
UpdateCameraFloatWindowStatus(AccessTokenID tokenId,bool isShowing)1536 void UpdateCameraFloatWindowStatus(AccessTokenID tokenId, bool isShowing)
1537 {
1538 PermissionRecordManager::GetInstance().NotifyCameraWindowChange(false, tokenId, isShowing);
1539 }
1540
UpdatePipWindowStatus(AccessTokenID tokenId,bool isShowing)1541 void UpdatePipWindowStatus(AccessTokenID tokenId, bool isShowing)
1542 {
1543 PermissionRecordManager::GetInstance().NotifyCameraWindowChange(true, tokenId, isShowing);
1544 }
1545
1546 /* Handle window manager die */
HandleWindowDied()1547 void HandleWindowDied()
1548 {
1549 PermissionRecordManager::GetInstance().OnWindowMgrRemoteDied();
1550 }
1551 #endif
1552
RegisterWindowCallback()1553 bool PermissionRecordManager::RegisterWindowCallback()
1554 {
1555 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1556 ACCESSTOKEN_LOG_INFO(LABEL, "Begin to RegisterWindowCallback.");
1557
1558 std::lock_guard<std::mutex> lock(windowMutex_);
1559 WindowChangeCallback floatCallback = UpdateCameraFloatWindowStatus;
1560 if (floatWindowCallback_ == nullptr) {
1561 floatWindowCallback_ = new (std::nothrow) PrivacyWindowManagerAgent(floatCallback);
1562 if (floatWindowCallback_ == nullptr) {
1563 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to new PrivacyWindowManagerAgent.");
1564 return false;
1565 }
1566 }
1567 ErrCode err = PrivacyWindowManagerClient::GetInstance().RegisterWindowManagerAgent(
1568 WindowManagerAgentType::WINDOW_MANAGER_AGENT_TYPE_CAMERA_FLOAT, floatWindowCallback_);
1569 if (err != ERR_OK) {
1570 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to register float window listener, err:%{public}d", err);
1571 return false;
1572 }
1573
1574 if (Rosen::SceneBoardJudgement::IsSceneBoardEnabled()) {
1575 WindowChangeCallback pipCallback = UpdatePipWindowStatus;
1576
1577 if (pipWindowCallback_ == nullptr) {
1578 pipWindowCallback_ = new (std::nothrow) PrivacyWindowManagerAgent(pipCallback);
1579 if (floatWindowCallback_ == nullptr) {
1580 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to new PrivacyWindowManagerAgent.");
1581 return false;
1582 }
1583 }
1584
1585 err = PrivacyWindowManagerClient::GetInstance().RegisterWindowManagerAgent(
1586 WindowManagerAgentType::WINDOW_MANAGER_AGENT_TYPE_CAMERA_WINDOW, pipWindowCallback_);
1587 if (err != ERR_OK) {
1588 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to register pip window listener, err:%{public}d", err);
1589 PrivacyWindowManagerClient::GetInstance().UnregisterWindowManagerAgent(
1590 WindowManagerAgentType::WINDOW_MANAGER_AGENT_TYPE_CAMERA_FLOAT, floatWindowCallback_);
1591 return false;
1592 }
1593 }
1594
1595 PrivacyWindowManagerClient::GetInstance().AddDeathCallback(HandleWindowDied);
1596 #endif
1597 return true;
1598 }
1599
InitializeMuteState(const std::string & permissionName)1600 void PermissionRecordManager::InitializeMuteState(const std::string& permissionName)
1601 {
1602 if (permissionName == MICROPHONE_PERMISSION_NAME) {
1603 bool isMicMute = AudioManagerPrivacyClient::GetInstance().GetPersistentMicMuteState();
1604 ACCESSTOKEN_LOG_INFO(LABEL, "Mic mute state: %{public}d.", isMicMute);
1605 ModifyMuteStatus(MICROPHONE_PERMISSION_NAME, MIXED, isMicMute);
1606 {
1607 std::lock_guard<std::mutex> lock(micLoadMutex_);
1608 if (!isMicLoad_) {
1609 ACCESSTOKEN_LOG_INFO(LABEL, "Mic mute state: %{public}d.", isMicLoad_);
1610 bool isEdmMute = false;
1611 if (!GetMuteParameter(EDM_MIC_MUTE_KEY, isEdmMute)) {
1612 ACCESSTOKEN_LOG_ERROR(LABEL, "Get param failed");
1613 return;
1614 }
1615 ModifyMuteStatus(MICROPHONE_PERMISSION_NAME, EDM, isEdmMute);
1616 }
1617 }
1618 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1619 bool isCameraMute = CameraManagerPrivacyClient::GetInstance().IsCameraMuted();
1620 ACCESSTOKEN_LOG_INFO(LABEL, "Camera mute state: %{public}d.", isCameraMute);
1621 ModifyMuteStatus(CAMERA_PERMISSION_NAME, MIXED, isCameraMute);
1622 {
1623 std::lock_guard<std::mutex> lock(camLoadMutex_);
1624 if (!isCamLoad_) {
1625 bool isEdmMute = false;
1626 if (!GetMuteParameter(EDM_CAMERA_MUTE_KEY, isEdmMute)) {
1627 ACCESSTOKEN_LOG_ERROR(LABEL, "Get camera param failed");
1628 return;
1629 }
1630 ModifyMuteStatus(CAMERA_PERMISSION_NAME, EDM, isEdmMute);
1631 }
1632 }
1633 }
1634 }
1635
Unregister()1636 void PermissionRecordManager::Unregister()
1637 {
1638 // app state change callback unregister
1639 std::lock_guard<std::mutex> lock(appStateMutex_);
1640 if (appStateCallback_ != nullptr) {
1641 AppManagerAccessClient::GetInstance().UnregisterApplicationStateObserver(appStateCallback_);
1642 appStateCallback_= nullptr;
1643 }
1644 }
1645
GetMuteParameter(const char * key,bool & isMute)1646 bool PermissionRecordManager::GetMuteParameter(const char* key, bool& isMute)
1647 {
1648 char value[VALUE_MAX_LEN] = {0};
1649 int32_t ret = GetParameter(key, "", value, VALUE_MAX_LEN - 1);
1650 if (ret < 0) {
1651 ACCESSTOKEN_LOG_ERROR(LABEL, "Return default value, ret=%{public}d", ret);
1652 return false;
1653 }
1654 isMute = false;
1655 if (strncmp(value, "true", VALUE_MAX_LEN) == 0) {
1656 ACCESSTOKEN_LOG_INFO(LABEL, "EDM not allow.");
1657 isMute = true;
1658 }
1659 return true;
1660 }
1661
OnAppMgrRemoteDiedHandle()1662 void PermissionRecordManager::OnAppMgrRemoteDiedHandle()
1663 {
1664 ACCESSTOKEN_LOG_INFO(LABEL, "Handle app fwk died.");
1665 std::lock_guard<std::mutex> lock(appStateMutex_);
1666 appStateCallback_ = nullptr;
1667 }
1668
OnAudioMgrRemoteDiedHandle()1669 void PermissionRecordManager::OnAudioMgrRemoteDiedHandle()
1670 {
1671 ACCESSTOKEN_LOG_INFO(LABEL, "Handle audio fwk died.");
1672 {
1673 std::lock_guard<std::mutex> lock(micLoadMutex_);
1674 isMicLoad_ = false;
1675 }
1676 RemoveRecordFromStartListByOp(Constant::OP_MICROPHONE);
1677 }
1678
OnCameraMgrRemoteDiedHandle()1679 void PermissionRecordManager::OnCameraMgrRemoteDiedHandle()
1680 {
1681 ACCESSTOKEN_LOG_INFO(LABEL, "Handle camera fwk died.");
1682 {
1683 std::lock_guard<std::mutex> lock(camLoadMutex_);
1684 isCamLoad_ = false;
1685 }
1686 RemoveRecordFromStartListByOp(Constant::OP_CAMERA);
1687 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1688 ClearWindowShowing();
1689 #endif
1690 }
1691
IsCameraWindowShow(AccessTokenID tokenId)1692 bool PermissionRecordManager::IsCameraWindowShow(AccessTokenID tokenId)
1693 {
1694 bool isShow = true;
1695 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1696 std::lock_guard<std::mutex> lock(windowStatusMutex_);
1697 isShow = (((floatWindowTokenId_ == tokenId) && camFloatWindowShowing_) ||
1698 ((pipWindowTokenId_ == tokenId) && pipWindowShowing_));
1699 #endif
1700 return isShow;
1701 }
1702
1703 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1704 /*
1705 * when camera float window is not show, notice camera service to use StopUsingPermission
1706 */
NotifyCameraWindowChange(bool isPip,AccessTokenID tokenId,bool isShowing)1707 void PermissionRecordManager::NotifyCameraWindowChange(bool isPip, AccessTokenID tokenId, bool isShowing)
1708 {
1709 ACCESSTOKEN_LOG_INFO(LABEL, "Update window, isPip(%{public}d), id(%{public}u), status(%{public}d)",
1710 isPip, tokenId, isShowing);
1711 {
1712 std::lock_guard<std::mutex> lock(windowStatusMutex_);
1713 if (isPip) {
1714 pipWindowShowing_ = isShowing;
1715 pipWindowTokenId_ = tokenId;
1716 } else {
1717 camFloatWindowShowing_ = isShowing;
1718 floatWindowTokenId_ = tokenId;
1719 }
1720 }
1721 if (isShowing) {
1722 ACCESSTOKEN_LOG_INFO(LABEL, "Camera float window is showing!");
1723 } else {
1724 if ((GetAppStatus(tokenId) == ActiveChangeType::PERM_ACTIVE_IN_BACKGROUND) &&
1725 !IsCameraWindowShow(tokenId)) {
1726 ACCESSTOKEN_LOG_INFO(LABEL, "Token(%{public}d) is background, pip and float window is not show.", tokenId);
1727 ExecuteCameraCallbackAsync(tokenId, -1);
1728 }
1729 }
1730 }
1731
ClearWindowShowing()1732 void PermissionRecordManager::ClearWindowShowing()
1733 {
1734 ACCESSTOKEN_LOG_INFO(LABEL, "Clear window show status.");
1735 {
1736 std::lock_guard<std::mutex> lock(windowStatusMutex_);
1737 camFloatWindowShowing_ = false;
1738 floatWindowTokenId_ = 0;
1739
1740 pipWindowShowing_ = false;
1741 pipWindowTokenId_ = 0;
1742 }
1743 }
1744
1745 /* Handle window manager die */
OnWindowMgrRemoteDied()1746 void PermissionRecordManager::OnWindowMgrRemoteDied()
1747 {
1748 ACCESSTOKEN_LOG_INFO(LABEL, "Handle window manager died.");
1749 ClearWindowShowing();
1750 }
1751 #endif
1752
SetDefaultConfigValue()1753 void PermissionRecordManager::SetDefaultConfigValue()
1754 {
1755 recordSizeMaximum_ = DEFAULT_PERMISSION_USED_RECORD_SIZE_MAXIMUM;
1756 recordAgingTime_ = DEFAULT_PERMISSION_USED_RECORD_AGING_TIME;
1757 globalDialogBundleName_ = DEFAULT_PERMISSION_MANAGER_BUNDLE_NAME;
1758 globalDialogAbilityName_ = DEFAULT_PERMISSION_MANAGER_DIALOG_ABILITY;
1759 }
1760
GetConfigValue()1761 void PermissionRecordManager::GetConfigValue()
1762 {
1763 LibraryLoader loader(CONFIG_POLICY_LIBPATH);
1764 ConfigPolicyLoaderInterface* policy = loader.GetObject<ConfigPolicyLoaderInterface>();
1765 if (policy == nullptr) {
1766 ACCESSTOKEN_LOG_ERROR(LABEL, "Dlopen libaccesstoken_config_policy failed.");
1767 return;
1768 }
1769 AccessTokenConfigValue value;
1770 if (policy->GetConfigValue(ServiceType::PRIVACY_SERVICE, value)) {
1771 // set value from config
1772 recordSizeMaximum_ = value.pConfig.sizeMaxImum == 0
1773 ? DEFAULT_PERMISSION_USED_RECORD_SIZE_MAXIMUM : value.pConfig.sizeMaxImum;
1774 recordAgingTime_ = value.pConfig.agingTime == 0
1775 ? DEFAULT_PERMISSION_USED_RECORD_AGING_TIME : value.pConfig.agingTime;
1776 globalDialogBundleName_ = value.pConfig.globalDialogBundleName.empty()
1777 ? DEFAULT_PERMISSION_MANAGER_BUNDLE_NAME : value.pConfig.globalDialogBundleName;
1778 globalDialogAbilityName_ = value.pConfig.globalDialogAbilityName.empty()
1779 ? DEFAULT_PERMISSION_MANAGER_DIALOG_ABILITY : value.pConfig.globalDialogAbilityName;
1780 } else {
1781 SetDefaultConfigValue();
1782 }
1783
1784 ACCESSTOKEN_LOG_INFO(LABEL, "RecordSizeMaximum_ is %{public}d, recordAgingTime_ is %{public}d,"
1785 " globalDialogBundleName_ is %{public}s, globalDialogAbilityName_ is %{public}s.",
1786 recordSizeMaximum_, recordAgingTime_, globalDialogBundleName_.c_str(), globalDialogAbilityName_.c_str());
1787 }
1788
GetUniqueId(uint32_t tokenId,int32_t pid) const1789 uint64_t PermissionRecordManager::GetUniqueId(uint32_t tokenId, int32_t pid) const
1790 {
1791 uint32_t tmpPid = (pid <= 0) ? 0 : (uint32_t)pid;
1792 return ((uint64_t)tmpPid << 32) | ((uint64_t)tokenId & 0xFFFFFFFF); // 32: bit
1793 }
1794
IsPidValid(int32_t pid) const1795 bool PermissionRecordManager::IsPidValid(int32_t pid) const
1796 {
1797 return pid > 0;
1798 }
1799
Init()1800 void PermissionRecordManager::Init()
1801 {
1802 if (hasInited_) {
1803 return;
1804 }
1805 ACCESSTOKEN_LOG_INFO(LABEL, "Init");
1806 hasInited_ = true;
1807
1808 #ifdef EVENTHANDLER_ENABLE
1809 deleteEventRunner_ = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
1810 if (deleteEventRunner_ != nullptr) {
1811 deleteEventHandler_ = std::make_shared<AccessEventHandler>(deleteEventRunner_);
1812 }
1813 #endif
1814
1815 GetConfigValue();
1816 }
1817 } // namespace AccessToken
1818 } // namespace Security
1819 } // namespace OHOS