1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "enterprise_device_mgr_ability.h"
17
18 #include <cstring>
19 #include <string_ex.h>
20 #include <thread>
21
22 #include "application_state_observer.h"
23 #include "common_event_manager.h"
24 #include "common_event_support.h"
25 #include "device_policies_storage_rdb.h"
26 #include "directory_ex.h"
27 #include "ipc_skeleton.h"
28 #include "iservice_registry.h"
29 #include "matching_skills.h"
30 #include "message_parcel.h"
31 #include "parameters.h"
32 #include "system_ability.h"
33 #include "system_ability_definition.h"
34
35 #include "edm_constants.h"
36 #include "edm_data_ability_utils.h"
37 #include "edm_errors.h"
38 #include "edm_ipc_interface_code.h"
39 #include "edm_log.h"
40 #include "edm_sys_manager.h"
41 #include "enterprise_admin_connection.h"
42 #include "enterprise_bundle_connection.h"
43 #include "enterprise_conn_manager.h"
44 #include "func_code_utils.h"
45 #include "permission_manager.h"
46
47 #include "password_policy_serializer.h"
48 #include "usb_device_id.h"
49 #include "user_auth_client.h"
50
51 #ifdef PASTEBOARD_EDM_ENABLE
52 #include "clipboard_policy_serializer.h"
53 #include "clipboard_utils.h"
54 #endif
55
56 namespace OHOS {
57 namespace EDM {
58 const bool REGISTER_RESULT =
59 SystemAbility::MakeAndRegisterAbility(EnterpriseDeviceMgrAbility::GetInstance().GetRefPtr());
60
61 const std::string PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN = "ohos.permission.MANAGE_ENTERPRISE_DEVICE_ADMIN";
62 const std::string PERMISSION_SET_ENTERPRISE_INFO = "ohos.permission.SET_ENTERPRISE_INFO";
63 const std::string PERMISSION_ENTERPRISE_SUBSCRIBE_MANAGED_EVENT = "ohos.permission.ENTERPRISE_SUBSCRIBE_MANAGED_EVENT";
64 const std::string PERMISSION_UPDATE_SYSTEM = "ohos.permission.UPDATE_SYSTEM";
65 const std::string PERMISSION_SET_DELEGATED_POLICY = "ohos.permission.ENTERPRISE_MANAGE_DELEGATED_POLICY";
66 const std::string PERMISSION_GET_ADMINPROVISION_INFO = "ohos.permission.START_PROVISIONING_MESSAGE";
67 const std::string PARAM_EDM_ENABLE = "persist.edm.edm_enable";
68 const std::string PARAM_SECURITY_MODE = "ohos.boot.advsecmode.state";
69 const std::string SYSTEM_UPDATE_FOR_POLICY = "usual.event.DUE_SA_FIRMWARE_UPDATE_FOR_POLICY";
70 const std::string FIRMWARE_EVENT_INFO_NAME = "version";
71 const std::string FIRMWARE_EVENT_INFO_TYPE = "packageType";
72 const std::string FIRMWARE_EVENT_INFO_CHECK_TIME = "firstReceivedTime";
73 const std::string DEVELOP_MODE_STATE = "const.security.developermode.state";
74 const std::string APP_TYPE_ENTERPRISE_MDM = "enterprise_mdm";
75 const std::string APP_TYPE_ENTERPRISE_NORMAL = "enterprise_normal";
76 const char* const KEY_EDM_DISPLAY = "com.enterprise.enterprise_device_manager_display";
77
78 std::mutex EnterpriseDeviceMgrAbility::mutexLock_;
79
80 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::instance_;
81
82 constexpr int32_t TIMER_TIMEOUT = 360000; // 6 * 60 * 1000;
83
AddCommonEventFuncMap()84 void EnterpriseDeviceMgrAbility::AddCommonEventFuncMap()
85 {
86 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED] =
87 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
88 that->OnCommonEventUserRemoved(data);
89 };
90 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_ADDED] =
91 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
92 that->OnCommonEventPackageAdded(data);
93 };
94 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED] =
95 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
96 that->OnCommonEventPackageRemoved(data);
97 };
98 commonEventFuncMap_[SYSTEM_UPDATE_FOR_POLICY] =
99 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
100 that->OnCommonEventSystemUpdate(data);
101 };
102 }
103
OnCommonEventSystemUpdate(const EventFwk::CommonEventData & data)104 void EnterpriseDeviceMgrAbility::OnCommonEventSystemUpdate(const EventFwk::CommonEventData &data)
105 {
106 EDMLOGI("OnCommonEventSystemUpdate");
107 UpdateInfo updateInfo;
108 updateInfo.version = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_NAME);
109 updateInfo.firstReceivedTime = data.GetWant().GetLongParam(FIRMWARE_EVENT_INFO_CHECK_TIME, 0);
110 updateInfo.packageType = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_TYPE);
111
112 ConnectAbilityOnSystemUpdate(updateInfo);
113 }
114
ConnectAbilityOnSystemUpdate(const UpdateInfo & updateInfo)115 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemUpdate(const UpdateInfo &updateInfo)
116 {
117 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
118 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::SYSTEM_UPDATE, subAdmins);
119 if (subAdmins.empty()) {
120 EDMLOGW("Get subscriber by common event failed.");
121 return;
122 }
123 AAFwk::Want want;
124 for (const auto &subAdmin : subAdmins) {
125 for (const auto &it : subAdmin.second) {
126 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
127 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
128 sptr<IEnterpriseConnection> connection =
129 manager->CreateUpdateConnection(want, subAdmin.first, updateInfo);
130 manager->ConnectAbility(connection);
131 }
132 }
133 }
134
AddOnAddSystemAbilityFuncMap()135 void EnterpriseDeviceMgrAbility::AddOnAddSystemAbilityFuncMap()
136 {
137 addSystemAbilityFuncMap_[APP_MGR_SERVICE_ID] =
138 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
139 that->OnAppManagerServiceStart();
140 };
141 addSystemAbilityFuncMap_[COMMON_EVENT_SERVICE_ID] =
142 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
143 that->OnCommonEventServiceStart();
144 };
145 addSystemAbilityFuncMap_[ABILITY_MGR_SERVICE_ID] =
146 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
147 that->OnAbilityManagerServiceStart();
148 };
149 addSystemAbilityFuncMap_[SUBSYS_USERIAM_SYS_ABILITY_USERAUTH] =
150 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
151 that->OnUserAuthFrameworkStart();
152 };
153 #ifdef PASTEBOARD_EDM_ENABLE
154 addSystemAbilityFuncMap_[PASTEBOARD_SERVICE_ID] =
155 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
156 that->OnPasteboardServiceStart();
157 };
158 #endif
159 #ifdef USB_EDM_ENABLE
160 addSystemAbilityFuncMap_[USB_SYSTEM_ABILITY_ID] =
161 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
162 that->OnUsbServiceStart();
163 };
164 #endif
165 }
166
167 #ifdef COMMON_EVENT_SERVICE_EDM_ENABLE
EnterpriseDeviceEventSubscriber(const EventFwk::CommonEventSubscribeInfo & subscribeInfo,EnterpriseDeviceMgrAbility & listener)168 EnterpriseDeviceEventSubscriber::EnterpriseDeviceEventSubscriber(
169 const EventFwk::CommonEventSubscribeInfo &subscribeInfo,
170 EnterpriseDeviceMgrAbility &listener) : EventFwk::CommonEventSubscriber(subscribeInfo), listener_(listener) {}
171
OnReceiveEvent(const EventFwk::CommonEventData & data)172 void EnterpriseDeviceEventSubscriber::OnReceiveEvent(const EventFwk::CommonEventData &data)
173 {
174 const std::string action = data.GetWant().GetAction();
175 EDMLOGI("EDM OnReceiveEvent get action: %{public}s", action.c_str());
176 auto func = listener_.commonEventFuncMap_.find(action);
177 if (func != listener_.commonEventFuncMap_.end()) {
178 auto commonEventFunc = func->second;
179 if (commonEventFunc != nullptr) {
180 return commonEventFunc(&listener_, data);
181 }
182 } else {
183 EDMLOGW("OnReceiveEvent action is invalid");
184 }
185 }
186
CreateEnterpriseDeviceEventSubscriber(EnterpriseDeviceMgrAbility & listener)187 std::shared_ptr<EventFwk::CommonEventSubscriber> EnterpriseDeviceMgrAbility::CreateEnterpriseDeviceEventSubscriber(
188 EnterpriseDeviceMgrAbility &listener)
189 {
190 EventFwk::MatchingSkills skill = EventFwk::MatchingSkills();
191 AddCommonEventFuncMap();
192 for (auto &item : commonEventFuncMap_) {
193 if (item.first == SYSTEM_UPDATE_FOR_POLICY) {
194 continue;
195 }
196 skill.AddEvent(item.first);
197 EDMLOGI("CreateEnterpriseDeviceEventSubscriber AddEvent: %{public}s", item.first.c_str());
198 }
199 EventFwk::CommonEventSubscribeInfo info(skill);
200 return std::make_shared<EnterpriseDeviceEventSubscriber>(info, listener);
201 }
202 #endif
203
OnCommonEventUserRemoved(const EventFwk::CommonEventData & data)204 void EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved(const EventFwk::CommonEventData &data)
205 {
206 int userIdToRemove = data.GetCode();
207 if (userIdToRemove == 0) {
208 return;
209 }
210 EDMLOGI("OnCommonEventUserRemoved");
211 std::lock_guard<std::mutex> autoLock(mutexLock_);
212 // include super admin, need to be removed
213 std::vector<std::shared_ptr<Admin>> userAdmin;
214 adminMgr_->GetAdminByUserId(userIdToRemove, userAdmin);
215 for (auto &item : userAdmin) {
216 if (FAILED(RemoveAdminAndAdminPolicy(item->adminInfo_.packageName_, userIdToRemove))) {
217 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved remove admin failed packagename = %{public}s",
218 item->adminInfo_.packageName_.c_str());
219 }
220 }
221 std::vector<std::shared_ptr<Admin>> subAndSuperAdmin;
222 adminMgr_->GetAdminByUserId(DEFAULT_USER_ID, subAndSuperAdmin);
223 for (const auto &subAdmin : subAndSuperAdmin) {
224 if ((subAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN || subAdmin->GetAdminType() == AdminType::ENT ||
225 subAdmin->GetAdminType() == AdminType::VIRTUAL_ADMIN) &&
226 FAILED(RemoveAdminAndAdminPolicy(subAdmin->adminInfo_.packageName_, userIdToRemove))) {
227 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved: remove sub and super admin policy failed.");
228 }
229 }
230 }
231
OnCommonEventPackageAdded(const EventFwk::CommonEventData & data)232 void EnterpriseDeviceMgrAbility::OnCommonEventPackageAdded(const EventFwk::CommonEventData &data)
233 {
234 EDMLOGI("OnCommonEventPackageAdded");
235 AAFwk::Want want = data.GetWant();
236 std::string bundleName = want.GetElement().GetBundleName();
237 int32_t userId = want.GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
238 if (userId == AppExecFwk::Constants::INVALID_USERID) {
239 EDMLOGE("OnCommonEventPackageAdded get INVALID_USERID");
240 return;
241 }
242 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_ADDED, userId);
243 }
244
OnCommonEventPackageRemoved(const EventFwk::CommonEventData & data)245 void EnterpriseDeviceMgrAbility::OnCommonEventPackageRemoved(const EventFwk::CommonEventData &data)
246 {
247 EDMLOGI("OnCommonEventPackageRemoved");
248 std::string bundleName = data.GetWant().GetElement().GetBundleName();
249 int32_t userId = data.GetWant().GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
250 if (userId == AppExecFwk::Constants::INVALID_USERID) {
251 EDMLOGE("OnCommonEventPackageRemoved get INVALID_USERID");
252 return;
253 }
254 std::lock_guard<std::mutex> autoLock(mutexLock_);
255 std::shared_ptr<Admin> admin = adminMgr_->GetAdminByPkgName(bundleName, userId);
256 if (admin != nullptr) {
257 if (admin->adminInfo_.adminType_ == AdminType::NORMAL) {
258 RemoveAdminAndAdminPolicy(bundleName, userId);
259 }
260 if ((admin->adminInfo_.adminType_ == AdminType::SUB_SUPER_ADMIN ||
261 admin->adminInfo_.adminType_ == AdminType::VIRTUAL_ADMIN) && userId == DEFAULT_USER_ID) {
262 // remove sub super admin and sub super admin policy
263 RemoveSubSuperAdminAndAdminPolicy(bundleName);
264 }
265 if (admin->adminInfo_.adminType_ == AdminType::ENT && userId == DEFAULT_USER_ID) {
266 // remove super admin and super admin policy
267 RemoveSuperAdminAndAdminPolicy(bundleName);
268 }
269 if (admin->adminInfo_.adminType_ == AdminType::BYOD && userId == EdmConstants::DEFAULT_USER_ID) {
270 RemoveAdminAndAdminPolicy(bundleName, userId);
271 }
272 if (!adminMgr_->IsAdminExist()) {
273 system::SetParameter(PARAM_EDM_ENABLE, "false");
274 }
275 }
276 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_REMOVED, userId);
277 }
278
ConnectAbilityOnSystemEvent(const std::string & bundleName,ManagedEvent event,int32_t userId)279 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemEvent(const std::string &bundleName,
280 ManagedEvent event, int32_t userId)
281 {
282 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
283 adminMgr_->GetAdminBySubscribeEvent(event, subAdmins);
284 if (subAdmins.empty()) {
285 EDMLOGW("Get subscriber by common event failed.");
286 return;
287 }
288 AAFwk::Want want;
289 for (const auto &subAdmin : subAdmins) {
290 for (const auto &it : subAdmin.second) {
291 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
292 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
293 sptr<IEnterpriseConnection> connection =
294 manager->CreateBundleConnection(want, static_cast<uint32_t>(event), subAdmin.first, bundleName, userId);
295 manager->ConnectAbility(connection);
296 }
297 }
298 }
299
GetInstance()300 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::GetInstance()
301 {
302 if (instance_ == nullptr) {
303 std::lock_guard<std::mutex> autoLock(mutexLock_);
304 if (instance_ == nullptr) {
305 EDMLOGD("EnterpriseDeviceMgrAbility:GetInstance instance = new EnterpriseDeviceMgrAbility()");
306 instance_ = new (std::nothrow) EnterpriseDeviceMgrAbility();
307 }
308 }
309 return instance_;
310 }
311
EnterpriseDeviceMgrAbility()312 EnterpriseDeviceMgrAbility::EnterpriseDeviceMgrAbility() : SystemAbility(ENTERPRISE_DEVICE_MANAGER_SA_ID, true)
313 {
314 EDMLOGI("EnterpriseDeviceMgrAbility:new instance");
315 }
316
~EnterpriseDeviceMgrAbility()317 EnterpriseDeviceMgrAbility::~EnterpriseDeviceMgrAbility()
318 {
319 instance_ = nullptr;
320
321 if (adminMgr_) {
322 adminMgr_.reset();
323 }
324
325 if (pluginMgr_) {
326 pluginMgr_.reset();
327 }
328
329 if (policyMgr_) {
330 policyMgr_.reset();
331 }
332 EDMLOGD("instance is destroyed");
333 }
334
Dump(int32_t fd,const std::vector<std::u16string> & args)335 int32_t EnterpriseDeviceMgrAbility::Dump(int32_t fd, const std::vector<std::u16string> &args)
336 {
337 EDMLOGI("EnterpriseDeviceMgrAbility::Dump");
338 if (fd < 0) {
339 EDMLOGE("Dump fd invalid");
340 return ERR_EDM_DUMP_FAILED;
341 }
342 std::string result;
343 result.append("Ohos enterprise device manager service: \n");
344 std::vector<std::string> enabledAdminList;
345 GetEnabledAdmin(AdminType::NORMAL, enabledAdminList);
346 if (enabledAdminList.empty()) {
347 result.append("There is no admin enabled\n");
348 } else {
349 result.append("Enabled admin exist :\n");
350 for (const auto &enabledAdmin : enabledAdminList) {
351 result.append(enabledAdmin);
352 result.append("\n");
353 }
354 }
355 int32_t ret = dprintf(fd, "%s", result.c_str());
356 if (ret < 0) {
357 EDMLOGE("dprintf to dump fd failed");
358 return ERR_EDM_DUMP_FAILED;
359 }
360 return ERR_OK;
361 }
362
OnStart()363 void EnterpriseDeviceMgrAbility::OnStart()
364 {
365 std::lock_guard<std::mutex> autoLock(mutexLock_);
366 EDMLOGD("EnterpriseDeviceMgrAbility::OnStart() Publish");
367 InitAllAdmins();
368 InitAllPolices();
369 RemoveAllDebugAdmin();
370 if (!registerToService_) {
371 if (!Publish(this)) {
372 EDMLOGE("EnterpriseDeviceMgrAbility: res == false");
373 return;
374 }
375 registerToService_ = true;
376 }
377 AddOnAddSystemAbilityFuncMap();
378 AddSystemAbilityListeners();
379 CheckAndUpdateByodSettingsData();
380 }
381
CheckAndUpdateByodSettingsData()382 void EnterpriseDeviceMgrAbility::CheckAndUpdateByodSettingsData()
383 {
384 if (adminMgr_->IsByodAdminExist()) {
385 EDMLOGD("CheckAndUpdateByodSettingsData:byod exist.");
386 std::string data;
387 if (!FAILED(EdmDataAbilityUtils::GetStringFromSettingsDataShare(KEY_EDM_DISPLAY, data)) && data == "false") {
388 EDMLOGD("CheckAndUpdateByodSettingsData:settingsData is false.");
389 EdmDataAbilityUtils::UpdateSettingsData(KEY_EDM_DISPLAY, "true");
390 }
391 }
392 }
393
InitAllAdmins()394 void EnterpriseDeviceMgrAbility::InitAllAdmins()
395 {
396 if (!adminMgr_) {
397 adminMgr_ = AdminManager::GetInstance();
398 }
399 EDMLOGD("create adminMgr_ success");
400 adminMgr_->Init();
401 }
402
InitAllPlugins()403 void EnterpriseDeviceMgrAbility::InitAllPlugins()
404 {
405 if (!pluginMgr_) {
406 pluginMgr_ = PluginManager::GetInstance();
407 }
408 EDMLOGD("create pluginMgr_ success");
409 lastCallTime_ = std::chrono::system_clock::now();
410 if (pluginHasInit_) {
411 std::unique_lock<std::mutex> lock(waitMutex_);
412 notifySignal_ = true;
413 waitSignal_.notify_one();
414 } else {
415 pluginMgr_->LoadPlugin();
416 pluginHasInit_ = true;
417 std::thread timerThread([this]() {
418 this->UnloadPluginTask();
419 });
420 timerThread.detach();
421 }
422 }
423
UnloadPluginTask()424 void EnterpriseDeviceMgrAbility::UnloadPluginTask()
425 {
426 while (pluginHasInit_) {
427 std::unique_lock<std::mutex> lock(waitMutex_);
428 notifySignal_ = false;
429 waitSignal_.wait_for(lock, std::chrono::milliseconds(TIMER_TIMEOUT), [this] { return this->notifySignal_; });
430 auto now = std::chrono::system_clock::now();
431 auto diffTime = std::chrono::duration_cast<std::chrono::milliseconds>(now - lastCallTime_).count();
432 if (diffTime >= std::chrono::milliseconds(TIMER_TIMEOUT).count()) {
433 std::lock_guard<std::mutex> autoLock(mutexLock_);
434 if (pluginMgr_) {
435 pluginMgr_->UnloadPlugin();
436 }
437 pluginHasInit_ = false;
438 }
439 }
440 }
441
InitAllPolices()442 void EnterpriseDeviceMgrAbility::InitAllPolices()
443 {
444 if (!policyMgr_) {
445 policyMgr_ = std::make_shared<PolicyManager>();
446 IPolicyManager::policyManagerInstance_ = policyMgr_.get();
447 }
448 std::vector<int32_t> userIds;
449 auto devicePolicies = DevicePoliciesStorageRdb::GetInstance();
450 if (devicePolicies == nullptr) {
451 EDMLOGW("OnAddSystemAbility::InitAllPolices:get rdbStore failed.");
452 return;
453 }
454 EDMLOGI("InitAllPolices userIds size %{public}zu", userIds.size());
455 devicePolicies->QueryAllUserId(userIds);
456 policyMgr_->Init(userIds);
457 allowDelegatedPolicies_ = { "disallow_add_local_account", "disallow_add_os_account_by_user",
458 "disallow_running_bundles", "manage_auto_start_apps", "allowed_bluetooth_devices", "set_browser_policies",
459 "allowed_install_bundles", "disallowed_install_bundles", "disallowed_uninstall_bundles", "snapshot_skip",
460 "location_policy", "disabled_network_interface", "global_proxy", "disabled_bluetooth",
461 "disallow_modify_datetime", "disabled_printer", "policy_screen_shot", "disabled_hdc", "disable_microphone",
462 "fingerprint_auth", "disable_usb", "disable_wifi", "disallowed_tethering", "inactive_user_freeze",
463 "password_policy", "clipboard_policy", "ntp_server", "set_update_policy", "notify_upgrade_packages",
464 "allowed_usb_devices", "usb_read_only", "disallowed_usb_devices", "get_device_info", "watermark_image_policy",
465 "policy_screen_record" };
466 }
467
RemoveAllDebugAdmin()468 void EnterpriseDeviceMgrAbility::RemoveAllDebugAdmin()
469 {
470 bool isDebug = system::GetBoolParameter(DEVELOP_MODE_STATE, false);
471 if (!isDebug) {
472 std::vector<std::shared_ptr<Admin>> userAdmin;
473 adminMgr_->GetAdminByUserId(DEFAULT_USER_ID, userAdmin);
474 for (const auto &item: userAdmin) {
475 if (item->adminInfo_.isDebug_) {
476 EDMLOGD("remove debug admin %{public}s", item->adminInfo_.packageName_.c_str());
477 RemoveSuperAdminAndAdminPolicy(item->adminInfo_.packageName_);
478 }
479 }
480 }
481 }
482
AddSystemAbilityListeners()483 void EnterpriseDeviceMgrAbility::AddSystemAbilityListeners()
484 {
485 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
486 AddSystemAbilityListener(APP_MGR_SERVICE_ID);
487 AddSystemAbilityListener(ABILITY_MGR_SERVICE_ID);
488 AddSystemAbilityListener(SUBSYS_USERIAM_SYS_ABILITY_USERAUTH);
489 #ifdef PASTEBOARD_EDM_ENABLE
490 AddSystemAbilityListener(PASTEBOARD_SERVICE_ID);
491 #endif
492 #ifdef USB_EDM_ENABLE
493 AddSystemAbilityListener(USB_SYSTEM_ABILITY_ID);
494 #endif
495 }
496
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)497 void EnterpriseDeviceMgrAbility::OnAddSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
498 {
499 EDMLOGD("OnAddSystemAbility systemAbilityId:%{public}d added!", systemAbilityId);
500 auto func = addSystemAbilityFuncMap_.find(systemAbilityId);
501 if (func != addSystemAbilityFuncMap_.end()) {
502 auto memberFunc = func->second;
503 if (memberFunc != nullptr) {
504 return memberFunc(this, systemAbilityId, deviceId);
505 }
506 }
507 }
508
OnAppManagerServiceStart()509 void EnterpriseDeviceMgrAbility::OnAppManagerServiceStart()
510 {
511 EDMLOGI("OnAppManagerServiceStart");
512 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
513 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
514 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
515 if (!subAdmins.empty()) {
516 EDMLOGI("the admin that listened the APP_START or APP_STOP event is existed");
517 SubscribeAppState();
518 }
519 }
520
OnAbilityManagerServiceStart()521 void EnterpriseDeviceMgrAbility::OnAbilityManagerServiceStart()
522 {
523 EDMLOGI("OnAbilityManagerServiceStart");
524 auto superAdmin = adminMgr_->GetSuperAdmin();
525 if (superAdmin != nullptr) {
526 AAFwk::Want connectWant;
527 connectWant.SetElementName(superAdmin->adminInfo_.packageName_, superAdmin->adminInfo_.className_);
528 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
529 sptr<IEnterpriseConnection> connection = manager->CreateAdminConnection(connectWant,
530 IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, DEFAULT_USER_ID, false);
531 manager->ConnectAbility(connection);
532 }
533 }
534
OnCommonEventServiceStart()535 void EnterpriseDeviceMgrAbility::OnCommonEventServiceStart()
536 {
537 #ifdef COMMON_EVENT_SERVICE_EDM_ENABLE
538 commonEventSubscriber = CreateEnterpriseDeviceEventSubscriber(*this);
539 EventFwk::CommonEventManager::SubscribeCommonEvent(this->commonEventSubscriber);
540 EDMLOGI("create commonEventSubscriber success");
541
542 EventFwk::MatchingSkills skill = EventFwk::MatchingSkills();
543 skill.AddEvent(SYSTEM_UPDATE_FOR_POLICY);
544 EDMLOGI("CreateEnterpriseDeviceEventSubscriber AddEvent: %{public}s", SYSTEM_UPDATE_FOR_POLICY.c_str());
545 EventFwk::CommonEventSubscribeInfo info(skill);
546 info.SetPermission(PERMISSION_UPDATE_SYSTEM);
547 EventFwk::CommonEventManager::SubscribeCommonEvent(std::make_shared<EnterpriseDeviceEventSubscriber>(info, *this));
548 #else
549 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventServiceStart Unsupported Capabilities.");
550 return;
551 #endif
552 }
553
554 #ifdef PASTEBOARD_EDM_ENABLE
OnPasteboardServiceStart()555 void EnterpriseDeviceMgrAbility::OnPasteboardServiceStart()
556 {
557 EDMLOGI("OnPasteboardServiceStart");
558 std::string policyData;
559 policyMgr_->GetPolicy("", "clipboard_policy", policyData, DEFAULT_USER_ID);
560 auto clipboardSerializer_ = ClipboardSerializer::GetInstance();
561 std::map<int32_t, ClipboardPolicy> policyMap;
562 clipboardSerializer_->Deserialize(policyData, policyMap);
563 ClipboardUtils::HandlePasteboardPolicy(policyMap);
564 }
565 #endif
566
OnUserAuthFrameworkStart()567 void EnterpriseDeviceMgrAbility::OnUserAuthFrameworkStart()
568 {
569 EDMLOGI("OnUserAuthFrameworkStart");
570 std::string policyData;
571 policyMgr_->GetPolicy("", "password_policy", policyData, DEFAULT_USER_ID);
572 auto serializer_ = PasswordSerializer::GetInstance();
573 PasswordPolicy policy;
574 serializer_->Deserialize(policyData, policy);
575 UserIam::UserAuth::GlobalConfigParam param;
576 param.type = UserIam::UserAuth::GlobalConfigType::PIN_EXPIRED_PERIOD;
577 param.value.pinExpiredPeriod = policy.validityPeriod;
578 int32_t ret = UserIam::UserAuth::UserAuthClient::GetInstance().SetGlobalConfigParam(param);
579 if (ret != 0) {
580 EDMLOGW("SetGlobalConfigParam Error");
581 }
582 }
583
584 #ifdef USB_EDM_ENABLE
OnUsbServiceStart()585 void EnterpriseDeviceMgrAbility::OnUsbServiceStart()
586 {
587 EDMLOGI("OnUsbServiceStart");
588 std::string disableUsbPolicy;
589 policyMgr_->GetPolicy("", "disable_usb", disableUsbPolicy, DEFAULT_USER_ID);
590 bool isUsbDisabled = false;
591 BoolSerializer::GetInstance()->Deserialize(policyData, isUsbDisabled);
592 if (isUsbDisabled) {
593 ErrCode disableUsbRet = UsbPolicyUtils::SetUsbDisabled(isUsbDisabled);
594 if (disableUsbRet != ERR_OK) {
595 EDMLOGW("SetUsbDisabled Error: %{public}d", disableUsbRet);
596 }
597 return;
598 }
599
600 std::string allowUsbDevicePolicy;
601 policyMgr_->GetPolicy("", "allowed_usb_devices", allowUsbDevicePolicy, DEFAULT_USER_ID);
602 std::vector<UsbDeviceId> usbDeviceIds;
603 ArrayUsbDeviceIdSerializer::GetInstance()->Deserialize(policyData, usbDeviceIds);
604 if (!usbDeviceIds.empty()) {
605 ErrCode allowedUsbRet = UsbPolicyUtils::AddAllowedUsbDevices(usbDeviceIds);
606 if (allowedUsbRet != ERR_OK) {
607 EDMLOGW("AddAllowedUsbDevices Error: %{public}d", allowedUsbRet);
608 }
609 return;
610 }
611
612 std::string usbStoragePolicy;
613 policyMgr_->GetPolicy("", "usb_read_only", usbStoragePolicy, EdmConstants::DEFAULT_USER_ID);
614 std::string disallowUsbDevicePolicy;
615 policyMgr_->GetPolicy("", "disallowed_usb_devices", disallowUsbDevicePolicy, DEFAULT_USER_ID);
616 std::vector<USB::UsbDeviceType> disallowedDevices;
617 ArrayUsbDeviceTypeSerializer::GetInstance()->Deserialize(policyData, disallowedDevices);
618 if (usbStoragePolicy == std::to_string(EdmConstants::STORAGE_USB_POLICY_DISABLED)) {
619 USB::UsbDeviceType storageType;
620 storageType.baseClass = USB_DEVICE_TYPE_BASE_CLASS_STORAGE;
621 storageType.subClass = USB_DEVICE_TYPE_BASE_CLASS_STORAGE;
622 storageType.protocol = USB_DEVICE_TYPE_BASE_CLASS_STORAGE;
623 storageType.isDeviceType = false;
624 disallowedDevices.emplace_back(storageType);
625 }
626 if (!disallowedDevices.empty()) {
627 ErrCode disallowedUsbRet = UsbPolicyUtils::SetDisallowedUsbDevices(disallowedDevices);
628 if (disallowedUsbRet != ERR_OK) {
629 EDMLOGW("SetDisallowedUsbDevices Error: %{public}d", disableUsbRet);
630 }
631 }
632 }
633 #endif
634
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)635 void EnterpriseDeviceMgrAbility::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string &deviceId) {}
636
OnStop()637 void EnterpriseDeviceMgrAbility::OnStop()
638 {
639 EDMLOGD("EnterpriseDeviceMgrAbility::OnStop()");
640 std::lock_guard<std::mutex> autoLock(mutexLock_);
641 if (pluginHasInit_) {
642 pluginHasInit_ = false;
643 std::unique_lock<std::mutex> lock(waitMutex_);
644 notifySignal_ = true;
645 waitSignal_.notify_one();
646 }
647 }
648
GetAllPermissionsByAdmin(const std::string & bundleInfoName,AdminType adminType,int32_t userId,std::vector<std::string> & permissionList)649 ErrCode EnterpriseDeviceMgrAbility::GetAllPermissionsByAdmin(const std::string &bundleInfoName, AdminType adminType,
650 int32_t userId, std::vector<std::string> &permissionList)
651 {
652 permissionList.clear();
653 AppExecFwk::BundleInfo bundleInfo;
654 EDMLOGD("GetAllPermissionsByAdmin GetBundleInfo: bundleInfoName %{public}s userid %{public}d",
655 bundleInfoName.c_str(), userId);
656 bool ret = GetBundleMgr()->GetBundleInfo(bundleInfoName,
657 AppExecFwk::BundleFlag::GET_BUNDLE_WITH_REQUESTED_PERMISSION, bundleInfo, userId);
658 if (!ret) {
659 EDMLOGW("GetAllPermissionsByAdmin: GetBundleInfo failed %{public}d", ret);
660 return ERR_EDM_PARAM_ERROR;
661 }
662 PermissionManager::GetInstance()->GetAdminGrantedPermission(bundleInfo.reqPermissions, adminType, permissionList);
663 return ERR_OK;
664 }
665
GetBundleMgr()666 std::shared_ptr<IEdmBundleManager> EnterpriseDeviceMgrAbility::GetBundleMgr()
667 {
668 return GetExternalManagerFactory()->CreateBundleManager();
669 }
670
GetAppMgr()671 std::shared_ptr<IEdmAppManager> EnterpriseDeviceMgrAbility::GetAppMgr()
672 {
673 return GetExternalManagerFactory()->CreateAppManager();
674 }
675
GetOsAccountMgr()676 std::shared_ptr<IEdmOsAccountManager> EnterpriseDeviceMgrAbility::GetOsAccountMgr()
677 {
678 return GetExternalManagerFactory()->CreateOsAccountManager();
679 }
680
SubscribeAppState()681 bool EnterpriseDeviceMgrAbility::SubscribeAppState()
682 {
683 if (appStateObserver_) {
684 EDMLOGD("appStateObserver has subscribed");
685 return true;
686 }
687 appStateObserver_ = new (std::nothrow) ApplicationStateObserver(*this);
688 if (!appStateObserver_) {
689 EDMLOGE("new ApplicationStateObserver failed");
690 return false;
691 }
692 if (GetAppMgr()->RegisterApplicationStateObserver(appStateObserver_)) {
693 EDMLOGE("RegisterApplicationStateObserver fail!");
694 appStateObserver_.clear();
695 appStateObserver_ = nullptr;
696 return false;
697 }
698 return true;
699 }
700
UnsubscribeAppState()701 bool EnterpriseDeviceMgrAbility::UnsubscribeAppState()
702 {
703 if (!appStateObserver_) {
704 EDMLOGD("appStateObserver has subscribed");
705 return true;
706 }
707 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
708 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
709 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
710 if (!subAdmins.empty()) {
711 return true;
712 }
713 if (GetAppMgr()->UnregisterApplicationStateObserver(appStateObserver_)) {
714 EDMLOGE("UnregisterApplicationStateObserver fail!");
715 return false;
716 }
717 appStateObserver_.clear();
718 appStateObserver_ = nullptr;
719 return true;
720 }
721
VerifyEnableAdminCondition(AppExecFwk::ElementName & admin,AdminType type,int32_t userId,bool isDebug)722 ErrCode EnterpriseDeviceMgrAbility::VerifyEnableAdminCondition(AppExecFwk::ElementName &admin, AdminType type,
723 int32_t userId, bool isDebug)
724 {
725 if ((type == AdminType::ENT || type == AdminType::BYOD) && userId != DEFAULT_USER_ID) {
726 EDMLOGW("EnableAdmin: Super or byod admin can only be enabled in default user.");
727 return ERR_EDM_ADD_ADMIN_FAILED;
728 }
729
730 if (type != AdminType::ENT && system::GetBoolParameter(PARAM_SECURITY_MODE, false)) {
731 EDMLOGW("EnableAdmin: The current mode is not supported.");
732 return ERR_EDM_ADD_ADMIN_FAILED;
733 }
734
735 if (isDebug && adminMgr_->IsSuperAdminExist()) {
736 EDMLOGW("EnableAdmin: An official super admin exsit, cannot enable another debug admin");
737 return ERR_EDM_ADD_ADMIN_FAILED;
738 }
739
740 if (VerifyEnableAdminConditionCheckExistAdmin(admin, type, userId, isDebug) != ERR_OK) {
741 return ERR_EDM_ADD_ADMIN_FAILED;
742 }
743 return ERR_OK;
744 }
745
VerifyEnableAdminConditionCheckExistAdmin(AppExecFwk::ElementName & admin,AdminType type,int32_t userId,bool isDebug)746 ErrCode EnterpriseDeviceMgrAbility::VerifyEnableAdminConditionCheckExistAdmin(AppExecFwk::ElementName &admin,
747 AdminType type, int32_t userId, bool isDebug)
748 {
749 std::shared_ptr<Admin> existAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
750 if (existAdmin != nullptr) {
751 if (type == AdminType::BYOD && existAdmin->GetAdminType() != AdminType::BYOD) {
752 EDMLOGW("EnableAdmin: a byod admin can't be enabled when alreadly enabled other admin.");
753 return ERR_EDM_ADD_ADMIN_FAILED;
754 }
755 if (type != AdminType::BYOD && existAdmin->GetAdminType() == AdminType::BYOD) {
756 EDMLOGW("EnableAdmin: a admin can't be enabled when alreadly enabled byod admin.");
757 return ERR_EDM_ADD_ADMIN_FAILED;
758 }
759 if (existAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN ||
760 existAdmin->GetAdminType() == AdminType::VIRTUAL_ADMIN) {
761 EDMLOGW("EnableAdmin: sub-super admin can not be enabled as a normal or super admin.");
762 return ERR_EDM_ADD_ADMIN_FAILED;
763 }
764 if (existAdmin->GetAdminType() == AdminType::ENT && type != AdminType::ENT) {
765 EDMLOGW("EnableAdmin: an exist super admin can't be enabled twice with different role or user id.");
766 return ERR_EDM_ADD_ADMIN_FAILED;
767 }
768 if (isDebug != existAdmin->adminInfo_.isDebug_) {
769 EDMLOGW("EnableAdmin: debug parameter can not be changed.");
770 return ERR_EDM_ADD_ADMIN_FAILED;
771 }
772 /* An application can't be enabled twice with different ability name */
773 if (existAdmin->adminInfo_.className_ != admin.GetAbilityName()) {
774 EDMLOGW("EnableAdmin: There is another admin ability enabled with the same package name.");
775 return ERR_EDM_ADD_ADMIN_FAILED;
776 }
777 return ERR_OK;
778 }
779 if (!isDebug && type == AdminType::BYOD && adminMgr_->IsAdminExist()) {
780 EDMLOGW("EnableAdmin: byod admin not allowd enable when another admin enabled.");
781 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
782 }
783 if (!isDebug && type != AdminType::BYOD && adminMgr_->IsByodAdminExist()) {
784 EDMLOGW("EnableAdmin: other admin not allowd enable when byod admin enabled.");
785 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
786 }
787 return ERR_OK;
788 }
789
AddDisallowUninstallApp(const std::string & bundleName)790 ErrCode EnterpriseDeviceMgrAbility::AddDisallowUninstallApp(const std::string &bundleName)
791 {
792 AppExecFwk::BundleInfo bundleInfo;
793 GetBundleMgr()->GetBundleInfo(bundleName, AppExecFwk::BundleFlag::GET_BUNDLE_WITH_ABILITIES,
794 bundleInfo, DEFAULT_USER_ID);
795 std::vector<std::string> data = {bundleInfo.appId};
796 if (FAILED(GetBundleMgr()->AddAppInstallControlRule(data,
797 AppExecFwk::AppInstallControlRuleType::DISALLOWED_UNINSTALL, DEFAULT_USER_ID))) {
798 EDMLOGE("EnterpriseDeviceMgrAbility::AddDisallowUninstallApp failed");
799 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
800 }
801 return ERR_OK;
802 }
803
DelDisallowUninstallApp(const std::string & bundleName)804 ErrCode EnterpriseDeviceMgrAbility::DelDisallowUninstallApp(const std::string &bundleName)
805 {
806 AppExecFwk::BundleInfo bundleInfo;
807 GetBundleMgr()->GetBundleInfo(bundleName, AppExecFwk::BundleFlag::GET_BUNDLE_WITH_ABILITIES,
808 bundleInfo, DEFAULT_USER_ID);
809 std::vector<std::string> data = {bundleInfo.appId};
810 if (FAILED(GetBundleMgr()->DeleteAppInstallControlRule(
811 AppExecFwk::AppInstallControlRuleType::DISALLOWED_UNINSTALL, data, DEFAULT_USER_ID))) {
812 EDMLOGE("EnterpriseDeviceMgrAbility::DelDisallowUninstallApp failed");
813 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
814 }
815 return ERR_OK;
816 }
817
EnableAdmin(AppExecFwk::ElementName & admin,EntInfo & entInfo,AdminType type,int32_t userId)818 ErrCode EnterpriseDeviceMgrAbility::EnableAdmin(AppExecFwk::ElementName &admin, EntInfo &entInfo, AdminType type,
819 int32_t userId)
820 {
821 EDMLOGD("EnterpriseDeviceMgrAbility::EnableAdmin user id = %{public}d", userId);
822 std::lock_guard<std::mutex> autoLock(mutexLock_);
823 bool isDebug = GetAccessTokenMgr()->IsDebug();
824 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
825 if (!isDebug && !GetAccessTokenMgr()->VerifyCallingPermission(tokenId, PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
826 EDMLOGW("EnterpriseDeviceMgrAbility::EnableAdmin check permission failed");
827 return EdmReturnErrCode::PERMISSION_DENIED;
828 }
829 std::vector<AppExecFwk::ExtensionAbilityInfo> abilityInfo;
830 AAFwk::Want want;
831 want.SetElement(admin);
832 if (!GetBundleMgr()->QueryExtensionAbilityInfos(want, AppExecFwk::ExtensionAbilityType::ENTERPRISE_ADMIN,
833 AppExecFwk::ExtensionAbilityInfoFlag::GET_EXTENSION_INFO_WITH_PERMISSION, userId, abilityInfo) ||
834 abilityInfo.empty()) {
835 EDMLOGW("EnableAdmin: QueryExtensionAbilityInfos failed");
836 return EdmReturnErrCode::COMPONENT_INVALID;
837 }
838 if (FAILED(VerifyEnableAdminCondition(admin, type, userId, isDebug))) {
839 EDMLOGW("EnableAdmin: VerifyEnableAdminCondition failed.");
840 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
841 }
842 std::shared_ptr<Admin> existAdmin = AdminManager::GetInstance()->GetAdminByPkgName(admin.GetBundleName(), userId);
843 if (!isDebug && type == AdminType::ENT && AdminManager::GetInstance()->IsSuperAdminExist()) {
844 if ((existAdmin == nullptr) || existAdmin->adminInfo_.adminType_ != AdminType::ENT) {
845 EDMLOGW("EnableAdmin: There is another super admin enabled.");
846 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
847 }
848 }
849 /* Get all request and registered permissions */
850 std::vector<std::string> permissionList;
851 if (FAILED(GetAllPermissionsByAdmin(admin.GetBundleName(), type, userId, permissionList))) {
852 EDMLOGW("EnableAdmin: GetAllPermissionsByAdmin failed");
853 return EdmReturnErrCode::COMPONENT_INVALID;
854 }
855 Admin edmAdmin(abilityInfo.at(0), type, entInfo, permissionList, isDebug);
856 if (FAILED(adminMgr_->SetAdminValue(userId, edmAdmin))) {
857 EDMLOGE("EnableAdmin: SetAdminValue failed.");
858 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
859 }
860 AfterEnableAdmin(admin, type, userId);
861 return ERR_OK;
862 }
863
AfterEnableAdmin(AppExecFwk::ElementName & admin,AdminType type,int32_t userId)864 void EnterpriseDeviceMgrAbility::AfterEnableAdmin(AppExecFwk::ElementName &admin, AdminType type, int32_t userId)
865 {
866 system::SetParameter(PARAM_EDM_ENABLE, "true");
867 EDMLOGI("EnableAdmin suc.:%{public}s type:%{public}d", admin.GetBundleName().c_str(), static_cast<uint32_t>(type));
868 AAFwk::Want connectWant;
869 connectWant.SetElementName(admin.GetBundleName(), admin.GetAbilityName());
870 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
871 sptr<IEnterpriseConnection> connection =
872 manager->CreateAdminConnection(connectWant, IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, userId);
873 manager->ConnectAbility(connection);
874 if (type == AdminType::BYOD) {
875 AddDisallowUninstallApp(admin.GetBundleName());
876 EdmDataAbilityUtils::UpdateSettingsData(KEY_EDM_DISPLAY, "true");
877 }
878 }
879
RemoveAdminItem(const std::string & adminName,const std::string & policyName,const std::string & policyValue,int32_t userId)880 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminItem(const std::string &adminName, const std::string &policyName,
881 const std::string &policyValue, int32_t userId)
882 {
883 InitAllPlugins();
884 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByPolicyName(policyName);
885 if (plugin == nullptr) {
886 EDMLOGW("RemoveAdminItem: Get plugin by policy failed: %{public}s\n", policyName.c_str());
887 return ERR_EDM_GET_PLUGIN_MGR_FAILED;
888 }
889 ErrCode ret = plugin->OnAdminRemove(adminName, policyValue, userId);
890 if (ret != ERR_OK) {
891 EDMLOGW("RemoveAdminItem: OnAdminRemove failed, admin:%{public}s, value:%{public}s, res:%{public}d\n",
892 adminName.c_str(), policyValue.c_str(), ret);
893 }
894 if (plugin->NeedSavePolicy()) {
895 std::string mergedPolicyData;
896 ret = plugin->MergePolicyData(adminName, mergedPolicyData);
897 if (ret != ERR_OK) {
898 EDMLOGW("RemoveAdminItem: Get admin by policy name failed: %{public}s, ErrCode:%{public}d\n",
899 policyName.c_str(), ret);
900 }
901
902 ErrCode setRet = ERR_OK;
903 std::unordered_map<std::string, std::string> adminListMap;
904 ret = policyMgr_->GetAdminByPolicyName(policyName, adminListMap, userId);
905 if ((ret == ERR_EDM_POLICY_NOT_FOUND) || adminListMap.empty()) {
906 setRet = policyMgr_->SetPolicy("", policyName, "", "", userId);
907 } else {
908 setRet = policyMgr_->SetPolicy(adminName, policyName, "", mergedPolicyData, userId);
909 }
910
911 if (FAILED(setRet)) {
912 EDMLOGW("RemoveAdminItem: DeleteAdminPolicy failed, admin:%{public}s, policy:%{public}s, res:%{public}d\n",
913 adminName.c_str(), policyName.c_str(), ret);
914 return ERR_EDM_DEL_ADMIN_FAILED;
915 }
916 }
917 plugin->OnAdminRemoveDone(adminName, policyValue, userId);
918 return ERR_OK;
919 }
920
RemoveAdminAndAdminPolicy(const std::string & adminName,int32_t userId)921 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminAndAdminPolicy(const std::string &adminName, int32_t userId)
922 {
923 EDMLOGD("RemoveAdminAndAdminPolicy:admin: %{public}s, user id:%{public}d.", adminName.c_str(), userId);
924 ErrCode removeAdminPolicyRet = RemoveAdminPolicy(adminName, userId);
925 if (FAILED(removeAdminPolicyRet)) {
926 EDMLOGE("Remove admin %{public}s policy with user id = %{public}d fail.", adminName.c_str(), userId);
927 return removeAdminPolicyRet;
928 }
929
930 ErrCode removeAdminRet = RemoveAdmin(adminName, userId);
931 if (FAILED(removeAdminRet)) {
932 EDMLOGE("Remove admin %{public}s with user id = %{public}d fail.", adminName.c_str(), userId);
933 return removeAdminRet;
934 }
935 return ERR_OK;
936 }
937
RemoveAdmin(const std::string & adminName,int32_t userId)938 ErrCode EnterpriseDeviceMgrAbility::RemoveAdmin(const std::string &adminName, int32_t userId)
939 {
940 bool shouldUnsubscribeAppState = ShouldUnsubscribeAppState(adminName, userId);
941 auto ret = adminMgr_->DeleteAdmin(adminName, userId);
942 if (ret != ERR_OK && ret != ERR_EDM_UNKNOWN_ADMIN) {
943 return ERR_EDM_DEL_ADMIN_FAILED;
944 }
945 if (shouldUnsubscribeAppState) {
946 UnsubscribeAppState();
947 }
948 return ERR_OK;
949 }
950
RemoveAdminPolicy(const std::string & adminName,int32_t userId)951 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminPolicy(const std::string &adminName, int32_t userId)
952 {
953 std::unordered_map<std::string, std::string> policyItems;
954 policyMgr_->GetAllPolicyByAdmin(adminName, policyItems, userId);
955 for (const auto &policyItem : policyItems) {
956 std::string policyItemName = policyItem.first;
957 std::string policyItemValue = policyItem.second;
958 EDMLOGD("RemoveAdminPolicy:policyName:%{public}s", policyItemName.c_str());
959 if (RemoveAdminItem(adminName, policyItemName, policyItemValue, userId) != ERR_OK) {
960 return ERR_EDM_DEL_ADMIN_FAILED;
961 }
962 }
963 return ERR_OK;
964 }
965
RemoveSubSuperAdminAndAdminPolicy(const std::string & bundleName)966 ErrCode EnterpriseDeviceMgrAbility::RemoveSubSuperAdminAndAdminPolicy(const std::string &bundleName)
967 {
968 std::vector<int32_t> userIds;
969 policyMgr_->GetPolicyUserIds(userIds);
970 return RemoveSubOrSuperAdminAndAdminPolicy(bundleName, userIds);
971 }
972
RemoveSuperAdminAndAdminPolicy(const std::string & bundleName)973 ErrCode EnterpriseDeviceMgrAbility::RemoveSuperAdminAndAdminPolicy(const std::string &bundleName)
974 {
975 std::vector<int32_t> userIds;
976 policyMgr_->GetPolicyUserIds(userIds);
977 // remove sub-super admin
978 std::vector<std::string> subAdmins;
979 adminMgr_->GetSubSuperAdminsByParentName(bundleName, subAdmins);
980 for (auto const &subAdminName : subAdmins) {
981 if (RemoveSubOrSuperAdminAndAdminPolicy(subAdminName, userIds) != ERR_OK) {
982 return ERR_EDM_DEL_ADMIN_FAILED;
983 }
984 }
985 // remove super admin on other userid
986 return RemoveSubOrSuperAdminAndAdminPolicy(bundleName, userIds);
987 }
988
RemoveSubOrSuperAdminAndAdminPolicy(const std::string & bundleName,const std::vector<int32_t> & nonDefaultUserIds)989 ErrCode EnterpriseDeviceMgrAbility::RemoveSubOrSuperAdminAndAdminPolicy(const std::string &bundleName,
990 const std::vector<int32_t> &nonDefaultUserIds)
991 {
992 // remove super admin on other userid
993 for (auto const &userId : nonDefaultUserIds) {
994 if (RemoveAdminAndAdminPolicy(bundleName, userId) != ERR_OK) {
995 return ERR_EDM_DEL_ADMIN_FAILED;
996 }
997 }
998 // remove super admin default userid
999 return RemoveAdminAndAdminPolicy(bundleName, DEFAULT_USER_ID);
1000 }
1001
ShouldUnsubscribeAppState(const std::string & adminName,int32_t userId)1002 bool EnterpriseDeviceMgrAbility::ShouldUnsubscribeAppState(const std::string &adminName, int32_t userId)
1003 {
1004 std::shared_ptr<Admin> adminPtr = adminMgr_->GetAdminByPkgName(adminName, userId);
1005 if (adminPtr == nullptr) {
1006 EDMLOGE("ShouldUnsubscribeAppState adminPtr null");
1007 return false;
1008 }
1009 return std::any_of(adminPtr->adminInfo_.managedEvents_.begin(), adminPtr->adminInfo_.managedEvents_.end(),
1010 [](ManagedEvent event) { return event == ManagedEvent::APP_START || event == ManagedEvent::APP_STOP; });
1011 }
1012
DisableAdmin(AppExecFwk::ElementName & admin,int32_t userId)1013 ErrCode EnterpriseDeviceMgrAbility::DisableAdmin(AppExecFwk::ElementName &admin, int32_t userId)
1014 {
1015 EDMLOGI("EnterpriseDeviceMgrAbility::DisableAdmin user id = %{public}d", userId);
1016 std::shared_ptr<Admin> deviceAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
1017 if (deviceAdmin == nullptr) {
1018 EDMLOGE("DisableAdmin: %{public}s is not activated", admin.GetBundleName().c_str());
1019 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1020 }
1021 AdminType adminType = deviceAdmin->GetAdminType();
1022 if (adminType == AdminType::ENT || adminType == AdminType::BYOD) {
1023 userId = DEFAULT_USER_ID;
1024 }
1025 return DoDisableAdmin(admin.GetBundleName(), userId, adminType);
1026 }
1027
CheckCallingUid(const std::string & bundleName)1028 ErrCode EnterpriseDeviceMgrAbility::CheckCallingUid(const std::string &bundleName)
1029 {
1030 // super admin can be removed by itself
1031 int uid = GetCallingUid();
1032 std::string callingBundleName;
1033 if (GetBundleMgr()->GetNameForUid(uid, callingBundleName) != ERR_OK) {
1034 EDMLOGW("CheckCallingUid failed: get bundleName for uid %{public}d fail.", uid);
1035 return ERR_EDM_PERMISSION_ERROR;
1036 }
1037 if (bundleName == callingBundleName) {
1038 return ERR_OK;
1039 }
1040 EDMLOGW("CheckCallingUid failed: only the app %{public}s can remove itself.", callingBundleName.c_str());
1041 return ERR_EDM_PERMISSION_ERROR;
1042 }
1043
DisableSuperAdmin(const std::string & bundleName)1044 ErrCode EnterpriseDeviceMgrAbility::DisableSuperAdmin(const std::string &bundleName)
1045 {
1046 EDMLOGI("EnterpriseDeviceMgrAbility::DisableSuperAdmin bundle name = %{public}s", bundleName.c_str());
1047 return DoDisableAdmin(bundleName, DEFAULT_USER_ID, AdminType::ENT);
1048 }
1049
DoDisableAdmin(const std::string & bundleName,int32_t userId,AdminType adminType)1050 ErrCode EnterpriseDeviceMgrAbility::DoDisableAdmin(const std::string &bundleName, int32_t userId, AdminType adminType)
1051 {
1052 std::lock_guard<std::mutex> autoLock(mutexLock_);
1053 bool isDebug = GetAccessTokenMgr()->IsDebug();
1054 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1055 if (!isDebug && !GetAccessTokenMgr()->VerifyCallingPermission(tokenId, PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
1056 EDMLOGW("DoDisableAdmin::DisableSuperAdmin check permission failed.");
1057 return EdmReturnErrCode::PERMISSION_DENIED;
1058 }
1059 std::shared_ptr<Admin> admin = adminMgr_->GetAdminByPkgName(bundleName, userId);
1060 if (admin == nullptr) {
1061 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1062 }
1063 if (isDebug && !admin->adminInfo_.isDebug_) {
1064 EDMLOGW("DoDisableAdmin: shell command can only remove debug super admin.");
1065 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1066 }
1067 if (admin->adminInfo_.adminType_ != adminType) {
1068 EDMLOGW("DoDisableAdmin: only remove the certain admin.");
1069 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1070 }
1071 if (adminType == AdminType::ENT && FAILED(RemoveSuperAdminAndAdminPolicy(bundleName))) {
1072 EDMLOGW("DoDisableAdmin: remove admin failed.");
1073 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1074 } else if ((adminType == AdminType::NORMAL || adminType == AdminType::BYOD) &&
1075 FAILED(RemoveAdminAndAdminPolicy(bundleName, userId))) {
1076 EDMLOGW("DoDisableAdmin: disable normal or byod admin failed.");
1077 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
1078 }
1079 if (!adminMgr_->IsAdminExist()) {
1080 system::SetParameter(PARAM_EDM_ENABLE, "false");
1081 }
1082 AAFwk::Want want;
1083 want.SetElementName(admin->adminInfo_.packageName_, admin->adminInfo_.className_);
1084 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
1085 sptr<IEnterpriseConnection> connection =
1086 manager->CreateAdminConnection(want, IEnterpriseAdmin::COMMAND_ON_ADMIN_DISABLED, userId);
1087 manager->ConnectAbility(connection);
1088 if (adminType == AdminType::BYOD) {
1089 DelDisallowUninstallApp(bundleName);
1090 EdmDataAbilityUtils::UpdateSettingsData(KEY_EDM_DISPLAY, "false");
1091 }
1092 return ERR_OK;
1093 }
1094
IsSuperAdmin(const std::string & bundleName)1095 bool EnterpriseDeviceMgrAbility::IsSuperAdmin(const std::string &bundleName)
1096 {
1097 std::lock_guard<std::mutex> autoLock(mutexLock_);
1098 return adminMgr_->IsSuperAdmin(bundleName);
1099 }
1100
IsAdminEnabled(AppExecFwk::ElementName & admin,int32_t userId)1101 bool EnterpriseDeviceMgrAbility::IsAdminEnabled(AppExecFwk::ElementName &admin, int32_t userId)
1102 {
1103 std::lock_guard<std::mutex> autoLock(mutexLock_);
1104 std::shared_ptr<Admin> existAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
1105 if (existAdmin != nullptr) {
1106 EDMLOGD("IsAdminEnabled: get admin successed");
1107 return true;
1108 }
1109 return false;
1110 }
1111
GetCurrentUserId()1112 int32_t EnterpriseDeviceMgrAbility::GetCurrentUserId()
1113 {
1114 std::vector<int32_t> ids;
1115 ErrCode ret = GetOsAccountMgr()->QueryActiveOsAccountIds(ids);
1116 if (FAILED(ret) || ids.empty()) {
1117 EDMLOGE("EnterpriseDeviceMgrAbility GetCurrentUserId failed");
1118 return -1;
1119 }
1120 EDMLOGD("EnterpriseDeviceMgrAbility GetCurrentUserId user id = %{public}d", ids.at(0));
1121 return (ids.at(0));
1122 }
1123
UpdateDevicePolicy(uint32_t code,const std::string & bundleName,MessageParcel & data,MessageParcel & reply,int32_t userId)1124 ErrCode EnterpriseDeviceMgrAbility::UpdateDevicePolicy(uint32_t code, const std::string &bundleName,
1125 MessageParcel &data, MessageParcel &reply, int32_t userId)
1126 {
1127 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1128 if (plugin == nullptr) {
1129 EDMLOGW("UpdateDevicePolicy: get plugin failed, code:%{public}d", code);
1130 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1131 }
1132
1133 std::string policyName = plugin->GetPolicyName();
1134 HandlePolicyData handlePolicyData{"", false};
1135 policyMgr_->GetPolicy(bundleName, policyName, handlePolicyData.policyData, userId);
1136 ErrCode ret = plugin->GetExecuteStrategy()->OnSetExecute(code, data, reply, handlePolicyData, userId);
1137 if (FAILED(ret)) {
1138 EDMLOGW("UpdateDevicePolicy: OnHandlePolicy failed");
1139 return ret;
1140 }
1141 EDMLOGD("UpdateDevicePolicy: isChanged:%{public}d, needSave:%{public}d", handlePolicyData.isChanged,
1142 plugin->NeedSavePolicy());
1143 std::string oldCombinePolicy;
1144 policyMgr_->GetPolicy("", policyName, oldCombinePolicy, userId);
1145 std::string mergedPolicy = handlePolicyData.policyData;
1146 bool isGlobalChanged = false;
1147 if (plugin->NeedSavePolicy() && handlePolicyData.isChanged) {
1148 ret = plugin->MergePolicyData(bundleName, mergedPolicy);
1149 if (FAILED(ret)) {
1150 EDMLOGW("UpdateDevicePolicy: MergePolicyData failed error:%{public}d", ret);
1151 return ret;
1152 }
1153 policyMgr_->SetPolicy(bundleName, policyName, handlePolicyData.policyData, mergedPolicy, userId);
1154 isGlobalChanged = (oldCombinePolicy != mergedPolicy);
1155 }
1156 plugin->OnHandlePolicyDone(code, bundleName, isGlobalChanged, userId);
1157 return ERR_OK;
1158 }
1159
HandleDevicePolicy(uint32_t code,AppExecFwk::ElementName & admin,MessageParcel & data,MessageParcel & reply,int32_t userId)1160 ErrCode EnterpriseDeviceMgrAbility::HandleDevicePolicy(uint32_t code, AppExecFwk::ElementName &admin,
1161 MessageParcel &data, MessageParcel &reply, int32_t userId)
1162 {
1163 std::lock_guard<std::mutex> autoLock(mutexLock_);
1164 InitAllPlugins();
1165 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1166 if (plugin == nullptr) {
1167 EDMLOGW("HandleDevicePolicy: get plugin failed, code:%{public}d", code);
1168 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1169 }
1170 #ifndef EDM_FUZZ_TEST
1171 bool isUserExist = false;
1172 GetOsAccountMgr()->IsOsAccountExists(userId, isUserExist);
1173 if (!isUserExist) {
1174 return EdmReturnErrCode::PARAM_ERROR;
1175 }
1176 ErrCode checkSystemCalling = CheckSystemCalling(plugin->GetApiType(FuncOperateType::SET), "");
1177 if (FAILED(checkSystemCalling)) {
1178 return checkSystemCalling;
1179 }
1180 EDMLOGI("HandleDevicePolicy: HandleDevicePolicy userId = %{public}d", userId);
1181 std::shared_ptr<Admin> deviceAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1182 if (deviceAdmin == nullptr) {
1183 EDMLOGE("HandleDevicePolicy: %{public}s is not activated", admin.GetBundleName().c_str());
1184 return EdmReturnErrCode::ADMIN_INACTIVE;
1185 }
1186 std::string setPermission = plugin->GetPermission(FuncOperateType::SET,
1187 AdminTypeToPermissionType(deviceAdmin->GetAdminType()), data.ReadString());
1188 EDMLOGD("HandleDevicePolicy: HandleDevicePolicy GetPermission = %{public}s", setPermission.c_str());
1189 ErrCode checkAdminPermission = CheckHandlePolicyPermission(FuncOperateType::SET, admin.GetBundleName(),
1190 plugin->GetPolicyName(), setPermission, userId);
1191 if (FAILED(checkAdminPermission)) {
1192 return checkAdminPermission;
1193 }
1194 #endif
1195 ErrCode ret = UpdateDevicePolicy(code, admin.GetBundleName(), data, reply, userId);
1196 CreateSecurityContent(admin.GetBundleName(), admin.GetAbilityName(), code, plugin->GetPolicyName(), ret);
1197 return ret;
1198 }
1199
AdminTypeToPermissionType(AdminType adminType)1200 IPlugin::PermissionType EnterpriseDeviceMgrAbility::AdminTypeToPermissionType(AdminType adminType)
1201 {
1202 if (adminType == AdminType::BYOD) {
1203 return IPlugin::PermissionType::BYOD_DEVICE_ADMIN;
1204 }
1205 return IPlugin::PermissionType::SUPER_DEVICE_ADMIN;
1206 }
1207
CreateSecurityContent(const std::string & bundleName,const std::string & abilityName,uint32_t code,const std::string & policyName,ErrCode errorCode)1208 void EnterpriseDeviceMgrAbility::CreateSecurityContent(const std::string &bundleName, const std::string &abilityName,
1209 uint32_t code, const std::string &policyName, ErrCode errorCode)
1210 {
1211 ReportInfo reportInfo = ReportInfo(FuncCodeUtils::GetOperateType(code), policyName, std::to_string(errorCode));
1212 SecurityReport::ReportSecurityInfo(bundleName, abilityName, reportInfo);
1213 }
1214
GetDevicePolicy(uint32_t code,MessageParcel & data,MessageParcel & reply,int32_t userId)1215 ErrCode EnterpriseDeviceMgrAbility::GetDevicePolicy(uint32_t code, MessageParcel &data, MessageParcel &reply,
1216 int32_t userId)
1217 {
1218 std::lock_guard<std::mutex> autoLock(mutexLock_);
1219 bool isUserExist = false;
1220 GetOsAccountMgr()->IsOsAccountExists(userId, isUserExist);
1221 if (!isUserExist) {
1222 return EdmReturnErrCode::PARAM_ERROR;
1223 }
1224 InitAllPlugins();
1225 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1226 if (plugin == nullptr) {
1227 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1228 }
1229 std::string permissionTag = data.ReadString();
1230 ErrCode checkSystemCalling = CheckSystemCalling(plugin->GetApiType(FuncOperateType::GET), permissionTag);
1231 if (FAILED(checkSystemCalling)) {
1232 return checkSystemCalling;
1233 }
1234 AppExecFwk::ElementName elementName;
1235 // has admin
1236 if (data.ReadInt32() == 0) {
1237 std::unique_ptr<AppExecFwk::ElementName> admin(data.ReadParcelable<AppExecFwk::ElementName>());
1238 if (!admin) {
1239 EDMLOGW("GetDevicePolicy: ReadParcelable failed");
1240 return EdmReturnErrCode::PARAM_ERROR;
1241 }
1242 #ifndef EDM_FUZZ_TEST
1243 std::shared_ptr<Admin> deviceAdmin = adminMgr_->GetAdminByPkgName(admin->GetBundleName(), GetCurrentUserId());
1244 if (deviceAdmin == nullptr) {
1245 return EdmReturnErrCode::ADMIN_INACTIVE;
1246 }
1247 std::string getPermission = plugin->GetPermission(FuncOperateType::GET,
1248 AdminTypeToPermissionType(deviceAdmin->GetAdminType()), permissionTag);
1249 ErrCode ret = CheckHandlePolicyPermission(FuncOperateType::GET, admin->GetBundleName(), plugin->GetPolicyName(),
1250 getPermission, userId);
1251 if (FAILED(ret)) {
1252 return ret;
1253 }
1254 #endif
1255 elementName.SetBundleName(admin->GetBundleName());
1256 elementName.SetAbilityName(admin->GetAbilityName());
1257 }
1258 std::string policyName = plugin->GetPolicyName();
1259 std::string policyValue;
1260
1261 if (plugin->NeedSavePolicy()) {
1262 policyMgr_->GetPolicy(elementName.GetBundleName(), policyName, policyValue, userId);
1263 }
1264 ErrCode getRet = plugin->GetExecuteStrategy()->OnGetExecute(code, policyValue, data, reply, userId);
1265 CreateSecurityContent(elementName.GetBundleName(), elementName.GetAbilityName(), code, plugin->GetPolicyName(),
1266 getRet);
1267 return getRet;
1268 }
1269
1270
CheckAndGetAdminProvisionInfo(uint32_t code,MessageParcel & data,MessageParcel & reply,int32_t userId)1271 ErrCode EnterpriseDeviceMgrAbility::CheckAndGetAdminProvisionInfo(uint32_t code, MessageParcel &data,
1272 MessageParcel &reply, int32_t userId)
1273 {
1274 std::unique_ptr<AppExecFwk::ElementName> admin(data.ReadParcelable<AppExecFwk::ElementName>());
1275 if (!admin) {
1276 EDMLOGW("CheckAndGetAdminProvisionInfo: ReadParcelable failed");
1277 return EdmReturnErrCode::PARAM_ERROR;
1278 }
1279 EDMLOGD("CheckAndGetAdminProvisionInfo bundleName: %{public}s, abilityName : %{public}s ",
1280 admin->GetBundleName().c_str(), admin->GetAbilityName().c_str());
1281
1282 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1283 if (!GetAccessTokenMgr()->VerifyCallingPermission(tokenId, PERMISSION_GET_ADMINPROVISION_INFO)) {
1284 EDMLOGE("CheckAndGetAdminProvisionInfo::VerifyCallingPermission check permission failed.");
1285 return EdmReturnErrCode::PERMISSION_DENIED;
1286 }
1287 Security::AccessToken::HapTokenInfo hapTokenInfo;
1288 if (FAILED(Security::AccessToken::AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfo)) ||
1289 hapTokenInfo.bundleName != admin->GetBundleName()) {
1290 EDMLOGE("CheckAndGetAdminProvisionInfo::calling bundleName is not input bundleName.");
1291 return EdmReturnErrCode::PARAM_ERROR;
1292 }
1293 std::vector<AppExecFwk::ExtensionAbilityInfo> abilityInfo;
1294 AAFwk::Want want;
1295 want.SetElement(*admin);
1296 if (!GetBundleMgr()->QueryExtensionAbilityInfos(want, AppExecFwk::ExtensionAbilityType::ENTERPRISE_ADMIN,
1297 AppExecFwk::ExtensionAbilityInfoFlag::GET_EXTENSION_INFO_WITH_PERMISSION, userId, abilityInfo) ||
1298 abilityInfo.empty()) {
1299 EDMLOGW("CheckAndGetAdminProvisionInfo: QueryExtensionAbilityInfos failed");
1300 return EdmReturnErrCode::PARAM_ERROR;
1301 }
1302 InitAllPlugins();
1303 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1304 if (plugin == nullptr) {
1305 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1306 }
1307 if (adminMgr_->IsAdminExist()) {
1308 EDMLOGE("CheckAndGetAdminProvisionInfo::device exist admin.");
1309 return EdmReturnErrCode::PARAM_ERROR;
1310 }
1311 std::string policyValue;
1312 AppExecFwk::ElementName elementName;
1313 ErrCode getRet = plugin->GetExecuteStrategy()->OnGetExecute(code, policyValue, data, reply, userId);
1314 CreateSecurityContent(elementName.GetBundleName(), elementName.GetAbilityName(), code, plugin->GetPolicyName(),
1315 getRet);
1316 return getRet;
1317 }
1318
CheckSystemCalling(IPlugin::ApiType apiType,const std::string & permissionTag)1319 ErrCode EnterpriseDeviceMgrAbility::CheckSystemCalling(IPlugin::ApiType apiType, const std::string &permissionTag)
1320 {
1321 bool isCheckSystem = (apiType == IPlugin::ApiType::SYSTEM)
1322 || (permissionTag == EdmConstants::PERMISSION_TAG_SYSTEM_API);
1323 if (isCheckSystem && !GetAccessTokenMgr()->IsSystemAppOrNative()) {
1324 EDMLOGE("CheckSystemCalling: not system app or native process");
1325 return EdmReturnErrCode::SYSTEM_API_DENIED;
1326 }
1327 return ERR_OK;
1328 }
1329
CheckHandlePolicyPermission(FuncOperateType operateType,const std::string & bundleName,const std::string & policyName,const std::string & permissionName,int32_t userId)1330 ErrCode EnterpriseDeviceMgrAbility::CheckHandlePolicyPermission(FuncOperateType operateType,
1331 const std::string &bundleName, const std::string &policyName, const std::string &permissionName, int32_t userId)
1332 {
1333 if (operateType == FuncOperateType::SET && permissionName.empty()) {
1334 EDMLOGE("CheckHandlePolicyPermission failed, set policy need permission.");
1335 return EdmReturnErrCode::PERMISSION_DENIED;
1336 }
1337 if (permissionName == NONE_PERMISSION_MATCH) {
1338 EDMLOGE("CheckHandlePolicyPermission: GetPermission failed!");
1339 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1340 }
1341 std::shared_ptr<Admin> deviceAdmin = adminMgr_->GetAdminByPkgName(bundleName, GetCurrentUserId());
1342 if (deviceAdmin == nullptr) {
1343 EDMLOGE("CheckHandlePolicyPermission: get admin failed");
1344 return EdmReturnErrCode::ADMIN_INACTIVE;
1345 }
1346 if (FAILED(CheckCallingUid(deviceAdmin->adminInfo_.packageName_))) {
1347 EDMLOGE("CheckHandlePolicyPermission: CheckCallingUid failed.");
1348 return EdmReturnErrCode::PERMISSION_DENIED;
1349 }
1350 if (operateType == FuncOperateType::SET && deviceAdmin->GetAdminType() == AdminType::NORMAL &&
1351 userId != GetCurrentUserId()) {
1352 EDMLOGE("CheckHandlePolicyPermission: this admin does not have permission to handle policy of other account.");
1353 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1354 }
1355 if (!permissionName.empty()) {
1356 EDMLOGI("CheckHandlePolicyPermission: permissionName:%{public}s", permissionName.c_str());
1357 auto ret = CheckAndUpdatePermission(deviceAdmin, IPCSkeleton::GetCallingTokenID(), permissionName, userId);
1358 if (FAILED(ret)) {
1359 return ret;
1360 }
1361 }
1362 if (permissionName.empty() && deviceAdmin->GetAdminType() == AdminType::BYOD) {
1363 return EdmReturnErrCode::PERMISSION_DENIED;
1364 }
1365 if (!adminMgr_->HasPermissionToHandlePolicy(deviceAdmin, policyName)) {
1366 EDMLOGE("CheckHandlePolicyPermission: this admin does not have permission to handle the policy.");
1367 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1368 }
1369 return ERR_OK;
1370 }
1371
CheckAndUpdatePermission(std::shared_ptr<Admin> admin,Security::AccessToken::AccessTokenID tokenId,const std::string & permission,int32_t userId)1372 ErrCode EnterpriseDeviceMgrAbility::CheckAndUpdatePermission(std::shared_ptr<Admin> admin,
1373 Security::AccessToken::AccessTokenID tokenId, const std::string &permission, int32_t userId)
1374 {
1375 if (admin == nullptr) {
1376 EDMLOGE("CheckHandlePolicyPermission: this admin does not have permission to handle the policy.");
1377 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1378 }
1379 bool callingPermission = GetAccessTokenMgr()->VerifyCallingPermission(tokenId, permission);
1380 bool adminPermission = admin->CheckPermission(permission);
1381 EDMLOGI("CheckAndUpdatePermission: callingPermission = %{public}d adminPermission = %{public}d.",
1382 callingPermission, adminPermission);
1383 if (callingPermission != adminPermission) {
1384 std::vector<std::string> permissionList;
1385 if (FAILED(GetAllPermissionsByAdmin(admin->adminInfo_.packageName_, admin->GetAdminType(), userId,
1386 permissionList))) {
1387 EDMLOGE("CheckAndUpdatePermission get all permission that admin request failed.");
1388 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1389 }
1390 auto hasPermission = std::find(permissionList.begin(), permissionList.end(), permission);
1391 if (!callingPermission && hasPermission != permissionList.end()) {
1392 EDMLOGE("CheckAndUpdatePermission access token check abnormally.");
1393 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1394 }
1395 if (!adminPermission && hasPermission == permissionList.end()) {
1396 EDMLOGE("CheckAndUpdatePermission this admin does not have the permission.");
1397 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1398 }
1399 Admin updateAdmin(admin->adminInfo_.packageName_, admin->GetAdminType(), permissionList);
1400 updateAdmin.SetAccessiblePolicies(admin->adminInfo_.accessiblePolicies_);
1401 if (FAILED(adminMgr_->UpdateAdmin(admin, userId, updateAdmin))) {
1402 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1403 }
1404 }
1405 if (!callingPermission) {
1406 return EdmReturnErrCode::PERMISSION_DENIED;
1407 }
1408 return ERR_OK;
1409 }
1410
GetEnabledAdmin(AdminType type,std::vector<std::string> & enabledAdminList)1411 ErrCode EnterpriseDeviceMgrAbility::GetEnabledAdmin(AdminType type, std::vector<std::string> &enabledAdminList)
1412 {
1413 std::lock_guard<std::mutex> autoLock(mutexLock_);
1414 std::vector<std::string> superList;
1415 std::vector<std::string> normalList;
1416 std::vector<std::string> byodList;
1417 switch (type) {
1418 case AdminType::NORMAL:
1419 adminMgr_->GetEnabledAdmin(AdminType::NORMAL, normalList, GetCurrentUserId());
1420 adminMgr_->GetEnabledAdmin(AdminType::ENT, superList, DEFAULT_USER_ID);
1421 break;
1422 case AdminType::ENT:
1423 adminMgr_->GetEnabledAdmin(AdminType::ENT, superList, DEFAULT_USER_ID);
1424 break;
1425 case AdminType::BYOD:
1426 adminMgr_->GetEnabledAdmin(AdminType::BYOD, byodList, EdmConstants::DEFAULT_USER_ID);
1427 break;
1428 case AdminType::UNKNOWN:
1429 break;
1430 default:
1431 return ERR_EDM_PARAM_ERROR;
1432 }
1433 if (!superList.empty()) {
1434 enabledAdminList.insert(enabledAdminList.begin(), superList.begin(), superList.end());
1435 }
1436 if (!normalList.empty()) {
1437 enabledAdminList.insert(enabledAdminList.begin(), normalList.begin(), normalList.end());
1438 }
1439 if (!byodList.empty()) {
1440 enabledAdminList.insert(enabledAdminList.begin(), byodList.begin(), byodList.end());
1441 }
1442 for (const auto &enabledAdmin : enabledAdminList) {
1443 EDMLOGD("GetEnabledAdmin: %{public}s", enabledAdmin.c_str());
1444 }
1445 return ERR_OK;
1446 }
1447
GetEnterpriseInfo(AppExecFwk::ElementName & admin,MessageParcel & reply)1448 ErrCode EnterpriseDeviceMgrAbility::GetEnterpriseInfo(AppExecFwk::ElementName &admin, MessageParcel &reply)
1449 {
1450 std::lock_guard<std::mutex> autoLock(mutexLock_);
1451 auto adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1452 if (adminItem != nullptr && adminItem->GetAdminType() == AdminType::VIRTUAL_ADMIN) {
1453 EDMLOGE("GetEnterpriseInfo delegated admin does not have permission to get enterprise info.");
1454 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1455 }
1456 EntInfo entInfo;
1457 int32_t userId = (adminItem != nullptr && (adminItem->GetAdminType() == AdminType::ENT ||
1458 adminItem->GetAdminType() == AdminType::SUB_SUPER_ADMIN)) ? DEFAULT_USER_ID : GetCurrentUserId();
1459 ErrCode code = adminMgr_->GetEntInfo(admin.GetBundleName(), entInfo, userId);
1460 if (code != ERR_OK) {
1461 reply.WriteInt32(EdmReturnErrCode::ADMIN_INACTIVE);
1462 return EdmReturnErrCode::ADMIN_INACTIVE;
1463 }
1464 reply.WriteInt32(ERR_OK);
1465 entInfo.Marshalling(reply);
1466 EDMLOGD(
1467 "EnterpriseDeviceMgrAbility::GetEnterpriseInfo: entInfo->enterpriseName %{public}s, "
1468 "entInfo->description:%{public}s",
1469 entInfo.enterpriseName.c_str(), entInfo.description.c_str());
1470 return ERR_OK;
1471 }
1472
SetEnterpriseInfo(AppExecFwk::ElementName & admin,EntInfo & entInfo)1473 ErrCode EnterpriseDeviceMgrAbility::SetEnterpriseInfo(AppExecFwk::ElementName &admin, EntInfo &entInfo)
1474 {
1475 std::lock_guard<std::mutex> autoLock(mutexLock_);
1476 int32_t userId = GetCurrentUserId();
1477 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
1478 if (adminItem == nullptr) {
1479 return EdmReturnErrCode::ADMIN_INACTIVE;
1480 }
1481 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_SET_ENTERPRISE_INFO, false);
1482 if (FAILED(ret)) {
1483 return ret;
1484 }
1485 if (adminItem->GetAdminType() == AdminType::ENT || adminItem->GetAdminType() == AdminType::SUB_SUPER_ADMIN) {
1486 userId = DEFAULT_USER_ID;
1487 }
1488 ErrCode code = adminMgr_->SetEntInfo(admin.GetBundleName(), entInfo, userId);
1489 return (code != ERR_OK) ? EdmReturnErrCode::ADMIN_INACTIVE : ERR_OK;
1490 }
1491
HandleApplicationEvent(const std::vector<uint32_t> & events,bool subscribe)1492 ErrCode EnterpriseDeviceMgrAbility::HandleApplicationEvent(const std::vector<uint32_t> &events, bool subscribe)
1493 {
1494 bool shouldHandleAppState = std::any_of(events.begin(), events.end(), [](uint32_t event) {
1495 return event == static_cast<uint32_t>(ManagedEvent::APP_START) ||
1496 event == static_cast<uint32_t>(ManagedEvent::APP_STOP);
1497 });
1498 if (!shouldHandleAppState) {
1499 return ERR_OK;
1500 }
1501 if (subscribe) {
1502 return SubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1503 } else {
1504 return UnsubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1505 }
1506 }
1507
SubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1508 ErrCode EnterpriseDeviceMgrAbility::SubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1509 const std::vector<uint32_t> &events)
1510 {
1511 std::lock_guard<std::mutex> autoLock(mutexLock_);
1512 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1513 RETURN_IF_FAILED(HandleApplicationEvent(events, true));
1514 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1515 adminMgr_->SaveSubscribeEvents(events, admin.GetBundleName(), userId);
1516 return ERR_OK;
1517 }
1518
UnsubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1519 ErrCode EnterpriseDeviceMgrAbility::UnsubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1520 const std::vector<uint32_t> &events)
1521 {
1522 std::lock_guard<std::mutex> autoLock(mutexLock_);
1523 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1524 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1525 adminMgr_->RemoveSubscribeEvents(events, admin.GetBundleName(), userId);
1526 return HandleApplicationEvent(events, false);
1527 }
1528
VerifyManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1529 ErrCode EnterpriseDeviceMgrAbility::VerifyManagedEvent(const AppExecFwk::ElementName &admin,
1530 const std::vector<uint32_t> &events)
1531 {
1532 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1533 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_ENTERPRISE_SUBSCRIBE_MANAGED_EVENT, false);
1534 if (FAILED(ret)) {
1535 return ret;
1536 }
1537 if (events.empty()) {
1538 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1539 }
1540 auto iter =
1541 std::find_if(events.begin(), events.end(), [this](uint32_t event) { return !CheckManagedEvent(event); });
1542 if (iter != std::end(events)) {
1543 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1544 }
1545 return ERR_OK;
1546 }
1547
CheckManagedEvent(uint32_t event)1548 bool EnterpriseDeviceMgrAbility::CheckManagedEvent(uint32_t event)
1549 {
1550 switch (event) {
1551 case static_cast<uint32_t>(ManagedEvent::BUNDLE_ADDED):
1552 case static_cast<uint32_t>(ManagedEvent::BUNDLE_REMOVED):
1553 case static_cast<uint32_t>(ManagedEvent::APP_START):
1554 case static_cast<uint32_t>(ManagedEvent::APP_STOP):
1555 case static_cast<uint32_t>(ManagedEvent::SYSTEM_UPDATE):
1556 break;
1557 default:
1558 return false;
1559 }
1560 return true;
1561 }
1562
AuthorizeAdmin(const AppExecFwk::ElementName & admin,const std::string & bundleName)1563 ErrCode EnterpriseDeviceMgrAbility::AuthorizeAdmin(const AppExecFwk::ElementName &admin, const std::string &bundleName)
1564 {
1565 std::lock_guard<std::mutex> autoLock(mutexLock_);
1566 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1567 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN, true);
1568 if (FAILED(ret)) {
1569 return ret;
1570 }
1571 /* Get all request and registered permissions */
1572 std::vector<std::string> permissionList;
1573 if (FAILED(GetAllPermissionsByAdmin(bundleName, AdminType::SUB_SUPER_ADMIN, DEFAULT_USER_ID, permissionList))) {
1574 EDMLOGW("AuthorizeAdmin: GetAllPermissionsByAdmin failed.");
1575 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1576 }
1577 EntInfo entInfo;
1578 AppExecFwk::ExtensionAbilityInfo abilityInfo;
1579 abilityInfo.bundleName = bundleName;
1580 Admin subAdmin(abilityInfo, AdminType::SUB_SUPER_ADMIN, entInfo, permissionList, adminItem->adminInfo_.isDebug_);
1581 subAdmin.SetParentAdminName(admin.GetBundleName());
1582 return adminMgr_->SetAdminValue(DEFAULT_USER_ID, subAdmin);
1583 }
1584
GetSuperAdmin(MessageParcel & reply)1585 ErrCode EnterpriseDeviceMgrAbility::GetSuperAdmin(MessageParcel &reply)
1586 {
1587 std::lock_guard<std::mutex> autoLock(mutexLock_);
1588 auto superAdmin = adminMgr_->GetSuperAdmin();
1589 reply.WriteInt32(ERR_OK);
1590 if (superAdmin == nullptr) {
1591 reply.WriteString("");
1592 reply.WriteString("");
1593 } else {
1594 reply.WriteString(superAdmin->adminInfo_.packageName_);
1595 reply.WriteString(superAdmin->adminInfo_.className_);
1596 }
1597 return ERR_OK;
1598 }
1599
SetDelegatedPolicies(const std::string & parentAdminName,const std::string & bundleName,const std::vector<std::string> & policies)1600 ErrCode EnterpriseDeviceMgrAbility::SetDelegatedPolicies(const std::string &parentAdminName,
1601 const std::string &bundleName, const std::vector<std::string> &policies)
1602 {
1603 std::lock_guard<std::mutex> autoLock(mutexLock_);
1604 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(parentAdminName, GetCurrentUserId());
1605 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_SET_DELEGATED_POLICY, true);
1606 if (FAILED(ret)) {
1607 return ret;
1608 }
1609 if (parentAdminName == bundleName) {
1610 EDMLOGE("SetDelegatedPolicies does not delegated policies to self.");
1611 return EdmReturnErrCode::PARAM_ERROR;
1612 }
1613 if (policies.empty()) {
1614 EDMLOGW("SetDelegatedPolicies remove delegated policies.");
1615 return RemoveSubSuperAdminAndAdminPolicy(bundleName);
1616 }
1617 ret = CheckDelegatedPolicies(adminItem, policies);
1618 if (FAILED(ret)) {
1619 return ret;
1620 }
1621 if (!GetBundleMgr()->IsBundleInstalled(bundleName, DEFAULT_USER_ID)) {
1622 EDMLOGE("SetDelegatedPolicies the delegated application does not installed.");
1623 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1624 }
1625 std::string appDistributionType = GetBundleMgr()->GetApplicationInfo(bundleName, DEFAULT_USER_ID);
1626 if (appDistributionType != APP_TYPE_ENTERPRISE_MDM && appDistributionType != APP_TYPE_ENTERPRISE_NORMAL) {
1627 EDMLOGE("SetDelegatedPolicies get appDistributionType %{public}s.", appDistributionType.c_str());
1628 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1629 }
1630 EntInfo entInfo;
1631 AppExecFwk::ExtensionAbilityInfo abilityInfo;
1632 abilityInfo.bundleName = bundleName;
1633 Admin virtualAdmin(abilityInfo, AdminType::VIRTUAL_ADMIN, entInfo, {}, adminItem->adminInfo_.isDebug_);
1634 virtualAdmin.SetParentAdminName(parentAdminName);
1635 virtualAdmin.SetAccessiblePolicies(policies);
1636 return adminMgr_->SetAdminValue(DEFAULT_USER_ID, virtualAdmin);
1637 }
1638
GetDelegatedPolicies(const std::string & parentAdminName,const std::string & bundleName,std::vector<std::string> & policies)1639 ErrCode EnterpriseDeviceMgrAbility::GetDelegatedPolicies(const std::string &parentAdminName,
1640 const std::string &bundleName, std::vector<std::string> &policies)
1641 {
1642 std::lock_guard<std::mutex> autoLock(mutexLock_);
1643 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(parentAdminName, GetCurrentUserId());
1644 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_SET_DELEGATED_POLICY, true);
1645 if (FAILED(ret)) {
1646 return ret;
1647 }
1648 return adminMgr_->GetPoliciesByVirtualAdmin(bundleName, parentAdminName, policies);
1649 }
1650
GetDelegatedBundleNames(const std::string & parentAdminName,const std::string & policyName,std::vector<std::string> & bundleNames)1651 ErrCode EnterpriseDeviceMgrAbility::GetDelegatedBundleNames(const std::string &parentAdminName,
1652 const std::string &policyName, std::vector<std::string> &bundleNames)
1653 {
1654 if (allowDelegatedPolicies_.find(policyName) == allowDelegatedPolicies_.end()) {
1655 return EdmReturnErrCode::PARAM_ERROR;
1656 }
1657 std::lock_guard<std::mutex> autoLock(mutexLock_);
1658 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(parentAdminName, GetCurrentUserId());
1659 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_SET_DELEGATED_POLICY, true);
1660 if (FAILED(ret)) {
1661 return ret;
1662 }
1663 adminMgr_->GetVirtualAdminsByPolicy(policyName, parentAdminName, bundleNames);
1664 return ERR_OK;
1665 }
1666
CheckCallerPermission(std::shared_ptr<Admin> admin,const std::string & permission,bool isNeedSuperAdmin)1667 ErrCode EnterpriseDeviceMgrAbility::CheckCallerPermission(std::shared_ptr<Admin> admin, const std::string &permission,
1668 bool isNeedSuperAdmin)
1669 {
1670 if (admin == nullptr) {
1671 return EdmReturnErrCode::ADMIN_INACTIVE;
1672 }
1673 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1674 if (!GetAccessTokenMgr()->VerifyCallingPermission(tokenId, permission)) {
1675 EDMLOGE("CheckCallerPermission verify calling permission failed.");
1676 return EdmReturnErrCode::PERMISSION_DENIED;
1677 }
1678 if (FAILED(CheckCallingUid(admin->adminInfo_.packageName_))) {
1679 EDMLOGE("CheckCallerPermission check calling uid failed.");
1680 return EdmReturnErrCode::PERMISSION_DENIED;
1681 }
1682 if (isNeedSuperAdmin && admin->GetAdminType() != AdminType::ENT) {
1683 EDMLOGE("CheckCallerPermission caller not a super admin.");
1684 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1685 }
1686 if (!isNeedSuperAdmin && admin->GetAdminType() == AdminType::VIRTUAL_ADMIN) {
1687 EDMLOGE("CheckCallerPermission delegated admin does not have permission to handle.");
1688 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1689 }
1690 if (!isNeedSuperAdmin && admin->GetAdminType() == AdminType::BYOD) {
1691 EDMLOGE("CheckCallerPermission byod admin does not have permission to handle.");
1692 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1693 }
1694 return ERR_OK;
1695 }
1696
CheckDelegatedPolicies(std::shared_ptr<Admin> admin,const std::vector<std::string> & policies)1697 ErrCode EnterpriseDeviceMgrAbility::CheckDelegatedPolicies(std::shared_ptr<Admin> admin,
1698 const std::vector<std::string> &policies)
1699 {
1700 if (admin == nullptr) {
1701 return EdmReturnErrCode::ADMIN_INACTIVE;
1702 }
1703 for (const std::string &policy : policies) {
1704 if (allowDelegatedPolicies_.find(policy) == allowDelegatedPolicies_.end()) {
1705 return EdmReturnErrCode::PARAM_ERROR;
1706 }
1707 auto plugin = pluginMgr_->GetPluginByPolicyName(policy);
1708 if (plugin == nullptr) {
1709 EDMLOGE("CheckDelegatedPolicies get policyName is not exist.");
1710 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1711 }
1712 auto permission = plugin->GetPermission(FuncOperateType::SET, AdminTypeToPermissionType(admin->GetAdminType()));
1713 if (permission == NONE_PERMISSION_MATCH) {
1714 permission = plugin->GetPermission(FuncOperateType::SET,
1715 AdminTypeToPermissionType(admin->GetAdminType()), EdmConstants::PERMISSION_TAG_VERSION_12);
1716 }
1717 if (permission.empty() || permission == NONE_PERMISSION_MATCH) {
1718 EDMLOGE("CheckDelegatedPolicies get plugin access permission failed.");
1719 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1720 }
1721 auto ret = CheckAndUpdatePermission(admin, IPCSkeleton::GetCallingTokenID(), permission, DEFAULT_USER_ID);
1722 if (FAILED(ret)) {
1723 return ret;
1724 }
1725 }
1726 return ERR_OK;
1727 }
1728
GetAdmins(std::vector<std::shared_ptr<AAFwk::Want>> & wants)1729 ErrCode EnterpriseDeviceMgrAbility::GetAdmins(std::vector<std::shared_ptr<AAFwk::Want>> &wants)
1730 {
1731 std::vector<std::shared_ptr<Admin>> admins;
1732 adminMgr_->GetAdmins(admins, GetCurrentUserId());
1733 for (auto admin : admins) {
1734 std::shared_ptr<AAFwk::Want> want = std::make_shared<AAFwk::Want>();
1735 want->SetParam("bundleName", admin->adminInfo_.packageName_);
1736 want->SetParam("abilityName", admin->adminInfo_.className_);
1737 want->SetParam("adminType", static_cast<int32_t>(admin->adminInfo_.adminType_));
1738 wants.push_back(want);
1739 }
1740 return ERR_OK;
1741 }
1742 } // namespace EDM
1743 } // namespace OHOS