1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "bundle_permission_mgr.h"
17
18 #include "access_token_error.h"
19 #include "app_log_tag_wrapper.h"
20 #include "app_log_wrapper.h"
21 #include "bundle_mgr_service.h"
22 #include "bundle_parser.h"
23 #include "ipc_skeleton.h"
24 #include "parameter.h"
25 #include "privacy_kit.h"
26 #include "tokenid_kit.h"
27
28 namespace OHOS {
29 namespace AppExecFwk {
30 namespace {
31 // pre bundle profile
32 constexpr const char* INSTALL_LIST_PERMISSIONS_CONFIG = "/etc/app/install_list_permissions.json";
33 constexpr const char* SCENEBOARD_BUNDLE_NAME = "com.ohos.sceneboard";
34 // install list permissions file
35 constexpr const char* INSTALL_LIST_PERMISSIONS_FILE_PATH = "/system/etc/app/install_list_permissions.json";
36 const int32_t BASE_API_VERSION = 1000;
37 }
38
39 using namespace OHOS::Security;
40 std::map<std::string, DefaultPermission> BundlePermissionMgr::defaultPermissions_;
41
Init()42 bool BundlePermissionMgr::Init()
43 {
44 std::vector<std::string> permissionFileList;
45 #ifdef USE_PRE_BUNDLE_PROFILE
46 std::vector<std::string> rootDirList;
47 BMSEventHandler::GetPreInstallRootDirList(rootDirList);
48 if (rootDirList.empty()) {
49 LOG_E(BMS_TAG_DEFAULT, "rootDirList is empty");
50 return false;
51 }
52 for (const auto &item : rootDirList) {
53 permissionFileList.push_back(item + INSTALL_LIST_PERMISSIONS_CONFIG);
54 }
55 #else
56 permissionFileList.emplace_back(INSTALL_LIST_PERMISSIONS_FILE_PATH);
57 #endif
58 BundleParser bundleParser;
59 std::set<DefaultPermission> permissions;
60 for (const auto &permissionFile : permissionFileList) {
61 if (bundleParser.ParseDefaultPermission(permissionFile, permissions) != ERR_OK) {
62 LOG_D(BMS_TAG_DEFAULT, "BundlePermissionMgr::Init failed");
63 continue;
64 }
65 }
66
67 defaultPermissions_.clear();
68 for (const auto &permission : permissions) {
69 defaultPermissions_.try_emplace(permission.bundleName, permission);
70 }
71 LOG_D(BMS_TAG_DEFAULT, "BundlePermissionMgr::Init success");
72 return true;
73 }
74
UnInit()75 void BundlePermissionMgr::UnInit()
76 {
77 LOG_D(BMS_TAG_DEFAULT, "BundlePermissionMgr::UnInit");
78 defaultPermissions_.clear();
79 }
80
ConvertPermissionDef(const AccessToken::PermissionDef & permDef,PermissionDef & permissionDef)81 void BundlePermissionMgr::ConvertPermissionDef(
82 const AccessToken::PermissionDef &permDef, PermissionDef &permissionDef)
83 {
84 permissionDef.permissionName = permDef.permissionName;
85 permissionDef.bundleName = permDef.bundleName;
86 permissionDef.grantMode = permDef.grantMode;
87 permissionDef.availableLevel = permDef.availableLevel;
88 permissionDef.provisionEnable = permDef.provisionEnable;
89 permissionDef.distributedSceneEnable = permDef.distributedSceneEnable;
90 permissionDef.label = permDef.label;
91 permissionDef.labelId = permDef.labelId;
92 permissionDef.description = permDef.description;
93 permissionDef.descriptionId = permDef.descriptionId;
94 permissionDef.availableType = permDef.availableType;
95 }
96
97 // Convert from the struct DefinePermission that parsed from config.json
ConvertPermissionDef(AccessToken::PermissionDef & permDef,const DefinePermission & definePermission,const std::string & bundleName)98 void BundlePermissionMgr::ConvertPermissionDef(
99 AccessToken::PermissionDef &permDef, const DefinePermission &definePermission, const std::string &bundleName)
100 {
101 permDef.permissionName = definePermission.name;
102 permDef.bundleName = bundleName;
103 permDef.grantMode = [&definePermission]() -> int {
104 if (definePermission.grantMode ==
105 Profile::DEFINEPERMISSION_GRANT_MODE_SYSTEM_GRANT) {
106 return AccessToken::GrantMode::SYSTEM_GRANT;
107 }
108 return AccessToken::GrantMode::USER_GRANT;
109 }();
110
111 permDef.availableLevel = GetTokenApl(definePermission.availableLevel);
112 permDef.provisionEnable = definePermission.provisionEnable;
113 permDef.distributedSceneEnable = definePermission.distributedSceneEnable;
114 permDef.label = definePermission.label;
115 permDef.labelId = definePermission.labelId;
116 permDef.description = definePermission.description;
117 permDef.descriptionId = definePermission.descriptionId;
118 permDef.availableType = GetAvailableType(definePermission.availableType);
119 }
120
GetAvailableType(const std::string & availableType)121 AccessToken::ATokenAvailableTypeEnum BundlePermissionMgr::GetAvailableType(
122 const std::string &availableType)
123 {
124 if (availableType == Profile::DEFINEPERMISSION_AVAILABLE_TYPE_MDM) {
125 return AccessToken::ATokenAvailableTypeEnum::MDM;
126 }
127 return AccessToken::ATokenAvailableTypeEnum::NORMAL;
128 }
129
GetTokenApl(const std::string & apl)130 AccessToken::ATokenAplEnum BundlePermissionMgr::GetTokenApl(const std::string &apl)
131 {
132 if (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE) {
133 return AccessToken::ATokenAplEnum::APL_SYSTEM_CORE;
134 }
135 if (apl == Profile::AVAILABLELEVEL_SYSTEM_BASIC) {
136 return AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC;
137 }
138 return AccessToken::ATokenAplEnum::APL_NORMAL;
139 }
140
CreateHapPolicyParam(const InnerBundleInfo & innerBundleInfo)141 AccessToken::HapPolicyParams BundlePermissionMgr::CreateHapPolicyParam(const InnerBundleInfo &innerBundleInfo)
142 {
143 AccessToken::HapPolicyParams hapPolicy;
144 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
145 std::vector<AccessToken::PermissionDef> permDef = GetPermissionDefList(innerBundleInfo);
146 hapPolicy.apl = GetTokenApl(apl);
147 hapPolicy.domain = "domain";
148 hapPolicy.permList = permDef;
149 hapPolicy.permStateList = GetPermissionStateFullList(innerBundleInfo);
150 hapPolicy.aclRequestedList = innerBundleInfo.GetAllowedAcls();
151 LOG_I(BMS_TAG_DEFAULT, "%{public}s apl:%{public}s req permission size:%{public}zu, acls size:%{public}zu",
152 innerBundleInfo.GetBundleName().c_str(), apl.c_str(), hapPolicy.permStateList.size(),
153 hapPolicy.aclRequestedList.size());
154 // default permission list
155 DefaultPermission permission;
156 if (!GetDefaultPermission(innerBundleInfo.GetBundleName(), permission)) {
157 return hapPolicy;
158 }
159
160 #ifdef USE_PRE_BUNDLE_PROFILE
161 if (!MatchSignature(permission, innerBundleInfo.GetCertificateFingerprint()) &&
162 !MatchSignature(permission, innerBundleInfo.GetAppId()) &&
163 !MatchSignature(permission, innerBundleInfo.GetAppIdentifier()) &&
164 !MatchSignature(permission, innerBundleInfo.GetOldAppIds())) {
165 LOG_W(BMS_TAG_DEFAULT, "bundleName:%{public}s MatchSignature failed", innerBundleInfo.GetBundleName().c_str());
166 return hapPolicy;
167 }
168 #endif
169 for (const auto &perm: innerBundleInfo.GetAllRequestPermissions()) {
170 bool userCancellable = false;
171 if (!CheckPermissionInDefaultPermissions(permission, perm.name, userCancellable)) {
172 continue;
173 }
174 AccessToken::PreAuthorizationInfo preAuthorizationInfo;
175 preAuthorizationInfo.permissionName = perm.name;
176 preAuthorizationInfo.userCancelable = userCancellable;
177 hapPolicy.preAuthorizationInfo.emplace_back(preAuthorizationInfo);
178 }
179 LOG_I(BMS_TAG_DEFAULT, "end, preAuthorizationInfo size :%{public}zu", hapPolicy.preAuthorizationInfo.size());
180 return hapPolicy;
181 }
182
DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)183 int32_t BundlePermissionMgr::DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)
184 {
185 return AccessToken::AccessTokenKit::DeleteToken(tokenId);
186 }
187
ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)188 int32_t BundlePermissionMgr::ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)
189 {
190 return AccessToken::AccessTokenKit::ClearUserGrantedPermissionState(tokenId);
191 }
192
GetPermissionDefList(const InnerBundleInfo & innerBundleInfo)193 std::vector<AccessToken::PermissionDef> BundlePermissionMgr::GetPermissionDefList(
194 const InnerBundleInfo &innerBundleInfo)
195 {
196 const auto bundleName = innerBundleInfo.GetBundleName();
197 const auto defPermissions = innerBundleInfo.GetAllDefinePermissions();
198 std::vector<AccessToken::PermissionDef> permList;
199 if (!defPermissions.empty()) {
200 for (const auto &defPermission : defPermissions) {
201 AccessToken::PermissionDef perm;
202 LOG_D(BMS_TAG_DEFAULT, "defPermission %{public}s", defPermission.name.c_str());
203 ConvertPermissionDef(perm, defPermission, bundleName);
204 permList.emplace_back(perm);
205 }
206 }
207 return permList;
208 }
209
GetPermissionStateFullList(const InnerBundleInfo & innerBundleInfo)210 std::vector<AccessToken::PermissionStateFull> BundlePermissionMgr::GetPermissionStateFullList(
211 const InnerBundleInfo &innerBundleInfo)
212 {
213 auto reqPermissions = innerBundleInfo.GetAllRequestPermissions();
214 LOG_I(BMS_TAG_DEFAULT, "bundleName:%{public}s requestPermission size :%{public}zu",
215 innerBundleInfo.GetBundleName().c_str(), reqPermissions.size());
216 std::vector<AccessToken::PermissionStateFull> permStateFullList;
217 if (!reqPermissions.empty()) {
218 for (const auto &reqPermission : reqPermissions) {
219 AccessToken::PermissionStateFull perState;
220 perState.permissionName = reqPermission.name;
221 perState.isGeneral = true;
222 perState.resDeviceID.emplace_back(innerBundleInfo.GetBaseApplicationInfo().deviceId);
223 perState.grantStatus.emplace_back(AccessToken::PermissionState::PERMISSION_DENIED);
224 perState.grantFlags.emplace_back(AccessToken::PermissionFlag::PERMISSION_DEFAULT_FLAG);
225 permStateFullList.emplace_back(perState);
226 }
227 } else {
228 LOG_D(BMS_TAG_DEFAULT, "BundlePermissionMgr::GetPermissionStateFullList requestPermission is empty");
229 }
230 return permStateFullList;
231 }
232
GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,std::vector<AccessToken::PermissionStateFull> & newPermissionState)233 bool BundlePermissionMgr::GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,
234 std::vector<AccessToken::PermissionStateFull> &newPermissionState)
235 {
236 std::vector<AccessToken::PermissionStateFull> userGrantReqPermList;
237 int32_t ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, userGrantReqPermList, false);
238 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
239 LOG_E(BMS_TAG_DEFAULT, "GetAllReqPermissionStateFull get user grant failed errcode: %{public}d", ret);
240 return false;
241 }
242 std::vector<AccessToken::PermissionStateFull> systemGrantReqPermList;
243 ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, systemGrantReqPermList, true);
244 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
245 LOG_E(BMS_TAG_DEFAULT, "GetAllReqPermissionStateFull get system grant failed errcode: %{public}d", ret);
246 return false;
247 }
248 newPermissionState = userGrantReqPermList;
249 std::copy(systemGrantReqPermList.begin(), systemGrantReqPermList.end(), std::back_inserter(newPermissionState));
250 return true;
251 }
252
GetRequestPermissionStates(BundleInfo & bundleInfo,uint32_t tokenId,const std::string deviceId)253 bool BundlePermissionMgr::GetRequestPermissionStates(
254 BundleInfo &bundleInfo, uint32_t tokenId, const std::string deviceId)
255 {
256 std::vector<std::string> requestPermission = bundleInfo.reqPermissions;
257 if (requestPermission.empty()) {
258 LOG_D(BMS_TAG_DEFAULT, "GetRequestPermissionStates requestPermission empty");
259 return true;
260 }
261 std::vector<Security::AccessToken::PermissionStateFull> allPermissionState;
262 if (!GetAllReqPermissionStateFull(tokenId, allPermissionState)) {
263 LOG_W(BMS_TAG_DEFAULT, "BundlePermissionMgr::GetRequestPermissionStates failed");
264 }
265 for (auto &req : requestPermission) {
266 auto iter = std::find_if(allPermissionState.begin(), allPermissionState.end(),
267 [&req](const auto &perm) {
268 return perm.permissionName == req;
269 });
270 if (iter != allPermissionState.end()) {
271 LOG_D(BMS_TAG_DEFAULT, "GetRequestPermissionStates request permission name: %{public}s", req.c_str());
272 for (std::vector<std::string>::size_type i = 0; i < iter->resDeviceID.size(); i++) {
273 if (iter->resDeviceID[i] == deviceId) {
274 bundleInfo.reqPermissionStates.emplace_back(iter->grantStatus[i]);
275 break;
276 }
277 }
278 } else {
279 LOG_E(BMS_TAG_DEFAULT, "request permission name : %{public}s is not exit in AccessTokenMgr", req.c_str());
280 bundleInfo.reqPermissionStates.emplace_back(
281 static_cast<int32_t>(AccessToken::PermissionState::PERMISSION_DENIED));
282 }
283 }
284 return true;
285 }
286
VerifyCallingPermissionForAll(const std::string & permissionName)287 bool BundlePermissionMgr::VerifyCallingPermissionForAll(const std::string &permissionName)
288 {
289 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
290 LOG_D(BMS_TAG_DEFAULT, "VerifyCallingPermission permission %{public}s, callerToken : %{public}u",
291 permissionName.c_str(), callerToken);
292 if (AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName) ==
293 AccessToken::PermissionState::PERMISSION_GRANTED) {
294 return true;
295 }
296 LOG_NOFUNC_E(BMS_TAG_DEFAULT, "permission denied caller:%{public}u", callerToken);
297 return false;
298 }
299
VerifyCallingPermissionsForAll(const std::vector<std::string> & permissionNames)300 bool BundlePermissionMgr::VerifyCallingPermissionsForAll(const std::vector<std::string> &permissionNames)
301 {
302 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
303 for (auto permissionName : permissionNames) {
304 if (AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName) ==
305 AccessToken::PermissionState::PERMISSION_GRANTED) {
306 LOG_D(BMS_TAG_DEFAULT, "verify success");
307 return true;
308 }
309 }
310 std::string errorMessage;
311 for (auto deniedPermission : permissionNames) {
312 errorMessage += deniedPermission + " ";
313 }
314 LOG_NOFUNC_E(BMS_TAG_DEFAULT, "%{public}s denied callerToken:%{public}u", errorMessage.c_str(), callerToken);
315 return false;
316 }
317
VerifyPermission(const std::string & bundleName,const std::string & permissionName,const int32_t userId)318 int32_t BundlePermissionMgr::VerifyPermission(
319 const std::string &bundleName, const std::string &permissionName, const int32_t userId)
320 {
321 LOG_D(BMS_TAG_DEFAULT, "VerifyPermission bundleName %{public}s, permission %{public}s", bundleName.c_str(),
322 permissionName.c_str());
323 AccessToken::AccessTokenID tokenId = AccessToken::AccessTokenKit::GetHapTokenID(userId,
324 bundleName, 0);
325 return AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionName);
326 }
327
GetPermissionDef(const std::string & permissionName,PermissionDef & permissionDef)328 ErrCode BundlePermissionMgr::GetPermissionDef(const std::string &permissionName, PermissionDef &permissionDef)
329 {
330 LOG_D(BMS_TAG_DEFAULT, "BundlePermissionMgr::GetPermissionDef permission %{public}s", permissionName.c_str());
331 AccessToken::PermissionDef accessTokenPermDef;
332 int32_t ret = AccessToken::AccessTokenKit::GetDefPermission(permissionName, accessTokenPermDef);
333 if (ret == AccessToken::AccessTokenKitRet::RET_SUCCESS) {
334 ConvertPermissionDef(accessTokenPermDef, permissionDef);
335 return ERR_OK;
336 }
337 return ERR_BUNDLE_MANAGER_QUERY_PERMISSION_DEFINE_FAILED;
338 }
339
CheckPermissionInDefaultPermissions(const DefaultPermission & defaultPermission,const std::string & permissionName,bool & userCancellable)340 bool BundlePermissionMgr::CheckPermissionInDefaultPermissions(const DefaultPermission &defaultPermission,
341 const std::string &permissionName, bool &userCancellable)
342 {
343 auto &grantPermission = defaultPermission.grantPermission;
344 auto iter = std::find_if(grantPermission.begin(), grantPermission.end(), [&permissionName](const auto &defPerm) {
345 return defPerm.name == permissionName;
346 });
347 if (iter == grantPermission.end()) {
348 LOG_D(BMS_TAG_DEFAULT, "can not find permission(%{public}s)", permissionName.c_str());
349 return false;
350 }
351
352 userCancellable = iter->userCancellable;
353 return true;
354 }
355
GetDefaultPermission(const std::string & bundleName,DefaultPermission & permission)356 bool BundlePermissionMgr::GetDefaultPermission(
357 const std::string &bundleName, DefaultPermission &permission)
358 {
359 auto iter = defaultPermissions_.find(bundleName);
360 if (iter == defaultPermissions_.end()) {
361 LOG_W(BMS_TAG_DEFAULT, "bundleName: %{public}s does not exist in defaultPermissions",
362 bundleName.c_str());
363 return false;
364 }
365
366 permission = iter->second;
367 return true;
368 }
369
MatchSignature(const DefaultPermission & permission,const std::vector<std::string> & signatures)370 bool BundlePermissionMgr::MatchSignature(
371 const DefaultPermission &permission, const std::vector<std::string> &signatures)
372 {
373 if (permission.appSignature.empty()) {
374 LOG_W(BMS_TAG_DEFAULT, "appSignature is empty");
375 return false;
376 }
377 for (const auto &signature : permission.appSignature) {
378 if (std::find(signatures.begin(), signatures.end(), signature) != signatures.end()) {
379 return true;
380 }
381 }
382
383 return false;
384 }
385
MatchSignature(const DefaultPermission & permission,const std::string & signature)386 bool BundlePermissionMgr::MatchSignature(
387 const DefaultPermission &permission, const std::string &signature)
388 {
389 if (permission.appSignature.empty() || signature.empty()) {
390 LOG_W(BMS_TAG_DEFAULT, "appSignature or signature is empty");
391 return false;
392 }
393 return std::find(permission.appSignature.begin(), permission.appSignature.end(),
394 signature) != permission.appSignature.end();
395 }
396
GetHapApiVersion()397 int32_t BundlePermissionMgr::GetHapApiVersion()
398 {
399 // get appApiVersion from applicationInfo
400 std::string bundleName;
401 auto uid = IPCSkeleton::GetCallingUid();
402 auto userId = uid / Constants::BASE_USER_RANGE;
403 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
404 if (dataMgr == nullptr) {
405 LOG_E(BMS_TAG_DEFAULT, "DataMgr is nullptr");
406 return Constants::INVALID_API_VERSION;
407 }
408 auto ret = dataMgr->GetBundleNameForUid(uid, bundleName);
409 if (!ret) {
410 LOG_E(BMS_TAG_DEFAULT, "getBundleName failed, uid : %{public}d", uid);
411 return Constants::INVALID_API_VERSION;
412 }
413 ApplicationInfo applicationInfo;
414 auto res = dataMgr->GetApplicationInfoV9(bundleName,
415 static_cast<int32_t>(GetApplicationFlag::GET_APPLICATION_INFO_WITH_DISABLE), userId, applicationInfo);
416 if (res != ERR_OK) {
417 LOG_E(BMS_TAG_DEFAULT, "getApplicationInfo failed");
418 return Constants::INVALID_API_VERSION;
419 }
420 auto appApiVersion = applicationInfo.apiTargetVersion % BASE_API_VERSION;
421 LOG_D(BMS_TAG_DEFAULT, "appApiVersion is %{public}d", appApiVersion);
422 auto systemApiVersion = GetSdkApiVersion();
423 // api version is the minimum value of {appApiVersion, systemApiVersion}
424 return systemApiVersion < appApiVersion ? systemApiVersion :appApiVersion;
425 }
426
427 // if the api has been system api since it is published, then beginSystemApiVersion can be omitted
VerifySystemApp(int32_t beginSystemApiVersion)428 bool BundlePermissionMgr::VerifySystemApp(int32_t beginSystemApiVersion)
429 {
430 LOG_D(BMS_TAG_DEFAULT, "verifying systemApp");
431 uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
432 if (Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
433 return true;
434 }
435 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
436 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
437 LOG_D(BMS_TAG_DEFAULT, "tokenType is %{private}d", tokenType);
438 int32_t callingUid = IPCSkeleton::GetCallingUid();
439 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE ||
440 tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL ||
441 callingUid == Constants::ROOT_UID ||
442 callingUid == ServiceConstants::SHELL_UID) {
443 LOG_D(BMS_TAG_DEFAULT, "caller tokenType is native, verify success");
444 return true;
445 }
446 if (beginSystemApiVersion != Constants::ALL_VERSIONCODE) {
447 auto apiVersion = GetHapApiVersion();
448 if (apiVersion == Constants::INVALID_API_VERSION) {
449 LOG_E(BMS_TAG_DEFAULT, "get api version failed, system app verification failed");
450 return false;
451 }
452 if (apiVersion < beginSystemApiVersion) {
453 LOG_I(BMS_TAG_DEFAULT, "previous app calling, verify success");
454 return true;
455 }
456 }
457 LOG_E(BMS_TAG_DEFAULT, "system app verification failed");
458 return false;
459 }
460
IsSystemApp()461 bool BundlePermissionMgr::IsSystemApp()
462 {
463 LOG_D(BMS_TAG_DEFAULT, "verifying systemApp");
464 uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
465 if (Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
466 return true;
467 }
468 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
469 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
470 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_HAP) {
471 LOG_E(BMS_TAG_DEFAULT, "IsSystemApp %{public}d,%{public}d,%{public}u",
472 IPCSkeleton::GetCallingUid(), IPCSkeleton::GetCallingPid(), callerToken);
473 return false;
474 }
475 LOG_D(BMS_TAG_DEFAULT, "caller tokenType is not hap, ignore");
476 return true;
477 }
478
IsNativeTokenType()479 bool BundlePermissionMgr::IsNativeTokenType()
480 {
481 LOG_D(BMS_TAG_DEFAULT, "begin to verify token type");
482 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
483 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
484 LOG_D(BMS_TAG_DEFAULT, "tokenType is %{private}d", tokenType);
485 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE
486 || tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
487 LOG_D(BMS_TAG_DEFAULT, "caller tokenType is native, verify success");
488 return true;
489 }
490 if (VerifyCallingUid()) {
491 LOG_D(BMS_TAG_DEFAULT, "caller is root or foundation or BMS_UID, verify success");
492 return true;
493 }
494 LOG_E(BMS_TAG_DEFAULT, "caller tokenType not native, verify failed");
495 return false;
496 }
497
IsShellTokenType()498 bool BundlePermissionMgr::IsShellTokenType()
499 {
500 LOG_D(BMS_TAG_DEFAULT, "IsShellTokenType begin");
501 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
502 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
503 LOG_D(BMS_TAG_DEFAULT, "tokenType is %{private}d", tokenType);
504 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
505 LOG_D(BMS_TAG_DEFAULT, "caller is shell, success");
506 return true;
507 }
508 LOG_I(BMS_TAG_DEFAULT, "caller not shell");
509 return false;
510 }
511
VerifyCallingUid()512 bool BundlePermissionMgr::VerifyCallingUid()
513 {
514 LOG_D(BMS_TAG_DEFAULT, "begin to verify calling uid");
515 int32_t callingUid = IPCSkeleton::GetCallingUid();
516 LOG_D(BMS_TAG_DEFAULT, "calling uid is %{public}d", callingUid);
517 if (callingUid == Constants::ROOT_UID ||
518 callingUid == Constants::FOUNDATION_UID ||
519 callingUid == ServiceConstants::SHELL_UID ||
520 callingUid == ServiceConstants::BMS_UID) {
521 LOG_D(BMS_TAG_DEFAULT, "caller is root or foundation, verify success");
522 return true;
523 }
524 LOG_E(BMS_TAG_DEFAULT, "verify calling uid failed");
525 return false;
526 }
527
VerifyPreload(const AAFwk::Want & want)528 bool BundlePermissionMgr::VerifyPreload(const AAFwk::Want &want)
529 {
530 std::string callingBundleName;
531 auto uid = IPCSkeleton::GetCallingUid();
532 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
533 if (dataMgr == nullptr) {
534 LOG_E(BMS_TAG_DEFAULT, "DataMgr is nullptr");
535 return false;
536 }
537 auto ret = dataMgr->GetBundleNameForUid(uid, callingBundleName);
538 if (!ret) {
539 return BundlePermissionMgr::VerifyCallingPermissionForAll(Constants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
540 }
541 std::string bundleName = want.GetElement().GetBundleName();
542 return bundleName == callingBundleName || callingBundleName == SCENEBOARD_BUNDLE_NAME;
543 }
544
IsCallingUidValid(int32_t uid)545 bool BundlePermissionMgr::IsCallingUidValid(int32_t uid)
546 {
547 int32_t callingUid = IPCSkeleton::GetCallingUid();
548 if (callingUid == uid) {
549 return true;
550 }
551 LOG_E(BMS_TAG_DEFAULT, "IsCallingUidValid failed, uid = %{public}d, calling uid = %{public}d", uid, callingUid);
552 return false;
553 }
554
IsSelfCalling()555 bool BundlePermissionMgr::IsSelfCalling()
556 {
557 int32_t callingUid = IPCSkeleton::GetCallingUid();
558 if (callingUid == Constants::FOUNDATION_UID) {
559 return true;
560 }
561 return false;
562 }
563
VerifyUninstallPermission()564 bool BundlePermissionMgr::VerifyUninstallPermission()
565 {
566 if (!BundlePermissionMgr::IsSelfCalling() &&
567 !BundlePermissionMgr::VerifyCallingPermissionsForAll({Constants::PERMISSION_INSTALL_BUNDLE,
568 ServiceConstants::PERMISSION_UNINSTALL_BUNDLE})) {
569 LOG_E(BMS_TAG_DEFAULT, "uninstall bundle permission denied");
570 return false;
571 }
572 return true;
573 }
574
VerifyRecoverPermission()575 bool BundlePermissionMgr::VerifyRecoverPermission()
576 {
577 if (!BundlePermissionMgr::IsSelfCalling() &&
578 !BundlePermissionMgr::VerifyCallingPermissionsForAll({Constants::PERMISSION_INSTALL_BUNDLE,
579 ServiceConstants::PERMISSION_RECOVER_BUNDLE})) {
580 LOG_E(BMS_TAG_DEFAULT, "recover bundle permission denied");
581 return false;
582 }
583 return true;
584 }
585
AddPermissionUsedRecord(const std::string & permission,int32_t successCount,int32_t failCount)586 void BundlePermissionMgr::AddPermissionUsedRecord(
587 const std::string &permission, int32_t successCount, int32_t failCount)
588 {
589 LOG_D(BMS_TAG_DEFAULT, "AddPermissionUsedRecord permission:%{public}s", permission.c_str());
590 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
591 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
592 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_HAP) {
593 int32_t ret = AccessToken::PrivacyKit::AddPermissionUsedRecord(callerToken, permission,
594 successCount, failCount);
595 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
596 APP_LOGE("AddPermissionUsedRecord failed, ret = %{public}d", ret);
597 }
598 }
599 }
600
IsBundleSelfCalling(const std::string & bundleName)601 bool BundlePermissionMgr::IsBundleSelfCalling(const std::string &bundleName)
602 {
603 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
604 if (dataMgr == nullptr) {
605 LOG_E(BMS_TAG_DEFAULT, "DataMgr is nullptr");
606 return false;
607 }
608 int32_t callingUid = IPCSkeleton::GetCallingUid();
609 LOG_D(BMS_TAG_DEFAULT, "start, callingUid: %{public}d", callingUid);
610 std::string callingBundleName;
611 if (dataMgr->GetNameForUid(callingUid, callingBundleName) != ERR_OK) {
612 return false;
613 }
614 LOG_D(BMS_TAG_DEFAULT, "bundleName :%{public}s, callingBundleName : %{public}s",
615 bundleName.c_str(), callingBundleName.c_str());
616 if (bundleName != callingBundleName) {
617 LOG_W(BMS_TAG_DEFAULT, "failed, callingUid: %{public}d", callingUid);
618 return false;
619 }
620 LOG_D(BMS_TAG_DEFAULT, "end, verify success");
621 return true;
622 }
623
IsBundleSelfCalling(const std::string & bundleName,const int32_t & appIndex)624 bool BundlePermissionMgr::IsBundleSelfCalling(const std::string &bundleName, const int32_t &appIndex)
625 {
626 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
627 if (dataMgr == nullptr) {
628 LOG_E(BMS_TAG_DEFAULT, "DataMgr is nullptr");
629 return false;
630 }
631 int32_t callingUid = IPCSkeleton::GetCallingUid();
632 LOG_D(BMS_TAG_DEFAULT, "start, callingUid: %{public}d", callingUid);
633 std::string callingBundleName;
634 int32_t callerAppIndex = 0;
635 ErrCode ret = dataMgr->GetBundleNameAndIndexForUid(callingUid, callingBundleName, callerAppIndex);
636 if (ret != ERR_OK) {
637 LOG_E(BMS_TAG_DEFAULT, "failed, code: %{public}d", ret);
638 return false;
639 }
640 LOG_D(BMS_TAG_DEFAULT,
641 "bundleName :%{public}s, callingBundleName : %{public}s appIndex: %{public}d callerAppIndex: %{public}d",
642 bundleName.c_str(), callingBundleName.c_str(), appIndex, callerAppIndex);
643 if (bundleName != callingBundleName || appIndex != callerAppIndex) {
644 LOG_W(BMS_TAG_DEFAULT, "failed, callingUid: %{public}d", callingUid);
645 return false;
646 }
647 LOG_D(BMS_TAG_DEFAULT, "end, verify success");
648 return true;
649 }
650
VerifyCallingBundleSdkVersion(int32_t beginApiVersion)651 bool BundlePermissionMgr::VerifyCallingBundleSdkVersion(int32_t beginApiVersion)
652 {
653 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
654 if (dataMgr == nullptr) {
655 LOG_E(BMS_TAG_DEFAULT, "DataMgr is nullptr");
656 return false;
657 }
658 int32_t callingUid = IPCSkeleton::GetCallingUid();
659 LOG_D(BMS_TAG_DEFAULT, "start, callingUid: %{public}d", callingUid);
660 std::string callingBundleName;
661 if (dataMgr->GetNameForUid(callingUid, callingBundleName) != ERR_OK) {
662 return false;
663 }
664 auto userId = callingUid / Constants::BASE_USER_RANGE;
665 ApplicationInfo applicationInfo;
666 auto res = dataMgr->GetApplicationInfoV9(callingBundleName,
667 static_cast<int32_t>(GetApplicationFlag::GET_APPLICATION_INFO_WITH_DISABLE), userId, applicationInfo);
668 if (res != ERR_OK) {
669 LOG_E(BMS_TAG_DEFAULT, "getApplicationInfo failed, callingBundleName:%{public}s", callingBundleName.c_str());
670 return false;
671 }
672 auto systemApiVersion = GetSdkApiVersion();
673 auto appApiVersion = applicationInfo.apiTargetVersion;
674 // api version is the minimum value of {appApiVersion, systemApiVersion}
675 appApiVersion = systemApiVersion < appApiVersion ? systemApiVersion : appApiVersion;
676 LOG_D(BMS_TAG_DEFAULT, "appApiVersion: %{public}d", appApiVersion);
677
678 if ((appApiVersion % BASE_API_VERSION) < beginApiVersion) {
679 LOG_I(BMS_TAG_DEFAULT, "previous app calling, verify success");
680 return true;
681 }
682 return false;
683 }
684
CreateHapInfoParams(const InnerBundleInfo & innerBundleInfo,const int32_t userId,const int32_t dlpType)685 Security::AccessToken::HapInfoParams BundlePermissionMgr::CreateHapInfoParams(const InnerBundleInfo &innerBundleInfo,
686 const int32_t userId, const int32_t dlpType)
687 {
688 AccessToken::HapInfoParams hapInfo;
689 hapInfo.userID = userId;
690 hapInfo.bundleName = innerBundleInfo.GetBundleName();
691 hapInfo.instIndex = innerBundleInfo.GetAppIndex();
692 hapInfo.appIDDesc = innerBundleInfo.GetAppId();
693 hapInfo.dlpType = dlpType;
694 hapInfo.apiVersion = innerBundleInfo.GetBaseApplicationInfo().apiTargetVersion;
695 hapInfo.isSystemApp = innerBundleInfo.IsSystemApp();
696 hapInfo.appDistributionType = innerBundleInfo.GetAppDistributionType();
697 return hapInfo;
698 }
699
InitHapToken(const InnerBundleInfo & innerBundleInfo,const int32_t userId,const int32_t dlpType,Security::AccessToken::AccessTokenIDEx & tokenIdeEx)700 int32_t BundlePermissionMgr::InitHapToken(const InnerBundleInfo &innerBundleInfo, const int32_t userId,
701 const int32_t dlpType, Security::AccessToken::AccessTokenIDEx& tokenIdeEx)
702 {
703 LOG_I(BMS_TAG_DEFAULT, "start, init hap token bundleName:%{public}s", innerBundleInfo.GetBundleName().c_str());
704 AccessToken::HapInfoParams hapInfo = CreateHapInfoParams(innerBundleInfo, userId, dlpType);
705 AccessToken::HapPolicyParams hapPolicy = CreateHapPolicyParam(innerBundleInfo);
706 auto ret = AccessToken::AccessTokenKit::InitHapToken(hapInfo, hapPolicy, tokenIdeEx);
707 if (AccessToken::AccessTokenError::ERR_SERVICE_ABNORMAL == ret ||
708 AccessToken::AccessTokenError::ERR_WRITE_PARCEL_FAILED == ret ||
709 AccessToken::AccessTokenError::ERR_READ_PARCEL_FAILED == ret) {
710 // try again
711 ret = AccessToken::AccessTokenKit::InitHapToken(hapInfo, hapPolicy, tokenIdeEx);
712 }
713 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
714 LOG_E(BMS_TAG_DEFAULT, "InitHapToken failed, bundleName:%{public}s errCode:%{public}d",
715 innerBundleInfo.GetBundleName().c_str(), ret);
716 return ret;
717 }
718 LOG_I(BMS_TAG_DEFAULT, "bundleName: %{public}s tokenId:%{public}u", innerBundleInfo.GetBundleName().c_str(),
719 tokenIdeEx.tokenIdExStruct.tokenID);
720 return ERR_OK;
721 }
722
UpdateHapToken(Security::AccessToken::AccessTokenIDEx & tokenIdeEx,const InnerBundleInfo & innerBundleInfo,int32_t userId)723 int32_t BundlePermissionMgr::UpdateHapToken(Security::AccessToken::AccessTokenIDEx& tokenIdeEx,
724 const InnerBundleInfo &innerBundleInfo, int32_t userId)
725 {
726 LOG_I(BMS_TAG_DEFAULT, "start, update hap token bundleName:%{public}s", innerBundleInfo.GetBundleName().c_str());
727 AccessToken::UpdateHapInfoParams updateHapInfoParams;
728 updateHapInfoParams.appIDDesc = innerBundleInfo.GetAppId();
729 updateHapInfoParams.apiVersion = innerBundleInfo.GetBaseApplicationInfo().apiTargetVersion;
730 updateHapInfoParams.isSystemApp = innerBundleInfo.IsSystemApp();
731 updateHapInfoParams.appDistributionType = innerBundleInfo.GetAppDistributionType();
732
733 AccessToken::HapPolicyParams hapPolicy = CreateHapPolicyParam(innerBundleInfo);
734
735 auto ret = AccessToken::AccessTokenKit::UpdateHapToken(tokenIdeEx, updateHapInfoParams, hapPolicy);
736 if (AccessToken::AccessTokenError::ERR_SERVICE_ABNORMAL == ret ||
737 AccessToken::AccessTokenError::ERR_WRITE_PARCEL_FAILED == ret) {
738 // try again
739 ret = AccessToken::AccessTokenKit::UpdateHapToken(tokenIdeEx, updateHapInfoParams, hapPolicy);
740 }
741 if (AccessToken::AccessTokenError::ERR_TOKENID_NOT_EXIST == ret) {
742 AccessToken::HapInfoParams hapInfo = CreateHapInfoParams(innerBundleInfo, userId, 0);
743 hapInfo.isRestore = true;
744 hapInfo.tokenID = tokenIdeEx.tokenIdExStruct.tokenID;
745 ret = AccessToken::AccessTokenKit::InitHapToken(hapInfo, hapPolicy, tokenIdeEx);
746 }
747 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
748 LOG_E(BMS_TAG_DEFAULT, "UpdateHapToken failed, bundleName:%{public}s errCode:%{public}d",
749 innerBundleInfo.GetBundleName().c_str(), ret);
750 return ret;
751 }
752 LOG_I(BMS_TAG_DEFAULT, "end, update hap token bundleName:%{public}s", innerBundleInfo.GetBundleName().c_str());
753 return ERR_OK;
754 }
755 } // namespace AppExecFwk
756 } // namespace OHOS