1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_info_manager.h"
17
18 #include <cinttypes>
19 #include <cstdint>
20 #include <fcntl.h>
21 #include <unistd.h>
22 #include <securec.h>
23 #include "access_token.h"
24 #include "accesstoken_dfx_define.h"
25 #include "accesstoken_id_manager.h"
26 #include "accesstoken_log.h"
27 #include "accesstoken_remote_token_manager.h"
28 #include "access_token_error.h"
29 #include "atm_tools_param_info_parcel.h"
30 #include "callback_manager.h"
31 #include "constant_common.h"
32 #include "data_translator.h"
33 #include "data_validator.h"
34 #ifdef SUPPORT_SANDBOX_APP
35 #include "dlp_permission_set_manager.h"
36 #endif
37 #include "generic_values.h"
38 #include "hap_token_info_inner.h"
39 #include "hisysevent_adapter.h"
40 #include "ipc_skeleton.h"
41 #include "permission_definition_cache.h"
42 #include "permission_manager.h"
43 #include "access_token_db.h"
44 #include "token_field_const.h"
45 #include "token_setproc.h"
46 #ifdef TOKEN_SYNC_ENABLE
47 #include "token_modify_notifier.h"
48 #endif
49
50 namespace OHOS {
51 namespace Security {
52 namespace AccessToken {
53 namespace {
54 std::recursive_mutex g_instanceMutex;
55 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "AccessTokenInfoManager"};
56 static const unsigned int SYSTEM_APP_FLAG = 0x0001;
57 #ifdef TOKEN_SYNC_ENABLE
58 static const int MAX_PTHREAD_NAME_LEN = 15; // pthread name max length
59 static const std::string ACCESS_TOKEN_PACKAGE_NAME = "ohos.security.distributed_token_sync";
60 #endif
61 static const std::string DUMP_JSON_PATH = "/data/service/el1/public/access_token/nativetoken.log";
62 }
63
AccessTokenInfoManager()64 AccessTokenInfoManager::AccessTokenInfoManager() : hasInited_(false) {}
65
~AccessTokenInfoManager()66 AccessTokenInfoManager::~AccessTokenInfoManager()
67 {
68 if (!hasInited_) {
69 return;
70 }
71
72 #ifdef TOKEN_SYNC_ENABLE
73 int32_t ret = DistributedHardware::DeviceManager::GetInstance().UnInitDeviceManager(ACCESS_TOKEN_PACKAGE_NAME);
74 if (ret != ERR_OK) {
75 ACCESSTOKEN_LOG_ERROR(LABEL, "UnInitDeviceManager failed, code: %{public}d", ret);
76 }
77 #endif
78
79 this->hasInited_ = false;
80 }
81
Init()82 void AccessTokenInfoManager::Init()
83 {
84 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->managerLock_);
85 if (hasInited_) {
86 return;
87 }
88
89 ACCESSTOKEN_LOG_INFO(LABEL, "Init begin!");
90 uint32_t hapSize = 0;
91 uint32_t nativeSize = 0;
92 InitHapTokenInfos(hapSize);
93 InitNativeTokenInfos(nativeSize);
94 uint32_t pefDefSize = PermissionDefinitionCache::GetInstance().GetDefPermissionsSize();
95 ReportSysEventServiceStart(getpid(), hapSize, nativeSize, pefDefSize);
96 ACCESSTOKEN_LOG_INFO(LABEL, "InitTokenInfo end, hapSize %{public}d, nativeSize %{public}d, pefDefSize %{public}d.",
97 hapSize, nativeSize, pefDefSize);
98
99 hasInited_ = true;
100 ACCESSTOKEN_LOG_INFO(LABEL, "Init success");
101 }
102
103 #ifdef TOKEN_SYNC_ENABLE
InitDmCallback(void)104 void AccessTokenInfoManager::InitDmCallback(void)
105 {
106 std::function<void()> runner = []() {
107 std::string name = "AtmInfoMgrInit";
108 pthread_setname_np(pthread_self(), name.substr(0, MAX_PTHREAD_NAME_LEN).c_str());
109 std::shared_ptr<AccessTokenDmInitCallback> ptrDmInitCallback = std::make_shared<AccessTokenDmInitCallback>();
110 int32_t ret = DistributedHardware::DeviceManager::GetInstance().InitDeviceManager(ACCESS_TOKEN_PACKAGE_NAME,
111 ptrDmInitCallback);
112 if (ret != ERR_OK) {
113 ACCESSTOKEN_LOG_ERROR(LABEL, "Initialize: InitDeviceManager error, result: %{public}d", ret);
114 }
115 ACCESSTOKEN_LOG_INFO(LABEL, "device manager part init end");
116 return;
117 };
118 std::thread initThread(runner);
119 initThread.detach();
120 }
121 #endif
122
InitHapTokenInfos(uint32_t & hapSize)123 void AccessTokenInfoManager::InitHapTokenInfos(uint32_t& hapSize)
124 {
125 GenericValues conditionValue;
126 std::vector<GenericValues> hapTokenRes;
127 std::vector<GenericValues> permDefRes;
128 std::vector<GenericValues> permStateRes;
129 int32_t ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_HAP_INFO, conditionValue, hapTokenRes);
130 if (ret != RET_SUCCESS || hapTokenRes.empty()) {
131 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR, "Load hap from db fail.", ret);
132 }
133 ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_DEF, conditionValue, permDefRes);
134 if (ret != RET_SUCCESS || permDefRes.empty()) {
135 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR, "Load perm def from db fail.", ret);
136 }
137 ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, conditionValue, permStateRes);
138 if (ret != RET_SUCCESS || permStateRes.empty()) {
139 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR, "Load perm state from db fail.", ret);
140 }
141 for (const GenericValues& tokenValue : hapTokenRes) {
142 AccessTokenID tokenId = (AccessTokenID)tokenValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID);
143 std::string bundle = tokenValue.GetString(TokenFiledConst::FIELD_BUNDLE_NAME);
144 int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, TOKEN_HAP);
145 if (ret != RET_SUCCESS) {
146 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}u add id failed, error=%{public}d.", tokenId, ret);
147 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR,
148 "RegisterTokenId fail, " + bundle + std::to_string(tokenId), ret);
149 continue;
150 }
151 std::shared_ptr<HapTokenInfoInner> hap = std::make_shared<HapTokenInfoInner>();
152 ret = hap->RestoreHapTokenInfo(tokenId, tokenValue, permStateRes);
153 if (ret != RET_SUCCESS) {
154 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
155 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}u restore failed.", tokenId);
156 continue;
157 }
158
159 ret = AddHapTokenInfo(hap);
160 if (ret != RET_SUCCESS) {
161 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
162 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}u add failed.", tokenId);
163 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR,
164 "AddHapTokenInfo fail, " + bundle + std::to_string(tokenId), ret);
165 continue;
166 }
167 hapSize++;
168 ACCESSTOKEN_LOG_INFO(LABEL,
169 " Restore hap token %{public}u bundle name %{public}s user %{public}d,"
170 " permSize %{public}d, inst %{public}d ok!",
171 tokenId, hap->GetBundleName().c_str(), hap->GetUserID(), hap->GetReqPermissionSize(), hap->GetInstIndex());
172 }
173 PermissionDefinitionCache::GetInstance().RestorePermDefInfo(permDefRes);
174 }
175
InitNativeTokenInfos(uint32_t & nativeSize)176 void AccessTokenInfoManager::InitNativeTokenInfos(uint32_t& nativeSize)
177 {
178 GenericValues conditionValue;
179 std::vector<GenericValues> nativeTokenResults;
180 std::vector<GenericValues> permStateRes;
181 int32_t ret = AccessTokenDb::GetInstance().Find(
182 AtmDataType::ACCESSTOKEN_NATIVE_INFO, conditionValue, nativeTokenResults);
183 if (ret != RET_SUCCESS || nativeTokenResults.empty()) {
184 ReportSysEventServiceStartError(INIT_NATIVE_TOKENINFO_ERROR, "Load native from db fail.", ret);
185 }
186 ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, conditionValue, permStateRes);
187 if (ret != RET_SUCCESS || permStateRes.empty()) {
188 ReportSysEventServiceStartError(INIT_NATIVE_TOKENINFO_ERROR, "Load perm state from db fail.", ret);
189 }
190 for (const GenericValues& nativeTokenValue : nativeTokenResults) {
191 AccessTokenID tokenId = (AccessTokenID)nativeTokenValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID);
192 std::string process = nativeTokenValue.GetString(TokenFiledConst::FIELD_PROCESS_NAME);
193 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenId);
194 int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, type);
195 if (ret != RET_SUCCESS) {
196 ReportSysEventServiceStartError(INIT_NATIVE_TOKENINFO_ERROR,
197 "RegisterTokenId fail, " + process + std::to_string(tokenId), ret);
198 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}u add failed, error=%{public}d.", tokenId, ret);
199 continue;
200 }
201 std::shared_ptr<NativeTokenInfoInner> native = std::make_shared<NativeTokenInfoInner>();
202
203 ret = native->RestoreNativeTokenInfo(tokenId, nativeTokenValue, permStateRes);
204 if (ret != RET_SUCCESS) {
205 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
206 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}u restore failed.", tokenId);
207 continue;
208 }
209
210 ret = AddNativeTokenInfo(native);
211 if (ret != RET_SUCCESS) {
212 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
213 ACCESSTOKEN_LOG_ERROR(LABEL, "Id %{public}u add failed.", tokenId);
214 ReportSysEventServiceStartError(INIT_NATIVE_TOKENINFO_ERROR,
215 "AddNativeTokenInfo fail, " + process + std::to_string(tokenId), ret);
216 continue;
217 }
218 nativeSize++;
219 ACCESSTOKEN_LOG_INFO(LABEL,
220 "restore native token %{public}u process name %{public}s, permSize %{public}d ok!",
221 tokenId, native->GetProcessName().c_str(), native->GetReqPermissionSize());
222 }
223 }
224
GetHapUniqueStr(const int & userID,const std::string & bundleName,const int & instIndex) const225 std::string AccessTokenInfoManager::GetHapUniqueStr(const int& userID,
226 const std::string& bundleName, const int& instIndex) const
227 {
228 return bundleName + "&" + std::to_string(userID) + "&" + std::to_string(instIndex);
229 }
230
GetHapUniqueStr(const std::shared_ptr<HapTokenInfoInner> & info) const231 std::string AccessTokenInfoManager::GetHapUniqueStr(const std::shared_ptr<HapTokenInfoInner>& info) const
232 {
233 if (info == nullptr) {
234 return std::string("");
235 }
236 return GetHapUniqueStr(info->GetUserID(), info->GetBundleName(), info->GetInstIndex());
237 }
238
AddHapTokenInfo(const std::shared_ptr<HapTokenInfoInner> & info)239 int AccessTokenInfoManager::AddHapTokenInfo(const std::shared_ptr<HapTokenInfoInner>& info)
240 {
241 if (info == nullptr) {
242 ACCESSTOKEN_LOG_ERROR(LABEL, "Token info is null.");
243 return AccessTokenError::ERR_PARAM_INVALID;
244 }
245 AccessTokenID id = info->GetTokenID();
246 AccessTokenID idRemoved = INVALID_TOKENID;
247 {
248 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
249 if (hapTokenInfoMap_.count(id) > 0) {
250 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u info has exist.", id);
251 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
252 }
253
254 if (!info->IsRemote()) {
255 std::string hapUniqueKey = GetHapUniqueStr(info);
256 auto iter = hapTokenIdMap_.find(hapUniqueKey);
257 if (iter != hapTokenIdMap_.end()) {
258 ACCESSTOKEN_LOG_INFO(LABEL, "Token %{public}u Unique info has exist, update.", id);
259 idRemoved = iter->second;
260 }
261 hapTokenIdMap_[hapUniqueKey] = id;
262 }
263 hapTokenInfoMap_[id] = info;
264 }
265 if (idRemoved != INVALID_TOKENID) {
266 RemoveHapTokenInfo(idRemoved);
267 }
268 // add hap to kernel
269 std::shared_ptr<PermissionPolicySet> policySet = info->GetHapInfoPermissionPolicySet();
270 PermissionManager::GetInstance().AddPermToKernel(id, policySet);
271
272 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "ADD_HAP", HiviewDFX::HiSysEvent::EventType::STATISTIC,
273 "TOKENID", info->GetTokenID(), "USERID", info->GetUserID(), "BUNDLENAME", info->GetBundleName(),
274 "INSTINDEX", info->GetInstIndex());
275
276 return RET_SUCCESS;
277 }
278
AddNativeTokenInfo(const std::shared_ptr<NativeTokenInfoInner> & info)279 int AccessTokenInfoManager::AddNativeTokenInfo(const std::shared_ptr<NativeTokenInfoInner>& info)
280 {
281 if (info == nullptr) {
282 ACCESSTOKEN_LOG_ERROR(LABEL, "Token info is null.");
283 return AccessTokenError::ERR_PARAM_INVALID;
284 }
285
286 AccessTokenID id = info->GetTokenID();
287 std::string processName = info->GetProcessName();
288 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
289 if (nativeTokenInfoMap_.count(id) > 0) {
290 ACCESSTOKEN_LOG_ERROR(
291 LABEL, "Token %{public}u has exist.", id);
292 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
293 }
294 if (!info->IsRemote()) {
295 if (nativeTokenIdMap_.count(processName) > 0) {
296 ACCESSTOKEN_LOG_ERROR(
297 LABEL, "Token %{public}u process name %{public}s has exist.", id, processName.c_str());
298 return AccessTokenError::ERR_PROCESS_NOT_EXIST;
299 }
300 nativeTokenIdMap_[processName] = id;
301 }
302
303 ACCESSTOKEN_LOG_DEBUG(LABEL, "Token info is added %{public}u.", id);
304 nativeTokenInfoMap_[id] = info;
305
306 // add native to kernel
307 std::shared_ptr<PermissionPolicySet> policySet = info->GetNativeInfoPermissionPolicySet();
308 PermissionManager::GetInstance().AddPermToKernel(id, policySet);
309
310 return RET_SUCCESS;
311 }
312
GetHapTokenInfoInner(AccessTokenID id)313 std::shared_ptr<HapTokenInfoInner> AccessTokenInfoManager::GetHapTokenInfoInner(AccessTokenID id)
314 {
315 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
316 auto iter = hapTokenInfoMap_.find(id);
317 if (iter != hapTokenInfoMap_.end()) {
318 return iter->second;
319 }
320 GenericValues conditionValue;
321 if (PermissionDefinitionCache::GetInstance().IsHapPermissionDefEmpty()) {
322 std::vector<GenericValues> permDefRes;
323 AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_DEF, conditionValue, permDefRes);
324 PermissionDefinitionCache::GetInstance().RestorePermDefInfo(permDefRes); // restore all permission definition
325 ACCESSTOKEN_LOG_INFO(LABEL, "Restore perm def size: %{public}zu, mapSize: %{public}zu.",
326 permDefRes.size(), hapTokenInfoMap_.size());
327 }
328
329 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(id));
330 std::vector<GenericValues> hapTokenResults;
331 int32_t ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_HAP_INFO, conditionValue, hapTokenResults);
332 if (ret != RET_SUCCESS || hapTokenResults.empty()) {
333 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to find Id(%{public}u) from hap_token_table, err: %{public}d, "
334 "hapSize: %{public}zu, mapSize: %{public}zu.", id, ret, hapTokenResults.size(), hapTokenInfoMap_.size());
335 return nullptr;
336 }
337 std::vector<GenericValues> permStateRes;
338 ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, conditionValue, permStateRes);
339 if (ret != RET_SUCCESS) {
340 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to find Id(%{public}u) from perm_state_table, err: %{public}d, "
341 "mapSize: %{public}zu.", id, ret, hapTokenInfoMap_.size());
342 return nullptr;
343 }
344
345 std::shared_ptr<HapTokenInfoInner> hap = std::make_shared<HapTokenInfoInner>();
346 ret = hap->RestoreHapTokenInfo(id, hapTokenResults[0], permStateRes);
347 if (ret != RET_SUCCESS) {
348 ACCESSTOKEN_LOG_ERROR(LABEL, "Id %{public}u restore failed, err: %{public}d, mapSize: %{public}zu.",
349 id, ret, hapTokenInfoMap_.size());
350 return nullptr;
351 }
352 AccessTokenIDManager::GetInstance().RegisterTokenId(id, TOKEN_HAP);
353 hapTokenIdMap_[GetHapUniqueStr(hap)] = id;
354 hapTokenInfoMap_[id] = hap;
355 std::shared_ptr<PermissionPolicySet> policySet = hap->GetHapInfoPermissionPolicySet();
356 PermissionManager::GetInstance().AddPermToKernel(id, policySet);
357 ACCESSTOKEN_LOG_INFO(LABEL, " Token %{public}u is not found in map(mapSize: %{public}zu), begin load from DB,"
358 " restore bundle %{public}s user %{public}d, idx %{public}d, permSize %{public}d.", id, hapTokenInfoMap_.size(),
359 hap->GetBundleName().c_str(), hap->GetUserID(), hap->GetInstIndex(), hap->GetReqPermissionSize());
360 return hap;
361 }
362
GetHapTokenDlpType(AccessTokenID id)363 int32_t AccessTokenInfoManager::GetHapTokenDlpType(AccessTokenID id)
364 {
365 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
366 auto iter = hapTokenInfoMap_.find(id);
367 if ((iter != hapTokenInfoMap_.end()) && (iter->second != nullptr)) {
368 return iter->second->GetDlpType();
369 }
370 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u is invalid, mapSize: %{public}zu.", id, hapTokenInfoMap_.size());
371 return BUTT_DLP_TYPE;
372 }
373
IsTokenIdExist(AccessTokenID id)374 bool AccessTokenInfoManager::IsTokenIdExist(AccessTokenID id)
375 {
376 {
377 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
378 if (hapTokenInfoMap_.count(id) != 0) {
379 return true;
380 }
381 }
382 {
383 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
384 if (nativeTokenInfoMap_.count(id) != 0) {
385 return true;
386 }
387 }
388 return false;
389 }
390
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfo & info)391 int AccessTokenInfoManager::GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& info)
392 {
393 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
394 if (infoPtr == nullptr) {
395 ACCESSTOKEN_LOG_ERROR(
396 LABEL, "Token %{public}u is invalid.", tokenID);
397 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
398 }
399 infoPtr->TranslateToHapTokenInfo(info);
400 return RET_SUCCESS;
401 }
402
GetHapPermissionPolicySet(AccessTokenID id)403 std::shared_ptr<PermissionPolicySet> AccessTokenInfoManager::GetHapPermissionPolicySet(AccessTokenID id)
404 {
405 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(id);
406 if (infoPtr == nullptr) {
407 ACCESSTOKEN_LOG_ERROR(
408 LABEL, "Token %{public}u is invalid.", id);
409 return nullptr;
410 }
411 return infoPtr->GetHapInfoPermissionPolicySet();
412 }
413
GetNativeTokenInfoInner(AccessTokenID id)414 std::shared_ptr<NativeTokenInfoInner> AccessTokenInfoManager::GetNativeTokenInfoInner(AccessTokenID id)
415 {
416 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
417 auto iter = nativeTokenInfoMap_.find(id);
418 if (iter != nativeTokenInfoMap_.end()) {
419 return iter->second;
420 }
421
422 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u is invalid.", id);
423 return nullptr;
424 }
425
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfo & infoParcel)426 int AccessTokenInfoManager::GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfo& infoParcel)
427 {
428 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(tokenID);
429 if (infoPtr == nullptr) {
430 ACCESSTOKEN_LOG_ERROR(
431 LABEL, "Token %{public}u is invalid.", tokenID);
432 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
433 }
434
435 infoPtr->TranslateToNativeTokenInfo(infoParcel);
436 return RET_SUCCESS;
437 }
438
GetNativePermissionPolicySet(AccessTokenID id)439 std::shared_ptr<PermissionPolicySet> AccessTokenInfoManager::GetNativePermissionPolicySet(AccessTokenID id)
440 {
441 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(id);
442 if (infoPtr == nullptr) {
443 ACCESSTOKEN_LOG_ERROR(
444 LABEL, "Token %{public}u is invalid.", id);
445 return nullptr;
446 }
447 return infoPtr->GetNativeInfoPermissionPolicySet();
448 }
449
RemoveHapTokenInfo(AccessTokenID id)450 int AccessTokenInfoManager::RemoveHapTokenInfo(AccessTokenID id)
451 {
452 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id);
453 if (type != TOKEN_HAP) {
454 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u is not hap.", id);
455 return ERR_PARAM_INVALID;
456 }
457 std::shared_ptr<HapTokenInfoInner> info;
458 // make sure that RemoveDefPermissions is called outside of the lock to avoid deadlocks.
459 PermissionManager::GetInstance().RemoveDefPermissions(id);
460 {
461 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
462 RemoveHapTokenInfoFromDb(id);
463 // remove hap to kernel
464 PermissionManager::GetInstance().RemovePermFromKernel(id);
465 AccessTokenIDManager::GetInstance().ReleaseTokenId(id);
466
467 if (hapTokenInfoMap_.count(id) == 0) {
468 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token %{public}u no exist.", id);
469 return ERR_TOKENID_NOT_EXIST;
470 }
471
472 info = hapTokenInfoMap_[id];
473 if (info == nullptr) {
474 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token %{public}u is null.", id);
475 return ERR_TOKEN_INVALID;
476 }
477 if (info->IsRemote()) {
478 ACCESSTOKEN_LOG_ERROR(LABEL, "Remote hap token %{public}u can not delete.", id);
479 return ERR_IDENTITY_CHECK_FAILED;
480 }
481 std::string HapUniqueKey = GetHapUniqueStr(info);
482 auto iter = hapTokenIdMap_.find(HapUniqueKey);
483 if ((iter != hapTokenIdMap_.end()) && (iter->second == id)) {
484 hapTokenIdMap_.erase(HapUniqueKey);
485 }
486 hapTokenInfoMap_.erase(id);
487 }
488
489 ACCESSTOKEN_LOG_INFO(LABEL, "Remove hap token %{public}u ok!", id);
490 PermissionStateNotify(info, id);
491 #ifdef TOKEN_SYNC_ENABLE
492 TokenModifyNotifier::GetInstance().NotifyTokenDelete(id);
493 #endif
494
495 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "DEL_HAP", HiviewDFX::HiSysEvent::EventType::STATISTIC,
496 "TOKENID", info->GetTokenID(), "USERID", info->GetUserID(), "BUNDLENAME", info->GetBundleName(),
497 "INSTINDEX", info->GetInstIndex());
498
499 return RET_SUCCESS;
500 }
501
RemoveNativeTokenInfo(AccessTokenID id)502 int AccessTokenInfoManager::RemoveNativeTokenInfo(AccessTokenID id)
503 {
504 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id);
505 if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) {
506 ACCESSTOKEN_LOG_ERROR(
507 LABEL, "Token %{public}u is not hap.", id);
508 return ERR_PARAM_INVALID;
509 }
510
511 {
512 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
513 if (nativeTokenInfoMap_.count(id) == 0) {
514 ACCESSTOKEN_LOG_ERROR(LABEL, "Native token %{public}u is null.", id);
515 return ERR_TOKENID_NOT_EXIST;
516 }
517
518 std::shared_ptr<NativeTokenInfoInner> info = nativeTokenInfoMap_[id];
519 if (info->IsRemote()) {
520 ACCESSTOKEN_LOG_ERROR(LABEL, "Remote native token %{public}u can not delete.", id);
521 return ERR_TOKEN_INVALID;
522 }
523 std::string processName = nativeTokenInfoMap_[id]->GetProcessName();
524 if (nativeTokenIdMap_.count(processName) != 0) {
525 nativeTokenIdMap_.erase(processName);
526 }
527 nativeTokenInfoMap_.erase(id);
528 }
529 AccessTokenIDManager::GetInstance().ReleaseTokenId(id);
530 ACCESSTOKEN_LOG_INFO(LABEL, "Remove native token %{public}u ok!", id);
531
532 if (!RemoveNativeInfoFromDatabase(id)) {
533 return AccessTokenError::ERR_DATABASE_OPERATE_FAILED;
534 }
535
536 // remove native to kernel
537 PermissionManager::GetInstance().RemovePermFromKernel(id);
538 return RET_SUCCESS;
539 }
540
541 #ifdef SUPPORT_SANDBOX_APP
GetPolicyCopied(const HapPolicyParams & policy,HapPolicyParams & policyNew)542 static void GetPolicyCopied(const HapPolicyParams& policy, HapPolicyParams& policyNew)
543 {
544 policyNew.apl = policy.apl;
545 policyNew.domain = policy.domain;
546
547 for (const auto& state : policy.permStateList) {
548 policyNew.permStateList.emplace_back(state);
549 }
550 for (const auto& def : policy.permList) {
551 policyNew.permList.emplace_back(def);
552 }
553 }
554 #endif
555
CreateHapTokenInfo(const HapInfoParams & info,const HapPolicyParams & policy,AccessTokenIDEx & tokenIdEx)556 int AccessTokenInfoManager::CreateHapTokenInfo(
557 const HapInfoParams& info, const HapPolicyParams& policy, AccessTokenIDEx& tokenIdEx)
558 {
559 if ((!DataValidator::IsUserIdValid(info.userID)) || (!DataValidator::IsBundleNameValid(info.bundleName)) ||
560 (!DataValidator::IsAppIDDescValid(info.appIDDesc)) || (!DataValidator::IsDomainValid(policy.domain)) ||
561 (!DataValidator::IsDlpTypeValid(info.dlpType))) {
562 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token param failed");
563 return AccessTokenError::ERR_PARAM_INVALID;
564 }
565 int32_t dlpFlag = (info.dlpType > DLP_COMMON) ? 1 : 0;
566 int32_t cloneFlag = ((dlpFlag == 0) && (info.instIndex) > 0) ? 1 : 0;
567 AccessTokenID tokenId = AccessTokenIDManager::GetInstance().CreateAndRegisterTokenId(TOKEN_HAP, dlpFlag, cloneFlag);
568 if (tokenId == 0) {
569 ACCESSTOKEN_LOG_ERROR(LABEL, "Token Id create failed");
570 return ERR_TOKENID_CREATE_FAILED;
571 }
572 PermissionManager::GetInstance().AddDefPermissions(policy.permList, tokenId, false);
573 #ifdef SUPPORT_SANDBOX_APP
574 std::shared_ptr<HapTokenInfoInner> tokenInfo;
575 if (info.dlpType != DLP_COMMON) {
576 HapPolicyParams policyNew;
577 GetPolicyCopied(policy, policyNew);
578 DlpPermissionSetManager::GetInstance().UpdatePermStateWithDlpInfo(info.dlpType, policyNew.permStateList);
579 tokenInfo = std::make_shared<HapTokenInfoInner>(tokenId, info, policyNew);
580 } else {
581 tokenInfo = std::make_shared<HapTokenInfoInner>(tokenId, info, policy);
582 }
583 #else
584 std::shared_ptr<HapTokenInfoInner> tokenInfo = std::make_shared<HapTokenInfoInner>(tokenId, info, policy);
585 #endif
586 int ret = AddHapTokenInfo(tokenInfo);
587 if (ret != RET_SUCCESS) {
588 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s add token info failed", info.bundleName.c_str());
589 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
590 PermissionManager::GetInstance().RemoveDefPermissions(tokenId);
591 return ret;
592 }
593 ACCESSTOKEN_LOG_INFO(LABEL, "Create hap token %{public}u bundleName %{public}s user %{public}d inst %{public}d ok",
594 tokenId, tokenInfo->GetBundleName().c_str(), tokenInfo->GetUserID(), tokenInfo->GetInstIndex());
595 AllocAccessTokenIDEx(info, tokenId, tokenIdEx);
596 AddHapTokenInfoToDb(tokenId, tokenInfo);
597 return RET_SUCCESS;
598 }
599
AllocAccessTokenIDEx(const HapInfoParams & info,AccessTokenID tokenId,AccessTokenIDEx & tokenIdEx)600 int AccessTokenInfoManager::AllocAccessTokenIDEx(
601 const HapInfoParams& info, AccessTokenID tokenId, AccessTokenIDEx& tokenIdEx)
602 {
603 tokenIdEx.tokenIdExStruct.tokenID = tokenId;
604 if (info.isSystemApp) {
605 tokenIdEx.tokenIdExStruct.tokenAttr |= SYSTEM_APP_FLAG;
606 }
607 return RET_SUCCESS;
608 }
609
CheckNativeDCap(AccessTokenID tokenID,const std::string & dcap)610 int AccessTokenInfoManager::CheckNativeDCap(AccessTokenID tokenID, const std::string& dcap)
611 {
612 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(tokenID);
613 if (infoPtr == nullptr) {
614 ACCESSTOKEN_LOG_ERROR(
615 LABEL, "Token %{public}u is invalid.", tokenID);
616 return ERR_TOKENID_NOT_EXIST;
617 }
618
619 std::vector<std::string> dcaps = infoPtr->GetDcap();
620 for (auto iter = dcaps.begin(); iter != dcaps.end(); iter++) {
621 if (*iter == dcap) {
622 return RET_SUCCESS;
623 }
624 }
625 return ERR_CHECK_DCAP_FAIL;
626 }
627
GetHapTokenID(int32_t userID,const std::string & bundleName,int32_t instIndex)628 AccessTokenIDEx AccessTokenInfoManager::GetHapTokenID(int32_t userID, const std::string& bundleName, int32_t instIndex)
629 {
630 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
631 std::string HapUniqueKey = GetHapUniqueStr(userID, bundleName, instIndex);
632 AccessTokenIDEx tokenIdEx = {0};
633 auto iter = hapTokenIdMap_.find(HapUniqueKey);
634 if (iter != hapTokenIdMap_.end()) {
635 AccessTokenID tokenId = iter->second;
636 auto infoIter = hapTokenInfoMap_.find(tokenId);
637 if (infoIter != hapTokenInfoMap_.end()) {
638 if (infoIter->second == nullptr) {
639 ACCESSTOKEN_LOG_ERROR(LABEL, "HapTokenInfoInner is nullptr");
640 return tokenIdEx;
641 }
642 HapTokenInfo info = infoIter->second->GetHapInfoBasic();
643 tokenIdEx.tokenIdExStruct.tokenID = info.tokenID;
644 tokenIdEx.tokenIdExStruct.tokenAttr = info.tokenAttr;
645 }
646 }
647 return tokenIdEx;
648 }
649
TryUpdateExistNativeToken(const std::shared_ptr<NativeTokenInfoInner> & infoPtr)650 bool AccessTokenInfoManager::TryUpdateExistNativeToken(const std::shared_ptr<NativeTokenInfoInner>& infoPtr)
651 {
652 if (infoPtr == nullptr) {
653 ACCESSTOKEN_LOG_WARN(LABEL, "Info is null.");
654 return false;
655 }
656
657 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
658 AccessTokenID id = infoPtr->GetTokenID();
659 std::string processName = infoPtr->GetProcessName();
660 bool idExist = (nativeTokenInfoMap_.count(id) > 0);
661 bool processExist = (nativeTokenIdMap_.count(processName) > 0);
662 // id is exist, but it is not this process, so neither update nor add.
663 if (idExist && !processExist) {
664 ACCESSTOKEN_LOG_ERROR(
665 LABEL, "Token Id is exist, but process name is not exist, can not update.");
666 return true;
667 }
668
669 // this process is exist, but id is not same, perhaps libat lose his data, we need delete old, add new later.
670 if (!idExist && processExist) {
671 AccessTokenID idRemove = nativeTokenIdMap_[processName];
672 nativeTokenIdMap_.erase(processName);
673 if (nativeTokenInfoMap_.count(idRemove) > 0) {
674 nativeTokenInfoMap_.erase(idRemove);
675 }
676 AccessTokenIDManager::GetInstance().ReleaseTokenId(idRemove);
677 return false;
678 }
679
680 if (!idExist && !processExist) {
681 return false;
682 }
683
684 nativeTokenInfoMap_[id] = infoPtr;
685
686 // add native to kernel
687 std::shared_ptr<PermissionPolicySet> policySet = infoPtr->GetNativeInfoPermissionPolicySet();
688 PermissionManager::GetInstance().AddPermToKernel(id, policySet);
689 return true;
690 }
691
ProcessNativeTokenInfos(const std::vector<std::shared_ptr<NativeTokenInfoInner>> & tokenInfos)692 void AccessTokenInfoManager::ProcessNativeTokenInfos(
693 const std::vector<std::shared_ptr<NativeTokenInfoInner>>& tokenInfos)
694 {
695 for (const auto& infoPtr: tokenInfos) {
696 if (infoPtr == nullptr) {
697 ACCESSTOKEN_LOG_WARN(LABEL, "Token info from libat is null");
698 continue;
699 }
700 bool isUpdated = TryUpdateExistNativeToken(infoPtr);
701 if (!isUpdated) {
702 ACCESSTOKEN_LOG_INFO(LABEL,
703 "Token %{public}u process name %{public}s is new, add to manager!",
704 infoPtr->GetTokenID(), infoPtr->GetProcessName().c_str());
705 AccessTokenID id = infoPtr->GetTokenID();
706 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(id);
707 int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(id, type);
708 if (ret != RET_SUCCESS) {
709 ACCESSTOKEN_LOG_ERROR(LABEL, "Token Id register fail");
710 continue;
711 }
712 ret = AddNativeTokenInfo(infoPtr);
713 if (ret != RET_SUCCESS) {
714 AccessTokenIDManager::GetInstance().ReleaseTokenId(id);
715 ACCESSTOKEN_LOG_ERROR(LABEL,
716 "Token %{public}u process name %{public}s add to manager failed!",
717 infoPtr->GetTokenID(), infoPtr->GetProcessName().c_str());
718 }
719 }
720 }
721 AddAllNativeTokenInfoToDb();
722 }
723
UpdateHapToken(AccessTokenIDEx & tokenIdEx,const UpdateHapInfoParams & info,const std::vector<PermissionStateFull> & permStateList,ATokenAplEnum apl,const std::vector<PermissionDef> & permList)724 int32_t AccessTokenInfoManager::UpdateHapToken(AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info,
725 const std::vector<PermissionStateFull>& permStateList, ATokenAplEnum apl,
726 const std::vector<PermissionDef>& permList)
727 {
728 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
729 if (!DataValidator::IsAppIDDescValid(info.appIDDesc)) {
730 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u parm format error!", tokenID);
731 return AccessTokenError::ERR_PARAM_INVALID;
732 }
733 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
734 if (infoPtr == nullptr) {
735 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u is invalid, can not update!", tokenID);
736 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
737 }
738
739 if (infoPtr->IsRemote()) {
740 ACCESSTOKEN_LOG_ERROR(LABEL, "Remote hap token %{public}u can not update!", tokenID);
741 return ERR_IDENTITY_CHECK_FAILED;
742 }
743 if (info.isSystemApp) {
744 tokenIdEx.tokenIdExStruct.tokenAttr |= SYSTEM_APP_FLAG;
745 } else {
746 tokenIdEx.tokenIdExStruct.tokenAttr &= ~SYSTEM_APP_FLAG;
747 }
748 {
749 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
750 infoPtr->Update(info, permStateList, apl);
751 ACCESSTOKEN_LOG_INFO(LABEL,
752 "Token %{public}u bundle name %{public}s user %{public}d inst %{public}d tokenAttr %{public}d update ok!",
753 tokenID, infoPtr->GetBundleName().c_str(), infoPtr->GetUserID(), infoPtr->GetInstIndex(),
754 infoPtr->GetHapInfoBasic().tokenAttr);
755 }
756 PermissionManager::GetInstance().AddDefPermissions(permList, tokenID, true);
757 #ifdef TOKEN_SYNC_ENABLE
758 TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID);
759 #endif
760 // update hap to kernel
761 std::shared_ptr<PermissionPolicySet> policySet = infoPtr->GetHapInfoPermissionPolicySet();
762 PermissionManager::GetInstance().AddPermToKernel(tokenID, policySet);
763 return ModifyHapTokenInfoFromDb(tokenID, infoPtr);
764 }
765
766 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenSync(AccessTokenID tokenID,HapTokenInfoForSync & hapSync)767 int AccessTokenInfoManager::GetHapTokenSync(AccessTokenID tokenID, HapTokenInfoForSync& hapSync)
768 {
769 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
770 if (infoPtr == nullptr || infoPtr->IsRemote()) {
771 ACCESSTOKEN_LOG_ERROR(
772 LABEL, "Token %{public}u is invalid.", tokenID);
773 return ERR_IDENTITY_CHECK_FAILED;
774 }
775 hapSync.baseInfo = infoPtr->GetHapInfoBasic();
776 std::shared_ptr<PermissionPolicySet> permSetPtr = infoPtr->GetHapInfoPermissionPolicySet();
777 if (permSetPtr == nullptr) {
778 ACCESSTOKEN_LOG_ERROR(
779 LABEL, "Token %{public}u permSet is invalid.", tokenID);
780 return ERR_TOKEN_INVALID;
781 }
782 permSetPtr->GetPermissionStateList(hapSync.permStateList);
783 return RET_SUCCESS;
784 }
785
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSync & hapSync)786 int AccessTokenInfoManager::GetHapTokenInfoFromRemote(AccessTokenID tokenID,
787 HapTokenInfoForSync& hapSync)
788 {
789 int ret = GetHapTokenSync(tokenID, hapSync);
790 TokenModifyNotifier::GetInstance().AddHapTokenObservation(tokenID);
791 return ret;
792 }
793
UpdateRemoteHapTokenInfo(AccessTokenID mapID,HapTokenInfoForSync & hapSync)794 int AccessTokenInfoManager::UpdateRemoteHapTokenInfo(AccessTokenID mapID, HapTokenInfoForSync& hapSync)
795 {
796 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(mapID);
797 if (infoPtr == nullptr || !infoPtr->IsRemote()) {
798 ACCESSTOKEN_LOG_INFO(LABEL, "Token %{public}u is null or not remote, can not update!", mapID);
799 return ERR_IDENTITY_CHECK_FAILED;
800 }
801
802 std::shared_ptr<PermissionPolicySet> newPermPolicySet =
803 PermissionPolicySet::BuildPolicySetWithoutDefCheck(mapID, hapSync.permStateList);
804
805 {
806 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
807 infoPtr->SetTokenBaseInfo(hapSync.baseInfo);
808 infoPtr->SetPermissionPolicySet(newPermPolicySet);
809 }
810 // update remote hap to kernel
811 PermissionManager::GetInstance().AddPermToKernel(mapID, newPermPolicySet);
812 return RET_SUCCESS;
813 }
814
CreateRemoteHapTokenInfo(AccessTokenID mapID,HapTokenInfoForSync & hapSync)815 int AccessTokenInfoManager::CreateRemoteHapTokenInfo(AccessTokenID mapID, HapTokenInfoForSync& hapSync)
816 {
817 std::shared_ptr<HapTokenInfoInner> hap = std::make_shared<HapTokenInfoInner>(mapID, hapSync);
818 hap->SetRemote(true);
819
820 int ret = AddHapTokenInfo(hap);
821 if (ret != RET_SUCCESS) {
822 ACCESSTOKEN_LOG_ERROR(LABEL, "Add local token failed.");
823 return ret;
824 }
825
826 return RET_SUCCESS;
827 }
828
IsRemoteHapTokenValid(const std::string & deviceID,const HapTokenInfoForSync & hapSync)829 bool AccessTokenInfoManager::IsRemoteHapTokenValid(const std::string& deviceID, const HapTokenInfoForSync& hapSync)
830 {
831 std::string errReason;
832 if (!DataValidator::IsDeviceIdValid(deviceID) || !DataValidator::IsDeviceIdValid(hapSync.baseInfo.deviceID)) {
833 errReason = "respond deviceID error";
834 } else if (!DataValidator::IsUserIdValid(hapSync.baseInfo.userID)) {
835 errReason = "respond userID error";
836 } else if (!DataValidator::IsBundleNameValid(hapSync.baseInfo.bundleName)) {
837 errReason = "respond bundleName error";
838 } else if (!DataValidator::IsAplNumValid(hapSync.baseInfo.apl)) {
839 errReason = "respond apl error";
840 } else if (!DataValidator::IsTokenIDValid(hapSync.baseInfo.tokenID)) {
841 errReason = "respond tokenID error";
842 } else if (!DataValidator::IsAppIDDescValid(hapSync.baseInfo.appID)) {
843 errReason = "respond appID error";
844 } else if (!DataValidator::IsDlpTypeValid(hapSync.baseInfo.dlpType)) {
845 errReason = "respond dlpType error";
846 } else if (hapSync.baseInfo.ver != DEFAULT_TOKEN_VERSION) {
847 errReason = "respond version error";
848 } else if (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(hapSync.baseInfo.tokenID) != TOKEN_HAP) {
849 errReason = "respond token type error";
850 } else {
851 return true;
852 }
853
854 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
855 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_RESPONSE_ERROR,
856 "REMOTE_ID", ConstantCommon::EncryptDevId(deviceID), "ERROR_REASON", errReason);
857 return false;
858 }
859
SetRemoteHapTokenInfo(const std::string & deviceID,HapTokenInfoForSync & hapSync)860 int AccessTokenInfoManager::SetRemoteHapTokenInfo(const std::string& deviceID, HapTokenInfoForSync& hapSync)
861 {
862 if (!IsRemoteHapTokenValid(deviceID, hapSync)) {
863 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s parms invalid", ConstantCommon::EncryptDevId(deviceID).c_str());
864 return ERR_IDENTITY_CHECK_FAILED;
865 }
866
867 AccessTokenID remoteID = hapSync.baseInfo.tokenID;
868 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, remoteID);
869 if (mapID != 0) {
870 ACCESSTOKEN_LOG_INFO(LABEL, "Device %{public}s token %{public}u update exist remote hap token %{public}u.",
871 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
872 // update remote token mapping id
873 hapSync.baseInfo.tokenID = mapID;
874 hapSync.baseInfo.deviceID = deviceID;
875 return UpdateRemoteHapTokenInfo(mapID, hapSync);
876 }
877
878 mapID = AccessTokenRemoteTokenManager::GetInstance().MapRemoteDeviceTokenToLocal(deviceID, remoteID);
879 if (mapID == 0) {
880 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s token %{public}u map failed.",
881 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID);
882 return ERR_TOKEN_MAP_FAILED;
883 }
884
885 // update remote token mapping id
886 hapSync.baseInfo.tokenID = mapID;
887 hapSync.baseInfo.deviceID = deviceID;
888 int ret = CreateRemoteHapTokenInfo(mapID, hapSync);
889 if (ret != RET_SUCCESS) {
890 AccessTokenRemoteTokenManager::GetInstance().RemoveDeviceMappingTokenID(deviceID, mapID);
891 ACCESSTOKEN_LOG_INFO(LABEL, "Device %{public}s token %{public}u map to local token %{public}u failed.",
892 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
893 return ret;
894 }
895 ACCESSTOKEN_LOG_INFO(LABEL, "Device %{public}s token %{public}u map to local token %{public}u success.",
896 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
897 return RET_SUCCESS;
898 }
899
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)900 int AccessTokenInfoManager::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
901 {
902 if (!DataValidator::IsDeviceIdValid(deviceID)) {
903 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s parms invalid.",
904 ConstantCommon::EncryptDevId(deviceID).c_str());
905 return AccessTokenError::ERR_PARAM_INVALID;
906 }
907 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, tokenID);
908 if (mapID == 0) {
909 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s tokenId %{public}u is not mapped.",
910 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
911 return ERR_TOKEN_MAP_FAILED;
912 }
913
914 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(mapID);
915 if (type == TOKEN_HAP) {
916 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
917 if (hapTokenInfoMap_.count(mapID) == 0) {
918 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token %{public}u no exist.", mapID);
919 return ERR_TOKEN_INVALID;
920 }
921 hapTokenInfoMap_.erase(mapID);
922 } else if ((type == TOKEN_NATIVE) || (type == TOKEN_SHELL)) {
923 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
924 if (nativeTokenInfoMap_.count(mapID) == 0) {
925 ACCESSTOKEN_LOG_ERROR(
926 LABEL, "Native token %{public}u is null.", mapID);
927 return ERR_TOKEN_INVALID;
928 }
929 nativeTokenInfoMap_.erase(mapID);
930 } else {
931 ACCESSTOKEN_LOG_ERROR(LABEL, "Mapping tokenId %{public}u type is unknown.", mapID);
932 }
933
934 return AccessTokenRemoteTokenManager::GetInstance().RemoveDeviceMappingTokenID(deviceID, tokenID);
935 }
936
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID)937 AccessTokenID AccessTokenInfoManager::GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID)
938 {
939 if ((!DataValidator::IsDeviceIdValid(deviceID)) || (tokenID == 0) ||
940 ((AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_NATIVE) &&
941 (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_SHELL))) {
942 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s parms invalid.",
943 ConstantCommon::EncryptDevId(deviceID).c_str());
944 return 0;
945 }
946 return AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, tokenID);
947 }
948
DeleteRemoteDeviceTokens(const std::string & deviceID)949 int AccessTokenInfoManager::DeleteRemoteDeviceTokens(const std::string& deviceID)
950 {
951 if (!DataValidator::IsDeviceIdValid(deviceID)) {
952 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s parms invalid.",
953 ConstantCommon::EncryptDevId(deviceID).c_str());
954 return AccessTokenError::ERR_PARAM_INVALID;
955 }
956 std::vector<AccessTokenID> remoteTokens;
957 int ret = AccessTokenRemoteTokenManager::GetInstance().GetDeviceAllRemoteTokenID(deviceID, remoteTokens);
958 if (ret != RET_SUCCESS) {
959 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s have no remote token.",
960 ConstantCommon::EncryptDevId(deviceID).c_str());
961 return ret;
962 }
963 for (AccessTokenID remoteID : remoteTokens) {
964 DeleteRemoteToken(deviceID, remoteID);
965 }
966 return RET_SUCCESS;
967 }
968
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)969 AccessTokenID AccessTokenInfoManager::AllocLocalTokenID(const std::string& remoteDeviceID,
970 AccessTokenID remoteTokenID)
971 {
972 if (!DataValidator::IsDeviceIdValid(remoteDeviceID)) {
973 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s parms invalid.",
974 ConstantCommon::EncryptDevId(remoteDeviceID).c_str());
975 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
976 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_CALL_ERROR,
977 "REMOTE_ID", ConstantCommon::EncryptDevId(remoteDeviceID), "ERROR_REASON", "deviceID error");
978 return 0;
979 }
980 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
981 SetFirstCallerTokenID(fullTokenId);
982 ACCESSTOKEN_LOG_INFO(LABEL, "Set first caller %{public}" PRIu64 ".", fullTokenId);
983
984 std::string remoteUdid;
985 DistributedHardware::DeviceManager::GetInstance().GetUdidByNetworkId(ACCESS_TOKEN_PACKAGE_NAME, remoteDeviceID,
986 remoteUdid);
987 ACCESSTOKEN_LOG_INFO(LABEL, "Device %{public}s remoteUdid.", ConstantCommon::EncryptDevId(remoteUdid).c_str());
988 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(remoteUdid,
989 remoteTokenID);
990 if (mapID != 0) {
991 return mapID;
992 }
993 int ret = TokenModifyNotifier::GetInstance().GetRemoteHapTokenInfo(remoteUdid, remoteTokenID);
994 if (ret != RET_SUCCESS) {
995 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s token %{public}u sync failed",
996 ConstantCommon::EncryptDevId(remoteUdid).c_str(), remoteTokenID);
997 std::string errorReason = "token sync call error, error number is " + std::to_string(ret);
998 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
999 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_CALL_ERROR,
1000 "REMOTE_ID", ConstantCommon::EncryptDevId(remoteDeviceID), "ERROR_REASON", errorReason);
1001 return 0;
1002 }
1003
1004 return AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(remoteUdid, remoteTokenID);
1005 }
1006 #else
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)1007 AccessTokenID AccessTokenInfoManager::AllocLocalTokenID(const std::string& remoteDeviceID,
1008 AccessTokenID remoteTokenID)
1009 {
1010 ACCESSTOKEN_LOG_ERROR(LABEL, "Tokensync is disable, check dependent components");
1011 return 0;
1012 }
1013 #endif
1014
GetInstance()1015 AccessTokenInfoManager& AccessTokenInfoManager::GetInstance()
1016 {
1017 static AccessTokenInfoManager* instance = nullptr;
1018 if (instance == nullptr) {
1019 std::lock_guard<std::recursive_mutex> lock(g_instanceMutex);
1020 if (instance == nullptr) {
1021 instance = new AccessTokenInfoManager();
1022 }
1023 }
1024 return *instance;
1025 }
1026
AddAllNativeTokenInfoToDb(void)1027 int AccessTokenInfoManager::AddAllNativeTokenInfoToDb(void)
1028 {
1029 std::vector<GenericValues> permStateValues;
1030 std::vector<GenericValues> nativeTokenValues;
1031
1032 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1033 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1034 if (iter->second != nullptr) {
1035 iter->second->StoreNativeInfo(nativeTokenValues);
1036 iter->second->StorePermissionPolicy(permStateValues);
1037 }
1038 }
1039 ACCESSTOKEN_LOG_INFO(LABEL, "permStateValues %{public}zu, nativeTokenValues %{public}zu.",
1040 permStateValues.size(), nativeTokenValues.size());
1041 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, permStateValues);
1042 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_NATIVE_INFO, nativeTokenValues);
1043 return RET_SUCCESS;
1044 }
1045
ModifyHapTokenInfoFromDb(AccessTokenID tokenID,const std::shared_ptr<HapTokenInfoInner> & hapInner)1046 int AccessTokenInfoManager::ModifyHapTokenInfoFromDb(
1047 AccessTokenID tokenID, const std::shared_ptr<HapTokenInfoInner>& hapInner)
1048 {
1049 if (hapInner == nullptr) {
1050 ACCESSTOKEN_LOG_INFO(LABEL, "token %{public}u info is null!", tokenID);
1051 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
1052 }
1053
1054 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->modifyLock_);
1055 // get new hap token info from cache
1056 std::vector<GenericValues> hapInfoValues;
1057 hapInner->StoreHapInfo(hapInfoValues); // only exsit one if empty something is wrong
1058 if (hapInfoValues.empty()) {
1059 ACCESSTOKEN_LOG_INFO(LABEL, "Hap token info is empty!");
1060 return AccessTokenError::ERR_PARAM_INVALID;
1061 }
1062
1063 // get new permission def from cache if exsits
1064 std::vector<GenericValues> permDefValues;
1065 PermissionDefinitionCache::GetInstance().StorePermissionDef(tokenID, permDefValues);
1066
1067 // get new permission def from cache if exsits
1068 std::vector<GenericValues> permStateValues;
1069 hapInner->StorePermissionPolicy(permStateValues);
1070
1071 return AccessTokenDb::GetInstance().DeleteAndInsertHap(tokenID, hapInfoValues, permDefValues,
1072 permStateValues);
1073 }
1074
ModifyHapPermStateFromDb(AccessTokenID tokenID,const std::string & permission,const std::shared_ptr<HapTokenInfoInner> & hapInfo)1075 int32_t AccessTokenInfoManager::ModifyHapPermStateFromDb(
1076 AccessTokenID tokenID, const std::string& permission, const std::shared_ptr<HapTokenInfoInner>& hapInfo)
1077 {
1078 std::vector<GenericValues> permStateValues;
1079 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->modifyLock_);
1080 if (hapInfo == nullptr) {
1081 ACCESSTOKEN_LOG_INFO(LABEL, "Token %{public}u info is null!", tokenID);
1082 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
1083 }
1084 hapInfo->StorePermissionPolicy(permStateValues);
1085
1086 for (size_t i = 0; i < permStateValues.size(); i++) {
1087 if (permStateValues[i].GetString(TokenFiledConst::FIELD_PERMISSION_NAME) != permission) {
1088 continue;
1089 }
1090 GenericValues conditions;
1091 conditions.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1092 conditions.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permission);
1093 AccessTokenDb::GetInstance().Modify(
1094 AtmDataType::ACCESSTOKEN_PERMISSION_STATE, permStateValues[i], conditions);
1095 }
1096 return RET_SUCCESS;
1097 }
1098
AddHapTokenInfoToDb(AccessTokenID tokenID,const std::shared_ptr<HapTokenInfoInner> & hapInfo)1099 int AccessTokenInfoManager::AddHapTokenInfoToDb(
1100 AccessTokenID tokenID, const std::shared_ptr<HapTokenInfoInner>& hapInfo)
1101 {
1102 std::vector<GenericValues> hapInfoValues;
1103 std::vector<GenericValues> permDefValues;
1104 std::vector<GenericValues> permStateValues;
1105 if (hapInfo == nullptr) {
1106 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u info is null!", tokenID);
1107 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
1108 }
1109 hapInfo->StoreHapInfo(hapInfoValues);
1110 hapInfo->StorePermissionPolicy(permStateValues);
1111
1112 PermissionDefinitionCache::GetInstance().StorePermissionDef(tokenID, permDefValues);
1113 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_HAP_INFO, hapInfoValues);
1114 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, permStateValues);
1115 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_PERMISSION_DEF, permDefValues);
1116 return RET_SUCCESS;
1117 }
1118
RemoveHapTokenInfoFromDb(AccessTokenID tokenID)1119 int AccessTokenInfoManager::RemoveHapTokenInfoFromDb(AccessTokenID tokenID)
1120 {
1121 GenericValues values;
1122 values.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1123
1124 AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_HAP_INFO, values);
1125 AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_PERMISSION_DEF, values);
1126 AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, values);
1127 return RET_SUCCESS;
1128 }
1129
PermissionStateNotify(const std::shared_ptr<HapTokenInfoInner> & info,AccessTokenID id)1130 void AccessTokenInfoManager::PermissionStateNotify(const std::shared_ptr<HapTokenInfoInner>& info, AccessTokenID id)
1131 {
1132 std::shared_ptr<PermissionPolicySet> policy = info->GetHapInfoPermissionPolicySet();
1133 if (policy == nullptr) {
1134 return;
1135 }
1136
1137 std::vector<std::string> permissionList;
1138 policy->GetDeletedPermissionListToNotify(permissionList);
1139 if (permissionList.size() != 0) {
1140 PermissionManager::GetInstance().ParamUpdate(permissionList[0], 0, true);
1141 }
1142 for (const auto& permissionName : permissionList) {
1143 CallbackManager::GetInstance().ExecuteCallbackAsync(
1144 id, permissionName, PermStateChangeType::STATE_CHANGE_REVOKED);
1145 }
1146 }
1147
GetNativeTokenId(const std::string & processName)1148 AccessTokenID AccessTokenInfoManager::GetNativeTokenId(const std::string& processName)
1149 {
1150 AccessTokenID tokenID = INVALID_TOKENID;
1151 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1152 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1153 if (iter->second != nullptr && iter->second->GetProcessName() == processName) {
1154 tokenID = iter->first;
1155 break;
1156 }
1157 }
1158 return tokenID;
1159 }
1160
DumpHapTokenInfoByTokenId(const AccessTokenID tokenId,std::string & dumpInfo)1161 void AccessTokenInfoManager::DumpHapTokenInfoByTokenId(const AccessTokenID tokenId, std::string& dumpInfo)
1162 {
1163 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(tokenId);
1164 if (type == TOKEN_HAP) {
1165 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenId);
1166 if (infoPtr != nullptr) {
1167 infoPtr->ToString(dumpInfo);
1168 }
1169 } else if (type == TOKEN_NATIVE || type == TOKEN_SHELL) {
1170 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(tokenId);
1171 if (infoPtr != nullptr) {
1172 infoPtr->ToString(dumpInfo);
1173 }
1174 } else {
1175 dumpInfo.append("invalid tokenId");
1176 }
1177 }
1178
DumpHapTokenInfoByBundleName(const std::string & bundleName,std::string & dumpInfo)1179 void AccessTokenInfoManager::DumpHapTokenInfoByBundleName(const std::string& bundleName, std::string& dumpInfo)
1180 {
1181 Utils::UniqueReadGuard<Utils::RWLock> hapInfoGuard(this->hapTokenInfoLock_);
1182 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); iter++) {
1183 if (iter->second != nullptr) {
1184 if (bundleName != iter->second->GetBundleName()) {
1185 continue;
1186 }
1187
1188 iter->second->ToString(dumpInfo);
1189 dumpInfo.append("\n");
1190 }
1191 }
1192 }
1193
DumpAllHapTokenInfo(std::string & dumpInfo)1194 void AccessTokenInfoManager::DumpAllHapTokenInfo(std::string& dumpInfo)
1195 {
1196 ACCESSTOKEN_LOG_DEBUG(LABEL, "Get all hap token info.");
1197
1198 Utils::UniqueReadGuard<Utils::RWLock> hapInfoGuard(this->hapTokenInfoLock_);
1199 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); iter++) {
1200 if (iter->second != nullptr) {
1201 iter->second->ToString(dumpInfo);
1202 dumpInfo.append("\n");
1203 }
1204 }
1205 }
1206
DumpNativeTokenInfoByProcessName(const std::string & processName,std::string & dumpInfo)1207 void AccessTokenInfoManager::DumpNativeTokenInfoByProcessName(const std::string& processName, std::string& dumpInfo)
1208 {
1209 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1210 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1211 if ((iter->second != nullptr) && (processName == iter->second->GetProcessName())) {
1212 iter->second->ToString(dumpInfo);
1213 dumpInfo.append("\n");
1214 break;
1215 }
1216 }
1217 }
1218
DumpAllNativeTokenInfo(std::string & dumpInfo)1219 void AccessTokenInfoManager::DumpAllNativeTokenInfo(std::string& dumpInfo)
1220 {
1221 ACCESSTOKEN_LOG_DEBUG(LABEL, "Get all native token info.");
1222
1223 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1224 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1225 if (iter->second != nullptr) {
1226 iter->second->ToString(dumpInfo);
1227 dumpInfo.append("\n");
1228 }
1229 }
1230 }
1231
GetCurDumpTaskNum()1232 int32_t AccessTokenInfoManager::GetCurDumpTaskNum()
1233 {
1234 return dumpTaskNum_.load();
1235 }
1236
AddDumpTaskNum()1237 void AccessTokenInfoManager::AddDumpTaskNum()
1238 {
1239 dumpTaskNum_++;
1240 }
1241
ReduceDumpTaskNum()1242 void AccessTokenInfoManager::ReduceDumpTaskNum()
1243 {
1244 dumpTaskNum_--;
1245 }
1246
DumpToken()1247 void AccessTokenInfoManager::DumpToken()
1248 {
1249 ACCESSTOKEN_LOG_INFO(LABEL, "AccessToken Dump");
1250 int32_t fd = open(DUMP_JSON_PATH.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP);
1251 if (fd < 0) {
1252 ACCESSTOKEN_LOG_ERROR(LABEL, "Open failed errno %{public}d.", errno);
1253 return;
1254 }
1255 std::string dumpStr;
1256 AtmToolsParamInfoParcel infoParcel;
1257 DumpTokenInfo(infoParcel.info, dumpStr);
1258 dprintf(fd, "%s\n", dumpStr.c_str());
1259 close(fd);
1260 }
1261
DumpTokenInfo(const AtmToolsParamInfo & info,std::string & dumpInfo)1262 void AccessTokenInfoManager::DumpTokenInfo(const AtmToolsParamInfo& info, std::string& dumpInfo)
1263 {
1264 if (info.tokenId != 0) {
1265 DumpHapTokenInfoByTokenId(info.tokenId, dumpInfo);
1266 return;
1267 }
1268
1269 if ((!info.bundleName.empty()) && (info.bundleName.length() > 0)) {
1270 DumpHapTokenInfoByBundleName(info.bundleName, dumpInfo);
1271 return;
1272 }
1273
1274 if ((!info.processName.empty()) && (info.processName.length() > 0)) {
1275 DumpNativeTokenInfoByProcessName(info.processName, dumpInfo);
1276 return;
1277 }
1278
1279 DumpAllHapTokenInfo(dumpInfo);
1280 DumpAllNativeTokenInfo(dumpInfo);
1281 }
1282
GetRelatedSandBoxHapList(AccessTokenID tokenId,std::vector<AccessTokenID> & tokenIdList)1283 void AccessTokenInfoManager::GetRelatedSandBoxHapList(AccessTokenID tokenId, std::vector<AccessTokenID>& tokenIdList)
1284 {
1285 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1286
1287 auto infoIter = hapTokenInfoMap_.find(tokenId);
1288 if (infoIter == hapTokenInfoMap_.end()) {
1289 return;
1290 }
1291 if (infoIter->second == nullptr) {
1292 ACCESSTOKEN_LOG_ERROR(LABEL, "HapTokenInfoInner is nullptr.");
1293 return;
1294 }
1295 std::string bundleName = infoIter->second->GetBundleName();
1296 int32_t userID = infoIter->second->GetUserID();
1297 int32_t index = infoIter->second->GetInstIndex();
1298 int32_t dlpType = infoIter->second->GetDlpType();
1299 // the permissions of a common application whose index is not equal 0 are managed independently.
1300 if ((dlpType == DLP_COMMON) && (index != 0)) {
1301 return;
1302 }
1303
1304 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); ++iter) {
1305 if (iter->second == nullptr) {
1306 continue;
1307 }
1308 if ((bundleName == iter->second->GetBundleName()) && (userID == iter->second->GetUserID()) &&
1309 (tokenId != iter->second->GetTokenID())) {
1310 if ((iter->second->GetDlpType() == DLP_COMMON) && (iter->second->GetInstIndex() != 0)) {
1311 continue;
1312 }
1313 tokenIdList.emplace_back(iter->second->GetTokenID());
1314 }
1315 }
1316 }
1317
SetPermDialogCap(AccessTokenID tokenID,bool enable)1318 int32_t AccessTokenInfoManager::SetPermDialogCap(AccessTokenID tokenID, bool enable)
1319 {
1320 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1321 auto infoIter = hapTokenInfoMap_.find(tokenID);
1322 if ((infoIter == hapTokenInfoMap_.end()) || (infoIter->second == nullptr)) {
1323 ACCESSTOKEN_LOG_ERROR(LABEL, "HapTokenInfoInner is nullptr.");
1324 return ERR_TOKENID_NOT_EXIST;
1325 }
1326 infoIter->second->SetPermDialogForbidden(enable);
1327
1328 if (!UpdateCapStateToDatabase(tokenID, enable)) {
1329 return RET_FAILED;
1330 }
1331
1332 return RET_SUCCESS;
1333 }
1334
GetPermDialogCap(AccessTokenID tokenID)1335 bool AccessTokenInfoManager::GetPermDialogCap(AccessTokenID tokenID)
1336 {
1337 if (tokenID == INVALID_TOKENID) {
1338 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid tokenId.");
1339 return true;
1340 }
1341 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1342 auto infoIter = hapTokenInfoMap_.find(tokenID);
1343 if ((infoIter == hapTokenInfoMap_.end()) || (infoIter->second == nullptr)) {
1344 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId is not exist in map.");
1345 return true;
1346 }
1347 return infoIter->second->IsPermDialogForbidden();
1348 }
1349
UpdateStatesToDatabase(AccessTokenID tokenID,std::vector<PermissionStateFull> & stateChangeList)1350 bool AccessTokenInfoManager::UpdateStatesToDatabase(AccessTokenID tokenID,
1351 std::vector<PermissionStateFull>& stateChangeList)
1352 {
1353 for (const auto& state : stateChangeList) {
1354 GenericValues modifyValue;
1355 modifyValue.Put(TokenFiledConst::FIELD_GRANT_STATE, state.grantStatus[0]);
1356 modifyValue.Put(TokenFiledConst::FIELD_GRANT_FLAG, static_cast<int32_t>(state.grantFlags[0]));
1357
1358 GenericValues conditionValue;
1359 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1360 conditionValue.Put(TokenFiledConst::FIELD_PERMISSION_NAME, state.permissionName);
1361
1362 int32_t res = AccessTokenDb::GetInstance().Modify(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, modifyValue,
1363 conditionValue);
1364 if (res != 0) {
1365 ACCESSTOKEN_LOG_ERROR(LABEL, "Update tokenID %{public}u permission %{public}s to database failed",
1366 tokenID, state.permissionName.c_str());
1367 return false;
1368 }
1369 }
1370
1371 return true;
1372 }
1373
UpdateCapStateToDatabase(AccessTokenID tokenID,bool enable)1374 bool AccessTokenInfoManager::UpdateCapStateToDatabase(AccessTokenID tokenID, bool enable)
1375 {
1376 GenericValues modifyValue;
1377 modifyValue.Put(TokenFiledConst::FIELD_FORBID_PERM_DIALOG, enable);
1378
1379 GenericValues conditionValue;
1380 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1381
1382 int32_t res = AccessTokenDb::GetInstance().Modify(AtmDataType::ACCESSTOKEN_HAP_INFO, modifyValue, conditionValue);
1383 if (res != 0) {
1384 ACCESSTOKEN_LOG_ERROR(LABEL,
1385 "Update tokenID %{public}u permissionDialogForbidden %{public}d to database failed", tokenID, enable);
1386 return false;
1387 }
1388
1389 return true;
1390 }
1391
RemoveNativeInfoFromDatabase(AccessTokenID tokenID)1392 bool AccessTokenInfoManager::RemoveNativeInfoFromDatabase(AccessTokenID tokenID)
1393 {
1394 GenericValues conditionValue;
1395 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1396
1397 int32_t res = AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_NATIVE_INFO, conditionValue);
1398 if (res != 0) {
1399 ACCESSTOKEN_LOG_ERROR(LABEL, "Remove tokenID %{public}u from table native_token_info failed.", tokenID);
1400 return false;
1401 }
1402
1403 res = AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, conditionValue);
1404 if (res != 0) {
1405 ACCESSTOKEN_LOG_ERROR(LABEL, "Remove tokenID %{public}u from table permission_state failed.", tokenID);
1406 return false;
1407 }
1408
1409 return true;
1410 }
1411 } // namespace AccessToken
1412 } // namespace Security
1413 } // namespace OHOS
1414