1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_record_manager.h"
17
18 #include <algorithm>
19 #include <cinttypes>
20 #include <numeric>
21
22 #include "ability_manager_access_client.h"
23 #include "access_token.h"
24 #include "accesstoken_kit.h"
25 #include "accesstoken_log.h"
26 #include "active_status_callback_manager.h"
27 #include "app_manager_access_client.h"
28 #include "audio_manager_privacy_client.h"
29 #include "camera_manager_privacy_client.h"
30 #include "config_policy_loader.h"
31 #include "constant.h"
32 #include "constant_common.h"
33 #include "data_translator.h"
34 #include "i_state_change_callback.h"
35 #include "iservice_registry.h"
36 #include "libraryloader.h"
37 #include "parameter.h"
38 #include "parcel_utils.h"
39 #include "permission_used_record_db.h"
40 #include "power_manager_client.h"
41 #include "privacy_error.h"
42 #include "privacy_field_const.h"
43 #include "refbase.h"
44 #include "state_change_callback_proxy.h"
45 #include "system_ability_definition.h"
46 #include "time_util.h"
47 #include "want.h"
48 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
49 #include "privacy_window_manager_client.h"
50 #include "scene_board_judgement.h"
51 #endif
52
53 namespace OHOS {
54 namespace Security {
55 namespace AccessToken {
56 namespace {
57 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {
58 LOG_CORE, SECURITY_DOMAIN_PRIVACY, "PermissionRecordManager"
59 };
60 static const int32_t VALUE_MAX_LEN = 32;
61 constexpr const char* DEFAULT_DEVICEID = "0";
62 constexpr const char* CAMERA_PERMISSION_NAME = "ohos.permission.CAMERA";
63 constexpr const char* MICROPHONE_PERMISSION_NAME = "ohos.permission.MICROPHONE";
64 constexpr const char* EDM_MIC_MUTE_KEY = "persist.edm.mic_disable";
65 constexpr const char* EDM_CAMERA_MUTE_KEY = "persist.edm.camera_disable";
66 constexpr const char* DEFAULT_PERMISSION_MANAGER_BUNDLE_NAME = "com.ohos.permissionmanager";
67 constexpr const char* DEFAULT_PERMISSION_MANAGER_DIALOG_ABILITY = "com.ohos.permissionmanager.GlobalExtAbility";
68 constexpr const char* RESOURCE_KEY = "ohos.sensitive.resource";
69 static const int32_t DEFAULT_PERMISSION_USED_RECORD_SIZE_MAXIMUM = 500000;
70 static const int32_t DEFAULT_PERMISSION_USED_RECORD_AGING_TIME = 7;
71 static const uint32_t NORMAL_TYPE_ADD_VALUE = 1;
72 static const uint32_t PICKER_TYPE_ADD_VALUE = 2;
73 static const uint32_t SEC_COMPONENT_TYPE_ADD_VALUE = 4;
74 static constexpr int64_t ONE_MINUTE_MILLISECONDS = 60 * 1000; // 1 min = 60 * 1000 ms
75 std::recursive_mutex g_instanceMutex;
76 }
GetInstance()77 PermissionRecordManager& PermissionRecordManager::GetInstance()
78 {
79 static PermissionRecordManager* instance = nullptr;
80 if (instance == nullptr) {
81 std::lock_guard<std::recursive_mutex> lock(g_instanceMutex);
82 if (instance == nullptr) {
83 instance = new PermissionRecordManager();
84 }
85 }
86 return *instance;
87 }
88
PermissionRecordManager()89 PermissionRecordManager::PermissionRecordManager()
90 {
91 bool isEdmMute = false;
92 if (GetMuteParameter(EDM_MIC_MUTE_KEY, isEdmMute)) {
93 ModifyMuteStatus(MICROPHONE_PERMISSION_NAME, EDM, isEdmMute);
94 }
95 }
96
~PermissionRecordManager()97 PermissionRecordManager::~PermissionRecordManager()
98 {
99 if (!hasInited_) {
100 return;
101 }
102 hasInited_ = false;
103 Unregister();
104 }
105
OnAppStateChanged(const AppStateData & appStateData)106 void PrivacyAppStateObserver::OnAppStateChanged(const AppStateData &appStateData)
107 {
108 ACCESSTOKEN_LOG_DEBUG(LABEL, "OnChange(id=%{public}d, pid=%{public}d, state=%{public}d).",
109 appStateData.accessTokenId, appStateData.pid, appStateData.state);
110
111 ActiveChangeType status = PERM_INACTIVE;
112 if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_FOREGROUND)) {
113 status = PERM_ACTIVE_IN_FOREGROUND;
114 } else if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_BACKGROUND)) {
115 status = PERM_ACTIVE_IN_BACKGROUND;
116 }
117 PermissionRecordManager::GetInstance().NotifyAppStateChange(appStateData.accessTokenId, appStateData.pid, status);
118 }
119
OnAppStopped(const AppStateData & appStateData)120 void PrivacyAppStateObserver::OnAppStopped(const AppStateData &appStateData)
121 {
122 ACCESSTOKEN_LOG_DEBUG(LABEL, "OnChange(id=%{public}d, state=%{public}d).",
123 appStateData.accessTokenId, appStateData.state);
124
125 if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_TERMINATED)) {
126 PermissionRecordManager::GetInstance().RemoveRecordFromStartListByToken(appStateData.accessTokenId);
127 }
128 }
129
OnProcessDied(const ProcessData & processData)130 void PrivacyAppStateObserver::OnProcessDied(const ProcessData &processData)
131 {
132 ACCESSTOKEN_LOG_DEBUG(LABEL, "OnChange(id=%{public}u, pid=%{public}d, state=%{public}d).",
133 processData.accessTokenId, processData.pid, processData.state);
134
135 PermissionRecordManager::GetInstance().RemoveRecordFromStartListByPid(processData.accessTokenId, processData.pid);
136 }
137
NotifyAppManagerDeath()138 void PrivacyAppManagerDeathCallback::NotifyAppManagerDeath()
139 {
140 PermissionRecordManager::GetInstance().OnAppMgrRemoteDiedHandle();
141 }
142
AddRecToCacheAndValueVec(const PermissionRecord & record,std::vector<GenericValues> & values)143 void PermissionRecordManager::AddRecToCacheAndValueVec(const PermissionRecord& record,
144 std::vector<GenericValues>& values)
145 {
146 PermissionRecordCache cache;
147 cache.record = record;
148 permUsedRecList_.emplace_back(cache);
149
150 GenericValues value;
151 PermissionRecord::TranslationIntoGenericValues(record, value);
152 values.emplace_back(value);
153 }
154
RecordMergeCheck(const PermissionRecord & record1,const PermissionRecord & record2)155 static bool RecordMergeCheck(const PermissionRecord& record1, const PermissionRecord& record2)
156 {
157 // timestamp in the same minute
158 if (!AccessToken::TimeUtil::IsTimeStampsSameMinute(record1.timestamp, record2.timestamp)) {
159 return false;
160 }
161
162 // the same tokenID + opCode + status + lockScreenStatus + usedType
163 if ((record1.tokenId != record2.tokenId) ||
164 (record1.opCode != record2.opCode) ||
165 (record1.status != record2.status) ||
166 (record1.lockScreenStatus != record2.lockScreenStatus) ||
167 (record1.type != record2.type)) {
168 return false;
169 }
170
171 // both success
172 if (((record1.accessCount > 0) && (record2.accessCount == 0)) ||
173 ((record1.accessCount == 0) && (record2.accessCount > 0))) {
174 return false;
175 }
176
177 // both failure
178 if (((record1.rejectCount > 0) && (record2.rejectCount == 0)) ||
179 ((record1.rejectCount == 0) && (record2.rejectCount > 0))) {
180 return false;
181 }
182
183 return true;
184 }
185
MergeOrInsertRecord(const PermissionRecord & record)186 int32_t PermissionRecordManager::MergeOrInsertRecord(const PermissionRecord& record)
187 {
188 std::vector<GenericValues> insertRecords;
189 {
190 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
191 if (permUsedRecList_.empty()) {
192 ACCESSTOKEN_LOG_INFO(LABEL, "First record in cache!");
193
194 AddRecToCacheAndValueVec(record, insertRecords);
195 } else {
196 bool mergeFlag = false;
197 for (auto it = permUsedRecList_.begin(); it != permUsedRecList_.end(); ++it) {
198 if (RecordMergeCheck(it->record, record)) {
199 ACCESSTOKEN_LOG_INFO(LABEL, "Merge record, ori timestamp is %{public}" PRId64 ".",
200 it->record.timestamp);
201
202 // merge new record to older one if match the merge condition
203 it->record.accessCount += record.accessCount;
204 it->record.rejectCount += record.rejectCount;
205
206 // set update flag to true
207 it->needUpdateToDb = true;
208 mergeFlag = true;
209 break;
210 }
211 }
212
213 if (!mergeFlag) {
214 // record can't merge store to database immediately and add to cache
215 AddRecToCacheAndValueVec(record, insertRecords);
216 }
217 }
218 }
219
220 if (insertRecords.empty()) {
221 return Constant::SUCCESS;
222 }
223
224 Utils::UniqueWriteGuard<Utils::RWLock> lk(this->rwLock_);
225 int32_t res = PermissionUsedRecordDb::GetInstance().Add(PermissionUsedRecordDb::DataType::PERMISSION_RECORD,
226 insertRecords);
227 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
228 ACCESSTOKEN_LOG_INFO(LABEL, "Add permission_record_table failed!");
229 return res;
230 }
231
232 ACCESSTOKEN_LOG_INFO(LABEL, "Add record, id %{public}d, op %{public}d, status: %{public}d, sucCnt: %{public}d, "
233 "failCnt: %{public}d, lockScreenStatus %{public}d, timestamp %{public}" PRId64 ", type %{public}d.",
234 record.tokenId, record.opCode, record.status, record.accessCount, record.rejectCount, record.lockScreenStatus,
235 record.timestamp, record.type);
236
237 return Constant::SUCCESS;
238 }
239
UpdatePermissionUsedRecordToDb(const PermissionRecord & record)240 bool PermissionRecordManager::UpdatePermissionUsedRecordToDb(const PermissionRecord& record)
241 {
242 GenericValues modifyValue;
243 modifyValue.Put(PrivacyFiledConst::FIELD_ACCESS_COUNT, record.accessCount);
244 modifyValue.Put(PrivacyFiledConst::FIELD_REJECT_COUNT, record.rejectCount);
245
246 GenericValues conditionValue;
247 conditionValue.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(record.tokenId));
248 conditionValue.Put(PrivacyFiledConst::FIELD_OP_CODE, record.opCode);
249 conditionValue.Put(PrivacyFiledConst::FIELD_STATUS, record.status);
250 conditionValue.Put(PrivacyFiledConst::FIELD_TIMESTAMP, record.timestamp);
251 conditionValue.Put(PrivacyFiledConst::FIELD_USED_TYPE, record.type);
252
253 {
254 Utils::UniqueWriteGuard<Utils::RWLock> lk(this->rwLock_);
255 return (PermissionUsedRecordDb::GetInstance().Update(PermissionUsedRecordDb::DataType::PERMISSION_RECORD,
256 modifyValue, conditionValue) == PermissionUsedRecordDb::ExecuteResult::SUCCESS);
257 }
258 }
259
AddRecord(const PermissionRecord & record)260 int32_t PermissionRecordManager::AddRecord(const PermissionRecord& record)
261 {
262 int32_t res = MergeOrInsertRecord(record);
263 if (res != Constant::SUCCESS) {
264 return res;
265 }
266
267 int64_t updateStamp = record.timestamp - ONE_MINUTE_MILLISECONDS; // timestamp less than 1 min from now
268 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
269 auto it = permUsedRecList_.begin();
270 while (it != permUsedRecList_.end()) {
271 if ((it->record.timestamp > updateStamp) || (it->record.opCode != record.opCode)) {
272 // record from cache less than updateStamp may merge, ignore them
273 ++it;
274 continue;
275 }
276
277 /*
278 needUpdateToDb:
279 - flase means record not merge, when the timestamp of those records less than 1 min from now
280 they can not merge any more, remove them from cache
281 - true means record has merged, need to update database before remove from cache
282 whether update database succeed or not, recod remove from cache
283 */
284 if ((it->needUpdateToDb) && (!UpdatePermissionUsedRecordToDb(it->record))) {
285 ACCESSTOKEN_LOG_ERROR(LABEL, "Record with timestamp %{public}" PRId64 "update database failed!",
286 it->record.timestamp);
287 }
288
289 it = permUsedRecList_.erase(it);
290 }
291
292 return Constant::SUCCESS;
293 }
294
UpdatePermRecImmediately()295 void PermissionRecordManager::UpdatePermRecImmediately()
296 {
297 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
298 for (auto it = permUsedRecList_.begin(); it != permUsedRecList_.end(); ++it) {
299 if (it->needUpdateToDb) {
300 UpdatePermissionUsedRecordToDb(it->record);
301 }
302 }
303 }
304
GetPermissionRecord(const AddPermParamInfo & info,PermissionRecord & record)305 int32_t PermissionRecordManager::GetPermissionRecord(const AddPermParamInfo& info, PermissionRecord& record)
306 {
307 if (AccessTokenKit::GetTokenTypeFlag(info.tokenId) != TOKEN_HAP) {
308 ACCESSTOKEN_LOG_DEBUG(LABEL, "Not hap(%{public}d).", info.tokenId);
309 return PrivacyError::ERR_PARAM_INVALID;
310 }
311 int32_t opCode;
312 if (!Constant::TransferPermissionToOpcode(info.permissionName, opCode)) {
313 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid perm(%{public}s)", info.permissionName.c_str());
314 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
315 }
316 if (GetMuteStatus(info.permissionName, EDM)) {
317 record.status = PERM_INACTIVE;
318 } else {
319 record.status = GetAppStatus(info.tokenId);
320 }
321 record.lockScreenStatus = GetLockScreenStatus();
322 record.tokenId = info.tokenId;
323 record.accessCount = info.successCount;
324 record.rejectCount = info.failCount;
325 record.opCode = opCode;
326 record.timestamp = AccessToken::TimeUtil::GetCurrentTimestamp();
327 record.accessDuration = 0;
328 record.type = info.type;
329 ACCESSTOKEN_LOG_DEBUG(LABEL, "Record status: %{public}d", record.status);
330 return Constant::SUCCESS;
331 }
332
TransformEnumToBitValue(const PermissionUsedType type,uint32_t & value)333 void PermissionRecordManager::TransformEnumToBitValue(const PermissionUsedType type, uint32_t& value)
334 {
335 if (type == PermissionUsedType::NORMAL_TYPE) {
336 value = NORMAL_TYPE_ADD_VALUE;
337 } else if (type == PermissionUsedType::PICKER_TYPE) {
338 value = PICKER_TYPE_ADD_VALUE;
339 } else if (type == PermissionUsedType::SECURITY_COMPONENT_TYPE) {
340 value = SEC_COMPONENT_TYPE_ADD_VALUE;
341 }
342 }
343
AddOrUpdateUsedTypeIfNeeded(const AccessTokenID tokenId,const int32_t opCode,const PermissionUsedType type)344 bool PermissionRecordManager::AddOrUpdateUsedTypeIfNeeded(const AccessTokenID tokenId, const int32_t opCode,
345 const PermissionUsedType type)
346 {
347 uint32_t inputType = 0;
348 TransformEnumToBitValue(type, inputType);
349
350 GenericValues conditionValue;
351 conditionValue.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
352 conditionValue.Put(PrivacyFiledConst::FIELD_PERMISSION_CODE, opCode);
353
354 std::vector<GenericValues> results;
355 int32_t res = PermissionUsedRecordDb::GetInstance().Query(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
356 conditionValue, results);
357 if (res != PermissionUsedRecordDb::SUCCESS) {
358 return false;
359 }
360
361 if (results.empty()) {
362 // empty means there is no permission used type record, add it
363 ACCESSTOKEN_LOG_DEBUG(LABEL, "No exsit record, add it.");
364
365 GenericValues recordValue;
366 recordValue.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
367 recordValue.Put(PrivacyFiledConst::FIELD_PERMISSION_CODE, opCode);
368 recordValue.Put(PrivacyFiledConst::FIELD_USED_TYPE, static_cast<int32_t>(inputType));
369
370 std::vector<GenericValues> recordValues;
371 recordValues.emplace_back(recordValue);
372 int32_t res = PermissionUsedRecordDb::GetInstance().Add(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
373 recordValues);
374 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
375 return false;
376 }
377 } else {
378 // not empty means there is permission used type record exsit, update it if needed
379 uint32_t dbType = static_cast<uint32_t>(results[0].GetInt(PrivacyFiledConst::FIELD_USED_TYPE));
380 ACCESSTOKEN_LOG_DEBUG(LABEL, "Record exsit, type is %{public}u.", dbType);
381
382 if ((dbType & inputType) == inputType) {
383 // true means visitTypeEnum has exsits, no need to add
384 ACCESSTOKEN_LOG_DEBUG(LABEL, "Used type has add.");
385 return true;
386 } else {
387 results[0].Remove(PrivacyFiledConst::FIELD_USED_TYPE);
388 dbType |= inputType;
389
390 // false means visitTypeEnum not exsits, update record
391 ACCESSTOKEN_LOG_DEBUG(LABEL, "Used type not add, generate new %{public}u.", dbType);
392
393 GenericValues newValue;
394 newValue.Put(PrivacyFiledConst::FIELD_USED_TYPE, static_cast<int32_t>(dbType));
395 return (PermissionUsedRecordDb::GetInstance().Update(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
396 newValue, results[0]) == PermissionUsedRecordDb::ExecuteResult::SUCCESS);
397 }
398 }
399
400 return true;
401 }
402
AddPermissionUsedRecord(const AddPermParamInfo & info)403 int32_t PermissionRecordManager::AddPermissionUsedRecord(const AddPermParamInfo& info)
404 {
405 if ((info.successCount == 0) && (info.failCount == 0)) {
406 return PrivacyError::ERR_PARAM_INVALID;
407 }
408
409 PermissionRecord record;
410 int32_t result = GetPermissionRecord(info, record);
411 if ((result != Constant::SUCCESS) || (!GetGlobalSwitchStatus(info.permissionName))) {
412 return result;
413 }
414
415 result = AddRecord(record);
416 if (result != Constant::SUCCESS) {
417 return result;
418 }
419
420 return AddOrUpdateUsedTypeIfNeeded(
421 info.tokenId, record.opCode, info.type) ? Constant::SUCCESS : Constant::FAILURE;
422 }
423
RemovePermissionUsedRecords(AccessTokenID tokenId,const std::string & deviceID)424 void PermissionRecordManager::RemovePermissionUsedRecords(AccessTokenID tokenId, const std::string& deviceID)
425 {
426 // only support remove by tokenId(local)
427 std::string device = GetDeviceId(tokenId);
428 if (!deviceID.empty() && device != deviceID) {
429 ACCESSTOKEN_LOG_ERROR(LABEL, "DeviceID mismatch");
430 return;
431 }
432
433 {
434 // remove from record cache
435 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
436 auto it = permUsedRecList_.begin();
437 while (it != permUsedRecList_.end()) {
438 if (tokenId == it->record.tokenId) {
439 it = permUsedRecList_.erase(it);
440 } else {
441 ++it;
442 }
443 }
444 }
445
446 GenericValues conditions;
447 conditions.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
448 {
449 // remove from database
450 Utils::UniqueWriteGuard<Utils::RWLock> lk(this->rwLock_);
451 PermissionUsedRecordDb::GetInstance().Remove(PermissionUsedRecordDb::DataType::PERMISSION_RECORD, conditions);
452 PermissionUsedRecordDb::GetInstance().Remove(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
453 conditions);
454 }
455
456 // remove from start list
457 RemoveRecordFromStartListByToken(tokenId);
458 }
459
GetPermissionUsedRecords(const PermissionUsedRequest & request,PermissionUsedResult & result)460 int32_t PermissionRecordManager::GetPermissionUsedRecords(
461 const PermissionUsedRequest& request, PermissionUsedResult& result)
462 {
463 if (!request.isRemote && !GetRecordsFromLocalDB(request, result)) {
464 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to GetRecordsFromLocalDB");
465 return PrivacyError::ERR_PARAM_INVALID;
466 }
467 return Constant::SUCCESS;
468 }
469
GetPermissionUsedRecordsAsync(const PermissionUsedRequest & request,const sptr<OnPermissionUsedRecordCallback> & callback)470 int32_t PermissionRecordManager::GetPermissionUsedRecordsAsync(
471 const PermissionUsedRequest& request, const sptr<OnPermissionUsedRecordCallback>& callback)
472 {
473 auto task = [request, callback]() {
474 ACCESSTOKEN_LOG_INFO(LABEL, "GetPermissionUsedRecordsAsync task called");
475 PermissionUsedResult result;
476 int32_t retCode = PermissionRecordManager::GetInstance().GetPermissionUsedRecords(request, result);
477 callback->OnQueried(retCode, result);
478 };
479 std::thread recordThread(task);
480 recordThread.detach();
481 return Constant::SUCCESS;
482 }
483
TransferToOpcode(const std::vector<std::string> & permissionList,std::set<int32_t> & opCodeList)484 static void TransferToOpcode(const std::vector<std::string>& permissionList, std::set<int32_t>& opCodeList)
485 {
486 for (const auto& permission : permissionList) {
487 int32_t opCode = Constant::OP_INVALID;
488 if (Constant::TransferPermissionToOpcode(permission, opCode)) {
489 opCodeList.insert(opCode);
490 }
491 }
492 }
493
GetMergedRecordsFromCache(std::vector<PermissionRecord> & mergedRecords)494 void PermissionRecordManager::GetMergedRecordsFromCache(std::vector<PermissionRecord>& mergedRecords)
495 {
496 std::lock_guard<std::mutex> lock(permUsedRecMutex_);
497 for (const auto& cache : permUsedRecList_) {
498 if (cache.needUpdateToDb) {
499 mergedRecords.emplace_back(cache.record);
500 }
501 }
502 }
503
InsteadMergedRecIfNecessary(GenericValues & queryValue,std::vector<PermissionRecord> & mergedRecords)504 void PermissionRecordManager::InsteadMergedRecIfNecessary(GenericValues& queryValue,
505 std::vector<PermissionRecord>& mergedRecords)
506 {
507 uint32_t tokenId = static_cast<uint32_t>(queryValue.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID));
508 int32_t opCode = queryValue.GetInt(PrivacyFiledConst::FIELD_OP_CODE);
509 int32_t status = queryValue.GetInt(PrivacyFiledConst::FIELD_STATUS);
510 int64_t timestamp = queryValue.GetInt64(PrivacyFiledConst::FIELD_TIMESTAMP);
511 PermissionUsedType type = static_cast<PermissionUsedType>(queryValue.GetInt(PrivacyFiledConst::FIELD_USED_TYPE));
512
513 for (const auto& record : mergedRecords) {
514 if ((tokenId == record.tokenId) &&
515 (opCode == record.opCode) &&
516 (status == record.status) &&
517 (timestamp == record.timestamp) &&
518 (type == record.type)) {
519 // find merged record, instead accessCount and rejectCount
520 queryValue.Remove(PrivacyFiledConst::FIELD_ACCESS_COUNT);
521 queryValue.Put(PrivacyFiledConst::FIELD_ACCESS_COUNT, record.accessCount);
522 queryValue.Remove(PrivacyFiledConst::FIELD_REJECT_COUNT);
523 queryValue.Put(PrivacyFiledConst::FIELD_REJECT_COUNT, record.rejectCount);
524 return;
525 }
526 }
527 }
528
MergeSamePermission(const PermissionUsageFlag & flag,const PermissionUsedRecord & inRecord,PermissionUsedRecord & outRecord)529 void PermissionRecordManager::MergeSamePermission(const PermissionUsageFlag& flag, const PermissionUsedRecord& inRecord,
530 PermissionUsedRecord& outRecord)
531 {
532 outRecord.accessCount += inRecord.accessCount;
533 outRecord.rejectCount += inRecord.rejectCount;
534
535 // update lastAccessTime、lastRejectTime and lastAccessDuration to the nearer one
536 outRecord.lastAccessTime = (inRecord.lastAccessTime > outRecord.lastAccessTime) ?
537 inRecord.lastAccessTime : outRecord.lastAccessTime;
538 outRecord.lastAccessDuration = (inRecord.lastAccessTime > outRecord.lastAccessTime) ?
539 inRecord.lastAccessDuration : outRecord.lastAccessDuration;
540 outRecord.lastRejectTime = (inRecord.lastRejectTime > outRecord.lastRejectTime) ?
541 inRecord.lastRejectTime : outRecord.lastRejectTime;
542
543 // summary do not handle detail
544 if (flag == FLAG_PERMISSION_USAGE_SUMMARY) {
545 return;
546 }
547
548 if (inRecord.lastAccessTime > 0) {
549 outRecord.accessRecords.emplace_back(inRecord.accessRecords[0]);
550 }
551 if (inRecord.lastRejectTime > 0) {
552 outRecord.rejectRecords.emplace_back(inRecord.rejectRecords[0]);
553 }
554 }
555
FillPermissionUsedRecords(const PermissionUsedRecord & record,const PermissionUsageFlag & flag,std::vector<PermissionUsedRecord> & permissionRecords)556 void PermissionRecordManager::FillPermissionUsedRecords(const PermissionUsedRecord& record,
557 const PermissionUsageFlag& flag, std::vector<PermissionUsedRecord>& permissionRecords)
558 {
559 // check whether the permission has exsit
560 auto iter = std::find_if(permissionRecords.begin(), permissionRecords.end(),
561 [record](const PermissionUsedRecord& rec) {
562 return record.permissionName == rec.permissionName;
563 });
564 if (iter != permissionRecords.end()) {
565 // permission exsit, merge it
566 MergeSamePermission(flag, record, *iter);
567 } else {
568 // permission not exsit, add it
569 permissionRecords.emplace_back(record);
570 }
571 }
572
FillBundleUsedRecord(const GenericValues & value,const PermissionUsageFlag & flag,std::map<int32_t,BundleUsedRecord> & tokenIdToBundleMap,std::map<int32_t,int32_t> & tokenIdToCountMap,PermissionUsedResult & result)573 bool PermissionRecordManager::FillBundleUsedRecord(const GenericValues& value, const PermissionUsageFlag& flag,
574 std::map<int32_t, BundleUsedRecord>& tokenIdToBundleMap, std::map<int32_t, int32_t>& tokenIdToCountMap,
575 PermissionUsedResult& result)
576 {
577 // translate database value into PermissionUsedRecord value
578 PermissionUsedRecord record;
579 if (DataTranslator::TranslationGenericValuesIntoPermissionUsedRecord(flag, value, record) != Constant::SUCCESS) {
580 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to transform op(%{public}d)",
581 value.GetInt(PrivacyFiledConst::FIELD_OP_CODE));
582 return false;
583 }
584
585 // update beginTimeMillis and endTimeMillis if necessary
586 int64_t timestamp = value.GetInt64(PrivacyFiledConst::FIELD_TIMESTAMP);
587 result.beginTimeMillis = ((result.beginTimeMillis == 0) || (timestamp < result.beginTimeMillis)) ?
588 timestamp : result.beginTimeMillis;
589 result.endTimeMillis = (timestamp > result.endTimeMillis) ? timestamp : result.endTimeMillis;
590
591 int32_t tokenId = value.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID);
592 FillPermissionUsedRecords(record, flag, tokenIdToBundleMap[tokenId].permissionRecords);
593 tokenIdToCountMap[tokenId] += 1;
594
595 return true;
596 }
597
AddDebugLog(const AccessTokenID tokenId,const BundleUsedRecord & bundleRecord,const int32_t queryCount,int32_t & totalSuccCount,int32_t & totalFailCount)598 static void AddDebugLog(const AccessTokenID tokenId, const BundleUsedRecord& bundleRecord, const int32_t queryCount,
599 int32_t& totalSuccCount, int32_t& totalFailCount)
600 {
601 int32_t tokenTotalSuccCount = 0;
602 int32_t tokenTotalFailCount = 0;
603 for (const auto& permissionRecord : bundleRecord.permissionRecords) {
604 tokenTotalSuccCount += permissionRecord.accessCount;
605 tokenTotalFailCount += permissionRecord.rejectCount;
606 }
607 ACCESSTOKEN_LOG_INFO(LABEL, "TokenId %{public}d[%{public}s] get %{public}d records, success %{public}d,"
608 " failure %{public}d", tokenId, bundleRecord.bundleName.c_str(), queryCount, tokenTotalSuccCount,
609 tokenTotalFailCount);
610 totalSuccCount += tokenTotalSuccCount;
611 totalFailCount += tokenTotalFailCount;
612 }
613
GetRecordsFromLocalDB(const PermissionUsedRequest & request,PermissionUsedResult & result)614 bool PermissionRecordManager::GetRecordsFromLocalDB(const PermissionUsedRequest& request, PermissionUsedResult& result)
615 {
616 GenericValues andConditionValues;
617 if (DataTranslator::TranslationIntoGenericValues(request, andConditionValues) != Constant::SUCCESS) {
618 ACCESSTOKEN_LOG_ERROR(LABEL, "Query time or flag is invalid");
619 return false;
620 }
621
622 int32_t dataLimitNum = request.flag == FLAG_PERMISSION_USAGE_DETAIL ? MAX_ACCESS_RECORD_SIZE : recordSizeMaximum_;
623 int32_t totalSuccCount = 0;
624 int32_t totalFailCount = 0;
625 std::vector<GenericValues> findRecordsValues; // summary don't limit querry data num, detail do
626
627 std::set<int32_t> opCodeList;
628 TransferToOpcode(request.permissionList, opCodeList);
629 PermissionUsedRecordDb::GetInstance().FindByConditions(PermissionUsedRecordDb::DataType::PERMISSION_RECORD,
630 opCodeList, andConditionValues, findRecordsValues, dataLimitNum);
631
632 uint32_t currentCount = findRecordsValues.size(); // handle query result
633 if (currentCount == 0) {
634 ACCESSTOKEN_LOG_INFO(LABEL, "No record match the condition.");
635 return true;
636 }
637
638 std::vector<PermissionRecord> mergedRecords;
639 GetMergedRecordsFromCache(mergedRecords);
640
641 std::set<int32_t> tokenIdList;
642 std::map<int32_t, BundleUsedRecord> tokenIdToBundleMap;
643 std::map<int32_t, int32_t> tokenIdToCountMap;
644
645 for (auto& recordValue : findRecordsValues) {
646 InsteadMergedRecIfNecessary(recordValue, mergedRecords);
647
648 int32_t tokenId = recordValue.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID);
649 if (tokenIdList.count(tokenId) == 0) {
650 tokenIdList.insert(tokenId); // new tokenId, inset into set
651
652 BundleUsedRecord bundleRecord; // get bundle info
653 if (!CreateBundleUsedRecord(tokenId, bundleRecord)) {
654 continue;
655 }
656
657 tokenIdToBundleMap[tokenId] = bundleRecord; // add into map
658 tokenIdToCountMap[tokenId] = 0;
659 }
660
661 if (!FillBundleUsedRecord(recordValue, request.flag, tokenIdToBundleMap, tokenIdToCountMap, result)) {
662 continue;
663 }
664 }
665
666 for (auto iter = tokenIdToBundleMap.begin(); iter != tokenIdToBundleMap.end(); ++iter) {
667 result.bundleRecords.emplace_back(iter->second);
668
669 AddDebugLog(iter->first, iter->second, tokenIdToCountMap[iter->first], totalSuccCount, totalFailCount);
670 }
671
672 if (request.flag == FLAG_PERMISSION_USAGE_SUMMARY) {
673 ACCESSTOKEN_LOG_INFO(LABEL, "Total success count is %{public}d, total failure count is %{public}d",
674 totalSuccCount, totalFailCount);
675 }
676
677 return true;
678 }
679
CreateBundleUsedRecord(const AccessTokenID tokenId,BundleUsedRecord & bundleRecord)680 bool PermissionRecordManager::CreateBundleUsedRecord(const AccessTokenID tokenId, BundleUsedRecord& bundleRecord)
681 {
682 HapTokenInfo tokenInfo;
683 if (AccessTokenKit::GetHapTokenInfo(tokenId, tokenInfo) != Constant::SUCCESS) {
684 ACCESSTOKEN_LOG_ERROR(LABEL, "GetHapTokenInfo failed, tokenId is %{public}u.", tokenId);
685 return false;
686 }
687 bundleRecord.tokenId = tokenId;
688 bundleRecord.isRemote = false;
689 bundleRecord.deviceId = GetDeviceId(tokenId);
690 bundleRecord.bundleName = tokenInfo.bundleName;
691 return true;
692 }
693
694 // call this when receive screen off common event
ExecuteDeletePermissionRecordTask()695 void PermissionRecordManager::ExecuteDeletePermissionRecordTask()
696 {
697 #ifdef EVENTHANDLER_ENABLE
698 if (GetCurDeleteTaskNum() > 1) {
699 ACCESSTOKEN_LOG_INFO(LABEL, "Has delete task!");
700 return;
701 }
702 AddDeleteTaskNum();
703 if (deleteEventHandler_ == nullptr) {
704 ACCESSTOKEN_LOG_ERROR(LABEL, "Fail to get EventHandler.");
705 ReduceDeleteTaskNum();
706 return;
707 }
708
709 std::function<void()> delayed = ([this]() {
710 DeletePermissionRecord(recordAgingTime_);
711 ACCESSTOKEN_LOG_INFO(LABEL, "Delete record end.");
712 // Sleep for one minute to avoid frequent refresh of the file.
713 std::this_thread::sleep_for(std::chrono::minutes(1));
714 ReduceDeleteTaskNum();
715 });
716
717 deleteEventHandler_->ProxyPostTask(delayed);
718 #endif
719 }
720
GetCurDeleteTaskNum()721 int32_t PermissionRecordManager::GetCurDeleteTaskNum()
722 {
723 return deleteTaskNum_.load();
724 }
725
AddDeleteTaskNum()726 void PermissionRecordManager::AddDeleteTaskNum()
727 {
728 deleteTaskNum_++;
729 }
730
ReduceDeleteTaskNum()731 void PermissionRecordManager::ReduceDeleteTaskNum()
732 {
733 deleteTaskNum_--;
734 }
735
DeletePermissionRecord(int32_t days)736 int32_t PermissionRecordManager::DeletePermissionRecord(int32_t days)
737 {
738 int64_t interval = days * Constant::ONE_DAY_MILLISECONDS;
739 int32_t total = PermissionUsedRecordDb::GetInstance().Count(PermissionUsedRecordDb::DataType::PERMISSION_RECORD);
740 if (total > recordSizeMaximum_) {
741 uint32_t excessiveSize = static_cast<uint32_t>(total) - static_cast<uint32_t>(recordSizeMaximum_);
742 int32_t res = PermissionUsedRecordDb::GetInstance().DeleteExcessiveRecords(
743 PermissionUsedRecordDb::DataType::PERMISSION_RECORD, excessiveSize);
744 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
745 return Constant::FAILURE;
746 }
747 }
748 GenericValues andConditionValues;
749 int64_t deleteTimestamp = AccessToken::TimeUtil::GetCurrentTimestamp() - interval;
750 andConditionValues.Put(PrivacyFiledConst::FIELD_TIMESTAMP_END, deleteTimestamp);
751 int32_t res = PermissionUsedRecordDb::GetInstance().DeleteExpireRecords(
752 PermissionUsedRecordDb::DataType::PERMISSION_RECORD, andConditionValues);
753 if (res != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
754 return Constant::FAILURE;
755 }
756 return Constant::SUCCESS;
757 }
758
AddRecordToStartList(uint32_t tokenId,int32_t pid,const std::string & permissionName,int32_t status)759 int32_t PermissionRecordManager::AddRecordToStartList(
760 uint32_t tokenId, int32_t pid, const std::string& permissionName, int32_t status)
761 {
762 int32_t ret = Constant::SUCCESS;
763 int32_t opCode;
764 if (!Constant::TransferPermissionToOpcode(permissionName, opCode)) {
765 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid perm(%{public}s)", permissionName.c_str());
766 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
767 }
768
769 std::lock_guard<std::mutex> lock(startRecordListMutex_);
770 bool hasTokenStarted = false;
771 bool hasPidStarted = false;
772 for (auto& record : startRecordList_) {
773 if ((record.opCode == opCode) && (record.tokenId == tokenId)) { // find token
774 hasTokenStarted = true;
775 if (!IsPidValid(pid) || record.pidList.find(pid) != record.pidList.end()) {
776 hasPidStarted = true;
777 } else {
778 record.pidList.insert(pid);
779 }
780 break;
781 }
782 }
783 ACCESSTOKEN_LOG_INFO(LABEL, "Id(%{public}u), pid(%{public}d), opCode(%{public}d),\
784 hasTokenStarted(%{public}d), hasPidStarted(%{public}d).",
785 tokenId, pid, opCode, hasTokenStarted, hasPidStarted);
786 if (!hasTokenStarted) {
787 ContinusPermissionRecord record = { 0 };
788 record.tokenId = tokenId;
789 record.status = status;
790 record.opCode = opCode;
791 if (IsPidValid(pid)) {
792 record.pidList.insert(pid);
793 }
794 startRecordList_.emplace_back(record);
795 }
796 CallbackExecute(tokenId, permissionName, status);
797 if (hasTokenStarted && hasPidStarted) {
798 ret = PrivacyError::ERR_PERMISSION_ALREADY_START_USING;
799 }
800 return ret;
801 }
802
ExecuteAndUpdateRecord(uint32_t tokenId,int32_t pid,ActiveChangeType status)803 void PermissionRecordManager::ExecuteAndUpdateRecord(uint32_t tokenId, int32_t pid, ActiveChangeType status)
804 {
805 std::vector<std::string> camPermList;
806 std::lock_guard<std::mutex> lock(startRecordListMutex_);
807 for (auto it = startRecordList_.begin(); it != startRecordList_.end(); ++it) {
808 if ((it->tokenId == tokenId) && ((it->status) != PERM_INACTIVE) && ((it->status) != status)) {
809 std::string perm;
810 Constant::TransferOpcodeToPermission(it->opCode, perm);
811 if ((GetMuteStatus(perm, EDM)) || (!GetGlobalSwitchStatus(perm))) {
812 continue;
813 }
814
815 // app use camera background without float window
816 bool isShow = IsCameraWindowShow(tokenId);
817 bool isAllowedBackGround = false;
818 if (AccessTokenKit::VerifyAccessToken(tokenId, "ohos.permission.CAMERA_BACKGROUND") == PERMISSION_GRANTED) {
819 isAllowedBackGround = true;
820 }
821 if ((perm == CAMERA_PERMISSION_NAME) && (status == PERM_ACTIVE_IN_BACKGROUND) &&
822 (!isShow) && (!isAllowedBackGround)) {
823 ACCESSTOKEN_LOG_INFO(LABEL, "Camera float window is close!");
824 camPermList.emplace_back(perm);
825 continue;
826 }
827
828 // update status to input and timestamp to now in cache
829 it->status = status;
830 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenId %{public}d get permission %{public}s.", tokenId, perm.c_str());
831 }
832 }
833
834 if (!camPermList.empty()) {
835 ExecuteCameraCallbackAsync(tokenId, pid);
836 }
837 }
838
839 /*
840 * when foreground change background or background change foreground,change accessDuration and store in database,
841 * change status and accessDuration and timestamp in cache
842 */
NotifyAppStateChange(AccessTokenID tokenId,int32_t pid,ActiveChangeType status)843 void PermissionRecordManager::NotifyAppStateChange(AccessTokenID tokenId, int32_t pid, ActiveChangeType status)
844 {
845 ACCESSTOKEN_LOG_INFO(LABEL, "Id %{public}u, pid %{public}d, status %{public}d", tokenId, pid, status);
846 // find permissions from startRecordList_ by tokenId which status diff from currStatus
847 ExecuteAndUpdateRecord(tokenId, pid, status);
848 }
849
SetLockScreenStatus(int32_t lockScreenStatus)850 void PermissionRecordManager::SetLockScreenStatus(int32_t lockScreenStatus)
851 {
852 ACCESSTOKEN_LOG_INFO(LABEL, "LockScreenStatus %{public}d", lockScreenStatus);
853 std::lock_guard<std::mutex> lock(lockScreenStateMutex_);
854 lockScreenStatus_ = lockScreenStatus;
855 }
856
GetLockScreenStatus()857 int32_t PermissionRecordManager::GetLockScreenStatus()
858 {
859 std::lock_guard<std::mutex> lock(lockScreenStateMutex_);
860 return lockScreenStatus_;
861 }
862
RemoveRecordFromStartList(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)863 int32_t PermissionRecordManager::RemoveRecordFromStartList(
864 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
865 {
866 int32_t opCode;
867 if (!Constant::TransferPermissionToOpcode(permissionName, opCode)) {
868 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid permission(%{public}s)", permissionName.c_str());
869 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
870 }
871
872 ACCESSTOKEN_LOG_DEBUG(LABEL, "Id %{public}u, pid %{public}d, perm %{public}s",
873 tokenId, pid, permissionName.c_str());
874 int32_t status = PERM_INACTIVE;
875 bool isFind = false;
876 int32_t ret = Constant::SUCCESS;
877 std::lock_guard<std::mutex> lock(startRecordListMutex_);
878 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
879 if ((it->opCode != opCode) || (it->tokenId != tokenId)) {
880 ++it;
881 continue;
882 }
883 isFind = !IsPidValid(pid);
884 // erase pid from pidList
885 if (!isFind && it->pidList.find(pid) != it->pidList.end()) {
886 isFind = true;
887 it->pidList.erase(pid);
888 }
889 if (it->pidList.empty()) {
890 status = it->status;
891 startRecordList_.erase(it);
892 }
893 break;
894 }
895 if (status != PERM_INACTIVE) {
896 CallbackExecute(tokenId, permissionName, PERM_INACTIVE);
897 }
898 if (!isFind) {
899 ret = PrivacyError::ERR_PERMISSION_NOT_START_USING;
900 ACCESSTOKEN_LOG_ERROR(LABEL, "No records started, tokenId=%{public}u, pid=%{public}d, opCode=%{public}d",
901 tokenId, pid, opCode);
902 }
903 return ret;
904 }
905
906 /*
907 * remove all record of pid,
908 * when pidList is empty, execute active callback
909 */
RemoveRecordFromStartListByPid(const AccessTokenID tokenId,int32_t pid)910 void PermissionRecordManager::RemoveRecordFromStartListByPid(const AccessTokenID tokenId, int32_t pid)
911 {
912 ACCESSTOKEN_LOG_INFO(LABEL, "TokenId %{public}u, pid %{public}d", tokenId, pid);
913 {
914 std::vector<std::string> permList;
915 std::lock_guard<std::mutex> lock(startRecordListMutex_);
916 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
917 if (it->tokenId != tokenId || it->pidList.empty() || it->pidList.find(pid) == it->pidList.end()) {
918 ++it;
919 continue;
920 }
921 it->pidList.erase(pid);
922 if (it->pidList.empty()) {
923 std::string perm;
924 Constant::TransferOpcodeToPermission(it->opCode, perm);
925 permList.emplace_back(perm);
926 it = startRecordList_.erase(it);
927 }
928 }
929 for (const auto& perm : permList) {
930 CallbackExecute(tokenId, perm, PERM_INACTIVE);
931 }
932 }
933 cameraCallbackMap_.Erase(GetUniqueId(tokenId, pid));
934 }
935
936 /*
937 * remove all record of token, and execute active callback
938 */
RemoveRecordFromStartListByToken(const AccessTokenID tokenId)939 void PermissionRecordManager::RemoveRecordFromStartListByToken(const AccessTokenID tokenId)
940 {
941 ACCESSTOKEN_LOG_INFO(LABEL, "TokenId %{public}u", tokenId);
942 {
943 std::vector<std::string> permList;
944 std::lock_guard<std::mutex> lock(startRecordListMutex_);
945 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
946 if (it->tokenId != tokenId) {
947 ++it;
948 continue;
949 }
950 std::string perm;
951 Constant::TransferOpcodeToPermission(it->opCode, perm);
952 permList.emplace_back(perm);
953 it = startRecordList_.erase(it);
954 }
955 for (const auto& perm : permList) {
956 CallbackExecute(tokenId, perm, PERM_INACTIVE);
957 }
958 }
959 cameraCallbackMap_.Erase(GetUniqueId(tokenId, -1));
960 }
961
RemoveRecordFromStartListByOp(int32_t opCode)962 void PermissionRecordManager::RemoveRecordFromStartListByOp(int32_t opCode)
963 {
964 ACCESSTOKEN_LOG_INFO(LABEL, "OpCode %{public}d", opCode);
965 std::string perm;
966 Constant::TransferOpcodeToPermission(opCode, perm);
967 {
968 std::vector<AccessTokenID> tokenList;
969 std::lock_guard<std::mutex> lock(startRecordListMutex_);
970 for (auto it = startRecordList_.begin(); it != startRecordList_.end();) {
971 if (it->opCode != opCode) {
972 ++it;
973 continue;
974 }
975 tokenList.emplace_back(it->tokenId);
976 it = startRecordList_.erase(it);
977 }
978 for (size_t i = 0; i < tokenList.size(); ++i) {
979 CallbackExecute(tokenList[i], perm, PERM_INACTIVE);
980 }
981 }
982 }
983
CallbackExecute(AccessTokenID tokenId,const std::string & permissionName,int32_t status)984 void PermissionRecordManager::CallbackExecute(
985 AccessTokenID tokenId, const std::string& permissionName, int32_t status)
986 {
987 ACCESSTOKEN_LOG_INFO(LABEL,
988 "ExecuteCallbackAsync, tokenId %{public}d using permission %{public}s, status %{public}d",
989 tokenId, permissionName.c_str(), status);
990 ActiveStatusCallbackManager::GetInstance().ExecuteCallbackAsync(
991 tokenId, permissionName, GetDeviceId(tokenId), (ActiveChangeType)status);
992 }
993
GetGlobalSwitchStatus(const std::string & permissionName)994 bool PermissionRecordManager::GetGlobalSwitchStatus(const std::string& permissionName)
995 {
996 bool isOpen = true;
997 // only manage camera and microphone global switch now, other default true
998 if (permissionName == MICROPHONE_PERMISSION_NAME) {
999 isOpen = !isMicMixMute_;
1000 ACCESSTOKEN_LOG_INFO(LABEL, "Permission is %{public}s, status is %{public}d", permissionName.c_str(), isOpen);
1001 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1002 isOpen = !isCamMixMute_;
1003 ACCESSTOKEN_LOG_INFO(LABEL, "Permission is %{public}s, status is %{public}d", permissionName.c_str(), isOpen);
1004 }
1005 return isOpen;
1006 }
1007 #ifndef APP_SECURITY_PRIVACY_SERVICE
1008 /*
1009 * StartUsing when close and choose open, update status to foreground or background from inactive
1010 * StartUsing when open and choose close, update status to inactive and store in database
1011 */
ExecuteAndUpdateRecordByPerm(const std::string & permissionName,bool switchStatus)1012 void PermissionRecordManager::ExecuteAndUpdateRecordByPerm(const std::string& permissionName, bool switchStatus)
1013 {
1014 int32_t opCode;
1015 Constant::TransferPermissionToOpcode(permissionName, opCode);
1016 std::vector<ContinusPermissionRecord> recordList;
1017 std::lock_guard<std::mutex> lock(startRecordListMutex_);
1018 for (auto it = startRecordList_.begin(); it != startRecordList_.end(); ++it) {
1019 ContinusPermissionRecord& record = *it;
1020 if ((record.opCode) != static_cast<int32_t>(opCode)) {
1021 continue;
1022 }
1023 if (switchStatus) {
1024 ACCESSTOKEN_LOG_INFO(LABEL, "Global switch is open, update record from inactive");
1025 // no need to store in database when status from inactive to foreground or background
1026 record.status = GetAppStatus(record.tokenId);
1027 } else {
1028 ACCESSTOKEN_LOG_INFO(LABEL, "Global switch is close, update record to inactive");
1029 record.status = PERM_INACTIVE;
1030 }
1031 recordList.emplace_back(*it);
1032 }
1033 // each permission sends a status change notice
1034 for (const auto& record : recordList) {
1035 CallbackExecute(record.tokenId, permissionName, record.status);
1036 }
1037 }
1038 #endif
ShowGlobalDialog(const std::string & permissionName)1039 bool PermissionRecordManager::ShowGlobalDialog(const std::string& permissionName)
1040 {
1041 std::string resource;
1042 if (permissionName == CAMERA_PERMISSION_NAME) {
1043 resource = "camera";
1044 } else if (permissionName == MICROPHONE_PERMISSION_NAME) {
1045 resource = "microphone";
1046 } else {
1047 ACCESSTOKEN_LOG_INFO(LABEL, "Invalid permissionName(%{public}s).", permissionName.c_str());
1048 return true;
1049 }
1050
1051 AAFwk::Want want;
1052 want.SetElementName(globalDialogBundleName_, globalDialogAbilityName_);
1053 want.SetParam(RESOURCE_KEY, resource);
1054 ErrCode err = AbilityManagerAccessClient::GetInstance().StartAbility(want, nullptr);
1055 if (err != ERR_OK) {
1056 ACCESSTOKEN_LOG_ERROR(LABEL, "Fail to StartAbility, err:%{public}d", err);
1057 return false;
1058 }
1059 return true;
1060 }
1061
ExecuteAllCameraExecuteCallback()1062 void PermissionRecordManager::ExecuteAllCameraExecuteCallback()
1063 {
1064 ACCESSTOKEN_LOG_INFO(LABEL, "ExecuteAllCameraExecuteCallback called");
1065 auto it = [&](uint64_t id, sptr<IRemoteObject> cameraCallback) {
1066 auto callback = iface_cast<IStateChangeCallback>(cameraCallback);
1067 AccessTokenID tokenId = static_cast<AccessTokenID>(id);
1068 if (callback != nullptr) {
1069 ACCESSTOKEN_LOG_INFO(
1070 LABEL, "CameraCallback tokenId %{public}d changeType %{public}d.", tokenId, PERM_INACTIVE);
1071 callback->StateChangeNotify(tokenId, false);
1072 }
1073 };
1074 this->cameraCallbackMap_.Iterate(it);
1075 }
1076
ExecuteCameraCallbackAsync(AccessTokenID tokenId,int32_t pid)1077 void PermissionRecordManager::ExecuteCameraCallbackAsync(AccessTokenID tokenId, int32_t pid)
1078 {
1079 ACCESSTOKEN_LOG_DEBUG(LABEL, "Entry.");
1080 auto task = [tokenId, pid, this]() {
1081 uint64_t uniqueId = GetUniqueId(tokenId, pid);
1082 ACCESSTOKEN_LOG_INFO(LABEL, "ExecuteCameraCallbackAsync task called.");
1083 auto it = [&](uint64_t id, sptr<IRemoteObject> cameraCallback) {
1084 auto callback = iface_cast<IStateChangeCallback>(cameraCallback);
1085 if ((uniqueId == id) && (callback != nullptr)) {
1086 ACCESSTOKEN_LOG_INFO(LABEL, "CameraCallback tokenId(%{public}u) pid( %{public}d) changeType %{public}d",
1087 tokenId, pid, PERM_INACTIVE);
1088 callback->StateChangeNotify(tokenId, false);
1089 }
1090 };
1091 this->cameraCallbackMap_.Iterate(it);
1092 };
1093 std::thread executeThread(task);
1094 executeThread.detach();
1095 ACCESSTOKEN_LOG_DEBUG(LABEL, "The cameraCallback execution is complete.");
1096 }
1097
StartUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)1098 int32_t PermissionRecordManager::StartUsingPermission(
1099 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
1100 {
1101 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1102 ACCESSTOKEN_LOG_DEBUG(LABEL, "Not hap(%{public}d).", tokenId);
1103 return PrivacyError::ERR_PARAM_INVALID;
1104 }
1105
1106 InitializeMuteState(permissionName);
1107 if (GetMuteStatus(permissionName, EDM)) {
1108 ACCESSTOKEN_LOG_ERROR(LABEL, "EDM not allow.");
1109 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1110 }
1111 if (!Register()) {
1112 return PrivacyError::ERR_MALLOC_FAILED;
1113 }
1114
1115 int32_t status = GetAppStatus(tokenId);
1116 #ifndef APP_SECURITY_PRIVACY_SERVICE
1117 if (!GetGlobalSwitchStatus(permissionName)) {
1118 if (!ShowGlobalDialog(permissionName)) {
1119 return ERR_SERVICE_ABNORMAL;
1120 }
1121 status = PERM_INACTIVE;
1122 }
1123 #endif
1124 return AddRecordToStartList(tokenId, pid, permissionName, status);
1125 }
1126
StartUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName,const sptr<IRemoteObject> & callback)1127 int32_t PermissionRecordManager::StartUsingPermission(
1128 AccessTokenID tokenId, int32_t pid, const std::string& permissionName, const sptr<IRemoteObject>& callback)
1129 {
1130 if ((permissionName != CAMERA_PERMISSION_NAME) || (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP)) {
1131 ACCESSTOKEN_LOG_DEBUG(LABEL, "Token(%{public}u), perm(%{public}s).", tokenId, permissionName.c_str());
1132 return PrivacyError::ERR_PARAM_INVALID;
1133 }
1134
1135 InitializeMuteState(permissionName);
1136 if (GetMuteStatus(permissionName, EDM)) {
1137 ACCESSTOKEN_LOG_ERROR(LABEL, "EDM not allow.");
1138 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1139 }
1140
1141 if (!Register()) {
1142 return PrivacyError::ERR_MALLOC_FAILED;
1143 }
1144 int32_t status = GetAppStatus(tokenId);
1145 #ifndef APP_SECURITY_PRIVACY_SERVICE
1146 if (!GetGlobalSwitchStatus(permissionName)) {
1147 if (!ShowGlobalDialog(permissionName)) {
1148 return ERR_SERVICE_ABNORMAL;
1149 }
1150 status = PERM_INACTIVE;
1151 }
1152 #endif
1153 uint64_t id = GetUniqueId(tokenId, pid);
1154 cameraCallbackMap_.EnsureInsert(id, callback);
1155 if (!RegisterWindowCallback()) {
1156 cameraCallbackMap_.Erase(id);
1157 return PrivacyError::ERR_WINDOW_CALLBACK_FAILED;
1158 }
1159 int32_t ret = AddRecordToStartList(tokenId, pid, permissionName, status);
1160 if (ret != RET_SUCCESS) {
1161 cameraCallbackMap_.Erase(id);
1162 }
1163 return ret;
1164 }
1165
StopUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)1166 int32_t PermissionRecordManager::StopUsingPermission(
1167 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
1168 {
1169 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1170 ACCESSTOKEN_LOG_DEBUG(LABEL, "Not hap(%{public}d).", tokenId);
1171 return PrivacyError::ERR_PARAM_INVALID;
1172 }
1173
1174 return RemoveRecordFromStartList(tokenId, pid, permissionName);
1175 }
1176
PermListToString(const std::vector<std::string> & permList)1177 void PermissionRecordManager::PermListToString(const std::vector<std::string>& permList)
1178 {
1179 std::string permStr;
1180 permStr = accumulate(permList.begin(), permList.end(), std::string(" "));
1181
1182 ACCESSTOKEN_LOG_INFO(LABEL, "PermStr =%{public}s.", permStr.c_str());
1183 }
1184
PermissionListFilter(const std::vector<std::string> & listSrc,std::vector<std::string> & listRes)1185 int32_t PermissionRecordManager::PermissionListFilter(
1186 const std::vector<std::string>& listSrc, std::vector<std::string>& listRes)
1187 {
1188 // filter legal permissions
1189 PermissionDef permissionDef;
1190 std::set<std::string> permSet;
1191 for (const auto& perm : listSrc) {
1192 if (AccessTokenKit::GetDefPermission(perm, permissionDef) == Constant::SUCCESS &&
1193 permSet.count(perm) == 0) {
1194 listRes.emplace_back(perm);
1195 permSet.insert(perm);
1196 continue;
1197 }
1198 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission %{public}s invalid!", perm.c_str());
1199 }
1200 if ((listRes.empty()) && (!listSrc.empty())) {
1201 ACCESSTOKEN_LOG_ERROR(LABEL, "Valid permission size is 0!");
1202 return PrivacyError::ERR_PARAM_INVALID;
1203 }
1204 PermListToString(listRes);
1205 return Constant::SUCCESS;
1206 }
1207
IsAllowedUsingCamera(AccessTokenID tokenId)1208 bool PermissionRecordManager::IsAllowedUsingCamera(AccessTokenID tokenId)
1209 {
1210 int32_t status = GetAppStatus(tokenId);
1211 bool isAllowedBackGround = false;
1212 if (AccessTokenKit::VerifyAccessToken(tokenId, "ohos.permission.CAMERA_BACKGROUND") == PERMISSION_GRANTED) {
1213 isAllowedBackGround = true;
1214 }
1215 ACCESSTOKEN_LOG_INFO(LABEL,
1216 "Id(%{public}d), appStatus(%{public}d), isAllowedBackGround(%{public}d)).",
1217 tokenId, status, isAllowedBackGround);
1218 return (status == ActiveChangeType::PERM_ACTIVE_IN_FOREGROUND) || isAllowedBackGround;
1219 }
1220
IsAllowedUsingMicrophone(AccessTokenID tokenId)1221 bool PermissionRecordManager::IsAllowedUsingMicrophone(AccessTokenID tokenId)
1222 {
1223 int32_t status = GetAppStatus(tokenId);
1224 ACCESSTOKEN_LOG_INFO(LABEL, "Id %{public}d, status is %{public}d.", tokenId, status);
1225 if (status == ActiveChangeType::PERM_ACTIVE_IN_FOREGROUND) {
1226 return true;
1227 }
1228
1229 std::lock_guard<std::mutex> lock(foreReminderMutex_);
1230 auto iter = std::find(foreTokenIdList_.begin(), foreTokenIdList_.end(), tokenId);
1231 if (iter != foreTokenIdList_.end()) {
1232 return true;
1233 }
1234 return false;
1235 }
1236
IsAllowedUsingPermission(AccessTokenID tokenId,const std::string & permissionName)1237 bool PermissionRecordManager::IsAllowedUsingPermission(AccessTokenID tokenId, const std::string& permissionName)
1238 {
1239 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1240 ACCESSTOKEN_LOG_DEBUG(LABEL, "Id(%{public}d) is not hap.", tokenId);
1241 return false;
1242 }
1243
1244 if (GetMuteStatus(permissionName, EDM)) {
1245 ACCESSTOKEN_LOG_ERROR(LABEL, "EDM not allow.");
1246 return false;
1247 }
1248
1249 if (permissionName == CAMERA_PERMISSION_NAME) {
1250 return IsAllowedUsingCamera(tokenId);
1251 } else if (permissionName == MICROPHONE_PERMISSION_NAME) {
1252 return IsAllowedUsingMicrophone(tokenId);
1253 }
1254 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid permission(%{public}s).", permissionName.c_str());
1255 return false;
1256 }
1257
SetMutePolicy(const PolicyType & policyType,const CallerType & callerType,bool isMute)1258 int32_t PermissionRecordManager::SetMutePolicy(const PolicyType& policyType, const CallerType& callerType, bool isMute)
1259 {
1260 std::string permissionName;
1261 if (callerType == MICROPHONE) {
1262 permissionName = MICROPHONE_PERMISSION_NAME;
1263 } else if (callerType == CAMERA) {
1264 permissionName = CAMERA_PERMISSION_NAME;
1265 } else {
1266 return PrivacyError::ERR_PARAM_INVALID;
1267 }
1268
1269 if (policyType == EDM) {
1270 return SetEdmMutePolicy(permissionName, isMute);
1271 }
1272
1273 if (policyType == PRIVACY) {
1274 return SetPrivacyMutePolicy(permissionName, isMute);
1275 }
1276
1277 if (policyType == TEMPORARY) {
1278 return SetTempMutePolicy(permissionName, isMute);
1279 }
1280 return ERR_PARAM_INVALID;
1281 }
1282
SetHapWithFGReminder(uint32_t tokenId,bool isAllowed)1283 int32_t PermissionRecordManager::SetHapWithFGReminder(uint32_t tokenId, bool isAllowed)
1284 {
1285 if (AccessTokenKit::GetTokenTypeFlag(tokenId) != TOKEN_HAP) {
1286 ACCESSTOKEN_LOG_ERROR(LABEL, "Not hap(%{public}d).", tokenId);
1287 return PrivacyError::ERR_PARAM_INVALID;
1288 }
1289 std::lock_guard<std::mutex> lock(foreReminderMutex_);
1290 auto iter = std::find(foreTokenIdList_.begin(), foreTokenIdList_.end(), tokenId);
1291 if (iter == foreTokenIdList_.end() && isAllowed) {
1292 foreTokenIdList_.emplace_back(tokenId);
1293 ACCESSTOKEN_LOG_INFO(LABEL, "Set hap(%{public}d) foreground.", tokenId);
1294 return RET_SUCCESS;
1295 }
1296 if (iter != foreTokenIdList_.end() && !isAllowed) {
1297 foreTokenIdList_.erase(iter);
1298 ACCESSTOKEN_LOG_INFO(LABEL, "cancel hap(%{public}d) foreground.", tokenId);
1299 return RET_SUCCESS;
1300 }
1301 ACCESSTOKEN_LOG_ERROR(LABEL, "(%{public}d) is invalid to be operated.", tokenId);
1302 return PrivacyError::ERR_PARAM_INVALID;
1303 }
1304
SetEdmMutePolicy(const std::string permissionName,bool isMute)1305 int32_t PermissionRecordManager::SetEdmMutePolicy(const std::string permissionName, bool isMute)
1306 {
1307 if (isMute) {
1308 ModifyMuteStatus(permissionName, EDM, isMute);
1309 ModifyMuteStatus(permissionName, MIXED, isMute);
1310 #ifndef APP_SECURITY_PRIVACY_SERVICE
1311 ExecuteAndUpdateRecordByPerm(permissionName, false);
1312 #endif
1313 } else {
1314 ModifyMuteStatus(permissionName, EDM, isMute);
1315 if (GetMuteStatus(permissionName, MIXED)) {
1316 return ERR_PRIVACY_POLICY_CHECK_FAILED;
1317 }
1318 }
1319 return RET_SUCCESS;
1320 }
1321
SetPrivacyMutePolicy(const std::string permissionName,bool isMute)1322 int32_t PermissionRecordManager::SetPrivacyMutePolicy(const std::string permissionName, bool isMute)
1323 {
1324 if (isMute) {
1325 ModifyMuteStatus(permissionName, MIXED, isMute);
1326 } else {
1327 if (GetMuteStatus(permissionName, EDM)) {
1328 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1329 }
1330 ModifyMuteStatus(permissionName, MIXED, isMute);
1331 }
1332 #ifndef APP_SECURITY_PRIVACY_SERVICE
1333 ExecuteAndUpdateRecordByPerm(permissionName, !isMute);
1334 #endif
1335 return RET_SUCCESS;
1336 }
1337
SetTempMutePolicy(const std::string permissionName,bool isMute)1338 int32_t PermissionRecordManager::SetTempMutePolicy(const std::string permissionName, bool isMute)
1339 {
1340 if (!isMute) {
1341 if (GetMuteStatus(permissionName, EDM)) {
1342 return PrivacyError::ERR_EDM_POLICY_CHECK_FAILED;
1343 }
1344 if (GetMuteStatus(permissionName, MIXED)) {
1345 if (!ShowGlobalDialog(permissionName)) {
1346 return ERR_SERVICE_ABNORMAL;
1347 }
1348 return PrivacyError::ERR_PRIVACY_POLICY_CHECK_FAILED;
1349 }
1350 }
1351 return RET_SUCCESS;
1352 }
1353
ModifyMuteStatus(const std::string & permissionName,int32_t index,bool isMute)1354 void PermissionRecordManager::ModifyMuteStatus(const std::string& permissionName, int32_t index, bool isMute)
1355 {
1356 if (permissionName == MICROPHONE_PERMISSION_NAME) {
1357 std::lock_guard<std::mutex> lock(micMuteMutex_);
1358 if (index == EDM) {
1359 isMicEdmMute_ = isMute;
1360 } else {
1361 isMicMixMute_ = isMute;
1362 }
1363 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1364 std::lock_guard<std::mutex> lock(camMuteMutex_);
1365 if (index == EDM) {
1366 isCamEdmMute_ = isMute;
1367 } else {
1368 isCamMixMute_ = isMute;
1369 }
1370 }
1371 ACCESSTOKEN_LOG_INFO(LABEL, "permissionName: %{public}s, isMute: %{public}d, index: %{public}d.",
1372 permissionName.c_str(), isMute, index);
1373 }
1374
GetMuteStatus(const std::string & permissionName,int32_t index)1375 bool PermissionRecordManager::GetMuteStatus(const std::string& permissionName, int32_t index)
1376 {
1377 bool isMute = false;
1378 if (permissionName == MICROPHONE_PERMISSION_NAME) {
1379 std::lock_guard<std::mutex> lock(micMuteMutex_);
1380 isMute = (index == EDM) ? isMicEdmMute_ : isMicMixMute_;
1381 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1382 std::lock_guard<std::mutex> lock(camMuteMutex_);
1383 isMute = (index == EDM) ? isCamEdmMute_ : isCamMixMute_;
1384 } else {
1385 return false;
1386 }
1387 ACCESSTOKEN_LOG_INFO(LABEL, "perm: %{public}s, isMute: %{public}d, index: %{public}d.",
1388 permissionName.c_str(), isMute, index);
1389 return isMute;
1390 }
1391
RegisterPermActiveStatusCallback(AccessTokenID regiterTokenId,const std::vector<std::string> & permList,const sptr<IRemoteObject> & callback)1392 int32_t PermissionRecordManager::RegisterPermActiveStatusCallback(
1393 AccessTokenID regiterTokenId, const std::vector<std::string>& permList, const sptr<IRemoteObject>& callback)
1394 {
1395 std::vector<std::string> permListRes;
1396 int32_t res = PermissionListFilter(permList, permListRes);
1397 if (res != Constant::SUCCESS) {
1398 return res;
1399 }
1400 return ActiveStatusCallbackManager::GetInstance().AddCallback(regiterTokenId, permListRes, callback);
1401 }
1402
UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject> & callback)1403 int32_t PermissionRecordManager::UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject>& callback)
1404 {
1405 return ActiveStatusCallbackManager::GetInstance().RemoveCallback(callback);
1406 }
1407
AddDataValueToResults(const GenericValues value,std::vector<PermissionUsedTypeInfo> & results)1408 void PermissionRecordManager::AddDataValueToResults(const GenericValues value,
1409 std::vector<PermissionUsedTypeInfo>& results)
1410 {
1411 PermissionUsedTypeInfo info;
1412 info.tokenId = static_cast<AccessTokenID>(value.GetInt(PrivacyFiledConst::FIELD_TOKEN_ID));
1413 Constant::TransferOpcodeToPermission(value.GetInt(PrivacyFiledConst::FIELD_PERMISSION_CODE), info.permissionName);
1414 uint32_t type = static_cast<uint32_t>(value.GetInt(PrivacyFiledConst::FIELD_USED_TYPE));
1415 if ((type & NORMAL_TYPE_ADD_VALUE) == NORMAL_TYPE_ADD_VALUE) { // normal first
1416 info.type = PermissionUsedType::NORMAL_TYPE;
1417 results.emplace_back(info);
1418 }
1419 if ((type & PICKER_TYPE_ADD_VALUE) == PICKER_TYPE_ADD_VALUE) { // picker second
1420 info.type = PermissionUsedType::PICKER_TYPE;
1421 results.emplace_back(info);
1422 }
1423 if ((type & SEC_COMPONENT_TYPE_ADD_VALUE) == SEC_COMPONENT_TYPE_ADD_VALUE) { // security component last
1424 info.type = PermissionUsedType::SECURITY_COMPONENT_TYPE;
1425 results.emplace_back(info);
1426 }
1427 }
1428
GetPermissionUsedTypeInfos(AccessTokenID tokenId,const std::string & permissionName,std::vector<PermissionUsedTypeInfo> & results)1429 int32_t PermissionRecordManager::GetPermissionUsedTypeInfos(AccessTokenID tokenId, const std::string& permissionName,
1430 std::vector<PermissionUsedTypeInfo>& results)
1431 {
1432 GenericValues value;
1433
1434 if (tokenId != INVALID_TOKENID) {
1435 HapTokenInfo tokenInfo;
1436 if (AccessTokenKit::GetHapTokenInfo(tokenId, tokenInfo) != Constant::SUCCESS) {
1437 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid tokenId(%{public}d).", tokenId);
1438 return PrivacyError::ERR_TOKENID_NOT_EXIST;
1439 }
1440 value.Put(PrivacyFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId));
1441 }
1442
1443 if (!permissionName.empty()) {
1444 int32_t opCode;
1445 if (!Constant::TransferPermissionToOpcode(permissionName, opCode)) {
1446 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid (%{public}s).", permissionName.c_str());
1447 return PrivacyError::ERR_PERMISSION_NOT_EXIST;
1448 }
1449 value.Put(PrivacyFiledConst::FIELD_PERMISSION_CODE, opCode);
1450 }
1451
1452 std::vector<GenericValues> valueResults;
1453 if (PermissionUsedRecordDb::GetInstance().Query(PermissionUsedRecordDb::DataType::PERMISSION_USED_TYPE,
1454 value, valueResults) != PermissionUsedRecordDb::ExecuteResult::SUCCESS) {
1455 return Constant::FAILURE;
1456 }
1457
1458 for (const auto& valueResult : valueResults) {
1459 AddDataValueToResults(valueResult, results);
1460 }
1461
1462 ACCESSTOKEN_LOG_INFO(LABEL, "Get %{public}zu permission used type records.", results.size());
1463
1464 return Constant::SUCCESS;
1465 }
1466
GetDeviceId(AccessTokenID tokenId)1467 std::string PermissionRecordManager::GetDeviceId(AccessTokenID tokenId)
1468 {
1469 HapTokenInfo tokenInfo;
1470 if (AccessTokenKit::GetHapTokenInfo(tokenId, tokenInfo) != Constant::SUCCESS) {
1471 return "";
1472 }
1473 if (tokenInfo.deviceID == DEFAULT_DEVICEID) { // local
1474 return ConstantCommon::GetLocalDeviceId();
1475 }
1476 return tokenInfo.deviceID;
1477 }
1478
GetAppStatus(AccessTokenID tokenId)1479 int32_t PermissionRecordManager::GetAppStatus(AccessTokenID tokenId)
1480 {
1481 int32_t status = PERM_ACTIVE_IN_BACKGROUND;
1482 std::vector<AppStateData> foreGroundAppList;
1483 AppManagerAccessClient::GetInstance().GetForegroundApplications(foreGroundAppList);
1484 if (std::any_of(foreGroundAppList.begin(), foreGroundAppList.end(),
1485 [=](const auto& foreGroundApp) { return foreGroundApp.accessTokenId == tokenId; })) {
1486 status = PERM_ACTIVE_IN_FOREGROUND;
1487 }
1488 return status;
1489 }
1490
Register()1491 bool PermissionRecordManager::Register()
1492 {
1493 // app manager death callback register
1494 {
1495 std::lock_guard<std::mutex> lock(appManagerDeathMutex_);
1496 if (appManagerDeathCallback_ == nullptr) {
1497 appManagerDeathCallback_ = std::make_shared<PrivacyAppManagerDeathCallback>();
1498 if (appManagerDeathCallback_ == nullptr) {
1499 ACCESSTOKEN_LOG_ERROR(LABEL, "Register appManagerDeathCallback failed.");
1500 return false;
1501 }
1502 AppManagerAccessClient::GetInstance().RegisterDeathCallback(appManagerDeathCallback_);
1503 }
1504 }
1505 // app state change callback register
1506 {
1507 std::lock_guard<std::mutex> lock(appStateMutex_);
1508 if (appStateCallback_ == nullptr) {
1509 appStateCallback_ = new (std::nothrow) PrivacyAppStateObserver();
1510 if (appStateCallback_ == nullptr) {
1511 ACCESSTOKEN_LOG_ERROR(LABEL, "Register appStateCallback failed.");
1512 return false;
1513 }
1514 AppManagerAccessClient::GetInstance().RegisterApplicationStateObserver(appStateCallback_);
1515 }
1516 }
1517 return true;
1518 }
1519
1520 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
HasUsingCamera()1521 bool PermissionRecordManager::HasUsingCamera()
1522 {
1523 std::lock_guard<std::mutex> lock(startRecordListMutex_);
1524 bool hasCamera = std::any_of(startRecordList_.begin(), startRecordList_.end(),
1525 [](const auto& record) { return record.opCode == Constant::OP_CAMERA; });
1526 return hasCamera;
1527 }
1528
UpdateCameraFloatWindowStatus(AccessTokenID tokenId,bool isShowing)1529 void UpdateCameraFloatWindowStatus(AccessTokenID tokenId, bool isShowing)
1530 {
1531 PermissionRecordManager::GetInstance().NotifyCameraWindowChange(false, tokenId, isShowing);
1532 }
1533
UpdatePipWindowStatus(AccessTokenID tokenId,bool isShowing)1534 void UpdatePipWindowStatus(AccessTokenID tokenId, bool isShowing)
1535 {
1536 PermissionRecordManager::GetInstance().NotifyCameraWindowChange(true, tokenId, isShowing);
1537 }
1538
1539 /* Handle window manager die */
HandleWindowDied()1540 void HandleWindowDied()
1541 {
1542 PermissionRecordManager::GetInstance().OnWindowMgrRemoteDied();
1543 }
1544 #endif
1545
RegisterWindowCallback()1546 bool PermissionRecordManager::RegisterWindowCallback()
1547 {
1548 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1549 ACCESSTOKEN_LOG_INFO(LABEL, "Begin to RegisterWindowCallback.");
1550
1551 std::lock_guard<std::mutex> lock(windowMutex_);
1552 WindowChangeCallback floatCallback = UpdateCameraFloatWindowStatus;
1553 if (floatWindowCallback_ == nullptr) {
1554 floatWindowCallback_ = new (std::nothrow) PrivacyWindowManagerAgent(floatCallback);
1555 if (floatWindowCallback_ == nullptr) {
1556 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to new PrivacyWindowManagerAgent.");
1557 return false;
1558 }
1559 }
1560 ErrCode err = PrivacyWindowManagerClient::GetInstance().RegisterWindowManagerAgent(
1561 WindowManagerAgentType::WINDOW_MANAGER_AGENT_TYPE_CAMERA_FLOAT, floatWindowCallback_);
1562 if (err != ERR_OK) {
1563 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to register float window listener, err:%{public}d", err);
1564 return false;
1565 }
1566
1567 if (Rosen::SceneBoardJudgement::IsSceneBoardEnabled()) {
1568 WindowChangeCallback pipCallback = UpdatePipWindowStatus;
1569
1570 if (pipWindowCallback_ == nullptr) {
1571 pipWindowCallback_ = new (std::nothrow) PrivacyWindowManagerAgent(pipCallback);
1572 if (floatWindowCallback_ == nullptr) {
1573 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to new PrivacyWindowManagerAgent.");
1574 return false;
1575 }
1576 }
1577
1578 err = PrivacyWindowManagerClient::GetInstance().RegisterWindowManagerAgent(
1579 WindowManagerAgentType::WINDOW_MANAGER_AGENT_TYPE_CAMERA_WINDOW, pipWindowCallback_);
1580 if (err != ERR_OK) {
1581 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to register pip window listener, err:%{public}d", err);
1582 PrivacyWindowManagerClient::GetInstance().UnregisterWindowManagerAgent(
1583 WindowManagerAgentType::WINDOW_MANAGER_AGENT_TYPE_CAMERA_FLOAT, floatWindowCallback_);
1584 return false;
1585 }
1586 }
1587
1588 PrivacyWindowManagerClient::GetInstance().AddDeathCallback(HandleWindowDied);
1589 #endif
1590 return true;
1591 }
1592
InitializeMuteState(const std::string & permissionName)1593 void PermissionRecordManager::InitializeMuteState(const std::string& permissionName)
1594 {
1595 if (permissionName == MICROPHONE_PERMISSION_NAME) {
1596 bool isMicMute = AudioManagerPrivacyClient::GetInstance().GetPersistentMicMuteState();
1597 ACCESSTOKEN_LOG_INFO(LABEL, "Mic mute state: %{public}d.", isMicMute);
1598 ModifyMuteStatus(MICROPHONE_PERMISSION_NAME, MIXED, isMicMute);
1599 {
1600 std::lock_guard<std::mutex> lock(micLoadMutex_);
1601 if (!isMicLoad_) {
1602 ACCESSTOKEN_LOG_INFO(LABEL, "Mic mute state: %{public}d.", isMicLoad_);
1603 bool isEdmMute = false;
1604 if (!GetMuteParameter(EDM_MIC_MUTE_KEY, isEdmMute)) {
1605 ACCESSTOKEN_LOG_ERROR(LABEL, "Get param failed");
1606 return;
1607 }
1608 ModifyMuteStatus(MICROPHONE_PERMISSION_NAME, EDM, isEdmMute);
1609 }
1610 }
1611 } else if (permissionName == CAMERA_PERMISSION_NAME) {
1612 bool isCameraMute = CameraManagerPrivacyClient::GetInstance().IsCameraMuted();
1613 ACCESSTOKEN_LOG_INFO(LABEL, "Camera mute state: %{public}d.", isCameraMute);
1614 ModifyMuteStatus(CAMERA_PERMISSION_NAME, MIXED, isCameraMute);
1615 {
1616 std::lock_guard<std::mutex> lock(camLoadMutex_);
1617 if (!isCamLoad_) {
1618 bool isEdmMute = false;
1619 if (!GetMuteParameter(EDM_CAMERA_MUTE_KEY, isEdmMute)) {
1620 ACCESSTOKEN_LOG_ERROR(LABEL, "Get camera param failed");
1621 return;
1622 }
1623 ModifyMuteStatus(CAMERA_PERMISSION_NAME, EDM, isEdmMute);
1624 }
1625 }
1626 }
1627 }
1628
Unregister()1629 void PermissionRecordManager::Unregister()
1630 {
1631 // app state change callback unregister
1632 std::lock_guard<std::mutex> lock(appStateMutex_);
1633 if (appStateCallback_ != nullptr) {
1634 AppManagerAccessClient::GetInstance().UnregisterApplicationStateObserver(appStateCallback_);
1635 appStateCallback_= nullptr;
1636 }
1637 }
1638
GetMuteParameter(const char * key,bool & isMute)1639 bool PermissionRecordManager::GetMuteParameter(const char* key, bool& isMute)
1640 {
1641 char value[VALUE_MAX_LEN] = {0};
1642 int32_t ret = GetParameter(key, "", value, VALUE_MAX_LEN - 1);
1643 if (ret < 0) {
1644 ACCESSTOKEN_LOG_ERROR(LABEL, "Return default value, ret=%{public}d", ret);
1645 return false;
1646 }
1647 isMute = false;
1648 if (strncmp(value, "true", VALUE_MAX_LEN) == 0) {
1649 ACCESSTOKEN_LOG_INFO(LABEL, "EDM not allow.");
1650 isMute = true;
1651 }
1652 return true;
1653 }
1654
OnAppMgrRemoteDiedHandle()1655 void PermissionRecordManager::OnAppMgrRemoteDiedHandle()
1656 {
1657 ACCESSTOKEN_LOG_INFO(LABEL, "Handle app fwk died.");
1658 std::lock_guard<std::mutex> lock(appStateMutex_);
1659 appStateCallback_ = nullptr;
1660 }
1661
OnAudioMgrRemoteDiedHandle()1662 void PermissionRecordManager::OnAudioMgrRemoteDiedHandle()
1663 {
1664 ACCESSTOKEN_LOG_INFO(LABEL, "Handle audio fwk died.");
1665 {
1666 std::lock_guard<std::mutex> lock(micLoadMutex_);
1667 isMicLoad_ = false;
1668 }
1669 RemoveRecordFromStartListByOp(Constant::OP_MICROPHONE);
1670 }
1671
OnCameraMgrRemoteDiedHandle()1672 void PermissionRecordManager::OnCameraMgrRemoteDiedHandle()
1673 {
1674 ACCESSTOKEN_LOG_INFO(LABEL, "Handle camera fwk died.");
1675 {
1676 std::lock_guard<std::mutex> lock(camLoadMutex_);
1677 isCamLoad_ = false;
1678 }
1679 RemoveRecordFromStartListByOp(Constant::OP_CAMERA);
1680 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1681 ClearWindowShowing();
1682 #endif
1683 }
1684
IsCameraWindowShow(AccessTokenID tokenId)1685 bool PermissionRecordManager::IsCameraWindowShow(AccessTokenID tokenId)
1686 {
1687 bool isShow = true;
1688 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1689 std::lock_guard<std::mutex> lock(windowStatusMutex_);
1690 isShow = (((floatWindowTokenId_ == tokenId) && camFloatWindowShowing_) ||
1691 ((pipWindowTokenId_ == tokenId) && pipWindowShowing_));
1692 #endif
1693 return isShow;
1694 }
1695
1696 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
1697 /*
1698 * when camera float window is not show, notice camera service to use StopUsingPermission
1699 */
NotifyCameraWindowChange(bool isPip,AccessTokenID tokenId,bool isShowing)1700 void PermissionRecordManager::NotifyCameraWindowChange(bool isPip, AccessTokenID tokenId, bool isShowing)
1701 {
1702 ACCESSTOKEN_LOG_INFO(LABEL, "Update window, isPip(%{public}d), id(%{public}u), status(%{public}d)",
1703 isPip, tokenId, isShowing);
1704 {
1705 std::lock_guard<std::mutex> lock(windowStatusMutex_);
1706 if (isPip) {
1707 pipWindowShowing_ = isShowing;
1708 pipWindowTokenId_ = tokenId;
1709 } else {
1710 camFloatWindowShowing_ = isShowing;
1711 floatWindowTokenId_ = tokenId;
1712 }
1713 }
1714 if (isShowing) {
1715 ACCESSTOKEN_LOG_INFO(LABEL, "Camera float window is showing!");
1716 } else {
1717 if ((GetAppStatus(tokenId) == ActiveChangeType::PERM_ACTIVE_IN_BACKGROUND) &&
1718 !IsCameraWindowShow(tokenId)) {
1719 ACCESSTOKEN_LOG_INFO(LABEL, "Token(%{public}d) is background, pip and float window is not show.", tokenId);
1720 ExecuteCameraCallbackAsync(tokenId, -1);
1721 }
1722 }
1723 }
1724
ClearWindowShowing()1725 void PermissionRecordManager::ClearWindowShowing()
1726 {
1727 ACCESSTOKEN_LOG_INFO(LABEL, "Clear window show status.");
1728 {
1729 std::lock_guard<std::mutex> lock(windowStatusMutex_);
1730 camFloatWindowShowing_ = false;
1731 floatWindowTokenId_ = 0;
1732
1733 pipWindowShowing_ = false;
1734 pipWindowTokenId_ = 0;
1735 }
1736 }
1737
1738 /* Handle window manager die */
OnWindowMgrRemoteDied()1739 void PermissionRecordManager::OnWindowMgrRemoteDied()
1740 {
1741 ACCESSTOKEN_LOG_INFO(LABEL, "Handle window manager died.");
1742 ClearWindowShowing();
1743 }
1744 #endif
1745
SetDefaultConfigValue()1746 void PermissionRecordManager::SetDefaultConfigValue()
1747 {
1748 recordSizeMaximum_ = DEFAULT_PERMISSION_USED_RECORD_SIZE_MAXIMUM;
1749 recordAgingTime_ = DEFAULT_PERMISSION_USED_RECORD_AGING_TIME;
1750 globalDialogBundleName_ = DEFAULT_PERMISSION_MANAGER_BUNDLE_NAME;
1751 globalDialogAbilityName_ = DEFAULT_PERMISSION_MANAGER_DIALOG_ABILITY;
1752 }
1753
GetConfigValue()1754 void PermissionRecordManager::GetConfigValue()
1755 {
1756 LibraryLoader loader(CONFIG_POLICY_LIBPATH);
1757 ConfigPolicyLoaderInterface* policy = loader.GetObject<ConfigPolicyLoaderInterface>();
1758 if (policy == nullptr) {
1759 ACCESSTOKEN_LOG_ERROR(LABEL, "Dlopen libaccesstoken_config_policy failed.");
1760 return;
1761 }
1762 AccessTokenConfigValue value;
1763 if (policy->GetConfigValue(ServiceType::PRIVACY_SERVICE, value)) {
1764 // set value from config
1765 recordSizeMaximum_ = value.pConfig.sizeMaxImum == 0
1766 ? DEFAULT_PERMISSION_USED_RECORD_SIZE_MAXIMUM : value.pConfig.sizeMaxImum;
1767 recordAgingTime_ = value.pConfig.agingTime == 0
1768 ? DEFAULT_PERMISSION_USED_RECORD_AGING_TIME : value.pConfig.agingTime;
1769 globalDialogBundleName_ = value.pConfig.globalDialogBundleName.empty()
1770 ? DEFAULT_PERMISSION_MANAGER_BUNDLE_NAME : value.pConfig.globalDialogBundleName;
1771 globalDialogAbilityName_ = value.pConfig.globalDialogAbilityName.empty()
1772 ? DEFAULT_PERMISSION_MANAGER_DIALOG_ABILITY : value.pConfig.globalDialogAbilityName;
1773 } else {
1774 SetDefaultConfigValue();
1775 }
1776
1777 ACCESSTOKEN_LOG_INFO(LABEL, "RecordSizeMaximum_ is %{public}d, recordAgingTime_ is %{public}d,"
1778 " globalDialogBundleName_ is %{public}s, globalDialogAbilityName_ is %{public}s.",
1779 recordSizeMaximum_, recordAgingTime_, globalDialogBundleName_.c_str(), globalDialogAbilityName_.c_str());
1780 }
1781
GetUniqueId(uint32_t tokenId,int32_t pid) const1782 uint64_t PermissionRecordManager::GetUniqueId(uint32_t tokenId, int32_t pid) const
1783 {
1784 uint32_t tmpPid = (pid <= 0) ? 0 : (uint32_t)pid;
1785 return ((uint64_t)tmpPid << 32) | ((uint64_t)tokenId & 0xFFFFFFFF); // 32: bit
1786 }
1787
IsPidValid(int32_t pid) const1788 bool PermissionRecordManager::IsPidValid(int32_t pid) const
1789 {
1790 return pid > 0;
1791 }
1792
Init()1793 void PermissionRecordManager::Init()
1794 {
1795 if (hasInited_) {
1796 return;
1797 }
1798 ACCESSTOKEN_LOG_INFO(LABEL, "Init");
1799 hasInited_ = true;
1800
1801 #ifdef EVENTHANDLER_ENABLE
1802 deleteEventRunner_ = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
1803 if (deleteEventRunner_ != nullptr) {
1804 deleteEventHandler_ = std::make_shared<AccessEventHandler>(deleteEventRunner_);
1805 }
1806 #endif
1807
1808 GetConfigValue();
1809 }
1810 } // namespace AccessToken
1811 } // namespace Security
1812 } // namespace OHOS