1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "bundle_install_checker.h"
17
18 #include "app_log_tag_wrapper.h"
19 #include "bms_extension_data_mgr.h"
20 #include "bundle_mgr_service.h"
21 #include "bundle_parser.h"
22 #include "bundle_permission_mgr.h"
23 #include "parameter.h"
24 #include "parameters.h"
25 #include "privilege_extension_ability_type.h"
26 #include "scope_guard.h"
27 #include "systemcapability.h"
28
29 namespace OHOS {
30 namespace AppExecFwk {
31 namespace {
32 const std::string PRIVILEGE_ALLOW_APP_DATA_NOT_CLEARED = "AllowAppDataNotCleared";
33 const std::string PRIVILEGE_ALLOW_APP_MULTI_PROCESS = "AllowAppMultiProcess";
34 const std::string PRIVILEGE_ALLOW_APP_DESKTOP_ICON_HIDE = "AllowAppDesktopIconHide";
35 const std::string PRIVILEGE_ALLOW_ABILITY_PRIORITY_QUERIED = "AllowAbilityPriorityQueried";
36 const std::string PRIVILEGE_ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS = "AllowAbilityExcludeFromMissions";
37 const std::string PRIVILEGE_ALLOW_MISSION_NOT_CLEARED = "AllowMissionNotCleared";
38 const std::string PRIVILEGE_ALLOW_APP_USE_PRIVILEGE_EXTENSION = "AllowAppUsePrivilegeExtension";
39 const std::string PRIVILEGE_ALLOW_FORM_VISIBLE_NOTIFY = "AllowFormVisibleNotify";
40 const std::string PRIVILEGE_ALLOW_APP_SHARE_LIBRARY = "AllowAppShareLibrary";
41 const std::string PRIVILEGE_ALLOW_ENABLE_NOTIFICATION = "AllowEnableNotification";
42 const std::string ALLOW_APP_DATA_NOT_CLEARED = "allowAppDataNotCleared";
43 const std::string ALLOW_APP_MULTI_PROCESS = "allowAppMultiProcess";
44 const std::string ALLOW_APP_DESKTOP_ICON_HIDE = "allowAppDesktopIconHide";
45 const std::string ALLOW_ABILITY_PRIORITY_QUERIED = "allowAbilityPriorityQueried";
46 const std::string ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS = "allowAbilityExcludeFromMissions";
47 const std::string ALLOW_MISSION_NOT_CLEARED = "allowMissionNotCleared";
48 const std::string ALLOW_APP_USE_PRIVILEGE_EXTENSION = "allowAppUsePrivilegeExtension";
49 const std::string ALLOW_FORM_VISIBLE_NOTIFY = "allowFormVisibleNotify";
50 const std::string ALLOW_APP_SHARE_LIBRARY = "allowAppShareLibrary";
51 const std::string ALLOW_ENABLE_NOTIFICATION = "allowEnableNotification";
52 const std::string APL_NORMAL = "normal";
53 const std::string SLASH = "/";
54 const std::string DOUBLE_SLASH = "//";
55 const std::string SUPPORT_ISOLATION_MODE = "persist.bms.supportIsolationMode";
56 const std::string VALUE_TRUE = "true";
57 const std::string VALUE_TRUE_BOOL = "1";
58 const std::string VALUE_FALSE = "false";
59 const std::string NONISOLATION_ONLY = "nonisolationOnly";
60 const std::string ISOLATION_ONLY = "isolationOnly";
61 const std::string SUPPORT_APP_TYPES = "const.bms.supportAppTypes";
62 const std::string SUPPORT_APP_TYPES_SEPARATOR = ",";
63 const int32_t SLAH_OFFSET = 2;
64 const int32_t THRESHOLD_VAL_LEN = 40;
65 constexpr const char* SYSTEM_APP_SCAN_PATH = "/system/app";
66 constexpr const char* DEVICE_TYPE_OF_DEFAULT = "default";
67 constexpr const char* DEVICE_TYPE_OF_PHONE = "phone";
68 constexpr const char* APP_INSTALL_PATH = "/data/app/el1/bundle";
69
70 const std::unordered_map<std::string, void (*)(AppPrivilegeCapability &appPrivilegeCapability)>
71 PRIVILEGE_MAP = {
72 { PRIVILEGE_ALLOW_APP_DATA_NOT_CLEARED,
__anon37e41dcf0202() 73 [] (AppPrivilegeCapability &appPrivilegeCapability) {
74 appPrivilegeCapability.userDataClearable = false;
75 } },
76 { PRIVILEGE_ALLOW_APP_MULTI_PROCESS,
__anon37e41dcf0302() 77 [] (AppPrivilegeCapability &appPrivilegeCapability) {
78 appPrivilegeCapability.allowMultiProcess = true;
79 } },
80 { PRIVILEGE_ALLOW_APP_DESKTOP_ICON_HIDE,
__anon37e41dcf0402() 81 [] (AppPrivilegeCapability &appPrivilegeCapability) {
82 appPrivilegeCapability.hideDesktopIcon = true;
83 } },
84 { PRIVILEGE_ALLOW_ABILITY_PRIORITY_QUERIED,
__anon37e41dcf0502() 85 [] (AppPrivilegeCapability &appPrivilegeCapability) {
86 appPrivilegeCapability.allowQueryPriority = true;
87 } },
88 { PRIVILEGE_ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS,
__anon37e41dcf0602() 89 [] (AppPrivilegeCapability &appPrivilegeCapability) {
90 appPrivilegeCapability.allowExcludeFromMissions = true;
91 } },
92 { PRIVILEGE_ALLOW_MISSION_NOT_CLEARED,
__anon37e41dcf0702() 93 [] (AppPrivilegeCapability &appPrivilegeCapability) {
94 appPrivilegeCapability.allowMissionNotCleared = true;
95 } },
96 { PRIVILEGE_ALLOW_APP_USE_PRIVILEGE_EXTENSION,
__anon37e41dcf0802() 97 [] (AppPrivilegeCapability &appPrivilegeCapability) {
98 appPrivilegeCapability.allowUsePrivilegeExtension = true;
99 } },
100 { PRIVILEGE_ALLOW_FORM_VISIBLE_NOTIFY,
__anon37e41dcf0902() 101 [] (AppPrivilegeCapability &appPrivilegeCapability) {
102 appPrivilegeCapability.formVisibleNotify = true;
103 } },
104 { PRIVILEGE_ALLOW_APP_SHARE_LIBRARY,
__anon37e41dcf0a02() 105 [] (AppPrivilegeCapability &appPrivilegeCapability) {
106 appPrivilegeCapability.appShareLibrary = true;
107 } },
108 { PRIVILEGE_ALLOW_ENABLE_NOTIFICATION,
__anon37e41dcf0b02() 109 [] (AppPrivilegeCapability &appPrivilegeCapability) {
110 appPrivilegeCapability.allowEnableNotification = true;
111 } },
112 };
113
GetAppDistributionType(const Security::Verify::AppDistType & type)114 std::string GetAppDistributionType(const Security::Verify::AppDistType &type)
115 {
116 auto typeIter = APP_DISTRIBUTION_TYPE_MAPS.find(type);
117 if (typeIter == APP_DISTRIBUTION_TYPE_MAPS.end()) {
118 LOG_E(BMS_TAG_INSTALLER, "wrong AppDistType");
119 return Constants::APP_DISTRIBUTION_TYPE_NONE;
120 }
121
122 return typeIter->second;
123 }
124
GetAppProvisionType(const Security::Verify::ProvisionType & type)125 std::string GetAppProvisionType(const Security::Verify::ProvisionType &type)
126 {
127 if (type == Security::Verify::ProvisionType::DEBUG) {
128 return Constants::APP_PROVISION_TYPE_DEBUG;
129 }
130
131 return Constants::APP_PROVISION_TYPE_RELEASE;
132 }
133
IsPrivilegeExtensionAbilityType(ExtensionAbilityType type)134 bool IsPrivilegeExtensionAbilityType(ExtensionAbilityType type)
135 {
136 return PRIVILEGE_EXTENSION_ABILITY_TYPE.find(type) != PRIVILEGE_EXTENSION_ABILITY_TYPE.end();
137 }
138
IsSystemExtensionAbilityType(ExtensionAbilityType type)139 bool IsSystemExtensionAbilityType(ExtensionAbilityType type)
140 {
141 return SYSTEM_EXTENSION_ABILITY_TYPE.find(type) != SYSTEM_EXTENSION_ABILITY_TYPE.end();
142 }
143 }
144
CheckSysCap(const std::vector<std::string> & bundlePaths)145 ErrCode BundleInstallChecker::CheckSysCap(const std::vector<std::string> &bundlePaths)
146 {
147 LOG_D(BMS_TAG_INSTALLER, "check hap syscaps start");
148 if (bundlePaths.empty()) {
149 LOG_NOFUNC_E(BMS_TAG_INSTALLER, "empty bundlePaths check hap syscaps fail");
150 return ERR_APPEXECFWK_INSTALL_PARAM_ERROR;
151 }
152
153 ErrCode result = ERR_OK;
154 BundleParser bundleParser;
155 for (const auto &bundlePath : bundlePaths) {
156 std::vector<std::string> bundleSysCaps;
157 result = bundleParser.ParseSysCap(bundlePath, bundleSysCaps);
158 if (result != ERR_OK) {
159 LOG_E(BMS_TAG_INSTALLER, "parse bundle syscap failed, error: %{public}d", result);
160 return result;
161 }
162
163 for (const auto &bundleSysCapItem : bundleSysCaps) {
164 LOG_D(BMS_TAG_INSTALLER, "check syscap(%{public}s)", bundleSysCapItem.c_str());
165 if (!HasSystemCapability(bundleSysCapItem.c_str())) {
166 LOG_E(BMS_TAG_INSTALLER, "check syscap failed which %{public}s is not exsit",
167 bundleSysCapItem.c_str());
168 return ERR_APPEXECFWK_INSTALL_CHECK_SYSCAP_FAILED;
169 }
170 }
171 }
172
173 LOG_D(BMS_TAG_INSTALLER, "finish check hap syscaps");
174 return result;
175 }
176
CheckMultipleHapsSignInfo(const std::vector<std::string> & bundlePaths,std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes,bool readFile)177 ErrCode BundleInstallChecker::CheckMultipleHapsSignInfo(
178 const std::vector<std::string> &bundlePaths,
179 std::vector<Security::Verify::HapVerifyResult>& hapVerifyRes, bool readFile)
180 {
181 LOG_D(BMS_TAG_INSTALLER, "Check multiple haps signInfo");
182 if (bundlePaths.empty()) {
183 LOG_E(BMS_TAG_INSTALLER, "check hap sign info failed due to empty bundlePaths");
184 return ERR_APPEXECFWK_INSTALL_PARAM_ERROR;
185 }
186 for (const std::string &bundlePath : bundlePaths) {
187 Security::Verify::HapVerifyResult hapVerifyResult;
188 ErrCode verifyRes = ERR_OK;
189 if (readFile) {
190 verifyRes = Security::Verify::HapVerify(bundlePath, hapVerifyResult, true);
191 } else {
192 verifyRes = BundleVerifyMgr::HapVerify(bundlePath, hapVerifyResult);
193 }
194 #ifndef X86_EMULATOR_MODE
195 if (verifyRes != ERR_OK) {
196 LOG_E(BMS_TAG_INSTALLER, "hap file verify failed, bundlePath: %{public}s", bundlePath.c_str());
197 return readFile ? ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE : verifyRes;
198 }
199 #endif
200 hapVerifyRes.emplace_back(hapVerifyResult);
201 }
202
203 if (hapVerifyRes.empty()) {
204 LOG_E(BMS_TAG_INSTALLER, "no sign info in the all haps");
205 return ERR_APPEXECFWK_INSTALL_FAILED_INCOMPATIBLE_SIGNATURE;
206 }
207
208 if (!CheckProvisionInfoIsValid(hapVerifyRes)) {
209 #ifndef X86_EMULATOR_MODE
210 return ERR_APPEXECFWK_INSTALL_FAILED_INCOMPATIBLE_SIGNATURE;
211 #else
212 // on emulator if check signature failed clear appid
213 for (auto &verifyRes : hapVerifyRes) {
214 Security::Verify::ProvisionInfo provisionInfo = verifyRes.GetProvisionInfo();
215 provisionInfo.appId = Constants::EMPTY_STRING;
216 verifyRes.SetProvisionInfo(provisionInfo);
217 }
218 #endif
219 }
220 LOG_D(BMS_TAG_INSTALLER, "finish check multiple haps signInfo");
221 return ERR_OK;
222 }
223
CheckProvisionInfoIsValid(const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)224 bool BundleInstallChecker::CheckProvisionInfoIsValid(
225 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
226 {
227 auto appId = hapVerifyRes[0].GetProvisionInfo().appId;
228 auto appIdentifier = hapVerifyRes[0].GetProvisionInfo().bundleInfo.appIdentifier;
229 auto apl = hapVerifyRes[0].GetProvisionInfo().bundleInfo.apl;
230 auto appDistributionType = hapVerifyRes[0].GetProvisionInfo().distributionType;
231 auto appProvisionType = hapVerifyRes[0].GetProvisionInfo().type;
232 bool isInvalid = std::any_of(hapVerifyRes.begin(), hapVerifyRes.end(),
233 [appId, apl, appDistributionType, appProvisionType, appIdentifier](const auto &hapVerifyResult) {
234 if (appId != hapVerifyResult.GetProvisionInfo().appId) {
235 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appId");
236 return true;
237 }
238 if (apl != hapVerifyResult.GetProvisionInfo().bundleInfo.apl) {
239 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different apl");
240 return true;
241 }
242 if (appDistributionType != hapVerifyResult.GetProvisionInfo().distributionType) {
243 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appDistributionType");
244 return true;
245 }
246 if (appProvisionType != hapVerifyResult.GetProvisionInfo().type) {
247 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appProvisionType");
248 return true;
249 }
250 if (appIdentifier != hapVerifyResult.GetProvisionInfo().bundleInfo.appIdentifier) {
251 LOG_E(BMS_TAG_INSTALLER, "error: hap files have different appIdentifier");
252 return true;
253 }
254 return false;
255 });
256 return !isInvalid;
257 }
258
VaildInstallPermission(const InstallParam & installParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)259 bool BundleInstallChecker::VaildInstallPermission(const InstallParam &installParam,
260 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
261 {
262 PermissionStatus installBundleStatus = installParam.installBundlePermissionStatus;
263 PermissionStatus installEnterpriseBundleStatus = installParam.installEnterpriseBundlePermissionStatus;
264 PermissionStatus installEtpMdmBundleStatus = installParam.installEtpMdmBundlePermissionStatus;
265 PermissionStatus installInternaltestingBundleStatus = installParam.installInternaltestingBundlePermissionStatus;
266 bool isCallByShell = installParam.isCallByShell;
267 if (!isCallByShell && installBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
268 installEnterpriseBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
269 installEtpMdmBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
270 installInternaltestingBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS) {
271 return true;
272 }
273 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
274 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
275 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
276 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
277 LOG_E(BMS_TAG_INSTALLER, "enterprise bundle can not be installed by shell");
278 return false;
279 }
280 if (!isCallByShell && installEnterpriseBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
281 LOG_E(BMS_TAG_INSTALLER, "install enterprise bundle permission denied");
282 return false;
283 }
284 continue;
285 }
286 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
287 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
288 bool result = VaildEnterpriseInstallPermission(installParam, provisionInfo);
289 if (!result) {
290 return false;
291 }
292 continue;
293 }
294 if (provisionInfo.distributionType == Security::Verify::AppDistType::INTERNALTESTING) {
295 if (!isCallByShell && installInternaltestingBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
296 LOG_E(BMS_TAG_INSTALLER, "install internaltesting bundle permission denied");
297 return false;
298 }
299 continue;
300 }
301 if (installBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
302 LOG_E(BMS_TAG_INSTALLER, "install permission denied");
303 return false;
304 }
305 }
306 return true;
307 }
308
VaildEnterpriseInstallPermission(const InstallParam & installParam,const Security::Verify::ProvisionInfo & provisionInfo)309 bool BundleInstallChecker::VaildEnterpriseInstallPermission(const InstallParam &installParam,
310 const Security::Verify::ProvisionInfo &provisionInfo)
311 {
312 if (installParam.isSelfUpdate) {
313 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
314 LOG_I(BMS_TAG_INSTALLER, "Mdm self update");
315 return true;
316 }
317 LOG_E(BMS_TAG_INSTALLER, "Self update not MDM");
318 return false;
319 }
320 bool isCallByShell = installParam.isCallByShell;
321 PermissionStatus installEtpNormalBundleStatus = installParam.installEtpNormalBundlePermissionStatus;
322 PermissionStatus installEtpMdmBundleStatus = installParam.installEtpMdmBundlePermissionStatus;
323 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
324 LOG_E(BMS_TAG_INSTALLER, "enterprise normal/mdm bundle can not be installed by shell");
325 return false;
326 }
327 if (!isCallByShell &&
328 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL &&
329 installEtpNormalBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS &&
330 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
331 LOG_E(BMS_TAG_INSTALLER, "install enterprise normal bundle permission denied");
332 return false;
333 }
334 if (!isCallByShell &&
335 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM &&
336 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
337 LOG_E(BMS_TAG_INSTALLER, "install enterprise mdm bundle permission denied");
338 return false;
339 }
340 return true;
341 }
342
ParseHapFiles(const std::vector<std::string> & bundlePaths,const InstallCheckParam & checkParam,std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes,std::unordered_map<std::string,InnerBundleInfo> & infos)343 ErrCode BundleInstallChecker::ParseHapFiles(
344 const std::vector<std::string> &bundlePaths,
345 const InstallCheckParam &checkParam,
346 std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
347 std::unordered_map<std::string, InnerBundleInfo> &infos)
348 {
349 LOG_D(BMS_TAG_INSTALLER, "Parse hap file");
350 ErrCode result = ERR_OK;
351 for (uint32_t i = 0; i < bundlePaths.size(); ++i) {
352 InnerBundleInfo newInfo;
353 BundlePackInfo packInfo;
354 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
355 if (provisionInfo.bundleInfo.appFeature == ServiceConstants::HOS_SYSTEM_APP) {
356 newInfo.SetAppType(Constants::AppType::SYSTEM_APP);
357 } else {
358 newInfo.SetAppType(Constants::AppType::THIRD_PARTY_APP);
359 }
360 newInfo.SetIsPreInstallApp(checkParam.isPreInstallApp);
361 result = ParseBundleInfo(bundlePaths[i], newInfo, packInfo);
362 if (result != ERR_OK) {
363 LOG_E(BMS_TAG_INSTALLER, "bundle parse failed %{public}d", result);
364 return result;
365 }
366 newInfo.SetOrganization(provisionInfo.organization);
367 #ifndef X86_EMULATOR_MODE
368 result = CheckBundleName(provisionInfo.bundleInfo.bundleName, newInfo.GetBundleName());
369 if (result != ERR_OK) {
370 LOG_E(BMS_TAG_INSTALLER, "check provision bundleName failed");
371 return result;
372 }
373 #endif
374 if (newInfo.HasEntry()) {
375 if (isContainEntry_) {
376 LOG_E(BMS_TAG_INSTALLER, "more than one entry hap in the direction");
377 return ERR_APPEXECFWK_INSTALL_INVALID_NUMBER_OF_ENTRY_HAP;
378 }
379 isContainEntry_ = true;
380 }
381
382 SetEntryInstallationFree(packInfo, newInfo);
383 result = CheckMainElement(newInfo);
384 if (result != ERR_OK) {
385 return result;
386 }
387 AppPrivilegeCapability appPrivilegeCapability;
388 // from provision file
389 ParseAppPrivilegeCapability(provisionInfo, appPrivilegeCapability);
390 // form install_list_capability.json, higher priority than provision file
391 // allow appIdentifier/appId/fingerprint
392 newInfo.SetProvisionId(provisionInfo.appId);
393 std::vector<std::string> appSignatures;
394 appSignatures.emplace_back(provisionInfo.bundleInfo.appIdentifier);
395 appSignatures.emplace_back(newInfo.GetAppId());
396 appSignatures.emplace_back(provisionInfo.fingerprint);
397 FetchPrivilegeCapabilityFromPreConfig(
398 newInfo.GetBundleName(), appSignatures, appPrivilegeCapability);
399 // process bundleInfo by appPrivilegeCapability
400 result = ProcessBundleInfoByPrivilegeCapability(appPrivilegeCapability, newInfo);
401 if (result != ERR_OK) {
402 return result;
403 }
404 CollectProvisionInfo(provisionInfo, appPrivilegeCapability, newInfo);
405 #ifdef USE_PRE_BUNDLE_PROFILE
406 GetPrivilegeCapability(checkParam, newInfo);
407 #endif
408 if ((provisionInfo.distributionType == Security::Verify::AppDistType::CROWDTESTING) ||
409 (checkParam.specifiedDistributionType == Constants::APP_DISTRIBUTION_TYPE_CROWDTESTING)) {
410 newInfo.SetAppCrowdtestDeadline((checkParam.crowdtestDeadline >= 0) ? checkParam.crowdtestDeadline :
411 Constants::INHERIT_CROWDTEST_DEADLINE);
412 } else {
413 newInfo.SetAppCrowdtestDeadline(Constants::INVALID_CROWDTEST_DEADLINE);
414 }
415 if (!checkParam.isPreInstallApp) {
416 if ((result = CheckSystemSize(bundlePaths[i], checkParam.appType)) != ERR_OK) {
417 LOG_E(BMS_TAG_INSTALLER, "install failed due to insufficient disk memory");
418 return result;
419 }
420 }
421 DetermineCloneNum(newInfo);
422
423 infos.emplace(bundlePaths[i], newInfo);
424 }
425 if ((result = CheckModuleNameForMulitHaps(infos)) != ERR_OK) {
426 LOG_E(BMS_TAG_INSTALLER, "install failed due to duplicated moduleName");
427 return result;
428 }
429 LOG_D(BMS_TAG_INSTALLER, "finish parse hap file");
430 return result;
431 }
432
CheckHspInstallCondition(std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)433 ErrCode BundleInstallChecker::CheckHspInstallCondition(
434 std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
435 {
436 ErrCode result = ERR_OK;
437 if ((result = CheckDeveloperMode(hapVerifyRes)) != ERR_OK) {
438 LOG_E(BMS_TAG_INSTALLER, "install failed due to debug mode");
439 return result;
440 }
441 if ((result = CheckAllowEnterpriseBundle(hapVerifyRes)) != ERR_OK) {
442 LOG_E(BMS_TAG_INSTALLER, "install failed due to non-enterprise device");
443 return result;
444 }
445 return ERR_OK;
446 }
447
CheckInstallPermission(const InstallCheckParam & checkParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)448 ErrCode BundleInstallChecker::CheckInstallPermission(const InstallCheckParam &checkParam,
449 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
450 {
451 if ((checkParam.installBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
452 checkParam.installEnterpriseBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
453 checkParam.installEtpNormalBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
454 checkParam.installInternaltestingBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS ||
455 checkParam.installEtpMdmBundlePermissionStatus != PermissionStatus::NOT_VERIFIED_PERMISSION_STATUS) &&
456 !VaildInstallPermissionForShare(checkParam, hapVerifyRes)) {
457 // need vaild permission
458 LOG_E(BMS_TAG_INSTALLER, "install permission denied");
459 return ERR_APPEXECFWK_INSTALL_PERMISSION_DENIED;
460 }
461 return ERR_OK;
462 }
463
VaildInstallPermissionForShare(const InstallCheckParam & checkParam,const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes)464 bool BundleInstallChecker::VaildInstallPermissionForShare(const InstallCheckParam &checkParam,
465 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
466 {
467 PermissionStatus installBundleStatus = checkParam.installBundlePermissionStatus;
468 PermissionStatus installEnterpriseBundleStatus = checkParam.installEnterpriseBundlePermissionStatus;
469 PermissionStatus installEtpMdmBundleStatus = checkParam.installEtpMdmBundlePermissionStatus;
470 PermissionStatus installInternaltestingBundleStatus = checkParam.installInternaltestingBundlePermissionStatus;
471 bool isCallByShell = checkParam.isCallByShell;
472 if (!isCallByShell && installBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
473 installEnterpriseBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
474 installEtpMdmBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS &&
475 installInternaltestingBundleStatus == PermissionStatus::HAVE_PERMISSION_STATUS) {
476 return true;
477 }
478 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
479 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
480 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
481 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
482 LOG_E(BMS_TAG_INSTALLER, "enterprise bundle can not be installed by shell");
483 return false;
484 }
485 if (!isCallByShell && installEnterpriseBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
486 LOG_E(BMS_TAG_INSTALLER, "install enterprise bundle permission denied");
487 return false;
488 }
489 continue;
490 }
491 if (provisionInfo.distributionType == Security::Verify::AppDistType::INTERNALTESTING) {
492 if (!isCallByShell && installInternaltestingBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
493 LOG_E(BMS_TAG_INSTALLER, "install internaltesting bundle permission denied");
494 return false;
495 }
496 continue;
497 }
498 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
499 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
500 bool result = VaildEnterpriseInstallPermissionForShare(checkParam, provisionInfo);
501 if (!result) {
502 return false;
503 }
504 continue;
505 }
506 if (installBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
507 LOG_E(BMS_TAG_INSTALLER, "install permission denied");
508 return false;
509 }
510 }
511 return true;
512 }
513
VaildEnterpriseInstallPermissionForShare(const InstallCheckParam & checkParam,const Security::Verify::ProvisionInfo & provisionInfo)514 bool BundleInstallChecker::VaildEnterpriseInstallPermissionForShare(const InstallCheckParam &checkParam,
515 const Security::Verify::ProvisionInfo &provisionInfo)
516 {
517 bool isCallByShell = checkParam.isCallByShell;
518 PermissionStatus installEtpNormalBundleStatus = checkParam.installEtpNormalBundlePermissionStatus;
519 PermissionStatus installEtpMdmBundleStatus = checkParam.installEtpMdmBundlePermissionStatus;
520 if (isCallByShell && provisionInfo.type != Security::Verify::ProvisionType::DEBUG) {
521 LOG_E(BMS_TAG_INSTALLER, "enterprise normal/mdm bundle can not be installed by shell");
522 return false;
523 }
524 if (!isCallByShell &&
525 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL &&
526 installEtpNormalBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS &&
527 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
528 LOG_E(BMS_TAG_INSTALLER, "install enterprise normal bundle permission denied");
529 return false;
530 }
531 if (!isCallByShell &&
532 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM &&
533 installEtpMdmBundleStatus != PermissionStatus::HAVE_PERMISSION_STATUS) {
534 LOG_E(BMS_TAG_INSTALLER, "install enterprise mdm bundle permission denied");
535 return false;
536 }
537 return true;
538 }
539
CheckDependency(std::unordered_map<std::string,InnerBundleInfo> & infos)540 ErrCode BundleInstallChecker::CheckDependency(std::unordered_map<std::string, InnerBundleInfo> &infos)
541 {
542 LOG_D(BMS_TAG_INSTALLER, "CheckDependency");
543
544 for (const auto &info : infos) {
545 if (info.second.GetInnerModuleInfos().empty()) {
546 LOG_D(BMS_TAG_INSTALLER, "GetInnerModuleInfos is empty");
547 continue;
548 }
549 // There is only one innerModuleInfo when installing
550 InnerModuleInfo moduleInfo = info.second.GetInnerModuleInfos().begin()->second;
551 LOG_D(BMS_TAG_INSTALLER, "current module:%{public}s, dependencies = %{public}s", moduleInfo.moduleName.c_str(),
552 GetJsonStrFromInfo(moduleInfo.dependencies).c_str());
553 for (const auto &dependency : moduleInfo.dependencies) {
554 if (!NeedCheckDependency(dependency, info.second)) {
555 LOG_D(BMS_TAG_INSTALLER, "deliveryWithInstall is false, do not check whether the dependency exists");
556 continue;
557 }
558 std::string bundleName =
559 dependency.bundleName.empty() ? info.second.GetBundleName() : dependency.bundleName;
560 if (FindModuleInInstallingPackage(dependency.moduleName, bundleName, infos)) {
561 continue;
562 }
563 LOG_W(BMS_TAG_INSTALLER, "The depend module:%{public}s is not exist in installing package",
564 dependency.moduleName.c_str());
565 if (!FindModuleInInstalledPackage(dependency.moduleName, bundleName, info.second.GetVersionCode())) {
566 LOG_E(BMS_TAG_INSTALLER, "The depend :%{public}s is not exist", dependency.moduleName.c_str());
567 SetCheckResultMsg(
568 moduleInfo.moduleName + "'s dependent module: " + dependency.moduleName + " does not exist");
569 return ERR_APPEXECFWK_INSTALL_DEPENDENT_MODULE_NOT_EXIST;
570 }
571 }
572 }
573
574 return ERR_OK;
575 }
576
NeedCheckDependency(const Dependency & dependency,const InnerBundleInfo & info)577 bool BundleInstallChecker::NeedCheckDependency(const Dependency &dependency, const InnerBundleInfo &info)
578 {
579 LOG_D(BMS_TAG_INSTALLER, "NeedCheckDependency the moduleName is %{public}s, the bundleName is %{public}s",
580 dependency.moduleName.c_str(), dependency.bundleName.c_str());
581
582 if (!dependency.bundleName.empty() && dependency.bundleName != info.GetBundleName()) {
583 LOG_D(BMS_TAG_INSTALLER, "Cross-app dependencies, check dependency with shared bundle installer");
584 return false;
585 }
586 std::vector<PackageModule> modules = info.GetBundlePackInfo().summary.modules;
587 if (modules.empty()) {
588 LOG_D(BMS_TAG_INSTALLER, "NeedCheckDependency modules is empty, need check dependency");
589 return true;
590 }
591 for (const auto &module : modules) {
592 if (module.distro.moduleName == dependency.moduleName) {
593 return module.distro.deliveryWithInstall;
594 }
595 }
596
597 LOG_D(BMS_TAG_INSTALLER, "NeedCheckDependency the module not found, need check dependency");
598 return true;
599 }
600
FindModuleInInstallingPackage(const std::string & moduleName,const std::string & bundleName,const std::unordered_map<std::string,InnerBundleInfo> & infos)601 bool BundleInstallChecker::FindModuleInInstallingPackage(
602 const std::string &moduleName,
603 const std::string &bundleName,
604 const std::unordered_map<std::string, InnerBundleInfo> &infos)
605 {
606 LOG_D(BMS_TAG_INSTALLER, "moduleName is %{public}s, the bundleName is %{public}s",
607 moduleName.c_str(), bundleName.c_str());
608 for (const auto &info : infos) {
609 if (info.second.GetBundleName() == bundleName) {
610 if (info.second.GetInnerModuleInfos().empty()) {
611 continue;
612 }
613 // There is only one innerModuleInfo when installing
614 InnerModuleInfo moduleInfo = info.second.GetInnerModuleInfos().begin()->second;
615 if (moduleInfo.moduleName == moduleName) {
616 return true;
617 }
618 }
619 }
620 return false;
621 }
622
FindModuleInInstalledPackage(const std::string & moduleName,const std::string & bundleName,uint32_t versionCode)623 bool BundleInstallChecker::FindModuleInInstalledPackage(
624 const std::string &moduleName,
625 const std::string &bundleName,
626 uint32_t versionCode)
627 {
628 LOG_D(BMS_TAG_INSTALLER, "FindModuleInInstalledPackage the moduleName is %{public}s, the bundleName is %{public}s",
629 moduleName.c_str(), bundleName.c_str());
630 std::shared_ptr<BundleDataMgr> dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
631 if (dataMgr == nullptr) {
632 LOG_E(BMS_TAG_INSTALLER, "Get dataMgr shared_ptr nullptr");
633 return false;
634 }
635
636 ScopeGuard enableGuard([&dataMgr, &bundleName] { dataMgr->EnableBundle(bundleName); });
637 InnerBundleInfo bundleInfo;
638 bool isBundleExist = dataMgr->GetInnerBundleInfo(bundleName, bundleInfo);
639 if (!isBundleExist) {
640 LOG_E(BMS_TAG_INSTALLER, "the bundle: %{public}s is not install", bundleName.c_str());
641 return false;
642 }
643 if (!bundleInfo.FindModule(moduleName)) {
644 LOG_E(BMS_TAG_INSTALLER, "the module: %{public}s is not install", moduleName.c_str());
645 return false;
646 }
647 if (bundleInfo.GetVersionCode() != versionCode) {
648 LOG_E(BMS_TAG_INSTALLER, "the versionCode %{public}d of dependency is not consistent with the installed module",
649 bundleInfo.GetVersionCode());
650 return false;
651 }
652 return true;
653 }
654
CheckBundleName(const std::string & provisionBundleName,const std::string & bundleName)655 ErrCode BundleInstallChecker::CheckBundleName(const std::string &provisionBundleName, const std::string &bundleName)
656 {
657 LOG_D(BMS_TAG_INSTALLER, "CheckBundleName provisionBundleName:%{public}s, bundleName:%{public}s",
658 provisionBundleName.c_str(), bundleName.c_str());
659 if (provisionBundleName.empty() || bundleName.empty()) {
660 LOG_E(BMS_TAG_INSTALLER, "CheckBundleName provisionBundleName:%{public}s, bundleName:%{public}s failed",
661 provisionBundleName.c_str(), bundleName.c_str());
662 return ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE;
663 }
664 if (provisionBundleName == bundleName) {
665 return ERR_OK;
666 }
667 LOG_E(BMS_TAG_INSTALLER, "CheckBundleName failed provisionBundleName:%{public}s, bundleName:%{public}s",
668 provisionBundleName.c_str(), bundleName.c_str());
669 return ERR_APPEXECFWK_INSTALL_FAILED_BUNDLE_SIGNATURE_VERIFICATION_FAILURE;
670 }
671
CollectProvisionInfo(const Security::Verify::ProvisionInfo & provisionInfo,const AppPrivilegeCapability & appPrivilegeCapability,InnerBundleInfo & newInfo)672 void BundleInstallChecker::CollectProvisionInfo(
673 const Security::Verify::ProvisionInfo &provisionInfo,
674 const AppPrivilegeCapability &appPrivilegeCapability,
675 InnerBundleInfo &newInfo)
676 {
677 newInfo.SetProvisionId(provisionInfo.appId);
678 newInfo.SetAppFeature(provisionInfo.bundleInfo.appFeature);
679 newInfo.SetAppPrivilegeLevel(provisionInfo.bundleInfo.apl);
680 newInfo.SetAllowedAcls(provisionInfo.acls.allowedAcls);
681 newInfo.SetCertificateFingerprint(provisionInfo.fingerprint);
682 newInfo.SetAppDistributionType(GetAppDistributionType(provisionInfo.distributionType));
683 newInfo.SetAppProvisionType(GetAppProvisionType(provisionInfo.type));
684 SetAppProvisionMetadata(provisionInfo.metadatas, newInfo);
685 #ifdef USE_PRE_BUNDLE_PROFILE
686 newInfo.SetUserDataClearable(appPrivilegeCapability.userDataClearable);
687 newInfo.SetHideDesktopIcon(appPrivilegeCapability.hideDesktopIcon);
688 newInfo.SetFormVisibleNotify(appPrivilegeCapability.formVisibleNotify);
689 #endif
690 newInfo.AddOldAppId(newInfo.GetAppId());
691 newInfo.SetAppIdentifier(provisionInfo.bundleInfo.appIdentifier);
692 if (provisionInfo.type == Security::Verify::ProvisionType::DEBUG) {
693 newInfo.SetCertificate(provisionInfo.bundleInfo.developmentCertificate);
694 } else {
695 newInfo.SetCertificate(provisionInfo.bundleInfo.distributionCertificate);
696 }
697 }
698
SetAppProvisionMetadata(const std::vector<Security::Verify::Metadata> & provisionMetadatas,InnerBundleInfo & newInfo)699 void BundleInstallChecker::SetAppProvisionMetadata(const std::vector<Security::Verify::Metadata> &provisionMetadatas,
700 InnerBundleInfo &newInfo)
701 {
702 if (provisionMetadatas.empty()) {
703 LOG_E(BMS_TAG_INSTALLER, "provisionMetadatas is empty");
704 return;
705 }
706 std::vector<Metadata> metadatas;
707 for (const auto &it : provisionMetadatas) {
708 Metadata metadata;
709 metadata.name = it.name;
710 metadata.value = it.value;
711 metadatas.emplace_back(metadata);
712 }
713 newInfo.SetAppProvisionMetadata(metadatas);
714 }
715
GetPrivilegeCapability(const InstallCheckParam & checkParam,InnerBundleInfo & newInfo)716 void BundleInstallChecker::GetPrivilegeCapability(
717 const InstallCheckParam &checkParam, InnerBundleInfo &newInfo)
718 {
719 // Reset privilege capability
720 newInfo.SetKeepAlive(false);
721 newInfo.SetSingleton(false);
722
723 newInfo.SetRemovable(checkParam.removable);
724 PreBundleConfigInfo preBundleConfigInfo;
725 preBundleConfigInfo.bundleName = newInfo.GetBundleName();
726 if (!BMSEventHandler::GetPreInstallCapability(preBundleConfigInfo)) {
727 LOG_D(BMS_TAG_INSTALLER, "%{public}s not exist in preinstall capability list", newInfo.GetBundleName().c_str());
728 return;
729 }
730
731 if (!MatchSignature(preBundleConfigInfo.appSignature, newInfo.GetCertificateFingerprint()) &&
732 !MatchSignature(preBundleConfigInfo.appSignature, newInfo.GetAppId()) &&
733 !MatchSignature(preBundleConfigInfo.appSignature, newInfo.GetAppIdentifier()) &&
734 !MatchOldSignatures(newInfo.GetBundleName(), preBundleConfigInfo.appSignature)) {
735 LOG_E(BMS_TAG_INSTALLER, "%{public}s signature not match the capability list", newInfo.GetBundleName().c_str());
736 return;
737 }
738
739 newInfo.SetKeepAlive(preBundleConfigInfo.keepAlive);
740 newInfo.SetSingleton(preBundleConfigInfo.singleton);
741 newInfo.SetRunningResourcesApply(preBundleConfigInfo.runningResourcesApply);
742 newInfo.SetAssociatedWakeUp(preBundleConfigInfo.associatedWakeUp);
743 newInfo.SetAllowCommonEvent(preBundleConfigInfo.allowCommonEvent);
744 newInfo.SetResourcesApply(preBundleConfigInfo.resourcesApply);
745 newInfo.SetAllowAppRunWhenDeviceFirstLocked(preBundleConfigInfo.allowAppRunWhenDeviceFirstLocked);
746 newInfo.SetAllowEnableNotification(preBundleConfigInfo.allowEnableNotification);
747 }
748
SetPackInstallationFree(BundlePackInfo & bundlePackInfo,const InnerBundleInfo & innerBundleInfo) const749 void BundleInstallChecker::SetPackInstallationFree(BundlePackInfo &bundlePackInfo,
750 const InnerBundleInfo &innerBundleInfo) const
751 {
752 if (innerBundleInfo.GetIsNewVersion()) {
753 if (innerBundleInfo.GetApplicationBundleType() != BundleType::ATOMIC_SERVICE) {
754 for (auto &item : bundlePackInfo.summary.modules) {
755 item.distro.installationFree = false;
756 }
757 return;
758 }
759 for (auto &item : bundlePackInfo.summary.modules) {
760 item.distro.installationFree = true;
761 }
762 }
763 }
764
ParseBundleInfo(const std::string & bundleFilePath,InnerBundleInfo & info,BundlePackInfo & packInfo) const765 ErrCode BundleInstallChecker::ParseBundleInfo(
766 const std::string &bundleFilePath,
767 InnerBundleInfo &info,
768 BundlePackInfo &packInfo) const
769 {
770 BundleParser bundleParser;
771 ErrCode result = bundleParser.Parse(bundleFilePath, info);
772 if (result != ERR_OK) {
773 LOG_E(BMS_TAG_INSTALLER, "parse bundle info failed, error: %{public}d", result);
774 return result;
775 }
776
777 const auto extensions = info.GetInnerExtensionInfos();
778 for (const auto &item : extensions) {
779 if (item.second.type == ExtensionAbilityType::UNSPECIFIED &&
780 !BMSEventHandler::CheckExtensionTypeInConfig(item.second.extensionTypeName)) {
781 LOG_W(BMS_TAG_INSTALLER, "Parse error, There is no corresponding type in the configuration");
782 }
783 }
784
785 if (!packInfo.GetValid()) {
786 result = bundleParser.ParsePackInfo(bundleFilePath, packInfo);
787 if (result != ERR_OK) {
788 LOG_E(BMS_TAG_INSTALLER, "parse bundle pack info failed, error: %{public}d", result);
789 return result;
790 }
791
792 SetPackInstallationFree(packInfo, info);
793 info.SetBundlePackInfo(packInfo);
794 packInfo.SetValid(true);
795 }
796
797 return ERR_OK;
798 }
799
SetEntryInstallationFree(const BundlePackInfo & bundlePackInfo,InnerBundleInfo & innerBundleInfo)800 void BundleInstallChecker::SetEntryInstallationFree(
801 const BundlePackInfo &bundlePackInfo,
802 InnerBundleInfo &innerBundleInfo)
803 {
804 if (!bundlePackInfo.GetValid()) {
805 LOG_W(BMS_TAG_INSTALLER, "no pack.info in the hap file");
806 return;
807 }
808
809 auto packageModule = bundlePackInfo.summary.modules;
810 auto installationFree = std::any_of(packageModule.begin(), packageModule.end(), [&](const auto &module) {
811 return module.distro.moduleType == "entry" && module.distro.installationFree;
812 });
813 if (installationFree) {
814 LOG_I(BMS_TAG_INSTALLER, "install or update hm service");
815 }
816 if (innerBundleInfo.GetIsNewVersion()) {
817 installationFree = innerBundleInfo.GetApplicationBundleType() == BundleType::ATOMIC_SERVICE;
818 }
819
820 innerBundleInfo.SetEntryInstallationFree(installationFree);
821 if (installationFree && !innerBundleInfo.GetIsNewVersion()) {
822 innerBundleInfo.SetApplicationBundleType(BundleType::ATOMIC_SERVICE);
823 }
824 }
825
CheckSystemSize(const std::string & bundlePath,const Constants::AppType appType) const826 ErrCode BundleInstallChecker::CheckSystemSize(
827 const std::string &bundlePath,
828 const Constants::AppType appType) const
829 {
830 if ((appType == Constants::AppType::SYSTEM_APP) &&
831 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
832 return ERR_OK;
833 }
834
835 if ((appType == Constants::AppType::THIRD_SYSTEM_APP) &&
836 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
837 return ERR_OK;
838 }
839
840 if ((appType == Constants::AppType::THIRD_PARTY_APP) &&
841 (BundleUtil::CheckSystemSize(bundlePath, APP_INSTALL_PATH))) {
842 return ERR_OK;
843 }
844
845 LOG_E(BMS_TAG_INSTALLER, "install failed due to insufficient disk memory");
846 return ERR_APPEXECFWK_INSTALL_DISK_MEM_INSUFFICIENT;
847 }
848
CheckHapHashParams(std::unordered_map<std::string,InnerBundleInfo> & infos,std::map<std::string,std::string> hashParams)849 ErrCode BundleInstallChecker::CheckHapHashParams(
850 std::unordered_map<std::string, InnerBundleInfo> &infos,
851 std::map<std::string, std::string> hashParams)
852 {
853 if (hashParams.empty()) {
854 LOG_D(BMS_TAG_INSTALLER, "hashParams is empty");
855 return ERR_OK;
856 }
857
858 std::vector<std::string> hapModuleNames;
859 for (auto &info : infos) {
860 std::vector<std::string> moduleNames;
861 info.second.GetModuleNames(moduleNames);
862 if (moduleNames.empty()) {
863 LOG_E(BMS_TAG_INSTALLER, "hap(%{public}s) moduleName is empty", info.first.c_str());
864 return ERR_APPEXECFWK_INSTALL_FAILED_MODULE_NAME_EMPTY;
865 }
866
867 if (std::find(hapModuleNames.begin(), hapModuleNames.end(), moduleNames[0]) != hapModuleNames.end()) {
868 LOG_E(BMS_TAG_INSTALLER, "hap moduleName(%{public}s) duplicate", moduleNames[0].c_str());
869 return ERR_APPEXECFWK_INSTALL_FAILED_MODULE_NAME_DUPLICATE;
870 }
871
872 hapModuleNames.emplace_back(moduleNames[0]);
873 auto hashParamIter = hashParams.find(moduleNames[0]);
874 if (hashParamIter != hashParams.end()) {
875 info.second.SetModuleHashValue(hashParamIter->second);
876 hashParams.erase(hashParamIter);
877 }
878 }
879
880 if (!hashParams.empty()) {
881 LOG_E(BMS_TAG_INSTALLER, "Some hashParam moduleName is not exist in hap moduleNames");
882 return ERR_APPEXECFWK_INSTALL_FAILED_CHECK_HAP_HASH_PARAM;
883 }
884
885 return ERR_OK;
886 }
887
GetValidReleaseType(const std::unordered_map<std::string,InnerBundleInfo> & infos)888 std::tuple<bool, std::string, std::string> BundleInstallChecker::GetValidReleaseType(
889 const std::unordered_map<std::string, InnerBundleInfo> &infos)
890 {
891 if (infos.empty()) {
892 LOG_E(BMS_TAG_INSTALLER, "infos is empty");
893 return std::make_tuple(false, "", "");
894 }
895 for (const auto &info : infos) {
896 if (!info.second.IsHsp()) {
897 return std::make_tuple(false, info.second.GetCurModuleName(), info.second.GetReleaseType());
898 }
899 }
900 return std::make_tuple(true, (infos.begin()->second).GetCurModuleName(),
901 (infos.begin()->second).GetReleaseType());
902 }
903
CheckAppLabelInfo(const std::unordered_map<std::string,InnerBundleInfo> & infos)904 ErrCode BundleInstallChecker::CheckAppLabelInfo(
905 const std::unordered_map<std::string, InnerBundleInfo> &infos)
906 {
907 LOG_D(BMS_TAG_INSTALLER, "Check APP label");
908 ErrCode ret = ERR_OK;
909 std::string bundleName = (infos.begin()->second).GetBundleName();
910 uint32_t versionCode = (infos.begin()->second).GetVersionCode();
911 uint32_t minCompatibleVersionCode = (infos.begin()->second).GetMinCompatibleVersionCode();
912 uint32_t target = (infos.begin()->second).GetTargetVersion();
913 auto [isHsp, moduleName, releaseType] = GetValidReleaseType(infos);
914 uint32_t compatible = (infos.begin()->second).GetCompatibleVersion();
915 bool singleton = (infos.begin()->second).IsSingleton();
916 Constants::AppType appType = (infos.begin()->second).GetAppType();
917 bool isStage = (infos.begin()->second).GetIsNewVersion();
918 const std::string targetBundleName = (infos.begin()->second).GetTargetBundleName();
919 int32_t targetPriority = (infos.begin()->second).GetTargetPriority();
920 BundleType bundleType = (infos.begin()->second).GetApplicationBundleType();
921 bool isHmService = (infos.begin()->second).GetEntryInstallationFree();
922 bool debug = (infos.begin()->second).GetBaseApplicationInfo().debug;
923 bool hasEntry = (infos.begin()->second).HasEntry();
924 bool isSameDebugType = true;
925 bool entryDebug = hasEntry ? debug : false;
926
927 for (const auto &info : infos) {
928 // check bundleName
929 if (bundleName != info.second.GetBundleName()) {
930 LOG_E(BMS_TAG_INSTALLER, "bundleName not same");
931 return ERR_APPEXECFWK_INSTALL_BUNDLENAME_NOT_SAME;
932 }
933 // check version
934 if (bundleType != BundleType::SHARED) {
935 if (versionCode != info.second.GetVersionCode()) {
936 LOG_E(BMS_TAG_INSTALLER, "versionCode not same");
937 return ERR_APPEXECFWK_INSTALL_VERSIONCODE_NOT_SAME;
938 }
939 if (minCompatibleVersionCode != info.second.GetMinCompatibleVersionCode()) {
940 LOG_E(BMS_TAG_INSTALLER, "minCompatibleVersionCode not same");
941 return ERR_APPEXECFWK_INSTALL_MINCOMPATIBLE_VERSIONCODE_NOT_SAME;
942 }
943 }
944 // check release type
945 if (target != info.second.GetTargetVersion()) {
946 LOG_E(BMS_TAG_INSTALLER, "target version not same");
947 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_TARGET_NOT_SAME;
948 }
949 if (compatible != info.second.GetCompatibleVersion()) {
950 LOG_E(BMS_TAG_INSTALLER, "compatible version not same");
951 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_COMPATIBLE_NOT_SAME;
952 }
953 if (releaseType != info.second.GetReleaseType()) {
954 LOG_W(BMS_TAG_INSTALLER, "releaseType not same: [%{public}s, %{public}s] vs [%{public}s, %{public}s]",
955 moduleName.c_str(), releaseType.c_str(),
956 info.second.GetCurModuleName().c_str(), info.second.GetReleaseType().c_str());
957 if (!isHsp && !info.second.IsHsp()) {
958 LOG_E(BMS_TAG_INSTALLER, "releaseType not same");
959 return ERR_APPEXECFWK_INSTALL_RELEASETYPE_NOT_SAME;
960 }
961 }
962 if (singleton != info.second.IsSingleton()) {
963 LOG_E(BMS_TAG_INSTALLER, "singleton not same");
964 return ERR_APPEXECFWK_INSTALL_SINGLETON_NOT_SAME;
965 }
966 if (appType != info.second.GetAppType()) {
967 LOG_E(BMS_TAG_INSTALLER, "appType not same");
968 return ERR_APPEXECFWK_INSTALL_APPTYPE_NOT_SAME;
969 }
970 // check model type(FA or stage)
971 if (isStage != info.second.GetIsNewVersion()) {
972 LOG_E(BMS_TAG_INSTALLER, "must be all FA model or all stage model");
973 return ERR_APPEXECFWK_INSTALL_STATE_ERROR;
974 }
975 if (targetBundleName != info.second.GetTargetBundleName()) {
976 LOG_E(BMS_TAG_INSTALLER, "targetBundleName not same");
977 return ERR_BUNDLEMANAGER_OVERLAY_INSTALLATION_FAILED_TARGET_BUNDLE_NAME_NOT_SAME;
978 }
979 if (targetPriority != info.second.GetTargetPriority()) {
980 LOG_E(BMS_TAG_INSTALLER, "targetPriority not same");
981 return ERR_BUNDLEMANAGER_OVERLAY_INSTALLATION_FAILED_TARGET_PRIORITY_NOT_SAME;
982 }
983 if (bundleType != info.second.GetApplicationBundleType()) {
984 LOG_E(BMS_TAG_INSTALLER, "bundleType not same");
985 return ERR_APPEXECFWK_BUNDLE_TYPE_NOT_SAME;
986 }
987 if (isHmService != info.second.GetEntryInstallationFree()) {
988 LOG_E(BMS_TAG_INSTALLER, "application and hm service are not allowed installed simultaneously");
989 return ERR_APPEXECFWK_INSTALL_TYPE_ERROR;
990 }
991 if (debug != info.second.GetBaseApplicationInfo().debug) {
992 LOG_E(BMS_TAG_INSTALLER, "debug not same");
993 isSameDebugType = false;
994 }
995 if (!hasEntry) {
996 hasEntry = info.second.HasEntry();
997 entryDebug = info.second.GetBaseApplicationInfo().debug;
998 }
999 }
1000
1001 if (hasEntry && !entryDebug && (debug || !isSameDebugType)) {
1002 LOG_E(BMS_TAG_INSTALLER, "debug type not same");
1003 return ERR_APPEXECFWK_INSTALL_DEBUG_NOT_SAME;
1004 }
1005 LOG_D(BMS_TAG_INSTALLER, "finish check APP label");
1006 return ret;
1007 }
1008
CheckMultiNativeFile(std::unordered_map<std::string,InnerBundleInfo> & infos)1009 ErrCode BundleInstallChecker::CheckMultiNativeFile(
1010 std::unordered_map<std::string, InnerBundleInfo> &infos)
1011 {
1012 ErrCode result = CheckMultiNativeSo(infos);
1013 if (result != ERR_OK) {
1014 LOG_E(BMS_TAG_INSTALLER, "Check multi nativeSo failed, result: %{public}d", result);
1015 return result;
1016 }
1017
1018 result = CheckMultiArkNativeFile(infos);
1019 if (result != ERR_OK) {
1020 LOG_E(BMS_TAG_INSTALLER, "Check multi arkNativeFile failed, result: %{public}d", result);
1021 return result;
1022 }
1023
1024 return ERR_OK;
1025 }
1026
CheckMultiArkNativeFile(std::unordered_map<std::string,InnerBundleInfo> & infos)1027 ErrCode BundleInstallChecker::CheckMultiArkNativeFile(
1028 std::unordered_map<std::string, InnerBundleInfo> &infos)
1029 {
1030 std::string arkNativeFileAbi = (infos.begin()->second).GetArkNativeFileAbi();
1031 for (const auto &info : infos) {
1032 if (info.second.GetArkNativeFileAbi().empty()) {
1033 continue;
1034 }
1035 if (arkNativeFileAbi.empty()) {
1036 arkNativeFileAbi = info.second.GetArkNativeFileAbi();
1037 continue;
1038 }
1039 }
1040
1041 // Ensure the an is consistent in multiple haps
1042 if (!arkNativeFileAbi.empty()) {
1043 for (auto &info : infos) {
1044 info.second.SetArkNativeFileAbi(arkNativeFileAbi);
1045 }
1046 }
1047
1048 return ERR_OK;
1049 }
1050
CheckMultiNativeSo(std::unordered_map<std::string,InnerBundleInfo> & infos)1051 ErrCode BundleInstallChecker::CheckMultiNativeSo(
1052 std::unordered_map<std::string, InnerBundleInfo> &infos)
1053 {
1054 std::string nativeLibraryPath = (infos.begin()->second).GetNativeLibraryPath();
1055 std::string cpuAbi = (infos.begin()->second).GetCpuAbi();
1056 for (const auto &info : infos) {
1057 if (info.second.GetNativeLibraryPath().empty()) {
1058 continue;
1059 }
1060 if (nativeLibraryPath.empty()) {
1061 nativeLibraryPath = info.second.GetNativeLibraryPath();
1062 cpuAbi = info.second.GetCpuAbi();
1063 continue;
1064 }
1065 }
1066
1067 // Ensure the so is consistent in multiple haps
1068 if (!nativeLibraryPath.empty()) {
1069 for (auto &info : infos) {
1070 info.second.SetNativeLibraryPath(nativeLibraryPath);
1071 info.second.SetCpuAbi(cpuAbi);
1072 }
1073 }
1074
1075 return ERR_OK;
1076 }
1077
ResetProperties()1078 void BundleInstallChecker::ResetProperties()
1079 {
1080 isContainEntry_ = false;
1081 }
1082
ParseAppPrivilegeCapability(const Security::Verify::ProvisionInfo & provisionInfo,AppPrivilegeCapability & appPrivilegeCapability)1083 void BundleInstallChecker::ParseAppPrivilegeCapability(
1084 const Security::Verify::ProvisionInfo &provisionInfo,
1085 AppPrivilegeCapability &appPrivilegeCapability)
1086 {
1087 for (const auto &appPrivilege : provisionInfo.appPrivilegeCapabilities) {
1088 auto iter = PRIVILEGE_MAP.find(appPrivilege);
1089 if (iter != PRIVILEGE_MAP.end()) {
1090 iter->second(appPrivilegeCapability);
1091 }
1092 }
1093 LOG_D(BMS_TAG_INSTALLER, "AppPrivilegeCapability %{public}s",
1094 appPrivilegeCapability.ToString().c_str());
1095 #ifndef USE_PRE_BUNDLE_PROFILE
1096 appPrivilegeCapability.allowMultiProcess = true;
1097 appPrivilegeCapability.allowUsePrivilegeExtension = true;
1098 #endif
1099 }
1100
CheckModuleNameForMulitHaps(const std::unordered_map<std::string,InnerBundleInfo> & infos)1101 ErrCode BundleInstallChecker::CheckModuleNameForMulitHaps(
1102 const std::unordered_map<std::string, InnerBundleInfo> &infos)
1103 {
1104 std::set<std::string> moduleSet;
1105 for (const auto &info : infos) {
1106 std::vector<std::string> moduleVec = info.second.GetDistroModuleName();
1107 if (moduleVec.empty()) {
1108 LOG_E(BMS_TAG_INSTALLER, "moduleName vector is empty");
1109 return ERR_APPEXECFWK_INSTALL_INTERNAL_ERROR;
1110 }
1111 if (moduleSet.count(moduleVec[0])) {
1112 LOG_E(BMS_TAG_INSTALLER, "the moduleName: %{public}s is not unique in the haps", moduleVec[0].c_str());
1113 SetCheckResultMsg("the moduleName: " + moduleVec[0] + " is not unique in the haps");
1114 return ERR_APPEXECFWK_INSTALL_NOT_UNIQUE_DISTRO_MODULE_NAME;
1115 }
1116 moduleSet.insert(moduleVec[0]);
1117 }
1118 return ERR_OK;
1119 }
1120
IsExistedDistroModule(const InnerBundleInfo & newInfo,const InnerBundleInfo & info) const1121 bool BundleInstallChecker::IsExistedDistroModule(const InnerBundleInfo &newInfo, const InnerBundleInfo &info) const
1122 {
1123 std::string moduleName = newInfo.GetCurModuleName();
1124 std::string packageName = newInfo.GetCurrentModulePackage();
1125 if (packageName.empty() || moduleName.empty()) {
1126 LOG_E(BMS_TAG_INSTALLER, "IsExistedDistroModule failed due to invalid packageName or moduleName");
1127 return false;
1128 }
1129 std::string oldModuleName = info.GetModuleNameByPackage(packageName);
1130 // if FA update to Stage, allow module name inconsistent
1131 bool isFAToStage = !info.GetIsNewVersion() && newInfo.GetIsNewVersion();
1132 if (!isFAToStage) {
1133 // if not FA update to Stage, check consistency of module name
1134 if (moduleName.compare(oldModuleName) != 0) {
1135 LOG_E(BMS_TAG_INSTALLER, "no moduleName in the innerModuleInfo");
1136 return false;
1137 }
1138 }
1139 // check consistency of module type
1140 std::string newModuleType = newInfo.GetModuleTypeByPackage(packageName);
1141 std::string oldModuleType = info.GetModuleTypeByPackage(packageName);
1142 if (newModuleType.compare(oldModuleType) != 0) {
1143 LOG_E(BMS_TAG_INSTALLER, "moduleType is different between the new hap and the original hap");
1144 return false;
1145 }
1146
1147 return true;
1148 }
1149
IsContainModuleName(const InnerBundleInfo & newInfo,const InnerBundleInfo & info) const1150 bool BundleInstallChecker::IsContainModuleName(const InnerBundleInfo &newInfo, const InnerBundleInfo &info) const
1151 {
1152 std::string moduleName = newInfo.GetCurModuleName();
1153 std::vector<std::string> moduleVec = info.GetDistroModuleName();
1154 if (moduleName.empty() || moduleVec.empty()) {
1155 LOG_E(BMS_TAG_INSTALLER, "IsContainModuleName failed due to invalid moduleName or modulevec");
1156 return false;
1157 }
1158 return (find(moduleVec.cbegin(), moduleVec.cend(), moduleName) == moduleVec.cend()) ? false : true;
1159 }
1160
CheckMainElement(const InnerBundleInfo & info)1161 ErrCode BundleInstallChecker::CheckMainElement(const InnerBundleInfo &info)
1162 {
1163 const std::map<std::string, InnerModuleInfo> &innerModuleInfos = info.GetInnerModuleInfos();
1164 if (innerModuleInfos.empty()) {
1165 return ERR_OK;
1166 }
1167 if (innerModuleInfos.cbegin()->second.distro.moduleType == Profile::MODULE_TYPE_SHARED) {
1168 return ERR_OK;
1169 }
1170 if (info.GetEntryInstallationFree() && innerModuleInfos.cbegin()->second.mainAbility.empty()) {
1171 LOG_E(BMS_TAG_INSTALLER, "atomic service's mainElement can't be empty");
1172 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1173 }
1174 return ERR_OK;
1175 }
1176
GetPrivilegeCapabilityValue(const std::vector<std::string> & existInJson,const std::string & key,bool existInPreJson,bool existInProvision)1177 bool BundleInstallChecker::GetPrivilegeCapabilityValue(
1178 const std::vector<std::string> &existInJson,
1179 const std::string &key,
1180 bool existInPreJson,
1181 bool existInProvision)
1182 {
1183 if (find(existInJson.cbegin(), existInJson.cend(), key) != existInJson.cend()) {
1184 return existInPreJson;
1185 }
1186 return existInProvision;
1187 }
1188
FetchPrivilegeCapabilityFromPreConfig(const std::string & bundleName,const std::vector<std::string> & appSignatures,AppPrivilegeCapability & appPrivilegeCapability)1189 void BundleInstallChecker::FetchPrivilegeCapabilityFromPreConfig(
1190 const std::string &bundleName,
1191 const std::vector<std::string> &appSignatures,
1192 AppPrivilegeCapability &appPrivilegeCapability)
1193 {
1194 #ifdef USE_PRE_BUNDLE_PROFILE
1195 LOG_D(BMS_TAG_INSTALLER, "bundleName: %{public}s, FetchPrivilegeCapabilityFromPreConfig start", bundleName.c_str());
1196 PreBundleConfigInfo configInfo;
1197 configInfo.bundleName = bundleName;
1198 if (!BMSEventHandler::GetPreInstallCapability(configInfo)) {
1199 LOG_D(BMS_TAG_INSTALLER, "bundleName: %{public}s is not exist in pre install capability list",
1200 bundleName.c_str());
1201 return;
1202 }
1203 bool match = false;
1204 for (const auto &signature : appSignatures) {
1205 if (MatchSignature(configInfo.appSignature, signature)) {
1206 match = true;
1207 break;
1208 }
1209 }
1210 if (!match && !MatchOldSignatures(bundleName, configInfo.appSignature)) {
1211 LOG_NOFUNC_E(BMS_TAG_INSTALLER, "bundleName: %{public}s signature verify failed in capability list",
1212 bundleName.c_str());
1213 return;
1214 }
1215
1216 appPrivilegeCapability.allowUsePrivilegeExtension = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1217 ALLOW_APP_USE_PRIVILEGE_EXTENSION,
1218 configInfo.allowUsePrivilegeExtension, appPrivilegeCapability.allowUsePrivilegeExtension);
1219
1220 appPrivilegeCapability.allowMultiProcess = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1221 ALLOW_APP_MULTI_PROCESS, configInfo.allowMultiProcess, appPrivilegeCapability.allowMultiProcess);
1222
1223 appPrivilegeCapability.hideDesktopIcon = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1224 ALLOW_APP_DESKTOP_ICON_HIDE, configInfo.hideDesktopIcon, appPrivilegeCapability.hideDesktopIcon);
1225
1226 appPrivilegeCapability.allowQueryPriority = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1227 ALLOW_ABILITY_PRIORITY_QUERIED, configInfo.allowQueryPriority, appPrivilegeCapability.allowQueryPriority);
1228
1229 appPrivilegeCapability.allowExcludeFromMissions = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1230 ALLOW_ABILITY_EXCLUDE_FROM_MISSIONS,
1231 configInfo.allowExcludeFromMissions, appPrivilegeCapability.allowExcludeFromMissions);
1232
1233 appPrivilegeCapability.allowMissionNotCleared = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1234 ALLOW_MISSION_NOT_CLEARED, configInfo.allowMissionNotCleared, appPrivilegeCapability.allowMissionNotCleared);
1235
1236 appPrivilegeCapability.formVisibleNotify = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1237 ALLOW_FORM_VISIBLE_NOTIFY, configInfo.formVisibleNotify, appPrivilegeCapability.formVisibleNotify);
1238
1239 appPrivilegeCapability.userDataClearable = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1240 ALLOW_APP_DATA_NOT_CLEARED, configInfo.userDataClearable, appPrivilegeCapability.userDataClearable);
1241
1242 appPrivilegeCapability.appShareLibrary = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1243 ALLOW_APP_SHARE_LIBRARY, configInfo.appShareLibrary, appPrivilegeCapability.appShareLibrary);
1244
1245 appPrivilegeCapability.allowEnableNotification = GetPrivilegeCapabilityValue(configInfo.existInJsonFile,
1246 ALLOW_ENABLE_NOTIFICATION, configInfo.allowEnableNotification, appPrivilegeCapability.allowEnableNotification);
1247 LOG_D(BMS_TAG_INSTALLER, "AppPrivilegeCapability %{public}s", appPrivilegeCapability.ToString().c_str());
1248 #endif
1249 }
1250
MatchOldSignatures(const std::string & bundleName,const std::vector<std::string> & appSignatures)1251 bool BundleInstallChecker::MatchOldSignatures(const std::string &bundleName,
1252 const std::vector<std::string> &appSignatures)
1253 {
1254 std::vector<std::string> oldAppIds;
1255 std::shared_ptr<BundleDataMgr> dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
1256 if (!dataMgr->GetOldAppIds(bundleName, oldAppIds)) {
1257 LOG_D(BMS_TAG_INSTALLER, "Get OldAppIds failed");
1258 return false;
1259 }
1260 for (const auto &signature : appSignatures) {
1261 if (std::find(oldAppIds.begin(), oldAppIds.end(), signature) != oldAppIds.end()) {
1262 return true;
1263 }
1264 }
1265
1266 return false;
1267 }
1268
MatchSignature(const std::vector<std::string> & appSignatures,const std::string & signature)1269 bool BundleInstallChecker::MatchSignature(
1270 const std::vector<std::string> &appSignatures, const std::string &signature)
1271 {
1272 if (appSignatures.empty() || signature.empty()) {
1273 LOG_W(BMS_TAG_INSTALLER, "appSignature of signature is empty");
1274 return false;
1275 }
1276
1277 return std::find(
1278 appSignatures.begin(), appSignatures.end(), signature) != appSignatures.end();
1279 }
1280
ProcessBundleInfoByPrivilegeCapability(const AppPrivilegeCapability & appPrivilegeCapability,InnerBundleInfo & innerBundleInfo)1281 ErrCode BundleInstallChecker::ProcessBundleInfoByPrivilegeCapability(
1282 const AppPrivilegeCapability &appPrivilegeCapability,
1283 InnerBundleInfo &innerBundleInfo)
1284 {
1285 // process application
1286 ApplicationInfo applicationInfo = innerBundleInfo.GetBaseApplicationInfo();
1287 if (!appPrivilegeCapability.allowMultiProcess || applicationInfo.process.empty()) {
1288 applicationInfo.process = applicationInfo.bundleName;
1289 }
1290 applicationInfo.allowEnableNotification = appPrivilegeCapability.allowEnableNotification;
1291 innerBundleInfo.SetBaseApplicationInfo(applicationInfo);
1292 BundleInfo bundleInfo = innerBundleInfo.GetBaseBundleInfo();
1293 // process allow app share library
1294 if (applicationInfo.bundleType == BundleType::SHARED && !appPrivilegeCapability.appShareLibrary) {
1295 LOG_E(BMS_TAG_INSTALLER, "not allow app share library");
1296 return ERR_APPEXECFWK_INSTALL_SHARE_APP_LIBRARY_NOT_ALLOWED;
1297 }
1298 // process ability
1299 auto &abilityInfos = innerBundleInfo.FetchAbilityInfos();
1300 for (auto iter = abilityInfos.begin(); iter != abilityInfos.end(); ++iter) {
1301 #ifdef USE_PRE_BUNDLE_PROFILE
1302 if (!appPrivilegeCapability.allowQueryPriority) {
1303 iter->second.priority = 0;
1304 }
1305 if (!appPrivilegeCapability.allowExcludeFromMissions) {
1306 iter->second.excludeFromMissions = false;
1307 }
1308 if (!appPrivilegeCapability.allowMissionNotCleared) {
1309 iter->second.unclearableMission = false;
1310 }
1311 #else
1312 if (!applicationInfo.isSystemApp || !bundleInfo.isPreInstallApp) {
1313 iter->second.priority = 0;
1314 iter->second.excludeFromMissions = false;
1315 }
1316 #endif
1317 }
1318 // process ExtensionAbility
1319 auto &extensionAbilityInfos = innerBundleInfo.FetchInnerExtensionInfos();
1320 for (auto iter = extensionAbilityInfos.begin(); iter != extensionAbilityInfos.end(); ++iter) {
1321 bool privilegeType = IsPrivilegeExtensionAbilityType(iter->second.type);
1322 if (privilegeType && !appPrivilegeCapability.allowUsePrivilegeExtension) {
1323 LOG_E(BMS_TAG_INSTALLER, "not allow use privilege extension");
1324 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1325 }
1326
1327 bool systemType = IsSystemExtensionAbilityType(iter->second.type);
1328 if (systemType && !applicationInfo.isSystemApp) {
1329 LOG_E(BMS_TAG_INSTALLER, "not allow use system extension");
1330 return ERR_APPEXECFWK_PARSE_PROFILE_PROP_CHECK_ERROR;
1331 }
1332
1333 #ifdef USE_PRE_BUNDLE_PROFILE
1334 if (!appPrivilegeCapability.allowQueryPriority) {
1335 iter->second.priority = 0;
1336 }
1337 #else
1338 if (!applicationInfo.isSystemApp || !bundleInfo.isPreInstallApp) {
1339 iter->second.priority = 0;
1340 }
1341 #endif
1342 if (appPrivilegeCapability.allowMultiProcess) {
1343 LOG_D(BMS_TAG_INSTALLER, "%{public}s support allowMultiProcess", iter->second.bundleName.c_str());
1344 auto hapModuleInfo = innerBundleInfo.GetInnerModuleInfoByModuleName(iter->second.moduleName);
1345 if (hapModuleInfo && !hapModuleInfo->process.empty()) {
1346 iter->second.process = hapModuleInfo->process;
1347 }
1348 }
1349 }
1350 // process InnerModuleInfo
1351 auto &innerModuleInfos = innerBundleInfo.FetchInnerModuleInfos();
1352 for (auto iter = innerModuleInfos.begin(); iter != innerModuleInfos.end(); ++iter) {
1353 if (iter->second.isModuleJson && (!appPrivilegeCapability.allowMultiProcess || iter->second.process.empty())) {
1354 iter->second.process = applicationInfo.bundleName;
1355 }
1356 }
1357 return ERR_OK;
1358 }
1359
CheckSupportAppTypes(const std::unordered_map<std::string,InnerBundleInfo> & infos,const std::string & supportAppTypes) const1360 bool BundleInstallChecker::CheckSupportAppTypes(
1361 const std::unordered_map<std::string, InnerBundleInfo> &infos, const std::string &supportAppTypes) const
1362 {
1363 LOG_D(BMS_TAG_INSTALLER, "CheckSupportAppTypes begin, supportAppTypes: %{public}s", supportAppTypes.c_str());
1364 std::vector<std::string> appTypesVec;
1365 OHOS::SplitStr(supportAppTypes, SUPPORT_APP_TYPES_SEPARATOR, appTypesVec);
1366 if (find(appTypesVec.begin(), appTypesVec.end(), DEVICE_TYPE_OF_DEFAULT) != appTypesVec.end() &&
1367 find(appTypesVec.begin(), appTypesVec.end(), DEVICE_TYPE_OF_PHONE) == appTypesVec.end()) {
1368 appTypesVec.emplace_back(DEVICE_TYPE_OF_PHONE);
1369 }
1370 sort(appTypesVec.begin(), appTypesVec.end());
1371 for (const auto &info : infos) {
1372 std::vector<std::string> devVec = info.second.GetDeviceType(info.second.GetCurrentModulePackage());
1373 if (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_DEFAULT) != devVec.end() &&
1374 find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_PHONE) == devVec.end()) {
1375 devVec.emplace_back(DEVICE_TYPE_OF_PHONE);
1376 }
1377 sort(devVec.begin(), devVec.end());
1378 std::vector<std::string> intersectionVec;
1379 set_intersection(appTypesVec.begin(), appTypesVec.end(),
1380 devVec.begin(), devVec.end(), back_inserter(intersectionVec));
1381 if (intersectionVec.empty()) {
1382 LOG_W(BMS_TAG_INSTALLER, "check supportAppTypes failed");
1383 return false;
1384 }
1385 }
1386 return true;
1387 }
1388
CheckDeviceType(std::unordered_map<std::string,InnerBundleInfo> & infos) const1389 ErrCode BundleInstallChecker::CheckDeviceType(std::unordered_map<std::string, InnerBundleInfo> &infos) const
1390 {
1391 std::string supportAppTypes = OHOS::system::GetParameter(SUPPORT_APP_TYPES, "");
1392 if (!supportAppTypes.empty() && CheckSupportAppTypes(infos, supportAppTypes)) {
1393 return ERR_OK;
1394 }
1395 std::string deviceType = GetDeviceType();
1396 LOG_D(BMS_TAG_INSTALLER, "deviceType is %{public}s", deviceType.c_str());
1397 for (const auto &info : infos) {
1398 std::vector<std::string> devVec = info.second.GetDeviceType(info.second.GetCurrentModulePackage());
1399 if (devVec.empty()) {
1400 LOG_W(BMS_TAG_INSTALLER, "deviceTypes is empty");
1401 continue;
1402 }
1403
1404 if ((deviceType == DEVICE_TYPE_OF_PHONE) &&
1405 (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_DEFAULT) != devVec.end())) {
1406 LOG_W(BMS_TAG_INSTALLER, "current deviceType is phone and bundle is matched with default");
1407 continue;
1408 }
1409
1410 if ((deviceType == DEVICE_TYPE_OF_DEFAULT) &&
1411 (find(devVec.begin(), devVec.end(), DEVICE_TYPE_OF_PHONE) != devVec.end())) {
1412 LOG_W(BMS_TAG_INSTALLER, "current deviceType is default and bundle is matched with phone");
1413 continue;
1414 }
1415
1416 if (find(devVec.begin(), devVec.end(), deviceType) == devVec.end()) {
1417 LOG_E(BMS_TAG_INSTALLER, "%{public}s is not supported", deviceType.c_str());
1418 return ERR_APPEXECFWK_INSTALL_DEVICE_TYPE_NOT_SUPPORTED;
1419 }
1420 }
1421 return ERR_OK;
1422 }
1423
ConvertToAppProvisionInfo(const Security::Verify::ProvisionInfo & provisionInfo) const1424 AppProvisionInfo BundleInstallChecker::ConvertToAppProvisionInfo(
1425 const Security::Verify::ProvisionInfo &provisionInfo) const
1426 {
1427 AppProvisionInfo appProvisionInfo;
1428 appProvisionInfo.versionCode = provisionInfo.versionCode;
1429 appProvisionInfo.versionName = provisionInfo.versionName;
1430 if (provisionInfo.type == Security::Verify::ProvisionType::DEBUG) {
1431 appProvisionInfo.type = Constants::APP_PROVISION_TYPE_DEBUG;
1432 appProvisionInfo.certificate = provisionInfo.bundleInfo.developmentCertificate;
1433 } else {
1434 appProvisionInfo.type = Constants::APP_PROVISION_TYPE_RELEASE;
1435 appProvisionInfo.certificate = provisionInfo.bundleInfo.distributionCertificate;
1436 }
1437 appProvisionInfo.appDistributionType = GetAppDistributionType(provisionInfo.distributionType);
1438 appProvisionInfo.apl = provisionInfo.bundleInfo.apl.empty() ? APL_NORMAL : provisionInfo.bundleInfo.apl;
1439 appProvisionInfo.developerId = provisionInfo.bundleInfo.developerId;
1440 appProvisionInfo.issuer = provisionInfo.issuer;
1441 appProvisionInfo.uuid = provisionInfo.uuid;
1442 appProvisionInfo.validity.notBefore = provisionInfo.validity.notBefore;
1443 appProvisionInfo.validity.notAfter = provisionInfo.validity.notAfter;
1444 appProvisionInfo.appIdentifier = provisionInfo.bundleInfo.appIdentifier;
1445 appProvisionInfo.appServiceCapabilities = provisionInfo.appServiceCapabilities;
1446 appProvisionInfo.organization = provisionInfo.organization;
1447 return appProvisionInfo;
1448 }
1449
GetBundleNameFromUri(const std::string & uri)1450 std::string GetBundleNameFromUri(const std::string &uri)
1451 {
1452 std::size_t firstSlashPos = uri.find(DOUBLE_SLASH);
1453 if (firstSlashPos == std::string::npos) {
1454 LOG_E(BMS_TAG_INSTALLER, "dataproxy uri is invalid");
1455 return Constants::EMPTY_STRING;
1456 }
1457
1458 std::size_t secondSlashPos = uri.find(SLASH, firstSlashPos + SLAH_OFFSET);
1459 if (secondSlashPos == std::string::npos) {
1460 LOG_E(BMS_TAG_INSTALLER, "dataproxy uri is invalid");
1461 return Constants::EMPTY_STRING;
1462 }
1463
1464 std::string bundleName = uri.substr(firstSlashPos + SLAH_OFFSET, secondSlashPos - firstSlashPos - SLAH_OFFSET);
1465 return bundleName;
1466 }
1467
CheckProxyPermissionLevel(const std::string & permissionName) const1468 bool BundleInstallChecker::CheckProxyPermissionLevel(const std::string &permissionName) const
1469 {
1470 // no permission name, only for self usage
1471 if (permissionName.empty()) {
1472 return true;
1473 }
1474 PermissionDef permissionDef;
1475 ErrCode ret = BundlePermissionMgr::GetPermissionDef(permissionName, permissionDef);
1476 if (ret != ERR_OK) {
1477 LOG_E(BMS_TAG_INSTALLER, "getPermissionDef failed");
1478 return false;
1479 }
1480 if (permissionDef.availableLevel < Security::AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC) {
1481 LOG_E(BMS_TAG_INSTALLER, "permission %{public}s level too low", permissionName.c_str());
1482 return false;
1483 }
1484 return true;
1485 }
1486
CheckProxyDatas(const InnerBundleInfo & innerBundleInfo) const1487 ErrCode BundleInstallChecker::CheckProxyDatas(const InnerBundleInfo &innerBundleInfo) const
1488 {
1489 auto bundleName = innerBundleInfo.GetBundleName();
1490 auto moduleInfos = innerBundleInfo.GetInnerModuleInfos();
1491 if (moduleInfos.empty()) {
1492 return ERR_OK;
1493 }
1494 for (const auto &moduleInfo : moduleInfos) {
1495 for (const auto &proxyData : moduleInfo.second.proxyDatas) {
1496 auto name = GetBundleNameFromUri(proxyData.uri);
1497 if (bundleName != name) {
1498 LOG_E(BMS_TAG_INSTALLER, "bundleName from uri %{public}s different from origin bundleName %{public}s",
1499 name.c_str(), bundleName.c_str());
1500 return ERR_APPEXECFWK_INSTALL_CHECK_PROXY_DATA_URI_FAILED;
1501 }
1502 if (innerBundleInfo.IsSystemApp()) {
1503 continue;
1504 }
1505 if (!CheckProxyPermissionLevel(proxyData.requiredReadPermission)
1506 || !CheckProxyPermissionLevel(proxyData.requiredWritePermission)) {
1507 return ERR_APPEXECFWK_INSTALL_CHECK_PROXY_DATA_PERMISSION_FAILED;
1508 }
1509 }
1510 }
1511 return ERR_OK;
1512 }
1513
CheckSupportIsolation(const char * szIsolationModeThresholdMb,const std::string & isolationMode)1514 bool CheckSupportIsolation(const char *szIsolationModeThresholdMb, const std::string &isolationMode)
1515 {
1516 if ((std::strcmp(szIsolationModeThresholdMb, VALUE_TRUE.c_str()) == 0) ||
1517 (std::strcmp(szIsolationModeThresholdMb, VALUE_TRUE_BOOL.c_str()) == 0)) {
1518 if (isolationMode == NONISOLATION_ONLY) {
1519 LOG_E(BMS_TAG_INSTALLER, "check isolation mode failed");
1520 return false;
1521 }
1522 } else {
1523 if (isolationMode == ISOLATION_ONLY) {
1524 LOG_E(BMS_TAG_INSTALLER, "check isolation mode failed");
1525 return false;
1526 }
1527 }
1528 return true;
1529 }
1530
CheckIsolationMode(const std::unordered_map<std::string,InnerBundleInfo> & infos) const1531 ErrCode BundleInstallChecker::CheckIsolationMode(const std::unordered_map<std::string, InnerBundleInfo> &infos) const
1532 {
1533 for (const auto &info : infos) {
1534 auto moduleInfos = info.second.GetInnerModuleInfos();
1535 for (const auto &moduleInfo : moduleInfos) {
1536 std::string isolationMode = moduleInfo.second.isolationMode;
1537 char szIsolationModeThresholdMb[THRESHOLD_VAL_LEN] = {0};
1538 int32_t ret = GetParameter(SUPPORT_ISOLATION_MODE.c_str(), "",
1539 szIsolationModeThresholdMb, THRESHOLD_VAL_LEN);
1540 if (ret <= 0) {
1541 LOG_W(BMS_TAG_INSTALLER, "GetParameter failed");
1542 }
1543 if (!CheckSupportIsolation(szIsolationModeThresholdMb, isolationMode)) {
1544 LOG_E(BMS_TAG_INSTALLER, "check isolation mode failed");
1545 return ERR_APPEXECFWK_INSTALL_ISOLATION_MODE_FAILED;
1546 }
1547 }
1548 }
1549 return ERR_OK;
1550 }
1551
CheckSignatureFileDir(const std::string & signatureFileDir) const1552 ErrCode BundleInstallChecker::CheckSignatureFileDir(const std::string &signatureFileDir) const
1553 {
1554 if (!BundleUtil::CheckFileName(signatureFileDir)) {
1555 LOG_E(BMS_TAG_INSTALLER, "code signature file dir is invalid");
1556 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1557 }
1558 if (!BundleUtil::CheckFileType(signatureFileDir, ServiceConstants::CODE_SIGNATURE_FILE_SUFFIX)) {
1559 LOG_E(BMS_TAG_INSTALLER, "signatureFileDir is not suffixed with .sig");
1560 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1561 }
1562 // signatureFileDir not support relevant dir
1563 if (signatureFileDir.find(ServiceConstants::RELATIVE_PATH) != std::string::npos) {
1564 LOG_E(BMS_TAG_INSTALLER, "signatureFileDir is invalid");
1565 return ERR_BUNDLEMANAGER_INSTALL_CODE_SIGNATURE_FILE_IS_INVALID;
1566 }
1567 return ERR_OK;
1568 }
1569
CheckDeveloperMode(const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes) const1570 ErrCode BundleInstallChecker::CheckDeveloperMode(
1571 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes) const
1572 {
1573 if (system::GetBoolParameter(ServiceConstants::DEVELOPERMODE_STATE, true)) {
1574 return ERR_OK;
1575 }
1576 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
1577 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
1578 if (provisionInfo.type == Security::Verify::ProvisionType::DEBUG) {
1579 LOG_E(BMS_TAG_INSTALLER, "debug bundle can only be installed in developer mode");
1580 return ERR_APPEXECFWK_INSTALL_DEBUG_BUNDLE_NOT_ALLOWED;
1581 }
1582 }
1583 return ERR_OK;
1584 }
1585
CheckAllowEnterpriseBundle(const std::vector<Security::Verify::HapVerifyResult> & hapVerifyRes) const1586 ErrCode BundleInstallChecker::CheckAllowEnterpriseBundle(
1587 const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes) const
1588 {
1589 if (system::GetBoolParameter(ServiceConstants::ALLOW_ENTERPRISE_BUNDLE, false) ||
1590 system::GetBoolParameter(ServiceConstants::IS_ENTERPRISE_DEVICE, false) ||
1591 system::GetBoolParameter(ServiceConstants::DEVELOPERMODE_STATE, false)) {
1592 return ERR_OK;
1593 }
1594 for (uint32_t i = 0; i < hapVerifyRes.size(); ++i) {
1595 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes[i].GetProvisionInfo();
1596 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
1597 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM) {
1598 LOG_E(BMS_TAG_INSTALLER, "enterprise normal/mdm bundle cannot be installed on non-enterprise device");
1599 return ERR_APPEXECFWK_INSTALL_ENTERPRISE_BUNDLE_NOT_ALLOWED;
1600 }
1601 }
1602 return ERR_OK;
1603 }
1604
CheckEnterpriseBundle(Security::Verify::HapVerifyResult & hapVerifyRes) const1605 bool BundleInstallChecker::CheckEnterpriseBundle(Security::Verify::HapVerifyResult &hapVerifyRes) const
1606 {
1607 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes.GetProvisionInfo();
1608 if (provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_NORMAL ||
1609 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE_MDM ||
1610 provisionInfo.distributionType == Security::Verify::AppDistType::ENTERPRISE) {
1611 return true;
1612 }
1613 return false;
1614 }
1615
CheckInternaltestingBundle(Security::Verify::HapVerifyResult & hapVerifyRes) const1616 bool BundleInstallChecker::CheckInternaltestingBundle(Security::Verify::HapVerifyResult &hapVerifyRes) const
1617 {
1618 Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes.GetProvisionInfo();
1619 if (provisionInfo.distributionType == Security::Verify::AppDistType::INTERNALTESTING) {
1620 return true;
1621 }
1622 return false;
1623 }
1624
GetCheckResultMsg() const1625 std::string BundleInstallChecker::GetCheckResultMsg() const
1626 {
1627 return checkResultMsg_;
1628 }
1629
SetCheckResultMsg(const std::string checkResultMsg)1630 void BundleInstallChecker::SetCheckResultMsg(const std::string checkResultMsg)
1631 {
1632 checkResultMsg_ = checkResultMsg;
1633 }
1634
DetermineCloneNum(InnerBundleInfo & innerBundleInfo)1635 void BundleInstallChecker::DetermineCloneNum(InnerBundleInfo &innerBundleInfo)
1636 {
1637 ApplicationInfo applicationInfo = innerBundleInfo.GetBaseApplicationInfo();
1638 if (applicationInfo.multiAppMode.multiAppModeType != MultiAppModeType::APP_CLONE
1639 || applicationInfo.multiAppMode.maxCount == 0) {
1640 BmsExtensionDataMgr bmsExtensionDataMgr;
1641 int32_t cloneNum = 0;
1642 const std::string appIdentifier = innerBundleInfo.GetAppIdentifier();
1643 if (!bmsExtensionDataMgr.DetermineCloneNum(applicationInfo.bundleName, appIdentifier, cloneNum)) {
1644 return;
1645 }
1646 LOG_I(BMS_TAG_INSTALLER, "install -n %{public}s -c %{public}d",
1647 applicationInfo.bundleName.c_str(), cloneNum);
1648 if (cloneNum == 0) {
1649 return;
1650 }
1651 applicationInfo.multiAppMode.multiAppModeType = MultiAppModeType::APP_CLONE;
1652 applicationInfo.multiAppMode.maxCount = cloneNum;
1653 innerBundleInfo.SetBaseApplicationInfo(applicationInfo);
1654 }
1655 }
1656
1657 } // namespace AppExecFwk
1658 } // namespace OHOS