1 /*
2 * Copyright (c) 2021-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_policy_set.h"
17
18 #include <algorithm>
19
20 #include "accesstoken_id_manager.h"
21 #include "accesstoken_log.h"
22 #include "access_token_db.h"
23 #include "access_token_error.h"
24 #include "permission_definition_cache.h"
25 #include "permission_map.h"
26 #include "permission_validator.h"
27 #include "data_translator.h"
28 #include "token_field_const.h"
29
30 namespace OHOS {
31 namespace Security {
32 namespace AccessToken {
33 namespace {
34 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "PermissionPolicySet"};
35 }
36
~PermissionPolicySet()37 PermissionPolicySet::~PermissionPolicySet()
38 {
39 ACCESSTOKEN_LOG_DEBUG(LABEL,
40 "%{public}s called, tokenID: 0x%{public}x destruction", __func__, tokenId_);
41 }
42
BuildPermissionPolicySet(AccessTokenID tokenId,const std::vector<PermissionStateFull> & permStateList)43 std::shared_ptr<PermissionPolicySet> PermissionPolicySet::BuildPermissionPolicySet(
44 AccessTokenID tokenId, const std::vector<PermissionStateFull>& permStateList)
45 {
46 ATokenTypeEnum tokenType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenId);
47 std::shared_ptr<PermissionPolicySet> policySet = std::make_shared<PermissionPolicySet>();
48 PermissionValidator::FilterInvalidPermissionState(tokenType, true, permStateList, policySet->permStateList_);
49 policySet->tokenId_ = tokenId;
50 return policySet;
51 }
52
BuildPolicySetWithoutDefCheck(AccessTokenID tokenId,const std::vector<PermissionStateFull> & permStateList)53 std::shared_ptr<PermissionPolicySet> PermissionPolicySet::BuildPolicySetWithoutDefCheck(
54 AccessTokenID tokenId, const std::vector<PermissionStateFull>& permStateList)
55 {
56 std::shared_ptr<PermissionPolicySet> policySet = std::make_shared<PermissionPolicySet>();
57 PermissionValidator::FilterInvalidPermissionState(
58 TOKEN_TYPE_BUTT, false, permStateList, policySet->permStateList_);
59 policySet->tokenId_ = tokenId;
60 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d, permStateList_ size: %{public}zu",
61 tokenId, policySet->permStateList_.size());
62 return policySet;
63 }
64
UpdatePermStateFull(const PermissionStateFull & permOld,PermissionStateFull & permNew)65 void PermissionPolicySet::UpdatePermStateFull(const PermissionStateFull& permOld, PermissionStateFull& permNew)
66 {
67 if (permNew.isGeneral == permOld.isGeneral) {
68 // if user_grant permission is not operated by user, it keeps the new initalized state.
69 // the new state can be pre_authorization.
70 if ((permOld.grantFlags[0] == PERMISSION_DEFAULT_FLAG) && (permOld.grantStatus[0] == PERMISSION_DENIED)) {
71 return;
72 }
73 // if old user_grant permission is granted by pre_authorization fixed, it keeps the new initalized state.
74 // the new state can be pre_authorization or not.
75 if ((permOld.grantFlags[0] == PERMISSION_SYSTEM_FIXED) ||
76 // if old user_grant permission is granted by pre_authorization unfixed
77 // and the user has not operated this permission, it keeps the new initalized state.
78 (permOld.grantFlags[0] == PERMISSION_GRANTED_BY_POLICY)) {
79 return;
80 }
81
82 // if old user_grant permission has been operated by user, it keeps the old status and old flag.
83 permNew.resDeviceID = permOld.resDeviceID;
84 permNew.grantStatus = permOld.grantStatus;
85 permNew.grantFlags = permOld.grantFlags;
86 }
87 }
88
Update(const std::vector<PermissionStateFull> & permStateList)89 void PermissionPolicySet::Update(const std::vector<PermissionStateFull>& permStateList)
90 {
91 std::vector<PermissionStateFull> permStateFilterList;
92 PermissionValidator::FilterInvalidPermissionState(TOKEN_HAP, true, permStateList, permStateFilterList);
93 ACCESSTOKEN_LOG_INFO(LABEL, "PermStateFilterList size: %{public}zu.", permStateFilterList.size());
94 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
95
96 for (PermissionStateFull& permStateNew : permStateFilterList) {
97 auto iter = std::find_if(permStateList_.begin(), permStateList_.end(),
98 [permStateNew](const PermissionStateFull& permStateOld) {
99 return permStateNew.permissionName == permStateOld.permissionName;
100 });
101 if (iter != permStateList_.end()) {
102 UpdatePermStateFull(*iter, permStateNew);
103 }
104 }
105 permStateList_ = permStateFilterList;
106 }
107
GetFlagWroteToDb(uint32_t grantFlag)108 uint32_t PermissionPolicySet::GetFlagWroteToDb(uint32_t grantFlag)
109 {
110 return GetFlagWithoutSpecifiedElement(grantFlag, PERMISSION_COMPONENT_SET);
111 }
112
RestorePermissionPolicy(AccessTokenID tokenId,const std::vector<GenericValues> & permStateRes)113 std::shared_ptr<PermissionPolicySet> PermissionPolicySet::RestorePermissionPolicy(AccessTokenID tokenId,
114 const std::vector<GenericValues>& permStateRes)
115 {
116 std::shared_ptr<PermissionPolicySet> policySet = std::make_shared<PermissionPolicySet>();
117 policySet->tokenId_ = tokenId;
118
119 for (const GenericValues& stateValue : permStateRes) {
120 if ((AccessTokenID)stateValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID) == tokenId) {
121 PermissionStateFull state;
122 int ret = DataTranslator::TranslationIntoPermissionStateFull(stateValue, state);
123 if (ret == RET_SUCCESS) {
124 MergePermissionStateFull(policySet->permStateList_, state);
125 } else {
126 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId 0x%{public}x permState is wrong.", tokenId);
127 }
128 }
129 }
130 return policySet;
131 }
132
MergePermissionStateFull(std::vector<PermissionStateFull> & permStateList,PermissionStateFull & state)133 void PermissionPolicySet::MergePermissionStateFull(std::vector<PermissionStateFull>& permStateList,
134 PermissionStateFull& state)
135 {
136 uint32_t flag = GetFlagWroteToDb(state.grantFlags[0]);
137 state.grantFlags[0] = flag;
138 for (auto iter = permStateList.begin(); iter != permStateList.end(); iter++) {
139 if (state.permissionName == iter->permissionName) {
140 iter->resDeviceID.emplace_back(state.resDeviceID[0]);
141 iter->grantStatus.emplace_back(state.grantStatus[0]);
142 iter->grantFlags.emplace_back(state.grantFlags[0]);
143 ACCESSTOKEN_LOG_DEBUG(LABEL, "Update permission: %{public}s.", state.permissionName.c_str());
144 return;
145 }
146 }
147 ACCESSTOKEN_LOG_DEBUG(LABEL, "Add permission: %{public}s.", state.permissionName.c_str());
148 permStateList.emplace_back(state);
149 }
150
StorePermissionState(std::vector<GenericValues> & valueList) const151 void PermissionPolicySet::StorePermissionState(std::vector<GenericValues>& valueList) const
152 {
153 for (const auto& permissionState : permStateList_) {
154 ACCESSTOKEN_LOG_DEBUG(LABEL, "PermissionName: %{public}s", permissionState.permissionName.c_str());
155 if (permissionState.isGeneral) {
156 GenericValues genericValues;
157 genericValues.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId_));
158 DataTranslator::TranslationIntoGenericValues(permissionState, 0, genericValues);
159 valueList.emplace_back(genericValues);
160 continue;
161 }
162
163 unsigned int stateSize = permissionState.resDeviceID.size();
164 for (unsigned int i = 0; i < stateSize; i++) {
165 GenericValues genericValues;
166 genericValues.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId_));
167 DataTranslator::TranslationIntoGenericValues(permissionState, i, genericValues);
168 valueList.emplace_back(genericValues);
169 }
170 }
171 }
172
StorePermissionPolicySet(std::vector<GenericValues> & permStateValueList)173 void PermissionPolicySet::StorePermissionPolicySet(std::vector<GenericValues>& permStateValueList)
174 {
175 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
176 StorePermissionState(permStateValueList);
177 }
178
IsPermOperatedByUser(int32_t flag)179 static bool IsPermOperatedByUser(int32_t flag)
180 {
181 uint32_t uFlag = static_cast<uint32_t>(flag);
182 return (uFlag & PERMISSION_USER_FIXED) || (uFlag & PERMISSION_USER_SET);
183 }
184
IsPermOperatedBySystem(int32_t flag)185 static bool IsPermOperatedBySystem(int32_t flag)
186 {
187 uint32_t uFlag = static_cast<uint32_t>(flag);
188 return (uFlag & PERMISSION_SYSTEM_FIXED) || (uFlag & PERMISSION_GRANTED_BY_POLICY);
189 }
190
IsPermGrantedBySecComp(int32_t flag)191 static bool IsPermGrantedBySecComp(int32_t flag)
192 {
193 uint32_t uFlag = static_cast<uint32_t>(flag);
194 return uFlag & PERMISSION_COMPONENT_SET;
195 }
196
GetFlagWithoutSpecifiedElement(uint32_t fullFlag,uint32_t removedFlag)197 uint32_t PermissionPolicySet::GetFlagWithoutSpecifiedElement(uint32_t fullFlag, uint32_t removedFlag)
198 {
199 uint32_t unmaskedFlag = (fullFlag) & (~removedFlag);
200 return unmaskedFlag;
201 }
202
GetUserGrantedPermissionUsedType(const std::string & permissionName)203 PermUsedTypeEnum PermissionPolicySet::GetUserGrantedPermissionUsedType(const std::string& permissionName)
204 {
205 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
206 auto iter = std::find_if(permStateList_.begin(), permStateList_.end(),
207 [permissionName](const PermissionStateFull& permState) {
208 return permissionName == permState.permissionName;
209 });
210 if (iter != permStateList_.end()) {
211 if (!iter->isGeneral) {
212 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s of %{public}d is not general.",
213 permissionName.c_str(), tokenId_);
214 return PermUsedTypeEnum::INVALID_USED_TYPE;
215 }
216
217 if (IsPermGrantedBySecComp(iter->grantFlags[0])) {
218 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s is granted by seccomp, tokenID=%{public}d.",
219 permissionName.c_str(), tokenId_);
220 return PermUsedTypeEnum::SEC_COMPONENT_TYPE;
221 }
222
223 if (iter->grantStatus[0] != PERMISSION_GRANTED) {
224 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s of %{public}d is requested, not granted.",
225 permissionName.c_str(), tokenId_);
226 return PermUsedTypeEnum::INVALID_USED_TYPE;
227 }
228 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s of %{public}d is applied for normally.",
229 permissionName.c_str(), tokenId_);
230 return PermUsedTypeEnum::NORMAL_TYPE;
231 }
232
233 if (std::any_of(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end(),
234 [permissionName](const auto& permission) { return permission == permissionName; })) {
235 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s is granted by seccomp, tokenID=%{public}d.",
236 permissionName.c_str(), tokenId_);
237 return PermUsedTypeEnum::SEC_COMPONENT_TYPE;
238 }
239 ACCESSTOKEN_LOG_ERROR(LABEL, "Application %{public}u not apply for %{public}s.", tokenId_, permissionName.c_str());
240 return PermUsedTypeEnum::INVALID_USED_TYPE;
241 }
242
VerifyPermissionStatus(const std::string & permissionName)243 int PermissionPolicySet::VerifyPermissionStatus(const std::string& permissionName)
244 {
245 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
246 auto iter = std::find_if(permStateList_.begin(), permStateList_.end(),
247 [permissionName](const PermissionStateFull& permState) {
248 return permissionName == permState.permissionName;
249 });
250 if (iter != permStateList_.end()) {
251 if (!iter->isGeneral) {
252 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID: %{public}d, permission: %{public}s is not general",
253 tokenId_, permissionName.c_str());
254 return PERMISSION_DENIED;
255 }
256 if (IsPermGrantedBySecComp(iter->grantFlags[0])) {
257 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d, permission is granted by seccomp", tokenId_);
258 return PERMISSION_GRANTED;
259 }
260 if (iter->grantStatus[0] != PERMISSION_GRANTED) {
261 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID: %{public}d, permission: %{public}s is not granted, flag: %{public}d",
262 tokenId_, permissionName.c_str(), iter->grantFlags[0]);
263 return PERMISSION_DENIED;
264 }
265 return PERMISSION_GRANTED;
266 }
267 // check if undeclared permission is granted by security component.
268 if (std::any_of(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end(),
269 [permissionName](const auto& permission) { return permission == permissionName; })) {
270 return PERMISSION_GRANTED;
271 }
272 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID: %{public}d, permission: %{public}s is undeclared",
273 tokenId_, permissionName.c_str());
274 return PERMISSION_DENIED;
275 }
276
277
IsPermissionGrantedWithSecComp(const std::string & permissionName)278 bool PermissionPolicySet::IsPermissionGrantedWithSecComp(const std::string& permissionName)
279 {
280 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
281 auto iter = std::find_if(permStateList_.begin(), permStateList_.end(),
282 [permissionName](const PermissionStateFull& permState) {
283 return permissionName == permState.permissionName;
284 });
285 if (iter != permStateList_.end()) {
286 if (!iter->isGeneral) {
287 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID: %{public}d, permission: %{public}s is not general",
288 tokenId_, permissionName.c_str());
289 return false;
290 }
291 if (IsPermGrantedBySecComp(iter->grantFlags[0])) {
292 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d, permission is granted by secComp", tokenId_);
293 return true;
294 }
295 }
296
297 if (std::any_of(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end(),
298 [permissionName](const auto& permission) { return permission == permissionName; })) {
299 return true;
300 }
301 return false;
302 }
303
GetDefPermissions(std::vector<PermissionDef> & permList)304 void PermissionPolicySet::GetDefPermissions(std::vector<PermissionDef>& permList)
305 {
306 PermissionDefinitionCache::GetInstance().GetDefPermissionsByTokenId(permList, tokenId_);
307 }
308
GetPermissionStateFulls(std::vector<PermissionStateFull> & permList)309 void PermissionPolicySet::GetPermissionStateFulls(std::vector<PermissionStateFull>& permList)
310 {
311 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
312 permList.assign(permStateList_.begin(), permStateList_.end());
313 }
314
QueryPermissionFlag(const std::string & permissionName,int & flag)315 int PermissionPolicySet::QueryPermissionFlag(const std::string& permissionName, int& flag)
316 {
317 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
318 for (const auto& perm : permStateList_) {
319 if (perm.permissionName == permissionName) {
320 if (perm.isGeneral) {
321 flag = perm.grantFlags[0];
322 return RET_SUCCESS;
323 } else {
324 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission %{public}s is invalid", permissionName.c_str());
325 return AccessTokenError::ERR_PARAM_INVALID;
326 }
327 }
328 }
329 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid params!");
330 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
331 }
332
UpdateWithNewFlag(uint32_t oldFlag,uint32_t currFlag)333 static uint32_t UpdateWithNewFlag(uint32_t oldFlag, uint32_t currFlag)
334 {
335 uint32_t newFlag = currFlag | (oldFlag & PERMISSION_GRANTED_BY_POLICY);
336 return newFlag;
337 }
338
UpdatePermStateList(const std::string & permissionName,bool isGranted,uint32_t flag)339 int32_t PermissionPolicySet::UpdatePermStateList(const std::string& permissionName, bool isGranted, uint32_t flag)
340 {
341 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
342 auto iter = std::find_if(permStateList_.begin(), permStateList_.end(),
343 [permissionName](const PermissionStateFull& permState) {
344 return permissionName == permState.permissionName;
345 });
346 if (iter != permStateList_.end()) {
347 if (iter->isGeneral) {
348 if ((static_cast<uint32_t>(iter->grantFlags[0]) & PERMISSION_SYSTEM_FIXED) == PERMISSION_SYSTEM_FIXED) {
349 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission fixed by system!");
350 return AccessTokenError::ERR_PARAM_INVALID;
351 }
352 iter->grantStatus[0] = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED;
353 iter->grantFlags[0] = UpdateWithNewFlag(iter->grantFlags[0], flag);
354 } else {
355 ACCESSTOKEN_LOG_WARN(LABEL, "Perm isGeneral is false.");
356 }
357 } else {
358 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission not request!");
359 return AccessTokenError::ERR_PARAM_INVALID;
360 }
361 return RET_SUCCESS;
362 }
363
SecCompGrantedPermListUpdated(const std::string & permissionName,bool isAdded)364 void PermissionPolicySet::SecCompGrantedPermListUpdated(const std::string& permissionName, bool isAdded)
365 {
366 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
367 if (isAdded) {
368 ACCESSTOKEN_LOG_DEBUG(LABEL, "The permission in secCompGrantedPermList_ is added.");
369 auto iter = std::find_if(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end(),
370 [permissionName](const std::string &grantedPerm) {
371 return permissionName == grantedPerm;
372 });
373 if (iter == secCompGrantedPermList_.end()) {
374 secCompGrantedPermList_.emplace_back(permissionName);
375 return;
376 }
377 } else {
378 ACCESSTOKEN_LOG_DEBUG(LABEL, "The permission in secCompGrantedPermList_ is deleted.");
379 auto iter = std::find_if(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end(),
380 [permissionName](const std::string &grantedPerm) {
381 return permissionName == grantedPerm;
382 });
383 if (iter != secCompGrantedPermList_.end()) {
384 secCompGrantedPermList_.erase(iter);
385 return;
386 }
387 }
388 return;
389 }
390
SetPermissionFlag(const std::string & permissionName,uint32_t flag,bool needToAdd)391 void PermissionPolicySet::SetPermissionFlag(const std::string& permissionName, uint32_t flag, bool needToAdd)
392 {
393 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
394 for (auto& perm : permStateList_) {
395 if (perm.permissionName == permissionName) {
396 if (perm.isGeneral) {
397 uint32_t oldFlag = perm.grantFlags[0];
398 uint32_t newFlag =
399 needToAdd ? (oldFlag | flag) : (oldFlag & (~PERMISSION_COMPONENT_SET));
400 perm.grantFlags[0] = newFlag;
401 return;
402 }
403 }
404 }
405 return;
406 }
407
UpdateSecCompGrantedPermList(const std::string & permissionName,bool isToGrant)408 int32_t PermissionPolicySet::UpdateSecCompGrantedPermList(const std::string& permissionName, bool isToGrant)
409 {
410 int32_t flag = 0;
411 int32_t ret = QueryPermissionFlag(permissionName, flag);
412
413 ACCESSTOKEN_LOG_DEBUG(LABEL, "Ret is %{public}d. flag is %{public}d", ret, flag);
414 // if the permission has been operated by user or the permission has been granted by system.
415 if ((IsPermOperatedByUser(flag) || IsPermOperatedBySystem(flag))) {
416 ACCESSTOKEN_LOG_DEBUG(LABEL, "The permission has been operated.");
417 if (isToGrant) {
418 int32_t status = VerifyPermissionStatus(permissionName);
419 // Permission has been granted, there is no need to add perm state in security component permList.
420 if (status == PERMISSION_GRANTED) {
421 return RET_SUCCESS;
422 } else {
423 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission has been revoked by user.");
424 return ERR_PERMISSION_DENIED;
425 }
426 } else {
427 /* revoke is called while the permission has been operated by user or system */
428 /* the permission need to be deleted from secCompGrantedPermList_ */
429 SecCompGrantedPermListUpdated(permissionName, false);
430 return RET_SUCCESS;
431 }
432 }
433 // the permission has not been operated by user or the app has not applied for this permission in config.json
434 SecCompGrantedPermListUpdated(permissionName, isToGrant);
435 // If the app has applied for this permission and security component operation has taken effect.
436 SetPermissionFlag(permissionName, PERMISSION_COMPONENT_SET, isToGrant);
437 return RET_SUCCESS;
438 }
439
UpdatePermissionStatus(const std::string & permissionName,bool isGranted,uint32_t flag)440 int32_t PermissionPolicySet::UpdatePermissionStatus(const std::string& permissionName, bool isGranted, uint32_t flag)
441 {
442 if (!IsPermGrantedBySecComp(flag)) {
443 return UpdatePermStateList(permissionName, isGranted, flag);
444 }
445 ACCESSTOKEN_LOG_DEBUG(LABEL, "Permission is set by security component.");
446 return UpdateSecCompGrantedPermList(permissionName, isGranted);
447 }
448
ClearSecCompGrantedPerm(void)449 void PermissionPolicySet::ClearSecCompGrantedPerm(void)
450 {
451 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
452 secCompGrantedPermList_.erase(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end());
453 for (auto& perm : permStateList_) {
454 if (perm.isGeneral) {
455 perm.grantFlags[0] = GetFlagWithoutSpecifiedElement(perm.grantFlags[0], PERMISSION_COMPONENT_SET);
456 }
457 }
458 }
459
ResetUserGrantPermissionStatus(void)460 void PermissionPolicySet::ResetUserGrantPermissionStatus(void)
461 {
462 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
463 for (auto& perm : permStateList_) {
464 if (perm.isGeneral) {
465 uint32_t oldFlag = static_cast<uint32_t>(perm.grantFlags[0]);
466 if ((oldFlag & PERMISSION_SYSTEM_FIXED) != 0) {
467 continue;
468 }
469 /* A user_grant permission has been set by system for cancellable pre-authorization. */
470 /* it should keep granted when the app reset. */
471 if ((oldFlag & PERMISSION_GRANTED_BY_POLICY) != 0) {
472 perm.grantStatus[0] = PERMISSION_GRANTED;
473 perm.grantFlags[0] = PERMISSION_GRANTED_BY_POLICY;
474 continue;
475 }
476 perm.grantStatus[0] = PERMISSION_DENIED;
477 perm.grantFlags[0] = PERMISSION_DEFAULT_FLAG;
478 } else {
479 continue;
480 }
481 }
482 }
483
GetPermissionStateList(std::vector<PermissionStateFull> & stateList)484 void PermissionPolicySet::GetPermissionStateList(std::vector<PermissionStateFull>& stateList)
485 {
486 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
487 for (const auto& state : permStateList_) {
488 stateList.emplace_back(state);
489 }
490 }
491
GetGrantedPermissionList(std::vector<std::string> & permissionList)492 void PermissionPolicySet::GetGrantedPermissionList(std::vector<std::string>& permissionList)
493 {
494 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
495 for (const auto& perm : permStateList_) {
496 if (perm.isGeneral && (perm.grantStatus[0] == PERMISSION_GRANTED)) {
497 permissionList.emplace_back(perm.permissionName);
498 }
499 }
500
501 for (const auto& permission : secCompGrantedPermList_) {
502 permissionList.emplace_back(permission);
503 }
504 }
505
GetDeletedPermissionListToNotify(std::vector<std::string> & permissionList)506 void PermissionPolicySet::GetDeletedPermissionListToNotify(std::vector<std::string>& permissionList)
507 {
508 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
509 for (const auto& perm : permStateList_) {
510 if (perm.isGeneral) {
511 if (perm.grantStatus[0] == PERMISSION_GRANTED) {
512 permissionList.emplace_back(perm.permissionName);
513 }
514 }
515 }
516 for (const auto& permission : secCompGrantedPermList_) {
517 permissionList.emplace_back(permission);
518 }
519 }
520
GetPermissionStateList(std::vector<uint32_t> & opCodeList,std::vector<bool> & statusList)521 void PermissionPolicySet::GetPermissionStateList(std::vector<uint32_t>& opCodeList, std::vector<bool>& statusList)
522 {
523 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
524 for (const auto& state : permStateList_) {
525 uint32_t code;
526 if (TransferPermissionToOpcode(state.permissionName, code)) {
527 opCodeList.emplace_back(code);
528 statusList.emplace_back(state.grantStatus[0] == PERMISSION_GRANTED);
529 }
530 }
531 }
532
GetReqPermissionSize()533 uint32_t PermissionPolicySet::GetReqPermissionSize()
534 {
535 return static_cast<uint32_t>(permStateList_.size());
536 }
537
PermDefToString(const PermissionDef & def,std::string & info) const538 void PermissionPolicySet::PermDefToString(const PermissionDef& def, std::string& info) const
539 {
540 info.append(R"( {)");
541 info.append("\n");
542 info.append(R"( "permissionName": ")" + def.permissionName + R"(")" + ",\n");
543 info.append(R"( "bundleName": ")" + def.bundleName + R"(")" + ",\n");
544 info.append(R"( "grantMode": )" + std::to_string(def.grantMode) + ",\n");
545 info.append(R"( "availableLevel": )" + std::to_string(def.availableLevel) + ",\n");
546 info.append(R"( "provisionEnable": )" + std::to_string(def.provisionEnable) + ",\n");
547 info.append(R"( "distributedSceneEnable": )" + std::to_string(def.distributedSceneEnable) + ",\n");
548 info.append(R"( "label": ")" + def.label + R"(")" + ",\n");
549 info.append(R"( "labelId": )" + std::to_string(def.labelId) + ",\n");
550 info.append(R"( "description": ")" + def.description + R"(")" + ",\n");
551 info.append(R"( "descriptionId": )" + std::to_string(def.descriptionId) + ",\n");
552 info.append(R"( })");
553 }
554
PermStateFullToString(const PermissionStateFull & state,std::string & info) const555 void PermissionPolicySet::PermStateFullToString(const PermissionStateFull& state, std::string& info) const
556 {
557 info.append(R"( {)");
558 info.append("\n");
559 info.append(R"( "permissionName": ")" + state.permissionName + R"(")" + ",\n");
560 info.append(R"( "isGeneral": )" + std::to_string(state.isGeneral) + ",\n");
561 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
562 info.append(R"( "resDeviceIDList": [ )");
563 for (auto iter = state.resDeviceID.begin(); iter != state.resDeviceID.end(); iter++) {
564 info.append("\n");
565 info.append(R"( { "resDeviceID": ")" + *iter + R"(")" + " }");
566 if (iter != (state.resDeviceID.end() - 1)) {
567 info.append(",");
568 }
569 }
570 info.append("\n ],\n");
571 #endif
572 info.append(R"( "grantStatusList": [)");
573 for (auto iter = state.grantStatus.begin(); iter != state.grantStatus.end(); iter++) {
574 info.append("\n");
575 info.append(R"( { "grantStatus": )" + std::to_string(*iter) + " }");
576 if (iter != (state.grantStatus.end() - 1)) {
577 info.append(",");
578 }
579 }
580 info.append("\n ],\n");
581
582 info.append(R"( "grantFlagsList": [)");
583 for (auto iter = state.grantFlags.begin(); iter != state.grantFlags.end(); iter++) {
584 info.append("\n");
585 info.append(R"( { "grantFlag": )" + std::to_string(*iter) + " }");
586 if (iter != (state.grantFlags.end() - 1)) {
587 info.append(",");
588 }
589 }
590 info.append("\n ],\n");
591
592 info.append(R"( })");
593 }
594
ToString(std::string & info)595 void PermissionPolicySet::ToString(std::string& info)
596 {
597 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
598 info.append(R"( "permDefList": [)");
599 info.append("\n");
600 std::vector<PermissionDef> permList;
601 PermissionDefinitionCache::GetInstance().GetDefPermissionsByTokenId(permList, tokenId_);
602 for (auto iter = permList.begin(); iter != permList.end(); iter++) {
603 PermDefToString(*iter, info);
604 if (iter != (permList.end() - 1)) {
605 info.append(",\n");
606 }
607 }
608 info.append("\n ],\n");
609
610 info.append(R"( "permStateList": [)");
611 info.append("\n");
612 for (auto iter = permStateList_.begin(); iter != permStateList_.end(); iter++) {
613 PermStateFullToString(*iter, info);
614 if (iter != (permStateList_.end() - 1)) {
615 info.append(",\n");
616 }
617 }
618 info.append("\n ]\n");
619 }
620
IsPermissionReqValid(int32_t tokenApl,const std::string & permissionName,const std::vector<std::string> & nativeAcls)621 bool PermissionPolicySet::IsPermissionReqValid(int32_t tokenApl, const std::string& permissionName,
622 const std::vector<std::string>& nativeAcls)
623 {
624 PermissionDef permissionDef;
625 int ret = PermissionDefinitionCache::GetInstance().FindByPermissionName(
626 permissionName, permissionDef);
627 if (ret != RET_SUCCESS) {
628 return false;
629 }
630 if (tokenApl >= permissionDef.availableLevel) {
631 return true;
632 }
633
634 auto iter = std::find(nativeAcls.begin(), nativeAcls.end(), permissionName);
635 if (iter != nativeAcls.end()) {
636 return true;
637 }
638 return false;
639 }
640
PermStateToString(int32_t tokenApl,const std::vector<std::string> & nativeAcls,std::string & info)641 void PermissionPolicySet::PermStateToString(int32_t tokenApl,
642 const std::vector<std::string>& nativeAcls, std::string& info)
643 {
644 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
645
646 std::vector<std::string> invalidPermList = {};
647 info.append(R"( "permStateList": [)");
648 info.append("\n");
649 for (auto iter = permStateList_.begin(); iter != permStateList_.end(); iter++) {
650 if (!IsPermissionReqValid(tokenApl, iter->permissionName, nativeAcls)) {
651 invalidPermList.emplace_back(iter->permissionName);
652 continue;
653 }
654 PermStateFullToString(*iter, info);
655 if (iter != (permStateList_.end() - 1)) {
656 info.append(",\n");
657 }
658 }
659 info.append("\n ]\n");
660
661 if (invalidPermList.empty()) {
662 return;
663 }
664
665 info.append(R"( "invalidPermList": [)");
666 info.append("\n");
667 for (auto iter = invalidPermList.begin(); iter != invalidPermList.end(); iter++) {
668 info.append(R"( "permissionName": ")" + *iter + R"(")" + ",\n");
669 }
670 info.append("\n ]\n");
671 }
672 } // namespace AccessToken
673 } // namespace Security
674 } // namespace OHOS
675