1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 //! This module is used to check permission.
17
18 use std::{ffi::CString, os::raw::c_char};
19
20 use ipc::Skeleton;
21
22 use asset_common::{get_user_id, ROOT_USER_UPPERBOUND};
23 use asset_definition::{log_throw_error, AssetMap, ErrCode, Result, Tag};
24
25 extern "C" {
CheckPermission(permission: *const c_char) -> bool26 fn CheckPermission(permission: *const c_char) -> bool;
CheckSystemHapPermission() -> bool27 fn CheckSystemHapPermission() -> bool;
28 }
29
check_system_permission(attrs: &AssetMap) -> Result<()>30 pub(crate) fn check_system_permission(attrs: &AssetMap) -> Result<()> {
31 if attrs.get(&Tag::UserId).is_some() {
32 if unsafe { !CheckSystemHapPermission() } {
33 return log_throw_error!(ErrCode::NotSystemApplication, "[FATAL]The caller is not system application.");
34 }
35
36 let permission = CString::new("ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS").unwrap();
37 if unsafe { !CheckPermission(permission.as_ptr()) } {
38 return log_throw_error!(ErrCode::PermissionDenied, "[FATAL][SA]Permission check failed.");
39 }
40
41 let uid = Skeleton::calling_uid();
42 let user_id = get_user_id(uid)?;
43 if user_id > ROOT_USER_UPPERBOUND {
44 return log_throw_error!(
45 ErrCode::AccessDenied,
46 "[FATAL]The caller user_id is: {}. Not in range[0, 99]",
47 user_id
48 );
49 }
50 }
51 Ok(())
52 }
53