1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "privacy_manager_service.h"
17
18 #include <cinttypes>
19 #include <cstring>
20
21 #include "access_token.h"
22 #include "accesstoken_log.h"
23 #include "active_status_callback_manager.h"
24 #include "ipc_skeleton.h"
25 #ifdef COMMON_EVENT_SERVICE_ENABLE
26 #include "privacy_common_event_subscriber.h"
27 #endif //COMMON_EVENT_SERVICE_ENABLE
28 #include "constant_common.h"
29 #include "constant.h"
30 #include "ipc_skeleton.h"
31 #include "permission_record_manager.h"
32 #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
33 #include "privacy_sec_comp_enhance_agent.h"
34 #endif
35 #include "screenlock_manager_loader.h"
36 #include "system_ability_definition.h"
37 #include "string_ex.h"
38
39 namespace OHOS {
40 namespace Security {
41 namespace AccessToken {
42 namespace {
43 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {
44 LOG_CORE, SECURITY_DOMAIN_PRIVACY, "PrivacyManagerService"
45 };
46 }
47
48 const bool REGISTER_RESULT =
49 SystemAbility::MakeAndRegisterAbility(DelayedSingleton<PrivacyManagerService>::GetInstance().get());
50
PrivacyManagerService()51 PrivacyManagerService::PrivacyManagerService()
52 : SystemAbility(SA_ID_PRIVACY_MANAGER_SERVICE, true), state_(ServiceRunningState::STATE_NOT_START)
53 {
54 ACCESSTOKEN_LOG_INFO(LABEL, "PrivacyManagerService()");
55 }
56
~PrivacyManagerService()57 PrivacyManagerService::~PrivacyManagerService()
58 {
59 ACCESSTOKEN_LOG_INFO(LABEL, "~PrivacyManagerService()");
60 #ifdef COMMON_EVENT_SERVICE_ENABLE
61 PrivacyCommonEventSubscriber::UnRegisterEvent();
62 #endif //COMMON_EVENT_SERVICE_ENABLE
63 }
64
OnStart()65 void PrivacyManagerService::OnStart()
66 {
67 if (state_ == ServiceRunningState::STATE_RUNNING) {
68 ACCESSTOKEN_LOG_INFO(LABEL, "PrivacyManagerService has already started!");
69 return;
70 }
71 ACCESSTOKEN_LOG_INFO(LABEL, "PrivacyManagerService is starting");
72 if (!Initialize()) {
73 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to initialize");
74 return;
75 }
76
77 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
78 AddSystemAbilityListener(SCREENLOCK_SERVICE_ID);
79
80 state_ = ServiceRunningState::STATE_RUNNING;
81 bool ret = Publish(DelayedSingleton<PrivacyManagerService>::GetInstance().get());
82 if (!ret) {
83 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to publish service!");
84 return;
85 }
86 ACCESSTOKEN_LOG_INFO(LABEL, "Congratulations, PrivacyManagerService start successfully!");
87 }
88
OnStop()89 void PrivacyManagerService::OnStop()
90 {
91 ACCESSTOKEN_LOG_INFO(LABEL, "Stop service");
92 state_ = ServiceRunningState::STATE_NOT_START;
93 }
94
AddPermissionUsedRecord(const AddPermParamInfoParcel & infoParcel,bool asyncMode)95 int32_t PrivacyManagerService::AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel,
96 bool asyncMode)
97 {
98 ACCESSTOKEN_LOG_DEBUG(LABEL, "id: %{public}d, perm: %{public}s, succCnt: %{public}d,"
99 " failCnt: %{public}d, type: %{public}d", infoParcel.info.tokenId, infoParcel.info.permissionName.c_str(),
100 infoParcel.info.successCount, infoParcel.info.failCount, infoParcel.info.type);
101 AddPermParamInfo info = infoParcel.info;
102 return PermissionRecordManager::GetInstance().AddPermissionUsedRecord(info);
103 }
104
StartUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)105 int32_t PrivacyManagerService::StartUsingPermission(
106 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
107 {
108 ACCESSTOKEN_LOG_INFO(LABEL, "id: %{public}u, pid: %{public}d, perm: %{public}s",
109 tokenId, pid, permissionName.c_str());
110 return PermissionRecordManager::GetInstance().StartUsingPermission(tokenId, pid, permissionName);
111 }
112
StartUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName,const sptr<IRemoteObject> & callback)113 int32_t PrivacyManagerService::StartUsingPermission(
114 AccessTokenID tokenId, int32_t pid, const std::string& permissionName, const sptr<IRemoteObject>& callback)
115 {
116 ACCESSTOKEN_LOG_INFO(LABEL, "id: %{public}u, pid: %{public}d, perm: %{public}s",
117 tokenId, pid, permissionName.c_str());
118 return PermissionRecordManager::GetInstance().StartUsingPermission(tokenId, pid, permissionName, callback);
119 }
120
StopUsingPermission(AccessTokenID tokenId,int32_t pid,const std::string & permissionName)121 int32_t PrivacyManagerService::StopUsingPermission(
122 AccessTokenID tokenId, int32_t pid, const std::string& permissionName)
123 {
124 ACCESSTOKEN_LOG_INFO(LABEL, "id: %{public}u, pid: %{public}d, perm: %{public}s",
125 tokenId, pid, permissionName.c_str());
126 return PermissionRecordManager::GetInstance().StopUsingPermission(tokenId, pid, permissionName);
127 }
128
RemovePermissionUsedRecords(AccessTokenID tokenId,const std::string & deviceID)129 int32_t PrivacyManagerService::RemovePermissionUsedRecords(AccessTokenID tokenId, const std::string& deviceID)
130 {
131 ACCESSTOKEN_LOG_INFO(LABEL, "id: %{public}u", tokenId);
132 PermissionRecordManager::GetInstance().RemovePermissionUsedRecords(tokenId, deviceID);
133 return Constant::SUCCESS;
134 }
135
GetPermissionUsedRecords(const PermissionUsedRequestParcel & request,PermissionUsedResultParcel & result)136 int32_t PrivacyManagerService::GetPermissionUsedRecords(
137 const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& result)
138 {
139 std::string permissionList;
140 for (const auto& perm : request.request.permissionList) {
141 permissionList.append(perm);
142 permissionList.append(" ");
143 }
144 ACCESSTOKEN_LOG_INFO(LABEL, "id: %{public}d, timestamp: [%{public}" PRId64 "-%{public}" PRId64
145 "], flag: %{public}d, perm: %{public}s", request.request.tokenId, request.request.beginTimeMillis,
146 request.request.endTimeMillis, request.request.flag, permissionList.c_str());
147
148 PermissionUsedResult permissionRecord;
149 int32_t ret = PermissionRecordManager::GetInstance().GetPermissionUsedRecords(request.request, permissionRecord);
150 result.result = permissionRecord;
151 return ret;
152 }
153
GetPermissionUsedRecords(const PermissionUsedRequestParcel & request,const sptr<OnPermissionUsedRecordCallback> & callback)154 int32_t PrivacyManagerService::GetPermissionUsedRecords(
155 const PermissionUsedRequestParcel& request, const sptr<OnPermissionUsedRecordCallback>& callback)
156 {
157 ACCESSTOKEN_LOG_DEBUG(LABEL, "id: %{public}d", request.request.tokenId);
158 return PermissionRecordManager::GetInstance().GetPermissionUsedRecordsAsync(request.request, callback);
159 }
160
RegisterPermActiveStatusCallback(std::vector<std::string> & permList,const sptr<IRemoteObject> & callback)161 int32_t PrivacyManagerService::RegisterPermActiveStatusCallback(
162 std::vector<std::string>& permList, const sptr<IRemoteObject>& callback)
163 {
164 return PermissionRecordManager::GetInstance().RegisterPermActiveStatusCallback(
165 IPCSkeleton::GetCallingTokenID(), permList, callback);
166 }
167
168 #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
RegisterSecCompEnhance(const SecCompEnhanceDataParcel & enhanceParcel)169 int32_t PrivacyManagerService::RegisterSecCompEnhance(const SecCompEnhanceDataParcel& enhanceParcel)
170 {
171 ACCESSTOKEN_LOG_INFO(LABEL, "Pid: %{public}d", enhanceParcel.enhanceData.pid);
172 return PrivacySecCompEnhanceAgent::GetInstance().RegisterSecCompEnhance(enhanceParcel.enhanceData);
173 }
174
UpdateSecCompEnhance(int32_t pid,uint32_t seqNum)175 int32_t PrivacyManagerService::UpdateSecCompEnhance(int32_t pid, uint32_t seqNum)
176 {
177 return PrivacySecCompEnhanceAgent::GetInstance().UpdateSecCompEnhance(pid, seqNum);
178 }
179
GetSecCompEnhance(int32_t pid,SecCompEnhanceDataParcel & enhanceParcel)180 int32_t PrivacyManagerService::GetSecCompEnhance(int32_t pid, SecCompEnhanceDataParcel& enhanceParcel)
181 {
182 SecCompEnhanceData enhanceData;
183 int32_t res = PrivacySecCompEnhanceAgent::GetInstance().GetSecCompEnhance(pid, enhanceData);
184 if (res != RET_SUCCESS) {
185 ACCESSTOKEN_LOG_WARN(LABEL, "Pid: %{public}d get enhance failed ", pid);
186 return res;
187 }
188
189 enhanceParcel.enhanceData = enhanceData;
190 return RET_SUCCESS;
191 }
192
GetSpecialSecCompEnhance(const std::string & bundleName,std::vector<SecCompEnhanceDataParcel> & enhanceParcelList)193 int32_t PrivacyManagerService::GetSpecialSecCompEnhance(const std::string& bundleName,
194 std::vector<SecCompEnhanceDataParcel>& enhanceParcelList)
195 {
196 std::vector<SecCompEnhanceData> enhanceList;
197 PrivacySecCompEnhanceAgent::GetInstance().GetSpecialSecCompEnhance(bundleName, enhanceList);
198 for (const auto& enhance : enhanceList) {
199 SecCompEnhanceDataParcel parcel;
200 parcel.enhanceData = enhance;
201 enhanceParcelList.emplace_back(parcel);
202 }
203 return RET_SUCCESS;
204 }
205 #endif
206
ResponseDumpCommand(int32_t fd,const std::vector<std::u16string> & args)207 int32_t PrivacyManagerService::ResponseDumpCommand(int32_t fd, const std::vector<std::u16string>& args)
208 {
209 if (args.size() < 2) { // 2 :need two args 0:command 1:tokenId
210 return ERR_INVALID_VALUE;
211 }
212 long long tokenId = atoll(static_cast<const char*>(Str16ToStr8(args.at(1)).c_str()));
213 PermissionUsedRequest request;
214 if (tokenId <= 0) {
215 return ERR_INVALID_VALUE;
216 }
217 request.tokenId = static_cast<uint32_t>(tokenId);
218 request.flag = FLAG_PERMISSION_USAGE_SUMMARY;
219 PermissionUsedResult result;
220 if (PermissionRecordManager::GetInstance().GetPermissionUsedRecords(request, result) != 0) {
221 return ERR_INVALID_VALUE;
222 }
223 std::string infos;
224 if (result.bundleRecords.empty() || result.bundleRecords[0].permissionRecords.empty()) {
225 dprintf(fd, "No Record \n");
226 return ERR_OK;
227 }
228 for (size_t index = 0; index < result.bundleRecords[0].permissionRecords.size(); index++) {
229 infos.append(R"( "permissionRecord": [)");
230 infos.append("\n");
231 infos.append(R"( "bundleName": )" + result.bundleRecords[0].bundleName + ",\n");
232 infos.append(R"( "isRemote": )" + std::to_string(result.bundleRecords[0].isRemote) + ",\n");
233 infos.append(R"( "permissionName": ")" + result.bundleRecords[0].permissionRecords[index].permissionName +
234 R"(")" + ",\n");
235 time_t lastAccessTime = static_cast<time_t>(result.bundleRecords[0].permissionRecords[index].lastAccessTime);
236 infos.append(R"( "lastAccessTime": )" + std::to_string(lastAccessTime) + ",\n");
237 infos.append(R"( "lastAccessDuration": )" +
238 std::to_string(result.bundleRecords[0].permissionRecords[index].lastAccessDuration) + ",\n");
239 infos.append(R"( "accessCount": ")" +
240 std::to_string(result.bundleRecords[0].permissionRecords[index].accessCount) + R"(")" + ",\n");
241 infos.append(" ]");
242 infos.append("\n");
243 }
244 dprintf(fd, "%s\n", infos.c_str());
245 return ERR_OK;
246 }
247
Dump(int32_t fd,const std::vector<std::u16string> & args)248 int32_t PrivacyManagerService::Dump(int32_t fd, const std::vector<std::u16string>& args)
249 {
250 if (fd < 0) {
251 ACCESSTOKEN_LOG_ERROR(LABEL, "Dump fd invalid value");
252 return ERR_INVALID_VALUE;
253 }
254 int32_t ret = ERR_OK;
255 dprintf(fd, "Privacy Dump:\n");
256 if (args.size() == 0) {
257 dprintf(fd, "please use hidumper -s said -a '-h' command help\n");
258 return ret;
259 }
260 std::string arg0 = Str16ToStr8(args.at(0));
261 if (arg0.compare("-h") == 0) {
262 dprintf(fd, "Usage:\n");
263 dprintf(fd, " -h: command help\n");
264 dprintf(fd, " -t <TOKEN_ID>: according to specific token id dump permission used records\n");
265 } else if (arg0.compare("-t") == 0) {
266 ret = PrivacyManagerService::ResponseDumpCommand(fd, args);
267 } else {
268 dprintf(fd, "please use hidumper -s said -a '-h' command help\n");
269 ret = ERR_INVALID_VALUE;
270 }
271 return ret;
272 }
273
UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject> & callback)274 int32_t PrivacyManagerService::UnRegisterPermActiveStatusCallback(const sptr<IRemoteObject>& callback)
275 {
276 return PermissionRecordManager::GetInstance().UnRegisterPermActiveStatusCallback(callback);
277 }
278
IsAllowedUsingPermission(AccessTokenID tokenId,const std::string & permissionName)279 bool PrivacyManagerService::IsAllowedUsingPermission(AccessTokenID tokenId, const std::string& permissionName)
280 {
281 ACCESSTOKEN_LOG_INFO(LABEL, "id: %{public}d, perm: %{public}s", tokenId, permissionName.c_str());
282 return PermissionRecordManager::GetInstance().IsAllowedUsingPermission(tokenId, permissionName);
283 }
284
SetMutePolicy(uint32_t policyType,uint32_t callerType,bool isMute)285 int32_t PrivacyManagerService::SetMutePolicy(uint32_t policyType, uint32_t callerType, bool isMute)
286 {
287 ACCESSTOKEN_LOG_INFO(LABEL, "PolicyType: %{public}d, callerType: %{public}d, isMute: %{public}d",
288 policyType, callerType, isMute);
289 return PermissionRecordManager::GetInstance().SetMutePolicy(
290 static_cast<PolicyType>(policyType), static_cast<CallerType>(callerType), isMute);
291 }
292
SetHapWithFGReminder(uint32_t tokenId,bool isAllowed)293 int32_t PrivacyManagerService::SetHapWithFGReminder(uint32_t tokenId, bool isAllowed)
294 {
295 ACCESSTOKEN_LOG_INFO(LABEL, "id: %{public}d, isAllowed: %{public}d", tokenId, isAllowed);
296 return PermissionRecordManager::GetInstance().SetHapWithFGReminder(tokenId, isAllowed);
297 }
298
GetPermissionUsedTypeInfos(const AccessTokenID tokenId,const std::string & permissionName,std::vector<PermissionUsedTypeInfoParcel> & resultsParcel)299 int32_t PrivacyManagerService::GetPermissionUsedTypeInfos(const AccessTokenID tokenId,
300 const std::string& permissionName, std::vector<PermissionUsedTypeInfoParcel>& resultsParcel)
301 {
302 ACCESSTOKEN_LOG_DEBUG(LABEL, "id: %{public}d, perm: %{public}s", tokenId, permissionName.c_str());
303
304 std::vector<PermissionUsedTypeInfo> results;
305 int32_t res = PermissionRecordManager::GetInstance().GetPermissionUsedTypeInfos(tokenId, permissionName, results);
306 if (res != RET_SUCCESS) {
307 return res;
308 }
309
310 for (const auto& result : results) {
311 PermissionUsedTypeInfoParcel parcel;
312 parcel.info = result;
313 resultsParcel.emplace_back(parcel);
314 }
315
316 return RET_SUCCESS;
317 }
318
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)319 void PrivacyManagerService::OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
320 {
321 ACCESSTOKEN_LOG_INFO(LABEL, "saId is %{public}d", systemAbilityId);
322 #ifdef COMMON_EVENT_SERVICE_ENABLE
323 if (systemAbilityId == COMMON_EVENT_SERVICE_ID) {
324 PrivacyCommonEventSubscriber::RegisterEvent();
325 return;
326 }
327 #endif //COMMON_EVENT_SERVICE_ENABLE
328
329 if (systemAbilityId == SCREENLOCK_SERVICE_ID) {
330 LibraryLoader loader(SCREENLOCK_MANAGER_LIBPATH);
331 ScreenLockManagerAccessLoaderInterface* screenlockManagerLoader =
332 loader.GetObject<ScreenLockManagerAccessLoaderInterface>();
333 if (screenlockManagerLoader != nullptr) {
334 int32_t lockScreenStatus = LockScreenStatusChangeType::PERM_ACTIVE_IN_UNLOCKED;
335 if (screenlockManagerLoader->IsScreenLocked()) {
336 lockScreenStatus = LockScreenStatusChangeType::PERM_ACTIVE_IN_LOCKED;
337 }
338
339 PermissionRecordManager::GetInstance().SetLockScreenStatus(lockScreenStatus);
340 }
341 return;
342 }
343 }
344
Initialize()345 bool PrivacyManagerService::Initialize()
346 {
347 PermissionRecordManager::GetInstance().Init();
348 #ifdef EVENTHANDLER_ENABLE
349 eventRunner_ = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
350 if (!eventRunner_) {
351 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to create eventRunner.");
352 return false;
353 }
354 eventHandler_ = std::make_shared<AccessEventHandler>(eventRunner_);
355 ActiveStatusCallbackManager::GetInstance().InitEventHandler(eventHandler_);
356 #endif
357 return true;
358 }
359 } // namespace AccessToken
360 } // namespace Security
361 } // namespace OHOS
362