1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_manager_service.h"
17
18 #include <unistd.h>
19
20 #include "access_token.h"
21 #include "access_token_error.h"
22 #include "accesstoken_dfx_define.h"
23 #include "accesstoken_id_manager.h"
24 #include "accesstoken_info_manager.h"
25 #include "accesstoken_log.h"
26 #include "config_policy_loader.h"
27 #include "constant_common.h"
28 #ifdef SUPPORT_SANDBOX_APP
29 #include "dlp_permission_set_parser.h"
30 #endif
31 #include "hap_token_info.h"
32 #include "hap_token_info_inner.h"
33 #include "hisysevent_adapter.h"
34 #ifdef HITRACE_NATIVE_ENABLE
35 #include "hitrace_meter.h"
36 #endif
37 #include "ipc_skeleton.h"
38 #include "libraryloader.h"
39 #include "native_token_info_inner.h"
40 #include "native_token_receptor.h"
41 #include "parameter.h"
42 #include "permission_list_state.h"
43 #include "permission_manager.h"
44 #include "short_grant_manager.h"
45 #include "string_ex.h"
46 #include "system_ability_definition.h"
47 #include "permission_definition_parser.h"
48 #ifdef TOKEN_SYNC_ENABLE
49 #include "token_modify_notifier.h"
50 #endif // TOKEN_SYNC_ENABLE
51
52 namespace OHOS {
53 namespace Security {
54 namespace AccessToken {
55 namespace {
56 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {
57 LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "ATMServ"
58 };
59 static const char* ACCESS_TOKEN_SERVICE_INIT_KEY = "accesstoken.permission.init";
60 constexpr int TWO_ARGS = 2;
61 const std::string GRANT_ABILITY_BUNDLE_NAME = "com.ohos.permissionmanager";
62 const std::string GRANT_ABILITY_ABILITY_NAME = "com.ohos.permissionmanager.GrantAbility";
63 const std::string PERMISSION_STATE_SHEET_ABILITY_NAME = "com.ohos.permissionmanager.PermissionStateSheetAbility";
64 const std::string GLOBAL_SWITCH_SHEET_ABILITY_NAME = "com.ohos.permissionmanager.GlobalSwitchSheetAbility";
65 }
66
67 const bool REGISTER_RESULT =
68 SystemAbility::MakeAndRegisterAbility(DelayedSingleton<AccessTokenManagerService>::GetInstance().get());
69
AccessTokenManagerService()70 AccessTokenManagerService::AccessTokenManagerService()
71 : SystemAbility(SA_ID_ACCESSTOKEN_MANAGER_SERVICE, true), state_(ServiceRunningState::STATE_NOT_START)
72 {
73 ACCESSTOKEN_LOG_INFO(LABEL, "AccessTokenManagerService()");
74 }
75
~AccessTokenManagerService()76 AccessTokenManagerService::~AccessTokenManagerService()
77 {
78 ACCESSTOKEN_LOG_INFO(LABEL, "~AccessTokenManagerService()");
79 }
80
OnStart()81 void AccessTokenManagerService::OnStart()
82 {
83 if (state_ == ServiceRunningState::STATE_RUNNING) {
84 ACCESSTOKEN_LOG_INFO(LABEL, "AccessTokenManagerService has already started!");
85 return;
86 }
87 ACCESSTOKEN_LOG_INFO(LABEL, "AccessTokenManagerService is starting.");
88 if (!Initialize()) {
89 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to initialize.");
90 return;
91 }
92 state_ = ServiceRunningState::STATE_RUNNING;
93 bool ret = Publish(DelayedSingleton<AccessTokenManagerService>::GetInstance().get());
94 if (!ret) {
95 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to publish service!");
96 ReportSysEventServiceStartError(SA_PUBLISH_FAILED, "Publish accesstoken_service fail.", -1);
97 return;
98 }
99 AccessTokenServiceParamSet();
100 (void)AddSystemAbilityListener(SECURITY_COMPONENT_SERVICE_ID);
101 #ifdef TOKEN_SYNC_ENABLE
102 (void)AddSystemAbilityListener(DISTRIBUTED_HARDWARE_DEVICEMANAGER_SA_ID);
103 #endif
104 ACCESSTOKEN_LOG_INFO(LABEL, "Congratulations, AccessTokenManagerService start successfully!");
105 }
106
OnStop()107 void AccessTokenManagerService::OnStop()
108 {
109 ACCESSTOKEN_LOG_INFO(LABEL, "Stop service.");
110 state_ = ServiceRunningState::STATE_NOT_START;
111 }
112
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)113 void AccessTokenManagerService::OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
114 {
115 #ifdef TOKEN_SYNC_ENABLE
116 if (systemAbilityId == DISTRIBUTED_HARDWARE_DEVICEMANAGER_SA_ID) {
117 AccessTokenInfoManager::GetInstance().InitDmCallback();
118 }
119 #endif
120 }
121
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)122 void AccessTokenManagerService::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
123 {
124 if (systemAbilityId == SECURITY_COMPONENT_SERVICE_ID) {
125 std::vector<AccessTokenID> tokenIdList;
126 AccessTokenIDManager::GetInstance().GetHapTokenIdList(tokenIdList);
127 PermissionManager::GetInstance().ClearAllSecCompGrantedPerm(tokenIdList);
128 return;
129 }
130 }
131
GetUserGrantedPermissionUsedType(AccessTokenID tokenID,const std::string & permissionName)132 PermUsedTypeEnum AccessTokenManagerService::GetUserGrantedPermissionUsedType(
133 AccessTokenID tokenID, const std::string& permissionName)
134 {
135 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID=%{public}d, permission=%{public}s", tokenID, permissionName.c_str());
136 return PermissionManager::GetInstance().GetUserGrantedPermissionUsedType(tokenID, permissionName);
137 }
138
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)139 int AccessTokenManagerService::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
140 {
141 #ifdef HITRACE_NATIVE_ENABLE
142 StartTrace(HITRACE_TAG_ACCESS_CONTROL, "AccessTokenVerifyPermission");
143 #endif
144 int32_t res = PermissionManager::GetInstance().VerifyAccessToken(tokenID, permissionName);
145 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID: %{public}d, permission: %{public}s, res %{public}d",
146 tokenID, permissionName.c_str(), res);
147 #ifdef HITRACE_NATIVE_ENABLE
148 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
149 #endif
150 return res;
151 }
152
GetDefPermission(const std::string & permissionName,PermissionDefParcel & permissionDefResult)153 int AccessTokenManagerService::GetDefPermission(
154 const std::string& permissionName, PermissionDefParcel& permissionDefResult)
155 {
156 ACCESSTOKEN_LOG_INFO(LABEL, "Permission: %{public}s", permissionName.c_str());
157 return PermissionManager::GetInstance().GetDefPermission(permissionName, permissionDefResult.permissionDef);
158 }
159
GetDefPermissions(AccessTokenID tokenID,std::vector<PermissionDefParcel> & permList)160 int AccessTokenManagerService::GetDefPermissions(AccessTokenID tokenID, std::vector<PermissionDefParcel>& permList)
161 {
162 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d", tokenID);
163 std::vector<PermissionDef> permVec;
164 int ret = PermissionManager::GetInstance().GetDefPermissions(tokenID, permVec);
165 for (const auto& perm : permVec) {
166 PermissionDefParcel permParcel;
167 permParcel.permissionDef = perm;
168 permList.emplace_back(permParcel);
169 }
170 return ret;
171 }
172
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStateFullParcel> & reqPermList,bool isSystemGrant)173 int AccessTokenManagerService::GetReqPermissions(
174 AccessTokenID tokenID, std::vector<PermissionStateFullParcel>& reqPermList, bool isSystemGrant)
175 {
176 std::vector<PermissionStateFull> permList;
177 int ret = PermissionManager::GetInstance().GetReqPermissions(tokenID, permList, isSystemGrant);
178
179 for (const auto& perm : permList) {
180 PermissionStateFullParcel permParcel;
181 permParcel.permStatFull = perm;
182 reqPermList.emplace_back(permParcel);
183 }
184 return ret;
185 }
186
GetSelfPermissionsState(std::vector<PermissionListStateParcel> & reqPermList,PermissionGrantInfoParcel & infoParcel)187 PermissionOper AccessTokenManagerService::GetSelfPermissionsState(std::vector<PermissionListStateParcel>& reqPermList,
188 PermissionGrantInfoParcel& infoParcel)
189 {
190 infoParcel.info.grantBundleName = grantBundleName_;
191 infoParcel.info.grantAbilityName = grantAbilityName_;
192 infoParcel.info.grantServiceAbilityName = grantServiceAbilityName_;
193 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
194 return GetPermissionsState(callingTokenID, reqPermList);
195 }
196
GetPermissionsStatus(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList)197 int32_t AccessTokenManagerService::GetPermissionsStatus(AccessTokenID tokenID,
198 std::vector<PermissionListStateParcel>& reqPermList)
199 {
200 if (!AccessTokenInfoManager::GetInstance().IsTokenIdExist(tokenID)) {
201 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID=%{public}d does not exist", tokenID);
202 return ERR_TOKENID_NOT_EXIST;
203 }
204 PermissionOper ret = GetPermissionsState(tokenID, reqPermList);
205 return ret == INVALID_OPER ? RET_FAILED : RET_SUCCESS;
206 }
207
GetPermissionsState(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList)208 PermissionOper AccessTokenManagerService::GetPermissionsState(AccessTokenID tokenID,
209 std::vector<PermissionListStateParcel>& reqPermList)
210 {
211 int32_t apiVersion = 0;
212 if (!PermissionManager::GetInstance().GetApiVersionByTokenId(tokenID, apiVersion)) {
213 ACCESSTOKEN_LOG_ERROR(LABEL, "Get api version error");
214 return INVALID_OPER;
215 }
216 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d, apiVersion: %{public}d", tokenID, apiVersion);
217
218 bool needRes = false;
219 std::vector<PermissionStateFull> permsList;
220 int retUserGrant = PermissionManager::GetInstance().GetReqPermissions(tokenID, permsList, false);
221 int retSysGrant = PermissionManager::GetInstance().GetReqPermissions(tokenID, permsList, true);
222 if ((retSysGrant != RET_SUCCESS) || (retUserGrant != RET_SUCCESS)) {
223 ACCESSTOKEN_LOG_ERROR(LABEL,
224 "GetReqPermissions failed, retUserGrant:%{public}d, retSysGrant:%{public}d",
225 retUserGrant, retSysGrant);
226 return INVALID_OPER;
227 }
228
229 // api9 location permission handle here
230 if (apiVersion >= ACCURATE_LOCATION_API_VERSION) {
231 needRes = PermissionManager::GetInstance().LocationPermissionSpecialHandle(
232 tokenID, reqPermList, permsList, apiVersion);
233 }
234
235 uint32_t size = reqPermList.size();
236 for (uint32_t i = 0; i < size; i++) {
237 // api9 location permission special handle above
238 if (((reqPermList[i].permsState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) ||
239 (reqPermList[i].permsState.permissionName == ACCURATE_LOCATION_PERMISSION_NAME) ||
240 (reqPermList[i].permsState.permissionName == BACKGROUND_LOCATION_PERMISSION_NAME)) &&
241 (apiVersion >= ACCURATE_LOCATION_API_VERSION)) {
242 continue;
243 }
244
245 PermissionManager::GetInstance().GetSelfPermissionState(permsList, reqPermList[i].permsState, apiVersion);
246 if (static_cast<PermissionOper>(reqPermList[i].permsState.state) == DYNAMIC_OPER) {
247 needRes = true;
248 }
249 ACCESSTOKEN_LOG_DEBUG(LABEL, "Perm: %{public}s, state: %{public}d",
250 reqPermList[i].permsState.permissionName.c_str(), reqPermList[i].permsState.state);
251 }
252 if (GetTokenType(tokenID) == TOKEN_HAP && AccessTokenInfoManager::GetInstance().GetPermDialogCap(tokenID)) {
253 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID=%{public}d is under control", tokenID);
254 uint32_t size = reqPermList.size();
255 for (uint32_t i = 0; i < size; i++) {
256 if (reqPermList[i].permsState.state != INVALID_OPER) {
257 reqPermList[i].permsState.state = FORBIDDEN_OPER;
258 }
259 }
260 return FORBIDDEN_OPER;
261 }
262 if (needRes) {
263 return DYNAMIC_OPER;
264 }
265 return PASS_OPER;
266 }
267
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)268 int AccessTokenManagerService::GetPermissionFlag(
269 AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
270 {
271 return PermissionManager::GetInstance().GetPermissionFlag(tokenID, permissionName, flag);
272 }
273
SetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t status,int32_t userID=0)274 int32_t AccessTokenManagerService::SetPermissionRequestToggleStatus(
275 const std::string& permissionName, uint32_t status, int32_t userID = 0)
276 {
277 return PermissionManager::GetInstance().SetPermissionRequestToggleStatus(permissionName, status, userID);
278 }
279
GetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t & status,int32_t userID=0)280 int32_t AccessTokenManagerService::GetPermissionRequestToggleStatus(
281 const std::string& permissionName, uint32_t& status, int32_t userID = 0)
282 {
283 return PermissionManager::GetInstance().GetPermissionRequestToggleStatus(permissionName, status, userID);
284 }
285
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)286 int AccessTokenManagerService::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
287 {
288 return PermissionManager::GetInstance().GrantPermission(tokenID, permissionName, flag);
289 }
290
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)291 int AccessTokenManagerService::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
292 {
293 return PermissionManager::GetInstance().RevokePermission(tokenID, permissionName, flag);
294 }
295
GrantPermissionForSpecifiedTime(AccessTokenID tokenID,const std::string & permissionName,uint32_t onceTime)296 int AccessTokenManagerService::GrantPermissionForSpecifiedTime(
297 AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime)
298 {
299 int32_t ret = PermissionManager::GetInstance().GrantPermissionForSpecifiedTime(tokenID, permissionName, onceTime);
300 return ret;
301 }
302
ClearUserGrantedPermissionState(AccessTokenID tokenID)303 int AccessTokenManagerService::ClearUserGrantedPermissionState(AccessTokenID tokenID)
304 {
305 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d", tokenID);
306 PermissionManager::GetInstance().ClearUserGrantedPermissionState(tokenID);
307 AccessTokenInfoManager::GetInstance().SetPermDialogCap(tokenID, false);
308 return RET_SUCCESS;
309 }
310
RegisterPermStateChangeCallback(const PermStateChangeScopeParcel & scope,const sptr<IRemoteObject> & callback)311 int32_t AccessTokenManagerService::RegisterPermStateChangeCallback(
312 const PermStateChangeScopeParcel& scope, const sptr<IRemoteObject>& callback)
313 {
314 return PermissionManager::GetInstance().AddPermStateChangeCallback(scope.scope, callback);
315 }
316
UnRegisterPermStateChangeCallback(const sptr<IRemoteObject> & callback)317 int32_t AccessTokenManagerService::UnRegisterPermStateChangeCallback(const sptr<IRemoteObject>& callback)
318 {
319 return PermissionManager::GetInstance().RemovePermStateChangeCallback(callback);
320 }
321
AllocHapToken(const HapInfoParcel & info,const HapPolicyParcel & policy)322 AccessTokenIDEx AccessTokenManagerService::AllocHapToken(const HapInfoParcel& info, const HapPolicyParcel& policy)
323 {
324 ACCESSTOKEN_LOG_INFO(LABEL, "BundleName: %{public}s", info.hapInfoParameter.bundleName.c_str());
325 AccessTokenIDEx tokenIdEx;
326 tokenIdEx.tokenIDEx = 0LL;
327
328 int ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(
329 info.hapInfoParameter, policy.hapPolicyParameter, tokenIdEx);
330 if (ret != RET_SUCCESS) {
331 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token info create failed");
332 }
333 return tokenIdEx;
334 }
335
InitHapToken(const HapInfoParcel & info,HapPolicyParcel & policy,AccessTokenIDEx & fullTokenId)336 int32_t AccessTokenManagerService::InitHapToken(
337 const HapInfoParcel& info, HapPolicyParcel& policy, AccessTokenIDEx& fullTokenId)
338 {
339 ACCESSTOKEN_LOG_INFO(LABEL, "Init hap %{public}s.", info.hapInfoParameter.bundleName.c_str());
340 std::vector<PermissionStateFull> initializedList;
341 if (info.hapInfoParameter.dlpType == DLP_COMMON) {
342 if (!PermissionManager::GetInstance().InitPermissionList(info.hapInfoParameter.appDistributionType,
343 policy.hapPolicyParameter, initializedList)) {
344 return ERR_PERM_REQUEST_CFG_FAILED;
345 }
346 } else {
347 if (!PermissionManager::GetInstance().InitDlpPermissionList(
348 info.hapInfoParameter.bundleName, info.hapInfoParameter.userID, initializedList)) {
349 return ERR_PERM_REQUEST_CFG_FAILED;
350 }
351 }
352 policy.hapPolicyParameter.permStateList = initializedList;
353
354 int32_t ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(
355 info.hapInfoParameter, policy.hapPolicyParameter, fullTokenId);
356 if (ret != RET_SUCCESS) {
357 return ret;
358 }
359
360 return ret;
361 }
362
DeleteToken(AccessTokenID tokenID)363 int AccessTokenManagerService::DeleteToken(AccessTokenID tokenID)
364 {
365 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d", tokenID);
366 // only support hap token deletion
367 return AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID);
368 }
369
GetTokenType(AccessTokenID tokenID)370 int AccessTokenManagerService::GetTokenType(AccessTokenID tokenID)
371 {
372 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID: %{public}d", tokenID);
373 return AccessTokenIDManager::GetInstance().GetTokenIdType(tokenID);
374 }
375
CheckNativeDCap(AccessTokenID tokenID,const std::string & dcap)376 int AccessTokenManagerService::CheckNativeDCap(AccessTokenID tokenID, const std::string& dcap)
377 {
378 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d, dcap: %{public}s",
379 tokenID, dcap.c_str());
380 return AccessTokenInfoManager::GetInstance().CheckNativeDCap(tokenID, dcap);
381 }
382
GetHapTokenID(int32_t userID,const std::string & bundleName,int32_t instIndex)383 AccessTokenIDEx AccessTokenManagerService::GetHapTokenID(
384 int32_t userID, const std::string& bundleName, int32_t instIndex)
385 {
386 ACCESSTOKEN_LOG_DEBUG(LABEL, "UserID: %{public}d, bundle: %{public}s, instIndex: %{public}d",
387 userID, bundleName.c_str(), instIndex);
388 return AccessTokenInfoManager::GetInstance().GetHapTokenID(userID, bundleName, instIndex);
389 }
390
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)391 AccessTokenID AccessTokenManagerService::AllocLocalTokenID(
392 const std::string& remoteDeviceID, AccessTokenID remoteTokenID)
393 {
394 ACCESSTOKEN_LOG_INFO(LABEL, "RemoteDeviceID: %{public}s, remoteTokenID: %{public}d",
395 ConstantCommon::EncryptDevId(remoteDeviceID).c_str(), remoteTokenID);
396 AccessTokenID tokenID = AccessTokenInfoManager::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
397 return tokenID;
398 }
399
UpdateHapToken(AccessTokenIDEx & tokenIdEx,const UpdateHapInfoParams & info,const HapPolicyParcel & policyParcel)400 int32_t AccessTokenManagerService::UpdateHapToken(AccessTokenIDEx& tokenIdEx,
401 const UpdateHapInfoParams& info, const HapPolicyParcel& policyParcel)
402 {
403 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d", tokenIdEx.tokenIdExStruct.tokenID);
404 std::vector<PermissionStateFull> InitializedList;
405 if (!PermissionManager::GetInstance().InitPermissionList(
406 info.appDistributionType, policyParcel.hapPolicyParameter, InitializedList)) {
407 return ERR_PERM_REQUEST_CFG_FAILED;
408 }
409 int32_t ret = AccessTokenInfoManager::GetInstance().UpdateHapToken(tokenIdEx, info,
410 InitializedList, policyParcel.hapPolicyParameter.apl, policyParcel.hapPolicyParameter.permList);
411 return ret;
412 }
413
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfoParcel & infoParcel)414 int AccessTokenManagerService::GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfoParcel& infoParcel)
415 {
416 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID: %{public}d", tokenID);
417
418 return AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, infoParcel.hapTokenInfoParams);
419 }
420
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfoParcel & infoParcel)421 int AccessTokenManagerService::GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfoParcel& infoParcel)
422 {
423 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID: %{public}d", tokenID);
424
425 return AccessTokenInfoManager::GetInstance().GetNativeTokenInfo(tokenID, infoParcel.nativeTokenInfoParams);
426 }
427
428 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
ReloadNativeTokenInfo()429 int32_t AccessTokenManagerService::ReloadNativeTokenInfo()
430 {
431 return NativeTokenReceptor::GetInstance().Init();
432 }
433
434 #endif
435
GetNativeTokenId(const std::string & processName)436 AccessTokenID AccessTokenManagerService::GetNativeTokenId(const std::string& processName)
437 {
438 return AccessTokenInfoManager::GetInstance().GetNativeTokenId(processName);
439 }
440
441 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSyncParcel & hapSyncParcel)442 int AccessTokenManagerService::GetHapTokenInfoFromRemote(AccessTokenID tokenID,
443 HapTokenInfoForSyncParcel& hapSyncParcel)
444 {
445 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d", tokenID);
446
447 return AccessTokenInfoManager::GetInstance().GetHapTokenInfoFromRemote(tokenID,
448 hapSyncParcel.hapTokenInfoForSyncParams);
449 }
450
SetRemoteHapTokenInfo(const std::string & deviceID,HapTokenInfoForSyncParcel & hapSyncParcel)451 int AccessTokenManagerService::SetRemoteHapTokenInfo(const std::string& deviceID,
452 HapTokenInfoForSyncParcel& hapSyncParcel)
453 {
454 ACCESSTOKEN_LOG_INFO(LABEL, "DeviceID: %{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
455 int ret = AccessTokenInfoManager::GetInstance().SetRemoteHapTokenInfo(deviceID,
456 hapSyncParcel.hapTokenInfoForSyncParams);
457 return ret;
458 }
459
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)460 int AccessTokenManagerService::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
461 {
462 ACCESSTOKEN_LOG_INFO(LABEL, "DeviceID: %{public}s, token id %{public}d",
463 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
464 return AccessTokenInfoManager::GetInstance().DeleteRemoteToken(deviceID, tokenID);
465 }
466
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID)467 AccessTokenID AccessTokenManagerService::GetRemoteNativeTokenID(const std::string& deviceID,
468 AccessTokenID tokenID)
469 {
470 ACCESSTOKEN_LOG_INFO(LABEL, "DeviceID: %{public}s, token id %{public}d",
471 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
472
473 return AccessTokenInfoManager::GetInstance().GetRemoteNativeTokenID(deviceID, tokenID);
474 }
475
DeleteRemoteDeviceTokens(const std::string & deviceID)476 int AccessTokenManagerService::DeleteRemoteDeviceTokens(const std::string& deviceID)
477 {
478 ACCESSTOKEN_LOG_INFO(LABEL, "DeviceID: %{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
479 return AccessTokenInfoManager::GetInstance().DeleteRemoteDeviceTokens(deviceID);
480 }
481
RegisterTokenSyncCallback(const sptr<IRemoteObject> & callback)482 int32_t AccessTokenManagerService::RegisterTokenSyncCallback(const sptr<IRemoteObject>& callback)
483 {
484 ACCESSTOKEN_LOG_INFO(LABEL, "Call token sync callback registed.");
485 return TokenModifyNotifier::GetInstance().RegisterTokenSyncCallback(callback);
486 }
487
UnRegisterTokenSyncCallback()488 int32_t AccessTokenManagerService::UnRegisterTokenSyncCallback()
489 {
490 ACCESSTOKEN_LOG_INFO(LABEL, "Call token sync callback unregisted.");
491 return TokenModifyNotifier::GetInstance().UnRegisterTokenSyncCallback();
492 }
493 #endif
494
DumpTokenInfo(const AtmToolsParamInfoParcel & infoParcel,std::string & dumpInfo)495 void AccessTokenManagerService::DumpTokenInfo(const AtmToolsParamInfoParcel& infoParcel, std::string& dumpInfo)
496 {
497 ACCESSTOKEN_LOG_INFO(LABEL, "Called");
498
499 AccessTokenInfoManager::GetInstance().DumpTokenInfo(infoParcel.info, dumpInfo);
500 }
501
GetVersion(uint32_t & version)502 int32_t AccessTokenManagerService::GetVersion(uint32_t& version)
503 {
504 ACCESSTOKEN_LOG_INFO(LABEL, "Called");
505 version = DEFAULT_TOKEN_VERSION;
506 return RET_SUCCESS;
507 }
508
SetPermDialogCap(const HapBaseInfoParcel & hapBaseInfoParcel,bool enable)509 int32_t AccessTokenManagerService::SetPermDialogCap(const HapBaseInfoParcel& hapBaseInfoParcel, bool enable)
510 {
511 AccessTokenIDEx tokenIdEx = AccessTokenInfoManager::GetInstance().GetHapTokenID(
512 hapBaseInfoParcel.hapBaseInfo.userID,
513 hapBaseInfoParcel.hapBaseInfo.bundleName,
514 hapBaseInfoParcel.hapBaseInfo.instIndex);
515
516 return AccessTokenInfoManager::GetInstance().SetPermDialogCap(tokenIdEx.tokenIdExStruct.tokenID, enable);
517 }
518
GetPermissionManagerInfo(PermissionGrantInfoParcel & infoParcel)519 void AccessTokenManagerService::GetPermissionManagerInfo(PermissionGrantInfoParcel& infoParcel)
520 {
521 infoParcel.info.grantBundleName = grantBundleName_;
522 infoParcel.info.grantAbilityName = grantAbilityName_;
523 infoParcel.info.grantServiceAbilityName = grantServiceAbilityName_;
524 infoParcel.info.permStateAbilityName = permStateAbilityName_;
525 infoParcel.info.globalSwitchAbilityName = globalSwitchAbilityName_;
526 }
527
Dump(int fd,const std::vector<std::u16string> & args)528 int AccessTokenManagerService::Dump(int fd, const std::vector<std::u16string>& args)
529 {
530 if (fd < 0) {
531 return ERR_INVALID_VALUE;
532 }
533
534 dprintf(fd, "AccessToken Dump:\n");
535 std::string arg0 = ((args.size() == 0)? "" : Str16ToStr8(args.at(0)));
536 if (arg0.compare("-h") == 0) {
537 dprintf(fd, "Usage:\n");
538 dprintf(fd, " -h: command help\n");
539 dprintf(fd, " -a: dump all tokens\n");
540 dprintf(fd, " -t <TOKEN_ID>: dump special token id\n");
541 } else if (arg0.compare("-t") == 0) {
542 if (args.size() < TWO_ARGS) {
543 return ERR_INVALID_VALUE;
544 }
545 long long tokenID = atoll(static_cast<const char *>(Str16ToStr8(args.at(1)).c_str()));
546 if (tokenID <= 0) {
547 return ERR_INVALID_VALUE;
548 }
549 AtmToolsParamInfoParcel infoParcel;
550 infoParcel.info.tokenId = static_cast<AccessTokenID>(tokenID);
551 std::string dumpStr;
552 DumpTokenInfo(infoParcel, dumpStr);
553 dprintf(fd, "%s\n", dumpStr.c_str());
554 } else if (arg0.compare("-a") == 0 || arg0 == "") {
555 std::string dumpStr;
556 AtmToolsParamInfoParcel infoParcel;
557 DumpTokenInfo(infoParcel, dumpStr);
558 dprintf(fd, "%s\n", dumpStr.c_str());
559 }
560 return ERR_OK;
561 }
562
AccessTokenServiceParamSet() const563 void AccessTokenManagerService::AccessTokenServiceParamSet() const
564 {
565 int32_t res = SetParameter(ACCESS_TOKEN_SERVICE_INIT_KEY, std::to_string(1).c_str());
566 if (res != 0) {
567 ACCESSTOKEN_LOG_ERROR(LABEL, "SetParameter ACCESS_TOKEN_SERVICE_INIT_KEY failed %{public}d", res);
568 }
569 ACCESSTOKEN_LOG_INFO(LABEL, "SetParameter ACCESS_TOKEN_SERVICE_INIT_KEY success");
570 }
571
GetConfigValue()572 void AccessTokenManagerService::GetConfigValue()
573 {
574 LibraryLoader loader(CONFIG_POLICY_LIBPATH);
575 ConfigPolicyLoaderInterface* policy = loader.GetObject<ConfigPolicyLoaderInterface>();
576 if (policy == nullptr) {
577 ACCESSTOKEN_LOG_ERROR(LABEL, "Dlopen libaccesstoken_config_policy failed.");
578 return;
579 }
580 AccessTokenConfigValue value;
581 if (policy->GetConfigValue(ServiceType::ACCESSTOKEN_SERVICE, value)) {
582 // set value from config
583 grantBundleName_ = value.atConfig.grantBundleName.empty()
584 ? GRANT_ABILITY_BUNDLE_NAME : value.atConfig.grantBundleName;
585 grantAbilityName_ = value.atConfig.grantAbilityName.empty()
586 ? GRANT_ABILITY_ABILITY_NAME : value.atConfig.grantAbilityName;
587 grantServiceAbilityName_ = value.atConfig.grantServiceAbilityName.empty()
588 ? GRANT_ABILITY_ABILITY_NAME : value.atConfig.grantServiceAbilityName;
589 permStateAbilityName_ = value.atConfig.permStateAbilityName.empty()
590 ? PERMISSION_STATE_SHEET_ABILITY_NAME : value.atConfig.permStateAbilityName;
591 globalSwitchAbilityName_ = value.atConfig.globalSwitchAbilityName.empty()
592 ? GLOBAL_SWITCH_SHEET_ABILITY_NAME : value.atConfig.globalSwitchAbilityName;
593 } else {
594 ACCESSTOKEN_LOG_INFO(LABEL, "No config file or config file is not valid, use default values");
595 grantBundleName_ = GRANT_ABILITY_BUNDLE_NAME;
596 grantAbilityName_ = GRANT_ABILITY_ABILITY_NAME;
597 grantServiceAbilityName_ = GRANT_ABILITY_ABILITY_NAME;
598 permStateAbilityName_ = PERMISSION_STATE_SHEET_ABILITY_NAME;
599 globalSwitchAbilityName_ = GLOBAL_SWITCH_SHEET_ABILITY_NAME;
600 }
601
602 ACCESSTOKEN_LOG_INFO(LABEL, "GrantBundleName_ is %{public}s, grantAbilityName_ is %{public}s, \
603 permStateAbilityName_ is %{public}s, permStateAbilityName_ is %{public}s",
604 grantBundleName_.c_str(), grantAbilityName_.c_str(),
605 permStateAbilityName_.c_str(), permStateAbilityName_.c_str());
606 }
607
Initialize()608 bool AccessTokenManagerService::Initialize()
609 {
610 ReportSysEventPerformance();
611 AccessTokenInfoManager::GetInstance().Init();
612 NativeTokenReceptor::GetInstance().Init();
613
614 #ifdef EVENTHANDLER_ENABLE
615 eventRunner_ = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
616 if (!eventRunner_) {
617 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to create a recvRunner.");
618 ReportSysEventServiceStartError(EVENTRUNNER_CREATE_ERROR, "Create temp eventRunner error.", -1);
619 return false;
620 }
621 eventHandler_ = std::make_shared<AccessEventHandler>(eventRunner_);
622 TempPermissionObserver::GetInstance().InitEventHandler(eventHandler_);
623
624 shortGrantEventRunner_ = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
625 if (!shortGrantEventRunner_) {
626 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to create a shortGrantEventRunner_.");
627 ReportSysEventServiceStartError(EVENTRUNNER_CREATE_ERROR, "Create short grant eventRunner error.", -1);
628 return false;
629 }
630 shortGrantEventHandler_ = std::make_shared<AccessEventHandler>(shortGrantEventRunner_);
631 ShortGrantManager::GetInstance().InitEventHandler(shortGrantEventHandler_);
632 #endif
633
634 #ifdef SUPPORT_SANDBOX_APP
635 DlpPermissionSetParser::GetInstance().Init();
636 #endif
637 PermissionDefinitionParser::GetInstance().Init();
638 GetConfigValue();
639 TempPermissionObserver::GetInstance().GetConfigValue();
640 ACCESSTOKEN_LOG_INFO(LABEL, "Initialize success");
641 return true;
642 }
643 } // namespace AccessToken
644 } // namespace Security
645 } // namespace OHOS
646