1 /*
2 * Copyright (C) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <map>
17
18 #include "netmanager_base_permission.h"
19
20 #include <accesstoken_kit.h>
21 #include <ipc_skeleton.h>
22 #include <tokenid_kit.h>
23
24 #include "net_mgr_log_wrapper.h"
25
26 namespace OHOS {
27 namespace NetManagerStandard {
28 /**
29 * @brief Permission check by callingTokenID.
30 * @param permissionName permission name.
31 * @return Returns true on success, false on failure.
32 */
CheckPermission(const std::string & permissionName)33 bool NetManagerPermission::CheckPermission(const std::string &permissionName)
34 {
35 if (permissionName.empty()) {
36 NETMGR_LOG_E("permission check failed,permission name is empty.");
37 return false;
38 }
39 auto callerToken = IPCSkeleton::GetCallingTokenID();
40 int result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
41 if (result != Security::AccessToken::PERMISSION_GRANTED) {
42 NETMGR_LOG_E("permission check failed, permission:%{public}s, callerToken:%{public}u", permissionName.c_str(),
43 callerToken);
44 return false;
45 }
46 return true;
47 }
48
CheckPermissionWithCache(const std::string & permissionName)49 bool NetManagerPermission::CheckPermissionWithCache(const std::string &permissionName)
50 {
51 if (permissionName.empty()) {
52 NETMGR_LOG_E("permission check failed,permission name is empty.");
53 return false;
54 }
55 static std::map<uint32_t, bool> permissionMap;
56 static std::mutex mutex;
57 auto callerToken = IPCSkeleton::GetCallingTokenID();
58 {
59 std::lock_guard<std::mutex> lock(mutex);
60 auto iter = permissionMap.find(callerToken);
61 if (iter != permissionMap.end()) {
62 return iter->second;
63 }
64 }
65 bool res = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName) ==
66 Security::AccessToken::PERMISSION_GRANTED;
67 {
68 std::lock_guard<std::mutex> lock(mutex);
69 permissionMap[callerToken] = res;
70 }
71 return res;
72 }
73
IsSystemCaller()74 bool NetManagerPermission::IsSystemCaller()
75 {
76 if (Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(IPCSkeleton::GetCallingTokenID()) !=
77 Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) {
78 return true;
79 }
80 bool checkResult =
81 Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(IPCSkeleton::GetCallingFullTokenID());
82 if (!checkResult) {
83 NETMGR_LOG_E("Caller is not allowed, need sys permissive");
84 }
85 return checkResult;
86 }
87
CheckNetSysInternalPermission(const std::string & permissionName)88 bool NetManagerPermission::CheckNetSysInternalPermission(const std::string &permissionName)
89 {
90 if (permissionName.empty()) {
91 NETMGR_LOG_E("permission check failed,permission name is empty.");
92 return false;
93 }
94
95 auto callerToken = IPCSkeleton::GetCallingTokenID();
96 auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
97 int result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
98 if (result != Security::AccessToken::PERMISSION_GRANTED) {
99 NETMGR_LOG_E("permission check failed, permission:%{public}s, callerToken:%{public}u, tokenType:%{public}d",
100 permissionName.c_str(), callerToken, tokenType);
101 return false;
102 }
103 return true;
104 }
105 } // namespace NetManagerStandard
106 } // namespace OHOS