1 /*
2  * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "dlp_permission_stub.h"
17 #include "accesstoken_kit.h"
18 #include "dlp_dfx_define.h"
19 #include "dlp_permission.h"
20 #include "dlp_permission_log.h"
21 #include "ipc_skeleton.h"
22 #include "securec.h"
23 #include "string_ex.h"
24 
25 namespace OHOS {
26 namespace Security {
27 namespace DlpPermission {
28 namespace {
29 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_DLP_PERMISSION, "DlpPermissionStub"};
30 static const std::string FOUNDATION_SERVICE_NAME = "foundation";
31 const std::string PERMISSION_ACCESS_DLP_FILE = "ohos.permission.ACCESS_DLP_FILE";
32 }  // namespace
33 
CheckPermission(const std::string & permission)34 static bool CheckPermission(const std::string& permission)
35 {
36     Security::AccessToken::AccessTokenID callingToken = IPCSkeleton::GetCallingTokenID();
37     int res = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callingToken, permission);
38     if (res == Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
39         DLP_LOG_INFO(LABEL, "Check permission %{public}s pass", permission.c_str());
40         return true;
41     }
42 
43     HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::DLP, "DLP_PERMISSION_REPORT",
44         HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", DLP_PERMISSION_VERIFY_ERROR,
45         "CALLER_TOKENID", callingToken);
46 
47     DLP_LOG_ERROR(LABEL, "Check permission %{public}s fail", permission.c_str());
48     return false;
49 }
50 
IsSaCall()51 static bool IsSaCall()
52 {
53     Security::AccessToken::AccessTokenID callingToken = IPCSkeleton::GetCallingTokenID();
54     Security::AccessToken::TypeATokenTypeEnum res = Security::AccessToken::AccessTokenKit::GetTokenType(callingToken);
55     return (res == Security::AccessToken::TOKEN_NATIVE);
56 }
57 
CheckSandboxFlag(AccessToken::AccessTokenID tokenId,bool & sandboxFlag)58 static int32_t CheckSandboxFlag(AccessToken::AccessTokenID tokenId, bool& sandboxFlag)
59 {
60     int32_t res = AccessToken::AccessTokenKit::GetHapDlpFlag(tokenId);
61     if (res < 0) {
62         DLP_LOG_ERROR(LABEL, "Invalid tokenId, tokenId: %{public}d", tokenId);
63         return res;
64     }
65     sandboxFlag = (res == 1);
66     return DLP_OK;
67 }
68 
OnRemoteRequest(uint32_t code,MessageParcel & data,MessageParcel & reply,MessageOption & option)69 int32_t DlpPermissionStub::OnRemoteRequest(
70     uint32_t code, MessageParcel& data, MessageParcel& reply, MessageOption& option)
71 {
72     DLP_LOG_INFO(LABEL, "Called, code: 0x%{public}x, pid: %{public}d, uid: %{public}d", code,
73         IPCSkeleton::GetCallingRealPid(), IPCSkeleton::GetCallingUid());
74 
75     std::u16string descripter = DlpPermissionStub::GetDescriptor();
76     std::u16string remoteDescripter = data.ReadInterfaceToken();
77     if (descripter != remoteDescripter) {
78         DLP_LOG_ERROR(LABEL, "Deal remote request fail, descriptor is not matched");
79         return DLP_SERVICE_ERROR_IPC_REQUEST_FAIL;
80     }
81 
82     auto itFunc = requestFuncMap_.find(code);
83     if (itFunc != requestFuncMap_.end()) {
84         auto requestFunc = itFunc->second.funcType;
85         if (requestFunc != nullptr) {
86             int32_t res = requestFunc(data, reply);
87 #ifndef DLP_FUZZ_TEST
88             if (itFunc->second.isNeedStartTimer) {
89                 DLP_LOG_DEBUG(LABEL, "enter StartTimer");
90                 StartTimer();
91             }
92 #endif
93             return res;
94         }
95     }
96 
97     return IPCObjectStub::OnRemoteRequest(code, data, reply, option);
98 }
99 
GenerateDlpCertificateInner(MessageParcel & data,MessageParcel & reply)100 int32_t DlpPermissionStub::GenerateDlpCertificateInner(MessageParcel& data, MessageParcel& reply)
101 {
102     if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
103         return DLP_SERVICE_ERROR_PERMISSION_DENY;
104     }
105 
106     sptr<DlpPolicyParcel> policyParcel = data.ReadParcelable<DlpPolicyParcel>();
107     if (policyParcel == nullptr) {
108         DLP_LOG_ERROR(LABEL, "Read dlp policy parcel fail");
109         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
110     }
111 
112     sptr<IRemoteObject> obj = data.ReadRemoteObject();
113     if (obj == nullptr) {
114         DLP_LOG_ERROR(LABEL, "Read generate cert callback object fail");
115         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
116     }
117 
118     sptr<IDlpPermissionCallback> callback = iface_cast<IDlpPermissionCallback>(obj);
119     if (callback == nullptr) {
120         DLP_LOG_ERROR(LABEL, "Iface cast generate cert callback fail");
121         return DLP_SERVICE_ERROR_VALUE_INVALID;
122     }
123 
124     int32_t res = GenerateDlpCertificate(policyParcel, callback);
125     if (!reply.WriteInt32(res)) {
126         DLP_LOG_ERROR(LABEL, "Write generate cert result fail");
127         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
128     }
129     return DLP_OK;
130 }
131 
ParseDlpCertificateInner(MessageParcel & data,MessageParcel & reply)132 int32_t DlpPermissionStub::ParseDlpCertificateInner(MessageParcel& data, MessageParcel& reply)
133 {
134     if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
135         return DLP_SERVICE_ERROR_PERMISSION_DENY;
136     }
137     std::string appId;
138     if (!data.ReadString(appId)) {
139         DLP_LOG_ERROR(LABEL, "Read appId fail");
140         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
141     }
142     sptr<CertParcel> certParcel = data.ReadParcelable<CertParcel>();
143     if (certParcel == nullptr) {
144         DLP_LOG_ERROR(LABEL, "Read certParcel fail");
145         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
146     }
147     sptr<IRemoteObject> obj = data.ReadRemoteObject();
148     if (obj == nullptr) {
149         DLP_LOG_ERROR(LABEL, "Read parse cert callback object fail");
150         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
151     }
152     bool offlineAccess = false;
153     if (!data.ReadBool(offlineAccess)) {
154         DLP_LOG_ERROR(LABEL, "Read offlineAccess fail");
155         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
156     }
157     sptr<IDlpPermissionCallback> callback = iface_cast<IDlpPermissionCallback>(obj);
158     if (callback == nullptr) {
159         DLP_LOG_ERROR(LABEL, "Iface cast parse cert callback fail");
160         return DLP_SERVICE_ERROR_VALUE_INVALID;
161     }
162 
163     int32_t res = ParseDlpCertificate(certParcel, callback, appId, offlineAccess);
164     if (!reply.WriteInt32(res)) {
165         DLP_LOG_ERROR(LABEL, "Write parse cert result fail");
166         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
167     }
168     return DLP_OK;
169 }
170 
InstallDlpSandboxInner(MessageParcel & data,MessageParcel & reply)171 int32_t DlpPermissionStub::InstallDlpSandboxInner(MessageParcel& data, MessageParcel& reply)
172 {
173     if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
174         return DLP_SERVICE_ERROR_PERMISSION_DENY;
175     }
176 
177     std::string bundleName;
178     if (!data.ReadString(bundleName)) {
179         DLP_LOG_ERROR(LABEL, "Read bundle name fail");
180         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
181     }
182 
183     uint32_t type;
184     if (!data.ReadUint32(type)) {
185         DLP_LOG_ERROR(LABEL, "Read auth perm type fail");
186         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
187     }
188     DLPFileAccess dlpFileAccess = static_cast<DLPFileAccess>(type);
189 
190     int32_t userId;
191     if (!data.ReadInt32(userId)) {
192         DLP_LOG_ERROR(LABEL, "Read user id fail");
193         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
194     }
195 
196     std::string uri;
197     if (!data.ReadString(uri)) {
198         DLP_LOG_ERROR(LABEL, "Read uri fail");
199         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
200     }
201 
202     SandboxInfo sandboxInfo;
203     int32_t res = InstallDlpSandbox(bundleName, dlpFileAccess, userId, sandboxInfo, uri);
204     if (!reply.WriteInt32(res)) {
205         DLP_LOG_ERROR(LABEL, "Write install sandbox result fail");
206         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
207     }
208     if (!reply.WriteInt32(sandboxInfo.appIndex)) {
209         DLP_LOG_ERROR(LABEL, "Write sandbox index fail");
210         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
211     }
212     if (!reply.WriteUint32(sandboxInfo.tokenId)) {
213         DLP_LOG_ERROR(LABEL, "Write sandbox tokenId fail");
214         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
215     }
216     return DLP_OK;
217 }
218 
UninstallDlpSandboxInner(MessageParcel & data,MessageParcel & reply)219 int32_t DlpPermissionStub::UninstallDlpSandboxInner(MessageParcel& data, MessageParcel& reply)
220 {
221     if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
222         return DLP_SERVICE_ERROR_PERMISSION_DENY;
223     }
224 
225     std::string bundleName;
226     if (!data.ReadString(bundleName)) {
227         DLP_LOG_ERROR(LABEL, "Read bundle name fail");
228         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
229     }
230 
231     int32_t appIndex;
232     if (!data.ReadInt32(appIndex)) {
233         DLP_LOG_ERROR(LABEL, "Read sandbox index fail");
234         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
235     }
236 
237     int32_t userId;
238     if (!data.ReadInt32(userId)) {
239         DLP_LOG_ERROR(LABEL, "Read user id fail");
240         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
241     }
242 
243     int32_t res = UninstallDlpSandbox(bundleName, appIndex, userId);
244     if (!reply.WriteInt32(res)) {
245         DLP_LOG_ERROR(LABEL, "Write uninstall sandbox result fail");
246         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
247     }
248     return DLP_OK;
249 }
250 
GetSandboxExternalAuthorizationInner(MessageParcel & data,MessageParcel & reply)251 int32_t DlpPermissionStub::GetSandboxExternalAuthorizationInner(MessageParcel& data, MessageParcel& reply)
252 {
253     if (!IsSaCall() && !CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
254         DLP_LOG_ERROR(LABEL, "Caller is not SA or has no ACCESS_DLP_FILE permission");
255         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
256     }
257     int32_t sandboxUid;
258     if (!data.ReadInt32(sandboxUid)) {
259         DLP_LOG_ERROR(LABEL, "Read sandbox uid fail");
260         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
261     }
262 
263     std::unique_ptr<AAFwk::Want> want(data.ReadParcelable<AAFwk::Want>());
264     if (want == nullptr) {
265         DLP_LOG_ERROR(LABEL, "Read want fail");
266         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
267     }
268 
269     SandBoxExternalAuthorType authType;
270     int32_t res = GetSandboxExternalAuthorization(sandboxUid, *want, authType);
271     if (res != DLP_OK) {
272         return res;
273     }
274 
275     if (!reply.WriteInt32(authType)) {
276         DLP_LOG_ERROR(LABEL, "Write sandbox external auth type fail");
277         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
278     }
279     return DLP_OK;
280 }
281 
QueryDlpFileCopyableByTokenIdInner(MessageParcel & data,MessageParcel & reply)282 int32_t DlpPermissionStub::QueryDlpFileCopyableByTokenIdInner(MessageParcel& data, MessageParcel& reply)
283 {
284     uint32_t tokenId;
285     if (!data.ReadUint32(tokenId)) {
286         DLP_LOG_ERROR(LABEL, "Read token id fail");
287         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
288     }
289     bool copyable = false;
290     int32_t res = QueryDlpFileCopyableByTokenId(copyable, tokenId);
291     if (!reply.WriteInt32(res)) {
292         DLP_LOG_ERROR(LABEL, "Write copyalbe query result fail");
293         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
294     }
295     if (!reply.WriteBool(copyable)) {
296         DLP_LOG_ERROR(LABEL, "Write copyalbe fail");
297         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
298     }
299     return DLP_OK;
300 }
301 
QueryDlpFileAccessInner(MessageParcel & data,MessageParcel & reply)302 int32_t DlpPermissionStub::QueryDlpFileAccessInner(MessageParcel& data, MessageParcel& reply)
303 {
304     bool sandboxFlag;
305     if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
306         return DLP_SERVICE_ERROR_VALUE_INVALID;
307     }
308     if (!sandboxFlag) {
309         DLP_LOG_ERROR(LABEL, "Forbid called by a non-sandbox app");
310         return DLP_SERVICE_ERROR_API_ONLY_FOR_SANDBOX_ERROR;
311     }
312     DLPPermissionInfoParcel permInfoParcel;
313     int32_t res = QueryDlpFileAccess(permInfoParcel);
314     if (!reply.WriteInt32(res)) {
315         DLP_LOG_ERROR(LABEL, "Write dlp file access query result fail");
316         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
317     }
318     if (!reply.WriteParcelable(&permInfoParcel)) {
319         DLP_LOG_ERROR(LABEL, "WriteParcelable fail");
320         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
321     }
322     return DLP_OK;
323 }
324 
IsInDlpSandboxInner(MessageParcel & data,MessageParcel & reply)325 int32_t DlpPermissionStub::IsInDlpSandboxInner(MessageParcel& data, MessageParcel& reply)
326 {
327     bool inSandbox = false;
328     int32_t res = IsInDlpSandbox(inSandbox);
329     if (!reply.WriteInt32(res)) {
330         DLP_LOG_ERROR(LABEL, "Write sandbox query result fail");
331         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
332     }
333     if (!reply.WriteBool(inSandbox)) {
334         DLP_LOG_ERROR(LABEL, "Write sandbox flag fail");
335         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
336     }
337     return DLP_OK;
338 }
339 
GetDlpSupportFileTypeInner(MessageParcel & data,MessageParcel & reply)340 int32_t DlpPermissionStub::GetDlpSupportFileTypeInner(MessageParcel& data, MessageParcel& reply)
341 {
342     std::vector<std::string> supportFileType;
343     int32_t res = GetDlpSupportFileType(supportFileType);
344     if (!reply.WriteInt32(res)) {
345         DLP_LOG_ERROR(LABEL, "Write support dlp file type query result fail");
346         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
347     }
348     size_t listNum = supportFileType.size();
349     if (!reply.WriteUint32(listNum)) {
350         DLP_LOG_ERROR(LABEL, "Write support dlp file type list num fail");
351         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
352     }
353     for (const auto& iter : supportFileType) {
354         if (!reply.WriteString(iter)) {
355             DLP_LOG_ERROR(LABEL, "Write support dlp file type string fail");
356             return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
357         }
358     }
359     return DLP_OK;
360 }
361 
RegisterDlpSandboxChangeCallbackInner(MessageParcel & data,MessageParcel & reply)362 int32_t DlpPermissionStub::RegisterDlpSandboxChangeCallbackInner(MessageParcel &data, MessageParcel &reply)
363 {
364     if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
365         return DLP_SERVICE_ERROR_PERMISSION_DENY;
366     }
367     sptr<IRemoteObject> callback = data.ReadRemoteObject();
368     if (callback == nullptr) {
369         DLP_LOG_ERROR(LABEL, "read callback fail");
370         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
371     }
372     int32_t result = RegisterDlpSandboxChangeCallback(callback);
373     reply.WriteInt32(result);
374     return DLP_OK;
375 }
376 
UnRegisterDlpSandboxChangeCallbackInner(MessageParcel & data,MessageParcel & reply)377 int32_t DlpPermissionStub::UnRegisterDlpSandboxChangeCallbackInner(MessageParcel &data, MessageParcel &reply)
378 {
379     if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
380         return DLP_SERVICE_ERROR_PERMISSION_DENY;
381     }
382     bool res = false;
383     int32_t result = UnRegisterDlpSandboxChangeCallback(res);
384     if (!reply.WriteInt32(result)) {
385         DLP_LOG_ERROR(LABEL, "Write sandbox query result fail");
386         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
387     }
388     if (!reply.WriteBool(res)) {
389         DLP_LOG_ERROR(LABEL, "Write sandbox flag fail");
390         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
391     }
392     return DLP_OK;
393 }
394 
RegisterOpenDlpFileCallbackInner(MessageParcel & data,MessageParcel & reply)395 int32_t DlpPermissionStub::RegisterOpenDlpFileCallbackInner(MessageParcel &data, MessageParcel &reply)
396 {
397     bool sandboxFlag;
398     if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
399         return DLP_SERVICE_ERROR_VALUE_INVALID;
400     }
401     if (sandboxFlag) {
402         DLP_LOG_ERROR(LABEL, "Forbid called by a sandbox app");
403         return DLP_SERVICE_ERROR_API_NOT_FOR_SANDBOX_ERROR;
404     }
405     sptr<IRemoteObject> callback = data.ReadRemoteObject();
406     if (callback == nullptr) {
407         DLP_LOG_ERROR(LABEL, "read callback fail");
408         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
409     }
410     int32_t result = RegisterOpenDlpFileCallback(callback);
411     reply.WriteInt32(result);
412     return DLP_OK;
413 }
414 
UnRegisterOpenDlpFileCallbackInner(MessageParcel & data,MessageParcel & reply)415 int32_t DlpPermissionStub::UnRegisterOpenDlpFileCallbackInner(MessageParcel &data, MessageParcel &reply)
416 {
417     bool sandboxFlag;
418     if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
419         return DLP_SERVICE_ERROR_VALUE_INVALID;
420     }
421     if (sandboxFlag) {
422         DLP_LOG_ERROR(LABEL, "Forbid called by a sandbox app");
423         return DLP_SERVICE_ERROR_API_NOT_FOR_SANDBOX_ERROR;
424     }
425     sptr<IRemoteObject> callback = data.ReadRemoteObject();
426     if (callback == nullptr) {
427         DLP_LOG_ERROR(LABEL, "read callback fail");
428         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
429     }
430     int32_t result = UnRegisterOpenDlpFileCallback(callback);
431     if (!reply.WriteInt32(result)) {
432         DLP_LOG_ERROR(LABEL, "Write un-register open dlp file callback result fail");
433         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
434     }
435     return DLP_OK;
436 }
437 
GetDlpGatheringPolicyInner(MessageParcel & data,MessageParcel & reply)438 int32_t DlpPermissionStub::GetDlpGatheringPolicyInner(MessageParcel& data, MessageParcel& reply)
439 {
440     if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
441         return DLP_SERVICE_ERROR_PERMISSION_DENY;
442     }
443     bool isGathering = false;
444     int32_t res = GetDlpGatheringPolicy(isGathering);
445     if (!reply.WriteInt32(res)) {
446         DLP_LOG_ERROR(LABEL, "Write GetDlpGatheringPolicy result fail");
447         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
448     }
449     if (!reply.WriteBool(isGathering)) {
450         DLP_LOG_ERROR(LABEL, "Write isGathering fail");
451         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
452     }
453 
454     return DLP_OK;
455 }
456 
SetRetentionStateInner(MessageParcel & data,MessageParcel & reply)457 int32_t DlpPermissionStub::SetRetentionStateInner(MessageParcel& data, MessageParcel& reply)
458 {
459     bool sandboxFlag;
460     if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
461         return DLP_SERVICE_ERROR_VALUE_INVALID;
462     }
463     if (!sandboxFlag) {
464         DLP_LOG_ERROR(LABEL, "Forbid called by a non-sandbox app");
465         return DLP_SERVICE_ERROR_API_ONLY_FOR_SANDBOX_ERROR;
466     }
467     std::vector<std::string> docUriVec;
468     if (!data.ReadStringVector(&docUriVec)) {
469         DLP_LOG_ERROR(LABEL, "Read docUriVec id fail");
470         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
471     }
472 
473     int32_t result = SetRetentionState(docUriVec);
474     if (!reply.WriteInt32(result)) {
475         DLP_LOG_ERROR(LABEL, "Write sandbox query result fail");
476         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
477     }
478     if (!reply.WriteBool(result == DLP_OK)) {
479         DLP_LOG_ERROR(LABEL, "Write sandbox flag fail");
480         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
481     }
482     return DLP_OK;
483 }
484 
CancelRetentionStateInner(MessageParcel & data,MessageParcel & reply)485 int32_t DlpPermissionStub::CancelRetentionStateInner(MessageParcel& data, MessageParcel& reply)
486 {
487     std::vector<std::string> docUriVec;
488     if (!data.ReadStringVector(&docUriVec)) {
489         DLP_LOG_ERROR(LABEL, "Read token id fail");
490         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
491     }
492     int32_t result = CancelRetentionState(docUriVec);
493     if (!reply.WriteInt32(result)) {
494         DLP_LOG_ERROR(LABEL, "Write sandbox query result fail");
495         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
496     }
497     if (!reply.WriteBool(result == DLP_OK)) {
498         DLP_LOG_ERROR(LABEL, "Write sandbox flag fail");
499         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
500     }
501     return DLP_OK;
502 }
503 
GetRetentionSandboxListInner(MessageParcel & data,MessageParcel & reply)504 int32_t DlpPermissionStub::GetRetentionSandboxListInner(MessageParcel& data, MessageParcel& reply)
505 {
506     bool sandboxFlag;
507     if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
508         return DLP_SERVICE_ERROR_VALUE_INVALID;
509     }
510     if (sandboxFlag) {
511         DLP_LOG_ERROR(LABEL, "Forbid called by a sandbox app");
512         return DLP_SERVICE_ERROR_API_NOT_FOR_SANDBOX_ERROR;
513     }
514     std::string bundleName;
515     if (!data.ReadString(bundleName)) {
516         DLP_LOG_ERROR(LABEL, "Read bundle name fail");
517         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
518     }
519     std::vector<RetentionSandBoxInfo> retentionSandBoxInfoVec;
520     int32_t result = GetRetentionSandboxList(bundleName, retentionSandBoxInfoVec);
521     if (!reply.WriteInt32(result)) {
522         DLP_LOG_ERROR(LABEL, "Write sandbox query result fail");
523         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
524     }
525     if (!reply.WriteUint32(retentionSandBoxInfoVec.size())) {
526         DLP_LOG_ERROR(LABEL, "Write sandbox size result fail");
527         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
528     }
529     for (const auto& info : retentionSandBoxInfoVec) {
530         if (!reply.WriteParcelable(&info)) {
531             DLP_LOG_ERROR(LABEL, "Write sandbox size info fail");
532         }
533     }
534     return DLP_OK;
535 }
536 
ClearUnreservedSandboxInner(MessageParcel & data,MessageParcel & reply)537 int32_t DlpPermissionStub::ClearUnreservedSandboxInner(MessageParcel& data, MessageParcel& reply)
538 {
539     Security::AccessToken::AccessTokenID callingToken = IPCSkeleton::GetCallingTokenID();
540     Security::AccessToken::AccessTokenID bmsToken =
541         Security::AccessToken::AccessTokenKit::GetNativeTokenId(FOUNDATION_SERVICE_NAME);
542     if (callingToken != bmsToken) {
543         return DLP_SERVICE_ERROR_PERMISSION_DENY;
544     }
545     ClearUnreservedSandbox();
546     return DLP_OK;
547 }
548 
GetDLPFileVisitRecordInner(MessageParcel & data,MessageParcel & reply)549 int32_t DlpPermissionStub::GetDLPFileVisitRecordInner(MessageParcel& data, MessageParcel& reply)
550 {
551     bool sandboxFlag;
552     if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
553         return DLP_SERVICE_ERROR_VALUE_INVALID;
554     }
555     if (sandboxFlag) {
556         DLP_LOG_ERROR(LABEL, "Forbid called by a sandbox app");
557         return DLP_SERVICE_ERROR_API_NOT_FOR_SANDBOX_ERROR;
558     }
559     std::vector<VisitedDLPFileInfo> infoVec;
560     int32_t res = GetDLPFileVisitRecord(infoVec);
561     if (!reply.WriteInt32(res)) {
562         DLP_LOG_ERROR(LABEL, "Write support visit file record query result fail");
563         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
564     }
565     if (res != DLP_OK) {
566         return DLP_OK;
567     }
568     size_t listNum = infoVec.size();
569     if (!reply.WriteUint32(listNum)) {
570         DLP_LOG_ERROR(LABEL, "Write support visit file record list num fail");
571         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
572     }
573     for (const auto& iter : infoVec) {
574         if (!reply.WriteParcelable(&iter)) {
575             DLP_LOG_ERROR(LABEL, "Write support visit file record docUri string fail");
576             return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
577         }
578     }
579     return DLP_OK;
580 }
581 
SetMDMPolicyInner(MessageParcel & data,MessageParcel & reply)582 int32_t DlpPermissionStub::SetMDMPolicyInner(MessageParcel& data, MessageParcel& reply)
583 {
584     std::vector<std::string> appIdList;
585     if (!data.ReadStringVector(&appIdList)) {
586         DLP_LOG_ERROR(LABEL, "Read appId List fail");
587         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
588     }
589     int32_t result = SetMDMPolicy(appIdList);
590     if (!reply.WriteInt32(result)) {
591         DLP_LOG_ERROR(LABEL, "Write set policy result fail");
592         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
593     }
594     return DLP_OK;
595 }
596 
GetMDMPolicyInner(MessageParcel & data,MessageParcel & reply)597 int32_t DlpPermissionStub::GetMDMPolicyInner(MessageParcel& data, MessageParcel& reply)
598 {
599     std::vector<std::string> appIdList;
600     int32_t result = GetMDMPolicy(appIdList);
601     if (!reply.WriteInt32(result)) {
602         DLP_LOG_ERROR(LABEL, "Write get policy result fail");
603         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
604     }
605     size_t listNum = appIdList.size();
606     if (!reply.WriteUint32(listNum)) {
607         DLP_LOG_ERROR(LABEL, "Write appId list num fail");
608         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
609     }
610     if (!reply.WriteStringVector(appIdList)) {
611         DLP_LOG_ERROR(LABEL, "Write string vector fail");
612         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
613     }
614     return DLP_OK;
615 }
616 
RemoveMDMPolicyInner(MessageParcel & data,MessageParcel & reply)617 int32_t DlpPermissionStub::RemoveMDMPolicyInner(MessageParcel& data, MessageParcel& reply)
618 {
619     int32_t result = RemoveMDMPolicy();
620     if (!reply.WriteInt32(result)) {
621         DLP_LOG_ERROR(LABEL, "Write remove policy result fail");
622         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
623     }
624     return DLP_OK;
625 }
626 
SetSandboxAppConfigInner(MessageParcel & data,MessageParcel & reply)627 int32_t DlpPermissionStub::SetSandboxAppConfigInner(MessageParcel& data, MessageParcel& reply)
628 {
629     std::string configInfo;
630     if (!data.ReadString(configInfo)) {
631         DLP_LOG_ERROR(LABEL, "Read configInfo fail");
632         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
633     }
634     int32_t res = SetSandboxAppConfig(configInfo);
635     if (!reply.WriteInt32(res)) {
636         DLP_LOG_ERROR(LABEL, "Write SetSandboxAppConfig result fail");
637         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
638     }
639     return res;
640 }
641 
CleanSandboxAppConfigInner(MessageParcel & data,MessageParcel & reply)642 int32_t DlpPermissionStub::CleanSandboxAppConfigInner(MessageParcel& data, MessageParcel& reply)
643 {
644     bool sandboxFlag;
645     if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
646         return DLP_SERVICE_ERROR_VALUE_INVALID;
647     }
648     if (sandboxFlag) {
649         DLP_LOG_ERROR(LABEL, "Forbid called by a sandbox app");
650         return DLP_SERVICE_ERROR_API_NOT_FOR_SANDBOX_ERROR;
651     }
652     int32_t res = CleanSandboxAppConfig();
653     if (!reply.WriteInt32(res)) {
654         DLP_LOG_ERROR(LABEL, "Write CleanSandboxAppConfig result fail");
655         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
656     }
657     return res;
658 }
659 
GetSandboxAppConfigInner(MessageParcel & data,MessageParcel & reply)660 int32_t DlpPermissionStub::GetSandboxAppConfigInner(MessageParcel& data, MessageParcel& reply)
661 {
662     std::string configInfo;
663     int32_t res = GetSandboxAppConfig(configInfo);
664     if (!reply.WriteInt32(res)) {
665         DLP_LOG_ERROR(LABEL, "Write support sandbox app config query result fail");
666         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
667     }
668     if (res != DLP_OK) {
669         return res;
670     }
671     if (!reply.WriteString(configInfo)) {
672         DLP_LOG_ERROR(LABEL, "Write configInfo fail");
673         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
674     }
675     return DLP_OK;
676 }
677 
IsDLPFeatureProvidedInner(MessageParcel & data,MessageParcel & reply)678 int32_t DlpPermissionStub::IsDLPFeatureProvidedInner(MessageParcel& data, MessageParcel& reply)
679 {
680     bool isProvideDLPFeature;
681     IsDLPFeatureProvided(isProvideDLPFeature);
682     if (!reply.WriteBool(isProvideDLPFeature)) {
683         DLP_LOG_ERROR(LABEL, "Write isProvideDLPFeature fail.");
684         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
685     }
686     return DLP_OK;
687 }
688 
SetReadFlagInner(MessageParcel & data,MessageParcel & reply)689 int32_t DlpPermissionStub::SetReadFlagInner(MessageParcel& data, MessageParcel& reply)
690 {
691     if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
692         return DLP_SERVICE_ERROR_PERMISSION_DENY;
693     }
694 
695     uint32_t uid;
696     if (!data.ReadUint32(uid)) {
697         DLP_LOG_ERROR(LABEL, "Read uid fail.");
698         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
699     }
700     int32_t res = SetReadFlag(uid);
701     if (!reply.WriteInt32(res)) {
702         DLP_LOG_ERROR(LABEL, "Write result fail.");
703         return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
704     }
705     return res;
706 }
707 
InitMDMPolicy()708 void DlpPermissionStub::InitMDMPolicy()
709 {
710     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::SET_MDM_POLICY)] = {
711         [this](MessageParcel &data, MessageParcel &reply) { return SetMDMPolicyInner(data, reply); }};
712     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_MDM_POLICY)] = {
713         [this](MessageParcel &data, MessageParcel &reply) { return GetMDMPolicyInner(data, reply); }};
714     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::REMOVE_MDM_POLICY)] = {
715         [this](MessageParcel &data, MessageParcel &reply) { return RemoveMDMPolicyInner(data, reply); }};
716 }
717 
InitTimerFuncMap()718 void DlpPermissionStub::InitTimerFuncMap()
719 {
720     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::SET_SANDBOX_APP_CONFIG)] = {
721         [this](MessageParcel &data, MessageParcel &reply) { return SetSandboxAppConfigInner(data, reply); }, true};
722     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::CLEAN_SANDBOX_APP_CONFIG)] = {
723         [this](MessageParcel &data, MessageParcel &reply) { return CleanSandboxAppConfigInner(data, reply); }, true};
724     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_SANDBOX_APP_CONFIG)] = {
725         [this](MessageParcel &data, MessageParcel &reply) { return GetSandboxAppConfigInner(data, reply); }, true};
726     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_DLP_SUPPORT_FILE_TYPE)] = {
727         [this](MessageParcel &data, MessageParcel &reply) { return GetDlpSupportFileTypeInner(data, reply); }, true};
728     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::UN_REGISTER_OPEN_DLP_FILE_CALLBACK)] = {
729         [this](MessageParcel &data, MessageParcel &reply) { return UnRegisterOpenDlpFileCallbackInner(data, reply); },
730         true};
731     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::SET_NOT_RETENTION_STATE)] = {
732         [this](MessageParcel &data, MessageParcel &reply) { return CancelRetentionStateInner(data, reply); }, true};
733     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::CLEAR_UNRESERVED_SANDBOX)] = {
734         [this](MessageParcel &data, MessageParcel &reply) { return ClearUnreservedSandboxInner(data, reply); }, true};
735     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_VISTI_FILE_RECORD_LIST)] = {
736         [this](MessageParcel &data, MessageParcel &reply) { return GetDLPFileVisitRecordInner(data, reply); }, true};
737     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::IS_DLP_FEATURE_PROVIDED)] = {
738         [this](MessageParcel &data, MessageParcel &reply) { return IsDLPFeatureProvidedInner(data, reply); }, true};
739 }
740 
DlpPermissionStub()741 DlpPermissionStub::DlpPermissionStub()
742 {
743     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GENERATE_DLP_CERTIFICATE)] = {
744         [this](MessageParcel &data, MessageParcel &reply) { return GenerateDlpCertificateInner(data, reply); }};
745     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::PARSE_DLP_CERTIFICATE)] = {
746         [this](MessageParcel &data, MessageParcel &reply) { return ParseDlpCertificateInner(data, reply); }};
747     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::INSTALL_DLP_SANDBOX)] = {
748         [this](MessageParcel &data, MessageParcel &reply) { return InstallDlpSandboxInner(data, reply); }};
749     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::UNINSTALL_DLP_SANDBOX)] = {
750         [this](MessageParcel &data, MessageParcel &reply) { return UninstallDlpSandboxInner(data, reply); }};
751     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_SANDBOX_EXTERNAL_AUTH)] = {
752         [this](MessageParcel &data, MessageParcel &reply) { return GetSandboxExternalAuthorizationInner(data, reply); }
753     };
754     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::QUERY_DLP_FILE_ACCESS_BY_TOKEN_ID)] = {
755         [this](MessageParcel &data, MessageParcel &reply) { return QueryDlpFileCopyableByTokenIdInner(data, reply); }};
756     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::QUERY_DLP_FILE_ACCESS)] = {
757         [this](MessageParcel &data, MessageParcel &reply) { return QueryDlpFileAccessInner(data, reply); }};
758     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::IS_IN_DLP_SANDBOX)] = {
759         [this](MessageParcel &data, MessageParcel &reply) { return IsInDlpSandboxInner(data, reply); }};
760     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::REGISTER_DLP_SANDBOX_CHANGE_CALLBACK)] = {
761         [this](MessageParcel &data, MessageParcel &reply) { return RegisterDlpSandboxChangeCallbackInner(data, reply); }
762     };
763     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::UNREGISTER_DLP_SANDBOX_CHANGE_CALLBACK)]
764         = {
765             [this](MessageParcel &data, MessageParcel &reply) {
766                 return UnRegisterDlpSandboxChangeCallbackInner(data, reply);
767             }
768         };
769     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_DLP_GATHERING_POLICY)] = {
770         [this](MessageParcel &data, MessageParcel &reply) { return GetDlpGatheringPolicyInner(data, reply); }};
771     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::SET_RETENTION_STATE)] = {
772         [this](MessageParcel &data, MessageParcel &reply) { return SetRetentionStateInner(data, reply); }};
773     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_RETENTION_SANDBOX_LIST)] = {
774         [this](MessageParcel &data, MessageParcel &reply) { return GetRetentionSandboxListInner(data, reply); }};
775     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::REGISTER_OPEN_DLP_FILE_CALLBACK)] = {
776         [this](MessageParcel &data, MessageParcel &reply) { return RegisterOpenDlpFileCallbackInner(data, reply); }};
777     requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::SET_READ_FLAG)] = {
778         [this](MessageParcel& data, MessageParcel& reply) { return SetReadFlagInner(data, reply); }};
779     InitMDMPolicy();
780     InitTimerFuncMap();
781 }
782 
~DlpPermissionStub()783 DlpPermissionStub::~DlpPermissionStub()
784 {
785     requestFuncMap_.clear();
786 }
787 }  // namespace DlpPermission
788 }  // namespace Security
789 }  // namespace OHOS
790