1 /*
2 * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "dlp_permission_stub.h"
17 #include "accesstoken_kit.h"
18 #include "dlp_dfx_define.h"
19 #include "dlp_permission.h"
20 #include "dlp_permission_log.h"
21 #include "ipc_skeleton.h"
22 #include "securec.h"
23 #include "string_ex.h"
24
25 namespace OHOS {
26 namespace Security {
27 namespace DlpPermission {
28 namespace {
29 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_DLP_PERMISSION, "DlpPermissionStub"};
30 static const std::string FOUNDATION_SERVICE_NAME = "foundation";
31 const std::string PERMISSION_ACCESS_DLP_FILE = "ohos.permission.ACCESS_DLP_FILE";
32 } // namespace
33
CheckPermission(const std::string & permission)34 static bool CheckPermission(const std::string& permission)
35 {
36 Security::AccessToken::AccessTokenID callingToken = IPCSkeleton::GetCallingTokenID();
37 int res = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callingToken, permission);
38 if (res == Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
39 DLP_LOG_INFO(LABEL, "Check permission %{public}s pass", permission.c_str());
40 return true;
41 }
42
43 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::DLP, "DLP_PERMISSION_REPORT",
44 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", DLP_PERMISSION_VERIFY_ERROR,
45 "CALLER_TOKENID", callingToken);
46
47 DLP_LOG_ERROR(LABEL, "Check permission %{public}s fail", permission.c_str());
48 return false;
49 }
50
IsSaCall()51 static bool IsSaCall()
52 {
53 Security::AccessToken::AccessTokenID callingToken = IPCSkeleton::GetCallingTokenID();
54 Security::AccessToken::TypeATokenTypeEnum res = Security::AccessToken::AccessTokenKit::GetTokenType(callingToken);
55 return (res == Security::AccessToken::TOKEN_NATIVE);
56 }
57
CheckSandboxFlag(AccessToken::AccessTokenID tokenId,bool & sandboxFlag)58 static int32_t CheckSandboxFlag(AccessToken::AccessTokenID tokenId, bool& sandboxFlag)
59 {
60 int32_t res = AccessToken::AccessTokenKit::GetHapDlpFlag(tokenId);
61 if (res < 0) {
62 DLP_LOG_ERROR(LABEL, "Invalid tokenId, tokenId: %{public}d", tokenId);
63 return res;
64 }
65 sandboxFlag = (res == 1);
66 return DLP_OK;
67 }
68
OnRemoteRequest(uint32_t code,MessageParcel & data,MessageParcel & reply,MessageOption & option)69 int32_t DlpPermissionStub::OnRemoteRequest(
70 uint32_t code, MessageParcel& data, MessageParcel& reply, MessageOption& option)
71 {
72 DLP_LOG_INFO(LABEL, "Called, code: 0x%{public}x, pid: %{public}d, uid: %{public}d", code,
73 IPCSkeleton::GetCallingRealPid(), IPCSkeleton::GetCallingUid());
74
75 std::u16string descripter = DlpPermissionStub::GetDescriptor();
76 std::u16string remoteDescripter = data.ReadInterfaceToken();
77 if (descripter != remoteDescripter) {
78 DLP_LOG_ERROR(LABEL, "Deal remote request fail, descriptor is not matched");
79 return DLP_SERVICE_ERROR_IPC_REQUEST_FAIL;
80 }
81
82 auto itFunc = requestFuncMap_.find(code);
83 if (itFunc != requestFuncMap_.end()) {
84 auto requestFunc = itFunc->second.funcType;
85 if (requestFunc != nullptr) {
86 int32_t res = requestFunc(data, reply);
87 #ifndef DLP_FUZZ_TEST
88 if (itFunc->second.isNeedStartTimer) {
89 DLP_LOG_DEBUG(LABEL, "enter StartTimer");
90 StartTimer();
91 }
92 #endif
93 return res;
94 }
95 }
96
97 return IPCObjectStub::OnRemoteRequest(code, data, reply, option);
98 }
99
GenerateDlpCertificateInner(MessageParcel & data,MessageParcel & reply)100 int32_t DlpPermissionStub::GenerateDlpCertificateInner(MessageParcel& data, MessageParcel& reply)
101 {
102 if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
103 return DLP_SERVICE_ERROR_PERMISSION_DENY;
104 }
105
106 sptr<DlpPolicyParcel> policyParcel = data.ReadParcelable<DlpPolicyParcel>();
107 if (policyParcel == nullptr) {
108 DLP_LOG_ERROR(LABEL, "Read dlp policy parcel fail");
109 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
110 }
111
112 sptr<IRemoteObject> obj = data.ReadRemoteObject();
113 if (obj == nullptr) {
114 DLP_LOG_ERROR(LABEL, "Read generate cert callback object fail");
115 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
116 }
117
118 sptr<IDlpPermissionCallback> callback = iface_cast<IDlpPermissionCallback>(obj);
119 if (callback == nullptr) {
120 DLP_LOG_ERROR(LABEL, "Iface cast generate cert callback fail");
121 return DLP_SERVICE_ERROR_VALUE_INVALID;
122 }
123
124 int32_t res = GenerateDlpCertificate(policyParcel, callback);
125 if (!reply.WriteInt32(res)) {
126 DLP_LOG_ERROR(LABEL, "Write generate cert result fail");
127 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
128 }
129 return DLP_OK;
130 }
131
ParseDlpCertificateInner(MessageParcel & data,MessageParcel & reply)132 int32_t DlpPermissionStub::ParseDlpCertificateInner(MessageParcel& data, MessageParcel& reply)
133 {
134 if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
135 return DLP_SERVICE_ERROR_PERMISSION_DENY;
136 }
137 std::string appId;
138 if (!data.ReadString(appId)) {
139 DLP_LOG_ERROR(LABEL, "Read appId fail");
140 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
141 }
142 sptr<CertParcel> certParcel = data.ReadParcelable<CertParcel>();
143 if (certParcel == nullptr) {
144 DLP_LOG_ERROR(LABEL, "Read certParcel fail");
145 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
146 }
147 sptr<IRemoteObject> obj = data.ReadRemoteObject();
148 if (obj == nullptr) {
149 DLP_LOG_ERROR(LABEL, "Read parse cert callback object fail");
150 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
151 }
152 bool offlineAccess = false;
153 if (!data.ReadBool(offlineAccess)) {
154 DLP_LOG_ERROR(LABEL, "Read offlineAccess fail");
155 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
156 }
157 sptr<IDlpPermissionCallback> callback = iface_cast<IDlpPermissionCallback>(obj);
158 if (callback == nullptr) {
159 DLP_LOG_ERROR(LABEL, "Iface cast parse cert callback fail");
160 return DLP_SERVICE_ERROR_VALUE_INVALID;
161 }
162
163 int32_t res = ParseDlpCertificate(certParcel, callback, appId, offlineAccess);
164 if (!reply.WriteInt32(res)) {
165 DLP_LOG_ERROR(LABEL, "Write parse cert result fail");
166 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
167 }
168 return DLP_OK;
169 }
170
InstallDlpSandboxInner(MessageParcel & data,MessageParcel & reply)171 int32_t DlpPermissionStub::InstallDlpSandboxInner(MessageParcel& data, MessageParcel& reply)
172 {
173 if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
174 return DLP_SERVICE_ERROR_PERMISSION_DENY;
175 }
176
177 std::string bundleName;
178 if (!data.ReadString(bundleName)) {
179 DLP_LOG_ERROR(LABEL, "Read bundle name fail");
180 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
181 }
182
183 uint32_t type;
184 if (!data.ReadUint32(type)) {
185 DLP_LOG_ERROR(LABEL, "Read auth perm type fail");
186 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
187 }
188 DLPFileAccess dlpFileAccess = static_cast<DLPFileAccess>(type);
189
190 int32_t userId;
191 if (!data.ReadInt32(userId)) {
192 DLP_LOG_ERROR(LABEL, "Read user id fail");
193 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
194 }
195
196 std::string uri;
197 if (!data.ReadString(uri)) {
198 DLP_LOG_ERROR(LABEL, "Read uri fail");
199 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
200 }
201
202 SandboxInfo sandboxInfo;
203 int32_t res = InstallDlpSandbox(bundleName, dlpFileAccess, userId, sandboxInfo, uri);
204 if (!reply.WriteInt32(res)) {
205 DLP_LOG_ERROR(LABEL, "Write install sandbox result fail");
206 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
207 }
208 if (!reply.WriteInt32(sandboxInfo.appIndex)) {
209 DLP_LOG_ERROR(LABEL, "Write sandbox index fail");
210 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
211 }
212 if (!reply.WriteUint32(sandboxInfo.tokenId)) {
213 DLP_LOG_ERROR(LABEL, "Write sandbox tokenId fail");
214 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
215 }
216 return DLP_OK;
217 }
218
UninstallDlpSandboxInner(MessageParcel & data,MessageParcel & reply)219 int32_t DlpPermissionStub::UninstallDlpSandboxInner(MessageParcel& data, MessageParcel& reply)
220 {
221 if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
222 return DLP_SERVICE_ERROR_PERMISSION_DENY;
223 }
224
225 std::string bundleName;
226 if (!data.ReadString(bundleName)) {
227 DLP_LOG_ERROR(LABEL, "Read bundle name fail");
228 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
229 }
230
231 int32_t appIndex;
232 if (!data.ReadInt32(appIndex)) {
233 DLP_LOG_ERROR(LABEL, "Read sandbox index fail");
234 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
235 }
236
237 int32_t userId;
238 if (!data.ReadInt32(userId)) {
239 DLP_LOG_ERROR(LABEL, "Read user id fail");
240 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
241 }
242
243 int32_t res = UninstallDlpSandbox(bundleName, appIndex, userId);
244 if (!reply.WriteInt32(res)) {
245 DLP_LOG_ERROR(LABEL, "Write uninstall sandbox result fail");
246 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
247 }
248 return DLP_OK;
249 }
250
GetSandboxExternalAuthorizationInner(MessageParcel & data,MessageParcel & reply)251 int32_t DlpPermissionStub::GetSandboxExternalAuthorizationInner(MessageParcel& data, MessageParcel& reply)
252 {
253 if (!IsSaCall() && !CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
254 DLP_LOG_ERROR(LABEL, "Caller is not SA or has no ACCESS_DLP_FILE permission");
255 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
256 }
257 int32_t sandboxUid;
258 if (!data.ReadInt32(sandboxUid)) {
259 DLP_LOG_ERROR(LABEL, "Read sandbox uid fail");
260 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
261 }
262
263 std::unique_ptr<AAFwk::Want> want(data.ReadParcelable<AAFwk::Want>());
264 if (want == nullptr) {
265 DLP_LOG_ERROR(LABEL, "Read want fail");
266 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
267 }
268
269 SandBoxExternalAuthorType authType;
270 int32_t res = GetSandboxExternalAuthorization(sandboxUid, *want, authType);
271 if (res != DLP_OK) {
272 return res;
273 }
274
275 if (!reply.WriteInt32(authType)) {
276 DLP_LOG_ERROR(LABEL, "Write sandbox external auth type fail");
277 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
278 }
279 return DLP_OK;
280 }
281
QueryDlpFileCopyableByTokenIdInner(MessageParcel & data,MessageParcel & reply)282 int32_t DlpPermissionStub::QueryDlpFileCopyableByTokenIdInner(MessageParcel& data, MessageParcel& reply)
283 {
284 uint32_t tokenId;
285 if (!data.ReadUint32(tokenId)) {
286 DLP_LOG_ERROR(LABEL, "Read token id fail");
287 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
288 }
289 bool copyable = false;
290 int32_t res = QueryDlpFileCopyableByTokenId(copyable, tokenId);
291 if (!reply.WriteInt32(res)) {
292 DLP_LOG_ERROR(LABEL, "Write copyalbe query result fail");
293 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
294 }
295 if (!reply.WriteBool(copyable)) {
296 DLP_LOG_ERROR(LABEL, "Write copyalbe fail");
297 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
298 }
299 return DLP_OK;
300 }
301
QueryDlpFileAccessInner(MessageParcel & data,MessageParcel & reply)302 int32_t DlpPermissionStub::QueryDlpFileAccessInner(MessageParcel& data, MessageParcel& reply)
303 {
304 bool sandboxFlag;
305 if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
306 return DLP_SERVICE_ERROR_VALUE_INVALID;
307 }
308 if (!sandboxFlag) {
309 DLP_LOG_ERROR(LABEL, "Forbid called by a non-sandbox app");
310 return DLP_SERVICE_ERROR_API_ONLY_FOR_SANDBOX_ERROR;
311 }
312 DLPPermissionInfoParcel permInfoParcel;
313 int32_t res = QueryDlpFileAccess(permInfoParcel);
314 if (!reply.WriteInt32(res)) {
315 DLP_LOG_ERROR(LABEL, "Write dlp file access query result fail");
316 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
317 }
318 if (!reply.WriteParcelable(&permInfoParcel)) {
319 DLP_LOG_ERROR(LABEL, "WriteParcelable fail");
320 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
321 }
322 return DLP_OK;
323 }
324
IsInDlpSandboxInner(MessageParcel & data,MessageParcel & reply)325 int32_t DlpPermissionStub::IsInDlpSandboxInner(MessageParcel& data, MessageParcel& reply)
326 {
327 bool inSandbox = false;
328 int32_t res = IsInDlpSandbox(inSandbox);
329 if (!reply.WriteInt32(res)) {
330 DLP_LOG_ERROR(LABEL, "Write sandbox query result fail");
331 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
332 }
333 if (!reply.WriteBool(inSandbox)) {
334 DLP_LOG_ERROR(LABEL, "Write sandbox flag fail");
335 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
336 }
337 return DLP_OK;
338 }
339
GetDlpSupportFileTypeInner(MessageParcel & data,MessageParcel & reply)340 int32_t DlpPermissionStub::GetDlpSupportFileTypeInner(MessageParcel& data, MessageParcel& reply)
341 {
342 std::vector<std::string> supportFileType;
343 int32_t res = GetDlpSupportFileType(supportFileType);
344 if (!reply.WriteInt32(res)) {
345 DLP_LOG_ERROR(LABEL, "Write support dlp file type query result fail");
346 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
347 }
348 size_t listNum = supportFileType.size();
349 if (!reply.WriteUint32(listNum)) {
350 DLP_LOG_ERROR(LABEL, "Write support dlp file type list num fail");
351 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
352 }
353 for (const auto& iter : supportFileType) {
354 if (!reply.WriteString(iter)) {
355 DLP_LOG_ERROR(LABEL, "Write support dlp file type string fail");
356 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
357 }
358 }
359 return DLP_OK;
360 }
361
RegisterDlpSandboxChangeCallbackInner(MessageParcel & data,MessageParcel & reply)362 int32_t DlpPermissionStub::RegisterDlpSandboxChangeCallbackInner(MessageParcel &data, MessageParcel &reply)
363 {
364 if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
365 return DLP_SERVICE_ERROR_PERMISSION_DENY;
366 }
367 sptr<IRemoteObject> callback = data.ReadRemoteObject();
368 if (callback == nullptr) {
369 DLP_LOG_ERROR(LABEL, "read callback fail");
370 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
371 }
372 int32_t result = RegisterDlpSandboxChangeCallback(callback);
373 reply.WriteInt32(result);
374 return DLP_OK;
375 }
376
UnRegisterDlpSandboxChangeCallbackInner(MessageParcel & data,MessageParcel & reply)377 int32_t DlpPermissionStub::UnRegisterDlpSandboxChangeCallbackInner(MessageParcel &data, MessageParcel &reply)
378 {
379 if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
380 return DLP_SERVICE_ERROR_PERMISSION_DENY;
381 }
382 bool res = false;
383 int32_t result = UnRegisterDlpSandboxChangeCallback(res);
384 if (!reply.WriteInt32(result)) {
385 DLP_LOG_ERROR(LABEL, "Write sandbox query result fail");
386 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
387 }
388 if (!reply.WriteBool(res)) {
389 DLP_LOG_ERROR(LABEL, "Write sandbox flag fail");
390 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
391 }
392 return DLP_OK;
393 }
394
RegisterOpenDlpFileCallbackInner(MessageParcel & data,MessageParcel & reply)395 int32_t DlpPermissionStub::RegisterOpenDlpFileCallbackInner(MessageParcel &data, MessageParcel &reply)
396 {
397 bool sandboxFlag;
398 if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
399 return DLP_SERVICE_ERROR_VALUE_INVALID;
400 }
401 if (sandboxFlag) {
402 DLP_LOG_ERROR(LABEL, "Forbid called by a sandbox app");
403 return DLP_SERVICE_ERROR_API_NOT_FOR_SANDBOX_ERROR;
404 }
405 sptr<IRemoteObject> callback = data.ReadRemoteObject();
406 if (callback == nullptr) {
407 DLP_LOG_ERROR(LABEL, "read callback fail");
408 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
409 }
410 int32_t result = RegisterOpenDlpFileCallback(callback);
411 reply.WriteInt32(result);
412 return DLP_OK;
413 }
414
UnRegisterOpenDlpFileCallbackInner(MessageParcel & data,MessageParcel & reply)415 int32_t DlpPermissionStub::UnRegisterOpenDlpFileCallbackInner(MessageParcel &data, MessageParcel &reply)
416 {
417 bool sandboxFlag;
418 if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
419 return DLP_SERVICE_ERROR_VALUE_INVALID;
420 }
421 if (sandboxFlag) {
422 DLP_LOG_ERROR(LABEL, "Forbid called by a sandbox app");
423 return DLP_SERVICE_ERROR_API_NOT_FOR_SANDBOX_ERROR;
424 }
425 sptr<IRemoteObject> callback = data.ReadRemoteObject();
426 if (callback == nullptr) {
427 DLP_LOG_ERROR(LABEL, "read callback fail");
428 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
429 }
430 int32_t result = UnRegisterOpenDlpFileCallback(callback);
431 if (!reply.WriteInt32(result)) {
432 DLP_LOG_ERROR(LABEL, "Write un-register open dlp file callback result fail");
433 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
434 }
435 return DLP_OK;
436 }
437
GetDlpGatheringPolicyInner(MessageParcel & data,MessageParcel & reply)438 int32_t DlpPermissionStub::GetDlpGatheringPolicyInner(MessageParcel& data, MessageParcel& reply)
439 {
440 if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
441 return DLP_SERVICE_ERROR_PERMISSION_DENY;
442 }
443 bool isGathering = false;
444 int32_t res = GetDlpGatheringPolicy(isGathering);
445 if (!reply.WriteInt32(res)) {
446 DLP_LOG_ERROR(LABEL, "Write GetDlpGatheringPolicy result fail");
447 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
448 }
449 if (!reply.WriteBool(isGathering)) {
450 DLP_LOG_ERROR(LABEL, "Write isGathering fail");
451 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
452 }
453
454 return DLP_OK;
455 }
456
SetRetentionStateInner(MessageParcel & data,MessageParcel & reply)457 int32_t DlpPermissionStub::SetRetentionStateInner(MessageParcel& data, MessageParcel& reply)
458 {
459 bool sandboxFlag;
460 if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
461 return DLP_SERVICE_ERROR_VALUE_INVALID;
462 }
463 if (!sandboxFlag) {
464 DLP_LOG_ERROR(LABEL, "Forbid called by a non-sandbox app");
465 return DLP_SERVICE_ERROR_API_ONLY_FOR_SANDBOX_ERROR;
466 }
467 std::vector<std::string> docUriVec;
468 if (!data.ReadStringVector(&docUriVec)) {
469 DLP_LOG_ERROR(LABEL, "Read docUriVec id fail");
470 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
471 }
472
473 int32_t result = SetRetentionState(docUriVec);
474 if (!reply.WriteInt32(result)) {
475 DLP_LOG_ERROR(LABEL, "Write sandbox query result fail");
476 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
477 }
478 if (!reply.WriteBool(result == DLP_OK)) {
479 DLP_LOG_ERROR(LABEL, "Write sandbox flag fail");
480 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
481 }
482 return DLP_OK;
483 }
484
CancelRetentionStateInner(MessageParcel & data,MessageParcel & reply)485 int32_t DlpPermissionStub::CancelRetentionStateInner(MessageParcel& data, MessageParcel& reply)
486 {
487 std::vector<std::string> docUriVec;
488 if (!data.ReadStringVector(&docUriVec)) {
489 DLP_LOG_ERROR(LABEL, "Read token id fail");
490 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
491 }
492 int32_t result = CancelRetentionState(docUriVec);
493 if (!reply.WriteInt32(result)) {
494 DLP_LOG_ERROR(LABEL, "Write sandbox query result fail");
495 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
496 }
497 if (!reply.WriteBool(result == DLP_OK)) {
498 DLP_LOG_ERROR(LABEL, "Write sandbox flag fail");
499 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
500 }
501 return DLP_OK;
502 }
503
GetRetentionSandboxListInner(MessageParcel & data,MessageParcel & reply)504 int32_t DlpPermissionStub::GetRetentionSandboxListInner(MessageParcel& data, MessageParcel& reply)
505 {
506 bool sandboxFlag;
507 if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
508 return DLP_SERVICE_ERROR_VALUE_INVALID;
509 }
510 if (sandboxFlag) {
511 DLP_LOG_ERROR(LABEL, "Forbid called by a sandbox app");
512 return DLP_SERVICE_ERROR_API_NOT_FOR_SANDBOX_ERROR;
513 }
514 std::string bundleName;
515 if (!data.ReadString(bundleName)) {
516 DLP_LOG_ERROR(LABEL, "Read bundle name fail");
517 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
518 }
519 std::vector<RetentionSandBoxInfo> retentionSandBoxInfoVec;
520 int32_t result = GetRetentionSandboxList(bundleName, retentionSandBoxInfoVec);
521 if (!reply.WriteInt32(result)) {
522 DLP_LOG_ERROR(LABEL, "Write sandbox query result fail");
523 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
524 }
525 if (!reply.WriteUint32(retentionSandBoxInfoVec.size())) {
526 DLP_LOG_ERROR(LABEL, "Write sandbox size result fail");
527 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
528 }
529 for (const auto& info : retentionSandBoxInfoVec) {
530 if (!reply.WriteParcelable(&info)) {
531 DLP_LOG_ERROR(LABEL, "Write sandbox size info fail");
532 }
533 }
534 return DLP_OK;
535 }
536
ClearUnreservedSandboxInner(MessageParcel & data,MessageParcel & reply)537 int32_t DlpPermissionStub::ClearUnreservedSandboxInner(MessageParcel& data, MessageParcel& reply)
538 {
539 Security::AccessToken::AccessTokenID callingToken = IPCSkeleton::GetCallingTokenID();
540 Security::AccessToken::AccessTokenID bmsToken =
541 Security::AccessToken::AccessTokenKit::GetNativeTokenId(FOUNDATION_SERVICE_NAME);
542 if (callingToken != bmsToken) {
543 return DLP_SERVICE_ERROR_PERMISSION_DENY;
544 }
545 ClearUnreservedSandbox();
546 return DLP_OK;
547 }
548
GetDLPFileVisitRecordInner(MessageParcel & data,MessageParcel & reply)549 int32_t DlpPermissionStub::GetDLPFileVisitRecordInner(MessageParcel& data, MessageParcel& reply)
550 {
551 bool sandboxFlag;
552 if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
553 return DLP_SERVICE_ERROR_VALUE_INVALID;
554 }
555 if (sandboxFlag) {
556 DLP_LOG_ERROR(LABEL, "Forbid called by a sandbox app");
557 return DLP_SERVICE_ERROR_API_NOT_FOR_SANDBOX_ERROR;
558 }
559 std::vector<VisitedDLPFileInfo> infoVec;
560 int32_t res = GetDLPFileVisitRecord(infoVec);
561 if (!reply.WriteInt32(res)) {
562 DLP_LOG_ERROR(LABEL, "Write support visit file record query result fail");
563 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
564 }
565 if (res != DLP_OK) {
566 return DLP_OK;
567 }
568 size_t listNum = infoVec.size();
569 if (!reply.WriteUint32(listNum)) {
570 DLP_LOG_ERROR(LABEL, "Write support visit file record list num fail");
571 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
572 }
573 for (const auto& iter : infoVec) {
574 if (!reply.WriteParcelable(&iter)) {
575 DLP_LOG_ERROR(LABEL, "Write support visit file record docUri string fail");
576 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
577 }
578 }
579 return DLP_OK;
580 }
581
SetMDMPolicyInner(MessageParcel & data,MessageParcel & reply)582 int32_t DlpPermissionStub::SetMDMPolicyInner(MessageParcel& data, MessageParcel& reply)
583 {
584 std::vector<std::string> appIdList;
585 if (!data.ReadStringVector(&appIdList)) {
586 DLP_LOG_ERROR(LABEL, "Read appId List fail");
587 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
588 }
589 int32_t result = SetMDMPolicy(appIdList);
590 if (!reply.WriteInt32(result)) {
591 DLP_LOG_ERROR(LABEL, "Write set policy result fail");
592 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
593 }
594 return DLP_OK;
595 }
596
GetMDMPolicyInner(MessageParcel & data,MessageParcel & reply)597 int32_t DlpPermissionStub::GetMDMPolicyInner(MessageParcel& data, MessageParcel& reply)
598 {
599 std::vector<std::string> appIdList;
600 int32_t result = GetMDMPolicy(appIdList);
601 if (!reply.WriteInt32(result)) {
602 DLP_LOG_ERROR(LABEL, "Write get policy result fail");
603 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
604 }
605 size_t listNum = appIdList.size();
606 if (!reply.WriteUint32(listNum)) {
607 DLP_LOG_ERROR(LABEL, "Write appId list num fail");
608 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
609 }
610 if (!reply.WriteStringVector(appIdList)) {
611 DLP_LOG_ERROR(LABEL, "Write string vector fail");
612 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
613 }
614 return DLP_OK;
615 }
616
RemoveMDMPolicyInner(MessageParcel & data,MessageParcel & reply)617 int32_t DlpPermissionStub::RemoveMDMPolicyInner(MessageParcel& data, MessageParcel& reply)
618 {
619 int32_t result = RemoveMDMPolicy();
620 if (!reply.WriteInt32(result)) {
621 DLP_LOG_ERROR(LABEL, "Write remove policy result fail");
622 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
623 }
624 return DLP_OK;
625 }
626
SetSandboxAppConfigInner(MessageParcel & data,MessageParcel & reply)627 int32_t DlpPermissionStub::SetSandboxAppConfigInner(MessageParcel& data, MessageParcel& reply)
628 {
629 std::string configInfo;
630 if (!data.ReadString(configInfo)) {
631 DLP_LOG_ERROR(LABEL, "Read configInfo fail");
632 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
633 }
634 int32_t res = SetSandboxAppConfig(configInfo);
635 if (!reply.WriteInt32(res)) {
636 DLP_LOG_ERROR(LABEL, "Write SetSandboxAppConfig result fail");
637 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
638 }
639 return res;
640 }
641
CleanSandboxAppConfigInner(MessageParcel & data,MessageParcel & reply)642 int32_t DlpPermissionStub::CleanSandboxAppConfigInner(MessageParcel& data, MessageParcel& reply)
643 {
644 bool sandboxFlag;
645 if (CheckSandboxFlag(GetCallingTokenID(), sandboxFlag) != DLP_OK) {
646 return DLP_SERVICE_ERROR_VALUE_INVALID;
647 }
648 if (sandboxFlag) {
649 DLP_LOG_ERROR(LABEL, "Forbid called by a sandbox app");
650 return DLP_SERVICE_ERROR_API_NOT_FOR_SANDBOX_ERROR;
651 }
652 int32_t res = CleanSandboxAppConfig();
653 if (!reply.WriteInt32(res)) {
654 DLP_LOG_ERROR(LABEL, "Write CleanSandboxAppConfig result fail");
655 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
656 }
657 return res;
658 }
659
GetSandboxAppConfigInner(MessageParcel & data,MessageParcel & reply)660 int32_t DlpPermissionStub::GetSandboxAppConfigInner(MessageParcel& data, MessageParcel& reply)
661 {
662 std::string configInfo;
663 int32_t res = GetSandboxAppConfig(configInfo);
664 if (!reply.WriteInt32(res)) {
665 DLP_LOG_ERROR(LABEL, "Write support sandbox app config query result fail");
666 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
667 }
668 if (res != DLP_OK) {
669 return res;
670 }
671 if (!reply.WriteString(configInfo)) {
672 DLP_LOG_ERROR(LABEL, "Write configInfo fail");
673 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
674 }
675 return DLP_OK;
676 }
677
IsDLPFeatureProvidedInner(MessageParcel & data,MessageParcel & reply)678 int32_t DlpPermissionStub::IsDLPFeatureProvidedInner(MessageParcel& data, MessageParcel& reply)
679 {
680 bool isProvideDLPFeature;
681 IsDLPFeatureProvided(isProvideDLPFeature);
682 if (!reply.WriteBool(isProvideDLPFeature)) {
683 DLP_LOG_ERROR(LABEL, "Write isProvideDLPFeature fail.");
684 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
685 }
686 return DLP_OK;
687 }
688
SetReadFlagInner(MessageParcel & data,MessageParcel & reply)689 int32_t DlpPermissionStub::SetReadFlagInner(MessageParcel& data, MessageParcel& reply)
690 {
691 if (!CheckPermission(PERMISSION_ACCESS_DLP_FILE)) {
692 return DLP_SERVICE_ERROR_PERMISSION_DENY;
693 }
694
695 uint32_t uid;
696 if (!data.ReadUint32(uid)) {
697 DLP_LOG_ERROR(LABEL, "Read uid fail.");
698 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
699 }
700 int32_t res = SetReadFlag(uid);
701 if (!reply.WriteInt32(res)) {
702 DLP_LOG_ERROR(LABEL, "Write result fail.");
703 return DLP_SERVICE_ERROR_PARCEL_OPERATE_FAIL;
704 }
705 return res;
706 }
707
InitMDMPolicy()708 void DlpPermissionStub::InitMDMPolicy()
709 {
710 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::SET_MDM_POLICY)] = {
711 [this](MessageParcel &data, MessageParcel &reply) { return SetMDMPolicyInner(data, reply); }};
712 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_MDM_POLICY)] = {
713 [this](MessageParcel &data, MessageParcel &reply) { return GetMDMPolicyInner(data, reply); }};
714 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::REMOVE_MDM_POLICY)] = {
715 [this](MessageParcel &data, MessageParcel &reply) { return RemoveMDMPolicyInner(data, reply); }};
716 }
717
InitTimerFuncMap()718 void DlpPermissionStub::InitTimerFuncMap()
719 {
720 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::SET_SANDBOX_APP_CONFIG)] = {
721 [this](MessageParcel &data, MessageParcel &reply) { return SetSandboxAppConfigInner(data, reply); }, true};
722 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::CLEAN_SANDBOX_APP_CONFIG)] = {
723 [this](MessageParcel &data, MessageParcel &reply) { return CleanSandboxAppConfigInner(data, reply); }, true};
724 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_SANDBOX_APP_CONFIG)] = {
725 [this](MessageParcel &data, MessageParcel &reply) { return GetSandboxAppConfigInner(data, reply); }, true};
726 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_DLP_SUPPORT_FILE_TYPE)] = {
727 [this](MessageParcel &data, MessageParcel &reply) { return GetDlpSupportFileTypeInner(data, reply); }, true};
728 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::UN_REGISTER_OPEN_DLP_FILE_CALLBACK)] = {
729 [this](MessageParcel &data, MessageParcel &reply) { return UnRegisterOpenDlpFileCallbackInner(data, reply); },
730 true};
731 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::SET_NOT_RETENTION_STATE)] = {
732 [this](MessageParcel &data, MessageParcel &reply) { return CancelRetentionStateInner(data, reply); }, true};
733 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::CLEAR_UNRESERVED_SANDBOX)] = {
734 [this](MessageParcel &data, MessageParcel &reply) { return ClearUnreservedSandboxInner(data, reply); }, true};
735 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_VISTI_FILE_RECORD_LIST)] = {
736 [this](MessageParcel &data, MessageParcel &reply) { return GetDLPFileVisitRecordInner(data, reply); }, true};
737 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::IS_DLP_FEATURE_PROVIDED)] = {
738 [this](MessageParcel &data, MessageParcel &reply) { return IsDLPFeatureProvidedInner(data, reply); }, true};
739 }
740
DlpPermissionStub()741 DlpPermissionStub::DlpPermissionStub()
742 {
743 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GENERATE_DLP_CERTIFICATE)] = {
744 [this](MessageParcel &data, MessageParcel &reply) { return GenerateDlpCertificateInner(data, reply); }};
745 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::PARSE_DLP_CERTIFICATE)] = {
746 [this](MessageParcel &data, MessageParcel &reply) { return ParseDlpCertificateInner(data, reply); }};
747 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::INSTALL_DLP_SANDBOX)] = {
748 [this](MessageParcel &data, MessageParcel &reply) { return InstallDlpSandboxInner(data, reply); }};
749 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::UNINSTALL_DLP_SANDBOX)] = {
750 [this](MessageParcel &data, MessageParcel &reply) { return UninstallDlpSandboxInner(data, reply); }};
751 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_SANDBOX_EXTERNAL_AUTH)] = {
752 [this](MessageParcel &data, MessageParcel &reply) { return GetSandboxExternalAuthorizationInner(data, reply); }
753 };
754 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::QUERY_DLP_FILE_ACCESS_BY_TOKEN_ID)] = {
755 [this](MessageParcel &data, MessageParcel &reply) { return QueryDlpFileCopyableByTokenIdInner(data, reply); }};
756 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::QUERY_DLP_FILE_ACCESS)] = {
757 [this](MessageParcel &data, MessageParcel &reply) { return QueryDlpFileAccessInner(data, reply); }};
758 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::IS_IN_DLP_SANDBOX)] = {
759 [this](MessageParcel &data, MessageParcel &reply) { return IsInDlpSandboxInner(data, reply); }};
760 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::REGISTER_DLP_SANDBOX_CHANGE_CALLBACK)] = {
761 [this](MessageParcel &data, MessageParcel &reply) { return RegisterDlpSandboxChangeCallbackInner(data, reply); }
762 };
763 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::UNREGISTER_DLP_SANDBOX_CHANGE_CALLBACK)]
764 = {
765 [this](MessageParcel &data, MessageParcel &reply) {
766 return UnRegisterDlpSandboxChangeCallbackInner(data, reply);
767 }
768 };
769 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_DLP_GATHERING_POLICY)] = {
770 [this](MessageParcel &data, MessageParcel &reply) { return GetDlpGatheringPolicyInner(data, reply); }};
771 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::SET_RETENTION_STATE)] = {
772 [this](MessageParcel &data, MessageParcel &reply) { return SetRetentionStateInner(data, reply); }};
773 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::GET_RETENTION_SANDBOX_LIST)] = {
774 [this](MessageParcel &data, MessageParcel &reply) { return GetRetentionSandboxListInner(data, reply); }};
775 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::REGISTER_OPEN_DLP_FILE_CALLBACK)] = {
776 [this](MessageParcel &data, MessageParcel &reply) { return RegisterOpenDlpFileCallbackInner(data, reply); }};
777 requestFuncMap_[static_cast<uint32_t>(DlpPermissionServiceInterfaceCode::SET_READ_FLAG)] = {
778 [this](MessageParcel& data, MessageParcel& reply) { return SetReadFlagInner(data, reply); }};
779 InitMDMPolicy();
780 InitTimerFuncMap();
781 }
782
~DlpPermissionStub()783 DlpPermissionStub::~DlpPermissionStub()
784 {
785 requestFuncMap_.clear();
786 }
787 } // namespace DlpPermission
788 } // namespace Security
789 } // namespace OHOS
790