1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "enterprise_device_mgr_ability.h"
17
18 #include <cstring>
19 #include <string_ex.h>
20 #include <thread>
21
22 #include "application_state_observer.h"
23 #include "common_event_manager.h"
24 #include "common_event_support.h"
25 #include "device_policies_storage_rdb.h"
26 #include "directory_ex.h"
27 #include "ipc_skeleton.h"
28 #include "iservice_registry.h"
29 #include "matching_skills.h"
30 #include "message_parcel.h"
31 #include "parameters.h"
32 #include "system_ability.h"
33 #include "system_ability_definition.h"
34
35 #include "edm_constants.h"
36 #include "edm_errors.h"
37 #include "edm_ipc_interface_code.h"
38 #include "edm_log.h"
39 #include "edm_sys_manager.h"
40 #include "enterprise_admin_connection.h"
41 #include "enterprise_bundle_connection.h"
42 #include "enterprise_conn_manager.h"
43 #include "func_code_utils.h"
44 #include "permission_manager.h"
45
46 #include "password_policy_serializer.h"
47 #include "usb_device_id.h"
48 #include "user_auth_client.h"
49
50 #ifdef PASTEBOARD_EDM_ENABLE
51 #include "clipboard_policy_serializer.h"
52 #include "clipboard_utils.h"
53 #endif
54
55 namespace OHOS {
56 namespace EDM {
57 const bool REGISTER_RESULT =
58 SystemAbility::MakeAndRegisterAbility(EnterpriseDeviceMgrAbility::GetInstance().GetRefPtr());
59
60 const std::string PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN = "ohos.permission.MANAGE_ENTERPRISE_DEVICE_ADMIN";
61 const std::string PERMISSION_SET_ENTERPRISE_INFO = "ohos.permission.SET_ENTERPRISE_INFO";
62 const std::string PERMISSION_ENTERPRISE_SUBSCRIBE_MANAGED_EVENT = "ohos.permission.ENTERPRISE_SUBSCRIBE_MANAGED_EVENT";
63 const std::string PERMISSION_UPDATE_SYSTEM = "ohos.permission.UPDATE_SYSTEM";
64 const std::string PERMISSION_SET_DELEGATED_POLICY = "ohos.permission.ENTERPRISE_MANAGE_DELEGATED_POLICY";
65 const std::string PARAM_EDM_ENABLE = "persist.edm.edm_enable";
66 const std::string PARAM_SECURITY_MODE = "ohos.boot.advsecmode.state";
67 const std::string SYSTEM_UPDATE_FOR_POLICY = "usual.event.DUE_SA_FIRMWARE_UPDATE_FOR_POLICY";
68 const std::string FIRMWARE_EVENT_INFO_NAME = "version";
69 const std::string FIRMWARE_EVENT_INFO_TYPE = "packageType";
70 const std::string FIRMWARE_EVENT_INFO_CHECK_TIME = "firstReceivedTime";
71 const std::string DEVELOP_MODE_STATE = "const.security.developermode.state";
72 const std::string APP_TYPE_ENTERPRISE_MDM = "enterprise_mdm";
73 const std::string APP_TYPE_ENTERPRISE_NORMAL = "enterprise_normal";
74
75 std::mutex EnterpriseDeviceMgrAbility::mutexLock_;
76
77 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::instance_;
78
79 constexpr int32_t TIMER_TIMEOUT = 360000; // 6 * 60 * 1000;
80
AddCommonEventFuncMap()81 void EnterpriseDeviceMgrAbility::AddCommonEventFuncMap()
82 {
83 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED] =
84 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
85 that->OnCommonEventUserRemoved(data);
86 };
87 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_ADDED] =
88 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
89 that->OnCommonEventPackageAdded(data);
90 };
91 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED] =
92 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
93 that->OnCommonEventPackageRemoved(data);
94 };
95 commonEventFuncMap_[SYSTEM_UPDATE_FOR_POLICY] =
96 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
97 that->OnCommonEventSystemUpdate(data);
98 };
99 }
100
OnCommonEventSystemUpdate(const EventFwk::CommonEventData & data)101 void EnterpriseDeviceMgrAbility::OnCommonEventSystemUpdate(const EventFwk::CommonEventData &data)
102 {
103 EDMLOGI("OnCommonEventSystemUpdate");
104 UpdateInfo updateInfo;
105 updateInfo.version = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_NAME);
106 updateInfo.firstReceivedTime = data.GetWant().GetLongParam(FIRMWARE_EVENT_INFO_CHECK_TIME, 0);
107 updateInfo.packageType = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_TYPE);
108
109 ConnectAbilityOnSystemUpdate(updateInfo);
110 }
111
ConnectAbilityOnSystemUpdate(const UpdateInfo & updateInfo)112 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemUpdate(const UpdateInfo &updateInfo)
113 {
114 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
115 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::SYSTEM_UPDATE, subAdmins);
116 if (subAdmins.empty()) {
117 EDMLOGW("Get subscriber by common event failed.");
118 return;
119 }
120 AAFwk::Want want;
121 for (const auto &subAdmin : subAdmins) {
122 for (const auto &it : subAdmin.second) {
123 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
124 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
125 sptr<IEnterpriseConnection> connection =
126 manager->CreateUpdateConnection(want, subAdmin.first, updateInfo);
127 manager->ConnectAbility(connection);
128 }
129 }
130 }
131
AddOnAddSystemAbilityFuncMap()132 void EnterpriseDeviceMgrAbility::AddOnAddSystemAbilityFuncMap()
133 {
134 addSystemAbilityFuncMap_[APP_MGR_SERVICE_ID] =
135 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
136 that->OnAppManagerServiceStart();
137 };
138 addSystemAbilityFuncMap_[COMMON_EVENT_SERVICE_ID] =
139 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
140 that->OnCommonEventServiceStart();
141 };
142 addSystemAbilityFuncMap_[ABILITY_MGR_SERVICE_ID] =
143 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
144 that->OnAbilityManagerServiceStart();
145 };
146 addSystemAbilityFuncMap_[SUBSYS_USERIAM_SYS_ABILITY_USERAUTH] =
147 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
148 that->OnUserAuthFrameworkStart();
149 };
150 #ifdef PASTEBOARD_EDM_ENABLE
151 addSystemAbilityFuncMap_[PASTEBOARD_SERVICE_ID] =
152 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
153 that->OnPasteboardServiceStart();
154 };
155 #endif
156 #ifdef USB_EDM_ENABLE
157 addSystemAbilityFuncMap_[USB_SYSTEM_ABILITY_ID] =
158 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
159 that->OnUsbServiceStart();
160 };
161 #endif
162 }
163
164 #ifdef COMMON_EVENT_SERVICE_EDM_ENABLE
EnterpriseDeviceEventSubscriber(const EventFwk::CommonEventSubscribeInfo & subscribeInfo,EnterpriseDeviceMgrAbility & listener)165 EnterpriseDeviceEventSubscriber::EnterpriseDeviceEventSubscriber(
166 const EventFwk::CommonEventSubscribeInfo &subscribeInfo,
167 EnterpriseDeviceMgrAbility &listener) : EventFwk::CommonEventSubscriber(subscribeInfo), listener_(listener) {}
168
OnReceiveEvent(const EventFwk::CommonEventData & data)169 void EnterpriseDeviceEventSubscriber::OnReceiveEvent(const EventFwk::CommonEventData &data)
170 {
171 const std::string action = data.GetWant().GetAction();
172 EDMLOGI("EDM OnReceiveEvent get action: %{public}s", action.c_str());
173 auto func = listener_.commonEventFuncMap_.find(action);
174 if (func != listener_.commonEventFuncMap_.end()) {
175 auto commonEventFunc = func->second;
176 if (commonEventFunc != nullptr) {
177 return commonEventFunc(&listener_, data);
178 }
179 } else {
180 EDMLOGW("OnReceiveEvent action is invalid");
181 }
182 }
183
CreateEnterpriseDeviceEventSubscriber(EnterpriseDeviceMgrAbility & listener)184 std::shared_ptr<EventFwk::CommonEventSubscriber> EnterpriseDeviceMgrAbility::CreateEnterpriseDeviceEventSubscriber(
185 EnterpriseDeviceMgrAbility &listener)
186 {
187 EventFwk::MatchingSkills skill = EventFwk::MatchingSkills();
188 AddCommonEventFuncMap();
189 for (auto &item : commonEventFuncMap_) {
190 if (item.first == SYSTEM_UPDATE_FOR_POLICY) {
191 continue;
192 }
193 skill.AddEvent(item.first);
194 EDMLOGI("CreateEnterpriseDeviceEventSubscriber AddEvent: %{public}s", item.first.c_str());
195 }
196 EventFwk::CommonEventSubscribeInfo info(skill);
197 return std::make_shared<EnterpriseDeviceEventSubscriber>(info, listener);
198 }
199 #endif
200
OnCommonEventUserRemoved(const EventFwk::CommonEventData & data)201 void EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved(const EventFwk::CommonEventData &data)
202 {
203 int userIdToRemove = data.GetCode();
204 if (userIdToRemove == 0) {
205 return;
206 }
207 EDMLOGI("OnCommonEventUserRemoved");
208 std::lock_guard<std::mutex> autoLock(mutexLock_);
209 // include super admin, need to be removed
210 std::vector<std::shared_ptr<Admin>> userAdmin;
211 adminMgr_->GetAdminByUserId(userIdToRemove, userAdmin);
212 for (auto &item : userAdmin) {
213 if (FAILED(RemoveAdminAndAdminPolicy(item->adminInfo_.packageName_, userIdToRemove))) {
214 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved remove admin failed packagename = %{public}s",
215 item->adminInfo_.packageName_.c_str());
216 }
217 }
218 std::vector<std::shared_ptr<Admin>> subAndSuperAdmin;
219 adminMgr_->GetAdminByUserId(DEFAULT_USER_ID, subAndSuperAdmin);
220 for (const auto &subAdmin : subAndSuperAdmin) {
221 if ((subAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN || subAdmin->GetAdminType() == AdminType::ENT ||
222 subAdmin->GetAdminType() == AdminType::VIRTUAL_ADMIN) &&
223 FAILED(RemoveAdminAndAdminPolicy(subAdmin->adminInfo_.packageName_, userIdToRemove))) {
224 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved: remove sub and super admin policy failed.");
225 }
226 }
227 }
228
OnCommonEventPackageAdded(const EventFwk::CommonEventData & data)229 void EnterpriseDeviceMgrAbility::OnCommonEventPackageAdded(const EventFwk::CommonEventData &data)
230 {
231 EDMLOGI("OnCommonEventPackageAdded");
232 AAFwk::Want want = data.GetWant();
233 std::string bundleName = want.GetElement().GetBundleName();
234 int32_t userId = want.GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
235 if (userId == AppExecFwk::Constants::INVALID_USERID) {
236 EDMLOGE("OnCommonEventPackageAdded get INVALID_USERID");
237 return;
238 }
239 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_ADDED, userId);
240 }
241
OnCommonEventPackageRemoved(const EventFwk::CommonEventData & data)242 void EnterpriseDeviceMgrAbility::OnCommonEventPackageRemoved(const EventFwk::CommonEventData &data)
243 {
244 EDMLOGI("OnCommonEventPackageRemoved");
245 std::string bundleName = data.GetWant().GetElement().GetBundleName();
246 int32_t userId = data.GetWant().GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
247 if (userId == AppExecFwk::Constants::INVALID_USERID) {
248 EDMLOGE("OnCommonEventPackageRemoved get INVALID_USERID");
249 return;
250 }
251 std::lock_guard<std::mutex> autoLock(mutexLock_);
252 std::shared_ptr<Admin> admin = adminMgr_->GetAdminByPkgName(bundleName, userId);
253 if (admin != nullptr) {
254 if (admin->adminInfo_.adminType_ == AdminType::NORMAL) {
255 RemoveAdminAndAdminPolicy(bundleName, userId);
256 }
257 if ((admin->adminInfo_.adminType_ == AdminType::SUB_SUPER_ADMIN ||
258 admin->adminInfo_.adminType_ == AdminType::VIRTUAL_ADMIN) && userId == DEFAULT_USER_ID) {
259 // remove sub super admin and sub super admin policy
260 RemoveSubSuperAdminAndAdminPolicy(bundleName);
261 }
262 if (admin->adminInfo_.adminType_ == AdminType::ENT && userId == DEFAULT_USER_ID) {
263 // remove super admin and super admin policy
264 RemoveSuperAdminAndAdminPolicy(bundleName);
265 }
266 if (!adminMgr_->IsAdminExist()) {
267 system::SetParameter(PARAM_EDM_ENABLE, "false");
268 }
269 }
270 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_REMOVED, userId);
271 }
272
ConnectAbilityOnSystemEvent(const std::string & bundleName,ManagedEvent event,int32_t userId)273 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemEvent(const std::string &bundleName,
274 ManagedEvent event, int32_t userId)
275 {
276 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
277 adminMgr_->GetAdminBySubscribeEvent(event, subAdmins);
278 if (subAdmins.empty()) {
279 EDMLOGW("Get subscriber by common event failed.");
280 return;
281 }
282 AAFwk::Want want;
283 for (const auto &subAdmin : subAdmins) {
284 for (const auto &it : subAdmin.second) {
285 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
286 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
287 sptr<IEnterpriseConnection> connection =
288 manager->CreateBundleConnection(want, static_cast<uint32_t>(event), subAdmin.first, bundleName, userId);
289 manager->ConnectAbility(connection);
290 }
291 }
292 }
293
GetInstance()294 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::GetInstance()
295 {
296 if (instance_ == nullptr) {
297 std::lock_guard<std::mutex> autoLock(mutexLock_);
298 if (instance_ == nullptr) {
299 EDMLOGD("EnterpriseDeviceMgrAbility:GetInstance instance = new EnterpriseDeviceMgrAbility()");
300 instance_ = new (std::nothrow) EnterpriseDeviceMgrAbility();
301 }
302 }
303 return instance_;
304 }
305
EnterpriseDeviceMgrAbility()306 EnterpriseDeviceMgrAbility::EnterpriseDeviceMgrAbility() : SystemAbility(ENTERPRISE_DEVICE_MANAGER_SA_ID, true)
307 {
308 EDMLOGI("EnterpriseDeviceMgrAbility:new instance");
309 }
310
~EnterpriseDeviceMgrAbility()311 EnterpriseDeviceMgrAbility::~EnterpriseDeviceMgrAbility()
312 {
313 instance_ = nullptr;
314
315 if (adminMgr_) {
316 adminMgr_.reset();
317 }
318
319 if (pluginMgr_) {
320 pluginMgr_.reset();
321 }
322
323 if (policyMgr_) {
324 policyMgr_.reset();
325 }
326 EDMLOGD("instance is destroyed");
327 }
328
Dump(int32_t fd,const std::vector<std::u16string> & args)329 int32_t EnterpriseDeviceMgrAbility::Dump(int32_t fd, const std::vector<std::u16string> &args)
330 {
331 EDMLOGI("EnterpriseDeviceMgrAbility::Dump");
332 if (fd < 0) {
333 EDMLOGE("Dump fd invalid");
334 return ERR_EDM_DUMP_FAILED;
335 }
336 std::string result;
337 result.append("Ohos enterprise device manager service: \n");
338 std::vector<std::string> enabledAdminList;
339 GetEnabledAdmin(AdminType::NORMAL, enabledAdminList);
340 if (enabledAdminList.empty()) {
341 result.append("There is no admin enabled\n");
342 } else {
343 result.append("Enabled admin exist :\n");
344 for (const auto &enabledAdmin : enabledAdminList) {
345 result.append(enabledAdmin);
346 result.append("\n");
347 }
348 }
349 int32_t ret = dprintf(fd, "%s", result.c_str());
350 if (ret < 0) {
351 EDMLOGE("dprintf to dump fd failed");
352 return ERR_EDM_DUMP_FAILED;
353 }
354 return ERR_OK;
355 }
356
OnStart()357 void EnterpriseDeviceMgrAbility::OnStart()
358 {
359 std::lock_guard<std::mutex> autoLock(mutexLock_);
360 EDMLOGD("EnterpriseDeviceMgrAbility::OnStart() Publish");
361 InitAllAdmins();
362 InitAllPolices();
363 RemoveAllDebugAdmin();
364 if (!registerToService_) {
365 if (!Publish(this)) {
366 EDMLOGE("EnterpriseDeviceMgrAbility: res == false");
367 return;
368 }
369 registerToService_ = true;
370 }
371 AddOnAddSystemAbilityFuncMap();
372 AddSystemAbilityListeners();
373 }
374
InitAllAdmins()375 void EnterpriseDeviceMgrAbility::InitAllAdmins()
376 {
377 if (!adminMgr_) {
378 adminMgr_ = AdminManager::GetInstance();
379 }
380 EDMLOGD("create adminMgr_ success");
381 adminMgr_->Init();
382 }
383
InitAllPlugins()384 void EnterpriseDeviceMgrAbility::InitAllPlugins()
385 {
386 if (!pluginMgr_) {
387 pluginMgr_ = PluginManager::GetInstance();
388 }
389 EDMLOGD("create pluginMgr_ success");
390 lastCallTime_ = std::chrono::system_clock::now();
391 if (pluginHasInit_) {
392 std::unique_lock<std::mutex> lock(waitMutex_);
393 notifySignal_ = true;
394 waitSignal_.notify_one();
395 } else {
396 pluginMgr_->LoadPlugin();
397 pluginHasInit_ = true;
398 std::thread timerThread([this]() {
399 this->UnloadPluginTask();
400 });
401 timerThread.detach();
402 }
403 }
404
UnloadPluginTask()405 void EnterpriseDeviceMgrAbility::UnloadPluginTask()
406 {
407 while (pluginHasInit_) {
408 std::unique_lock<std::mutex> lock(waitMutex_);
409 notifySignal_ = false;
410 waitSignal_.wait_for(lock, std::chrono::milliseconds(TIMER_TIMEOUT), [this] { return this->notifySignal_; });
411 auto now = std::chrono::system_clock::now();
412 auto diffTime = std::chrono::duration_cast<std::chrono::milliseconds>(now - lastCallTime_).count();
413 if (diffTime >= std::chrono::milliseconds(TIMER_TIMEOUT).count()) {
414 std::lock_guard<std::mutex> autoLock(mutexLock_);
415 if (pluginMgr_) {
416 pluginMgr_->UnloadPlugin();
417 }
418 pluginHasInit_ = false;
419 }
420 }
421 }
422
InitAllPolices()423 void EnterpriseDeviceMgrAbility::InitAllPolices()
424 {
425 if (!policyMgr_) {
426 policyMgr_ = std::make_shared<PolicyManager>();
427 IPolicyManager::policyManagerInstance_ = policyMgr_.get();
428 }
429 std::vector<int32_t> userIds;
430 auto devicePolicies = DevicePoliciesStorageRdb::GetInstance();
431 if (devicePolicies == nullptr) {
432 EDMLOGW("OnAddSystemAbility::InitAllPolices:get rdbStore failed.");
433 return;
434 }
435 EDMLOGI("InitAllPolices userIds size %{public}zu", userIds.size());
436 devicePolicies->QueryAllUserId(userIds);
437 policyMgr_->Init(userIds);
438 allowDelegatedPolicies_ = { "disallow_add_local_account", "disallow_add_os_account_by_user",
439 "disallow_running_bundles", "manage_auto_start_apps", "allowed_bluetooth_devices", "set_browser_policies",
440 "allowed_install_bundles", "disallowed_install_bundles", "disallowed_uninstall_bundles", "snapshot_skip",
441 "location_policy", "disabled_network_interface", "global_proxy", "disabled_bluetooth",
442 "disallow_modify_datetime", "disabled_printer", "policy_screen_shot", "disabled_hdc", "disable_microphone",
443 "fingerprint_auth", "disable_usb", "disable_wifi", "disallowed_tethering", "inactive_user_freeze",
444 "password_policy", "clipboard_policy", "ntp_server", "set_update_policy", "notify_upgrade_packages",
445 "allowed_usb_devices", "usb_read_only", "disallowed_usb_devices", "get_device_info", "watermark_image_policy",
446 "policy_screen_record" };
447 }
448
RemoveAllDebugAdmin()449 void EnterpriseDeviceMgrAbility::RemoveAllDebugAdmin()
450 {
451 bool isDebug = system::GetBoolParameter(DEVELOP_MODE_STATE, false);
452 if (!isDebug) {
453 std::vector<std::shared_ptr<Admin>> userAdmin;
454 adminMgr_->GetAdminByUserId(DEFAULT_USER_ID, userAdmin);
455 for (const auto &item: userAdmin) {
456 if (item->adminInfo_.isDebug_) {
457 EDMLOGD("remove debug admin %{public}s", item->adminInfo_.packageName_.c_str());
458 RemoveSuperAdminAndAdminPolicy(item->adminInfo_.packageName_);
459 }
460 }
461 }
462 }
463
AddSystemAbilityListeners()464 void EnterpriseDeviceMgrAbility::AddSystemAbilityListeners()
465 {
466 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
467 AddSystemAbilityListener(APP_MGR_SERVICE_ID);
468 AddSystemAbilityListener(ABILITY_MGR_SERVICE_ID);
469 AddSystemAbilityListener(SUBSYS_USERIAM_SYS_ABILITY_USERAUTH);
470 #ifdef PASTEBOARD_EDM_ENABLE
471 AddSystemAbilityListener(PASTEBOARD_SERVICE_ID);
472 #endif
473 #ifdef USB_EDM_ENABLE
474 AddSystemAbilityListener(USB_SYSTEM_ABILITY_ID);
475 #endif
476 }
477
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)478 void EnterpriseDeviceMgrAbility::OnAddSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
479 {
480 EDMLOGD("OnAddSystemAbility systemAbilityId:%{public}d added!", systemAbilityId);
481 auto func = addSystemAbilityFuncMap_.find(systemAbilityId);
482 if (func != addSystemAbilityFuncMap_.end()) {
483 auto memberFunc = func->second;
484 if (memberFunc != nullptr) {
485 return memberFunc(this, systemAbilityId, deviceId);
486 }
487 }
488 }
489
OnAppManagerServiceStart()490 void EnterpriseDeviceMgrAbility::OnAppManagerServiceStart()
491 {
492 EDMLOGI("OnAppManagerServiceStart");
493 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
494 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
495 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
496 if (!subAdmins.empty()) {
497 EDMLOGI("the admin that listened the APP_START or APP_STOP event is existed");
498 SubscribeAppState();
499 }
500 }
501
OnAbilityManagerServiceStart()502 void EnterpriseDeviceMgrAbility::OnAbilityManagerServiceStart()
503 {
504 EDMLOGI("OnAbilityManagerServiceStart");
505 auto superAdmin = adminMgr_->GetSuperAdmin();
506 if (superAdmin != nullptr) {
507 AAFwk::Want connectWant;
508 connectWant.SetElementName(superAdmin->adminInfo_.packageName_, superAdmin->adminInfo_.className_);
509 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
510 sptr<IEnterpriseConnection> connection = manager->CreateAdminConnection(connectWant,
511 IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, DEFAULT_USER_ID, false);
512 manager->ConnectAbility(connection);
513 }
514 }
515
OnCommonEventServiceStart()516 void EnterpriseDeviceMgrAbility::OnCommonEventServiceStart()
517 {
518 #ifdef COMMON_EVENT_SERVICE_EDM_ENABLE
519 commonEventSubscriber = CreateEnterpriseDeviceEventSubscriber(*this);
520 EventFwk::CommonEventManager::SubscribeCommonEvent(this->commonEventSubscriber);
521 EDMLOGI("create commonEventSubscriber success");
522
523 EventFwk::MatchingSkills skill = EventFwk::MatchingSkills();
524 skill.AddEvent(SYSTEM_UPDATE_FOR_POLICY);
525 EDMLOGI("CreateEnterpriseDeviceEventSubscriber AddEvent: %{public}s", SYSTEM_UPDATE_FOR_POLICY.c_str());
526 EventFwk::CommonEventSubscribeInfo info(skill);
527 info.SetPermission(PERMISSION_UPDATE_SYSTEM);
528 EventFwk::CommonEventManager::SubscribeCommonEvent(std::make_shared<EnterpriseDeviceEventSubscriber>(info, *this));
529 #else
530 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventServiceStart Unsupported Capabilities.");
531 return;
532 #endif
533 }
534
535 #ifdef PASTEBOARD_EDM_ENABLE
OnPasteboardServiceStart()536 void EnterpriseDeviceMgrAbility::OnPasteboardServiceStart()
537 {
538 EDMLOGI("OnPasteboardServiceStart");
539 std::string policyData;
540 policyMgr_->GetPolicy("", "clipboard_policy", policyData, DEFAULT_USER_ID);
541 auto clipboardSerializer_ = ClipboardSerializer::GetInstance();
542 std::map<int32_t, ClipboardPolicy> policyMap;
543 clipboardSerializer_->Deserialize(policyData, policyMap);
544 ClipboardUtils::HandlePasteboardPolicy(policyMap);
545 }
546 #endif
547
OnUserAuthFrameworkStart()548 void EnterpriseDeviceMgrAbility::OnUserAuthFrameworkStart()
549 {
550 EDMLOGI("OnUserAuthFrameworkStart");
551 std::string policyData;
552 policyMgr_->GetPolicy("", "password_policy", policyData, DEFAULT_USER_ID);
553 auto serializer_ = PasswordSerializer::GetInstance();
554 PasswordPolicy policy;
555 serializer_->Deserialize(policyData, policy);
556 UserIam::UserAuth::GlobalConfigParam param;
557 param.type = UserIam::UserAuth::GlobalConfigType::PIN_EXPIRED_PERIOD;
558 param.value.pinExpiredPeriod = policy.validityPeriod;
559 int32_t ret = UserIam::UserAuth::UserAuthClient::GetInstance().SetGlobalConfigParam(param);
560 if (ret != 0) {
561 EDMLOGW("SetGlobalConfigParam Error");
562 }
563 }
564
565 #ifdef USB_EDM_ENABLE
OnUsbServiceStart()566 void EnterpriseDeviceMgrAbility::OnUsbServiceStart()
567 {
568 EDMLOGI("OnUsbServiceStart");
569 std::string disableUsbPolicy;
570 policyMgr_->GetPolicy("", "disable_usb", disableUsbPolicy, DEFAULT_USER_ID);
571 bool isUsbDisabled = false;
572 BoolSerializer::GetInstance()->Deserialize(policyData, isUsbDisabled);
573 if (isUsbDisabled) {
574 ErrCode disableUsbRet = UsbPolicyUtils::SetUsbDisabled(isUsbDisabled);
575 if (disableUsbRet != ERR_OK) {
576 EDMLOGW("SetUsbDisabled Error: %{public}d", disableUsbRet);
577 }
578 return;
579 }
580
581 std::string allowUsbDevicePolicy;
582 policyMgr_->GetPolicy("", "allowed_usb_devices", allowUsbDevicePolicy, DEFAULT_USER_ID);
583 std::vector<UsbDeviceId> usbDeviceIds;
584 ArrayUsbDeviceIdSerializer::GetInstance()->Deserialize(policyData, usbDeviceIds);
585 if (!usbDeviceIds.empty()) {
586 ErrCode allowedUsbRet = UsbPolicyUtils::AddAllowedUsbDevices(usbDeviceIds);
587 if (allowedUsbRet != ERR_OK) {
588 EDMLOGW("AddAllowedUsbDevices Error: %{public}d", allowedUsbRet);
589 }
590 return;
591 }
592
593 std::string usbStoragePolicy;
594 policyMgr_->GetPolicy("", "usb_read_only", usbStoragePolicy, EdmConstants::DEFAULT_USER_ID);
595 std::string disallowUsbDevicePolicy;
596 policyMgr_->GetPolicy("", "disallowed_usb_devices", disallowUsbDevicePolicy, DEFAULT_USER_ID);
597 std::vector<USB::UsbDeviceType> disallowedDevices;
598 ArrayUsbDeviceTypeSerializer::GetInstance()->Deserialize(policyData, disallowedDevices);
599 if (usbStoragePolicy == std::to_string(EdmConstants::STORAGE_USB_POLICY_DISABLED)) {
600 USB::UsbDeviceType storageType;
601 storageType.baseClass = USB_DEVICE_TYPE_BASE_CLASS_STORAGE;
602 storageType.subClass = USB_DEVICE_TYPE_BASE_CLASS_STORAGE;
603 storageType.protocol = USB_DEVICE_TYPE_BASE_CLASS_STORAGE;
604 storageType.isDeviceType = false;
605 disallowedDevices.emplace_back(storageType);
606 }
607 if (!disallowedDevices.empty()) {
608 ErrCode disallowedUsbRet = UsbPolicyUtils::SetDisallowedUsbDevices(disallowedDevices);
609 if (disallowedUsbRet != ERR_OK) {
610 EDMLOGW("SetDisallowedUsbDevices Error: %{public}d", disableUsbRet);
611 }
612 }
613 }
614 #endif
615
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)616 void EnterpriseDeviceMgrAbility::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string &deviceId) {}
617
OnStop()618 void EnterpriseDeviceMgrAbility::OnStop()
619 {
620 EDMLOGD("EnterpriseDeviceMgrAbility::OnStop()");
621 std::lock_guard<std::mutex> autoLock(mutexLock_);
622 if (pluginHasInit_) {
623 pluginHasInit_ = false;
624 std::unique_lock<std::mutex> lock(waitMutex_);
625 notifySignal_ = true;
626 waitSignal_.notify_one();
627 }
628 }
629
GetAllPermissionsByAdmin(const std::string & bundleInfoName,AdminType adminType,int32_t userId,std::vector<std::string> & permissionList)630 ErrCode EnterpriseDeviceMgrAbility::GetAllPermissionsByAdmin(const std::string &bundleInfoName, AdminType adminType,
631 int32_t userId, std::vector<std::string> &permissionList)
632 {
633 permissionList.clear();
634 AppExecFwk::BundleInfo bundleInfo;
635 EDMLOGD("GetAllPermissionsByAdmin GetBundleInfo: bundleInfoName %{public}s userid %{public}d",
636 bundleInfoName.c_str(), userId);
637 bool ret = GetBundleMgr()->GetBundleInfo(bundleInfoName,
638 AppExecFwk::BundleFlag::GET_BUNDLE_WITH_REQUESTED_PERMISSION, bundleInfo, userId);
639 if (!ret) {
640 EDMLOGW("GetAllPermissionsByAdmin: GetBundleInfo failed %{public}d", ret);
641 return ERR_EDM_PARAM_ERROR;
642 }
643 PermissionManager::GetInstance()->GetAdminGrantedPermission(bundleInfo.reqPermissions, adminType, permissionList);
644 return ERR_OK;
645 }
646
GetBundleMgr()647 std::shared_ptr<IEdmBundleManager> EnterpriseDeviceMgrAbility::GetBundleMgr()
648 {
649 return GetExternalManagerFactory()->CreateBundleManager();
650 }
651
GetAppMgr()652 std::shared_ptr<IEdmAppManager> EnterpriseDeviceMgrAbility::GetAppMgr()
653 {
654 return GetExternalManagerFactory()->CreateAppManager();
655 }
656
GetOsAccountMgr()657 std::shared_ptr<IEdmOsAccountManager> EnterpriseDeviceMgrAbility::GetOsAccountMgr()
658 {
659 return GetExternalManagerFactory()->CreateOsAccountManager();
660 }
661
SubscribeAppState()662 bool EnterpriseDeviceMgrAbility::SubscribeAppState()
663 {
664 if (appStateObserver_) {
665 EDMLOGD("appStateObserver has subscribed");
666 return true;
667 }
668 appStateObserver_ = new (std::nothrow) ApplicationStateObserver(*this);
669 if (!appStateObserver_) {
670 EDMLOGE("new ApplicationStateObserver failed");
671 return false;
672 }
673 if (GetAppMgr()->RegisterApplicationStateObserver(appStateObserver_)) {
674 EDMLOGE("RegisterApplicationStateObserver fail!");
675 appStateObserver_.clear();
676 appStateObserver_ = nullptr;
677 return false;
678 }
679 return true;
680 }
681
UnsubscribeAppState()682 bool EnterpriseDeviceMgrAbility::UnsubscribeAppState()
683 {
684 if (!appStateObserver_) {
685 EDMLOGD("appStateObserver has subscribed");
686 return true;
687 }
688 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
689 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
690 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
691 if (!subAdmins.empty()) {
692 return true;
693 }
694 if (GetAppMgr()->UnregisterApplicationStateObserver(appStateObserver_)) {
695 EDMLOGE("UnregisterApplicationStateObserver fail!");
696 return false;
697 }
698 appStateObserver_.clear();
699 appStateObserver_ = nullptr;
700 return true;
701 }
702
VerifyEnableAdminCondition(AppExecFwk::ElementName & admin,AdminType type,int32_t userId,bool isDebug)703 ErrCode EnterpriseDeviceMgrAbility::VerifyEnableAdminCondition(AppExecFwk::ElementName &admin, AdminType type,
704 int32_t userId, bool isDebug)
705 {
706 if (type == AdminType::ENT && userId != DEFAULT_USER_ID) {
707 EDMLOGW("EnableAdmin: Super admin can only be enabled in default user.");
708 return ERR_EDM_ADD_ADMIN_FAILED;
709 }
710
711 if (type != AdminType::ENT && system::GetBoolParameter(PARAM_SECURITY_MODE, false)) {
712 EDMLOGW("EnableAdmin: The current mode is not supported.");
713 return ERR_EDM_ADD_ADMIN_FAILED;
714 }
715
716 std::shared_ptr<Admin> existAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
717 if (existAdmin != nullptr) {
718 if (existAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN ||
719 existAdmin->GetAdminType() == AdminType::VIRTUAL_ADMIN) {
720 EDMLOGW("EnableAdmin: sub-super admin can not be enabled as a normal or super admin.");
721 return ERR_EDM_ADD_ADMIN_FAILED;
722 }
723 if (existAdmin->GetAdminType() == AdminType::ENT && (type != AdminType::ENT || userId != DEFAULT_USER_ID)) {
724 EDMLOGW("EnableAdmin: an exist super admin can't be enabled twice with different role or user id.");
725 return ERR_EDM_ADD_ADMIN_FAILED;
726 }
727 if (isDebug != existAdmin->adminInfo_.isDebug_) {
728 EDMLOGW("EnableAdmin: debug parameter can not be changed.");
729 return ERR_EDM_ADD_ADMIN_FAILED;
730 }
731 /* An application can't be enabled twice with different ability name */
732 if (existAdmin->adminInfo_.className_ != admin.GetAbilityName()) {
733 EDMLOGW("EnableAdmin: There is another admin ability enabled with the same package name.");
734 return ERR_EDM_ADD_ADMIN_FAILED;
735 }
736 }
737 if (!isDebug && type == AdminType::ENT && adminMgr_->IsSuperAdminExist()) {
738 if (existAdmin == nullptr || existAdmin->adminInfo_.adminType_ != AdminType::ENT) {
739 EDMLOGW("EnableAdmin: There is another super admin enabled.");
740 return ERR_EDM_ADD_ADMIN_FAILED;
741 }
742 }
743 return ERR_OK;
744 }
745
EnableAdmin(AppExecFwk::ElementName & admin,EntInfo & entInfo,AdminType type,int32_t userId)746 ErrCode EnterpriseDeviceMgrAbility::EnableAdmin(AppExecFwk::ElementName &admin, EntInfo &entInfo, AdminType type,
747 int32_t userId)
748 {
749 EDMLOGD("EnterpriseDeviceMgrAbility::EnableAdmin user id = %{public}d", userId);
750 std::lock_guard<std::mutex> autoLock(mutexLock_);
751 bool isDebug = GetAccessTokenMgr()->IsDebug();
752 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
753 if (!isDebug && !GetAccessTokenMgr()->VerifyCallingPermission(tokenId, PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
754 EDMLOGW("EnterpriseDeviceMgrAbility::EnableAdmin check permission failed");
755 return EdmReturnErrCode::PERMISSION_DENIED;
756 }
757 std::vector<AppExecFwk::ExtensionAbilityInfo> abilityInfo;
758 AAFwk::Want want;
759 want.SetElement(admin);
760 if (!GetBundleMgr()->QueryExtensionAbilityInfos(want, AppExecFwk::ExtensionAbilityType::ENTERPRISE_ADMIN,
761 AppExecFwk::ExtensionAbilityInfoFlag::GET_EXTENSION_INFO_WITH_PERMISSION, userId, abilityInfo) ||
762 abilityInfo.empty()) {
763 EDMLOGW("EnableAdmin: QueryExtensionAbilityInfos failed");
764 return EdmReturnErrCode::COMPONENT_INVALID;
765 }
766 if (FAILED(VerifyEnableAdminCondition(admin, type, userId, isDebug))) {
767 EDMLOGW("EnableAdmin: VerifyEnableAdminCondition failed.");
768 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
769 }
770
771 /* Get all request and registered permissions */
772 std::vector<std::string> permissionList;
773 if (FAILED(GetAllPermissionsByAdmin(admin.GetBundleName(), type, userId, permissionList))) {
774 EDMLOGW("EnableAdmin: GetAllPermissionsByAdmin failed");
775 return EdmReturnErrCode::COMPONENT_INVALID;
776 }
777 Admin edmAdmin(abilityInfo.at(0), type, entInfo, permissionList, isDebug);
778 if (FAILED(adminMgr_->SetAdminValue(userId, edmAdmin))) {
779 EDMLOGE("EnableAdmin: SetAdminValue failed.");
780 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
781 }
782 system::SetParameter(PARAM_EDM_ENABLE, "true");
783 EDMLOGI("EnableAdmin: SetAdminValue success %{public}s, type:%{public}d", admin.GetBundleName().c_str(),
784 static_cast<uint32_t>(type));
785 AAFwk::Want connectWant;
786 connectWant.SetElementName(admin.GetBundleName(), admin.GetAbilityName());
787 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
788 sptr<IEnterpriseConnection> connection =
789 manager->CreateAdminConnection(connectWant, IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, userId);
790 manager->ConnectAbility(connection);
791 return ERR_OK;
792 }
793
RemoveAdminItem(const std::string & adminName,const std::string & policyName,const std::string & policyValue,int32_t userId)794 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminItem(const std::string &adminName, const std::string &policyName,
795 const std::string &policyValue, int32_t userId)
796 {
797 InitAllPlugins();
798 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByPolicyName(policyName);
799 if (plugin == nullptr) {
800 EDMLOGW("RemoveAdminItem: Get plugin by policy failed: %{public}s\n", policyName.c_str());
801 return ERR_EDM_GET_PLUGIN_MGR_FAILED;
802 }
803 ErrCode ret = plugin->OnAdminRemove(adminName, policyValue, userId);
804 if (ret != ERR_OK) {
805 EDMLOGW("RemoveAdminItem: OnAdminRemove failed, admin:%{public}s, value:%{public}s, res:%{public}d\n",
806 adminName.c_str(), policyValue.c_str(), ret);
807 }
808 if (plugin->NeedSavePolicy()) {
809 std::string mergedPolicyData;
810 ret = plugin->MergePolicyData(adminName, mergedPolicyData);
811 if (ret != ERR_OK) {
812 EDMLOGW("RemoveAdminItem: Get admin by policy name failed: %{public}s, ErrCode:%{public}d\n",
813 policyName.c_str(), ret);
814 }
815
816 ErrCode setRet = ERR_OK;
817 std::unordered_map<std::string, std::string> adminListMap;
818 ret = policyMgr_->GetAdminByPolicyName(policyName, adminListMap, userId);
819 if ((ret == ERR_EDM_POLICY_NOT_FOUND) || adminListMap.empty()) {
820 setRet = policyMgr_->SetPolicy("", policyName, "", "", userId);
821 } else {
822 setRet = policyMgr_->SetPolicy(adminName, policyName, "", mergedPolicyData, userId);
823 }
824
825 if (FAILED(setRet)) {
826 EDMLOGW("RemoveAdminItem: DeleteAdminPolicy failed, admin:%{public}s, policy:%{public}s, res:%{public}d\n",
827 adminName.c_str(), policyName.c_str(), ret);
828 return ERR_EDM_DEL_ADMIN_FAILED;
829 }
830 }
831 plugin->OnAdminRemoveDone(adminName, policyValue, userId);
832 return ERR_OK;
833 }
834
RemoveAdminAndAdminPolicy(const std::string & adminName,int32_t userId)835 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminAndAdminPolicy(const std::string &adminName, int32_t userId)
836 {
837 EDMLOGD("RemoveAdminAndAdminPolicy:admin: %{public}s, user id:%{public}d.", adminName.c_str(), userId);
838 ErrCode removeAdminPolicyRet = RemoveAdminPolicy(adminName, userId);
839 if (FAILED(removeAdminPolicyRet)) {
840 EDMLOGE("Remove admin %{public}s policy with user id = %{public}d fail.", adminName.c_str(), userId);
841 return removeAdminPolicyRet;
842 }
843
844 ErrCode removeAdminRet = RemoveAdmin(adminName, userId);
845 if (FAILED(removeAdminRet)) {
846 EDMLOGE("Remove admin %{public}s with user id = %{public}d fail.", adminName.c_str(), userId);
847 return removeAdminRet;
848 }
849 return ERR_OK;
850 }
851
RemoveAdmin(const std::string & adminName,int32_t userId)852 ErrCode EnterpriseDeviceMgrAbility::RemoveAdmin(const std::string &adminName, int32_t userId)
853 {
854 bool shouldUnsubscribeAppState = ShouldUnsubscribeAppState(adminName, userId);
855 auto ret = adminMgr_->DeleteAdmin(adminName, userId);
856 if (ret != ERR_OK && ret != ERR_EDM_UNKNOWN_ADMIN) {
857 return ERR_EDM_DEL_ADMIN_FAILED;
858 }
859 if (shouldUnsubscribeAppState) {
860 UnsubscribeAppState();
861 }
862 return ERR_OK;
863 }
864
RemoveAdminPolicy(const std::string & adminName,int32_t userId)865 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminPolicy(const std::string &adminName, int32_t userId)
866 {
867 std::unordered_map<std::string, std::string> policyItems;
868 policyMgr_->GetAllPolicyByAdmin(adminName, policyItems, userId);
869 for (const auto &policyItem : policyItems) {
870 std::string policyItemName = policyItem.first;
871 std::string policyItemValue = policyItem.second;
872 EDMLOGD("RemoveAdminPolicy:policyName:%{public}s", policyItemName.c_str());
873 if (RemoveAdminItem(adminName, policyItemName, policyItemValue, userId) != ERR_OK) {
874 return ERR_EDM_DEL_ADMIN_FAILED;
875 }
876 }
877 return ERR_OK;
878 }
879
RemoveSubSuperAdminAndAdminPolicy(const std::string & bundleName)880 ErrCode EnterpriseDeviceMgrAbility::RemoveSubSuperAdminAndAdminPolicy(const std::string &bundleName)
881 {
882 std::vector<int32_t> userIds;
883 policyMgr_->GetPolicyUserIds(userIds);
884 return RemoveSubOrSuperAdminAndAdminPolicy(bundleName, userIds);
885 }
886
RemoveSuperAdminAndAdminPolicy(const std::string & bundleName)887 ErrCode EnterpriseDeviceMgrAbility::RemoveSuperAdminAndAdminPolicy(const std::string &bundleName)
888 {
889 std::vector<int32_t> userIds;
890 policyMgr_->GetPolicyUserIds(userIds);
891 // remove sub-super admin
892 std::vector<std::string> subAdmins;
893 adminMgr_->GetSubSuperAdminsByParentName(bundleName, subAdmins);
894 for (auto const &subAdminName : subAdmins) {
895 if (RemoveSubOrSuperAdminAndAdminPolicy(subAdminName, userIds) != ERR_OK) {
896 return ERR_EDM_DEL_ADMIN_FAILED;
897 }
898 }
899 // remove super admin on other userid
900 return RemoveSubOrSuperAdminAndAdminPolicy(bundleName, userIds);
901 }
902
RemoveSubOrSuperAdminAndAdminPolicy(const std::string & bundleName,const std::vector<int32_t> & nonDefaultUserIds)903 ErrCode EnterpriseDeviceMgrAbility::RemoveSubOrSuperAdminAndAdminPolicy(const std::string &bundleName,
904 const std::vector<int32_t> &nonDefaultUserIds)
905 {
906 // remove super admin on other userid
907 for (auto const &userId : nonDefaultUserIds) {
908 if (RemoveAdminAndAdminPolicy(bundleName, userId) != ERR_OK) {
909 return ERR_EDM_DEL_ADMIN_FAILED;
910 }
911 }
912 // remove super admin default userid
913 return RemoveAdminAndAdminPolicy(bundleName, DEFAULT_USER_ID);
914 }
915
ShouldUnsubscribeAppState(const std::string & adminName,int32_t userId)916 bool EnterpriseDeviceMgrAbility::ShouldUnsubscribeAppState(const std::string &adminName, int32_t userId)
917 {
918 std::shared_ptr<Admin> adminPtr = adminMgr_->GetAdminByPkgName(adminName, userId);
919 if (adminPtr == nullptr) {
920 EDMLOGE("ShouldUnsubscribeAppState adminPtr null");
921 return false;
922 }
923 return std::any_of(adminPtr->adminInfo_.managedEvents_.begin(), adminPtr->adminInfo_.managedEvents_.end(),
924 [](ManagedEvent event) { return event == ManagedEvent::APP_START || event == ManagedEvent::APP_STOP; });
925 }
926
DisableAdmin(AppExecFwk::ElementName & admin,int32_t userId)927 ErrCode EnterpriseDeviceMgrAbility::DisableAdmin(AppExecFwk::ElementName &admin, int32_t userId)
928 {
929 EDMLOGI("EnterpriseDeviceMgrAbility::DisableAdmin user id = %{public}d", userId);
930 bool isSDA = IsSuperAdmin(admin.GetBundleName());
931 userId = isSDA ? DEFAULT_USER_ID : userId;
932 AdminType adminType = isSDA ? AdminType::ENT : AdminType::NORMAL;
933 return DoDisableAdmin(admin.GetBundleName(), userId, adminType);
934 }
935
CheckCallingUid(const std::string & bundleName)936 ErrCode EnterpriseDeviceMgrAbility::CheckCallingUid(const std::string &bundleName)
937 {
938 // super admin can be removed by itself
939 int uid = GetCallingUid();
940 std::string callingBundleName;
941 if (GetBundleMgr()->GetNameForUid(uid, callingBundleName) != ERR_OK) {
942 EDMLOGW("CheckCallingUid failed: get bundleName for uid %{public}d fail.", uid);
943 return ERR_EDM_PERMISSION_ERROR;
944 }
945 if (bundleName == callingBundleName) {
946 return ERR_OK;
947 }
948 EDMLOGW("CheckCallingUid failed: only the app %{public}s can remove itself.", callingBundleName.c_str());
949 return ERR_EDM_PERMISSION_ERROR;
950 }
951
DisableSuperAdmin(const std::string & bundleName)952 ErrCode EnterpriseDeviceMgrAbility::DisableSuperAdmin(const std::string &bundleName)
953 {
954 EDMLOGI("EnterpriseDeviceMgrAbility::DisableSuperAdmin bundle name = %{public}s", bundleName.c_str());
955 return DoDisableAdmin(bundleName, DEFAULT_USER_ID, AdminType::ENT);
956 }
957
DoDisableAdmin(const std::string & bundleName,int32_t userId,AdminType adminType)958 ErrCode EnterpriseDeviceMgrAbility::DoDisableAdmin(const std::string &bundleName, int32_t userId, AdminType adminType)
959 {
960 std::lock_guard<std::mutex> autoLock(mutexLock_);
961 bool isDebug = GetAccessTokenMgr()->IsDebug();
962 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
963 if (!isDebug && !GetAccessTokenMgr()->VerifyCallingPermission(tokenId, PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
964 EDMLOGW("DoDisableAdmin::DisableSuperAdmin check permission failed.");
965 return EdmReturnErrCode::PERMISSION_DENIED;
966 }
967 std::shared_ptr<Admin> admin = adminMgr_->GetAdminByPkgName(bundleName, userId);
968 if (admin == nullptr) {
969 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
970 }
971 if (isDebug && !admin->adminInfo_.isDebug_) {
972 EDMLOGW("DoDisableAdmin: shell command can only remove debug super admin.");
973 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
974 }
975 if (admin->adminInfo_.adminType_ != adminType) {
976 EDMLOGW("DoDisableAdmin: only remove the certain admin.");
977 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
978 }
979 if (adminType == AdminType::ENT && FAILED(RemoveSuperAdminAndAdminPolicy(bundleName))) {
980 EDMLOGW("DoDisableAdmin: remove admin failed.");
981 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
982 } else if (adminType == AdminType::NORMAL && FAILED(RemoveAdminAndAdminPolicy(bundleName, userId))) {
983 EDMLOGW("DoDisableAdmin: disable admin failed.");
984 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
985 }
986 if (!adminMgr_->IsAdminExist()) {
987 system::SetParameter(PARAM_EDM_ENABLE, "false");
988 }
989 AAFwk::Want want;
990 want.SetElementName(admin->adminInfo_.packageName_, admin->adminInfo_.className_);
991 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
992 sptr<IEnterpriseConnection> connection =
993 manager->CreateAdminConnection(want, IEnterpriseAdmin::COMMAND_ON_ADMIN_DISABLED, userId);
994 manager->ConnectAbility(connection);
995 return ERR_OK;
996 }
997
IsSuperAdmin(const std::string & bundleName)998 bool EnterpriseDeviceMgrAbility::IsSuperAdmin(const std::string &bundleName)
999 {
1000 std::lock_guard<std::mutex> autoLock(mutexLock_);
1001 return adminMgr_->IsSuperAdmin(bundleName);
1002 }
1003
IsAdminEnabled(AppExecFwk::ElementName & admin,int32_t userId)1004 bool EnterpriseDeviceMgrAbility::IsAdminEnabled(AppExecFwk::ElementName &admin, int32_t userId)
1005 {
1006 std::lock_guard<std::mutex> autoLock(mutexLock_);
1007 std::shared_ptr<Admin> existAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
1008 if (existAdmin != nullptr) {
1009 EDMLOGD("IsAdminEnabled: get admin successed");
1010 return true;
1011 }
1012 return false;
1013 }
1014
GetCurrentUserId()1015 int32_t EnterpriseDeviceMgrAbility::GetCurrentUserId()
1016 {
1017 std::vector<int32_t> ids;
1018 ErrCode ret = GetOsAccountMgr()->QueryActiveOsAccountIds(ids);
1019 if (FAILED(ret) || ids.empty()) {
1020 EDMLOGE("EnterpriseDeviceMgrAbility GetCurrentUserId failed");
1021 return -1;
1022 }
1023 EDMLOGD("EnterpriseDeviceMgrAbility GetCurrentUserId user id = %{public}d", ids.at(0));
1024 return (ids.at(0));
1025 }
1026
UpdateDevicePolicy(uint32_t code,const std::string & bundleName,MessageParcel & data,MessageParcel & reply,int32_t userId)1027 ErrCode EnterpriseDeviceMgrAbility::UpdateDevicePolicy(uint32_t code, const std::string &bundleName,
1028 MessageParcel &data, MessageParcel &reply, int32_t userId)
1029 {
1030 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1031 if (plugin == nullptr) {
1032 EDMLOGW("UpdateDevicePolicy: get plugin failed, code:%{public}d", code);
1033 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1034 }
1035
1036 std::string policyName = plugin->GetPolicyName();
1037 HandlePolicyData handlePolicyData{"", false};
1038 policyMgr_->GetPolicy(bundleName, policyName, handlePolicyData.policyData, userId);
1039 ErrCode ret = plugin->GetExecuteStrategy()->OnSetExecute(code, data, reply, handlePolicyData, userId);
1040 if (FAILED(ret)) {
1041 EDMLOGW("UpdateDevicePolicy: OnHandlePolicy failed");
1042 return ret;
1043 }
1044 EDMLOGD("UpdateDevicePolicy: isChanged:%{public}d, needSave:%{public}d", handlePolicyData.isChanged,
1045 plugin->NeedSavePolicy());
1046 std::string oldCombinePolicy;
1047 policyMgr_->GetPolicy("", policyName, oldCombinePolicy, userId);
1048 std::string mergedPolicy = handlePolicyData.policyData;
1049 bool isGlobalChanged = false;
1050 if (plugin->NeedSavePolicy() && handlePolicyData.isChanged) {
1051 ret = plugin->MergePolicyData(bundleName, mergedPolicy);
1052 if (FAILED(ret)) {
1053 EDMLOGW("UpdateDevicePolicy: MergePolicyData failed error:%{public}d", ret);
1054 return ret;
1055 }
1056 policyMgr_->SetPolicy(bundleName, policyName, handlePolicyData.policyData, mergedPolicy, userId);
1057 isGlobalChanged = (oldCombinePolicy != mergedPolicy);
1058 }
1059 plugin->OnHandlePolicyDone(code, bundleName, isGlobalChanged, userId);
1060 return ERR_OK;
1061 }
1062
HandleDevicePolicy(uint32_t code,AppExecFwk::ElementName & admin,MessageParcel & data,MessageParcel & reply,int32_t userId)1063 ErrCode EnterpriseDeviceMgrAbility::HandleDevicePolicy(uint32_t code, AppExecFwk::ElementName &admin,
1064 MessageParcel &data, MessageParcel &reply, int32_t userId)
1065 {
1066 std::lock_guard<std::mutex> autoLock(mutexLock_);
1067 InitAllPlugins();
1068 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1069 if (plugin == nullptr) {
1070 EDMLOGW("HandleDevicePolicy: get plugin failed, code:%{public}d", code);
1071 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1072 }
1073 #ifndef EDM_FUZZ_TEST
1074 bool isUserExist = false;
1075 GetOsAccountMgr()->IsOsAccountExists(userId, isUserExist);
1076 if (!isUserExist) {
1077 return EdmReturnErrCode::PARAM_ERROR;
1078 }
1079 ErrCode checkSystemCalling = CheckSystemCalling(plugin->GetApiType(FuncOperateType::SET), "");
1080 if (FAILED(checkSystemCalling)) {
1081 return checkSystemCalling;
1082 }
1083 EDMLOGI("HandleDevicePolicy: HandleDevicePolicy userId = %{public}d", userId);
1084 std::string setPermission = plugin->GetPermission(FuncOperateType::SET, data.ReadString());
1085 ErrCode checkAdminPermission = CheckHandlePolicyPermission(FuncOperateType::SET, admin.GetBundleName(),
1086 plugin->GetPolicyName(), setPermission, userId);
1087 if (FAILED(checkAdminPermission)) {
1088 return checkAdminPermission;
1089 }
1090 #endif
1091 ErrCode ret = UpdateDevicePolicy(code, admin.GetBundleName(), data, reply, userId);
1092 CreateSecurityContent(admin.GetBundleName(), admin.GetAbilityName(), code, plugin->GetPolicyName(), ret);
1093 return ret;
1094 }
1095
CreateSecurityContent(const std::string & bundleName,const std::string & abilityName,uint32_t code,const std::string & policyName,ErrCode errorCode)1096 void EnterpriseDeviceMgrAbility::CreateSecurityContent(const std::string &bundleName, const std::string &abilityName,
1097 uint32_t code, const std::string &policyName, ErrCode errorCode)
1098 {
1099 ReportInfo reportInfo = ReportInfo(FuncCodeUtils::GetOperateType(code), policyName, std::to_string(errorCode));
1100 SecurityReport::ReportSecurityInfo(bundleName, abilityName, reportInfo);
1101 }
1102
GetDevicePolicy(uint32_t code,MessageParcel & data,MessageParcel & reply,int32_t userId)1103 ErrCode EnterpriseDeviceMgrAbility::GetDevicePolicy(uint32_t code, MessageParcel &data, MessageParcel &reply,
1104 int32_t userId)
1105 {
1106 std::lock_guard<std::mutex> autoLock(mutexLock_);
1107 bool isUserExist = false;
1108 GetOsAccountMgr()->IsOsAccountExists(userId, isUserExist);
1109 if (!isUserExist) {
1110 return EdmReturnErrCode::PARAM_ERROR;
1111 }
1112 InitAllPlugins();
1113 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1114 if (plugin == nullptr) {
1115 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1116 }
1117 std::string permissionTag = data.ReadString();
1118 ErrCode checkSystemCalling = CheckSystemCalling(plugin->GetApiType(FuncOperateType::GET), permissionTag);
1119 if (FAILED(checkSystemCalling)) {
1120 return checkSystemCalling;
1121 }
1122 AppExecFwk::ElementName elementName;
1123 // has admin
1124 if (data.ReadInt32() == 0) {
1125 std::unique_ptr<AppExecFwk::ElementName> admin(data.ReadParcelable<AppExecFwk::ElementName>());
1126 if (!admin) {
1127 EDMLOGW("GetDevicePolicy: ReadParcelable failed");
1128 return EdmReturnErrCode::PARAM_ERROR;
1129 }
1130 #ifndef EDM_FUZZ_TEST
1131 std::string getPermission = plugin->GetPermission(FuncOperateType::GET, permissionTag);
1132 ErrCode ret = CheckHandlePolicyPermission(FuncOperateType::GET, admin->GetBundleName(), plugin->GetPolicyName(),
1133 getPermission, userId);
1134 if (FAILED(ret)) {
1135 return ret;
1136 }
1137 #endif
1138 elementName.SetBundleName(admin->GetBundleName());
1139 elementName.SetAbilityName(admin->GetAbilityName());
1140 }
1141 std::string policyName = plugin->GetPolicyName();
1142 std::string policyValue;
1143
1144 if (plugin->NeedSavePolicy()) {
1145 policyMgr_->GetPolicy(elementName.GetBundleName(), policyName, policyValue, userId);
1146 }
1147 ErrCode getRet = plugin->GetExecuteStrategy()->OnGetExecute(code, policyValue, data, reply, userId);
1148 CreateSecurityContent(elementName.GetBundleName(), elementName.GetAbilityName(), code, plugin->GetPolicyName(),
1149 getRet);
1150 return getRet;
1151 }
1152
CheckSystemCalling(IPlugin::ApiType apiType,const std::string & permissionTag)1153 ErrCode EnterpriseDeviceMgrAbility::CheckSystemCalling(IPlugin::ApiType apiType, const std::string &permissionTag)
1154 {
1155 bool isCheckSystem = (apiType == IPlugin::ApiType::SYSTEM)
1156 || (permissionTag == EdmConstants::PERMISSION_TAG_SYSTEM_API);
1157 if (isCheckSystem && !GetAccessTokenMgr()->IsSystemAppOrNative()) {
1158 EDMLOGE("CheckSystemCalling: not system app or native process");
1159 return EdmReturnErrCode::SYSTEM_API_DENIED;
1160 }
1161 return ERR_OK;
1162 }
1163
CheckHandlePolicyPermission(FuncOperateType operateType,const std::string & bundleName,const std::string & policyName,const std::string & permissionName,int32_t userId)1164 ErrCode EnterpriseDeviceMgrAbility::CheckHandlePolicyPermission(FuncOperateType operateType,
1165 const std::string &bundleName, const std::string &policyName, const std::string &permissionName, int32_t userId)
1166 {
1167 if (operateType == FuncOperateType::SET && permissionName.empty()) {
1168 EDMLOGE("CheckHandlePolicyPermission failed, set policy need permission.");
1169 return EdmReturnErrCode::PERMISSION_DENIED;
1170 }
1171 if (permissionName == NONE_PERMISSION_MATCH) {
1172 EDMLOGE("CheckHandlePolicyPermission: GetPermission failed!");
1173 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1174 }
1175 std::shared_ptr<Admin> deviceAdmin = adminMgr_->GetAdminByPkgName(bundleName, GetCurrentUserId());
1176 if (deviceAdmin == nullptr) {
1177 EDMLOGE("CheckHandlePolicyPermission: get admin failed");
1178 return EdmReturnErrCode::ADMIN_INACTIVE;
1179 }
1180 if (FAILED(CheckCallingUid(deviceAdmin->adminInfo_.packageName_))) {
1181 EDMLOGE("CheckHandlePolicyPermission: CheckCallingUid failed.");
1182 return EdmReturnErrCode::PERMISSION_DENIED;
1183 }
1184 if (operateType == FuncOperateType::SET && deviceAdmin->GetAdminType() != AdminType::ENT &&
1185 deviceAdmin->GetAdminType() != AdminType::SUB_SUPER_ADMIN &&
1186 deviceAdmin->GetAdminType() != AdminType::VIRTUAL_ADMIN && userId != GetCurrentUserId()) {
1187 EDMLOGE("CheckHandlePolicyPermission: this admin does not have permission to handle policy of other account.");
1188 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1189 }
1190 if (!permissionName.empty()) {
1191 auto ret = CheckAndUpdatePermission(deviceAdmin, IPCSkeleton::GetCallingTokenID(), permissionName, userId);
1192 if (FAILED(ret)) {
1193 return ret;
1194 }
1195 }
1196 if (!adminMgr_->HasPermissionToHandlePolicy(deviceAdmin, policyName)) {
1197 EDMLOGE("CheckHandlePolicyPermission: this admin does not have permission to handle the policy.");
1198 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1199 }
1200 return ERR_OK;
1201 }
1202
CheckAndUpdatePermission(std::shared_ptr<Admin> admin,Security::AccessToken::AccessTokenID tokenId,const std::string & permission,int32_t userId)1203 ErrCode EnterpriseDeviceMgrAbility::CheckAndUpdatePermission(std::shared_ptr<Admin> admin,
1204 Security::AccessToken::AccessTokenID tokenId, const std::string &permission, int32_t userId)
1205 {
1206 if (admin == nullptr) {
1207 EDMLOGE("CheckHandlePolicyPermission: this admin does not have permission to handle the policy.");
1208 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1209 }
1210 bool callingPermission = GetAccessTokenMgr()->VerifyCallingPermission(tokenId, permission);
1211 bool adminPermission = admin->CheckPermission(permission);
1212 if (callingPermission != adminPermission) {
1213 std::vector<std::string> permissionList;
1214 if (FAILED(GetAllPermissionsByAdmin(admin->adminInfo_.packageName_, admin->GetAdminType(), userId,
1215 permissionList))) {
1216 EDMLOGE("CheckAndUpdatePermission get all permission that admin request failed.");
1217 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1218 }
1219 auto hasPermission = std::find(permissionList.begin(), permissionList.end(), permission);
1220 if (!callingPermission && hasPermission != permissionList.end()) {
1221 EDMLOGE("CheckAndUpdatePermission access token check abnormally.");
1222 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1223 }
1224 if (!adminPermission && hasPermission == permissionList.end()) {
1225 EDMLOGE("CheckAndUpdatePermission this admin does not have the permission.");
1226 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1227 }
1228 Admin updateAdmin(admin->adminInfo_.packageName_, admin->GetAdminType(), permissionList);
1229 updateAdmin.SetAccessiblePolicies(admin->adminInfo_.accessiblePolicies_);
1230 if (FAILED(adminMgr_->UpdateAdmin(admin, userId, updateAdmin))) {
1231 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1232 }
1233 }
1234 if (!callingPermission) {
1235 return EdmReturnErrCode::PERMISSION_DENIED;
1236 }
1237 return ERR_OK;
1238 }
1239
GetEnabledAdmin(AdminType type,std::vector<std::string> & enabledAdminList)1240 ErrCode EnterpriseDeviceMgrAbility::GetEnabledAdmin(AdminType type, std::vector<std::string> &enabledAdminList)
1241 {
1242 std::lock_guard<std::mutex> autoLock(mutexLock_);
1243 std::vector<std::string> superList;
1244 std::vector<std::string> normalList;
1245 switch (type) {
1246 case AdminType::NORMAL:
1247 adminMgr_->GetEnabledAdmin(AdminType::NORMAL, normalList, GetCurrentUserId());
1248 adminMgr_->GetEnabledAdmin(AdminType::ENT, superList, DEFAULT_USER_ID);
1249 break;
1250 case AdminType::ENT:
1251 adminMgr_->GetEnabledAdmin(AdminType::ENT, superList, DEFAULT_USER_ID);
1252 break;
1253 case AdminType::UNKNOWN:
1254 break;
1255 default:
1256 return ERR_EDM_PARAM_ERROR;
1257 }
1258 if (!superList.empty()) {
1259 enabledAdminList.insert(enabledAdminList.begin(), superList.begin(), superList.end());
1260 }
1261 if (!normalList.empty()) {
1262 enabledAdminList.insert(enabledAdminList.begin(), normalList.begin(), normalList.end());
1263 }
1264 for (const auto &enabledAdmin : enabledAdminList) {
1265 EDMLOGD("GetEnabledAdmin: %{public}s", enabledAdmin.c_str());
1266 }
1267 return ERR_OK;
1268 }
1269
GetEnterpriseInfo(AppExecFwk::ElementName & admin,MessageParcel & reply)1270 ErrCode EnterpriseDeviceMgrAbility::GetEnterpriseInfo(AppExecFwk::ElementName &admin, MessageParcel &reply)
1271 {
1272 std::lock_guard<std::mutex> autoLock(mutexLock_);
1273 auto adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1274 if (adminItem != nullptr && adminItem->GetAdminType() == AdminType::VIRTUAL_ADMIN) {
1275 EDMLOGE("GetEnterpriseInfo delegated admin does not have permission to get enterprise info.");
1276 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1277 }
1278 EntInfo entInfo;
1279 int32_t userId = (adminItem != nullptr && (adminItem->GetAdminType() == AdminType::ENT ||
1280 adminItem->GetAdminType() == AdminType::SUB_SUPER_ADMIN)) ? DEFAULT_USER_ID : GetCurrentUserId();
1281 ErrCode code = adminMgr_->GetEntInfo(admin.GetBundleName(), entInfo, userId);
1282 if (code != ERR_OK) {
1283 reply.WriteInt32(EdmReturnErrCode::ADMIN_INACTIVE);
1284 return EdmReturnErrCode::ADMIN_INACTIVE;
1285 }
1286 reply.WriteInt32(ERR_OK);
1287 entInfo.Marshalling(reply);
1288 EDMLOGD(
1289 "EnterpriseDeviceMgrAbility::GetEnterpriseInfo: entInfo->enterpriseName %{public}s, "
1290 "entInfo->description:%{public}s",
1291 entInfo.enterpriseName.c_str(), entInfo.description.c_str());
1292 return ERR_OK;
1293 }
1294
SetEnterpriseInfo(AppExecFwk::ElementName & admin,EntInfo & entInfo)1295 ErrCode EnterpriseDeviceMgrAbility::SetEnterpriseInfo(AppExecFwk::ElementName &admin, EntInfo &entInfo)
1296 {
1297 std::lock_guard<std::mutex> autoLock(mutexLock_);
1298 int32_t userId = GetCurrentUserId();
1299 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
1300 if (adminItem == nullptr) {
1301 return EdmReturnErrCode::ADMIN_INACTIVE;
1302 }
1303 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_SET_ENTERPRISE_INFO, false);
1304 if (FAILED(ret)) {
1305 return ret;
1306 }
1307 if (adminItem->GetAdminType() == AdminType::ENT || adminItem->GetAdminType() == AdminType::SUB_SUPER_ADMIN) {
1308 userId = DEFAULT_USER_ID;
1309 }
1310 ErrCode code = adminMgr_->SetEntInfo(admin.GetBundleName(), entInfo, userId);
1311 return (code != ERR_OK) ? EdmReturnErrCode::ADMIN_INACTIVE : ERR_OK;
1312 }
1313
HandleApplicationEvent(const std::vector<uint32_t> & events,bool subscribe)1314 ErrCode EnterpriseDeviceMgrAbility::HandleApplicationEvent(const std::vector<uint32_t> &events, bool subscribe)
1315 {
1316 bool shouldHandleAppState = std::any_of(events.begin(), events.end(), [](uint32_t event) {
1317 return event == static_cast<uint32_t>(ManagedEvent::APP_START) ||
1318 event == static_cast<uint32_t>(ManagedEvent::APP_STOP);
1319 });
1320 if (!shouldHandleAppState) {
1321 return ERR_OK;
1322 }
1323 if (subscribe) {
1324 return SubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1325 } else {
1326 return UnsubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1327 }
1328 }
1329
SubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1330 ErrCode EnterpriseDeviceMgrAbility::SubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1331 const std::vector<uint32_t> &events)
1332 {
1333 std::lock_guard<std::mutex> autoLock(mutexLock_);
1334 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1335 RETURN_IF_FAILED(HandleApplicationEvent(events, true));
1336 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1337 adminMgr_->SaveSubscribeEvents(events, admin.GetBundleName(), userId);
1338 return ERR_OK;
1339 }
1340
UnsubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1341 ErrCode EnterpriseDeviceMgrAbility::UnsubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1342 const std::vector<uint32_t> &events)
1343 {
1344 std::lock_guard<std::mutex> autoLock(mutexLock_);
1345 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1346 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1347 adminMgr_->RemoveSubscribeEvents(events, admin.GetBundleName(), userId);
1348 return HandleApplicationEvent(events, false);
1349 }
1350
VerifyManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1351 ErrCode EnterpriseDeviceMgrAbility::VerifyManagedEvent(const AppExecFwk::ElementName &admin,
1352 const std::vector<uint32_t> &events)
1353 {
1354 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1355 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_ENTERPRISE_SUBSCRIBE_MANAGED_EVENT, false);
1356 if (FAILED(ret)) {
1357 return ret;
1358 }
1359 if (events.empty()) {
1360 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1361 }
1362 auto iter =
1363 std::find_if(events.begin(), events.end(), [this](uint32_t event) { return !CheckManagedEvent(event); });
1364 if (iter != std::end(events)) {
1365 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1366 }
1367 return ERR_OK;
1368 }
1369
CheckManagedEvent(uint32_t event)1370 bool EnterpriseDeviceMgrAbility::CheckManagedEvent(uint32_t event)
1371 {
1372 switch (event) {
1373 case static_cast<uint32_t>(ManagedEvent::BUNDLE_ADDED):
1374 case static_cast<uint32_t>(ManagedEvent::BUNDLE_REMOVED):
1375 case static_cast<uint32_t>(ManagedEvent::APP_START):
1376 case static_cast<uint32_t>(ManagedEvent::APP_STOP):
1377 case static_cast<uint32_t>(ManagedEvent::SYSTEM_UPDATE):
1378 break;
1379 default:
1380 return false;
1381 }
1382 return true;
1383 }
1384
AuthorizeAdmin(const AppExecFwk::ElementName & admin,const std::string & bundleName)1385 ErrCode EnterpriseDeviceMgrAbility::AuthorizeAdmin(const AppExecFwk::ElementName &admin, const std::string &bundleName)
1386 {
1387 std::lock_guard<std::mutex> autoLock(mutexLock_);
1388 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1389 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN, true);
1390 if (FAILED(ret)) {
1391 return ret;
1392 }
1393 /* Get all request and registered permissions */
1394 std::vector<std::string> permissionList;
1395 if (FAILED(GetAllPermissionsByAdmin(bundleName, AdminType::SUB_SUPER_ADMIN, DEFAULT_USER_ID, permissionList))) {
1396 EDMLOGW("AuthorizeAdmin: GetAllPermissionsByAdmin failed.");
1397 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1398 }
1399 EntInfo entInfo;
1400 AppExecFwk::ExtensionAbilityInfo abilityInfo;
1401 abilityInfo.bundleName = bundleName;
1402 Admin subAdmin(abilityInfo, AdminType::SUB_SUPER_ADMIN, entInfo, permissionList, adminItem->adminInfo_.isDebug_);
1403 subAdmin.SetParentAdminName(admin.GetBundleName());
1404 return adminMgr_->SetAdminValue(DEFAULT_USER_ID, subAdmin);
1405 }
1406
GetSuperAdmin(MessageParcel & reply)1407 ErrCode EnterpriseDeviceMgrAbility::GetSuperAdmin(MessageParcel &reply)
1408 {
1409 std::lock_guard<std::mutex> autoLock(mutexLock_);
1410 auto superAdmin = adminMgr_->GetSuperAdmin();
1411 reply.WriteInt32(ERR_OK);
1412 if (superAdmin == nullptr) {
1413 reply.WriteString("");
1414 reply.WriteString("");
1415 } else {
1416 reply.WriteString(superAdmin->adminInfo_.packageName_);
1417 reply.WriteString(superAdmin->adminInfo_.className_);
1418 }
1419 return ERR_OK;
1420 }
1421
SetDelegatedPolicies(const std::string & parentAdminName,const std::string & bundleName,const std::vector<std::string> & policies)1422 ErrCode EnterpriseDeviceMgrAbility::SetDelegatedPolicies(const std::string &parentAdminName,
1423 const std::string &bundleName, const std::vector<std::string> &policies)
1424 {
1425 std::lock_guard<std::mutex> autoLock(mutexLock_);
1426 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(parentAdminName, GetCurrentUserId());
1427 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_SET_DELEGATED_POLICY, true);
1428 if (FAILED(ret)) {
1429 return ret;
1430 }
1431 if (parentAdminName == bundleName) {
1432 EDMLOGE("SetDelegatedPolicies does not delegated policies to self.");
1433 return EdmReturnErrCode::PARAM_ERROR;
1434 }
1435 if (policies.empty()) {
1436 EDMLOGW("SetDelegatedPolicies remove delegated policies.");
1437 return RemoveSubSuperAdminAndAdminPolicy(bundleName);
1438 }
1439 ret = CheckDelegatedPolicies(adminItem, policies);
1440 if (FAILED(ret)) {
1441 return ret;
1442 }
1443 if (!GetBundleMgr()->IsBundleInstalled(bundleName, DEFAULT_USER_ID)) {
1444 EDMLOGE("SetDelegatedPolicies the delegated application does not installed.");
1445 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1446 }
1447 std::string appDistributionType = GetBundleMgr()->GetApplicationInfo(bundleName, DEFAULT_USER_ID);
1448 if (appDistributionType != APP_TYPE_ENTERPRISE_MDM && appDistributionType != APP_TYPE_ENTERPRISE_NORMAL) {
1449 EDMLOGE("SetDelegatedPolicies get appDistributionType %{public}s.", appDistributionType.c_str());
1450 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1451 }
1452 EntInfo entInfo;
1453 AppExecFwk::ExtensionAbilityInfo abilityInfo;
1454 abilityInfo.bundleName = bundleName;
1455 Admin virtualAdmin(abilityInfo, AdminType::VIRTUAL_ADMIN, entInfo, {}, adminItem->adminInfo_.isDebug_);
1456 virtualAdmin.SetParentAdminName(parentAdminName);
1457 virtualAdmin.SetAccessiblePolicies(policies);
1458 return adminMgr_->SetAdminValue(DEFAULT_USER_ID, virtualAdmin);
1459 }
1460
GetDelegatedPolicies(const std::string & parentAdminName,const std::string & bundleName,std::vector<std::string> & policies)1461 ErrCode EnterpriseDeviceMgrAbility::GetDelegatedPolicies(const std::string &parentAdminName,
1462 const std::string &bundleName, std::vector<std::string> &policies)
1463 {
1464 std::lock_guard<std::mutex> autoLock(mutexLock_);
1465 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(parentAdminName, GetCurrentUserId());
1466 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_SET_DELEGATED_POLICY, true);
1467 if (FAILED(ret)) {
1468 return ret;
1469 }
1470 return adminMgr_->GetPoliciesByVirtualAdmin(bundleName, parentAdminName, policies);
1471 }
1472
GetDelegatedBundleNames(const std::string & parentAdminName,const std::string & policyName,std::vector<std::string> & bundleNames)1473 ErrCode EnterpriseDeviceMgrAbility::GetDelegatedBundleNames(const std::string &parentAdminName,
1474 const std::string &policyName, std::vector<std::string> &bundleNames)
1475 {
1476 if (allowDelegatedPolicies_.find(policyName) == allowDelegatedPolicies_.end()) {
1477 return EdmReturnErrCode::PARAM_ERROR;
1478 }
1479 std::lock_guard<std::mutex> autoLock(mutexLock_);
1480 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(parentAdminName, GetCurrentUserId());
1481 ErrCode ret = CheckCallerPermission(adminItem, PERMISSION_SET_DELEGATED_POLICY, true);
1482 if (FAILED(ret)) {
1483 return ret;
1484 }
1485 adminMgr_->GetVirtualAdminsByPolicy(policyName, parentAdminName, bundleNames);
1486 return ERR_OK;
1487 }
1488
CheckCallerPermission(std::shared_ptr<Admin> admin,const std::string & permission,bool isNeedSuperAdmin)1489 ErrCode EnterpriseDeviceMgrAbility::CheckCallerPermission(std::shared_ptr<Admin> admin, const std::string &permission,
1490 bool isNeedSuperAdmin)
1491 {
1492 if (admin == nullptr) {
1493 return EdmReturnErrCode::ADMIN_INACTIVE;
1494 }
1495 Security::AccessToken::AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
1496 if (!GetAccessTokenMgr()->VerifyCallingPermission(tokenId, permission)) {
1497 EDMLOGE("CheckCallerPermission verify calling permission failed.");
1498 return EdmReturnErrCode::PERMISSION_DENIED;
1499 }
1500 if (FAILED(CheckCallingUid(admin->adminInfo_.packageName_))) {
1501 EDMLOGE("CheckCallerPermission check calling uid failed.");
1502 return EdmReturnErrCode::PERMISSION_DENIED;
1503 }
1504 if (isNeedSuperAdmin && admin->GetAdminType() != AdminType::ENT) {
1505 EDMLOGE("CheckCallerPermission caller not a super admin.");
1506 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1507 }
1508 if (!isNeedSuperAdmin && admin->GetAdminType() == AdminType::VIRTUAL_ADMIN) {
1509 EDMLOGE("CheckCallerPermission delegated admin does not have permission to handle.");
1510 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1511 }
1512 return ERR_OK;
1513 }
1514
CheckDelegatedPolicies(std::shared_ptr<Admin> admin,const std::vector<std::string> & policies)1515 ErrCode EnterpriseDeviceMgrAbility::CheckDelegatedPolicies(std::shared_ptr<Admin> admin,
1516 const std::vector<std::string> &policies)
1517 {
1518 if (admin == nullptr) {
1519 return EdmReturnErrCode::ADMIN_INACTIVE;
1520 }
1521 for (const std::string &policy : policies) {
1522 if (allowDelegatedPolicies_.find(policy) == allowDelegatedPolicies_.end()) {
1523 return EdmReturnErrCode::PARAM_ERROR;
1524 }
1525 auto plugin = pluginMgr_->GetPluginByPolicyName(policy);
1526 if (plugin == nullptr) {
1527 EDMLOGE("CheckDelegatedPolicies get policyName is not exist.");
1528 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1529 }
1530 auto permission = plugin->GetPermission(FuncOperateType::SET);
1531 if (permission == NONE_PERMISSION_MATCH) {
1532 permission = plugin->GetPermission(FuncOperateType::SET, EdmConstants::PERMISSION_TAG_VERSION_12);
1533 }
1534 if (permission.empty() || permission == NONE_PERMISSION_MATCH) {
1535 EDMLOGE("CheckDelegatedPolicies get plugin access permission failed.");
1536 return EdmReturnErrCode::SYSTEM_ABNORMALLY;
1537 }
1538 auto ret = CheckAndUpdatePermission(admin, IPCSkeleton::GetCallingTokenID(), permission, DEFAULT_USER_ID);
1539 if (FAILED(ret)) {
1540 return ret;
1541 }
1542 }
1543 return ERR_OK;
1544 }
1545 } // namespace EDM
1546 } // namespace OHOS