1 /*
2 * Copyright (C) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_manager.h"
17
18 #include "accesstoken_kit.h"
19 #include "bundle_mgr_interface.h"
20 #include "bundle_mgr_proxy.h"
21 #include "iservice_registry.h"
22 #include "os_account_manager.h"
23 #include "tokenid_kit.h"
24 #include "location_log.h"
25 #include "constant_definition.h"
26
27 namespace OHOS {
28 namespace Location {
CheckLocationPermission(uint32_t tokenId,uint32_t firstTokenId)29 bool PermissionManager::CheckLocationPermission(uint32_t tokenId, uint32_t firstTokenId)
30 {
31 return CheckPermission(ACCESS_LOCATION, tokenId, firstTokenId);
32 }
33
CheckPermission(const std::string & permission,uint32_t callerToken,uint32_t tokenFirstCaller)34 bool PermissionManager::CheckPermission(const std::string &permission, uint32_t callerToken, uint32_t tokenFirstCaller)
35 {
36 auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
37 int result = Security::AccessToken::PERMISSION_DENIED;
38 if (tokenFirstCaller == 0) {
39 if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_INVALID) {
40 LBSLOGD(LOCATOR, "tokenid = %{public}d has no permission.permission name=%{public}s",
41 callerToken, permission.c_str());
42 return false;
43 } else {
44 result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permission);
45 }
46 } else {
47 result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, tokenFirstCaller, permission);
48 }
49 if (result == Security::AccessToken::PERMISSION_GRANTED) {
50 return true;
51 } else {
52 LBSLOGD(LOCATOR, "tokenid = %{public}d has no permission.permission name=%{public}s",
53 callerToken, permission.c_str());
54 return false;
55 }
56 }
57
CheckRssProcessName(uint32_t tokenId)58 bool PermissionManager::CheckRssProcessName(uint32_t tokenId)
59 {
60 Security::AccessToken::NativeTokenInfo callingTokenInfo;
61 Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(tokenId, callingTokenInfo);
62 if (callingTokenInfo.processName != RSS_PROCESS_NAME) {
63 LBSLOGE(LOCATOR, "CheckProcess failed, processName=%{public}s", callingTokenInfo.processName.c_str());
64 return false;
65 }
66 return true;
67 }
68
CheckBackgroundPermission(uint32_t tokenId,uint32_t firstTokenId)69 bool PermissionManager::CheckBackgroundPermission(uint32_t tokenId, uint32_t firstTokenId)
70 {
71 return CheckPermission(ACCESS_BACKGROUND_LOCATION, tokenId, firstTokenId);
72 }
73
CheckMockLocationPermission(uint32_t tokenId,uint32_t firstTokenId)74 bool PermissionManager::CheckMockLocationPermission(uint32_t tokenId, uint32_t firstTokenId)
75 {
76 return CheckPermission(ACCESS_MOCK_LOCATION, tokenId, firstTokenId);
77 }
78
CheckApproximatelyPermission(uint32_t tokenId,uint32_t firstTokenId)79 bool PermissionManager::CheckApproximatelyPermission(uint32_t tokenId, uint32_t firstTokenId)
80 {
81 return CheckPermission(ACCESS_APPROXIMATELY_LOCATION, tokenId, firstTokenId);
82 }
83
CheckSecureSettings(uint32_t tokenId,uint32_t firstTokenId)84 bool PermissionManager::CheckSecureSettings(uint32_t tokenId, uint32_t firstTokenId)
85 {
86 return CheckPermission(MANAGE_SECURE_SETTINGS, tokenId, firstTokenId);
87 }
88
CheckCallingPermission(pid_t callingUid,pid_t callingPid,MessageParcel & reply)89 bool PermissionManager::CheckCallingPermission(pid_t callingUid, pid_t callingPid, MessageParcel &reply)
90 {
91 if (callingUid != static_cast<pid_t>(getuid()) || callingPid != getpid()) {
92 LBSLOGE(LOCATOR, "uid pid not match locationhub process.");
93 reply.WriteInt32(ERRCODE_PERMISSION_DENIED);
94 return false;
95 }
96 return true;
97 }
98
GetPermissionLevel(uint32_t tokenId,uint32_t firstTokenId)99 int PermissionManager::GetPermissionLevel(uint32_t tokenId, uint32_t firstTokenId)
100 {
101 int ret = PERMISSION_INVALID;
102 if (CheckPermission(ACCESS_APPROXIMATELY_LOCATION, tokenId, firstTokenId) &&
103 CheckPermission(ACCESS_LOCATION, tokenId, firstTokenId)) {
104 ret = PERMISSION_ACCURATE;
105 } else if (CheckPermission(ACCESS_APPROXIMATELY_LOCATION, tokenId, firstTokenId) &&
106 !CheckPermission(ACCESS_LOCATION, tokenId, firstTokenId)) {
107 ret = PERMISSION_APPROXIMATELY;
108 } else if (!CheckPermission(ACCESS_APPROXIMATELY_LOCATION, tokenId, firstTokenId) &&
109 CheckPermission(ACCESS_LOCATION, tokenId, firstTokenId)) {
110 ret = PERMISSION_ACCURATE;
111 } else {
112 ret = PERMISSION_INVALID;
113 }
114 return ret;
115 }
116
CheckSystemPermission(uint32_t callerTokenId,uint64_t callerTokenIdEx)117 bool PermissionManager::CheckSystemPermission(uint32_t callerTokenId, uint64_t callerTokenIdEx)
118 {
119 auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
120 if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
121 return true;
122 }
123 if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL ||
124 tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_INVALID) {
125 return false;
126 }
127 bool isSysApp = Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(callerTokenIdEx);
128 return isSysApp;
129 }
130
CheckIsSystemSa(uint32_t tokenId)131 bool PermissionManager::CheckIsSystemSa(uint32_t tokenId)
132 {
133 auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
134 if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
135 return true;
136 }
137 return false;
138 }
139 } // namespace Location
140 } // namespace OHOS