1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_manager.h"
17
18 #include <iostream>
19 #include <numeric>
20 #include <sstream>
21
22 #include "access_token.h"
23 #include "access_token_error.h"
24 #include "accesstoken_dfx_define.h"
25 #include "accesstoken_id_manager.h"
26 #include "accesstoken_info_manager.h"
27 #include "accesstoken_log.h"
28 #include "access_token_db.h"
29 #include "app_manager_access_client.h"
30 #include "callback_manager.h"
31 #ifdef SUPPORT_SANDBOX_APP
32 #include "dlp_permission_set_manager.h"
33 #endif
34 #include "ipc_skeleton.h"
35 #include "parameter.h"
36 #include "permission_definition_cache.h"
37 #include "short_grant_manager.h"
38 #include "permission_map.h"
39 #include "permission_validator.h"
40 #include "perm_setproc.h"
41 #include "token_field_const.h"
42 #ifdef TOKEN_SYNC_ENABLE
43 #include "token_modify_notifier.h"
44 #endif
45
46 namespace OHOS {
47 namespace Security {
48 namespace AccessToken {
49 namespace {
50 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "PermissionManager"};
51 static const char* PERMISSION_STATUS_CHANGE_KEY = "accesstoken.permission.change";
52 static constexpr int32_t VALUE_MAX_LEN = 32;
53 static constexpr int32_t BASE_USER_RANGE = 200000;
54 static const std::vector<std::string> g_notDisplayedPerms = {
55 "ohos.permission.ANSWER_CALL",
56 "ohos.permission.MANAGE_VOICEMAIL",
57 "ohos.permission.READ_CELL_MESSAGES",
58 "ohos.permission.READ_MESSAGES",
59 "ohos.permission.RECEIVE_MMS",
60 "ohos.permission.RECEIVE_SMS",
61 "ohos.permission.RECEIVE_WAP_MESSAGES",
62 "ohos.permission.SEND_MESSAGES",
63 "ohos.permission.READ_CALL_LOG",
64 "ohos.permission.WRITE_CALL_LOG",
65 "ohos.permission.SHORT_TERM_WRITE_IMAGEVIDEO"
66 };
67 constexpr const char* APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM = "enterprise_mdm";
68 }
69 PermissionManager* PermissionManager::implInstance_ = nullptr;
70 std::recursive_mutex PermissionManager::mutex_;
71
GetInstance()72 PermissionManager& PermissionManager::GetInstance()
73 {
74 if (implInstance_ == nullptr) {
75 std::lock_guard<std::recursive_mutex> lock_l(mutex_);
76 if (implInstance_ == nullptr) {
77 implInstance_ = new PermissionManager();
78 }
79 }
80 return *implInstance_;
81 }
82
RegisterImpl(PermissionManager * implInstance)83 void PermissionManager::RegisterImpl(PermissionManager* implInstance)
84 {
85 implInstance_ = implInstance;
86 }
87
PermissionManager()88 PermissionManager::PermissionManager()
89 {
90 char value[VALUE_MAX_LEN] = {0};
91 int32_t ret = GetParameter(PERMISSION_STATUS_CHANGE_KEY, "", value, VALUE_MAX_LEN - 1);
92 if (ret < 0) {
93 ACCESSTOKEN_LOG_ERROR(LABEL, "Return default value, ret=%{public}d", ret);
94 paramValue_ = 0;
95 return;
96 }
97 paramValue_ = static_cast<uint64_t>(std::atoll(value));
98 }
99
~PermissionManager()100 PermissionManager::~PermissionManager()
101 {}
102
ClearAllSecCompGrantedPerm(const std::vector<AccessTokenID> & tokenIdList)103 void PermissionManager::ClearAllSecCompGrantedPerm(const std::vector<AccessTokenID>& tokenIdList)
104 {
105 for (const auto& tokenId : tokenIdList) {
106 std::shared_ptr<HapTokenInfoInner> tokenInfoPtr =
107 AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenId);
108 if (tokenInfoPtr == nullptr) {
109 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenInfo is null, tokenId=%{public}u", tokenId);
110 continue;
111 }
112 std::shared_ptr<PermissionPolicySet> permPolicySet = tokenInfoPtr->GetHapInfoPermissionPolicySet();
113 if (permPolicySet != nullptr) {
114 permPolicySet->ClearSecCompGrantedPerm();
115 }
116 }
117 }
118
AddDefPermissions(const std::vector<PermissionDef> & permList,AccessTokenID tokenId,bool updateFlag)119 void PermissionManager::AddDefPermissions(const std::vector<PermissionDef>& permList, AccessTokenID tokenId,
120 bool updateFlag)
121 {
122 std::vector<PermissionDef> permFilterList;
123 PermissionValidator::FilterInvalidPermissionDef(permList, permFilterList);
124 ACCESSTOKEN_LOG_INFO(LABEL, "PermFilterList size: %{public}zu", permFilterList.size());
125 for (const auto& perm : permFilterList) {
126 if (updateFlag) {
127 PermissionDefinitionCache::GetInstance().Update(perm, tokenId);
128 continue;
129 }
130
131 if (!PermissionDefinitionCache::GetInstance().HasDefinition(perm.permissionName)) {
132 PermissionDefinitionCache::GetInstance().Insert(perm, tokenId);
133 } else {
134 PermissionDefinitionCache::GetInstance().Update(perm, tokenId);
135 ACCESSTOKEN_LOG_INFO(LABEL, "Permission %{public}s has define",
136 TransferPermissionDefToString(perm).c_str());
137 }
138 }
139 }
140
RemoveDefPermissions(AccessTokenID tokenID)141 void PermissionManager::RemoveDefPermissions(AccessTokenID tokenID)
142 {
143 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, tokenID: %{public}u", __func__, tokenID);
144 PermissionDefinitionCache::GetInstance().DeleteByToken(tokenID);
145 }
146
VerifyHapAccessToken(AccessTokenID tokenID,const std::string & permissionName)147 int PermissionManager::VerifyHapAccessToken(AccessTokenID tokenID, const std::string& permissionName)
148 {
149 std::shared_ptr<HapTokenInfoInner> tokenInfoPtr =
150 AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
151 if (tokenInfoPtr == nullptr) {
152 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenInfo is null, tokenId=%{public}u", tokenID);
153 return PERMISSION_DENIED;
154 }
155 std::shared_ptr<PermissionPolicySet> permPolicySet = tokenInfoPtr->GetHapInfoPermissionPolicySet();
156 if (permPolicySet == nullptr) {
157 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
158 return PERMISSION_DENIED;
159 }
160
161 return permPolicySet->VerifyPermissionStatus(permissionName);
162 }
163
VerifyNativeAccessToken(AccessTokenID tokenID,const std::string & permissionName)164 int PermissionManager::VerifyNativeAccessToken(AccessTokenID tokenID, const std::string& permissionName)
165 {
166 std::shared_ptr<NativeTokenInfoInner> tokenInfoPtr =
167 AccessTokenInfoManager::GetInstance().GetNativeTokenInfoInner(tokenID);
168 if (tokenInfoPtr == nullptr) {
169 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenInfo is null, tokenId=%{public}u", tokenID);
170 return PERMISSION_DENIED;
171 }
172
173 NativeTokenInfo info;
174 tokenInfoPtr->TranslateToNativeTokenInfo(info);
175 if (!tokenInfoPtr->IsRemote() && !PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
176 if (PermissionDefinitionCache::GetInstance().IsHapPermissionDefEmpty()) {
177 ACCESSTOKEN_LOG_INFO(LABEL, "Permission definition set has not been installed!");
178 if (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) == TOKEN_NATIVE) {
179 return PERMISSION_GRANTED;
180 }
181 ACCESSTOKEN_LOG_ERROR(LABEL, "Token: %{public}d type error!", tokenID);
182 return PERMISSION_DENIED;
183 }
184 ACCESSTOKEN_LOG_ERROR(LABEL, "No definition for permission: %{public}s!", permissionName.c_str());
185 return PERMISSION_DENIED;
186 }
187 std::shared_ptr<PermissionPolicySet> permPolicySet =
188 AccessTokenInfoManager::GetInstance().GetNativePermissionPolicySet(tokenID);
189 if (permPolicySet == nullptr) {
190 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
191 return PERMISSION_DENIED;
192 }
193
194 return permPolicySet->VerifyPermissionStatus(permissionName);
195 }
196
GetUserGrantedPermissionUsedType(AccessTokenID tokenID,const std::string & permissionName)197 PermUsedTypeEnum PermissionManager::GetUserGrantedPermissionUsedType(
198 AccessTokenID tokenID, const std::string& permissionName)
199 {
200 if ((tokenID == INVALID_TOKENID) ||
201 (TOKEN_HAP != AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID))) {
202 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID: %{public}d is invalid.", tokenID);
203 return PermUsedTypeEnum::INVALID_USED_TYPE;
204 }
205
206 PermissionDef permissionDefResult;
207 int ret = GetDefPermission(permissionName, permissionDefResult);
208 if (RET_SUCCESS != ret) {
209 ACCESSTOKEN_LOG_ERROR(LABEL, "Query permission info of %{public}s failed.", permissionName.c_str());
210 return PermUsedTypeEnum::INVALID_USED_TYPE;
211 }
212
213 std::shared_ptr<PermissionPolicySet> permPolicySet =
214 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenID);
215 if (permPolicySet == nullptr) {
216 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
217 return PermUsedTypeEnum::INVALID_USED_TYPE;
218 }
219
220 return permPolicySet->GetUserGrantedPermissionUsedType(permissionName);
221 }
222
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)223 int PermissionManager::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
224 {
225 if (tokenID == INVALID_TOKENID) {
226 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK",
227 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", VERIFY_TOKEN_ID_ERROR, "CALLER_TOKENID",
228 static_cast<AccessTokenID>(IPCSkeleton::GetCallingTokenID()), "PERMISSION_NAME", permissionName);
229 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
230 return PERMISSION_DENIED;
231 }
232
233 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
234 ACCESSTOKEN_LOG_ERROR(LABEL, "PermissionName: %{public}s, invalid params!", permissionName.c_str());
235 return PERMISSION_DENIED;
236 }
237
238 ATokenTypeEnum tokenType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID);
239 if ((tokenType == TOKEN_NATIVE) || (tokenType == TOKEN_SHELL)) {
240 return VerifyNativeAccessToken(tokenID, permissionName);
241 }
242 if (tokenType == TOKEN_HAP) {
243 return VerifyHapAccessToken(tokenID, permissionName);
244 }
245 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID: %{public}d, invalid tokenType!", tokenID);
246 return PERMISSION_DENIED;
247 }
248
GetDefPermission(const std::string & permissionName,PermissionDef & permissionDefResult)249 int PermissionManager::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult)
250 {
251 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
252 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid params!");
253 return AccessTokenError::ERR_PARAM_INVALID;
254 }
255 return PermissionDefinitionCache::GetInstance().FindByPermissionName(permissionName, permissionDefResult);
256 }
257
GetDefPermissions(AccessTokenID tokenID,std::vector<PermissionDef> & permList)258 int PermissionManager::GetDefPermissions(AccessTokenID tokenID, std::vector<PermissionDef>& permList)
259 {
260 std::shared_ptr<PermissionPolicySet> permPolicySet =
261 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenID);
262 if (permPolicySet == nullptr) {
263 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
264 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
265 }
266
267 permPolicySet->GetDefPermissions(permList);
268 return RET_SUCCESS;
269 }
270
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStateFull> & reqPermList,bool isSystemGrant)271 int PermissionManager::GetReqPermissions(
272 AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant)
273 {
274 ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}s called, tokenID: %{public}u, isSystemGrant: %{public}d",
275 __func__, tokenID, isSystemGrant);
276 std::shared_ptr<PermissionPolicySet> permPolicySet =
277 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenID);
278 if (permPolicySet == nullptr) {
279 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
280 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
281 }
282
283 GrantMode mode = isSystemGrant ? SYSTEM_GRANT : USER_GRANT;
284 std::vector<PermissionStateFull> tmpList;
285 permPolicySet->GetPermissionStateFulls(tmpList);
286 for (const auto& perm : tmpList) {
287 PermissionDef permDef;
288 GetDefPermission(perm.permissionName, permDef);
289 if (permDef.grantMode == mode) {
290 reqPermList.emplace_back(perm);
291 }
292 }
293 return RET_SUCCESS;
294 }
295
IsPermissionRequestedInHap(const std::vector<PermissionStateFull> & permsList,const std::string & permission,int32_t & status,uint32_t & flag)296 static bool IsPermissionRequestedInHap(const std::vector<PermissionStateFull>& permsList,
297 const std::string &permission, int32_t& status, uint32_t& flag)
298 {
299 if (!PermissionDefinitionCache::GetInstance().HasHapPermissionDefinitionForHap(permission)) {
300 ACCESSTOKEN_LOG_ERROR(LABEL, "No definition for hap permission: %{public}s!", permission.c_str());
301 return false;
302 }
303 auto iter = std::find_if(permsList.begin(), permsList.end(), [permission](const PermissionStateFull& perm) {
304 return permission == perm.permissionName;
305 });
306 if (iter == permsList.end()) {
307 ACCESSTOKEN_LOG_WARN(LABEL, "Can not find permission: %{public}s define!", permission.c_str());
308 return false;
309 }
310 ACCESSTOKEN_LOG_DEBUG(LABEL, "Find goal permission: %{public}s, status: %{public}d, flag: %{public}d",
311 permission.c_str(), iter->grantStatus[0], iter->grantFlags[0]);
312 status = iter->grantStatus[0];
313 flag = static_cast<uint32_t>(iter->grantFlags[0]);
314 return true;
315 }
316
IsPermissionRestrictedByRules(const std::string & permission)317 static bool IsPermissionRestrictedByRules(const std::string& permission)
318 {
319 // Several permission is not available to common apps.
320 // Specified apps can get the permission by pre-authorization instead of Pop-ups.
321 auto iterator = std::find(g_notDisplayedPerms.begin(), g_notDisplayedPerms.end(), permission);
322 if (iterator != g_notDisplayedPerms.end()) {
323 ACCESSTOKEN_LOG_WARN(LABEL, "Permission is not available to common apps: %{public}s!", permission.c_str());
324 return true;
325 }
326
327 #ifdef SUPPORT_SANDBOX_APP
328 // Specified dlp permissions are limited to specified dlp type hap.
329 AccessTokenID callingTokenId = IPCSkeleton::GetCallingTokenID();
330 int32_t dlpType = AccessTokenInfoManager::GetInstance().GetHapTokenDlpType(callingTokenId);
331 if ((dlpType != DLP_COMMON) &&
332 !DlpPermissionSetManager::GetInstance().IsPermissionAvailableToDlpHap(dlpType, permission)) {
333 ACCESSTOKEN_LOG_WARN(LABEL,
334 "callingTokenId is not allowed to grant dlp permission: %{public}s!", permission.c_str());
335 return true;
336 }
337 #endif
338
339 return false;
340 }
341
GetSelfPermissionState(const std::vector<PermissionStateFull> & permsList,PermissionListState & permState,int32_t apiVersion)342 void PermissionManager::GetSelfPermissionState(const std::vector<PermissionStateFull>& permsList,
343 PermissionListState& permState, int32_t apiVersion)
344 {
345 int32_t goalGrantStatus;
346 uint32_t goalGrantFlag;
347
348 // api8 require vague location permission refuse directly because there is no vague location permission in api8
349 if ((permState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) && (apiVersion < ACCURATE_LOCATION_API_VERSION)) {
350 permState.state = INVALID_OPER;
351 return;
352 }
353 if (!IsPermissionRequestedInHap(permsList, permState.permissionName, goalGrantStatus, goalGrantFlag)) {
354 permState.state = INVALID_OPER;
355 return;
356 }
357 if (IsPermissionRestrictedByRules(permState.permissionName)) {
358 permState.state = INVALID_OPER;
359 return;
360 }
361 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s: status: %{public}d, flag: %{public}d",
362 permState.permissionName.c_str(), goalGrantStatus, goalGrantFlag);
363 if (goalGrantStatus == PERMISSION_DENIED) {
364 if ((goalGrantFlag & PERMISSION_POLICY_FIXED) != 0) {
365 permState.state = SETTING_OPER;
366 return;
367 }
368
369 if ((goalGrantFlag == PERMISSION_DEFAULT_FLAG) || ((goalGrantFlag & PERMISSION_USER_SET) != 0) ||
370 ((goalGrantFlag & PERMISSION_COMPONENT_SET) != 0) || ((goalGrantFlag & PERMISSION_ALLOW_THIS_TIME) != 0)) {
371 permState.state = DYNAMIC_OPER;
372 return;
373 }
374 if ((goalGrantFlag & PERMISSION_USER_FIXED) != 0) {
375 permState.state = SETTING_OPER;
376 return;
377 }
378 }
379 permState.state = PASS_OPER;
380 return;
381 }
382
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)383 int PermissionManager::GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
384 {
385 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, tokenID: %{public}u, permissionName: %{public}s",
386 __func__, tokenID, permissionName.c_str());
387 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
388 ACCESSTOKEN_LOG_ERROR(LABEL, "PermissionName:%{public}s invalid!", permissionName.c_str());
389 return AccessTokenError::ERR_PARAM_INVALID;
390 }
391 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
392 ACCESSTOKEN_LOG_ERROR(
393 LABEL, "No definition for permission: %{public}s!", permissionName.c_str());
394 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
395 }
396 std::shared_ptr<PermissionPolicySet> permPolicySet =
397 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenID);
398 if (permPolicySet == nullptr) {
399 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenID);
400 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
401 }
402 int32_t fullFlag;
403 int32_t ret = permPolicySet->QueryPermissionFlag(permissionName, fullFlag);
404 if (ret == RET_SUCCESS) {
405 flag = permPolicySet->GetFlagWithoutSpecifiedElement(fullFlag, PERMISSION_GRANTED_BY_POLICY);
406 }
407 return ret;
408 }
409
PermDefToString(const PermissionDef & def,std::string & info) const410 void PermissionManager::PermDefToString(const PermissionDef& def, std::string& info) const
411 {
412 info.append(R"( {)");
413 info.append("\n");
414 info.append(R"( "permissionName": ")" + def.permissionName + R"(")" + ",\n");
415 info.append(R"( "grantMode": )" + std::to_string(def.grantMode) + ",\n");
416 info.append(R"( "availableLevel": )" + std::to_string(def.availableLevel) + ",\n");
417 info.append(R"( "provisionEnable": )" + std::to_string(def.provisionEnable) + ",\n");
418 info.append(R"( "distributedSceneEnable": )" + std::to_string(def.distributedSceneEnable) + ",\n");
419 info.append(R"( "label": ")" + def.label + R"(")" + ",\n");
420 info.append(R"( "labelId": )" + std::to_string(def.labelId) + ",\n");
421 info.append(R"( "description": ")" + def.description + R"(")" + ",\n");
422 info.append(R"( "descriptionId": )" + std::to_string(def.descriptionId) + ",\n");
423 info.append(R"( })");
424 }
425
FindPermRequestToggleStatusFromDb(int32_t userID,const std::string & permissionName)426 int32_t PermissionManager::FindPermRequestToggleStatusFromDb(int32_t userID, const std::string& permissionName)
427 {
428 std::vector<GenericValues> permRequestToggleStatusRes;
429 GenericValues conditionValue;
430 conditionValue.Put(TokenFiledConst::FIELD_USER_ID, userID);
431 conditionValue.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permissionName);
432
433 AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_REQUEST_TOGGLE_STATUS,
434 conditionValue, permRequestToggleStatusRes);
435 if (permRequestToggleStatusRes.empty()) {
436 // never set, return default status: CLOSED if APP_TRACKING_CONSENT
437 return (permissionName == "ohos.permission.APP_TRACKING_CONSENT") ?
438 PermissionRequestToggleStatus::CLOSED : PermissionRequestToggleStatus::OPEN;;
439 }
440 return permRequestToggleStatusRes[0].GetInt(TokenFiledConst::FIELD_REQUEST_TOGGLE_STATUS);
441 }
442
AddPermRequestToggleStatusToDb(int32_t userID,const std::string & permissionName,int32_t status)443 void PermissionManager::AddPermRequestToggleStatusToDb(
444 int32_t userID, const std::string& permissionName, int32_t status)
445 {
446 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permToggleStateLock_);
447 GenericValues value;
448 value.Put(TokenFiledConst::FIELD_USER_ID, userID);
449 value.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permissionName);
450 AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_PERMISSION_REQUEST_TOGGLE_STATUS, value);
451
452 std::vector<GenericValues> permRequestToggleStatusValues;
453 value.Put(TokenFiledConst::FIELD_REQUEST_TOGGLE_STATUS, status);
454 permRequestToggleStatusValues.emplace_back(value);
455 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_PERMISSION_REQUEST_TOGGLE_STATUS,
456 permRequestToggleStatusValues);
457 }
458
SetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t status,int32_t userID)459 int32_t PermissionManager::SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status,
460 int32_t userID)
461 {
462 if (userID == 0) {
463 userID = IPCSkeleton::GetCallingUid() / BASE_USER_RANGE;
464 }
465
466 ACCESSTOKEN_LOG_INFO(LABEL, "UserID=%{public}u, permissionName=%{public}s, status=%{public}d", userID,
467 permissionName.c_str(), status);
468 if (!PermissionValidator::IsUserIdValid(userID)) {
469 ACCESSTOKEN_LOG_ERROR(LABEL, "UserID is invalid.");
470 return AccessTokenError::ERR_PARAM_INVALID;
471 }
472 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
473 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission name is invalid.");
474 return AccessTokenError::ERR_PARAM_INVALID;
475 }
476 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
477 ACCESSTOKEN_LOG_ERROR(
478 LABEL, "Permission=%{public}s is not defined.", permissionName.c_str());
479 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
480 }
481 if (PermissionDefinitionCache::GetInstance().IsSystemGrantedPermission(permissionName)) {
482 ACCESSTOKEN_LOG_ERROR(LABEL, "Only support permissions of user_grant to set.");
483 return AccessTokenError::ERR_PARAM_INVALID;
484 }
485 if (!PermissionValidator::IsToggleStatusValid(status)) {
486 ACCESSTOKEN_LOG_ERROR(LABEL, "Status is invalid.");
487 return AccessTokenError::ERR_PARAM_INVALID;
488 }
489
490 AddPermRequestToggleStatusToDb(userID, permissionName, status);
491
492 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERM_DIALOG_STATUS_INFO",
493 HiviewDFX::HiSysEvent::EventType::STATISTIC, "USERID", userID, "PERMISSION_NAME", permissionName,
494 "TOGGLE_STATUS", status);
495
496 return 0;
497 }
498
GetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t & status,int32_t userID)499 int32_t PermissionManager::GetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t& status,
500 int32_t userID)
501 {
502 if (userID == 0) {
503 userID = IPCSkeleton::GetCallingUid() / BASE_USER_RANGE;
504 }
505
506 ACCESSTOKEN_LOG_INFO(LABEL, "UserID=%{public}u, permissionName=%{public}s", userID, permissionName.c_str());
507 if (!PermissionValidator::IsUserIdValid(userID)) {
508 ACCESSTOKEN_LOG_ERROR(LABEL, "UserID is invalid.");
509 return AccessTokenError::ERR_PARAM_INVALID;
510 }
511 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
512 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission name is invalid.");
513 return AccessTokenError::ERR_PARAM_INVALID;
514 }
515 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
516 ACCESSTOKEN_LOG_ERROR(
517 LABEL, "Permission=%{public}s is not defined.", permissionName.c_str());
518 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
519 }
520 if (PermissionDefinitionCache::GetInstance().IsSystemGrantedPermission(permissionName)) {
521 ACCESSTOKEN_LOG_ERROR(LABEL, "Only support permissions of user_grant to get.");
522 return AccessTokenError::ERR_PARAM_INVALID;
523 }
524
525 status = static_cast<uint32_t>(FindPermRequestToggleStatusFromDb(userID, permissionName));
526
527 return 0;
528 }
529
ParamUpdate(const std::string & permissionName,uint32_t flag,bool filtered)530 void PermissionManager::ParamUpdate(const std::string& permissionName, uint32_t flag, bool filtered)
531 {
532 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permParamSetLock_);
533 if (filtered || (PermissionDefinitionCache::GetInstance().IsUserGrantedPermission(permissionName) &&
534 ((flag != PERMISSION_GRANTED_BY_POLICY) && (flag != PERMISSION_SYSTEM_FIXED)))) {
535 paramValue_++;
536 ACCESSTOKEN_LOG_DEBUG(LABEL,
537 "paramValue_ change %{public}llu", static_cast<unsigned long long>(paramValue_));
538 int32_t res = SetParameter(PERMISSION_STATUS_CHANGE_KEY, std::to_string(paramValue_).c_str());
539 if (res != 0) {
540 ACCESSTOKEN_LOG_ERROR(LABEL, "SetParameter failed %{public}d", res);
541 }
542 }
543 }
544
NotifyWhenPermissionStateUpdated(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag,const std::shared_ptr<HapTokenInfoInner> & infoPtr)545 void PermissionManager::NotifyWhenPermissionStateUpdated(AccessTokenID tokenID, const std::string& permissionName,
546 bool isGranted, uint32_t flag, const std::shared_ptr<HapTokenInfoInner>& infoPtr)
547 {
548 ACCESSTOKEN_LOG_INFO(LABEL, "IsUpdated");
549 int32_t changeType = isGranted ? STATE_CHANGE_GRANTED : STATE_CHANGE_REVOKED;
550
551 // set to kernel(grant/revoke)
552 SetPermToKernel(tokenID, permissionName, isGranted);
553
554 // To notify the listener register.
555 CallbackManager::GetInstance().ExecuteCallbackAsync(tokenID, permissionName, changeType);
556
557 // To notify the client cache to update by resetting paramValue_.
558 ParamUpdate(permissionName, flag, false);
559
560 // DFX.
561 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK_EVENT",
562 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "CODE", USER_GRANT_PERMISSION_EVENT,
563 "CALLER_TOKENID", tokenID, "PERMISSION_NAME", permissionName, "FLAG", flag,
564 "PERMISSION_GRANT_TYPE", changeType);
565 grantEvent_.AddEvent(tokenID, permissionName, infoPtr->permUpdateTimestamp_);
566 }
567
UpdateTokenPermissionState(AccessTokenID id,const std::string & permission,bool isGranted,uint32_t flag,bool needKill)568 int32_t PermissionManager::UpdateTokenPermissionState(
569 AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag, bool needKill)
570 {
571 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(id);
572 if (infoPtr == nullptr) {
573 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenInfo is null, tokenId=%{public}u", id);
574 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
575 }
576 if (infoPtr->IsRemote()) {
577 ACCESSTOKEN_LOG_ERROR(LABEL, "Remote token can not update");
578 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
579 }
580 if ((flag == PERMISSION_ALLOW_THIS_TIME) && isGranted) {
581 if (!TempPermissionObserver::GetInstance().IsAllowGrantTempPermission(id, permission)) {
582 ACCESSTOKEN_LOG_ERROR(LABEL, "Id:%{public}d fail to grant permission:%{public}s", id, permission.c_str());
583 return ERR_IDENTITY_CHECK_FAILED;
584 }
585 }
586 std::shared_ptr<PermissionPolicySet> permPolicySet = infoPtr->GetHapInfoPermissionPolicySet();
587 if (permPolicySet == nullptr) {
588 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", id);
589 return AccessTokenError::ERR_PARAM_INVALID;
590 }
591 #ifdef SUPPORT_SANDBOX_APP
592 int32_t hapDlpType = infoPtr->GetDlpType();
593 if (hapDlpType != DLP_COMMON) {
594 int32_t permDlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permission);
595 if (!DlpPermissionSetManager::GetInstance().IsPermDlpModeAvailableToDlpHap(hapDlpType, permDlpMode)) {
596 ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}s cannot to be granted to %{public}u", permission.c_str(), id);
597 return AccessTokenError::ERR_IDENTITY_CHECK_FAILED;
598 }
599 }
600 #endif
601 int32_t statusBefore = permPolicySet->VerifyPermissionStatus(permission);
602 bool isSecCompGrantedBefore = permPolicySet->IsPermissionGrantedWithSecComp(permission);
603 int32_t ret = permPolicySet->UpdatePermissionStatus(permission, isGranted, flag);
604 if (ret != RET_SUCCESS) {
605 return ret;
606 }
607 int32_t statusAfter = permPolicySet->VerifyPermissionStatus(permission);
608 if (statusAfter != statusBefore) {
609 NotifyWhenPermissionStateUpdated(id, permission, isGranted, flag, infoPtr);
610 // To notify kill process when perm is revoke
611 if (needKill && (!isGranted && !isSecCompGrantedBefore)) {
612 ACCESSTOKEN_LOG_INFO(LABEL, "(%{public}s) is revoked, kill process(%{public}u).", permission.c_str(), id);
613 AppManagerAccessClient::GetInstance().KillProcessesByAccessTokenId(id);
614 }
615 }
616
617 #ifdef TOKEN_SYNC_ENABLE
618 TokenModifyNotifier::GetInstance().NotifyTokenModify(id);
619 #endif
620 if (!ShortGrantManager::GetInstance().IsShortGrantPermission(permission)) {
621 return AccessTokenInfoManager::GetInstance().ModifyHapPermStateFromDb(id, permission, infoPtr);
622 }
623 return RET_SUCCESS;
624 }
625
UpdatePermission(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag,bool needKill)626 int32_t PermissionManager::UpdatePermission(AccessTokenID tokenID, const std::string& permissionName,
627 bool isGranted, uint32_t flag, bool needKill)
628 {
629 int32_t ret = UpdateTokenPermissionState(tokenID, permissionName, isGranted, flag, needKill);
630 if (ret != RET_SUCCESS) {
631 return ret;
632 }
633
634 #ifdef SUPPORT_SANDBOX_APP
635 // The action of sharing would be taken place only if the grant operation or revoke operation equals to success.
636 std::vector<AccessTokenID> tokenIdList;
637 AccessTokenInfoManager::GetInstance().GetRelatedSandBoxHapList(tokenID, tokenIdList);
638 for (const auto& id : tokenIdList) {
639 (void)UpdateTokenPermissionState(id, permissionName, isGranted, flag, needKill);
640 }
641 #endif
642 return RET_SUCCESS;
643 }
644
CheckAndUpdatePermission(AccessTokenID tokenID,const std::string & permissionName,bool isGranted,uint32_t flag)645 int32_t PermissionManager::CheckAndUpdatePermission(AccessTokenID tokenID, const std::string& permissionName,
646 bool isGranted, uint32_t flag)
647 {
648 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
649 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName: %{public}s, Invalid params!", permissionName.c_str());
650 return AccessTokenError::ERR_PARAM_INVALID;
651 }
652 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
653 ACCESSTOKEN_LOG_ERROR(
654 LABEL, "No definition for permission: %{public}s!", permissionName.c_str());
655 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
656 }
657 if (!PermissionValidator::IsPermissionFlagValid(flag)) {
658 ACCESSTOKEN_LOG_ERROR(LABEL, "flag: %{public}d, Invalid params!", flag);
659 return AccessTokenError::ERR_PARAM_INVALID;
660 }
661 bool needKill = false;
662 // To kill process when perm is revoke
663 if (!isGranted && (flag != PERMISSION_ALLOW_THIS_TIME) && (flag != PERMISSION_COMPONENT_SET)) {
664 ACCESSTOKEN_LOG_INFO(LABEL, "Perm(%{public}s) is revoked, kill process(%{public}u).",
665 permissionName.c_str(), tokenID);
666 needKill = true;
667 }
668
669 return UpdatePermission(tokenID, permissionName, isGranted, flag, needKill);
670 }
671
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)672 int32_t PermissionManager::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
673 {
674 ACCESSTOKEN_LOG_INFO(LABEL,
675 "%{public}s called, tokenID: %{public}u, permissionName: %{public}s, flag: %{public}d",
676 __func__, tokenID, permissionName.c_str(), flag);
677 return CheckAndUpdatePermission(tokenID, permissionName, true, flag);
678 }
679
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)680 int32_t PermissionManager::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
681 {
682 ACCESSTOKEN_LOG_INFO(LABEL,
683 "%{public}s called, tokenID: %{public}u, permissionName: %{public}s, flag: %{public}d",
684 __func__, tokenID, permissionName.c_str(), flag);
685 return CheckAndUpdatePermission(tokenID, permissionName, false, flag);
686 }
687
GrantPermissionForSpecifiedTime(AccessTokenID tokenID,const std::string & permissionName,uint32_t onceTime)688 int32_t PermissionManager::GrantPermissionForSpecifiedTime(
689 AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime)
690 {
691 ACCESSTOKEN_LOG_INFO(LABEL,
692 "%{public}s called, tokenID: %{public}u, permissionName: %{public}s, onceTime: %{public}d",
693 __func__, tokenID, permissionName.c_str(), onceTime);
694 return ShortGrantManager::GetInstance().RefreshPermission(tokenID, permissionName, onceTime);
695 }
696
ScopeToString(const std::vector<AccessTokenID> & tokenIDs,const std::vector<std::string> & permList)697 void PermissionManager::ScopeToString(
698 const std::vector<AccessTokenID>& tokenIDs, const std::vector<std::string>& permList)
699 {
700 std::stringstream str;
701 copy(tokenIDs.begin(), tokenIDs.end(), std::ostream_iterator<uint32_t>(str, ", "));
702 std::string tokenidStr = str.str();
703
704 std::string permStr;
705 permStr = accumulate(permList.begin(), permList.end(), std::string(" "));
706
707 ACCESSTOKEN_LOG_INFO(LABEL, "TokenidStr = %{public}s permStr =%{public}s",
708 tokenidStr.c_str(), permStr.c_str());
709 }
710
ScopeFilter(const PermStateChangeScope & scopeSrc,PermStateChangeScope & scopeRes)711 int32_t PermissionManager::ScopeFilter(const PermStateChangeScope& scopeSrc, PermStateChangeScope& scopeRes)
712 {
713 std::set<uint32_t> tokenIdSet;
714 for (const auto& tokenId : scopeSrc.tokenIDs) {
715 if (AccessTokenInfoManager::GetInstance().IsTokenIdExist(tokenId) &&
716 (tokenIdSet.count(tokenId) == 0)) {
717 scopeRes.tokenIDs.emplace_back(tokenId);
718 tokenIdSet.insert(tokenId);
719 continue;
720 }
721 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}d invalid!", tokenId);
722 }
723 std::set<std::string> permSet;
724 for (const auto& permissionName : scopeSrc.permList) {
725 if (PermissionDefinitionCache::GetInstance().HasDefinition(permissionName) &&
726 permSet.count(permissionName) == 0) {
727 scopeRes.permList.emplace_back(permissionName);
728 permSet.insert(permissionName);
729 continue;
730 }
731 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission %{public}s invalid!", permissionName.c_str());
732 }
733 if ((scopeRes.tokenIDs.empty()) && (!scopeSrc.tokenIDs.empty())) {
734 ACCESSTOKEN_LOG_ERROR(LABEL, "Valid tokenid size is 0!");
735 return AccessTokenError::ERR_PARAM_INVALID;
736 }
737 if ((scopeRes.permList.empty()) && (!scopeSrc.permList.empty())) {
738 ACCESSTOKEN_LOG_ERROR(LABEL, "Valid permission size is 0!");
739 return AccessTokenError::ERR_PARAM_INVALID;
740 }
741 ScopeToString(scopeRes.tokenIDs, scopeRes.permList);
742 return RET_SUCCESS;
743 }
744
AddPermStateChangeCallback(const PermStateChangeScope & scope,const sptr<IRemoteObject> & callback)745 int32_t PermissionManager::AddPermStateChangeCallback(
746 const PermStateChangeScope& scope, const sptr<IRemoteObject>& callback)
747 {
748 ACCESSTOKEN_LOG_INFO(LABEL, "Called");
749 PermStateChangeScope scopeRes;
750 int32_t result = ScopeFilter(scope, scopeRes);
751 if (result != RET_SUCCESS) {
752 return result;
753 }
754 return CallbackManager::GetInstance().AddCallback(scope, callback);
755 }
756
RemovePermStateChangeCallback(const sptr<IRemoteObject> & callback)757 int32_t PermissionManager::RemovePermStateChangeCallback(const sptr<IRemoteObject>& callback)
758 {
759 ACCESSTOKEN_LOG_INFO(LABEL, "Called");
760 return CallbackManager::GetInstance().RemoveCallback(callback);
761 }
762
GetApiVersionByTokenId(AccessTokenID tokenID,int32_t & apiVersion)763 bool PermissionManager::GetApiVersionByTokenId(AccessTokenID tokenID, int32_t& apiVersion)
764 {
765 // only hap can do this
766 AccessTokenIDInner *idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenID);
767 ATokenTypeEnum tokenType = (ATokenTypeEnum)(idInner->type);
768 if (tokenType != TOKEN_HAP) {
769 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid token type %{public}d", tokenType);
770 return false;
771 }
772
773 HapTokenInfo hapInfo;
774 int ret = AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo);
775 if (ret != RET_SUCCESS) {
776 ACCESSTOKEN_LOG_ERROR(LABEL, "Get hap token info error!");
777 return false;
778 }
779
780 apiVersion = hapInfo.apiVersion;
781
782 return true;
783 }
784
IsPermissionVaild(const std::string & permissionName)785 bool PermissionManager::IsPermissionVaild(const std::string& permissionName)
786 {
787 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
788 ACCESSTOKEN_LOG_WARN(LABEL, "Invalid permissionName %{public}s", permissionName.c_str());
789 return false;
790 }
791
792 if (!PermissionDefinitionCache::GetInstance().HasDefinition(permissionName)) {
793 ACCESSTOKEN_LOG_WARN(LABEL, "Permission %{public}s has no definition ", permissionName.c_str());
794 return false;
795 }
796 return true;
797 }
798
GetLocationPermissionIndex(std::vector<PermissionListStateParcel> & reqPermList,LocationIndex & locationIndex)799 bool PermissionManager::GetLocationPermissionIndex(std::vector<PermissionListStateParcel>& reqPermList,
800 LocationIndex& locationIndex)
801 {
802 uint32_t index = 0;
803 bool hasFound = false;
804
805 for (const auto& perm : reqPermList) {
806 if (perm.permsState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) {
807 locationIndex.vagueIndex = index;
808 hasFound = true;
809 } else if (perm.permsState.permissionName == ACCURATE_LOCATION_PERMISSION_NAME) {
810 locationIndex.accurateIndex = index;
811 hasFound = true;
812 } else if (perm.permsState.permissionName == BACKGROUND_LOCATION_PERMISSION_NAME) {
813 locationIndex.backIndex = index;
814 hasFound = true;
815 }
816
817 index++;
818
819 if ((locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) &&
820 (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) &&
821 (locationIndex.backIndex != PERMISSION_NOT_REQUSET)) {
822 break;
823 }
824 }
825
826 ACCESSTOKEN_LOG_INFO(LABEL,
827 "vague index is %{public}d, accurate index is %{public}d, background index is %{public}d!",
828 locationIndex.vagueIndex, locationIndex.accurateIndex, locationIndex.backIndex);
829
830 return hasFound;
831 }
832
GetLocationPermissionState(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStateFull> & permsList,int32_t apiVersion,const LocationIndex & locationIndex)833 bool PermissionManager::GetLocationPermissionState(AccessTokenID tokenID,
834 std::vector<PermissionListStateParcel>& reqPermList, std::vector<PermissionStateFull>& permsList,
835 int32_t apiVersion, const LocationIndex& locationIndex)
836 {
837 bool needVagueDynamic = false;
838 bool needAccurateDynamic = false; // needVagueDynamic-false, 1. not request;2. request but not equal to DYNAMIC_OPER
839 if (locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) {
840 GetSelfPermissionState(permsList, reqPermList[locationIndex.vagueIndex].permsState, apiVersion);
841 needVagueDynamic = reqPermList[locationIndex.vagueIndex].permsState.state == DYNAMIC_OPER;
842 }
843
844 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
845 bool isVagueGranted = VerifyHapAccessToken(tokenID, VAGUE_LOCATION_PERMISSION_NAME) == PERMISSION_GRANTED;
846 // request accurate and vague permission, if vague has been set or invalid, accurate can't be requested
847 GetSelfPermissionState(permsList, reqPermList[locationIndex.accurateIndex].permsState, apiVersion);
848 needAccurateDynamic = reqPermList[locationIndex.accurateIndex].permsState.state == DYNAMIC_OPER;
849
850 // update permsState
851 if (needAccurateDynamic) {
852 // vague permissoion is not pop and permission status os not granted
853 if (!needVagueDynamic && !isVagueGranted) {
854 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
855 needAccurateDynamic = false;
856 }
857 }
858 }
859
860 if (locationIndex.backIndex != PERMISSION_NOT_REQUSET) {
861 if (apiVersion >= BACKGROUND_LOCATION_API_VERSION) {
862 // background permission
863 // with back and vague permission, request back can not pop dynamic dialog
864 if (locationIndex.vagueIndex != PERMISSION_NOT_REQUSET) {
865 reqPermList[locationIndex.vagueIndex].permsState.state = INVALID_OPER;
866 }
867 if (locationIndex.accurateIndex != PERMISSION_NOT_REQUSET) {
868 reqPermList[locationIndex.accurateIndex].permsState.state = INVALID_OPER;
869 }
870 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
871 return false;
872 }
873 // with back and vague permission
874 // back state is SETTING_OPER when dynamic pop-up dialog appears and INVALID_OPER when it doesn't
875 GetSelfPermissionState(permsList, reqPermList[locationIndex.backIndex].permsState, apiVersion);
876 if (reqPermList[locationIndex.backIndex].permsState.state == DYNAMIC_OPER) {
877 if (needAccurateDynamic || needVagueDynamic) {
878 reqPermList[locationIndex.backIndex].permsState.state = SETTING_OPER;
879 } else {
880 reqPermList[locationIndex.backIndex].permsState.state = INVALID_OPER;
881 }
882 }
883 }
884 return needVagueDynamic || needAccurateDynamic;
885 }
886
LocationPermissionSpecialHandle(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList,std::vector<PermissionStateFull> & permsList,int32_t apiVersion)887 bool PermissionManager::LocationPermissionSpecialHandle(
888 AccessTokenID tokenID,
889 std::vector<PermissionListStateParcel>& reqPermList,
890 std::vector<PermissionStateFull>& permsList, int32_t apiVersion)
891 {
892 struct LocationIndex locationIndex;
893 if (!GetLocationPermissionIndex(reqPermList, locationIndex)) {
894 return false;
895 }
896 return GetLocationPermissionState(tokenID, reqPermList, permsList, apiVersion, locationIndex);
897 }
898
ClearUserGrantedPermissionState(AccessTokenID tokenID)899 void PermissionManager::ClearUserGrantedPermissionState(AccessTokenID tokenID)
900 {
901 if (ClearUserGrantedPermission(tokenID) != RET_SUCCESS) {
902 return;
903 }
904 std::vector<AccessTokenID> tokenIdList;
905 AccessTokenInfoManager::GetInstance().GetRelatedSandBoxHapList(tokenID, tokenIdList);
906 for (const auto& id : tokenIdList) {
907 (void)ClearUserGrantedPermission(id);
908 }
909 }
910
NotifyUpdatedPermList(const std::vector<std::string> & grantedPermListBefore,const std::vector<std::string> & grantedPermListAfter,AccessTokenID tokenID)911 void PermissionManager::NotifyUpdatedPermList(const std::vector<std::string>& grantedPermListBefore,
912 const std::vector<std::string>& grantedPermListAfter, AccessTokenID tokenID)
913 {
914 for (uint32_t i = 0; i < grantedPermListBefore.size(); i++) {
915 auto it = find(grantedPermListAfter.begin(), grantedPermListAfter.end(), grantedPermListBefore[i]);
916 if (it == grantedPermListAfter.end()) {
917 CallbackManager::GetInstance().ExecuteCallbackAsync(
918 tokenID, grantedPermListBefore[i], STATE_CHANGE_REVOKED);
919 ParamUpdate(grantedPermListBefore[i], 0, true);
920 }
921 }
922 for (uint32_t i = 0; i < grantedPermListAfter.size(); i++) {
923 auto it = find(grantedPermListBefore.begin(), grantedPermListBefore.end(), grantedPermListAfter[i]);
924 if (it == grantedPermListBefore.end()) {
925 CallbackManager::GetInstance().ExecuteCallbackAsync(
926 tokenID, grantedPermListAfter[i], STATE_CHANGE_GRANTED);
927 ParamUpdate(grantedPermListAfter[i], 0, false);
928 }
929 }
930 }
931
IsPermissionStateOrFlagMatched(const PermissionStateFull & state1,const PermissionStateFull & state2)932 bool PermissionManager::IsPermissionStateOrFlagMatched(const PermissionStateFull& state1,
933 const PermissionStateFull& state2)
934 {
935 return ((state1.grantStatus[0] == state2.grantStatus[0]) && (state1.grantFlags[0] == state2.grantFlags[0]));
936 }
937
GetStateOrFlagChangedList(std::vector<PermissionStateFull> & stateListBefore,std::vector<PermissionStateFull> & stateListAfter,std::vector<PermissionStateFull> & stateChangeList)938 void PermissionManager::GetStateOrFlagChangedList(std::vector<PermissionStateFull>& stateListBefore,
939 std::vector<PermissionStateFull>& stateListAfter, std::vector<PermissionStateFull>& stateChangeList)
940 {
941 uint32_t size = stateListBefore.size();
942
943 for (uint32_t i = 0; i < size; ++i) {
944 PermissionStateFull state1 = stateListBefore[i];
945 PermissionStateFull state2 = stateListAfter[i];
946
947 if (!IsPermissionStateOrFlagMatched(state1, state2)) {
948 stateChangeList.emplace_back(state2);
949 }
950 }
951 }
952
ClearUserGrantedPermission(AccessTokenID tokenID)953 int32_t PermissionManager::ClearUserGrantedPermission(AccessTokenID tokenID)
954 {
955 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
956 if (infoPtr == nullptr) {
957 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u is invalid.", tokenID);
958 return ERR_PARAM_INVALID;
959 }
960 if (infoPtr->IsRemote()) {
961 ACCESSTOKEN_LOG_ERROR(LABEL, "It is a remote hap token %{public}u!", tokenID);
962 return ERR_IDENTITY_CHECK_FAILED;
963 }
964 std::shared_ptr<PermissionPolicySet> permPolicySet = infoPtr->GetHapInfoPermissionPolicySet();
965 if (permPolicySet == nullptr) {
966 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid params!");
967 return ERR_PARAM_INVALID;
968 }
969 std::vector<std::string> grantedPermListBefore;
970 permPolicySet->GetGrantedPermissionList(grantedPermListBefore);
971 std::vector<PermissionStateFull> stateListBefore;
972 permPolicySet->GetPermissionStateList(stateListBefore);
973
974 // reset permission.
975 permPolicySet->ResetUserGrantPermissionStatus();
976 // clear security component granted permission which is not requested in module.json.
977 permPolicySet->ClearSecCompGrantedPerm();
978
979 #ifdef SUPPORT_SANDBOX_APP
980 // update permission status with dlp permission rule.
981 std::vector<PermissionStateFull> permListOfHap;
982 permPolicySet->GetPermissionStateFulls(permListOfHap);
983 DlpPermissionSetManager::GetInstance().UpdatePermStateWithDlpInfo(
984 infoPtr->GetDlpType(), permListOfHap);
985 permPolicySet->Update(permListOfHap);
986 #endif
987
988 std::vector<std::string> grantedPermListAfter;
989 permPolicySet->GetGrantedPermissionList(grantedPermListAfter);
990 std::vector<PermissionStateFull> stateListAfter;
991 permPolicySet->GetPermissionStateList(stateListAfter);
992 std::vector<PermissionStateFull> stateChangeList;
993 GetStateOrFlagChangedList(stateListBefore, stateListAfter, stateChangeList);
994 if (!AccessTokenInfoManager::GetInstance().UpdateStatesToDatabase(tokenID, stateChangeList)) {
995 return ERR_DATABASE_OPERATE_FAILED;
996 }
997
998 // clear
999 AddPermToKernel(tokenID, permPolicySet);
1000
1001 NotifyUpdatedPermList(grantedPermListBefore, grantedPermListAfter, tokenID);
1002 return RET_SUCCESS;
1003 }
1004
NotifyPermGrantStoreResult(bool result,uint64_t timestamp)1005 void PermissionManager::NotifyPermGrantStoreResult(bool result, uint64_t timestamp)
1006 {
1007 grantEvent_.NotifyPermGrantStoreResult(result, timestamp);
1008 }
1009
TransferPermissionDefToString(const PermissionDef & inPermissionDef)1010 std::string PermissionManager::TransferPermissionDefToString(const PermissionDef& inPermissionDef)
1011 {
1012 std::string infos;
1013 infos.append(R"({"permissionName": ")" + inPermissionDef.permissionName + R"(")");
1014 infos.append(R"(, "bundleName": ")" + inPermissionDef.bundleName + R"(")");
1015 infos.append(R"(, "grantMode": )" + std::to_string(inPermissionDef.grantMode));
1016 infos.append(R"(, "availableLevel": )" + std::to_string(inPermissionDef.availableLevel));
1017 infos.append(R"(, "provisionEnable": )" + std::to_string(inPermissionDef.provisionEnable));
1018 infos.append(R"(, "distributedSceneEnable": )" + std::to_string(inPermissionDef.distributedSceneEnable));
1019 infos.append(R"(, "label": ")" + inPermissionDef.label + R"(")");
1020 infos.append(R"(, "labelId": )" + std::to_string(inPermissionDef.labelId));
1021 infos.append(R"(, "description": ")" + inPermissionDef.description + R"(")");
1022 infos.append(R"(, "descriptionId": )" + std::to_string(inPermissionDef.descriptionId));
1023 infos.append(R"(, "availableType": )" + std::to_string(inPermissionDef.availableType));
1024 infos.append("}");
1025 return infos;
1026 }
1027
AddPermToKernel(AccessTokenID tokenID,const std::shared_ptr<PermissionPolicySet> & policy)1028 void PermissionManager::AddPermToKernel(AccessTokenID tokenID, const std::shared_ptr<PermissionPolicySet>& policy)
1029 {
1030 if (policy == nullptr) {
1031 return;
1032 }
1033 std::vector<uint32_t> opCodeList;
1034 std::vector<bool> statusList;
1035 policy->GetPermissionStateList(opCodeList, statusList);
1036 int32_t ret = AddPermissionToKernel(tokenID, opCodeList, statusList);
1037 if (ret != ACCESS_TOKEN_OK) {
1038 ACCESSTOKEN_LOG_ERROR(LABEL, "AddPermissionToKernel(token=%{public}d), size=%{public}zu, err=%{public}d",
1039 tokenID, opCodeList.size(), ret);
1040 }
1041 }
1042
RemovePermFromKernel(AccessTokenID tokenID)1043 void PermissionManager::RemovePermFromKernel(AccessTokenID tokenID)
1044 {
1045 int32_t ret = RemovePermissionFromKernel(tokenID);
1046 ACCESSTOKEN_LOG_INFO(LABEL,
1047 "RemovePermissionFromKernel(token=%{public}d), err=%{public}d", tokenID, ret);
1048 }
1049
SetPermToKernel(AccessTokenID tokenID,const std::string & permissionName,bool isGranted)1050 void PermissionManager::SetPermToKernel(AccessTokenID tokenID, const std::string& permissionName, bool isGranted)
1051 {
1052 uint32_t code;
1053 if (!TransferPermissionToOpcode(permissionName, code)) {
1054 return;
1055 }
1056 int32_t ret = SetPermissionToKernel(tokenID, code, isGranted);
1057 ACCESSTOKEN_LOG_INFO(LABEL,
1058 "SetPermissionToKernel(token=%{public}d, permission=(%{public}s), err=%{public}d",
1059 tokenID, permissionName.c_str(), ret);
1060 }
1061
IsAclSatisfied(const PermissionDef & permDef,const HapPolicyParams & policy)1062 bool IsAclSatisfied(const PermissionDef& permDef, const HapPolicyParams& policy)
1063 {
1064 if (policy.apl < permDef.availableLevel) {
1065 if (!permDef.provisionEnable) {
1066 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s provisionEnable is false.", permDef.permissionName.c_str());
1067 return false;
1068 }
1069 auto isAclExist = std::any_of(
1070 policy.aclRequestedList.begin(), policy.aclRequestedList.end(), [permDef](const auto &perm) {
1071 return permDef.permissionName == perm;
1072 });
1073 if (!isAclExist) {
1074 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s need acl.", permDef.permissionName.c_str());
1075 return false;
1076 }
1077 }
1078 return true;
1079 }
1080
IsPermAvailableRangeSatisfied(const PermissionDef & permDef,const std::string & appDistributionType)1081 bool IsPermAvailableRangeSatisfied(const PermissionDef& permDef, const std::string& appDistributionType)
1082 {
1083 if (permDef.availableType == ATokenAvailableTypeEnum::MDM) {
1084 if (appDistributionType == "none") {
1085 ACCESSTOKEN_LOG_INFO(LABEL, "Debug app use permission: %{public}s.",
1086 permDef.permissionName.c_str());
1087 return true;
1088 }
1089 if (appDistributionType != APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM) {
1090 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s is a mdm permission, the hap is not a mdm application.",
1091 permDef.permissionName.c_str());
1092 return false;
1093 }
1094 }
1095 return true;
1096 }
1097
IsUserGrantPermPreAuthorized(const std::vector<PreAuthorizationInfo> & list,const std::string & permissionName,bool & userCancelable)1098 bool IsUserGrantPermPreAuthorized(const std::vector<PreAuthorizationInfo> &list,
1099 const std::string &permissionName, bool &userCancelable)
1100 {
1101 auto iter = std::find_if(list.begin(), list.end(), [&permissionName](const auto &info) {
1102 return info.permissionName == permissionName;
1103 });
1104 if (iter == list.end()) {
1105 ACCESSTOKEN_LOG_INFO(LABEL, "Permission(%{public}s) is not in the list", permissionName.c_str());
1106 return false;
1107 }
1108
1109 userCancelable = iter->userCancelable;
1110 return true;
1111 }
1112
InitDlpPermissionList(const std::string & bundleName,int32_t userId,std::vector<PermissionStateFull> & initializedList)1113 bool PermissionManager::InitDlpPermissionList(const std::string& bundleName, int32_t userId,
1114 std::vector<PermissionStateFull>& initializedList)
1115 {
1116 // get dlp original app
1117 AccessTokenIDEx tokenId = AccessTokenInfoManager::GetInstance().GetHapTokenID(userId, bundleName, 0);
1118 std::shared_ptr<PermissionPolicySet> permPolicySet =
1119 AccessTokenInfoManager::GetInstance().GetHapPermissionPolicySet(tokenId.tokenIdExStruct.tokenID);
1120 if (permPolicySet == nullptr) {
1121 ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", tokenId.tokenIdExStruct.tokenID);
1122 return false;
1123 }
1124 permPolicySet->GetPermissionStateFulls(initializedList);
1125 return true;
1126 }
1127
InitPermissionList(const std::string & appDistributionType,const HapPolicyParams & policy,std::vector<PermissionStateFull> & initializedList)1128 bool PermissionManager::InitPermissionList(const std::string& appDistributionType,
1129 const HapPolicyParams& policy, std::vector<PermissionStateFull>& initializedList)
1130 {
1131 ACCESSTOKEN_LOG_INFO(LABEL, "Before, request perm list size: %{public}zu, preAuthorizationInfo size %{public}zu, "
1132 "ACLRequestedList size %{public}zu.",
1133 policy.permStateList.size(), policy.preAuthorizationInfo.size(), policy.aclRequestedList.size());
1134
1135 for (auto state : policy.permStateList) {
1136 PermissionDef permDef;
1137 int32_t ret = PermissionManager::GetInstance().GetDefPermission(
1138 state.permissionName, permDef);
1139 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
1140 ACCESSTOKEN_LOG_ERROR(LABEL, "Get definition of %{public}s failed, ret = %{public}d.",
1141 state.permissionName.c_str(), ret);
1142 continue;
1143 }
1144 if (!IsAclSatisfied(permDef, policy)) {
1145 ACCESSTOKEN_LOG_ERROR(LABEL, "Acl of %{public}s is invalid.", permDef.permissionName.c_str());
1146 return false;
1147 }
1148
1149 // edm check
1150 if (!IsPermAvailableRangeSatisfied(permDef, appDistributionType)) {
1151 ACCESSTOKEN_LOG_ERROR(LABEL, "Available range of %{public}s is invalid.", permDef.permissionName.c_str());
1152 return false;
1153 }
1154 state.grantFlags[0] = PERMISSION_DEFAULT_FLAG;
1155 state.grantStatus[0] = PERMISSION_DENIED;
1156
1157 if (permDef.grantMode == AccessToken::GrantMode::SYSTEM_GRANT) {
1158 state.grantFlags[0] = PERMISSION_SYSTEM_FIXED;
1159 state.grantStatus[0] = PERMISSION_GRANTED;
1160 initializedList.emplace_back(state);
1161 continue;
1162 }
1163 if (policy.preAuthorizationInfo.size() == 0) {
1164 initializedList.emplace_back(state);
1165 continue;
1166 }
1167 bool userCancelable = true;
1168 if (IsUserGrantPermPreAuthorized(policy.preAuthorizationInfo, state.permissionName, userCancelable)) {
1169 state.grantFlags[0] = userCancelable ? PERMISSION_GRANTED_BY_POLICY : PERMISSION_SYSTEM_FIXED;
1170 state.grantStatus[0] = PERMISSION_GRANTED;
1171 }
1172 initializedList.emplace_back(state);
1173 }
1174 ACCESSTOKEN_LOG_INFO(LABEL, "After, request perm list size: %{public}zu.", initializedList.size());
1175 return true;
1176 }
1177
1178 } // namespace AccessToken
1179 } // namespace Security
1180 } // namespace OHOS
1181