1 /*
2  * Copyright (C) 2022-2023 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *    http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "permission_adapter.h"
17 
18 #include <string>
19 #include <unordered_map>
20 #include <vector>
21 
22 #include "accesstoken_kit.h"
23 #include "ipc_sdk.h"
24 #include "ipc_skeleton.h"
25 
26 #include "device_auth_defines.h"
27 #include "hc_log.h"
28 
29 using namespace std;
30 using namespace OHOS;
31 using namespace OHOS::Security::AccessToken;
32 
// Native process names used as entries in the per-method access lists in this file.
// CheckPermission() matches them by exact string comparison against the
// NativeTokenInfo::processName reported for the IPC caller's token.
#define PROC_NAME_DEVICE_MANAGER "device_manager"
#define PROC_NAME_SOFT_BUS "softbus_server"
#define PROC_NAME_DEVICE_SECURITY_LEVEL "dslm_service"
#define PROC_NAME_ISHARE "CollaborationFwk"
37 
// Access whitelist: IPC method id -> native process names allowed to call that method.
// Consulted by IsProcessInWhitelist(). A method id with no entry here is NOT restricted
// by this table (the lookup treats "no entry" as allowed), so a newly added IPC method
// is only covered once a row is added for it.
// NOTE(review): declared non-const although no code in this file adds or removes entries
// after initialization; consider making it const so the policy cannot be altered at
// runtime (lookups would then have to use find()/at() instead of operator[]).
static unordered_map<int32_t, vector<string>> g_apiAccessWhitelist = {
    { IPC_CALL_ID_PROCESS_CREDENTIAL, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DA_AUTH_DEVICE, { PROC_NAME_DEVICE_MANAGER, PROC_NAME_SOFT_BUS } },
    { IPC_CALL_ID_DA_PROC_DATA, { PROC_NAME_DEVICE_MANAGER, PROC_NAME_SOFT_BUS } },
    { IPC_CALL_ID_DA_CANCEL_REQUEST, { PROC_NAME_DEVICE_MANAGER, PROC_NAME_SOFT_BUS } },
};
44 
// Interface access list: IPC method id -> native process names allowed to call that method.
// Consulted by IsProcessAllowAccess(). As with the whitelist, a method id with no entry
// here is NOT restricted by this table (the lookup treats "no entry" as allowed).
// NOTE(review): declared non-const although no code in this file adds or removes entries
// after initialization; consider making it const so the policy cannot be altered at
// runtime (lookups would then have to use find()/at() instead of operator[]).
static unordered_map<int32_t, vector<string>> g_apiAccessConfig = {
    { IPC_CALL_ID_REG_CB, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_UNREG_CB, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_CREATE_GROUP, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DEL_GROUP, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_ADD_GROUP_MEMBER, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DEL_GROUP_MEMBER, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_GM_PROC_DATA, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_APPLY_REG_INFO, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_ADD_MULTI_GROUP_MEMBERS, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_DEL_MULTI_GROUP_MEMBERS, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_GM_CANCEL_REQUEST, { PROC_NAME_DEVICE_MANAGER } },
    { IPC_CALL_ID_AUTH_DEVICE, { PROC_NAME_SOFT_BUS, PROC_NAME_DEVICE_MANAGER, PROC_NAME_ISHARE } },
    { IPC_CALL_ID_GA_PROC_DATA, { PROC_NAME_SOFT_BUS, PROC_NAME_DEVICE_MANAGER, PROC_NAME_ISHARE } },
    { IPC_CALL_GA_CANCEL_REQUEST, { PROC_NAME_SOFT_BUS, PROC_NAME_DEVICE_MANAGER, PROC_NAME_ISHARE } },
    { IPC_CALL_ID_GET_PK_INFO_LIST, { PROC_NAME_DEVICE_SECURITY_LEVEL } },
};
62 
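/**
 * Tells whether a process may call an IPC method according to g_apiAccessConfig.
 *
 * @param processName native process name of the caller
 * @param methodId    IPC method id being invoked
 * @return true if methodId has no entry in g_apiAccessConfig, or if processName is
 *         listed for it; false if the method is listed and processName is not.
 */
static bool IsProcessAllowAccess(const string &processName, int32_t methodId)
{
    // Single lookup through find(): the check never goes through operator[], which is a
    // mutating accessor and would insert an empty entry on a miss.
    const auto entry = g_apiAccessConfig.find(methodId);
    if (entry == g_apiAccessConfig.end()) {
        // NOTE(review): default-allow. A method id absent from the table is not restricted
        // here, so every new IPC method needs an explicit row to be covered by this check.
        return true;
    }
    const auto &allowedProcs = entry->second;
    return find(allowedProcs.begin(), allowedProcs.end(), processName) != allowedProcs.end();
}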
71 
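/**
 * Tells whether a process may call an IPC method according to g_apiAccessWhitelist.
 * A denial is written to the error log together with the rejected process name.
 *
 * @param processName native process name of the caller
 * @param methodId    IPC method id being invoked
 * @return true if methodId has no entry in g_apiAccessWhitelist, or if processName is
 *         listed for it; false if the method is listed and processName is not.
 */
static bool IsProcessInWhitelist(const string& processName, int32_t methodId)
{
    // Single lookup through find(): the check never goes through operator[], which is a
    // mutating accessor and would insert an empty entry on a miss.
    const auto entry = g_apiAccessWhitelist.find(methodId);
    if (entry == g_apiAccessWhitelist.end()) {
        // NOTE(review): default-allow. A method id absent from the table is not restricted
        // here, so every new IPC method needs an explicit row to be covered by this check.
        return true;
    }
    const auto &allowedProcs = entry->second;
    const bool listed = find(allowedProcs.begin(), allowedProcs.end(), processName) != allowedProcs.end();
    if (!listed) {
        // Message text is kept exactly as it was so existing log searches still match.
        LOGE("Access Denied: Process(%s) not in access whitlist", processName.c_str());
    }
    return listed;
}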
84 
/**
 * Authorizes the caller of the current IPC request for the given method.
 *
 * The caller passes only if all of the following hold:
 *   1. its access token is of type TOKEN_NATIVE;
 *   2. its native token info can be read;
 *   3. its APL is APL_SYSTEM_CORE or APL_SYSTEM_BASIC;
 *   4. its process name passes IsProcessInWhitelist() for methodId;
 *   5. its process name passes IsProcessAllowAccess() for methodId.
 * Each rejection is logged with the reason.
 *
 * NOTE(review): steps 4 and 5 treat a method id that has no table entry as allowed, so for
 * such methods the effective gate is steps 1-3 only.
 * NOTE(review): the caller identity comes from IPCSkeleton::GetCallingTokenID(); presumably
 * this must run in the context of the IPC request being served - confirm with callers.
 *
 * @param methodId IPC method id being invoked
 * @return HC_SUCCESS if the caller is authorized, HC_ERROR otherwise.
 */
int32_t CheckPermission(int32_t methodId)
{
    const AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
    const ATokenTypeEnum callerType = AccessTokenKit::GetTokenTypeFlag(callerToken);
    if (callerType != TOKEN_NATIVE) {
        LOGE("Invalid token type: %d", callerType);
        return HC_ERROR;
    }

    NativeTokenInfo nativeInfo;
    if (AccessTokenKit::GetNativeTokenInfo(callerToken, nativeInfo) != 0) {
        LOGE("GetNativeTokenInfo failed!");
        return HC_ERROR;
    }

    // Only the two system ability privilege levels are accepted.
    const bool aplAccepted = (nativeInfo.apl == APL_SYSTEM_CORE) || (nativeInfo.apl == APL_SYSTEM_BASIC);
    if (!aplAccepted) {
        LOGE("Check permission(APL3=SYSTEM_CORE or APL2=SYSTEM_BASIC) failed! APL: %d", nativeInfo.apl);
        return HC_ERROR;
    }

    // The two per-method lists are checked in this order; each has its own log line.
    if (!IsProcessInWhitelist(nativeInfo.processName, methodId)) {
        LOGE("Check permission(Access Whitelist) failed!");
        return HC_ERROR;
    }
    if (!IsProcessAllowAccess(nativeInfo.processName, methodId)) {
        LOGE("Check permission(Interface Access List) failed!");
        return HC_ERROR;
    }

    return HC_SUCCESS;
}