1 /*
2  * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #ifndef OHOS_ABILITY_RUNTIME_DLP_UTILS_H
17 #define OHOS_ABILITY_RUNTIME_DLP_UTILS_H
18 
19 #include "ability_record.h"
20 #include "bundle_mgr_helper.h"
21 #ifdef WITH_DLP
22 #include "dlp_permission_kit.h"
23 #endif // WITH_DLP
24 #include "global_constant.h"
25 #include "hilog_tag_wrapper.h"
26 #include "in_process_call_wrapper.h"
27 #include "iremote_object.h"
28 #include "permission_verification.h"
29 #include "server_constant.h"
30 #include "want.h"
31 
32 namespace OHOS {
33 namespace AAFwk {
34 namespace DlpUtils {
35 #ifdef WITH_DLP
36 using Dlp = Security::DlpPermission::DlpPermissionKit;
37 #endif // WITH_DLP
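/**
 * @brief Asks the DLP permission kit whether the sandbox application behind @p callerRecord
 *        may start the ability described by @p want.
 *
 * Without WITH_DLP the check is compiled out and always succeeds.
 *
 * @param callerRecord ability record of the caller; its application uid identifies the sandbox.
 * @param want the start request being authorized.
 * @return true when authorization is granted (or DLP support is compiled out); false when the
 *         kit call fails or answers anything other than ALLOW_START_ABILITY.
 */
[[maybe_unused]] static bool SandboxAuthCheck(const AbilityRecord &callerRecord, const Want &want)
{
#ifdef WITH_DLP
    const int32_t uid = callerRecord.GetApplicationInfo().uid;
    // Value-initialized so the comparison below can never read an indeterminate value, even if
    // the kit were to return ERR_OK without writing the out-parameter.
    Security::DlpPermission::SandBoxExternalAuthorType authResult{};
    const int result = Dlp::GetSandboxExternalAuthorization(uid, want, authResult);
    if (result != ERR_OK) {
        TAG_LOGE(AAFwkTag::ABILITYMGR, "GetSandboxExternalAuthorization failed %{public}d", result);
        return false;
    }
    if (authResult != Security::DlpPermission::SandBoxExternalAuthorType::ALLOW_START_ABILITY) {
        TAG_LOGE(AAFwkTag::ABILITYMGR, "Auth failed, not allow start %{public}d", uid);
        return false;
    }
#endif // WITH_DLP
    return true;
}

/**
 * @brief Decides whether the caller may start an ability belonging to another application.
 *
 * Only callers whose app index is above MAX_APP_CLONE_INDEX are subject to the DLP check;
 * every other caller is allowed through. A sandbox caller targeting its own bundle is also
 * allowed; otherwise the decision is delegated to SandboxAuthCheck, so the kit interaction
 * lives in exactly one place.
 *
 * Without WITH_DLP the function always returns true.
 *
 * @param callerToken token of the calling ability; a nullptr token is allowed through.
 * @param want the start request.
 * @return false only when a sandbox caller is denied by the DLP permission kit.
 */
[[maybe_unused]] static bool DlpAccessOtherAppsCheck(const sptr<IRemoteObject> &callerToken, const Want &want)
{
#ifdef WITH_DLP
    // System-ability callers and token-less callers are not subject to the sandbox check.
    if (AAFwk::PermissionVerification::GetInstance()->IsSACall() || callerToken == nullptr) {
        return true;
    }
    const auto abilityRecord = Token::GetAbilityRecordByToken(callerToken);
    if (abilityRecord == nullptr) {
        // NOTE(review): a caller whose record is already gone is allowed through (fail-open);
        // confirm this is the intended outcome for a sandbox torn down mid-request.
        TAG_LOGE(AAFwkTag::ABILITYMGR, "Ability destroyed");
        return true;
    }
    // App indices up to MAX_APP_CLONE_INDEX are not treated as DLP sandboxes.
    if (abilityRecord->GetAppIndex() <= AbilityRuntime::GlobalConstant::MAX_APP_CLONE_INDEX) {
        return true;
    }
    // A sandbox may always start abilities of its own bundle.
    if (abilityRecord->GetApplicationInfo().bundleName == want.GetElement().GetBundleName()) {
        return true;
    }
    return SandboxAuthCheck(*abilityRecord, want);
#else
    return true;
#endif // WITH_DLP
}

#ifdef WITH_DLP
/**
 * @brief Decides whether the caller may start an ability that lives in a DLP sandbox.
 *
 * @param callerToken token of the calling ability; may be nullptr.
 * @param want the start request; its DLP_INDEX parameter selects the sandbox instance
 *             (0 meaning none).
 * @return false when DLP_INDEX names a non-zero index in the app-clone range; true when the
 *         caller is itself a sandbox; otherwise the caller's DLP permission decides.
 */
[[maybe_unused]] static bool OtherAppsAccessDlpCheck(const sptr<IRemoteObject> &callerToken, const Want &want)
{
    const int32_t dlpIndex = want.GetIntParam(AbilityRuntime::ServerConstant::DLP_INDEX, 0);
    // DLP_INDEX is read from the request: a non-zero value inside the app-clone range does not
    // designate a sandbox and is rejected outright.
    if (dlpIndex != 0 && dlpIndex <= AbilityRuntime::GlobalConstant::MAX_APP_CLONE_INDEX) {
        return false;
    }

    if (callerToken != nullptr) {
        const auto abilityRecord = Token::GetAbilityRecordByToken(callerToken);
        // A caller that is itself a sandbox needs no separate permission.
        if (abilityRecord != nullptr &&
            abilityRecord->GetAppIndex() > AbilityRuntime::GlobalConstant::MAX_APP_CLONE_INDEX) {
            return true;
        }
    }

    // VerifyDlpPermission presumably takes a non-const Want; the cast only satisfies that
    // signature and does not indicate that want is modified here.
    return PermissionVerification::GetInstance()->VerifyDlpPermission(const_cast<Want &>(want));
}
#endif // WITH_DLP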
111 
/**
 * @brief Checks that the IPC caller is the DLP manager application.
 *
 * The caller's identity is taken from the calling uid reported by the IPC layer and resolved
 * to a bundle name through the bundle manager, so it does not depend on anything the request
 * itself carries.
 *
 * @param bundleManager helper used to resolve uid -> bundle name; a null helper fails the check.
 * @return true only when the resolved bundle name is the DLP manager's.
 */
static bool CheckCallerIsDlpManager(const std::shared_ptr<AppExecFwk::BundleMgrHelper> &bundleManager)
{
    static constexpr const char kDlpManagerBundleName[] = "com.ohos.dlpmanager";

    if (bundleManager == nullptr) {
        return false;
    }

    const auto callerUid = IPCSkeleton::GetCallingUid();
    std::string callerBundle;
    const auto queryResult = IN_PROCESS_CALL(bundleManager->GetNameForUid(callerUid, callerBundle));
    if (queryResult != ERR_OK) {
        TAG_LOGW(AAFwkTag::ABILITYMGR, "Get Bundle Name failed");
        return false;
    }
    if (callerBundle != kDlpManagerBundleName) {
        TAG_LOGW(AAFwkTag::ABILITYMGR, "Wrong Caller");
        return false;
    }
    return true;
}
130 }  // namespace DlpUtils
131 }  // namespace AAFwk
132 }  // namespace OHOS
133 #endif  // OHOS_ABILITY_RUNTIME_DLP_UTILS_H
134