1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "uri_permission_manager_stub_impl.h"
17
18 #include <unordered_map>
19
20 #include "ability_manager_errors.h"
21 #include "accesstoken_kit.h"
22 #include "app_utils.h"
23 #include "hilog_tag_wrapper.h"
24 #include "if_system_ability_manager.h"
25 #include "in_process_call_wrapper.h"
26 #include "ipc_skeleton.h"
27 #include "iservice_registry.h"
28 #include "media_permission_manager.h"
29 #include "parameter.h"
30 #include "permission_constants.h"
31 #include "permission_verification.h"
32 #include "system_ability_definition.h"
33 #include "tokenid_kit.h"
34 #include "uri_permission_utils.h"
35 #include "want.h"
36 #include "hitrace_meter.h"
37
38 #define READ_MODE (1<<0)
39 #define WRITE_MODE (1<<1)
40 #define IS_POLICY_ALLOWED_TO_BE_PRESISTED (1<<0)
41
42 namespace OHOS {
43 namespace AAFwk {
44 namespace {
45 constexpr int32_t ERR_OK = 0;
46 constexpr int32_t INVALID_PARAMTER = 2; // SandboxManager ative err
47 constexpr uint32_t FLAG_READ_WRITE_URI = Want::FLAG_AUTH_READ_URI_PERMISSION | Want::FLAG_AUTH_WRITE_URI_PERMISSION;
48 constexpr uint32_t FLAG_WRITE_URI = Want::FLAG_AUTH_WRITE_URI_PERMISSION;
49 constexpr uint32_t FLAG_READ_URI = Want::FLAG_AUTH_READ_URI_PERMISSION;
50 constexpr const char* CLOUND_DOCS_URI_MARK = "?networkid=";
51 constexpr uint32_t INVALID_ABILITYID = -1;
52 constexpr const char* FOUNDATION_PROCESS = "foundation";
53 }
54
VerifyUriPermission(const Uri & uri,uint32_t flag,uint32_t tokenId)55 bool UriPermissionManagerStubImpl::VerifyUriPermission(const Uri &uri, uint32_t flag, uint32_t tokenId)
56 {
57 // verify if tokenId have uri permission record
58 auto uriStr = uri.ToString();
59 TAG_LOGD(AAFwkTag::URIPERMMGR, "uri is %{private}s, flag is %{public}u, tokenId is %{public}u",
60 uriStr.c_str(), flag, tokenId);
61 if (!UPMSUtils::IsSAOrSystemAppCall()) {
62 TAG_LOGE(AAFwkTag::URIPERMMGR, "not SA or SystemApp");
63 return false;
64 }
65 if ((flag & FLAG_READ_WRITE_URI) == 0) {
66 TAG_LOGE(AAFwkTag::URIPERMMGR, "Flag is invalid.");
67 return false;
68 }
69 uint32_t newFlag = FLAG_READ_URI;
70 if ((flag & FLAG_WRITE_URI) != 0) {
71 newFlag = FLAG_WRITE_URI;
72 }
73 std::lock_guard<std::mutex> guard(mutex_);
74 auto search = uriMap_.find(uriStr);
75 if (search != uriMap_.end()) {
76 auto& list = search->second;
77 for (auto it = list.begin(); it != list.end(); it++) {
78 if ((it->targetTokenId == tokenId) && ((it->flag | FLAG_READ_URI) & newFlag) != 0) {
79 TAG_LOGD(AAFwkTag::URIPERMMGR, "have uri permission.");
80 return true;
81 }
82 }
83 }
84 return VerifySubDirUriPermission(uriStr, newFlag, tokenId);
85 }
86
VerifySubDirUriPermission(const std::string & uriStr,uint32_t newFlag,uint32_t tokenId)87 bool UriPermissionManagerStubImpl::VerifySubDirUriPermission(const std::string &uriStr,
88 uint32_t newFlag, uint32_t tokenId)
89 {
90 auto iPos = uriStr.find(CLOUND_DOCS_URI_MARK);
91 if (iPos == std::string::npos) {
92 TAG_LOGI(AAFwkTag::URIPERMMGR, "Local uri not support to verify sub directory uri permission.");
93 return false;
94 }
95
96 for (auto search = uriMap_.rbegin(); search != uriMap_.rend(); ++search) {
97 if (!IsDistributedSubDirUri(uriStr, search->first)) {
98 continue;
99 }
100 auto& list = search->second;
101 for (auto it = list.begin(); it != list.end(); it++) {
102 if ((it->targetTokenId == tokenId) && ((it->flag | FLAG_READ_URI) & newFlag) != 0) {
103 TAG_LOGD(AAFwkTag::URIPERMMGR, "have uri permission.");
104 return true;
105 }
106 }
107 break;
108 }
109 TAG_LOGI(AAFwkTag::URIPERMMGR, "Uri permission not exists.");
110 return false;
111 }
112
IsDistributedSubDirUri(const std::string & inputUri,const std::string & cachedUri)113 bool UriPermissionManagerStubImpl::IsDistributedSubDirUri(const std::string &inputUri, const std::string &cachedUri)
114 {
115 auto iPos = inputUri.find(CLOUND_DOCS_URI_MARK);
116 auto cPos = cachedUri.find(CLOUND_DOCS_URI_MARK);
117 if ((iPos == std::string::npos) || (cPos == std::string::npos)) {
118 TAG_LOGI(AAFwkTag::URIPERMMGR, "The uri is not distributed file uri.");
119 return false;
120 }
121 std::string iTempUri = inputUri.substr(0, iPos);
122 std::string cTempUri = cachedUri.substr(0, cPos);
123 return iTempUri.find(cTempUri + "/") == 0;
124 }
125
GrantUriPermission(const Uri & uri,unsigned int flag,const std::string targetBundleName,int32_t appIndex,uint32_t initiatorTokenId,int32_t abilityId)126 int UriPermissionManagerStubImpl::GrantUriPermission(const Uri &uri, unsigned int flag,
127 const std::string targetBundleName, int32_t appIndex, uint32_t initiatorTokenId, int32_t abilityId)
128 {
129 TAG_LOGI(AAFwkTag::URIPERMMGR, "Uri:%{private}s", uri.ToString().c_str());
130 std::vector<Uri> uriVec = { uri };
131 if (UPMSUtils::IsSystemAppCall(initiatorTokenId) && uriVec[0].GetScheme() != "file") {
132 TAG_LOGE(AAFwkTag::URIPERMMGR, "Only support file uri");
133 return ERR_CODE_INVALID_URI_TYPE;
134 }
135 return GrantUriPermission(uriVec, flag, targetBundleName, appIndex, initiatorTokenId, abilityId);
136 }
137
GrantUriPermission(const std::vector<Uri> & uriVec,unsigned int flag,const std::string targetBundleName,int32_t appIndex,uint32_t initiatorTokenId,int32_t abilityId)138 int UriPermissionManagerStubImpl::GrantUriPermission(const std::vector<Uri> &uriVec, unsigned int flag,
139 const std::string targetBundleName, int32_t appIndex, uint32_t initiatorTokenId, int32_t abilityId)
140 {
141 TAG_LOGI(AAFwkTag::URIPERMMGR, "BundleName is %{public}s, appIndex is %{public}d, size of uriVec is %{public}zu.",
142 targetBundleName.c_str(), appIndex, uriVec.size());
143 if (!UPMSUtils::IsSAOrSystemAppCall()) {
144 TAG_LOGE(AAFwkTag::URIPERMMGR, "not SA or SystemApp");
145 return CHECK_PERMISSION_FAILED;
146 }
147 auto checkResult = CheckCalledBySandBox();
148 if (checkResult != ERR_OK) {
149 return checkResult;
150 }
151 if ((flag & FLAG_READ_WRITE_URI) == 0) {
152 TAG_LOGE(AAFwkTag::URIPERMMGR, "invalid flag, value: %{public}u.", flag);
153 return ERR_CODE_INVALID_URI_FLAG;
154 }
155 if (AppUtils::GetInstance().IsGrantPersistUriPermission()) {
156 bool isSystemAppCall = UPMSUtils::IsSystemAppCall(initiatorTokenId);
157 return GrantUriPermissionFor2In1Inner(
158 uriVec, flag, targetBundleName, appIndex, isSystemAppCall, initiatorTokenId, abilityId);
159 }
160 return GrantUriPermissionInner(uriVec, flag, targetBundleName, appIndex, initiatorTokenId, abilityId);
161 }
162
GrantUriPermissionPrivileged(const std::vector<Uri> & uriVec,uint32_t flag,const std::string & targetBundleName,int32_t appIndex,uint32_t initiatorTokenId,int32_t abilityId)163 int32_t UriPermissionManagerStubImpl::GrantUriPermissionPrivileged(const std::vector<Uri> &uriVec, uint32_t flag,
164 const std::string &targetBundleName, int32_t appIndex, uint32_t initiatorTokenId, int32_t abilityId)
165 {
166 TAG_LOGI(AAFwkTag::URIPERMMGR, "BundleName is %{public}s, appIndex is %{public}d, size of uriVec is %{public}zu.",
167 targetBundleName.c_str(), appIndex, uriVec.size());
168
169 uint32_t callerTokenId = IPCSkeleton::GetCallingTokenID();
170 auto permissionName = PermissionConstants::PERMISSION_GRANT_URI_PERMISSION_PRIVILEGED;
171 if (!PermissionVerification::GetInstance()->VerifyPermissionByTokenId(callerTokenId, permissionName)) {
172 TAG_LOGE(AAFwkTag::URIPERMMGR, "No permission to call");
173 return CHECK_PERMISSION_FAILED;
174 }
175
176 if ((flag & FLAG_READ_WRITE_URI) == 0) {
177 TAG_LOGE(AAFwkTag::URIPERMMGR, "invalid flag, value: %{public}u.", flag);
178 return ERR_CODE_INVALID_URI_FLAG;
179 }
180 flag &= FLAG_READ_WRITE_URI;
181 uint32_t targetTokenId = 0;
182 auto ret = UPMSUtils::GetTokenIdByBundleName(targetBundleName, appIndex, targetTokenId);
183 if (ret != ERR_OK) {
184 TAG_LOGE(AAFwkTag::URIPERMMGR, "Get tokenId failed, bundlename: %{public}s.", targetBundleName.c_str());
185 return ret;
186 }
187
188 if (AppUtils::GetInstance().IsGrantPersistUriPermission()) {
189 return GrantBatchUriPermissionFor2In1Privileged(uriVec, flag, callerTokenId, targetTokenId);
190 }
191 if (UPMSUtils::IsFoundationCall()) {
192 callerTokenId = initiatorTokenId;
193 } else {
194 abilityId = INVALID_ABILITYID;
195 }
196 return GrantBatchUriPermissionPrivileged(uriVec, flag, callerTokenId, targetTokenId, abilityId);
197 }
198
GrantUriPermissionInner(const std::vector<Uri> & uriVec,unsigned int flag,const std::string targetBundleName,int32_t appIndex,uint32_t initiatorTokenId,int32_t abilityId)199 int UriPermissionManagerStubImpl::GrantUriPermissionInner(const std::vector<Uri> &uriVec, unsigned int flag,
200 const std::string targetBundleName, int32_t appIndex, uint32_t initiatorTokenId, int32_t abilityId)
201 {
202 TAG_LOGD(AAFwkTag::URIPERMMGR, "called");
203 flag &= FLAG_READ_WRITE_URI;
204 uint32_t targetTokenId = 0;
205 auto ret = UPMSUtils::GetTokenIdByBundleName(targetBundleName, appIndex, targetTokenId);
206 if (ret != ERR_OK) {
207 TAG_LOGE(AAFwkTag::URIPERMMGR, "get tokenId of target bundle name failed.");
208 return ret;
209 }
210 // recordId will be set default id if the process name is not foundation.
211 int32_t recordId = -1;
212 uint32_t appTokenId = IPCSkeleton::GetCallingTokenID();
213 if (UPMSUtils::IsFoundationCall()) {
214 recordId = abilityId;
215 appTokenId = initiatorTokenId;
216 }
217 if (uriVec.size() == 1) {
218 return GrantSingleUriPermission(uriVec[0], flag, appTokenId, targetTokenId, recordId);
219 }
220 return GrantBatchUriPermission(uriVec, flag, appTokenId, targetTokenId, recordId);
221 }
222
checkPersistPermission(uint64_t tokenId,const std::vector<PolicyInfo> & policy,std::vector<bool> & result)223 int checkPersistPermission(uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result)
224 {
225 for (size_t i = 0; i < policy.size(); i++) {
226 result.emplace_back(true);
227 }
228 TAG_LOGI(AAFwkTag::URIPERMMGR, "result size: %{public}zu", result.size());
229 return 0;
230 }
231
setPolicy(uint64_t tokenId,const std::vector<PolicyInfo> & policy,uint64_t policyFlag)232 int32_t setPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag)
233 {
234 TAG_LOGI(AAFwkTag::URIPERMMGR, "policy size: %{public}zu", policy.size());
235 return 0;
236 }
237
persistPermission(const std::vector<PolicyInfo> & policy,std::vector<uint32_t> & result)238 int persistPermission(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result)
239 {
240 for (size_t i = 0; i < policy.size(); i++) {
241 result.emplace_back(0);
242 }
243 TAG_LOGI(AAFwkTag::URIPERMMGR, "result size: %{public}zu", result.size());
244 return 0;
245 }
246
CheckCalledBySandBox()247 int32_t UriPermissionManagerStubImpl::CheckCalledBySandBox()
248 {
249 // reject sandbox to grant uri permission
250 ConnectManager(appMgr_, APP_MGR_SERVICE_ID);
251 if (appMgr_ == nullptr) {
252 TAG_LOGE(AAFwkTag::URIPERMMGR, "Get BundleManager failed!");
253 return INNER_ERR;
254 }
255 auto callerPid = IPCSkeleton::GetCallingPid();
256 bool isSandbox = false;
257 if (IN_PROCESS_CALL(appMgr_->JudgeSandboxByPid(callerPid, isSandbox)) != ERR_OK) {
258 TAG_LOGE(AAFwkTag::URIPERMMGR, "JudgeSandboxByPid failed.");
259 return INNER_ERR;
260 }
261 if (isSandbox) {
262 TAG_LOGE(AAFwkTag::URIPERMMGR, "Sandbox application can not grant URI permission.");
263 return ERR_CODE_GRANT_URI_PERMISSION;
264 }
265 return ERR_OK;
266 }
267
AddTempUriPermission(const std::string & uri,unsigned int flag,TokenId fromTokenId,TokenId targetTokenId,int32_t abilityId)268 int UriPermissionManagerStubImpl::AddTempUriPermission(const std::string &uri, unsigned int flag,
269 TokenId fromTokenId, TokenId targetTokenId, int32_t abilityId)
270 {
271 std::lock_guard<std::mutex> guard(mutex_);
272 auto search = uriMap_.find(uri);
273 bool autoRemove = (abilityId != DEFAULT_ABILITY_ID);
274 GrantInfo info = { flag, fromTokenId, targetTokenId, autoRemove, {} };
275 info.AddAbilityId(abilityId);
276 if (search == uriMap_.end()) {
277 TAG_LOGI(AAFwkTag::URIPERMMGR, "Insert an uri r/w permission.");
278 std::list<GrantInfo> infoList = { info };
279 uriMap_.emplace(uri, infoList);
280 return ERR_OK;
281 }
282 auto& infoList = search->second;
283 for (auto& item : infoList) {
284 if (item.fromTokenId == fromTokenId && item.targetTokenId == targetTokenId) {
285 TAG_LOGI(AAFwkTag::URIPERMMGR,
286 "Item: flag is %{public}u, autoRemove is %{public}u, ability size is %{public}zu.",
287 item.flag, item.autoRemove, item.abilityIds.size());
288 item.AddAbilityId(abilityId);
289 // r-w
290 if ((item.flag & FLAG_WRITE_URI) == 0 && (flag & FLAG_WRITE_URI) != 0) {
291 TAG_LOGI(AAFwkTag::URIPERMMGR, "Update uri r/w permission.");
292 item.autoRemove = autoRemove;
293 item.flag |= FLAG_WRITE_URI;
294 return ERR_OK;
295 }
296 // w-r
297 TAG_LOGD(AAFwkTag::URIPERMMGR, "Uri has been granted, not to grant again.");
298 if ((item.flag & FLAG_WRITE_URI) != 0 && (flag & FLAG_WRITE_URI) == 0) {
299 return ERR_OK;
300 }
301 // other
302 if (!autoRemove) {
303 item.autoRemove = autoRemove;
304 }
305 return ERR_OK;
306 }
307 }
308 TAG_LOGI(AAFwkTag::URIPERMMGR, "Insert a new uri permission record.");
309 infoList.emplace_back(info);
310 return ERR_OK;
311 }
312
GrantUriPermissionImpl(const Uri & uri,unsigned int flag,TokenId callerTokenId,TokenId targetTokenId,int32_t abilityId)313 int UriPermissionManagerStubImpl::GrantUriPermissionImpl(const Uri &uri, unsigned int flag,
314 TokenId callerTokenId, TokenId targetTokenId, int32_t abilityId)
315 {
316 TAG_LOGD(AAFwkTag::URIPERMMGR, "uri = %{private}s, flag = %{public}u, callerTokenId = %{public}u,"
317 "targetTokenId = %{public}u, abilityId = %{public}d", uri.ToString().c_str(), flag, callerTokenId,
318 targetTokenId, abilityId);
319 ConnectManager(storageManager_, STORAGE_MANAGER_MANAGER_ID);
320 if (storageManager_ == nullptr) {
321 TAG_LOGE(AAFwkTag::URIPERMMGR, "ConnectManager failed");
322 return INNER_ERR;
323 }
324 auto uriStr = uri.ToString();
325 std::vector<std::string> uriVec = { uriStr };
326 auto resVec = storageManager_->CreateShareFile(uriVec, targetTokenId, flag);
327 if (resVec.size() == 0) {
328 TAG_LOGE(AAFwkTag::URIPERMMGR, "storageManager resVec is empty.");
329 return INNER_ERR;
330 }
331 if (resVec[0] != 0 && resVec[0] != -EEXIST) {
332 TAG_LOGE(AAFwkTag::URIPERMMGR, "failed to CreateShareFile.");
333 return INNER_ERR;
334 }
335 AddTempUriPermission(uriStr, flag, callerTokenId, targetTokenId, abilityId);
336 UPMSUtils::SendSystemAppGrantUriPermissionEvent(callerTokenId, targetTokenId, uriVec, resVec);
337 return ERR_OK;
338 }
339
GrantSingleUriPermission(const Uri & uri,unsigned int flag,uint32_t callerTokenId,uint32_t targetTokenId,int32_t abilityId)340 int UriPermissionManagerStubImpl::GrantSingleUriPermission(const Uri &uri, unsigned int flag, uint32_t callerTokenId,
341 uint32_t targetTokenId, int32_t abilityId)
342 {
343 TAG_LOGI(AAFwkTag::URIPERMMGR,
344 "uri is %{private}s, callerTokenId is %{public}u, targetTokenId is %{public}u, abilityId is %{public}d",
345 uri.ToString().c_str(), callerTokenId, targetTokenId, abilityId);
346 if (!CheckUriTypeIsValid(uri)) {
347 TAG_LOGE(AAFwkTag::URIPERMMGR, "Check uri type failed, uri is %{private}s", uri.ToString().c_str());
348 return ERR_CODE_INVALID_URI_TYPE;
349 }
350 TokenIdPermission tokenIdPermission(callerTokenId);
351 std::vector<Uri> uriVec = { uri };
352 auto checkResult = CheckUriPermission(tokenIdPermission, uriVec, flag);
353 if (!checkResult[0]) {
354 TAG_LOGW(AAFwkTag::URIPERMMGR, "No permission, uri is %{private}s, callerTokenId is %{public}u",
355 uri.ToString().c_str(), callerTokenId);
356 UPMSUtils::SendShareUnPrivilegeUriEvent(callerTokenId, targetTokenId);
357 return CHECK_PERMISSION_FAILED;
358 }
359 return GrantUriPermissionImpl(uri, flag, callerTokenId, targetTokenId, abilityId);
360 }
361
GrantBatchUriPermissionImpl(const std::vector<std::string> & uriVec,unsigned int flag,TokenId callerTokenId,TokenId targetTokenId,int32_t abilityId)362 int UriPermissionManagerStubImpl::GrantBatchUriPermissionImpl(const std::vector<std::string> &uriVec,
363 unsigned int flag, TokenId callerTokenId, TokenId targetTokenId, int32_t abilityId)
364 {
365 TAG_LOGI(AAFwkTag::URIPERMMGR,"callerTokenId is %{public}u, targetTokenId is %{public}u, flag is %{public}u,"
366 "list size is %{public}zu", callerTokenId, targetTokenId, flag, uriVec.size());
367 ConnectManager(storageManager_, STORAGE_MANAGER_MANAGER_ID);
368 if (storageManager_ == nullptr) {
369 TAG_LOGE(AAFwkTag::URIPERMMGR, "ConnectManager failed.");
370 return INNER_ERR;
371 }
372 auto resVec = storageManager_->CreateShareFile(uriVec, targetTokenId, flag);
373 if (resVec.size() == 0) {
374 TAG_LOGE(AAFwkTag::URIPERMMGR, "Failed to createShareFile, storageManager resVec is empty.");
375 return INNER_ERR;
376 }
377 if (resVec.size() != uriVec.size()) {
378 TAG_LOGE(AAFwkTag::URIPERMMGR, "Failed to createShareFile, ret is %{public}u", resVec[0]);
379 return resVec[0];
380 }
381 int successCount = 0;
382 for (size_t i = 0; i < uriVec.size(); i++) {
383 auto ret = resVec[i];
384 if (ret != 0 && ret != -EEXIST) {
385 TAG_LOGE(AAFwkTag::URIPERMMGR, "failed to CreateShareFile.");
386 continue;
387 }
388 AddTempUriPermission(uriVec[i], flag, callerTokenId, targetTokenId, abilityId);
389 successCount++;
390 }
391 TAG_LOGI(AAFwkTag::URIPERMMGR, "total %{public}d uri permissions added.", successCount);
392 if (successCount == 0) {
393 return INNER_ERR;
394 }
395 UPMSUtils::SendSystemAppGrantUriPermissionEvent(callerTokenId, targetTokenId, uriVec, resVec);
396 return ERR_OK;
397 }
398
GrantBatchUriPermission(const std::vector<Uri> & uriVec,unsigned int flag,uint32_t callerTokenId,uint32_t targetTokenId,int32_t abilityId)399 int UriPermissionManagerStubImpl::GrantBatchUriPermission(const std::vector<Uri> &uriVec, unsigned int flag,
400 uint32_t callerTokenId, uint32_t targetTokenId, int32_t abilityId)
401 {
402 TAG_LOGI(AAFwkTag::URIPERMMGR,
403 "callerTokenId is %{public}u, targetTokenId is %{public}u, flag is %{public}u, abilityId is %{public}u.",
404 callerTokenId, targetTokenId, flag, abilityId);
405 TokenIdPermission tokenIdPermission(callerTokenId);
406 std::vector<std::string> uriStrVec = {};
407 auto checkResult = CheckUriPermission(tokenIdPermission, uriVec, flag);
408 int32_t noPermissionUriCount = 0;
409 for (size_t i = 0; i < checkResult.size(); i++) {
410 auto uriStr = uriVec[i].ToString();
411 if (!checkResult[i]) {
412 TAG_LOGW(AAFwkTag::URIPERMMGR, "No permission, uri:%{private}s", uriStr.c_str());
413 noPermissionUriCount++;
414 continue;
415 }
416 uriStrVec.emplace_back(uriStr);
417 }
418 if (noPermissionUriCount > 0) {
419 UPMSUtils::SendShareUnPrivilegeUriEvent(callerTokenId, targetTokenId);
420 }
421 if (uriStrVec.empty()) {
422 TAG_LOGE(AAFwkTag::URIPERMMGR, "all uri invalid or no permission");
423 return INNER_ERR;
424 }
425 return GrantBatchUriPermissionImpl(uriStrVec, flag, callerTokenId, targetTokenId, abilityId);
426 }
427
GrantBatchUriPermissionPrivileged(const std::vector<Uri> & uriVec,uint32_t flag,uint32_t callerTokenId,uint32_t targetTokenId,int32_t abilityId)428 int32_t UriPermissionManagerStubImpl::GrantBatchUriPermissionPrivileged(const std::vector<Uri> &uriVec, uint32_t flag,
429 uint32_t callerTokenId, uint32_t targetTokenId, int32_t abilityId)
430 {
431 TAG_LOGI(AAFwkTag::URIPERMMGR, "callerTokenId is %{public}u, targetTokenId is %{public}u, flag is %{public}u.",
432 callerTokenId, targetTokenId, flag);
433 std::vector<std::string> uriStrVec = {};
434 for (const auto &uri : uriVec) {
435 if (!CheckUriTypeIsValid(uri)) {
436 TAG_LOGW(AAFwkTag::URIPERMMGR, "Check uri type failed, uri is %{private}s.", uri.ToString().c_str());
437 continue;
438 }
439 uriStrVec.emplace_back(uri.ToString());
440 }
441 if (uriStrVec.empty()) {
442 TAG_LOGE(AAFwkTag::URIPERMMGR, "Valid uri list is empty.");
443 return ERR_CODE_INVALID_URI_TYPE;
444 }
445 return GrantBatchUriPermissionImpl(uriStrVec, flag, callerTokenId, targetTokenId, abilityId);
446 }
447
GrantBatchUriPermissionFor2In1Privileged(const std::vector<Uri> & uriVec,uint32_t flag,uint32_t callerTokenId,uint32_t targetTokenId,int32_t abilityId)448 int32_t UriPermissionManagerStubImpl::GrantBatchUriPermissionFor2In1Privileged(const std::vector<Uri> &uriVec,
449 uint32_t flag, uint32_t callerTokenId, uint32_t targetTokenId, int32_t abilityId)
450 {
451 TAG_LOGI(AAFwkTag::URIPERMMGR, "callerTokenId is %{public}u, targetTokenId is %{public}u, flag is %{public}u.",
452 callerTokenId, targetTokenId, flag);
453 std::vector<std::string> uriStrVec = {};
454 std::vector<PolicyInfo> docsVec = {};
455 for (const auto &uri : uriVec) {
456 auto uriInner = uri;
457 auto uriStr = uriInner.ToString();
458 if (!CheckUriTypeIsValid(uri)) {
459 TAG_LOGW(AAFwkTag::URIPERMMGR, "Check uri type failed, uri is %{private}s.", uriStr.c_str());
460 continue;
461 }
462 auto &&authority = uriInner.GetAuthority();
463 if (authority != "docs" || uriStr.find(CLOUND_DOCS_URI_MARK) != std::string::npos) {
464 uriStrVec.emplace_back(uriStr);
465 continue;
466 }
467 PolicyInfo policyInfo;
468 policyInfo.path = uriStr;
469 policyInfo.mode = (flag & Want::FLAG_AUTH_WRITE_URI_PERMISSION) == 0 ? READ_MODE : WRITE_MODE;
470 docsVec.emplace_back(policyInfo);
471 }
472
473 TAG_LOGI(AAFwkTag::URIPERMMGR, "docsUri size is %{public}zu, otherUri size is %{public}zu",
474 docsVec.size(), uriStrVec.size());
475
476 if (uriStrVec.empty() && docsVec.empty()) {
477 TAG_LOGE(AAFwkTag::URIPERMMGR, "Valid uri list is empty.");
478 return ERR_CODE_INVALID_URI_TYPE;
479 }
480
481 if (!uriStrVec.empty()) {
482 auto ret = GrantBatchUriPermissionImpl(uriStrVec, flag, callerTokenId, targetTokenId, abilityId);
483 if (docsVec.empty()) {
484 return ret;
485 }
486 }
487
488 bool isSystemAppCall = PermissionVerification::GetInstance()->IsSystemAppCall();
489 HandleUriPermission(targetTokenId, flag, docsVec, isSystemAppCall);
490 return ERR_OK;
491 }
492
RemoveUriRecord(std::vector<std::string> & uriList,const TokenId tokenId,int32_t abilityId)493 void UriPermissionManagerStubImpl::RemoveUriRecord(std::vector<std::string> &uriList, const TokenId tokenId,
494 int32_t abilityId)
495 {
496 std::lock_guard<std::mutex> guard(mutex_);
497 for (auto iter = uriMap_.begin(); iter != uriMap_.end();) {
498 auto& list = iter->second;
499 for (auto it = list.begin(); it != list.end(); it++) {
500 if (it->targetTokenId != tokenId || !it->RemoveAbilityId(abilityId) || !it->autoRemove) {
501 continue;
502 }
503 if (!it->IsEmptyAbilityId()) {
504 TAG_LOGD(AAFwkTag::URIPERMMGR, "Remove an abilityId.");
505 break;
506 }
507 TAG_LOGI(AAFwkTag::URIPERMMGR, "Erase an info form list.");
508 list.erase(it);
509 uriList.emplace_back(iter->first);
510 break;
511 }
512 if (list.empty()) {
513 uriMap_.erase(iter++);
514 continue;
515 }
516 ++iter;
517 }
518 }
519
RevokeUriPermission(const TokenId tokenId,int32_t abilityId)520 void UriPermissionManagerStubImpl::RevokeUriPermission(const TokenId tokenId, int32_t abilityId)
521 {
522 TAG_LOGI(AAFwkTag::URIPERMMGR,
523 "Start to remove uri permission, tokenId is %{public}u, abilityId is %{public}d", tokenId, abilityId);
524 if (!UPMSUtils::IsFoundationCall()) {
525 TAG_LOGE(AAFwkTag::URIPERMMGR, "No permission to revoke uri permission.");
526 return;
527 }
528 std::vector<std::string> uriList;
529 RemoveUriRecord(uriList, tokenId, abilityId);
530 if (!uriList.empty()) {
531 DeleteShareFile(tokenId, uriList);
532 }
533 }
534
RevokeAllUriPermissions(uint32_t tokenId)535 int UriPermissionManagerStubImpl::RevokeAllUriPermissions(uint32_t tokenId)
536 {
537 TAG_LOGI(AAFwkTag::URIPERMMGR, "Start to revoke all uri permission, tokenId is %{public}u.", tokenId);
538 if (!UPMSUtils::IsFoundationCall()) {
539 TAG_LOGE(AAFwkTag::URIPERMMGR, "No permission to revoke all uri permission.");
540 return CHECK_PERMISSION_FAILED;
541 }
542 std::string callerAuthority = "";
543 UPMSUtils::GetAlterableBundleNameByTokenId(tokenId, callerAuthority);
544 std::map<uint32_t, std::vector<std::string>> uriLists;
545 {
546 std::lock_guard<std::mutex> guard(mutex_);
547 for (auto iter = uriMap_.begin(); iter != uriMap_.end();) {
548 auto uriAuthority = Uri(iter->first).GetAuthority();
549 // uri belong to target tokenId.
550 if (callerAuthority == uriAuthority) {
551 for (const auto &record : iter->second) {
552 uriLists[record.targetTokenId].emplace_back(iter->first);
553 }
554 uriMap_.erase(iter++);
555 continue;
556 }
557 auto& list = iter->second;
558 for (auto it = list.begin(); it != list.end();) {
559 if (it->targetTokenId == tokenId || it->fromTokenId == tokenId) {
560 TAG_LOGI(AAFwkTag::URIPERMMGR, "Erase an uri permission record.");
561 uriLists[it->targetTokenId].emplace_back(iter->first);
562 list.erase(it++);
563 continue;
564 }
565 it++;
566 }
567 if (list.empty()) {
568 uriMap_.erase(iter++);
569 continue;
570 }
571 iter++;
572 }
573 }
574
575 for (auto iter = uriLists.begin(); iter != uriLists.end(); iter++) {
576 if (DeleteShareFile(iter->first, iter->second) != ERR_OK) {
577 return INNER_ERR;
578 }
579 }
580 return ERR_OK;
581 }
582
RevokeUriPermissionManually(const Uri & uri,const std::string bundleName,int32_t appIndex)583 int UriPermissionManagerStubImpl::RevokeUriPermissionManually(const Uri &uri, const std::string bundleName,
584 int32_t appIndex)
585 {
586 TAG_LOGI(AAFwkTag::URIPERMMGR,
587 "Revoke uri permission manually, uri is %{private}s, bundleName is %{public}s, appIndex is %{public}d",
588 uri.ToString().c_str(), bundleName.c_str(), appIndex);
589 if (!UPMSUtils::IsSAOrSystemAppCall()) {
590 TAG_LOGE(AAFwkTag::URIPERMMGR, "not SA or SystemApp");
591 return CHECK_PERMISSION_FAILED;
592 }
593 if (!CheckUriTypeIsValid(uri)) {
594 TAG_LOGE(AAFwkTag::URIPERMMGR, "Check uri type failed, uri is %{private}s.", uri.ToString().c_str());
595 return ERR_CODE_INVALID_URI_TYPE;
596 }
597 uint32_t targetTokenId = 0;
598 auto ret = UPMSUtils::GetTokenIdByBundleName(bundleName, appIndex, targetTokenId);
599 if (ret != ERR_OK) {
600 TAG_LOGE(AAFwkTag::URIPERMMGR, "get tokenId by bundle name failed.");
601 return ret;
602 }
603
604 auto uriStr = uri.ToString();
605 auto uriInner = uri;
606 auto uriAuthority = uriInner.GetAuthority();
607 // uri belong to caller or caller is target.
608 auto callerTokenId = IPCSkeleton::GetCallingTokenID();
609 std::string callerAuthority = "";
610 UPMSUtils::GetAlterableBundleNameByTokenId(callerTokenId, callerAuthority);
611 bool isRevokeSelfUri = (callerTokenId == targetTokenId || callerAuthority == uriAuthority);
612 std::vector<std::string> uriList;
613 {
614 std::lock_guard<std::mutex> guard(mutex_);
615 auto search = uriMap_.find(uriStr);
616 if (search == uriMap_.end()) {
617 TAG_LOGI(AAFwkTag::URIPERMMGR, "URI does not exist on uri map.");
618 return ERR_OK;
619 }
620 auto& list = search->second;
621 for (auto it = list.begin(); it != list.end(); it++) {
622 if (it->targetTokenId == targetTokenId && (callerTokenId == it->fromTokenId || isRevokeSelfUri)) {
623 uriList.emplace_back(search->first);
624 TAG_LOGI(AAFwkTag::URIPERMMGR, "Revoke an uri permission record.");
625 list.erase(it);
626 break;
627 }
628 }
629 if (list.empty()) {
630 uriMap_.erase(search);
631 }
632 }
633 return DeleteShareFile(targetTokenId, uriList);
634 }
635
DeleteShareFile(uint32_t targetTokenId,const std::vector<std::string> & uriVec)636 int32_t UriPermissionManagerStubImpl::DeleteShareFile(uint32_t targetTokenId, const std::vector<std::string> &uriVec)
637 {
638 ConnectManager(storageManager_, STORAGE_MANAGER_MANAGER_ID);
639 if (storageManager_ == nullptr) {
640 TAG_LOGE(AAFwkTag::URIPERMMGR, "Connect StorageManager failed.");
641 return INNER_ERR;
642 }
643 auto ret = storageManager_->DeleteShareFile(targetTokenId, uriVec);
644 if (ret != ERR_OK) {
645 TAG_LOGE(AAFwkTag::URIPERMMGR, "DeleteShareFile failed, errorCode is %{public}d.", ret);
646 }
647 return ret;
648 }
649
CheckUriAuthorization(const std::vector<std::string> & uriStrVec,uint32_t flag,uint32_t tokenId)650 std::vector<bool> UriPermissionManagerStubImpl::CheckUriAuthorization(const std::vector<std::string> &uriStrVec,
651 uint32_t flag, uint32_t tokenId)
652 {
653 TAG_LOGI(AAFwkTag::URIPERMMGR, "tokenId:%{public}u, flag:%{public}u, size of uris:%{public}zu",
654 tokenId, flag, uriStrVec.size());
655 if (!UPMSUtils::IsSAOrSystemAppCall()) {
656 TAG_LOGE(AAFwkTag::URIPERMMGR, "not SA or SystemApp");
657 std::vector<bool> result(uriStrVec.size(), false);
658 return result;
659 }
660 if ((flag & FLAG_READ_WRITE_URI) == 0) {
661 TAG_LOGE(AAFwkTag::URIPERMMGR, "Flag is invalid.");
662 std::vector<bool> result(uriStrVec.size(), false);
663 return result;
664 }
665 std::vector<Uri> uriVec;
666 for (auto &uriStr: uriStrVec) {
667 uriVec.emplace_back(uriStr);
668 }
669 TokenIdPermission tokenIdPermission(tokenId);
670 return CheckUriPermission(tokenIdPermission, uriVec, flag);
671 }
672
673 template<typename T>
ConnectManager(sptr<T> & mgr,int32_t serviceId)674 void UriPermissionManagerStubImpl::ConnectManager(sptr<T> &mgr, int32_t serviceId)
675 {
676 TAG_LOGD(AAFwkTag::URIPERMMGR, "Call.");
677 std::lock_guard<std::mutex> lock(mgrMutex_);
678 if (mgr == nullptr) {
679 TAG_LOGE(AAFwkTag::URIPERMMGR, "mgr is nullptr.");
680 auto systemAbilityMgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
681 if (systemAbilityMgr == nullptr) {
682 TAG_LOGE(AAFwkTag::URIPERMMGR, "Failed to get SystemAbilityManager.");
683 return;
684 }
685
686 auto remoteObj = systemAbilityMgr->GetSystemAbility(serviceId);
687 if (remoteObj == nullptr) {
688 TAG_LOGE(AAFwkTag::URIPERMMGR, "Failed to get mgr.");
689 return;
690 }
691 TAG_LOGE(AAFwkTag::URIPERMMGR, "to cast.");
692 mgr = iface_cast<T>(remoteObj);
693 if (mgr == nullptr) {
694 TAG_LOGE(AAFwkTag::URIPERMMGR, "Failed to cast.");
695 return;
696 }
697 wptr<T> manager = mgr;
698 auto self = weak_from_this();
699 auto onClearProxyCallback = [manager, self](const auto& remote) {
700 auto mgrSptr = manager.promote();
701 auto impl = self.lock();
702 if (impl && mgrSptr && mgrSptr->AsObject() == remote.promote()) {
703 std::lock_guard<std::mutex> lock(impl->mgrMutex_);
704 mgrSptr.clear();
705 }
706 };
707 sptr<ProxyDeathRecipient> recipient(new ProxyDeathRecipient(std::move(onClearProxyCallback)));
708 if (!mgr->AsObject()->AddDeathRecipient(recipient)) {
709 TAG_LOGE(AAFwkTag::URIPERMMGR, "AddDeathRecipient failed.");
710 }
711 }
712 }
713
714 void UriPermissionManagerStubImpl::ProxyDeathRecipient::OnRemoteDied([[maybe_unused]]
715 const wptr<IRemoteObject>& remote)
716 {
717 if (proxy_) {
718 TAG_LOGD(AAFwkTag::URIPERMMGR, "mgr stub died.");
719 proxy_(remote);
720 }
721 }
722
GrantUriPermissionFor2In1Inner(const std::vector<Uri> & uriVec,unsigned int flag,const std::string & targetBundleName,int32_t appIndex,bool isSystemAppCall,uint32_t initiatorTokenId,int32_t abilityId)723 int UriPermissionManagerStubImpl::GrantUriPermissionFor2In1Inner(const std::vector<Uri> &uriVec, unsigned int flag,
724 const std::string &targetBundleName, int32_t appIndex, bool isSystemAppCall, uint32_t initiatorTokenId,
725 int32_t abilityId)
726 {
727 TAG_LOGI(AAFwkTag::URIPERMMGR, "UriVec size is %{public}zu, targetBundleName is %{public}s",
728 uriVec.size(), targetBundleName.c_str());
729 std::vector<PolicyInfo> docsVec;
730 std::vector<Uri> otherVec;
731 for (const auto &uri : uriVec) {
732 Uri uri_inner = uri;
733 auto &&scheme = uri_inner.GetScheme();
734 if (scheme != "file") {
735 TAG_LOGW(AAFwkTag::URIPERMMGR, "Only support file uri.");
736 continue;
737 }
738 auto &&authority = uri_inner.GetAuthority();
739 TAG_LOGD(AAFwkTag::URIPERMMGR, "The authority is %{public}s", authority.c_str());
740 PolicyInfo policyInfo;
741 policyInfo.path = uri_inner.ToString();
742 if ((flag & Want::FLAG_AUTH_WRITE_URI_PERMISSION) != 0) {
743 policyInfo.mode |= WRITE_MODE;
744 } else {
745 policyInfo.mode |= READ_MODE;
746 }
747 if (authority == "docs" && uri.ToString().find(CLOUND_DOCS_URI_MARK) == std::string::npos) {
748 docsVec.emplace_back(policyInfo);
749 } else {
750 otherVec.emplace_back(uri_inner);
751 }
752 }
753 if (!otherVec.empty()) {
754 auto ret = GrantUriPermissionInner(otherVec, flag, targetBundleName, appIndex, initiatorTokenId, abilityId);
755 if (docsVec.empty()) {
756 return ret;
757 }
758 }
759 uint32_t tokenId = 0;
760 auto ret = UPMSUtils::GetTokenIdByBundleName(targetBundleName, appIndex, tokenId);
761 if (ret != ERR_OK) {
762 return ret;
763 }
764 TAG_LOGD(AAFwkTag::URIPERMMGR, "The tokenId is %{public}u", tokenId);
765 HandleUriPermission(tokenId, flag, docsVec, isSystemAppCall);
766 return ERR_OK;
767 }
768
HandleUriPermission(uint64_t tokenId,unsigned int flag,std::vector<PolicyInfo> & docsVec,bool isSystemAppCall)769 void UriPermissionManagerStubImpl::HandleUriPermission(
770 uint64_t tokenId, unsigned int flag, std::vector<PolicyInfo> &docsVec, bool isSystemAppCall)
771 {
772 TAG_LOGD(AAFwkTag::URIPERMMGR, "HandleUriPermission called");
773 uint32_t policyFlag = 0;
774 if ((flag & Want::FLAG_AUTH_PERSISTABLE_URI_PERMISSION) != 0) {
775 policyFlag |= IS_POLICY_ALLOWED_TO_BE_PRESISTED;
776 }
777 // Handle docs type URI permission
778 if (!docsVec.empty()) {
779 std::vector<bool> result;
780 checkPersistPermission(tokenId, docsVec, result);
781 if (docsVec.size() != result.size()) {
782 TAG_LOGE(AAFwkTag::URIPERMMGR, "Check persist permission failed.");
783 return;
784 }
785 std::vector<PolicyInfo> policyVec;
786 auto docsItem = docsVec.begin();
787 for (auto resultItem = result.begin(); resultItem != result.end();) {
788 if (*resultItem == true) {
789 policyVec.emplace_back(*docsItem);
790 }
791 resultItem++;
792 docsItem++;
793 }
794 if (!policyVec.empty()) {
795 setPolicy(tokenId, policyVec, policyFlag);
796 // The current processing starts from API 11 and maintains 5 versions.
797 if (((policyFlag & IS_POLICY_ALLOWED_TO_BE_PRESISTED) != 0) && isSystemAppCall) {
798 std::vector<uint32_t> persistResult;
799 persistPermission(policyVec, persistResult);
800 }
801 }
802 }
803 }
804
CheckUriPermission(TokenIdPermission & tokenIdPermission,const std::vector<Uri> & uriVec,uint32_t flag)805 std::vector<bool> UriPermissionManagerStubImpl::CheckUriPermission(TokenIdPermission &tokenIdPermission,
806 const std::vector<Uri> &uriVec, uint32_t flag)
807 {
808 auto tokenId = tokenIdPermission.GetTokenId();
809 std::vector<bool> result(uriVec.size(), false);
810 std::vector<Uri> mediaUris;
811 std::vector<int32_t> mediaUriIndexs;
812 std::string callerAlterableBundleName;
813 UPMSUtils::GetAlterableBundleNameByTokenId(tokenId, callerAlterableBundleName);
814 for (size_t i = 0; i < uriVec.size(); i++) {
815 auto uri = uriVec[i];
816 auto &&scheme = uri.GetScheme();
817 // checkUriPermission not support content uri
818 if (scheme != "file") {
819 TAG_LOGW(AAFwkTag::URIPERMMGR, "invalid uri:%{private}s", uri.ToString().c_str());
820 result[i] = false;
821 continue;
822 }
823 auto &&authority = uri.GetAuthority();
824 TAG_LOGD(AAFwkTag::URIPERMMGR, "UriAuth:%{public}s", authority.c_str());
825 if (authority == "docs" && tokenIdPermission.VerifyFileAccessManagerPermission()) {
826 result[i] = true;
827 continue;
828 }
829 if (authority == "media") {
830 mediaUris.emplace_back(uri);
831 mediaUriIndexs.emplace_back(i);
832 continue;
833 }
834 result[i] = (authority == callerAlterableBundleName);
835 }
836 if (!mediaUris.empty()) {
837 auto mediaUriResult = MediaPermissionManager::GetInstance().CheckUriPermission(mediaUris, tokenId, flag);
838 for (size_t i = 0; i < mediaUriResult.size(); i++) {
839 result[mediaUriIndexs[i]] = mediaUriResult[i];
840 }
841 }
842 CheckProxyUriPermission(tokenIdPermission, uriVec, flag, result);
843 return result;
844 }
845
CheckProxyUriPermission(TokenIdPermission & tokenIdPermission,const std::vector<Uri> & uriVec,uint32_t flag,std::vector<bool> & result)846 void UriPermissionManagerStubImpl::CheckProxyUriPermission(TokenIdPermission &tokenIdPermission,
847 const std::vector<Uri> &uriVec, uint32_t flag, std::vector<bool> &result)
848 {
849 TAG_LOGI(AAFwkTag::URIPERMMGR, "Call");
850 if (uriVec.size() != result.size()) {
851 TAG_LOGW(AAFwkTag::URIPERMMGR, "param size not equal");
852 return;
853 }
854 auto tokenId = tokenIdPermission.GetTokenId();
855 if (!tokenIdPermission.VerifyProxyAuthorizationUriPermission()) {
856 TAG_LOGW(AAFwkTag::URIPERMMGR, "no proxy permission");
857 return;
858 }
859 for (size_t i = 0; i < uriVec.size(); i++) {
860 if (!result[i]) {
861 result[i] = VerifyUriPermission(uriVec[i], flag, tokenId);
862 }
863 }
864 }
865
CheckUriTypeIsValid(Uri uri)866 bool UriPermissionManagerStubImpl::CheckUriTypeIsValid(Uri uri)
867 {
868 auto &&scheme = uri.GetScheme();
869 if (scheme != "file" && scheme != "content") {
870 TAG_LOGE(AAFwkTag::URIPERMMGR, "Type of uri is invalid, Scheme is %{public}s", scheme.c_str());
871 return false;
872 }
873 return true;
874 }
875
ClearPermissionTokenByMap(const uint32_t tokenId)876 int32_t UriPermissionManagerStubImpl::ClearPermissionTokenByMap(const uint32_t tokenId)
877 {
878 HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
879 TAG_LOGD(AAFwkTag::URIPERMMGR, "call");
880 bool isCallingPermission =
881 AAFwk::PermissionVerification::GetInstance()->CheckSpecificSystemAbilityAccessPermission(FOUNDATION_PROCESS);
882 if (!isCallingPermission) {
883 TAG_LOGE(AAFwkTag::APPMGR, "verification failed");
884 return ERR_PERMISSION_DENIED;
885 }
886 #ifdef ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
887 std::lock_guard<std::mutex> lock(ptMapMutex_);
888 if (permissionTokenMap_.find(tokenId) == permissionTokenMap_.end()) {
889 TAG_LOGD(AAFwkTag::URIPERMMGR, "permissionTokenMap_ empty");
890 return ERR_OK;
891 }
892 uint64_t timeNow = std::chrono::duration_cast<std::chrono::nanoseconds>(
893 std::chrono::high_resolution_clock::now().time_since_epoch()).count();
894 TAG_LOGD(AAFwkTag::URIPERMMGR, "clear %{private}d permission", tokenId);
895 auto ret = SandboxManagerKit::UnSetAllPolicyByToken(tokenId, timeNow);
896 TAG_LOGI(AAFwkTag::URIPERMMGR, "clear permission end");
897 if (ret != ERR_OK) {
898 TAG_LOGE(AAFwkTag::URIPERMMGR, "ClearPermission failed, ret is %{public}d", ret);
899 return ret;
900 }
901 permissionTokenMap_.erase(tokenId);
902 #endif // ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
903 return ERR_OK;
904 }
905
906 #ifdef ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
Active(const std::vector<PolicyInfo> & policy,std::vector<uint32_t> & result)907 int32_t UriPermissionManagerStubImpl::Active(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result)
908 {
909 HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
910 TAG_LOGD(AAFwkTag::URIPERMMGR, "call");
911 std::lock_guard<std::mutex> lock(ptMapMutex_);
912 auto callingPid = IPCSkeleton::GetCallingPid();
913 ConnectManager(appMgr_, APP_MGR_SERVICE_ID);
914 if (appMgr_ == nullptr) {
915 TAG_LOGE(AAFwkTag::URIPERMMGR, "appMgr_ null");
916 return INVALID_PARAMTER;
917 }
918 bool isTerminating = false;
919 if (IN_PROCESS_CALL(appMgr_->IsTerminatingByPid(callingPid, isTerminating)) != ERR_OK) {
920 TAG_LOGE(AAFwkTag::URIPERMMGR, "IsTerminatingByPid failed");
921 return INVALID_PARAMTER;
922 }
923 if (isTerminating) {
924 TAG_LOGD(AAFwkTag::URIPERMMGR, "app is terminating");
925 return INVALID_PARAMTER;
926 }
927 uint64_t timeNow = std::chrono::duration_cast<std::chrono::nanoseconds>(
928 std::chrono::high_resolution_clock::now().time_since_epoch()).count();
929 auto tokenId = IPCSkeleton::GetCallingTokenID();
930 TAG_LOGD(AAFwkTag::URIPERMMGR, "active %{private}d permission", tokenId);
931 auto ret = SandboxManagerKit::StartAccessingPolicy(policy, result, false, tokenId, timeNow);
932 TAG_LOGI(AAFwkTag::URIPERMMGR, "active permission end");
933 if (ret != ERR_OK) {
934 TAG_LOGE(AAFwkTag::URIPERMMGR, "StartAccessingPolicy failed, ret is %{public}d", ret);
935 return ret;
936 }
937 permissionTokenMap_.insert(tokenId);
938 return ERR_OK;
939 }
940 #endif // ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
941 } // namespace AAFwk
942 } // namespace OHOS