1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "bundle_permission_mgr.h"
17
18 #include "app_log_tag_wrapper.h"
19 #include "app_log_wrapper.h"
20 #include "bundle_mgr_service.h"
21 #include "bundle_parser.h"
22 #include "ipc_skeleton.h"
23 #include "parameter.h"
24 #include "privacy_kit.h"
25 #include "tokenid_kit.h"
26
27 namespace OHOS {
28 namespace AppExecFwk {
29 namespace {
30 // pre bundle profile
31 constexpr const char* INSTALL_LIST_PERMISSIONS_CONFIG = "/etc/app/install_list_permissions.json";
32 constexpr const char* SCENEBOARD_BUNDLE_NAME = "com.ohos.sceneboard";
33 // install list permissions file
34 constexpr const char* INSTALL_LIST_PERMISSIONS_FILE_PATH = "/system/etc/app/install_list_permissions.json";
35 const int32_t BASE_API_VERSION = 1000;
36 }
37
38 using namespace OHOS::Security;
39 std::map<std::string, DefaultPermission> BundlePermissionMgr::defaultPermissions_;
40
Init()41 bool BundlePermissionMgr::Init()
42 {
43 std::vector<std::string> permissionFileList;
44 #ifdef USE_PRE_BUNDLE_PROFILE
45 std::vector<std::string> rootDirList;
46 BMSEventHandler::GetPreInstallRootDirList(rootDirList);
47 if (rootDirList.empty()) {
48 LOG_E(BMS_TAG_DEFAULT, "rootDirList is empty");
49 return false;
50 }
51 for (const auto &item : rootDirList) {
52 permissionFileList.push_back(item + INSTALL_LIST_PERMISSIONS_CONFIG);
53 }
54 #else
55 permissionFileList.emplace_back(INSTALL_LIST_PERMISSIONS_FILE_PATH);
56 #endif
57 BundleParser bundleParser;
58 std::set<DefaultPermission> permissions;
59 for (const auto &permissionFile : permissionFileList) {
60 if (bundleParser.ParseDefaultPermission(permissionFile, permissions) != ERR_OK) {
61 LOG_D(BMS_TAG_DEFAULT, "BundlePermissionMgr::Init failed");
62 continue;
63 }
64 }
65
66 defaultPermissions_.clear();
67 for (const auto &permission : permissions) {
68 defaultPermissions_.try_emplace(permission.bundleName, permission);
69 }
70 LOG_D(BMS_TAG_DEFAULT, "BundlePermissionMgr::Init success");
71 return true;
72 }
73
UnInit()74 void BundlePermissionMgr::UnInit()
75 {
76 LOG_D(BMS_TAG_DEFAULT, "BundlePermissionMgr::UnInit");
77 defaultPermissions_.clear();
78 }
79
ConvertPermissionDef(const AccessToken::PermissionDef & permDef,PermissionDef & permissionDef)80 void BundlePermissionMgr::ConvertPermissionDef(
81 const AccessToken::PermissionDef &permDef, PermissionDef &permissionDef)
82 {
83 permissionDef.permissionName = permDef.permissionName;
84 permissionDef.bundleName = permDef.bundleName;
85 permissionDef.grantMode = permDef.grantMode;
86 permissionDef.availableLevel = permDef.availableLevel;
87 permissionDef.provisionEnable = permDef.provisionEnable;
88 permissionDef.distributedSceneEnable = permDef.distributedSceneEnable;
89 permissionDef.label = permDef.label;
90 permissionDef.labelId = permDef.labelId;
91 permissionDef.description = permDef.description;
92 permissionDef.descriptionId = permDef.descriptionId;
93 permissionDef.availableType = permDef.availableType;
94 }
95
96 // Convert from the struct DefinePermission that parsed from config.json
ConvertPermissionDef(AccessToken::PermissionDef & permDef,const DefinePermission & definePermission,const std::string & bundleName)97 void BundlePermissionMgr::ConvertPermissionDef(
98 AccessToken::PermissionDef &permDef, const DefinePermission &definePermission, const std::string &bundleName)
99 {
100 permDef.permissionName = definePermission.name;
101 permDef.bundleName = bundleName;
102 permDef.grantMode = [&definePermission]() -> int {
103 if (definePermission.grantMode ==
104 Profile::DEFINEPERMISSION_GRANT_MODE_SYSTEM_GRANT) {
105 return AccessToken::GrantMode::SYSTEM_GRANT;
106 }
107 return AccessToken::GrantMode::USER_GRANT;
108 }();
109
110 permDef.availableLevel = GetTokenApl(definePermission.availableLevel);
111 permDef.provisionEnable = definePermission.provisionEnable;
112 permDef.distributedSceneEnable = definePermission.distributedSceneEnable;
113 permDef.label = definePermission.label;
114 permDef.labelId = definePermission.labelId;
115 permDef.description = definePermission.description;
116 permDef.descriptionId = definePermission.descriptionId;
117 permDef.availableType = GetAvailableType(definePermission.availableType);
118 }
119
GetAvailableType(const std::string & availableType)120 AccessToken::ATokenAvailableTypeEnum BundlePermissionMgr::GetAvailableType(
121 const std::string &availableType)
122 {
123 if (availableType == Profile::DEFINEPERMISSION_AVAILABLE_TYPE_MDM) {
124 return AccessToken::ATokenAvailableTypeEnum::MDM;
125 }
126 return AccessToken::ATokenAvailableTypeEnum::NORMAL;
127 }
128
GetTokenApl(const std::string & apl)129 AccessToken::ATokenAplEnum BundlePermissionMgr::GetTokenApl(const std::string &apl)
130 {
131 if (apl == Profile::AVAILABLELEVEL_SYSTEM_CORE) {
132 return AccessToken::ATokenAplEnum::APL_SYSTEM_CORE;
133 }
134 if (apl == Profile::AVAILABLELEVEL_SYSTEM_BASIC) {
135 return AccessToken::ATokenAplEnum::APL_SYSTEM_BASIC;
136 }
137 return AccessToken::ATokenAplEnum::APL_NORMAL;
138 }
139
CreateHapPolicyParam(const InnerBundleInfo & innerBundleInfo)140 AccessToken::HapPolicyParams BundlePermissionMgr::CreateHapPolicyParam(const InnerBundleInfo &innerBundleInfo)
141 {
142 AccessToken::HapPolicyParams hapPolicy;
143 std::string apl = innerBundleInfo.GetAppPrivilegeLevel();
144 std::vector<AccessToken::PermissionDef> permDef = GetPermissionDefList(innerBundleInfo);
145 hapPolicy.apl = GetTokenApl(apl);
146 hapPolicy.domain = "domain";
147 hapPolicy.permList = permDef;
148 hapPolicy.permStateList = GetPermissionStateFullList(innerBundleInfo);
149 hapPolicy.aclRequestedList = innerBundleInfo.GetAllowedAcls();
150 LOG_I(BMS_TAG_DEFAULT, "%{public}s apl:%{public}s req permission size:%{public}zu, acls size:%{public}zu",
151 innerBundleInfo.GetBundleName().c_str(), apl.c_str(), hapPolicy.permStateList.size(),
152 hapPolicy.aclRequestedList.size());
153 // default permission list
154 DefaultPermission permission;
155 if (!GetDefaultPermission(innerBundleInfo.GetBundleName(), permission)) {
156 return hapPolicy;
157 }
158
159 #ifdef USE_PRE_BUNDLE_PROFILE
160 if (!MatchSignature(permission, innerBundleInfo.GetCertificateFingerprint()) &&
161 !MatchSignature(permission, innerBundleInfo.GetAppId()) &&
162 !MatchSignature(permission, innerBundleInfo.GetAppIdentifier()) &&
163 !MatchSignature(permission, innerBundleInfo.GetOldAppIds())) {
164 LOG_W(BMS_TAG_DEFAULT, "bundleName:%{public}s MatchSignature failed", innerBundleInfo.GetBundleName().c_str());
165 return hapPolicy;
166 }
167 #endif
168 for (const auto &perm: innerBundleInfo.GetAllRequestPermissions()) {
169 bool userCancellable = false;
170 if (!CheckPermissionInDefaultPermissions(permission, perm.name, userCancellable)) {
171 continue;
172 }
173 AccessToken::PreAuthorizationInfo preAuthorizationInfo;
174 preAuthorizationInfo.permissionName = perm.name;
175 preAuthorizationInfo.userCancelable = userCancellable;
176 hapPolicy.preAuthorizationInfo.emplace_back(preAuthorizationInfo);
177 }
178 LOG_I(BMS_TAG_DEFAULT, "end, preAuthorizationInfo size :%{public}zu", hapPolicy.preAuthorizationInfo.size());
179 return hapPolicy;
180 }
181
DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)182 int32_t BundlePermissionMgr::DeleteAccessTokenId(const AccessToken::AccessTokenID tokenId)
183 {
184 return AccessToken::AccessTokenKit::DeleteToken(tokenId);
185 }
186
ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)187 int32_t BundlePermissionMgr::ClearUserGrantedPermissionState(const AccessToken::AccessTokenID tokenId)
188 {
189 return AccessToken::AccessTokenKit::ClearUserGrantedPermissionState(tokenId);
190 }
191
GetPermissionDefList(const InnerBundleInfo & innerBundleInfo)192 std::vector<AccessToken::PermissionDef> BundlePermissionMgr::GetPermissionDefList(
193 const InnerBundleInfo &innerBundleInfo)
194 {
195 const auto bundleName = innerBundleInfo.GetBundleName();
196 const auto defPermissions = innerBundleInfo.GetAllDefinePermissions();
197 std::vector<AccessToken::PermissionDef> permList;
198 if (!defPermissions.empty()) {
199 for (const auto &defPermission : defPermissions) {
200 AccessToken::PermissionDef perm;
201 LOG_D(BMS_TAG_DEFAULT, "defPermission %{public}s", defPermission.name.c_str());
202 ConvertPermissionDef(perm, defPermission, bundleName);
203 permList.emplace_back(perm);
204 }
205 }
206 return permList;
207 }
208
GetPermissionStateFullList(const InnerBundleInfo & innerBundleInfo)209 std::vector<AccessToken::PermissionStateFull> BundlePermissionMgr::GetPermissionStateFullList(
210 const InnerBundleInfo &innerBundleInfo)
211 {
212 auto reqPermissions = innerBundleInfo.GetAllRequestPermissions();
213 LOG_I(BMS_TAG_DEFAULT, "bundleName:%{public}s requestPermission size :%{public}zu",
214 innerBundleInfo.GetBundleName().c_str(), reqPermissions.size());
215 std::vector<AccessToken::PermissionStateFull> permStateFullList;
216 if (!reqPermissions.empty()) {
217 for (const auto &reqPermission : reqPermissions) {
218 AccessToken::PermissionStateFull perState;
219 perState.permissionName = reqPermission.name;
220 perState.isGeneral = true;
221 perState.resDeviceID.emplace_back(innerBundleInfo.GetBaseApplicationInfo().deviceId);
222 perState.grantStatus.emplace_back(AccessToken::PermissionState::PERMISSION_DENIED);
223 perState.grantFlags.emplace_back(AccessToken::PermissionFlag::PERMISSION_DEFAULT_FLAG);
224 permStateFullList.emplace_back(perState);
225 }
226 } else {
227 LOG_D(BMS_TAG_DEFAULT, "BundlePermissionMgr::GetPermissionStateFullList requestPermission is empty");
228 }
229 return permStateFullList;
230 }
231
GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,std::vector<AccessToken::PermissionStateFull> & newPermissionState)232 bool BundlePermissionMgr::GetAllReqPermissionStateFull(AccessToken::AccessTokenID tokenId,
233 std::vector<AccessToken::PermissionStateFull> &newPermissionState)
234 {
235 std::vector<AccessToken::PermissionStateFull> userGrantReqPermList;
236 int32_t ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, userGrantReqPermList, false);
237 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
238 LOG_E(BMS_TAG_DEFAULT, "GetAllReqPermissionStateFull get user grant failed errcode: %{public}d", ret);
239 return false;
240 }
241 std::vector<AccessToken::PermissionStateFull> systemGrantReqPermList;
242 ret = AccessToken::AccessTokenKit::GetReqPermissions(tokenId, systemGrantReqPermList, true);
243 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
244 LOG_E(BMS_TAG_DEFAULT, "GetAllReqPermissionStateFull get system grant failed errcode: %{public}d", ret);
245 return false;
246 }
247 newPermissionState = userGrantReqPermList;
248 std::copy(systemGrantReqPermList.begin(), systemGrantReqPermList.end(), std::back_inserter(newPermissionState));
249 return true;
250 }
251
GetRequestPermissionStates(BundleInfo & bundleInfo,uint32_t tokenId,const std::string deviceId)252 bool BundlePermissionMgr::GetRequestPermissionStates(
253 BundleInfo &bundleInfo, uint32_t tokenId, const std::string deviceId)
254 {
255 std::vector<std::string> requestPermission = bundleInfo.reqPermissions;
256 if (requestPermission.empty()) {
257 LOG_D(BMS_TAG_DEFAULT, "GetRequestPermissionStates requestPermission empty");
258 return true;
259 }
260 std::vector<Security::AccessToken::PermissionStateFull> allPermissionState;
261 if (!GetAllReqPermissionStateFull(tokenId, allPermissionState)) {
262 LOG_W(BMS_TAG_DEFAULT, "BundlePermissionMgr::GetRequestPermissionStates failed");
263 }
264 for (auto &req : requestPermission) {
265 auto iter = std::find_if(allPermissionState.begin(), allPermissionState.end(),
266 [&req](const auto &perm) {
267 return perm.permissionName == req;
268 });
269 if (iter != allPermissionState.end()) {
270 LOG_D(BMS_TAG_DEFAULT, "GetRequestPermissionStates request permission name: %{public}s", req.c_str());
271 for (std::vector<std::string>::size_type i = 0; i < iter->resDeviceID.size(); i++) {
272 if (iter->resDeviceID[i] == deviceId) {
273 bundleInfo.reqPermissionStates.emplace_back(iter->grantStatus[i]);
274 break;
275 }
276 }
277 } else {
278 LOG_E(BMS_TAG_DEFAULT, "request permission name : %{public}s is not exit in AccessTokenMgr", req.c_str());
279 bundleInfo.reqPermissionStates.emplace_back(
280 static_cast<int32_t>(AccessToken::PermissionState::PERMISSION_DENIED));
281 }
282 }
283 return true;
284 }
285
VerifyCallingPermissionForAll(const std::string & permissionName)286 bool BundlePermissionMgr::VerifyCallingPermissionForAll(const std::string &permissionName)
287 {
288 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
289 LOG_D(BMS_TAG_DEFAULT, "VerifyCallingPermission permission %{public}s, callerToken : %{public}u",
290 permissionName.c_str(), callerToken);
291 if (AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName) ==
292 AccessToken::PermissionState::PERMISSION_GRANTED) {
293 return true;
294 }
295 LOG_NOFUNC_E(BMS_TAG_DEFAULT, "permission denied caller:%{public}u", callerToken);
296 return false;
297 }
298
VerifyCallingPermissionsForAll(const std::vector<std::string> & permissionNames)299 bool BundlePermissionMgr::VerifyCallingPermissionsForAll(const std::vector<std::string> &permissionNames)
300 {
301 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
302 for (auto permissionName : permissionNames) {
303 if (AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName) ==
304 AccessToken::PermissionState::PERMISSION_GRANTED) {
305 LOG_D(BMS_TAG_DEFAULT, "verify success");
306 return true;
307 }
308 }
309 std::string errorMessage;
310 for (auto deniedPermission : permissionNames) {
311 errorMessage += deniedPermission + " ";
312 }
313 LOG_NOFUNC_E(BMS_TAG_DEFAULT, "%{public}s denied callerToken:%{public}u", errorMessage.c_str(), callerToken);
314 return false;
315 }
316
VerifyPermission(const std::string & bundleName,const std::string & permissionName,const int32_t userId)317 int32_t BundlePermissionMgr::VerifyPermission(
318 const std::string &bundleName, const std::string &permissionName, const int32_t userId)
319 {
320 LOG_D(BMS_TAG_DEFAULT, "VerifyPermission bundleName %{public}s, permission %{public}s", bundleName.c_str(),
321 permissionName.c_str());
322 AccessToken::AccessTokenID tokenId = AccessToken::AccessTokenKit::GetHapTokenID(userId,
323 bundleName, 0);
324 return AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionName);
325 }
326
GetPermissionDef(const std::string & permissionName,PermissionDef & permissionDef)327 ErrCode BundlePermissionMgr::GetPermissionDef(const std::string &permissionName, PermissionDef &permissionDef)
328 {
329 LOG_D(BMS_TAG_DEFAULT, "BundlePermissionMgr::GetPermissionDef permission %{public}s", permissionName.c_str());
330 AccessToken::PermissionDef accessTokenPermDef;
331 int32_t ret = AccessToken::AccessTokenKit::GetDefPermission(permissionName, accessTokenPermDef);
332 if (ret == AccessToken::AccessTokenKitRet::RET_SUCCESS) {
333 ConvertPermissionDef(accessTokenPermDef, permissionDef);
334 return ERR_OK;
335 }
336 return ERR_BUNDLE_MANAGER_QUERY_PERMISSION_DEFINE_FAILED;
337 }
338
CheckPermissionInDefaultPermissions(const DefaultPermission & defaultPermission,const std::string & permissionName,bool & userCancellable)339 bool BundlePermissionMgr::CheckPermissionInDefaultPermissions(const DefaultPermission &defaultPermission,
340 const std::string &permissionName, bool &userCancellable)
341 {
342 auto &grantPermission = defaultPermission.grantPermission;
343 auto iter = std::find_if(grantPermission.begin(), grantPermission.end(), [&permissionName](const auto &defPerm) {
344 return defPerm.name == permissionName;
345 });
346 if (iter == grantPermission.end()) {
347 LOG_D(BMS_TAG_DEFAULT, "can not find permission(%{public}s)", permissionName.c_str());
348 return false;
349 }
350
351 userCancellable = iter->userCancellable;
352 return true;
353 }
354
GetDefaultPermission(const std::string & bundleName,DefaultPermission & permission)355 bool BundlePermissionMgr::GetDefaultPermission(
356 const std::string &bundleName, DefaultPermission &permission)
357 {
358 auto iter = defaultPermissions_.find(bundleName);
359 if (iter == defaultPermissions_.end()) {
360 LOG_W(BMS_TAG_DEFAULT, "bundleName: %{public}s does not exist in defaultPermissions",
361 bundleName.c_str());
362 return false;
363 }
364
365 permission = iter->second;
366 return true;
367 }
368
MatchSignature(const DefaultPermission & permission,const std::vector<std::string> & signatures)369 bool BundlePermissionMgr::MatchSignature(
370 const DefaultPermission &permission, const std::vector<std::string> &signatures)
371 {
372 if (permission.appSignature.empty()) {
373 LOG_W(BMS_TAG_DEFAULT, "appSignature is empty");
374 return false;
375 }
376 for (const auto &signature : permission.appSignature) {
377 if (std::find(signatures.begin(), signatures.end(), signature) != signatures.end()) {
378 return true;
379 }
380 }
381
382 return false;
383 }
384
MatchSignature(const DefaultPermission & permission,const std::string & signature)385 bool BundlePermissionMgr::MatchSignature(
386 const DefaultPermission &permission, const std::string &signature)
387 {
388 if (permission.appSignature.empty() || signature.empty()) {
389 LOG_W(BMS_TAG_DEFAULT, "appSignature or signature is empty");
390 return false;
391 }
392 return std::find(permission.appSignature.begin(), permission.appSignature.end(),
393 signature) != permission.appSignature.end();
394 }
395
GetHapApiVersion()396 int32_t BundlePermissionMgr::GetHapApiVersion()
397 {
398 // get appApiVersion from applicationInfo
399 std::string bundleName;
400 auto uid = IPCSkeleton::GetCallingUid();
401 auto userId = uid / Constants::BASE_USER_RANGE;
402 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
403 if (dataMgr == nullptr) {
404 LOG_E(BMS_TAG_DEFAULT, "DataMgr is nullptr");
405 return Constants::INVALID_API_VERSION;
406 }
407 auto ret = dataMgr->GetBundleNameForUid(uid, bundleName);
408 if (!ret) {
409 LOG_E(BMS_TAG_DEFAULT, "getBundleName failed, uid : %{public}d", uid);
410 return Constants::INVALID_API_VERSION;
411 }
412 ApplicationInfo applicationInfo;
413 auto res = dataMgr->GetApplicationInfoV9(bundleName,
414 static_cast<int32_t>(GetApplicationFlag::GET_APPLICATION_INFO_WITH_DISABLE), userId, applicationInfo);
415 if (res != ERR_OK) {
416 LOG_E(BMS_TAG_DEFAULT, "getApplicationInfo failed");
417 return Constants::INVALID_API_VERSION;
418 }
419 auto appApiVersion = applicationInfo.apiTargetVersion % BASE_API_VERSION;
420 LOG_D(BMS_TAG_DEFAULT, "appApiVersion is %{public}d", appApiVersion);
421 auto systemApiVersion = GetSdkApiVersion();
422 // api version is the minimum value of {appApiVersion, systemApiVersion}
423 return systemApiVersion < appApiVersion ? systemApiVersion :appApiVersion;
424 }
425
426 // if the api has been system api since it is published, then beginSystemApiVersion can be omitted
VerifySystemApp(int32_t beginSystemApiVersion)427 bool BundlePermissionMgr::VerifySystemApp(int32_t beginSystemApiVersion)
428 {
429 LOG_D(BMS_TAG_DEFAULT, "verifying systemApp");
430 uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
431 if (Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
432 return true;
433 }
434 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
435 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
436 LOG_D(BMS_TAG_DEFAULT, "tokenType is %{private}d", tokenType);
437 int32_t callingUid = IPCSkeleton::GetCallingUid();
438 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE ||
439 tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL ||
440 callingUid == Constants::ROOT_UID ||
441 callingUid == ServiceConstants::SHELL_UID) {
442 LOG_D(BMS_TAG_DEFAULT, "caller tokenType is native, verify success");
443 return true;
444 }
445 if (beginSystemApiVersion != Constants::ALL_VERSIONCODE) {
446 auto apiVersion = GetHapApiVersion();
447 if (apiVersion == Constants::INVALID_API_VERSION) {
448 LOG_E(BMS_TAG_DEFAULT, "get api version failed, system app verification failed");
449 return false;
450 }
451 if (apiVersion < beginSystemApiVersion) {
452 LOG_I(BMS_TAG_DEFAULT, "previous app calling, verify success");
453 return true;
454 }
455 }
456 LOG_E(BMS_TAG_DEFAULT, "system app verification failed");
457 return false;
458 }
459
IsSystemApp()460 bool BundlePermissionMgr::IsSystemApp()
461 {
462 LOG_D(BMS_TAG_DEFAULT, "verifying systemApp");
463 uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
464 if (Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
465 return true;
466 }
467 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
468 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
469 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_HAP) {
470 LOG_E(BMS_TAG_DEFAULT, "IsSystemApp %{public}d,%{public}d,%{public}u",
471 IPCSkeleton::GetCallingUid(), IPCSkeleton::GetCallingPid(), callerToken);
472 return false;
473 }
474 LOG_D(BMS_TAG_DEFAULT, "caller tokenType is not hap, ignore");
475 return true;
476 }
477
IsNativeTokenType()478 bool BundlePermissionMgr::IsNativeTokenType()
479 {
480 LOG_D(BMS_TAG_DEFAULT, "begin to verify token type");
481 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
482 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
483 LOG_D(BMS_TAG_DEFAULT, "tokenType is %{private}d", tokenType);
484 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE
485 || tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
486 LOG_D(BMS_TAG_DEFAULT, "caller tokenType is native, verify success");
487 return true;
488 }
489 if (VerifyCallingUid()) {
490 LOG_D(BMS_TAG_DEFAULT, "caller is root or foundation or BMS_UID, verify success");
491 return true;
492 }
493 LOG_E(BMS_TAG_DEFAULT, "caller tokenType not native, verify failed");
494 return false;
495 }
496
IsShellTokenType()497 bool BundlePermissionMgr::IsShellTokenType()
498 {
499 LOG_D(BMS_TAG_DEFAULT, "IsShellTokenType begin");
500 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
501 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
502 LOG_D(BMS_TAG_DEFAULT, "tokenType is %{private}d", tokenType);
503 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
504 LOG_D(BMS_TAG_DEFAULT, "caller is shell, success");
505 return true;
506 }
507 LOG_I(BMS_TAG_DEFAULT, "caller not shell");
508 return false;
509 }
510
VerifyCallingUid()511 bool BundlePermissionMgr::VerifyCallingUid()
512 {
513 LOG_D(BMS_TAG_DEFAULT, "begin to verify calling uid");
514 int32_t callingUid = IPCSkeleton::GetCallingUid();
515 LOG_D(BMS_TAG_DEFAULT, "calling uid is %{public}d", callingUid);
516 if (callingUid == Constants::ROOT_UID ||
517 callingUid == Constants::FOUNDATION_UID ||
518 callingUid == ServiceConstants::SHELL_UID ||
519 callingUid == ServiceConstants::BMS_UID) {
520 LOG_D(BMS_TAG_DEFAULT, "caller is root or foundation, verify success");
521 return true;
522 }
523 LOG_E(BMS_TAG_DEFAULT, "verify calling uid failed");
524 return false;
525 }
526
VerifyPreload(const AAFwk::Want & want)527 bool BundlePermissionMgr::VerifyPreload(const AAFwk::Want &want)
528 {
529 std::string callingBundleName;
530 auto uid = IPCSkeleton::GetCallingUid();
531 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
532 if (dataMgr == nullptr) {
533 LOG_E(BMS_TAG_DEFAULT, "DataMgr is nullptr");
534 return false;
535 }
536 auto ret = dataMgr->GetBundleNameForUid(uid, callingBundleName);
537 if (!ret) {
538 return BundlePermissionMgr::VerifyCallingPermissionForAll(Constants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
539 }
540 std::string bundleName = want.GetElement().GetBundleName();
541 return bundleName == callingBundleName || callingBundleName == SCENEBOARD_BUNDLE_NAME;
542 }
543
IsCallingUidValid(int32_t uid)544 bool BundlePermissionMgr::IsCallingUidValid(int32_t uid)
545 {
546 int32_t callingUid = IPCSkeleton::GetCallingUid();
547 if (callingUid == uid) {
548 return true;
549 }
550 LOG_E(BMS_TAG_DEFAULT, "IsCallingUidValid failed, uid = %{public}d, calling uid = %{public}d", uid, callingUid);
551 return false;
552 }
553
IsSelfCalling()554 bool BundlePermissionMgr::IsSelfCalling()
555 {
556 int32_t callingUid = IPCSkeleton::GetCallingUid();
557 if (callingUid == Constants::FOUNDATION_UID) {
558 return true;
559 }
560 return false;
561 }
562
VerifyUninstallPermission()563 bool BundlePermissionMgr::VerifyUninstallPermission()
564 {
565 if (!BundlePermissionMgr::IsSelfCalling() &&
566 !BundlePermissionMgr::VerifyCallingPermissionsForAll({Constants::PERMISSION_INSTALL_BUNDLE,
567 ServiceConstants::PERMISSION_UNINSTALL_BUNDLE})) {
568 LOG_E(BMS_TAG_DEFAULT, "uninstall bundle permission denied");
569 return false;
570 }
571 return true;
572 }
573
VerifyRecoverPermission()574 bool BundlePermissionMgr::VerifyRecoverPermission()
575 {
576 if (!BundlePermissionMgr::IsSelfCalling() &&
577 !BundlePermissionMgr::VerifyCallingPermissionsForAll({Constants::PERMISSION_INSTALL_BUNDLE,
578 ServiceConstants::PERMISSION_RECOVER_BUNDLE})) {
579 LOG_E(BMS_TAG_DEFAULT, "recover bundle permission denied");
580 return false;
581 }
582 return true;
583 }
584
AddPermissionUsedRecord(const std::string & permission,int32_t successCount,int32_t failCount)585 void BundlePermissionMgr::AddPermissionUsedRecord(
586 const std::string &permission, int32_t successCount, int32_t failCount)
587 {
588 LOG_D(BMS_TAG_DEFAULT, "AddPermissionUsedRecord permission:%{public}s", permission.c_str());
589 AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
590 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
591 if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_HAP) {
592 int32_t ret = AccessToken::PrivacyKit::AddPermissionUsedRecord(callerToken, permission,
593 successCount, failCount);
594 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
595 APP_LOGE("AddPermissionUsedRecord failed, ret = %{public}d", ret);
596 }
597 }
598 }
599
IsBundleSelfCalling(const std::string & bundleName)600 bool BundlePermissionMgr::IsBundleSelfCalling(const std::string &bundleName)
601 {
602 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
603 if (dataMgr == nullptr) {
604 LOG_E(BMS_TAG_DEFAULT, "DataMgr is nullptr");
605 return false;
606 }
607 int32_t callingUid = IPCSkeleton::GetCallingUid();
608 LOG_D(BMS_TAG_DEFAULT, "start, callingUid: %{public}d", callingUid);
609 std::string callingBundleName;
610 if (dataMgr->GetNameForUid(callingUid, callingBundleName) != ERR_OK) {
611 return false;
612 }
613 LOG_D(BMS_TAG_DEFAULT, "bundleName :%{public}s, callingBundleName : %{public}s",
614 bundleName.c_str(), callingBundleName.c_str());
615 if (bundleName != callingBundleName) {
616 LOG_W(BMS_TAG_DEFAULT, "failed, callingUid: %{public}d", callingUid);
617 return false;
618 }
619 LOG_D(BMS_TAG_DEFAULT, "end, verify success");
620 return true;
621 }
622
VerifyCallingBundleSdkVersion(int32_t beginApiVersion)623 bool BundlePermissionMgr::VerifyCallingBundleSdkVersion(int32_t beginApiVersion)
624 {
625 auto dataMgr = DelayedSingleton<BundleMgrService>::GetInstance()->GetDataMgr();
626 if (dataMgr == nullptr) {
627 LOG_E(BMS_TAG_DEFAULT, "DataMgr is nullptr");
628 return false;
629 }
630 int32_t callingUid = IPCSkeleton::GetCallingUid();
631 LOG_D(BMS_TAG_DEFAULT, "start, callingUid: %{public}d", callingUid);
632 std::string callingBundleName;
633 if (dataMgr->GetNameForUid(callingUid, callingBundleName) != ERR_OK) {
634 return false;
635 }
636 auto userId = callingUid / Constants::BASE_USER_RANGE;
637 ApplicationInfo applicationInfo;
638 auto res = dataMgr->GetApplicationInfoV9(callingBundleName,
639 static_cast<int32_t>(GetApplicationFlag::GET_APPLICATION_INFO_WITH_DISABLE), userId, applicationInfo);
640 if (res != ERR_OK) {
641 LOG_E(BMS_TAG_DEFAULT, "getApplicationInfo failed, callingBundleName:%{public}s", callingBundleName.c_str());
642 return false;
643 }
644 auto systemApiVersion = GetSdkApiVersion();
645 auto appApiVersion = applicationInfo.apiTargetVersion;
646 // api version is the minimum value of {appApiVersion, systemApiVersion}
647 appApiVersion = systemApiVersion < appApiVersion ? systemApiVersion : appApiVersion;
648 LOG_D(BMS_TAG_DEFAULT, "appApiVersion: %{public}d", appApiVersion);
649
650 if ((appApiVersion % BASE_API_VERSION) < beginApiVersion) {
651 LOG_I(BMS_TAG_DEFAULT, "previous app calling, verify success");
652 return true;
653 }
654 return false;
655 }
656
CreateHapInfoParams(const InnerBundleInfo & innerBundleInfo,const int32_t userId,const int32_t dlpType)657 Security::AccessToken::HapInfoParams BundlePermissionMgr::CreateHapInfoParams(const InnerBundleInfo &innerBundleInfo,
658 const int32_t userId, const int32_t dlpType)
659 {
660 AccessToken::HapInfoParams hapInfo;
661 hapInfo.userID = userId;
662 hapInfo.bundleName = innerBundleInfo.GetBundleName();
663 hapInfo.instIndex = innerBundleInfo.GetAppIndex();
664 hapInfo.appIDDesc = innerBundleInfo.GetAppId();
665 hapInfo.dlpType = dlpType;
666 hapInfo.apiVersion = innerBundleInfo.GetBaseApplicationInfo().apiTargetVersion;
667 hapInfo.isSystemApp = innerBundleInfo.IsSystemApp();
668 hapInfo.appDistributionType = innerBundleInfo.GetAppDistributionType();
669 return hapInfo;
670 }
671
InitHapToken(const InnerBundleInfo & innerBundleInfo,const int32_t userId,const int32_t dlpType,Security::AccessToken::AccessTokenIDEx & tokenIdeEx)672 int32_t BundlePermissionMgr::InitHapToken(const InnerBundleInfo &innerBundleInfo, const int32_t userId,
673 const int32_t dlpType, Security::AccessToken::AccessTokenIDEx& tokenIdeEx)
674 {
675 LOG_I(BMS_TAG_DEFAULT, "start, init hap token bundleName:%{public}s", innerBundleInfo.GetBundleName().c_str());
676 AccessToken::HapInfoParams hapInfo = CreateHapInfoParams(innerBundleInfo, userId, dlpType);
677 AccessToken::HapPolicyParams hapPolicy = CreateHapPolicyParam(innerBundleInfo);
678 auto ret = AccessToken::AccessTokenKit::InitHapToken(hapInfo, hapPolicy, tokenIdeEx);
679 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
680 LOG_E(BMS_TAG_DEFAULT, "InitHapToken failed, bundleName:%{public}s errCode:%{public}d",
681 innerBundleInfo.GetBundleName().c_str(), ret);
682 return ret;
683 }
684 LOG_I(BMS_TAG_DEFAULT, "bundleName: %{public}s tokenId:%{public}u", innerBundleInfo.GetBundleName().c_str(),
685 tokenIdeEx.tokenIdExStruct.tokenID);
686 return ERR_OK;
687 }
688
UpdateHapToken(Security::AccessToken::AccessTokenIDEx & tokenIdeEx,const InnerBundleInfo & innerBundleInfo)689 int32_t BundlePermissionMgr::UpdateHapToken(
690 Security::AccessToken::AccessTokenIDEx& tokenIdeEx, const InnerBundleInfo &innerBundleInfo)
691 {
692 LOG_I(BMS_TAG_DEFAULT, "start, update hap token bundleName:%{public}s", innerBundleInfo.GetBundleName().c_str());
693 AccessToken::UpdateHapInfoParams updateHapInfoParams;
694 updateHapInfoParams.appIDDesc = innerBundleInfo.GetAppId();
695 updateHapInfoParams.apiVersion = innerBundleInfo.GetBaseApplicationInfo().apiTargetVersion;
696 updateHapInfoParams.isSystemApp = innerBundleInfo.IsSystemApp();
697 updateHapInfoParams.appDistributionType = innerBundleInfo.GetAppDistributionType();
698
699 AccessToken::HapPolicyParams hapPolicy = CreateHapPolicyParam(innerBundleInfo);
700
701 auto ret = AccessToken::AccessTokenKit::UpdateHapToken(tokenIdeEx, updateHapInfoParams, hapPolicy);
702 if (ret != AccessToken::AccessTokenKitRet::RET_SUCCESS) {
703 LOG_E(BMS_TAG_DEFAULT, "UpdateHapToken failed, bundleName:%{public}s errCode:%{public}d",
704 innerBundleInfo.GetBundleName().c_str(), ret);
705 return ret;
706 }
707 LOG_I(BMS_TAG_DEFAULT, "end, update hap token bundleName:%{public}s", innerBundleInfo.GetBundleName().c_str());
708 return ERR_OK;
709 }
710 } // namespace AppExecFwk
711 } // namespace OHOS