1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_manager.h"
17
18 #include "accesstoken_kit.h"
19 #include "access_token.h"
20 #include "dm_anonymous.h"
21 #include "dm_log.h"
22 #include "hap_token_info.h"
23 #include "ipc_skeleton.h"
24 #include "native_token_info.h"
25 #include "securec.h"
26 #include "tokenid_kit.h"
27
28 using namespace OHOS::Security::AccessToken;
29
30 namespace OHOS {
31 namespace DistributedHardware {
32 DM_IMPLEMENT_SINGLE_INSTANCE(PermissionManager);
33 namespace {
34 constexpr const char* DM_SERVICE_ACCESS_PERMISSION = "ohos.permission.ACCESS_SERVICE_DM";
35 constexpr const char* DM_SERVICE_ACCESS_NEWPERMISSION = "ohos.permission.DISTRIBUTED_DATASYNC";
36 constexpr const char* DM_MONITOR_DEVICE_NETWORK_STATE_PERMISSION = "ohos.permission.MONITOR_DEVICE_NETWORK_STATE";
37 constexpr int32_t DM_OK = 0;
38 constexpr int32_t ERR_DM_FAILED = 96929744;
39 constexpr int32_t PKG_NAME_SIZE_MAX = 256;
40 #define AUTH_CODE_WHITE_LIST_NUM (3)
41 constexpr const static char g_authCodeWhiteList[AUTH_CODE_WHITE_LIST_NUM][PKG_NAME_SIZE_MAX] = {
42 "com.huawei.msdp.hmringgenerator",
43 "com.huawei.msdp.hmringdiscriminator",
44 "CollaborationFwk",
45 };
46
47 #define PIN_HOLDER_WHITE_LIST_NUM (1)
48 constexpr const static char g_pinHolderWhiteList[PIN_HOLDER_WHITE_LIST_NUM][PKG_NAME_SIZE_MAX] = {
49 "CollaborationFwk",
50 };
51
52 #define SYSTEM_SA_WHITE_LIST_NUM (7)
53 constexpr const static char systemSaWhiteList[SYSTEM_SA_WHITE_LIST_NUM][PKG_NAME_SIZE_MAX] = {
54 "Samgr_Networking",
55 "ohos.distributeddata.service",
56 "ohos.dslm",
57 "ohos.deviceprofile",
58 "distributed_bundle_framework",
59 "ohos.dhardware",
60 "ohos.security.distributed_access_token",
61 };
62 }
63
CheckPermission(void)64 bool PermissionManager::CheckPermission(void)
65 {
66 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
67 if (tokenCaller == 0) {
68 LOGE("CheckPermission GetCallingTokenID error.");
69 return false;
70 }
71 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
72 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP || tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
73 if (AccessTokenKit::VerifyAccessToken(tokenCaller, DM_SERVICE_ACCESS_PERMISSION) !=
74 PermissionState::PERMISSION_GRANTED) {
75 LOGE("DM service access is denied, please apply for corresponding permissions");
76 return false;
77 }
78 }
79 return true;
80 }
81
CheckNewPermission(void)82 bool PermissionManager::CheckNewPermission(void)
83 {
84 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
85 if (tokenCaller == 0) {
86 LOGE("CheckNewPermission GetCallingTokenID error.");
87 return false;
88 }
89 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
90 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP || tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
91 if (AccessTokenKit::VerifyAccessToken(tokenCaller, DM_SERVICE_ACCESS_NEWPERMISSION) !=
92 PermissionState::PERMISSION_GRANTED) {
93 LOGE("DM service access is denied, please apply for corresponding new permissions");
94 return false;
95 }
96 }
97 return true;
98 }
99
CheckMonitorPermission(void)100 bool PermissionManager::CheckMonitorPermission(void)
101 {
102 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
103 if (tokenCaller == 0) {
104 LOGE("CheckMonitorPermission GetCallingTokenID error.");
105 return false;
106 }
107 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
108 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
109 if (AccessTokenKit::VerifyAccessToken(tokenCaller, DM_MONITOR_DEVICE_NETWORK_STATE_PERMISSION) !=
110 PermissionState::PERMISSION_GRANTED) {
111 LOGE("DM service access is denied, please apply for corresponding permissions.");
112 return false;
113 }
114 }
115 return true;
116 }
117
GetCallerProcessName(std::string & processName)118 int32_t PermissionManager::GetCallerProcessName(std::string &processName)
119 {
120 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
121 if (tokenCaller == 0) {
122 LOGE("GetCallerProcessName GetCallingTokenID error.");
123 return ERR_DM_FAILED;
124 }
125 LOGI("GetCallerProcessName::tokenCaller ID == %{public}s", GetAnonyInt32(tokenCaller).c_str());
126 ATokenTypeEnum tokenTypeFlag = AccessTokenKit::GetTokenTypeFlag(tokenCaller);
127 if (tokenTypeFlag == ATokenTypeEnum::TOKEN_HAP) {
128 HapTokenInfo tokenInfo;
129 if (AccessTokenKit::GetHapTokenInfo(tokenCaller, tokenInfo) != EOK) {
130 LOGE("GetHapTokenInfo failed.");
131 return ERR_DM_FAILED;
132 }
133 processName = std::move(tokenInfo.bundleName);
134 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
135 if (!OHOS::Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
136 LOGE("GetCallerProcessName %{public}s not system hap.", processName.c_str());
137 return ERR_DM_FAILED;
138 }
139 } else if (tokenTypeFlag == ATokenTypeEnum::TOKEN_NATIVE) {
140 NativeTokenInfo tokenInfo;
141 if (AccessTokenKit::GetNativeTokenInfo(tokenCaller, tokenInfo) != EOK) {
142 LOGE("GetNativeTokenInfo failed.");
143 return ERR_DM_FAILED;
144 }
145 processName = std::move(tokenInfo.processName);
146 } else {
147 LOGE("GetCallerProcessName failed, unsupported process.");
148 return ERR_DM_FAILED;
149 }
150
151 LOGI("Get process name: %{public}s success.", processName.c_str());
152 return DM_OK;
153 }
154
CheckProcessNameValidOnAuthCode(const std::string & processName)155 bool PermissionManager::CheckProcessNameValidOnAuthCode(const std::string &processName)
156 {
157 LOGI("Enter PermissionManager::CheckProcessNameValidOnAuthCode");
158 if (processName.empty()) {
159 LOGE("ProcessName is empty");
160 return false;
161 }
162
163 uint16_t index = 0;
164 for (; index < AUTH_CODE_WHITE_LIST_NUM; ++index) {
165 std::string tmp(g_authCodeWhiteList[index]);
166 if (processName == tmp) {
167 return true;
168 }
169 }
170
171 LOGE("CheckProcessNameValidOnAuthCode process name: %{public}s invalid.", processName.c_str());
172 return false;
173 }
174
CheckProcessNameValidOnPinHolder(const std::string & processName)175 bool PermissionManager::CheckProcessNameValidOnPinHolder(const std::string &processName)
176 {
177 LOGI("Enter PermissionManager::CheckProcessNameValidOnPinHolder");
178 if (processName.empty()) {
179 LOGE("ProcessName is empty");
180 return false;
181 }
182
183 uint16_t index = 0;
184 for (; index < PIN_HOLDER_WHITE_LIST_NUM; ++index) {
185 std::string tmp(g_pinHolderWhiteList[index]);
186 if (processName == tmp) {
187 return true;
188 }
189 }
190
191 LOGE("CheckProcessNameValidOnPinHolder process name: %{public}s invalid.", processName.c_str());
192 return false;
193 }
194
CheckSystemSA(const std::string & pkgName)195 bool PermissionManager::CheckSystemSA(const std::string &pkgName)
196 {
197 for (uint16_t index = 0; index < SYSTEM_SA_WHITE_LIST_NUM; ++index) {
198 std::string tmp(systemSaWhiteList[index]);
199 if (pkgName == tmp) {
200 return true;
201 }
202 }
203 return false;
204 }
205
GetSystemSA()206 std::unordered_set<std::string> PermissionManager::GetSystemSA()
207 {
208 std::unordered_set<std::string> systemSA;
209 for (uint16_t index = 0; index < SYSTEM_SA_WHITE_LIST_NUM; ++index) {
210 std::string tmp(systemSaWhiteList[index]);
211 systemSA.insert(tmp);
212 }
213 return systemSA;
214 }
215 } // namespace DistributedHardware
216 } // namespace OHOS
217