diff --git a/services/formmgr/BUILD.gn b/services/formmgr/BUILD.gn index cc0963ffc1e427bb8ccac55e80f9face31284da3..1df7b815b4e073966df4a9d3806571d0309cfc33 100644 --- a/services/formmgr/BUILD.gn +++ b/services/formmgr/BUILD.gn @@ -30,6 +30,7 @@ group("fms_target") { ohos_shared_library("libfms") { include_dirs = [ + "${services_path}/common:perm_verification", "//foundation/appexecfwk/standard/interfaces/innerkits/libeventhandler/include", "//foundation/aafwk/standard/interfaces/innerkits/ability_manager/include", "//base/security/permission/interfaces/innerkits/permission_standard/permissionsdk/main/cpp/include", @@ -90,6 +91,7 @@ ohos_shared_library("libfms") { deps = [ "${appexecfwk_path}/common:libappexecfwk_common", "${appexecfwk_path}/libs/libeventhandler:libeventhandler_target", + "${services_path}/common:perm_verification", "//base/miscservices/time/services:time_service", "//foundation/aafwk/standard/frameworks/kits/appkit:app_context", "//foundation/aafwk/standard/frameworks/kits/wantagent:wantagent_innerkits", diff --git a/services/formmgr/include/form_info_mgr.h b/services/formmgr/include/form_info_mgr.h index 42bfdb441b6d62d01750d96631742b255f6820ad..74bdb8db553f23e421758674f2eda487ec8e1c47 100644 --- a/services/formmgr/include/form_info_mgr.h +++ b/services/formmgr/include/form_info_mgr.h @@ -79,6 +79,8 @@ public: private: std::shared_ptr GetOrCreateBundleFromInfo(const std::string &bundleName); + bool IsCaller(std::string bundleName); + bool CheckBundlePermission(); mutable std::shared_timed_mutex bundleFormInfoMapMutex_ {}; std::unordered_map> bundleFormInfoMap_ {}; diff --git a/services/formmgr/include/form_mgr_service.h b/services/formmgr/include/form_mgr_service.h index ffb36aa484b0f3f1bcedeb7c93efe18d7b05e074..400a368f6400f1caa487253e7cb541084070f980 100644 --- a/services/formmgr/include/form_mgr_service.h +++ b/services/formmgr/include/form_mgr_service.h @@ -233,19 +233,7 @@ private: */ ErrCode Init(); - /** - * @brief Permission check by callingUid. - * @param formId the id of the form. - * @return Returns true on success, false on failure. - */ bool CheckFormPermission(); - - /** - * @brief Permission check. - * @param bundleName bundleName. - * @return Returns true on success, false on failure. - */ - bool CheckFormPermission(const std::string &bundleName) const; private: ServiceRunningState state_; diff --git a/services/formmgr/src/form_info_mgr.cpp b/services/formmgr/src/form_info_mgr.cpp index 370e25f79517bae37c98b16c761f1d59f2de04bc..d4a988f3c381b5d44317e4f0ae0111d7229e7dc1 100644 --- a/services/formmgr/src/form_info_mgr.cpp +++ b/services/formmgr/src/form_info_mgr.cpp @@ -23,7 +23,9 @@ #include "form_bms_helper.h" #include "form_info_storage_mgr.h" #include "form_util.h" +#include "ipc_skeleton.h" #include "json_serializer.h" +#include "permission_verification.h" namespace OHOS { namespace AppExecFwk { @@ -274,10 +276,22 @@ ErrCode FormInfoMgr::Remove(const std::string &bundleName) ErrCode FormInfoMgr::GetAllFormsInfo(std::vector &formInfos) { + bool hasPermission = CheckBundlePermission(); std::shared_lock guard(bundleFormInfoMapMutex_); - for (const auto &bundleFormInfo: bundleFormInfoMap_) { - if (bundleFormInfo.second != nullptr) { - bundleFormInfo.second->GetAllFormsInfo(formInfos); + if (hasPermission) { + for (const auto &bundleFormInfo: bundleFormInfoMap_) { + if (bundleFormInfo.second != nullptr) { + bundleFormInfo.second->GetAllFormsInfo(formInfos); + } + } + } else { + for (const auto &bundleFormInfo: bundleFormInfoMap_) { + if (IsCaller(bundleFormInfo.first)) { + if (bundleFormInfo.second != nullptr) { + bundleFormInfo.second->GetAllFormsInfo(formInfos); + } + return ERR_OK; + } } } return ERR_OK; @@ -290,6 +304,10 @@ ErrCode FormInfoMgr::GetFormsInfoByBundle(const std::string &bundleName, std::ve return ERR_APPEXECFWK_FORM_INVALID_PARAM; } + if (!CheckBundlePermission() && !IsCaller(bundleName)) { + return ERR_APPEXECFWK_FORM_PERMISSION_DENY; + } + std::shared_lock guard(bundleFormInfoMapMutex_); auto bundleFormInfoIter = bundleFormInfoMap_.find(bundleName); if (bundleFormInfoIter == bundleFormInfoMap_.end()) { @@ -311,6 +329,10 @@ ErrCode FormInfoMgr::GetFormsInfoByModule(const std::string &bundleName, const s return ERR_APPEXECFWK_FORM_INVALID_PARAM; } + if (!CheckBundlePermission() && !IsCaller(bundleName)) { + return ERR_APPEXECFWK_FORM_PERMISSION_DENY; + } + std::shared_lock guard(bundleFormInfoMapMutex_); auto bundleFormInfoIter = bundleFormInfoMap_.find(bundleName); if (bundleFormInfoIter == bundleFormInfoMap_.end()) { @@ -347,5 +369,39 @@ std::shared_ptr FormInfoMgr::GetOrCreateBundleFromInfo(const std bundleFormInfoMap_[bundleName] = bundleFormInfoPtr; return bundleFormInfoPtr; } + +bool FormInfoMgr::IsCaller(std::string bundleName) +{ + auto bms = FormBmsHelper::GetInstance().GetBundleMgr(); + if (!bms) { + return false; + } + AppExecFwk::BundleInfo bundleInfo; + bool ret = bms->GetBundleInfo(bundleName, GET_BUNDLE_DEFAULT, bundleInfo, FormUtil::GetCurrentAccountId()); + if (!ret) { + APP_LOGE("Failed to get bundle info."); + return false; + } + auto callerToken = IPCSkeleton::GetCallingTokenID(); + if (bundleInfo.applicationInfo.accessTokenId == callerToken) { + return true; + } + return false; +} + +bool FormInfoMgr::CheckBundlePermission() +{ + auto isSaCall = AAFwk::PermissionVerification::GetInstance()->IsSACall(); + if (isSaCall) { + return true; + } + auto isCallingPerm = AAFwk::PermissionVerification::GetInstance()->VerifyCallingPermission( + AppExecFwk::Constants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED); + if (isCallingPerm) { + return true; + } + APP_LOGE("Permission verification failed"); + return false; +} } // namespace AppExecFwk } // namespace OHOS diff --git a/services/formmgr/src/form_mgr_service.cpp b/services/formmgr/src/form_mgr_service.cpp index e61d0f15ae9d196a1fb8cd2b51d183ee3be95871..cf1ed09d0d2aaa50a8f12023a0338ce749a4ff4d 100644 --- a/services/formmgr/src/form_mgr_service.cpp +++ b/services/formmgr/src/form_mgr_service.cpp @@ -37,6 +37,7 @@ #include "iservice_registry.h" #include "permission/permission.h" #include "permission/permission_kit.h" +#include "permission_verification.h" #include "string_ex.h" #include "system_ability_definition.h" @@ -141,10 +142,6 @@ int FormMgrService::ReleaseForm(const int64_t formId, const sptr int FormMgrService::UpdateForm(const int64_t formId, const std::string &bundleName, const FormProviderData &formBindingData) { - if (!CheckFormPermission()) { - APP_LOGE("%{public}s fail, update form permission denied", __func__); - return ERR_APPEXECFWK_FORM_PERMISSION_DENY; - } return FormMgrAdapter::GetInstance().UpdateForm(formId, bundleName, formBindingData); } @@ -394,28 +391,20 @@ ErrCode FormMgrService::Init() APP_LOGI("init success"); return ERR_OK; } -/** - * @brief Permission check by callingUid. - * @param formId the id of the form. - * @return Returns true on success, false on failure. - */ -bool FormMgrService::CheckFormPermission() -{ - return true; -} -bool FormMgrService::CheckFormPermission(const std::string &bundleName) const +bool FormMgrService::CheckFormPermission() { - if (bundleName.empty()) { - APP_LOGE("%{public}s fail, bundleName can not be empty", __func__); - return false; + auto isSaCall = AAFwk::PermissionVerification::GetInstance()->IsSACall(); + if (isSaCall) { + return true; } - int result = PermissionKit::VerifyPermission(bundleName, Constants::PERMISSION_REQUIRE_FORM, 0); - if (result != PermissionState::PERMISSION_GRANTED) { - APP_LOGW("permission = %{public}s, bundleName = %{public}s, result = %{public}d", - Constants::PERMISSION_REQUIRE_FORM.c_str(), bundleName.c_str(), result); + auto isCallingPerm = AAFwk::PermissionVerification::GetInstance()->VerifyCallingPermission( + AppExecFwk::Constants::PERMISSION_REQUIRE_FORM); + if (isCallingPerm) { + return true; } - return result == PermissionState::PERMISSION_GRANTED; + APP_LOGE("Permission verification failed"); + return false; } /**