diff --git a/bundle.json b/bundle.json index 0817d092c50b3edb269630220c002285356b58ae..5792a2c7479782bdd06eea73a601e0cd4c20b16a 100644 --- a/bundle.json +++ b/bundle.json @@ -32,10 +32,12 @@ "c_utils", "common_event_service", "config_policy", + "data_share", "eventhandler", "hilog", "hisysevent", "ipc", + "media_library", "os_account", "relational_store", "safwk", diff --git a/interfaces/inner_api/sandbox_manager/include/sandbox_manager_err_code.h b/interfaces/inner_api/sandbox_manager/include/sandbox_manager_err_code.h index 9e589496c2b8bdf8d258af9fea8c90a6fdd22237..a76a3906fbdad6045c6e9fca50e4a7bbd0da8623 100644 --- a/interfaces/inner_api/sandbox_manager/include/sandbox_manager_err_code.h +++ b/interfaces/inner_api/sandbox_manager/include/sandbox_manager_err_code.h @@ -34,8 +34,9 @@ enum SandboxManagerErrCode : int32_t { SANDBOX_MANAGER_MAC_NOT_INIT, SANDBOX_MANAGER_MAC_IOCTL_ERR, SANDBOX_MANAGER_DENY_ERR, + SANDBOX_MANAGER_MEDIA_CALL_ERR, }; } // SandboxManager } // AccessControl } // OHOS -#endif // SANDBOX_MANAGER_ERR_CODE_H \ No newline at end of file +#endif // SANDBOX_MANAGER_ERR_CODE_H diff --git a/services/sandbox_manager/BUILD.gn b/services/sandbox_manager/BUILD.gn index 77c95f41148940f76bb55c2c3b1e85616a27d2a9..a33984d303ba5dca28c14ef769a29560be869554 100644 --- a/services/sandbox_manager/BUILD.gn +++ b/services/sandbox_manager/BUILD.gn @@ -49,6 +49,7 @@ if (is_standard_system) { "main/cpp/include/sensitive", "main/cpp/include/database", "main/cpp/include/mac", + "main/cpp/include/media", ] sources = [ @@ -57,6 +58,7 @@ if (is_standard_system) { "main/cpp/src/database/sandbox_manager_rdb_open_callback.cpp", "main/cpp/src/database/sandbox_manager_rdb_utils.cpp", "main/cpp/src/mac/mac_adapter.cpp", + "main/cpp/src/media/media_path_support.cpp", "main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp", "main/cpp/src/service/policy_info_manager.cpp", "main/cpp/src/service/policy_trie.cpp", @@ -85,9 +87,11 @@ if (is_standard_system) { "common_event_service:cesfwk_core", "common_event_service:cesfwk_innerkits", "config_policy:configpolicy_util", + "data_share:datashare_consumer", "eventhandler:libeventhandler", "hilog:libhilog", "ipc:ipc_core", + "media_library:media_library_extend_manager", "os_account:os_account_innerkits", "relational_store:native_rdb", "safwk:system_ability_fwk", diff --git a/services/sandbox_manager/main/cpp/include/media/media_path_support.h b/services/sandbox_manager/main/cpp/include/media/media_path_support.h new file mode 100644 index 0000000000000000000000000000000000000000..d66ab11ee742f32fcde9726a14a7f2c93203285b --- /dev/null +++ b/services/sandbox_manager/main/cpp/include/media/media_path_support.h @@ -0,0 +1,57 @@ +/* + * Copyright (c) 2025-2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef MEDIA_PATH_SUPPORT_H +#define MEDIA_PATH_SUPPORT_H + +#include +#include +#include +#include "policy_info.h" +#include "media_library_extend_manager.h" + +namespace OHOS { +namespace AccessControl { +namespace SandboxManager { +class SandboxManagerMedia { +public: + static SandboxManagerMedia &GetInstance(); + SandboxManagerMedia() = default; + virtual ~SandboxManagerMedia() = default; + int32_t InitMedia(); + bool IsMediaPolicy(const std::string &path); + int32_t OperateModeToPhotoPermissionType(std::vector &mode, std::vector &out); + int32_t OperateModeToMediaOperationMode(std::vector &mode, std::vector &out); + int32_t CheckPolicyBeforeGrant(uint32_t tokenId, std::vector &mediaPaths, + std::vector &needGrantUris, std::vector &mode, std::vector &mediaBool, + std::vector &type); + int32_t AddMediaPolicy(uint32_t tokenId, const std::vector &mediaPolicy, + std::vector &mediaPolicyIndex, std::vector &mediaResults); + int32_t RemoveMediaPolicy(uint32_t tokenId, const std::vector &mediaPolicy); + /** + * @brief called by StartAccessingPolicy/StopAccessingPolicy/MatchPolicy + * @param tokenId token id of the object + * @param mediaPolicy vector of PolicyInfo, see policy_info.h + * @param mediaResults check result of media policy + * @return SANDBOX_MANAGER_MEDIA_CALL_ERR / SANDBOX_MANAGER_OK + */ + int32_t GetMediaPermission(uint32_t tokenId, const std::vector &mediaPolicy, + std::vector &mediaResults); +private: + Media::MediaLibraryExtendManager *media_ = nullptr; +}; +} // namespace SandboxManager +} // namespace AccessControl +} // namespace OHOS +#endif // MEDIA_PATH_SUPPORT_H \ No newline at end of file diff --git a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h index f4e8bff32b2b73e6b57206f49232a6a0286e4207..8d68b8bea7b4f933a9d58cd9cf962b58218ea1d7 100644 --- a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h +++ b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h @@ -172,10 +172,11 @@ private: * @param policies input policy, see policy_info.h * @param result output result * @param passIndexes index of policy which is valid + * @param mediaIndexes index of media policy which is valid * @return uint32_t invalid policy count */ - uint32_t FilterValidPolicyInBatch( - const std::vector &policies, std::vector &results, std::vector &passIndexes); + uint32_t FilterValidPolicyInBatch(const std::vector &policies, std::vector &results, + std::vector &passIndexes, std::vector &mediaIndexes); /** * @brief AddToDatabaseIfNotDuplicate by remove deplicate records * @param tokenId token id of the object @@ -268,6 +269,16 @@ private: private: MacAdapter macAdapter_; + int32_t AddNormalPolicy(const uint32_t tokenId, const std::vector &policy, + std::vector &result, const uint32_t flag, std::vector &queryPolicyIndex, uint32_t invalidNum); + int32_t StartAccessingNormalPolicy(const uint32_t tokenId, const std::vector &policy, + std::vector &results, uint64_t timestamp); + int32_t MatchNormalPolicy(const uint32_t tokenId, const std::vector &policy, + std::vector &result); + int32_t StopAccessingNormalPolicy( + const uint32_t tokenId, const std::vector &policy, std::vector &results); + int32_t GetMediaPolicyCommonWork(const uint32_t tokenId, const std::vector &policy, + std::vector &results, std::vector &validIndex, std::vector &normalPolicy); }; } // namespace SandboxManager } // namespace AccessControl diff --git a/services/sandbox_manager/main/cpp/src/media/media_path_support.cpp b/services/sandbox_manager/main/cpp/src/media/media_path_support.cpp new file mode 100644 index 0000000000000000000000000000000000000000..c1f78cdde539049eb39b4de79c11d584e9aed969 --- /dev/null +++ b/services/sandbox_manager/main/cpp/src/media/media_path_support.cpp @@ -0,0 +1,290 @@ +/* + * Copyright (c) 2025-2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "media_path_support.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "policy_field_const.h" +#include "policy_info.h" +#include "sandbox_manager_const.h" +#include "sandbox_manager_err_code.h" +#include "sandbox_manager_log.h" +#include "ipc_skeleton.h" + +namespace OHOS { +namespace AccessControl { +namespace SandboxManager { +namespace { +static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = { + LOG_CORE, ACCESSCONTROL_DOMAIN_SANDBOXMANAGER, "SandboxManagerMedia" +}; + +static std::mutex g_instanceMutex; +inline static const std::string MEDIA_PATH_1 = "/data/storage/el2/media"; +inline static const bool CANCEL_PERSIST_FLAG = true; // true means persist +inline static const bool CANCEL_POLICY_FLAG = false; // false means temporary +} + +SandboxManagerMedia &SandboxManagerMedia::GetInstance() +{ + static SandboxManagerMedia *instance = nullptr; + if (instance == nullptr) { + std::lock_guard lock(g_instanceMutex); + if (instance == nullptr) { + instance = new SandboxManagerMedia(); + } + } + return *instance; +} + +int32_t SandboxManagerMedia::InitMedia() +{ + media_ = Media::MediaLibraryExtendManager::GetMediaLibraryExtendManager(); + if (media_ == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "GetMediaLibraryExtendManager error"); + return INVALID_PARAMTER; + } + media_->InitMediaLibraryExtendManager(); + return SANDBOX_MANAGER_OK; +} + +bool SandboxManagerMedia::IsMediaPolicy(const std::string &path) +{ + std::string mediaPath1 = MEDIA_PATH_1; + if ((path.size() >= mediaPath1.size()) && (path.substr(0, mediaPath1.size()) == mediaPath1)) { + return true; + } + + return false; +} + +int32_t SandboxManagerMedia::OperateModeToPhotoPermissionType(std::vector &mode, + std::vector &out) +{ + for (size_t i = 0; i < mode.size(); ++i) { + if (mode[i] == OperateMode::READ_MODE) { + out.emplace_back(Media::PhotoPermissionType::PERSIST_READ_IMAGEVIDEO); + } else if (mode[i] == OperateMode::WRITE_MODE) { + out.emplace_back(Media::PhotoPermissionType::PERSIST_WRITE_IMAGEVIDEO); + } else if (mode[i] == OperateMode::WRITE_MODE + OperateMode::READ_MODE) { + /* PERSIST_WRITE_IMAGEVIDEO means both rw*/ + out.emplace_back(Media::PhotoPermissionType::PERSIST_WRITE_IMAGEVIDEO); + } else { + SANDBOXMANAGER_LOG_ERROR(LABEL, "OperateModeToPhotoPermissionType error, err mode = %{public}d", mode[i]); + return INVALID_PARAMTER; + } + } + return SANDBOX_MANAGER_OK; +} + +int32_t SandboxManagerMedia::OperateModeToMediaOperationMode(std::vector &mode, + std::vector &out) +{ + for (size_t i = 0; i < mode.size(); ++i) { + if (mode[i] == OperateMode::READ_MODE) { + out.emplace_back(Media::OperationMode::READ_MODE); + } else if (mode[i] == OperateMode::WRITE_MODE) { + out.emplace_back(Media::OperationMode::WRITE_MODE); + } else if (mode[i] == OperateMode::WRITE_MODE + OperateMode::READ_MODE) { + out.emplace_back(Media::OperationMode::READ_WRITE_MODE); + } else { + SANDBOXMANAGER_LOG_ERROR(LABEL, "OperateModeToMediaOperationMode error, err mode = %{public}d", mode[i]); + return INVALID_PARAMTER; + } + } + return SANDBOX_MANAGER_OK; +} + +int32_t SandboxManagerMedia::CheckPolicyBeforeGrant(uint32_t tokenId, std::vector &mediaPaths, + std::vector &needGrantUris, std::vector &mode, std::vector &mediaBool, + std::vector &type) +{ + size_t mediaPolicySize = mediaPaths.size(); + std::vector uris; + uris.reserve(mediaPolicySize); + + int32_t ret = media_->GetUrisFromFusePaths(mediaPaths, uris); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "GetUrisFromFusePaths error, err code:%{public}d", ret); + return ret; + } + + ret = media_->CheckPhotoUriPermission(tokenId, uris, mediaBool, mode); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Checkphotouripermission error, err code:%{public}d", ret); + return ret; + } + + std::vector needGrantMode; + for (size_t i = 0; i < mediaPolicySize; ++i) { + if (mediaBool[i] == true) { + needGrantUris.emplace_back(uris[i]); + needGrantMode.emplace_back(mode[i]); + } else { + std::string maskPath = SandboxManagerLog::MaskRealPath(uris[i].c_str()); + SANDBOXMANAGER_LOG_ERROR(LABEL, "media Uris:%{public}s, had no policy%{public}llu", + maskPath.c_str(), static_cast(mode[i])); + } + } + + ret = OperateModeToPhotoPermissionType(needGrantMode, type); + if (ret != SANDBOX_MANAGER_OK) { + return ret; + } + + return SANDBOX_MANAGER_OK; +} + +int32_t SandboxManagerMedia::AddMediaPolicy(uint32_t tokenId, const std::vector &policy, + std::vector &PolicyIndex, std::vector &results) +{ + if (media_ == nullptr) { + if (InitMedia() != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "InitMedia error"); + return SANDBOX_MANAGER_MEDIA_CALL_ERR; + } + } + size_t mediaPolicyIndexSize = PolicyIndex.size(); + std::vector mediaPaths; + std::vector mediaMode; + mediaPaths.reserve(mediaPolicyIndexSize); + mediaMode.reserve(mediaPolicyIndexSize); + for (size_t i = 0; i < mediaPolicyIndexSize; ++i) { + size_t num = PolicyIndex[i]; + mediaPaths.emplace_back(policy[num].path); + mediaMode.emplace_back(policy[num].mode); + } + + std::vector mediaBool; + std::vector needGrantUris; + mediaBool.reserve(mediaPolicyIndexSize); + needGrantUris.reserve(mediaPolicyIndexSize); + std::vector type; + int32_t ret = CheckPolicyBeforeGrant(tokenId, mediaPaths, needGrantUris, mediaMode, mediaBool, type); + if (ret != SANDBOX_MANAGER_OK) { + return ret; + } + + uint32_t callingTokenId = IPCSkeleton::GetCallingTokenID(); + ret = media_->GrantPhotoUriPermission(callingTokenId, tokenId, needGrantUris, + type, Media::HideSensitiveType::ALL_DESENSITIZE); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "GrantPhotoUriPermission error, err code = %{public}d", ret); + return ret; + } + for (size_t i = 0; i < mediaPolicyIndexSize; ++i) { + if (mediaBool[i] == true) { + results[i] = SandboxRetType::OPERATE_SUCCESSFULLY; + } else { + results[i] = SandboxRetType::FORBIDDEN_TO_BE_PERSISTED; + } + } + return SANDBOX_MANAGER_OK; +} + +int32_t SandboxManagerMedia::RemoveMediaPolicy(uint32_t tokenId, const std::vector &policy) +{ + if (media_ == nullptr) { + if (InitMedia() != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "InitMedia error"); + return SANDBOX_MANAGER_MEDIA_CALL_ERR; + } + } + size_t mediaPolicySize = policy.size(); + std::vector mediaPaths; + std::vector uris; + std::vector mediaMode; + mediaPaths.reserve(mediaPolicySize); + uris.reserve(mediaPolicySize); + + for (size_t i = 0; i < mediaPolicySize; ++i) { + mediaPaths.emplace_back(policy[i].path); + mediaMode.emplace_back(policy[i].mode); + } + + std::vector operationMode; + operationMode.reserve(mediaPolicySize); + int32_t ret = OperateModeToMediaOperationMode(mediaMode, operationMode); + if (ret != SANDBOX_MANAGER_OK) { + return ret; + } + ret = media_->GetUrisFromFusePaths(mediaPaths, uris); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "GetUrisFromFusePaths error, err code:%{public}d", ret); + return ret; + } + + uint32_t callingTokenId = IPCSkeleton::GetCallingTokenID(); + ret = media_->CancelPhotoUriPermission(callingTokenId, tokenId, uris, CANCEL_PERSIST_FLAG, operationMode); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "RemoveMediaPolicy persist error, err code:%{public}d", ret); + return SANDBOX_MANAGER_MEDIA_CALL_ERR; + } + + ret = media_->CancelPhotoUriPermission(callingTokenId, tokenId, uris, CANCEL_POLICY_FLAG, operationMode); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "RemoveMediaPolicy policy error, err code:%{public}d", ret); + return SANDBOX_MANAGER_MEDIA_CALL_ERR; + } + + return SANDBOX_MANAGER_OK; +} + +int32_t SandboxManagerMedia::GetMediaPermission(uint32_t tokenId, const std::vector &policy, + std::vector &results) +{ + if (media_ == nullptr) { + if (InitMedia() != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "InitMedia error"); + return SANDBOX_MANAGER_MEDIA_CALL_ERR; + } + } + size_t mediaPolicySize = policy.size(); + std::vector mediaPaths; + std::vector uris; + std::vector mediaMode; + mediaPaths.reserve(mediaPolicySize); + uris.reserve(mediaPolicySize); + mediaMode.reserve(mediaPolicySize); + + for (size_t i = 0; i < mediaPolicySize; ++i) { + mediaPaths.emplace_back(policy[i].path); + mediaMode.emplace_back(policy[i].mode); + } + + int32_t ret = media_->GetUrisFromFusePaths(mediaPaths, uris); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "GetUrisFromFusePaths error, err code:%{public}d", ret); + return ret; + } + + std::vector photoPermissionType; + photoPermissionType.reserve(mediaPolicySize); + ret = OperateModeToPhotoPermissionType(mediaMode, photoPermissionType); + if (ret != SANDBOX_MANAGER_OK) { + return ret; + } + return media_->GetPhotoUrisPermission(tokenId, uris, photoPermissionType, results); +} +} // namespace SandboxManager +} // namespace AccessControl +} // namespace OHOS diff --git a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp index 8cb981b04bfed2baba4c83cfc90f8d4c80f4440c..c5c05fadbc1c0313c84a61320a18c94bd710be18 100644 --- a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp +++ b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp @@ -35,6 +35,7 @@ #include "sandbox_manager_err_code.h" #include "sandbox_manager_log.h" #include "os_account_manager.h" +#include "media_path_support.h" namespace OHOS { namespace AccessControl { @@ -207,8 +208,8 @@ int32_t PolicyInfoManager::CleanPolicyByUserId(uint32_t userId, const std::vecto return SANDBOX_MANAGER_OK; } -int32_t PolicyInfoManager::AddPolicy(const uint32_t tokenId, const std::vector &policy, - std::vector &result, const uint32_t flag) +int32_t PolicyInfoManager::AddNormalPolicy(const uint32_t tokenId, const std::vector &policy, + std::vector &result, const uint32_t flag, std::vector &queryPolicyIndex, uint32_t invalidNum) { if (!macAdapter_.IsMacSupport()) { SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); @@ -216,10 +217,7 @@ int32_t PolicyInfoManager::AddPolicy(const uint32_t tokenId, const std::vector

queryPolicyIndex; - uint32_t invalidNum = FilterValidPolicyInBatch(policy, result, queryPolicyIndex); + // query mac kernel size_t queryPolicyIndexSize = queryPolicyIndex.size(); std::vector queryResults(queryPolicyIndexSize); @@ -256,8 +254,8 @@ int32_t PolicyInfoManager::AddPolicy(const uint32_t tokenId, const std::vector

&policies, std::vector &results, std::vector &passIndexes) +uint32_t PolicyInfoManager::FilterValidPolicyInBatch(const std::vector &policies, + std::vector &results, std::vector &passIndexes, std::vector &mediaIndexes) { size_t policySize = policies.size(); for (size_t i = 0; i < policySize; ++i) { @@ -266,9 +264,13 @@ uint32_t PolicyInfoManager::FilterValidPolicyInBatch( results[i] = static_cast(checkPolicyRet); continue; } - passIndexes.emplace_back(i); + if (SandboxManagerMedia::GetInstance().IsMediaPolicy(policies[i].path)) { + mediaIndexes.emplace_back(i); + } else { + passIndexes.emplace_back(i); + } } - return policySize - passIndexes.size(); + return policySize - passIndexes.size() - mediaIndexes.size(); } int32_t PolicyInfoManager::AddToDatabaseIfNotDuplicate(const uint32_t tokenId, const std::vector &policies, const std::vector &passIndexes, const uint32_t flag, std::vector &results) @@ -374,7 +376,7 @@ int32_t PolicyInfoManager::MatchSinglePolicy(const uint32_t tokenId, const Polic return SANDBOX_MANAGER_OK; } -int32_t PolicyInfoManager::MatchPolicy(const uint32_t tokenId, const std::vector &policy, +int32_t PolicyInfoManager::MatchNormalPolicy(const uint32_t tokenId, const std::vector &policy, std::vector &result) { size_t policySize = policy.size(); @@ -449,6 +451,8 @@ int32_t PolicyInfoManager::RemovePolicy( uint32_t failNum = 0; uint32_t successNum = 0; std::vector conditions; + std::vector mediaPolicy; + mediaPolicy.reserve(policySize); conditions.reserve(policySize); for (size_t i = 0; i < policySize; ++i) { int32_t checkPolicyRet = CheckPolicyValidity(policy[i]); @@ -457,6 +461,11 @@ int32_t PolicyInfoManager::RemovePolicy( ++invalidNum; continue; } + if (SandboxManagerMedia::GetInstance().IsMediaPolicy(policy[i].path)) { + mediaPolicy.emplace_back(policy[i]); + ++invalidNum; + continue; + } PolicyInfo exactFindRes; int32_t ret = ExactFind(tokenId, policy[i], exactFindRes); if (ret == SANDBOX_MANAGER_DB_RETURN_EMPTY) { @@ -475,13 +484,26 @@ int32_t PolicyInfoManager::RemovePolicy( ++successNum; } - int32_t ret = SandboxManagerRdb::GetInstance().Remove(SANDBOX_MANAGER_PERSISTED_POLICY, conditions); - if (ret != SandboxManagerRdb::SUCCESS) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "Database operate error"); - return SANDBOX_MANAGER_DB_ERR; + + int32_t ret; + if (!conditions.empty()) { + ret = SandboxManagerRdb::GetInstance().Remove(SANDBOX_MANAGER_PERSISTED_POLICY, conditions); + if (ret != SandboxManagerRdb::SUCCESS) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Database operate error"); + return SANDBOX_MANAGER_DB_ERR; + } + PolicyOperateInfo info(result.size(), successNum, failNum, invalidNum); + SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(OperateTypeEnum::UNPERSIST_POLICY, info); } - PolicyOperateInfo info(result.size(), successNum, failNum, invalidNum); - SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(OperateTypeEnum::UNPERSIST_POLICY, info); + + if (!mediaPolicy.empty()) { + ret = SandboxManagerMedia::GetInstance().RemoveMediaPolicy(tokenId, mediaPolicy); + if (ret != SandboxManagerRdb::SUCCESS) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "remove media operate error"); + return SANDBOX_MANAGER_MEDIA_CALL_ERR; + } + } + return SANDBOX_MANAGER_OK; } @@ -690,7 +712,7 @@ int32_t PolicyInfoManager::StartAccessingByTokenId(const uint32_t tokenId, uint6 return SANDBOX_MANAGER_OK; } -int32_t PolicyInfoManager::StartAccessingPolicy( +int32_t PolicyInfoManager::StartAccessingNormalPolicy( const uint32_t tokenId, const std::vector &policy, std::vector &results, uint64_t timestamp) { if (!macAdapter_.IsMacSupport()) { @@ -699,7 +721,6 @@ int32_t PolicyInfoManager::StartAccessingPolicy( return SANDBOX_MANAGER_OK; } size_t policySize = policy.size(); - results.resize(policySize); // check database, check validity in MatchPolicy std::vector matchResults(policySize); int32_t ret = MatchPolicy(tokenId, policy, matchResults); @@ -746,7 +767,7 @@ int32_t PolicyInfoManager::StartAccessingPolicy( return SANDBOX_MANAGER_OK; } -int32_t PolicyInfoManager::StopAccessingPolicy( +int32_t PolicyInfoManager::StopAccessingNormalPolicy( const uint32_t tokenId, const std::vector &policy, std::vector &results) { if (!macAdapter_.IsMacSupport()) { @@ -755,7 +776,6 @@ int32_t PolicyInfoManager::StopAccessingPolicy( return SANDBOX_MANAGER_OK; } size_t policySize = policy.size(); - results.resize(policySize); // check database, check validity in MatchPolicy std::vector matchResults(policy.size()); int32_t ret = MatchPolicy(tokenId, policy, matchResults); @@ -943,6 +963,183 @@ int32_t PolicyInfoManager::CheckPolicyValidity(const PolicyInfo &policy) SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy mode check fail: %{public}" PRIu64, policy.mode); return SandboxRetType::INVALID_MODE; } + + return SANDBOX_MANAGER_OK; +} + +int32_t PolicyInfoManager::AddPolicy(const uint32_t tokenId, const std::vector &policy, + std::vector &results, const uint32_t flag) +{ + size_t policySize = policy.size(); + results.resize(policySize); + // check validity + std::vector queryPolicyIndex; + std::vector mediaPolicyIndex; + uint32_t invalidNum = FilterValidPolicyInBatch(policy, results, queryPolicyIndex, mediaPolicyIndex); + + int32_t ret; + if (!mediaPolicyIndex.empty()) { + size_t mediaPolicyIndexSize = mediaPolicyIndex.size(); + std::vector mediaResults(mediaPolicyIndexSize); + ret = SandboxManagerMedia::GetInstance().AddMediaPolicy(tokenId, policy, mediaPolicyIndex, mediaResults); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "AddMediaPolicy failed."); + results.clear(); + return SANDBOX_MANAGER_MEDIA_CALL_ERR; + } + for (size_t i = 0; i < mediaPolicyIndexSize; ++i) { + results[mediaPolicyIndex[i]] = mediaResults[i]; + } + } + + if (!queryPolicyIndex.empty()) { + size_t queryPolicyIndexSize = queryPolicyIndex.size(); + std::vector queryResults(queryPolicyIndexSize); + ret = AddNormalPolicy(tokenId, policy, queryResults, flag, queryPolicyIndex, invalidNum); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "AddNormalPolicy failed."); + results.clear(); + return ret; + } + for (size_t i = 0; i < queryPolicyIndexSize; ++i) { + results[queryPolicyIndex[i]] = queryResults[i]; + } + } + + return SANDBOX_MANAGER_OK; +} + +int32_t PolicyInfoManager::GetMediaPolicyCommonWork(const uint32_t tokenId, const std::vector &policy, + std::vector &results, std::vector &validIndex, std::vector &normalPolicy) +{ + size_t policySize = policy.size(); + std::vector validMediaIndex; + std::vector mediaPolicy; + validMediaIndex.reserve(policySize); + mediaPolicy.reserve(policySize); + for (size_t i = 0; i < policySize; ++i) { + if (SandboxManagerMedia::GetInstance().IsMediaPolicy(policy[i].path)) { + validMediaIndex.emplace_back(i); + mediaPolicy.emplace_back(policy[i]); + } else { + validIndex.emplace_back(i); + normalPolicy.emplace_back(policy[i]); + } + } + + if (!mediaPolicy.empty()) { + std::vector checkMediaResult(validMediaIndex.size(), false); + int32_t ret = SandboxManagerMedia::GetInstance().GetMediaPermission(tokenId, mediaPolicy, checkMediaResult); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "GetMeidaPermission failed."); + results.clear(); + return SANDBOX_MANAGER_MEDIA_CALL_ERR; + } + size_t resultIndex = 0; + for (const auto &index : validMediaIndex) { + if (checkMediaResult[resultIndex++] == true) { + results[index] = SandboxRetType::OPERATE_SUCCESSFULLY; + } else { + results[index] = SandboxRetType::POLICY_HAS_NOT_BEEN_PERSISTED; + } + } + } + return SANDBOX_MANAGER_OK; +} + +int32_t PolicyInfoManager::StartAccessingPolicy( + const uint32_t tokenId, const std::vector &policy, std::vector &results, uint64_t timestamp) +{ + size_t policySize = policy.size(); + results.resize(policySize); + + std::vector validIndex; + std::vector normalPolicy; + validIndex.reserve(policySize); + normalPolicy.reserve(policySize); + int32_t ret = GetMediaPolicyCommonWork(tokenId, policy, results, validIndex, normalPolicy); + if (ret != SANDBOX_MANAGER_OK) { + return SANDBOX_MANAGER_MEDIA_CALL_ERR; + } + + if (!normalPolicy.empty()) { + std::vector checkNormalResult(validIndex.size(), false); + ret = StartAccessingNormalPolicy(tokenId, normalPolicy, checkNormalResult, timestamp); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "StartAccessingPolicy failed."); + results.clear(); + return ret; + } + size_t resultIndex = 0; + for (const auto &index : validIndex) { + results[index] = checkNormalResult[resultIndex++]; + } + } + return ret; +} + +int32_t PolicyInfoManager::StopAccessingPolicy( + const uint32_t tokenId, const std::vector &policy, std::vector &results) +{ + size_t policySize = policy.size(); + results.resize(policySize); + + std::vector validIndex; + std::vector normalPolicy; + validIndex.reserve(policySize); + normalPolicy.reserve(policySize); + int32_t ret = GetMediaPolicyCommonWork(tokenId, policy, results, validIndex, normalPolicy); + if (ret != SANDBOX_MANAGER_OK) { + return SANDBOX_MANAGER_MEDIA_CALL_ERR; + } + + if (!normalPolicy.empty()) { + std::vector checkNormalResult(validIndex.size(), false); + ret = StopAccessingNormalPolicy(tokenId, normalPolicy, checkNormalResult); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "StopAccessingNormalPolicy failed."); + results.clear(); + return ret; + } + size_t resultIndex = 0; + for (const auto &index : validIndex) { + results[index] = checkNormalResult[resultIndex++]; + } + } + + return ret; +} + +int32_t PolicyInfoManager::MatchPolicy( + const uint32_t tokenId, const std::vector &policy, std::vector &results) +{ + size_t policySize = policy.size(); + if (results.size() != policySize) { + results.resize(policySize); + } + + results.resize(policy.size(), false); + std::vector validIndex; + std::vector validPolicies; + + int32_t ret = GetMediaPolicyCommonWork(tokenId, policy, results, validIndex, validPolicies); + if (ret != SANDBOX_MANAGER_OK) { + return SANDBOX_MANAGER_MEDIA_CALL_ERR; + } + + if (!validPolicies.empty()) { + std::vector checkNormalResult(validIndex.size(), false); + ret = MatchNormalPolicy(tokenId, validPolicies, checkNormalResult); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "MatchNormalPolicy failed."); + results.clear(); + return ret; + } + size_t resultIndex = 0; + for (const auto &index : validIndex) { + results[index] = checkNormalResult[resultIndex++]; + } + } return SANDBOX_MANAGER_OK; } } // namespace SandboxManager diff --git a/services/sandbox_manager/test/BUILD.gn b/services/sandbox_manager/test/BUILD.gn index 02603ed556923521c18854b4e6d9dd0e3ac38ed5..ce1a63f37ba428868defe95414b9414336f086fb 100644 --- a/services/sandbox_manager/test/BUILD.gn +++ b/services/sandbox_manager/test/BUILD.gn @@ -24,6 +24,7 @@ sandbox_manager_service_src = [ "../main/cpp/src/database/sandbox_manager_rdb_open_callback.cpp", "../main/cpp/src/database/sandbox_manager_rdb_utils.cpp", "../main/cpp/src/mac/mac_adapter.cpp", + "../main/cpp/src/media/media_path_support.cpp", ] ohos_unittest("libsandbox_manager_service_standard_test") { @@ -46,6 +47,7 @@ ohos_unittest("libsandbox_manager_service_standard_test") { "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/sensitive", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/service", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/mac", + "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/media", ] sources = [ @@ -80,9 +82,11 @@ ohos_unittest("libsandbox_manager_service_standard_test") { "common_event_service:cesfwk_core", "common_event_service:cesfwk_innerkits", "config_policy:configpolicy_util", + "data_share:datashare_consumer", "eventhandler:libeventhandler", "hilog:libhilog", "ipc:ipc_core", + "media_library:media_library_extend_manager", "os_account:os_account_innerkits", "relational_store:native_rdb", "safwk:system_ability_fwk", diff --git a/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni b/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni index 7b4696e08aed4077305a322774ac1947f903b7f4..64ea8d3b23ee52df7e37252d46fc68adaf71016e 100644 --- a/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni +++ b/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni @@ -22,6 +22,7 @@ sandbox_manager_include_dirs = [ "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/sensitive", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/service", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/mac", + "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/media", "../../mock/", "../../../common/", ] @@ -34,6 +35,7 @@ sandbox_manager_sources = [ "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/database/sandbox_manager_rdb_open_callback.cpp", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/database/sandbox_manager_rdb_utils.cpp", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp", + "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/media/media_path_support.cpp", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/service/policy_trie.cpp", @@ -60,8 +62,10 @@ sandbox_manager_external_deps = [ "common_event_service:cesfwk_core", "common_event_service:cesfwk_innerkits", "config_policy:configpolicy_util", + "data_share:datashare_consumer", "hilog:libhilog", "ipc:ipc_core", + "media_library:media_library_extend_manager", "os_account:os_account_innerkits", "relational_store:native_rdb", "safwk:system_ability_fwk",