diff --git a/frameworks/inner_api/sandbox_manager/include/sandbox_manager_client.h b/frameworks/inner_api/sandbox_manager/include/sandbox_manager_client.h
index 6832dc81e688d7ade328fdb5b58d0c437c0075e6..649e6d90b8244796b1fb32802acbad1208af1c08 100644
--- a/frameworks/inner_api/sandbox_manager/include/sandbox_manager_client.h
+++ b/frameworks/inner_api/sandbox_manager/include/sandbox_manager_client.h
@@ -60,6 +60,9 @@ public:
 int32_t StartAccessingByTokenId(uint32_t tokenId, uint64_t timestamp);
 int32_t UnSetAllPolicyByToken(uint32_t tokenId, uint64_t timestamp);
 int32_t CleanPolicyByUserId(uint32_t userId, const std::vector &filePathList);
+ int32_t SetPolicyByBundleName(const std::string &bundleName, int32_t appCloneIndex,
+ const std::vector &policy, uint64_t policyFlag, std::vector &result);
+
 private:
 SandboxManagerClient();
 DISALLOW_COPY_AND_MOVE(SandboxManagerClient);
diff --git a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_client.cpp b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_client.cpp
index 66697724a90fc2e6c1a69099763eab54162c2760..7dd7a29ee701052f9e4e35e9b9a99298539d6c9d 100644
--- a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_client.cpp
+++ b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_client.cpp
@@ -73,6 +73,25 @@ int32_t SandboxManagerClient::CleanPolicyByUserId(uint32_t userId, const std::ve
 return CallProxyWithRetry(func, __FUNCTION__);
 }
+int32_t SandboxManagerClient::SetPolicyByBundleName(const std::string &bundleName, int32_t appCloneIndex,
+ const std::vector &policy, uint64_t policyFlag, std::vector &result)
+{
+ PolicyVecRawData policyRawData;
+ policyRawData.Marshalling(policy);
+
+ result.clear();
+ Uint32VecRawData resultRawData;
+ std::function &)> func = [&](sptr &proxy) {
+ return proxy->SetPolicyByBundleName(bundleName, appCloneIndex, policyRawData, policyFlag, resultRawData);
+ };
+ int32_t ret = CallProxyWithRetry(func, __FUNCTION__);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
+ resultRawData.Unmarshalling(result);
+ return ret;
+}
+
 int32_t SandboxManagerClient::PersistPolicy(const std::vector &policy, std::vector &result)
 {
 PolicyVecRawData policyRawData;
diff --git a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp
index 7e7454ff91e857cca0e8eed26cf6566a0d7c23d8..87d022d52a59602e382409c1be0d96c861d789b0 100644
--- a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp
+++ b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp
@@ -98,6 +98,25 @@ int32_t SandboxManagerKit::SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, std::vector &result) +{ + SANDBOXMANAGER_LOG_INFO(LABEL, "set policy by bundle name."); + + size_t policySize = policy.size(); + if (policySize == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize); + return INVALID_PARAMTER; + } + + if ((policyFlag != 0) && (policyFlag != 1)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policyFlag failed, policyFlag = %{public}" PRIu64 ".", policyFlag); + return INVALID_PARAMTER; + } + return SandboxManagerClient::GetInstance().SetPolicyByBundleName(bundleName, + appCloneIndex, policy, policyFlag, result); +} + int32_t SandboxManagerKit::SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, std::vector &result, uint64_t timestamp) { diff --git a/frameworks/sandbox_manager/ISandboxManager.idl b/frameworks/sandbox_manager/ISandboxManager.idl index 5a5f15b8f73ff96e437e8d1bde4680b4536f2b64..9a947c91fcc2791947276183bb9f0ce98d5ea600 100644 --- a/frameworks/sandbox_manager/ISandboxManager.idl +++ b/frameworks/sandbox_manager/ISandboxManager.idl @@ -36,4 +36,5 @@ interface OHOS.AccessControl.SandboxManager.ISandboxManager { [ipccode 0xffbd] void UnPersistPolicyByTokenId([in] unsigned int tokenId, [in] PolicyVecRawData policyRawData, [out] Uint32VecRawData resultRawData); [ipccode 0xffbe, oneway] void CleanPersistPolicyByPath([in] List filePathList); [ipccode 0xffbf, oneway] void CleanPolicyByUserId([in] unsigned int userId, [in] List filePathList); + [ipccode 0xffc0] void SetPolicyByBundleName([in] String bundleName, [in] int appCloneIndex, [in] PolicyVecRawData policyRawData, [in] unsigned long policyFlag, [out] Uint32VecRawData resultRawData); } \ No newline at end of file 
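Review bot: The new SandboxManagerKit::SetPolicyByBundleName validates `policy.size()` and `policyFlag` but forwards an empty `bundleName` or a negative `appCloneIndex` across IPC unchecked; the service side of this commit only rejects them indirectly, when `GetHapTokenID` returns 0, and only after a permission check and an account lookup. Add `if (bundleName.empty() || appCloneIndex < 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Check bundleName or appCloneIndex failed."); return INVALID_PARAMTER; }` next to the existing checks so the cheap rejections stay client-side like the other two. The signature line of the new function is not visible in this hunk as rendered, so only the body was reviewed.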
diff --git a/interfaces/inner_api/sandbox_manager/include/policy_info.h b/interfaces/inner_api/sandbox_manager/include/policy_info.h
index 9d56d354d5551d5c6bbc7d76c28cc36660f6be67..8bc0aa6eba3f20596d5ee4c60f39b02987dcacbe 100644
--- a/interfaces/inner_api/sandbox_manager/include/policy_info.h
+++ b/interfaces/inner_api/sandbox_manager/include/policy_info.h
@@ -42,6 +42,10 @@ const uint32_t IS_POLICY_ALLOWED_TO_BE_PRESISTED = 1 << 0;
 typedef enum OperateMode {
 READ_MODE = 1 << 0,
 WRITE_MODE = 1 << 1,
+ CREATE_MODE = 1 << 2,
+ DELETE_MODE = 1 << 3,
+ RENAME_MODE = 1 << 4,
+ MAX_MODE = 1 << 5,
 } OperateMode;
 } // namespace SandboxManager
 } // namespace AccessControl
diff --git a/interfaces/inner_api/sandbox_manager/include/sandbox_manager_kit.h b/interfaces/inner_api/sandbox_manager/include/sandbox_manager_kit.h
index 344b2b1685866a8cb72816030326b52bf5b46fec..a7b77b9b6cf6818fa1e78d7436ea5bdb367cd0d5 100644
--- a/interfaces/inner_api/sandbox_manager/include/sandbox_manager_kit.h
+++ b/interfaces/inner_api/sandbox_manager/include/sandbox_manager_kit.h
@@ -193,6 +193,9 @@ public:
 * @return SandboxManagerErrCode, see sandbox_manager_err_code.h
 */
 static int32_t CleanPolicyByUserId(uint32_t userId, const std::vector &filePathList);
+
+ static int32_t SetPolicyByBundleName(const std::string &bundleName, int32_t appCloneIndex,
+ const std::vector &policy, uint64_t policyFlag, std::vector &result);
 };
 } // SandboxManager
 } // AccessControl
diff --git a/interfaces/inner_api/sandbox_manager/libsandbox_manager_sdk.map b/interfaces/inner_api/sandbox_manager/libsandbox_manager_sdk.map
index 4c541174a7b4f6ac13a917b2d98061a84f54c741..7fcff78da7fde5fab32e407ef137497d89a11268 100644
--- a/interfaces/inner_api/sandbox_manager/libsandbox_manager_sdk.map
+++ b/interfaces/inner_api/sandbox_manager/libsandbox_manager_sdk.map
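Review bot: `MAX_MODE = 1 << 5` is added to the public OperateMode enum as a bound for range checks (policy_info_manager.cpp in this commit compares `policy.mode >= OperateMode::MAX_MODE`), but nothing in the header tells an API user it is not a mode they can set. A trailing comment `MAX_MODE = 1 << 5, // bound for validation, not a usable mode` on that enumerator would prevent it from being OR'd into a policy.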
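Review bot: `SetPolicyByBundleName` is added to the public SandboxManagerKit API without the Doxygen block its neighbours carry (`CleanPolicyByUserId` just above ends with `* @return SandboxManagerErrCode, see sandbox_manager_err_code.h`). Add a block with a one-line `@brief` (set sandbox policies for the app identified by `bundleName` and `appCloneIndex` instead of by token id), `@param` lines for each argument stating that `policyFlag` accepts only 0 or 1 (the values sandbox_manager_kit.cpp validates in this commit) and that `result` receives one status per entry of `policy`, the permission the caller must hold (ohos.permission.FILE_ACCESS_MANAGER per sandbox_manager_const.h in this commit), and the same `@return` line. Whether `appCloneIndex` is 0 for the main application cannot be confirmed from this diff; state it only if the caller contract says so.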
@@ -44,6 +44,8 @@
 "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetAllPolicyByToken(unsigned int, unsigned long)";
 "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetAllPolicyByToken(unsigned int, unsigned long long)";
 "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CleanPolicyByUserId(unsigned int, std::__h::vector, std::__h::allocator>, std::__h::allocator, std::__h::allocator>>> const&)";
+ "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicyByBundleName(std::__h::basic_string, std::__h::allocator> const&, int, std::__h::vector> const&, unsigned long, std::__h::vector>&)";
+ "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicyByBundleName(std::__h::basic_string, std::__h::allocator> const&, int, std::__h::vector> const&, unsigned long long, std::__h::vector>&)";
 "";
 "";
 };
diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h
index 1c7fab871299cc248705ece9413cdad770c3a6c1..c91792383660d29af5b5ea60e6d64df071f4158e 100644
--- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h
+++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h
@@ -30,6 +30,7 @@ const uint64_t MODE_FILTER = 0b11;
 const std::string SET_POLICY_PERMISSION_NAME = "ohos.permission.SET_SANDBOX_POLICY";
 const std::string CHECK_POLICY_PERMISSION_NAME = "ohos.permission.CHECK_SANDBOX_POLICY";
 const std::string ACCESS_PERSIST_PERMISSION_NAME = "ohos.permission.FILE_ACCESS_PERSIST";
+const std::string FILE_ACCESS_PERMISSION_NAME = "ohos.permission.FILE_ACCESS_MANAGER";
 const int32_t FOUNDATION_UID = 5523;
 } // namespace SandboxManager
diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h
index fe78cf58fc900cccc935068eb44a3e5233d64d12..7be618429a8f04d438102b6c3fb5a4fed317224d 100644
--- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h
+++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h
@@ -67,7 +67,8 @@ public:
 void onRemovePackage(uint32_t tokenId);
 bool CheckPermission(const uint32_t tokenId, const std::string &permission);
 void DelayUnloadService();
-
+ int32_t SetPolicyByBundleName(const std::string &bundleName, int32_t appCloneIndex,
+ const PolicyVecRawData &policyRawData, uint64_t policyFlag, Uint32VecRawData &resultRawData) override;
 private:
 bool Initialize();
 bool InitDelayUnloadHandler();
diff --git a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
index 579ecbb32ef9ea8b584e94e3959bfa3367c67d58..c6f0f3ab147e4f615bd3a21c630dd46fd1c2c783 100644
--- a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
+++ b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
@@ -964,8 +964,7 @@ int32_t PolicyInfoManager::CheckPolicyValidity(const PolicyInfo &policy)
 }
 // mode between 0 and 0b11(READ_MODE+WRITE_MODE)
- if (policy.mode < OperateMode::READ_MODE ||
- policy.mode > OperateMode::READ_MODE + OperateMode::WRITE_MODE) {
+ if (policy.mode < OperateMode::READ_MODE || policy.mode >= OperateMode::MAX_MODE) {
 SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy mode check fail: %{public}" PRIu64, policy.mode);
 return SandboxRetType::INVALID_MODE;
 }
diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
index b7e34d0994e50c52b41daeddee290dd11944355e..0a6964a91917319366ef9f5511e253889fcd9e72 100644
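Review bot: The comment above the changed condition in CheckPolicyValidity still reads `// mode between 0 and 0b11(READ_MODE+WRITE_MODE)` although the check now admits any value below `OperateMode::MAX_MODE`; it should become `// mode must be non-zero and use only bits below OperateMode::MAX_MODE (READ/WRITE/CREATE/DELETE/RENAME)`. Widening the accepted range here is not matched by `const uint64_t MODE_FILTER = 0b11;` in sandbox_manager_const.h, which this commit leaves untouched (it is visible as context in that file's hunk); if that mask is applied to `policy.mode` when a policy is enforced, the new CREATE/DELETE/RENAME bits would pass validation and then be silently discarded, so the consumer of `MODE_FILTER` should be checked and the mask widened to `OperateMode::MAX_MODE - 1` if it is. CheckPolicyValidity starts before this hunk.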
--- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
+++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
@@ -23,6 +23,7 @@
 #include "common_event_support.h"
 #include "ipc_skeleton.h"
 #include "iservice_registry.h"
+#include "os_account_manager.h"
 #include "policy_info.h"
 #include "policy_info_manager.h"
 #include "sandbox_manager_const.h"
@@ -163,6 +164,51 @@ int32_t SandboxManagerService::CleanPolicyByUserId(uint32_t userId, const std::v
 return PolicyInfoManager::GetInstance().CleanPolicyByUserId(userId, filePathList);
 }
+
+int32_t SandboxManagerService::SetPolicyByBundleName(const std::string &bundleName, int32_t appCloneIndex,
+ const PolicyVecRawData &policyRawData, uint64_t policyFlag, Uint32VecRawData &resultRawData)
+{
+ SANDBOXMANAGER_LOG_INFO(LABEL, "set policy by bundle:%{public}s", bundleName.c_str());
+ DelayUnloadService();
+ uint32_t callingTokenId = IPCSkeleton::GetCallingTokenID();
+ if (!CheckPermission(callingTokenId, FILE_ACCESS_PERMISSION_NAME)) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed.");
+ return PERMISSION_DENIED;
+ }
+ std::vector policy;
+ policyRawData.Unmarshalling(policy);
+ size_t policySize = policy.size();
+ if (policySize == 0) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize);
+ return INVALID_PARAMTER;
+ }
+ int32_t userId = 0;
+ int32_t ret = AccountSA::OsAccountManager::GetForegroundOsAccountLocalId(userId);
+ if (ret != 0) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "grantPermission failed, get user id failed error=%{public}d", ret);
+ return INVALID_PARAMTER;
+ }
+
+ uint32_t tokenId = Security::AccessToken::AccessTokenKit::GetHapTokenID(userId, bundleName, appCloneIndex);
+ if (tokenId == 0) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "grantPermission failed, get token id failed");
+ return INVALID_PARAMTER;
+ }
+
+ SANDBOXMANAGER_LOG_INFO(LABEL, "set policy targetId:%{public}u", tokenId);
+
+ if ((policyFlag != 0) && (policyFlag != 1)) {
+ SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policyFlag failed, policyFlag = %{public}" PRIu64 ".", policyFlag);
+ return INVALID_PARAMTER;
+ }
+ std::vector result;
+ ret = PolicyInfoManager::GetInstance().SetPolicy(tokenId, policy, policyFlag, result);
+ if (ret != SANDBOX_MANAGER_OK) {
+ return ret;
+ }
+ resultRawData.Marshalling(result);
+ return SANDBOX_MANAGER_OK;
+}
 int32_t
 SandboxManagerService::PersistPolicy(const PolicyVecRawData &policyRawData, Uint32VecRawData &resultRawData)
 {
 DelayUnloadService();
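Review bot: The user passed to `GetHapTokenID` comes from `GetForegroundOsAccountLocalId`, so a caller holding FILE_ACCESS_MANAGER applies the policy to whichever user's instance of `bundleName` is in the foreground when the IPC is processed, not necessarily the user the caller meant — on a multi-user device that is a cross-account write of sandbox policy with no check that caller and target belong to the same account. Derive the user from the calling token (or accept and validate an explicit `userId` in the IDL), and if the foreground account really is the intended target, say so in a comment on that line. Both lookup failures return `INVALID_PARAMTER`, which tells the caller its input was wrong when the first is an internal account-service error, and their log text `grantPermission failed, ...` is copied from another service; use e.g. `"SetPolicyByBundleName: get foreground user id failed, error=%{public}d"`. This entry point is gated on `FILE_ACCESS_PERMISSION_NAME` while `SET_POLICY_PERMISSION_NAME` exists in sandbox_manager_const.h for policy setting (presumably guarding the token-id based SetPolicy path), so `PolicyInfoManager::SetPolicy` becomes reachable under a second permission — if that is intended, a one-line comment above the `CheckPermission` call should say why. Lastly, the `policyFlag` check should move above the account and token lookups so a malformed request is rejected before two cross-process calls are made.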