diff --git a/frameworks/sandbox_manager/include/i_sandbox_manager.h b/frameworks/sandbox_manager/include/i_sandbox_manager.h index b6c32bb5926ad8e3900a4545aa14380e8da26e3f..0fe319d7d029a6786a42a299e31409d02da5c0a5 100644 --- a/frameworks/sandbox_manager/include/i_sandbox_manager.h +++ b/frameworks/sandbox_manager/include/i_sandbox_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -37,7 +37,12 @@ public: uint64_t tokenId, const std::vector &policy, std::vector &result) = 0; virtual int32_t UnPersistPolicyByTokenId( uint64_t tokenId, const std::vector &policy, std::vector &result) = 0; - virtual int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) = 0; + virtual int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result) = 0; + virtual int32_t UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy) = 0; + virtual int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag) = 0; + virtual int32_t UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy) = 0; + virtual int32_t CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result) = 0; virtual int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result) = 0; virtual int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result) = 0; virtual int32_t CheckPersistPolicy( diff --git a/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h b/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h index 15fe30f8c1711b35f809126825e5156355bd1016..7634e5a08c696d6b7b37372f9f8083bc5ad99896 100644 --- a/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h +++ b/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -24,6 +24,10 @@ enum class SandboxManagerInterfaceCode { PERSIST_PERMISSION = 0xffb0, UNPERSIST_PERMISSION, SET_POLICY, + UNSET_POLICY, + SET_POLICY_ASYNC, + UNSET_POLICY_ASYNC, + CHECK_POLICY, START_ACCESSING_URI, STOP_ACCESSING_URI, CHECK_PERSIST_PERMISSION, diff --git a/interfaces/innerkits/sandbox_manager/include/policy_info.h b/interfaces/innerkits/sandbox_manager/include/policy_info.h index 6e7c09847aad9d7eca6a7eb1557c6651fef5794a..9d56d354d5551d5c6bbc7d76c28cc36660f6be67 100644 --- a/interfaces/innerkits/sandbox_manager/include/policy_info.h +++ b/interfaces/innerkits/sandbox_manager/include/policy_info.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -34,7 +34,7 @@ typedef enum SandboxRetType { INVALID_MODE = 2, INVALID_PATH = 3, POLICY_HAS_NOT_BEEN_PERSISTED = 4, - POLICY_HAS_BEEN_PERSISTED = 5, + POLICY_MAC_FAIL = 5, } SandboxRetType; const uint32_t IS_POLICY_ALLOWED_TO_BE_PRESISTED = 1 << 0; diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h index aebae4cdaed2c9b332842c5dd0e435aa50a2b961..65a1e690ebe2994e5f6ec000ea565deede012e60 100644 --- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h +++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -42,7 +42,12 @@ public: int32_t PersistPolicy(const std::vector &policy, std::vector &result); int32_t UnPersistPolicy(const std::vector &policy, std::vector &result); - int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag); + int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result); + int32_t UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy); + int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag); + int32_t UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy); + int32_t CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result); int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result); int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result); int32_t CheckPersistPolicy(uint64_t tokenId, const std::vector &policy, std::vector &result); diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h index 2b26c4b9fc4cfd2d14eab6a3d4d2ab4844b1cde9..22d16e20ec6e99afb30a16326779e8230c232d08 100644 --- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h +++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -30,6 +30,9 @@ enum SandboxManagerErrCode : int32_t { SANDBOX_MANAGER_DB_ERR, SANDBOX_MANAGER_DB_RETURN_EMPTY, SANDBOX_MANAGER_DB_RECORD_NOT_EXIST, + + SANDBOX_MANAGER_MAC_NOT_INIT, + SANDBOX_MANAGER_MAC_IOCTL_ERR, }; } // SandboxManager } // AccessControl diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h index 9506077a20e6cfe313d53fb8d7ce945779b67826..c00c35654f8c91e18fbe917dec1fe285b9d5ad2e 100644 --- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h +++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -62,10 +62,41 @@ public: * @brief Set policys with a given tokenId to MAC layer * @param tokenId a given tokenId * @param policy vector of PolicyInfo, see policy_info.h - * @param result insert result of each policy, result is SandboxRetType in policy_info.h + * @param policyFlag flag of policy + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result); + /** + * @brief Unset policy with a given tokenId from MAC layer + * @param tokenId a given tokenId + * @param policy vector of PolicyInfo, see policy_info.h + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy); + /** + * @brief Set policys with a given tokenId to MAC layer async + * @param tokenId a given tokenId + * @param policy vector of PolicyInfo, see policy_info.h + * @param policyFlag flag of policy + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag); + /** + * @brief Unset policy with a given tokenId from MAC layer async + * @param tokenId a given tokenId + * @param policy vector of PolicyInfo, see policy_info.h * @return SandboxManagerErrCode, see sandbox_manager_err_code.h */ - static int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag); + static int32_t UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy); + /** + * @brief Check policy with a given tokenId from MAC layer + * @param tokenId a given tokenId + * @param policy vector of PolicyInfo, see policy_info.h + * @param result check result of each policy + * @return true if policy exist, else false + */ + static int32_t CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result); /** * @brief Set existing persisted policys with caller's tokenId to MAC layer * not existed policy would be ignored, but have a return in result diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h index 0b7cd062574f4f05affa8f835553d44e65c451e2..87c76ce80f7fd3955e85fa0f4986bc2f46d2ec5f 100644 --- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h +++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -33,8 +33,12 @@ public: int32_t PersistPolicy(const std::vector &policy, std::vector &result) override; int32_t UnPersistPolicy(const std::vector &policy, std::vector &result) override; - int32_t SetPolicy( - uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) override; + int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result) override; + int32_t UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy) override; + int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag) override; + int32_t UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy) override; + int32_t CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result) override; int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result) override; int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result) override; int32_t CheckPersistPolicy( diff --git a/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map b/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map index f787881eaa9217cccfbb96ce55fe4d2de269a7dc..1774926ac9c0ee966106412df3e1f7b3f424cd31 100644 --- a/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map +++ b/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Huawei Device Co., Ltd. +# Copyright (c) 2023-2024 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -20,8 +20,13 @@ "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnPersistPolicy(unsigned long long, std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::PersistPolicy(std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnPersistPolicy(std::__h::vector> const&, std::__h::vector>&)"; - "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned long, std::__h::vector> const&, unsigned long)"; - "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned long long, std::__h::vector> const&, unsigned long long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned int, std::__h::vector> const&, unsigned long, std::__h::vector>&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned int, std::__h::vector> const&, unsigned long long, std::__h::vector>&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicyAsync(unsigned int, std::__h::vector> const&, unsigned long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicyAsync(unsigned int, std::__h::vector> const&, unsigned long long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetPolicy(unsigned int, OHOS::AccessControl::SandboxManager::PolicyInfo const&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetPolicyAsync(unsigned int, OHOS::AccessControl::SandboxManager::PolicyInfo const&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPolicy(unsigned int, std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingPolicy(std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StopAccessingPolicy(std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPersistPolicy(unsigned long, std::__h::vector> const&, std::__h::vector>&)"; diff --git a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp index 8018aaac92ec43b0550e41668f58efec30777079..f25e1558f665dc2368735fa963d036eae22a2fe8 100644 --- a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp +++ b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -87,14 +87,57 @@ int32_t SandboxManagerClient::UnPersistPolicyByTokenId( return proxy->UnPersistPolicyByTokenId(tokenId, policy, result); } -int32_t SandboxManagerClient::SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) +int32_t SandboxManagerClient::SetPolicy(uint32_t tokenId, const std::vector &policy, + uint64_t policyFlag, std::vector &result) { auto proxy = GetProxy(true); if (proxy == nullptr) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Proxy is null."); + return SANDBOX_MANAGER_SERVICE_NOT_EXIST; + } + return proxy->SetPolicy(tokenId, policy, policyFlag, result); +} + +int32_t SandboxManagerClient::UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy) +{ + auto proxy = GetProxy(true); + if (proxy == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Proxy is null."); + return SANDBOX_MANAGER_SERVICE_NOT_EXIST; + } + return proxy->UnSetPolicy(tokenId, policy); +} + +int32_t SandboxManagerClient::SetPolicyAsync(uint32_t tokenId, const std::vector &policy, + uint64_t policyFlag) +{ + auto proxy = GetProxy(true); + if (proxy == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Proxy is null."); + return SANDBOX_MANAGER_SERVICE_NOT_EXIST; + } + return proxy->SetPolicyAsync(tokenId, policy, policyFlag); +} + +int32_t SandboxManagerClient::UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy) +{ + auto proxy = GetProxy(true); + if (proxy == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Proxy is null."); + return SANDBOX_MANAGER_SERVICE_NOT_EXIST; + } + return proxy->UnSetPolicyAsync(tokenId, policy); +} + +int32_t SandboxManagerClient::CheckPolicy(uint32_t tokenId, const std::vector &policy, + std::vector &result) +{ + auto proxy = GetProxy(true); + if (proxy == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Proxy is null."); return SANDBOX_MANAGER_SERVICE_NOT_EXIST; } - return proxy->SetPolicy(tokenId, policy, policyFlag); + return proxy->CheckPolicy(tokenId, policy, result); } int32_t SandboxManagerClient::StartAccessingPolicy( diff --git a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp index 2f5c120a8915883f84e8b556fa10f409329012fe..f314f52f6497c270e51c4ab881dca475f2dc93b8 100644 --- a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp +++ b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -29,6 +29,7 @@ static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = { LOG_CORE, ACCESSCONTROL_DOMAIN_SANDBOXMANAGER, "SandboxManagerKit"}; } const uint64_t POLICY_VECTOR_SIZE_LIMIT = 500; +const uint32_t POLICY_PATH_LIMIT = 256; int32_t SandboxManagerKit::PersistPolicy(const std::vector &policy, std::vector &result) { @@ -82,14 +83,80 @@ int32_t SandboxManagerKit::UnPersistPolicy( return SandboxManagerClient::GetInstance().UnPersistPolicyByTokenId(tokenId, policy, result); } -int32_t SandboxManagerKit::SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) +int32_t SandboxManagerKit::SetPolicy(uint32_t tokenId, const std::vector &policy, + uint64_t policyFlag, std::vector &result) { - SANDBOXMANAGER_LOG_DEBUG(LABEL, "called"); size_t policySize = policy.size(); - if ((policySize == 0) || (policySize > POLICY_VECTOR_SIZE_LIMIT) || (tokenId == 0)) { + if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize); + return INVALID_PARAMTER; + } + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed."); + return INVALID_PARAMTER; + } + if ((policyFlag != 0) && (policyFlag != 1)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policyFlag failed, policyFlag = %{public}" PRIu64 ".", policyFlag); + return INVALID_PARAMTER; + } + return SandboxManagerClient::GetInstance().SetPolicy(tokenId, policy, policyFlag, result); +} + +int32_t SandboxManagerKit::UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy) +{ + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed."); + return INVALID_PARAMTER; + } + uint32_t length = policy.path.length(); + if (length == 0 || length > POLICY_PATH_LIMIT) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy path size check failed, path=%{public}s", policy.path.c_str()); + return INVALID_PARAMTER; + } + return SandboxManagerClient::GetInstance().UnSetPolicy(tokenId, policy); +} + +int32_t SandboxManagerKit::SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag) +{ + size_t policySize = policy.size(); + if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize); + return INVALID_PARAMTER; + } + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed."); + return INVALID_PARAMTER; + } + if ((policyFlag != 0) && (policyFlag != 1)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policyFlag failed, policyFlag = %{public}" PRIu64 ".", policyFlag); + return INVALID_PARAMTER; + } + return SandboxManagerClient::GetInstance().SetPolicyAsync(tokenId, policy, policyFlag); +} + +int32_t SandboxManagerKit::UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy) +{ + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed."); return SandboxManagerErrCode::INVALID_PARAMTER; } - return SandboxManagerClient::GetInstance().SetPolicy(tokenId, policy, policyFlag); + return SandboxManagerClient::GetInstance().UnSetPolicyAsync(tokenId, policy); +} + +int32_t SandboxManagerKit::CheckPolicy(uint32_t tokenId, const std::vector &policy, + std::vector &result) +{ + size_t policySize = policy.size(); + if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize); + return INVALID_PARAMTER; + } + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed."); + return INVALID_PARAMTER; + } + + return SandboxManagerClient::GetInstance().CheckPolicy(tokenId, policy, result); } int32_t SandboxManagerKit::StartAccessingPolicy(const std::vector &policy, std::vector &result) diff --git a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp index 58c5b96d543c6cd5e8198965e5a231ed9b2f0720..65eac5e0a9fc91fd6e513dc635aed7f61ce0de26 100644 --- a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp +++ b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -20,6 +20,7 @@ #include "iremote_proxy.h" #include "message_parcel.h" #include "parcel.h" +#include "policy_info_parcel.h" #include "policy_info_vector_parcel.h" #include "sandboxmanager_service_ipc_interface_code.h" #include "sandbox_manager_err_code.h" @@ -211,41 +212,165 @@ int32_t SandboxManagerProxy::UnPersistPolicyByTokenId( return remoteRet; } -int32_t SandboxManagerProxy::SetPolicy(uint64_t tokenId, const std::vector &policy, - uint64_t policyFlag) +static bool WriteSetPolicyParcel(MessageParcel &data, uint32_t tokenId, const std::vector &policy, + uint64_t policyFlag) { - MessageParcel data; if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor fail"); - return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor failed."); + return false; } - if (!data.WriteUint64(tokenId)) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId fail"); - return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + if (!data.WriteUint32(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId failed."); + return false; } - + PolicyInfoVectorParcel policyInfoVectorParcel; policyInfoVectorParcel.policyVector = policy; if (!data.WriteParcelable(&policyInfoVectorParcel)) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyInfoVectorParcel fail"); - return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyInfoVectorParcel failed."); + return false; } if (!data.WriteUint64(policyFlag)) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyFlag fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyFlag failed."); + return false; + } + return true; +} + +int32_t SandboxManagerProxy::SetPolicy(uint32_t tokenId, const std::vector &policy, + uint64_t policyFlag, std::vector &result) +{ + MessageParcel data; + if (!WriteSetPolicyParcel(data, tokenId, policy, policyFlag)) { return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } MessageParcel reply; int32_t requestRet = SendRequest(SandboxManagerInterfaceCode::SET_POLICY, data, reply); if (requestRet != SANDBOX_MANAGER_OK) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail"); return requestRet; } int32_t remoteRet; if (!reply.ReadInt32(remoteRet)) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "read ret fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "read ret failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + result.clear(); + if (remoteRet != SANDBOX_MANAGER_OK) { + return remoteRet; + } + if (!reply.ReadUInt32Vector(&result)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read result failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + return remoteRet; +} + +int32_t SandboxManagerProxy::SetPolicyAsync(uint32_t tokenId, const std::vector &policy, + uint64_t policyFlag) +{ + MessageParcel data; + if (!WriteSetPolicyParcel(data, tokenId, policy, policyFlag)) { + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + MessageParcel reply; + MessageOption option(MessageOption::TF_ASYNC); + return SendRequest(SandboxManagerInterfaceCode::SET_POLICY_ASYNC, data, reply, option); +} + +static bool WriteUnSetPolicyParcel(MessageParcel &data, uint32_t tokenId, const PolicyInfo &policy) +{ + if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor failed."); + return false; + } + if (!data.WriteUint32(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId failed."); + return false; + } + + PolicyInfoParcel policyInfoParcel; + policyInfoParcel.policyInfo = policy; + if (!data.WriteParcelable(&policyInfoParcel)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyInfoParcel failed."); + return false; + } + return true; +} + +int32_t SandboxManagerProxy::UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy) +{ + MessageParcel data; + if (!WriteUnSetPolicyParcel(data, tokenId, policy)) { + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + MessageParcel reply; + int32_t requestRet = SendRequest(SandboxManagerInterfaceCode::UNSET_POLICY, data, reply); + if (requestRet != SANDBOX_MANAGER_OK) { + return requestRet; + } + + int32_t remoteRet; + if (!reply.ReadInt32(remoteRet)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read ret failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + return remoteRet; +} + +int32_t SandboxManagerProxy::UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy) +{ + MessageParcel data; + if (!WriteUnSetPolicyParcel(data, tokenId, policy)) { + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + MessageParcel reply; + MessageOption option(MessageOption::TF_ASYNC); + return SendRequest(SandboxManagerInterfaceCode::UNSET_POLICY_ASYNC, data, reply, option); +} + +int32_t SandboxManagerProxy::CheckPolicy(uint32_t tokenId, const std::vector &policy, + std::vector &result) +{ + MessageParcel data; + if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + if (!data.WriteUint32(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + PolicyInfoVectorParcel policyInfoVectorParcel; + policyInfoVectorParcel.policyVector = policy; + if (!data.WriteParcelable(&policyInfoVectorParcel)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyInfoVectorParcel failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + MessageParcel reply; + int32_t requestRet = SendRequest(SandboxManagerInterfaceCode::CHECK_POLICY, data, reply); + if (requestRet != SANDBOX_MANAGER_OK) { + return requestRet; + } + + int32_t remoteRet; + if (!reply.ReadInt32(remoteRet)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read ret failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + result.clear(); + if (remoteRet != SANDBOX_MANAGER_OK) { + return remoteRet; + } + if (!reply.ReadBoolVector(&result)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read result failed."); return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } return remoteRet; diff --git a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp index 3a0fc3706d139a3f35f9a19395680c9cef723f3d..4d58f7fa7cd2ba948fecf0884a59bae86db67d9b 100644 --- a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp +++ b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -152,7 +152,7 @@ HWTEST_F(SandboxManagerKitCoverageTest, SetPolicy001, TestSize.Level1) } std::vector result; - EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::SetPolicy(GetSelfTokenID(), policy, 0)); + EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::SetPolicy(GetSelfTokenID(), policy, 0, result)); EXPECT_EQ(0, result.size()); } diff --git a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp index b91f6bac7e8fbaf8f416c272afd9fef2e5ae66c2..b71bc713f3735f1dec6cd7f31dded821e609fab7 100644 --- a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp +++ b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -168,7 +168,7 @@ HWTEST_F(SandboxManagerKitTest, PersistPolicyByTokenID001, TestSize.Level1) policy.emplace_back(info); std::vector result; - const uint64_t tokenId = 123456; // 123456 is a mocked tokenid. + const uint32_t tokenId = 123456; // 123456 is a mocked tokenid. ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); ASSERT_EQ(1, result.size()); @@ -641,35 +641,36 @@ HWTEST_F(SandboxManagerKitTest, PersistPolicy013, TestSize.Level1) */ HWTEST_F(SandboxManagerKitTest, PersistPolicy014, TestSize.Level1) { - uint64_t tokenId = 0; + uint32_t tokenId = 0; std::vector policy; std::vector result; uint64_t policyFlag = 0; std::vector flag; - PolicyInfo infoParent = { - .path = "/data/log", - .mode = OperateMode::WRITE_MODE - }; + PolicyInfo infoParent = {.path = "/data/log", .mode = OperateMode::WRITE_MODE}; EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); tokenId = 1; EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); tokenId = 0; policy.emplace_back(infoParent); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); tokenId = 1; EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); for (int i = 0; i < 500; i++) { @@ -678,15 +679,37 @@ HWTEST_F(SandboxManagerKitTest, PersistPolicy014, TestSize.Level1) tokenId = 0; EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); tokenId = 1; EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); } +/** + * @tc.name: PersistPolicy015 + * @tc.desc: add test. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, PersistPolicy015, TestSize.Level1) +{ + uint32_t tokenId = 0; + std::vector policy; + std::vector result; + uint64_t policyFlag = 0; + std::vector flag; + PolicyInfo infoParent = {.path = "/data/log", .mode = OperateMode::WRITE_MODE}; + EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); + EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::SetPolicyAsync(tokenId, policy, policyFlag)); + EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::UnSetPolicy(tokenId, infoParent)); + EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::UnSetPolicyAsync(tokenId, infoParent)); + EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(tokenId, policy, flag)); +} } //SandboxManager } //AccessControl } // OHOS \ No newline at end of file diff --git a/services/sandbox_manager/BUILD.gn b/services/sandbox_manager/BUILD.gn index 8fe24a3d8079de539e25548ef14af9e6e1a70cd1..5cbe5f13f2ebf51d9ff9d57fae4fb4dceb39e4d4 100644 --- a/services/sandbox_manager/BUILD.gn +++ b/services/sandbox_manager/BUILD.gn @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Huawei Device Co., Ltd. +# Copyright (c) 2023-2024 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -44,11 +44,13 @@ if (is_standard_system) { "main/cpp/include/service", "main/cpp/include/sensitive", "main/cpp/include/database", + "main/cpp/include/mac", ] sources = [ "main/cpp/src/database/policy_field_const.cpp", "main/cpp/src/database/sandbox_manager_db.cpp", + "main/cpp/src/mac/mac_adapter.cpp", "main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp", "main/cpp/src/service/policy_info_manager.cpp", "main/cpp/src/service/sandbox_manager_service.cpp", diff --git a/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h b/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h new file mode 100644 index 0000000000000000000000000000000000000000..02a1dcc194c8a3d2b3bebbffd4d17cfdb5298ee6 --- /dev/null +++ b/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h @@ -0,0 +1,47 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef SANDBOX_MANAGER_MAC_ADAPTER_H +#define SANDBOX_MANAGER_MAC_ADAPTER_H + +#include +#include "policy_info.h" + +namespace OHOS { +namespace AccessControl { +namespace SandboxManager { +class MacAdapter { +public: + explicit MacAdapter(); + virtual ~MacAdapter(); + void Init(); + bool IsMacSupport(); + + int32_t SetSandboxPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result); + int32_t UnSetSandboxPolicy(uint32_t tokenId, const PolicyInfo &policy); + int32_t UnSetSandboxPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result); + int32_t QuerySandboxPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result); + int32_t CheckSandboxPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result); + int32_t DestroySandboxPolicy(uint32_t tokenId); + +private: + int32_t fd_ = -1; + bool isMacSupport_ = false; +}; +} // namespace SandboxManager +} // namespace AccessControl +} // namespace OHOS +#endif // SANDBOX_MANAGER_MAC_ADAPTER_H \ No newline at end of file diff --git a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h index 7ed3a1fef04d6fc6bf7347a7913af87cdb480c38..af484befc23936e11649757f8097d65afc528695 100644 --- a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h +++ b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -19,6 +19,7 @@ #include #include #include +#include "mac_adapter.h" #include "generic_values.h" #include "policy_info.h" @@ -67,6 +68,30 @@ public: * / SANDBOX_MANAGER_DB_RETURN_EMPTY */ int32_t RemovePolicy(const uint64_t tokenId, const std::vector &policy, std::vector &result); + /** + * @brief set policies of a certain tokenId + * @param tokenId token id of the object + * @param policy vector of PolicyInfo, see policy_info.h + * @param result set result of each policy + * @return SANDBOX_MANAGER_MAC_IOCTL_ERR / SANDBOX_MANAGER_OK + */ + int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result); + /** + * @brief unset policies of a certain tokenId + * @param tokenId token id of the object + * @param policy PolicyInfo, see policy_info.h + * @return SANDBOX_MANAGER_MAC_IOCTL_ERR / SANDBOX_MANAGER_OK + */ + int32_t UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy); + /** + * @brief check policies of a certain tokenId + * @param tokenId token id of the object + * @param policy vector of PolicyInfo, see policy_info.h + * @param result check result of each policy + * @return SANDBOX_MANAGER_MAC_IOCTL_ERR / SANDBOX_MANAGER_OK + */ + int32_t CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result); /** * @brief remove all policys of a certain tokenId (bundle) * @param tokenId token id of the object @@ -128,6 +153,9 @@ private: * @return INVALID_PATH / INVALID_MODE / SANDBOX_MANAGER_OK */ int32_t CheckPolicyValidity(const PolicyInfo &policy); + +private: + MacAdapter macAdapter_; }; } // namespace SandboxManager } // namespace AccessControl diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h index 5a34ed3fa0305e467bd21d9920fd99cc7e0a9985..68f93bd380e6c6af9c4dc9023c02050aea505708 100644 --- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h +++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -47,7 +47,12 @@ public: uint64_t tokenId, const std::vector &policy, std::vector &result) override; int32_t UnPersistPolicyByTokenId( uint64_t tokenId, const std::vector &policy, std::vector &result) override; - int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) override; + int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result) override; + int32_t UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy) override; + int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag) override; + int32_t UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy) override; + int32_t CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result) override; int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result) override; int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result) override; int32_t CheckPersistPolicy( diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h index c4509ec0492f00c63efca928b2ba0fff5dcc97ba..6c7a35b554bdcaf67591c512a539c28027fc5aec 100644 --- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h +++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -41,13 +41,15 @@ private: int32_t PersistPolicyByTokenIdInner(MessageParcel &data, MessageParcel &reply); int32_t UnPersistPolicyByTokenIdInner(MessageParcel &data, MessageParcel &reply); int32_t SetPolicyInner(MessageParcel &data, MessageParcel &reply); + int32_t UnSetPolicyInner(MessageParcel &data, MessageParcel &reply); + int32_t SetPolicyAsyncInner(MessageParcel &data, MessageParcel &reply); + int32_t UnSetPolicyAsyncInner(MessageParcel &data, MessageParcel &reply); + int32_t CheckPolicyInner(MessageParcel &data, MessageParcel &reply); int32_t StartAccessingPolicyInner(MessageParcel &data, MessageParcel &reply); int32_t StopAccessingPolicyInner(MessageParcel &data, MessageParcel &reply); int32_t CheckPersistPolicyInner(MessageParcel &data, MessageParcel &reply); void SetPolicyOpFuncInMap(); - bool CheckPermission(const uint64_t tokenId, const std::string &permission); - using RequestFuncType = int32_t (SandboxManagerStub::*)(MessageParcel &data, MessageParcel &reply); std::map requestFuncMap_; }; diff --git a/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp b/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp new file mode 100644 index 0000000000000000000000000000000000000000..a4af596592cef91bf6ba5dc665d48ef9a51c54ed --- /dev/null +++ b/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp @@ -0,0 +1,300 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "mac_adapter.h" +#include +#include +#include +#include +#include +#include +#include "sandbox_manager_err_code.h" +#include "sandbox_manager_log.h" + +namespace OHOS { +namespace AccessControl { +namespace SandboxManager { +static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = { + LOG_CORE, ACCESSCONTROL_DOMAIN_SANDBOXMANAGER, "SandboxManagerMacAdapter" +}; + +constexpr const char* DEV_NODE = "/dev/dec"; +const size_t MAX_POLICY_NUM = 32; + +struct PathInfo { + char *path = nullptr; + uint32_t pathLen = 0; + uint32_t mode = 0; + bool result = false; +}; + +struct SandboxPolicyInfo { + uint64_t tokenId = 0; + struct PathInfo pathInfos[MAX_POLICY_NUM]; + uint32_t pathNum = 0; + bool persist = false; +}; + +#define SANDBOX_IOCTL_BASE 's' +#define SET_POLICY 1 +#define UN_SET_POLICY 2 +#define QUERY_POLICY 3 +#define CHECK_POLICY 4 +#define DESTROY_POLICY 5 + +#define SET_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, SET_POLICY, struct SandboxPolicyInfo) +#define UN_SET_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, UN_SET_POLICY, struct SandboxPolicyInfo) +#define QUERY_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, QUERY_POLICY, struct SandboxPolicyInfo) +#define CHECK_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, CHECK_POLICY, struct SandboxPolicyInfo) +#define DESTROY_POLICY_CMD _IOW(SANDBOX_IOCTL_BASE, DESTROY_POLICY, uint64_t) + +MacAdapter::MacAdapter() {} + +MacAdapter::~MacAdapter() +{ + if (fd_ >= 0) { + close(fd_); + fd_ = -1; + } + isMacSupport_ = false; +} + +void MacAdapter::Init() +{ + if (access(DEV_NODE, F_OK) == 0) { + SANDBOXMANAGER_LOG_INFO(LABEL, "Node exists, mac is support."); + isMacSupport_ = true; + } + fd_ = open(DEV_NODE, O_RDWR); + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Open node failed, errno=%{public}d.", errno); + return; + } + SANDBOXMANAGER_LOG_INFO(LABEL, "Open node success.", errno); + return; +} + +bool MacAdapter::IsMacSupport() +{ + return isMacSupport_; +} + +int32_t MacAdapter::SetSandboxPolicy(uint32_t tokenId, const std::vector &policy, + uint64_t policyFlag, std::vector &result) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_NOT_INIT; + } + + size_t policyNum = policy.size(); + + for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) { + size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset); + + struct SandboxPolicyInfo info; + info.tokenId = tokenId; + info.pathNum = curBatchSize; + info.persist = policyFlag == 1 ? true : false; + + for (size_t i = 0; i < curBatchSize; ++i) { + info.pathInfos[i].path = const_cast(policy[offset + i].path.c_str()); + info.pathInfos[i].pathLen = policy[offset + i].path.length(); + info.pathInfos[i].mode = policy[offset + i].mode; + } + + if (ioctl(fd_, SET_POLICY_CMD, &info) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Set policy failed at batch %{public}zu, errno=%{public}d.", + offset / MAX_POLICY_NUM, errno); + return SANDBOX_MANAGER_MAC_IOCTL_ERR; + } + for (size_t i = 0; i < curBatchSize; ++i) { + result[offset + i] = info.pathInfos[i].result ? SANDBOX_MANAGER_OK : POLICY_MAC_FAIL; + } + } + uint32_t failCount = + std::count_if(result.begin(), result.end(), [](uint32_t res) { return res != SANDBOX_MANAGER_OK; }); + if (failCount > 0) { + SANDBOXMANAGER_LOG_WARN(LABEL, "Set policy has failed items, failCount=%{public}u.", failCount); + } + return SANDBOX_MANAGER_OK; +} + +int32_t MacAdapter::QuerySandboxPolicy(uint32_t tokenId, const std::vector &policy, + std::vector &result) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_NOT_INIT; + } + + result.clear(); + + size_t policyNum = policy.size(); + + for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) { + size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset); + + struct SandboxPolicyInfo info; + info.tokenId = tokenId; + info.pathNum = curBatchSize; + + for (size_t i = 0; i < curBatchSize; ++i) { + info.pathInfos[i].path = const_cast(policy[offset + i].path.c_str()); + info.pathInfos[i].pathLen = policy[offset + i].path.length(); + info.pathInfos[i].mode = policy[offset + i].mode; + } + + if (ioctl(fd_, QUERY_POLICY_CMD, &info) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Query policy failed at batch %{public}zu, errno=%{public}d.", + offset / MAX_POLICY_NUM, errno); + return SANDBOX_MANAGER_MAC_IOCTL_ERR; + } + for (size_t i = 0; i < curBatchSize; ++i) { + result[offset + i] = info.pathInfos[i].result; + } + } + + uint32_t failCount = std::count(result.begin(), result.end(), false); + if (failCount > 0) { + SANDBOXMANAGER_LOG_WARN(LABEL, "Query policy has failed items, failCount=%{public}u.", failCount); + } + return SANDBOX_MANAGER_OK; +} + +int32_t MacAdapter::CheckSandboxPolicy(uint32_t tokenId, const std::vector &policy, + std::vector &result) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_NOT_INIT; + } + + result.clear(); + + size_t policyNum = policy.size(); + + for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) { + size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset); + + struct SandboxPolicyInfo info; + info.tokenId = tokenId; + info.pathNum = curBatchSize; + + for (size_t i = 0; i < curBatchSize; ++i) { + info.pathInfos[i].path = const_cast(policy[offset + i].path.c_str()); + info.pathInfos[i].pathLen = policy[offset + i].path.length(); + info.pathInfos[i].mode = policy[offset + i].mode; + } + + if (ioctl(fd_, CHECK_POLICY_CMD, &info) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy failed at batch %{public}zu, errno=%{public}d.", + offset / MAX_POLICY_NUM, errno); + return SANDBOX_MANAGER_MAC_IOCTL_ERR; + } + for (size_t i = 0; i < curBatchSize; ++i) { + result[offset + i] = info.pathInfos[i].result; + } + } + + uint32_t failCount = std::count(result.begin(), result.end(), false); + if (failCount > 0) { + SANDBOXMANAGER_LOG_WARN(LABEL, "Check policy has failed items, failCount=%{public}u.", failCount); + } + return SANDBOX_MANAGER_OK; +} + +int32_t MacAdapter::UnSetSandboxPolicy(uint32_t tokenId, const std::vector &policy, + std::vector &result) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_NOT_INIT; + } + + result.clear(); + + size_t policyNum = policy.size(); + + for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) { + size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset); + + struct SandboxPolicyInfo info; + info.tokenId = tokenId; + info.pathNum = curBatchSize; + + for (size_t i = 0; i < curBatchSize; ++i) { + info.pathInfos[i].path = const_cast(policy[offset + i].path.c_str()); + info.pathInfos[i].pathLen = policy[offset + i].path.length(); + info.pathInfos[i].mode = policy[offset + i].mode; + } + + if (ioctl(fd_, UN_SET_POLICY_CMD, &info) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Unset policy failed at batch %{public}zu, errno=%{public}d.", + offset / MAX_POLICY_NUM, errno); + return SANDBOX_MANAGER_MAC_IOCTL_ERR; + } + for (size_t i = 0; i < curBatchSize; ++i) { + result[offset + i] = info.pathInfos[i].result; + } + } + + uint32_t failCount = std::count(result.begin(), result.end(), false); + if (failCount > 0) { + SANDBOXMANAGER_LOG_WARN(LABEL, "Unset policy has failed items, failCount=%{public}u.", failCount); + } + return SANDBOX_MANAGER_OK; +} + +int32_t MacAdapter::UnSetSandboxPolicy(uint32_t tokenId, const PolicyInfo &policy) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_NOT_INIT; + } + + struct SandboxPolicyInfo info; + info.tokenId = tokenId; + info.pathNum = 1; + + info.pathInfos[0].path = const_cast(policy.path.c_str()); + info.pathInfos[0].pathLen = policy.path.length(); + info.pathInfos[0].mode = policy.mode; + + if (ioctl(fd_, UN_SET_POLICY_CMD, &info) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Unset policy failed, errno=%{public}d.", errno); + return SANDBOX_MANAGER_MAC_IOCTL_ERR; + } + + return SANDBOX_MANAGER_OK; +} + +int32_t MacAdapter::DestroySandboxPolicy(uint32_t tokenId) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_NOT_INIT; + } + + if (ioctl(fd_, DESTROY_POLICY_CMD, &tokenId) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Destroy policy failed, errno=%{public}d.", errno); + return SANDBOX_MANAGER_MAC_IOCTL_ERR; + } + + return SANDBOX_MANAGER_OK; +} +} // namespace SandboxManager +} // namespace AccessControl +} // namespace OHOS \ No newline at end of file diff --git a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp index b1b23f3c2c4b852b63322f633ed0b3ef3a15c642..c6e3c3078a114bf888e8effbe92e114d694aba8f 100644 --- a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp +++ b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -46,6 +46,7 @@ PolicyInfoManager &PolicyInfoManager::GetInstance() void PolicyInfoManager::Init() { SandboxManagerDb::GetInstance(); + macAdapter_.Init(); } int32_t PolicyInfoManager::AddPolicy(const uint64_t tokenId, const std::vector &policy, @@ -197,6 +198,93 @@ int32_t PolicyInfoManager::RemovePolicy( return SANDBOX_MANAGER_OK; } +int32_t PolicyInfoManager::SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result) +{ + if (!macAdapter_.IsMacSupport()) { + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return SANDBOX_MANAGER_OK; + } + result.resize(policy.size(), INVALID_PATH); + std::vector validIndex; + std::vector validPolicies; + for (size_t index = 0; index < policy.size(); ++index) { + int32_t res = CheckPolicyValidity(policy[index]); + if (res == SANDBOX_MANAGER_OK) { + validIndex.emplace_back(index); + validPolicies.emplace_back(policy[index]); + } else { + result[index] = res; + } + } + + if (validPolicies.empty()) { + SANDBOXMANAGER_LOG_WARN(LABEL, "No valid policy to set."); + return SANDBOX_MANAGER_OK; + } + + std::vector setResult(validPolicies.size(), SANDBOX_MANAGER_OK); + int32_t ret = macAdapter_.SetSandboxPolicy(tokenId, validPolicies, policyFlag, setResult); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Set sandbox policy failed, error=%{public}d.", ret); + result.clear(); + return ret; + } + size_t resultIndex = 0; + for (const auto &index : validIndex) { + result[index] = setResult[resultIndex++]; + } + + return SANDBOX_MANAGER_OK; +} + +int32_t PolicyInfoManager::UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy) +{ + if (!macAdapter_.IsMacSupport()) { + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return SANDBOX_MANAGER_OK; + } + return macAdapter_.UnSetSandboxPolicy(tokenId, policy); +} + +int32_t PolicyInfoManager::CheckPolicy(uint32_t tokenId, const std::vector &policy, + std::vector &result) +{ + if (!macAdapter_.IsMacSupport()) { + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return SANDBOX_MANAGER_OK; + } + result.resize(policy.size(), false); + std::vector validIndex; + std::vector validPolicies; + for (size_t index = 0; index < policy.size(); ++index) { + int32_t res = CheckPolicyValidity(policy[index]); + if (res == SANDBOX_MANAGER_OK) { + validIndex.emplace_back(index); + validPolicies.emplace_back(policy[index]); + } + } + + if (validPolicies.empty()) { + SANDBOXMANAGER_LOG_WARN(LABEL, "No valid policy to set."); + return SANDBOX_MANAGER_OK; + } + + std::vector checkResult(validPolicies.size(), false); + int32_t ret = macAdapter_.CheckSandboxPolicy(tokenId, validPolicies, checkResult); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check sandbox policy failed, error=%{public}d.", ret); + result.clear(); + return ret; + } + size_t resultIndex = 0; + for (const auto &index : validIndex) { + result[index] = checkResult[resultIndex++]; + } + + return SANDBOX_MANAGER_OK; +} + bool PolicyInfoManager::RemoveBundlePolicy(const uint64_t tokenId) { GenericValues conditions; diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp index 245fc1648a8e3498ea1ce614cf59a961e6cefe20..4fd91f56db469cea79afb255fd870ecb725d6457 100644 --- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp +++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -181,22 +181,67 @@ int32_t SandboxManagerService::UnPersistPolicyByTokenId( return PolicyInfoManager::GetInstance().RemovePolicy(tokenId, policy, result); } -int32_t SandboxManagerService::SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) +int32_t SandboxManagerService::SetPolicy(uint32_t tokenId, const std::vector &policy, + uint64_t policyFlag, std::vector &result) { size_t policySize = policy.size(); - if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT || tokenId == 0) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy vector size error, size = %{public}zu, tokenid = %{public}" PRIu64, - policy.size(), tokenId); + if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize); + return INVALID_PARAMTER; + } + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed."); + return INVALID_PARAMTER; + } + if ((policyFlag != 0) && (policyFlag != 1)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policyFlag failed, policyFlag = %{public}" PRIu64 ".", policyFlag); return INVALID_PARAMTER; } - if (policyFlag == IS_POLICY_ALLOWED_TO_BE_PRESISTED) { - SANDBOXMANAGER_LOG_INFO(LABEL, "Allow to set persistant."); - } else { - SANDBOXMANAGER_LOG_INFO(LABEL, "Not allow to set persistant."); + return PolicyInfoManager::GetInstance().SetPolicy(tokenId, policy, policyFlag, result); +} + +int32_t SandboxManagerService::UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy) +{ + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed."); + return INVALID_PARAMTER; } - // set to Mac here, FORBIDDEN_TO_BE_PERSISTED - return SANDBOX_MANAGER_OK; + uint32_t length = policy.path.length(); + if (length == 0 || length > POLICY_PATH_LIMIT) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy path size check failed, path=%{public}s", policy.path.c_str()); + return INVALID_PARAMTER; + } + + return PolicyInfoManager::GetInstance().UnSetPolicy(tokenId, policy); +} + +int32_t SandboxManagerService::SetPolicyAsync(uint32_t tokenId, const std::vector &policy, + uint64_t policyFlag) +{ + std::vector result; + return SetPolicy(tokenId, policy, policyFlag, result); +} + +int32_t SandboxManagerService::UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy) +{ + return UnSetPolicy(tokenId, policy); +} + +int32_t SandboxManagerService::CheckPolicy(uint32_t tokenId, const std::vector &policy, + std::vector &result) +{ + size_t policySize = policy.size(); + if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy size failed, size = %{public}zu.", policySize); + return INVALID_PARAMTER; + } + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed."); + return INVALID_PARAMTER; + } + + return PolicyInfoManager::GetInstance().CheckPolicy(tokenId, policy, result); } int32_t SandboxManagerService::StartAccessingPolicy( diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp index 90f4ae9b1f619a787b5640c57cb5313ceb1a7941..a38b197d4d04cea55a8e46a7ea4bf07c47d85dcb 100644 --- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp +++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -22,6 +22,7 @@ #include "accesstoken_kit.h" #include "ipc_skeleton.h" #include "policy_info.h" +#include "policy_info_parcel.h" #include "policy_info_vector_parcel.h" #include "sandbox_manager_const.h" #include "sandbox_manager_err_code.h" @@ -39,6 +40,8 @@ static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = { LOG_CORE, ACCESSCONTROL_DOMAIN_SANDBOXMANAGER, "SandboxManagerStub"}; } +static bool CheckPermission(const uint64_t tokenId, const std::string &permission); + int32_t SandboxManagerStub::OnRemoteRequest( uint32_t code, MessageParcel &data, MessageParcel &reply, MessageOption &option) { @@ -196,35 +199,147 @@ int32_t SandboxManagerStub::UnPersistPolicyByTokenIdInner(MessageParcel &data, M return SANDBOX_MANAGER_OK; } - -int32_t SandboxManagerStub::SetPolicyInner(MessageParcel &data, MessageParcel &reply) +static int32_t ReadSetPolicyParcel(MessageParcel &data, uint32_t &tokenId, + sptr &policyInfoVectorParcel, uint64_t &policyFlag) { uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID(); if (!CheckPermission(callingTokenId, SET_POLICY_PERMISSION_NAME)) { return PERMISSION_DENIED; } - uint64_t tokenId; - if (!data.ReadUint64(tokenId)) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "reply tokenId parcel fail"); + if (!data.ReadUint32(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId failed."); return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } - sptr policyInfoVectorParcel = data.ReadParcelable(); + policyInfoVectorParcel = data.ReadParcelable(); if (policyInfoVectorParcel == nullptr) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read policyInfoVectorParcel failed."); return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } - uint64_t policyFlag; if (!data.ReadUint64(policyFlag)) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "read policyFlag parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read policyFlag failed."); return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } - int32_t ret = this->SetPolicy(tokenId, policyInfoVectorParcel->policyVector, policyFlag); + return SANDBOX_MANAGER_OK; +} + +int32_t SandboxManagerStub::SetPolicyInner(MessageParcel &data, MessageParcel &reply) +{ + uint32_t tokenId; + sptr policyInfoVectorParcel = nullptr; + uint64_t policyFlag; + int32_t readRes = ReadSetPolicyParcel(data, tokenId, policyInfoVectorParcel, policyFlag); + if (readRes != SANDBOX_MANAGER_OK) { + return readRes; + } + + std::vector result; + int32_t ret = this->SetPolicy(tokenId, policyInfoVectorParcel->policyVector, policyFlag, result); if (!reply.WriteInt32(ret)) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager ret parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write ret failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + if (ret != SANDBOX_MANAGER_OK) { + return ret; + } + if (!reply.WriteUInt32Vector(result)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write result failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + return SANDBOX_MANAGER_OK; +} + +int32_t SandboxManagerStub::SetPolicyAsyncInner(MessageParcel &data, MessageParcel &reply) +{ + uint32_t tokenId; + sptr policyInfoVectorParcel = nullptr; + uint64_t policyFlag; + int32_t readRes = ReadSetPolicyParcel(data, tokenId, policyInfoVectorParcel, policyFlag); + if (readRes != SANDBOX_MANAGER_OK) { + return readRes; + } + + return this->SetPolicyAsync(tokenId, policyInfoVectorParcel->policyVector, policyFlag); +} + +static int32_t ReadUnSetPolicyParcel(MessageParcel &data, uint32_t &tokenId, + sptr &policyInfoParcel) +{ + uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID(); + if (!CheckPermission(callingTokenId, SET_POLICY_PERMISSION_NAME)) { + return PERMISSION_DENIED; + } + + if (!data.ReadUint32(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + policyInfoParcel = data.ReadParcelable(); + if (policyInfoParcel == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read policyInfoParcel failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + return SANDBOX_MANAGER_OK; +} + +int32_t SandboxManagerStub::UnSetPolicyInner(MessageParcel &data, MessageParcel &reply) +{ + uint32_t tokenId; + sptr policyInfoParcel = nullptr; + int32_t readRes = ReadUnSetPolicyParcel(data, tokenId, policyInfoParcel); + if (readRes != SANDBOX_MANAGER_OK) { + return readRes; + } + + int32_t ret = this->UnSetPolicy(tokenId, policyInfoParcel->policyInfo); + if (!reply.WriteInt32(ret)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write ret failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + return SANDBOX_MANAGER_OK; +} + +int32_t SandboxManagerStub::UnSetPolicyAsyncInner(MessageParcel &data, MessageParcel &reply) +{ + uint32_t tokenId; + sptr policyInfoParcel = nullptr; + int32_t readRes = ReadUnSetPolicyParcel(data, tokenId, policyInfoParcel); + if (readRes != SANDBOX_MANAGER_OK) { + return readRes; + } + + return this->UnSetPolicyAsync(tokenId, policyInfoParcel->policyInfo); +} + +int32_t SandboxManagerStub::CheckPolicyInner(MessageParcel &data, MessageParcel &reply) +{ + uint32_t tokenId; + if (!data.ReadUint32(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + sptr policyInfoVectorParcel = data.ReadParcelable(); + if (policyInfoVectorParcel == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read policyInfoVectorParcel failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + std::vector result; + int32_t ret = this->CheckPolicy(tokenId, policyInfoVectorParcel->policyVector, result); + if (!reply.WriteInt32(ret)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write ret failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + if (ret != SANDBOX_MANAGER_OK) { + return ret; + } + if (!reply.WriteBoolVector(result)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write result failed."); return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } return SANDBOX_MANAGER_OK; @@ -334,6 +449,14 @@ void SandboxManagerStub::SetPolicyOpFuncInMap() &SandboxManagerStub::UnPersistPolicyByTokenIdInner; requestFuncMap_[static_cast(SandboxManagerInterfaceCode::SET_POLICY)] = &SandboxManagerStub::SetPolicyInner; + requestFuncMap_[static_cast(SandboxManagerInterfaceCode::UNSET_POLICY)] = + &SandboxManagerStub::UnSetPolicyInner; + requestFuncMap_[static_cast(SandboxManagerInterfaceCode::SET_POLICY_ASYNC)] = + &SandboxManagerStub::SetPolicyAsyncInner; + requestFuncMap_[static_cast(SandboxManagerInterfaceCode::UNSET_POLICY_ASYNC)] = + &SandboxManagerStub::UnSetPolicyAsyncInner; + requestFuncMap_[static_cast(SandboxManagerInterfaceCode::CHECK_POLICY)] = + &SandboxManagerStub::CheckPolicyInner; requestFuncMap_[static_cast(SandboxManagerInterfaceCode::START_ACCESSING_URI)] = &SandboxManagerStub::StartAccessingPolicyInner; requestFuncMap_[static_cast(SandboxManagerInterfaceCode::STOP_ACCESSING_URI)] = @@ -352,7 +475,7 @@ SandboxManagerStub::~SandboxManagerStub() requestFuncMap_.clear(); } -bool SandboxManagerStub::CheckPermission(const uint64_t tokenId, const std::string &permission) +bool CheckPermission(const uint64_t tokenId, const std::string &permission) { int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permission); if (ret == Security::AccessToken::PermissionState::PERMISSION_GRANTED) { diff --git a/services/sandbox_manager/test/BUILD.gn b/services/sandbox_manager/test/BUILD.gn index c0c018a47654942f1d3e41a5a5c5c5e850f4d2d2..05c753574a9a0ba2b906159643e4a070a3e490b4 100644 --- a/services/sandbox_manager/test/BUILD.gn +++ b/services/sandbox_manager/test/BUILD.gn @@ -21,6 +21,7 @@ sandbox_manager_service_src = [ "../main/cpp/src/service/policy_info_manager.cpp", "../main/cpp/src/database/policy_field_const.cpp", "../main/cpp/src/database/sandbox_manager_db.cpp", + "../main/cpp/src/mac/mac_adapter.cpp", ] ohos_unittest("libsandbox_manager_service_standard_test") { @@ -42,6 +43,7 @@ ohos_unittest("libsandbox_manager_service_standard_test") { "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/database", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/sensitive", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/service", + "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/mac", ] sources = [ diff --git a/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp b/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp index e3d30140ff90c7c200da88b887dfd521fde4161e..fcbd5369cae3f67002b78395637899fdeef78d1a 100644 --- a/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp +++ b/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp @@ -167,22 +167,22 @@ HWTEST_F(SandboxManagerServiceTest, SandboxManagerServiceTest002, TestSize.Level std::vector policy; std::vector result0; uint64_t policyFlag = 0; - EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag)); + EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, result0)); uint64_t sizeLimit = 0; EXPECT_EQ(sizeLimit, result0.size()); policy.resize(POLICY_VECTOR_SIZE_LIMIT + 1); std::vector result; - EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag)); + EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, result)); sizeLimit = 0; EXPECT_EQ(sizeLimit, result.size()); policy.resize(1); - EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag)); + EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, result)); policyFlag = 1; - EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag)); - EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(0, policy, policyFlag)); + EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, result)); + EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(0, policy, policyFlag, result)); } /** @@ -425,8 +425,6 @@ HWTEST_F(SandboxManagerServiceTest, SandboxManagerStub001, TestSize.Level1) EXPECT_EQ(SANDBOX_MANAGER_SERVICE_PARCEL_ERR, sandboxManagerService_->UnPersistPolicyInner(data, reply)); data.WriteParcelable(policyInfoVectorParcel); sandboxManagerService_->UnPersistPolicyInner(data, reply); - uint64_t tokenId = 0; - EXPECT_EQ(false, sandboxManagerService_->CheckPermission(tokenId, ACCESS_PERSIST_PERMISSION_NAME)); } /** @@ -466,9 +464,9 @@ HWTEST_F(SandboxManagerServiceTest, SandboxManagerStub003, TestSize.Level1) MessageParcel data; MessageParcel reply; EXPECT_EQ(SANDBOX_MANAGER_SERVICE_PARCEL_ERR, sandboxManagerService_->SetPolicyInner(data, reply)); - data.WriteUint64(1); + data.WriteUint32(1); EXPECT_EQ(SANDBOX_MANAGER_SERVICE_PARCEL_ERR, sandboxManagerService_->SetPolicyInner(data, reply)); - data.WriteUint64(1); + data.WriteUint32(1); sptr policyInfoVectorParcel; data.WriteParcelable(policyInfoVectorParcel); EXPECT_EQ(SANDBOX_MANAGER_SERVICE_PARCEL_ERR, sandboxManagerService_->SetPolicyInner(data, reply)); @@ -637,14 +635,14 @@ HWTEST_F(SandboxManagerServiceTest, SandboxManagerStub008, TestSize.Level1) MessageParcel data, reply; EXPECT_EQ(SANDBOX_MANAGER_SERVICE_PARCEL_ERR, sandboxManagerService_->SetPolicyInner(data, reply)); - data.WriteUint64(sysGrantToken_); + data.WriteUint32(sysGrantToken_); data.WriteUint32(POLICY_VECTOR_SIZE_LIMIT + 1); EXPECT_EQ(SANDBOX_MANAGER_SERVICE_PARCEL_ERR, sandboxManagerService_->SetPolicyInner(data, reply)); - data.WriteUint64(sysGrantToken_); + data.WriteUint32(sysGrantToken_); std::vector policy; policy.emplace_back(PolicyInfo { - .path = "", + .path = "test path", .mode = 0b01, }); PolicyInfoVectorParcel policyInfoVectorParcel; diff --git a/test/fuzztest/innerkits/sandbox_manager/setpolicy_fuzzer/setpolicy_fuzzer.cpp b/test/fuzztest/innerkits/sandbox_manager/setpolicy_fuzzer/setpolicy_fuzzer.cpp index e9e5161d3af7e59aa8cf8b135957c0d1564a7344..474d386a41c7baf772d6941c8b3d367e2b2c8753 100644 --- a/test/fuzztest/innerkits/sandbox_manager/setpolicy_fuzzer/setpolicy_fuzzer.cpp +++ b/test/fuzztest/innerkits/sandbox_manager/setpolicy_fuzzer/setpolicy_fuzzer.cpp @@ -32,7 +32,7 @@ namespace OHOS { } std::vector policyVec; - uint64_t tokenId = static_cast(size); + uint32_t tokenId = static_cast(size); uint64_t policyFlag = static_cast(size); PolicyInfo policy = { @@ -40,8 +40,9 @@ namespace OHOS { .mode = static_cast(size), }; policyVec.emplace_back(policy); + std::vector result; - int32_t ret = SandboxManagerKit::SetPolicy(tokenId, policyVec, policyFlag); + int32_t ret = SandboxManagerKit::SetPolicy(tokenId, policyVec, policyFlag, result); return ret == SandboxManagerErrCode::SANDBOX_MANAGER_OK; } diff --git a/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni b/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni index f44d1957b63edf5cbd0cd4e3a2e73aed02d1d1fb..e683e65d783fc65fe94c7a409706d3103c870a82 100644 --- a/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni +++ b/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni @@ -21,6 +21,7 @@ sandbox_manager_include_dirs = [ "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/database", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/sensitive", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/service", + "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/mac", ] sandbox_manager_sources = [ @@ -30,6 +31,7 @@ sandbox_manager_sources = [ "${sandbox_manager_path}/services/common/database/src/variant_value.cpp", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/database/policy_field_const.cpp", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/database/sandbox_manager_db.cpp", + "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp", "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp", @@ -55,4 +57,4 @@ sandbox_manager_external_deps = [ "safwk:system_ability_fwk", "samgr:samgr_proxy", "sqlite:sqlite", -] \ No newline at end of file +] diff --git a/test/fuzztest/services/sandbox_manager/setpolicystub_fuzzer/setpolicystub_fuzzer.cpp b/test/fuzztest/services/sandbox_manager/setpolicystub_fuzzer/setpolicystub_fuzzer.cpp index 49548c222d977eeaacf966e18492498815ed7f81..4385b183f7e963337a20b3e21c04d430918f71d3 100644 --- a/test/fuzztest/services/sandbox_manager/setpolicystub_fuzzer/setpolicystub_fuzzer.cpp +++ b/test/fuzztest/services/sandbox_manager/setpolicystub_fuzzer/setpolicystub_fuzzer.cpp @@ -48,7 +48,7 @@ namespace OHOS { return false; } - if (!datas.WriteUint64(tokenId)) { + if (!datas.WriteUint32(tokenId)) { return false; }