diff --git a/bundle.json b/bundle.json index bce66d47d38a3de4b19d3159456fb7fd77f93764..942cced09a31f65756d3f23cb0a2ad3ec735ca99 100644 --- a/bundle.json +++ b/bundle.json @@ -36,7 +36,8 @@ "common_event_service", "ability_base", "sqlite", - "relational_store" + "relational_store", + "os_account" ], "third_party": [] }, diff --git a/frameworks/inner_api/sandbox_manager/include/sandbox_manager_client.h b/frameworks/inner_api/sandbox_manager/include/sandbox_manager_client.h index f7e8ea0820dcdfab9307e23d2501f1c4391fc0df..d672b11358746be050c6c220ce5d7c1a8aa03144 100644 --- a/frameworks/inner_api/sandbox_manager/include/sandbox_manager_client.h +++ b/frameworks/inner_api/sandbox_manager/include/sandbox_manager_client.h @@ -43,20 +43,22 @@ public: int32_t PersistPolicy(const std::vector &policy, std::vector &result); int32_t UnPersistPolicy(const std::vector &policy, std::vector &result); int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, - std::vector &result); + std::vector &result, uint64_t timestamp); int32_t UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy); - int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag); + int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + uint64_t timestamp); int32_t UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy); int32_t CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result); - int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result); + int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result, + bool useCallerToken, uint32_t tokenId, uint64_t timestamp); int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result); int32_t CheckPersistPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result); int32_t PersistPolicyByTokenId( uint32_t tokenId, const std::vector &policy, std::vector &result); int32_t UnPersistPolicyByTokenId( uint32_t tokenId, const std::vector &policy, std::vector &result); - int32_t StartAccessingByTokenId(uint32_t tokenId); - int32_t UnSetAllPolicyByToken(uint32_t tokenId); + int32_t StartAccessingByTokenId(uint32_t tokenId, uint64_t timestamp); + int32_t UnSetAllPolicyByToken(uint32_t tokenId, uint64_t timestamp); private: SandboxManagerClient(); diff --git a/frameworks/inner_api/sandbox_manager/include/sandbox_manager_proxy.h b/frameworks/inner_api/sandbox_manager/include/sandbox_manager_proxy.h index b54216b07ca5e728337fc31fa07b747e928f73ce..c87e48996ccdaa98b738b9740983fd17b5241749 100644 --- a/frameworks/inner_api/sandbox_manager/include/sandbox_manager_proxy.h +++ b/frameworks/inner_api/sandbox_manager/include/sandbox_manager_proxy.h @@ -35,12 +35,14 @@ public: int32_t PersistPolicy(const std::vector &policy, std::vector &result) override; int32_t UnPersistPolicy(const std::vector &policy, std::vector &result) override; int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, - std::vector &result) override; + std::vector &result, uint64_t timestamp) override; int32_t UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy) override; - int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag) override; + int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + uint64_t timestamp) override; int32_t UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy) override; int32_t CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result) override; - int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result) override; + int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result, + bool useCallerToken, uint32_t tokenId, uint64_t timestamp) override; int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result) override; int32_t CheckPersistPolicy( uint32_t tokenId, const std::vector &policy, std::vector &result) override; @@ -48,8 +50,8 @@ public: uint32_t tokenId, const std::vector &policy, std::vector &result) override; int32_t UnPersistPolicyByTokenId( uint32_t tokenId, const std::vector &policy, std::vector &result) override; - int32_t StartAccessingByTokenId(uint32_t tokenId) override; - int32_t UnSetAllPolicyByToken(uint32_t tokenId) override; + int32_t StartAccessingByTokenId(uint32_t tokenId, uint64_t timestamp) override; + int32_t UnSetAllPolicyByToken(uint32_t tokenId, uint64_t timestamp) override; private: int32_t SendRequest(SandboxManagerInterfaceCode code, MessageParcel &data, MessageParcel &reply); int32_t SendRequest(SandboxManagerInterfaceCode code, MessageParcel &data, MessageParcel &reply, diff --git a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_client.cpp b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_client.cpp index 8c85cc5d01ae54282ba16fa99a33f2fe961628c8..a92626da4227c5409acf0f91a7d137f10dff98c3 100644 --- a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_client.cpp +++ b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_client.cpp @@ -97,10 +97,10 @@ int32_t SandboxManagerClient::UnPersistPolicyByTokenId( } int32_t SandboxManagerClient::SetPolicy(uint32_t tokenId, const std::vector &policy, - uint64_t policyFlag, std::vector &result) + uint64_t policyFlag, std::vector &result, uint64_t timestamp) { std::function &)> func = - [&](sptr &proxy) { return proxy->SetPolicy(tokenId, policy, policyFlag, result); }; + [&](sptr &proxy) { return proxy->SetPolicy(tokenId, policy, policyFlag, result, timestamp); }; return CallProxyWithRetry(func, __FUNCTION__); } @@ -112,10 +112,10 @@ int32_t SandboxManagerClient::UnSetPolicy(uint32_t tokenId, const PolicyInfo &po } int32_t SandboxManagerClient::SetPolicyAsync(uint32_t tokenId, const std::vector &policy, - uint64_t policyFlag) + uint64_t policyFlag, uint64_t timestamp) { std::function &)> func = - [&](sptr &proxy) { return proxy->SetPolicyAsync(tokenId, policy, policyFlag); }; + [&](sptr &proxy) { return proxy->SetPolicyAsync(tokenId, policy, policyFlag, timestamp); }; return CallProxyWithRetry(func, __FUNCTION__); } @@ -134,11 +134,12 @@ int32_t SandboxManagerClient::CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result) +int32_t SandboxManagerClient::StartAccessingPolicy(const std::vector &policy, std::vector &result, + bool useCallerToken, uint32_t tokenId, uint64_t timestamp) { - std::function &)> func = - [&](sptr &proxy) { return proxy->StartAccessingPolicy(policy, result); }; + std::function &)> func = [&](sptr &proxy) { + return proxy->StartAccessingPolicy(policy, result, useCallerToken, tokenId, timestamp); + }; return CallProxyWithRetry(func, __FUNCTION__); } @@ -157,17 +158,18 @@ int32_t SandboxManagerClient::CheckPersistPolicy( return CallProxyWithRetry(func, __FUNCTION__); } -int32_t SandboxManagerClient::StartAccessingByTokenId(uint32_t tokenId) +int32_t SandboxManagerClient::StartAccessingByTokenId(uint32_t tokenId, uint64_t timestamp) { - std::function &)> func = - [&](sptr &proxy) { return proxy->StartAccessingByTokenId(tokenId); }; + std::function &)> func = [&](sptr &proxy) { + return proxy->StartAccessingByTokenId(tokenId, timestamp); + }; return CallProxyWithRetry(func, __FUNCTION__); } -int32_t SandboxManagerClient::UnSetAllPolicyByToken(uint32_t tokenId) +int32_t SandboxManagerClient::UnSetAllPolicyByToken(uint32_t tokenId, uint64_t timestamp) { std::function &)> func = - [&](sptr &proxy) { return proxy->UnSetAllPolicyByToken(tokenId); }; + [&](sptr &proxy) { return proxy->UnSetAllPolicyByToken(tokenId, timestamp); }; return CallProxyWithRetry(func, __FUNCTION__); } diff --git a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp index a85ad703888e65a5164044fc09acec57469301fd..87ecc371e4662960921ebd3299873720bde94f0d 100644 --- a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp +++ b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_kit.cpp @@ -95,6 +95,12 @@ int32_t SandboxManagerKit::UnPersistPolicy( int32_t SandboxManagerKit::SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, std::vector &result) +{ + return SetPolicy(tokenId, policy, policyFlag, result, 0); +} + +int32_t SandboxManagerKit::SetPolicy(uint32_t tokenId, const std::vector &policy, + uint64_t policyFlag, std::vector &result, uint64_t timestamp) { size_t policySize = policy.size(); if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { @@ -109,7 +115,7 @@ int32_t SandboxManagerKit::SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag) +{ + return SetPolicyAsync(tokenId, policy, policyFlag, 0); +} + +int32_t SandboxManagerKit::SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + uint64_t timestamp) { size_t policySize = policy.size(); if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { @@ -141,7 +153,7 @@ int32_t SandboxManagerKit::SetPolicyAsync(uint32_t tokenId, const std::vector &policy, std::vector &result) +{ + bool useCallerToken = true; + uint64_t timestamp = 0; + return StartAccessingPolicy(policy, result, useCallerToken, 0, timestamp); +} + +int32_t SandboxManagerKit::StartAccessingPolicy(const std::vector &policy, std::vector &result, + bool useCallerToken, uint32_t tokenId, uint64_t timestamp) { SANDBOXMANAGER_LOG_DEBUG(LABEL, "Called"); size_t policySize = policy.size(); @@ -178,7 +198,7 @@ int32_t SandboxManagerKit::StartAccessingPolicy(const std::vector &p return SandboxManagerErrCode::INVALID_PARAMTER; } result.clear(); - return SandboxManagerClient::GetInstance().StartAccessingPolicy(policy, result); + return SandboxManagerClient::GetInstance().StartAccessingPolicy(policy, result, useCallerToken, tokenId, timestamp); } int32_t SandboxManagerKit::StopAccessingPolicy(const std::vector &policy, std::vector &result) @@ -207,23 +227,33 @@ int32_t SandboxManagerKit::CheckPersistPolicy( } int32_t SandboxManagerKit::StartAccessingByTokenId(uint32_t tokenId) +{ + return StartAccessingByTokenId(tokenId, 0); +} + +int32_t SandboxManagerKit::StartAccessingByTokenId(uint32_t tokenId, uint64_t timestamp) { SANDBOXMANAGER_LOG_INFO(LABEL, "Input tokenId = %{public}d.", tokenId); if (tokenId == 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid input token."); return SandboxManagerErrCode::INVALID_PARAMTER; } - return SandboxManagerClient::GetInstance().StartAccessingByTokenId(tokenId); + return SandboxManagerClient::GetInstance().StartAccessingByTokenId(tokenId, timestamp); } int32_t SandboxManagerKit::UnSetAllPolicyByToken(uint32_t tokenId) +{ + return UnSetAllPolicyByToken(tokenId, 0); +} + +int32_t SandboxManagerKit::UnSetAllPolicyByToken(uint32_t tokenId, uint64_t timestamp) { SANDBOXMANAGER_LOG_INFO(LABEL, "Input tokenId = %{public}d.", tokenId); if (tokenId == 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid input token."); return SandboxManagerErrCode::INVALID_PARAMTER; } - return SandboxManagerClient::GetInstance().UnSetAllPolicyByToken(tokenId); + return SandboxManagerClient::GetInstance().UnSetAllPolicyByToken(tokenId, timestamp); } } // SandboxManager } // AccessControl diff --git a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_proxy.cpp b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_proxy.cpp index d1d5183b50a780a9152b5088cb718df17fa3d304..ab3403a15079f24c0bdbb49ec528a2440ee4313d 100644 --- a/frameworks/inner_api/sandbox_manager/src/sandbox_manager_proxy.cpp +++ b/frameworks/inner_api/sandbox_manager/src/sandbox_manager_proxy.cpp @@ -233,7 +233,7 @@ int32_t SandboxManagerProxy::UnPersistPolicyByTokenId( } static bool WriteSetPolicyParcel(MessageParcel &data, uint32_t tokenId, const std::vector &policy, - uint64_t policyFlag) + uint64_t policyFlag, uint64_t timestamp) { if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor failed."); @@ -243,6 +243,10 @@ static bool WriteSetPolicyParcel(MessageParcel &data, uint32_t tokenId, const st SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId failed."); return false; } + if (!data.WriteUint64(timestamp)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write timestamp failed."); + return false; + } PolicyInfoVectorParcel policyInfoVectorParcel; policyInfoVectorParcel.policyVector = policy; @@ -259,10 +263,10 @@ static bool WriteSetPolicyParcel(MessageParcel &data, uint32_t tokenId, const st } int32_t SandboxManagerProxy::SetPolicy(uint32_t tokenId, const std::vector &policy, - uint64_t policyFlag, std::vector &result) + uint64_t policyFlag, std::vector &result, uint64_t timestamp) { MessageParcel data; - if (!WriteSetPolicyParcel(data, tokenId, policy, policyFlag)) { + if (!WriteSetPolicyParcel(data, tokenId, policy, policyFlag, timestamp)) { return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } @@ -289,10 +293,10 @@ int32_t SandboxManagerProxy::SetPolicy(uint32_t tokenId, const std::vector &policy, - uint64_t policyFlag) + uint64_t policyFlag, uint64_t timestamp) { MessageParcel data; - if (!WriteSetPolicyParcel(data, tokenId, policy, policyFlag)) { + if (!WriteSetPolicyParcel(data, tokenId, policy, policyFlag, timestamp)) { return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } @@ -396,7 +400,8 @@ int32_t SandboxManagerProxy::CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result) +int32_t SandboxManagerProxy::StartAccessingPolicy(const std::vector &policy, std::vector &result, + bool useCallerToken, uint32_t tokenId, uint64_t timestamp) { MessageParcel data; if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { @@ -404,6 +409,21 @@ int32_t SandboxManagerProxy::StartAccessingPolicy(const std::vector return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } + if (!data.WriteBool(useCallerToken)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write useCallerToken failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + if (!data.WriteUint32(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + if (!data.WriteUint64(timestamp)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write timestamp failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + PolicyInfoVectorParcel policyInfoVectorParcel; policyInfoVectorParcel.policyVector = policy; if (!data.WriteParcelable(&policyInfoVectorParcel)) { @@ -506,7 +526,7 @@ int32_t SandboxManagerProxy::CheckPersistPolicy(uint32_t tokenId, const std::vec return remoteRet; } -int32_t SandboxManagerProxy::StartAccessingByTokenId(uint32_t tokenId) +int32_t SandboxManagerProxy::StartAccessingByTokenId(uint32_t tokenId, uint64_t timestamp) { MessageParcel data; if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { @@ -518,6 +538,11 @@ int32_t SandboxManagerProxy::StartAccessingByTokenId(uint32_t tokenId) return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } + if (!data.WriteUint64(timestamp)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write timestamp fail."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + MessageParcel reply; MessageOption option(MessageOption::TF_ASYNC); int32_t requestRet = SendRequest(SandboxManagerInterfaceCode::START_ACCESSING_BY_TOKEN, data, reply, option); @@ -528,7 +553,7 @@ int32_t SandboxManagerProxy::StartAccessingByTokenId(uint32_t tokenId) return SANDBOX_MANAGER_OK; } -int32_t SandboxManagerProxy::UnSetAllPolicyByToken(uint32_t tokenId) +int32_t SandboxManagerProxy::UnSetAllPolicyByToken(uint32_t tokenId, uint64_t timestamp) { MessageParcel data; if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { @@ -540,6 +565,11 @@ int32_t SandboxManagerProxy::UnSetAllPolicyByToken(uint32_t tokenId) return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } + if (!data.WriteUint64(timestamp)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write timestamp failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + MessageParcel reply; MessageOption option(MessageOption::TF_ASYNC); int32_t requestRet = SendRequest(SandboxManagerInterfaceCode::UNSET_ALL_POLICY_BY_TOKEN, data, reply, option); diff --git a/frameworks/inner_api/sandbox_manager/test/BUILD.gn b/frameworks/inner_api/sandbox_manager/test/BUILD.gn index 2fa57e4f60b2130769dbae08ee305d0371be0af2..29ca097486be42c8720c8be8db93753c3df016c7 100644 --- a/frameworks/inner_api/sandbox_manager/test/BUILD.gn +++ b/frameworks/inner_api/sandbox_manager/test/BUILD.gn @@ -29,12 +29,15 @@ ohos_unittest("libsandbox_manager_sdk_test") { include_dirs = [ "${sandbox_manager_path}/frameworks/sandbox_manager/include", "${sandbox_manager_path}/frameworks/common/include", + "${sandbox_manager_path}/interfaces/inner_api/sandbox_manager/include", + "${sandbox_manager_path}/services/sandbox_manager/main/cpp/include/mac", "../include", "../src", "unittest/include", ] sources = [ + "${sandbox_manager_path}/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp", "unittest/src/sandbox_manager_kit_coverage_test.cpp", "unittest/src/sandbox_manager_kit_test.cpp", ] @@ -46,8 +49,8 @@ ohos_unittest("libsandbox_manager_sdk_test") { configs = [ "${sandbox_manager_path}/config:coverage_flags" ] deps = [ - "${sandbox_manager_path}/frameworks/sandbox_manager:sandbox_manager_communication_adapter_cxx", "${sandbox_manager_path}/frameworks/inner_api/sandbox_manager/:libsandbox_manager_sdk", + "${sandbox_manager_path}/frameworks/sandbox_manager:sandbox_manager_communication_adapter_cxx", ] external_deps = [ diff --git a/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp b/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp index 0a742737f03d4afa71ed3437696a0de7c89caa33..2d65a3db865a3928b121f7c2012806b9252400f0 100644 --- a/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp +++ b/frameworks/inner_api/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp @@ -33,6 +33,7 @@ #include "sandbox_manager_log.h" #include "sandbox_manager_kit.h" #include "token_setproc.h" +#include "mac_adapter.h" #define HM_DEC_IOCTL_BASE 's' #define HM_DENY_POLICY_ID 6 @@ -52,6 +53,7 @@ const uint64_t POLICY_VECTOR_SIZE_LIMIT = 500; const int32_t FOUNDATION_UID = 5523; #endif const size_t MAX_POLICY_NUM = 8; +const int DEC_POLICY_HEADER_RESERVED = 64; uint32_t g_selfTokenId; uint32_t g_mockToken; Security::AccessToken::PermissionStateFull g_testState1 = { @@ -69,7 +71,7 @@ Security::AccessToken::PermissionStateFull g_testState2 = { .grantFlags = {0}, }; Security::AccessToken::HapInfoParams g_testInfoParms = { - .userID = 1, + .userID = 100, .bundleName = "sandbox_manager_test", .instIndex = 0, .appIDDesc = "test" @@ -92,8 +94,11 @@ struct PathInfo { struct SandboxPolicyInfo { uint64_t tokenId = 0; + uint64_t timestamp = 0; struct PathInfo pathInfos[MAX_POLICY_NUM]; uint32_t pathNum = 0; + int32_t userId = 0; + uint64_t reserved[DEC_POLICY_HEADER_RESERVED]; bool persist = false; }; @@ -1814,6 +1819,115 @@ HWTEST_F(SandboxManagerKitTest, UnSetAllPolicyByTokenTest001, TestSize.Level1) ASSERT_EQ(1, result.size()); EXPECT_FALSE(result[0]); } + +HWTEST_F(SandboxManagerKitTest, TimestampTest001, TestSize.Level1) +{ + SetDeny("/a/b"); + std::vector policyA; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParentA = { + .path = "/a/b/c", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policyA.emplace_back(infoParentA); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult, 5)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, policyResult[0]); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetAllPolicyByToken(g_mockToken, 4)); + sleep(1); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetAllPolicyByToken(g_mockToken, 6)); + sleep(1); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); +} + +HWTEST_F(SandboxManagerKitTest, TimestampTest002, TestSize.Level1) +{ + SetDeny("/a/b"); + std::vector policyA; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParentA = { + .path = "/a/b/c", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policyA.emplace_back(infoParentA); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult, 5)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, policyResult[0]); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetAllPolicyByToken(g_mockToken, 4)); + sleep(1); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult, 2)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, policyResult[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetAllPolicyByToken(g_mockToken, 4)); + sleep(1); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); +} + +HWTEST_F(SandboxManagerKitTest, UserIdTest001, TestSize.Level1) +{ + MacAdapter macAdapter; + macAdapter.Init(); + std::vector policy; + std::vector u32Res; + MacParams macParams; + macParams.tokenId = 100; + macParams.policyFlag = 1; + macParams.timestamp = 0; + macParams.userId = 100; + PolicyInfo infoParentA = { + .path = "/a/b/c", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParentA); + u32Res.resize(policy.size()); + SetDeny("/a/b"); + EXPECT_EQ(SANDBOX_MANAGER_OK, macAdapter.SetSandboxPolicy(policy, u32Res, macParams)); + macParams.tokenId = 101; + macParams.userId = 101; + EXPECT_EQ(SANDBOX_MANAGER_OK, macAdapter.SetSandboxPolicy(policy, u32Res, macParams)); + std::vector boolRes; + boolRes.resize(policy.size()); + EXPECT_EQ(SANDBOX_MANAGER_OK, macAdapter.QuerySandboxPolicy(100, policy, boolRes)); + EXPECT_TRUE(boolRes[0]); + EXPECT_EQ(SANDBOX_MANAGER_OK, macAdapter.QuerySandboxPolicy(101, policy, boolRes)); + EXPECT_TRUE(boolRes[0]); + EXPECT_EQ(SANDBOX_MANAGER_OK, macAdapter.UnSetSandboxPolicyByUser(100, policy, boolRes)); + EXPECT_EQ(SANDBOX_MANAGER_OK, macAdapter.QuerySandboxPolicy(100, policy, boolRes)); + EXPECT_FALSE(boolRes[0]); + EXPECT_EQ(SANDBOX_MANAGER_OK, macAdapter.QuerySandboxPolicy(101, policy, boolRes)); + EXPECT_TRUE(boolRes[0]); +} + #endif } // SandboxManager } // AccessControl diff --git a/frameworks/sandbox_manager/include/i_sandbox_manager.h b/frameworks/sandbox_manager/include/i_sandbox_manager.h index f4ac914e1c565b88235904e2865eae0c4528ee98..63c0599d21758ed56b301538a34ae2040423df4b 100644 --- a/frameworks/sandbox_manager/include/i_sandbox_manager.h +++ b/frameworks/sandbox_manager/include/i_sandbox_manager.h @@ -39,17 +39,19 @@ public: virtual int32_t UnPersistPolicyByTokenId( uint32_t tokenId, const std::vector &policy, std::vector &result) = 0; virtual int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, - std::vector &result) = 0; + std::vector &result, uint64_t timestamp) = 0; virtual int32_t UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy) = 0; - virtual int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag) = 0; + virtual int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + uint64_t timestamp) = 0; virtual int32_t UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy) = 0; virtual int32_t CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result) = 0; - virtual int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result) = 0; + virtual int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result, + bool useCallerToken, uint32_t tokenId, uint64_t timestamp) = 0; virtual int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result) = 0; virtual int32_t CheckPersistPolicy( uint32_t tokenId, const std::vector &policy, std::vector &result) = 0; - virtual int32_t StartAccessingByTokenId(uint32_t tokenId) = 0; - virtual int32_t UnSetAllPolicyByToken(uint32_t tokenId) = 0; + virtual int32_t StartAccessingByTokenId(uint32_t tokenId, uint64_t timestamp) = 0; + virtual int32_t UnSetAllPolicyByToken(uint32_t tokenId, uint64_t timestamp) = 0; }; } // namespace SandboxManager } // namespace AccessControl diff --git a/interfaces/inner_api/sandbox_manager/include/sandbox_manager_kit.h b/interfaces/inner_api/sandbox_manager/include/sandbox_manager_kit.h index b09c666a8b4615f2ae531c401c84fa662bd2efc4..8656d5be263569415600fcb4d8037aec36dea9ba 100644 --- a/interfaces/inner_api/sandbox_manager/include/sandbox_manager_kit.h +++ b/interfaces/inner_api/sandbox_manager/include/sandbox_manager_kit.h @@ -74,6 +74,16 @@ public: */ static int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, std::vector &result); + /** + * @brief Set policys with a given tokenId to MAC layer + * @param tokenId a given tokenId + * @param policy vector of PolicyInfo, see policy_info.h + * @param policyFlag flag of policy + * @param timestamp timestamp of policy + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result, uint64_t timestamp); /** * @brief Unset policy with a given tokenId from MAC layer * @param tokenId a given tokenId @@ -89,6 +99,16 @@ public: * @return SandboxManagerErrCode, see sandbox_manager_err_code.h */ static int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag); + /** + * @brief Set policys with a given tokenId to MAC layer async + * @param tokenId a given tokenId + * @param policy vector of PolicyInfo, see policy_info.h + * @param policyFlag flag of policy + * @param timestamp timestamp of policy + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + uint64_t timestamp); /** * @brief Unset policy with a given tokenId from MAC layer async * @param tokenId a given tokenId @@ -112,6 +132,18 @@ public: * @return SandboxManagerErrCode, see sandbox_manager_err_code.h */ static int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result); + /** + * @brief Set existing persisted policys with caller's tokenId or a given tokenId + * to MAC layer, not existed policy would be ignored, but have a return in result + * @param policy vector of PolicyInfo, see policy_info.h + * @param result insert result of each policy, result is SandboxRetType in policy_info.h + * @param useCallerToken use caller token if true, else use the given tokenId + * @param tokenId a given tokenId + * @param timestamp timestamp to access policy + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result, + bool useCallerToken, uint32_t tokenId, uint64_t timestamp); /** * @brief Stop existing persisted policys with caller's tokenId to MAC layer * not existed policy would be ignored, but have a return in result @@ -134,12 +166,26 @@ public: * @return SandboxManagerErrCode, see sandbox_manager_err_code.h */ static int32_t StartAccessingByTokenId(uint32_t tokenId); + /** + * @brief load all policys by tokenid that auto-loaded flag = 1 + * @param tokenId a given tokenId + * @param timestamp timestamp to access policy + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t StartAccessingByTokenId(uint32_t tokenId, uint64_t timestamp); /** * @brief unset all policy of a given tokenid * @param tokenId a given tokenId * @return SandboxManagerErrCode, see sandbox_manager_err_code.h */ static int32_t UnSetAllPolicyByToken(uint32_t tokenId); + /** + * @brief unset all policy of a given tokenid + * @param tokenId a given tokenId + * @param timestamp timestamp to unset policy + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t UnSetAllPolicyByToken(uint32_t tokenId, uint64_t timestamp); }; } // SandboxManager } // AccessControl diff --git a/interfaces/inner_api/sandbox_manager/libsandbox_manager_sdk.map b/interfaces/inner_api/sandbox_manager/libsandbox_manager_sdk.map index 32d1dcfd41f94441cd46f8fba086ab8ac99ae84e..5dcedff2b3654b16d868d223a54af0d734399d8d 100644 --- a/interfaces/inner_api/sandbox_manager/libsandbox_manager_sdk.map +++ b/interfaces/inner_api/sandbox_manager/libsandbox_manager_sdk.map @@ -21,18 +21,28 @@ "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnPersistPolicy(std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned int, std::__h::vector> const&, unsigned long, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned int, std::__h::vector> const&, unsigned long long, std::__h::vector>&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned int, std::__h::vector> const&, unsigned long, std::__h::vector>&, unsigned long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned int, std::__h::vector> const&, unsigned long long, std::__h::vector>&, unsigned long long)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicyAsync(unsigned int, std::__h::vector> const&, unsigned long)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicyAsync(unsigned int, std::__h::vector> const&, unsigned long long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicyAsync(unsigned int, std::__h::vector> const&, unsigned long, unsigned long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicyAsync(unsigned int, std::__h::vector> const&, unsigned long long, unsigned long long)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetPolicy(unsigned int, OHOS::AccessControl::SandboxManager::PolicyInfo const&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetPolicyAsync(unsigned int, OHOS::AccessControl::SandboxManager::PolicyInfo const&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPolicy(unsigned int, std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingPolicy(std::__h::vector> const&, std::__h::vector>&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingPolicy(std::__h::vector> const&, std::__h::vector>&, bool, unsigned int, unsigned long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingPolicy(std::__h::vector> const&, std::__h::vector>&, bool, unsigned int, unsigned long long)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StopAccessingPolicy(std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPersistPolicy(unsigned int, std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerClient::GetInstance()"; "OHOS::AccessControl::SandboxManager::SandboxManagerClient::InitProxy()"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingByTokenId(unsigned int)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingByTokenId(unsigned int, unsigned long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingByTokenId(unsigned int, unsigned long long)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetAllPolicyByToken(unsigned int)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetAllPolicyByToken(unsigned int, unsigned long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetAllPolicyByToken(unsigned int, unsigned long long)"; ""; ""; }; diff --git a/services/sandbox_manager/BUILD.gn b/services/sandbox_manager/BUILD.gn index 12a6ce1b823070a18f64b3a5d7ecea69672258ee..bdd53f7932bed64fa3f69cf8aef7933d7fd34179 100644 --- a/services/sandbox_manager/BUILD.gn +++ b/services/sandbox_manager/BUILD.gn @@ -78,6 +78,7 @@ if (is_standard_system) { "eventhandler:libeventhandler", "hilog:libhilog", "ipc:ipc_core", + "os_account:os_account_innerkits", "relational_store:native_rdb", "safwk:system_ability_fwk", "samgr:samgr_proxy", diff --git a/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h b/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h index 02a1dcc194c8a3d2b3bebbffd4d17cfdb5298ee6..7244785ff329d77f00d1a818f03801c5e08b045f 100644 --- a/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h +++ b/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h @@ -22,6 +22,13 @@ namespace OHOS { namespace AccessControl { namespace SandboxManager { + +struct MacParams { + uint32_t tokenId; + uint64_t policyFlag; + uint64_t timestamp; + int32_t userId; +}; class MacAdapter { public: explicit MacAdapter(); @@ -29,13 +36,14 @@ public: void Init(); bool IsMacSupport(); - int32_t SetSandboxPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, - std::vector &result); + int32_t SetSandboxPolicy(const std::vector &policy, std::vector &result, + MacParams &macParams); int32_t UnSetSandboxPolicy(uint32_t tokenId, const PolicyInfo &policy); int32_t UnSetSandboxPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result); int32_t QuerySandboxPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result); int32_t CheckSandboxPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result); - int32_t DestroySandboxPolicy(uint32_t tokenId); + int32_t DestroySandboxPolicy(uint32_t tokenId, uint64_t timestamp); + int32_t UnSetSandboxPolicyByUser(int32_t userId, const std::vector &policy, std::vector &result); private: int32_t fd_ = -1; diff --git a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h index 80d293ebfb2cd1f8865c1f7ce5f76fd4773fed41..54134688355f3b72e94bed33a02a9dde65c26893 100644 --- a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h +++ b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h @@ -86,10 +86,11 @@ public: * @param tokenId token id of the object * @param policy vector of PolicyInfo, see policy_info.h * @param result set result of each policy + * @param timestamp timestamp of policy * @return SANDBOX_MANAGER_MAC_IOCTL_ERR / SANDBOX_MANAGER_OK */ int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, - std::vector &result); + std::vector &result, uint64_t timestamp = 0); /** * @brief unset policies of a certain tokenId * @param tokenId token id of the object @@ -114,18 +115,20 @@ public: /** * @brief activate all policys of input token that flag = 1 * @param tokenId token id of the object + * @param timestamp timestamp to access policy * @return int32_t */ - int32_t StartAccessingByTokenId(const uint32_t tokenId); + int32_t StartAccessingByTokenId(const uint32_t tokenId, uint64_t timestamp = 0); /** * @brief activate input persist policys * @param tokenId token id of the object * @param policy vector of PolicyInfo, see policy_info.h * @param result remove result of each policy + * @param timestamp timestamp to access policy * @return int32_t */ - int32_t StartAccessingPolicy( - const uint32_t tokenId, const std::vector &policy, std::vector &results); + int32_t StartAccessingPolicy(const uint32_t tokenId, const std::vector &policy, + std::vector &results, uint64_t timestamp = 0); /** * @brief deactivate input persist policys * @param tokenId token id of the object @@ -138,15 +141,16 @@ public: /** * @brief deactivate all policys with given tokenid * @param tokenId token id of the object + * @param timestamp timestamp to unset policy * @return int32_t */ - int32_t UnSetAllPolicyByToken(const uint32_t tokenId); + int32_t UnSetAllPolicyByToken(const uint32_t tokenId, uint64_t timestamp = 0); private: /** * @brief Clean policy list on MAC * @param GenericValues vector */ - void CleanPolicyOnMac(const std::vector &results); + void CleanPolicyOnMac(const std::vector &filePathList, int32_t userId); /** * @brief find a record with same token and policy path (mode not inclued) @@ -230,6 +234,21 @@ private: * @return INVALID_PATH / INVALID_MODE / SANDBOX_MANAGER_OK */ int32_t CheckPolicyValidity(const PolicyInfo &policy); + /** + * @brief remove policies not belong to the user + * @param results input policies to check + * @param userId delete policies not belong to this user + * @return + */ + void RemoveResultByUserId(std::vector &results, int32_t userId); + /** + * @brief get mac params with inputs + * @param tokenId a given tokenId + * @param policyFlag persist policy flag + * @param timestamp timestamp of the policy + * @return mac params structure + */ + MacParams GetMacParams(uint32_t tokenId, uint64_t policyFlag, uint64_t timestamp); private: MacAdapter macAdapter_; diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h index 57926702c77d6cf87d9e839c19c0e782b85f33c4..e11c01e40599ff9f4d77778ec87a88333f49c9ea 100644 --- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h +++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h @@ -49,17 +49,19 @@ public: int32_t UnPersistPolicyByTokenId( uint32_t tokenId, const std::vector &policy, std::vector &result) override; int32_t SetPolicy(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, - std::vector &result) override; + std::vector &result, uint64_t timestamp = 0) override; int32_t UnSetPolicy(uint32_t tokenId, const PolicyInfo &policy) override; - int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag) override; + int32_t SetPolicyAsync(uint32_t tokenId, const std::vector &policy, uint64_t policyFlag, + uint64_t timestamp = 0) override; int32_t UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy) override; int32_t CheckPolicy(uint32_t tokenId, const std::vector &policy, std::vector &result) override; - int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result) override; + int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result, + bool useCallerToken = true, uint32_t tokenId = 0, uint64_t timestamp = 0) override; int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result) override; int32_t CheckPersistPolicy( uint32_t tokenId, const std::vector &policy, std::vector &result) override; - int32_t StartAccessingByTokenId(uint32_t tokenId) override; - int32_t UnSetAllPolicyByToken(uint32_t tokenId) override; + int32_t StartAccessingByTokenId(uint32_t tokenId, uint64_t timestamp = 0) override; + int32_t UnSetAllPolicyByToken(uint32_t tokenId, uint64_t timestamp = 0) override; void onRemovePackage(uint32_t tokenId); void DelayUnloadService() override; diff --git a/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp b/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp index 11cdae96aeadd31f9657760f0c0bbc2f3454bb38..c43361bd7703d091c3a6da14fe5416d4170204fd 100644 --- a/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp +++ b/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp @@ -33,6 +33,7 @@ static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = { constexpr const char* DEV_NODE = "/dev/dec"; const size_t MAX_POLICY_NUM = 8; +const int DEC_POLICY_HEADER_RESERVED = 64; struct PathInfo { char *path = nullptr; @@ -43,8 +44,11 @@ struct PathInfo { struct SandboxPolicyInfo { uint64_t tokenId = 0; + uint64_t timestamp = 0; struct PathInfo pathInfos[MAX_POLICY_NUM]; uint32_t pathNum = 0; + int32_t userId = 0; + uint64_t reserved[DEC_POLICY_HEADER_RESERVED]; bool persist = false; }; @@ -54,12 +58,14 @@ struct SandboxPolicyInfo { #define QUERY_POLICY 3 #define CHECK_POLICY 4 #define DESTROY_POLICY 5 +#define DEL_POLICY_BY_USER 7 #define SET_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, SET_POLICY, struct SandboxPolicyInfo) #define UN_SET_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, UN_SET_POLICY, struct SandboxPolicyInfo) #define QUERY_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, QUERY_POLICY, struct SandboxPolicyInfo) #define CHECK_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, CHECK_POLICY, struct SandboxPolicyInfo) -#define DESTROY_POLICY_CMD _IOW(SANDBOX_IOCTL_BASE, DESTROY_POLICY, uint64_t) +#define DESTROY_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, DESTROY_POLICY, struct SandboxPolicyInfo) +#define DEL_DEC_POLICY_BY_USER_CMD _IOWR(SANDBOX_IOCTL_BASE, DEL_POLICY_BY_USER, struct SandboxPolicyInfo) MacAdapter::MacAdapter() {} @@ -92,11 +98,12 @@ bool MacAdapter::IsMacSupport() return isMacSupport_; } -int32_t MacAdapter::SetSandboxPolicy(uint32_t tokenId, const std::vector &policy, - uint64_t policyFlag, std::vector &result) +int32_t MacAdapter::SetSandboxPolicy(const std::vector &policy, std::vector &result, + MacParams &macParams) { - SANDBOXMANAGER_LOG_INFO(LABEL, "Set sandbox policy target:%{public}u flag:%{public}" PRIu64 ".", tokenId, - policyFlag); + SANDBOXMANAGER_LOG_INFO(LABEL, + "Set sandbox policy target:%{public}u flag:%{public}" PRIu64 " timestamp:%{public}" PRIu64 " userId:%{public}d", + macParams.tokenId, macParams.policyFlag, macParams.timestamp, macParams.userId); if (fd_ < 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); return SANDBOX_MANAGER_MAC_NOT_INIT; @@ -108,16 +115,18 @@ int32_t MacAdapter::SetSandboxPolicy(uint32_t tokenId, const std::vector(policy[offset + i].path.c_str()); info.pathInfos[i].pathLen = policy[offset + i].path.length(); info.pathInfos[i].mode = policy[offset + i].mode; SANDBOXMANAGER_LOG_INFO(LABEL, "Set policy paths target:%{public}u path:%{private}s mode:%{public}d", - tokenId, info.pathInfos[i].path, info.pathInfos[i].mode); + macParams.tokenId, info.pathInfos[i].path, info.pathInfos[i].mode); } if (ioctl(fd_, SET_POLICY_CMD, &info) < 0) { @@ -267,6 +276,52 @@ int32_t MacAdapter::UnSetSandboxPolicy(uint32_t tokenId, const std::vector &policy, + std::vector &result) +{ + SANDBOXMANAGER_LOG_INFO(LABEL, "Unset sandbox policy by userId:%{private}d", userId); + + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_NOT_INIT; + } + + result.clear(); + + size_t policyNum = policy.size(); + + for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) { + size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset); + + struct SandboxPolicyInfo info; + info.userId = userId; + info.pathNum = curBatchSize; + + for (size_t i = 0; i < curBatchSize; ++i) { + info.pathInfos[i].path = const_cast(policy[offset + i].path.c_str()); + info.pathInfos[i].pathLen = policy[offset + i].path.length(); + info.pathInfos[i].mode = policy[offset + i].mode; + SANDBOXMANAGER_LOG_INFO(LABEL, "Unset policy paths userId:%{private}d path:%{private}s mode:%{public}d", + userId, info.pathInfos[i].path, info.pathInfos[i].mode); + } + + if (ioctl(fd_, DEL_DEC_POLICY_BY_USER_CMD, &info) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Unset policy failed at batch %{public}zu, errno=%{public}d.", + offset / MAX_POLICY_NUM, errno); + return SANDBOX_MANAGER_MAC_IOCTL_ERR; + } + for (size_t i = 0; i < curBatchSize; ++i) { + result[offset + i] = info.pathInfos[i].result; + } + } + + uint32_t failCount = static_cast(std::count(result.begin(), result.end(), false)); + if (failCount > 0) { + SANDBOXMANAGER_LOG_WARN(LABEL, "Unset policy has failed items, failCount=%{public}u.", failCount); + } + return SANDBOX_MANAGER_OK; +} + int32_t MacAdapter::UnSetSandboxPolicy(uint32_t tokenId, const PolicyInfo &policy) { if (fd_ < 0) { @@ -292,16 +347,21 @@ int32_t MacAdapter::UnSetSandboxPolicy(uint32_t tokenId, const PolicyInfo &polic return SANDBOX_MANAGER_OK; } -int32_t MacAdapter::DestroySandboxPolicy(uint32_t tokenId) +int32_t MacAdapter::DestroySandboxPolicy(uint32_t tokenId, uint64_t timestamp) { - SANDBOXMANAGER_LOG_INFO(LABEL, "Destroy sandbox policy target:%{public}u", tokenId); + SANDBOXMANAGER_LOG_INFO(LABEL, "Destroy sandbox policy target:%{public}u timestamp:%{public}" PRIu64 ".", tokenId, + timestamp); if (fd_ < 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); return SANDBOX_MANAGER_MAC_NOT_INIT; } - if (ioctl(fd_, DESTROY_POLICY_CMD, &tokenId) < 0) { + struct SandboxPolicyInfo info; + info.tokenId = tokenId; + info.timestamp = timestamp; + + if (ioctl(fd_, DESTROY_POLICY_CMD, &info) < 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Destroy policy failed, errno=%{public}d.", errno); return SANDBOX_MANAGER_MAC_IOCTL_ERR; } diff --git a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp index 1bb5cacf36798381fd403bcf19578215c5f2e3f4..3ced0d4b04c6554c06dce1f2e5da29114648591e 100644 --- a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp +++ b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp @@ -33,6 +33,7 @@ #include "sandbox_manager_dfx_helper.h" #include "sandbox_manager_err_code.h" #include "sandbox_manager_log.h" +#include "os_account_manager.h" namespace OHOS { namespace AccessControl { @@ -62,47 +63,71 @@ void PolicyInfoManager::Init() macAdapter_.Init(); } -void PolicyInfoManager::CleanPolicyOnMac(const std::vector& results) +void PolicyInfoManager::CleanPolicyOnMac(const std::vector &filePathList, int32_t userId) { + SANDBOXMANAGER_LOG_INFO(LABEL, "Clean policy on Mac by userId:%{private}d", userId); if (!macAdapter_.IsMacSupport()) { SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); return; } - std::map> allPersistPolicy; - for (const auto& res : results) { - uint32_t tokenId; + std::vector policies; + for (const std::string &path:filePathList) { PolicyInfo policy; - TransferGenericToPolicy(res, tokenId, policy); - auto it = allPersistPolicy.find(tokenId); - if (it == allPersistPolicy.end()) { - std::vector policies; - policies.emplace_back(policy); - allPersistPolicy.insert(std::make_pair(tokenId, policies)); - } else { - it->second.emplace_back(policy); - } + policy.path = path; + policies.emplace_back(policy); } - uint32_t failCount = 0; - for (auto& it : allPersistPolicy) { - std::vector result(it.second.size()); - int32_t count = 0; - macAdapter_.UnSetSandboxPolicy(it.first, it.second, result); - for (bool res : result) { - if (!res) { - ++count; - } + + std::vector result(policies.size()); + + macAdapter_.UnSetSandboxPolicyByUser(userId, policies, result); + int32_t count = 0; + for (bool res : result) { + if (!res) { + ++count; } - SANDBOXMANAGER_LOG_INFO(LABEL, "Mac UnSetSandboxPolicy size = %{public}zu, fail size = %{public}d.", - it.second.size(), count); - failCount += static_cast(count); } - size_t resultSize = results.size(); - PolicyOperateInfo info(resultSize, resultSize - failCount, failCount, 0); + size_t resultSize = result.size(); + PolicyOperateInfo info(resultSize, resultSize - count, count, 0); SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(OperateTypeEnum::CLEAN_PERSIST_POLICY_BY_PATH, info); } +void PolicyInfoManager::RemoveResultByUserId(std::vector &results, int32_t userId) +{ + for (auto it = results.begin(); it != results.end();) { + uint32_t tokenId = static_cast(it->GetInt(PolicyFiledConst::FIELD_TOKENID)); + Security::AccessToken::HapTokenInfo hapTokenInfoRes; + int ret = Security::AccessToken::AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfoRes); + if (ret != 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "find user id by token id failed ret:%{public}d", ret); + ++it; + continue; + } + SANDBOXMANAGER_LOG_INFO(LABEL, "check result userId:%{public}d hap userId:%{public}d target:%{public}u", userId, + hapTokenInfoRes.userID, tokenId); + + if (hapTokenInfoRes.userID != userId) { + SANDBOXMANAGER_LOG_INFO(LABEL, + "userId:%{public}d hap userId:%{public}d mismatch, do not delete target:%{public}u", userId, + hapTokenInfoRes.userID, tokenId); + it = results.erase(it); + } else { + ++it; + } + } +} + int32_t PolicyInfoManager::CleanPersistPolicyByPath(const std::vector& filePathList) { + // clean MAC + int32_t userId = 0; + int32_t ret = AccountSA::OsAccountManager::GetForegroundOsAccountLocalId(userId); + if (ret != 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "clean persist failed, get user id failed error=%{public}d", ret); + userId = 0; // set default userId + } + + SANDBOXMANAGER_LOG_INFO(LABEL, "clean policy by path and userId:%{public}d", userId); + CleanPolicyOnMac(filePathList, userId); //Gets the persistence policy to be cleaned up std::vector results; for (const std::string& path : filePathList) { @@ -123,8 +148,7 @@ int32_t PolicyInfoManager::CleanPersistPolicyByPath(const std::vector &policy, uint64_t policyFlag, - std::vector &result) + std::vector &result, uint64_t timestamp) { size_t policySize = policy.size(); if (!macAdapter_.IsMacSupport()) { @@ -409,7 +447,8 @@ int32_t PolicyInfoManager::SetPolicy(uint32_t tokenId, const std::vector setResult(validPolicies.size(), SANDBOX_MANAGER_OK); - int32_t ret = macAdapter_.SetSandboxPolicy(tokenId, validPolicies, policyFlag, setResult); + MacParams macParams = GetMacParams(tokenId, policyFlag, timestamp); + int32_t ret = macAdapter_.SetSandboxPolicy(validPolicies, setResult, macParams); if (ret != SANDBOX_MANAGER_OK) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Set sandbox policy failed, error=%{public}d.", ret); PolicyOperateInfo info(policySize, successNum, failNum, invalidNum); @@ -500,7 +539,7 @@ bool PolicyInfoManager::RemoveBundlePolicy(const uint32_t tokenId) return true; } -int32_t PolicyInfoManager::StartAccessingByTokenId(const uint32_t tokenId) +int32_t PolicyInfoManager::StartAccessingByTokenId(const uint32_t tokenId, uint64_t timestamp) { if (!macAdapter_.IsMacSupport()) { SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); @@ -536,7 +575,8 @@ int32_t PolicyInfoManager::StartAccessingByTokenId(const uint32_t tokenId) policys[i] = policy; } std::vector macResults(searchSize); - ret = macAdapter_.SetSandboxPolicy(tokenId, policys, 0, macResults); + MacParams macParams = GetMacParams(tokenId, 0, timestamp); + ret = macAdapter_.SetSandboxPolicy(policys, macResults, macParams); if (ret != SANDBOX_MANAGER_OK) { SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter set policy error, err code = %{public}d.", ret); return ret; @@ -550,7 +590,7 @@ int32_t PolicyInfoManager::StartAccessingByTokenId(const uint32_t tokenId) } int32_t PolicyInfoManager::StartAccessingPolicy( - const uint32_t tokenId, const std::vector &policy, std::vector &results) + const uint32_t tokenId, const std::vector &policy, std::vector &results, uint64_t timestamp) { if (!macAdapter_.IsMacSupport()) { SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); @@ -583,7 +623,8 @@ int32_t PolicyInfoManager::StartAccessingPolicy( std::transform(accessingIndex.begin(), accessingIndex.end(), accessingPolicy.begin(), [policy](size_t index) { return policy[index]; }); std::vector macResults(accessingIndexSize); - ret = macAdapter_.SetSandboxPolicy(tokenId, accessingPolicy, 0, macResults); + MacParams macParams = GetMacParams(tokenId, 0, timestamp); + ret = macAdapter_.SetSandboxPolicy(accessingPolicy, macResults, macParams); if (ret != SANDBOX_MANAGER_OK) { SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter set policy error, err code = %{public}d.", ret); results.clear(); @@ -659,7 +700,7 @@ int32_t PolicyInfoManager::StopAccessingPolicy( return SANDBOX_MANAGER_OK; } -int32_t PolicyInfoManager::UnSetAllPolicyByToken(const uint32_t tokenId) +int32_t PolicyInfoManager::UnSetAllPolicyByToken(const uint32_t tokenId, uint64_t timestamp) { if (!macAdapter_.IsMacSupport()) { SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); @@ -668,7 +709,7 @@ int32_t PolicyInfoManager::UnSetAllPolicyByToken(const uint32_t tokenId) PolicyOperateInfo info(0, 0, 0, 0); info.callerTokenid = tokenId; SandboxManagerDfxHelper::WritePersistPolicyOperateSucc(OperateTypeEnum::UNSET_ALL_POLICY_BY_TOKEN, info); - return macAdapter_.DestroySandboxPolicy(tokenId); + return macAdapter_.DestroySandboxPolicy(tokenId, timestamp); } int32_t PolicyInfoManager::RangeFind(const GenericValues &conditions, const GenericValues &symbols, diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp index 2a693dbe0ae8ab1d81504d0dbfe005ac652e4838..9f4f838315ecdea8f45b6e2d88bd3a3e54279881 100644 --- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp +++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp @@ -202,7 +202,7 @@ int32_t SandboxManagerService::UnPersistPolicyByTokenId( } int32_t SandboxManagerService::SetPolicy(uint32_t tokenId, const std::vector &policy, - uint64_t policyFlag, std::vector &result) + uint64_t policyFlag, std::vector &result, uint64_t timestamp) { size_t policySize = policy.size(); if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { @@ -218,7 +218,7 @@ int32_t SandboxManagerService::SetPolicy(uint32_t tokenId, const std::vector &policy, - uint64_t policyFlag) + uint64_t policyFlag, uint64_t timestamp) { std::vector result; - return SetPolicy(tokenId, policy, policyFlag, result); + return SetPolicy(tokenId, policy, policyFlag, result, timestamp); } int32_t SandboxManagerService::UnSetPolicyAsync(uint32_t tokenId, const PolicyInfo &policy) @@ -264,17 +264,22 @@ int32_t SandboxManagerService::CheckPolicy(uint32_t tokenId, const std::vector

&policy, std::vector &result) +int32_t SandboxManagerService::StartAccessingPolicy(const std::vector &policy, + std::vector &result, bool useCallerToken, uint32_t tokenId, uint64_t timestamp) { - uint32_t callingTokenId = IPCSkeleton::GetCallingTokenID(); + uint32_t callingTokenId = 0; + if (useCallerToken) { + callingTokenId = IPCSkeleton::GetCallingTokenID(); + } else { + callingTokenId = tokenId; + } size_t policySize = policy.size(); if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy vector size error, size = %{public}zu", policy.size()); return INVALID_PARAMTER; } - return PolicyInfoManager::GetInstance().StartAccessingPolicy(callingTokenId, policy, result); + return PolicyInfoManager::GetInstance().StartAccessingPolicy(callingTokenId, policy, result, timestamp); } int32_t SandboxManagerService::StopAccessingPolicy( @@ -313,22 +318,22 @@ int32_t SandboxManagerService::CheckPersistPolicy( return SANDBOX_MANAGER_OK; } -int32_t SandboxManagerService::StartAccessingByTokenId(uint32_t tokenId) +int32_t SandboxManagerService::StartAccessingByTokenId(uint32_t tokenId, uint64_t timestamp) { if (tokenId == 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid Tokenid."); return INVALID_PARAMTER; } - return PolicyInfoManager::GetInstance().StartAccessingByTokenId(tokenId); + return PolicyInfoManager::GetInstance().StartAccessingByTokenId(tokenId, timestamp); } -int32_t SandboxManagerService::UnSetAllPolicyByToken(uint32_t tokenId) +int32_t SandboxManagerService::UnSetAllPolicyByToken(uint32_t tokenId, uint64_t timestamp) { if (tokenId == 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid Tokenid."); return INVALID_PARAMTER; } - return PolicyInfoManager::GetInstance().UnSetAllPolicyByToken(tokenId); + return PolicyInfoManager::GetInstance().UnSetAllPolicyByToken(tokenId, timestamp); } bool SandboxManagerService::Initialize() diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp index e138584b0112242147c74ea37e92cf07d2c24b79..ae6d5edacce3ad4f4c22dd5dd98e79afb903fd19 100644 --- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp +++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp @@ -222,7 +222,7 @@ int32_t SandboxManagerStub::UnPersistPolicyByTokenIdInner(MessageParcel &data, M } static int32_t ReadSetPolicyParcel(MessageParcel &data, uint32_t &tokenId, - sptr &policyInfoVectorParcel, uint64_t &policyFlag) + sptr &policyInfoVectorParcel, uint64_t &policyFlag, uint64_t ×tamp) { uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID(); if (!CheckPermission(callingTokenId, SET_POLICY_PERMISSION_NAME)) { @@ -234,6 +234,11 @@ static int32_t ReadSetPolicyParcel(MessageParcel &data, uint32_t &tokenId, return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } + if (!data.ReadUint64(timestamp)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read timestamp failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + policyInfoVectorParcel = data.ReadParcelable(); if (policyInfoVectorParcel == nullptr) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Read policyInfoVectorParcel failed."); @@ -253,13 +258,14 @@ int32_t SandboxManagerStub::SetPolicyInner(MessageParcel &data, MessageParcel &r uint32_t tokenId; sptr policyInfoVectorParcel = nullptr; uint64_t policyFlag; - int32_t readRes = ReadSetPolicyParcel(data, tokenId, policyInfoVectorParcel, policyFlag); + uint64_t timestamp; + int32_t readRes = ReadSetPolicyParcel(data, tokenId, policyInfoVectorParcel, policyFlag, timestamp); if (readRes != SANDBOX_MANAGER_OK) { return readRes; } std::vector result; - int32_t ret = this->SetPolicy(tokenId, policyInfoVectorParcel->policyVector, policyFlag, result); + int32_t ret = this->SetPolicy(tokenId, policyInfoVectorParcel->policyVector, policyFlag, result, timestamp); if (!reply.WriteInt32(ret)) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Write ret failed."); return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; @@ -279,12 +285,13 @@ int32_t SandboxManagerStub::SetPolicyAsyncInner(MessageParcel &data, MessageParc uint32_t tokenId; sptr policyInfoVectorParcel = nullptr; uint64_t policyFlag; - int32_t readRes = ReadSetPolicyParcel(data, tokenId, policyInfoVectorParcel, policyFlag); + uint64_t timestamp; + int32_t readRes = ReadSetPolicyParcel(data, tokenId, policyInfoVectorParcel, policyFlag, timestamp); if (readRes != SANDBOX_MANAGER_OK) { return readRes; } - return this->SetPolicyAsync(tokenId, policyInfoVectorParcel->policyVector, policyFlag); + return this->SetPolicyAsync(tokenId, policyInfoVectorParcel->policyVector, policyFlag, timestamp); } static int32_t ReadUnSetPolicyParcel(MessageParcel &data, uint32_t &tokenId, @@ -374,6 +381,24 @@ int32_t SandboxManagerStub::StartAccessingPolicyInner(MessageParcel &data, Messa return PERMISSION_DENIED; } + bool useCallerToken; + if (!data.ReadBool(useCallerToken)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read useCallerToken failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + uint32_t tokenId; + if (!data.ReadUint32(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + uint64_t timestamp; + if (!data.ReadUint64(timestamp)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read timestamp failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + sptr policyInfoVectorParcel = data.ReadParcelable(); if (policyInfoVectorParcel == nullptr) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Reply sandbox manager data parcel fail"); @@ -381,7 +406,8 @@ int32_t SandboxManagerStub::StartAccessingPolicyInner(MessageParcel &data, Messa } std::vector result; - int32_t ret = this->StartAccessingPolicy(policyInfoVectorParcel->policyVector, result); + int32_t ret = + this->StartAccessingPolicy(policyInfoVectorParcel->policyVector, result, useCallerToken, tokenId, timestamp); if (!reply.WriteInt32(ret)) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Reply sandbox manager ret parcel fail"); return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; @@ -470,7 +496,13 @@ int32_t SandboxManagerStub::StartAccessingByTokenIdInner(MessageParcel &data, Me SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail"); return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } - this->StartAccessingByTokenId(tokenId); + uint64_t timestamp; + if (!data.ReadUint64(timestamp)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read timestamp failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + this->StartAccessingByTokenId(tokenId, timestamp); return SANDBOX_MANAGER_OK; } @@ -486,7 +518,12 @@ int32_t SandboxManagerStub::UnSetAllPolicyByTokenInner(MessageParcel &data, Mess SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail"); return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; } - this->UnSetAllPolicyByToken(tokenId); + uint64_t timestamp; + if (!data.ReadUint64(timestamp)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read timestamp failed."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + this->UnSetAllPolicyByToken(tokenId, timestamp); return SANDBOX_MANAGER_OK; } diff --git a/services/sandbox_manager/test/BUILD.gn b/services/sandbox_manager/test/BUILD.gn index 2741586868a27e162224747fa74acbf49bb80a93..41aa7bbd4509d90b99babe403078d3cb39745bb0 100644 --- a/services/sandbox_manager/test/BUILD.gn +++ b/services/sandbox_manager/test/BUILD.gn @@ -79,6 +79,7 @@ ohos_unittest("libsandbox_manager_service_standard_test") { "eventhandler:libeventhandler", "hilog:libhilog", "ipc:ipc_core", + "os_account:os_account_innerkits", "relational_store:native_rdb", "safwk:system_ability_fwk", "samgr:samgr_proxy", diff --git a/services/sandbox_manager/test/unittest/policy_info_manager_test.cpp b/services/sandbox_manager/test/unittest/policy_info_manager_test.cpp index 01758b61e120e093ab8ee592fab8df0ecc33b73e..177e0f2093e190b49fd230387596d058498b660c 100644 --- a/services/sandbox_manager/test/unittest/policy_info_manager_test.cpp +++ b/services/sandbox_manager/test/unittest/policy_info_manager_test.cpp @@ -356,16 +356,17 @@ HWTEST_F(PolicyInfoManagerTest, MacAdapterTest001, TestSize.Level1) { MacAdapter macAdapter; std::vector policy; - uint64_t flag = 0; std::vector u32Res; - EXPECT_EQ(SANDBOX_MANAGER_MAC_NOT_INIT, macAdapter.SetSandboxPolicy(selfTokenId_, policy, flag, u32Res)); + MacParams macParams; + macParams.tokenId = selfTokenId_; + EXPECT_EQ(SANDBOX_MANAGER_MAC_NOT_INIT, macAdapter.SetSandboxPolicy(policy, u32Res, macParams)); std::vector boolRes; EXPECT_EQ(SANDBOX_MANAGER_MAC_NOT_INIT, macAdapter.QuerySandboxPolicy(selfTokenId_, policy, boolRes)); EXPECT_EQ(SANDBOX_MANAGER_MAC_NOT_INIT, macAdapter.CheckSandboxPolicy(selfTokenId_, policy, boolRes)); EXPECT_EQ(SANDBOX_MANAGER_MAC_NOT_INIT, macAdapter.UnSetSandboxPolicy(selfTokenId_, policy, boolRes)); PolicyInfo info; EXPECT_EQ(SANDBOX_MANAGER_MAC_NOT_INIT, macAdapter.UnSetSandboxPolicy(selfTokenId_, info)); - EXPECT_EQ(SANDBOX_MANAGER_MAC_NOT_INIT, macAdapter.DestroySandboxPolicy(selfTokenId_)); + EXPECT_EQ(SANDBOX_MANAGER_MAC_NOT_INIT, macAdapter.DestroySandboxPolicy(selfTokenId_, 0)); } /** diff --git a/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni b/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni index ca0f1791b54732c14e01fa160e503245af651c73..4010e4ced5c91b308283e9e55485ece884736eca 100644 --- a/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni +++ b/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni @@ -61,6 +61,7 @@ sandbox_manager_external_deps = [ "common_event_service:cesfwk_innerkits", "hilog:libhilog", "ipc:ipc_core", + "os_account:os_account_innerkits", "relational_store:native_rdb", "safwk:system_ability_fwk", "samgr:samgr_proxy",