diff --git a/bundle.json b/bundle.json index b019454f0f6505a22f96459256a3dae8ed985179..4da7fb74b2b730e00dee648ded197794682dc852 100644 --- a/bundle.json +++ b/bundle.json @@ -13,7 +13,10 @@ "name": "sandbox_manager", "subsystem": "accesscontrol", "syscap": [], - "features": [ "sandbox_manager_feature_coverage = false" ], + "features": [ + "sandbox_manager_feature_coverage = false", + "sandbox_manager_mac_enable = true" + ], "adapted_system_type": [ "standard" ], "rom": "10000KB", "ram": "5000KB", diff --git a/frameworks/sandbox_manager/include/i_sandbox_manager.h b/frameworks/sandbox_manager/include/i_sandbox_manager.h index b6c32bb5926ad8e3900a4545aa14380e8da26e3f..164035558b7dd7a13adb14af9d04b2a71aab29bb 100644 --- a/frameworks/sandbox_manager/include/i_sandbox_manager.h +++ b/frameworks/sandbox_manager/include/i_sandbox_manager.h @@ -31,17 +31,25 @@ public: static const int SA_ID_SANDBOX_MANAGER_SERVICE = SANDBOX_MANAGER_SERVICE_ID; + virtual int32_t CleanPersistPolicyByPath(const std::vector& filePaths) = 0; virtual int32_t PersistPolicy(const std::vector &policy, std::vector &result) = 0; virtual int32_t UnPersistPolicy(const std::vector &policy, std::vector &result) = 0; virtual int32_t PersistPolicyByTokenId( uint64_t tokenId, const std::vector &policy, std::vector &result) = 0; virtual int32_t UnPersistPolicyByTokenId( uint64_t tokenId, const std::vector &policy, std::vector &result) = 0; - virtual int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) = 0; + virtual int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result) = 0; + virtual int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy) = 0; + virtual int32_t SetPolicyAsync(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) = 0; + virtual int32_t UnSetPolicyAsync(uint64_t tokenId, const PolicyInfo &policy) = 0; + virtual int32_t CheckPolicy(uint64_t tokenId, const std::vector &policy, std::vector &result) = 0; virtual int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result) = 0; virtual int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result) = 0; virtual int32_t CheckPersistPolicy( uint64_t tokenId, const std::vector &policy, std::vector &result) = 0; + virtual int32_t StartAccessingByTokenId(uint64_t tokenId) = 0; + virtual int32_t UnSetAllPolicyByToken(uint64_t tokenId) = 0; }; } // namespace SandboxManager } // namespace AccessControl diff --git a/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h b/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h index 15fe30f8c1711b35f809126825e5156355bd1016..3d8ca697fa8d32e9915cd509178bc524286419e5 100644 --- a/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h +++ b/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h @@ -24,11 +24,18 @@ enum class SandboxManagerInterfaceCode { PERSIST_PERMISSION = 0xffb0, UNPERSIST_PERMISSION, SET_POLICY, + UN_SET_POLICY, + SET_POLICY_ASYNC, + UN_SET_POLICY_ASYNC, + CHECK_POLICY, START_ACCESSING_URI, STOP_ACCESSING_URI, CHECK_PERSIST_PERMISSION, + START_ACCESSING_BY_TOKEN, + UNSET_ALL_POLICY_BY_TOKEN, PERSIST_PERMISSION_BY_TOKENID, UNPERSIST_PERMISSION_BY_TOKENID, + CLEAN_PERSIST_POLICY_BY_PATH, }; } // namespace SandboxManager } // namespace AccessControl diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h index aebae4cdaed2c9b332842c5dd0e435aa50a2b961..0c43b4d4a12cba0494d22dd75186dc688392393c 100644 --- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h +++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h @@ -40,9 +40,15 @@ public: static SandboxManagerClient &GetInstance(); virtual ~SandboxManagerClient(); + int32_t CleanPersistPolicyByPath(const std::vector& filePaths); int32_t PersistPolicy(const std::vector &policy, std::vector &result); int32_t UnPersistPolicy(const std::vector &policy, std::vector &result); - int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag); + int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result); + int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy); + int32_t SetPolicyAsync(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag); + int32_t UnSetPolicyAsync(uint64_t tokenId, const PolicyInfo &policy); + int32_t CheckPolicy(uint64_t tokenId, const std::vector &policy, std::vector &result); int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result); int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result); int32_t CheckPersistPolicy(uint64_t tokenId, const std::vector &policy, std::vector &result); @@ -50,6 +56,8 @@ public: uint64_t tokenId, const std::vector &policy, std::vector &result); int32_t UnPersistPolicyByTokenId( uint64_t tokenId, const std::vector &policy, std::vector &result); + int32_t StartAccessingByTokenId(uint64_t tokenId); + int32_t UnSetAllPolicyByToken(uint64_t tokenId); void FinishStartSASuccess(const sptr &remoteObject); void FinishStartSAFail(); diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h index 2b26c4b9fc4cfd2d14eab6a3d4d2ab4844b1cde9..a6215c3ee8aa9b0c38ec6b71e2664b36f9bd557a 100644 --- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h +++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h @@ -30,6 +30,8 @@ enum SandboxManagerErrCode : int32_t { SANDBOX_MANAGER_DB_ERR, SANDBOX_MANAGER_DB_RETURN_EMPTY, SANDBOX_MANAGER_DB_RECORD_NOT_EXIST, + + SANDBOX_MANAGER_MAC_ADAPTER_ERR, }; } // SandboxManager } // AccessControl diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h index 9506077a20e6cfe313d53fb8d7ce945779b67826..7d9cc1e20acd6805b42efbca6e03d4d41e2971a7 100644 --- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h +++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h @@ -17,6 +17,7 @@ #define SANDBOXMANAGER_KIT_H #include "policy_info.h" +#include namespace OHOS { namespace AccessControl { @@ -26,6 +27,12 @@ namespace SandboxManager { */ class SandboxManagerKit { public: + /** + * @brief Clear the persistence policy + * @param policy vector of string, file path + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t CleanPersistPolicyByPath(const std::vector& filePaths); /** * @brief Persist policys with caller's tokenId * @param policy vector of PolicyInfo, see policy_info.h @@ -62,10 +69,41 @@ public: * @brief Set policys with a given tokenId to MAC layer * @param tokenId a given tokenId * @param policy vector of PolicyInfo, see policy_info.h - * @param result insert result of each policy, result is SandboxRetType in policy_info.h + * @param policyFlag flag of policy + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result); + /** + * @brief UnSet policy with a given tokenId from MAC layer + * @param tokenId a given tokenId + * @param policy vector of PolicyInfo, see policy_info.h + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy); + /** + * @brief Set policys with a given tokenId to MAC layer async + * @param tokenId a given tokenId + * @param policy vector of PolicyInfo, see policy_info.h + * @param policyFlag flag of policy * @return SandboxManagerErrCode, see sandbox_manager_err_code.h */ - static int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag); + static int32_t SetPolicyAsync(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag); + /** + * @brief UnSet policy with a given tokenId from MAC layer async + * @param tokenId a given tokenId + * @param policy vector of PolicyInfo, see policy_info.h + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t UnSetPolicyAsync(uint64_t tokenId, const PolicyInfo &policy); + /** + * @brief Check policy with a given tokenId from MAC layer + * @param tokenId a given tokenId + * @param policy vector of PolicyInfo, see policy_info.h + * @param result check result of each policy + * @return true if policy exist, else false + */ + static int32_t CheckPolicy(uint64_t tokenId, const std::vector &policy, std::vector &result); /** * @brief Set existing persisted policys with caller's tokenId to MAC layer * not existed policy would be ignored, but have a return in result @@ -90,6 +128,18 @@ public: */ static int32_t CheckPersistPolicy( uint64_t tokenId, const std::vector &policy, std::vector &result); + /** + * @brief load all policys by tokenid that auto-loaded flag = 1 + * @param tokenId a given tokenId + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t StartAccessingByTokenId(uint64_t tokenId); + /** + * @brief unset all policy of a given tokenid + * @param tokenId a given tokenId + * @return SandboxManagerErrCode, see sandbox_manager_err_code.h + */ + static int32_t UnSetAllPolicyByToken(uint64_t tokenId); }; } // SandboxManager } // AccessControl diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h index ebce0a2a027e6f996f44a0111b14f063c01a5bd2..f3784439b65d5f91016791ee9ae848fbbcc819f6 100644 --- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h +++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h @@ -31,10 +31,15 @@ public: explicit SandboxManagerProxy(const sptr &impl); ~SandboxManagerProxy() override; + int32_t CleanPersistPolicyByPath(const std::vector& filePaths) override; int32_t PersistPolicy(const std::vector &policy, std::vector &result) override; int32_t UnPersistPolicy(const std::vector &policy, std::vector &result) override; - int32_t SetPolicy( - uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) override; + int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result) override; + int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy) override; + int32_t SetPolicyAsync(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) override; + int32_t UnSetPolicyAsync(uint64_t tokenId, const PolicyInfo &policy) override; + int32_t CheckPolicy(uint64_t tokenId, const std::vector &policy, std::vector &result) override; int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result) override; int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result) override; int32_t CheckPersistPolicy( @@ -43,9 +48,12 @@ public: uint64_t tokenId, const std::vector &policy, std::vector &result) override; int32_t UnPersistPolicyByTokenId( uint64_t tokenId, const std::vector &policy, std::vector &result) override; - + int32_t StartAccessingByTokenId(uint64_t tokenId) override; + int32_t UnSetAllPolicyByToken(uint64_t tokenId) override; private: bool SendRequest(SandboxManagerInterfaceCode code, MessageParcel &data, MessageParcel &reply); + bool SendRequest(SandboxManagerInterfaceCode code, MessageParcel &data, MessageParcel &reply, + MessageOption &option); static inline BrokerDelegator delegator_; }; } // namespace SandboxManager diff --git a/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map b/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map index f787881eaa9217cccfbb96ce55fe4d2de269a7dc..856c3fd4aebebded2da37901494f0e36b86c6621 100644 --- a/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map +++ b/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map @@ -14,20 +14,33 @@ 1.0 { global: extern "C++" { + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CleanPersistPolicyByPath(std::__h::vector, std::__h::allocator>, std::__h::allocator, std::__h::allocator>>> const&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::PersistPolicy(unsigned long, std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::PersistPolicy(unsigned long long, std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnPersistPolicy(unsigned long, std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnPersistPolicy(unsigned long long, std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::PersistPolicy(std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnPersistPolicy(std::__h::vector> const&, std::__h::vector>&)"; - "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned long, std::__h::vector> const&, unsigned long)"; - "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned long long, std::__h::vector> const&, unsigned long long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned long, std::__h::vector> const&, unsigned long, std::__h::vector>&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned long long, std::__h::vector> const&, unsigned long long, std::__h::vector>&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicyAsync(unsigned long long, std::__h::vector> const&, unsigned long long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicyAsync(unsigned long, std::__h::vector> const&, unsigned long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetPolicy(unsigned long, OHOS::AccessControl::SandboxManager::PolicyInfo const&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetPolicy(unsigned long long, OHOS::AccessControl::SandboxManager::PolicyInfo const&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetPolicyAsync(unsigned long, OHOS::AccessControl::SandboxManager::PolicyInfo const&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetPolicyAsync(unsigned long long, OHOS::AccessControl::SandboxManager::PolicyInfo const&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPolicy(unsigned long, std::__h::vector> const&, std::__h::vector>&)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPolicy(unsigned long long, std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingPolicy(std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StopAccessingPolicy(std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPersistPolicy(unsigned long, std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPersistPolicy(unsigned long long, std::__h::vector> const&, std::__h::vector>&)"; "OHOS::AccessControl::SandboxManager::SandboxManagerClient::GetInstance()"; "OHOS::AccessControl::SandboxManager::SandboxManagerClient::InitProxy()"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingByTokenId(unsigned long long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingByTokenId(unsigned long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetAllPolicyByToken(unsigned long long)"; + "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetAllPolicyByToken(unsigned long)"; ""; ""; }; diff --git a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp index 8018aaac92ec43b0550e41668f58efec30777079..c9c97b3e30619df702dca8d0df411aba59e13efa 100644 --- a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp +++ b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp @@ -44,6 +44,15 @@ SandboxManagerClient::SandboxManagerClient() SandboxManagerClient::~SandboxManagerClient() {} +int32_t SandboxManagerClient::CleanPersistPolicyByPath(const std::vector& filePaths) +{ + auto proxy = GetProxy(true); + if (proxy == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Proxy is null"); + return SANDBOX_MANAGER_SERVICE_NOT_EXIST; + } + return proxy->CleanPersistPolicyByPath(filePaths); +} int32_t SandboxManagerClient::PersistPolicy(const std::vector &policy, std::vector &result) { @@ -87,14 +96,57 @@ int32_t SandboxManagerClient::UnPersistPolicyByTokenId( return proxy->UnPersistPolicyByTokenId(tokenId, policy, result); } -int32_t SandboxManagerClient::SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) +int32_t SandboxManagerClient::SetPolicy(uint64_t tokenId, const std::vector &policy, + uint64_t policyFlag, std::vector &result) +{ + auto proxy = GetProxy(true); + if (proxy == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null"); + return SANDBOX_MANAGER_SERVICE_NOT_EXIST; + } + return proxy->SetPolicy(tokenId, policy, policyFlag, result); +} + +int32_t SandboxManagerClient::UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy) +{ + auto proxy = GetProxy(true); + if (proxy == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null"); + return SANDBOX_MANAGER_SERVICE_NOT_EXIST; + } + return proxy->UnSetPolicy(tokenId, policy); +} + +int32_t SandboxManagerClient::SetPolicyAsync(uint64_t tokenId, const std::vector &policy, + uint64_t policyFlag) +{ + auto proxy = GetProxy(true); + if (proxy == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null"); + return SANDBOX_MANAGER_SERVICE_NOT_EXIST; + } + return proxy->SetPolicyAsync(tokenId, policy, policyFlag); +} + +int32_t SandboxManagerClient::UnSetPolicyAsync(uint64_t tokenId, const PolicyInfo &policy) { auto proxy = GetProxy(true); if (proxy == nullptr) { SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null"); return SANDBOX_MANAGER_SERVICE_NOT_EXIST; } - return proxy->SetPolicy(tokenId, policy, policyFlag); + return proxy->UnSetPolicyAsync(tokenId, policy); +} + +int32_t SandboxManagerClient::CheckPolicy(uint64_t tokenId, const std::vector &policy, + std::vector &result) +{ + auto proxy = GetProxy(true); + if (proxy == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null"); + return false; + } + return proxy->CheckPolicy(tokenId, policy, result); } int32_t SandboxManagerClient::StartAccessingPolicy( @@ -129,6 +181,26 @@ int32_t SandboxManagerClient::CheckPersistPolicy( return proxy->CheckPersistPolicy(tokenId, policy, result); } +int32_t SandboxManagerClient::StartAccessingByTokenId(uint64_t tokenId) +{ + auto proxy = GetProxy(true); + if (proxy == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null"); + return SANDBOX_MANAGER_SERVICE_NOT_EXIST; + } + return proxy->StartAccessingByTokenId(tokenId); +} + +int32_t SandboxManagerClient::UnSetAllPolicyByToken(uint64_t tokenId) +{ + auto proxy = GetProxy(true); + if (proxy == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null"); + return SANDBOX_MANAGER_SERVICE_NOT_EXIST; + } + return proxy->UnSetAllPolicyByToken(tokenId); +} + bool SandboxManagerClient::StartLoadSandboxManagerSa() { { diff --git a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp index 2f5c120a8915883f84e8b556fa10f409329012fe..aa436d6212304af4692a2a2b67d6b312f282c814 100644 --- a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp +++ b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp @@ -30,6 +30,17 @@ static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = { } const uint64_t POLICY_VECTOR_SIZE_LIMIT = 500; +int32_t SandboxManagerKit::CleanPersistPolicyByPath(const std::vector& filePaths) +{ + SANDBOXMANAGER_LOG_DEBUG(LABEL, "Called"); + size_t filePathSize = filePaths.size(); + if (filePathSize == 0 || filePathSize > POLICY_VECTOR_SIZE_LIMIT) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "FilePathSize = %{public}u", static_cast(filePathSize)); + return SandboxManagerErrCode::INVALID_PARAMTER; + } + return SandboxManagerClient::GetInstance().CleanPersistPolicyByPath(filePaths); +} + int32_t SandboxManagerKit::PersistPolicy(const std::vector &policy, std::vector &result) { SANDBOXMANAGER_LOG_DEBUG(LABEL, "called"); @@ -82,14 +93,53 @@ int32_t SandboxManagerKit::UnPersistPolicy( return SandboxManagerClient::GetInstance().UnPersistPolicyByTokenId(tokenId, policy, result); } -int32_t SandboxManagerKit::SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) +int32_t SandboxManagerKit::SetPolicy(uint64_t tokenId, const std::vector &policy, + uint64_t policyFlag, std::vector &result) +{ + SANDBOXMANAGER_LOG_DEBUG(LABEL, "called"); + size_t policySize = policy.size(); + if ((policySize == 0) || (policySize > POLICY_VECTOR_SIZE_LIMIT) || (tokenId == 0)) { + return SandboxManagerErrCode::INVALID_PARAMTER; + } + return SandboxManagerClient::GetInstance().SetPolicy(tokenId, policy, policyFlag, result); +} + +int32_t SandboxManagerKit::UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy) +{ + SANDBOXMANAGER_LOG_DEBUG(LABEL, "called"); + if (tokenId == 0) { + return SandboxManagerErrCode::INVALID_PARAMTER; + } + return SandboxManagerClient::GetInstance().UnSetPolicy(tokenId, policy); +} + +int32_t SandboxManagerKit::SetPolicyAsync(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) { SANDBOXMANAGER_LOG_DEBUG(LABEL, "called"); size_t policySize = policy.size(); if ((policySize == 0) || (policySize > POLICY_VECTOR_SIZE_LIMIT) || (tokenId == 0)) { return SandboxManagerErrCode::INVALID_PARAMTER; } - return SandboxManagerClient::GetInstance().SetPolicy(tokenId, policy, policyFlag); + return SandboxManagerClient::GetInstance().SetPolicyAsync(tokenId, policy, policyFlag); +} + +int32_t SandboxManagerKit::UnSetPolicyAsync(uint64_t tokenId, const PolicyInfo &policy) +{ + SANDBOXMANAGER_LOG_DEBUG(LABEL, "called"); + if (tokenId == 0) { + return SandboxManagerErrCode::INVALID_PARAMTER; + } + return SandboxManagerClient::GetInstance().UnSetPolicyAsync(tokenId, policy); +} + +int32_t SandboxManagerKit::CheckPolicy(uint64_t tokenId, const std::vector &policy, + std::vector &result) +{ + SANDBOXMANAGER_LOG_DEBUG(LABEL, "called"); + if (tokenId == 0) { + return SandboxManagerErrCode::INVALID_PARAMTER; + } + return SandboxManagerClient::GetInstance().CheckPolicy(tokenId, policy, result); } int32_t SandboxManagerKit::StartAccessingPolicy(const std::vector &policy, std::vector &result) @@ -128,6 +178,26 @@ int32_t SandboxManagerKit::CheckPersistPolicy( result.clear(); return SandboxManagerClient::GetInstance().CheckPersistPolicy(tokenId, policy, result); } + +int32_t SandboxManagerKit::StartAccessingByTokenId(uint64_t tokenId) +{ + SANDBOXMANAGER_LOG_DEBUG(LABEL, "called"); + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid input token."); + return SandboxManagerErrCode::INVALID_PARAMTER; + } + return SandboxManagerClient::GetInstance().StartAccessingByTokenId(tokenId); +} + +int32_t SandboxManagerKit::UnSetAllPolicyByToken(uint64_t tokenId) +{ + SANDBOXMANAGER_LOG_DEBUG(LABEL, "called"); + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid input token."); + return SandboxManagerErrCode::INVALID_PARAMTER; + } + return SandboxManagerClient::GetInstance().UnSetAllPolicyByToken(tokenId); +} } // SandboxManager } // AccessControl } // OHOS \ No newline at end of file diff --git a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp index 52a625ad33546c5417dc34830edbdb27d1248b63..ab2d002eae3740da19d208e7074e5097af3230bd 100644 --- a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp +++ b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp @@ -15,11 +15,14 @@ #include "sandbox_manager_proxy.h" +#include #include #include "iremote_object.h" #include "iremote_proxy.h" +#include "message_option.h" #include "message_parcel.h" #include "parcel.h" +#include "policy_info_parcel.h" #include "policy_info_vector_parcel.h" #include "sandboxmanager_service_ipc_interface_code.h" #include "sandbox_manager_err_code.h" @@ -41,17 +44,21 @@ SandboxManagerProxy::SandboxManagerProxy(const sptr &impl) SandboxManagerProxy::~SandboxManagerProxy() {} -bool SandboxManagerProxy::SendRequest(SandboxManagerInterfaceCode code, - MessageParcel &data, MessageParcel &reply) +bool SandboxManagerProxy::SendRequest(SandboxManagerInterfaceCode code, MessageParcel &data, MessageParcel &reply) { MessageOption option(MessageOption::TF_SYNC); + return SendRequest(code, data, reply, option); +} + +bool SandboxManagerProxy::SendRequest(SandboxManagerInterfaceCode code, MessageParcel &data, MessageParcel &reply, + MessageOption &option) +{ sptr remote = Remote(); if (remote == nullptr) { SANDBOXMANAGER_LOG_ERROR(LABEL, "remote service null."); return false; } - int32_t requestResult = remote->SendRequest( - static_cast(code), data, reply, option); + int32_t requestResult = remote->SendRequest(static_cast(code), data, reply, option); if (requestResult != NO_ERROR) { SANDBOXMANAGER_LOG_ERROR(LABEL, "request fail, result: %{public}d", requestResult); return false; @@ -59,6 +66,36 @@ bool SandboxManagerProxy::SendRequest(SandboxManagerInterfaceCode code, return true; } +int32_t SandboxManagerProxy::CleanPersistPolicyByPath(const std::vector& filePaths) +{ + MessageParcel data; + if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + if (!data.WriteUint32(filePaths.size())) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Failed to write filePaths size."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + for (const std::string& filePath: filePaths) { + if (!data.WriteString(filePath)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Failed to write filePath."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + } + + MessageParcel reply; + MessageOption option(MessageOption::TF_ASYNC); + if (!SendRequest(SandboxManagerInterfaceCode::CLEAN_PERSIST_POLICY_BY_PATH, data, reply)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Remote fail"); + return SANDBOX_MANAGER_SERVICE_REMOTE_ERR; + } + + return SANDBOX_MANAGER_OK; +} + int32_t SandboxManagerProxy::PersistPolicy(const std::vector &policy, std::vector &result) { MessageParcel data; @@ -205,7 +242,7 @@ int32_t SandboxManagerProxy::UnPersistPolicyByTokenId( } int32_t SandboxManagerProxy::SetPolicy(uint64_t tokenId, const std::vector &policy, - uint64_t policyFlag) + uint64_t policyFlag, std::vector &result) { MessageParcel data; if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { @@ -230,7 +267,6 @@ int32_t SandboxManagerProxy::SetPolicy(uint64_t tokenId, const std::vector &policy, + uint64_t policyFlag) +{ + MessageParcel data; + if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + if (!data.WriteUint64(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + PolicyInfoVectorParcel policyInfoVectorParcel; + policyInfoVectorParcel.policyVector = policy; + if (!data.WriteParcelable(&policyInfoVectorParcel)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyInfoVectorParcel fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + if (!data.WriteUint64(policyFlag)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyFlag fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + MessageParcel reply; + MessageOption option(MessageOption::TF_ASYNC); + if (!SendRequest(SandboxManagerInterfaceCode::SET_POLICY_ASYNC, data, reply, option)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail"); + return SANDBOX_MANAGER_SERVICE_REMOTE_ERR; + } + + return SANDBOX_MANAGER_OK; +} +int32_t SandboxManagerProxy::UnSetPolicyAsync(uint64_t tokenId, const PolicyInfo &policy) +{ + MessageParcel data; + if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + if (!data.WriteUint64(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + PolicyInfoParcel policyInfoParcel; + policyInfoParcel.policyInfo = policy; + if (!data.WriteParcelable(&policyInfoParcel)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyInfoParcel fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + MessageParcel reply; + MessageOption option(MessageOption::TF_ASYNC); + if (!SendRequest(SandboxManagerInterfaceCode::UN_SET_POLICY_ASYNC, data, reply, option)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail"); + return SANDBOX_MANAGER_SERVICE_REMOTE_ERR; + } + + return SANDBOX_MANAGER_OK; +} + +int32_t SandboxManagerProxy::CheckPolicy(uint64_t tokenId, const std::vector &policy, + std::vector &result) +{ + MessageParcel data; + if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + if (!data.WriteUint64(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + PolicyInfoVectorParcel policyInfoVectorParcel; + policyInfoVectorParcel.policyVector = policy; + if (!data.WriteParcelable(&policyInfoVectorParcel)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyInfoVectorParcel fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + MessageParcel reply; + if (!SendRequest(SandboxManagerInterfaceCode::CHECK_POLICY, data, reply)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail"); + return SANDBOX_MANAGER_SERVICE_REMOTE_ERR; + } + + int32_t remoteRet; + if (!reply.ReadInt32(remoteRet)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "read ret fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + result.clear(); + if (remoteRet == SANDBOX_MANAGER_OK) { + if (!reply.ReadBoolVector(&result)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager result parcel fail"); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + } return remoteRet; } @@ -260,7 +439,6 @@ int32_t SandboxManagerProxy::StartAccessingPolicy(const std::vector } MessageParcel reply; - MessageOption option(MessageOption::TF_SYNC); if (!SendRequest(SandboxManagerInterfaceCode::START_ACCESSING_URI, data, reply)) { SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail"); return SANDBOX_MANAGER_SERVICE_REMOTE_ERR; @@ -295,7 +473,6 @@ int32_t SandboxManagerProxy::StopAccessingPolicy(const std::vector & } MessageParcel reply; - MessageOption option(MessageOption::TF_SYNC); if (!SendRequest(SandboxManagerInterfaceCode::STOP_ACCESSING_URI, data, reply)) { SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail"); return SANDBOX_MANAGER_SERVICE_REMOTE_ERR; @@ -335,7 +512,6 @@ int32_t SandboxManagerProxy::CheckPersistPolicy(uint64_t tokenId, const std::vec } MessageParcel reply; - MessageOption option(MessageOption::TF_SYNC); if (!SendRequest(SandboxManagerInterfaceCode::CHECK_PERSIST_PERMISSION, data, reply)) { SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail"); return SANDBOX_MANAGER_SERVICE_REMOTE_ERR; @@ -353,6 +529,48 @@ int32_t SandboxManagerProxy::CheckPersistPolicy(uint64_t tokenId, const std::vec } return remoteRet; } + +int32_t SandboxManagerProxy::StartAccessingByTokenId(uint64_t tokenId) +{ + MessageParcel data; + if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor fail."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + if (!data.WriteUint64(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId fail."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + MessageParcel reply; + MessageOption option(MessageOption::TF_ASYNC); + if (!SendRequest(SandboxManagerInterfaceCode::START_ACCESSING_BY_TOKEN, data, reply, option)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Remote fail."); + return SANDBOX_MANAGER_SERVICE_REMOTE_ERR; + } + return SANDBOX_MANAGER_OK; +} + +int32_t SandboxManagerProxy::UnSetAllPolicyByToken(uint64_t tokenId) +{ + MessageParcel data; + if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor fail."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + if (!data.WriteUint64(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId fail."); + return SANDBOX_MANAGER_SERVICE_PARCEL_ERR; + } + + MessageParcel reply; + MessageOption option(MessageOption::TF_ASYNC); + if (!SendRequest(SandboxManagerInterfaceCode::UNSET_ALL_POLICY_BY_TOKEN, data, reply, option)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Remote fail."); + return SANDBOX_MANAGER_SERVICE_REMOTE_ERR; + } + return SANDBOX_MANAGER_OK; +} } // namespace SandboxManager } // namespace AccessControl } // namespace OHOS \ No newline at end of file diff --git a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp index 3a0fc3706d139a3f35f9a19395680c9cef723f3d..d83283668e406989382835b96edeaf9f897659a8 100644 --- a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp +++ b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp @@ -16,6 +16,7 @@ #include "sandbox_manager_kit_coverage_test.h" #include +#include #include #include "access_token.h" #include "accesstoken_kit.h" @@ -71,6 +72,8 @@ HWTEST_F(SandboxManagerKitCoverageTest, PersistPolicy001, TestSize.Level1) std::vector result; EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(policy, result)); + std::vector filePaths; + EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::CleanPersistPolicyByPath(filePaths)); std::vector policyEmpty; EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(policyEmpty, result)); @@ -152,7 +155,7 @@ HWTEST_F(SandboxManagerKitCoverageTest, SetPolicy001, TestSize.Level1) } std::vector result; - EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::SetPolicy(GetSelfTokenID(), policy, 0)); + EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::SetPolicy(GetSelfTokenID(), policy, 0, result)); EXPECT_EQ(0, result.size()); } diff --git a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp index b91f6bac7e8fbaf8f416c272afd9fef2e5ae66c2..823f14098d2bf013a3782aa74b327e50f60df704 100644 --- a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp +++ b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp @@ -40,6 +40,8 @@ namespace SandboxManager { namespace { const std::string SET_POLICY_PERMISSION = "ohos.permission.SET_SANDBOX_POLICY"; const std::string ACCESS_PERSIST_PERMISSION = "ohos.permission.FILE_ACCESS_PERSIST"; +const Security::AccessToken::AccessTokenID INVALID_TOKENID = 537123456; +uint64_t g_selfTokenId; uint64_t g_mockToken; Security::AccessToken::PermissionStateFull g_testState1 = { .permissionName = SET_POLICY_PERMISSION, @@ -70,41 +72,9 @@ Security::AccessToken::HapPolicyParams g_testPolicyPrams = { }; }; -void NativeTokenGet() -{ - uint64_t fullTokenId; - const char **perms = new const char *[1]; - perms[0] = "ohos.permission.DISTRIBUTED_DATASYNC"; - - NativeTokenInfoParams infoInstance = { - .dcapsNum = 0, - .permsNum = 1, - .aclsNum = 0, - .dcaps = nullptr, - .perms = perms, - .acls = nullptr, - .aplStr = "system_core", - }; - - infoInstance.processName = "TestCase"; - fullTokenId = GetAccessTokenId(&infoInstance); - EXPECT_EQ(0, SetSelfTokenID(fullTokenId)); - Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo(); - delete[] perms; -} - void SandboxManagerKitTest::SetUpTestCase() { - NativeTokenGet(); - Security::AccessToken::AccessTokenID tokenID = - Security::AccessToken::AccessTokenKit::GetNativeTokenId("foundation"); - EXPECT_NE(0, tokenID); - EXPECT_EQ(0, SetSelfTokenID(tokenID)); - Security::AccessToken::AccessTokenIDEx tokenIdEx = {0}; - tokenIdEx = Security::AccessToken::AccessTokenKit::AllocHapToken(g_testInfoParms, g_testPolicyPrams); - EXPECT_NE(0, tokenIdEx.tokenIdExStruct.tokenID); - g_mockToken = tokenIdEx.tokenIdExStruct.tokenID; - EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIdExStruct.tokenID)); + g_selfTokenId = GetSelfTokenID(); } void SandboxManagerKitTest::TearDownTestCase() @@ -114,10 +84,16 @@ void SandboxManagerKitTest::TearDownTestCase() void SandboxManagerKitTest::SetUp() { + Security::AccessToken::AccessTokenIDEx tokenIdEx = {0}; + tokenIdEx = Security::AccessToken::AccessTokenKit::AllocHapToken(g_testInfoParms, g_testPolicyPrams); + EXPECT_NE(0, tokenIdEx.tokenIdExStruct.tokenID); + g_mockToken = tokenIdEx.tokenIdExStruct.tokenID; + EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIdExStruct.tokenID)); } void SandboxManagerKitTest::TearDown() { + EXPECT_EQ(0, SetSelfTokenID(g_selfTokenId)); } /** @@ -646,30 +622,31 @@ HWTEST_F(SandboxManagerKitTest, PersistPolicy014, TestSize.Level1) std::vector result; uint64_t policyFlag = 0; std::vector flag; - PolicyInfo infoParent = { - .path = "/data/log", - .mode = OperateMode::WRITE_MODE - }; + PolicyInfo infoParent = {.path = "/data/log", .mode = OperateMode::WRITE_MODE}; EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); tokenId = 1; EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); tokenId = 0; policy.emplace_back(infoParent); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); tokenId = 1; EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); for (int i = 0; i < 500; i++) { @@ -678,15 +655,957 @@ HWTEST_F(SandboxManagerKitTest, PersistPolicy014, TestSize.Level1) tokenId = 0; EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); tokenId = 1; EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result)); - EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag)); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag)); } -} //SandboxManager -} //AccessControl +/** + * @tc.name: PersistPolicy015 + * @tc.desc: PersistPolicy directory. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, PersistPolicy015, TestSize.Level1) +{ + uint64_t tokenId = 0; + std::vector policy; + std::vector result; + uint64_t policyFlag = 0; + std::vector flag; + PolicyInfo infoParent = {.path = "/data/log", .mode = OperateMode::WRITE_MODE}; + EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result)); + EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::SetPolicyAsync(tokenId, policy, policyFlag)); + EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::UnSetPolicy(tokenId, infoParent)); + EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::UnSetPolicyAsync(tokenId, infoParent)); + EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(tokenId, policy, flag)); +} + +/** + * @tc.name: CheckPolicyTest001 + * @tc.desc: Check allowed policy + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CheckPolicyTest001, TestSize.Level1) +{ + std::vector policyA; + uint64_t policyFlag = 0; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policyA.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + infoParent.mode = OperateMode::READ_MODE; + std::vector policyB; + policyB.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + infoParent.mode = OperateMode::WRITE_MODE; + std::vector policyC; + policyC.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyC, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + infoParent.mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE; + std::vector policyD; + policyD.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyD, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + infoParent.path = "/data/log/hilog"; + infoParent.mode = OperateMode::READ_MODE; + std::vector policyE; + policyE.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyE, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + infoParent.mode = OperateMode::WRITE_MODE; + std::vector policyF; + policyF.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyF, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + infoParent.mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE; + std::vector policyG; + policyG.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyG, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyA[0])); +} + +/** + * @tc.name: CheckPolicyTest002 + * @tc.desc: Check parent directory policy with r+w + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CheckPolicyTest002, TestSize.Level1) +{ + std::vector policyA; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policyA.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + infoParent.path = "/data", + infoParent.mode = OperateMode::READ_MODE; + std::vector policyB; + policyB.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + infoParent.mode = OperateMode::WRITE_MODE; + std::vector policyC; + policyC.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyC, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + infoParent.mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE; + std::vector policyD; + policyD.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyD, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyA[0])); +} + +/** + * @tc.name: CheckPolicyTest003 + * @tc.desc: Check parent directory policy with r + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CheckPolicyTest003, TestSize.Level1) +{ + std::vector policyA; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE + }; + policyA.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + infoParent.mode = OperateMode::READ_MODE; + std::vector policyB; + policyB.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + infoParent.mode = OperateMode::WRITE_MODE; + std::vector policyC; + policyC.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyC, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + infoParent.mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE; + std::vector policyD; + policyD.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyD, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + infoParent.path = "/data/log/hilog"; + infoParent.mode = OperateMode::READ_MODE; + std::vector policyE; + policyE.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyE, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyA[0])); +} + +/** + * @tc.name: CheckPolicyTest004 + * @tc.desc: Check parent directory policy with w + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CheckPolicyTest004, TestSize.Level1) +{ + std::vector policyA; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::WRITE_MODE + }; + policyA.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + infoParent.mode = OperateMode::READ_MODE; + std::vector policyB; + policyB.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + infoParent.mode = OperateMode::WRITE_MODE; + std::vector policyC; + policyC.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyC, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + infoParent.mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE; + std::vector policyD; + policyD.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyD, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + infoParent.path = "/data/log/hilog"; + infoParent.mode = OperateMode::WRITE_MODE; + std::vector policyE; + policyE.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyE, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyA[0])); +} + +/** + * @tc.name: CheckPolicyTest005 + * @tc.desc: Check parent directory policy with w + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CheckPolicyTest005, TestSize.Level1) +{ + std::vector policyA; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParentA = { + .path = "/data/log", + .mode = OperateMode::WRITE_MODE + }; + PolicyInfo infoParentB = { + .path = "/data/log/hilog", + .mode = OperateMode::WRITE_MODE + }; + PolicyInfo infoParentC = { + .path = "/system/usr", + .mode = OperateMode::WRITE_MODE + }; + policyA.emplace_back(infoParentA); + policyA.emplace_back(infoParentB); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + std::vector policyB; + policyB.emplace_back(infoParentA); + policyB.emplace_back(infoParentB); + policyB.emplace_back(infoParentC); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result)); + ASSERT_EQ(3, result.size()); + EXPECT_TRUE(result[0]); + EXPECT_TRUE(result[1]); + EXPECT_FALSE(result[2]); +} + +/** + * @tc.name: CheckPolicyTest006 + * @tc.desc: Check allowed policy with invalid tokenID + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CheckPolicyTest006, TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + ASSERT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(INVALID_TOKENID, policy, result)); + EXPECT_EQ(0, result.size()); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_selfTokenId, policy, result)); + EXPECT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0])); +} + +/** + * @tc.name: CheckPolicyTest007 + * @tc.desc: Check allowed policy with invalid policy + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CheckPolicyTest007, TestSize.Level1) +{ + std::vector policyA; + std::vector result; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE + }; + policyA.emplace_back(infoParent); + for (int i = 0; i < 500; i++) { + policyA.emplace_back(infoParent); + } + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result)); + EXPECT_EQ(0, result.size()); + + PolicyInfo infoParent1 = { + .path = "/data/log", + .mode = OperateMode::READ_MODE + }; + for (int i = 0; i < 100; i++) { + infoParent1.path += "/data/log"; + } + std::vector policyB; + policyB.emplace_back(infoParent1); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result)); + EXPECT_EQ(0, result.size()); + + std::vector policyC; + infoParent.mode = 0; + policyC.emplace_back(infoParent); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(g_mockToken, policyC, result)); + EXPECT_EQ(0, result.size()); + + std::vector policyD; + // err mode number + infoParent.mode = OperateMode::WRITE_MODE + OperateMode::WRITE_MODE; + policyD.emplace_back(infoParent); + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(g_mockToken, policyD, result)); + EXPECT_EQ(0, result.size()); +} + +/** + * @tc.name: UnSetPolicyTest001 + * @tc.desc: Unset policy with invalid tokenID + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, UnSetPolicyTest001, TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnSetPolicy(INVALID_TOKENID, policy[0])); +#ifdef MAC_ENABLE + EXPECT_EQ(SandboxManagerErrCode::SANDBOX_MANAGER_MAC_ADAPTER_ERR, + SandboxManagerKit::UnSetPolicy(g_selfTokenId, policy[0])); +#else + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_selfTokenId, policy[0])); +#endif + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0])); +} + +/** + * @tc.name: UnSetPolicyTest002 + * @tc.desc: Unset allowed policy + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, UnSetPolicyTest002, TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + std::vector retType; + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0])); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::StartAccessingPolicy(policy, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0])); +} + +/** + * @tc.name: UnSetPolicyTest003 + * @tc.desc: Unset parent policy + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, UnSetPolicyTest003, TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + infoParent.path = "/data"; + std::vector policyB; + policyB.emplace_back(infoParent); +#ifdef MAC_ENABLE + EXPECT_EQ(SandboxManagerErrCode::SANDBOX_MANAGER_MAC_ADAPTER_ERR, + SandboxManagerKit::UnSetPolicy(g_mockToken, policyB[0])); +#else + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyB[0])); +#endif + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0])); +} + +/** + * @tc.name: UnSetPolicyTest004 + * @tc.desc: Unset policy without permission + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, UnSetPolicyTest004 , TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + ASSERT_EQ(0, SetSelfTokenID(g_selfTokenId)); + EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0])); + ASSERT_EQ(0, SetSelfTokenID(g_mockToken)); + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0])); +} + +/** + * @tc.name: PolicyAsyncTest001 + * @tc.desc: Set/Unset policy with invalid tokenID + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, PolicyAsyncTest001, TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::SetPolicyAsync(INVALID_TOKENID, policy, policyFlag)); + + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, + SandboxManagerKit::UnSetPolicyAsync(INVALID_TOKENID, policy[0])); + +#ifdef MAC_ENABLE + EXPECT_EQ(SandboxManagerErrCode::SANDBOX_MANAGER_MAC_ADAPTER_ERR, + SandboxManagerKit::SetPolicyAsync(g_selfTokenId, policy, policyFlag)); + EXPECT_EQ(SandboxManagerErrCode::SANDBOX_MANAGER_MAC_ADAPTER_ERR, + SandboxManagerKit::UnSetPolicyAsync(g_selfTokenId, policy[0])); +#else + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicyAsync(g_selfTokenId, policy, policyFlag)); + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicyAsync(g_selfTokenId, policy[0])); +#endif +} + +/** + * @tc.name: PolicyAsyncTest002 + * @tc.desc: Set/Unset allowed policy + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, PolicyAsyncTest002, TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicyAsync(g_mockToken, policy, policyFlag)); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + std::vector retType; + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicyAsync(g_mockToken, policy[0])); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::StartAccessingPolicy(policy, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicyAsync(g_mockToken, policy[0])); +} + +/** + * @tc.name: PolicyAsyncTest003 + * @tc.desc: Set/UnSet parent policy + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, PolicyAsyncTest003, TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicyAsync(g_mockToken, policy, policyFlag)); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + infoParent.path = "/data"; + std::vector policyB; + policyB.emplace_back(infoParent); +#ifdef MAC_ENABLE + EXPECT_EQ(SandboxManagerErrCode::SANDBOX_MANAGER_MAC_ADAPTER_ERR, + SandboxManagerKit::UnSetPolicyAsync(g_mockToken, policyB[0])); +#endif + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicyAsync(g_mockToken, policyB[0])); +} + +/** + * @tc.name: PolicyAsyncTest004 + * @tc.desc: Set/UnSet policy without permission + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, PolicyAsyncTest004 , TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicyAsync(g_mockToken, policy, policyFlag)); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + ASSERT_EQ(0, SetSelfTokenID(g_selfTokenId)); + ASSERT_EQ(PERMISSION_DENIED, SandboxManagerKit::SetPolicyAsync(g_mockToken, policy, policyFlag)); + EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::UnSetPolicyAsync(g_mockToken, policy[0])); + ASSERT_EQ(0, SetSelfTokenID(g_mockToken)); + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicyAsync(g_mockToken, policy[0])); +} + +/** + * @tc.name: CleanPersistPolicyByPathTest001 + * @tc.desc: Clean persist policy by path + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CleanPersistPolicyByPathTest001, TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + std::vector retType; + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + std::vector filePaths; + filePaths.emplace_back(infoParent.path); + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CleanPersistPolicyByPath(filePaths)); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); +} + +/** + * @tc.name: CleanPersistPolicyByPathTest002 + * @tc.desc: Clean child persist policy by path + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CleanPersistPolicyByPathTest002, TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + std::vector retType; + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + infoParent.path = "/data/log/hilog"; + std::vector policyB; + policyB.emplace_back(infoParent); + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policyB, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + std::vector filePaths; + infoParent.path = "/data/log"; + filePaths.emplace_back(infoParent.path); + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CleanPersistPolicyByPath(filePaths)); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policyB, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); +} + +/** + * @tc.name: CleanPersistPolicyByPathTest003 + * @tc.desc: Clean child persist policy by path + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CleanPersistPolicyByPathTest003, TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + std::vector retType; + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + infoParent.path = "/data/log/hilog"; + std::vector policyB; + policyB.emplace_back(infoParent); + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policyB, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + std::vector filePaths; + filePaths.emplace_back(infoParent.path); + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CleanPersistPolicyByPath(filePaths)); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policyB, result)); + ASSERT_EQ(1, result.size()); + EXPECT_FALSE(result[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); +} + +/** + * @tc.name: CleanPersistPolicyByPathTest004 + * @tc.desc: Clean persist policy by path with invalid path + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CleanPersistPolicyByPathTest004, TestSize.Level1) +{ + std::string filePath = "/data/log"; + std::vector filePaths; + for (int i = 0; i < 500; i++) { + filePaths.emplace_back(filePath); + } + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CleanPersistPolicyByPath(filePaths)); +} + +/** + * @tc.name: CleanPersistPolicyByPathTest005 + * @tc.desc: Clean persist policy by path with invalid path + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, CleanPersistPolicyByPathTest005, TestSize.Level1) +{ + std::vector policy; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParent = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policy.emplace_back(infoParent); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + std::vector retType; + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + ASSERT_EQ(0, SetSelfTokenID(g_selfTokenId)); + std::vector filePaths; + filePaths.emplace_back(infoParent.path); + EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::CleanPersistPolicyByPath(filePaths)); + ASSERT_EQ(0, SetSelfTokenID(g_mockToken)); + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CleanPersistPolicyByPath(filePaths)); +} + +/** + * @tc.name: StartAccessingByTokenIdTest001 + * @tc.desc: Start accessing by invalid tokenId + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, StartAccessingByTokenIdTest001, TestSize.Level1) +{ + EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::StartAccessingByTokenId(0)); +} + +/** + * @tc.name: StartAccessingByTokenIdTest002 + * @tc.desc: Start accessing without permission + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, StartAccessingByTokenIdTest002, TestSize.Level1) +{ + ASSERT_EQ(0, SetSelfTokenID(g_selfTokenId)); + EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::StartAccessingByTokenId(0)); +} + +/** + * @tc.name: StartAccessingByTokenIdTest003 + * @tc.desc: Start accessing by tokenID + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SandboxManagerKitTest, StartAccessingByTokenIdTest003, TestSize.Level1) +{ + std::vector policyA; + uint64_t policyFlag = 1; + std::vector policyResult; + PolicyInfo infoParentA = { + .path = "/data/log", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policyA.emplace_back(infoParentA); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector policyB; + PolicyInfo infoParentB = { + .path = "/system/usr", + .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE + }; + policyB.emplace_back(infoParentB); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyB, policyFlag, policyResult)); + ASSERT_EQ(1, policyResult.size()); + EXPECT_TRUE(policyResult[0]); + + std::vector result; + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + Security::AccessToken::AccessTokenID tokenID = + Security::AccessToken::AccessTokenKit::GetNativeTokenId("foundation"); + EXPECT_NE(0, tokenID); + EXPECT_EQ(0, SetSelfTokenID(tokenID)); + + std::vector retType; + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policyA, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + ASSERT_EQ(0, SetSelfTokenID(g_selfTokenId)); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policyB, retType)); + ASSERT_EQ(1, retType.size()); + EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyA[0])); + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyB[0])); + + EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::StartAccessingByTokenId(g_mockToken)); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policyA, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); + ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policyB, result)); + ASSERT_EQ(1, result.size()); + EXPECT_TRUE(result[0]); +} +} // SandboxManager +} // AccessControl } // OHOS \ No newline at end of file diff --git a/sandbox_manager.gni b/sandbox_manager.gni index c4d52ec09609e18d464fa517a17c705fb4493da2..3aa1257108fb798b71d5d4f4f0dce9618a5cb686 100644 --- a/sandbox_manager.gni +++ b/sandbox_manager.gni @@ -16,3 +16,7 @@ module_output_path_interface_sandbox = "sandbox_manager/interface/" module_output_path_service_sandbox = "sandbox_manager/service" + +declare_args() { + sandbox_manager_mac_enable = true +} \ No newline at end of file diff --git a/services/sandbox_manager/BUILD.gn b/services/sandbox_manager/BUILD.gn index 8fe24a3d8079de539e25548ef14af9e6e1a70cd1..e45cb7d38ab94866f703066040f4c0fef290ee46 100644 --- a/services/sandbox_manager/BUILD.gn +++ b/services/sandbox_manager/BUILD.gn @@ -57,6 +57,12 @@ if (is_standard_system) { cflags_cc = [ "-DHILOG_ENABLE" ] + if (sandbox_manager_mac_enable) { + sources += [ "main/cpp/src/mac/mac_adapter.cpp" ] + include_dirs += [ "main/cpp/include/mac" ] + cflags_cc += [ "-DMAC_ENABLE" ] + } + configs = [ "${sandbox_manager_path}/config:coverage_flags" ] deps = [ diff --git a/services/sandbox_manager/main/cpp/include/database/sandbox_manager_db.h b/services/sandbox_manager/main/cpp/include/database/sandbox_manager_db.h index 8494dc90cd5ee14b060f8bcff8072c37cfbdaa39..40916f2c59d542fec912ff1b9a15b7da8ecf9d44 100644 --- a/services/sandbox_manager/main/cpp/include/database/sandbox_manager_db.h +++ b/services/sandbox_manager/main/cpp/include/database/sandbox_manager_db.h @@ -51,6 +51,7 @@ public: int32_t Modify(const DataType type, const GenericValues &modifyValues, const GenericValues &conditions); + int32_t FindSubPath(const DataType type, const std::string& filePath, std::vector& results); int32_t Find(const DataType type, const GenericValues &conditions, const GenericValues &symbols, std::vector &results); diff --git a/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h b/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h new file mode 100644 index 0000000000000000000000000000000000000000..800199ffde998e0601342021b68fe5472ef3fbaf --- /dev/null +++ b/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h @@ -0,0 +1,45 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef SANDBOX_MANAGER_MAC_ADAPTER_H +#define SANDBOX_MANAGER_MAC_ADAPTER_H + +#include +#include "policy_info.h" + +namespace OHOS { +namespace AccessControl { +namespace SandboxManager { +class MacAdapter { +public: + explicit MacAdapter(); + virtual ~MacAdapter(); + bool Init(); + + int32_t SetSandboxPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result); + int32_t UnSetSandboxPolicy(uint64_t tokenId, const PolicyInfo &policy); + int32_t UnSetSandboxPolicy(uint64_t tokenId, const std::vector &policy, std::vector &result); + int32_t QuerySandboxPolicy(uint64_t tokenId, const std::vector &policy, std::vector &result); + int32_t CheckSandboxPolicy(uint64_t tokenId, const std::vector &policy, std::vector &result); + int32_t DestroySandboxPolicy(uint64_t tokenId); + +private: + int32_t fd_ = -1; +}; +} // namespace SandboxManager +} // namespace AccessControl +} // namespace OHOS +#endif // SANDBOX_MANAGER_MAC_ADAPTER_H \ No newline at end of file diff --git a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h index 7ed3a1fef04d6fc6bf7347a7913af87cdb480c38..01681d4f7f2c428fab5be04fd7888ba337f3d062 100644 --- a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h +++ b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h @@ -19,6 +19,9 @@ #include #include #include +#ifdef MAC_ENABLE +#include "mac_adapter.h" +#endif #include "generic_values.h" #include "policy_info.h" @@ -31,7 +34,13 @@ public: static PolicyInfoManager &GetInstance(); PolicyInfoManager() = default; virtual ~PolicyInfoManager() = default; - void Init(); + bool Init(); + /** + * @brief Clear the persistence policy + * @param policy vector of string, file path + * @return SANDBOX_MANAGER_OK + */ + int32_t CleanPersistPolicyByPath(const std::vector& filePaths); /** * @brief Insert policys to database * @param tokenId token id of the object @@ -67,14 +76,73 @@ public: * / SANDBOX_MANAGER_DB_RETURN_EMPTY */ int32_t RemovePolicy(const uint64_t tokenId, const std::vector &policy, std::vector &result); + /** + * @brief set policies of a certain tokenId + * @param tokenId token id of the object + * @param policy vector of PolicyInfo, see policy_info.h + * @param result set result of each policy + * @return SANDBOX_MANAGER_MAC_ADAPTER_ERR / SANDBOX_MANAGER_OK + */ + int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result); + /** + * @brief unset policies of a certain tokenId + * @param tokenId token id of the object + * @param policy PolicyInfo, see policy_info.h + * @return SANDBOX_MANAGER_MAC_ADAPTER_ERR / SANDBOX_MANAGER_OK + */ + int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy); + /** + * @brief check policies of a certain tokenId + * @param tokenId token id of the object + * @param policy vector of PolicyInfo, see policy_info.h + * @param result check result of each policy + * @return SANDBOX_MANAGER_MAC_ADAPTER_ERR / SANDBOX_MANAGER_OK + */ + int32_t CheckPolicy(uint64_t tokenId, const std::vector &policy, std::vector &result); /** * @brief remove all policys of a certain tokenId (bundle) * @param tokenId token id of the object * @return bool */ bool RemoveBundlePolicy(const uint64_t tokenId); - + /** + * @brief activate all policys of input token that flag = 1 + * @param tokenId token id of the object + * @return int32_t + */ + int32_t StartAccessingByTokenId(const uint64_t tokenId); + /** + * @brief activate input persist policys + * @param tokenId token id of the object + * @param policy vector of PolicyInfo, see policy_info.h + * @param result remove result of each policy + * @return int32_t + */ + int32_t StartAccessingPolicy( + const uint64_t tokenId, const std::vector &policy, std::vector &results); + /** + * @brief deactivate input persist policys + * @param tokenId token id of the object + * @param policy vector of PolicyInfo, see policy_info.h + * @param result remove result of each policy + * @return int32_t + */ + int32_t StopAccessingPolicy( + const uint64_t tokenId, const std::vector &policy, std::vector &results); + /** + * @brief deactivate all policys with given tokenid + * @param tokenId token id of the object + * @return int32_t + */ + int32_t UnSetAllPolicyByToken(const uint64_t tokenId); private: + /** + * @brief Clean policy list on MAC + * @param GenericValues vector + */ + void CleanPolicyOnMac(const std::vector& results); + /** * @brief find a record with same token and policy path (mode not inclued) * @param tokenId token id of the object @@ -100,6 +168,15 @@ private: * @return */ void TransferPolicyToGeneric(const uint64_t tokenId, const PolicyInfo &policy, GenericValues &generic); + + /** + * @brief transfer a GenericValues and token to policy style + * @param tokenId token id of the object + * @param policy input GenericValues + * @param generic transfer result + * @return + */ + void TransferGenericToPolicy(const GenericValues &generic, uint64_t& tokenId, PolicyInfo &policy); /** * @brief cal depth of a given path string * @param path path of file system @@ -128,6 +205,31 @@ private: * @return INVALID_PATH / INVALID_MODE / SANDBOX_MANAGER_OK */ int32_t CheckPolicyValidity(const PolicyInfo &policy); + /** + * @brief check policy validity in batch + * @param policy input policy, see policy_info.h + * @param result output result + * @param passIndex index of policy which is valid + * @return + */ + void CheckPolicyValidityInBatch( + const std::vector &policy, std::vector &results, std::vector &passIndex); + /** + * @brief AddToDatabaseIfNotDuplicate by remove deplicate records + * @param tokenId token id of the object + * @param policy input policy, see policy_info.h + * @param result output result + * @param passIndex index of policy which is valid + * @param flag persist flag + * @return + */ + int32_t AddToDatabaseIfNotDuplicate(const uint64_t tokenId, + const std::vector &policy, const std::vector &passIndex, + std::vector &results, const uint32_t flag); +private: +#ifdef MAC_ENABLE + MacAdapter macAdapter_; +#endif }; } // namespace SandboxManager } // namespace AccessControl diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h index 2912e47905dffdbf0b63e1e49f70203826396e61..b44c5063267a5988e41ea4dab9855743a43e3272 100644 --- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h +++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h @@ -31,6 +31,7 @@ const std::string SET_POLICY_PERMISSION_NAME = "ohos.permission.SET_SANDBOX_POLI const std::string ACCESS_PERSIST_PERMISSION_NAME = "ohos.permission.FILE_ACCESS_PERSIST"; const uint32_t POLICY_VECTOR_SIZE_LIMIT = 500; +const int32_t FOUNDATION_UID = 5523; } // namespace SandboxManager } // namespace AccessControl } // namespace OHOS diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h index 5a34ed3fa0305e467bd21d9920fd99cc7e0a9985..d69b132d7b374b6a2b45d5b4263f36a67bc43013 100644 --- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h +++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h @@ -41,17 +41,25 @@ public: void OnStop() override; void OnStart(const SystemAbilityOnDemandReason& startReason) override; + int32_t CleanPersistPolicyByPath(const std::vector& filePaths) override; int32_t PersistPolicy(const std::vector &policy, std::vector &result) override; int32_t UnPersistPolicy(const std::vector &policy, std::vector &result) override; int32_t PersistPolicyByTokenId( uint64_t tokenId, const std::vector &policy, std::vector &result) override; int32_t UnPersistPolicyByTokenId( uint64_t tokenId, const std::vector &policy, std::vector &result) override; - int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) override; + int32_t SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result) override; + int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy) override; + int32_t SetPolicyAsync(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) override; + int32_t UnSetPolicyAsync(uint64_t tokenId, const PolicyInfo &policy) override; + int32_t CheckPolicy(uint64_t tokenId, const std::vector &policy, std::vector &result) override; int32_t StartAccessingPolicy(const std::vector &policy, std::vector &result) override; int32_t StopAccessingPolicy(const std::vector &policy, std::vector &result) override; int32_t CheckPersistPolicy( uint64_t tokenId, const std::vector &policy, std::vector &result) override; + int32_t StartAccessingByTokenId(uint64_t tokenId) override; + int32_t UnSetAllPolicyByToken(uint64_t tokenId) override; void onRemovePackage(uint64_t tokenId); void DelayUnloadService() override; diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h index 97d01919b238a32f968ebe75af857d14bc528ca7..86c72731475555d9b60f22ed367c832ccdb30f96 100644 --- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h +++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h @@ -36,20 +36,29 @@ public: virtual void DelayUnloadService() = 0; private: + void CleanPersistPolicyByPathInner(MessageParcel &data, MessageParcel &reply); void PersistPolicyInner(MessageParcel &data, MessageParcel &reply); void UnPersistPolicyInner(MessageParcel &data, MessageParcel &reply); void PersistPolicyByTokenIdInner(MessageParcel &data, MessageParcel &reply); void UnPersistPolicyByTokenIdInner(MessageParcel &data, MessageParcel &reply); void SetPolicyInner(MessageParcel &data, MessageParcel &reply); + void UnSetPolicyInner(MessageParcel &data, MessageParcel &reply); + void SetPolicyAsyncInner(MessageParcel &data, MessageParcel &reply); + void UnSetPolicyAsyncInner(MessageParcel &data, MessageParcel &reply); + void CheckPolicyInner(MessageParcel &data, MessageParcel &reply); void StartAccessingPolicyInner(MessageParcel &data, MessageParcel &reply); void StopAccessingPolicyInner(MessageParcel &data, MessageParcel &reply); void CheckPersistPolicyInner(MessageParcel &data, MessageParcel &reply); + void StartAccessingByTokenIdInner(MessageParcel &data, MessageParcel &reply); + void UnSetAllPolicyByTokenInner(MessageParcel &data, MessageParcel &reply); void SetPolicyOpFuncInMap(); bool CheckPermission(const uint64_t tokenId, const std::string &permission); + bool IsFileManagerCalling(const uint32_t tokenCaller); using RequestFuncType = void (SandboxManagerStub::*)(MessageParcel &data, MessageParcel &reply); std::map requestFuncMap_; + uint32_t tokenFileManagerId_ = 0; }; } // namespace SandboxManager } // namespace AccessControl diff --git a/services/sandbox_manager/main/cpp/src/database/sandbox_manager_db.cpp b/services/sandbox_manager/main/cpp/src/database/sandbox_manager_db.cpp index 6b46ee3d72c2d6771abaf51dc82ae1a87d8bb799..527a080b8065b32738fe25b0e9460c9c44bde516 100644 --- a/services/sandbox_manager/main/cpp/src/database/sandbox_manager_db.cpp +++ b/services/sandbox_manager/main/cpp/src/database/sandbox_manager_db.cpp @@ -16,6 +16,7 @@ #include "sandbox_manager_db.h" #include +#include #include "policy_field_const.h" #include "sandbox_manager_log.h" @@ -128,6 +129,29 @@ int32_t SandboxManagerDb::Modify(const DataType type, const GenericValues& modif return (ret == Statement::State::DONE) ? SUCCESS : FAILURE; } +int32_t SandboxManagerDb::FindSubPath( + const DataType type, const std::string& filePath, std::vector& results) +{ + OHOS::Utils::UniqueReadGuard lock(this->rwLock_); + auto it = dataTypeToSqlTable_.find(type); + if (it == dataTypeToSqlTable_.end()) { + return FAILURE; + } + std::string sql = "select * from " + it->second.tableName_ + " where " + PolicyFiledConst::FIELD_PATH + + " like " + filePath + "/%" + "or" + PolicyFiledConst::FIELD_PATH + "=" + filePath; + auto statement = Prepare(sql); + + while (statement.Step() == Statement::State::ROW) { + int columnCount = statement.GetColumnCount(); + GenericValues value; + for (int i = 0; i < columnCount; i++) { + value.Put(statement.GetColumnName(i), statement.GetValue(i, false)); + } + results.emplace_back(value); + } + return SUCCESS; +} + int32_t SandboxManagerDb::Find(const DataType type, const GenericValues& conditions, const GenericValues& symbols, std::vector& results) { diff --git a/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp b/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp new file mode 100644 index 0000000000000000000000000000000000000000..6df234ca3d2bcd9127af6b03f8b0b149f7212fce --- /dev/null +++ b/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp @@ -0,0 +1,285 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "mac_adapter.h" +#include +#include +#include +#include +#include +#include +#include "sandbox_manager_err_code.h" +#include "sandbox_manager_log.h" + +namespace OHOS { +namespace AccessControl { +namespace SandboxManager { +static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = { + LOG_CORE, ACCESSCONTROL_DOMAIN_SANDBOXMANAGER, "SandboxManagerMacAdapter" +}; + +constexpr const char* DEV_NODE = "/dev/dec"; +const size_t MAX_POLICY_NUM = 32; + +struct PathInfo { + char *path = nullptr; + uint32_t pathLen = 0; + uint32_t mode = 0; + bool result = false; +}; + +struct SandboxPolicyInfo { + uint64_t tokenId = 0; + struct PathInfo pathInfos[MAX_POLICY_NUM]; + uint32_t pathNum = 0; + bool persist = false; +}; + +#define SANDBOX_IOCTL_BASE 's' +#define SET_POLICY 1 +#define UN_SET_POLICY 2 +#define QUERY_POLICY 3 +#define CHECK_POLICY 4 +#define DESTROY_POLICY 5 + +#define SET_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, SET_POLICY, struct SandboxPolicyInfo) +#define UN_SET_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, UN_SET_POLICY, struct SandboxPolicyInfo) +#define QUERY_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, QUERY_POLICY, struct SandboxPolicyInfo) +#define CHECK_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, CHECK_POLICY, struct SandboxPolicyInfo) +#define DESTROY_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, DESTROY_POLICY, uint64_t) + +MacAdapter::MacAdapter() {} + +MacAdapter::~MacAdapter() +{ + if (fd_ >= 0) { + close(fd_); + fd_ = -1; + } +} + +bool MacAdapter::Init() +{ + fd_ = open(DEV_NODE, O_RDWR); + if (fd_ < 0) { + SANDBOXMANAGER_LOG_INFO(LABEL, "Open node failed, errno=%{public}d.", errno); + return false; + } + return true; +} + +int32_t MacAdapter::SetSandboxPolicy(uint64_t tokenId, const std::vector &policy, + uint64_t policyFlag, std::vector &result) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_ADAPTER_ERR; + } + + size_t policyNum = policy.size(); + + for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) { + size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset); + + struct SandboxPolicyInfo info; + info.tokenId = tokenId; + info.pathNum = curBatchSize; + info.persist = policyFlag == 1 ? true : false; + + for (size_t i = 0; i < curBatchSize; ++i) { + info.pathInfos[i].path = const_cast(policy[offset + i].path.c_str()); + info.pathInfos[i].pathLen = policy[offset + i].path.length(); + info.pathInfos[i].mode = policy[offset + i].mode; + } + + if (ioctl(fd_, SET_POLICY_CMD, &info) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Set policy failed at batch %{public}zu, errno=%{public}d.", + offset / MAX_POLICY_NUM, errno); + } + for (size_t i = 0; i < curBatchSize; ++i) { + result[offset + i] = info.pathInfos[i].result ? SANDBOX_MANAGER_OK : SANDBOX_MANAGER_MAC_ADAPTER_ERR; + } + } + uint32_t failCount = + std::count_if(result.begin(), result.end(), [](uint32_t res) { return res != SANDBOX_MANAGER_OK; }); + if (failCount > 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Set policy failed, failCount=%{public}u.", failCount); + } + return SANDBOX_MANAGER_OK; +} + +int32_t MacAdapter::QuerySandboxPolicy(uint64_t tokenId, const std::vector &policy, + std::vector &result) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_ADAPTER_ERR; + } + + result.clear(); + + size_t policyNum = policy.size(); + + for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) { + size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset); + + struct SandboxPolicyInfo info; + info.tokenId = tokenId; + info.pathNum = curBatchSize; + + for (size_t i = 0; i < curBatchSize; ++i) { + info.pathInfos[i].path = const_cast(policy[offset + i].path.c_str()); + info.pathInfos[i].pathLen = policy[offset + i].path.length(); + info.pathInfos[i].mode = policy[offset + i].mode; + } + + if (ioctl(fd_, QUERY_POLICY_CMD, &info) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Query policy failed at batch %{public}zu, errno=%{public}d.", + offset / MAX_POLICY_NUM, errno); + } + for (size_t i = 0; i < curBatchSize; ++i) { + result[offset + i] = info.pathInfos[i].result; + } + } + + uint32_t failCount = std::count(result.begin(), result.end(), false); + if (failCount > 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Query policy failed, failCount=%{public}u.", failCount); + } + return failCount == 0 ? SANDBOX_MANAGER_OK : SANDBOX_MANAGER_MAC_ADAPTER_ERR; +} + +int32_t MacAdapter::CheckSandboxPolicy(uint64_t tokenId, const std::vector &policy, + std::vector &result) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_ADAPTER_ERR; + } + + result.clear(); + + size_t policyNum = policy.size(); + + for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) { + size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset); + + struct SandboxPolicyInfo info; + info.tokenId = tokenId; + info.pathNum = curBatchSize; + + for (size_t i = 0; i < curBatchSize; ++i) { + info.pathInfos[i].path = const_cast(policy[offset + i].path.c_str()); + info.pathInfos[i].pathLen = policy[offset + i].path.length(); + info.pathInfos[i].mode = policy[offset + i].mode; + } + + if (ioctl(fd_, CHECK_POLICY_CMD, &info) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy failed at batch %{public}zu, errno=%{public}d.", + offset / MAX_POLICY_NUM, errno); + } + for (size_t i = 0; i < curBatchSize; ++i) { + result[offset + i] = info.pathInfos[i].result; + } + } + + uint32_t failCount = std::count(result.begin(), result.end(), false); + if (failCount > 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy failed, failCount=%{public}u.", failCount); + } + return failCount == 0 ? SANDBOX_MANAGER_OK : SANDBOX_MANAGER_MAC_ADAPTER_ERR; +} + +int32_t MacAdapter::UnSetSandboxPolicy(uint64_t tokenId, const std::vector &policy, + std::vector &result) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_ADAPTER_ERR; + } + + result.clear(); + + size_t policyNum = policy.size(); + + for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) { + size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset); + + struct SandboxPolicyInfo info; + info.tokenId = tokenId; + info.pathNum = curBatchSize; + + for (size_t i = 0; i < curBatchSize; ++i) { + info.pathInfos[i].path = const_cast(policy[offset + i].path.c_str()); + info.pathInfos[i].pathLen = policy[offset + i].path.length(); + info.pathInfos[i].mode = policy[offset + i].mode; + } + + if (ioctl(fd_, UN_SET_POLICY_CMD, &info) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Unset policy failed at batch %{public}zu, errno=%{public}d.", + offset / MAX_POLICY_NUM, errno); + } + for (size_t i = 0; i < curBatchSize; ++i) { + result[offset + i] = info.pathInfos[i].result; + } + } + + uint32_t failCount = std::count(result.begin(), result.end(), false); + if (failCount > 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Unset policy failed, failCount=%{public}u.", failCount); + } + return failCount == 0 ? SANDBOX_MANAGER_OK : SANDBOX_MANAGER_MAC_ADAPTER_ERR; +} + +int32_t MacAdapter::UnSetSandboxPolicy(uint64_t tokenId, const PolicyInfo &policy) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_ADAPTER_ERR; + } + + struct SandboxPolicyInfo info; + info.tokenId = tokenId; + info.pathNum = 1; + + info.pathInfos[0].path = const_cast(policy.path.c_str()); + info.pathInfos[0].pathLen = policy.path.length(); + info.pathInfos[0].mode = policy.mode; + + if (ioctl(fd_, UN_SET_POLICY_CMD, &info) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Unset policy failed, errno=%{public}d.", errno); + return SANDBOX_MANAGER_MAC_ADAPTER_ERR; + } + + return info.pathInfos[0].result ? SANDBOX_MANAGER_OK : SANDBOX_MANAGER_MAC_ADAPTER_ERR; +} + +int32_t MacAdapter::DestroySandboxPolicy(uint64_t tokenId) +{ + if (fd_ < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet."); + return SANDBOX_MANAGER_MAC_ADAPTER_ERR; + } + + if (ioctl(fd_, DESTROY_POLICY_CMD, &tokenId) < 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Destroy policy failed, errno=%{public}d.", errno); + return SANDBOX_MANAGER_MAC_ADAPTER_ERR; + } + + return SANDBOX_MANAGER_OK; +} +} // namespace SandboxManager +} // namespace AccessControl +} // namespace OHOS \ No newline at end of file diff --git a/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp b/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp index 6b26eac47aa7472e9a06d42d4fd476af74e4f73a..8b93823b0f1d5a057b9fc9b9f05f04058e98c890 100644 --- a/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp +++ b/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp @@ -42,6 +42,7 @@ bool SandboxManagerCommonEventSubscriber::RegisterEvent() auto skill = std::make_shared(); skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED); skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED); + skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_DATA_CLEARED); EventFwk::CommonEventSubscribeInfo subscribeInfo(*skill); auto info = std::make_shared(*skill); g_subscriber = std::make_shared(*info); @@ -74,7 +75,8 @@ void SandboxManagerCommonEventSubscriber::OnReceiveEvent(const EventFwk::CommonE std::string action = want.GetAction(); SANDBOXMANAGER_LOG_INFO(LABEL, "Receive event = %{public}s.", action.c_str()); if (action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED || - action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED) { + action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED || + action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_DATA_CLEARED) { uint64_t tokenId = static_cast(want.GetParams().GetIntParam("accessTokenId", 0)); if (tokenId == 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Error tokenid = %{public}" PRIu64".", tokenId); diff --git a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp index b1b23f3c2c4b852b63322f633ed0b3ef3a15c642..a3bd952342f49e8812c4f568519fe9e3738d2e3b 100644 --- a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp +++ b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp @@ -15,9 +15,13 @@ #include "policy_info_manager.h" +#include #include +#include #include +#include #include +#include #include #include "accesstoken_kit.h" #include "generic_values.h" @@ -43,52 +47,130 @@ PolicyInfoManager &PolicyInfoManager::GetInstance() return instance; } -void PolicyInfoManager::Init() +bool PolicyInfoManager::Init() { SandboxManagerDb::GetInstance(); +#ifdef MAC_ENABLE + if (!macAdapter_.Init()) { + return false; + } +#endif + return true; } -int32_t PolicyInfoManager::AddPolicy(const uint64_t tokenId, const std::vector &policy, - std::vector &result, const uint32_t flag) +void PolicyInfoManager::CleanPolicyOnMac(const std::vector& results) { - uint64_t policySize = policy.size(); - if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { - return INVALID_PARAMTER; - } - result.resize(policySize); - - for (size_t i = 0; i < policySize; i++) { - int32_t checkPolicyRet = CheckPolicyValidity(policy[i]); - if (checkPolicyRet != SANDBOX_MANAGER_OK) { - result[i] = static_cast(checkPolicyRet); - continue; - } - // find duplicate record (have same tokenId, path), delete it - PolicyInfo findresult; - int32_t exactFindRet = ExactFind(tokenId, policy[i], findresult); - if (exactFindRet == SANDBOX_MANAGER_DB_ERR) { - return SANDBOX_MANAGER_DB_ERR; +#ifdef MAC_ENABLE + std::map> allPersistPolic; + for (auto& res : results) { + uint64_t tokenId; + PolicyInfo policy; + TransferGenericToPolicy(res, tokenId, policy); + auto it = allPersistPolic.find(tokenId); + if (it == allPersistPolic.end()) { + std::vector polcys; + polcys.emplace_back(policy); + allPersistPolic.insert(std::make_pair(tokenId, polcys)); + } else { + it->second.emplace_back(policy); } + } - if (exactFindRet == SANDBOX_MANAGER_OK && findresult.mode == policy[i].mode) { - result[i] = SandboxRetType::OPERATE_SUCCESSFULLY; + for (auto it : allPersistPolic) { + std::vector result; + int32_t count = 0; + macAdapter_.UnSetSandboxPolicy(it.first, it.second, result); + for (bool res : result) { + if (!res) { + ++count; + } + } + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac UnSetSandboxPolicy size = %{public}zu, fail size = %{public}d.", + it.second.size(), count); + } +#else + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); +#endif +} +int32_t PolicyInfoManager::CleanPersistPolicyByPath(const std::vector& filePaths) +{ + //Gets the persistence policy to be cleaned up + std::vector results; + for (std::string path : filePaths) { + uint32_t length = path.length(); + if (length == 0 || length > POLICY_PATH_LIMIT) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy path check fail: %{public}s.", path.c_str()); continue; } + std::string pathTmp = AdjustPath(path); + SandboxManagerDb::GetInstance().FindSubPath( + SandboxManagerDb::SANDBOX_MANAGER_PERSISTED_POLICY, pathTmp, results); + } + if (results.empty()) { + SANDBOXMANAGER_LOG_INFO(LABEL, "No deleted persistence policy was found."); + return SANDBOX_MANAGER_OK; + } - GenericValues addRecord; - TransferPolicyToGeneric(tokenId, policy[i], addRecord); - addRecord.Put(PolicyFiledConst::FIELD_FLAG, static_cast(flag)); + //clean MAC + CleanPolicyOnMac(results); - std::vector recordVec = {addRecord}; - int32_t ret = SandboxManagerDb::GetInstance().Add( - SandboxManagerDb::SANDBOX_MANAGER_PERSISTED_POLICY, recordVec); + //clear the persistence policy + for (auto& res: results) { + int32_t ret = SandboxManagerDb::GetInstance().Remove( + SandboxManagerDb::SANDBOX_MANAGER_PERSISTED_POLICY, res); if (ret != SandboxManagerDb::SUCCESS) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "database operate error"); - return SANDBOX_MANAGER_DB_ERR; + SANDBOXMANAGER_LOG_ERROR(LABEL, "%{public}s delete fail!", + res.GetString(PolicyFiledConst::FIELD_PATH).c_str()); + } + } + return SANDBOX_MANAGER_OK; +} + +int32_t PolicyInfoManager::AddPolicy(const uint64_t tokenId, const std::vector &policy, + std::vector &result, const uint32_t flag) +{ +#ifdef MAC_ENABLE + size_t policySize = policy.size(); + if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { + return INVALID_PARAMTER; + } + result.resize(policySize); + // check validity + std::vector queryPolicyIndex; + CheckPolicyValidityInBatch(policy, result, queryPolicyIndex); + // query mac kernel + size_t queryPolicyIndexSize = queryPolicyIndex.size(); + std::vector queryResults(queryPolicyIndexSize); + std::vector queryPolicys(queryPolicyIndexSize); + std::transform(queryPolicyIndex.begin(), queryPolicyIndex.end(), + queryPolicys.begin(), [policy](const size_t index) { return policy[index]; }); + int32_t ret = macAdapter_.QuerySandboxPolicy(tokenId, queryPolicys, queryResults); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter query error."); + result.clear(); + return ret; + } + // add to database + std::vector addPolicyGeneric; + std::vector addPolicyIndex; + for (size_t i = 0; i < queryPolicyIndexSize; i++) { + if (queryResults[i]) { + addPolicyIndex.emplace_back(queryPolicyIndex[i]); + } else { + result[queryPolicyIndex[i]] = SandboxRetType::FORBIDDEN_TO_BE_PERSISTED; } - result[i] = SandboxRetType::OPERATE_SUCCESSFULLY; + } + ret = AddToDatabaseIfNotDuplicate(tokenId, policy, addPolicyIndex, result, flag); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "AddToDatabaseIfNotDuplicate failed."); + result.clear(); + return ret; } return SANDBOX_MANAGER_OK; +#else + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return SANDBOX_MANAGER_OK; +#endif } int32_t PolicyInfoManager::MatchSinglePolicy(const uint64_t tokenId, const PolicyInfo &policy, uint32_t &result) @@ -163,6 +245,7 @@ int32_t PolicyInfoManager::MatchPolicy(const uint64_t tokenId, const std::vector int32_t PolicyInfoManager::RemovePolicy( const uint64_t tokenId, const std::vector &policy, std::vector &result) { +#ifdef MAC_ENABLE // remove only token, path, mode equal uint64_t policySize = policy.size(); if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) { @@ -177,13 +260,18 @@ int32_t PolicyInfoManager::RemovePolicy( result[i] = static_cast(checkPolicyRet); continue; } - PolicyInfo exactFindRes; int32_t ret = ExactFind(tokenId, policy[i], exactFindRes); if (ret == SANDBOX_MANAGER_DB_RETURN_EMPTY) { result[i] = SandboxRetType::POLICY_HAS_NOT_BEEN_PERSISTED; continue; } + + ret = macAdapter_.UnSetSandboxPolicy(tokenId, policy[i]); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter unset error."); + return ret; + } GenericValues condition; TransferPolicyToGeneric(tokenId, policy[i], condition); @@ -195,6 +283,102 @@ int32_t PolicyInfoManager::RemovePolicy( } } return SANDBOX_MANAGER_OK; +#else + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return SANDBOX_MANAGER_OK; +#endif +} + +int32_t PolicyInfoManager::SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag, + std::vector &result) +{ +#ifdef MAC_ENABLE + result.resize(policy.size(), INVALID_PARAMTER); + std::vector validIndex; + std::vector validPolicies; + for (size_t index = 0; index < policy.size(); ++index) { + int32_t res = PolicyInfoManager::CheckPolicyValidity(policy[index]); + if (res == SANDBOX_MANAGER_OK) { + validIndex.emplace_back(index); + validPolicies.emplace_back(policy[index]); + } + } + + if (validPolicies.empty()) { + SANDBOXMANAGER_LOG_WARN(LABEL, "No valid policy to set."); + return SANDBOX_MANAGER_OK; + } + + std::vector setResult(validPolicies.size(), SANDBOX_MANAGER_OK); + int32_t ret = macAdapter_.SetSandboxPolicy(tokenId, validPolicies, policyFlag, setResult); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Set sandbox policy failed, error=%{public}d.", ret); + result.clear(); + return ret; + } + size_t resultIndex = 0; + for (const auto &index : validIndex) { + result[index] = setResult[resultIndex++]; + } + + return SANDBOX_MANAGER_OK; +#else + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return SANDBOX_MANAGER_OK; +#endif +} + +int32_t PolicyInfoManager::UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy) +{ +#ifdef MAC_ENABLE + int32_t ret = CheckPolicyValidity(policy); + if (ret != SANDBOX_MANAGER_OK) { + return ret; + } + return macAdapter_.UnSetSandboxPolicy(tokenId, policy); +#else + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return SANDBOX_MANAGER_OK; +#endif +} + +int32_t PolicyInfoManager::CheckPolicy(uint64_t tokenId, const std::vector &policy, + std::vector &result) +{ +#ifdef MAC_ENABLE + result.resize(policy.size(), false); + std::vector validIndex; + std::vector validPolicies; + for (size_t index = 0; index < policy.size(); ++index) { + int32_t res = PolicyInfoManager::CheckPolicyValidity(policy[index]); + if (res == SANDBOX_MANAGER_OK) { + validIndex.emplace_back(index); + validPolicies.emplace_back(policy[index]); + } + } + + if (validPolicies.empty()) { + SANDBOXMANAGER_LOG_WARN(LABEL, "No valid policy to set."); + return SANDBOX_MANAGER_OK; + } + + std::vector checkResult(validPolicies.size(), false); + int32_t ret = macAdapter_.CheckSandboxPolicy(tokenId, validPolicies, checkResult); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check sandbox policy failed, error=%{public}d.", ret); + result.clear(); + return ret; + } + size_t resultIndex = 0; + for (const auto &index : validIndex) { + result[index] = checkResult[resultIndex++]; + } + + return SANDBOX_MANAGER_OK; +#else + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return SANDBOX_MANAGER_OK; +#endif } bool PolicyInfoManager::RemoveBundlePolicy(const uint64_t tokenId) @@ -211,6 +395,149 @@ bool PolicyInfoManager::RemoveBundlePolicy(const uint64_t tokenId) return true; } +int32_t PolicyInfoManager::StartAccessingByTokenId(const uint64_t tokenId) +{ +#ifdef MAC_ENABLE + GenericValues conditions; + GenericValues symbols; + + conditions.Put(PolicyFiledConst::FIELD_TOKENID, static_cast(tokenId)); + symbols.Put(PolicyFiledConst::FIELD_TOKENID, std::string("=")); + conditions.Put(PolicyFiledConst::FIELD_FLAG, 1); + symbols.Put(PolicyFiledConst::FIELD_FLAG, std::string("=")); + + std::vector dbResults; + int32_t ret = RangeFind(conditions, symbols, dbResults); + if (ret == SANDBOX_MANAGER_DB_ERR) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Database operate error"); + return SANDBOX_MANAGER_DB_ERR; + } + size_t searchSize = dbResults.size(); + if (searchSize == 0) { + SANDBOXMANAGER_LOG_INFO(LABEL, "Database find result empty"); + return SANDBOX_MANAGER_DB_RETURN_EMPTY; + } + + std::vector policys(searchSize); + for (size_t i = 0; i (dbResults[i].GetInt(PolicyFiledConst::FIELD_MODE)); + policys[i] = policy; + } + std::vector macResults; + ret = macAdapter_.SetSandboxPolicy(tokenId, policys, 0, macResults); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter set policy error."); + return ret; + } + return SANDBOX_MANAGER_OK; +#else + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return true; +#endif +} + +int32_t PolicyInfoManager::StartAccessingPolicy( + const uint64_t tokenId, const std::vector &policy, std::vector &results) +{ +#ifdef MAC_ENABLE + size_t policySize = policy.size(); + results.resize(policySize); + // check database, check validity in MatchPolicy + std::vector matchResults(policy.size()); + int32_t ret = MatchPolicy(tokenId, policy, matchResults); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "MatchPolicy error."); + results.clear(); + return ret; + } + // set to mac + std::vector accessingIndex; + for (size_t i = 0; i < policySize; i++) { + if (matchResults[i] == SandboxRetType::OPERATE_SUCCESSFULLY) { + accessingIndex.emplace_back(i); + } else { + results[i] = matchResults[i]; + } + } + size_t accessingIndexSize = accessingIndex.size(); + std::vector accessingPolicy(accessingIndexSize); + std::transform(accessingIndex.begin(), accessingIndex.end(), + accessingPolicy.begin(), [policy](size_t index) { return policy[index]; }); + std::vector macResults(accessingIndexSize); + ret = macAdapter_.SetSandboxPolicy(tokenId, accessingPolicy, 0, macResults); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter set policy error."); + results.clear(); + return ret; + } + // write ok flag + for (size_t i = 0; i < accessingIndexSize; i++) { + results[accessingIndex[i]] = macResults[i]; + } + return SANDBOX_MANAGER_OK; +#else + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return SANDBOX_MANAGER_OK; +#endif +} + +int32_t PolicyInfoManager::StopAccessingPolicy( + const uint64_t tokenId, const std::vector &policy, std::vector &results) +{ +#ifdef MAC_ENABLE + size_t policySize = policy.size(); + results.resize(policySize); + // check database, check validity in MatchPolicy + std::vector matchResults(policy.size()); + int32_t ret = MatchPolicy(tokenId, policy, matchResults); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "MatchPolicy error."); + results.clear(); + return ret; + } + // set to mac + std::vector accessingIndex; + for (size_t i = 0; i < policySize; i++) { + if (matchResults[i] == SandboxRetType::OPERATE_SUCCESSFULLY) { + accessingIndex.emplace_back(i); + } else { + results[i] = matchResults[i]; + } + } + size_t accessingIndexSize = accessingIndex.size(); + std::vector accessingPolicy(accessingIndexSize); + std::transform(accessingIndex.begin(), accessingIndex.end(), + accessingPolicy.begin(), [policy](size_t index) { return policy[index]; }); + std::vector macResults(accessingIndexSize); + ret = macAdapter_.UnSetSandboxPolicy(tokenId, accessingPolicy, macResults); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter unset policy error."); + results.clear(); + return ret; + } + // write ok flag + for (size_t i = 0; i < accessingIndexSize; i++) { + results[accessingIndex[i]] = macResults[i]; + } + return SANDBOX_MANAGER_OK; +#else + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return SANDBOX_MANAGER_OK; +#endif +} + +int32_t PolicyInfoManager::UnSetAllPolicyByToken(const uint64_t tokenId) +{ +#ifdef MAC_ENABLE + return macAdapter_.DestroySandboxPolicy(tokenId); +#else + SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success."); + return SANDBOX_MANAGER_OK; +#endif +} + int32_t PolicyInfoManager::RangeFind(const GenericValues &conditions, const GenericValues &symbols, std::vector &results) { @@ -260,6 +587,12 @@ void PolicyInfoManager::TransferPolicyToGeneric(const uint64_t tokenId, const Po generic.Put(PolicyFiledConst::FIELD_DEPTH, GetDepth(path)); generic.Put(PolicyFiledConst::FIELD_MODE, static_cast(policy.mode)); } +void PolicyInfoManager::TransferGenericToPolicy(const GenericValues &generic, uint64_t& tokenId, PolicyInfo &policy) +{ + policy.path = generic.GetString(PolicyFiledConst::FIELD_PATH); + policy.mode = static_cast(generic.GetInt(PolicyFiledConst::FIELD_MODE)); + tokenId = static_cast(generic.GetInt(PolicyFiledConst::FIELD_TOKENID)); +} int64_t PolicyInfoManager::GetDepth(const std::string &path) { @@ -293,8 +626,14 @@ bool PolicyInfoManager::IsPolicyMatch(const PolicyInfo &searchPolicy, const uint uint64_t referMode; searchMode = searchPolicy.mode & MODE_FILTER; referMode = referPolicy.mode & MODE_FILTER; - // mode should strict equal - modeMatch = (searchMode == referMode); + // refer RW, search R or W shoule return true + if (referMode == searchMode) { + modeMatch = true; + } else if (referMode > searchMode) { + modeMatch = ((referMode & searchMode) != 0); + } else { + modeMatch = false; + } return pathMatch && modeMatch; } @@ -324,6 +663,49 @@ int32_t PolicyInfoManager::CheckPolicyValidity(const PolicyInfo &policy) } return SANDBOX_MANAGER_OK; } + +void PolicyInfoManager::CheckPolicyValidityInBatch( + const std::vector &policy, std::vector &results, std::vector &passIndex) +{ + size_t policySize = policy.size(); + for (size_t i = 0; i < policySize; i++) { + int32_t checkPolicyRet = CheckPolicyValidity(policy[i]); + if (checkPolicyRet != SANDBOX_MANAGER_OK) { + results[i] = static_cast(checkPolicyRet); + continue; + } + passIndex.emplace_back(i); + } +} +int32_t PolicyInfoManager::AddToDatabaseIfNotDuplicate(const uint64_t tokenId, const std::vector &policy, + const std::vector &passIndex, std::vector &results, const uint32_t flag) +{ + std::vector addPolicyGeneric; + for (size_t each : passIndex) { + GenericValues condition; + TransferPolicyToGeneric(tokenId, policy[each], condition); + int32_t ret = SandboxManagerDb::GetInstance().Remove( + SandboxManagerDb::SANDBOX_MANAGER_PERSISTED_POLICY, condition); + if (ret != SandboxManagerDb::SUCCESS) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Database remove error"); + return SANDBOX_MANAGER_DB_ERR; + } + condition.Put(PolicyFiledConst::FIELD_FLAG, static_cast(flag)); + addPolicyGeneric.emplace_back(condition); + } + int32_t ret = SandboxManagerDb::GetInstance().Add( + SandboxManagerDb::SANDBOX_MANAGER_PERSISTED_POLICY, addPolicyGeneric); + if (ret != SandboxManagerDb::SUCCESS) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "database operate error"); + results.clear(); + return SANDBOX_MANAGER_DB_ERR; + } + // write results + for (size_t each: passIndex) { + results[each] = SandboxRetType::OPERATE_SUCCESSFULLY; + } + return SANDBOX_MANAGER_OK; +} } // namespace SandboxManager } // namespace AccessControl } // namespace OHOS \ No newline at end of file diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp index 245fc1648a8e3498ea1ce614cf59a961e6cefe20..73043e2980300d7ba87ba91e71834f92b8a2b462 100644 --- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp +++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp @@ -23,6 +23,7 @@ #include "common_event_support.h" #include "ipc_skeleton.h" #include "iservice_registry.h" +#include "policy_info.h" #include "policy_info_manager.h" #include "sandbox_manager_const.h" #include "sandbox_manager_err_code.h" @@ -126,6 +127,11 @@ void SandboxManagerService::OnStart(const SystemAbilityOnDemandReason& startReas } } +int32_t SandboxManagerService::CleanPersistPolicyByPath(const std::vector& filePaths) +{ + return PolicyInfoManager::GetInstance().CleanPersistPolicyByPath(filePaths); +} + int32_t SandboxManagerService::PersistPolicy(const std::vector &policy, std::vector &result) { uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID(); @@ -134,8 +140,12 @@ int32_t SandboxManagerService::PersistPolicy(const std::vector &poli SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy vector size error, size = %{public}zu.", policy.size()); return INVALID_PARAMTER; } - result.resize(policySize); - return PolicyInfoManager::GetInstance().AddPolicy(callingTokenId, policy, result); + + uint32_t flag = 0; + if (IPCSkeleton::GetCallingUid() == FOUNDATION_UID) { + flag = 1; + } + return PolicyInfoManager::GetInstance().AddPolicy(callingTokenId, policy, result, flag); } int32_t SandboxManagerService::UnPersistPolicy( @@ -148,7 +158,6 @@ int32_t SandboxManagerService::UnPersistPolicy( return INVALID_PARAMTER; } - result.resize(policySize); return PolicyInfoManager::GetInstance().RemovePolicy(callingTokenId, policy, result); } @@ -162,8 +171,12 @@ int32_t SandboxManagerService::PersistPolicyByTokenId( policy.size(), tokenId); return INVALID_PARAMTER; } - result.resize(policySize); - return PolicyInfoManager::GetInstance().AddPolicy(tokenId, policy, result); + + uint32_t flag = 0; + if (IPCSkeleton::GetCallingUid() == FOUNDATION_UID) { + flag = 1; + } + return PolicyInfoManager::GetInstance().AddPolicy(tokenId, policy, result, flag); } int32_t SandboxManagerService::UnPersistPolicyByTokenId( @@ -177,11 +190,11 @@ int32_t SandboxManagerService::UnPersistPolicyByTokenId( return INVALID_PARAMTER; } - result.resize(policySize); return PolicyInfoManager::GetInstance().RemovePolicy(tokenId, policy, result); } -int32_t SandboxManagerService::SetPolicy(uint64_t tokenId, const std::vector &policy, uint64_t policyFlag) +int32_t SandboxManagerService::SetPolicy(uint64_t tokenId, const std::vector &policy, + uint64_t policyFlag, std::vector &result) { size_t policySize = policy.size(); if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT || tokenId == 0) { @@ -190,13 +203,40 @@ int32_t SandboxManagerService::SetPolicy(uint64_t tokenId, const std::vector &policy, + uint64_t policyFlag) +{ + std::vector result; + return SetPolicy(tokenId, policy, policyFlag, result); +} + +int32_t SandboxManagerService::UnSetPolicyAsync(uint64_t tokenId, const PolicyInfo &policy) +{ + return UnSetPolicy(tokenId, policy); +} + +int32_t SandboxManagerService::CheckPolicy(uint64_t tokenId, const std::vector &policy, + std::vector &result) +{ + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed."); + return INVALID_PARAMTER; + } + + return PolicyInfoManager::GetInstance().CheckPolicy(tokenId, policy, result); } int32_t SandboxManagerService::StartAccessingPolicy( @@ -209,16 +249,7 @@ int32_t SandboxManagerService::StartAccessingPolicy( return INVALID_PARAMTER; } - std::vector matchResult(policy.size()); - - int32_t ret = PolicyInfoManager::GetInstance().MatchPolicy(callingTokenId, policy, matchResult); - if (ret != SANDBOX_MANAGER_OK) { - return ret; - } - - // setURI here - result = matchResult; - return SANDBOX_MANAGER_OK; + return PolicyInfoManager::GetInstance().StartAccessingPolicy(callingTokenId, policy, result); } int32_t SandboxManagerService::StopAccessingPolicy( @@ -231,15 +262,7 @@ int32_t SandboxManagerService::StopAccessingPolicy( return INVALID_PARAMTER; } - std::vector matchResult(policy.size()); - int32_t ret = PolicyInfoManager::GetInstance().MatchPolicy(callingTokenId, policy, matchResult); - if (ret != SANDBOX_MANAGER_OK) { - return ret; - } - - // stopURI here - result = matchResult; - return SANDBOX_MANAGER_OK; + return PolicyInfoManager::GetInstance().StopAccessingPolicy(callingTokenId, policy, result); } int32_t SandboxManagerService::CheckPersistPolicy( @@ -265,10 +288,30 @@ int32_t SandboxManagerService::CheckPersistPolicy( return SANDBOX_MANAGER_OK; } +int32_t SandboxManagerService::StartAccessingByTokenId(uint64_t tokenId) +{ + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid Tokenid."); + return INVALID_PARAMTER; + } + return PolicyInfoManager::GetInstance().StartAccessingByTokenId(tokenId); +} + +int32_t SandboxManagerService::UnSetAllPolicyByToken(uint64_t tokenId) +{ + if (tokenId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid Tokenid."); + return INVALID_PARAMTER; + } + return PolicyInfoManager::GetInstance().UnSetAllPolicyByToken(tokenId); +} + bool SandboxManagerService::Initialize() { DelayUnloadService(); - PolicyInfoManager::GetInstance().Init(); + if (!PolicyInfoManager::GetInstance().Init()) { + return false; + } AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID); return true; } @@ -309,7 +352,8 @@ bool SandboxManagerService::StartByEventAction(const SystemAbilityOnDemandReason std::string reasonName = startReason.GetName(); SANDBOXMANAGER_LOG_INFO(LABEL, "Start by common event, event = %{public}s.", reasonName.c_str()); if (reasonName == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED || - reasonName == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED) { + reasonName == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED || + reasonName == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_DATA_CLEARED) { auto wantMap = startReason.GetExtraData().GetWant(); auto iter = startReason.GetExtraData().GetWant().find("accessTokenId"); if (iter == startReason.GetExtraData().GetWant().end()) { diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp index e017a0f7d0aafd35734d8312c7805de3c5ef255b..0ea3f71cc884b19b310085d332a2600ca14e72ad 100644 --- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp +++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp @@ -17,11 +17,13 @@ #include #include +#include #include #include #include "accesstoken_kit.h" #include "ipc_skeleton.h" #include "policy_info.h" +#include "policy_info_parcel.h" #include "policy_info_vector_parcel.h" #include "sandbox_manager_const.h" #include "sandbox_manager_err_code.h" @@ -66,6 +68,34 @@ int32_t SandboxManagerStub::OnRemoteRequest( return NO_ERROR; } +void SandboxManagerStub::CleanPersistPolicyByPathInner(MessageParcel &data, MessageParcel &reply) +{ + uint32_t callingTokenId = IPCSkeleton::GetCallingTokenID(); + if (!IsFileManagerCalling(callingTokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Permission denied(tokenID=%{public}d)", callingTokenId); + reply.WriteInt32(PERMISSION_DENIED); + return; + } + + std::vector filePaths; + uint32_t size = 0; + if (!data.ReadUint32(size)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Reply sandbox manager data file path fail"); + return; + } + for (uint32_t i = 0; i < size; i++) { + std::string filePath; + if (!data.ReadString(filePath)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Reply sandbox manager data file path fail"); + return; + } + filePaths.emplace_back(filePath); + } + + this->CleanPersistPolicyByPath(filePaths); + return; +} + void SandboxManagerStub::PersistPolicyInner(MessageParcel &data, MessageParcel &reply) { uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID(); @@ -76,7 +106,7 @@ void SandboxManagerStub::PersistPolicyInner(MessageParcel &data, MessageParcel & sptr policyInfoVectorParcel = data.ReadParcelable(); if (policyInfoVectorParcel == nullptr) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail"); reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); return; } @@ -109,7 +139,7 @@ void SandboxManagerStub::UnPersistPolicyInner(MessageParcel &data, MessageParcel sptr policyInfoVectorParcel = data.ReadParcelable(); if (policyInfoVectorParcel == nullptr) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "read sandbox manager data parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail"); reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); return; } @@ -142,13 +172,13 @@ void SandboxManagerStub::PersistPolicyByTokenIdInner(MessageParcel &data, Messag } uint64_t tokenId; if (!data.ReadUint64(tokenId)) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "read tokenId parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail"); reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); return; } sptr policyInfoVectorParcel = data.ReadParcelable(); if (policyInfoVectorParcel == nullptr) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "read sandbox manager data parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail"); reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); return; } @@ -175,18 +205,18 @@ void SandboxManagerStub::UnPersistPolicyByTokenIdInner(MessageParcel &data, Mess { uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID(); if (!CheckPermission(callingTokenId, ACCESS_PERSIST_PERMISSION_NAME)) { - reply.WriteUint32(PERMISSION_DENIED); + reply.WriteInt32(PERMISSION_DENIED); return; } uint64_t tokenId; if (!data.ReadUint64(tokenId)) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "reply tokenId parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail"); reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); return; } sptr policyInfoVectorParcel = data.ReadParcelable(); if (policyInfoVectorParcel == nullptr) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail"); reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); return; } @@ -211,6 +241,83 @@ void SandboxManagerStub::UnPersistPolicyByTokenIdInner(MessageParcel &data, Mess } void SandboxManagerStub::SetPolicyInner(MessageParcel &data, MessageParcel &reply) +{ + uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID(); + if (!CheckPermission(callingTokenId, SET_POLICY_PERMISSION_NAME)) { + reply.WriteInt32(PERMISSION_DENIED); + return; + } + + uint64_t tokenId; + if (!data.ReadUint64(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + + sptr policyInfoVectorParcel = data.ReadParcelable(); + if (policyInfoVectorParcel == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + + uint64_t policyFlag; + if (!data.ReadUint64(policyFlag)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read policyFlag parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + + std::vector result; + int32_t ret = this->SetPolicy(tokenId, policyInfoVectorParcel->policyVector, policyFlag, result); + if (!reply.WriteInt32(ret)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager ret parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + if (ret == SANDBOX_MANAGER_OK) { + if (!reply.WriteUInt32Vector(result)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager result parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + } + return; +} + +void SandboxManagerStub::UnSetPolicyInner(MessageParcel &data, MessageParcel &reply) +{ + uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID(); + if (!CheckPermission(callingTokenId, SET_POLICY_PERMISSION_NAME)) { + reply.WriteInt32(PERMISSION_DENIED); + return; + } + + uint64_t tokenId; + if (!data.ReadUint64(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "reply tokenId parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + + sptr policyInfoParcel = data.ReadParcelable(); + if (policyInfoParcel == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + + int32_t ret = this->UnSetPolicy(tokenId, policyInfoParcel->policyInfo); + if (!reply.WriteInt32(ret)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager ret parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + return; +} + +void SandboxManagerStub::SetPolicyAsyncInner(MessageParcel &data, MessageParcel &reply) { uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID(); if (!CheckPermission(callingTokenId, SET_POLICY_PERMISSION_NAME)) { @@ -227,7 +334,7 @@ void SandboxManagerStub::SetPolicyInner(MessageParcel &data, MessageParcel &repl sptr policyInfoVectorParcel = data.ReadParcelable(); if (policyInfoVectorParcel == nullptr) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail"); reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); return; } @@ -238,13 +345,64 @@ void SandboxManagerStub::SetPolicyInner(MessageParcel &data, MessageParcel &repl reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); return; } - - int32_t ret = this->SetPolicy(tokenId, policyInfoVectorParcel->policyVector, policyFlag); + + this->SetPolicyAsync(tokenId, policyInfoVectorParcel->policyVector, policyFlag); +} + +void SandboxManagerStub::UnSetPolicyAsyncInner(MessageParcel &data, MessageParcel &reply) +{ + uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID(); + if (!CheckPermission(callingTokenId, SET_POLICY_PERMISSION_NAME)) { + reply.WriteInt32(PERMISSION_DENIED); + return; + } + + uint64_t tokenId; + if (!data.ReadUint64(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "reply tokenId parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + + sptr policyInfoParcel = data.ReadParcelable(); + if (policyInfoParcel == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + + this->UnSetPolicyAsync(tokenId, policyInfoParcel->policyInfo); +} + +void SandboxManagerStub::CheckPolicyInner(MessageParcel &data, MessageParcel &reply) +{ + uint64_t tokenId; + if (!data.ReadUint64(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "reply tokenId parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + + sptr policyInfoVectorParcel = data.ReadParcelable(); + if (policyInfoVectorParcel == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + std::vector result; + int32_t ret = this->CheckPolicy(tokenId, policyInfoVectorParcel->policyVector, result); if (!reply.WriteInt32(ret)) { SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager ret parcel fail"); reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); return; } + if (ret == SANDBOX_MANAGER_OK) { + if (!reply.WriteBoolVector(result)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager result parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + } return; } @@ -319,14 +477,14 @@ void SandboxManagerStub::CheckPersistPolicyInner(MessageParcel &data, MessagePar { uint64_t tokenId; if (!data.ReadUint64(tokenId)) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "reply tokenId parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail"); reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); return; } sptr policyInfoVectorParcel = data.ReadParcelable(); if (policyInfoVectorParcel == nullptr) { - SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail"); + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail"); reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); return; } @@ -349,8 +507,44 @@ void SandboxManagerStub::CheckPersistPolicyInner(MessageParcel &data, MessagePar return; } +void SandboxManagerStub::StartAccessingByTokenIdInner(MessageParcel &data, MessageParcel &reply) +{ + if (IPCSkeleton::GetCallingUid() != FOUNDATION_UID) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Not foundation-AMS userid, permision denied."); + return; + } + uint64_t tokenId; + if (!data.ReadUint64(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + this->StartAccessingByTokenId(tokenId); + return; +} + +void SandboxManagerStub::UnSetAllPolicyByTokenInner(MessageParcel &data, MessageParcel &reply) +{ + uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID(); + if (!CheckPermission(callingTokenId, SET_POLICY_PERMISSION_NAME)) { + reply.WriteInt32(PERMISSION_DENIED); + return; + } + + uint64_t tokenId; + if (!data.ReadUint64(tokenId)) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail"); + reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR); + return; + } + this->UnSetAllPolicyByToken(tokenId); + return; +} + void SandboxManagerStub::SetPolicyOpFuncInMap() { + requestFuncMap_[static_cast(SandboxManagerInterfaceCode::CLEAN_PERSIST_POLICY_BY_PATH)] = + &SandboxManagerStub::CleanPersistPolicyByPathInner; requestFuncMap_[static_cast(SandboxManagerInterfaceCode::PERSIST_PERMISSION)] = &SandboxManagerStub::PersistPolicyInner; requestFuncMap_[static_cast(SandboxManagerInterfaceCode::UNPERSIST_PERMISSION)] = @@ -361,12 +555,24 @@ void SandboxManagerStub::SetPolicyOpFuncInMap() &SandboxManagerStub::UnPersistPolicyByTokenIdInner; requestFuncMap_[static_cast(SandboxManagerInterfaceCode::SET_POLICY)] = &SandboxManagerStub::SetPolicyInner; + requestFuncMap_[static_cast(SandboxManagerInterfaceCode::UN_SET_POLICY)] = + &SandboxManagerStub::UnSetPolicyInner; + requestFuncMap_[static_cast(SandboxManagerInterfaceCode::SET_POLICY_ASYNC)] = + &SandboxManagerStub::SetPolicyAsyncInner; + requestFuncMap_[static_cast(SandboxManagerInterfaceCode::UN_SET_POLICY_ASYNC)] = + &SandboxManagerStub::UnSetPolicyAsyncInner; + requestFuncMap_[static_cast(SandboxManagerInterfaceCode::CHECK_POLICY)] = + &SandboxManagerStub::CheckPolicyInner; requestFuncMap_[static_cast(SandboxManagerInterfaceCode::START_ACCESSING_URI)] = &SandboxManagerStub::StartAccessingPolicyInner; requestFuncMap_[static_cast(SandboxManagerInterfaceCode::STOP_ACCESSING_URI)] = &SandboxManagerStub::StopAccessingPolicyInner; requestFuncMap_[static_cast(SandboxManagerInterfaceCode::CHECK_PERSIST_PERMISSION)] = &SandboxManagerStub::CheckPersistPolicyInner; + requestFuncMap_[static_cast(SandboxManagerInterfaceCode::START_ACCESSING_BY_TOKEN)] = + &SandboxManagerStub::StartAccessingByTokenIdInner; + requestFuncMap_[static_cast(SandboxManagerInterfaceCode::UNSET_ALL_POLICY_BY_TOKEN)] = + &SandboxManagerStub::UnSetAllPolicyByTokenInner; } SandboxManagerStub::SandboxManagerStub() @@ -389,6 +595,14 @@ bool SandboxManagerStub::CheckPermission(const uint64_t tokenId, const std::stri SANDBOXMANAGER_LOG_ERROR(LABEL, "Check permission token:%{public}" PRIu64" fail", tokenId); return false; } +bool SandboxManagerStub::IsFileManagerCalling(const uint32_t tokenCaller) +{ + if (tokenFileManagerId_ == 0) { + tokenFileManagerId_ = Security::AccessToken::AccessTokenKit::GetNativeTokenId( + "file_manager_service"); + } + return tokenCaller == tokenFileManagerId_; +} } // namespace SandboxManager } // namespace AccessControl } // namespace OHOS \ No newline at end of file diff --git a/services/sandbox_manager/main/sa_profile/sandbox_manager_service.json b/services/sandbox_manager/main/sa_profile/sandbox_manager_service.json index 669be81e208e1f5a3119b0420fb52f4cdf4e5d1b..fe4223c679d25d32bbf1501682928b0a37d9331b 100644 --- a/services/sandbox_manager/main/sa_profile/sandbox_manager_service.json +++ b/services/sandbox_manager/main/sa_profile/sandbox_manager_service.json @@ -15,6 +15,9 @@ }, { "name": "usual.event.PACKAGE_FULLY_REMOVED" + }, + { + "name": "usual.event.PACKAGE_DATA_CLEARED" }] } }] diff --git a/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp b/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp index 454f782e93ef3cf35c2d5e4b19bff5fa261fa19e..1ef380d0396400d1fdf84351c7a06a2626bce54d 100644 --- a/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp +++ b/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp @@ -166,22 +166,23 @@ HWTEST_F(SandboxManagerServiceTest, SandboxManagerServiceTest002, TestSize.Level std::vector policy; std::vector result0; uint64_t policyFlag = 0; - EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag)); + std::vector policyResult; + EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, policyResult)); uint64_t sizeLimit = 0; EXPECT_EQ(sizeLimit, result0.size()); policy.resize(POLICY_VECTOR_SIZE_LIMIT + 1); std::vector result; - EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag)); + EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, policyResult)); sizeLimit = 0; EXPECT_EQ(sizeLimit, result.size()); policy.resize(1); - EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag)); + EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, policyResult)); policyFlag = 1; - EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag)); - EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(0, policy, policyFlag)); + EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, policyResult)); + EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(0, policy, policyFlag, policyResult)); } /**