diff --git a/services/dbms/include/distributed_bms.h b/services/dbms/include/distributed_bms.h
index ba1469dae09e555c0037c1a1e518d584399b10ea..ac3d23bec165d45e28f332f81b020f372c026184 100644
--- a/services/dbms/include/distributed_bms.h
+++ b/services/dbms/include/distributed_bms.h
@@ -114,7 +114,7 @@ public:
 bool GetDistributedBundleInfo(const std::string &networkId, const std::string &bundleName, DistributedBundleInfo &distributedBundleInfo) override;
-
+
 /**
 * @brief get distributedBundleName based on a given accessTokenId and networkId.
 * @param networkId Indicates the networkId of remote device.
@@ -154,6 +154,10 @@ private:
 const AbilityInfo &abilityInfo, int32_t userId, RemoteAbilityInfo &remoteAbilityInfo);
 int32_t Base64WithoutCompress(std::unique_ptr &imageContent, size_t imageContentSize, RemoteAbilityInfo &remoteAbilityInfo);
+ bool VerifySystemApp();
+ bool VerifyTokenNative(Security::AccessToken::AccessTokenID callerToken);
+ bool VerifyTokenShell(Security::AccessToken::AccessTokenID callerToken);
+ bool VerifyCallingPermission(const std::string &permissionName);
 };
 } // namespace AppExecFwk
 } // namespace OHOS
diff --git a/services/dbms/include/distributed_bms_host.h b/services/dbms/include/distributed_bms_host.h
index b729273fc7e7214ad4b44a4fb1944699fb043a68..47c5273538e5eb63bb924ed66514712fbecf41b3 100644
--- a/services/dbms/include/distributed_bms_host.h
+++ b/services/dbms/include/distributed_bms_host.h
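Review bot: The four private declarations added at the end of the hunk (`VerifySystemApp`, `VerifyTokenNative`, `VerifyTokenShell`, `VerifyCallingPermission`) carry no documentation, while the public declarations in this header use `@brief`/`@param` blocks, as the context of the previous hunk shows. Each deserves a one-line `@brief` stating what the caller identity is compared against plus a `@return` line, e.g. `/** @brief Returns true when the IPC caller holds a native or shell token, runs as root, or is a system app. @return true to allow the call. */` above `VerifySystemApp()` and `/** @brief Returns true when the caller holds a native token or has been granted permissionName. */` above `VerifyCallingPermission`. The comments should also say that these helpers read the calling identity from `IPCSkeleton`, so they are only meaningful on a code path entered through a remote request.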
@@ -37,14 +37,10 @@ private:
 int HandleGetAbilityInfos(Parcel &data, Parcel &reply);
 int HandleGetDistributedBundleInfo(Parcel &data, Parcel &reply);
 int HandleGetDistributedBundleName(Parcel &data, Parcel &reply);
- bool VerifyCallingPermission(const std::string &permissionName);
 template bool GetParcelableInfos(Parcel &data, std::vector &parcelableInfos);
 template bool WriteParcelableVector(std::vector &parcelableVector, Parcel &data);
- bool VerifySystemApp();
- bool VerifySystemAppForTokenNative(Security::AccessToken::AccessTokenID callerToken);
- bool VerifySystemAppForTokenShell(Security::AccessToken::AccessTokenID callerToken);
 };
 } // namespace AppExecFwk
 } // namespace OHOS
diff --git a/services/dbms/sa_profile/distributedbms.cfg b/services/dbms/sa_profile/distributedbms.cfg
index d63e2cd455d6b77fc0711123c8dc64a9bffbe803..6ab85f0e72e661f240bf08e8e8cc3cc7988586d5 100644
--- a/services/dbms/sa_profile/distributedbms.cfg
+++ b/services/dbms/sa_profile/distributedbms.cfg
@@ -15,7 +15,8 @@
 "gid" : ["dbms", "shell"],
 "permission": [
 "ohos.permission.DISTRIBUTED_DATASYNC",
- "ohos.permission.GET_BUNDLE_INFO_PRIVILEGED"
+ "ohos.permission.GET_BUNDLE_INFO_PRIVILEGED",
+ "ohos.permission.ACCESS_SERVICE_DM"
 ],
 "start-mode": "condition",
 "jobs" : {
diff --git a/services/dbms/src/distributed_bms.cpp b/services/dbms/src/distributed_bms.cpp
index 8e22013449f9a173b07fe154f6128922fa92644b..1c70f0924bab70506abefddb217552f677acb61b 100644
--- a/services/dbms/src/distributed_bms.cpp
+++ b/services/dbms/src/distributed_bms.cpp
@@ -18,6 +18,7 @@
 #include #include
+#include "accesstoken_kit.h"
 #include "account_manager_helper.h"
 #include "app_log_wrapper.h"
 #include "appexecfwk_errors.h"
@@ -33,7 +34,9 @@
 #include "image_compress.h"
 #include "image_packer.h"
 #include "image_source.h"
+#include "ipc_skeleton.h"
 #include "system_ability_definition.h"
+#include "tokenid_kit.h"
 #ifdef HICOLLIE_ENABLE
 #include "xcollie/xcollie.h"
 #include "xcollie/xcollie_define.h"
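Review bot: The `ohos.permission.ACCESS_SERVICE_DM` entry added to the service's permission list widens what the dbms process is allowed to do, but no other hunk in this diff introduces a call that would need it, so the reason for the grant cannot be traced from the change itself. If a code path outside these hunks depends on it, the commit message should name that path so a later reviewer can confirm the permission is still required; if it is speculative it should be dropped, since the system-ability profile is where this process's least-privilege boundary is set. Because this profile is JSON, which has no comment syntax, the commit message is the only realistic place for that justification.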
@@ -220,6 +223,14 @@ int32_t DistributedBms::GetRemoteAbilityInfo(
 int32_t DistributedBms::GetRemoteAbilityInfo(const OHOS::AppExecFwk::ElementName &elementName, const std::string &localeInfo, RemoteAbilityInfo &remoteAbilityInfo)
 {
+ if (!VerifySystemApp()) {
+ APP_LOGE("verify system app failed");
+ return ERR_BUNDLE_MANAGER_SYSTEM_API_DENIED;
+ }
+ if (!VerifyCallingPermission(Constants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED)) {
+ APP_LOGE("verify GET_BUNDLE_INFO_PRIVILEGED failed");
+ return ERR_BUNDLE_MANAGER_PERMISSION_DENIED;
+ }
 auto iDistBundleMgr = GetDistributedBundleMgr(elementName.GetDeviceID());
 int32_t resultCode = 0;
 if (!iDistBundleMgr) {
@@ -251,6 +262,14 @@ int32_t DistributedBms::GetRemoteAbilityInfos(
 int32_t DistributedBms::GetRemoteAbilityInfos(const std::vector &elementNames, const std::string &localeInfo, std::vector &remoteAbilityInfos)
 {
+ if (!VerifySystemApp()) {
+ APP_LOGE("verify system app failed");
+ return ERR_BUNDLE_MANAGER_SYSTEM_API_DENIED;
+ }
+ if (!VerifyCallingPermission(Constants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED)) {
+ APP_LOGE("verify GET_BUNDLE_INFO_PRIVILEGED failed");
+ return ERR_BUNDLE_MANAGER_PERMISSION_DENIED;
+ }
 if (elementNames.empty()) {
 APP_LOGE("GetDistributedBundle failed due to elementNames empty");
 return ERR_BUNDLE_MANAGER_PARAM_ERROR;
@@ -287,6 +306,11 @@ int32_t DistributedBms::GetAbilityInfo(const OHOS::AppExecFwk::ElementName &elem
 {
 APP_LOGI("DistributedBms GetAbilityInfo bundleName:%{public}s , abilityName:%{public}s, localeInfo:%{public}s", elementName.GetBundleName().c_str(), elementName.GetAbilityName().c_str(), localeInfo.c_str());
+ Security::AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
+ if (!VerifyTokenNative(callerToken) && !VerifyTokenShell(callerToken)) {
+ APP_LOGE("caller is not native");
+ return ERR_BUNDLE_MANAGER_SYSTEM_API_DENIED;
+ }
 auto iBundleMgr = GetBundleMgr();
 if (!iBundleMgr) {
 APP_LOGE("DistributedBms GetBundleMgr failed");
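Review bot: The guards added at the top of `GetRemoteAbilityInfo` and `GetRemoteAbilityInfos` now run only after the IPC host has already executed `ReadParcelable` / `GetParcelableInfos` on the caller's parcel, because the host hunks later in this diff delete the early checks without replacing them, so a caller that fails the check still drives request deserialisation; keeping a cheap `VerifySystemApp()` gate in the host handlers as well would restore the fail-early ordering, with the impl checks remaining as the backstop for in-process callers. In `GetAbilityInfo` the `!VerifyTokenNative(callerToken) && !VerifyTokenShell(callerToken)` form is repeated unchanged in `GetAbilityInfos` and `GetDistributedBundleName` in the next hunks; `GetAbilityInfos` additionally calls `GetAbilityInfo` per element (visible in that hunk), so its own up-front check only changes the outcome for an empty vector and merits `// checked here too so an empty elementNames still rejects unprivileged callers`. Since these methods are presumably reachable without a binder transaction (the new unit tests call the object directly), each guard should also carry a comment that `IPCSkeleton::GetCallingTokenID()` describes the service's own identity on that path rather than a remote caller.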
@@ -383,6 +407,11 @@ int32_t DistributedBms::GetAbilityInfos(const std::vector &elementN
 const std::string &localeInfo, std::vector &remoteAbilityInfos)
 {
 APP_LOGD("DistributedBms GetAbilityInfos");
+ Security::AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
+ if (!VerifyTokenNative(callerToken) && !VerifyTokenShell(callerToken)) {
+ APP_LOGE("caller is not native");
+ return ERR_BUNDLE_MANAGER_SYSTEM_API_DENIED;
+ }
 for (auto elementName : elementNames) {
 RemoteAbilityInfo remoteAbilityInfo;
 int32_t result = GetAbilityInfo(elementName, localeInfo, remoteAbilityInfo);
@@ -422,6 +451,11 @@ bool DistributedBms::GetDistributedBundleInfo(const std::string &networkId, cons
 int32_t DistributedBms::GetDistributedBundleName(const std::string &networkId, uint32_t accessTokenId, std::string &bundleName)
 {
+ Security::AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
+ if (!VerifyTokenNative(callerToken) && !VerifyTokenShell(callerToken)) {
+ APP_LOGE("caller tokenType not native or shell, verify failed");
+ return ERR_APPEXECFWK_PARCEL_ERROR;
+ }
 #ifdef HICOLLIE_ENABLE
 int timerId = HiviewDFX::XCollie::GetInstance().SetTimer("GetDistributedBundleName", LOCAL_TIME_OUT_SECONDS, nullptr, nullptr, HiviewDFX::XCOLLIE_FLAG_RECOVERY);
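Review bot: The new guard in `GetDistributedBundleName` returns `ERR_APPEXECFWK_PARCEL_ERROR` when the caller's token is neither native nor shell, so an authorisation failure is reported to the client as a marshalling problem and is indistinguishable from a malformed request in both logs and caller error handling. The sibling guards added by this commit use `ERR_BUNDLE_MANAGER_SYSTEM_API_DENIED` for the same condition, so `return ERR_BUNDLE_MANAGER_SYSTEM_API_DENIED;` would be consistent here. If some caller depends on the parcel code (the removed host check returned the same value), that dependency deserves a comment on this line rather than a silent carry-over.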
@@ -477,5 +511,68 @@ std::unique_ptr DistributedBms::EncodeBase64(std::unique_ptr
 return result;
 }
+
+bool DistributedBms::VerifySystemApp()
+{
+ APP_LOGI("verifying systemApp");
+ int32_t callingUid = IPCSkeleton::GetCallingUid();
+ Security::AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
+ if (VerifyTokenNative(callerToken) || VerifyTokenShell(callerToken)
+ || callingUid == Constants::ROOT_UID) {
+ APP_LOGI("caller tokenType is native or shell, verify success");
+ return true;
+ }
+ uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
+ if (!Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
+ APP_LOGE("non-system app calling system api");
+ return false;
+ }
+ return true;
+}
+
+bool DistributedBms::VerifyTokenNative(Security::AccessToken::AccessTokenID callerToken)
+{
+ APP_LOGD("verifying system app for native token");
+ Security::AccessToken::ATokenTypeEnum tokenType =
+ Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
+ APP_LOGD("token type is %{public}d", static_cast(tokenType));
+ if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
+ APP_LOGI("caller tokenType is native, verify success");
+ return true;
+ }
+ APP_LOGE("caller tokenType not native, verify failed");
+ return false;
+}
+
+bool DistributedBms::VerifyTokenShell(Security::AccessToken::AccessTokenID callerToken)
+{
+ APP_LOGD("verifying system app for shell token");
+ Security::AccessToken::ATokenTypeEnum tokenType =
+ Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
+ APP_LOGD("token type is %{public}d", static_cast(tokenType));
+ if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
+ APP_LOGI("caller tokenType is shell, verify success");
+ return true;
+ }
+ APP_LOGE("caller tokenType not shell, verify failed");
+ return false;
+}
+
+bool DistributedBms::VerifyCallingPermission(const std::string &permissionName)
+{
+
APP_LOGD("VerifyCallingPermission permission %{public}s", permissionName.c_str());
+ Security::AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
+ if (VerifyTokenNative(callerToken)) {
+ APP_LOGD("caller tokenType is native, verify success");
+ return true;
+ }
+ int32_t ret = OHOS::Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
+ if (ret == OHOS::Security::AccessToken::PermissionState::PERMISSION_DENIED) {
+ APP_LOGE("permission %{public}s: PERMISSION_DENIED", permissionName.c_str());
+ return false;
+ }
+ APP_LOGD("verify permission success");
+ return true;
+}
 }
 }
\ No newline at end of file
diff --git a/services/dbms/src/distributed_bms_host.cpp b/services/dbms/src/distributed_bms_host.cpp
index 8b4ef3f3644f25d7cec7c6b96d74689468bf9c25..3349c030f709bbb90dd66c48c26de97919eb4ca6 100644
--- a/services/dbms/src/distributed_bms_host.cpp
+++ b/services/dbms/src/distributed_bms_host.cpp
@@ -15,14 +15,11 @@
 #include "distributed_bms_host.h"
-#include "accesstoken_kit.h"
 #include "app_log_wrapper.h"
 #include "appexecfwk_errors.h"
 #include "bundle_constants.h"
 #include "bundle_memory_guard.h"
 #include "remote_ability_info.h"
-#include "ipc_skeleton.h"
-#include "tokenid_kit.h"
 namespace OHOS {
 namespace AppExecFwk {
@@ -78,14 +75,6 @@ int DistributedBmsHost::OnRemoteRequest(uint32_t code, MessageParcel &data, Mess
 int DistributedBmsHost::HandleGetRemoteAbilityInfo(Parcel &data, Parcel &reply)
 {
 APP_LOGI("DistributedBmsHost handle get remote ability info");
- if (!VerifySystemApp()) {
- APP_LOGE("verify system app failed");
- return ERR_BUNDLE_MANAGER_SYSTEM_API_DENIED;
- }
- if (!VerifyCallingPermission(Constants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED)) {
- APP_LOGE("verify GET_BUNDLE_INFO_PRIVILEGED failed");
- return ERR_BUNDLE_MANAGER_PERMISSION_DENIED;
- }
 std::unique_ptr elementName(data.ReadParcelable());
 if (!elementName) {
 APP_LOGE("ReadParcelable failed");
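Review bot: `VerifyCallingPermission` treats every `VerifyAccessToken` result other than `PERMISSION_DENIED` as a grant, so any value outside the expected pair would fail open; comparing against the granted state, `if (ret != OHOS::Security::AccessToken::PermissionState::PERMISSION_GRANTED) {`, keeps the check fail-closed. In `VerifySystemApp` the `callingUid == Constants::ROOT_UID` branch is logged as "caller tokenType is native or shell, verify success", which hides the root bypass from anyone reading the logs; a separate message for that case, or a comment such as `// root is trusted here by uid, independent of token type`, would make it auditable, and the entry `APP_LOGI("verifying systemApp")` belongs at debug level since it fires on every call. `VerifyTokenNative` emits `APP_LOGE("caller tokenType not native, verify failed")` even when it is only the first half of a native-or-shell test, so every shell caller of `GetAbilityInfo`, `GetAbilityInfos`, `GetDistributedBundleName` and `VerifySystemApp` leaves an error-level entry and `GetTokenTypeFlag` is consulted twice; one helper that fetches the type once and logs only on final failure, declared alongside the others in the header, removes both problems as sketched below.
```cpp
bool DistributedBms::VerifyTokenNativeOrShell(Security::AccessToken::AccessTokenID callerToken)
{
    Security::AccessToken::ATokenTypeEnum tokenType =
        Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
    APP_LOGD("token type is %{public}d", static_cast<int>(tokenType));
    if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE
        || tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
        return true;
    }
    APP_LOGE("caller tokenType not native or shell, verify failed");
    return false;
}
// … unchanged: VerifySystemApp / VerifyCallingPermission then call VerifyTokenNativeOrShell(callerToken) …
```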
@@ -112,14 +101,6 @@ int DistributedBmsHost::HandleGetRemoteAbilityInfo(Parcel &data, Parcel &reply)
 int DistributedBmsHost::HandleGetRemoteAbilityInfos(Parcel &data, Parcel &reply)
 {
 APP_LOGI("DistributedBmsHost handle get remote ability infos");
- if (!VerifySystemApp()) {
- APP_LOGE("verify system app failed");
- return ERR_BUNDLE_MANAGER_SYSTEM_API_DENIED;
- }
- if (!VerifyCallingPermission(Constants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED)) {
- APP_LOGE("verify GET_BUNDLE_INFO_PRIVILEGED failed");
- return ERR_BUNDLE_MANAGER_PERMISSION_DENIED;
- }
 std::vector elementNames;
 if (!GetParcelableInfos(data, elementNames)) {
 APP_LOGE("GetRemoteAbilityInfos get parcelable infos failed");
@@ -221,11 +202,6 @@ int DistributedBmsHost::HandleGetDistributedBundleInfo(Parcel &data, Parcel &rep
 int32_t DistributedBmsHost::HandleGetDistributedBundleName(Parcel &data, Parcel &reply)
 {
 APP_LOGD("DistributedBmsHost handle get distributedBundleName");
- Security::AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
- if (!VerifySystemAppForTokenNative(callerToken) && !VerifySystemAppForTokenShell(callerToken)) {
- APP_LOGE("caller tokenType not native or shell, verify failed");
- return ERR_APPEXECFWK_PARCEL_ERROR;
- }
 std::string networkId = data.ReadString();
 uint32_t accessTokenId = data.ReadUint32();
 std::string bundleName;
@@ -237,69 +213,6 @@ int32_t DistributedBmsHost::HandleGetDistributedBundleName(Parcel &data, Parcel
 return ret;
 }
-bool DistributedBmsHost::VerifyCallingPermission(const std::string &permissionName)
-{
- APP_LOGD("VerifyCallingPermission permission %{public}s", permissionName.c_str());
- Security::AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
- if (VerifySystemAppForTokenNative(callerToken)) {
- APP_LOGD("caller tokenType is native, verify success");
- return true;
- }
- int32_t ret = OHOS::Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
- if (ret == OHOS::Security::AccessToken::PermissionState::PERMISSION_DENIED) {
- APP_LOGE("permission %{public}s: PERMISSION_DENIED", permissionName.c_str());
- return false;
- }
- APP_LOGD("verify permission success");
- return true;
-}
-
-bool DistributedBmsHost::VerifySystemApp()
-{
- APP_LOGI("verifying systemApp");
- int32_t callingUid = IPCSkeleton::GetCallingUid();
- Security::AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
- if (VerifySystemAppForTokenNative(callerToken) || VerifySystemAppForTokenShell(callerToken)
- || callingUid == Constants::ROOT_UID) {
- APP_LOGI("caller tokenType is native or shell, verify success");
- return true;
- }
- uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
- if (!Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
- APP_LOGE("non-system app calling system api");
- return false;
- }
- return true;
-}
-
-bool DistributedBmsHost::VerifySystemAppForTokenNative(Security::AccessToken::AccessTokenID callerToken)
-{
- APP_LOGD("verifying system app for native token");
- Security::AccessToken::ATokenTypeEnum tokenType =
- Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
- APP_LOGD("token type is %{public}d", static_cast(tokenType));
- if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
- APP_LOGI("caller tokenType is 
native, verify success");
- return true;
- }
- APP_LOGE("caller tokenType not native, verify failed");
- return false;
-}
-
-bool DistributedBmsHost::VerifySystemAppForTokenShell(Security::AccessToken::AccessTokenID callerToken)
-{
- APP_LOGD("verifying system app for shell token");
- Security::AccessToken::ATokenTypeEnum tokenType =
- Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
- APP_LOGD("token type is %{public}d", static_cast(tokenType));
- if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
- APP_LOGI("caller tokenType is shell, verify success");
- return true;
- }
- APP_LOGE("caller tokenType not shell, verify failed");
- return false;
-}
-
 template bool DistributedBmsHost::WriteParcelableVector(std::vector &parcelableVector, Parcel &reply)
 {
diff --git a/services/dbms/test/unittest/dbms_services_kit_test/dbms_services_kit_test.cpp b/services/dbms/test/unittest/dbms_services_kit_test/dbms_services_kit_test.cpp
index 0ba2a5f3adfdea629b8966cd0176ab281bc8c97e..84ff5330da89eada08710f295aa88736fb35ee02 100644
--- a/services/dbms/test/unittest/dbms_services_kit_test/dbms_services_kit_test.cpp
+++ b/services/dbms/test/unittest/dbms_services_kit_test/dbms_services_kit_test.cpp
@@ -1501,4 +1501,30 @@ HWTEST_F(DbmsServicesKitTest, GetUdidByNetworkId_0100, Function | SmallTest | Le
 auto ret = deviceManager.GetUdidByNetworkId(netWorkId, uid);
 EXPECT_FALSE(ret == -1);
 }
+
+/**
+ * @tc.number: VerifyCallingPermission_0100
+ * @tc.name: Test VerifyCallingPermission
+ * @tc.desc: Verify the VerifyCallingPermission return true.
+ */
+HWTEST_F(DbmsServicesKitTest, VerifyCallingPermission_0100, Function | MediumTest | Level1)
+{
+ auto distributedBms = GetDistributedBms();
+ EXPECT_NE(distributedBms, nullptr);
+ int res = distributedBms->VerifyCallingPermission(Constants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
+ EXPECT_TRUE(res);
+}
+
+/**
+ * @tc.number: VerifyCallingPermission_0200
+ * @tc.name: Test VerifyCallingPermission
+ * @tc.desc: Verify the VerifyCallingPermission return false.
+ */
+HWTEST_F(DbmsServicesKitTest, VerifyCallingPermission_0200, Function | MediumTest | Level1)
+{
+ auto distributedBms = GetDistributedBms();
+ EXPECT_NE(distributedBms, nullptr);
+ int res = distributedBms->VerifyCallingPermission("");
+ EXPECT_FALSE(res);
+}
 } // OHOS
\ No newline at end of file
diff --git a/services/dbms/test/unittest/distributed_bms_host_test/distributed_bms_host_test.cpp b/services/dbms/test/unittest/distributed_bms_host_test/distributed_bms_host_test.cpp
index 8483911f5f6226c2a3bcba194dd76bc9877dd08c..301a7b2fdc1539902c6fd839565ad764e8efa6c7 100644
--- a/services/dbms/test/unittest/distributed_bms_host_test/distributed_bms_host_test.cpp
+++ b/services/dbms/test/unittest/distributed_bms_host_test/distributed_bms_host_test.cpp
@@ -277,7 +277,7 @@ HWTEST_F(DistributedBmsHostTest, OnRemoteRequest_1100, Function | MediumTest | L
 MessageOption option;
 data.WriteInterfaceToken(DistributedBmsHost::GetDescriptor());
-
+
 std::string networkId;
 std::string bundleName;
 data.WriteString(networkId);
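Review bot: Both new tests call `VerifyCallingPermission` through the `distributedBms` pointer, but the header hunk in this commit declares it `private` in `DistributedBms`, so the test can only compile if the test translation unit defeats access control or `GetDistributedBms()` returns a test subclass; whichever mechanism is used is not visible here and deserves a comment in the fixture. The expectations also encode an assumption about the test process's own identity: `VerifyCallingPermission` returns `true` unconditionally for a native token, so `VerifyCallingPermission_0200` can only observe `false` if the token seen by `IPCSkeleton::GetCallingTokenID()` in-process is not native, while `_0100` additionally needs `GET_BUNDLE_INFO_PRIVILEGED` granted to that same token. A one-line comment above each test stating the token state it relies on, and `bool res` rather than `int res` for a `bool` result, would make the intent clear to whoever next sees these fail on a differently-configured device.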
@@ -301,7 +301,7 @@ HWTEST_F(DistributedBmsHostTest, OnRemoteRequest_1200, Function | MediumTest | L
 MessageOption option;
 data.WriteInterfaceToken(DistributedBmsHost::GetDescriptor());
-
+
 std::string networkId;
 std::string bundleName;
 data.WriteString(networkId);
@@ -696,30 +696,6 @@ HWTEST_F(DistributedBmsHostTest, HandleGetDistributedBundleName_0400, Function |
 EXPECT_EQ(res, NO_ERROR);
 }
-/**
- * @tc.number: VerifyCallingPermission_0100
- * @tc.name: Test VerifyCallingPermission
- * @tc.desc: Verify the VerifyCallingPermission return true.
- */
-HWTEST_F(DistributedBmsHostTest, VerifyCallingPermission_0100, Function | MediumTest | Level1)
-{
- MockDistributedBmsHost host;
- int res = host.VerifyCallingPermission(Constants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
- EXPECT_TRUE(res);
-}
-
-/**
- * @tc.number: VerifyCallingPermission_0200
- * @tc.name: Test VerifyCallingPermission
- * @tc.desc: Verify the VerifyCallingPermission return false.
- */
-HWTEST_F(DistributedBmsHostTest, VerifyCallingPermission_0200, Function | MediumTest | Level1)
-{
- MockDistributedBmsHost host;
- int res = host.VerifyCallingPermission("");
- EXPECT_FALSE(res);
-}
-
 /**
 * @tc.number: WriteParcelableVector_0100
 * @tc.name: Test WriteParcelableVector