diff --git a/services/distributeddataservice/service/data_share/data_provider_config.cpp b/services/distributeddataservice/service/data_share/data_provider_config.cpp index accce64e09ab916aa92bf4f2a9a4846decc94555..4a11ecb9db0a391ca08be090c642fcc9b8407199 100644 --- a/services/distributeddataservice/service/data_share/data_provider_config.cpp +++ b/services/distributeddataservice/service/data_share/data_provider_config.cpp @@ -148,6 +148,7 @@ int DataProviderConfig::GetFromExtensionProperties(const ProfileInfo &profileInf int DataProviderConfig::GetFromExtension() { + providerInfo_.isFromExtension = true; if (!GetFromUriPath()) { ZLOGE("Uri path failed! uri:%{public}s", URIUtils::Anonymous(providerInfo_.uri).c_str()); return E_URI_NOT_EXIST; diff --git a/services/distributeddataservice/service/data_share/data_provider_config.h b/services/distributeddataservice/service/data_share/data_provider_config.h index 694b04a892579fb19c84d04e28e68de6eca5a957..ea3abd562ee2840eec22eb952ce9abdced3e908d 100644 --- a/services/distributeddataservice/service/data_share/data_provider_config.h +++ b/services/distributeddataservice/service/data_share/data_provider_config.h @@ -45,6 +45,7 @@ public: std::string type = "rdb"; std::string backup; std::string extensionUri; + bool isFromExtension = false; bool singleton = false; bool hasExtension = false; bool allowEmptyPermission = false; diff --git a/services/distributeddataservice/service/data_share/data_share_service_impl.cpp b/services/distributeddataservice/service/data_share/data_share_service_impl.cpp index 54c7504ac2c392b47f0e1b10595878c8239c73a0..e893e7636a38c9d4f9d31c7c544ba6c060b3f95e 100644 --- a/services/distributeddataservice/service/data_share/data_share_service_impl.cpp +++ b/services/distributeddataservice/service/data_share/data_share_service_impl.cpp @@ -1104,9 +1104,9 @@ std::pair DataShareServiceImpl::ExecuteEx(const std::string &u return std::make_pair(ERROR_PERMISSION_DENIED, 0); } std::string permission = isRead ? providerInfo.readPermission : providerInfo.writePermission; - if (!permission.empty() && !PermitDelegate::VerifyPermission(permission, tokenId)) { - ZLOGE("Permission denied! token:0x%{public}x, permission:%{public}s, uri:%{public}s", - tokenId, permission.c_str(), URIUtils::Anonymous(providerInfo.uri).c_str()); + if (!VerifyPermission(providerInfo.bundleName, permission, providerInfo.isFromExtension, tokenId)) { + ZLOGE("Permission denied! token:0x%{public}x, permission:%{public}s,isFromExtension:%{public}d,uri:%{public}s", + tokenId, permission.c_str(), providerInfo.isFromExtension, URIUtils::Anonymous(providerInfo.uri).c_str()); RADAR_REPORT(__FUNCTION__, RadarReporter::SILENT_ACCESS, RadarReporter::PROXY_PERMISSION, RadarReporter::FAILED, RadarReporter::ERROR_CODE, RadarReporter::PERMISSION_DENIED_ERROR); return std::make_pair(ERROR_PERMISSION_DENIED, 0); @@ -1184,4 +1184,31 @@ void DataShareServiceImpl::ReportExcuteFault(uint32_t callingTokenId, DataProvid providerInfo.storeName, func, errCode, appendix}; HiViewFaultAdapter::ReportDataFault(faultInfo); } + +bool DataShareServiceImpl::VerifyPermission(const std::string &bundleName, const std::string &permission, + bool isFromExtension, const int32_t tokenId) +{ + // Provider from extension, allows empty permissions, not configured to allow access. + if (isFromExtension) { + if (!permission.empty() && !PermitDelegate::VerifyPermission(permission, tokenId)) { + return false; + } + } else { + Security::AccessToken::HapTokenInfo tokenInfo; + auto result = Security::AccessToken::AccessTokenKit::GetHapTokenInfo(tokenId, tokenInfo); + if (result == Security::AccessToken::RET_SUCCESS && tokenInfo.bundleName == bundleName) { + return true; + } + // Provider from ProxyData, which does not allow empty permissions and cannot be access without configured + if (permission.empty()) { + ZLOGE("Permission empty! token:0x%{public}x, bundleName:%{public}s", tokenId, bundleName.c_str()); + return false; + } + // If the permission is NO_PERMISSION, access is also allowed + if (permission != NO_PERMISSION && !PermitDelegate::VerifyPermission(permission, tokenId)) { + return false; + } + } + return true; +} } // namespace OHOS::DataShare diff --git a/services/distributeddataservice/service/data_share/data_share_service_impl.h b/services/distributeddataservice/service/data_share/data_share_service_impl.h index 0282591b3e56b8a1c669bf733ed9661be41926c0..1e776ae87cfacb3480be2e5b884ab92c9d3b5aa6 100644 --- a/services/distributeddataservice/service/data_share/data_share_service_impl.h +++ b/services/distributeddataservice/service/data_share/data_share_service_impl.h @@ -142,11 +142,14 @@ private: int32_t errCode, std::string &func); bool VerifyAcrossAccountsPermission(int32_t currentUserId, int32_t visitedUserId, const std::string &acrossAccountsPermission, uint32_t callerTokenId); + bool VerifyPermission(const std::string &bundleName, const std::string &permission, + bool isFromExtension, const int32_t tokenId); static Factory factory_; static constexpr int32_t ERROR = -1; static constexpr int32_t ERROR_PERMISSION_DENIED = -2; static constexpr const char *PROXY_URI_SCHEMA = "datashareproxy"; static constexpr const char *EXT_URI_SCHEMA = "datashare://"; + static constexpr const char *NO_PERMISSION = "noPermission"; PublishStrategy publishStrategy_; GetDataStrategy getDataStrategy_; SubscribeStrategy subscribeStrategy_;