From 11c86c8cefb5230a83f7676a4b0b11ff4905e5c3 Mon Sep 17 00:00:00 2001 From: archane Date: Fri, 28 Feb 2025 15:10:11 +0800 Subject: [PATCH] =?UTF-8?q?=E6=95=B0=E6=8D=AE=E6=8F=90=E4=BE=9B=E6=96=B9?= =?UTF-8?q?=E6=B2=A1=E9=85=8D=E7=BD=AEproxyData=E7=9A=84=E6=9D=83=E9=99=90?= =?UTF-8?q?=EF=BC=8C=E7=A6=81=E6=AD=A2=E5=85=B6=E4=BB=96=E6=95=B0=E6=8D=AE?= =?UTF-8?q?=E8=AE=BF=E9=97=AE=E6=96=B9=E9=9D=99=E9=BB=98=E8=AE=BF=E9=97=AE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: archane Change-Id: I160081e017ba3d10cf474816585995640ea2dea7 --- .../data_share/data_provider_config.cpp | 1 + .../service/data_share/data_provider_config.h | 1 + .../data_share/data_share_service_impl.cpp | 33 +++++++++++++++++-- .../data_share/data_share_service_impl.h | 3 ++ 4 files changed, 35 insertions(+), 3 deletions(-) diff --git a/services/distributeddataservice/service/data_share/data_provider_config.cpp b/services/distributeddataservice/service/data_share/data_provider_config.cpp index accce64e0..4a11ecb9d 100644 --- a/services/distributeddataservice/service/data_share/data_provider_config.cpp +++ b/services/distributeddataservice/service/data_share/data_provider_config.cpp @@ -148,6 +148,7 @@ int DataProviderConfig::GetFromExtensionProperties(const ProfileInfo &profileInf int DataProviderConfig::GetFromExtension() { + providerInfo_.isFromExtension = true; if (!GetFromUriPath()) { ZLOGE("Uri path failed! uri:%{public}s", URIUtils::Anonymous(providerInfo_.uri).c_str()); return E_URI_NOT_EXIST; diff --git a/services/distributeddataservice/service/data_share/data_provider_config.h b/services/distributeddataservice/service/data_share/data_provider_config.h index 694b04a89..ea3abd562 100644 --- a/services/distributeddataservice/service/data_share/data_provider_config.h +++ b/services/distributeddataservice/service/data_share/data_provider_config.h @@ -45,6 +45,7 @@ public: std::string type = "rdb"; std::string backup; std::string extensionUri; + bool isFromExtension = false; bool singleton = false; bool hasExtension = false; bool allowEmptyPermission = false; diff --git a/services/distributeddataservice/service/data_share/data_share_service_impl.cpp b/services/distributeddataservice/service/data_share/data_share_service_impl.cpp index 54c7504ac..e893e7636 100644 --- a/services/distributeddataservice/service/data_share/data_share_service_impl.cpp +++ b/services/distributeddataservice/service/data_share/data_share_service_impl.cpp @@ -1104,9 +1104,9 @@ std::pair DataShareServiceImpl::ExecuteEx(const std::string &u return std::make_pair(ERROR_PERMISSION_DENIED, 0); } std::string permission = isRead ? providerInfo.readPermission : providerInfo.writePermission; - if (!permission.empty() && !PermitDelegate::VerifyPermission(permission, tokenId)) { - ZLOGE("Permission denied! token:0x%{public}x, permission:%{public}s, uri:%{public}s", - tokenId, permission.c_str(), URIUtils::Anonymous(providerInfo.uri).c_str()); + if (!VerifyPermission(providerInfo.bundleName, permission, providerInfo.isFromExtension, tokenId)) { + ZLOGE("Permission denied! token:0x%{public}x, permission:%{public}s,isFromExtension:%{public}d,uri:%{public}s", + tokenId, permission.c_str(), providerInfo.isFromExtension, URIUtils::Anonymous(providerInfo.uri).c_str()); RADAR_REPORT(__FUNCTION__, RadarReporter::SILENT_ACCESS, RadarReporter::PROXY_PERMISSION, RadarReporter::FAILED, RadarReporter::ERROR_CODE, RadarReporter::PERMISSION_DENIED_ERROR); return std::make_pair(ERROR_PERMISSION_DENIED, 0); @@ -1184,4 +1184,31 @@ void DataShareServiceImpl::ReportExcuteFault(uint32_t callingTokenId, DataProvid providerInfo.storeName, func, errCode, appendix}; HiViewFaultAdapter::ReportDataFault(faultInfo); } + +bool DataShareServiceImpl::VerifyPermission(const std::string &bundleName, const std::string &permission, + bool isFromExtension, const int32_t tokenId) +{ + // Provider from extension, allows empty permissions, not configured to allow access. + if (isFromExtension) { + if (!permission.empty() && !PermitDelegate::VerifyPermission(permission, tokenId)) { + return false; + } + } else { + Security::AccessToken::HapTokenInfo tokenInfo; + auto result = Security::AccessToken::AccessTokenKit::GetHapTokenInfo(tokenId, tokenInfo); + if (result == Security::AccessToken::RET_SUCCESS && tokenInfo.bundleName == bundleName) { + return true; + } + // Provider from ProxyData, which does not allow empty permissions and cannot be access without configured + if (permission.empty()) { + ZLOGE("Permission empty! token:0x%{public}x, bundleName:%{public}s", tokenId, bundleName.c_str()); + return false; + } + // If the permission is NO_PERMISSION, access is also allowed + if (permission != NO_PERMISSION && !PermitDelegate::VerifyPermission(permission, tokenId)) { + return false; + } + } + return true; +} } // namespace OHOS::DataShare diff --git a/services/distributeddataservice/service/data_share/data_share_service_impl.h b/services/distributeddataservice/service/data_share/data_share_service_impl.h index 0282591b3..1e776ae87 100644 --- a/services/distributeddataservice/service/data_share/data_share_service_impl.h +++ b/services/distributeddataservice/service/data_share/data_share_service_impl.h @@ -142,11 +142,14 @@ private: int32_t errCode, std::string &func); bool VerifyAcrossAccountsPermission(int32_t currentUserId, int32_t visitedUserId, const std::string &acrossAccountsPermission, uint32_t callerTokenId); + bool VerifyPermission(const std::string &bundleName, const std::string &permission, + bool isFromExtension, const int32_t tokenId); static Factory factory_; static constexpr int32_t ERROR = -1; static constexpr int32_t ERROR_PERMISSION_DENIED = -2; static constexpr const char *PROXY_URI_SCHEMA = "datashareproxy"; static constexpr const char *EXT_URI_SCHEMA = "datashare://"; + static constexpr const char *NO_PERMISSION = "noPermission"; PublishStrategy publishStrategy_; GetDataStrategy getDataStrategy_; SubscribeStrategy subscribeStrategy_; -- Gitee