diff --git a/services/distributeddataservice/service/data_share/data_share_service_stub.cpp b/services/distributeddataservice/service/data_share/data_share_service_stub.cpp
index 229afde9572d7e6fbe7db80d62848490b6cfdfb6..d0b000ee9b29cf4fcc7639528bdded7bbc1d4d07 100644
--- a/services/distributeddataservice/service/data_share/data_share_service_stub.cpp
+++ b/services/distributeddataservice/service/data_share/data_share_service_stub.cpp
@@ -18,6 +18,8 @@
 #include "data_share_service_stub.h"
 #include
+#include "accesstoken_kit.h"
+#include "tokenid_kit.h"
 #include "data_share_obs_proxy.h"
 #include "hiview_adapter.h"
 #include "hiview_fault_adapter.h"
@@ -325,6 +327,24 @@ int32_t DataShareServiceStub::OnNotifyConnectDone(MessageParcel &data, MessagePa
     return 0;
 }
 
+bool DataShareServiceStub::CheckProxyCallingPermission(uint32_t tokenId)
+{
+    Security::AccessToken::ATokenTypeEnum tokenType =
+        Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
+    return (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE ||
+        tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL);
+}
+
+// GetTokenType use tokenId, and IsSystemApp use fullTokenId, these are different
+bool DataShareServiceStub::CheckSystemUidCallingPermission(uint32_t tokenId, uint64_t fullTokenId)
+{
+    if (CheckProxyCallingPermission(tokenId)) {
+        return true;
+    }
+    // IsSystemAppByFullTokenID here is not IPC
+    return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
+}
+
 int DataShareServiceStub::OnRemoteRequest(uint32_t code, MessageParcel &data, MessageParcel &reply)
 {
     int tryTimes = TRY_TIMES;
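Review bot: `CheckProxyCallingPermission` and `CheckSystemUidCallingPermission` in the second hunk read no member state, so they should be declared `static` like the neighbouring `CheckInterfaceToken` in the header hunk of data_share_service_stub.h (@@ -29,6 +29,8 @@), which also lets the policy be unit-tested without a stub instance. The name `CheckSystemUidCallingPermission` is misleading: what is checked is the token type and the system-app flag, never a UID, so the header declaration deserves a comment stating what passes — a native or shell token, or a system app as judged by the full token ID. The comment above the second function would read better as `// GetTokenTypeFlag takes the 32-bit tokenId while IsSystemAppByFullTokenID takes the 64-bit fullTokenId; they are different values.` Accepting `TOKEN_SHELL` widens the set of callers beyond system apps, which is a policy decision worth one line of comment next to the `return` so it is not later mistaken for an oversight.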
@@ -333,6 +353,15 @@ int DataShareServiceStub::OnRemoteRequest(uint32_t code, MessageParcel &data, Me
         std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIME));
     }
     auto callingPid = IPCSkeleton::GetCallingPid();
+    if (code >= DATA_SHARE_CMD_SYSTEM_CODE) {
+        auto fullTokenId = IPCSkeleton::GetCallingFullTokenID();
+        if (!CheckSystemUidCallingPermission(IPCSkeleton::GetCallingTokenID(), fullTokenId)) {
+            ZLOGE("CheckSystemUidCallingPermission fail, token:%{public}" PRIx64
+                ", callingPid:%{public}d, code:%{public}u", fullTokenId, callingPid, code);
+            return E_NOT_SYSTEM_APP;
+        }
+        code = code - DATA_SHARE_CMD_SYSTEM_CODE;
+    }
     if (code != DATA_SHARE_SERVICE_CMD_QUERY && code != DATA_SHARE_SERVICE_CMD_GET_SILENT_PROXY_STATUS) {
         ZLOGI("code:%{public}u, callingPid:%{public}d", code, callingPid);
     }
diff --git a/services/distributeddataservice/service/data_share/data_share_service_stub.h b/services/distributeddataservice/service/data_share/data_share_service_stub.h
index d13b2099344894592e4804216ed2b2ef2a231625..b84c26967de53afab0711e617f19c33e16382f2f 100644
--- a/services/distributeddataservice/service/data_share/data_share_service_stub.h
+++ b/services/distributeddataservice/service/data_share/data_share_service_stub.h
@@ -29,6 +29,8 @@ public:
 private:
     static constexpr std::chrono::milliseconds TIME_THRESHOLD = std::chrono::milliseconds(500);
     static bool CheckInterfaceToken(MessageParcel& data);
+    bool CheckProxyCallingPermission(uint32_t tokenId);
+    bool CheckSystemUidCallingPermission(uint32_t tokenId, uint64_t fullTokenId);
     int32_t OnQuery(MessageParcel& data, MessageParcel& reply);
     int32_t OnAddTemplate(MessageParcel& data, MessageParcel& reply);
     int32_t OnDelTemplate(MessageParcel& data, MessageParcel& reply);
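Review bot: After `code = code - DATA_SHARE_CMD_SYSTEM_CODE;` the remapped code is not bounded anywhere in this hunk, so a request carrying a value at or above `DATA_SHARE_SERVICE_CMD_MAX_SYSTEM` passes the permission gate and then reaches the dispatch further down as an out-of-range legacy code; unless that dispatch has its own `code < DATA_SHARE_SERVICE_CMD_MAX` check, the gate should reject such values before subtracting, e.g. `if (code >= DATA_SHARE_SERVICE_CMD_MAX_SYSTEM) { return <the error the existing unknown-code path returns>; }`. The legacy range below `DATA_SHARE_CMD_SYSTEM_CODE` stays ungated for every caller, so this check only protects clients that opt into the `_SYSTEM` codes; if that is intentional for compatibility, a comment on the `if` saying so will stop a later reader from assuming every command is now system-only. `DATA_SHARE_CMD_SYSTEM_CODE` is a `static constexpr int` compared against the `uint32_t` code, so an unsigned constant or a `static_cast<uint32_t>` would keep the comparison free of sign-compare warnings. OnRemoteRequest begins and ends outside this hunk.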
diff --git a/services/distributeddataservice/service/data_share/idata_share_service.h b/services/distributeddataservice/service/data_share/idata_share_service.h
index e57489fecdeda12978ad666a1fd1518c064aacc6..05e1fd15542f7e286c0d6ba77b36ed1f005d52a1 100644
--- a/services/distributeddataservice/service/data_share/idata_share_service.h
+++ b/services/distributeddataservice/service/data_share/idata_share_service.h
@@ -29,6 +29,7 @@ namespace OHOS::DataShare {
 
 class IDataShareService {
 public:
+    static constexpr int DATA_SHARE_CMD_SYSTEM_CODE = 100;
     enum {
         DATA_SHARE_SERVICE_CMD_QUERY,
         DATA_SHARE_SERVICE_CMD_ADD_TEMPLATE,
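Review bot: `DATA_SHARE_CMD_SYSTEM_CODE` is added without a comment, yet the stub's `OnRemoteRequest` subtracts it from incoming codes and therefore depends on every `_SYSTEM` enumerator being exactly its legacy counterpart plus this offset. A doc comment would make that contract explicit: `// Offset of the system-app-only command range: code N + DATA_SHARE_CMD_SYSTEM_CODE is the gated form of legacy code N and must stay above DATA_SHARE_SERVICE_CMD_MAX.` Since the constant is compared with a `uint32_t` IPC code in the stub, declaring it `static constexpr uint32_t` would match that use and avoid a signed/unsigned comparison.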
@@ -52,7 +53,30 @@ public:
         DATA_SHARE_SERVICE_CMD_INSERTEX,
         DATA_SHARE_SERVICE_CMD_DELETEEX,
         DATA_SHARE_SERVICE_CMD_UPDATEEX,
-        DATA_SHARE_SERVICE_CMD_MAX
+        DATA_SHARE_SERVICE_CMD_MAX,
+        DATA_SHARE_SERVICE_CMD_QUERY_SYSTEM = DATA_SHARE_CMD_SYSTEM_CODE,
+        DATA_SHARE_SERVICE_CMD_ADD_TEMPLATE_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_DEL_TEMPLATE_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_PUBLISH_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_GET_DATA_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_SUBSCRIBE_RDB_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_UNSUBSCRIBE_RDB_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_ENABLE_SUBSCRIBE_RDB_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_DISABLE_SUBSCRIBE_RDB_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_SUBSCRIBE_PUBLISHED_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_UNSUBSCRIBE_PUBLISHED_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_ENABLE_SUBSCRIBE_PUBLISHED_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_DISABLE_SUBSCRIBE_PUBLISHED_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_NOTIFY_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_NOTIFY_OBSERVERS_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_SET_SILENT_SWITCH_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_GET_SILENT_PROXY_STATUS_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_REGISTER_OBSERVER_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_UNREGISTER_OBSERVER_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_INSERTEX_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_DELETEEX_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_UPDATEEX_SYSTEM,
+        DATA_SHARE_SERVICE_CMD_MAX_SYSTEM
     };
 
     enum { DATA_SHARE_ERROR = -1, DATA_SHARE_OK = 0 };
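Review bot: The `_SYSTEM` block mirrors the legacy enumerators by position only, so adding a legacy command without its `_SYSTEM` twin (or the reverse) silently shifts the `code - DATA_SHARE_CMD_SYSTEM_CODE` remapping in the stub onto the wrong handler, and the two ranges would also overlap if the legacy list ever grew past the offset. Both invariants are cheap to pin right after the closing `};` with `static_assert(DATA_SHARE_SERVICE_CMD_MAX < DATA_SHARE_CMD_SYSTEM_CODE, "legacy codes overlap the system range");` and `static_assert(DATA_SHARE_SERVICE_CMD_MAX_SYSTEM - DATA_SHARE_CMD_SYSTEM_CODE == DATA_SHARE_SERVICE_CMD_MAX, "system codes must mirror legacy codes one-to-one");`. A one-line comment above `DATA_SHARE_SERVICE_CMD_QUERY_SYSTEM` stating that the block must be kept in the same order as the legacy list would help whoever edits it next.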