diff --git a/common/include/dm_constants.h b/common/include/dm_constants.h index 901a30b7a175676d860b062641e2db95cb6cc5d4..1edd72def1799d16cc6410e4f1d0254e34dd4122 100755 --- a/common/include/dm_constants.h +++ b/common/include/dm_constants.h @@ -171,6 +171,8 @@ DM_EXPORT extern const char* DM_VAL_FALSE; DM_EXPORT extern const char* APP_USER_DATA; DM_EXPORT extern const char* BUNDLE_INFO; DM_EXPORT extern const char* DM_BUSINESS_ID; +DM_EXPORT extern const char* DM_RISK; +DM_EXPORT extern const char* DM_SAFE; // screen state enum ScreenState { diff --git a/common/src/dm_constants.cpp b/common/src/dm_constants.cpp index 5a2632e9dbc5bc6bd26f6ef8e506d5769b2e6c95..f8bfb729bda7982b7ec510d1a5037845d8194cdc 100644 --- a/common/src/dm_constants.cpp +++ b/common/src/dm_constants.cpp @@ -161,6 +161,8 @@ const char* DM_VAL_FALSE = "false"; const char* APP_USER_DATA = "appUserData"; const char* BUNDLE_INFO = "bundleInfo"; const char* DM_BUSINESS_ID = "business_id"; +const char* DM_RISK = "risk"; +const char* DM_SAFE = "safe"; // errCode map const std::map MAP_ERROR_CODE = { diff --git a/interfaces/inner_kits/native_cpp/include/i_dm_device_risk_detect.h b/interfaces/inner_kits/native_cpp/include/i_dm_device_risk_detect.h new file mode 100644 index 0000000000000000000000000000000000000000..097f607b04b58d83f390989ed06e21dfaacbf65c --- /dev/null +++ b/interfaces/inner_kits/native_cpp/include/i_dm_device_risk_detect.h @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef OHOS_I_DM_DEVICE_RISK_DETECT_H +#define OHOS_I_DM_DEVICE_RISK_DETECT_H +namespace OHOS { +namespace DistributedHardware { +class IDMDeviceRiskDetect { +public: + virtual ~IDMDeviceRiskDetect() = default; + virtual int32_t Initialize() = 0; + virtual int32_t Release() = 0; + virtual int32_t DetectDeviceRisk(std::string &efuse, std::string &fastbootLock, + std::string &processPrivilege, std::string &rootPackage) = 0; +}; + +using CreateDMDeviceRiskDetectFuncPtr = IDMDeviceRiskDetect *(*)(void); +} // namespace DistributedHardware +} // namespace OHOS +#endif // OHOS_I_DM_DEVICE_RISK_DETECT_H diff --git a/sa_profile/device_manager.cfg b/sa_profile/device_manager.cfg index a1aaa5e7c5e2db98727470ee57e5442fcba99bb4..433c2ef617e6af3c1abdaa2f981f6de125d456f2 100644 --- a/sa_profile/device_manager.cfg +++ b/sa_profile/device_manager.cfg @@ -42,7 +42,8 @@ "ohos.permission.ACCESS_SENSING_WITH_ULTRASOUND", "ohos.permission.ACCESS_DEVAUTH_CRED_PRIVILEGE", "ohos.permission.ACCESS_IDS", - "ohos.permission.sec.ACCESS_UDID" + "ohos.permission.sec.ACCESS_UDID", + "ohos.permission.QUERY_SECURITY_MODEL_RESULT" ], "permission_acls" : [ "ohos.permission.MANAGE_SOFTBUS_NETWORK", diff --git a/services/service/include/device_manager_service.h b/services/service/include/device_manager_service.h index 70c27f371593f457c0f27d2d07570851d2e2437e..069a2ad13e7f8ffb62039b4ea70a995ac1fc86be 100644 --- a/services/service/include/device_manager_service.h +++ b/services/service/include/device_manager_service.h @@ -32,6 +32,7 @@ #include "hichain_listener.h" #include "i_dm_check_api_white_list.h" #include "i_dm_service_impl_ext_resident.h" +#include "i_dm_device_risk_detect.h" #if !(defined(__LITEOS_M__) || defined(LITE_DEVICE)) #include "dm_account_common_event.h" #include "dm_datashare_common_event.h" @@ -59,6 +60,10 @@ public: void InitHichainListener(); + void StartDetectDeviceRisk(); + + void DelAllRelateShip(); + DM_EXPORT void RegisterCallerAppId(const std::string &pkgName); DM_EXPORT void UnRegisterCallerAppId(const std::string &pkgName); @@ -275,9 +280,11 @@ private: bool IsDMImplSoLoaded(); bool IsDMServiceAdapterSoLoaded(); bool IsDMServiceAdapterResidentLoad(); + bool IsDMDeviceRiskDetectSoLoaded(); bool IsMsgEmptyAndDMServiceImplReady(const std::string &msg); void UnloadDMServiceImplSo(); void UnloadDMServiceAdapterResident(); + void UnloadDMDeviceRiskDetect(); void SendUnBindBroadCast(const std::vector &peerUdids, int32_t userId, uint64_t tokenId, int32_t bindLevel); void SendUnBindBroadCast(const std::vector &peerUdids, int32_t userId, uint64_t tokenId, @@ -438,9 +445,13 @@ private: private: bool isImplsoLoaded_ = false; bool isAdapterResidentSoLoaded_ = false; + bool isDeviceRiskDetectSoLoaded_ = false; void *residentSoHandle_ = nullptr; + void *deviceRiskDetectSoHandle_ = nullptr; std::mutex isImplLoadLock_; std::mutex isAdapterResidentLoadLock_; + std::mutex isDeviceRiskDetectSoLoadLock_; + std::mutex detectLock_; std::mutex hichainListenerLock_; std::mutex userVecLock_; std::shared_ptr advertiseMgr_; @@ -450,6 +461,7 @@ private: std::shared_ptr listener_; std::shared_ptr dmServiceImpl_; std::shared_ptr dmServiceImplExtResident_; + std::shared_ptr dmDeviceRiskDetect_; std::string localDeviceId_; std::shared_ptr pinHolder_; #if !(defined(__LITEOS_M__) || defined(LITE_DEVICE)) diff --git a/services/service/include/hichain/hichain_listener.h b/services/service/include/hichain/hichain_listener.h index cc43346a26077da6088c62513d889081af95b9f4..cad9be3f19536b754e4316b8e347e77f41454ba1 100644 --- a/services/service/include/hichain/hichain_listener.h +++ b/services/service/include/hichain/hichain_listener.h @@ -68,6 +68,7 @@ public: int32_t GetRelatedGroupsExt(int32_t userId, const std::string &deviceId, std::vector &groupList); int32_t DeleteGroupExt(int32_t userId, std::string &groupId); int64_t GenRequestId(); + int32_t DeleteCredential(int32_t osAccountId, const std::string &credId); static void OnHichainDeviceUnBound(const char *peerUdid, const char *groupInfo); static void OnCredentialDeleted(const char *credId, const char *credInfo); diff --git a/services/service/src/device_manager_service.cpp b/services/service/src/device_manager_service.cpp index edcb3401ca905e5de577e89c893cc1e2cb5b99af..bcfc2a8f19f11b16d57bd4e83830b02764b58d38 100644 --- a/services/service/src/device_manager_service.cpp +++ b/services/service/src/device_manager_service.cpp @@ -40,6 +40,7 @@ #include "multiple_user_connector.h" #include "relationship_sync_mgr.h" #include "openssl/sha.h" +#include "system_ability_definition.h" #if defined(SUPPORT_POWER_MANAGER) #include "power_mgr_client.h" #endif // SUPPORT_POWER_MANAGER @@ -63,6 +64,7 @@ constexpr const char* LIB_IMPL_NAME = "libdevicemanagerserviceimpl.so"; #endif constexpr const char* LIB_DM_ADAPTER_NAME = "libdevicemanageradapter.z.so"; constexpr const char* LIB_DM_RESIDENT_NAME = "libdevicemanagerresident.z.so"; +constexpr const char* LIB_DM_DEVICE_RISK_DETECT_NAME = "libdevicemanagerriskdetect.z.so"; #if !(defined(__LITEOS_M__) || defined(LITE_DEVICE)) && !defined(DEVICE_MANAGER_COMMON_FLAG) constexpr const char* LIB_DM_CHECK_API_WHITE_LIST_NAME = "libdm_check_api_whitelist.z.so"; #endif @@ -106,6 +108,7 @@ DeviceManagerService::~DeviceManagerService() LOGI("DeviceManagerService destructor"); UnloadDMServiceImplSo(); UnloadDMServiceAdapterResident(); + UnloadDMDeviceRiskDetect(); } int32_t DeviceManagerService::Init() @@ -152,6 +155,82 @@ void DeviceManagerService::InitHichainListener() hichainListener_->RegisterCredentialCb(); } +#if !(defined(__LITEOS_M__) || defined(LITE_DEVICE)) +void DeviceManagerService::StartDetectDeviceRisk() +{ + std::lock_guard lock(detectLock_); + auto samgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); + CHECK_NULL_VOID(samgr); + if (samgr->CheckSystemAbility(RISK_ANALYSIS_MANAGER_SA_ID) == nullptr) { + LOGE("%{public}d sa not start", RISK_ANALYSIS_MANAGER_SA_ID); + return; + } + if (!IsDMDeviceRiskDetectSoLoaded()) { + LOGE("load dm device risk detect failed."); + return; + } + std::string efuse; + std::string fastbootLock; + std::string processPrivilege; + std::string rootPackage; + int32_t ret = dmDeviceRiskDetect_->DetectDeviceRisk(efuse, fastbootLock, processPrivilege, rootPackage); + if (ret != DM_OK) { + LOGE("DetectDeviceRisk failed. ret:%{public}d", ret); + return; + } + LOGI("efuse:%{public}s, fastbootLock:%{public}s, processPrivilege:%{public}s, rootPackage:%{public}s", + efuse.c_str(), fastbootLock.c_str(), processPrivilege.c_str(), rootPackage.c_str()); + if (efuse == DM_RISK || (efuse == DM_SAFE && fastbootLock == DM_RISK)) { + LOGI("device status is development"); + return; + } else if (processPrivilege == DM_RISK || rootPackage == DM_RISK) { + LOGI("device status is Illegal"); + DelAllRelateShip(); + } else { + LOGI("device status is Commercial"); + return; + } +} + +void DeviceManagerService::DelAllRelateShip() +{ + std::lock_guard lock(hichainListenerLock_); + if (hichainListener_ == nullptr) { + hichainListener_ = std::make_shared(); + } + char localDeviceId[DEVICE_UUID_LENGTH] = {0}; + GetDevUdid(localDeviceId, DEVICE_UUID_LENGTH); + std::string localUdid = static_cast(localDeviceId); + int32_t userId = MultipleUserConnector::GetCurrentAccountUserID(); + std::vector currentUserIds; + currentUserIds.push_back(userId); + hichainListener_->DeleteAllGroup(localUdid, currentUserIds); + std::vector profiles = + DeviceProfileConnector::GetInstance().GetAllAclIncludeLnnAcl(); + for (auto &item : profiles) { + std::string acerDeviceId = item.GetAccesser().GetAccesserDeviceId(); + std::string aceeDeviceId = item.GetAccessee().GetAccesseeDeviceId(); + if (localUdid == acerDeviceId) { + int32_t acerUserId = item.GetAccesser().GetAccesserUserId(); + int32_t acerSkId = item.GetAccesser().GetAccesserSessionKeyId(); + DeviceProfileConnector::GetInstance().DeleteSessionKey(acerUserId, acerSkId); + + std::string acerCredId = item.GetAccesser().GetAccesserCredentialIdStr(); + hichainListener_->DeleteCredential(acerUserId, acerCredId); + } else if (localUdid == aceeDeviceId) { + int32_t aceeUserId = item.GetAccessee().GetAccesseeUserId(); + int32_t aceeSkId = item.GetAccessee().GetAccesseeSessionKeyId(); + DeviceProfileConnector::GetInstance().DeleteSessionKey(aceeUserId, aceeSkId); + + std::string aceeCredId = item.GetAccessee().GetAccesseeCredentialIdStr(); + hichainListener_->DeleteCredential(aceeUserId, aceeCredId); + } + int32_t aclId = item.GetAccessControlId(); + DeviceProfileConnector::GetInstance().DeleteAccessControlById(aclId); + } +} +#endif + #if !(defined(__LITEOS_M__) || defined(LITE_DEVICE)) #if defined(SUPPORT_BLUETOOTH) || defined(SUPPORT_WIFI) void DeviceManagerService::SubscribePublishCommonEvent() @@ -1591,6 +1670,58 @@ void DeviceManagerService::UnloadDMServiceAdapterResident() } } +bool DeviceManagerService::IsDMDeviceRiskDetectSoLoaded() +{ + std::lock_guard lock(isDeviceRiskDetectSoLoadLock_); + if (isDeviceRiskDetectSoLoaded_ && (dmDeviceRiskDetect_ != nullptr)) { + return true; + } + deviceRiskDetectSoHandle_ = dlopen(LIB_DM_DEVICE_RISK_DETECT_NAME, RTLD_NOW | RTLD_NODELETE | RTLD_NOLOAD); + if (deviceRiskDetectSoHandle_ == nullptr) { + deviceRiskDetectSoHandle_ = dlopen(LIB_DM_DEVICE_RISK_DETECT_NAME, RTLD_NOW | RTLD_NODELETE); + } + if (deviceRiskDetectSoHandle_ == nullptr) { + LOGE("load dm device risk detect so failed."); + return false; + } + dlerror(); + auto func = (CreateDMDeviceRiskDetectFuncPtr)dlsym(deviceRiskDetectSoHandle_, "CreateDMDeviceRiskDetectObject"); + if (dlerror() != nullptr || func == nullptr) { + dlclose(deviceRiskDetectSoHandle_); + deviceRiskDetectSoHandle_ = nullptr; + LOGE("Create object function is not exist."); + return false; + } + + dmDeviceRiskDetect_ = std::shared_ptr(func()); + if (dmDeviceRiskDetect_->Initialize() != DM_OK) { + dlclose(deviceRiskDetectSoHandle_); + deviceRiskDetectSoHandle_ = nullptr; + dmDeviceRiskDetect_ = nullptr; + isDeviceRiskDetectSoLoaded_ = false; + LOGE("dm sdevice risk detect init failed."); + return false; + } + isDeviceRiskDetectSoLoaded_ = true; + LOGI("Success."); + return true; +} + +void DeviceManagerService::UnloadDMDeviceRiskDetect() +{ + LOGI("Start."); + std::lock_guard lock(isDeviceRiskDetectSoLoadLock_); + if (dmDeviceRiskDetect_ != nullptr) { + dmDeviceRiskDetect_->Release(); + dmDeviceRiskDetect_ = nullptr; + } + if (deviceRiskDetectSoHandle_ != nullptr) { + LOGI("dm device risk detect deviceRiskDetectSoHandle_ is not nullptr."); + dlclose(deviceRiskDetectSoHandle_); + deviceRiskDetectSoHandle_ = nullptr; + } +} + int32_t DeviceManagerService::StartDiscovering(const std::string &pkgName, const std::map &discoverParam, const std::map &filterOptions) { diff --git a/services/service/src/hichain/hichain_listener.cpp b/services/service/src/hichain/hichain_listener.cpp index 1779410c6d9a709ab748459cc7ceb087e551ff10..499cc6843a16d50c35024f8ed6fc16ac154b65de 100644 --- a/services/service/src/hichain/hichain_listener.cpp +++ b/services/service/src/hichain/hichain_listener.cpp @@ -318,5 +318,21 @@ int32_t HichainListener::DeleteGroupExt(int32_t userId, std::string &groupId) } return DM_OK; } + +int32_t HichainListener::DeleteCredential(int32_t osAccountId, const std::string &credId) +{ + LOGI("start. osAccountId=%{public}s, credId=%{public}s", GetAnonyInt32(osAccountId).c_str(), + GetAnonyString(credId).c_str()); + if (credManager_ == nullptr) { + LOGE("credManager_ is nullptr"); + return ERR_DM_POINT_NULL; + } + int32_t ret = credManager_->deleteCredential(osAccountId, credId.c_str()); + if (ret != DM_OK) { + LOGE("Hichain deleteCredential failed ret %{public}d.", ret); + return ERR_DM_FAILED; + } + return DM_OK; +} } // namespace DistributedHardware } // namespace OHOS \ No newline at end of file diff --git a/services/service/src/ipc/standard/ipc_server_stub.cpp b/services/service/src/ipc/standard/ipc_server_stub.cpp index a971dd983848abdd1948a9a7f4b2eb46528979a0..acc8499e74fc3f0e1a283b0c4a5e5c60f9b88311 100644 --- a/services/service/src/ipc/standard/ipc_server_stub.cpp +++ b/services/service/src/ipc/standard/ipc_server_stub.cpp @@ -93,6 +93,7 @@ void IpcServerStub::OnStart() #endif AddSystemAbilityListener(DEVICE_AUTH_SERVICE_ID); AddSystemAbilityListener(ACCESS_TOKEN_MANAGER_SERVICE_ID); + AddSystemAbilityListener(RISK_ANALYSIS_MANAGER_SA_ID); DeviceManagerService::GetInstance().SubscribePackageCommonEvent(); } @@ -208,6 +209,10 @@ void IpcServerStub::OnAddSystemAbility(int32_t systemAbilityId, const std::strin DeviceManagerService::GetInstance().InitHichainListener(); return; } + if (systemAbilityId == RISK_ANALYSIS_MANAGER_SA_ID) { + DeviceManagerService::GetInstance().StartDetectDeviceRisk(); + return; + } } void IpcServerStub::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string& deviceId) diff --git a/services/service/src/softbus/softbus_listener.cpp b/services/service/src/softbus/softbus_listener.cpp index 8f0e5dcff64e727c168d4cd472e049c5f01898a9..2491cc636dd59aedef7006b09e89e809fb65493b 100644 --- a/services/service/src/softbus/softbus_listener.cpp +++ b/services/service/src/softbus/softbus_listener.cpp @@ -268,6 +268,7 @@ void SoftbusListener::OnSoftbusDeviceOnline(NodeBasicInfo *info) LOGE("NodeBasicInfo is nullptr."); return; } + DeviceManagerService::GetInstance().StartDetectDeviceRisk(); DmDeviceInfo dmDeviceInfo; ConvertNodeBasicInfoToDmDevice(*info, dmDeviceInfo); LOGI("device online networkId: %{public}s.", GetAnonyString(dmDeviceInfo.networkId).c_str()); diff --git a/test/unittest/UTTest_device_manager_service_three.cpp b/test/unittest/UTTest_device_manager_service_three.cpp index 89d07048aeee702027343640fa59dc00fab0103a..5ca56ab1440f80cfc8d88825cf57f927149b6c42 100644 --- a/test/unittest/UTTest_device_manager_service_three.cpp +++ b/test/unittest/UTTest_device_manager_service_three.cpp @@ -896,6 +896,19 @@ HWTEST_F(DeviceManagerServiceThreeTest, ProcessReceiveRspAppUnbind_302, testing: DeviceManagerService::GetInstance().ProcessReceiveRspAppUnbind(remoteUdid); EXPECT_EQ(DeviceManagerService::GetInstance().timer_, nullptr); } + +HWTEST_F(DeviceManagerServiceThreeTest, StartDetectDeviceRisk_301, testing::ext::TestSize.Level1) +{ + DeviceManagerService::GetInstance().isDeviceRiskDetectSoLoaded_ = false; + DeviceManagerService::GetInstance().StartDetectDeviceRisk(); + EXPECT_EQ(DeviceManagerService::GetInstance().isDeviceRiskDetectSoLoaded_, false); +} + +HWTEST_F(DeviceManagerServiceThreeTest, UnloadDMDeviceRiskDetect_301, testing::ext::TestSize.Level1) +{ + DeviceManagerService::GetInstance().UnloadDMDeviceRiskDetect(); + EXPECT_EQ(DeviceManagerService::GetInstance().dmDeviceRiskDetect_, nullptr); +} } // namespace } // namespace DistributedHardware } // namespace OHOS diff --git a/test/unittest/UTTest_hichain_listener.cpp b/test/unittest/UTTest_hichain_listener.cpp index 1d0f88328681ebe06a618b1f094f00c27427bd55..329b0aa3e79ffb9d1dbc8c6528db47e3272123cd 100644 --- a/test/unittest/UTTest_hichain_listener.cpp +++ b/test/unittest/UTTest_hichain_listener.cpp @@ -15,6 +15,7 @@ #include "UTTest_hichain_listener.h" #include "dm_anonymous.h" +#include "dm_error_type.h" namespace OHOS { namespace DistributedHardware { @@ -157,5 +158,23 @@ HWTEST_F(HichainListenerTest, OnCredentialDeleted_005, testing::ext::TestSize.Le EXPECT_TRUE(true); // Verifying early return for invalid length } +HWTEST_F(HichainListenerTest, DeleteCredential_001, testing::ext::TestSize.Level2) +{ + HichainListener listener; + listener.credManager_ = nullptr; + int32_t osAccountId = 123; + std::string credId = "123456789"; + int32_t ret = listener.DeleteCredential(osAccountId, credId); + EXPECT_EQ(ret, ERR_DM_POINT_NULL); +} + +HWTEST_F(HichainListenerTest, DeleteCredential_002, testing::ext::TestSize.Level2) +{ + HichainListener listener; + int32_t osAccountId = 123; + std::string credId = "123456789"; + int32_t ret = listener.DeleteCredential(osAccountId, credId); + EXPECT_EQ(ret, ERR_DM_FAILED); +} } // DistributedHardware } // OHOS \ No newline at end of file