From 729d88d569d6e91da10adbf558b67bc507232fb7 Mon Sep 17 00:00:00 2001
From: panqiangbiao <panqiangbiao@huawei.com>
Date: Sat, 19 Feb 2022 16:16:47 +0800
Subject: [PATCH] add permisson check as whitelist

Signed-off-by: panqiangbiao <panqiangbiao@huawei.com>
---
 interfaces/kits/js/src/file_manager_napi.cpp  |  2 +-
 services/BUILD.gn                             |  2 +
 .../src/server/file_manager_service_stub.cpp  | 76 ++++++++++++++++++-
 3 files changed, 77 insertions(+), 3 deletions(-)

diff --git a/interfaces/kits/js/src/file_manager_napi.cpp b/interfaces/kits/js/src/file_manager_napi.cpp
index 8d9d0add..39f1c578 100644
--- a/interfaces/kits/js/src/file_manager_napi.cpp
+++ b/interfaces/kits/js/src/file_manager_napi.cpp
@@ -67,7 +67,7 @@ UniError DealWithErrno(int err)
     };
     if (errMap.count(err) == 0) {
         ERR_LOG("unhandler err number %{public}d", err);
-        return UniError(FAIL);
+        return UniError(EACCES);
     } else {
         return UniError(errMap[err]);
     }
diff --git a/services/BUILD.gn b/services/BUILD.gn
index ee052479..a60d45f0 100644
--- a/services/BUILD.gn
+++ b/services/BUILD.gn
@@ -62,6 +62,7 @@ ohos_shared_library("fms_server") {
     "//base/hiviewdfx/hilog/interfaces/native/innerkits:libhilog",
     "//foundation/aafwk/standard/frameworks/kits/ability/native:abilitykit_native",
     "//foundation/aafwk/standard/interfaces/innerkits/base:base",
+    "//foundation/aafwk/standard/services/abilitymgr:abilityms",
     "//foundation/distributedschedule/dmsfwk/interfaces/innerkits/uri:zuri",
     "//foundation/filemanagement/storage_service/interfaces/innerkits/storage_manager/native:storage_manager_sa_proxy",
     "//foundation/filemanagement/storage_service/services/storage_manager:storage_manager",
@@ -77,6 +78,7 @@ ohos_shared_library("fms_server") {
     "ability_base:want",
     "ability_runtime:ability_manager",
     "ability_runtime:wantagent_innerkits",
+    "access_token:libaccesstoken_sdk",
     "ces_standard:cesfwk_innerkits",
     "hiviewdfx_hilog_native:libhilog",
     "ipc:ipc_core",
diff --git a/services/src/server/file_manager_service_stub.cpp b/services/src/server/file_manager_service_stub.cpp
index f3c5d21e..0ebdd02f 100644
--- a/services/src/server/file_manager_service_stub.cpp
+++ b/services/src/server/file_manager_service_stub.cpp
@@ -18,12 +18,16 @@
 #include "file_manager_service_def.h"
 #include "file_manager_service_errno.h"
 #include "file_manager_service.h"
+#include "ipc_singleton.h"
+#include "ipc_skeleton.h"
 #include "log.h"
 #include "media_file_utils.h"
 #include "oper_factory.h"
+#include "sa_mgr_client.h"
+#include "string_ex.h"
+#include "system_ability_definition.h"
 
 using namespace std;
-
 namespace OHOS {
 namespace FileManagerService {
 static int GetEquipmentCode(uint32_t code)
@@ -51,10 +55,78 @@ int FileManagerServiceStub::OperProcess(uint32_t code, MessageParcel &data,
     return errCode;
 }
 
+static sptr<AppExecFwk::IBundleMgr> GetSysBundleManager()
+{
+    auto bundleObj =
+        OHOS::DelayedSingleton<AAFwk::SaMgrClient>::GetInstance()->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
+    if (bundleObj == nullptr) {
+        ERR_LOG("failed to get bundle manager service");
+        return nullptr;
+    }
+    sptr<AppExecFwk::IBundleMgr> bms = iface_cast<AppExecFwk::IBundleMgr>(bundleObj);
+    return bms;
+}
+
+static bool GetClientUid(int &uid)
+{
+    auto bms = GetSysBundleManager();
+    if (bms == nullptr) {
+        ERR_LOG("GetClientBundleName bms is %{public}d", (bms == nullptr));
+        return false;
+    }
+    uid = IPCSkeleton::GetCallingUid();
+    return true;
+}
+
+static string GetClientBundleName(int uid)
+{
+    std::string bundleName = "";
+    auto bms = GetSysBundleManager();
+    if (bms == nullptr) {
+        return bundleName;
+    }
+    auto result = bms->GetBundleNameForUid(uid, bundleName);
+    DEBUG_LOG("GetClientBundleName: bundleName is %{public}s ", bundleName.c_str());
+    if (!result) {
+        ERR_LOG("GetBundleNameForUid fail");
+        return "";
+    }
+    return bundleName;
+}
+
+bool CheckClientPermission(const std::string& permissionStr)
+{
+    int uid = 0;
+    if (!GetClientUid(uid)) {
+        ERR_LOG("GetClientUid: fail ");
+        return false;
+    }
+    if (uid == 0) {
+        ERR_LOG("uid as root, white list pass");
+        return true;
+    }
+    DEBUG_LOG("GetClientBundleName: uid is %{public}d ", uid);
+    std::string bundleName = GetClientBundleName(uid);
+    if (IsSameTextStr(bundleName, "ohos.acts.distributeddatamgr.distributedfile") ||
+        IsSameTextStr(bundleName, "ohos.acts.storage.filemanager") ||
+        IsSameTextStr(bundleName, "com.ohos.filepicker") ||
+        IsSameTextStr(bundleName, "com.example.filemanager")) {
+        DEBUG_LOG("CheckClientPermission: Pass the white list");
+        return true;
+    }
+    return false;
+}
+
 int FileManagerServiceStub::OnRemoteRequest(uint32_t code, MessageParcel &data,
     MessageParcel &reply, MessageOption &option)
 {
-    // to do checkpermission()
+    // change permission string after finishing accessToken
+    string permission = "permission";
+    if (!CheckClientPermission(permission)) {
+        ERR_LOG("checkpermission error FAIL");
+        reply.WriteInt32(FAIL);
+        return FAIL;
+    }
     if (!MediaFileUtils::InitHelper(AsObject())) {
         ERR_LOG("InitHelper error %{public}d", FAIL);
         reply.WriteInt32(FAIL);
-- 
Gitee