From 7ecacc52c0eca53aecd2ddeeb7905950574867a9 Mon Sep 17 00:00:00 2001
From: zero-cyc
Date: Wed, 1 Jun 2022 10:15:13 +0800
Subject: [PATCH] add apl check
Signed-off-by: zero-cyc
Change-Id: I00ccc2c999f90e0e8698b98b1b37ed462372418e
---
 services/ans/include/access_token_helper.h | 1 +
 services/ans/src/access_token_helper.cpp | 25 +++++++++++++++++++
 .../ans/src/advanced_notification_service.cpp | 3 +--
 3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/services/ans/include/access_token_helper.h b/services/ans/include/access_token_helper.h
index 11de4e9da..965ca236a 100644
--- a/services/ans/include/access_token_helper.h
+++ b/services/ans/include/access_token_helper.h
@@ -34,6 +34,7 @@ public:
 static bool VerifyCallerPermission(
 const Security::AccessToken::AccessTokenID &tokenCaller, const std::string &permission);
 static bool VerifyNativeToken(const Security::AccessToken::AccessTokenID &callerToken);
+ static bool IsSystemHap();
 };
 } // namespace Notification
 } // namespace OHOS
diff --git a/services/ans/src/access_token_helper.cpp b/services/ans/src/access_token_helper.cpp
index b49617be6..a54e4ce61 100644
--- a/services/ans/src/access_token_helper.cpp
+++ b/services/ans/src/access_token_helper.cpp
@@ -15,6 +15,9 @@
 #include "access_token_helper.h"
+#include "ans_log_wrapper.h"
+#include "ipc_skeleton.h"
+
 namespace OHOS {
 namespace Notification {
 bool AccessTokenHelper::VerifyCallerPermission(
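Review bot: `IsSystemHap()` in access_token_helper.h is declared without a token parameter and without a comment, while the two existing helpers take the `AccessTokenID` they check. Judging from the definition later in this patch, it reads the caller from `IPCSkeleton::GetCallingTokenID()` and also returns true for native tokens, so its result depends on being invoked in the IPC caller's context and the name understates what it accepts. I would add a declaration comment such as `// True if the current IPC caller holds a native token or a HAP token with APL system_basic/system_core; call only in the caller's IPC context.`, or pass the token in like the sibling helpers.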
@@ -30,5 +33,27 @@ bool AccessTokenHelper::VerifyNativeToken(const Security::AccessToken::AccessTok
 Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
 return tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE;
 }
+
+bool AccessTokenHelper::IsSystemHap()
+{
+ AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
+ ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId);
+ if (type == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
+ return true;
+ }
+ if (type == Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) {
+ HapTokenInfo info;
+ AccessTokenKit::GetHapTokenInfo(tokenId, info);
+ if (info.apl == ATokenAplEnum::APL_SYSTEM_CORE || info.apl == ATokenAplEnum::APL_SYSTEM_BASIC) {
+ return true;
+ }
+ pid_t pid = IPCSkeleton::GetCallingPid();
+ pid_t uid = IPCSkeleton::GetCallingUid();
+ ANS_LOGW("apl not match, info.apl=%{public}d, type=%{public}d, pid=%{public}d, uid=%{public}d",
+ static_cast(info.apl), static_cast(type), pid, uid);
+ }
+ return false;
+}
+
 } // namespace Notification
 } // namespace OHOS
\ No newline at end of file
diff --git a/services/ans/src/advanced_notification_service.cpp b/services/ans/src/advanced_notification_service.cpp
index 2ebdcdd1e..1f67cf01f 100644
--- a/services/ans/src/advanced_notification_service.cpp
+++ b/services/ans/src/advanced_notification_service.cpp
@@ -122,8 +122,7 @@ inline bool IsSystemApp()
 if (bundleManager != nullptr) {
 isSystemApp = bundleManager->IsSystemApp(callingUid);
 }
-
- return isSystemApp;
+ return isSystemApp || AccessTokenHelper::IsSystemHap();
 }
 inline int64_t ResetSeconds(int64_t date)
--
Gitee
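Review bot: The result of `AccessTokenKit::GetHapTokenInfo(tokenId, info)` is discarded in `IsSystemHap()`, so when the lookup fails the APL comparison runs on whatever a default-constructed `HapTokenInfo` holds, and that value decides whether the caller is treated as a system app. Fail closed instead: `if (AccessTokenKit::GetHapTokenInfo(tokenId, info) != 0) { return false; }` (use the kit's named success constant if this version defines one). Separately, `pid_t uid = IPCSkeleton::GetCallingUid();` stores a uid in a `pid_t`; declare it with the type `GetCallingUid()` returns. The new function also uses `AccessTokenID`, `AccessTokenKit` and `HapTokenInfo` unqualified where the rest of the file spells out `Security::AccessToken::`; unless a using-declaration exists outside this hunk, qualify them for consistency.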
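Review bot: With `return isSystemApp || AccessTokenHelper::IsSystemHap();`, the token check runs exactly when the bundle manager did not report a system app, and on that path `IsSystemHap()` emits `ANS_LOGW("apl not match, ...")` for every HAP caller with an ordinary APL. Each call from a normal application that reaches `IsSystemApp()` would therefore write a warning with its pid and uid, which buries real denials; consider demoting that message to debug level or logging once at the call site that actually rejects the request. The change also widens the gate for every existing caller of `IsSystemApp()` to any native token, which deserves a comment above the function. Its beginning lies outside this hunk, so I cannot see how `callingUid` is obtained or whether the two identity sources are guaranteed to describe the same caller.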