diff --git a/services/ans/include/access_token_helper.h b/services/ans/include/access_token_helper.h index 11de4e9da6620989fa45ea11321fb9da7b3c5081..965ca236a41f5cfd8835f40908d8086eebb8a605 100644 --- a/services/ans/include/access_token_helper.h +++ b/services/ans/include/access_token_helper.h @@ -34,6 +34,7 @@ public: static bool VerifyCallerPermission( const Security::AccessToken::AccessTokenID &tokenCaller, const std::string &permission); static bool VerifyNativeToken(const Security::AccessToken::AccessTokenID &callerToken); + static bool IsSystemHap(); }; } // namespace Notification } // namespace OHOS diff --git a/services/ans/src/access_token_helper.cpp b/services/ans/src/access_token_helper.cpp index b49617be6ad571b0c72cdd76099d51e8121767e2..eb387d0e7c9225a97048f105570fe0bf7ce95474 100644 --- a/services/ans/src/access_token_helper.cpp +++ b/services/ans/src/access_token_helper.cpp 
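Review bot: The new declaration `static bool IsSystemHap();` in access_token_helper.h has no comment, and unlike the two siblings above it takes no token argument. Per the implementation added in access_token_helper.cpp, it reads the caller from `IPCSkeleton::GetCallingTokenID()`, so the answer is only meaningful while the incoming IPC request is being handled. If it were called from a deferred task, the calling identity would presumably no longer be the remote caller's. I would add a doc comment such as `// Checks the current IPC caller: true for native tokens and for HAPs whose APL is system_basic or system_core. Call only while handling the IPC request.` The class body begins outside this hunk.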
@@ -15,20 +15,46 @@ #include "access_token_helper.h" +#include "ans_log_wrapper.h" +#include "ipc_skeleton.h" + +using namespace OHOS::Security::AccessToken; + namespace OHOS { namespace Notification { bool AccessTokenHelper::VerifyCallerPermission( - const Security::AccessToken::AccessTokenID &tokenCaller, const std::string &permission) + const AccessTokenID &tokenCaller, const std::string &permission) +{ + int result = AccessTokenKit::VerifyAccessToken(tokenCaller, permission); + return (result == PERMISSION_GRANTED); +} + +bool AccessTokenHelper::VerifyNativeToken(const AccessTokenID &callerToken) { - int result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenCaller, permission); - return (result == Security::AccessToken::PERMISSION_GRANTED); + ATokenTypeEnum tokenType = + AccessTokenKit::GetTokenTypeFlag(callerToken); + return tokenType == ATokenTypeEnum::TOKEN_NATIVE; } -bool AccessTokenHelper::VerifyNativeToken(const Security::AccessToken::AccessTokenID &callerToken) +bool AccessTokenHelper::IsSystemHap() { - Security::AccessToken::ATokenTypeEnum tokenType = - Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken); - return tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE; + AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID(); + ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId); + if (type == ATokenTypeEnum::TOKEN_NATIVE) { + return true; + } + if (type == ATokenTypeEnum::TOKEN_HAP) { + HapTokenInfo info; + AccessTokenKit::GetHapTokenInfo(tokenId, info); + if (info.apl == ATokenAplEnum::APL_SYSTEM_CORE || info.apl == ATokenAplEnum::APL_SYSTEM_BASIC) { + return true; + } + pid_t pid = IPCSkeleton::GetCallingPid(); + pid_t uid = IPCSkeleton::GetCallingUid(); + ANS_LOGW("apl not match, info.apl=%{public}d, type=%{public}d, pid=%{public}d, uid=%{public}d", + info.apl, type, pid, uid); + } + return false; } } // namespace Notification } // namespace OHOS \ No newline at end of file 
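Review bot: In `IsSystemHap()`, the result of `AccessTokenKit::GetHapTokenInfo(tokenId, info)` is discarded, so when the lookup fails the APL comparison on the next line runs on whatever `info.apl` happens to hold. `HapTokenInfo` is declared outside this diff, so whether `apl` has a safe default cannot be confirmed from here, and an authorization check should fail closed rather than depend on it. I would guard the call, e.g. `if (AccessTokenKit::GetHapTokenInfo(tokenId, info) != RET_SUCCESS) { return false; }` (assuming the kit reports success as `RET_SUCCESS`), and log the failure. Separately, the function returns true for `TOKEN_NATIVE` although its name says HAP; a comment such as `// native (non-HAP) callers are treated as system callers` would make that deliberate.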
diff --git a/services/ans/src/advanced_notification_service.cpp b/services/ans/src/advanced_notification_service.cpp index 3d82e40b62e42aee9417affda41ba25b7bf7a3cd..817b4052c573c97716728054ef8fd6e6321026d4 100644 --- a/services/ans/src/advanced_notification_service.cpp +++ b/services/ans/src/advanced_notification_service.cpp @@ -124,7 +124,7 @@ inline bool IsSystemApp() isSystemApp = bundleManager->IsSystemApp(callingUid); } - return isSystemApp; + return isSystemApp || AccessTokenHelper::IsSystemHap(); } inline int64_t ResetSeconds(int64_t date) diff --git a/services/ans/test/unittest/mock/mock_access_token_helper.cpp b/services/ans/test/unittest/mock/mock_access_token_helper.cpp index 0f3cba40f0988a31a08c6696fa5b944a7fb47d92..d72c3f6314644bc242610f557ac6ba3f0a22da86 100644 --- a/services/ans/test/unittest/mock/mock_access_token_helper.cpp +++ b/services/ans/test/unittest/mock/mock_access_token_helper.cpp @@ -28,5 +28,10 @@ bool AccessTokenHelper::VerifyNativeToken(const Security::AccessToken::AccessTok { return callerToken == NATIVE_TOKEN; } + +bool IsSystemHap() +{ + return true; +} } // namespace Notification } // namespace OHOS \ No newline at end of file diff --git a/services/test/moduletest/mock/mock_access_token_helper.cpp b/services/test/moduletest/mock/mock_access_token_helper.cpp index 51c2f039e007568d3be76eafd903af52e6383d50..d881c3551b180892b26b53d1f0b53269fec11f9a 100644 --- a/services/test/moduletest/mock/mock_access_token_helper.cpp +++ b/services/test/moduletest/mock/mock_access_token_helper.cpp @@ -27,5 +27,10 @@ bool AccessTokenHelper::VerifyNativeToken(const Security::AccessToken::AccessTok { return true; } + +bool IsSystemHap() +{ + return true; +} } // namespace Notification } // namespace OHOS \ No newline at end of file
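Review bot: The added `|| AccessTokenHelper::IsSystemHap()` in `IsSystemApp()` widens every gate that relies on this function. A caller the bundle manager does not report as a system app now passes if its token is native or its HAP APL is system_basic or system_core. APL is a privilege level on the token and is not necessarily the same as system-app status, so it is worth confirming that each call site of `IsSystemApp()` is meant to accept those callers. The commit gives no rationale at this line; a comment on the return such as `// fall back to the access-token APL when the bundle manager does not report a system app` would record the intent. The start of `IsSystemApp()` is outside this hunk.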
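Review bot: In services/ans/test/unittest/mock/mock_access_token_helper.cpp the new mock is defined as a free function `bool IsSystemHap()` inside namespace `Notification`, not as the static member declared in access_token_helper.h, so it does not provide `AccessTokenHelper::IsSystemHap()`. Depending on what the test targets link, that leaves either an unresolved symbol or the real implementation running under test. The definition should read `bool AccessTokenHelper::IsSystemHap()`, and the same applies to services/test/moduletest/mock/mock_access_token_helper.cpp. Both mocks also return `true` unconditionally, so no test can exercise the path where `IsSystemApp()` denies the caller.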