From fe162c4db6b8a8b44eedcacae8d79d4d25155112 Mon Sep 17 00:00:00 2001
From: Zhao-PengFei35 <zhaopengfei35@huawei.com>
Date: Wed, 4 Jan 2023 17:27:01 +0800
Subject: [PATCH] fixed 16bfc70 from
 https://gitee.com/Zhao-PengFei35/resourceschedule_device_usage_statistics/pulls/298
 add system app check

Signed-off-by: Zhao-PengFei35 <zhaopengfei35@huawei.com>
---
 BUILD.gn                                              |  1 +
 .../js/@ohos.resourceschedule.usageStatistics.d.ts    | 11 +++++++++++
 .../napi/include/bundle_state_inner_errors.h          |  2 ++
 services/common/src/bundle_active_service.cpp         | 11 +++++++++--
 4 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/BUILD.gn b/BUILD.gn
index 39e78d9..5dcf163 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -174,6 +174,7 @@ ohos_shared_library("usagestatservice") {
     "ability_base:want",
     "ability_runtime:app_manager",
     "access_token:libaccesstoken_sdk",
+    "access_token:libtokenid_sdk",
     "bundle_framework:appexecfwk_base",
     "c_utils:utils",
     "common_event_service:cesfwk_innerkits",
diff --git a/interfaces/kits/bundlestats/js/@ohos.resourceschedule.usageStatistics.d.ts b/interfaces/kits/bundlestats/js/@ohos.resourceschedule.usageStatistics.d.ts
index 1349bc6..56d2379 100644
--- a/interfaces/kits/bundlestats/js/@ohos.resourceschedule.usageStatistics.d.ts
+++ b/interfaces/kits/bundlestats/js/@ohos.resourceschedule.usageStatistics.d.ts
@@ -302,6 +302,7 @@ declare namespace usageStatistics {
      * @systemapi Hide this for inner system use.
      * @param bundleName, name of the application.
      * @throws { BusinessError } 201 - Parameter error.
+     * @throws { BusinessError } 202 - Not System App.
      * @throws { BusinessError } 401 - Permission denied.
      * @throws { BusinessError } 801 - Capability not supported.
      * @throws { BusinessError } 10000001 - Memory operation failed.
@@ -337,6 +338,7 @@ declare namespace usageStatistics {
      * @param begin Indicates the start time of the query period, in milliseconds.
      * @param end Indicates the end time of the query period, in milliseconds.
      * @throws { BusinessError } 201 - Parameter error.
+     * @throws { BusinessError } 202 - Not System App.
      * @throws { BusinessError } 401 - Permission denied.
      * @throws { BusinessError } 801 - Capability not supported.
      * @throws { BusinessError } 10000001 - Memory operation failed.
@@ -397,6 +399,7 @@ declare namespace usageStatistics {
      * @param begin Indicates the start time of the query period, in milliseconds.
      * @param end Indicates the end time of the query period, in milliseconds.
      * @throws { BusinessError } 201 - Parameter error.
+     * @throws { BusinessError } 202 - Not System App.
      * @throws { BusinessError } 401 - Permission denied.
      * @throws { BusinessError } 801 - Capability not supported.
      * @throws { BusinessError } 10000001 - Memory operation failed.
@@ -420,6 +423,7 @@ declare namespace usageStatistics {
      * @param begin Indicates the start time of the query period, in milliseconds.
      * @param end Indicates the end time of the query period, in milliseconds.
      * @throws { BusinessError } 201 - Parameter error.
+     * @throws { BusinessError } 202 - Not System App.
      * @throws { BusinessError } 401 - Permission denied.
      * @throws { BusinessError } 801 - Capability not supported.
      * @throws { BusinessError } 10000001 - Memory operation failed.
@@ -463,6 +467,7 @@ declare namespace usageStatistics {
      * @systemapi Hide this for inner system use.
      * @param maxNum Indicates max record number in result, max value is 1000, default value is 1000.
      * @throws { BusinessError } 201 - Parameter error.
+     * @throws { BusinessError } 202 - Not System App.
      * @throws { BusinessError } 401 - Permission denied.
      * @throws { BusinessError } 801 - Capability not supported.
      * @throws { BusinessError } 10000001 - Memory operation failed.
@@ -484,6 +489,7 @@ declare namespace usageStatistics {
      * @permission ohos.permission.BUNDLE_ACTIVE_INFO
      * @systemapi Hide this for inner system use.
      * @throws { BusinessError } 201 - Parameter error.
+     * @throws { BusinessError } 202 - Not System App.
      * @throws { BusinessError } 401 - Permission denied.
      * @throws { BusinessError } 801 - Capability not supported.
      * @throws { BusinessError } 10000001 - Memory operation failed.
@@ -546,6 +552,7 @@ declare namespace usageStatistics {
      * @param bundleName, name of the application.
      * @param newGroup, the group of the application whose name is bundleName.
      * @throws { BusinessError } 201 - Parameter error.
+     * @throws { BusinessError } 202 - Not System App.
      * @throws { BusinessError } 401 - Permission denied.
      * @throws { BusinessError } 801 - Capability not supported.
      * @throws { BusinessError } 10000001 - Memory operation failed.
@@ -567,6 +574,7 @@ declare namespace usageStatistics {
      * @systemapi Hide this for inner system use.
      * @param Callback<AppGroupCallbackInfo>, callback when application group change,return the AppGroupCallbackInfo.
      * @throws { BusinessError } 201 - Parameter error.
+     * @throws { BusinessError } 202 - Not System App.
      * @throws { BusinessError } 401 - Permission denied.
      * @throws { BusinessError } 801 - Capability not supported.
      * @throws { BusinessError } 10000001 - Memory operation failed.
@@ -587,6 +595,7 @@ declare namespace usageStatistics {
      * @permission ohos.permission.BUNDLE_ACTIVE_INFO
      * @systemapi Hide this for inner system use.
      * @throws { BusinessError } 201 - Parameter error.
+     * @throws { BusinessError } 202 - Not System App.
      * @throws { BusinessError } 401 - Permission denied.
      * @throws { BusinessError } 801 - Capability not supported.
      * @throws { BusinessError } 10000001 - Memory operation failed.
@@ -608,6 +617,7 @@ declare namespace usageStatistics {
      * @param begin Indicates the start time of the query period, in milliseconds.
      * @param end Indicates the end time of the query period, in milliseconds.
      * @throws { BusinessError } 201 - Parameter error.
+     * @throws { BusinessError } 202 - Not System App.
      * @throws { BusinessError } 401 - Permission denied.
      * @throws { BusinessError } 801 - Capability not supported.
      * @throws { BusinessError } 10000001 - Memory operation failed.
@@ -631,6 +641,7 @@ declare namespace usageStatistics {
      * @param begin Indicates the start time of the query period, in milliseconds.
      * @param end Indicates the end time of the query period, in milliseconds.
      * @throws { BusinessError } 201 - Parameter error.
+     * @throws { BusinessError } 202 - Not System App.
      * @throws { BusinessError } 401 - Permission denied.
      * @throws { BusinessError } 801 - Capability not supported.
      * @throws { BusinessError } 10000001 - Memory operation failed.
diff --git a/interfaces/kits/bundlestats/napi/include/bundle_state_inner_errors.h b/interfaces/kits/bundlestats/napi/include/bundle_state_inner_errors.h
index a709d3c..293b64f 100644
--- a/interfaces/kits/bundlestats/napi/include/bundle_state_inner_errors.h
+++ b/interfaces/kits/bundlestats/napi/include/bundle_state_inner_errors.h
@@ -56,6 +56,7 @@ enum : int32_t {
 
 enum {
     ERR_PERMISSION_DENIED = 201,
+    ERR_NOT_SYSTEM_APP = 202,
     ERR_PARAM_ERROR = 401,
     ERR_MEMORY_OPERATION_FAILED = 10000001,
     ERR_PARCEL_WRITE_FALIED,
@@ -107,6 +108,7 @@ enum ServiceError {
 
 static std::map<int32_t, std::string> saErrCodeMsgMap = {
     {ERR_PERMISSION_DENIED, "Permission denied."},
+    {ERR_NOT_SYSTEM_APP, "Not system app."},
     {ERR_MEMORY_OPERATION_FAILED, "Memory operation failed. create object failed."},
     {ERR_PARCEL_WRITE_FALIED, "Parcel operation failed. Failed to write the parcel."},
     {ERR_GET_SYSTEM_ABILITY_MANAGER_FAILED, "System service operation failed. Failed to get system ability manager."},
diff --git a/services/common/src/bundle_active_service.cpp b/services/common/src/bundle_active_service.cpp
index 67b08f9..0ce9607 100644
--- a/services/common/src/bundle_active_service.cpp
+++ b/services/common/src/bundle_active_service.cpp
@@ -22,6 +22,8 @@
 #include "bundle_active_event.h"
 #include "bundle_active_package_stats.h"
 #include "bundle_active_account_helper.h"
+#include "tokenid_kit.h"
+
 #include "bundle_active_service.h"
 
 namespace OHOS {
@@ -543,6 +545,11 @@ ErrCode BundleActiveService::CheckBundleIsSystemAppAndHasPermission(const int32_
     std::string bundleName = "";
     sptrBundleMgr_->GetBundleNameForUid(uid, bundleName);
 
+    if (!Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(IPCSkeleton::GetCallingFullTokenID())) {
+        BUNDLE_ACTIVE_LOGE("%{public}s is not system app", bundleName.c_str());
+        return ERR_NOT_SYSTEM_APP;
+    }
+
     int32_t bundleHasPermission = AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, NEEDED_PERMISSION);
     if (bundleHasPermission != 0) {
         BUNDLE_ACTIVE_LOGE("%{public}s hasn't permission", bundleName.c_str());
@@ -567,8 +574,8 @@ ErrCode BundleActiveService::CheckNativePermission(OHOS::Security::AccessToken::
 ErrCode BundleActiveService::CheckSystemAppOrNativePermission(const int32_t uid,
     OHOS::Security::AccessToken::AccessTokenID tokenId)
 {
-    if (CheckBundleIsSystemAppAndHasPermission(uid, tokenId) == ERR_OK) {
-        return ERR_OK;
+    if (AccessToken::AccessTokenKit::GetTokenType(tokenId) == AccessToken::ATokenTypeEnum::TOKEN_HAP) {
+        return CheckBundleIsSystemAppAndHasPermission(uid, tokenId);
     }
     return CheckNativePermission(tokenId);
 }
-- 
Gitee