diff --git a/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp b/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp
index 931a291e2c2c200de9527ed63f0eb35a625d02d2..4982a1bf385d41f31c133acc24035efe30407ca3 100644
--- a/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp
+++ b/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp
@@ -2615,6 +2615,10 @@ HWTEST_F(PrivacyKitTest, IsAllowedUsingPermission013, TestSize.Level1)
 AccessTokenID tokenId = tokenIdEx.tokenIdExStruct.tokenID;
 ASSERT_NE(0, tokenId); // hap MICROPHONE_BACKGROUND permission
 ASSERT_EQ(true, PrivacyKit::IsAllowedUsingPermission(tokenId, permissionName)); // background hap
+ info.isSystemApp = true;
+ info.bundleName = "ohos.privacy_test.microphone.sys_app";
+ tokenIdEx = AccessTokenKit::AllocHapToken(info, policy);
+ AccessTokenID sysApptokenId = tokenIdEx.tokenIdExStruct.tokenID;
 uint32_t selfUid = getuid();
 setuid(ACCESS_TOKEN_UID);
@@ -2623,8 +2627,8 @@ HWTEST_F(PrivacyKitTest, IsAllowedUsingPermission013, TestSize.Level1)
 uint32_t opCode2 = -1;
 ASSERT_EQ(true, TransferPermissionToOpcode("ohos.permission.SET_FOREGROUND_HAP_REMINDER", opCode1));
 ASSERT_EQ(true, TransferPermissionToOpcode("ohos.permission.PERMISSION_USED_STATS", opCode2));
- ASSERT_EQ(0, AddPermissionToKernel(RANDOM_TOKENID, {opCode1, opCode2}, {1, 1}));
- EXPECT_EQ(0, SetSelfTokenID(RANDOM_TOKENID));
+ ASSERT_EQ(0, AddPermissionToKernel(sysApptokenId, {opCode1, opCode2}, {1, 1}));
+ EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx));
 GTEST_LOG_(INFO) << "permissionSet OK ";
 // callkit set hap to foreground with MICROPHONE_BACKGROUND
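Review bot: The second `AllocHapToken` call in IsAllowedUsingPermission013 is not checked before `sysApptokenId` is used, while the first token a few lines above is guarded with `ASSERT_NE(0, tokenId)`. If allocating the system-app token fails, the following hunk's `AddPermissionToKernel(sysApptokenId, ...)` and `SetSelfTokenID(tokenIdEx.tokenIDEx)` run against an invalid id and the test fails later with a misleading message. Add `ASSERT_NE(0, sysApptokenId);` directly after the assignment. The test body starts and ends outside this hunk.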
@@ -2637,8 +2641,9 @@ HWTEST_F(PrivacyKitTest, IsAllowedUsingPermission013, TestSize.Level1)
 EXPECT_EQ(0, PrivacyKit::SetHapWithFGReminder(tokenId, false));
 EXPECT_EQ(0, PrivacyKit::SetHapWithFGReminder(g_tokenIdE, false));
- ASSERT_EQ(0, RemovePermissionFromKernel(RANDOM_TOKENID));
+ ASSERT_EQ(0, RemovePermissionFromKernel(sysApptokenId));
 setuid(selfUid);
+ ASSERT_EQ(0, AccessTokenKit::DeleteToken(sysApptokenId));
 }
 /**
@@ -2651,8 +2656,11 @@ HWTEST_F(PrivacyKitTest, SetHapWithFGReminder01, TestSize.Level1)
 {
 uint32_t opCode1;
 uint32_t opCode2;
- uint32_t tokenTest = 111; /// 111 is a tokenId
 uint32_t selfUid = getuid();
+ setuid(0);
+ g_infoParmsA.isSystemApp = true;
+ AccessTokenIDEx tokenIdEx = AccessTokenKit::AllocHapToken(g_infoParmsA, g_policyPramsA);
+ uint32_t tokenTest = tokenIdEx.tokenIdExStruct.tokenID;
 setuid(ACCESS_TOKEN_UID);
 EXPECT_EQ(true, TransferPermissionToOpcode("ohos.permission.SET_FOREGROUND_HAP_REMINDER", opCode1));
@@ -2661,7 +2669,7 @@ HWTEST_F(PrivacyKitTest, SetHapWithFGReminder01, TestSize.Level1)
 ASSERT_EQ(res, 0);
 GTEST_LOG_(INFO) << "permissionSet OK ";
- EXPECT_EQ(0, SetSelfTokenID(tokenTest));
+ EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx));
 std::string permissionName = "ohos.permission.MICROPHONE";
 ASSERT_EQ(false, PrivacyKit::IsAllowedUsingPermission(g_tokenIdE, permissionName));
 int32_t ret = PrivacyKit::SetHapWithFGReminder(g_tokenIdE, true);
@@ -2670,8 +2678,10 @@ HWTEST_F(PrivacyKitTest, SetHapWithFGReminder01, TestSize.Level1)
 ret = PrivacyKit::SetHapWithFGReminder(g_tokenIdE, false);
 ASSERT_EQ(ret, 0);
- res = RemovePermissionFromKernel(tokenTest);
+ res = RemovePermissionFromKernel(tokenIdEx.tokenIDEx);
 ASSERT_EQ(res, 0);
+ setuid(0);
+ ASSERT_EQ(0, AccessTokenKit::DeleteToken(tokenTest));
 setuid(selfUid);
 }
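Review bot: In the teardown of IsAllowedUsingPermission013 the new `DeleteToken(sysApptokenId)` sits behind a fatal `ASSERT_EQ` on `RemovePermissionFromKernel`, so a failure there skips both `setuid(selfUid)` and the token deletion. The process would then keep running as ACCESS_TOKEN_UID and the system-app HAP token would stay registered for the tests that follow. Non-fatal checks keep the cleanup running: `EXPECT_EQ(0, RemovePermissionFromKernel(sysApptokenId));` and `EXPECT_EQ(0, AccessTokenKit::DeleteToken(sysApptokenId));`. The visible lines also do not restore the self token ID after it was switched to the system-app token; if the fixture does that elsewhere, a short comment saying so would help.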
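Review bot: `g_infoParmsA.isSystemApp = true;` in SetHapWithFGReminder01 modifies what the `g_` prefix suggests is a shared fixture object, and nothing in the visible hunks sets it back. Any later test that allocates a token from `g_infoParmsA` would then silently get a system-app token and pass the new service-side gate for the wrong reason. Work on a local copy instead: `auto sysAppInfo = g_infoParmsA;`, `sysAppInfo.isSystemApp = true;`, and pass `sysAppInfo` to `AllocHapToken`. The allocation result is also unchecked; `ASSERT_NE(0, tokenTest);` after the assignment would match the check used on `tokenId` in IsAllowedUsingPermission013. The test body continues outside the hunk.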
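Review bot: `RemovePermissionFromKernel(tokenIdEx.tokenIDEx)` at the end of SetHapWithFGReminder01 passes what looks like the extended id, whereas IsAllowedUsingPermission013 in this same commit passes the plain token id (`sysApptokenId`) to the same function, and the line being replaced used `tokenTest`. If the parameter is the 32-bit token id, this call only works through an implicit narrowing conversion, and it is not obvious that it removes the entry added earlier in the test (that call is outside the hunk). `res = RemovePermissionFromKernel(tokenTest);` keeps add and remove on the same value and matches the other test.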
diff --git a/services/privacymanager/src/service/privacy_manager_stub.cpp b/services/privacymanager/src/service/privacy_manager_stub.cpp
index 170b8a90e5876e1561ea0c92fd3cd1b527d77849..55e576824b4583e3679ba43da8396b0df2d53a5c 100644
--- a/services/privacymanager/src/service/privacy_manager_stub.cpp
+++ b/services/privacymanager/src/service/privacy_manager_stub.cpp
@@ -211,6 +211,12 @@ void PrivacyManagerStub::StartUsingPermissionInner(MessageParcel& data, MessageP
 void PrivacyManagerStub::StartUsingPermissionCallbackInner(MessageParcel& data, MessageParcel& reply)
 {
+ uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
+ if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
+ reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
+ return;
+ }
+
 if (!VerifyPermission(PERMISSION_USED_STATS)) {
 reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
 return;
@@ -254,6 +260,12 @@ void PrivacyManagerStub::StopUsingPermissionInner(MessageParcel& data, MessagePa
 void PrivacyManagerStub::RemovePermissionUsedRecordsInner(MessageParcel& data, MessageParcel& reply)
 {
+ uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
+ if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
+ reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
+ return;
+ }
+
 if (!IsAccessTokenCalling() && !VerifyPermission(PERMISSION_USED_STATS)) {
 reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
 return;
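Review bot: The five-line caller gate added at the top of StartUsingPermissionCallbackInner is repeated verbatim in RemovePermissionUsedRecordsInner and GetPermissionUsedRecordsAsyncInner, and again with a different reply in IsAllowedUsingPermissionInner. Copy-pasted authorization checks tend to drift apart; one private helper that reports whether the caller is a HAP token without the system-app flag would keep the rule in one place, so each handler shrinks to `if (IsNonSystemHapCalling()) { reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP); return; }` (the helper name is only a suggestion). A one-line comment above the gate, for example `// HAP callers must be system apps; non-HAP token types fall through to the permission check`, would also record that non-HAP callers are deliberately exempt from this check. Each handler body continues outside its hunk.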
@@ -292,6 +304,12 @@ void PrivacyManagerStub::GetPermissionUsedRecordsInner(MessageParcel& data, Mess
 void PrivacyManagerStub::GetPermissionUsedRecordsAsyncInner(MessageParcel& data, MessageParcel& reply)
 {
+ uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
+ if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
+ reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
+ return;
+ }
+
 if (!VerifyPermission(PERMISSION_USED_STATS)) {
 reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
 return;
@@ -364,6 +382,13 @@ void PrivacyManagerStub::UnRegisterPermActiveStatusCallbackInner(MessageParcel&
 void PrivacyManagerStub::IsAllowedUsingPermissionInner(MessageParcel& data, MessageParcel& reply)
 {
+ uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
+ if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
+ LOGE(PRI_DOMAIN, PRI_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
+ reply.WriteBool(false);
+ return;
+ }
+
 if (!VerifyPermission(PERMISSION_USED_STATS)) {
 reply.WriteBool(false);
 return;
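Review bot: GetPermissionUsedRecordsAsyncInner gets the system-app gate, but the synchronous GetPermissionUsedRecordsInner appears only as hunk-header context and is not touched by this commit. If it does not already carry the same check, a non-system HAP that holds PERMISSION_USED_STATS can still read the same records through the synchronous call, which would make the gate on the async path ineffective. The same question applies to StartUsingPermissionInner next to StartUsingPermissionCallbackInner. Please confirm those handlers are gated, or state in the commit message why they are intentionally left open.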
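Review bot: The `LOGE` added in IsAllowedUsingPermissionInner formats `callingTokenID`, a `uint32_t`, with `%{public}d`, so ids above INT32_MAX print as negative numbers and cannot be matched against other logs; use `%{public}u`. The text "Permission denied" is also the natural wording for the `VerifyPermission` failure just below, so the two rejections cannot be told apart in a log; `LOGE(PRI_DOMAIN, PRI_TAG, "Caller is not a system app(tokenID=%{public}u)", callingTokenID);` would separate them. The other three gated handlers return ERR_NOT_SYSTEM_APP without logging at all, and adding the same log line there gives operators a consistent trace of rejected callers. The handler body continues outside the hunk.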