From 2028a31c91c36d261e7b720993fcb48dd0e0ae82 Mon Sep 17 00:00:00 2001
From: wuliushuan
Date: Tue, 11 Feb 2025 16:28:25 +0800
Subject: [PATCH] =?UTF-8?q?=E6=94=AF=E6=8C=81=E6=8C=87=E5=AE=9Aacl?= =?UTF-8?q?=E5=A4=B1=E8=B4=A5=E6=A3=80=E6=9F=A520250211?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: wuliushuan
Change-Id: Ibcd9b226a8824146d2dfd37512c0a4378641ede9
---
 .../accesstoken/src/hap_policy_parcel.cpp | 5 +++
 .../accesstoken/include/access_token.h | 11 +++++++
 .../accesstoken/include/hap_token_info.h | 2 ++
 .../accesstoken/src/accesstoken_kit.cpp | 14 +++++----
 .../HapTokenTest/init_hap_token_test.cpp | 31 +++++++++++++++++++
 .../cpp/src/permission/permission_manager.cpp | 5 +++
 6 files changed, 62 insertions(+), 6 deletions(-)
diff --git a/frameworks/accesstoken/src/hap_policy_parcel.cpp b/frameworks/accesstoken/src/hap_policy_parcel.cpp
index 09e785e4f..2f97c490c 100644
--- a/frameworks/accesstoken/src/hap_policy_parcel.cpp
+++ b/frameworks/accesstoken/src/hap_policy_parcel.cpp
@@ -66,6 +66,8 @@ bool HapPolicyParcel::Marshalling(Parcel& out) const
 RETURN_IF_FALSE(out.WriteString(info[i].permissionName));
 RETURN_IF_FALSE(out.WriteBool(info[i].userCancelable));
 }
+
+ RETURN_IF_FALSE(out.WriteInt32(this->hapPolicy.checkIgnore));
 return true;
 }
@@ -117,6 +119,9 @@ HapPolicyParcel* HapPolicyParcel::Unmarshalling(Parcel& in)
 RELEASE_IF_FALSE(in.ReadBool(info.userCancelable), hapPolicyParcel);
 hapPolicyParcel->hapPolicy.preAuthorizationInfo.emplace_back(info);
 }
+ int32_t checkIgnore;
+ RELEASE_IF_FALSE(in.ReadInt32(checkIgnore), hapPolicyParcel);
+ hapPolicyParcel->hapPolicy.checkIgnore = HapPolicyCheckIgnore(checkIgnore);
 return hapPolicyParcel;
 }
 } // namespace AccessToken
diff --git a/interfaces/innerkits/accesstoken/include/access_token.h b/interfaces/innerkits/accesstoken/include/access_token.h
index 1eee23e8c..a398581ce 100644
--- a/interfaces/innerkits/accesstoken/include/access_token.h
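Review bot: In the Unmarshalling hunk the integer read from the parcel is cast straight to the enum, `HapPolicyCheckIgnore(checkIgnore)`, with no range check, so whatever int32 the sender wrote ends up in `hapPolicy.checkIgnore`. Since this field later decides whether the ACL check is skipped, unknown values should be rejected at the boundary, for example `RELEASE_IF_FALSE(checkIgnore == NONE || checkIgnore == ACL_IGNORE_CHECK, hapPolicyParcel);`, and the local should be initialised (`int32_t checkIgnore = 0;`). The Marshalling hunk appends the field at the end of the parcel, so a peer built without this change would presumably fail the ReadInt32 here; it is worth confirming that both sides always ship together. Both function bodies start outside their hunks.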
+++ b/interfaces/innerkits/accesstoken/include/access_token.h
@@ -333,6 +333,17 @@ typedef enum RegisterPermissionChangeType {
 /** app register permissions state change info of itself */
 SELF_REGISTER_TYPE = 1,
 } RegisterPermChangeType;
+
+/**
+ * @brief Whether acl check
+ */
+typedef enum HapPolicyCheckIgnoreType {
+ /** normal */
+ NONE = 0,
+ /** ignore acl check */
+ ACL_IGNORE_CHECK,
+} HapPolicyCheckIgnore;
+
 } // namespace AccessToken
 } // namespace Security
 } // namespace OHOS
diff --git a/interfaces/innerkits/accesstoken/include/hap_token_info.h b/interfaces/innerkits/accesstoken/include/hap_token_info.h
index b8b79d432..0f090e756 100644
--- a/interfaces/innerkits/accesstoken/include/hap_token_info.h
+++ b/interfaces/innerkits/accesstoken/include/hap_token_info.h
@@ -165,6 +165,7 @@ public:
 std::vector permStateList;
 std::vector aclRequestedList;
 std::vector preAuthorizationInfo;
+ HapPolicyCheckIgnore checkIgnore = HapPolicyCheckIgnore::NONE;
 };
 /**
@@ -199,6 +200,7 @@ public:
 std::vector permStateList;
 std::vector aclRequestedList;
 std::vector preAuthorizationInfo;
+ HapPolicyCheckIgnore checkIgnore = HapPolicyCheckIgnore::NONE;
 };
 } // namespace AccessToken
 } // namespace Security
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
index c740150ab..a8c1fe99b 100644
--- a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
+++ b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
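Review bot: The enumerator `NONE` in the access_token.h hunk is declared by a plain `typedef enum`, so it lands unscoped in the AccessToken namespace of a public header, where a name that generic can clash with other enumerators or macros; a prefixed spelling would avoid that. The doc comment `@brief Whether acl check` does not say what is skipped. Going by the service-side change in this commit, a comment on ACL_IGNORE_CHECK such as `/** IsAclSatisfied() returns true without comparing apl to availableLevel */` would tell integrators what they are switching off. The two hap_token_info.h hunks add `checkIgnore` to both policy structs with no comment at all, and a field that relaxes a permission check should carry one stating who is expected to set it.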
@@ -81,14 +81,15 @@ static void TransferHapPolicyParams(const HapPolicyParams& policyIn, HapPolicy&
 tmp.grantFlag = perm.grantFlags[0];
 policyOut.permStateList.emplace_back(tmp);
 }
+ policyOut.checkIgnore = policyIn.checkIgnore;
 }
 AccessTokenIDEx AccessTokenKit::AllocHapToken(const HapInfoParams& info, const HapPolicyParams& policy)
 {
 AccessTokenIDEx res = {0};
 LOGI(ATM_DOMAIN, ATM_TAG, "UserID: %{public}d, bundleName :%{public}s, \
-permList: %{public}zu, stateList: %{public}zu",
- info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size());
+permList: %{public}zu, stateList: %{public}zu, checkIgnore: %{public}d",
+ info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size(), policy.checkIgnore);
 if ((!DataValidator::IsUserIdValid(info.userID)) || !DataValidator::IsAppIDDescValid(info.appIDDesc) || !DataValidator::IsBundleNameValid(info.bundleName) || !DataValidator::IsAplNumValid(policy.apl) || !DataValidator::IsDomainValid(policy.domain) || !DataValidator::IsDlpTypeValid(info.dlpType)) {
@@ -111,8 +112,8 @@ int32_t AccessTokenKit::InitHapToken(const HapInfoParams& info, HapPolicyParams&
 AccessTokenIDEx& fullTokenId, HapInfoCheckResult& result)
 {
 LOGI(ATM_DOMAIN, ATM_TAG, "UserID: %{public}d, bundleName :%{public}s, \
-permList: %{public}zu, stateList: %{public}zu",
- info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size());
+permList: %{public}zu, stateList: %{public}zu, checkIgnore: %{public}d",
+ info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size(), policy.checkIgnore);
 if ((!DataValidator::IsUserIdValid(info.userID)) || !DataValidator::IsAppIDDescValid(info.appIDDesc) || !DataValidator::IsBundleNameValid(info.bundleName) || !DataValidator::IsAplNumValid(policy.apl) || !DataValidator::IsDomainValid(policy.domain) || !DataValidator::IsDlpTypeValid(info.dlpType)) {
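Review bot: The parameter checks that follow the AllocHapToken log call validate userID, bundleName, apl and the other inputs but not the new `policy.checkIgnore`, so an out-of-range value is forwarded as is; whether the service rejects it is not visible here. The same gap is in the InitHapToken hunk and in the UpdateHapToken hunk. In all three log lines the enum is passed bare to `%{public}d`; `static_cast<int32_t>(policy.checkIgnore)` keeps the variadic argument type fixed regardless of the enum's underlying type. The function bodies continue outside their hunks.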
@@ -149,8 +150,9 @@ int32_t AccessTokenKit::UpdateHapToken(AccessTokenIDEx& tokenIdEx, const UpdateH
 const HapPolicyParams& policy, HapInfoCheckResult& result)
 {
 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d, isSystemApp: %{public}d, \
-permList: %{public}zu, stateList: %{public}zu",
- tokenIdEx.tokenIdExStruct.tokenID, info.isSystemApp, policy.permList.size(), policy.permStateList.size());
+permList: %{public}zu, stateList: %{public}zu, checkIgnore: %{public}d",
+ tokenIdEx.tokenIdExStruct.tokenID, info.isSystemApp, policy.permList.size(), policy.permStateList.size(),
+ policy.checkIgnore);
 if ((tokenIdEx.tokenIdExStruct.tokenID == INVALID_TOKENID) || (!DataValidator::IsAppIDDescValid(info.appIDDesc)) || (!DataValidator::IsAplNumValid(policy.apl))) {
 LOGE(ATM_DOMAIN, ATM_TAG, "Input param failed");
diff --git a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp
index 2a1e8be05..911a6ada6 100644
--- a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp
+++ b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp
@@ -346,6 +346,37 @@ HWTEST_F(InitHapTokenTest, InitHapTokenFuncTest006, TestSize.Level1)
 ASSERT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID));
 }
+/**
+ * @tc.name: InitHapTokenFuncTest007
+ * @tc.desc: Install normal app ignore acl check.
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(InitHapTokenTest, InitHapTokenFuncTest007, TestSize.Level1)
+{
+ LOGI(ATM_DOMAIN, ATM_TAG, "InitHapTokenFuncTest007");
+
+ HapInfoParams infoParams;
+ HapPolicyParams policyParams;
+ TestCommon::GetHapParams(infoParams, policyParams);
+ PermissionStateFull permStatDump = {
+ .permissionName = "ohos.permission.DUMP",
+ .isGeneral = true,
+ .resDeviceID = {"device3"},
+ .grantStatus = {PermissionState::PERMISSION_DENIED},
+ .grantFlags = {PermissionFlag::PERMISSION_SYSTEM_FIXED}
+ };
+ policyParams.permStateList.emplace_back(permStatDump);
+ AccessTokenIDEx fullTokenId;
+ int32_t ret = AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId);
+ ASSERT_EQ(ERR_PERM_REQUEST_CFG_FAILED, ret);
+ policyParams.checkIgnore = HapPolicyCheckIgnore::ACL_IGNORE_CHECK;
+ ret = AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId);
+ ASSERT_EQ(RET_SUCCESS, ret);
+ AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID;
+ ASSERT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID));
+}
+
 /**
 * @tc.name: InitHapTokenSpecsTest001
 * @tc.desc: Test the high-level permission authorized by acl.
diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp
index 3f662cbd9..fc14805df 100644
--- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp
+++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp
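Review bot: InitHapTokenFuncTest007 asserts only the two return codes, so it would still pass if ACL_IGNORE_CHECK changed more than the ACL decision. After the second InitHapToken call the test should also assert the resulting state of `ohos.permission.DUMP` on the new token, with whichever value the design intends. A further case should set `checkIgnore` to a value outside the enum and expect the same `ERR_PERM_REQUEST_CFG_FAILED` as the default path. The `@tc.require:` tag in the header comment is left empty.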
@@ -838,6 +838,11 @@ void PermissionManager::SetPermToKernel(
 bool IsAclSatisfied(const PermissionDef& permDef, const HapPolicy& policy)
 {
+ if (policy.checkIgnore == HapPolicyCheckIgnore::ACL_IGNORE_CHECK) {
+ LOGI(ATM_DOMAIN, ATM_TAG, "%{public}s ignore acl check.", permDef.permissionName.c_str());
+ return true;
+ }
+
 if (policy.apl < permDef.availableLevel) {
 if (!permDef.provisionEnable) {
 LOGE(ATM_DOMAIN, ATM_TAG, "%{public}s provisionEnable is false.", permDef.permissionName.c_str());
-- Gitee
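Review bot: The early `return true` in IsAclSatisfied fires for any policy whose `checkIgnore` equals ACL_IGNORE_CHECK, ahead of the `policy.apl < permDef.availableLevel` and `provisionEnable` checks, and that field is filled in by the caller and carried across IPC by HapPolicyParcel. Nothing in this hunk ties the flag to the identity of the requester, so unless the service entry points already restrict who may send it (not visible here), the ACL requirement becomes opt-out for every client allowed to create or update a hap token. The flag should be checked where the request enters the service and reset to `HapPolicyCheckIgnore::NONE` for callers that are not entitled to it. The bypass should also be recorded together with the bundle or token identity at a log level that is retained, because the `LOGI` line with only the permission name is hard to audit. The function body continues past the end of the hunk.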