From da61a59316370456abe368fcf23835ebad5499fb Mon Sep 17 00:00:00 2001
From: wuliushuan <wuliushuan.30044128@huawei.com>
Date: Mon, 24 Feb 2025 15:38:55 +0800
Subject: [PATCH] =?UTF-8?q?=E6=94=AF=E6=8C=81=E5=85=83=E6=9C=8D=E5=8A=A120?=
 =?UTF-8?q?250224?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: wuliushuan <wuliushuan.30044128@huawei.com>
Change-Id: I5d622f2e41c5e2cb3dc9236e80ae47b8b4359321
---
 .../accesstoken/src/hap_info_parcel.cpp       |  2 ++
 .../accesstoken/include/accesstoken_kit.h     |  7 ++++++
 .../accesstoken/include/hap_token_info.h      |  4 ++++
 .../accesstoken/src/accesstoken_kit.cpp       | 22 ++++++++++++++-----
 .../src/accesstoken_manager_proxy.cpp         |  5 +++++
 .../src/service/accesstoken_manager_stub.cpp  |  1 +
 .../src/token/accesstoken_info_manager.cpp    |  9 ++++++++
 .../cpp/src/token/hap_token_info_inner.cpp    |  9 ++++++++
 8 files changed, 53 insertions(+), 6 deletions(-)

diff --git a/frameworks/accesstoken/src/hap_info_parcel.cpp b/frameworks/accesstoken/src/hap_info_parcel.cpp
index bac45bdb6..e96f8d0fc 100644
--- a/frameworks/accesstoken/src/hap_info_parcel.cpp
+++ b/frameworks/accesstoken/src/hap_info_parcel.cpp
@@ -33,6 +33,7 @@ bool HapInfoParcel::Marshalling(Parcel& out) const
     if (this->hapInfoParameter.isRestore) {
         RETURN_IF_FALSE(out.WriteUint32(this->hapInfoParameter.tokenID));
     }
+    RETURN_IF_FALSE(out.WriteBool(this->hapInfoParameter.isMetaService));
     return true;
 }
 
@@ -54,6 +55,7 @@ HapInfoParcel* HapInfoParcel::Unmarshalling(Parcel& in)
     if (hapInfoParcel->hapInfoParameter.isRestore) {
         RELEASE_IF_FALSE(in.ReadUint32(hapInfoParcel->hapInfoParameter.tokenID), hapInfoParcel);
     }
+    RELEASE_IF_FALSE(in.ReadBool(hapInfoParcel->hapInfoParameter.isMetaService), hapInfoParcel);
     return hapInfoParcel;
 }
 } // namespace AccessToken
diff --git a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h
index 32bf54fbf..c78664571 100644
--- a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h
+++ b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h
@@ -502,6 +502,13 @@ public:
      * @return tokenId
      */
     static uint64_t GetRenderTokenID(uint64_t tokenId);
+
+    /**
+     * Whether it is a meta-service
+     * @param tokenId token id.
+     * @return bool
+     */
+    static bool IsMetaServiceByFullTokenID(uint64_t tokenId);
 };
 } // namespace AccessToken
 } // namespace Security
diff --git a/interfaces/innerkits/accesstoken/include/hap_token_info.h b/interfaces/innerkits/accesstoken/include/hap_token_info.h
index 0f090e756..962d9e222 100644
--- a/interfaces/innerkits/accesstoken/include/hap_token_info.h
+++ b/interfaces/innerkits/accesstoken/include/hap_token_info.h
@@ -73,6 +73,8 @@ public:
     std::string appDistributionType;
     bool isRestore = false;
     AccessTokenID tokenID = INVALID_TOKENID;
+    /** Whether hap is a meta-service */
+    bool isMetaService = false;
 };
 
 /**
@@ -87,6 +89,8 @@ public:
     bool isSystemApp;
     /* app type */
     std::string appDistributionType;
+    /** Whether hap is a meta-service */
+    bool isMetaService = false;
 };
 
 /**
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
index a8c1fe99b..fb16748e2 100644
--- a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
+++ b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
@@ -14,6 +14,7 @@
  */
 
 #include "accesstoken_kit.h"
+#include <cinttypes>
 #include <string>
 #include <vector>
 #include "accesstoken_common_log.h"
@@ -34,6 +35,7 @@ namespace Security {
 namespace AccessToken {
 namespace {
 static const uint64_t SYSTEM_APP_MASK = (static_cast<uint64_t>(1) << 32);
+static const uint64_t META_SERVICE_MASK = (static_cast<uint64_t>(1) << 36);
 static const uint64_t TOKEN_ID_LOWMASK = 0xffffffff;
 static const int INVALID_DLP_TOKEN_FLAG = -1;
 static const int FIRSTCALLER_TOKENID_DEFAULT = 0;
@@ -88,8 +90,9 @@ AccessTokenIDEx AccessTokenKit::AllocHapToken(const HapInfoParams& info, const H
 {
     AccessTokenIDEx res = {0};
     LOGI(ATM_DOMAIN, ATM_TAG, "UserID: %{public}d, bundleName :%{public}s, \
-permList: %{public}zu, stateList: %{public}zu, checkIgnore: %{public}d",
-        info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size(), policy.checkIgnore);
+permList: %{public}zu, stateList: %{public}zu, checkIgnore: %{public}d, isMetaService: %{public}d",
+        info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size(), policy.checkIgnore,
+        info.isMetaService);
     if ((!DataValidator::IsUserIdValid(info.userID)) || !DataValidator::IsAppIDDescValid(info.appIDDesc) ||
         !DataValidator::IsBundleNameValid(info.bundleName) || !DataValidator::IsAplNumValid(policy.apl) ||
         !DataValidator::IsDomainValid(policy.domain) || !DataValidator::IsDlpTypeValid(info.dlpType)) {
@@ -112,8 +115,9 @@ int32_t AccessTokenKit::InitHapToken(const HapInfoParams& info, HapPolicyParams&
     AccessTokenIDEx& fullTokenId, HapInfoCheckResult& result)
 {
     LOGI(ATM_DOMAIN, ATM_TAG, "UserID: %{public}d, bundleName :%{public}s, \
-permList: %{public}zu, stateList: %{public}zu, checkIgnore: %{public}d",
-        info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size(), policy.checkIgnore);
+permList: %{public}zu, stateList: %{public}zu, checkIgnore: %{public}d, isMetaService: %{public}d",
+        info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size(), policy.checkIgnore,
+        info.isMetaService);
     if ((!DataValidator::IsUserIdValid(info.userID)) || !DataValidator::IsAppIDDescValid(info.appIDDesc) ||
         !DataValidator::IsBundleNameValid(info.bundleName) || !DataValidator::IsAplNumValid(policy.apl) ||
         !DataValidator::IsDomainValid(policy.domain) || !DataValidator::IsDlpTypeValid(info.dlpType)) {
@@ -150,9 +154,9 @@ int32_t AccessTokenKit::UpdateHapToken(AccessTokenIDEx& tokenIdEx, const UpdateH
     const HapPolicyParams& policy, HapInfoCheckResult& result)
 {
     LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d, isSystemApp: %{public}d, \
-permList: %{public}zu, stateList: %{public}zu, checkIgnore: %{public}d",
+permList: %{public}zu, stateList: %{public}zu, checkIgnore: %{public}d, isMetaService: %{public}d",
         tokenIdEx.tokenIdExStruct.tokenID, info.isSystemApp, policy.permList.size(), policy.permStateList.size(),
-        policy.checkIgnore);
+        policy.checkIgnore, info.isMetaService);
     if ((tokenIdEx.tokenIdExStruct.tokenID == INVALID_TOKENID) || (!DataValidator::IsAppIDDescValid(info.appIDDesc)) ||
         (!DataValidator::IsAplNumValid(policy.apl))) {
         LOGE(ATM_DOMAIN, ATM_TAG, "Input param failed");
@@ -729,6 +733,12 @@ uint64_t AccessTokenKit::GetRenderTokenID(uint64_t tokenId)
     id = *reinterpret_cast<AccessTokenID *>(idInner);
     return static_cast<uint64_t>(id);
 }
+
+bool AccessTokenKit::IsMetaServiceByFullTokenID(uint64_t tokenId)
+{
+    LOGD(ATM_DOMAIN, ATM_TAG, "Called, tokenId=%{public}" PRId64, tokenId);
+    return (tokenId & META_SERVICE_MASK) == META_SERVICE_MASK;
+}
 } // namespace AccessToken
 } // namespace Security
 } // namespace OHOS
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp
index 78b220a7c..832a0af5b 100644
--- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp
+++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp
@@ -1026,6 +1026,11 @@ int32_t AccessTokenManagerProxy::UpdateHapToken(AccessTokenIDEx& tokenIdEx, cons
         return ERR_WRITE_PARCEL_FAILED;
     }
 
+    if (!data.WriteBool(info.isMetaService)) {
+        LOGE(ATM_DOMAIN, ATM_TAG, "Write isMetaService failed.");
+        return ERR_WRITE_PARCEL_FAILED;
+    }
+
     MessageParcel reply;
     if (!SendRequest(AccessTokenInterfaceCode::UPDATE_HAP_TOKEN, data, reply)) {
         return ERR_SERVICE_ABNORMAL;
diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
index f9cd095b5..a678f57cf 100644
--- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
+++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
@@ -605,6 +605,7 @@ void AccessTokenManagerStub::UpdateHapTokenInner(MessageParcel& data, MessagePar
             reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED), "WriteInt32 failed.");
         return;
     }
+    info.isMetaService = data.ReadBool();
     HapInfoCheckResult resultInfo;
     int32_t result = this->UpdateHapToken(tokenIdEx, info, *policyParcel, resultInfo);
     IF_FALSE_RETURN_LOG(ATM_DOMAIN, ATM_TAG, reply.WriteInt32(result), "WriteInt32 failed.");
diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp
index 25621e1ec..a1439c82f 100644
--- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp
+++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp
@@ -57,6 +57,7 @@ namespace AccessToken {
 namespace {
 std::recursive_mutex g_instanceMutex;
 static const unsigned int SYSTEM_APP_FLAG = 0x0001;
+static const unsigned int META_SERVICE_FLAG = 0x0010;
 static constexpr int32_t BASE_USER_RANGE = 200000;
 #ifdef TOKEN_SYNC_ENABLE
 static const int MAX_PTHREAD_NAME_LEN = 15; // pthread name max length
@@ -558,6 +559,9 @@ int AccessTokenInfoManager::AllocAccessTokenIDEx(
     if (info.isSystemApp) {
         tokenIdEx.tokenIdExStruct.tokenAttr |= SYSTEM_APP_FLAG;
     }
+    if (info.isMetaService) {
+        tokenIdEx.tokenIdExStruct.tokenAttr |= META_SERVICE_FLAG;
+    }
     return RET_SUCCESS;
 }
 
@@ -654,6 +658,11 @@ int32_t AccessTokenInfoManager::UpdateHapToken(AccessTokenIDEx& tokenIdEx, const
     } else {
         tokenIdEx.tokenIdExStruct.tokenAttr &= ~SYSTEM_APP_FLAG;
     }
+    if (info.isMetaService) {
+        tokenIdEx.tokenIdExStruct.tokenAttr |= META_SERVICE_FLAG;
+    } else {
+        tokenIdEx.tokenIdExStruct.tokenAttr &= ~META_SERVICE_FLAG;
+    }
     PermissionManager::GetInstance().AddDefPermissions(permList, tokenID, true);
     {
         Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
diff --git a/services/accesstokenmanager/main/cpp/src/token/hap_token_info_inner.cpp b/services/accesstokenmanager/main/cpp/src/token/hap_token_info_inner.cpp
index 70211011a..03bd8ae73 100644
--- a/services/accesstokenmanager/main/cpp/src/token/hap_token_info_inner.cpp
+++ b/services/accesstokenmanager/main/cpp/src/token/hap_token_info_inner.cpp
@@ -37,6 +37,7 @@ namespace AccessToken {
 namespace {
 static const std::string DEFAULT_DEVICEID = "0";
 static const unsigned int SYSTEM_APP_FLAG = 0x0001;
+static const unsigned int META_SERVICE_FLAG = 0x0010;
 }
 
 HapTokenInfoInner::HapTokenInfoInner() : permUpdateTimestamp_(0), isRemote_(false)
@@ -60,6 +61,9 @@ HapTokenInfoInner::HapTokenInfoInner(AccessTokenID id,
     if (info.isSystemApp) {
         tokenInfoBasic_.tokenAttr |= SYSTEM_APP_FLAG;
     }
+    if (info.isMetaService) {
+        tokenInfoBasic_.tokenAttr |= META_SERVICE_FLAG;
+    }
     tokenInfoBasic_.bundleName = info.bundleName;
     tokenInfoBasic_.apiVersion = GetApiVersion(info.apiVersion);
     tokenInfoBasic_.instIndex = info.instIndex;
@@ -97,6 +101,11 @@ void HapTokenInfoInner::Update(const UpdateHapInfoParams& info, const std::vecto
     } else {
         tokenInfoBasic_.tokenAttr &= ~SYSTEM_APP_FLAG;
     }
+    if (info.isMetaService) {
+        tokenInfoBasic_.tokenAttr |= META_SERVICE_FLAG;
+    } else {
+        tokenInfoBasic_.tokenAttr &= ~META_SERVICE_FLAG;
+    }
     Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->policySetLock_);
     PermissionDataBrief::GetInstance().Update(tokenInfoBasic_.tokenID, permStateList);
 }
-- 
Gitee