diff --git a/frameworks/privacy/include/i_privacy_manager.h b/frameworks/privacy/include/i_privacy_manager.h
index 6c8cf6a2af1d260f00c8834d0e497fe8fa670056..205d10acf3a9d3d641011592417344cb40a96989 100644
--- a/frameworks/privacy/include/i_privacy_manager.h
+++ b/frameworks/privacy/include/i_privacy_manager.h
@@ -43,23 +43,25 @@ public: DECLARE_INTERFACE_DESCRIPTOR(u"ohos.security.accesstoken.IPrivacyManager"); - virtual int32_t AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel, bool asyncMode = false) = 0; + virtual int32_t AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel) = 0; + virtual int32_t AddPermissionUsedRecordAsync(const AddPermParamInfoParcel& infoParcel) = 0; virtual int32_t SetPermissionUsedRecordToggleStatus(int32_t userID, bool status) = 0; virtual int32_t GetPermissionUsedRecordToggleStatus(int32_t userID, bool& status) = 0; virtual int32_t StartUsingPermission(const PermissionUsedTypeInfoParcel &infoParcel, const sptr& anonyStub) = 0; - virtual int32_t StartUsingPermission(const PermissionUsedTypeInfoParcel &infoParcel, + virtual int32_t StartUsingPermissionCallback(const PermissionUsedTypeInfoParcel &infoParcel, const sptr& callback, const sptr& anonyStub) = 0; virtual int32_t StopUsingPermission(AccessTokenID tokenID, int32_t pid, const std::string& permissionName) = 0; virtual int32_t RemovePermissionUsedRecords(AccessTokenID tokenID) = 0; virtual int32_t GetPermissionUsedRecords( - const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& result) = 0; - virtual int32_t GetPermissionUsedRecords( + const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& resultParcel) = 0; + virtual int32_t GetPermissionUsedRecordsAsync( const PermissionUsedRequestParcel& request, const sptr& callback) = 0; virtual int32_t RegisterPermActiveStatusCallback( - std::vector& permList, const sptr& callback) = 0; + const std::vector& permList, const sptr& callback) = 0; virtual int32_t UnRegisterPermActiveStatusCallback(const sptr& callback) = 0; - virtual bool IsAllowedUsingPermission(AccessTokenID tokenID, const std::string& permissionName, int32_t pid) = 0; + virtual int32_t IsAllowedUsingPermission( + AccessTokenID tokenID, const std::string& permissionName, int32_t pid, bool& isAllowed) = 0; virtual int32_t 
SetMutePolicy(uint32_t policyType, uint32_t callerType, bool isMute, AccessTokenID tokenID) = 0; virtual int32_t SetHapWithFGReminder(uint32_t tokenId, bool isAllowed) = 0; #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE diff --git a/frameworks/privacy/include/privacy_service_ipc_interface_code.h b/frameworks/privacy/include/privacy_service_ipc_interface_code.h index db02228f2c991d1d1230a6700e5aaa9ed13c8898..f21e72c0ac37c77d7b59e14714362043e24922b8 100644 --- a/frameworks/privacy/include/privacy_service_ipc_interface_code.h +++ b/frameworks/privacy/include/privacy_service_ipc_interface_code.h 
@@ -21,27 +21,28 @@ namespace Security {
namespace AccessToken {
/* SAID:3505 */
enum class PrivacyInterfaceCode {
- ADD_PERMISSION_USED_RECORD = 0x0000,
- START_USING_PERMISSION,
- START_USING_PERMISSION_CALLBACK,
- STOP_USING_PERMISSION,
- DELETE_PERMISSION_USED_RECORDS,
- GET_PERMISSION_USED_RECORDS,
- GET_PERMISSION_USED_RECORDS_ASYNC,
- REGISTER_PERM_ACTIVE_STATUS_CHANGE_CALLBACK,
- UNREGISTER_PERM_ACTIVE_STATUS_CHANGE_CALLBACK,
- IS_ALLOWED_USING_PERMISSION,
+ ADD_PERMISSION_USED_RECORD = 1,
+ ADD_PERMISSION_USED_RECORD_ASYNC = 2,
+ START_USING_PERMISSION = 3,
+ START_USING_PERMISSION_CALLBACK = 4,
+ STOP_USING_PERMISSION = 5,
+ DELETE_PERMISSION_USED_RECORDS = 6,
+ GET_PERMISSION_USED_RECORDS = 7,
+ GET_PERMISSION_USED_RECORDS_ASYNC = 8,
+ REGISTER_PERM_ACTIVE_STATUS_CHANGE_CALLBACK = 9,
+ UNREGISTER_PERM_ACTIVE_STATUS_CHANGE_CALLBACK = 10,
+ IS_ALLOWED_USING_PERMISSION = 11,
#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
- REGISTER_SEC_COMP_ENHANCE,
- UPDATE_SEC_COMP_ENHANCE,
- GET_SEC_COMP_ENHANCE,
- GET_SPECIAL_SEC_COMP_ENHANCE,
+ REGISTER_SEC_COMP_ENHANCE = 101,
+ UPDATE_SEC_COMP_ENHANCE = 102,
+ GET_SEC_COMP_ENHANCE = 103,
+ GET_SPECIAL_SEC_COMP_ENHANCE = 104,
#endif
- GET_PERMISSION_USED_TYPE_INFOS,
- SET_MUTE_POLICY,
- SET_HAP_WITH_FOREGROUND_REMINDER,
- SET_PERMISSION_USED_RECORD_TOGGLE_STATUS,
- GET_PERMISSION_USED_RECORD_TOGGLE_STATUS
+ GET_PERMISSION_USED_TYPE_INFOS = 12,
+ SET_MUTE_POLICY = 13,
+ SET_HAP_WITH_FOREGROUND_REMINDER = 14,
+ SET_PERMISSION_USED_RECORD_TOGGLE_STATUS = 15,
+ GET_PERMISSION_USED_RECORD_TOGGLE_STATUS = 16
};
} // namespace AccessToken
} // namespace Security
diff --git a/interfaces/innerkits/privacy/src/privacy_manager_client.cpp b/interfaces/innerkits/privacy/src/privacy_manager_client.cpp
index b3ecd9fa4aac327e39f641c89584740c04d7ca3d..0e667cf5a10fe7371644e6a7b9e2259bc140bcef 100644
--- a/interfaces/innerkits/privacy/src/privacy_manager_client.cpp
+++ b/interfaces/innerkits/privacy/src/privacy_manager_client.cpp
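Review bot: The new explicit values put the guarded 101–104 block out of numeric order with the 12–16 entries that follow it, and nothing in the header says why; since these codes are the IPC wire contract between client, proxy and stub, a comment above the enum would stop a later contributor from "tidying" them, e.g. `// Wire-visible request codes: never renumber or reuse a value. 101-104 are reserved for the SECURITY_COMPONENT_ENHANCE block so the codes after it no longer shift with the build flag.` The `/* SAID:3505 */` comment is the third place this diff spells the service-ability id; pointing it at the single definition would keep the three in step.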
@@ -30,6 +30,7 @@ namespace { const static int32_t MAX_CALLBACK_SIZE = 200; const static int32_t MAX_PERM_LIST_SIZE = 1024; constexpr const char* CAMERA_PERMISSION_NAME = "ohos.permission.CAMERA"; +static const int32_t SA_ID_PRIVACY_MANAGER_SERVICE = 3505; std::recursive_mutex g_instanceMutex; } // namespace @@ -65,7 +66,10 @@ int32_t PrivacyManagerClient::AddPermissionUsedRecord(const AddPermParamInfo& in } AddPermParamInfoParcel infoParcel; infoParcel.info = info; - return proxy->AddPermissionUsedRecord(infoParcel, asyncMode); + if (asyncMode) { + return proxy->AddPermissionUsedRecordAsync(infoParcel); + } + return proxy->AddPermissionUsedRecord(infoParcel); } int32_t PrivacyManagerClient::SetPermissionUsedRecordToggleStatus(int32_t userID, bool status) @@ -161,7 +165,7 @@ int32_t PrivacyManagerClient::StartUsingPermission(AccessTokenID tokenId, int32_ LOGE(PRI_DOMAIN, PRI_TAG, "Proxy death recipent is null."); return PrivacyError::ERR_MALLOC_FAILED; } - result = proxy->StartUsingPermission(parcel, callbackWrap->AsObject(), anonyStub); + result = proxy->StartUsingPermissionCallback(parcel, callbackWrap->AsObject(), anonyStub); if (result == RET_SUCCESS) { std::lock_guard lock(stateCbkMutex_); stateChangeCallbackMap_[id] = callbackWrap; @@ -228,7 +232,7 @@ int32_t PrivacyManagerClient::GetPermissionUsedRecords(const PermissionUsedReque PermissionUsedRequestParcel requestParcel; requestParcel.request = request; - return proxy->GetPermissionUsedRecords(requestParcel, callback); + return proxy->GetPermissionUsedRecordsAsync(requestParcel, callback); } int32_t PrivacyManagerClient::CreateActiveStatusChangeCbk( 
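Review bot: The service-ability id 3505 becomes a file-local literal here and again in the unnamed namespace of privacy_manager_service.cpp (same name, same value), replacing the one shared `IPrivacyManager::SA_ID_PRIVACY_MANAGER_SERVICE` that `InitProxy` used before; two private copies of an IPC routing constant will drift silently, so keep a single definition in a shared header (or leave it on the interface) and include it from both sides. The added line also uses `static const` inside an unnamed namespace, where `static` is redundant and the neighbouring lines spell it `const static`.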
@@ -319,7 +323,8 @@ bool PrivacyManagerClient::IsAllowedUsingPermission(AccessTokenID tokenID, const LOGE(PRI_DOMAIN, PRI_TAG, "Proxy is null."); return false; } - return proxy->IsAllowedUsingPermission(tokenID, permissionName, pid); + bool isAllowed = false; + return proxy->IsAllowedUsingPermission(tokenID, permissionName, pid, isAllowed); } #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE @@ -436,10 +441,9 @@ void PrivacyManagerClient::InitProxy() LOGD(PRI_DOMAIN, PRI_TAG, "GetSystemAbilityManager is null"); return; } - auto privacySa = sam->CheckSystemAbility(IPrivacyManager::SA_ID_PRIVACY_MANAGER_SERVICE); + auto privacySa = sam->CheckSystemAbility(SA_ID_PRIVACY_MANAGER_SERVICE); if (privacySa == nullptr) { - LOGD(PRI_DOMAIN, PRI_TAG, "CheckSystemAbility %{public}d is null", - IPrivacyManager::SA_ID_PRIVACY_MANAGER_SERVICE); + LOGD(PRI_DOMAIN, PRI_TAG, "CheckSystemAbility %{public}d is null", SA_ID_PRIVACY_MANAGER_SERVICE); return; } diff --git a/interfaces/innerkits/privacy/src/privacy_manager_proxy.cpp b/interfaces/innerkits/privacy/src/privacy_manager_proxy.cpp index 77f50a8360f2872c366be8aa02e574b39b03b2fd..0b6e923b35d50103ea383d622a8c903e4a603077 100644 --- a/interfaces/innerkits/privacy/src/privacy_manager_proxy.cpp +++ b/interfaces/innerkits/privacy/src/privacy_manager_proxy.cpp @@ -37,7 +37,7 @@ PrivacyManagerProxy::PrivacyManagerProxy(const sptr& impl) PrivacyManagerProxy::~PrivacyManagerProxy() {} -int32_t PrivacyManagerProxy::AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel, bool asyncMode) +int32_t PrivacyManagerProxy::AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel) { MessageParcel addData; addData.WriteInterfaceToken(IPrivacyManager::GetDescriptor()); 
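Review bot: `PrivacyManagerClient::IsAllowedUsingPermission` still returns `bool` (the hunk header shows the signature and the null-proxy path returns `false`), but the new tail returns the proxy's `int32_t` status converted to bool, so a successful lookup (status 0) reports "not allowed" and any error status reports "allowed", while the `isAllowed` that was filled in is discarded. Replace the last line with `int32_t ret = proxy->IsAllowedUsingPermission(tokenID, permissionName, pid, isAllowed);` followed by `return (ret == RET_SUCCESS) && isAllowed;`, using whichever success code the proxy actually returns (the service side returns `ERR_OK`; this file compares against `RET_SUCCESS` elsewhere). That keeps the function fail-closed on IPC failure, consistent with the existing `return false` when the proxy is null.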
@@ -47,7 +47,25 @@ int32_t PrivacyManagerProxy::AddPermissionUsedRecord(const AddPermParamInfoParce } MessageParcel reply; - if (!SendRequest(PrivacyInterfaceCode::ADD_PERMISSION_USED_RECORD, addData, reply, asyncMode)) { + if (!SendRequest(PrivacyInterfaceCode::ADD_PERMISSION_USED_RECORD, addData, reply)) { + return PrivacyError::ERR_SERVICE_ABNORMAL; + } + int32_t result = reply.ReadInt32(); + LOGI(PRI_DOMAIN, PRI_TAG, "Result from server data = %{public}d", result); + return result; +} + +int32_t PrivacyManagerProxy::AddPermissionUsedRecordAsync(const AddPermParamInfoParcel& infoParcel) +{ + MessageParcel addData; + addData.WriteInterfaceToken(IPrivacyManager::GetDescriptor()); + if (!addData.WriteParcelable(&infoParcel)) { + LOGE(PRI_DOMAIN, PRI_TAG, "Failed to WriteParcelable(infoParcel)"); + return PrivacyError::ERR_WRITE_PARCEL_FAILED; + } + + MessageParcel reply; + if (!SendRequest(PrivacyInterfaceCode::ADD_PERMISSION_USED_RECORD_ASYNC, addData, reply, true)) { return PrivacyError::ERR_SERVICE_ABNORMAL; } int32_t result = reply.ReadInt32(); @@ -144,7 +162,7 @@ int32_t PrivacyManagerProxy::StartUsingPermission( return result; } -int32_t PrivacyManagerProxy::StartUsingPermission( +int32_t PrivacyManagerProxy::StartUsingPermissionCallback( const PermissionUsedTypeInfoParcel &infoParcel, const sptr& callback, const sptr& anonyStub) { @@ -223,7 +241,7 @@ int32_t PrivacyManagerProxy::RemovePermissionUsedRecords(AccessTokenID tokenID) } int32_t PrivacyManagerProxy::GetPermissionUsedRecords(const PermissionUsedRequestParcel& request, - PermissionUsedResultParcel& result) + PermissionUsedResultParcel& resultParcel) { MessageParcel data; data.WriteInterfaceToken(IPrivacyManager::GetDescriptor()); 
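Review bot: `AddPermissionUsedRecordAsync` is a line-for-line copy of `AddPermissionUsedRecord`, differing only in the interface code and the `true` async flag passed to `SendRequest`; a private helper such as `int32_t SendAddRecordRequest(PrivacyInterfaceCode code, const AddPermParamInfoParcel& infoParcel, bool async)` called from both would keep the two serialisation paths from drifting. After an async `SendRequest` the `reply.ReadInt32()` that follows presumably reads nothing the server wrote (the body of both functions continues past the end of the hunk); if that is the case, a comment on the async variant saying the logged value is not the server's verdict would save the next reader from trusting it.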
@@ -247,11 +265,11 @@ int32_t PrivacyManagerProxy::GetPermissionUsedRecords(const PermissionUsedReques LOGE(PRI_DOMAIN, PRI_TAG, "ReadParcelable fail"); return PrivacyError::ERR_READ_PARCEL_FAILED; } - result = *resultSptr; + resultParcel = *resultSptr; return ret; } -int32_t PrivacyManagerProxy::GetPermissionUsedRecords(const PermissionUsedRequestParcel& request, +int32_t PrivacyManagerProxy::GetPermissionUsedRecordsAsync(const PermissionUsedRequestParcel& request, const sptr& callback) { MessageParcel data; @@ -276,7 +294,7 @@ int32_t PrivacyManagerProxy::GetPermissionUsedRecords(const PermissionUsedReques } int32_t PrivacyManagerProxy::RegisterPermActiveStatusCallback( - std::vector& permList, const sptr& callback) + const std::vector& permList, const sptr& callback) { MessageParcel data; if (!data.WriteInterfaceToken(IPrivacyManager::GetDescriptor())) { 
@@ -332,8 +350,8 @@ int32_t PrivacyManagerProxy::UnRegisterPermActiveStatusCallback(const sptr& impl); ~PrivacyManagerProxy() override; - int32_t AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel, bool asyncMode = false) override; + int32_t AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel) override; + int32_t AddPermissionUsedRecordAsync(const AddPermParamInfoParcel& infoParcel) override; int32_t SetPermissionUsedRecordToggleStatus(int32_t userID, bool status) override; int32_t GetPermissionUsedRecordToggleStatus(int32_t userID, bool& status) override; int32_t StartUsingPermission(const PermissionUsedTypeInfoParcel &infoParcel, const sptr& anonyStub) override; - int32_t StartUsingPermission(const PermissionUsedTypeInfoParcel &infoParcel, + int32_t StartUsingPermissionCallback(const PermissionUsedTypeInfoParcel &infoParcel, const sptr& callback, const sptr& anonyStub) override; int32_t StopUsingPermission(AccessTokenID tokenID, int32_t pid, const std::string& permissionName) override; int32_t RemovePermissionUsedRecords(AccessTokenID tokenID) override; int32_t GetPermissionUsedRecords( - const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& result) override; - int32_t GetPermissionUsedRecords(const PermissionUsedRequestParcel& request, + const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& resultParcel) override; + int32_t GetPermissionUsedRecordsAsync(const PermissionUsedRequestParcel& request, const sptr& callback) override; int32_t RegisterPermActiveStatusCallback( - std::vector& permList, const sptr& callback) override; + const std::vector& permList, const sptr& callback) override; int32_t UnRegisterPermActiveStatusCallback(const sptr& callback) override; - bool IsAllowedUsingPermission(AccessTokenID tokenID, const std::string& permissionName, int32_t pid) override; + int32_t IsAllowedUsingPermission( + AccessTokenID tokenID, const std::string& permissionName, int32_t pid, bool& isAllowed) 
override; #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE int32_t RegisterSecCompEnhance(const SecCompEnhanceDataParcel& enhance) override; int32_t UpdateSecCompEnhance(int32_t pid, uint32_t seqNum) override; diff --git a/services/privacymanager/include/service/privacy_manager_service.h b/services/privacymanager/include/service/privacy_manager_service.h index 08a785cf79b3feeb759cd99bf46a0dbc0c3cd9e9..1a032cdc14f05edbbcf9c1866168455d7b319dcb 100644 --- a/services/privacymanager/include/service/privacy_manager_service.h +++ b/services/privacymanager/include/service/privacy_manager_service.h 
@@ -40,21 +40,22 @@ public: void OnStart() override; void OnStop() override; - int32_t AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel, bool asyncMode = false) override; + int32_t AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel) override; + int32_t AddPermissionUsedRecordAsync(const AddPermParamInfoParcel& infoParcel) override; int32_t SetPermissionUsedRecordToggleStatus(int32_t userID, bool status) override; int32_t GetPermissionUsedRecordToggleStatus(int32_t userID, bool& status) override; int32_t StartUsingPermission(const PermissionUsedTypeInfoParcel &infoParcel, const sptr& anonyStub) override; - int32_t StartUsingPermission(const PermissionUsedTypeInfoParcel &infoParcel, + int32_t StartUsingPermissionCallback(const PermissionUsedTypeInfoParcel &infoParcel, const sptr& callback, const sptr& anonyStub) override; int32_t StopUsingPermission(AccessTokenID tokenId, int32_t pid, const std::string& permissionName) override; int32_t RemovePermissionUsedRecords(AccessTokenID tokenId) override; int32_t GetPermissionUsedRecords( - const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& result) override; - int32_t GetPermissionUsedRecords( + const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& resultParcel) override; + int32_t GetPermissionUsedRecordsAsync( const PermissionUsedRequestParcel& request, const sptr& callback) override; int32_t RegisterPermActiveStatusCallback( - std::vector& permList, const sptr& callback) override; + const std::vector& permList, const sptr& callback) override; int32_t UnRegisterPermActiveStatusCallback(const sptr& callback) override; #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE int32_t RegisterSecCompEnhance(const SecCompEnhanceDataParcel& enhanceParcel) override; 
@@ -63,7 +64,8 @@ public: int32_t GetSpecialSecCompEnhance(const std::string& bundleName, std::vector& enhanceParcelList) override; #endif - bool IsAllowedUsingPermission(AccessTokenID tokenId, const std::string& permissionName, int32_t pid) override; + int32_t IsAllowedUsingPermission( + AccessTokenID tokenId, const std::string& permissionName, int32_t pid, bool& isAllowed) override; int32_t GetPermissionUsedTypeInfos(const AccessTokenID tokenId, const std::string& permissionName, std::vector& resultsParcel) override; int32_t Dump(int32_t fd, const std::vector& args) override; @@ -77,6 +79,15 @@ private: void ProcessProxyDeathStub(const sptr& anonyStub, int32_t callerPid); void ReleaseDeathStub(int32_t callerPid); + bool IsSecCompServiceCalling(); + bool IsPrivilegedCalling() const; + bool IsAccessTokenCalling() const; + bool IsSystemAppCalling() const; + bool VerifyPermission(const std::string& permission) const; + static const int32_t ACCESSTOKEN_UID = 3020; + AccessTokenID secCompTokenId_ = 0; + static const int32_t ROOT_UID = 0; + ServiceRunningState state_; #ifdef EVENTHANDLER_ENABLE diff --git a/services/privacymanager/include/service/privacy_manager_stub.h b/services/privacymanager/include/service/privacy_manager_stub.h index a79b423c7270a4911afabe0c34fa873a06f2c606..b1ca6bf6915837d5810d97ef5b07818fe229cb95 100644 --- a/services/privacymanager/include/service/privacy_manager_stub.h +++ b/services/privacymanager/include/service/privacy_manager_stub.h @@ -34,6 +34,7 @@ public: private: void AddPermissionUsedRecordInner(MessageParcel& data, MessageParcel& reply); + void AddPermissionUsedRecordAsyncInner(MessageParcel& data, MessageParcel& reply); void SetPermissionUsedRecordToggleStatusInner(MessageParcel& data, MessageParcel& reply); void GetPermissionUsedRecordToggleStatusInner(MessageParcel& data, MessageParcel& reply); void StartUsingPermissionInner(MessageParcel& data, MessageParcel& reply); 
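Review bot: `IsSecCompServiceCalling()` and `secCompTokenId_` are declared unconditionally in the service header, while the definition added in privacy_manager_service.cpp sits under `#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE` and the stub header guarded both the same way before this move; wrap the two declarations in that guard so a build without the flag cannot reference a member function that has no definition. `ROOT_UID` likewise loses the `#ifndef ATM_BUILD_VARIANT_USER_ENABLE` guard it had in the stub; since `IsPrivilegedCalling` only reads it under that guard, keep the constant guarded too, or add a one-line comment explaining why it is now always defined.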
@@ -50,22 +51,18 @@ private: void UpdateSecCompEnhanceInner(MessageParcel& data, MessageParcel& reply); void GetSecCompEnhanceInner(MessageParcel& data, MessageParcel& reply); void GetSpecialSecCompEnhanceInner(MessageParcel& data, MessageParcel& reply); - bool IsSecCompServiceCalling(); #endif void GetPermissionUsedTypeInfosInner(MessageParcel& data, MessageParcel& reply); void SetMutePolicyInner(MessageParcel& data, MessageParcel& reply); void SetHapWithFGReminderInner(MessageParcel& data, MessageParcel& reply); - bool IsPrivilegedCalling() const; - bool IsAccessTokenCalling() const; - bool IsSystemAppCalling() const; - bool VerifyPermission(const std::string& permission) const; - static const int32_t ACCESSTOKEN_UID = 3020; + + #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE - AccessTokenID secCompTokenId_ = 0; + #endif void SetPrivacyFuncInMap(); #ifndef ATM_BUILD_VARIANT_USER_ENABLE - static const int32_t ROOT_UID = 0; + #endif using RequestType = void (PrivacyManagerStub::*)(MessageParcel &data, MessageParcel &reply); diff --git a/services/privacymanager/src/service/privacy_manager_service.cpp b/services/privacymanager/src/service/privacy_manager_service.cpp index 1eb81c9e76e835f8a8103157c5a89143f30cf2ef..072090de857093e702be8cdf918425f2c776266a 100644 --- a/services/privacymanager/src/service/privacy_manager_service.cpp +++ b/services/privacymanager/src/service/privacy_manager_service.cpp @@ -19,6 +19,7 @@ #include #include "access_token.h" +#include "accesstoken_kit.h" #include "accesstoken_common_log.h" #include "active_status_callback_manager.h" #include "ipc_skeleton.h" 
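Review bot: The hunk leaves two empty preprocessor blocks behind in `PrivacyManagerStub` (`#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE` / `#endif` and `#ifndef ATM_BUILD_VARIANT_USER_ENABLE` / `#endif`) plus a stray added blank line, now that the members they guarded have moved to the service; delete the four directive lines and the blank so the private section reads as what it is, a list of `*Inner` dispatch handlers.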
@@ -29,16 +30,25 @@ #include "constant.h" #include "ipc_skeleton.h" #include "permission_record_manager.h" +#include "privacy_error.h" #include "privacy_manager_proxy_death_param.h" #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE #include "privacy_sec_comp_enhance_agent.h" #endif #include "system_ability_definition.h" #include "string_ex.h" +#include "tokenid_kit.h" namespace OHOS { namespace Security { namespace AccessToken { +namespace { +constexpr const char* PERMISSION_USED_STATS = "ohos.permission.PERMISSION_USED_STATS"; +constexpr const char* PERMISSION_RECORD_TOGGLE = "ohos.permission.PERMISSION_RECORD_TOGGLE"; +constexpr const char* SET_FOREGROUND_HAP_REMINDER = "ohos.permission.SET_FOREGROUND_HAP_REMINDER"; +constexpr const char* SET_MUTE_POLICY = "ohos.permission.SET_MUTE_POLICY"; +static const int32_t SA_ID_PRIVACY_MANAGER_SERVICE = 3505; +} const bool REGISTER_RESULT = SystemAbility::MakeAndRegisterAbility(DelayedSingleton::GetInstance().get()); 
@@ -87,24 +97,58 @@ void PrivacyManagerService::OnStop() state_ = ServiceRunningState::STATE_NOT_START; } -int32_t PrivacyManagerService::AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel, - bool asyncMode) +int32_t PrivacyManagerService::AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel) { LOGD(PRI_DOMAIN, PRI_TAG, "id: %{public}d, perm: %{public}s, succCnt: %{public}d," " failCnt: %{public}d, type: %{public}d", infoParcel.info.tokenId, infoParcel.info.permissionName.c_str(), infoParcel.info.successCount, infoParcel.info.failCount, infoParcel.info.type); + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + if (!VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } AddPermParamInfo info = infoParcel.info; return PermissionRecordManager::GetInstance().AddPermissionUsedRecord(info); } +int32_t PrivacyManagerService::AddPermissionUsedRecordAsync(const AddPermParamInfoParcel& infoParcel) +{ + return AddPermissionUsedRecord(infoParcel); +} + int32_t PrivacyManagerService::SetPermissionUsedRecordToggleStatus(int32_t userID, bool status) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + if (!IsPrivilegedCalling() && !VerifyPermission(PERMISSION_RECORD_TOGGLE)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } + if (userID != 0 && !IsPrivilegedCalling()) { + LOGE(PRI_DOMAIN, PRI_TAG, "User version only get calling userID."); + return PrivacyError::ERR_PERMISSION_DENIED; + } LOGI(PRI_DOMAIN, PRI_TAG, "userID: %{public}d, status: %{public}d", userID, status ? 
1 : 0); return PermissionRecordManager::GetInstance().SetPermissionUsedRecordToggleStatus(userID, status); } int32_t PrivacyManagerService::GetPermissionUsedRecordToggleStatus(int32_t userID, bool& status) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + if (!IsPrivilegedCalling() && !VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } + if (userID != 0 && !IsPrivilegedCalling()) { + LOGE(PRI_DOMAIN, PRI_TAG, "User version only get calling userID."); + return PrivacyError::ERR_PERMISSION_DENIED; + } + LOGD(PRI_DOMAIN, PRI_TAG, "userID: %{public}d, status: %{public}d", userID, status ? 1 : 0); return PermissionRecordManager::GetInstance().GetPermissionUsedRecordToggleStatus(userID, status); } 
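Review bot: The two-step caller gate (`GetTokenTypeFlag(callingTokenID) == TOKEN_HAP && !IsSystemAppCalling()`, then `VerifyPermission(...)`) is pasted verbatim into `AddPermissionUsedRecord`, `SetPermissionUsedRecordToggleStatus` and `GetPermissionUsedRecordToggleStatus` here, and again in the `StartUsingPermission`, `StartUsingPermissionCallback`, `StopUsingPermission`, `RemovePermissionUsedRecords`, `GetPermissionUsedRecords`, `GetPermissionUsedRecordsAsync`, `RegisterPermActiveStatusCallback`, `UnRegisterPermActiveStatusCallback`, `IsAllowedUsingPermission` and `GetPermissionUsedTypeInfos` hunks below. One private helper, e.g. `int32_t CheckCaller(const std::string& permission) const` returning `ERR_NOT_SYSTEM_APP`, `ERR_PERMISSION_DENIED` or the success code, would make a missing or differently written gate visible at a glance and give the ordering (system-app check before permission check) a single place to be documented. The two toggle-status methods also evaluate `IsPrivilegedCalling()` twice; store it once in a local before the two `if`s.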
@@ -155,15 +199,30 @@ void PrivacyManagerService::ReleaseDeathStub(int32_t callerPid) int32_t PrivacyManagerService::StartUsingPermission( const PermissionUsedTypeInfoParcel &infoParcel, const sptr& anonyStub) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + if (!VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } int32_t callerPid = IPCSkeleton::GetCallingPid(); LOGI(PRI_DOMAIN, PRI_TAG, "Caller pid = %{public}d.", callerPid); ProcessProxyDeathStub(anonyStub, callerPid); return PermissionRecordManager::GetInstance().StartUsingPermission(infoParcel.info, callerPid); } -int32_t PrivacyManagerService::StartUsingPermission(const PermissionUsedTypeInfoParcel &infoParcel, +int32_t PrivacyManagerService::StartUsingPermissionCallback(const PermissionUsedTypeInfoParcel &infoParcel, const sptr& callback, const sptr& anonyStub) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + + if (!VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } int32_t callerPid = IPCSkeleton::GetCallingPid(); LOGI(PRI_DOMAIN, PRI_TAG, "Caller pid = %{public}d.", callerPid); ProcessProxyDeathStub(anonyStub, callerPid); 
@@ -173,6 +232,13 @@ int32_t PrivacyManagerService::StartUsingPermission(const PermissionUsedTypeInfo int32_t PrivacyManagerService::StopUsingPermission( AccessTokenID tokenId, int32_t pid, const std::string& permissionName) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + if (!VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } LOGI(PRI_DOMAIN, PRI_TAG, "id: %{public}u, pid: %{public}d, perm: %{public}s", tokenId, pid, permissionName.c_str()); int32_t callerPid = IPCSkeleton::GetCallingPid(); 
@@ -189,14 +255,30 @@ int32_t PrivacyManagerService::StopUsingPermission( int32_t PrivacyManagerService::RemovePermissionUsedRecords(AccessTokenID tokenId) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + + if (!IsAccessTokenCalling() && !VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } LOGI(PRI_DOMAIN, PRI_TAG, "id: %{public}u", tokenId); PermissionRecordManager::GetInstance().RemovePermissionUsedRecords(tokenId); return Constant::SUCCESS; } int32_t PrivacyManagerService::GetPermissionUsedRecords( - const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& result) + const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& resultParcel) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + + if (!VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } std::string permissionList; for (const auto& perm : request.request.permissionList) { permissionList.append(perm); 
@@ -208,20 +290,35 @@ int32_t PrivacyManagerService::GetPermissionUsedRecords( PermissionUsedResult permissionRecord; int32_t ret = PermissionRecordManager::GetInstance().GetPermissionUsedRecords(request.request, permissionRecord); - result.result = permissionRecord; + resultParcel.result = permissionRecord; return ret; } -int32_t PrivacyManagerService::GetPermissionUsedRecords( +int32_t PrivacyManagerService::GetPermissionUsedRecordsAsync( const PermissionUsedRequestParcel& request, const sptr& callback) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + + if (!VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } LOGD(PRI_DOMAIN, PRI_TAG, "id: %{public}d", request.request.tokenId); return PermissionRecordManager::GetInstance().GetPermissionUsedRecordsAsync(request.request, callback); } int32_t PrivacyManagerService::RegisterPermActiveStatusCallback( - std::vector& permList, const sptr& callback) + const std::vector& permList, const sptr& callback) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + if (!VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } return PermissionRecordManager::GetInstance().RegisterPermActiveStatusCallback( IPCSkeleton::GetCallingTokenID(), permList, callback); } 
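Review bot: In `RegisterPermActiveStatusCallback` the new guard already stores the caller in `callingTokenID`, yet the forwarding call still evaluates `IPCSkeleton::GetCallingTokenID()` a second time; pass the local instead, `IPCSkeleton::GetCallingTokenID(), permList, callback);` → `callingTokenID, permList, callback);`, so the token that was checked is the token that gets registered.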
@@ -235,11 +332,19 @@ int32_t PrivacyManagerService::RegisterSecCompEnhance(const SecCompEnhanceDataPa int32_t PrivacyManagerService::UpdateSecCompEnhance(int32_t pid, uint32_t seqNum) { + if (!IsSecCompServiceCalling()) { + return PrivacyError::ERR_PERMISSION_DENIED; + } + return PrivacySecCompEnhanceAgent::GetInstance().UpdateSecCompEnhance(pid, seqNum); } int32_t PrivacyManagerService::GetSecCompEnhance(int32_t pid, SecCompEnhanceDataParcel& enhanceParcel) { + if (!IsSecCompServiceCalling()) { + return PrivacyError::ERR_PERMISSION_DENIED; + } + SecCompEnhanceData enhanceData; int32_t res = PrivacySecCompEnhanceAgent::GetInstance().GetSecCompEnhance(pid, enhanceData); if (res != RET_SUCCESS) { @@ -254,6 +359,10 @@ int32_t PrivacyManagerService::GetSecCompEnhance(int32_t pid, SecCompEnhanceData int32_t PrivacyManagerService::GetSpecialSecCompEnhance(const std::string& bundleName, std::vector& enhanceParcelList) { + if (!IsSecCompServiceCalling()) { + return PrivacyError::ERR_PERMISSION_DENIED; + } + std::vector enhanceList; PrivacySecCompEnhanceAgent::GetInstance().GetSpecialSecCompEnhance(bundleName, enhanceList); for (const auto& enhance : enhanceList) { 
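Review bot: `UpdateSecCompEnhance`, `GetSecCompEnhance` and `GetSpecialSecCompEnhance` now gate on `IsSecCompServiceCalling()`, but `RegisterSecCompEnhance`, which appears only as the context of the first hunk header, is not shown receiving any gate in this diff; with the stub's own `IsSecCompServiceCalling()` declaration deleted in privacy_manager_stub.h, confirm that the registration path is gated in the service as well, otherwise it would be the one enhance entry point left without a caller check. The helper itself is defined only under `SECURITY_COMPONENT_ENHANCE_ENABLE`, which matches these three call sites.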
@@ -334,20 +443,40 @@ int32_t PrivacyManagerService::Dump(int32_t fd, const std::vector& callback) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + if (!VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } return PermissionRecordManager::GetInstance().UnRegisterPermActiveStatusCallback(callback); } -bool PrivacyManagerService::IsAllowedUsingPermission(AccessTokenID tokenId, const std::string& permissionName, - int32_t pid) +int32_t PrivacyManagerService::IsAllowedUsingPermission(AccessTokenID tokenId, const std::string& permissionName, + int32_t pid, bool& isAllowed) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + LOGE(PRI_DOMAIN, PRI_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID); + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + + if (!VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } LOGI(PRI_DOMAIN, PRI_TAG, "Id: %{public}d, perm: %{public}s, pid: %{public}d.", tokenId, permissionName.c_str(), pid); - return PermissionRecordManager::GetInstance().IsAllowedUsingPermission(tokenId, permissionName, pid); + isAllowed = PermissionRecordManager::GetInstance().IsAllowedUsingPermission(tokenId, permissionName, pid); + return ERR_OK; } int32_t PrivacyManagerService::SetMutePolicy(uint32_t policyType, uint32_t callerType, bool isMute, AccessTokenID tokenID) { + if (!VerifyPermission(SET_MUTE_POLICY)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } LOGI(PRI_DOMAIN, PRI_TAG, "PolicyType %{public}d, callerType %{public}d, isMute %{public}d, tokenId %{public}u", policyType, callerType, isMute, tokenID); return PermissionRecordManager::GetInstance().SetMutePolicy( 
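Review bot: In `IsAllowedUsingPermission` the out-parameter `isAllowed` is left untouched on the `ERR_NOT_SYSTEM_APP` and `ERR_PERMISSION_DENIED` returns, so a stub or client that serialises it regardless of the status would forward whatever the caller initialised it to; add `isAllowed = false;` as the first statement so the out-value is fail-closed on every path. The success code is spelled `ERR_OK` here while `RemovePermissionUsedRecords` in the same file returns `Constant::SUCCESS`; pick one for the whole service so the proxy and client can compare against a single value.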
@@ -356,6 +485,9 @@ int32_t PrivacyManagerService::SetMutePolicy(uint32_t policyType, uint32_t calle int32_t PrivacyManagerService::SetHapWithFGReminder(uint32_t tokenId, bool isAllowed) { + if (!VerifyPermission(SET_FOREGROUND_HAP_REMINDER)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } LOGI(PRI_DOMAIN, PRI_TAG, "id: %{public}d, isAllowed: %{public}d", tokenId, isAllowed); return PermissionRecordManager::GetInstance().SetHapWithFGReminder(tokenId, isAllowed); } @@ -363,6 +495,13 @@ int32_t PrivacyManagerService::SetHapWithFGReminder(uint32_t tokenId, bool isAll int32_t PrivacyManagerService::GetPermissionUsedTypeInfos(const AccessTokenID tokenId, const std::string& permissionName, std::vector& resultsParcel) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return PrivacyError::ERR_NOT_SYSTEM_APP; + } + if (!VerifyPermission(PERMISSION_USED_STATS)) { + return PrivacyError::ERR_PERMISSION_DENIED; + } LOGD(PRI_DOMAIN, PRI_TAG, "id: %{public}d, perm: %{public}s", tokenId, permissionName.c_str()); std::vector results; 
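Review bot: `SetHapWithFGReminder` (and `SetMutePolicy` in the hunk above) gate on the permission alone, without the `TOKEN_HAP` / `IsSystemAppCalling()` step every other entry point in this file applies; if that is deliberate because `SET_FOREGROUND_HAP_REMINDER` and `SET_MUTE_POLICY` are never granted to HAP callers, a one-line comment on each, e.g. `// permission is system-only, so no separate system-app check is needed`, would stop the next reader from "fixing" the asymmetry in either direction. `GetPermissionUsedTypeInfos` continues past the end of the hunk.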
@@ -411,6 +550,50 @@ bool PrivacyManagerService::Initialize()
#endif
return true;
}
+
+#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
+bool PrivacyManagerService::IsSecCompServiceCalling()
+{
+ uint32_t tokenCaller = IPCSkeleton::GetCallingTokenID();
+ if (secCompTokenId_ == 0) {
+ secCompTokenId_ = AccessTokenKit::GetNativeTokenId("security_component_service");
+ }
+ return tokenCaller == secCompTokenId_;
+}
+#endif
+
+bool PrivacyManagerService::IsPrivilegedCalling() const
+{
+ // shell process is root in debug mode.
+#ifndef ATM_BUILD_VARIANT_USER_ENABLE
+ int32_t callingUid = IPCSkeleton::GetCallingUid();
+ return callingUid == ROOT_UID;
+#else
+ return false;
+#endif
+}
+
+bool PrivacyManagerService::IsAccessTokenCalling() const
+{
+ int32_t callingUid = IPCSkeleton::GetCallingUid();
+ return callingUid == ACCESSTOKEN_UID;
+}
+
+bool PrivacyManagerService::IsSystemAppCalling() const
+{
+ uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
+ return TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
+}
+
+bool PrivacyManagerService::VerifyPermission(const std::string& permission) const
+{
+ uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
+ if (AccessTokenKit::VerifyAccessToken(callingTokenID, permission) == PERMISSION_DENIED) {
+ LOGE(PRI_DOMAIN, PRI_TAG, "Permission denied(callingTokenID=%{public}d)", callingTokenID);
+ return false;
+ }
+ return true;
+}
} // namespace AccessToken
} // namespace Security
} // namespace OHOS
diff --git a/services/privacymanager/src/service/privacy_manager_stub.cpp b/services/privacymanager/src/service/privacy_manager_stub.cpp
index 2f16edfa53afbd245c261dfeb513d26bebe25d75..51f5f31c6cf0fdefca8d88c1737ee0f2d43a0e84 100644
--- a/services/privacymanager/src/service/privacy_manager_stub.cpp
+++ b/services/privacymanager/src/service/privacy_manager_stub.cpp
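Review bot: `VerifyPermission` refuses only when `VerifyAccessToken` returns exactly `PERMISSION_DENIED`, so any other non-granted result the API may produce (an error for an invalid token, for instance) is treated as granted; compare against the granted value instead, `if (AccessTokenKit::VerifyAccessToken(callingTokenID, permission) != PERMISSION_GRANTED) {`, so the gate fails closed. `IsSecCompServiceCalling` lazily writes `secCompTokenId_` from whichever IPC thread first arrives with no synchronisation, which is a data race if the service dispatches requests concurrently (not visible here); either resolve the id once at start-up or make the member an atomic. If `GetNativeTokenId` reports failure as 0 the cached value stays 0 and the lookup is simply retried next call, which is fine but worth a comment, e.g. `// 0 means "not resolved yet"; a failed lookup is retried on the next call.`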
@@ -30,10 +30,6 @@ namespace Security {
 namespace AccessToken {
 namespace {
 static const uint32_t PERM_LIST_SIZE_MAX = 1024;
-constexpr const char* PERMISSION_USED_STATS = "ohos.permission.PERMISSION_USED_STATS";
-constexpr const char* PERMISSION_RECORD_TOGGLE = "ohos.permission.PERMISSION_RECORD_TOGGLE";
-constexpr const char* SET_FOREGROUND_HAP_REMINDER = "ohos.permission.SET_FOREGROUND_HAP_REMINDER";
-constexpr const char* SET_MUTE_POLICY = "ohos.permission.SET_MUTE_POLICY";
 }
 PrivacyManagerStub::PrivacyManagerStub()
@@ -45,6 +41,8 @@ void PrivacyManagerStub::SetPrivacyFuncInMap()
 {
 requestMap_[static_cast(PrivacyInterfaceCode::ADD_PERMISSION_USED_RECORD)] =
 &PrivacyManagerStub::AddPermissionUsedRecordInner;
+ requestMap_[static_cast(PrivacyInterfaceCode::ADD_PERMISSION_USED_RECORD_ASYNC)] =
+ &PrivacyManagerStub::AddPermissionUsedRecordAsyncInner;
 requestMap_[static_cast(PrivacyInterfaceCode::START_USING_PERMISSION)] =
 &PrivacyManagerStub::StartUsingPermissionInner;
 requestMap_[static_cast(PrivacyInterfaceCode::START_USING_PERMISSION_CALLBACK)] =
@@ -108,15 +106,6 @@ int32_t PrivacyManagerStub::OnRemoteRequest(
 void PrivacyManagerStub::AddPermissionUsedRecordInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
- if (!VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 sptr infoParcel = data.ReadParcelable();
 if (infoParcel == nullptr) {
 LOGE(PRI_DOMAIN, PRI_TAG, "ReadParcelable faild");
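Review bot: Every caller-identity and permission guard is removed from the stub here and in the following hunks (AddPermissionUsedRecordInner in this one, then every other Inner function through SetHapWithFGReminderInner), so the stub now forwards any request straight to the service and the service's own checks are the only enforcement left. Of those, only SetHapWithFGReminder and GetPermissionUsedTypeInfos show their new service-side guards in this chunk; the service hunks for AddPermissionUsedRecord and the new AddPermissionUsedRecordAsync, StartUsingPermission and StartUsingPermissionCallback, StopUsingPermission, RemovePermissionUsedRecords, GetPermissionUsedRecords and GetPermissionUsedRecordsAsync, RegisterPermActiveStatusCallback and UnRegisterPermActiveStatusCallback, IsAllowedUsingPermission, SetMutePolicy and the three SecCompEnhance methods are outside this view, and each should be checked against the exact condition deleted here, including the non-system-HAP rejection, before this lands. The newly registered ADD_PERMISSION_USED_RECORD_ASYNC route is a brand-new path with no guard at the stub at all. A comment at the top of SetPrivacyFuncInMap, `// No permission checks in the stub: every PrivacyManagerService method validates its own caller.`, would record the new contract for whoever adds the next entry.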
@@ -126,28 +115,26 @@ void PrivacyManagerStub::AddPermissionUsedRecordInner(MessageParcel& data, Messa
 reply.WriteInt32(this->AddPermissionUsedRecord(*infoParcel));
 }
-void PrivacyManagerStub::SetPermissionUsedRecordToggleStatusInner(MessageParcel& data, MessageParcel& reply)
+void PrivacyManagerStub::AddPermissionUsedRecordAsyncInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
- if (!IsPrivilegedCalling() && !VerifyPermission(PERMISSION_RECORD_TOGGLE)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
+ sptr infoParcel = data.ReadParcelable();
+ if (infoParcel == nullptr) {
+ LOGE(PRI_DOMAIN, PRI_TAG, "ReadParcelable faild");
+ reply.WriteInt32(PrivacyError::ERR_READ_PARCEL_FAILED);
 return;
 }
+ reply.WriteInt32(this->AddPermissionUsedRecordAsync(*infoParcel));
+}
+
+void PrivacyManagerStub::SetPermissionUsedRecordToggleStatusInner(MessageParcel& data, MessageParcel& reply)
+{
+
 int32_t userID = 0;
 if (!data.ReadInt32(userID)) {
 LOGE(PRI_DOMAIN, PRI_TAG, "Failed to read userId.");
 reply.WriteInt32(PrivacyError::ERR_READ_PARCEL_FAILED);
 return;
 }
- if (userID != 0 && !IsPrivilegedCalling()) {
- LOGE(PRI_DOMAIN, PRI_TAG, "User version only get calling userID.");
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 bool status = true;
 if (!data.ReadBool(status)) {
 LOGE(PRI_DOMAIN, PRI_TAG, "Failed to read status.");
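Review bot: Besides the permission guard, SetPermissionUsedRecordToggleStatusInner drops the `userID != 0 && !IsPrivilegedCalling()` check that confined non-root callers to their own user's toggle, and GetPermissionUsedRecordToggleStatusInner in the next hunk loses the same check; that is a data-scoping rule rather than a permission, and the service-side SetPermissionUsedRecordToggleStatus/GetPermissionUsedRecordToggleStatus hunks are not in this chunk, so please confirm it was moved rather than dropped. The old toggle guard also admitted a privileged caller without PERMISSION_RECORD_TOGGLE (`!IsPrivilegedCalling() && !VerifyPermission(...)`), which the service version needs to reproduce or deliberately tighten. The new AddPermissionUsedRecordAsyncInner is a verbatim copy of AddPermissionUsedRecordInner except for the virtual it calls; a private helper taking the member-function pointer would remove the duplication. Judging by the line counts, the rewritten SetPermissionUsedRecordToggleStatusInner also appears to open with an empty added line after `{`, a leftover of the removal.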
@@ -159,26 +146,14 @@ void PrivacyManagerStub::SetPermissionUsedRecordToggleStatusInner(MessageParcel&
 void PrivacyManagerStub::GetPermissionUsedRecordToggleStatusInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
- if (!IsPrivilegedCalling() && !VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
+
 int32_t userID = 0;
 if (!data.ReadInt32(userID)) {
 LOGE(PRI_DOMAIN, PRI_TAG, "Failed to read userId.");
 reply.WriteInt32(PrivacyError::ERR_READ_PARCEL_FAILED);
 return;
 }
- if (userID != 0 && !IsPrivilegedCalling()) {
- LOGE(PRI_DOMAIN, PRI_TAG, "User version only get calling userID.");
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
+
 bool status = true;
 reply.WriteInt32(this->GetPermissionUsedRecordToggleStatus(userID, status));
 reply.WriteBool(status);
@@ -186,15 +161,6 @@ void PrivacyManagerStub::GetPermissionUsedRecordToggleStatusInner(MessageParcel&
 void PrivacyManagerStub::StartUsingPermissionInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
- if (!VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 sptr info = data.ReadParcelable();
 if (info == nullptr) {
 LOGE(PRI_DOMAIN, PRI_TAG, "Read parcel fail.");
@@ -212,16 +178,6 @@ void PrivacyManagerStub::StartUsingPermissionInner(MessageParcel& data, MessageP
 void PrivacyManagerStub::StartUsingPermissionCallbackInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
-
- if (!VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 sptr info = data.ReadParcelable();
 if (info == nullptr) {
 reply.WriteInt32(PrivacyError::ERR_READ_PARCEL_FAILED);
@@ -239,20 +195,11 @@ void PrivacyManagerStub::StartUsingPermissionCallbackInner(MessageParcel& data,
 reply.WriteInt32(PrivacyError::ERR_READ_PARCEL_FAILED);
 return;
 }
- reply.WriteInt32(this->StartUsingPermission(*info, callback, anonyStub));
+ reply.WriteInt32(this->StartUsingPermissionCallback(*info, callback, anonyStub));
 }
 void PrivacyManagerStub::StopUsingPermissionInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
- if (!VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 AccessTokenID tokenId = data.ReadUint32();
 int32_t pid = data.ReadInt32();
 std::string permissionName = data.ReadString();
@@ -261,33 +208,13 @@ void PrivacyManagerStub::StopUsingPermissionInner(MessageParcel& data, MessagePa
 void PrivacyManagerStub::RemovePermissionUsedRecordsInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
-
- if (!IsAccessTokenCalling() && !VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
-
 AccessTokenID tokenId = data.ReadUint32();
 reply.WriteInt32(this->RemovePermissionUsedRecords(tokenId));
 }
 void PrivacyManagerStub::GetPermissionUsedRecordsInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
 PermissionUsedResultParcel responseParcel;
- if (!VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 sptr requestParcel = data.ReadParcelable();
 if (requestParcel == nullptr) {
 LOGE(PRI_DOMAIN, PRI_TAG, "ReadParcelable faild");
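Review bot: The guard removed from RemovePermissionUsedRecordsInner was `!IsAccessTokenCalling() && !VerifyPermission(PERMISSION_USED_STATS)`, i.e. the accesstoken service (ACCESSTOKEN_UID) was admitted without holding the permission; the service-side RemovePermissionUsedRecords hunk is outside this chunk, so if it was rewritten as a plain VerifyPermission the accesstoken service's own record cleanup would now be rejected, and if the uid exemption was dropped on purpose that is a behaviour change the description should state. IsAccessTokenCalling was moved into the service in the earlier hunk, which suggests the exemption is meant to survive, but the condition itself is not visible here. In GetPermissionUsedRecordsInner the `PermissionUsedResultParcel responseParcel;` declaration is now stranded between the function brace and the parcel read; moving it next to its first use would read more naturally, and that function's body continues outside the hunk.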
@@ -305,16 +232,6 @@ void PrivacyManagerStub::GetPermissionUsedRecordsInner(MessageParcel& data, Mess
 void PrivacyManagerStub::GetPermissionUsedRecordsAsyncInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
-
- if (!VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 sptr requestParcel = data.ReadParcelable();
 if (requestParcel == nullptr) {
 LOGE(PRI_DOMAIN, PRI_TAG, "ReadParcelable failed");
@@ -327,20 +244,11 @@ void PrivacyManagerStub::GetPermissionUsedRecordsAsyncInner(MessageParcel& data,
 reply.WriteInt32(PrivacyError::ERR_READ_PARCEL_FAILED);
 return;
 }
- reply.WriteInt32(this->GetPermissionUsedRecords(*requestParcel, callback));
+ reply.WriteInt32(this->GetPermissionUsedRecordsAsync(*requestParcel, callback));
 }
 void PrivacyManagerStub::RegisterPermActiveStatusCallbackInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
- if (!VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 uint32_t permListSize = data.ReadUint32();
 if (permListSize > PERM_LIST_SIZE_MAX) {
 LOGE(PRI_DOMAIN, PRI_TAG, "Read permListSize fail");
@@ -363,15 +271,6 @@ void PrivacyManagerStub::RegisterPermActiveStatusCallbackInner(MessageParcel& da
 void PrivacyManagerStub::UnRegisterPermActiveStatusCallbackInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
- if (!VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 sptr callback = data.ReadRemoteObject();
 if (callback == nullptr) {
 LOGE(PRI_DOMAIN, PRI_TAG, "Read scopeParcel fail");
@@ -383,27 +282,14 @@ void PrivacyManagerStub::UnRegisterPermActiveStatusCallbackInner(MessageParcel&
 void PrivacyManagerStub::IsAllowedUsingPermissionInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- LOGE(PRI_DOMAIN, PRI_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID);
- reply.WriteBool(false);
- return;
- }
-
- if (!VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteBool(false);
- return;
- }
-
 AccessTokenID tokenId = data.ReadUint32();
 std::string permissionName = data.ReadString();
 int32_t pid = data.ReadInt32();
- bool result = this->IsAllowedUsingPermission(tokenId, permissionName, pid);
- if (!reply.WriteBool(result)) {
- LOGE(PRI_DOMAIN, PRI_TAG, "Failed to WriteBool(%{public}s)", permissionName.c_str());
- reply.WriteBool(false);
- return;
+ bool isAllowed = false;
+ int32_t result = this->IsAllowedUsingPermission(tokenId, permissionName, pid, isAllowed);
+ if (reply.WriteInt32(result)) {
+ reply.WriteBool(isAllowed);
 }
 }
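Review bot: In IsAllowedUsingPermissionInner a failed `reply.WriteInt32(result)` now returns with nothing written and nothing logged, whereas the code it replaces at least logged the failed write; the proxy is left with an empty reply and no diagnostic on the service side. Inverting the condition so the failure is logged and the bool is written on the normal path keeps the new int32+bool layout while restoring the log. The reply layout itself changes from a single bool to an int32 followed by a bool, so any proxy still reading one bool would interpret the error code as the decision; that side of the change is presumably in the proxy hunk, which is not in this chunk.
```cpp
    bool isAllowed = false;
    int32_t result = this->IsAllowedUsingPermission(tokenId, permissionName, pid, isAllowed);
    if (!reply.WriteInt32(result)) {
        LOGE(PRI_DOMAIN, PRI_TAG, "Failed to WriteInt32(%{public}s)", permissionName.c_str());
        return;
    }
    reply.WriteBool(isAllowed);
```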
@@ -421,11 +307,6 @@ void PrivacyManagerStub::RegisterSecCompEnhanceInner(MessageParcel& data, Messag
 void PrivacyManagerStub::UpdateSecCompEnhanceInner(MessageParcel& data, MessageParcel& reply)
 {
- if (!IsSecCompServiceCalling()) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
-
 int32_t pid = data.ReadInt32();
 uint32_t seqNum = data.ReadUint32();
 reply.WriteInt32(this->UpdateSecCompEnhance(pid, seqNum));
@@ -433,11 +314,6 @@ void PrivacyManagerStub::UpdateSecCompEnhanceInner(MessageParcel& data, MessageP
 void PrivacyManagerStub::GetSecCompEnhanceInner(MessageParcel& data, MessageParcel& reply)
 {
- if (!IsSecCompServiceCalling()) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
-
 int32_t pid = data.ReadInt32();
 SecCompEnhanceDataParcel parcel;
 int32_t result = this->GetSecCompEnhance(pid, parcel);
@@ -451,11 +327,6 @@ void PrivacyManagerStub::GetSecCompEnhanceInner(MessageParcel& data, MessageParc
 void PrivacyManagerStub::GetSpecialSecCompEnhanceInner(MessageParcel& data, MessageParcel& reply)
 {
- if (!IsSecCompServiceCalling()) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
-
 std::string bundleName = data.ReadString();
 std::vector parcelList;
 int32_t result = this->GetSpecialSecCompEnhance(bundleName, parcelList);
@@ -468,28 +339,10 @@ void PrivacyManagerStub::GetSpecialSecCompEnhanceInner(MessageParcel& data, Mess
 reply.WriteParcelable(&parcel);
 }
 }
-
-bool PrivacyManagerStub::IsSecCompServiceCalling()
-{
- uint32_t tokenCaller = IPCSkeleton::GetCallingTokenID();
- if (secCompTokenId_ == 0) {
- secCompTokenId_ = AccessTokenKit::GetNativeTokenId("security_component_service");
- }
- return tokenCaller == secCompTokenId_;
-}
 #endif
 void PrivacyManagerStub::GetPermissionUsedTypeInfosInner(MessageParcel& data, MessageParcel& reply)
 {
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
- reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
- return;
- }
- if (!VerifyPermission(PERMISSION_USED_STATS)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 AccessTokenID tokenId = data.ReadUint32();
 std::string permissionName = data.ReadString();
 std::vector resultsParcel;
@@ -506,10 +359,6 @@ void PrivacyManagerStub::GetPermissionUsedTypeInfosInner(MessageParcel& data, Me
 void PrivacyManagerStub::SetMutePolicyInner(MessageParcel& data, MessageParcel& reply)
 {
- if (!VerifyPermission(SET_MUTE_POLICY)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 uint32_t policyType;
 if (!data.ReadUint32(policyType)) {
 LOGE(PRI_DOMAIN, PRI_TAG, "Failed to read policyType.");
@@ -544,10 +393,6 @@ void PrivacyManagerStub::SetMutePolicyInner(MessageParcel& data, MessageParcel&
 void PrivacyManagerStub::SetHapWithFGReminderInner(MessageParcel& data, MessageParcel& reply)
 {
- if (!VerifyPermission(SET_FOREGROUND_HAP_REMINDER)) {
- reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
- return;
- }
 uint32_t tokenId;
 if (!data.ReadUint32(tokenId)) {
 LOGE(PRI_DOMAIN, PRI_TAG, "Failed to read tokenId.");
@@ -567,39 +412,6 @@ void PrivacyManagerStub::SetHapWithFGReminderInner(MessageParcel& data, MessageP
 return;
 }
 }
-
-bool PrivacyManagerStub::IsPrivilegedCalling() const
-{
- // shell process is root in debug mode.
-#ifndef ATM_BUILD_VARIANT_USER_ENABLE
- int32_t callingUid = IPCSkeleton::GetCallingUid();
- return callingUid == ROOT_UID;
-#else
- return false;
-#endif
-}
-
-bool PrivacyManagerStub::IsAccessTokenCalling() const
-{
- int32_t callingUid = IPCSkeleton::GetCallingUid();
- return callingUid == ACCESSTOKEN_UID;
-}
-
-bool PrivacyManagerStub::IsSystemAppCalling() const
-{
- uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
- return TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
-}
-
-bool PrivacyManagerStub::VerifyPermission(const std::string& permission) const
-{
- uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
- if (AccessTokenKit::VerifyAccessToken(callingTokenID, permission) == PERMISSION_DENIED) {
- LOGE(PRI_DOMAIN, PRI_TAG, "Permission denied(callingTokenID=%{public}d)", callingTokenID);
- return false;
- }
- return true;
-}
 } // namespace AccessToken
 } // namespace Security
 } // namespace OHOS
diff --git a/services/privacymanager/test/unittest/privacy_manager_service_test.cpp b/services/privacymanager/test/unittest/privacy_manager_service_test.cpp
index 4c656c9eb8f4b303d4c91d3eb56fe2bb63a687cd..260c7b4659a7638981489d188b30861b8378951d 100644
--- a/services/privacymanager/test/unittest/privacy_manager_service_test.cpp
+++ b/services/privacymanager/test/unittest/privacy_manager_service_test.cpp
@@ -18,6 +18,7 @@
 #include "accesstoken_kit.h"
 #include "constant.h"
+#include "i_privacy_manager.h"
 #include "on_permission_used_record_callback_stub.h"
 #define private public
 #include "permission_record_manager.h"
@@ -220,18 +221,21 @@ HWTEST_F(PrivacyManagerServiceTest, IsAllowedUsingPermission001, TestSize.Level1
 tokenId = AccessTokenKit::GetHapTokenID(g_InfoParms1.userID, g_InfoParms1.bundleName, g_InfoParms1.instIndex);
 ASSERT_NE(INVALID_TOKENID, tokenId);
- ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, MICROPHONE_PERMISSION_NAME, -1));
- ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, LOCATION_PERMISSION_NAME, -1));
- ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, CAMERA_PERMISSION_NAME, -1));
+ bool isAllowed = false;
+ ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(
+ tokenId, MICROPHONE_PERMISSION_NAME, -1, isAllowed));
+ ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(
+ tokenId, LOCATION_PERMISSION_NAME, -1, isAllowed));
+ ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, CAMERA_PERMISSION_NAME, -1, isAllowed));
 #ifdef CAMERA_FLOAT_WINDOW_ENABLE
 // not pip
 PermissionRecordManager::GetInstance().NotifyCameraWindowChange(false, tokenId, false);
- ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, CAMERA_PERMISSION_NAME, -1));
+ ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, CAMERA_PERMISSION_NAME, -1, isAllowed));
 PermissionRecordManager::GetInstance().NotifyCameraWindowChange(false, tokenId, false);
 // pip
 PermissionRecordManager::GetInstance().NotifyCameraWindowChange(true, tokenId, false);
- ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, CAMERA_PERMISSION_NAME, -1));
+ ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, CAMERA_PERMISSION_NAME, -1, isAllowed));
 #endif
 }
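Review bot: After the signature change, `ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(..., isAllowed))` compares the int32_t return code with `false`, i.e. with 0, so these assertions only check that the call reported success and the decision written to `isAllowed` is never examined; IsAllowedUsingPermission001 no longer verifies that microphone, location or camera use is refused. Each call should assert both values, e.g. `ASSERT_EQ(RET_SUCCESS, privacyManagerService_->IsAllowedUsingPermission(tokenId, MICROPHONE_PERMISSION_NAME, -1, isAllowed));` followed by `ASSERT_FALSE(isAllowed);`. The same pattern is in IsAllowedUsingPermission002 and IsAllowedUsingPermission003 in the next hunk, where the "invalid tokenId" and "invalid permission" cases may legitimately return an error code rather than RET_SUCCESS, in which case the expected code belongs in the assertion instead of `false`.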
@@ -245,16 +249,17 @@ HWTEST_F(PrivacyManagerServiceTest, IsAllowedUsingPermission002, TestSize.Level1
 {
 AccessTokenID tokenId = AccessTokenKit::GetNativeTokenId("privacy_service");
 // invalid tokenId
- ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(0, CAMERA_PERMISSION_NAME, -1));
+ bool isAllowed = false;
+ ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(0, CAMERA_PERMISSION_NAME, -1, isAllowed));
 // native tokenId
- ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, CAMERA_PERMISSION_NAME, -1));
+ ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, CAMERA_PERMISSION_NAME, -1, isAllowed));
 // invalid permission
 tokenId = AccessTokenKit::GetHapTokenID(g_InfoParms1.userID, g_InfoParms1.bundleName, g_InfoParms1.instIndex);
 ASSERT_NE(INVALID_TOKENID, tokenId);
- ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, "test", -1));
+ ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, "test", -1, isAllowed));
 }
 /*
@@ -270,7 +275,8 @@ HWTEST_F(PrivacyManagerServiceTest, IsAllowedUsingPermission003, TestSize.Level1
 tokenId = AccessTokenKit::GetHapTokenID(g_InfoParms1.userID, g_InfoParms1.bundleName, g_InfoParms1.instIndex);
 ASSERT_NE(INVALID_TOKENID, tokenId);
- ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, CAMERA_PERMISSION_NAME, -1));
+ bool isAllowed = false;
+ ASSERT_EQ(false, privacyManagerService_->IsAllowedUsingPermission(tokenId, CAMERA_PERMISSION_NAME, -1, isAllowed));
 }
 class TestPrivacyManagerStub : public PrivacyManagerStub {
@@ -278,7 +284,11 @@ public:
 TestPrivacyManagerStub() = default;
 virtual ~TestPrivacyManagerStub() = default;
- int32_t AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel, bool asyncMode = false)
+ int32_t AddPermissionUsedRecord(const AddPermParamInfoParcel& infoParcel)
+ {
+ return RET_SUCCESS;
+ }
+ int32_t AddPermissionUsedRecordAsync(const AddPermParamInfoParcel& infoParcel)
 {
 return RET_SUCCESS;
 }
@@ -294,7 +304,7 @@ public:
 {
 return RET_SUCCESS;
 }
- int32_t StartUsingPermission(const PermissionUsedTypeInfoParcel& info,
+ int32_t StartUsingPermissionCallback(const PermissionUsedTypeInfoParcel& info,
 const sptr& callback, const sptr& anonyStub)
 {
 return RET_SUCCESS;
@@ -308,17 +318,17 @@ public:
 return RET_SUCCESS;
 }
 int32_t GetPermissionUsedRecords(
- const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& result)
+ const PermissionUsedRequestParcel& request, PermissionUsedResultParcel& resultParcel)
 {
 return RET_SUCCESS;
 }
- int32_t GetPermissionUsedRecords(
+ int32_t GetPermissionUsedRecordsAsync(
 const PermissionUsedRequestParcel& request, const sptr& callback)
 {
 return RET_SUCCESS;
 }
 int32_t RegisterPermActiveStatusCallback(
- std::vector& permList, const sptr& callback)
+ const std::vector& permList, const sptr& callback)
 {
 return RET_SUCCESS;
 }
@@ -326,9 +336,11 @@ public:
 {
 return RET_SUCCESS;
 }
- bool IsAllowedUsingPermission(AccessTokenID tokenID, const std::string& permissionName, int32_t pid)
+ int32_t IsAllowedUsingPermission(
+ AccessTokenID tokenID, const std::string& permissionName, int32_t pid, bool& isAllowed)
 {
- return true;
+ isAllowed = true;
+ return RET_SUCCESS;
 }
 int32_t GetPermissionUsedTypeInfos(const AccessTokenID tokenId, const std::string& permissionName,
 std::vector& resultsParcel)
@@ -1159,6 +1171,9 @@ HWTEST_F(PrivacyManagerServiceTest, IsAllowedUsingPermissionInner001, TestSize.L
 ASSERT_EQ(RET_SUCCESS, testSub.OnRemoteRequest(static_cast( PrivacyInterfaceCode::IS_ALLOWED_USING_PERMISSION), data, reply, option));
 // callingTokenID is native token hdcd with need permission, remote is true return ERR_PARAM_INVALID
+ int32_t result;
+ reply.ReadInt32(result);
+ ASSERT_EQ(result, RET_SUCCESS);
 ASSERT_EQ(true, reply.ReadBool());
 }
@@ -1189,6 +1204,9 @@ HWTEST_F(PrivacyManagerServiceTest, IsAllowedUsingPermissionInner002, TestSize.L
 ASSERT_EQ(RET_SUCCESS, testSub.OnRemoteRequest(static_cast( PrivacyInterfaceCode::IS_ALLOWED_USING_PERMISSION), data, reply, option));
 // callingTokenID is normal hap without need permission
+ int32_t result;
+ reply.ReadInt32(result);
+ ASSERT_EQ(result, RET_SUCCESS);
 ASSERT_EQ(false, reply.ReadBool());
 }
 } // namespace AccessToken
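Review bot: `int32_t result;` is left uninitialized and the return value of `reply.ReadInt32(result)` is discarded, so if the stub wrote nothing (which the new IsAllowedUsingPermissionInner does when its WriteInt32 fails) the assertion compares an indeterminate value instead of failing on the missing field; `int32_t result = -1;` and `ASSERT_TRUE(reply.ReadInt32(result));` make the read itself part of the test. IsAllowedUsingPermissionInner002 in the second hunk has the same pattern. The pre-existing comment `// callingTokenID is native token hdcd with need permission, remote is true return ERR_PARAM_INVALID` now sits directly above an assertion of RET_SUCCESS and appears stale; it should state what the test actually expects.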