From 9d06417cf4221e36843cfd6d62ecd4c034f47cf5 Mon Sep 17 00:00:00 2001 From: Haryslee Date: Wed, 14 May 2025 14:03:25 +0800 Subject: [PATCH] feat: suport customizable of save button Signed-off-by: Haryslee --- .../accesstoken/include/accesstoken_kit.h | 7 + .../accesstoken/libaccesstoken_sdk.map | 1 + .../accesstoken/src/accesstoken_kit.cpp | 5 + .../src/accesstoken_manager_client.cpp | 19 +++ .../src/accesstoken_manager_client.h | 1 + .../security_component_grant_test.cpp | 14 ++ services/accesstokenmanager/BUILD.gn | 3 +- .../idl/IAccessTokenManager.idl | 5 +- .../include/seccomp/sec_comp_enhance_agent.h | 23 +-- .../cpp/include/seccomp/sec_comp_monitor.h | 69 ++++++++ .../service/accesstoken_manager_service.h | 3 +- .../src/seccomp/sec_comp_enhance_agent.cpp | 15 +- .../main/cpp/src/seccomp/sec_comp_monitor.cpp | 156 ++++++++++++++++++ .../service/accesstoken_manager_service.cpp | 13 +- .../accesstokenmanager/test/coverage/BUILD.gn | 2 + .../accesstokenmanager/test/mock/BUILD.gn | 2 + .../accesstokenmanager/test/unittest/BUILD.gn | 3 + .../test/unittest/sec_comp_monitor_test.cpp | 86 ++++++++++ .../test/unittest/sec_comp_monitor_test.h | 43 +++++ .../include/service/privacy_manager_service.h | 3 - test/fuzztest/innerkits/accesstoken/BUILD.gn | 1 + .../istoastshownneeded_fuzzer/BUILD.gn | 44 +++++ .../istoastshownneeded_fuzzer/corpus/init | 14 ++ .../istoastshownneeded_fuzzer.cpp | 49 ++++++ .../istoastshownneeded_fuzzer.h | 21 +++ .../istoastshownneeded_fuzzer/project.xml | 25 +++ .../accesstoken/access_token_service_fuzz.gni | 1 + 27 files changed, 585 insertions(+), 43 deletions(-) create mode 100644 services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_monitor.h create mode 100644 services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp create mode 100644 services/accesstokenmanager/test/unittest/sec_comp_monitor_test.cpp create mode 100644 services/accesstokenmanager/test/unittest/sec_comp_monitor_test.h create mode 100644 test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/BUILD.gn create mode 100644 test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/corpus/init create mode 100644 test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.cpp create mode 100644 test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.h create mode 100644 test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/project.xml diff --git a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h index 45f95f878..1e9ceb137 100644 --- a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h +++ b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h @@ -552,6 +552,13 @@ public: * @return bool */ static bool IsAtomicServiceByFullTokenID(uint64_t tokenId); + + /** + * @brief whether the process need to show the toast + * @param pid process id + * @return bool + */ + static bool IsToastShownNeeded(int32_t pid); }; } // namespace AccessToken } // namespace Security diff --git a/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map b/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map index fbf53530a..6ff38a5da 100644 --- a/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map +++ b/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map @@ -85,6 +85,7 @@ "OHOS::Security::AccessToken::AccessTokenKit::RegisterSecCompEnhance(OHOS::Security::AccessToken::SecCompEnhanceData const&)"; "OHOS::Security::AccessToken::AccessTokenKit::UpdateSecCompEnhance(int, unsigned int)"; "OHOS::Security::AccessToken::AccessTokenKit::GetSecCompEnhance(int, OHOS::Security::AccessToken::SecCompEnhanceData&)"; + "OHOS::Security::AccessToken::AccessTokenKit::IsToastShownNeeded(int)"; "OHOS::Security::AccessToken::AccessTokenKit::GetKernelPermissions(unsigned int, std::__h::vector>&)"; "OHOS::Security::AccessToken::AccessTokenKit::GetSelfPermissionStatus(std::__h::basic_string, std::__h::allocator> const&, OHOS::Security::AccessToken::TypePermissionOper&)"; OHOS::Security::AccessToken::AccessTokenKit::IsSystemAppByFullTokenID*; diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp index 5668cb06b..9e64a8b7a 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp +++ b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp @@ -857,6 +857,11 @@ bool AccessTokenKit::IsAtomicServiceByFullTokenID(uint64_t tokenId) LOGI(ATM_DOMAIN, ATM_TAG, "Called, tokenId=%{public}" PRId64, tokenId); return (tokenId & ATOMIC_SERVICE_MASK) == ATOMIC_SERVICE_MASK; } + +bool AccessTokenKit::IsToastShownNeeded(int32_t pid) +{ + return AccessTokenManagerClient::GetInstance().IsToastShownNeeded(pid); +} } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp index 1092c26af..6847c7a67 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp @@ -1244,6 +1244,25 @@ int32_t AccessTokenManagerClient::GetSecCompEnhance(int32_t pid, SecCompEnhanceD return RET_SUCCESS; } #endif + +bool AccessTokenManagerClient::IsToastShownNeeded(int32_t pid) +{ + auto proxy = GetProxy(); + if (proxy == nullptr) { + LOGE(ATM_DOMAIN, ATM_TAG, "Proxy is null."); + return true; + } + + bool needToShow; + int32_t errCode = proxy->IsToastShownNeeded(pid, needToShow); + if (errCode != RET_SUCCESS) { + errCode = ConvertResult(errCode); + LOGE(ATM_DOMAIN, ATM_TAG, "Request fail, result: %{public}d", errCode); + return true; + } + + return needToShow; +} } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h index 021dfcd4e..64ddbd8c6 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h @@ -118,6 +118,7 @@ public: int32_t UpdateSecCompEnhance(int32_t pid, uint32_t seqNum); int32_t GetSecCompEnhance(int32_t pid, SecCompEnhanceData& enhance); #endif // SECURITY_COMPONENT_ENHANCE_ENABLE + bool IsToastShownNeeded(int32_t pid); private: AccessTokenManagerClient(); diff --git a/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp index 2228b119b..baad01dbb 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp @@ -568,6 +568,20 @@ HWTEST_F(SecurityComponentGrantTest, SecurityComponentGrantTest011, TestSize.Lev ASSERT_EQ(res, RET_SUCCESS); } +/** + * @tc.name: IsToastShownNeededTest001 + * @tc.desc: test whether the security component need to show the toast. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(SecurityComponentGrantTest, IsToastShownNeededTest001, TestSize.Level0) +{ + int32_t pid = 10; + MockNativeToken mock("security_component_service"); + EXPECT_EQ(true, AccessTokenKit::IsToastShownNeeded(pid)); + EXPECT_EQ(false, AccessTokenKit::IsToastShownNeeded(pid)); +} + #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE /** * @tc.name: RegisterSecCompEnhance001 diff --git a/services/accesstokenmanager/BUILD.gn b/services/accesstokenmanager/BUILD.gn index 7d5f3bbd0..28d7d1208 100644 --- a/services/accesstokenmanager/BUILD.gn +++ b/services/accesstokenmanager/BUILD.gn @@ -61,6 +61,7 @@ if (is_standard_system) { "main/cpp/include/callback", "main/cpp/include/database", "main/cpp/include/dfx", + "main/cpp/include/seccomp", "main/cpp/include/service", "main/cpp/include/form_manager", "main/cpp/include/token", @@ -90,6 +91,7 @@ if (is_standard_system) { "main/cpp/src/permission/permission_validator.cpp", "main/cpp/src/permission/short_grant_manager.cpp", "main/cpp/src/permission/temp_permission_observer.cpp", + "main/cpp/src/seccomp/sec_comp_monitor.cpp", "main/cpp/src/service/accesstoken_manager_service.cpp", "main/cpp/src/token/accesstoken_id_manager.cpp", "main/cpp/src/token/accesstoken_info_manager.cpp", @@ -197,7 +199,6 @@ if (is_standard_system) { if (security_component_enhance_enable == true) { cflags_cc += [ "-DSECURITY_COMPONENT_ENHANCE_ENABLE" ] - include_dirs += [ "main/cpp/include/seccomp" ] sources += [ "main/cpp/src/seccomp/sec_comp_enhance_agent.cpp" ] } diff --git a/services/accesstokenmanager/idl/IAccessTokenManager.idl b/services/accesstokenmanager/idl/IAccessTokenManager.idl index c72dfa48e..d2e29972a 100644 --- a/services/accesstokenmanager/idl/IAccessTokenManager.idl +++ b/services/accesstokenmanager/idl/IAccessTokenManager.idl @@ -90,5 +90,6 @@ interface OHOS.Security.AccessToken.IAccessTokenManager{ [ipccode 81] void GetSelfPermissionStatus([in] String permissionName, [out] int status); [ipccode 101, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE, oneway] void RegisterSecCompEnhance([in] SecCompEnhanceDataParcel enhanceParcel); [ipccode 102, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE] void UpdateSecCompEnhance([in] int pid, [in] unsigned int seqNum); - [ipccode 103, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE] void GetSecCompEnhance([in] int pid, [out] SecCompEnhanceDataParcel enhanceParcel); -} \ No newline at end of file + [ipccode 103, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE] void GetSecCompEnhance([in] int pid, [out] SecCompEnhanceDataParcel enhanceParcel); + [ipccode 104] void IsToastShownNeeded([in] int pid, [out] boolean needToShow); +} diff --git a/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_enhance_agent.h b/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_enhance_agent.h index 0efe7b077..099be0afd 100644 --- a/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_enhance_agent.h +++ b/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_enhance_agent.h @@ -21,28 +21,12 @@ #include "app_status_change_callback.h" #include "nocopyable.h" #include "sec_comp_enhance_data.h" +#include "sec_comp_monitor.h" namespace OHOS { namespace Security { namespace AccessToken { -class AppUsingSecCompStateObserver : public ApplicationStateObserverStub { -public: - AppUsingSecCompStateObserver() = default; - ~AppUsingSecCompStateObserver() = default; - - void OnProcessDied(const ProcessData &processData) override; - DISALLOW_COPY_AND_MOVE(AppUsingSecCompStateObserver); -}; - -class SecCompAppManagerDeathCallback : public AppManagerDeathCallback { -public: - SecCompAppManagerDeathCallback() = default; - ~SecCompAppManagerDeathCallback() = default; - - void NotifyAppManagerDeath() override; - DISALLOW_COPY_AND_MOVE(SecCompAppManagerDeathCallback); -}; - +#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE class SecCompEnhanceAgent final { public: static SecCompEnhanceAgent& GetInstance(); @@ -60,11 +44,12 @@ private: DISALLOW_COPY_AND_MOVE(SecCompEnhanceAgent); private: - sptr observer_ = nullptr; + sptr observer_ = nullptr; std::shared_ptr appManagerDeathCallback_ = nullptr; std::mutex secCompEnhanceMutex_; std::vector secCompEnhanceData_; }; +#endif } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_monitor.h b/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_monitor.h new file mode 100644 index 000000000..5cd28ce65 --- /dev/null +++ b/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_monitor.h @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef PERMISSION_SEC_COMP_MONITOR_H +#define PERMISSION_SEC_COMP_MONITOR_H + +#include +#include +#include +#include "app_manager_death_callback.h" +#include "app_status_change_callback.h" +#include "nocopyable.h" + +namespace OHOS { +namespace Security { +namespace AccessToken { +class SecCompUsageObserver : public ApplicationStateObserverStub { +public: + SecCompUsageObserver() = default; + ~SecCompUsageObserver() = default; + + void OnProcessDied(const ProcessData &processData) override; + void OnProcessStateChanged(const ProcessData &processData) override; + void OnAppCacheStateChanged(const AppStateData &appStateData) override; + DISALLOW_COPY_AND_MOVE(SecCompUsageObserver); +}; + +class SecCompAppManagerDeathCallback : public AppManagerDeathCallback { +public: + SecCompAppManagerDeathCallback() = default; + ~SecCompAppManagerDeathCallback() = default; + + void NotifyAppManagerDeath() override; + DISALLOW_COPY_AND_MOVE(SecCompAppManagerDeathCallback); +}; + +class SecCompMonitor final { +public: + static SecCompMonitor& GetInstance(); + ~SecCompMonitor(); + + void RemoveProcessFromForegroundList(int32_t pid); + bool IsToastShownNeeded(int32_t pid); + void OnAppMgrRemoteDiedHandle(); + +private: + SecCompMonitor(); + void InitAppObserver(); + DISALLOW_COPY_AND_MOVE(SecCompMonitor); + sptr observer_ = nullptr; + std::shared_ptr appManagerDeathCallback_ = nullptr; + std::mutex appfgLock_; + std::set appsInForeground_; +}; +} // namespace AccessToken +} // namespace Security +} // namespace OHOS +#endif // PERMISSION_SEC_COMP_MONITOR_H diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h index f1f6796d1..cd14e79d9 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h @@ -102,6 +102,7 @@ public: int32_t UpdateSecCompEnhance(int32_t pid, uint32_t seqNum) override; int32_t GetSecCompEnhance(int32_t pid, SecCompEnhanceDataParcel& enhanceParcel) override; #endif + int32_t IsToastShownNeeded(int32_t pid, bool& needToShow) override; #ifdef TOKEN_SYNC_ENABLE int GetHapTokenInfoFromRemote(AccessTokenID tokenID, HapTokenInfoForSyncParcel& hapSyncParcel) override; @@ -156,9 +157,7 @@ private: bool IsNativeProcessCalling(); bool IsSystemAppCalling() const; bool IsShellProcessCalling(); -#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE bool IsSecCompServiceCalling(); -#endif #ifndef ATM_BUILD_VARIANT_USER_ENABLE static const int32_t ROOT_UID = 0; #endif diff --git a/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_enhance_agent.cpp b/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_enhance_agent.cpp index 79da6223b..5359bc3b4 100644 --- a/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_enhance_agent.cpp +++ b/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_enhance_agent.cpp @@ -29,19 +29,6 @@ namespace AccessToken { namespace { std::recursive_mutex g_instanceMutex; } -void AppUsingSecCompStateObserver::OnProcessDied(const ProcessData &processData) -{ - LOGI(ATM_DOMAIN, ATM_TAG, "OnProcessDied pid %{public}d", processData.pid); - SecCompEnhanceAgent::GetInstance().RemoveSecCompEnhance(processData.pid); -} - -void SecCompAppManagerDeathCallback::NotifyAppManagerDeath() -{ - LOGI(ATM_DOMAIN, ATM_TAG, "AppManagerDeath called"); - - SecCompEnhanceAgent::GetInstance().OnAppMgrRemoteDiedHandle(); -} - SecCompEnhanceAgent& SecCompEnhanceAgent::GetInstance() { static SecCompEnhanceAgent* instance = nullptr; @@ -60,7 +47,7 @@ void SecCompEnhanceAgent::InitAppObserver() if (observer_ != nullptr) { return; } - observer_ = new (std::nothrow) AppUsingSecCompStateObserver(); + observer_ = new (std::nothrow) SecCompUsageObserver(); if (observer_ == nullptr) { LOGE(ATM_DOMAIN, ATM_TAG, "New observer failed."); return; diff --git a/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp b/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp new file mode 100644 index 000000000..1248b5f9b --- /dev/null +++ b/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp @@ -0,0 +1,156 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "sec_comp_monitor.h" + +#include "access_token.h" +#include "access_token_error.h" +#include "accesstoken_kit.h" +#include "accesstoken_common_log.h" +#include "accesstoken_info_manager.h" +#include "app_manager_access_client.h" +#include "ipc_skeleton.h" +#include "securec.h" +#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE +#include "sec_comp_enhance_agent.h" +#endif + +namespace OHOS { +namespace Security { +namespace AccessToken { +namespace { +static std::mutex g_instanceMutex; +constexpr int32_t APP_STATE_CACHED = 100; +} +void SecCompUsageObserver::OnProcessDied(const ProcessData &processData) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "OnProcessDied pid %{public}d", processData.pid); +#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE + SecCompEnhanceAgent::GetInstance().RemoveSecCompEnhance(processData.pid); +#endif + SecCompMonitor::GetInstance().RemoveProcessFromForegroundList(processData.pid); +} + +void SecCompUsageObserver::OnProcessStateChanged(const ProcessData &processData) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "OnChange pid=%{public}d.", processData.pid); + + if (processData.state != AppProcessState::APP_STATE_BACKGROUND) { + return; + } + SecCompMonitor::GetInstance().RemoveProcessFromForegroundList(processData.pid); +} + +void SecCompUsageObserver::OnAppCacheStateChanged(const AppStateData &appStateData) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "OnAppCacheStateChanged pid %{public}d", appStateData.pid); + if (appStateData.state != APP_STATE_CACHED) { + return; + } + + SecCompMonitor::GetInstance().RemoveProcessFromForegroundList(appStateData.pid); +} + +void SecCompAppManagerDeathCallback::NotifyAppManagerDeath() +{ + LOGI(ATM_DOMAIN, ATM_TAG, "AppManagerDeath called"); + +#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE + SecCompEnhanceAgent::GetInstance().OnAppMgrRemoteDiedHandle(); +#endif + SecCompMonitor::GetInstance().OnAppMgrRemoteDiedHandle(); +} + +bool SecCompMonitor::IsToastShownNeeded(int32_t pid) +{ + std::lock_guard lock(appfgLock_); + InitAppObserver(); + auto iter = appsInForeground_.find(pid); + if (iter != appsInForeground_.end()) { + return false; + } + + appsInForeground_.insert(pid); + return true; +} + +void SecCompMonitor::RemoveProcessFromForegroundList(int32_t pid) +{ + std::lock_guard lock(appfgLock_); + auto iter = appsInForeground_.find(pid); + if (iter == appsInForeground_.end()) { + return; + } + LOGI(ATM_DOMAIN, ATM_TAG, "Process pid=%{public}d removed from foreground list.", pid); + appsInForeground_.erase(pid); +} + +SecCompMonitor& SecCompMonitor::GetInstance() +{ + static SecCompMonitor* instance = nullptr; + if (instance == nullptr) { + std::lock_guard lock(g_instanceMutex); + if (instance == nullptr) { + SecCompMonitor* tmp = new SecCompMonitor(); + instance = std::move(tmp); + } + } + return *instance; +} + +void SecCompMonitor::InitAppObserver() +{ + if (observer_ != nullptr) { + return; + } + observer_ = new (std::nothrow) SecCompUsageObserver(); + if (observer_ == nullptr) { + LOGE(ATM_DOMAIN, ATM_TAG, "New observer failed."); + return; + } + if (AppManagerAccessClient::GetInstance().RegisterApplicationStateObserver(observer_) != 0) { + LOGE(ATM_DOMAIN, ATM_TAG, "Register observer failed."); + observer_ = nullptr; + return; + } + if (appManagerDeathCallback_ == nullptr) { + appManagerDeathCallback_ = std::make_shared(); + AppManagerAccessClient::GetInstance().RegisterDeathCallback(appManagerDeathCallback_); + } +} + +SecCompMonitor::SecCompMonitor() +{ + InitAppObserver(); +} + +SecCompMonitor::~SecCompMonitor() +{ + if (observer_ != nullptr) { + AppManagerAccessClient::GetInstance().UnregisterApplicationStateObserver(observer_); + observer_ = nullptr; + } +} + +void SecCompMonitor::OnAppMgrRemoteDiedHandle() +{ + LOGI(ATM_DOMAIN, ATM_TAG, "OnAppMgrRemoteDiedHandle."); + if (observer_ != nullptr) { + AppManagerAccessClient::GetInstance().UnregisterApplicationStateObserver(observer_); + observer_ = nullptr; + } +} +} // namespace AccessToken +} // namespace Security +} // namespace OHOS diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp index 02262ad1d..e9d93c5e3 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp @@ -45,6 +45,7 @@ #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE #include "sec_comp_enhance_agent.h" #endif +#include "sec_comp_monitor.h" #include "short_grant_manager.h" #include "string_ex.h" #include "system_ability_definition.h" @@ -1449,7 +1450,6 @@ bool AccessTokenManagerService::IsSystemAppCalling() const return TokenIdKit::IsSystemAppByFullTokenID(fullTokenId); } -#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE bool AccessTokenManagerService::IsSecCompServiceCalling() { uint32_t tokenCaller = IPCSkeleton::GetCallingTokenID(); @@ -1458,7 +1458,6 @@ bool AccessTokenManagerService::IsSecCompServiceCalling() } return tokenCaller == secCompTokenId_; } -#endif int32_t AccessTokenManagerService::CallbackEnter(uint32_t code) { @@ -1513,6 +1512,16 @@ int32_t AccessTokenManagerService::GetSecCompEnhance(int32_t pid, SecCompEnhance return RET_SUCCESS; } #endif + +int32_t AccessTokenManagerService::IsToastShownNeeded(int32_t pid, bool& needToShow) +{ + if (!IsSecCompServiceCalling()) { + return AccessTokenError::ERR_PERMISSION_DENIED; + } + + needToShow = SecCompMonitor::GetInstance().IsToastShownNeeded(pid); + return RET_SUCCESS; +} } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/services/accesstokenmanager/test/coverage/BUILD.gn b/services/accesstokenmanager/test/coverage/BUILD.gn index ecc13840b..2b5141008 100644 --- a/services/accesstokenmanager/test/coverage/BUILD.gn +++ b/services/accesstokenmanager/test/coverage/BUILD.gn @@ -35,6 +35,7 @@ accesstoken_manager_service_source = [ "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/short_grant_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp", + "${access_token_path}/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp", @@ -75,6 +76,7 @@ ohos_unittest("libaccesstoken_manager_service_coverage_test") { "${access_token_path}/services/accesstokenmanager/main/cpp/include/dfx", "${access_token_path}/services/accesstokenmanager/main/cpp/include/form_manager", "${access_token_path}/services/accesstokenmanager/main/cpp/include/permission", + "${access_token_path}/services/accesstokenmanager/main/cpp/include/seccomp", "${access_token_path}/services/accesstokenmanager/main/cpp/include/service", "${access_token_path}/services/accesstokenmanager/main/cpp/include/token", ] diff --git a/services/accesstokenmanager/test/mock/BUILD.gn b/services/accesstokenmanager/test/mock/BUILD.gn index 4accc53c0..424c963fb 100644 --- a/services/accesstokenmanager/test/mock/BUILD.gn +++ b/services/accesstokenmanager/test/mock/BUILD.gn @@ -35,6 +35,7 @@ accesstoken_manager_service_source = [ "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/short_grant_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp", + "${access_token_path}/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp", @@ -75,6 +76,7 @@ ohos_unittest("libpermission_manager_mock_test") { "${access_token_path}/services/accesstokenmanager/main/cpp/include/dfx", "${access_token_path}/services/accesstokenmanager/main/cpp/include/form_manager", "${access_token_path}/services/accesstokenmanager/main/cpp/include/permission", + "${access_token_path}/services/accesstokenmanager/main/cpp/include/seccomp", "${access_token_path}/services/accesstokenmanager/main/cpp/include/service", "${access_token_path}/services/accesstokenmanager/main/cpp/include/token", ] diff --git a/services/accesstokenmanager/test/unittest/BUILD.gn b/services/accesstokenmanager/test/unittest/BUILD.gn index 1074f025e..c5eb71583 100644 --- a/services/accesstokenmanager/test/unittest/BUILD.gn +++ b/services/accesstokenmanager/test/unittest/BUILD.gn @@ -35,6 +35,7 @@ accesstoken_manager_service_source = [ "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/short_grant_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp", + "${access_token_path}/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp", @@ -75,6 +76,7 @@ ohos_unittest("libaccesstoken_manager_service_standard_test") { "${access_token_path}/services/accesstokenmanager/main/cpp/include/dfx", "${access_token_path}/services/accesstokenmanager/main/cpp/include/form_manager", "${access_token_path}/services/accesstokenmanager/main/cpp/include/permission", + "${access_token_path}/services/accesstokenmanager/main/cpp/include/seccomp", "${access_token_path}/services/accesstokenmanager/main/cpp/include/service", "${access_token_path}/services/accesstokenmanager/main/cpp/include/token", "${access_token_path}/services/accesstokenmanager/test/unittest", @@ -89,6 +91,7 @@ ohos_unittest("libaccesstoken_manager_service_standard_test") { "parameters.cpp", "permission_grant_event_test.cpp", "permission_manager_test.cpp", + "sec_comp_monitor_test.cpp", "short_grant_manager_test.cpp", ] diff --git a/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.cpp b/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.cpp new file mode 100644 index 000000000..79f75db14 --- /dev/null +++ b/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.cpp @@ -0,0 +1,86 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "sec_comp_monitor_test.h" + +using namespace testing::ext; +using namespace OHOS; + +namespace OHOS { +namespace Security { +namespace AccessToken { +namespace { +constexpr int32_t APP_STATE_CACHED = 100; +} + +void SecCompMonitorTest::SetUpTestCase() +{ +} + +void SecCompMonitorTest::TearDownTestCase() +{ + sleep(3); // delay 3 minutes +} + +void SecCompMonitorTest::SetUp() +{ + if (appStateObserver_ != nullptr) { + return; + } + appStateObserver_ = std::make_shared(); +} + +void SecCompMonitorTest::TearDown() +{ + appStateObserver_ = nullptr; +} + +/** + * @tc.name: ProcessFromForegroundList001 + * @tc.desc: Monitor foreground list for process after process state changed + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SecCompMonitorTest, ProcessFromForegroundList001, TestSize.Level0) +{ + EXPECT_EQ(true, SecCompMonitor::GetInstance().IsToastShownNeeded(10)); + EXPECT_EQ(false, SecCompMonitor::GetInstance().IsToastShownNeeded(10)); + ASSERT_NE(nullptr, appStateObserver_); + EXPECT_EQ(1, SecCompMonitor::GetInstance().appsInForeground_.size()); + ProcessData processData; + processData.state = AppProcessState::APP_STATE_BACKGROUND; + processData.pid = 10; + // change to background + appStateObserver_->OnProcessStateChanged(processData); + EXPECT_EQ(0, SecCompMonitor::GetInstance().appsInForeground_.size()); + + EXPECT_EQ(true, SecCompMonitor::GetInstance().IsToastShownNeeded(10)); + EXPECT_EQ(1, SecCompMonitor::GetInstance().appsInForeground_.size()); + // change to die + appStateObserver_->OnProcessDied(processData); + EXPECT_EQ(0, SecCompMonitor::GetInstance().appsInForeground_.size()); + + EXPECT_EQ(true, SecCompMonitor::GetInstance().IsToastShownNeeded(10)); + EXPECT_EQ(1, SecCompMonitor::GetInstance().appsInForeground_.size()); + AppStateData appStateData; + appStateData.state = APP_STATE_CACHED; + appStateData.pid = 10; + // change to background + appStateObserver_->OnAppCacheStateChanged(appStateData); + EXPECT_EQ(0, SecCompMonitor::GetInstance().appsInForeground_.size()); +} +} // namespace AccessToken +} // namespace Security +} // namespace OHOS diff --git a/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.h b/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.h new file mode 100644 index 000000000..11bd071dd --- /dev/null +++ b/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.h @@ -0,0 +1,43 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef SEC_COMP_MONITOR_TEST_H +#define SEC_COMP_MONITOR_TEST_H + +#include + +#define private public +#include "sec_comp_monitor.h" +#undef private + +namespace OHOS { +namespace Security { +namespace AccessToken { +class SecCompMonitorTest : public testing::Test { +public: + static void SetUpTestCase(); + + static void TearDownTestCase(); + + void SetUp(); + + void TearDown(); + + std::shared_ptr appStateObserver_ = nullptr; +}; +} // namespace AccessToken +} // namespace Security +} // namespace OHOS +#endif // SEC_COMP_MONITOR_TEST_H diff --git a/services/privacymanager/include/service/privacy_manager_service.h b/services/privacymanager/include/service/privacy_manager_service.h index 9cd117d47..73ed0238d 100644 --- a/services/privacymanager/include/service/privacy_manager_service.h +++ b/services/privacymanager/include/service/privacy_manager_service.h @@ -72,9 +72,6 @@ private: void ProcessProxyDeathStub(const sptr& anonyStub, int32_t callerPid); void ReleaseDeathStub(int32_t callerPid); -#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE - bool IsSecCompServiceCalling(); -#endif bool IsPrivilegedCalling() const; bool IsAccessTokenCalling() const; bool IsSystemAppCalling() const; diff --git a/test/fuzztest/innerkits/accesstoken/BUILD.gn b/test/fuzztest/innerkits/accesstoken/BUILD.gn index 646d954f9..e7e49c309 100644 --- a/test/fuzztest/innerkits/accesstoken/BUILD.gn +++ b/test/fuzztest/innerkits/accesstoken/BUILD.gn @@ -47,6 +47,7 @@ group("fuzztest") { "grantpermission_fuzzer:GrantPermissionFuzzTest", "grantpermissionforspecifiedtime_fuzzer:GrantPermissionForSpecifiedTimeFuzzTest", "inithaptoken_fuzzer:InitHapTokenFuzzTest", + "istoastshownneeded_fuzzer:IsToastShownNeededFuzzTest", "registerpermstatechangecallback_fuzzer:RegisterPermStateChangeCallbackFuzzTest", "requestapppermonsetting_fuzzer:RequestAppPermOnSettingFuzzTest", "revokeusergrantedpermission_fuzzer:RevokeUserGrantedPermissionFuzzTest", diff --git a/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/BUILD.gn b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/BUILD.gn new file mode 100644 index 000000000..57774825a --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/BUILD.gn @@ -0,0 +1,44 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//build/config/features.gni") +import("//build/test.gni") +import("../../../../../access_token.gni") + +ohos_fuzztest("IsToastShownNeededFuzzTest") { + module_out_path = module_output_path_interface_access_token + fuzz_config_file = "." + include_dirs = [ + "${access_token_path}/interfaces/innerkits/accesstoken/include", + "${access_token_path}/test/fuzztest/common", + ] + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + sources = [ "istoastshownneeded_fuzzer.cpp" ] + + deps = [ + "${access_token_path}/interfaces/innerkits/accesstoken:libaccesstoken_sdk", + ] + + configs = [ "${access_token_path}/config:coverage_flags" ] + + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + "ipc:ipc_core", + ] +} diff --git a/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/corpus/init b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/corpus/init new file mode 100644 index 000000000..2aea1356e --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/corpus/init @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FUZZ diff --git a/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.cpp b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.cpp new file mode 100644 index 000000000..5dd6fa856 --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.cpp @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "istoastshownneeded_fuzzer.h" + +#include +#include +#include +#include + +#include "accesstoken_fuzzdata.h" +#undef private +#include "accesstoken_kit.h" + +using namespace std; +using namespace OHOS::Security::AccessToken; + +namespace OHOS { + bool IsToastShownNeededFuzzTest(const uint8_t* data, size_t size) + { + if ((data == nullptr) || (size == 0)) { + return false; + } + + AccessTokenFuzzData fuzzData(data, size); + + return AccessTokenKit::IsToastShownNeeded(fuzzData.GetData()); + } +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + /* Run your code on data */ + OHOS::IsToastShownNeededFuzzTest(data, size); + return 0; +} diff --git a/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.h b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.h new file mode 100644 index 000000000..f17b40fc9 --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef TEST_FUZZTEST_ISTOASTSHOWNNEEDED_FUZZER_H +#define TEST_FUZZTEST_ISTOASTSHOWNNEEDED_FUZZER_H + +#define FUZZ_PROJECT_NAME "istoastshownneeded_fuzzer" + +#endif // TEST_FUZZTEST_ISTOASTSHOWNNEEDED_FUZZER_H diff --git a/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/project.xml b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/project.xml new file mode 100644 index 000000000..66e1dcac4 --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 300 + + 4096 + + diff --git a/test/fuzztest/services/accesstoken/access_token_service_fuzz.gni b/test/fuzztest/services/accesstoken/access_token_service_fuzz.gni index 37402c406..9e61ae9cc 100644 --- a/test/fuzztest/services/accesstoken/access_token_service_fuzz.gni +++ b/test/fuzztest/services/accesstoken/access_token_service_fuzz.gni @@ -103,6 +103,7 @@ access_token_sources = [ "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/short_grant_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp", + "${access_token_path}/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp", -- Gitee