diff --git a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h index 45f95f878744bbaa3b7791f0560cb2df94268a16..9639501e1ebb44418a1e6ff9947062fcdd78f75e 100644 --- a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h +++ b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h @@ -545,13 +545,18 @@ public: */ static int32_t GetSecCompEnhance(int32_t pid, SecCompEnhanceData& enhance); #endif - /** * Whether it is a atomic service * @param tokenId token id. * @return bool */ static bool IsAtomicServiceByFullTokenID(uint64_t tokenId); + /** + * @brief whether the process need to show the toast + * @param pid process id + * @return bool + */ + static bool IsToastShownNeeded(int32_t pid); }; } // namespace AccessToken } // namespace Security diff --git a/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map b/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map index fbf53530a90b01d73c8ce96691011da55f5f151c..6ff38a5da5aed2fd3de6f31fd16b7041628abb1c 100644 --- a/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map +++ b/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map @@ -85,6 +85,7 @@ "OHOS::Security::AccessToken::AccessTokenKit::RegisterSecCompEnhance(OHOS::Security::AccessToken::SecCompEnhanceData const&)"; "OHOS::Security::AccessToken::AccessTokenKit::UpdateSecCompEnhance(int, unsigned int)"; "OHOS::Security::AccessToken::AccessTokenKit::GetSecCompEnhance(int, OHOS::Security::AccessToken::SecCompEnhanceData&)"; + "OHOS::Security::AccessToken::AccessTokenKit::IsToastShownNeeded(int)"; "OHOS::Security::AccessToken::AccessTokenKit::GetKernelPermissions(unsigned int, std::__h::vector>&)"; "OHOS::Security::AccessToken::AccessTokenKit::GetSelfPermissionStatus(std::__h::basic_string, std::__h::allocator> const&, OHOS::Security::AccessToken::TypePermissionOper&)"; OHOS::Security::AccessToken::AccessTokenKit::IsSystemAppByFullTokenID*; diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp index 5668cb06b595f4f6be6a3bf34861258618547e3c..9d06a4e0f5d02b3902c1f72dce8c4375757ced20 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp +++ b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp @@ -851,12 +851,15 @@ int32_t AccessTokenKit::GetSecCompEnhance(int32_t pid, SecCompEnhanceData& enhan return AccessTokenManagerClient::GetInstance().GetSecCompEnhance(pid, enhance); } #endif - bool AccessTokenKit::IsAtomicServiceByFullTokenID(uint64_t tokenId) { LOGI(ATM_DOMAIN, ATM_TAG, "Called, tokenId=%{public}" PRId64, tokenId); return (tokenId & ATOMIC_SERVICE_MASK) == ATOMIC_SERVICE_MASK; } +bool AccessTokenKit::IsToastShownNeeded(int32_t pid) +{ + return AccessTokenManagerClient::GetInstance().IsToastShownNeeded(pid); +} } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp index 1092c26af13c21e2f908d36a3d3abc1be5e25fff..6847c7a67bfe9207ef6f1ef4512447e1a29c159b 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp @@ -1244,6 +1244,25 @@ int32_t AccessTokenManagerClient::GetSecCompEnhance(int32_t pid, SecCompEnhanceD return RET_SUCCESS; } #endif + +bool AccessTokenManagerClient::IsToastShownNeeded(int32_t pid) +{ + auto proxy = GetProxy(); + if (proxy == nullptr) { + LOGE(ATM_DOMAIN, ATM_TAG, "Proxy is null."); + return true; + } + + bool needToShow; + int32_t errCode = proxy->IsToastShownNeeded(pid, needToShow); + if (errCode != RET_SUCCESS) { + errCode = ConvertResult(errCode); + LOGE(ATM_DOMAIN, ATM_TAG, "Request fail, result: %{public}d", errCode); + return true; + } + + return needToShow; +} } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h index 021dfcd4ec53d2a3426a07cf4dba7e44f6033ea3..64ddbd8c6a16808dedec68ed6e835ae208a581b0 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h @@ -118,6 +118,7 @@ public: int32_t UpdateSecCompEnhance(int32_t pid, uint32_t seqNum); int32_t GetSecCompEnhance(int32_t pid, SecCompEnhanceData& enhance); #endif // SECURITY_COMPONENT_ENHANCE_ENABLE + bool IsToastShownNeeded(int32_t pid); private: AccessTokenManagerClient(); diff --git a/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp index 2cfd58c352c40ec242d155b7c7d6eec3bda169d1..6dd48a605547dee41d8e641b73477e51a857684e 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp @@ -568,6 +568,20 @@ HWTEST_F(SecurityComponentGrantTest, SecurityComponentGrantTest011, TestSize.Lev ASSERT_EQ(res, RET_SUCCESS); } +/** + * @tc.name: IsToastShownNeededTest001 + * @tc.desc: test whether the security component need to show the toast. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(SecurityComponentGrantTest, IsToastShownNeededTest001, TestSize.Level0) +{ + int32_t pid = 10; + MockNativeToken mock("security_component_service"); + EXPECT_EQ(true, AccessTokenKit::IsToastShownNeeded(pid)); + EXPECT_EQ(false, AccessTokenKit::IsToastShownNeeded(pid)); +} + #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE /** * @tc.name: RegisterSecCompEnhance001 diff --git a/services/accesstokenmanager/BUILD.gn b/services/accesstokenmanager/BUILD.gn index 6a9884450782d6fdb256ad026ba3b1cba059cd40..334112d183e98301962f6c8563c974ed54045167 100644 --- a/services/accesstokenmanager/BUILD.gn +++ b/services/accesstokenmanager/BUILD.gn @@ -61,6 +61,7 @@ if (is_standard_system) { "main/cpp/include/callback", "main/cpp/include/database", "main/cpp/include/dfx", + "main/cpp/include/seccomp", "main/cpp/include/service", "main/cpp/include/form_manager", "main/cpp/include/token", @@ -90,6 +91,7 @@ if (is_standard_system) { "main/cpp/src/permission/permission_validator.cpp", "main/cpp/src/permission/short_grant_manager.cpp", "main/cpp/src/permission/temp_permission_observer.cpp", + "main/cpp/src/seccomp/sec_comp_monitor.cpp", "main/cpp/src/service/accesstoken_manager_service.cpp", "main/cpp/src/token/accesstoken_id_manager.cpp", "main/cpp/src/token/accesstoken_info_manager.cpp", @@ -196,7 +198,6 @@ if (is_standard_system) { if (security_component_enhance_enable == true) { cflags_cc += [ "-DSECURITY_COMPONENT_ENHANCE_ENABLE" ] - include_dirs += [ "main/cpp/include/seccomp" ] sources += [ "main/cpp/src/seccomp/sec_comp_enhance_agent.cpp" ] } diff --git a/services/accesstokenmanager/idl/IAccessTokenManager.idl b/services/accesstokenmanager/idl/IAccessTokenManager.idl index c72dfa48efae0a73c56e863265026af8df5de4d5..d2e29972a12e25d344b48edda5728372d198a3eb 100644 --- a/services/accesstokenmanager/idl/IAccessTokenManager.idl +++ b/services/accesstokenmanager/idl/IAccessTokenManager.idl @@ -90,5 +90,6 @@ interface OHOS.Security.AccessToken.IAccessTokenManager{ [ipccode 81] void GetSelfPermissionStatus([in] String permissionName, [out] int status); [ipccode 101, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE, oneway] void RegisterSecCompEnhance([in] SecCompEnhanceDataParcel enhanceParcel); [ipccode 102, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE] void UpdateSecCompEnhance([in] int pid, [in] unsigned int seqNum); - [ipccode 103, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE] void GetSecCompEnhance([in] int pid, [out] SecCompEnhanceDataParcel enhanceParcel); -} \ No newline at end of file + [ipccode 103, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE] void GetSecCompEnhance([in] int pid, [out] SecCompEnhanceDataParcel enhanceParcel); + [ipccode 104] void IsToastShownNeeded([in] int pid, [out] boolean needToShow); +} diff --git a/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_enhance_agent.h b/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_enhance_agent.h index 0efe7b07779a32ac0e23a5d808a0672ca1a95d5d..099be0afd8e9cafd4ddf916a178f71eeaf0c30cd 100644 --- a/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_enhance_agent.h +++ b/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_enhance_agent.h @@ -21,28 +21,12 @@ #include "app_status_change_callback.h" #include "nocopyable.h" #include "sec_comp_enhance_data.h" +#include "sec_comp_monitor.h" namespace OHOS { namespace Security { namespace AccessToken { -class AppUsingSecCompStateObserver : public ApplicationStateObserverStub { -public: - AppUsingSecCompStateObserver() = default; - ~AppUsingSecCompStateObserver() = default; - - void OnProcessDied(const ProcessData &processData) override; - DISALLOW_COPY_AND_MOVE(AppUsingSecCompStateObserver); -}; - -class SecCompAppManagerDeathCallback : public AppManagerDeathCallback { -public: - SecCompAppManagerDeathCallback() = default; - ~SecCompAppManagerDeathCallback() = default; - - void NotifyAppManagerDeath() override; - DISALLOW_COPY_AND_MOVE(SecCompAppManagerDeathCallback); -}; - +#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE class SecCompEnhanceAgent final { public: static SecCompEnhanceAgent& GetInstance(); @@ -60,11 +44,12 @@ private: DISALLOW_COPY_AND_MOVE(SecCompEnhanceAgent); private: - sptr observer_ = nullptr; + sptr observer_ = nullptr; std::shared_ptr appManagerDeathCallback_ = nullptr; std::mutex secCompEnhanceMutex_; std::vector secCompEnhanceData_; }; +#endif } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_monitor.h b/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_monitor.h new file mode 100644 index 0000000000000000000000000000000000000000..5cd28ce653282655d542de5b188a5de44303a5eb --- /dev/null +++ b/services/accesstokenmanager/main/cpp/include/seccomp/sec_comp_monitor.h @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef PERMISSION_SEC_COMP_MONITOR_H +#define PERMISSION_SEC_COMP_MONITOR_H + +#include +#include +#include +#include "app_manager_death_callback.h" +#include "app_status_change_callback.h" +#include "nocopyable.h" + +namespace OHOS { +namespace Security { +namespace AccessToken { +class SecCompUsageObserver : public ApplicationStateObserverStub { +public: + SecCompUsageObserver() = default; + ~SecCompUsageObserver() = default; + + void OnProcessDied(const ProcessData &processData) override; + void OnProcessStateChanged(const ProcessData &processData) override; + void OnAppCacheStateChanged(const AppStateData &appStateData) override; + DISALLOW_COPY_AND_MOVE(SecCompUsageObserver); +}; + +class SecCompAppManagerDeathCallback : public AppManagerDeathCallback { +public: + SecCompAppManagerDeathCallback() = default; + ~SecCompAppManagerDeathCallback() = default; + + void NotifyAppManagerDeath() override; + DISALLOW_COPY_AND_MOVE(SecCompAppManagerDeathCallback); +}; + +class SecCompMonitor final { +public: + static SecCompMonitor& GetInstance(); + ~SecCompMonitor(); + + void RemoveProcessFromForegroundList(int32_t pid); + bool IsToastShownNeeded(int32_t pid); + void OnAppMgrRemoteDiedHandle(); + +private: + SecCompMonitor(); + void InitAppObserver(); + DISALLOW_COPY_AND_MOVE(SecCompMonitor); + sptr observer_ = nullptr; + std::shared_ptr appManagerDeathCallback_ = nullptr; + std::mutex appfgLock_; + std::set appsInForeground_; +}; +} // namespace AccessToken +} // namespace Security +} // namespace OHOS +#endif // PERMISSION_SEC_COMP_MONITOR_H diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h index f1f6796d1e68f887eb291a69a3975321a343ba2c..cd14e79d9e081f69f42964e666345847615aa7b1 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h @@ -102,6 +102,7 @@ public: int32_t UpdateSecCompEnhance(int32_t pid, uint32_t seqNum) override; int32_t GetSecCompEnhance(int32_t pid, SecCompEnhanceDataParcel& enhanceParcel) override; #endif + int32_t IsToastShownNeeded(int32_t pid, bool& needToShow) override; #ifdef TOKEN_SYNC_ENABLE int GetHapTokenInfoFromRemote(AccessTokenID tokenID, HapTokenInfoForSyncParcel& hapSyncParcel) override; @@ -156,9 +157,7 @@ private: bool IsNativeProcessCalling(); bool IsSystemAppCalling() const; bool IsShellProcessCalling(); -#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE bool IsSecCompServiceCalling(); -#endif #ifndef ATM_BUILD_VARIANT_USER_ENABLE static const int32_t ROOT_UID = 0; #endif diff --git a/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_enhance_agent.cpp b/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_enhance_agent.cpp index 79da6223b8edc2cd5990c33f1070d8a66533695c..5359bc3b4f7b9ca54e8dd9a3f51000605cdb3243 100644 --- a/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_enhance_agent.cpp +++ b/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_enhance_agent.cpp @@ -29,19 +29,6 @@ namespace AccessToken { namespace { std::recursive_mutex g_instanceMutex; } -void AppUsingSecCompStateObserver::OnProcessDied(const ProcessData &processData) -{ - LOGI(ATM_DOMAIN, ATM_TAG, "OnProcessDied pid %{public}d", processData.pid); - SecCompEnhanceAgent::GetInstance().RemoveSecCompEnhance(processData.pid); -} - -void SecCompAppManagerDeathCallback::NotifyAppManagerDeath() -{ - LOGI(ATM_DOMAIN, ATM_TAG, "AppManagerDeath called"); - - SecCompEnhanceAgent::GetInstance().OnAppMgrRemoteDiedHandle(); -} - SecCompEnhanceAgent& SecCompEnhanceAgent::GetInstance() { static SecCompEnhanceAgent* instance = nullptr; @@ -60,7 +47,7 @@ void SecCompEnhanceAgent::InitAppObserver() if (observer_ != nullptr) { return; } - observer_ = new (std::nothrow) AppUsingSecCompStateObserver(); + observer_ = new (std::nothrow) SecCompUsageObserver(); if (observer_ == nullptr) { LOGE(ATM_DOMAIN, ATM_TAG, "New observer failed."); return; diff --git a/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp b/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp new file mode 100644 index 0000000000000000000000000000000000000000..1248b5f9b6b653ff2ec835548d50e04e125661ac --- /dev/null +++ b/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp @@ -0,0 +1,156 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "sec_comp_monitor.h" + +#include "access_token.h" +#include "access_token_error.h" +#include "accesstoken_kit.h" +#include "accesstoken_common_log.h" +#include "accesstoken_info_manager.h" +#include "app_manager_access_client.h" +#include "ipc_skeleton.h" +#include "securec.h" +#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE +#include "sec_comp_enhance_agent.h" +#endif + +namespace OHOS { +namespace Security { +namespace AccessToken { +namespace { +static std::mutex g_instanceMutex; +constexpr int32_t APP_STATE_CACHED = 100; +} +void SecCompUsageObserver::OnProcessDied(const ProcessData &processData) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "OnProcessDied pid %{public}d", processData.pid); +#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE + SecCompEnhanceAgent::GetInstance().RemoveSecCompEnhance(processData.pid); +#endif + SecCompMonitor::GetInstance().RemoveProcessFromForegroundList(processData.pid); +} + +void SecCompUsageObserver::OnProcessStateChanged(const ProcessData &processData) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "OnChange pid=%{public}d.", processData.pid); + + if (processData.state != AppProcessState::APP_STATE_BACKGROUND) { + return; + } + SecCompMonitor::GetInstance().RemoveProcessFromForegroundList(processData.pid); +} + +void SecCompUsageObserver::OnAppCacheStateChanged(const AppStateData &appStateData) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "OnAppCacheStateChanged pid %{public}d", appStateData.pid); + if (appStateData.state != APP_STATE_CACHED) { + return; + } + + SecCompMonitor::GetInstance().RemoveProcessFromForegroundList(appStateData.pid); +} + +void SecCompAppManagerDeathCallback::NotifyAppManagerDeath() +{ + LOGI(ATM_DOMAIN, ATM_TAG, "AppManagerDeath called"); + +#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE + SecCompEnhanceAgent::GetInstance().OnAppMgrRemoteDiedHandle(); +#endif + SecCompMonitor::GetInstance().OnAppMgrRemoteDiedHandle(); +} + +bool SecCompMonitor::IsToastShownNeeded(int32_t pid) +{ + std::lock_guard lock(appfgLock_); + InitAppObserver(); + auto iter = appsInForeground_.find(pid); + if (iter != appsInForeground_.end()) { + return false; + } + + appsInForeground_.insert(pid); + return true; +} + +void SecCompMonitor::RemoveProcessFromForegroundList(int32_t pid) +{ + std::lock_guard lock(appfgLock_); + auto iter = appsInForeground_.find(pid); + if (iter == appsInForeground_.end()) { + return; + } + LOGI(ATM_DOMAIN, ATM_TAG, "Process pid=%{public}d removed from foreground list.", pid); + appsInForeground_.erase(pid); +} + +SecCompMonitor& SecCompMonitor::GetInstance() +{ + static SecCompMonitor* instance = nullptr; + if (instance == nullptr) { + std::lock_guard lock(g_instanceMutex); + if (instance == nullptr) { + SecCompMonitor* tmp = new SecCompMonitor(); + instance = std::move(tmp); + } + } + return *instance; +} + +void SecCompMonitor::InitAppObserver() +{ + if (observer_ != nullptr) { + return; + } + observer_ = new (std::nothrow) SecCompUsageObserver(); + if (observer_ == nullptr) { + LOGE(ATM_DOMAIN, ATM_TAG, "New observer failed."); + return; + } + if (AppManagerAccessClient::GetInstance().RegisterApplicationStateObserver(observer_) != 0) { + LOGE(ATM_DOMAIN, ATM_TAG, "Register observer failed."); + observer_ = nullptr; + return; + } + if (appManagerDeathCallback_ == nullptr) { + appManagerDeathCallback_ = std::make_shared(); + AppManagerAccessClient::GetInstance().RegisterDeathCallback(appManagerDeathCallback_); + } +} + +SecCompMonitor::SecCompMonitor() +{ + InitAppObserver(); +} + +SecCompMonitor::~SecCompMonitor() +{ + if (observer_ != nullptr) { + AppManagerAccessClient::GetInstance().UnregisterApplicationStateObserver(observer_); + observer_ = nullptr; + } +} + +void SecCompMonitor::OnAppMgrRemoteDiedHandle() +{ + LOGI(ATM_DOMAIN, ATM_TAG, "OnAppMgrRemoteDiedHandle."); + if (observer_ != nullptr) { + AppManagerAccessClient::GetInstance().UnregisterApplicationStateObserver(observer_); + observer_ = nullptr; + } +} +} // namespace AccessToken +} // namespace Security +} // namespace OHOS diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp index 02262ad1d4f025833cf8b606144daeca74eb48eb..e9d93c5e31cba4e6f9480a8d651c4a4285f63222 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp @@ -45,6 +45,7 @@ #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE #include "sec_comp_enhance_agent.h" #endif +#include "sec_comp_monitor.h" #include "short_grant_manager.h" #include "string_ex.h" #include "system_ability_definition.h" @@ -1449,7 +1450,6 @@ bool AccessTokenManagerService::IsSystemAppCalling() const return TokenIdKit::IsSystemAppByFullTokenID(fullTokenId); } -#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE bool AccessTokenManagerService::IsSecCompServiceCalling() { uint32_t tokenCaller = IPCSkeleton::GetCallingTokenID(); @@ -1458,7 +1458,6 @@ bool AccessTokenManagerService::IsSecCompServiceCalling() } return tokenCaller == secCompTokenId_; } -#endif int32_t AccessTokenManagerService::CallbackEnter(uint32_t code) { @@ -1513,6 +1512,16 @@ int32_t AccessTokenManagerService::GetSecCompEnhance(int32_t pid, SecCompEnhance return RET_SUCCESS; } #endif + +int32_t AccessTokenManagerService::IsToastShownNeeded(int32_t pid, bool& needToShow) +{ + if (!IsSecCompServiceCalling()) { + return AccessTokenError::ERR_PERMISSION_DENIED; + } + + needToShow = SecCompMonitor::GetInstance().IsToastShownNeeded(pid); + return RET_SUCCESS; +} } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/services/accesstokenmanager/test/coverage/BUILD.gn b/services/accesstokenmanager/test/coverage/BUILD.gn index ee1706c8cf86a203564ef6d82167b9aef2d45a16..5b44be53412568d3f7edacc84b65f8a7d9c8fd60 100644 --- a/services/accesstokenmanager/test/coverage/BUILD.gn +++ b/services/accesstokenmanager/test/coverage/BUILD.gn @@ -35,6 +35,7 @@ accesstoken_manager_service_source = [ "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/short_grant_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp", + "${access_token_path}/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp", @@ -74,6 +75,7 @@ ohos_unittest("libaccesstoken_manager_service_coverage_test") { "${access_token_path}/services/accesstokenmanager/main/cpp/include/dfx", "${access_token_path}/services/accesstokenmanager/main/cpp/include/form_manager", "${access_token_path}/services/accesstokenmanager/main/cpp/include/permission", + "${access_token_path}/services/accesstokenmanager/main/cpp/include/seccomp", "${access_token_path}/services/accesstokenmanager/main/cpp/include/service", "${access_token_path}/services/accesstokenmanager/main/cpp/include/token", ] diff --git a/services/accesstokenmanager/test/mock/BUILD.gn b/services/accesstokenmanager/test/mock/BUILD.gn index f16162b70f88f0092babc808417b0611822cc6e9..ddff767fb0c08c17b725ba8ffcc8156da4e7025e 100644 --- a/services/accesstokenmanager/test/mock/BUILD.gn +++ b/services/accesstokenmanager/test/mock/BUILD.gn @@ -35,6 +35,7 @@ accesstoken_manager_service_source = [ "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/short_grant_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp", + "${access_token_path}/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp", @@ -74,6 +75,7 @@ ohos_unittest("libpermission_manager_mock_test") { "${access_token_path}/services/accesstokenmanager/main/cpp/include/dfx", "${access_token_path}/services/accesstokenmanager/main/cpp/include/form_manager", "${access_token_path}/services/accesstokenmanager/main/cpp/include/permission", + "${access_token_path}/services/accesstokenmanager/main/cpp/include/seccomp", "${access_token_path}/services/accesstokenmanager/main/cpp/include/service", "${access_token_path}/services/accesstokenmanager/main/cpp/include/token", ] diff --git a/services/accesstokenmanager/test/unittest/BUILD.gn b/services/accesstokenmanager/test/unittest/BUILD.gn index 6eef73f260cb764f529a28143d1def532a2493fb..8dd44e836552897796b3c7930a821f5095da2ff5 100644 --- a/services/accesstokenmanager/test/unittest/BUILD.gn +++ b/services/accesstokenmanager/test/unittest/BUILD.gn @@ -35,6 +35,7 @@ accesstoken_manager_service_source = [ "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/short_grant_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp", + "${access_token_path}/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp", @@ -74,6 +75,7 @@ ohos_unittest("libaccesstoken_manager_service_standard_test") { "${access_token_path}/services/accesstokenmanager/main/cpp/include/dfx", "${access_token_path}/services/accesstokenmanager/main/cpp/include/form_manager", "${access_token_path}/services/accesstokenmanager/main/cpp/include/permission", + "${access_token_path}/services/accesstokenmanager/main/cpp/include/seccomp", "${access_token_path}/services/accesstokenmanager/main/cpp/include/service", "${access_token_path}/services/accesstokenmanager/main/cpp/include/token", "${access_token_path}/services/accesstokenmanager/test/unittest", @@ -88,6 +90,7 @@ ohos_unittest("libaccesstoken_manager_service_standard_test") { "parameters.cpp", "permission_grant_event_test.cpp", "permission_manager_test.cpp", + "sec_comp_monitor_test.cpp", "short_grant_manager_test.cpp", ] diff --git a/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.cpp b/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.cpp new file mode 100644 index 0000000000000000000000000000000000000000..79f75db14442c450605f58dd9297445c9de6414f --- /dev/null +++ b/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.cpp @@ -0,0 +1,86 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "sec_comp_monitor_test.h" + +using namespace testing::ext; +using namespace OHOS; + +namespace OHOS { +namespace Security { +namespace AccessToken { +namespace { +constexpr int32_t APP_STATE_CACHED = 100; +} + +void SecCompMonitorTest::SetUpTestCase() +{ +} + +void SecCompMonitorTest::TearDownTestCase() +{ + sleep(3); // delay 3 minutes +} + +void SecCompMonitorTest::SetUp() +{ + if (appStateObserver_ != nullptr) { + return; + } + appStateObserver_ = std::make_shared(); +} + +void SecCompMonitorTest::TearDown() +{ + appStateObserver_ = nullptr; +} + +/** + * @tc.name: ProcessFromForegroundList001 + * @tc.desc: Monitor foreground list for process after process state changed + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(SecCompMonitorTest, ProcessFromForegroundList001, TestSize.Level0) +{ + EXPECT_EQ(true, SecCompMonitor::GetInstance().IsToastShownNeeded(10)); + EXPECT_EQ(false, SecCompMonitor::GetInstance().IsToastShownNeeded(10)); + ASSERT_NE(nullptr, appStateObserver_); + EXPECT_EQ(1, SecCompMonitor::GetInstance().appsInForeground_.size()); + ProcessData processData; + processData.state = AppProcessState::APP_STATE_BACKGROUND; + processData.pid = 10; + // change to background + appStateObserver_->OnProcessStateChanged(processData); + EXPECT_EQ(0, SecCompMonitor::GetInstance().appsInForeground_.size()); + + EXPECT_EQ(true, SecCompMonitor::GetInstance().IsToastShownNeeded(10)); + EXPECT_EQ(1, SecCompMonitor::GetInstance().appsInForeground_.size()); + // change to die + appStateObserver_->OnProcessDied(processData); + EXPECT_EQ(0, SecCompMonitor::GetInstance().appsInForeground_.size()); + + EXPECT_EQ(true, SecCompMonitor::GetInstance().IsToastShownNeeded(10)); + EXPECT_EQ(1, SecCompMonitor::GetInstance().appsInForeground_.size()); + AppStateData appStateData; + appStateData.state = APP_STATE_CACHED; + appStateData.pid = 10; + // change to background + appStateObserver_->OnAppCacheStateChanged(appStateData); + EXPECT_EQ(0, SecCompMonitor::GetInstance().appsInForeground_.size()); +} +} // namespace AccessToken +} // namespace Security +} // namespace OHOS diff --git a/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.h b/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.h new file mode 100644 index 0000000000000000000000000000000000000000..11bd071dd03a2f8cb194ed06e8a334d006cc9ecc --- /dev/null +++ b/services/accesstokenmanager/test/unittest/sec_comp_monitor_test.h @@ -0,0 +1,43 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef SEC_COMP_MONITOR_TEST_H +#define SEC_COMP_MONITOR_TEST_H + +#include + +#define private public +#include "sec_comp_monitor.h" +#undef private + +namespace OHOS { +namespace Security { +namespace AccessToken { +class SecCompMonitorTest : public testing::Test { +public: + static void SetUpTestCase(); + + static void TearDownTestCase(); + + void SetUp(); + + void TearDown(); + + std::shared_ptr appStateObserver_ = nullptr; +}; +} // namespace AccessToken +} // namespace Security +} // namespace OHOS +#endif // SEC_COMP_MONITOR_TEST_H diff --git a/services/privacymanager/include/service/privacy_manager_service.h b/services/privacymanager/include/service/privacy_manager_service.h index bb17b1a4cba3550fa36de9d59a0609ddac884582..7c4b2f6d3c256a056e282d6d2c1f0a1ba04b3ecc 100644 --- a/services/privacymanager/include/service/privacy_manager_service.h +++ b/services/privacymanager/include/service/privacy_manager_service.h @@ -72,9 +72,6 @@ private: void ProcessProxyDeathStub(const sptr& anonyStub, int32_t callerPid); void ReleaseDeathStub(int32_t callerPid); -#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE - bool IsSecCompServiceCalling(); -#endif bool IsPrivilegedCalling() const; bool IsAccessTokenCalling() const; bool IsSystemAppCalling() const; diff --git a/test/fuzztest/innerkits/accesstoken/BUILD.gn b/test/fuzztest/innerkits/accesstoken/BUILD.gn index 646d954f925a68649b290c889ca5cd64e5cc1896..e7e49c309e607e8177aadb5e37ccef43f44bdc5f 100644 --- a/test/fuzztest/innerkits/accesstoken/BUILD.gn +++ b/test/fuzztest/innerkits/accesstoken/BUILD.gn @@ -47,6 +47,7 @@ group("fuzztest") { "grantpermission_fuzzer:GrantPermissionFuzzTest", "grantpermissionforspecifiedtime_fuzzer:GrantPermissionForSpecifiedTimeFuzzTest", "inithaptoken_fuzzer:InitHapTokenFuzzTest", + "istoastshownneeded_fuzzer:IsToastShownNeededFuzzTest", "registerpermstatechangecallback_fuzzer:RegisterPermStateChangeCallbackFuzzTest", "requestapppermonsetting_fuzzer:RequestAppPermOnSettingFuzzTest", "revokeusergrantedpermission_fuzzer:RevokeUserGrantedPermissionFuzzTest", diff --git a/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/BUILD.gn b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..57774825a2179f4a7bd496742d9fd8c7ddab2a2f --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/BUILD.gn @@ -0,0 +1,44 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//build/config/features.gni") +import("//build/test.gni") +import("../../../../../access_token.gni") + +ohos_fuzztest("IsToastShownNeededFuzzTest") { + module_out_path = module_output_path_interface_access_token + fuzz_config_file = "." + include_dirs = [ + "${access_token_path}/interfaces/innerkits/accesstoken/include", + "${access_token_path}/test/fuzztest/common", + ] + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + sources = [ "istoastshownneeded_fuzzer.cpp" ] + + deps = [ + "${access_token_path}/interfaces/innerkits/accesstoken:libaccesstoken_sdk", + ] + + configs = [ "${access_token_path}/config:coverage_flags" ] + + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + "ipc:ipc_core", + ] +} diff --git a/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/corpus/init b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..2aea1356e3c3b3ee6e12ad3f72640897d769d02e --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/corpus/init @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FUZZ diff --git a/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.cpp b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..5dd6fa8565ce8e6358ff4d1665c163a618e3b3fb --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.cpp @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "istoastshownneeded_fuzzer.h" + +#include +#include +#include +#include + +#include "accesstoken_fuzzdata.h" +#undef private +#include "accesstoken_kit.h" + +using namespace std; +using namespace OHOS::Security::AccessToken; + +namespace OHOS { + bool IsToastShownNeededFuzzTest(const uint8_t* data, size_t size) + { + if ((data == nullptr) || (size == 0)) { + return false; + } + + AccessTokenFuzzData fuzzData(data, size); + + return AccessTokenKit::IsToastShownNeeded(fuzzData.GetData()); + } +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + /* Run your code on data */ + OHOS::IsToastShownNeededFuzzTest(data, size); + return 0; +} diff --git a/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.h b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.h new file mode 100644 index 0000000000000000000000000000000000000000..f17b40fc97a2449ce7a42d9a56b4d5f522b085a6 --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/istoastshownneeded_fuzzer.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef TEST_FUZZTEST_ISTOASTSHOWNNEEDED_FUZZER_H +#define TEST_FUZZTEST_ISTOASTSHOWNNEEDED_FUZZER_H + +#define FUZZ_PROJECT_NAME "istoastshownneeded_fuzzer" + +#endif // TEST_FUZZTEST_ISTOASTSHOWNNEEDED_FUZZER_H diff --git a/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/project.xml b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..66e1dcac475475fb101b6f8670ec699e6e9696aa --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/istoastshownneeded_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 300 + + 4096 + + diff --git a/test/fuzztest/services/accesstoken/access_token_service_fuzz.gni b/test/fuzztest/services/accesstoken/access_token_service_fuzz.gni index 37402c406d5e58e61791b9c0c46e222376ecf2e5..9e61ae9cc940cd1b11124b9a4e25af6a51715443 100644 --- a/test/fuzztest/services/accesstoken/access_token_service_fuzz.gni +++ b/test/fuzztest/services/accesstoken/access_token_service_fuzz.gni @@ -103,6 +103,7 @@ access_token_sources = [ "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/short_grant_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp", + "${access_token_path}/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_monitor.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp", "${access_token_path}/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp",