diff --git a/interfaces/innerkits/accesstoken/include/access_token.h b/interfaces/innerkits/accesstoken/include/access_token.h index ef3aab948606682cdfed85d5fccec0787b818f77..a56b4c16ff76ddb481fc9a1b9f73a428a685329a 100644 --- a/interfaces/innerkits/accesstoken/include/access_token.h +++ b/interfaces/innerkits/accesstoken/include/access_token.h @@ -43,6 +43,7 @@ typedef enum TypeATokenTypeEnum { TOKEN_INVALID = -1, TOKEN_HAP = 0, TOKEN_NATIVE, + TOKEN_SHELL, } ATokenTypeEnum; typedef enum TypeATokenAplEnum { diff --git a/interfaces/innerkits/nativetoken/include/nativetoken.h b/interfaces/innerkits/nativetoken/include/nativetoken.h index dc71d3888e53901c094f0b34747fc38c60d15294..0b663f5bfdf52a5a14e4594b6130abf1a5b49477 100644 --- a/interfaces/innerkits/nativetoken/include/nativetoken.h +++ b/interfaces/innerkits/nativetoken/include/nativetoken.h @@ -36,6 +36,7 @@ extern "C" { #define TOKEN_ID_CFG_FILE_PATH "/data/service/el0/access_token/nativetoken.json" #define TOKEN_ID_CFG_DIR_PATH "/data/service/el0/access_token" #define TOKEN_NATIVE_TYPE 1 +#define TOKEN_SHELL_TYPE 2 #define DEFAULT_AT_VERSION 1 #define TRANSFER_KEY_WORDS "NativeTokenInfo" #define MAX_JSON_FILE_LEN 102400 @@ -60,6 +61,7 @@ extern "C" { #define APL_KEY_NAME "APL" #define VERSION_KEY_NAME "version" #define PROCESS_KEY_NAME "processName" +#define HDC_PROCESS_NAME "hdcd" #define SYSTEM_CORE 3 #define SYSTEM_BASIC 2 diff --git a/interfaces/innerkits/nativetoken/src/nativetoken.c b/interfaces/innerkits/nativetoken/src/nativetoken.c index 89c507868d9fb5e91e4f2b019b5d75c573e3be74..f9a38dd922e728418242df6a1c06d11ff99e61f3 100644 --- a/interfaces/innerkits/nativetoken/src/nativetoken.c +++ b/interfaces/innerkits/nativetoken/src/nativetoken.c @@ -267,7 +267,7 @@ static int32_t IsTokenUniqueIdExist(uint32_t tokenUniqueId) return 0; } -static NativeAtId CreateNativeTokenId(void) +static NativeAtId CreateNativeTokenId(const char *processName) { uint32_t rand; NativeAtId tokenId; @@ -292,8 +292,14 @@ static NativeAtId CreateNativeTokenId(void) innerId->reserved = 0; innerId->tokenUniqueId = rand & (TOKEN_RANDOM_MASK); - innerId->type = TOKEN_NATIVE_TYPE; innerId->version = 1; + + if (strcmp(processName, HDC_PROCESS_NAME) == 0) { + innerId->type = TOKEN_SHELL_TYPE; + } else { + innerId->type = TOKEN_NATIVE_TYPE; + } + return tokenId; } @@ -455,7 +461,7 @@ static uint32_t AddNewTokenToListAndFile(const NativeTokenInfoParams *tokenInfo, NativeTokenList *tokenNode; NativeAtId id; - id = CreateNativeTokenId(); + id = CreateNativeTokenId(tokenInfo->processName); if (id == INVALID_TOKEN_ID) { return ATRET_FAILED; } diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h index 6bd9a3ec2a6e8fbf9aa3026dff4b477cd5eadf33..b8203a1fa5bb7f52558ded6105ffe5e24a6e2322 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h @@ -70,6 +70,7 @@ private: bool IsAuthorizedCalling() const; bool IsAccessTokenCalling() const; + bool IsNativeProcessCalling(); static const int32_t SYSTEM_UID = 1000; static const int32_t ROOT_UID = 0; static const int32_t ACCESSTOKEN_UID = 3020; diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 595f386a0ba0ba6999d0465b681d4acb4c140184..ee4d85897f628648e991361ecf425adecdcdc9a1 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp @@ -149,7 +149,7 @@ int PermissionManager::VerifyAccessToken(AccessTokenID tokenID, const std::strin } ATokenTypeEnum tokenType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID); - if (tokenType == TOKEN_NATIVE) { + if ((tokenType == TOKEN_NATIVE) || (tokenType == TOKEN_SHELL)) { return VerifyNativeAccessToken(tokenID, permissionName); } if (tokenType == TOKEN_HAP) { diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp index 8d621da61b8ad6fab150eb7a9707739dcad0c39c..646072a083e33ebe5188cadbc3f17924c8640853 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp @@ -230,8 +230,7 @@ void AccessTokenManagerStub::GetTokenTypeInner(MessageParcel& data, MessageParce void AccessTokenManagerStub::CheckNativeDCapInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -244,8 +243,7 @@ void AccessTokenManagerStub::CheckNativeDCapInner(MessageParcel& data, MessagePa void AccessTokenManagerStub::GetHapTokenIDInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -259,8 +257,7 @@ void AccessTokenManagerStub::GetHapTokenIDInner(MessageParcel& data, MessageParc void AccessTokenManagerStub::AllocLocalTokenIDInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((!IsAuthorizedCalling()) && (this->GetTokenType(tokenCaller) != TOKEN_NATIVE)) { + if ((!IsAuthorizedCalling()) && (!IsNativeProcessCalling())) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -292,8 +289,7 @@ void AccessTokenManagerStub::UpdateHapTokenInner(MessageParcel& data, MessagePar void AccessTokenManagerStub::GetHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((this->GetTokenType(tokenCaller) != TOKEN_NATIVE)) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -307,8 +303,7 @@ void AccessTokenManagerStub::GetHapTokenInfoInner(MessageParcel& data, MessagePa void AccessTokenManagerStub::GetNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -444,8 +439,7 @@ void AccessTokenManagerStub::DeleteRemoteDeviceTokensInner(MessageParcel& data, void AccessTokenManagerStub::DumpTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -468,6 +462,16 @@ bool AccessTokenManagerStub::IsAccessTokenCalling() const return callingUid == ACCESSTOKEN_UID; } +bool AccessTokenManagerStub::IsNativeProcessCalling() +{ + AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); + int32_t type = this->GetTokenType(tokenCaller); + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { + return false; + } + return true; +} + AccessTokenManagerStub::AccessTokenManagerStub() { requestFuncMap_[static_cast(IAccessTokenManager::InterfaceCode::VERIFY_ACCESSTOKEN)] = diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp index a4cabdbea818eda4c5c5400a67f69dd15ac3dd35..dba39aaff9a7092fa20c82dd9d520ef7b360ae42 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp @@ -123,7 +123,8 @@ void AccessTokenInfoManager::InitNativeTokenInfos() DataStorage::GetRealDataStorage().Find(DataStorage::ACCESSTOKEN_PERMISSION_STATE, permStateRes); for (GenericValues nativeTokenValue : nativeTokenResults) { AccessTokenID tokenId = (AccessTokenID)nativeTokenValue.GetInt(FIELD_TOKEN_ID); - int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, TOKEN_NATIVE); + ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenId); + int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, type); if (ret != RET_SUCCESS) { ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId %{public}u add failed.", tokenId); continue; @@ -341,7 +342,7 @@ int AccessTokenInfoManager::RemoveHapTokenInfo(AccessTokenID id) int AccessTokenInfoManager::RemoveNativeTokenInfo(AccessTokenID id) { ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id); - if (type != TOKEN_NATIVE) { + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR( LABEL, "token %{public}u is not hap.", id); return RET_FAILED; @@ -527,7 +528,8 @@ void AccessTokenInfoManager::ProcessNativeTokenInfos( "token %{public}u process name %{public}s is new, add to manager!", infoPtr->GetTokenID(), infoPtr->GetProcessName().c_str()); AccessTokenID id = infoPtr->GetTokenID(); - int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(id, TOKEN_NATIVE); + ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(id); + int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(id, type); if (ret != RET_SUCCESS) { ACCESSTOKEN_LOG_ERROR(LABEL, "token Id register fail"); continue; @@ -729,13 +731,13 @@ int AccessTokenInfoManager::SetRemoteNativeTokenInfo(const std::string& deviceID } for (NativeTokenInfoForSync& nativeToken : nativeTokenInfoList) { + ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(nativeToken.baseInfo.tokenID); if (!DataValidator::IsAplNumValid(nativeToken.baseInfo.apl) || nativeToken.baseInfo.ver != DEFAULT_TOKEN_VERSION || !DataValidator::IsProcessNameValid(nativeToken.baseInfo.processName) || nativeToken.baseInfo.dcap.size() <= 0 || - AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(nativeToken.baseInfo.tokenID) != TOKEN_NATIVE) { - ACCESSTOKEN_LOG_ERROR( - LABEL, "device %{public}s token %{public}u is invalid.", + (type != TOKEN_NATIVE && type != TOKEN_SHELL)) { + ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s token %{public}u is invalid.", ConstantCommon::EncryptDevId(deviceID).c_str(), nativeToken.baseInfo.tokenID); continue; } @@ -805,7 +807,7 @@ int AccessTokenInfoManager::DeleteRemoteToken(const std::string& deviceID, Acces return RET_FAILED; } hapTokenInfoMap_.erase(mapID); - } else if (type == TOKEN_NATIVE) { + } else if ((type == TOKEN_NATIVE) || (type == TOKEN_SHELL)) { Utils::UniqueWriteGuard infoGuard(this->nativeTokenInfoLock_); if (nativeTokenInfoMap_.count(mapID) == 0) { ACCESSTOKEN_LOG_ERROR( @@ -822,8 +824,9 @@ int AccessTokenInfoManager::DeleteRemoteToken(const std::string& deviceID, Acces AccessTokenID AccessTokenInfoManager::GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID) { - if (!DataValidator::IsDeviceIdValid(deviceID) - || AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_NATIVE) { + if ((!DataValidator::IsDeviceIdValid(deviceID)) || (tokenID == 0) || + ((AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_NATIVE) && + (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_SHELL))) { ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s parms invalid", ConstantCommon::EncryptDevId(deviceID).c_str()); return 0; } diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp index d2240dfe5fc7127dde5b9c3cb1a4c59ad207fc20..19bf0a493699049cbb2ff3745394d827901915a6 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp @@ -48,7 +48,7 @@ AccessTokenID AccessTokenRemoteTokenManager::MapRemoteDeviceTokenToLocal(const s return 0; } ATokenTypeEnum tokeType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(remoteID); - if (tokeType != TOKEN_HAP && tokeType != TOKEN_NATIVE) { + if ((tokeType < TOKEN_HAP) || (tokeType > TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR( LABEL, "token %{public}x type is invalid.", remoteID); return 0; diff --git a/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp b/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp index 37cd2eee05c5f17a3a65fcb0b6d20c9a41d254db..aaa4527364d66fb97bd8270f859803aca1fc6579 100644 --- a/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp @@ -95,8 +95,11 @@ void from_json(const nlohmann::json& j, std::shared_ptr& p if (j.find(JSON_TOKEN_ID) != j.end()) { native.tokenID = j.at(JSON_TOKEN_ID).get(); - if (native.tokenID == 0 || - AccessTokenIDManager::GetTokenIdTypeEnum(native.tokenID) != TOKEN_NATIVE) { + if (native.tokenID == 0) { + return; + } + ATokenTypeEnum type = AccessTokenIDManager::GetTokenIdTypeEnum(native.tokenID); + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { return; } } else { diff --git a/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp b/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp index 727b2f6c2215f0c26faf4aab33aee97ce527e2db..85ca0d399374195c7c6281a960d0a9e91a7f9001 100644 --- a/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp +++ b/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp @@ -56,7 +56,8 @@ int32_t TokenSyncManagerStub::OnRemoteRequest( void TokenSyncManagerStub::GetRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((reinterpret_cast(&tokenCaller))->type != TOKEN_NATIVE) { + int type = (reinterpret_cast(&tokenCaller))->type; + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -72,7 +73,8 @@ void TokenSyncManagerStub::GetRemoteHapTokenInfoInner(MessageParcel& data, Messa void TokenSyncManagerStub::DeleteRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((reinterpret_cast(&tokenCaller))->type != TOKEN_NATIVE) { + int type = (reinterpret_cast(&tokenCaller))->type; + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -86,7 +88,8 @@ void TokenSyncManagerStub::DeleteRemoteHapTokenInfoInner(MessageParcel& data, Me void TokenSyncManagerStub::UpdateRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((reinterpret_cast(&tokenCaller))->type != TOKEN_NATIVE) { + int type = (reinterpret_cast(&tokenCaller))->type; + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return;