From e4d1763fa716bc4d5e9d4703f1697f4fe2297d63 Mon Sep 17 00:00:00 2001 From: bug_maker Date: Wed, 9 Jul 2025 17:07:50 +0800 Subject: [PATCH 1/7] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9=E9=94=99?= =?UTF-8?q?=E8=AF=AF=E6=95=B0=E6=8D=AE=E7=B1=BB=E5=9E=8B=EF=BC=8C=E6=B7=BB?= =?UTF-8?q?=E5=8A=A0=E5=8D=95=E6=B5=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: bug_maker --- .../main/cpp/src/permission/permission_manager.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 0a639ff58..12312a729 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp @@ -422,7 +422,7 @@ int32_t PermissionManager::UpdateMultiTokenPermissionState(const std::shared_ptr AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo); ClearThreadErrorMsg(); - uint32_t ret = RET_SUCCESS; + int32_t ret = RET_SUCCESS; bool isHadSuccess = false; for (const std::string &permissionName : permissionList) { HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION", -- Gitee From 2a330c67a5faa248ad53b38f7731d51c2b2e30d0 Mon Sep 17 00:00:00 2001 From: bug_maker Date: Fri, 11 Jul 2025 16:05:22 +0800 Subject: [PATCH 2/7] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9=E5=8D=95?= =?UTF-8?q?=E6=B5=8B=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: bug_maker --- .../test/unittest/EdmPolicyTest/edm_policy_set_test.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp index a9748cda7..f85806632 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp @@ -864,10 +864,12 @@ HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy007, TestSize.Level0) std::vector permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE}; uint32_t ret = RET_SUCCESS; + int32_t selfUid = getuid(); + setuid(10001); ret = AccessTokenKit::SetPermissionStatusWithPolicy( tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); EXPECT_EQ(ERR_PERMISSION_DENIED, ret); - + setuid(selfUid); EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); } -- Gitee From 923e7b3c55d80b7b2a43a5a5f2664fb7001a5f07 Mon Sep 17 00:00:00 2001 From: bug_maker Date: Fri, 11 Jul 2025 16:33:54 +0800 Subject: [PATCH 3/7] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9=E6=9D=83?= =?UTF-8?q?=E9=99=90=E5=8F=97=E6=8E=A7=E6=97=B6=E7=9A=84=E9=94=99=E8=AF=AF?= =?UTF-8?q?=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: bug_maker --- .../main/cpp/src/permission/permission_manager.cpp | 2 +- .../main/cpp/src/service/accesstoken_manager_service.cpp | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 12312a729..45c054d74 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp 
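Review bot: Both `setuid` calls added to SetPermissionStatusWithPolicy007 ignore their return value, so the test cannot tell whether the identity switch or the restore actually happened. If `setuid(10001)` fails, the call under test still runs with the original uid and the `ERR_PERMISSION_DENIED` expectation no longer exercises the unprivileged path. If `setuid(selfUid)` fails, `DeleteTestHapToken` and every later test in the same binary run as uid 10001; on Linux a privileged process that calls `setuid` changes its real, effective and saved ids, so the way back may be refused depending on the capabilities the test process keeps. I would write `uid_t selfUid = getuid();`, `ASSERT_EQ(0, setuid(10001));` and `EXPECT_EQ(0, setuid(selfUid));`, using `uid_t` because `getuid()` does not return a signed type. The test body starts outside the hunk.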
@@ -210,7 +210,7 @@ static bool IsPermissionRestrictedByRules(const std::string& permission) bool PermissionManager::HandlePermissionDeniedCase(uint32_t goalGrantFlag, PermissionListState& permState) { if ((goalGrantFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) != 0) { - permState.state = INVALID_OPER; + permState.state = FORBIDDEN_OPER; permState.errorReason = FIXED_BY_POLICY; return true; } diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp index ff8b9519b..97484b822 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp @@ -353,6 +353,7 @@ PermissionOper AccessTokenManagerService::GetPermissionsState(AccessTokenID toke LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d, apiVersion: %{public}d", tokenID, apiVersion); bool needRes = false; + bool fixedByPolicyRes = false; std::vector permsList; if (!GetAppReqPermissions(tokenID, permsList)) { return INVALID_OPER; @@ -378,6 +379,9 @@ PermissionOper AccessTokenManagerService::GetPermissionsState(AccessTokenID toke if (static_cast(reqPermList[i].permsState.state) == DYNAMIC_OPER) { needRes = true; } + if (static_cast(reqPermList[i].permsState.state) == FORBIDDEN_OPER) { + fixedByPolicyRes = true; + } LOGD(ATM_DOMAIN, ATM_TAG, "Perm: %{public}s, state: %{public}d", reqPermList[i].permsState.permissionName.c_str(), reqPermList[i].permsState.state); } @@ -392,6 +396,9 @@ PermissionOper AccessTokenManagerService::GetPermissionsState(AccessTokenID toke } return FORBIDDEN_OPER; } + if (fixedByPolicyRes) { + return FORBIDDEN_OPER; + } if (needRes) { return DYNAMIC_OPER; } -- Gitee From a1fbcf3a0e20bb1403df8290394c3ab5a3d6f90a Mon Sep 17 00:00:00 2001 
From: bug_maker Date: Fri, 11 Jul 2025 17:21:16 +0800 Subject: [PATCH 4/7] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=E5=8D=95?= =?UTF-8?q?=E6=B5=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: bug_maker --- .../test/unittest/EdmPolicyTest/edm_policy_set_test.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp index f85806632..40deed939 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp @@ -1131,7 +1131,7 @@ HWTEST_F(EdmPolicySetTest, EdmTestGetSelfPermissionsState001, TestSize.Level0) PermissionGrantInfo info; SetSelfTokenID(tokenID); EXPECT_EQ(PASS_OPER, AccessTokenKit::GetSelfPermissionsState(permsList, info)); - EXPECT_EQ(INVALID_OPER, permsList[0].state); + EXPECT_EQ(FORBIDDEN_OPER, permsList[0].state); SetSelfTokenID(selfTokenId); // 3. set flag is PERMISSION_ADMIN_POLICIES_CANCEL. -- Gitee From 9baeb0c895b9b96becf89d2a7f3803c5aee95cb0 Mon Sep 17 00:00:00 2001 From: bug_maker Date: Sat, 12 Jul 2025 16:50:56 +0800 Subject: [PATCH 5/7] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9=E5=8D=95?= =?UTF-8?q?=E6=B5=8B=E5=92=8C=E4=BB=A3=E7=A0=81=E9=80=BB=E8=BE=91?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: bug_maker --- .../EdmPolicyTest/edm_policy_set_test.cpp | 18 ++++++------------ .../service/accesstoken_manager_service.h | 1 + .../service/accesstoken_manager_service.cpp | 19 ++++++++++++------- .../test/unittest/permission_manager_test.cpp | 2 +- 4 files changed, 20 insertions(+), 20 deletions(-) 
diff --git a/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp index 40deed939..dad286107 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp 
@@ -657,26 +657,20 @@ HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy001, TestSize.Level0) uint64_t selfTokenId = GetSelfTokenID(); ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + uint32_t flag = 0; std::vector permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE}; std::vector stateList = {PERMISSION_GRANTED, PERMISSION_DENIED}; for (auto status : stateList) { GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy001 status: " << status; EXPECT_EQ(RET_SUCCESS, - AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, status, PERMISSION_FIXED_BY_ADMIN_POLICY)); + AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, status, PERMISSION_FIXED_BY_ADMIN_POLICY)); std::vector permsList; for (auto perm : permList) { GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy001 check perm: " << perm; EXPECT_EQ(status, AccessTokenKit::VerifyAccessToken(tokenID, perm, false)); - permsList.push_back({perm, FORBIDDEN_OPER}); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, perm, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); } - SetSelfTokenID(tokenID); - PermissionGrantInfo info; - EXPECT_EQ(PASS_OPER, AccessTokenKit::GetSelfPermissionsState(permsList, info)); - EXPECT_EQ(status == PERMISSION_GRANTED ? PASS_OPER : INVALID_OPER, permsList[0].state); - EXPECT_EQ(status == PERMISSION_GRANTED ? REQ_SUCCESS : FIXED_BY_POLICY, permsList[0].errorReason); - EXPECT_EQ(status == PERMISSION_GRANTED ? PASS_OPER : INVALID_OPER, permsList[1].state); - EXPECT_EQ(status == PERMISSION_GRANTED ? REQ_SUCCESS : FIXED_BY_POLICY, permsList[1].errorReason); - SetSelfTokenID(selfTokenId); } EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); 
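Review bot: The rewritten loop in SetPermissionStatusWithPolicy001 still declares `std::vector permsList;` but never uses it now that the `push_back` and the `GetSelfPermissionsState` block are gone, so the declaration should be removed. `flag` is declared once before the loops and never reset, so a `GetPermissionFlag` call that returned without writing it would let `EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag)` pass on the previous iteration's value; declaring `uint32_t flag = 0;` inside the inner loop avoids that. The removed assertions were also the only ones in this hunk that checked `errorReason` against `FIXED_BY_POLICY` for the denied status, so unless another test covers it, that part of the policy-denied result is no longer pinned.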
@@ -1126,11 +1120,11 @@ HWTEST_F(EdmPolicySetTest, EdmTestGetSelfPermissionsState001, TestSize.Level0) EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); - // 2. get permission state is INVALID_OPER. + // 2. get permission state is FORBIDDEN_OPER. std::vector permsList = {{CUSTOM_SCREEN_CAPTURE}}; PermissionGrantInfo info; SetSelfTokenID(tokenID); - EXPECT_EQ(PASS_OPER, AccessTokenKit::GetSelfPermissionsState(permsList, info)); + EXPECT_EQ(FORBIDDEN_OPER, AccessTokenKit::GetSelfPermissionsState(permsList, info)); EXPECT_EQ(FORBIDDEN_OPER, permsList[0].state); SetSelfTokenID(selfTokenId); diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h index f366a9568..ffad5fda2 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h @@ -142,6 +142,7 @@ private: void GetConfigValue(uint32_t& parseConfigFlag); bool Initialize(); void AccessTokenServiceParamSet() const; + bool isLocationPermSpecialHandle(std::string permissionName, int32_t apiVersion); PermissionOper GetPermissionsState(AccessTokenID tokenID, std::vector& reqPermList); int32_t UpdateHapTokenCore(AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info, const HapPolicyParcel& policyParcel, HapInfoCheckResultIdl& resultInfoIdl); diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp index 97484b822..00bc8b3e3 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp 
@@ -342,6 +342,14 @@ static bool GetAppReqPermissions(AccessTokenID tokenID, std::vector= ACCURATE_LOCATION_API_VERSION); +} + PermissionOper AccessTokenManagerService::GetPermissionsState(AccessTokenID tokenID, std::vector& reqPermList) { @@ -368,10 +376,7 @@ PermissionOper AccessTokenManagerService::GetPermissionsState(AccessTokenID toke uint32_t size = reqPermList.size(); for (uint32_t i = 0; i < size; i++) { // api9 location permission special handle above - if (((reqPermList[i].permsState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) || - (reqPermList[i].permsState.permissionName == ACCURATE_LOCATION_PERMISSION_NAME) || - (reqPermList[i].permsState.permissionName == BACKGROUND_LOCATION_PERMISSION_NAME)) && - (apiVersion >= ACCURATE_LOCATION_API_VERSION)) { + if (isLocationPermSpecialHandle(reqPermList[i].permsState.permissionName, apiVersion)) { continue; } @@ -396,12 +401,12 @@ PermissionOper AccessTokenManagerService::GetPermissionsState(AccessTokenID toke } return FORBIDDEN_OPER; } - if (fixedByPolicyRes) { - return FORBIDDEN_OPER; - } if (needRes) { return DYNAMIC_OPER; } + if (fixedByPolicyRes) { + return FORBIDDEN_OPER; + } return PASS_OPER; } diff --git a/services/accesstokenmanager/test/unittest/permission_manager_test.cpp b/services/accesstokenmanager/test/unittest/permission_manager_test.cpp index 8efa635e2..34efeee60 100644 --- a/services/accesstokenmanager/test/unittest/permission_manager_test.cpp +++ b/services/accesstokenmanager/test/unittest/permission_manager_test.cpp @@ -625,7 +625,7 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState004, TestSize.Level0) permState2.permissionName = "ohos.permission.CAMERA"; PermissionManager::GetInstance().GetSelfPermissionState(permsList2, permState2, apiVersion); - ASSERT_EQ(PermissionOper::SETTING_OPER, permState2.state); + ASSERT_EQ(PermissionOper::FORBIDDEN_OPER, permState2.state); std::vector permsList3; permsList3.emplace_back(g_permState12); -- Gitee 
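Review bot: Entries for which `isLocationPermSpecialHandle(...)` returns true hit `continue` before the state checks further down the loop, so a location permission whose state is `FORBIDDEN_OPER` never sets `fixedByPolicyRes` in this loop. The existing comment says these permissions were handled "above", but whether that earlier path feeds a policy-fixed result into the aggregate return value is not visible in the hunk. If it does not, a request containing only policy-fixed location permissions could still fall through to `PASS_OPER`. I would either record the flag before the `continue`, using the same cast as the checks below, `if (reqPermList[i].permsState.state == FORBIDDEN_OPER) { fixedByPolicyRes = true; }`, or add a comment stating where that case is accounted for. The loop body continues outside the hunk.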
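Review bot: The order of the `needRes` and `fixedByPolicyRes` checks at the end of `GetPermissionsState` is now the opposite of what an earlier patch in this series introduced, and nothing in the code says which precedence is intended. With this order a request that mixes one policy-fixed permission with one that still needs a prompt returns `DYNAMIC_OPER`, and the caller has to read each entry's `state` to learn that one of them is `FORBIDDEN_OPER`. If that is the intent, I would add a comment above the two checks, for example `// DYNAMIC_OPER wins: remaining permissions still need a prompt; policy-fixed entries keep FORBIDDEN_OPER in their own state`. A unit test for the mixed request would pin it, since the `GetSelfPermissionsState` expectations visible in this series use a single policy-fixed permission.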
From 0e6dfaa0aae1479d095bd0c9f48b7ae8fa323535 Mon Sep 17 00:00:00 2001 From: bug_maker Date: Sat, 12 Jul 2025 18:29:26 +0800 Subject: [PATCH 6/7] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9=E5=8D=95?= =?UTF-8?q?=E6=B5=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: bug_maker --- .../test/unittest/permission_manager_test.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/accesstokenmanager/test/unittest/permission_manager_test.cpp b/services/accesstokenmanager/test/unittest/permission_manager_test.cpp index 34efeee60..3280a41d1 100644 --- a/services/accesstokenmanager/test/unittest/permission_manager_test.cpp +++ b/services/accesstokenmanager/test/unittest/permission_manager_test.cpp @@ -617,7 +617,7 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState004, TestSize.Level0) int32_t apiVersion = ACCURATE_LOCATION_API_VERSION; PermissionManager::GetInstance().GetSelfPermissionState(permsList1, permState1, apiVersion); - ASSERT_EQ(PermissionOper::INVALID_OPER, permState1.state); + ASSERT_EQ(PermissionOper::FORBIDDEN_OPER, permState1.state); std::vector permsList2; permsList2.emplace_back(g_permState11); -- Gitee From 776c69e9ddfb15ac9975762ac160dba4b2db2ab4 Mon Sep 17 00:00:00 2001 From: bug_maker Date: Sat, 12 Jul 2025 20:30:29 +0800 Subject: [PATCH 7/7] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9=E5=8D=95?= =?UTF-8?q?=E6=B5=8B=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: bug_maker --- .../test/unittest/permission_manager_test.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/accesstokenmanager/test/unittest/permission_manager_test.cpp b/services/accesstokenmanager/test/unittest/permission_manager_test.cpp index 3280a41d1..8ffef6e49 100644 --- a/services/accesstokenmanager/test/unittest/permission_manager_test.cpp 
+++ b/services/accesstokenmanager/test/unittest/permission_manager_test.cpp @@ -625,7 +625,7 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState004, TestSize.Level0) permState2.permissionName = "ohos.permission.CAMERA"; PermissionManager::GetInstance().GetSelfPermissionState(permsList2, permState2, apiVersion); - ASSERT_EQ(PermissionOper::FORBIDDEN_OPER, permState2.state); + ASSERT_EQ(PermissionOper::SETTING_OPER, permState2.state); std::vector permsList3; permsList3.emplace_back(g_permState12); -- Gitee