diff --git a/interfaces/innerkits/nativetoken/include/nativetoken.h b/interfaces/innerkits/nativetoken/include/nativetoken.h index 7c3c9f9be0143fdc850f6ec2d85c05aecf08ef5c..4506309b4afb2ca1a21995380107ca38e351496b 100644 --- a/interfaces/innerkits/nativetoken/include/nativetoken.h +++ b/interfaces/innerkits/nativetoken/include/nativetoken.h @@ -26,6 +26,7 @@ extern "C" { #define TOKEN_ID_CFG_FILE_PATH "/data/service/el0/access_token/nativetoken.json" #define TOKEN_ID_CFG_DIR_PATH "/data/service/el0/access_token" #define TOKEN_NATIVE_TYPE 1 +#define TOKEN_SHELL_TYPE 2 #define DEFAULT_AT_VERSION 1 #define TRANSFER_KEY_WORDS "NativeTokenInfo" #define MAX_JSON_FILE_LEN 102400 @@ -50,6 +51,7 @@ extern "C" { #define APL_KEY_NAME "APL" #define VERSION_KEY_NAME "version" #define PROCESS_KEY_NAME "processName" +#define HDC_PROCESS_NAME "hdcd" #define SYSTEM_CORE 3 #define SYSTEM_BASIC 2 diff --git a/interfaces/innerkits/nativetoken/src/nativetoken.c b/interfaces/innerkits/nativetoken/src/nativetoken.c index 8a58d5fb5a40b7831f9d41692210f3fde2b504d5..e8164adbea15e39e6a49152527f92def6fcb4e07 100644 --- a/interfaces/innerkits/nativetoken/src/nativetoken.c +++ b/interfaces/innerkits/nativetoken/src/nativetoken.c @@ -277,7 +277,7 @@ static int32_t IsTokenUniqueIdExist(uint32_t tokenUniqueId) return 0; } -static NativeAtId CreateNativeTokenId(void) +static NativeAtId CreateNativeTokenId(const char *processName) { uint32_t rand; NativeAtId tokenId; @@ -302,8 +302,14 @@ static NativeAtId CreateNativeTokenId(void) innerId->reserved = 0; innerId->tokenUniqueId = rand & (TOKEN_RANDOM_MASK); - innerId->type = TOKEN_NATIVE_TYPE; innerId->version = 1; + + if (strcmp(processName, HDC_PROCESS_NAME) == 0) { + innerId->type = TOKEN_SHELL_TYPE; + } else { + innerId->type = TOKEN_NATIVE_TYPE; + } + return tokenId; } @@ -465,7 +471,7 @@ static uint32_t AddNewTokenToListAndFile(const NativeTokenInfoParams *tokenInfo, NativeTokenList *tokenNode; NativeAtId id; - id = CreateNativeTokenId(); + id = CreateNativeTokenId(tokenInfo->processName); if (id == INVALID_TOKEN_ID) { return ATRET_FAILED; } diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h index cbc45c2beaf56f40810e05a8f8c800dcf94682ce..e95fa76f9324f036f53b23e64dbac58691f7a69f 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h @@ -72,6 +72,7 @@ private: bool IsAuthorizedCalling() const; bool IsAccessTokenCalling() const; + bool IsNativeProcessCalling(); static const int32_t SYSTEM_UID = 1000; static const int32_t ROOT_UID = 0; static const int32_t ACCESSTOKEN_UID = 3020; diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 5cfb182608fe57736c967854081c7bc168e28682..ae6573bf08a7c3e9c2771858772ef658bfbe8d8f 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp @@ -150,7 +150,7 @@ int PermissionManager::VerifyAccessToken(AccessTokenID tokenID, const std::strin } ATokenTypeEnum tokenType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID); - if (tokenType == TOKEN_NATIVE) { + if ((tokenType == TOKEN_NATIVE) || (tokenType == TOKEN_SHELL)) { return VerifyNativeAccessToken(tokenID, permissionName); } if (tokenType == TOKEN_HAP) { diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp index 4d40336116237a39fda335691bf82f26770228ad..e17c32388f621bafe4448043f629d4de09c48cb5 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp @@ -234,8 +234,7 @@ void AccessTokenManagerStub::GetTokenTypeInner(MessageParcel& data, MessageParce void AccessTokenManagerStub::CheckNativeDCapInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -248,8 +247,7 @@ void AccessTokenManagerStub::CheckNativeDCapInner(MessageParcel& data, MessagePa void AccessTokenManagerStub::GetHapTokenIDInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(INVALID_TOKENID); return; @@ -263,8 +261,7 @@ void AccessTokenManagerStub::GetHapTokenIDInner(MessageParcel& data, MessageParc void AccessTokenManagerStub::AllocLocalTokenIDInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((!IsAuthorizedCalling()) && (this->GetTokenType(tokenCaller) != TOKEN_NATIVE)) { + if ((!IsAuthorizedCalling()) && (!IsNativeProcessCalling())) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(INVALID_TOKENID); return; @@ -296,8 +293,7 @@ void AccessTokenManagerStub::UpdateHapTokenInner(MessageParcel& data, MessagePar void AccessTokenManagerStub::GetHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((this->GetTokenType(tokenCaller) != TOKEN_NATIVE)) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -311,8 +307,7 @@ void AccessTokenManagerStub::GetHapTokenInfoInner(MessageParcel& data, MessagePa void AccessTokenManagerStub::GetNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -477,8 +472,7 @@ void AccessTokenManagerStub::DeleteRemoteDeviceTokensInner(MessageParcel& data, void AccessTokenManagerStub::DumpTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -501,6 +495,16 @@ bool AccessTokenManagerStub::IsAccessTokenCalling() const return callingUid == ACCESSTOKEN_UID; } +bool AccessTokenManagerStub::IsNativeProcessCalling() +{ + AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); + int32_t type = this->GetTokenType(tokenCaller); + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { + return false; + } + return true; +} + AccessTokenManagerStub::AccessTokenManagerStub() { requestFuncMap_[static_cast(IAccessTokenManager::InterfaceCode::VERIFY_ACCESSTOKEN)] = diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp index a4cabdbea818eda4c5c5400a67f69dd15ac3dd35..8dccc403a69e06e40b294852eec50e51fbb9cdde 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp @@ -123,7 +123,8 @@ void AccessTokenInfoManager::InitNativeTokenInfos() DataStorage::GetRealDataStorage().Find(DataStorage::ACCESSTOKEN_PERMISSION_STATE, permStateRes); for (GenericValues nativeTokenValue : nativeTokenResults) { AccessTokenID tokenId = (AccessTokenID)nativeTokenValue.GetInt(FIELD_TOKEN_ID); - int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, TOKEN_NATIVE); + ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(tokenId); + int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, type); if (ret != RET_SUCCESS) { ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId %{public}u add failed.", tokenId); continue; @@ -341,7 +342,7 @@ int AccessTokenInfoManager::RemoveHapTokenInfo(AccessTokenID id) int AccessTokenInfoManager::RemoveNativeTokenInfo(AccessTokenID id) { ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id); - if (type != TOKEN_NATIVE) { + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR( LABEL, "token %{public}u is not hap.", id); return RET_FAILED; @@ -527,7 +528,8 @@ void AccessTokenInfoManager::ProcessNativeTokenInfos( "token %{public}u process name %{public}s is new, add to manager!", infoPtr->GetTokenID(), infoPtr->GetProcessName().c_str()); AccessTokenID id = infoPtr->GetTokenID(); - int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(id, TOKEN_NATIVE); + ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id); + int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(id, type); if (ret != RET_SUCCESS) { ACCESSTOKEN_LOG_ERROR(LABEL, "token Id register fail"); continue; @@ -729,13 +731,13 @@ int AccessTokenInfoManager::SetRemoteNativeTokenInfo(const std::string& deviceID } for (NativeTokenInfoForSync& nativeToken : nativeTokenInfoList) { + ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(nativeToken.baseInfo.tokenID); if (!DataValidator::IsAplNumValid(nativeToken.baseInfo.apl) || nativeToken.baseInfo.ver != DEFAULT_TOKEN_VERSION || !DataValidator::IsProcessNameValid(nativeToken.baseInfo.processName) || nativeToken.baseInfo.dcap.size() <= 0 || - AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(nativeToken.baseInfo.tokenID) != TOKEN_NATIVE) { - ACCESSTOKEN_LOG_ERROR( - LABEL, "device %{public}s token %{public}u is invalid.", + (type != TOKEN_NATIVE && type != TOKEN_SHELL)) { + ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s token %{public}u is invalid.", ConstantCommon::EncryptDevId(deviceID).c_str(), nativeToken.baseInfo.tokenID); continue; } @@ -805,7 +807,7 @@ int AccessTokenInfoManager::DeleteRemoteToken(const std::string& deviceID, Acces return RET_FAILED; } hapTokenInfoMap_.erase(mapID); - } else if (type == TOKEN_NATIVE) { + } else if ((type == TOKEN_NATIVE) || (type == TOKEN_SHELL)) { Utils::UniqueWriteGuard infoGuard(this->nativeTokenInfoLock_); if (nativeTokenInfoMap_.count(mapID) == 0) { ACCESSTOKEN_LOG_ERROR( @@ -822,8 +824,9 @@ int AccessTokenInfoManager::DeleteRemoteToken(const std::string& deviceID, Acces AccessTokenID AccessTokenInfoManager::GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID) { - if (!DataValidator::IsDeviceIdValid(deviceID) - || AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_NATIVE) { + if ((!DataValidator::IsDeviceIdValid(deviceID)) || (tokenID == 0) || + ((AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_NATIVE) && + (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_SHELL))) { ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s parms invalid", ConstantCommon::EncryptDevId(deviceID).c_str()); return 0; } diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp index d2240dfe5fc7127dde5b9c3cb1a4c59ad207fc20..19bf0a493699049cbb2ff3745394d827901915a6 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp @@ -48,7 +48,7 @@ AccessTokenID AccessTokenRemoteTokenManager::MapRemoteDeviceTokenToLocal(const s return 0; } ATokenTypeEnum tokeType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(remoteID); - if (tokeType != TOKEN_HAP && tokeType != TOKEN_NATIVE) { + if ((tokeType < TOKEN_HAP) || (tokeType > TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR( LABEL, "token %{public}x type is invalid.", remoteID); return 0; diff --git a/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp b/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp index 37cd2eee05c5f17a3a65fcb0b6d20c9a41d254db..aaa4527364d66fb97bd8270f859803aca1fc6579 100644 --- a/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp @@ -95,8 +95,11 @@ void from_json(const nlohmann::json& j, std::shared_ptr& p if (j.find(JSON_TOKEN_ID) != j.end()) { native.tokenID = j.at(JSON_TOKEN_ID).get(); - if (native.tokenID == 0 || - AccessTokenIDManager::GetTokenIdTypeEnum(native.tokenID) != TOKEN_NATIVE) { + if (native.tokenID == 0) { + return; + } + ATokenTypeEnum type = AccessTokenIDManager::GetTokenIdTypeEnum(native.tokenID); + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { return; } } else { diff --git a/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp b/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp index 727b2f6c2215f0c26faf4aab33aee97ce527e2db..85ca0d399374195c7c6281a960d0a9e91a7f9001 100644 --- a/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp +++ b/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp @@ -56,7 +56,8 @@ int32_t TokenSyncManagerStub::OnRemoteRequest( void TokenSyncManagerStub::GetRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((reinterpret_cast(&tokenCaller))->type != TOKEN_NATIVE) { + int type = (reinterpret_cast(&tokenCaller))->type; + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -72,7 +73,8 @@ void TokenSyncManagerStub::GetRemoteHapTokenInfoInner(MessageParcel& data, Messa void TokenSyncManagerStub::DeleteRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((reinterpret_cast(&tokenCaller))->type != TOKEN_NATIVE) { + int type = (reinterpret_cast(&tokenCaller))->type; + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -86,7 +88,8 @@ void TokenSyncManagerStub::DeleteRemoteHapTokenInfoInner(MessageParcel& data, Me void TokenSyncManagerStub::UpdateRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((reinterpret_cast(&tokenCaller))->type != TOKEN_NATIVE) { + int type = (reinterpret_cast(&tokenCaller))->type; + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return;