From 58d81108c50161873ac284386817bb78bb53d30d Mon Sep 17 00:00:00 2001 From: chennian Date: Mon, 22 Aug 2022 11:06:16 +0800 Subject: [PATCH] =?UTF-8?q?shell=E8=BF=9B=E7=A8=8B=E4=BB=8Enative=E8=BF=9B?= =?UTF-8?q?=E7=A8=8B=E4=B8=AD=E5=88=86=E7=A6=BB=20Signed-off-by:chennian?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: chennian --- .../nativetoken/include/nativetoken.h | 2 ++ .../innerkits/nativetoken/src/nativetoken.c | 12 ++++++-- .../nativetoken/src/nativetoken_json_oper.c | 2 +- .../service/accesstoken_manager_stub.h | 1 + .../cpp/src/permission/permission_manager.cpp | 2 +- .../src/service/accesstoken_manager_stub.cpp | 29 +++++++++++-------- .../src/token/accesstoken_info_manager.cpp | 18 +++++++----- .../accesstoken_remote_token_manager.cpp | 2 +- .../cpp/src/token/native_token_receptor.cpp | 7 +++-- .../src/service/token_sync_manager_stub.cpp | 9 ++++-- 10 files changed, 54 insertions(+), 30 deletions(-) diff --git a/interfaces/innerkits/nativetoken/include/nativetoken.h b/interfaces/innerkits/nativetoken/include/nativetoken.h index 7c3c9f9be..4506309b4 100644 --- a/interfaces/innerkits/nativetoken/include/nativetoken.h +++ b/interfaces/innerkits/nativetoken/include/nativetoken.h @@ -26,6 +26,7 @@ extern "C" { #define TOKEN_ID_CFG_FILE_PATH "/data/service/el0/access_token/nativetoken.json" #define TOKEN_ID_CFG_DIR_PATH "/data/service/el0/access_token" #define TOKEN_NATIVE_TYPE 1 +#define TOKEN_SHELL_TYPE 2 #define DEFAULT_AT_VERSION 1 #define TRANSFER_KEY_WORDS "NativeTokenInfo" #define MAX_JSON_FILE_LEN 102400 @@ -50,6 +51,7 @@ extern "C" { #define APL_KEY_NAME "APL" #define VERSION_KEY_NAME "version" #define PROCESS_KEY_NAME "processName" +#define HDC_PROCESS_NAME "hdcd" #define SYSTEM_CORE 3 #define SYSTEM_BASIC 2 diff --git a/interfaces/innerkits/nativetoken/src/nativetoken.c b/interfaces/innerkits/nativetoken/src/nativetoken.c index d9c08e8db..6ec9f31fb 100644 --- a/interfaces/innerkits/nativetoken/src/nativetoken.c +++ b/interfaces/innerkits/nativetoken/src/nativetoken.c @@ -277,7 +277,7 @@ static int32_t IsTokenUniqueIdExist(uint32_t tokenUniqueId) return 0; } -static NativeAtId CreateNativeTokenId(void) +static NativeAtId CreateNativeTokenId(const char *processName) { uint32_t rand; NativeAtId tokenId; @@ -302,8 +302,14 @@ static NativeAtId CreateNativeTokenId(void) innerId->reserved = 0; innerId->tokenUniqueId = rand & (TOKEN_RANDOM_MASK); - innerId->type = TOKEN_NATIVE_TYPE; innerId->version = 1; + + if (strcmp(processName, HDC_PROCESS_NAME) == 0) { + innerId->type = TOKEN_SHELL_TYPE; + } else { + innerId->type = TOKEN_NATIVE_TYPE; + } + return tokenId; } @@ -465,7 +471,7 @@ static uint32_t AddNewTokenToListAndFile(const NativeTokenInfoParams *tokenInfo, NativeTokenList *tokenNode; NativeAtId id; - id = CreateNativeTokenId(); + id = CreateNativeTokenId(tokenInfo->processName); if (id == INVALID_TOKEN_ID) { return ATRET_FAILED; } diff --git a/interfaces/innerkits/nativetoken/src/nativetoken_json_oper.c b/interfaces/innerkits/nativetoken/src/nativetoken_json_oper.c index 25062d1b7..2f7247250 100644 --- a/interfaces/innerkits/nativetoken/src/nativetoken_json_oper.c +++ b/interfaces/innerkits/nativetoken/src/nativetoken_json_oper.c @@ -52,7 +52,7 @@ uint32_t GetTokenIdFromJson(cJSON *cjsonItem, NativeTokenList *tokenNode) } AtInnerInfo *atIdInfo = (AtInnerInfo *)&(tokenIdJson->valueint); - if (atIdInfo->type != TOKEN_NATIVE_TYPE) { + if (atIdInfo->type != TOKEN_NATIVE_TYPE && atIdInfo->type != TOKEN_SHELL_TYPE) { AT_LOG_ERROR("[ATLIB-%s]:tokenId type is invalid.", __func__); return ATRET_FAILED; } diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h index cbc45c2be..e95fa76f9 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h @@ -72,6 +72,7 @@ private: bool IsAuthorizedCalling() const; bool IsAccessTokenCalling() const; + bool IsNativeProcessCalling(); static const int32_t SYSTEM_UID = 1000; static const int32_t ROOT_UID = 0; static const int32_t ACCESSTOKEN_UID = 3020; diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 4819bf776..7b2cc9520 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp @@ -150,7 +150,7 @@ int PermissionManager::VerifyAccessToken(AccessTokenID tokenID, const std::strin } ATokenTypeEnum tokenType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID); - if (tokenType == TOKEN_NATIVE) { + if ((tokenType == TOKEN_NATIVE) || (tokenType == TOKEN_SHELL)) { return VerifyNativeAccessToken(tokenID, permissionName); } if (tokenType == TOKEN_HAP) { diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp index dd2c129e9..529c64dde 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp @@ -234,8 +234,7 @@ void AccessTokenManagerStub::GetTokenTypeInner(MessageParcel& data, MessageParce void AccessTokenManagerStub::CheckNativeDCapInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -248,8 +247,7 @@ void AccessTokenManagerStub::CheckNativeDCapInner(MessageParcel& data, MessagePa void AccessTokenManagerStub::GetHapTokenIDInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(INVALID_TOKENID); return; @@ -263,8 +261,7 @@ void AccessTokenManagerStub::GetHapTokenIDInner(MessageParcel& data, MessageParc void AccessTokenManagerStub::AllocLocalTokenIDInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((!IsAuthorizedCalling()) && (this->GetTokenType(tokenCaller) != TOKEN_NATIVE)) { + if ((!IsAuthorizedCalling()) && (!IsNativeProcessCalling())) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(INVALID_TOKENID); return; @@ -297,8 +294,7 @@ void AccessTokenManagerStub::UpdateHapTokenInner(MessageParcel& data, MessagePar void AccessTokenManagerStub::GetHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((this->GetTokenType(tokenCaller) != TOKEN_NATIVE)) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -312,8 +308,7 @@ void AccessTokenManagerStub::GetHapTokenInfoInner(MessageParcel& data, MessagePa void AccessTokenManagerStub::GetNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -478,8 +473,7 @@ void AccessTokenManagerStub::DeleteRemoteDeviceTokensInner(MessageParcel& data, void AccessTokenManagerStub::DumpTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if (this->GetTokenType(tokenCaller) != TOKEN_NATIVE) { + if (!IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -502,6 +496,17 @@ bool AccessTokenManagerStub::IsAccessTokenCalling() const return callingUid == ACCESSTOKEN_UID; } +bool AccessTokenManagerStub::IsNativeProcessCalling() +{ + AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); + int32_t type = this->GetTokenType(tokenCaller); + ACCESSTOKEN_LOG_DEBUG(LABEL, "Calling tokenID: %{public}d, type: %{public}d", tokenCaller, type); + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { + return false; + } + return true; +} + AccessTokenManagerStub::AccessTokenManagerStub() { requestFuncMap_[static_cast(IAccessTokenManager::InterfaceCode::VERIFY_ACCESSTOKEN)] = diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp index ef440cdda..a45297f0e 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp @@ -123,7 +123,8 @@ void AccessTokenInfoManager::InitNativeTokenInfos() DataStorage::GetRealDataStorage().Find(DataStorage::ACCESSTOKEN_PERMISSION_STATE, permStateRes); for (const GenericValues& nativeTokenValue : nativeTokenResults) { AccessTokenID tokenId = (AccessTokenID)nativeTokenValue.GetInt(FIELD_TOKEN_ID); - int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, TOKEN_NATIVE); + ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenId); + int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, type); if (ret != RET_SUCCESS) { ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId %{public}u add failed.", tokenId); continue; @@ -341,7 +342,7 @@ int AccessTokenInfoManager::RemoveHapTokenInfo(AccessTokenID id) int AccessTokenInfoManager::RemoveNativeTokenInfo(AccessTokenID id) { ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id); - if (type != TOKEN_NATIVE) { + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR( LABEL, "token %{public}u is not hap.", id); return RET_FAILED; @@ -527,7 +528,8 @@ void AccessTokenInfoManager::ProcessNativeTokenInfos( "token %{public}u process name %{public}s is new, add to manager!", infoPtr->GetTokenID(), infoPtr->GetProcessName().c_str()); AccessTokenID id = infoPtr->GetTokenID(); - int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(id, TOKEN_NATIVE); + ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(id); + int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(id, type); if (ret != RET_SUCCESS) { ACCESSTOKEN_LOG_ERROR(LABEL, "token Id register fail"); continue; @@ -729,11 +731,12 @@ int AccessTokenInfoManager::SetRemoteNativeTokenInfo(const std::string& deviceID } for (NativeTokenInfoForSync& nativeToken : nativeTokenInfoList) { + ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(nativeToken.baseInfo.tokenID); if (!DataValidator::IsAplNumValid(nativeToken.baseInfo.apl) || nativeToken.baseInfo.ver != DEFAULT_TOKEN_VERSION || !DataValidator::IsProcessNameValid(nativeToken.baseInfo.processName) || nativeToken.baseInfo.dcap.empty() || - AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(nativeToken.baseInfo.tokenID) != TOKEN_NATIVE) { + (type != TOKEN_NATIVE && type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR( LABEL, "device %{public}s token %{public}u is invalid.", ConstantCommon::EncryptDevId(deviceID).c_str(), nativeToken.baseInfo.tokenID); @@ -805,7 +808,7 @@ int AccessTokenInfoManager::DeleteRemoteToken(const std::string& deviceID, Acces return RET_FAILED; } hapTokenInfoMap_.erase(mapID); - } else if (type == TOKEN_NATIVE) { + } else if ((type == TOKEN_NATIVE) || (type == TOKEN_SHELL)) { Utils::UniqueWriteGuard infoGuard(this->nativeTokenInfoLock_); if (nativeTokenInfoMap_.count(mapID) == 0) { ACCESSTOKEN_LOG_ERROR( @@ -822,8 +825,9 @@ int AccessTokenInfoManager::DeleteRemoteToken(const std::string& deviceID, Acces AccessTokenID AccessTokenInfoManager::GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID) { - if (!DataValidator::IsDeviceIdValid(deviceID) - || AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_NATIVE) { + if ((!DataValidator::IsDeviceIdValid(deviceID)) || (tokenID == 0) || + ((AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_NATIVE) && + (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_SHELL))) { ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s parms invalid", ConstantCommon::EncryptDevId(deviceID).c_str()); return 0; } diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp index d2240dfe5..19bf0a493 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp @@ -48,7 +48,7 @@ AccessTokenID AccessTokenRemoteTokenManager::MapRemoteDeviceTokenToLocal(const s return 0; } ATokenTypeEnum tokeType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(remoteID); - if (tokeType != TOKEN_HAP && tokeType != TOKEN_NATIVE) { + if ((tokeType < TOKEN_HAP) || (tokeType > TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR( LABEL, "token %{public}x type is invalid.", remoteID); return 0; diff --git a/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp b/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp index 37cd2eee0..aaa452736 100644 --- a/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp @@ -95,8 +95,11 @@ void from_json(const nlohmann::json& j, std::shared_ptr& p if (j.find(JSON_TOKEN_ID) != j.end()) { native.tokenID = j.at(JSON_TOKEN_ID).get(); - if (native.tokenID == 0 || - AccessTokenIDManager::GetTokenIdTypeEnum(native.tokenID) != TOKEN_NATIVE) { + if (native.tokenID == 0) { + return; + } + ATokenTypeEnum type = AccessTokenIDManager::GetTokenIdTypeEnum(native.tokenID); + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { return; } } else { diff --git a/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp b/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp index 727b2f6c2..85ca0d399 100644 --- a/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp +++ b/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp @@ -56,7 +56,8 @@ int32_t TokenSyncManagerStub::OnRemoteRequest( void TokenSyncManagerStub::GetRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((reinterpret_cast(&tokenCaller))->type != TOKEN_NATIVE) { + int type = (reinterpret_cast(&tokenCaller))->type; + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -72,7 +73,8 @@ void TokenSyncManagerStub::GetRemoteHapTokenInfoInner(MessageParcel& data, Messa void TokenSyncManagerStub::DeleteRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((reinterpret_cast(&tokenCaller))->type != TOKEN_NATIVE) { + int type = (reinterpret_cast(&tokenCaller))->type; + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -86,7 +88,8 @@ void TokenSyncManagerStub::DeleteRemoteHapTokenInfoInner(MessageParcel& data, Me void TokenSyncManagerStub::UpdateRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - if ((reinterpret_cast(&tokenCaller))->type != TOKEN_NATIVE) { + int type = (reinterpret_cast(&tokenCaller))->type; + if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; -- Gitee