From f56307e3e543ed883726c00b216811c686a4d0fe Mon Sep 17 00:00:00 2001 From: lsq Date: Tue, 13 Sep 2022 23:39:44 +0800 Subject: [PATCH 1/2] =?UTF-8?q?=E6=9D=83=E9=99=90=E6=95=B4=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: lsq Change-Id: If88aeaeca044ba7cb6df2be03ef90119bcd05e30 --- .../unittest/src/accesstoken_kit_test.cpp | 28 ++++++++ .../service/accesstoken_manager_stub.h | 5 +- .../src/service/accesstoken_manager_stub.cpp | 68 ++++++++++++------- .../include/service/token_sync_manager_stub.h | 3 + .../src/service/token_sync_manager_stub.cpp | 29 +++++--- .../test/unittest/token_sync_service/BUILD.gn | 2 + .../token_sync_service_test.cpp | 14 +++- 7 files changed, 114 insertions(+), 35 deletions(-) diff --git a/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp index cd314d88b..52bdfd504 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp @@ -223,6 +223,32 @@ PermissionStateFull g_locationTestStateAccurate12 = { }; } +void NativeTokenGet() +{ + uint64_t tokenId; + const char **perms = new const char *[4]; + perms[0] = "ohos.permission.DISTRIBUTED_DATASYNC"; + perms[1] = "ohos.permission.GRANT_SENSITIVE_PERMISSIONS"; + perms[2] = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS"; + perms[3] = "ohos.permission.GET_SENSITIVE_PERMISSIONS"; + + NativeTokenInfoParams infoInstance = { + .dcapsNum = 0, + .permsNum = 4, + .aclsNum = 0, + .dcaps = nullptr, + .perms = perms, + .acls = nullptr, + .aplStr = "system_core", + }; + + infoInstance.processName = "TestCase"; + tokenId = GetAccessTokenId(&infoInstance); + SetSelfTokenID(tokenId); + AccessTokenKit::ReloadNativeTokenInfo(); + delete[] perms; +} + void AccessTokenKitTest::SetUpTestCase() { // make test case clean 
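Review bot: NativeTokenGet hands the result of GetAccessTokenId straight to SetSelfTokenID without checking it, so if token creation fails the suite keeps running under whatever ID came back and later failures will not point at the setup. Recording the failure first, for example `EXPECT_NE(tokenId, static_cast<uint64_t>(0));` before `SetSelfTokenID(tokenId);`, makes that visible (this assumes 0 is the failure value, as the token_sync test in this patch treats it). The `new const char *[4]` / `delete[] perms` pair can be a local array, `const char *perms[] = { ... };` with the same four strings, which removes the manual free. `uint64_t tokenId` can then be declared where it is assigned.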
@@ -233,6 +259,8 @@ void AccessTokenKitTest::SetUpTestCase() tokenID = AccessTokenKit::GetHapTokenID(TEST_USER_ID, TEST_BUNDLE_NAME, 0); AccessTokenKit::DeleteToken(tokenID); + + NativeTokenGet(); } void AccessTokenKitTest::TearDownTestCase() diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h index 6fb115250..98cbf7e34 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h @@ -72,12 +72,15 @@ private: void DumpTokenInfoInner(MessageParcel& data, MessageParcel& reply); bool IsAuthorizedCalling() const; - bool IsAccessTokenCalling() const; + bool IsAccessTokenCalling(); bool IsNativeProcessCalling(); + bool IsFoundationCalling() const; static const int32_t SYSTEM_UID = 1000; static const int32_t ROOT_UID = 0; static const int32_t ACCESSTOKEN_UID = 3020; + AccessTokenID tokenSyncId_ = 0; + using RequestFuncType = void (AccessTokenManagerStub::*)(MessageParcel &data, MessageParcel &reply); std::map requestFuncMap_; }; diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp index a678b5782..18033ad0b 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp @@ -59,7 +59,7 @@ int32_t AccessTokenManagerStub::OnRemoteRequest( void AccessTokenManagerStub::DeleteTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - if (!IsAuthorizedCalling()) { + if (!IsFoundationCalling() && !IsAuthorizedCalling()) { ACCESSTOKEN_LOG_INFO(LABEL, "permission denied"); reply.WriteInt32(RET_FAILED); return; 
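Review bot: In accesstoken_manager_stub.h the new member `tokenSyncId_` has no comment, and its role is not obvious from the declaration: it caches the native token ID that IsAccessTokenCalling() looks up, which is also why that method loses `const`. A line such as `// Cached native token ID of token_sync_service; 0 until the first successful lookup.` above the member would record that. `ACCESSTOKEN_UID` stays declared although the UID comparison that used it is removed in this patch; if nothing else in the class refers to it, it can be dropped.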
@@ -202,6 +202,16 @@ void AccessTokenManagerStub::RevokePermissionInner(MessageParcel& data, MessageP void AccessTokenManagerStub::ClearUserGrantedPermissionStateInner(MessageParcel& data, MessageParcel& reply) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if (!IsAuthorizedCalling() && + VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) { + HiviewDFX::HiSysEvent::Write(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT", + HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR, + "CALLER_TOKENID", callingTokenID); + ACCESSTOKEN_LOG_ERROR(LABEL, "permission denied(tokenID=%{public}d)", callingTokenID); + reply.WriteInt32(RET_FAILED); + return; + } AccessTokenID tokenID = data.ReadUint32(); int result = this->ClearUserGrantedPermissionState(tokenID); reply.WriteInt32(result); @@ -210,7 +220,7 @@ void AccessTokenManagerStub::ClearUserGrantedPermissionStateInner(MessageParcel& void AccessTokenManagerStub::AllocHapTokenInner(MessageParcel& data, MessageParcel& reply) { AccessTokenIDEx res = {0}; - if (!IsAuthorizedCalling()) { + if (!IsFoundationCalling() && !IsAuthorizedCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -236,7 +246,7 @@ void AccessTokenManagerStub::GetTokenTypeInner(MessageParcel& data, MessageParce void AccessTokenManagerStub::CheckNativeDCapInner(MessageParcel& data, MessageParcel& reply) { - if (!IsNativeProcessCalling()) { + if (!IsNativeProcessCalling() && !IsAuthorizedCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; 
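Review bot: The guard added to ClearUserGrantedPermissionStateInner denies only when VerifyAccessToken returns exactly PERMISSION_DENIED, so any other non-granted return value would be treated as allowed. Comparing against the granted value fails closed: `VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) != PERMISSION_GRANTED`. The Register/UnRegisterPermStateChangeCallbackInner hunks keep the same `== PERMISSION_DENIED` comparison. `callingTokenID` is a `uint32_t` but is logged with `%{public}d`; `%{public}u` keeps IDs with the top bit set from printing as negative numbers.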
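Review bot: A caller with UID 0 or 1000 now passes the guard in CheckNativeDCapInner whatever its token type, because `!IsAuthorizedCalling()` is and-ed into the denial condition; since this patch also removes TOKEN_SHELL from IsNativeProcessCalling, a shell-token caller under one of those UIDs would still be admitted. The same condition is used in the GetHapTokenIDInner, AllocLocalTokenIDInner, GetHapTokenInfoInner, GetNativeTokenInfoInner, GetNativeTokenIdInner and DumpTokenInfoInner hunks, and with IsRootCalling in the three token_sync_manager_stub.cpp handlers. If the UID path is meant as a transitional fallback, a comment at IsAuthorizedCalling should say so, e.g. `// UID fallback for callers that do not yet carry a native token.`; otherwise these handlers could stay token-only.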
@@ -249,7 +259,7 @@ void AccessTokenManagerStub::CheckNativeDCapInner(MessageParcel& data, MessagePa void AccessTokenManagerStub::GetHapTokenIDInner(MessageParcel& data, MessageParcel& reply) { - if (!IsNativeProcessCalling()) { + if (!IsNativeProcessCalling() && !IsAuthorizedCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(INVALID_TOKENID); return; @@ -263,7 +273,7 @@ void AccessTokenManagerStub::GetHapTokenIDInner(MessageParcel& data, MessageParc void AccessTokenManagerStub::AllocLocalTokenIDInner(MessageParcel& data, MessageParcel& reply) { - if ((!IsAuthorizedCalling()) && (!IsNativeProcessCalling())) { + if ((!IsNativeProcessCalling()) && !IsAuthorizedCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(INVALID_TOKENID); return; @@ -276,7 +286,7 @@ void AccessTokenManagerStub::AllocLocalTokenIDInner(MessageParcel& data, Message void AccessTokenManagerStub::UpdateHapTokenInner(MessageParcel& data, MessageParcel& reply) { - if (!IsAuthorizedCalling()) { + if (!IsFoundationCalling() && !IsAuthorizedCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -296,7 +306,7 @@ void AccessTokenManagerStub::UpdateHapTokenInner(MessageParcel& data, MessagePar void AccessTokenManagerStub::GetHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - if (!IsNativeProcessCalling()) { + if (!IsNativeProcessCalling() && !IsAuthorizedCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; 
@@ -310,7 +320,7 @@ void AccessTokenManagerStub::GetHapTokenInfoInner(MessageParcel& data, MessagePa void AccessTokenManagerStub::GetNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - if (!IsNativeProcessCalling()) { + if (!IsNativeProcessCalling() && !IsAuthorizedCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -325,8 +335,7 @@ void AccessTokenManagerStub::GetNativeTokenInfoInner(MessageParcel& data, Messag void AccessTokenManagerStub::RegisterPermStateChangeCallbackInner(MessageParcel& data, MessageParcel& reply) { uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); - if (!IsAuthorizedCalling() && - VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) { + if (VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) { ACCESSTOKEN_LOG_ERROR(LABEL, "permission denied(tokenID=%{public}d)", callingTokenID); reply.WriteInt32(RET_FAILED); return; @@ -349,8 +358,7 @@ void AccessTokenManagerStub::RegisterPermStateChangeCallbackInner(MessageParcel& void AccessTokenManagerStub::UnRegisterPermStateChangeCallbackInner(MessageParcel& data, MessageParcel& reply) { uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); - if (!IsAuthorizedCalling() && - VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) { + if (VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) { ACCESSTOKEN_LOG_ERROR(LABEL, "permission denied(tokenID=%{public}d)", callingTokenID); reply.WriteInt32(RET_FAILED); return; 
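Review bot: A denied call to RegisterPermStateChangeCallbackInner or UnRegisterPermStateChangeCallbackInner leaves only a log line, while the denial path added to ClearUserGrantedPermissionStateInner in this same patch also writes a PERMISSION_VERIFY_REPORT security event. If that event feeds monitoring, emitting it here as well keeps rejected GET_SENSITIVE_PERMISSIONS callers visible in one place; the call would be the same `HiviewDFX::HiSysEvent::Write(...)` with `"CALLER_TOKENID", callingTokenID`. Both function bodies continue outside their hunks.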
@@ -367,13 +375,18 @@ void AccessTokenManagerStub::UnRegisterPermStateChangeCallbackInner(MessageParce void AccessTokenManagerStub::ReloadNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply) { + if (!IsAuthorizedCalling()) { + ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); + reply.WriteUint32(RET_FAILED); + return; + } int32_t result = this->ReloadNativeTokenInfo(); reply.WriteInt32(result); } void AccessTokenManagerStub::GetNativeTokenIdInner(MessageParcel& data, MessageParcel& reply) { - if (!IsNativeProcessCalling()) { + if (!IsNativeProcessCalling() && !IsAuthorizedCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteUint32(INVALID_TOKENID); return; @@ -511,7 +524,7 @@ void AccessTokenManagerStub::DeleteRemoteDeviceTokensInner(MessageParcel& data, void AccessTokenManagerStub::DumpTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - if (!IsNativeProcessCalling()) { + if (!IsNativeProcessCalling() && !IsAuthorizedCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; 
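Review bot: The denial path added to ReloadNativeTokenInfoInner answers with `reply.WriteUint32(RET_FAILED)`, but the success path a few lines below writes the result with WriteInt32, so the two paths disagree on the type of the same reply field. Use `reply.WriteInt32(RET_FAILED);` so a client reading an int32 sees one encoding on both paths.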
@@ -524,26 +537,31 @@ void AccessTokenManagerStub::DumpTokenInfoInner(MessageParcel& data, MessageParc bool AccessTokenManagerStub::IsAuthorizedCalling() const { - int callingUid = IPCSkeleton::GetCallingUid(); + int32_t callingUid = IPCSkeleton::GetCallingUid(); ACCESSTOKEN_LOG_INFO(LABEL, "Calling uid: %{public}d", callingUid); - return callingUid == SYSTEM_UID || callingUid == ROOT_UID || callingUid == FOUNDATION_UID; + return callingUid == SYSTEM_UID || callingUid == ROOT_UID; } -bool AccessTokenManagerStub::IsAccessTokenCalling() const +bool AccessTokenManagerStub::IsFoundationCalling() const { - int callingUid = IPCSkeleton::GetCallingUid(); - return callingUid == ACCESSTOKEN_UID; + int32_t callingUid = IPCSkeleton::GetCallingUid(); + ACCESSTOKEN_LOG_INFO(LABEL, "Calling uid: %{public}d", callingUid); + return callingUid == FOUNDATION_UID; +} + +bool AccessTokenManagerStub::IsAccessTokenCalling() +{ + int tokenCaller = IPCSkeleton::GetCallingTokenID(); + if (tokenSyncId_ == 0) { + tokenSyncId_ = this->GetNativeTokenId("token_sync_service"); + } + return tokenCaller == tokenSyncId_; } bool AccessTokenManagerStub::IsNativeProcessCalling() { AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - int32_t type = this->GetTokenType(tokenCaller); - ACCESSTOKEN_LOG_DEBUG(LABEL, "Calling tokenID: %{public}d, type: %{public}d", tokenCaller, type); - if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { - return false; - } - return true; + return this->GetTokenType(tokenCaller) == TOKEN_NATIVE; } AccessTokenManagerStub::AccessTokenManagerStub() diff --git a/services/tokensyncmanager/include/service/token_sync_manager_stub.h b/services/tokensyncmanager/include/service/token_sync_manager_stub.h index f16fd8dd7..ed587de81 100644 --- a/services/tokensyncmanager/include/service/token_sync_manager_stub.h +++ b/services/tokensyncmanager/include/service/token_sync_manager_stub.h 
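Review bot: IsAccessTokenCalling() returns true for a caller whose token ID is 0 whenever the lookup of "token_sync_service" has not produced a non-zero ID, because `tokenSyncId_` starts at 0 and the function ends with a bare `tokenCaller == tokenSyncId_`. Patch 2/2 makes this function the only gate on the remote-token handlers (GetHapTokenInfoFromRemoteInner through DeleteRemoteDeviceTokensInner), so it should fail closed: `return (tokenSyncId_ != 0) && (tokenCaller == tokenSyncId_);`. The local should be `AccessTokenID tokenCaller` rather than `int`, which avoids a signed/unsigned comparison. The lazy write to `tokenSyncId_` is unsynchronised; if stub handlers can run on more than one IPC thread, that write needs a lock or an atomic.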
@@ -34,6 +34,9 @@ private: void GetRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply); void DeleteRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply); void UpdateRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply); + + bool IsNativeProcessCalling() const; + bool IsRootCalling() const; }; } // namespace AccessToken } // namespace Security diff --git a/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp b/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp index 85ca0d399..73cac0503 100644 --- a/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp +++ b/services/tokensyncmanager/src/service/token_sync_manager_stub.cpp @@ -26,6 +26,7 @@ namespace Security { namespace AccessToken { namespace { static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "TokenSyncManagerStub"}; +static const int32_t ROOT_UID = 0; } int32_t TokenSyncManagerStub::OnRemoteRequest( 
@@ -53,15 +54,29 @@ int32_t TokenSyncManagerStub::OnRemoteRequest( return NO_ERROR; } -void TokenSyncManagerStub::GetRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) +bool TokenSyncManagerStub::IsNativeProcessCalling() const { AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); int type = (reinterpret_cast(&tokenCaller))->type; - if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { + ACCESSTOKEN_LOG_DEBUG(LABEL, "Calling type: %{public}d", type); + return type == TOKEN_NATIVE; +} + +bool TokenSyncManagerStub::IsRootCalling() const +{ + int callingUid = IPCSkeleton::GetCallingUid(); + ACCESSTOKEN_LOG_DEBUG(LABEL, "Calling uid: %{public}d", callingUid); + return callingUid == ROOT_UID; +} + +void TokenSyncManagerStub::GetRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) +{ + if (!IsRootCalling() && !IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; } + std::string deviceID = data.ReadString(); AccessTokenID tokenID = data.ReadUint32(); @@ -72,13 +87,12 @@ void TokenSyncManagerStub::GetRemoteHapTokenInfoInner(MessageParcel& data, Messa void TokenSyncManagerStub::DeleteRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - int type = (reinterpret_cast(&tokenCaller))->type; - if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { + if (!IsRootCalling() && !IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; } + std::string deviceID = data.ReadString(); AccessTokenID tokenID = data.ReadUint32(); int result = this->DeleteRemoteHapTokenInfo(tokenID); 
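Review bot: The denial branches in GetRemoteHapTokenInfoInner and DeleteRemoteHapTokenInfoInner (and UpdateRemoteHapTokenInfoInner in the next hunk) log only the function name at ERROR, while the caller's UID and token type are logged by the new helpers at DEBUG, so a rejected call cannot be attributed when debug logging is off. Adding the token ID to the denial message closes that gap: `ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied(tokenID=%{public}u)", __func__, IPCSkeleton::GetCallingTokenID());`. IsRootCalling declares `int callingUid` where the access-token stub in this patch moved to `int32_t`; using `int32_t` here keeps the two stubs alike.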
@@ -87,13 +101,12 @@ void TokenSyncManagerStub::DeleteRemoteHapTokenInfoInner(MessageParcel& data, Me void TokenSyncManagerStub::UpdateRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); - int type = (reinterpret_cast(&tokenCaller))->type; - if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) { + if (!IsRootCalling() && !IsNativeProcessCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; } + sptr tokenInfoParcelPtr = data.ReadParcelable(); int result = RET_FAILED; if (tokenInfoParcelPtr != nullptr) { diff --git a/services/tokensyncmanager/test/unittest/token_sync_service/BUILD.gn b/services/tokensyncmanager/test/unittest/token_sync_service/BUILD.gn index 9252861a6..0fae85ace 100644 --- a/services/tokensyncmanager/test/unittest/token_sync_service/BUILD.gn +++ b/services/tokensyncmanager/test/unittest/token_sync_service/BUILD.gn @@ -67,12 +67,14 @@ ohos_unittest("libtoken_sync_service_sdk_test") { "//foundation/communication/dsoftbus/interfaces/kits/common", "//foundation/communication/dsoftbus/interfaces/kits/bus_center", "//foundation/distributedhardware/device_manager/interfaces/inner_kits/native_cpp/include", + "//base/security/access_token/interfaces/innerkits/token_setproc/include", ] deps = [ "//base/security/access_token/frameworks/accesstoken:accesstoken_communication_adapter_cxx", "//base/security/access_token/frameworks/common:accesstoken_common_cxx", "//base/security/access_token/interfaces/innerkits/accesstoken:libaccesstoken_sdk", + "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc", "//foundation/distributedhardware/device_manager/interfaces/inner_kits/native_cpp:devicemanagersdk", "//third_party/zlib:libz", ] 
diff --git a/services/tokensyncmanager/test/unittest/token_sync_service/token_sync_service_test.cpp b/services/tokensyncmanager/test/unittest/token_sync_service/token_sync_service_test.cpp index 3517a2721..a5adc86de 100644 --- a/services/tokensyncmanager/test/unittest/token_sync_service/token_sync_service_test.cpp +++ b/services/tokensyncmanager/test/unittest/token_sync_service/token_sync_service_test.cpp @@ -32,6 +32,7 @@ #include "device_info.h" #include "soft_bus_device_connection_listener.h" #include "soft_bus_session_listener.h" +#include "token_setproc.h" #include "device_info_manager.h" #define private public @@ -63,8 +64,19 @@ TokenSyncServiceTest::TokenSyncServiceTest() } TokenSyncServiceTest::~TokenSyncServiceTest() {} + +void NativeTokenGet() +{ + uint64_t tokenId; + tokenId = AccessTokenKit::GetNativeTokenId("token_sync_service"); + ASSERT_NE(tokenId, 0); + SetSelfTokenID(tokenId); +} + void TokenSyncServiceTest::SetUpTestCase() -{} +{ + NativeTokenGet(); +} void TokenSyncServiceTest::TearDownTestCase() {} void TokenSyncServiceTest::SetUp() -- Gitee From 29c53bfd1a47edbdb51655b3c4194b2b18e5ba80 Mon Sep 17 00:00:00 2001 From: lsq Date: Mon, 19 Sep 2022 11:33:36 +0800 Subject: [PATCH 2/2] =?UTF-8?q?=E4=BF=AE=E6=94=B9remote=E7=9B=B8=E5=85=B3?= =?UTF-8?q?=E6=8E=A5=E5=8F=A3=E7=9A=84=E6=9D=83=E9=99=90=E8=8C=83=E5=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: lsq Change-Id: I8a57d62cdf2a25d29934086e6cbb20e25c347c77 --- .../cpp/src/service/accesstoken_manager_stub.cpp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp index 18033ad0b..f32db8c38 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp 
+++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp @@ -403,7 +403,7 @@ void AccessTokenManagerStub::GetNativeTokenIdInner(MessageParcel& data, MessageP #ifdef TOKEN_SYNC_ENABLE void AccessTokenManagerStub::GetHapTokenInfoFromRemoteInner(MessageParcel& data, MessageParcel& reply) { - if (!IsAuthorizedCalling() && !IsAccessTokenCalling()) { + if (!IsAccessTokenCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -418,7 +418,7 @@ void AccessTokenManagerStub::GetHapTokenInfoFromRemoteInner(MessageParcel& data, void AccessTokenManagerStub::GetAllNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - if (!IsAuthorizedCalling() && !IsAccessTokenCalling()) { + if (!IsAccessTokenCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -434,7 +434,7 @@ void AccessTokenManagerStub::GetAllNativeTokenInfoInner(MessageParcel& data, Mes void AccessTokenManagerStub::SetRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - if (!IsAuthorizedCalling() && !IsAccessTokenCalling()) { + if (!IsAccessTokenCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -452,7 +452,7 @@ void AccessTokenManagerStub::SetRemoteHapTokenInfoInner(MessageParcel& data, Mes void AccessTokenManagerStub::SetRemoteNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply) { - if (!IsAuthorizedCalling() && !IsAccessTokenCalling()) { + if (!IsAccessTokenCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; 
@@ -482,7 +482,7 @@ void AccessTokenManagerStub::SetRemoteNativeTokenInfoInner(MessageParcel& data, void AccessTokenManagerStub::DeleteRemoteTokenInner(MessageParcel& data, MessageParcel& reply) { - if (!IsAuthorizedCalling() && !IsAccessTokenCalling()) { + if (!IsAccessTokenCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; @@ -496,7 +496,7 @@ void AccessTokenManagerStub::DeleteRemoteTokenInner(MessageParcel& data, Message void AccessTokenManagerStub::GetRemoteNativeTokenIDInner(MessageParcel& data, MessageParcel& reply) { - if (!IsAuthorizedCalling() && !IsAccessTokenCalling()) { + if (!IsAccessTokenCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(INVALID_TOKENID); return; @@ -510,7 +510,7 @@ void AccessTokenManagerStub::GetRemoteNativeTokenIDInner(MessageParcel& data, Me void AccessTokenManagerStub::DeleteRemoteDeviceTokensInner(MessageParcel& data, MessageParcel& reply) { - if (!IsAuthorizedCalling() && !IsAccessTokenCalling()) { + if (!IsAccessTokenCalling()) { ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__); reply.WriteInt32(RET_FAILED); return; -- Gitee