diff --git a/services/samgr/native/include/system_ability_manager_stub.h b/services/samgr/native/include/system_ability_manager_stub.h index 25508b3c14048dc3d0729dd426a28f346b58e066..c2b2a2178fb9dabd827f824fe54324dfa0b29e81 100644 --- a/services/samgr/native/include/system_ability_manager_stub.h +++ b/services/samgr/native/include/system_ability_manager_stub.h @@ -228,6 +228,8 @@ private: int32_t GetCommonEventExtraDataIdlistInner(MessageParcel& data, MessageParcel& reply); int32_t GetLocalAbilityManagerProxyInner(MessageParcel& data, MessageParcel& reply); static int32_t GetHapIdMultiuser(int32_t uid); + int32_t LoadSACheck(int32_t systemAbilityId); + int32_t LoadRemoteSACheck(int32_t systemAbilityId); #ifdef SUPPORT_PENGLAI_MODE void SetPengLai(bool isPengLai); bool isPengLai_ = false; diff --git a/services/samgr/native/source/system_ability_manager_stub.cpp b/services/samgr/native/source/system_ability_manager_stub.cpp index 290377d5962f0a2d9d87b203aa571d8ec427056d..1f8bb91464df550d7d5b9d622a6303f7474d5b78 100644 --- a/services/samgr/native/source/system_ability_manager_stub.cpp +++ b/services/samgr/native/source/system_ability_manager_stub.cpp @@ -358,6 +358,14 @@ int32_t SystemAbilityManagerStub::CheckRemtSystemAbilityInner(MessageParcel& dat return ERR_NULL_OBJECT; } +#ifdef SUPPORT_PENGLAI_MODE + if (isPengLai_ && !SamgrUtil::CheckPengLaiPermission(systemAbilityId)) { + HILOGW("CheckRemt CheckPengLaiPermission denied! SA:%{public}d,callUid:%{public}d", + systemAbilityId, OHOS::IPCSkeleton::GetCallingUid()); + return ERR_PERMISSION_DENIED; + } +#endif + if (!CheckGetRemoteSAPermission(systemAbilityId)) { HILOGE("CheckRemtSystemAbilityInner selinux permission denied! SA:%{public}d,callSid:%{public}s", systemAbilityId, OHOS::IPCSkeleton::GetCallingSid().c_str()); @@ -685,6 +693,29 @@ int32_t SystemAbilityManagerStub::AddSystemProcessInner(MessageParcel& data, Mes return result; } +int32_t SystemAbilityManagerStub::LoadSACheck(int32_t systemAbilityId) +{ + if (!CheckInputSysAbilityId(systemAbilityId)) { + HILOGW("LoadSystemAbilityInner check SAId failed!"); + return ERR_INVALID_VALUE; + } + +#ifdef SUPPORT_PENGLAI_MODE + if (isPengLai_ && !SamgrUtil::CheckPengLaiPermission(systemAbilityId)) { + HILOGW("LoadSA CheckPengLaiPermission denied! SA:%{public}d,callUid:%{public}d", + systemAbilityId, OHOS::IPCSkeleton::GetCallingUid()); + return ERR_PERMISSION_DENIED; + } +#endif + + if (!CheckGetSAPermission(systemAbilityId)) { + HILOGE("LoadSystemAbilityInner selinux permission denied!SA:%{public}d,callSid:%{public}s", + systemAbilityId, OHOS::IPCSkeleton::GetCallingSid().c_str()); + return ERR_PERMISSION_DENIED; + } + return ERR_OK; +} + int32_t SystemAbilityManagerStub::LoadSystemAbilityInner(MessageParcel& data, MessageParcel& reply) { int32_t systemAbilityId = -1; @@ -697,17 +728,10 @@ int32_t SystemAbilityManagerStub::LoadSystemAbilityInner(MessageParcel& data, Me HILOGW("LoadSystemAbilityInner read SAId failed!"); return ERR_INVALID_VALUE; } - if (!CheckInputSysAbilityId(systemAbilityId)) { - HILOGW("LoadSystemAbilityInner check SAId failed!"); - return ERR_INVALID_VALUE; + int32_t checkRet = LoadSACheck(systemAbilityId); + if (checkRet != ERR_OK) { + return checkRet; } - - if (!CheckGetSAPermission(systemAbilityId)) { - HILOGE("LoadSystemAbilityInner selinux permission denied!SA:%{public}d,callSid:%{public}s", - systemAbilityId, OHOS::IPCSkeleton::GetCallingSid().c_str()); - return ERR_PERMISSION_DENIED; - } - sptr remoteObject = data.ReadRemoteObject(); if (remoteObject == nullptr) { HILOGW("LoadSystemAbilityInner read callback failed!"); @@ -740,6 +764,29 @@ int32_t SystemAbilityManagerStub::LoadSystemAbilityInner(MessageParcel& data, Me return result; } +int32_t SystemAbilityManagerStub::LoadRemoteSACheck(int32_t systemAbilityId) +{ + if (!CheckInputSysAbilityId(systemAbilityId)) { + HILOGW("LoadRemoteSystemAbilityInner check SAId invalid"); + return ERR_INVALID_VALUE; + } + +#ifdef SUPPORT_PENGLAI_MODE + if (isPengLai_ && !SamgrUtil::CheckPengLaiPermission(systemAbilityId)) { + HILOGW("LoadRemote CheckPengLaiPermission denied! SA:%{public}d,callUid:%{public}d", + systemAbilityId, OHOS::IPCSkeleton::GetCallingUid()); + return ERR_PERMISSION_DENIED; + } +#endif + + if (!CheckGetRemoteSAPermission(systemAbilityId)) { + HILOGE("LoadRemoteSystemAbilityInner selinux permission denied! SA:%{public}d,callSid:%{public}s", + systemAbilityId, OHOS::IPCSkeleton::GetCallingSid().c_str()); + return ERR_PERMISSION_DENIED; + } + return ERR_OK; +} + int32_t SystemAbilityManagerStub::LoadRemoteSystemAbilityInner(MessageParcel& data, MessageParcel& reply) { int32_t systemAbilityId = -1; @@ -754,17 +801,10 @@ int32_t SystemAbilityManagerStub::LoadRemoteSystemAbilityInner(MessageParcel& da HILOGW("LoadRemoteSystemAbilityInner read SAId invalid"); return ERR_INVALID_VALUE; } - if (!CheckInputSysAbilityId(systemAbilityId)) { - HILOGW("LoadRemoteSystemAbilityInner check SAId invalid"); - return ERR_INVALID_VALUE; - } - - if (!CheckGetRemoteSAPermission(systemAbilityId)) { - HILOGE("LoadRemoteSystemAbilityInner selinux permission denied! SA:%{public}d,callSid:%{public}s", - systemAbilityId, OHOS::IPCSkeleton::GetCallingSid().c_str()); - return ERR_PERMISSION_DENIED; + int32_t checkRet = LoadRemoteSACheck(systemAbilityId); + if (checkRet != ERR_OK) { + return checkRet; } - deviceId = data.ReadString(); if (deviceId.empty()) { HILOGW("LoadRemoteSystemAbilityInner read deviceId failed"); diff --git a/services/samgr/native/test/unittest/src/system_ability_mgr_stub_load_test.cpp b/services/samgr/native/test/unittest/src/system_ability_mgr_stub_load_test.cpp index 7435edddc7fd1cd2ec858d4c3e3934b738f56dd9..e14c7e0c7ff22f78da42e3b64aff9273dba08fd0 100644 --- a/services/samgr/native/test/unittest/src/system_ability_mgr_stub_load_test.cpp +++ b/services/samgr/native/test/unittest/src/system_ability_mgr_stub_load_test.cpp @@ -42,6 +42,13 @@ constexpr uint32_t SAID = 1499; constexpr int64_t DEFAULT_EVENTID = 0; constexpr int32_t INVALID_SAID = -1; } +#ifdef SUPPORT_PENGLAI_MODE +extern bool g_permissionRet; +extern void* g_originHandle; +bool MockIsLaunchAllowedByUid(const int32_t callingUid, const int32_t systemAbilityId); +void SetPenglaiPerm(bool permission); +void UnSetPenglaiPerm(); +#endif void SystemAbilityMgrStubLoadTest::SetUpTestCase() { @@ -319,6 +326,52 @@ HWTEST_F(SystemAbilityMgrStubLoadTest, LoadRemoteSystemAbilityInner005, TestSize EXPECT_EQ(result, ERR_INVALID_VALUE); } +/** + * @tc.name: LoadRemoteSystemAbilityInner006 + * @tc.desc: test LoadRemoteSystemAbilityInner, penglai mode permission check failed! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, LoadRemoteSystemAbilityInner006, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission denied + SetPenglaiPerm(false); + int32_t result = saMgr->LoadRemoteSystemAbilityInner(data, reply); + EXPECT_EQ(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + +/** + * @tc.name: LoadRemoteSystemAbilityInner007 + * @tc.desc: test LoadRemoteSystemAbilityInner, penglai mode permission check success! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, LoadRemoteSystemAbilityInner007, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission true + SetPenglaiPerm(true); + int32_t result = saMgr->LoadRemoteSystemAbilityInner(data, reply); + EXPECT_NE(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + HWTEST_F(SystemAbilityMgrStubLoadTest, InitSaProfile001, TestSize.Level1) { sptr saMgr = SystemAbilityManager::GetInstance(); @@ -1216,6 +1269,52 @@ HWTEST_F(SystemAbilityMgrStubLoadTest, LoadSystemAbility008, TestSize.Level3) EXPECT_EQ(res, ERR_OK); } +/** + * @tc.name: LoadSystemAbilityInner001 + * @tc.desc: test LoadSystemAbilityInner, penglai mode permission check failed! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, LoadSystemAbilityInner001, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission denied + SetPenglaiPerm(false); + int32_t result = saMgr->LoadSystemAbilityInner(data, reply); + EXPECT_EQ(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + +/** + * @tc.name: LoadSystemAbilityInner002 + * @tc.desc: test LoadSystemAbilityInner, penglai mode permission check success! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, LoadSystemAbilityInner002, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission true + SetPenglaiPerm(true); + int32_t result = saMgr->LoadSystemAbilityInner(data, reply); + EXPECT_NE(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + /** * @tc.name: DoMakeRemoteBinder001 * @tc.desc: test DoMakeRemoteBinder, callback is nullptr diff --git a/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp b/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp index 5024627fa54e60e25df3c9a502e5a6e9820e13c2..78b8d3fac0d9e9c71210a0214953f88ad6f9a433 100644 --- a/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp +++ b/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp @@ -442,6 +442,52 @@ HWTEST_F(SystemAbilityMgrStubTest, CheckRemtSystemAbilityInner004, TestSize.Leve EXPECT_EQ(result, ERR_NULL_OBJECT); } +/** + * @tc.name: CheckRemtSystemAbilityInner005 + * @tc.desc: test CheckRemtSystemAbilityInner, penglai mode permission check failed! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, CheckRemtSystemAbilityInner005, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission denied + SetPenglaiPerm(false); + int32_t result = saMgr->CheckRemtSystemAbilityInner(data, reply); + EXPECT_EQ(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + +/** + * @tc.name: CheckRemtSystemAbilityInner006 + * @tc.desc: test CheckSystemAbilityImmeInner, penglai mode permission check success! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, CheckRemtSystemAbilityInner006, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission true + SetPenglaiPerm(true); + int32_t result = saMgr->CheckRemtSystemAbilityInner(data, reply); + EXPECT_NE(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + /** * @tc.name: AddOndemandSystemAbilityInner002 * @tc.desc: test AddOndemandSystemAbilityInner, read systemAbilityId failed!