From 2f3277e4b591f5e53e1556a6283a5f67dba88871 Mon Sep 17 00:00:00 2001 From: c_bing_b Date: Wed, 13 Aug 2025 19:19:41 +0800 Subject: [PATCH 1/2] add permission verify Signed-off-by: c_bing_b --- .../include/system_ability_manager_stub.h | 2 + .../source/system_ability_manager_stub.cpp | 80 +++++++++++---- .../src/system_ability_mgr_stub_load_test.cpp | 99 +++++++++++++++++++ .../src/system_ability_mgr_stub_test.cpp | 70 ++++++++++--- 4 files changed, 219 insertions(+), 32 deletions(-) diff --git a/services/samgr/native/include/system_ability_manager_stub.h b/services/samgr/native/include/system_ability_manager_stub.h index 25508b3c..c2b2a217 100644 --- a/services/samgr/native/include/system_ability_manager_stub.h +++ b/services/samgr/native/include/system_ability_manager_stub.h @@ -228,6 +228,8 @@ private: int32_t GetCommonEventExtraDataIdlistInner(MessageParcel& data, MessageParcel& reply); int32_t GetLocalAbilityManagerProxyInner(MessageParcel& data, MessageParcel& reply); static int32_t GetHapIdMultiuser(int32_t uid); + int32_t LoadSACheck(int32_t systemAbilityId); + int32_t LoadRemoteSACheck(int32_t systemAbilityId); #ifdef SUPPORT_PENGLAI_MODE void SetPengLai(bool isPengLai); bool isPengLai_ = false; diff --git a/services/samgr/native/source/system_ability_manager_stub.cpp b/services/samgr/native/source/system_ability_manager_stub.cpp index 290377d5..1f8bb914 100644 --- a/services/samgr/native/source/system_ability_manager_stub.cpp +++ b/services/samgr/native/source/system_ability_manager_stub.cpp 
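Review bot: `LoadSACheck` and `LoadRemoteSACheck` are declared without any comment, although they now carry the authorization checks that used to be inline in `LoadSystemAbilityInner` and `LoadRemoteSystemAbilityInner`. Going by the .cpp part of this patch, each validates the SAID, applies the PengLai check when built with SUPPORT_PENGLAI_MODE, then the SELinux check, and logs the caller via `IPCSkeleton::GetCallingUid()`/`GetCallingSid()`. I would add above them `// Authorizes the current IPC caller for systemAbilityId; returns ERR_OK only when the SAID, PengLai and SELinux checks all pass.` A second line should say they are presumably only meaningful on the IPC handling thread, since the caller identity comes from IPCSkeleton. The class body starts and ends outside the hunk.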
@@ -358,6 +358,14 @@ int32_t SystemAbilityManagerStub::CheckRemtSystemAbilityInner(MessageParcel& dat return ERR_NULL_OBJECT; } +#ifdef SUPPORT_PENGLAI_MODE + if (isPengLai_ && !SamgrUtil::CheckPengLaiPermission(systemAbilityId)) { + HILOGW("CheckRemt CheckPengLaiPermission denied! SA:%{public}d,callUid:%{public}d", + systemAbilityId, OHOS::IPCSkeleton::GetCallingUid()); + return ERR_PERMISSION_DENIED; + } +#endif + if (!CheckGetRemoteSAPermission(systemAbilityId)) { HILOGE("CheckRemtSystemAbilityInner selinux permission denied! SA:%{public}d,callSid:%{public}s", systemAbilityId, OHOS::IPCSkeleton::GetCallingSid().c_str()); @@ -685,6 +693,29 @@ int32_t SystemAbilityManagerStub::AddSystemProcessInner(MessageParcel& data, Mes return result; } +int32_t SystemAbilityManagerStub::LoadSACheck(int32_t systemAbilityId) +{ + if (!CheckInputSysAbilityId(systemAbilityId)) { + HILOGW("LoadSystemAbilityInner check SAId failed!"); + return ERR_INVALID_VALUE; + } + +#ifdef SUPPORT_PENGLAI_MODE + if (isPengLai_ && !SamgrUtil::CheckPengLaiPermission(systemAbilityId)) { + HILOGW("LoadSA CheckPengLaiPermission denied! SA:%{public}d,callUid:%{public}d", + systemAbilityId, OHOS::IPCSkeleton::GetCallingUid()); + return ERR_PERMISSION_DENIED; + } +#endif + + if (!CheckGetSAPermission(systemAbilityId)) { + HILOGE("LoadSystemAbilityInner selinux permission denied!SA:%{public}d,callSid:%{public}s", + systemAbilityId, OHOS::IPCSkeleton::GetCallingSid().c_str()); + return ERR_PERMISSION_DENIED; + } + return ERR_OK; +} + int32_t SystemAbilityManagerStub::LoadSystemAbilityInner(MessageParcel& data, MessageParcel& reply) { int32_t systemAbilityId = -1; 
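Review bot: The PengLai denial added to `CheckRemtSystemAbilityInner` is logged with `HILOGW`, while the SELinux denial directly below it uses `HILOGE`, so two kinds of authorization failure land at different severities for anyone alerting on denied calls. The same holds for the copies in `LoadSACheck` (second hunk here) and `LoadRemoteSACheck`. The `#ifdef SUPPORT_PENGLAI_MODE` block is repeated three times and differs only in the log prefix. A private helper, sketched below, would keep the three gates from drifting apart; its name is a suggestion and it needs a declaration in the header. The body of `CheckRemtSystemAbilityInner` starts and ends outside the hunk.

```cpp
#ifdef SUPPORT_PENGLAI_MODE
// True when PengLai mode is off or the current caller may use systemAbilityId.
bool SystemAbilityManagerStub::CheckPengLaiAccess(const char* op, int32_t systemAbilityId)
{
    if (!isPengLai_ || SamgrUtil::CheckPengLaiPermission(systemAbilityId)) {
        return true;
    }
    HILOGE("%{public}s CheckPengLaiPermission denied! SA:%{public}d,callUid:%{public}d",
        op, systemAbilityId, OHOS::IPCSkeleton::GetCallingUid());
    return false;
}
#endif

// … unchanged: SAID validation in each caller …
#ifdef SUPPORT_PENGLAI_MODE
    if (!CheckPengLaiAccess("CheckRemt", systemAbilityId)) {
        return ERR_PERMISSION_DENIED;
    }
#endif
// … unchanged: SELinux permission check …
```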
@@ -697,17 +728,10 @@ int32_t SystemAbilityManagerStub::LoadSystemAbilityInner(MessageParcel& data, Me HILOGW("LoadSystemAbilityInner read SAId failed!"); return ERR_INVALID_VALUE; } - if (!CheckInputSysAbilityId(systemAbilityId)) { - HILOGW("LoadSystemAbilityInner check SAId failed!"); - return ERR_INVALID_VALUE; + int32_t checkRet = LoadSACheck(systemAbilityId); + if (checkRet != ERR_OK) { + return checkRet; } - - if (!CheckGetSAPermission(systemAbilityId)) { - HILOGE("LoadSystemAbilityInner selinux permission denied!SA:%{public}d,callSid:%{public}s", - systemAbilityId, OHOS::IPCSkeleton::GetCallingSid().c_str()); - return ERR_PERMISSION_DENIED; - } - sptr remoteObject = data.ReadRemoteObject(); if (remoteObject == nullptr) { HILOGW("LoadSystemAbilityInner read callback failed!"); @@ -740,6 +764,29 @@ int32_t SystemAbilityManagerStub::LoadSystemAbilityInner(MessageParcel& data, Me return result; } +int32_t SystemAbilityManagerStub::LoadRemoteSACheck(int32_t systemAbilityId) +{ + if (!CheckInputSysAbilityId(systemAbilityId)) { + HILOGW("LoadRemoteSystemAbilityInner check SAId invalid"); + return ERR_INVALID_VALUE; + } + +#ifdef SUPPORT_PENGLAI_MODE + if (isPengLai_ && !SamgrUtil::CheckPengLaiPermission(systemAbilityId)) { + HILOGW("LoadRemote CheckPengLaiPermission denied! SA:%{public}d,callUid:%{public}d", + systemAbilityId, OHOS::IPCSkeleton::GetCallingUid()); + return ERR_PERMISSION_DENIED; + } +#endif + + if (!CheckGetRemoteSAPermission(systemAbilityId)) { + HILOGE("LoadRemoteSystemAbilityInner selinux permission denied! SA:%{public}d,callSid:%{public}s", + systemAbilityId, OHOS::IPCSkeleton::GetCallingSid().c_str()); + return ERR_PERMISSION_DENIED; + } + return ERR_OK; +} + int32_t SystemAbilityManagerStub::LoadRemoteSystemAbilityInner(MessageParcel& data, MessageParcel& reply) { int32_t systemAbilityId = -1; 
@@ -754,17 +801,10 @@ int32_t SystemAbilityManagerStub::LoadRemoteSystemAbilityInner(MessageParcel& da HILOGW("LoadRemoteSystemAbilityInner read SAId invalid"); return ERR_INVALID_VALUE; } - if (!CheckInputSysAbilityId(systemAbilityId)) { - HILOGW("LoadRemoteSystemAbilityInner check SAId invalid"); - return ERR_INVALID_VALUE; - } - - if (!CheckGetRemoteSAPermission(systemAbilityId)) { - HILOGE("LoadRemoteSystemAbilityInner selinux permission denied! SA:%{public}d,callSid:%{public}s", - systemAbilityId, OHOS::IPCSkeleton::GetCallingSid().c_str()); - return ERR_PERMISSION_DENIED; + int32_t checkRet = LoadRemoteSACheck(systemAbilityId); + if (checkRet != ERR_OK) { + return checkRet; } - deviceId = data.ReadString(); if (deviceId.empty()) { HILOGW("LoadRemoteSystemAbilityInner read deviceId failed"); diff --git a/services/samgr/native/test/unittest/src/system_ability_mgr_stub_load_test.cpp b/services/samgr/native/test/unittest/src/system_ability_mgr_stub_load_test.cpp index 7435eddd..e14c7e0c 100644 --- a/services/samgr/native/test/unittest/src/system_ability_mgr_stub_load_test.cpp +++ b/services/samgr/native/test/unittest/src/system_ability_mgr_stub_load_test.cpp @@ -42,6 +42,13 @@ constexpr uint32_t SAID = 1499; constexpr int64_t DEFAULT_EVENTID = 0; constexpr int32_t INVALID_SAID = -1; } +#ifdef SUPPORT_PENGLAI_MODE +extern bool g_permissionRet; +extern void* g_originHandle; +bool MockIsLaunchAllowedByUid(const int32_t callingUid, const int32_t systemAbilityId); +void SetPenglaiPerm(bool permission); +void UnSetPenglaiPerm(); +#endif void SystemAbilityMgrStubLoadTest::SetUpTestCase() { 
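Review bot: In the `@@ -42,6 +42,13 @@` hunk of system_ability_mgr_stub_load_test.cpp, `g_permissionRet`, `g_originHandle` and `MockIsLaunchAllowedByUid` are declared, but none of the tests this patch adds to the file uses them; only `SetPenglaiPerm` and `UnSetPenglaiPerm` are called. Hand-written `extern` declarations in a test .cpp are also never checked against the definitions, which are not part of this patch. If a shared test header already declares the PengLai mock, including it would be safer. Otherwise I would trim the block to the two functions in use and add `// PengLai permission mock, defined in <defining test file>` above it.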
@@ -319,6 +326,52 @@ HWTEST_F(SystemAbilityMgrStubLoadTest, LoadRemoteSystemAbilityInner005, TestSize EXPECT_EQ(result, ERR_INVALID_VALUE); } +/** + * @tc.name: LoadRemoteSystemAbilityInner006 + * @tc.desc: test LoadRemoteSystemAbilityInner, penglai mode permission check failed! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, LoadRemoteSystemAbilityInner006, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission denied + SetPenglaiPerm(false); + int32_t result = saMgr->LoadRemoteSystemAbilityInner(data, reply); + EXPECT_EQ(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + +/** + * @tc.name: LoadRemoteSystemAbilityInner007 + * @tc.desc: test LoadRemoteSystemAbilityInner, penglai mode permission check success! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, LoadRemoteSystemAbilityInner007, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission true + SetPenglaiPerm(true); + int32_t result = saMgr->LoadRemoteSystemAbilityInner(data, reply); + EXPECT_NE(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + HWTEST_F(SystemAbilityMgrStubLoadTest, InitSaProfile001, TestSize.Level1) { sptr saMgr = SystemAbilityManager::GetInstance(); 
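Review bot: `LoadRemoteSystemAbilityInner006` and `007` are registered on the `SystemAbilityMgrStubTest` fixture, while every other test visible in this file uses `SystemAbilityMgrStubLoadTest`. Unless that other fixture is declared in a header this file includes, the tests will not compile once SUPPORT_PENGLAI_MODE is defined; if it is, they run under a different SetUp/TearDown than the rest of the file. The same applies to `LoadSystemAbilityInner001` and `002` in the next hunk. I would write `HWTEST_F(SystemAbilityMgrStubLoadTest, LoadRemoteSystemAbilityInner006, TestSize.Level3)` and likewise for the other three. Separately, the 007 case asserts only `EXPECT_NE(result, ERR_PERMISSION_DENIED)`, a code the SELinux check also returns, so a failure there would not show which gate denied the call.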
@@ -1216,6 +1269,52 @@ HWTEST_F(SystemAbilityMgrStubLoadTest, LoadSystemAbility008, TestSize.Level3) EXPECT_EQ(res, ERR_OK); } +/** + * @tc.name: LoadSystemAbilityInner001 + * @tc.desc: test LoadSystemAbilityInner, penglai mode permission check failed! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, LoadSystemAbilityInner001, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission denied + SetPenglaiPerm(false); + int32_t result = saMgr->LoadSystemAbilityInner(data, reply); + EXPECT_EQ(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + +/** + * @tc.name: LoadSystemAbilityInner002 + * @tc.desc: test LoadSystemAbilityInner, penglai mode permission check success! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, LoadSystemAbilityInner002, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission true + SetPenglaiPerm(true); + int32_t result = saMgr->LoadSystemAbilityInner(data, reply); + EXPECT_NE(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + /** * @tc.name: DoMakeRemoteBinder001 * @tc.desc: test DoMakeRemoteBinder, callback is nullptr diff --git a/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp b/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp index 5024627f..e61b9567 100644 --- a/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp +++ b/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp 
@@ -170,18 +170,6 @@ HWTEST_F(SystemAbilityMgrStubTest, UnSubsSystemAbilityInner001, TestSize.Level4) EXPECT_EQ(result, ERR_NULL_OBJECT); } -#ifdef SUPPORT_ACCESS_TOKEN -HWTEST_F(SystemAbilityMgrStubTest, CheckRemtSystemAbilityInner001, TestSize.Level4) -{ - sptr saMgr = SystemAbilityManager::GetInstance(); - EXPECT_TRUE(saMgr != nullptr); - MessageParcel data; - MessageParcel reply; - int32_t result = saMgr->CheckRemtSystemAbilityInner(data, reply); - EXPECT_EQ(result, ERR_PERMISSION_DENIED); -} -#endif - #ifdef SUPPORT_ACCESS_TOKEN HWTEST_F(SystemAbilityMgrStubTest, AddOndemandSystemAbilityInner001, TestSize.Level4) { @@ -392,6 +380,18 @@ HWTEST_F(SystemAbilityMgrStubTest, ListSystemAbilityInner004, TestSize.Level1) EXPECT_EQ(result, ERR_NONE); } +#ifdef SUPPORT_ACCESS_TOKEN +HWTEST_F(SystemAbilityMgrStubTest, CheckRemtSystemAbilityInner001, TestSize.Level4) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + int32_t result = saMgr->CheckRemtSystemAbilityInner(data, reply); + EXPECT_EQ(result, ERR_PERMISSION_DENIED); +} +#endif + /** * @tc.name: CheckRemtSystemAbilityInner002 * @tc.desc: test CheckRemtSystemAbilityInner, read systemAbilityId failed! 
@@ -442,6 +442,52 @@ HWTEST_F(SystemAbilityMgrStubTest, CheckRemtSystemAbilityInner004, TestSize.Leve EXPECT_EQ(result, ERR_NULL_OBJECT); } +/** + * @tc.name: CheckRemtSystemAbilityInner005 + * @tc.desc: test CheckRemtSystemAbilityInner, penglai mode permission check failed! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, CheckRemtSystemAbilityInner005, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission denied + SetPenglaiPerm(false); + int32_t result = saMgr->CheckRemtSystemAbilityInner(data, reply); + EXPECT_EQ(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + +/** + * @tc.name: CheckRemtSystemAbilityInner006 + * @tc.desc: test CheckSystemAbilityImmeInner, penglai mode permission check success! + * @tc.type: FUNC + */ +#ifdef SUPPORT_PENGLAI_MODE +HWTEST_F(SystemAbilityMgrStubTest, CheckRemtSystemAbilityInner006, TestSize.Level3) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + data.WriteInt32(SAID); + saMgr->SetPengLai(true); + // set permission true + SetPenglaiPerm(true); + int32_t result = saMgr->CheckRemtSystemAbilityInner(data, reply); + EXPECT_NE(result, ERR_PERMISSION_DENIED); + UnSetPenglaiPerm(); + saMgr->SetPengLai(false); +} +#endif + /** * @tc.name: AddOndemandSystemAbilityInner002 * @tc.desc: test AddOndemandSystemAbilityInner, read systemAbilityId failed! -- Gitee From 874937b2437071f65612616d2b4a71c7d02234e4 Mon Sep 17 00:00:00 2001 From: chenbingbing Date: Thu, 14 Aug 2025 07:47:47 +0000 Subject: [PATCH 2/2] update services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp. 
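Review bot: The `@tc.desc` of `CheckRemtSystemAbilityInner006` names `CheckSystemAbilityImmeInner`, but the test calls `CheckRemtSystemAbilityInner`; it should read `* @tc.desc: test CheckRemtSystemAbilityInner, penglai mode permission check success!`. Both new tests switch the shared `SystemAbilityManager` singleton into PengLai mode and undo it only in their last two statements. Moving `UnSetPenglaiPerm()` and `SetPengLai(false)` into the fixture's TearDown would keep that state from leaking into later tests if an `ASSERT_*` is ever added before the cleanup. The doc comments also sit outside the `#ifdef SUPPORT_PENGLAI_MODE` guards, so they are left dangling in builds without the macro; placing each `#ifdef` above its comment block would fix that.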
Signed-off-by: chenbingbing --- .../src/system_ability_mgr_stub_test.cpp | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp b/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp index e61b9567..78b8d3fa 100644 --- a/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp +++ b/services/samgr/native/test/unittest/src/system_ability_mgr_stub_test.cpp @@ -170,6 +170,18 @@ HWTEST_F(SystemAbilityMgrStubTest, UnSubsSystemAbilityInner001, TestSize.Level4) EXPECT_EQ(result, ERR_NULL_OBJECT); } +#ifdef SUPPORT_ACCESS_TOKEN +HWTEST_F(SystemAbilityMgrStubTest, CheckRemtSystemAbilityInner001, TestSize.Level4) +{ + sptr saMgr = SystemAbilityManager::GetInstance(); + EXPECT_TRUE(saMgr != nullptr); + MessageParcel data; + MessageParcel reply; + int32_t result = saMgr->CheckRemtSystemAbilityInner(data, reply); + EXPECT_EQ(result, ERR_PERMISSION_DENIED); +} +#endif + #ifdef SUPPORT_ACCESS_TOKEN HWTEST_F(SystemAbilityMgrStubTest, AddOndemandSystemAbilityInner001, TestSize.Level4) { @@ -380,18 +392,6 @@ HWTEST_F(SystemAbilityMgrStubTest, ListSystemAbilityInner004, TestSize.Level1) EXPECT_EQ(result, ERR_NONE); } -#ifdef SUPPORT_ACCESS_TOKEN -HWTEST_F(SystemAbilityMgrStubTest, CheckRemtSystemAbilityInner001, TestSize.Level4) -{ - sptr saMgr = SystemAbilityManager::GetInstance(); - EXPECT_TRUE(saMgr != nullptr); - MessageParcel data; - MessageParcel reply; - int32_t result = saMgr->CheckRemtSystemAbilityInner(data, reply); - EXPECT_EQ(result, ERR_PERMISSION_DENIED); -} -#endif - /** * @tc.name: CheckRemtSystemAbilityInner002 * @tc.desc: test CheckRemtSystemAbilityInner, read systemAbilityId failed! -- Gitee