1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "risk_analysis_manager_service.h"
17
18 #include <thread>
19
20 #include "accesstoken_kit.h"
21 #include "tokenid_kit.h"
22 #include "ipc_skeleton.h"
23
24 #include "bigdata.h"
25 #include "database_manager.h"
26 #include "errors.h"
27 #include "model_manager.h"
28 #include "risk_analysis_define.h"
29 #include "risk_analysis_manager_callback_proxy.h"
30 #include "security_guard_define.h"
31 #include "security_guard_log.h"
32 #include "security_guard_utils.h"
33 #include "system_ability_definition.h"
34 #include "ffrt.h"
35 #include "config_manager.h"
36 #include "store_define.h"
37
38 namespace OHOS::Security::SecurityGuard {
// Registers RiskAnalysisManagerService with the system-ability framework under
// RISK_ANALYSIS_MANAGER_SA_ID.
// NOTE(review): the trailing `true` is presumably the runOnCreate flag that the
// constructor forwards to SystemAbility; confirm against the macro definition.
REGISTER_SYSTEM_ABILITY_BY_ID(RiskAnalysisManagerService, RISK_ANALYSIS_MANAGER_SA_ID, true);
40
namespace {
// Upper bound, in milliseconds, that RequestSecurityModelResult waits for the
// asynchronous analysis task before it reports TIME_OUT.
constexpr int32_t TIMEOUT_REPLY{500};

// Permission names used to authorize callers of this service.
// PERMISSION holds the same string as REQUEST_PERMISSION and is not referenced
// by the code visible in this file.
constexpr const char* PERMISSION{"ohos.permission.securityguard.REQUEST_SECURITY_MODEL_RESULT"};
constexpr const char* REQUEST_PERMISSION{"ohos.permission.securityguard.REQUEST_SECURITY_MODEL_RESULT"};
constexpr const char* QUERY_SECURITY_MODEL_RESULT_PERMISSION{"ohos.permission.QUERY_SECURITY_MODEL_RESULT"};

// Allow-list of model ids. PushRiskAnalysisTask only forwards a request to
// ModelManager when its modelId appears here; any other id is answered with
// UNKNOWN_STATUS.
const std::vector<uint32_t> MODELIDS = {
    3001000000,
    3001000001,
    3001000002,
    3001000005,
    3001000006,
    3001000007,
    3001000009,
};

// API name -> permissions accepted for that API. IsApiHasPermission treats the
// list as alternatives (holding any one of them is enough) and rejects API
// names that have no entry.
const std::unordered_map<std::string, std::vector<std::string>> g_apiPermissionsMap = {
    {
        "RequestSecurityModelResult",
        {REQUEST_PERMISSION, QUERY_SECURITY_MODEL_RESULT_PERMISSION},
    },
};
}
53
// Constructs the service. Both arguments are handed unchanged to the
// SystemAbility base class; the body only emits a warning-level trace that
// contains the function name.
RiskAnalysisManagerService::RiskAnalysisManagerService(int32_t saId, bool runOnCreate)
    : SystemAbility(saId, runOnCreate)
{
    SGLOGW("%{public}s", __func__);
}
59
// Start-up hook: loads the event and model configuration, queues model
// initialisation on ffrt, subscribes to COMMON_EVENT_SERVICE_ID and publishes
// the service.
//
// NOTE(review): every failure here is only logged. The service is still
// published when either configuration fails to load, so requests can arrive
// while the configuration is missing; confirm that the model path fails closed
// in that state.
void RiskAnalysisManagerService::OnStart()
{
    SGLOGI("RiskAnalysisManagerService %{public}s", __func__);

    if (!ConfigManager::InitConfig<EventConfig>()) {
        SGLOGE("init event config error");
    }
    if (!ConfigManager::InitConfig<ModelConfig>()) {
        SGLOGE("init model config error");
    }

    // Model initialisation runs as a submitted task rather than inline, so it
    // is not awaited before Publish() below.
    auto initModels = [] {
        ModelManager::GetInstance().Init();
    };
    ffrt::submit(initModels);

    AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);

    const bool published = Publish(this);
    if (!published) {
        SGLOGE("Publish error");
    }
}
82
// Stop hook. Intentionally empty: nothing is released or unregistered here.
void RiskAnalysisManagerService::OnStop()
{
    // no-op
}
86
// Authorizes the current IPC caller for the named API.
//
// Decision order:
//   1. An API name with no entry in g_apiPermissionsMap is rejected (FAILED),
//      so an unlisted API is denied rather than allowed.
//   2. The caller's token must hold at least ONE of the permissions listed for
//      the API (the list is an OR, not an AND); otherwise NO_PERMISSION.
//   3. A caller whose token type is not TOKEN_NATIVE must additionally be a
//      system app, otherwise NO_SYSTEMCALL.
//
// @param api  key into g_apiPermissionsMap
// @return SUCCESS when the caller is authorized, else FAILED / NO_PERMISSION /
//         NO_SYSTEMCALL as described above
int32_t RiskAnalysisManagerService::IsApiHasPermission(const std::string &api)
{
    const auto entry = g_apiPermissionsMap.find(api);
    if (entry == g_apiPermissionsMap.end()) {
        SGLOGE("api not in map");
        return FAILED;
    }

    // Identity comes from the IPC layer, not from anything the caller passes in.
    AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();

    bool granted = false;
    for (const std::string &per : entry->second) {
        int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, per);
        if (code == AccessToken::PermissionState::PERMISSION_GRANTED) {
            granted = true;
            break;  // first granted permission is sufficient
        }
    }
    if (!granted) {
        SGLOGE("caller no permission");
        return NO_PERMISSION;
    }

    AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
    if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
        return SUCCESS;
    }

    // Every other token type must also pass the system-app check.
    uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
    if (!AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
        SGLOGE("not system app no permission");
        return NO_SYSTEMCALL;
    }
    return SUCCESS;
}
112
// IPC entry point: runs the requested security model and delivers the result
// through the caller-supplied callback object.
//
// The caller is authorized first via IsApiHasPermission. The analysis itself is
// queued with PushRiskAnalysisTask and awaited for at most TIMEOUT_REPLY
// milliseconds. On timeout the result stays an empty string and TIME_OUT is
// returned, but the classify event is still reported and the callback is still
// invoked with that empty result.
//
// @param devId     passed through unchanged to the callback
// @param modelId   caller-chosen model id, forwarded to PushRiskAnalysisTask
// @param param     caller-supplied string forwarded to the model without
//                  validation in this function
// @param callback  remote object cast to RiskAnalysisManagerCallbackProxy
// @return the authorization error, NULL_OBJECT when the callback cannot be
//         cast, TIME_OUT when the wait expired, otherwise SUCCESS
//
// NOTE(review): the callback is validated only after the task has been queued
// and the event reported, so a request with an unusable callback still costs a
// model run. Consider whether the cast can be checked before queuing.
// NOTE(review): the return value of ResponseSecurityModelResult is not checked.
// NOTE(review): the model result is written to the log with %{public}s, i.e.
// unmasked; confirm the result string is acceptable in logs.
int32_t RiskAnalysisManagerService::RequestSecurityModelResult(const std::string &devId, uint32_t modelId,
    const std::string &param, const sptr<IRemoteObject> &callback)
{
    SGLOGI("enter RiskAnalysisManagerService RequestSecurityModelResult");

    const int32_t permissionRet = IsApiHasPermission("RequestSecurityModelResult");
    if (permissionRet != SUCCESS) {
        return permissionRet;
    }

    ClassifyEvent event;
    event.pid = IPCSkeleton::GetCallingPid();
    event.time = SecurityGuardUtils::GetDate();

    // The promise is shared with the queued task, so it stays alive even when
    // this function gives up waiting and returns first.
    auto promise = std::make_shared<std::promise<std::string>>();
    auto future = promise->get_future();
    PushRiskAnalysisTask(modelId, param, promise);

    std::string result{};
    int32_t ret = SUCCESS;
    const bool timedOut =
        future.wait_for(std::chrono::milliseconds(TIMEOUT_REPLY)) == std::future_status::timeout;
    if (timedOut) {
        SGLOGE("wait for result timeout");
        ret = TIME_OUT;
    } else {
        result = future.get();
    }

    SGLOGI("ReportClassifyEvent");
    event.status = result;
    BigData::ReportClassifyEvent(event);

    auto proxy = iface_cast<RiskAnalysisManagerCallbackProxy>(callback);
    if (proxy == nullptr) {
        return NULL_OBJECT;
    }
    proxy->ResponseSecurityModelResult(devId, modelId, result);
    SGLOGI("get analysis result=%{public}s", result.c_str());
    return ret;
}
147
// Queues one model evaluation on ffrt and fulfils `promise` with its outcome.
//
// The task captures modelId, param and promise by value, so it does not depend
// on the caller's stack once submitted. A modelId that is not in the MODELIDS
// allow-list is never handed to ModelManager; the promise is completed with
// UNKNOWN_STATUS instead.
//
// @param modelId  model to evaluate; checked against MODELIDS inside the task
// @param param    forwarded to ModelManager::GetResult as-is
// @param promise  receives the result string; dereferenced without a null check
//
// NOTE(review): if GetResult can fail by throwing (and exceptions are enabled
// in this build), the promise would be left without a value; confirm.
void RiskAnalysisManagerService::PushRiskAnalysisTask(uint32_t modelId, std::string param,
    std::shared_ptr<std::promise<std::string>> promise)
{
    auto task = [modelId, param, promise] {
        SGLOGD("modelId=%{public}u", modelId);

        const bool supported = std::find(MODELIDS.begin(), MODELIDS.end(), modelId) != MODELIDS.end();
        if (supported) {
            std::string result = ModelManager::GetInstance().GetResult(modelId, param);
            SGLOGI("result is %{public}s", result.c_str());
            promise->set_value(result);
            return;
        }

        SGLOGE("model not support, no need to analyse, modelId=%{public}u", modelId);
        promise->set_value(UNKNOWN_STATUS);
    };
    ffrt::submit(task);
}
164
// Stub: ignores both arguments and always reports SUCCESS.
//
// NOTE(review): there is no caller check here and g_apiPermissionsMap has no
// entry for this API. That is harmless while the body does nothing, but an
// implementation that really toggles a model should be authorized the same way
// RequestSecurityModelResult is.
int32_t RiskAnalysisManagerService::SetModelState(uint32_t modelId, bool enable)
{
    const int32_t status = SUCCESS;
    return status;
}
169
// Listener callback for system abilities coming up. Only the common-event
// service is acted on: once it is available, configuration updating is started.
// deviceId is not used.
void RiskAnalysisManagerService::OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
{
    SGLOGI("OnAddSystemAbility, systemAbilityId=%{public}d", systemAbilityId);
    if (systemAbilityId != COMMON_EVENT_SERVICE_ID) {
        return;
    }
    ConfigManager::GetInstance().StartUpdate();
}
177
// Listener callback for system abilities going away. Nothing is torn down;
// the removal is only recorded at warning level. deviceId is not used.
void RiskAnalysisManagerService::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
{
    SGLOGW("OnRemoveSystemAbility, systemAbilityId=%{public}d", systemAbilityId);
}
182 }
183