1eace7efcSopenharmony_ci/*
2eace7efcSopenharmony_ci * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3eace7efcSopenharmony_ci * Licensed under the Apache License, Version 2.0 (the "License");
4eace7efcSopenharmony_ci * you may not use this file except in compliance with the License.
5eace7efcSopenharmony_ci * You may obtain a copy of the License at
6eace7efcSopenharmony_ci *
7eace7efcSopenharmony_ci *     http://www.apache.org/licenses/LICENSE-2.0
8eace7efcSopenharmony_ci *
9eace7efcSopenharmony_ci * Unless required by applicable law or agreed to in writing, software
10eace7efcSopenharmony_ci * distributed under the License is distributed on an "AS IS" BASIS,
11eace7efcSopenharmony_ci * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12eace7efcSopenharmony_ci * See the License for the specific language governing permissions and
13eace7efcSopenharmony_ci * limitations under the License.
14eace7efcSopenharmony_ci */
15eace7efcSopenharmony_ci
16eace7efcSopenharmony_ci#ifndef OHOS_ABILITY_RUNTIME_DLP_UTILS_H
17eace7efcSopenharmony_ci#define OHOS_ABILITY_RUNTIME_DLP_UTILS_H
18eace7efcSopenharmony_ci
19eace7efcSopenharmony_ci#include "ability_record.h"
20eace7efcSopenharmony_ci#include "bundle_mgr_helper.h"
21eace7efcSopenharmony_ci#ifdef WITH_DLP
22eace7efcSopenharmony_ci#include "dlp_permission_kit.h"
23eace7efcSopenharmony_ci#endif // WITH_DLP
24eace7efcSopenharmony_ci#include "global_constant.h"
25eace7efcSopenharmony_ci#include "hilog_tag_wrapper.h"
26eace7efcSopenharmony_ci#include "in_process_call_wrapper.h"
27eace7efcSopenharmony_ci#include "iremote_object.h"
28eace7efcSopenharmony_ci#include "permission_verification.h"
29eace7efcSopenharmony_ci#include "server_constant.h"
30eace7efcSopenharmony_ci#include "want.h"
31eace7efcSopenharmony_ci
32eace7efcSopenharmony_cinamespace OHOS {
33eace7efcSopenharmony_cinamespace AAFwk {
34eace7efcSopenharmony_cinamespace DlpUtils {
35eace7efcSopenharmony_ci#ifdef WITH_DLP
36eace7efcSopenharmony_ciusing Dlp = Security::DlpPermission::DlpPermissionKit;
37eace7efcSopenharmony_ci#endif // WITH_DLP
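/**
 * @brief Checks whether the caller identified by @p callerToken may start the ability named by @p want.
 *
 * Without WITH_DLP the whole check is compiled out and the function returns true.
 * With WITH_DLP the request is allowed without asking the DLP service when any of these holds:
 *  - the call is a system-ability call (IsSACall()),
 *  - @p callerToken is null,
 *  - the token does not resolve to an ability record,
 *  - the caller's app index is not above MAX_APP_CLONE_INDEX,
 *  - the target bundle name equals the caller's own bundle name.
 * Otherwise Dlp::GetSandboxExternalAuthorization() is queried with the caller's uid, and the
 * request is allowed only if it succeeds and reports ALLOW_START_ABILITY.
 *
 * NOTE(review): the null-token and unresolved-record branches fail open (return true). If a
 * sandboxed caller can reach this function through either branch, the DLP authorization is
 * skipped - confirm that callers of this helper cannot be driven into those branches.
 *
 * @param callerToken Token of the calling ability; may be null.
 * @param want        Request describing the ability to be started.
 * @return true if the start is allowed, false if the DLP service query fails or denies it.
 */
[[maybe_unused]]static bool DlpAccessOtherAppsCheck(const sptr<IRemoteObject> &callerToken, const Want &want)
{
#ifdef WITH_DLP
    auto isSaCall = AAFwk::PermissionVerification::GetInstance()->IsSACall();
    if (isSaCall) {
        return true;
    }
    if (callerToken == nullptr) {
        // Fail-open: no caller identity is available, so no DLP decision is made here.
        return true;
    }
    auto abilityRecord = Token::GetAbilityRecordByToken(callerToken);
    if (abilityRecord == nullptr) {
        // Fail-open: logged as an error, but the request is still allowed.
        TAG_LOGE(AAFwkTag::ABILITYMGR, "Ability destroyed");
        return true;
    }
    // Only app indexes above the clone range are subject to the authorization query below
    // (presumably these are DLP sandbox instances - confirm against the index allocation).
    if (abilityRecord->GetAppIndex() <= AbilityRuntime::GlobalConstant::MAX_APP_CLONE_INDEX) {
        return true;
    }
    // A caller starting an ability inside its own bundle is not restricted.
    if (abilityRecord->GetApplicationInfo().bundleName == want.GetElement().GetBundleName()) {
        return true;
    }
    int32_t uid = abilityRecord->GetApplicationInfo().uid;
    // Start from "deny" so that a query which reports ERR_OK without writing the out-parameter
    // cannot leave an indeterminate value that happens to compare equal to ALLOW_START_ABILITY.
    Security::DlpPermission::SandBoxExternalAuthorType authResult =
        Security::DlpPermission::SandBoxExternalAuthorType::DENY_START_ABILITY;
    int result = Dlp::GetSandboxExternalAuthorization(uid, want, authResult);
    if (result != ERR_OK) {
        TAG_LOGE(AAFwkTag::ABILITYMGR, "GetSandboxExternalAuthorization failed %{public}d", result);
        return false;
    }
    if (authResult != Security::DlpPermission::SandBoxExternalAuthorType::ALLOW_START_ABILITY) {
        TAG_LOGE(AAFwkTag::ABILITYMGR, "Auth failed, not allow start %{public}d", uid);
        return false;
    }
#endif // WITH_DLP
    return true;
}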
73eace7efcSopenharmony_ci
74eace7efcSopenharmony_ci#ifdef WITH_DLP
/**
 * @brief Checks whether a request that targets a DLP index may proceed.
 *
 * The DLP_INDEX parameter of @p want (default 0) is rejected when it is non-zero and not above
 * MAX_APP_CLONE_INDEX; this also rejects negative values. A caller whose own app index is above
 * MAX_APP_CLONE_INDEX is allowed directly. Every other request is decided by
 * PermissionVerification::VerifyDlpPermission().
 *
 * @param callerToken Token of the calling ability; may be null.
 * @param want        Request carrying the DLP_INDEX parameter.
 * @return true if the request is allowed, false otherwise.
 */
[[maybe_unused]]static bool OtherAppsAccessDlpCheck(const sptr<IRemoteObject> &callerToken, const Want &want)
{
    const int32_t requestedIndex = want.GetIntParam(AbilityRuntime::ServerConstant::DLP_INDEX, 0);
    const bool withinCloneRange = requestedIndex <= AbilityRuntime::GlobalConstant::MAX_APP_CLONE_INDEX;
    if (requestedIndex != 0 && withinCloneRange) {
        return false;
    }

    if (callerToken != nullptr) {
        const auto callerRecord = Token::GetAbilityRecordByToken(callerToken);
        const bool callerAboveCloneRange = callerRecord != nullptr &&
            callerRecord->GetAppIndex() > AbilityRuntime::GlobalConstant::MAX_APP_CLONE_INDEX;
        if (callerAboveCloneRange) {
            return true;
        }
    }

    // VerifyDlpPermission is called with a non-const Want, hence the const_cast.
    // NOTE(review): whether the callee modifies the Want is not visible here - confirm.
    auto &mutableWant = const_cast<Want &>(want);
    return PermissionVerification::GetInstance()->VerifyDlpPermission(mutableWant);
}
92eace7efcSopenharmony_ci#endif // WITH_DLP
93eace7efcSopenharmony_ci
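/**
 * @brief Asks the DLP service whether @p callerRecord may start the ability named by @p want.
 *
 * Without WITH_DLP the check is compiled out and the function returns true.
 * With WITH_DLP the caller's uid and @p want are passed to Dlp::GetSandboxExternalAuthorization();
 * the request is allowed only if the query succeeds and reports ALLOW_START_ABILITY.
 *
 * @param callerRecord Ability record of the caller; its application uid is used for the query.
 * @param want         Request describing the ability to be started.
 * @return true if allowed, false if the query fails or the result is anything but allow.
 */
[[maybe_unused]]static bool SandboxAuthCheck(const AbilityRecord &callerRecord, const Want &want)
{
#ifdef WITH_DLP
    int32_t uid = callerRecord.GetApplicationInfo().uid;
    // Start from "deny" so that a query which reports ERR_OK without writing the out-parameter
    // cannot leave an indeterminate value that happens to compare equal to ALLOW_START_ABILITY.
    Security::DlpPermission::SandBoxExternalAuthorType authResult =
        Security::DlpPermission::SandBoxExternalAuthorType::DENY_START_ABILITY;
    int result = Dlp::GetSandboxExternalAuthorization(uid, want, authResult);
    if (result != ERR_OK) {
        // Fail closed: an unanswered authorization query is treated as a denial.
        TAG_LOGE(AAFwkTag::ABILITYMGR, "GetSandboxExternalAuthorization failed %{public}d", result);
        return false;
    }
    if (authResult != Security::DlpPermission::SandBoxExternalAuthorType::ALLOW_START_ABILITY) {
        TAG_LOGE(AAFwkTag::ABILITYMGR, "Auth failed, not allow start %{public}d", uid);
        return false;
    }
#endif // WITH_DLP
    return true;
}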
111eace7efcSopenharmony_ci
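/**
 * @brief Checks whether the current IPC caller is the DLP manager application.
 *
 * The calling uid is mapped to a bundle name through @p bundleManager and compared with
 * "com.ohos.dlpmanager". The bundle name is resolved from the uid, not taken from
 * caller-supplied data.
 *
 * NOTE(review): the decision rests on the bundle name alone, so it is only as strong as the
 * platform's guarantee that no other package can be installed under that name - confirm.
 *
 * @param bundleManager Bundle manager helper used for the uid lookup; null yields false.
 * @return true only if the lookup succeeds and the caller's bundle is the DLP manager.
 */
[[maybe_unused]]static bool CheckCallerIsDlpManager(const std::shared_ptr<AppExecFwk::BundleMgrHelper> &bundleManager)
{
    static constexpr const char *DLP_MANAGER_BUNDLE_NAME = "com.ohos.dlpmanager";

    if (!bundleManager) {
        return false;
    }

    std::string bundleName;
    // Read the calling uid before IN_PROCESS_CALL: the macro presumably replaces the calling
    // identity for the duration of the wrapped call - confirm against its definition.
    auto callerUid = IPCSkeleton::GetCallingUid();
    if (IN_PROCESS_CALL(bundleManager->GetNameForUid(callerUid, bundleName)) != ERR_OK) {
        // Fail closed: a caller that cannot be identified is not the DLP manager.
        TAG_LOGW(AAFwkTag::ABILITYMGR, "Get Bundle Name failed");
        return false;
    }
    if (bundleName != DLP_MANAGER_BUNDLE_NAME) {
        TAG_LOGW(AAFwkTag::ABILITYMGR, "Wrong Caller");
        return false;
    }
    return true;
}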
130eace7efcSopenharmony_ci}  // namespace DlpUtils
131eace7efcSopenharmony_ci}  // namespace AAFwk
132eace7efcSopenharmony_ci}  // namespace OHOS
133eace7efcSopenharmony_ci#endif  // OHOS_ABILITY_RUNTIME_DLP_UTILS_H