1/*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 *     http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#ifndef OHOS_ABILITY_RUNTIME_DLP_UTILS_H
17#define OHOS_ABILITY_RUNTIME_DLP_UTILS_H
18
19#include "ability_record.h"
20#include "bundle_mgr_helper.h"
21#ifdef WITH_DLP
22#include "dlp_permission_kit.h"
23#endif // WITH_DLP
24#include "global_constant.h"
25#include "hilog_tag_wrapper.h"
26#include "in_process_call_wrapper.h"
27#include "iremote_object.h"
28#include "permission_verification.h"
29#include "server_constant.h"
30#include "want.h"
31
32namespace OHOS {
33namespace AAFwk {
34namespace DlpUtils {
#ifdef WITH_DLP
// Short name for the DLP permission kit; the sandbox authorization queries below go through it.
using Dlp = Security::DlpPermission::DlpPermissionKit;
#endif // WITH_DLP
/**
 * @brief Checks whether a caller that may be a DLP sandbox is allowed to start the ability named in @p want.
 *
 * Only enforced when built with WITH_DLP; otherwise every request is allowed.
 * System-ability callers, callers without a token, callers whose app index is at or below
 * MAX_APP_CLONE_INDEX, and same-bundle targets pass without consulting the DLP service.
 *
 * @param callerToken Token of the calling ability; may be null.
 * @param want        Target of the start request.
 * @return true when the start is permitted; false when the DLP service denies it or the
 *         authorization query itself fails.
 */
[[maybe_unused]] static bool DlpAccessOtherAppsCheck(const sptr<IRemoteObject> &callerToken, const Want &want)
{
#ifdef WITH_DLP
    // System-ability calls and token-less callers are not subject to this check.
    if (AAFwk::PermissionVerification::GetInstance()->IsSACall() || callerToken == nullptr) {
        return true;
    }
    auto callerRecord = Token::GetAbilityRecordByToken(callerToken);
    if (callerRecord == nullptr) {
        // NOTE(review): a caller whose record is already gone is allowed through (fail-open);
        // confirm this is the intended policy rather than a denial.
        TAG_LOGE(AAFwkTag::ABILITYMGR, "Ability destroyed");
        return true;
    }
    // Presumably an app index above MAX_APP_CLONE_INDEX marks a DLP sandbox instance;
    // anything at or below it is exempt.
    const bool callerIsSandbox =
        callerRecord->GetAppIndex() > AbilityRuntime::GlobalConstant::MAX_APP_CLONE_INDEX;
    if (!callerIsSandbox) {
        return true;
    }
    const auto &appInfo = callerRecord->GetApplicationInfo();
    if (appInfo.bundleName == want.GetElement().GetBundleName()) {
        // Same bundle: no cross-app access is involved.
        return true;
    }
    const int32_t callerUid = appInfo.uid;
    Security::DlpPermission::SandBoxExternalAuthorType authResult;
    const int ret = Dlp::GetSandboxExternalAuthorization(callerUid, want, authResult);
    if (ret != ERR_OK) {
        TAG_LOGE(AAFwkTag::ABILITYMGR, "GetSandboxExternalAuthorization failed %{public}d", ret);
        return false;
    }
    const bool allowed =
        authResult == Security::DlpPermission::SandBoxExternalAuthorType::ALLOW_START_ABILITY;
    if (!allowed) {
        TAG_LOGE(AAFwkTag::ABILITYMGR, "Auth failed, not allow start %{public}d", callerUid);
        return false;
    }
#endif // WITH_DLP
    return true;
}
73
74#ifdef WITH_DLP
/**
 * @brief Checks whether a caller may access the DLP target described by @p want.
 *
 * A request whose DLP_INDEX parameter is nonzero but at or below MAX_APP_CLONE_INDEX is
 * rejected outright. A caller that is itself a sandbox instance (app index above
 * MAX_APP_CLONE_INDEX) is allowed; every other caller must pass VerifyDlpPermission.
 *
 * @param callerToken Token of the calling ability; may be null.
 * @param want        Start request; its DLP_INDEX parameter is consulted.
 * @return true when access is permitted.
 */
[[maybe_unused]] static bool OtherAppsAccessDlpCheck(const sptr<IRemoteObject> &callerToken, const Want &want)
{
    const int32_t dlpIndex = want.GetIntParam(AbilityRuntime::ServerConstant::DLP_INDEX, 0);
    const bool indexInCloneRange =
        dlpIndex != 0 && dlpIndex <= AbilityRuntime::GlobalConstant::MAX_APP_CLONE_INDEX;
    if (indexInCloneRange) {
        return false;
    }

    if (callerToken != nullptr) {
        const auto callerRecord = Token::GetAbilityRecordByToken(callerToken);
        const bool callerIsSandbox = callerRecord != nullptr &&
            callerRecord->GetAppIndex() > AbilityRuntime::GlobalConstant::MAX_APP_CLONE_INDEX;
        if (callerIsSandbox) {
            return true;
        }
    }

    // VerifyDlpPermission takes a mutable Want, hence the const_cast. NOTE(review): it may
    // therefore modify the caller's want even though this function takes it by const reference — confirm.
    return PermissionVerification::GetInstance()->VerifyDlpPermission(const_cast<Want &>(want));
}
92#endif // WITH_DLP
93
/**
 * @brief Asks the DLP permission service whether the application owning @p callerRecord may start @p want.
 *
 * Unlike DlpAccessOtherAppsCheck this performs no caller classification: the query is made
 * for every caller when WITH_DLP is defined, and the check always succeeds otherwise.
 *
 * @param callerRecord Record of the calling ability; its application uid is used for the query.
 * @param want         Target of the start request.
 * @return true when the service allows the start (or DLP support is compiled out);
 *         false when the query fails or the service does not answer ALLOW_START_ABILITY.
 */
[[maybe_unused]] static bool SandboxAuthCheck(const AbilityRecord &callerRecord, const Want &want)
{
#ifdef WITH_DLP
    const int32_t callerUid = callerRecord.GetApplicationInfo().uid;
    Security::DlpPermission::SandBoxExternalAuthorType authResult;
    const int ret = Dlp::GetSandboxExternalAuthorization(callerUid, want, authResult);
    if (ret != ERR_OK) {
        TAG_LOGE(AAFwkTag::ABILITYMGR, "GetSandboxExternalAuthorization failed %{public}d", ret);
        return false;
    }
    const bool allowed =
        authResult == Security::DlpPermission::SandBoxExternalAuthorType::ALLOW_START_ABILITY;
    if (!allowed) {
        TAG_LOGE(AAFwkTag::ABILITYMGR, "Auth failed, not allow start %{public}d", callerUid);
        return false;
    }
#endif // WITH_DLP
    return true;
}
111
/**
 * @brief Returns true only when the IPC caller's bundle resolves to "com.ohos.dlpmanager".
 *
 * The caller identity is the calling uid of the current IPC transaction
 * (IPCSkeleton::GetCallingUid), mapped to a bundle name through the bundle manager.
 *
 * @param bundleManager Bundle manager helper used to resolve the uid; null yields false.
 * @return true when the caller is the DLP manager bundle; false on a null helper,
 *         a failed lookup, or any other bundle name.
 */
static bool CheckCallerIsDlpManager(const std::shared_ptr<AppExecFwk::BundleMgrHelper> &bundleManager)
{
    if (bundleManager == nullptr) {
        return false;
    }

    const auto callingUid = IPCSkeleton::GetCallingUid();
    std::string callerBundle;
    const auto ret = IN_PROCESS_CALL(bundleManager->GetNameForUid(callingUid, callerBundle));
    if (ret != ERR_OK) {
        TAG_LOGW(AAFwkTag::ABILITYMGR, "Get Bundle Name failed");
        return false;
    }
    // Identity is established solely by the bundle name the bundle manager reports for the uid.
    if (callerBundle != "com.ohos.dlpmanager") {
        TAG_LOGW(AAFwkTag::ABILITYMGR, "Wrong Caller");
        return false;
    }
    return true;
}
130}  // namespace DlpUtils
131}  // namespace AAFwk
132}  // namespace OHOS
133#endif  // OHOS_ABILITY_RUNTIME_DLP_UTILS_H
134