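/*
 * Copyright (c) 2022 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "permission_verification.h"

#include "ability_manager_errors.h"
#include "accesstoken_kit.h"
#include "hilog_tag_wrapper.h"
#include "permission_constants.h"
#include "server_constant.h"
#include "support_system_ability_permission.h"
#include "tokenid_kit.h"
#include "hitrace_meter.h"
#include "hilog_tag_wrapper.h"

namespace OHOS {
namespace AAFwk {
// Want parameter key removed by VerifyDlpPermission() when the want carries no DLP index.
const std::string DLP_PARAMS_SECURITY_FLAG = "ohos.dlp.params.securityFlag";
namespace {
// Inclusive bounds of the extension-type values accepted by VerifyShellStartExtensionType().
const int32_t SHELL_START_EXTENSION_FLOOR = 0; // FORM
const int32_t SHELL_START_EXTENSION_CEIL = 21; // EMBEDDED_UI
// Shift that places HapTokenInfo::tokenAttr above the 32-bit token id in a full token id.
const int32_t TOKEN_ID_BIT_SIZE = 32;
// Native process name that CheckCallServiceAbilityPermission() lets through unconditionally.
const std::string FOUNDATION_PROCESS_NAME = "foundation";
// Native process names accepted by CheckObserverCallerPermission().
const std::set<std::string> OBSERVER_NATIVE_CALLER = {
    "memmgrservice",
    "resource_schedule_service",
};
}

// Checks permissionName against an explicitly supplied token id; the IPC caller is not consulted.
// Returns true only when VerifyAccessToken reports PERMISSION_GRANTED.
bool PermissionVerification::VerifyPermissionByTokenId(const int &tokenId, const std::string &permissionName) const
{
    TAG_LOGD(AAFwkTag::DEFAULT, "permission %{public}s", permissionName.c_str());
    int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionName, false);
    if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
        TAG_LOGE(AAFwkTag::DEFAULT, "%{public}s: PERMISSION_DENIED", permissionName.c_str());
        return false;
    }
    TAG_LOGD(AAFwkTag::DEFAULT, "verify token success");
    return true;
}

// Checks permissionName for the IPC caller, or for specifyTokenId when it is non-zero.
// A non-zero specifyTokenId replaces the IPC caller's token as the identity being checked, so the
// result is only as trustworthy as the source of that value.
// NOTE(review): confirm every call site derives specifyTokenId from a trusted path.
bool PermissionVerification::VerifyCallingPermission(
    const std::string &permissionName, const uint32_t specifyTokenId) const
{
    HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
    TAG_LOGD(AAFwkTag::DEFAULT, "permission %{public}s, specifyTokenId: %{public}u",
        permissionName.c_str(), specifyTokenId);
    auto callerToken = specifyTokenId == 0 ? GetCallingTokenID() : specifyTokenId;
    // NOTE(review): the token id is logged %{public} here, while GetCallingTokenID() logs it
    // %{private}; confirm which level is intended.
    TAG_LOGD(AAFwkTag::DEFAULT, "Token: %{public}u", callerToken);
    int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName, false);
    if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
        TAG_LOGE(AAFwkTag::DEFAULT, "%{public}s: PERMISSION_DENIED", permissionName.c_str());
        return false;
    }
    TAG_LOGD(AAFwkTag::DEFAULT, "verify Token success");
    return true;
}

// Returns true when the IPC caller's token type is TOKEN_NATIVE.
bool PermissionVerification::IsSACall() const
{
    auto callerToken = GetCallingTokenID();
    return IsSACallByTokenId(callerToken);
}

// Returns true when callerTokenId has token type TOKEN_NATIVE.
// A callerTokenId of 0 is treated as "use the IPC caller's token".
bool PermissionVerification::IsSACallByTokenId(uint32_t callerTokenId) const
{
    TAG_LOGD(AAFwkTag::DEFAULT, "called");
    if (callerTokenId == 0) {
        callerTokenId = GetCallingTokenID();
    }
    auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
    if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
        TAG_LOGD(AAFwkTag::DEFAULT, "verify success");
        return true;
    }
    TAG_LOGD(AAFwkTag::DEFAULT, "Not SA called");
    return false;
}

// Returns true when the IPC caller's token type is TOKEN_SHELL.
bool PermissionVerification::IsShellCall() const
{
    auto callerToken = GetCallingTokenID();
    return IsShellCallByTokenId(callerToken);
}

// Returns true when callerTokenId has token type TOKEN_SHELL.
// A callerTokenId of 0 is treated as "use the IPC caller's token".
bool PermissionVerification::IsShellCallByTokenId(uint32_t callerTokenId) const
{
    TAG_LOGD(AAFwkTag::DEFAULT, "called");
    if (callerTokenId == 0) {
        callerTokenId = GetCallingTokenID();
    }
    auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
    if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
        TAG_LOGD(AAFwkTag::DEFAULT, "verify success");
        return true;
    }
    TAG_LOGD(AAFwkTag::DEFAULT, "Not shell called");
    return false;
}

// Returns true only when the IPC caller holds a native token whose processName equals processName.
// A failed GetNativeTokenInfo lookup is treated as a denial.
bool PermissionVerification::CheckSpecificSystemAbilityAccessPermission(const std::string &processName) const
{
    HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
    TAG_LOGD(AAFwkTag::DEFAULT, "called");
    if (!IsSACall()) {
        TAG_LOGE(AAFwkTag::DEFAULT, "verify fail");
        return false;
    }
    auto callerToken = GetCallingTokenID();
    Security::AccessToken::NativeTokenInfo nativeTokenInfo;
    int32_t result = Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(callerToken, nativeTokenInfo);
    if (result != ERR_OK || nativeTokenInfo.processName != processName) {
        TAG_LOGE(AAFwkTag::DEFAULT, "check process fail");
        return false;
    }
    return true;
}

// Returns true only when the IPC caller holds a native token whose processName is listed in
// OBSERVER_NATIVE_CALLER. A failed GetNativeTokenInfo lookup is treated as a denial.
bool PermissionVerification::CheckObserverCallerPermission() const
{
    TAG_LOGD(AAFwkTag::DEFAULT, "called");
    if (!IsSACall()) {
        TAG_LOGE(AAFwkTag::DEFAULT, "tokenType not native");
        return false;
    }
    auto callerToken = GetCallingTokenID();
    Security::AccessToken::NativeTokenInfo nativeTokenInfo;
    int32_t result = Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(callerToken, nativeTokenInfo);
    if (result != ERR_OK ||
        OBSERVER_NATIVE_CALLER.find(nativeTokenInfo.processName) == OBSERVER_NATIVE_CALLER.end()) {
        TAG_LOGE(AAFwkTag::DEFAULT, "check token fail");
        return false;
    }
    return true;
}

// Returns true when the caller holds PERMISSION_GET_RUNNING_INFO.
bool PermissionVerification::VerifyRunningInfoPerm() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_GET_RUNNING_INFO)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
        return true;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
    return false;
}

// Returns true when the caller holds PERMISSION_SET_ABILITY_CONTROLLER.
bool PermissionVerification::VerifyControllerPerm() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_SET_ABILITY_CONTROLLER)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
        return true;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
    return false;
}

// Gate for wants that carry a DLP index.
// When DLP_INDEX is absent or 0 the want is accepted, and DLP_PARAMS_SECURITY_FLAG is removed from
// it so that a value supplied with the want is not carried further. Otherwise the caller must hold
// PERMISSION_ACCESS_DLP. Note that the want is mutated on the first path.
bool PermissionVerification::VerifyDlpPermission(Want &want) const
{
    if (want.GetIntParam(AbilityRuntime::ServerConstant::DLP_INDEX, 0) == 0) {
        want.RemoveParam(DLP_PARAMS_SECURITY_FLAG);
        return true;
    }

    if (VerifyCallingPermission(PermissionConstants::PERMISSION_ACCESS_DLP)) {
        return true;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
    return false;
}

// Returns ERR_OK when the caller holds PERMISSION_INTERACT_ACROSS_LOCAL_ACCOUNTS,
// CHECK_PERMISSION_FAILED otherwise.
int PermissionVerification::VerifyAccountPermission() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_INTERACT_ACROSS_LOCAL_ACCOUNTS)) {
        return ERR_OK;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
    return CHECK_PERMISSION_FAILED;
}

// Returns true when the caller holds PERMISSION_MANAGE_MISSION.
bool PermissionVerification::VerifyMissionPermission() const
{
    HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_MANAGE_MISSION)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
        return true;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
    return false;
}

// Returns ERR_OK when the caller holds PERMISSION_RUNNING_STATE_OBSERVER,
// ERR_PERMISSION_DENIED otherwise.
int PermissionVerification::VerifyAppStateObserverPermission() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_RUNNING_STATE_OBSERVER)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
        return ERR_OK;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
    return ERR_PERMISSION_DENIED;
}

// Returns ERR_OK when the caller holds PERMISSION_UPDATE_CONFIGURATION,
// ERR_PERMISSION_DENIED otherwise.
int32_t PermissionVerification::VerifyUpdateConfigurationPerm() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_UPDATE_CONFIGURATION)) {
        TAG_LOGI(AAFwkTag::DEFAULT,
            "Permission %{public}s granted", PermissionConstants::PERMISSION_UPDATE_CONFIGURATION);
        return ERR_OK;
    }
    TAG_LOGE(AAFwkTag::DEFAULT,
        "Permission %{public}s denied", PermissionConstants::PERMISSION_UPDATE_CONFIGURATION);
    return ERR_PERMISSION_DENIED;
}

// Returns ERR_OK when the caller holds PERMISSION_UPDATE_APP_CONFIGURATION,
// ERR_PERMISSION_DENIED otherwise.
int32_t PermissionVerification::VerifyUpdateAPPConfigurationPerm() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_UPDATE_APP_CONFIGURATION)) {
        TAG_LOGI(AAFwkTag::DEFAULT,
            "Permission %{public}s granted", PermissionConstants::PERMISSION_UPDATE_APP_CONFIGURATION);
        return ERR_OK;
    }
    TAG_LOGE(AAFwkTag::DEFAULT,
        "Permission %{public}s denied", PermissionConstants::PERMISSION_UPDATE_APP_CONFIGURATION);
    return ERR_PERMISSION_DENIED;
}

// Returns true when the caller holds PERMISSION_INSTALL_BUNDLE.
bool PermissionVerification::VerifyInstallBundlePermission() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_INSTALL_BUNDLE)) {
        TAG_LOGI(AAFwkTag::DEFAULT,
            "Permission %{public}s granted", PermissionConstants::PERMISSION_INSTALL_BUNDLE);
        return true;
    }

    TAG_LOGE(AAFwkTag::DEFAULT, "Permission %{public}s denied", PermissionConstants::PERMISSION_INSTALL_BUNDLE);
    return false;
}

// Returns true when the caller holds PERMISSION_GET_BUNDLE_INFO_PRIVILEGED.
bool PermissionVerification::VerifyGetBundleInfoPrivilegedPermission() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED)) {
        TAG_LOGI(AAFwkTag::DEFAULT,
            "Permission %{public}s granted", PermissionConstants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
        return true;
    }

    TAG_LOGE(AAFwkTag::DEFAULT,
        "Permission %{public}s denied", PermissionConstants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
    return false;
}

// Returns true when the caller holds PERMISSION_START_RECENT_ABILITY; a caller without it is
// still accepted if it holds PERMISSION_MANAGE_MISSION (via VerifyMissionPermission()).
bool PermissionVerification::VerifyStartRecentAbilityPermission() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_RECENT_ABILITY)) {
        TAG_LOGI(AAFwkTag::DEFAULT,
            "Permission %{public}s granted", PermissionConstants::PERMISSION_START_RECENT_ABILITY);
        return true;
    }
    return VerifyMissionPermission();
}

// Runs the checks for calling a data ability, in this order: background start, invisible target,
// associated wake-up. The background check is applied only when apiTargetVersion > API8 or isShell
// is set. Returns ERR_OK, CHECK_PERMISSION_FAILED or ABILITY_VISIBLE_FALSE_DENY_REQUEST.
int PermissionVerification::CheckCallDataAbilityPermission(const VerificationInfo &verificationInfo, bool isShell) const
{
    if ((verificationInfo.apiTargetVersion > API8 || isShell) &&
        !JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall, verificationInfo.withContinuousTask)) {
        TAG_LOGE(AAFwkTag::DEFAULT, "start DataAbility fail");
        return CHECK_PERMISSION_FAILED;
    }
    if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
        TAG_LOGE(AAFwkTag::DEFAULT,
            "caller INVISIBLE permission invalid");
        return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
    }
    if (!JudgeAssociatedWakeUp(verificationInfo.accessTokenId, verificationInfo.associatedWakeUp)) {
        TAG_LOGE(AAFwkTag::DEFAULT, "associatedWakeUp false");
        return CHECK_PERMISSION_FAILED;
    }

    return ERR_OK;
}

// Runs the checks for calling a service ability. A native caller whose process name is
// FOUNDATION_PROCESS_NAME is accepted before any other check runs; every other caller goes through
// the background, invisible and associated wake-up checks, in that order. The background check is
// applied only when apiTargetVersion > API8 or the caller is the shell.
int PermissionVerification::CheckCallServiceAbilityPermission(const VerificationInfo &verificationInfo) const
{
    if (CheckSpecificSystemAbilityAccessPermission(FOUNDATION_PROCESS_NAME)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Allow fms to connect service ability");
        return ERR_OK;
    }
    if ((verificationInfo.apiTargetVersion > API8 || IsShellCall()) &&
        !JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall, verificationInfo.withContinuousTask)) {
        TAG_LOGE(AAFwkTag::DEFAULT, "Start ServiceAbility failed");
        return CHECK_PERMISSION_FAILED;
    }
    if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
        TAG_LOGE(AAFwkTag::DEFAULT, "caller INVISIBLE permission invalid");
        return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
    }
    if (!JudgeAssociatedWakeUp(verificationInfo.accessTokenId, verificationInfo.associatedWakeUp)) {
        TAG_LOGE(AAFwkTag::DEFAULT, "associatedWakeUp false");
        return CHECK_PERMISSION_FAILED;
    }

    return ERR_OK;
}

// Checks for starting an ability; forwards to JudgeInvisibleAndBackground(), which skips the
// invisible-target check when isCallByShortcut is set.
int PermissionVerification::CheckCallAbilityPermission(const VerificationInfo &verificationInfo,
    bool isCallByShortcut) const
{
    return JudgeInvisibleAndBackground(verificationInfo, isCallByShortcut);
}

// Checks for calling a service extension; forwards to JudgeInvisibleAndBackground() with its
// default isCallByShortcut argument.
int PermissionVerification::CheckCallServiceExtensionPermission(const VerificationInfo &verificationInfo) const
{
    return JudgeInvisibleAndBackground(verificationInfo);
}

// Runs the checks for StartAbilityByCall. A caller for which
// IsCallFromSameAccessToken(accessTokenId) is true is rejected outright; any other caller must
// hold PERMISSION_ABILITY_BACKGROUND_COMMUNICATION and then pass the invisible-target and
// background-start checks.
int PermissionVerification::CheckStartByCallPermission(const VerificationInfo &verificationInfo) const
{
    if (IsCallFromSameAccessToken(verificationInfo.accessTokenId)) {
        TAG_LOGE(AAFwkTag::DEFAULT, "StartAbilityByCall reject");
        return CHECK_PERMISSION_FAILED;
    }
    // Different APP call, check permissions
    if (!VerifyCallingPermission(PermissionConstants::PERMISSION_ABILITY_BACKGROUND_COMMUNICATION)) {
        TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
        return CHECK_PERMISSION_FAILED;
    }
    if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
        return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
    }
    if (!JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall, verificationInfo.withContinuousTask)) {
        return CHECK_PERMISSION_FAILED;
    }

    return ERR_OK;
}

// Returns the token id of the current IPC caller as reported by IPCSkeleton.
// The value is logged with the %{private} qualifier.
unsigned int PermissionVerification::GetCallingTokenID() const
{
    auto callerToken = IPCSkeleton::GetCallingTokenID();
    TAG_LOGD(AAFwkTag::DEFAULT, "callerToken: %{private}u", callerToken);
    return callerToken;
}

// Decides whether a target that is not visible may be started. Accepts, in order: a visible
// target; a non-zero specifyTokenId equal to the target's accessTokenId; a caller for which
// IsCallFromSameAccessToken(accessTokenId) is true; a caller (or specifyTokenId, when non-zero)
// holding PERMISSION_START_INVISIBLE_ABILITY. Everything else is denied.
bool PermissionVerification::JudgeStartInvisibleAbility(const uint32_t accessTokenId, const bool visible,
    const uint32_t specifyTokenId) const
{
    if (visible) {
        TAG_LOGD(AAFwkTag::DEFAULT, "visible:true");
        return true;
    }
    if (specifyTokenId > 0 && accessTokenId == specifyTokenId) {
        TAG_LOGD(AAFwkTag::DEFAULT, "accessTokenId equal specifyTokenId");
        return true;
    }
    if (IsCallFromSameAccessToken(accessTokenId)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "TargetAbility in same APP");
        return true;
    }
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_INVISIBLE_ABILITY, specifyTokenId)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Caller PASS");
        return true;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "verification fail");
    return false;
}

// Decides whether a start request made from the background is allowed. A foreground call always
// passes; a background call passes only when the caller holds the start-from-background
// permission under either spelling.
// NOTE(review): withContinuousTask is never read in this body, so a continuous task does not
// exempt a background caller here; confirm that is intended.
bool PermissionVerification::JudgeStartAbilityFromBackground(
    const bool isBackgroundCall, bool withContinuousTask) const
{
    if (!isBackgroundCall) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Caller not background");
        return true;
    }

    // Temporarily supports permissions with two different spellings
    // PERMISSION_START_ABILIIES_FROM_BACKGROUND will be removed later due to misspelling
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_ABILITIES_FROM_BACKGROUND) ||
        VerifyCallingPermission(PermissionConstants::PERMISSION_START_ABILIIES_FROM_BACKGROUND)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Caller PASS");
        return true;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "verification fail");
    return false;
}

// Decides whether the target may be woken by this caller: allowed when
// IsCallFromSameAccessToken(accessTokenId) is true or when associatedWakeUp is set.
bool PermissionVerification::JudgeAssociatedWakeUp(const uint32_t accessTokenId, const bool associatedWakeUp) const
{
    if (IsCallFromSameAccessToken(accessTokenId)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "TargetAbility in same APP");
        return true;
    }
    if (associatedWakeUp) {
        TAG_LOGD(AAFwkTag::DEFAULT, "associatedWakeUp: true");
        return true;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "not allowed associatedWakeUp");
    return false;
}

// Combined invisible-target and background-start check.
// With no specifyTokenId, a native (SA) caller is accepted immediately when
// IsSupportSaCallPermission() is true. Otherwise the invisible-target check runs (skipped when
// isCallByShortcut is set), followed by the background-start check.
// NOTE(review): the invisible-target check honours specifyTokenId, but the background check calls
// VerifyCallingPermission() without it and so appears to evaluate the IPC caller; confirm the
// two checks are meant to use different identities.
int PermissionVerification::JudgeInvisibleAndBackground(const VerificationInfo &verificationInfo,
    bool isCallByShortcut) const
{
    uint32_t specifyTokenId = verificationInfo.specifyTokenId;
    TAG_LOGD(AAFwkTag::DEFAULT, "specifyTokenId: %{public}u, isCallByShortcut %{public}d",
        specifyTokenId, isCallByShortcut);
    if (specifyTokenId == 0 &&
        SupportSystemAbilityPermission::IsSupportSaCallPermission() && IsSACall()) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Support SA call");
        return ERR_OK;
    }
    if (!isCallByShortcut &&
        !JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible,
        specifyTokenId)) {
        return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
    }
    if (!JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall, verificationInfo.withContinuousTask)) {
        return CHECK_PERMISSION_FAILED;
    }

    return ERR_OK;
}

// Returns true for native (SA) callers, shell callers and system applications.
bool PermissionVerification::JudgeCallerIsAllowedToUseSystemAPI() const
{
    if (IsSACall() || IsShellCall()) {
        return true;
    }
    // Same full-token-id lookup as IsSystemAppCall(); delegating keeps the two in step.
    return IsSystemAppCall();
}

// Returns true when the IPC caller's full token id identifies a system application.
bool PermissionVerification::IsSystemAppCall() const
{
    auto callerToken = IPCSkeleton::GetCallingFullTokenID();
    return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(callerToken);
}

// Returns true when callerTokenId belongs to a system application.
// A callerTokenId of 0 falls back to the IPC caller. For a non-zero id the token must be of type
// TOKEN_HAP; its full token id is rebuilt from HapTokenInfo::tokenAttr (upper bits) and the token
// id (lower 32 bits). Any lookup failure is treated as "not a system app".
bool PermissionVerification::IsSystemAppCallByTokenId(uint32_t callerTokenId) const
{
    if (callerTokenId == 0) {
        return IsSystemAppCall();
    }
    auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
    if (tokenType != Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) {
        TAG_LOGE(AAFwkTag::URIPERMMGR, "Not TOKEN_HAP.");
        return false;
    }
    Security::AccessToken::HapTokenInfo hapInfo;
    auto ret = Security::AccessToken::AccessTokenKit::GetHapTokenInfo(callerTokenId, hapInfo);
    if (ret != Security::AccessToken::AccessTokenKitRet::RET_SUCCESS) {
        TAG_LOGE(AAFwkTag::URIPERMMGR, "GetHapTokenInfo failed, ret:%{public}d", ret);
        return false;
    }
    uint64_t fullCallerTokenId = (static_cast<uint64_t>(hapInfo.tokenAttr) << TOKEN_ID_BIT_SIZE) + callerTokenId;
    return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullCallerTokenId);
}

// Public wrapper over JudgeStartAbilityFromBackground() using its default withContinuousTask.
bool PermissionVerification::VerifyBackgroundCallPermission(const bool isBackgroundCall) const
{
    return JudgeStartAbilityFromBackground(isBackgroundCall);
}

// Returns true when the caller holds PERMISSION_PREPARE_TERMINATE.
// A denial is logged at debug level only.
bool PermissionVerification::VerifyPrepareTerminatePermission() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_PREPARE_TERMINATE)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
        return true;
    }
    TAG_LOGD(AAFwkTag::DEFAULT, "Permission denied");
    return false;
}

// Returns true when the given tokenId holds PERMISSION_PREPARE_TERMINATE; the IPC caller is not
// consulted. A denial is logged at debug level only.
bool PermissionVerification::VerifyPrepareTerminatePermission(const int &tokenId) const
{
    int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId,
        PermissionConstants::PERMISSION_PREPARE_TERMINATE, false);
    if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
        TAG_LOGD(AAFwkTag::DEFAULT, "permission denied");
        return false;
    }
    TAG_LOGD(AAFwkTag::DEFAULT, "verify AccessToken success");
    return true;
}

// Returns true only for a shell caller asking for an extension type inside the inclusive range
// [SHELL_START_EXTENSION_FLOOR, SHELL_START_EXTENSION_CEIL].
// NOTE(review): the allow-list is a numeric range, so it depends on how the extension-type values
// are numbered; re-check the bounds whenever a type is added inside or next to the range.
bool PermissionVerification::VerifyShellStartExtensionType(int32_t type) const
{
    if (IsShellCall() && type >= SHELL_START_EXTENSION_FLOOR && type <= SHELL_START_EXTENSION_CEIL) {
        return true;
    }
    TAG_LOGD(AAFwkTag::DEFAULT, "reject start");
    return false;
}

// Returns true when the caller holds PERMISSION_PRELOAD_APPLICATION.
bool PermissionVerification::VerifyPreloadApplicationPermission() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_PRELOAD_APPLICATION)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Permission %{public}s granted",
            PermissionConstants::PERMISSION_PRELOAD_APPLICATION);
        return true;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "Permission %{public}s denied",
        PermissionConstants::PERMISSION_PRELOAD_APPLICATION);
    return false;
}

// Returns true when the caller holds PERMISSION_PRE_START_ATOMIC_SERVICE.
bool PermissionVerification::VerifyPreStartAtomicServicePermission() const
{
    if (VerifyCallingPermission(PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE)) {
        TAG_LOGD(AAFwkTag::APPMGR, "Permission %{public}s granted",
            PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE);
        return true;
    }
    TAG_LOGW(AAFwkTag::APPMGR, "Permission %{public}s denied",
        PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE);
    return false;
}

// Returns true only when the caller is a native (SA) caller AND holds
// PERMISSION_KILL_PROCESS_DEPENDED_ON_WEB.
bool PermissionVerification::VerifyKillProcessDependedOnWebPermission() const
{
    if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_KILL_PROCESS_DEPENDED_ON_WEB)) {
        TAG_LOGD(AAFwkTag::APPMGR, "Permission granted");
        return true;
    }
    TAG_LOGW(AAFwkTag::APPMGR, "Permission denied");
    return false;
}

// Returns true only when the caller is a native (SA) caller AND holds
// PERMISSION_BLOCK_ALL_APP_START.
bool PermissionVerification::VerifyBlockAllAppStartPermission() const
{
    if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_BLOCK_ALL_APP_START)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
        return true;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
    return false;
}

// Returns true only when the caller is a native (SA) caller AND holds
// PERMISSION_START_UIABILITY_TO_HIDDEN.
bool PermissionVerification::VerifyStartUIAbilityToHiddenPermission() const
{
    if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_START_UIABILITY_TO_HIDDEN)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
        return true;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
    return false;
}

// Returns true only when the caller is a native (SA) caller AND holds
// PERMISSION_SUPERVISE_KIA_SERVICE.
bool PermissionVerification::VerifySuperviseKiaServicePermission() const
{
    if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_SUPERVISE_KIA_SERVICE)) {
        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
        return true;
    }
    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
    return false;
}
} // namespace AAFwk
} // namespace OHOS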