1/*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 *     http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#include "permission_verification.h"
17
18#include "ability_manager_errors.h"
19#include "accesstoken_kit.h"
20#include "hilog_tag_wrapper.h"
21#include "permission_constants.h"
22#include "server_constant.h"
23#include "support_system_ability_permission.h"
24#include "tokenid_kit.h"
25#include "hitrace_meter.h"
26#include "hilog_tag_wrapper.h"
27
28namespace OHOS {
29namespace AAFwk {
30const std::string DLP_PARAMS_SECURITY_FLAG = "ohos.dlp.params.securityFlag";
31namespace {
32const int32_t SHELL_START_EXTENSION_FLOOR = 0; // FORM
33const int32_t SHELL_START_EXTENSION_CEIL = 21; // EMBEDDED_UI
34const int32_t TOKEN_ID_BIT_SIZE = 32;
35const std::string FOUNDATION_PROCESS_NAME = "foundation";
36const std::set<std::string> OBSERVER_NATIVE_CALLER = {
37    "memmgrservice",
38    "resource_schedule_service",
39};
40}
41bool PermissionVerification::VerifyPermissionByTokenId(const int &tokenId, const std::string &permissionName) const
42{
43    TAG_LOGD(AAFwkTag::DEFAULT, "permission %{public}s", permissionName.c_str());
44    int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionName, false);
45    if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
46        TAG_LOGE(AAFwkTag::DEFAULT, "%{public}s: PERMISSION_DENIED", permissionName.c_str());
47        return false;
48    }
49    TAG_LOGD(AAFwkTag::DEFAULT, "verify token success");
50    return true;
51}
52
53bool PermissionVerification::VerifyCallingPermission(
54    const std::string &permissionName, const uint32_t specifyTokenId) const
55{
56    HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
57    TAG_LOGD(AAFwkTag::DEFAULT, "permission %{public}s, specifyTokenId: %{public}u",
58        permissionName.c_str(), specifyTokenId);
59    auto callerToken = specifyTokenId == 0 ? GetCallingTokenID() : specifyTokenId;
60    TAG_LOGD(AAFwkTag::DEFAULT, "Token: %{public}u", callerToken);
61    int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName, false);
62    if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
63        TAG_LOGE(AAFwkTag::DEFAULT, "%{public}s: PERMISSION_DENIED", permissionName.c_str());
64        return false;
65    }
66    TAG_LOGD(AAFwkTag::DEFAULT, "verify Token success");
67    return true;
68}
69
70bool PermissionVerification::IsSACall() const
71{
72    auto callerToken = GetCallingTokenID();
73    return IsSACallByTokenId(callerToken);
74}
75
76bool PermissionVerification::IsSACallByTokenId(uint32_t callerTokenId) const
77{
78    TAG_LOGD(AAFwkTag::DEFAULT, "called");
79    if (callerTokenId == 0) {
80        callerTokenId = GetCallingTokenID();
81    }
82    auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
83    if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
84        TAG_LOGD(AAFwkTag::DEFAULT, "verify success");
85        return true;
86    }
87    TAG_LOGD(AAFwkTag::DEFAULT, "Not SA called");
88    return false;
89}
90
91bool PermissionVerification::IsShellCall() const
92{
93    auto callerToken = GetCallingTokenID();
94    return IsShellCallByTokenId(callerToken);
95}
96
97bool PermissionVerification::IsShellCallByTokenId(uint32_t callerTokenId) const
98{
99    TAG_LOGD(AAFwkTag::DEFAULT, "called");
100    if (callerTokenId == 0) {
101        callerTokenId = GetCallingTokenID();
102    }
103    auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
104    if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
105        TAG_LOGD(AAFwkTag::DEFAULT, "verify success");
106        return true;
107    }
108    TAG_LOGD(AAFwkTag::DEFAULT, "Not shell called");
109    return false;
110}
111
112bool PermissionVerification::CheckSpecificSystemAbilityAccessPermission(const std::string &processName) const
113{
114    HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
115    TAG_LOGD(AAFwkTag::DEFAULT, "called");
116    if (!IsSACall()) {
117        TAG_LOGE(AAFwkTag::DEFAULT, "verify fail");
118        return false;
119    }
120    auto callerToken = GetCallingTokenID();
121    Security::AccessToken::NativeTokenInfo nativeTokenInfo;
122    int32_t result = Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(callerToken, nativeTokenInfo);
123    if (result != ERR_OK || nativeTokenInfo.processName != processName) {
124        TAG_LOGE(AAFwkTag::DEFAULT, "check process fail");
125        return false;
126    }
127    return true;
128}
129
130bool PermissionVerification::CheckObserverCallerPermission() const
131{
132    TAG_LOGD(AAFwkTag::DEFAULT, "called");
133    if (!IsSACall()) {
134        TAG_LOGE(AAFwkTag::DEFAULT, "tokenType not native");
135        return false;
136    }
137    auto callerToken = GetCallingTokenID();
138    Security::AccessToken::NativeTokenInfo nativeTokenInfo;
139    int32_t result = Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(callerToken, nativeTokenInfo);
140    if (result != ERR_OK ||
141        OBSERVER_NATIVE_CALLER.find(nativeTokenInfo.processName) == OBSERVER_NATIVE_CALLER.end()) {
142        TAG_LOGE(AAFwkTag::DEFAULT, "check token fail");
143        return false;
144    }
145    return true;
146}
147
148bool PermissionVerification::VerifyRunningInfoPerm() const
149{
150    if (VerifyCallingPermission(PermissionConstants::PERMISSION_GET_RUNNING_INFO)) {
151        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
152        return true;
153    }
154    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
155    return false;
156}
157
158bool PermissionVerification::VerifyControllerPerm() const
159{
160    if (VerifyCallingPermission(PermissionConstants::PERMISSION_SET_ABILITY_CONTROLLER)) {
161        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
162        return true;
163    }
164    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
165    return false;
166}
167
168bool PermissionVerification::VerifyDlpPermission(Want &want) const
169{
170    if (want.GetIntParam(AbilityRuntime::ServerConstant::DLP_INDEX, 0) == 0) {
171        want.RemoveParam(DLP_PARAMS_SECURITY_FLAG);
172        return true;
173    }
174
175    if (VerifyCallingPermission(PermissionConstants::PERMISSION_ACCESS_DLP)) {
176        return true;
177    }
178    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
179    return false;
180}
181
182int PermissionVerification::VerifyAccountPermission() const
183{
184    if (VerifyCallingPermission(PermissionConstants::PERMISSION_INTERACT_ACROSS_LOCAL_ACCOUNTS)) {
185        return ERR_OK;
186    }
187    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
188    return CHECK_PERMISSION_FAILED;
189}
190
191bool PermissionVerification::VerifyMissionPermission() const
192{
193    HITRACE_METER_NAME(HITRACE_TAG_ABILITY_MANAGER, __PRETTY_FUNCTION__);
194    if (VerifyCallingPermission(PermissionConstants::PERMISSION_MANAGE_MISSION)) {
195        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
196        return true;
197    }
198    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
199    return false;
200}
201
202int PermissionVerification::VerifyAppStateObserverPermission() const
203{
204    if (VerifyCallingPermission(PermissionConstants::PERMISSION_RUNNING_STATE_OBSERVER)) {
205        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
206        return ERR_OK;
207    }
208    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
209    return ERR_PERMISSION_DENIED;
210}
211
212int32_t PermissionVerification::VerifyUpdateConfigurationPerm() const
213{
214    if (VerifyCallingPermission(PermissionConstants::PERMISSION_UPDATE_CONFIGURATION)) {
215        TAG_LOGI(AAFwkTag::DEFAULT,
216            "Permission %{public}s granted", PermissionConstants::PERMISSION_UPDATE_CONFIGURATION);
217        return ERR_OK;
218    }
219    TAG_LOGE(AAFwkTag::DEFAULT,
220        "Permission %{public}s denied", PermissionConstants::PERMISSION_UPDATE_CONFIGURATION);
221    return ERR_PERMISSION_DENIED;
222}
223
224int32_t PermissionVerification::VerifyUpdateAPPConfigurationPerm() const
225{
226    if (VerifyCallingPermission(PermissionConstants::PERMISSION_UPDATE_APP_CONFIGURATION)) {
227        TAG_LOGI(AAFwkTag::DEFAULT,
228            "Permission %{public}s granted", PermissionConstants::PERMISSION_UPDATE_APP_CONFIGURATION);
229        return ERR_OK;
230    }
231    TAG_LOGE(AAFwkTag::DEFAULT,
232        "Permission %{public}s denied", PermissionConstants::PERMISSION_UPDATE_APP_CONFIGURATION);
233    return ERR_PERMISSION_DENIED;
234}
235
236bool PermissionVerification::VerifyInstallBundlePermission() const
237{
238    if (VerifyCallingPermission(PermissionConstants::PERMISSION_INSTALL_BUNDLE)) {
239        TAG_LOGI(AAFwkTag::DEFAULT,
240            "Permission %{public}s granted", PermissionConstants::PERMISSION_INSTALL_BUNDLE);
241        return true;
242    }
243
244    TAG_LOGE(AAFwkTag::DEFAULT, "Permission %{public}s denied", PermissionConstants::PERMISSION_INSTALL_BUNDLE);
245    return false;
246}
247
248bool PermissionVerification::VerifyGetBundleInfoPrivilegedPermission() const
249{
250    if (VerifyCallingPermission(PermissionConstants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED)) {
251        TAG_LOGI(AAFwkTag::DEFAULT,
252            "Permission %{public}s granted", PermissionConstants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
253        return true;
254    }
255
256    TAG_LOGE(AAFwkTag::DEFAULT,
257        "Permission %{public}s denied", PermissionConstants::PERMISSION_GET_BUNDLE_INFO_PRIVILEGED);
258    return false;
259}
260
261bool PermissionVerification::VerifyStartRecentAbilityPermission() const
262{
263    if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_RECENT_ABILITY)) {
264        TAG_LOGI(AAFwkTag::DEFAULT,
265            "Permission %{public}s granted", PermissionConstants::PERMISSION_START_RECENT_ABILITY);
266        return true;
267    }
268    return VerifyMissionPermission();
269}
270
271int PermissionVerification::CheckCallDataAbilityPermission(const VerificationInfo &verificationInfo, bool isShell) const
272{
273    if ((verificationInfo.apiTargetVersion > API8 || isShell) &&
274        !JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall, verificationInfo.withContinuousTask)) {
275        TAG_LOGE(AAFwkTag::DEFAULT, "start DataAbility fail");
276        return CHECK_PERMISSION_FAILED;
277    }
278    if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
279        TAG_LOGE(AAFwkTag::DEFAULT,
280            "caller INVISIBLE permission invalid");
281        return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
282    }
283    if (!JudgeAssociatedWakeUp(verificationInfo.accessTokenId, verificationInfo.associatedWakeUp)) {
284        TAG_LOGE(AAFwkTag::DEFAULT, "associatedWakeUp false");
285        return CHECK_PERMISSION_FAILED;
286    }
287
288    return ERR_OK;
289}
290
291int PermissionVerification::CheckCallServiceAbilityPermission(const VerificationInfo &verificationInfo) const
292{
293    if (CheckSpecificSystemAbilityAccessPermission(FOUNDATION_PROCESS_NAME)) {
294        TAG_LOGD(AAFwkTag::DEFAULT, "Allow fms to connect service ability");
295        return ERR_OK;
296    }
297    if ((verificationInfo.apiTargetVersion > API8 || IsShellCall()) &&
298        !JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall, verificationInfo.withContinuousTask)) {
299        TAG_LOGE(AAFwkTag::DEFAULT, "Start ServiceAbility failed");
300        return CHECK_PERMISSION_FAILED;
301    }
302    if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
303        TAG_LOGE(AAFwkTag::DEFAULT, "caller INVISIBLE permission invalid");
304        return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
305    }
306    if (!JudgeAssociatedWakeUp(verificationInfo.accessTokenId, verificationInfo.associatedWakeUp)) {
307        TAG_LOGE(AAFwkTag::DEFAULT, "associatedWakeUp false");
308        return CHECK_PERMISSION_FAILED;
309    }
310
311    return ERR_OK;
312}
313
314int PermissionVerification::CheckCallAbilityPermission(const VerificationInfo &verificationInfo,
315    bool isCallByShortcut) const
316{
317    return JudgeInvisibleAndBackground(verificationInfo, isCallByShortcut);
318}
319
320int PermissionVerification::CheckCallServiceExtensionPermission(const VerificationInfo &verificationInfo) const
321{
322    return JudgeInvisibleAndBackground(verificationInfo);
323}
324
325int PermissionVerification::CheckStartByCallPermission(const VerificationInfo &verificationInfo) const
326{
327    if (IsCallFromSameAccessToken(verificationInfo.accessTokenId)) {
328        TAG_LOGE(AAFwkTag::DEFAULT, "StartAbilityByCall reject");
329        return CHECK_PERMISSION_FAILED;
330    }
331    // Different APP call, check permissions
332    if (!VerifyCallingPermission(PermissionConstants::PERMISSION_ABILITY_BACKGROUND_COMMUNICATION)) {
333        TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
334        return CHECK_PERMISSION_FAILED;
335    }
336    if (!JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible)) {
337        return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
338    }
339    if (!JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall, verificationInfo.withContinuousTask)) {
340        return CHECK_PERMISSION_FAILED;
341    }
342
343    return ERR_OK;
344}
345
346unsigned int PermissionVerification::GetCallingTokenID() const
347{
348    auto callerToken = IPCSkeleton::GetCallingTokenID();
349    TAG_LOGD(AAFwkTag::DEFAULT, "callerToken: %{private}u", callerToken);
350    return callerToken;
351}
352
353bool PermissionVerification::JudgeStartInvisibleAbility(const uint32_t accessTokenId, const bool visible,
354    const uint32_t specifyTokenId) const
355{
356    if (visible) {
357        TAG_LOGD(AAFwkTag::DEFAULT, "visible:true");
358        return true;
359    }
360    if (specifyTokenId > 0 && accessTokenId == specifyTokenId) {
361        TAG_LOGD(AAFwkTag::DEFAULT, "accessTokenId equal specifyTokenId");
362        return true;
363    }
364    if (IsCallFromSameAccessToken(accessTokenId)) {
365        TAG_LOGD(AAFwkTag::DEFAULT, "TargetAbility in same APP");
366        return true;
367    }
368    if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_INVISIBLE_ABILITY, specifyTokenId)) {
369        TAG_LOGD(AAFwkTag::DEFAULT, "Caller PASS");
370        return true;
371    }
372    TAG_LOGE(AAFwkTag::DEFAULT, "verification fail");
373    return false;
374}
375
376bool PermissionVerification::JudgeStartAbilityFromBackground(
377    const bool isBackgroundCall, bool withContinuousTask) const
378{
379    if (!isBackgroundCall) {
380        TAG_LOGD(AAFwkTag::DEFAULT, "Caller not background");
381        return true;
382    }
383
384    // Temporarily supports permissions with two different spellings
385    // PERMISSION_START_ABILIIES_FROM_BACKGROUND will be removed later due to misspelling
386    if (VerifyCallingPermission(PermissionConstants::PERMISSION_START_ABILITIES_FROM_BACKGROUND) ||
387        VerifyCallingPermission(PermissionConstants::PERMISSION_START_ABILIIES_FROM_BACKGROUND)) {
388        TAG_LOGD(AAFwkTag::DEFAULT, "Caller PASS");
389        return true;
390    }
391    TAG_LOGE(AAFwkTag::DEFAULT, "verification fail");
392    return false;
393}
394
395bool PermissionVerification::JudgeAssociatedWakeUp(const uint32_t accessTokenId, const bool associatedWakeUp) const
396{
397    if (IsCallFromSameAccessToken(accessTokenId)) {
398        TAG_LOGD(AAFwkTag::DEFAULT, "TargetAbility in same APP");
399        return true;
400    }
401    if (associatedWakeUp) {
402        TAG_LOGD(AAFwkTag::DEFAULT, "associatedWakeUp: true");
403        return true;
404    }
405    TAG_LOGE(AAFwkTag::DEFAULT, "not allowed associatedWakeUp");
406    return false;
407}
408
409int PermissionVerification::JudgeInvisibleAndBackground(const VerificationInfo &verificationInfo,
410    bool isCallByShortcut) const
411{
412    uint32_t specifyTokenId = verificationInfo.specifyTokenId;
413    TAG_LOGD(AAFwkTag::DEFAULT, "specifyTokenId: %{public}u, isCallByShortcut %{public}d",
414        specifyTokenId, isCallByShortcut);
415    if (specifyTokenId == 0 &&
416        SupportSystemAbilityPermission::IsSupportSaCallPermission() && IsSACall()) {
417        TAG_LOGD(AAFwkTag::DEFAULT, "Support SA call");
418        return ERR_OK;
419    }
420    if (!isCallByShortcut &&
421        !JudgeStartInvisibleAbility(verificationInfo.accessTokenId, verificationInfo.visible,
422        specifyTokenId)) {
423        return ABILITY_VISIBLE_FALSE_DENY_REQUEST;
424    }
425    if (!JudgeStartAbilityFromBackground(verificationInfo.isBackgroundCall, verificationInfo.withContinuousTask)) {
426        return CHECK_PERMISSION_FAILED;
427    }
428
429    return ERR_OK;
430}
431
432bool PermissionVerification::JudgeCallerIsAllowedToUseSystemAPI() const
433{
434    if (IsSACall() || IsShellCall()) {
435        return true;
436    }
437    auto callerToken = IPCSkeleton::GetCallingFullTokenID();
438    return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(callerToken);
439}
440
441bool PermissionVerification::IsSystemAppCall() const
442{
443    auto callerToken = IPCSkeleton::GetCallingFullTokenID();
444    return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(callerToken);
445}
446
447bool PermissionVerification::IsSystemAppCallByTokenId(uint32_t callerTokenId) const
448{
449    if (callerTokenId == 0) {
450        return IsSystemAppCall();
451    }
452    auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerTokenId);
453    if (tokenType != Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) {
454        TAG_LOGE(AAFwkTag::URIPERMMGR, "Not TOKEN_HAP.");
455        return false;
456    }
457    Security::AccessToken::HapTokenInfo hapInfo;
458    auto ret = Security::AccessToken::AccessTokenKit::GetHapTokenInfo(callerTokenId, hapInfo);
459    if (ret != Security::AccessToken::AccessTokenKitRet::RET_SUCCESS) {
460        TAG_LOGE(AAFwkTag::URIPERMMGR, "GetHapTokenInfo failed, ret:%{public}d", ret);
461        return false;
462    }
463    uint64_t fullCallerTokenId = (static_cast<uint64_t>(hapInfo.tokenAttr) << TOKEN_ID_BIT_SIZE) + callerTokenId;
464    return Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullCallerTokenId);
465}
466
467bool PermissionVerification::VerifyBackgroundCallPermission(const bool isBackgroundCall) const
468{
469    return JudgeStartAbilityFromBackground(isBackgroundCall);
470}
471
472bool PermissionVerification::VerifyPrepareTerminatePermission() const
473{
474    if (VerifyCallingPermission(PermissionConstants::PERMISSION_PREPARE_TERMINATE)) {
475        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
476        return true;
477    }
478    TAG_LOGD(AAFwkTag::DEFAULT, "Permission denied");
479    return false;
480}
481
482bool PermissionVerification::VerifyPrepareTerminatePermission(const int &tokenId) const
483{
484    int32_t ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId,
485        PermissionConstants::PERMISSION_PREPARE_TERMINATE, false);
486    if (ret != Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
487        TAG_LOGD(AAFwkTag::DEFAULT, "permission denied");
488        return false;
489    }
490    TAG_LOGD(AAFwkTag::DEFAULT, "verify AccessToken success");
491    return true;
492}
493
494bool PermissionVerification::VerifyShellStartExtensionType(int32_t type) const
495{
496    if (IsShellCall() && type >= SHELL_START_EXTENSION_FLOOR && type <= SHELL_START_EXTENSION_CEIL) {
497        return true;
498    }
499    TAG_LOGD(AAFwkTag::DEFAULT, "reject start");
500    return false;
501}
502
503bool PermissionVerification::VerifyPreloadApplicationPermission() const
504{
505    if (VerifyCallingPermission(PermissionConstants::PERMISSION_PRELOAD_APPLICATION)) {
506        TAG_LOGD(AAFwkTag::DEFAULT, "Permission %{public}s granted",
507            PermissionConstants::PERMISSION_PRELOAD_APPLICATION);
508        return true;
509    }
510    TAG_LOGE(AAFwkTag::DEFAULT, "Permission %{public}s denied",
511        PermissionConstants::PERMISSION_PRELOAD_APPLICATION);
512    return false;
513}
514
515bool PermissionVerification::VerifyPreStartAtomicServicePermission() const
516{
517    if (VerifyCallingPermission(PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE)) {
518        TAG_LOGD(AAFwkTag::APPMGR, "Permission %{public}s granted",
519            PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE);
520        return true;
521    }
522    TAG_LOGW(AAFwkTag::APPMGR, "Permission %{public}s denied",
523        PermissionConstants::PERMISSION_PRE_START_ATOMIC_SERVICE);
524    return false;
525}
526
527bool PermissionVerification::VerifyKillProcessDependedOnWebPermission() const
528{
529    if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_KILL_PROCESS_DEPENDED_ON_WEB)) {
530        TAG_LOGD(AAFwkTag::APPMGR, "Permission granted");
531        return true;
532    }
533    TAG_LOGW(AAFwkTag::APPMGR, "Permission denied");
534    return false;
535}
536
537bool PermissionVerification::VerifyBlockAllAppStartPermission() const
538{
539    if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_BLOCK_ALL_APP_START)) {
540        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
541        return true;
542    }
543    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
544    return false;
545}
546
547bool PermissionVerification::VerifyStartUIAbilityToHiddenPermission() const
548{
549    if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_START_UIABILITY_TO_HIDDEN)) {
550        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
551        return true;
552    }
553    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
554    return false;
555}
556
557bool PermissionVerification::VerifySuperviseKiaServicePermission() const
558{
559    if (IsSACall() && VerifyCallingPermission(PermissionConstants::PERMISSION_SUPERVISE_KIA_SERVICE)) {
560        TAG_LOGD(AAFwkTag::DEFAULT, "Permission granted");
561        return true;
562    }
563    TAG_LOGE(AAFwkTag::DEFAULT, "Permission denied");
564    return false;
565}
566}  // namespace AAFwk
567}  // namespace OHOS
568