From 72c9354379bfff9ca3faae80c535c0005a46cdec Mon Sep 17 00:00:00 2001 From: bug_maker Date: Wed, 25 Jun 2025 14:28:31 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20=E6=96=B0=E5=A2=9E=E6=97=A0=E6=84=9F?= =?UTF-8?q?=E6=88=AA=E5=B1=8F=E6=9D=83=E9=99=90=E8=AE=BE=E7=BD=AE=E6=8E=A5?= =?UTF-8?q?=E5=8F=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: bug_maker --- frameworks/common/include/data_validator.h | 2 + frameworks/common/src/constant_common.cpp | 2 +- frameworks/common/src/data_validator.cpp | 19 +- .../accesstoken/include/access_token.h | 16 +- .../accesstoken/include/access_token_error.h | 3 +- .../accesstoken/include/accesstoken_kit.h | 10 + .../accesstoken/libaccesstoken_sdk.map | 1 + .../accesstoken/src/accesstoken_kit.cpp | 29 ++ .../src/accesstoken_manager_client.cpp | 15 + .../src/accesstoken_manager_client.h | 1 + .../share_permission_with_sandbox_test.cpp | 2 +- .../EdmPolicyTest/edm_policy_set_test.cpp | 334 +++++++++++++++++- .../app_installation_optimized_test.cpp | 8 +- .../HapTokenTest/init_hap_token_test.cpp | 2 +- .../HapTokenTest/update_hap_token_test.cpp | 4 +- ...ar_user_granted__permission_state_test.cpp | 4 +- .../security_component_grant_test.cpp | 2 +- .../idl/IAccessTokenManager.idl | 1 + .../permission/permission_data_brief.h | 1 + .../include/permission/permission_manager.h | 14 + .../include/permission/permission_validator.h | 1 + .../service/accesstoken_manager_service.h | 2 + .../src/permission/permission_data_brief.cpp | 46 ++- .../cpp/src/permission/permission_manager.cpp | 210 ++++++++++- .../src/permission/permission_validator.cpp | 5 + .../service/accesstoken_manager_service.cpp | 28 +- .../test/unittest/permission_manager_test.cpp | 16 +- .../grantpermissionservice_fuzzer.cpp | 4 +- .../revokepermissionservice_fuzzer.cpp | 4 +- 29 files changed, 743 insertions(+), 43 deletions(-) 
diff --git a/frameworks/common/include/data_validator.h b/frameworks/common/include/data_validator.h index 5fd826d6e..cf91836d8 100644 --- a/frameworks/common/include/data_validator.h +++ b/frameworks/common/include/data_validator.h @@ -49,6 +49,8 @@ public: static bool IsDescValid(const std::string& desc); static bool IsPermissionFlagValid(uint32_t flag); + static bool IsPermissionFlagValidForAdmin(uint32_t flag); + static bool IsPermissionStatusValid(int32_t status); static bool IsDcapValid(const std::string& dcap); static bool IsTokenIDValid(AccessTokenID id); static bool IsDlpTypeValid(int dlpType); diff --git a/frameworks/common/src/constant_common.cpp b/frameworks/common/src/constant_common.cpp index 1e4a9599f..f50940021 100644 --- a/frameworks/common/src/constant_common.cpp +++ b/frameworks/common/src/constant_common.cpp @@ -63,7 +63,7 @@ bool ConstantCommon::IsPermOperatedByUser(int32_t flag) bool ConstantCommon::IsPermOperatedBySystem(int32_t flag) { uint32_t uFlag = static_cast(flag); - return (uFlag & PERMISSION_SYSTEM_FIXED) || (uFlag & PERMISSION_GRANTED_BY_POLICY); + return (uFlag & PERMISSION_SYSTEM_FIXED) || (uFlag & PERMISSION_PRE_AUTHORIZED_CANCELABLE); } bool ConstantCommon::IsPermGrantedBySecComp(int32_t flag) diff --git a/frameworks/common/src/data_validator.cpp b/frameworks/common/src/data_validator.cpp index 329636c47..6c363cbe7 100644 --- a/frameworks/common/src/data_validator.cpp +++ b/frameworks/common/src/data_validator.cpp 
@@ -140,14 +140,27 @@ bool DataValidator::IsDcapValid(const std::string& dcap) bool DataValidator::IsPermissionFlagValid(uint32_t flag) { uint32_t unmaskedFlag = - flag & (~PermissionFlag::PERMISSION_GRANTED_BY_POLICY); + flag & (~PermissionFlag::PERMISSION_PRE_AUTHORIZED_CANCELABLE); return unmaskedFlag == PermissionFlag::PERMISSION_DEFAULT_FLAG || unmaskedFlag == PermissionFlag::PERMISSION_USER_SET || unmaskedFlag == PermissionFlag::PERMISSION_USER_FIXED || unmaskedFlag == PermissionFlag::PERMISSION_SYSTEM_FIXED || unmaskedFlag == PermissionFlag::PERMISSION_COMPONENT_SET || - unmaskedFlag == PermissionFlag::PERMISSION_POLICY_FIXED || - unmaskedFlag == PermissionFlag::PERMISSION_ALLOW_THIS_TIME; + unmaskedFlag == PermissionFlag::PERMISSION_FIXED_FOR_SECURITY_POLICY || + unmaskedFlag == PermissionFlag::PERMISSION_ALLOW_THIS_TIME || + unmaskedFlag == PermissionFlag::PERMISSION_FIXED_BY_ADMIN_POLICY || + unmaskedFlag == PermissionFlag::PERMISSION_ADMIN_POLICIES_CANCEL; +} + +bool DataValidator::IsPermissionFlagValidForAdmin(uint32_t flag) +{ + return flag == PermissionFlag::PERMISSION_FIXED_BY_ADMIN_POLICY || + flag == PermissionFlag::PERMISSION_ADMIN_POLICIES_CANCEL; +} + +bool DataValidator::IsPermissionStatusValid(int32_t status) +{ + return status == PERMISSION_GRANTED || status == PERMISSION_DENIED; } bool DataValidator::IsTokenIDValid(AccessTokenID id) diff --git a/interfaces/innerkits/accesstoken/include/access_token.h b/interfaces/innerkits/accesstoken/include/access_token.h index 651a28d6c..32d49bf73 100644 --- a/interfaces/innerkits/accesstoken/include/access_token.h +++ b/interfaces/innerkits/accesstoken/include/access_token.h @@ -199,7 +199,7 @@ typedef enum TypePermissionFlag { * a user_grant permission has been set by system for pre-authorization, * and it is cancellable. it always works with other flags. */ - PERMISSION_GRANTED_BY_POLICY = 1 << 3, + PERMISSION_PRE_AUTHORIZED_CANCELABLE = 1 << 3, /** * permission has been set by security component. */ 
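Review bot: Adding PERMISSION_FIXED_BY_ADMIN_POLICY and PERMISSION_ADMIN_POLICIES_CANCEL to the generic IsPermissionFlagValid means every path that validates through it — presumably the existing GrantPermission/RevokePermission paths — now accepts an admin-only flag, and also accepts it OR'd with PERMISSION_PRE_AUTHORIZED_CANCELABLE, because that bit is masked off before the equality comparisons. Unless the service separately requires ohos.permission.MANAGE_EDM_POLICY whenever one of these two flags is supplied (permission_manager.cpp is changed by this patch but is not in view), a caller with only the ordinary grant/revoke privilege could mark a permission as admin-fixed, or clear that state, without going through SetPermissionStatusWithPolicy. I would either keep the two flags out of IsPermissionFlagValid and accept them only via IsPermissionFlagValidForAdmin, or document the split explicitly: `// Admin-policy flags are syntactically valid here; the EDM privilege check for them is done in the service.` A test that calls GrantPermission with PERMISSION_FIXED_BY_ADMIN_POLICY from a non-EDM token and expects ERR_PERMISSION_DENIED would pin whichever choice is made.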
@@ -207,11 +207,21 @@ typedef enum TypePermissionFlag { /* * permission is fixed by policy and the permission cannot be granted or revoked by user */ - PERMISSION_POLICY_FIXED = 1 << 5, + PERMISSION_FIXED_FOR_SECURITY_POLICY = 1 << 5, /* * permission is only allowed during the current lifecycle foreground period */ PERMISSION_ALLOW_THIS_TIME = 1 << 6, + /** + * permission is fixed by admin policy, it cannot be granted or revoked by user, + * and it can be cancelled by admin. + */ + PERMISSION_FIXED_BY_ADMIN_POLICY = 1 << 7, + /** + * permission which is fixed by admin policy, cancel fixed by admin policy. + * it can be granted or revoked by user. + */ + PERMISSION_ADMIN_POLICIES_CANCEL = 1 << 8, } PermissionFlag; /** @@ -249,6 +259,8 @@ typedef enum TypePermissionErrorReason { PRIVACY_STATEMENT_NOT_AGREED = 4, /** The permission cannot be requested in a pop-up window */ UNABLE_POP_UP = 5, + /** The permission is fixed by policy */ + FIXED_BY_POLICY = 6, /** The service is abnormal */ SERVICE_ABNORMAL = 12, } PermissionErrorReason; diff --git a/interfaces/innerkits/accesstoken/include/access_token_error.h b/interfaces/innerkits/accesstoken/include/access_token_error.h index fd3076ec8..695883703 100644 --- a/interfaces/innerkits/accesstoken/include/access_token_error.h +++ b/interfaces/innerkits/accesstoken/include/access_token_error.h @@ -79,7 +79,8 @@ enum AccessTokenError { ERR_REMOTE_CONNECTION, ERR_ADD_DEATH_RECIPIENT_FAILED, ERR_PRASE_RAW_DATA_FAILED, - ERR_PERMISSION_WITHOUT_VALUE + ERR_PERMISSION_WITHOUT_VALUE, + ERR_PERMISSION_RESTRICTED }; } // namespace AccessToken } // namespace Security diff --git a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h index 1e9ceb137..809841f57 100644 --- a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h +++ b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h 
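Review bot: The comment on PERMISSION_ADMIN_POLICIES_CANCEL does not say what the flag means once it is set; from SetPermissionStatusWithPolicy006 in this patch the permission's flag becomes PERMISSION_ADMIN_POLICIES_CANCEL, it stays denied regardless of the status passed, and it is reported as SETTING_OPER afterwards, i.e. the user may grant it again. I would reword it to `/** admin policy on this permission has been cancelled; it is no longer fixed and may be granted or revoked by the user again. */`, and on PERMISSION_FIXED_BY_ADMIN_POLICY add that it is set only through SetPermissionStatusWithPolicy and survives ClearUserGrantedPermissionState (test 009). Both comments should also say the flag is used on its own rather than OR'd with others, since IsPermissionFlagValidForAdmin compares for equality. FIXED_BY_POLICY = 6 lands next to the pre-existing gap before SERVICE_ABNORMAL = 12, which is fine as long as the enum stays explicitly numbered.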
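Review bot: ERR_PERMISSION_RESTRICTED is appended without a comment, and nothing in the public headers says when it is returned; the only evidence is test 008, where GrantPermission with PERMISSION_USER_FIXED on an admin-fixed permission yields it. A one-line comment such as `ERR_PERMISSION_RESTRICTED // grant/revoke refused because the permission is fixed by admin policy` keeps the enum self-describing. Appending at the end is the right place since the enum has no explicit values and earlier members are part of the SDK ABI.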
@@ -559,6 +559,16 @@ public: * @return bool */ static bool IsToastShownNeeded(int32_t pid); + + /** + * @brief Set multiple permissions status and flag with policy. + * @param tokenID token id + * @param permissionList permission list to be set + * @param status the permission status to be set + * @param flag enum PermissionFlag, see access_token.h + * @return error code, see access_token_error.h + */ + static int32_t SetPermissionStatusWithPolicy(uint32_t tokenID, const std::vector& permissionList, int32_t status, uint32_t flag); }; } // namespace AccessToken } // namespace Security diff --git a/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map b/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map index 6ff38a5da..8c89678b9 100644 --- a/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map +++ b/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map @@ -28,6 +28,7 @@ "OHOS::Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(unsigned int, OHOS::Security::AccessToken::NativeTokenInfo&)"; "OHOS::Security::AccessToken::AccessTokenKit::GetPermissionFlag(unsigned int, std::__h::basic_string, std::__h::allocator> const&, unsigned int&)"; "OHOS::Security::AccessToken::AccessTokenKit::GrantPermission(unsigned int, std::__h::basic_string, std::__h::allocator> const&, unsigned int)"; + "OHOS::Security::AccessToken::AccessTokenKit::SetPermissionStatusWithPolicy(unsigned int, std::__h::vector, std::__h::allocator>, std::__h::allocator, std::__h::allocator>>> const&, int, unsigned int)"; "OHOS::Security::AccessToken::AccessTokenKit::RevokePermission(unsigned int, std::__h::basic_string, std::__h::allocator> const&, unsigned int)"; "OHOS::Security::AccessToken::AccessTokenKit::ClearUserGrantedPermissionState(unsigned int)"; "OHOS::Security::AccessToken::PermStateChangeCallbackCustomize::PermStateChangeCallbackCustomize(OHOS::Security::AccessToken::PermStateChangeScope const&)"; 
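Review bot: The doc comment on SetPermissionStatusWithPolicy omits the contract the tests in this patch rely on: the caller must hold ohos.permission.MANAGE_EDM_POLICY (tests 001/002 expect ERR_PERMISSION_DENIED otherwise), `flag` must be exactly PERMISSION_FIXED_BY_ADMIN_POLICY or PERMISSION_ADMIN_POLICIES_CANCEL, `status` must be PERMISSION_GRANTED or PERMISSION_DENIED, and a system_grant permission, an unrequested permission, or one already PERMISSION_SYSTEM_FIXED returns ERR_PARAM_INVALID (tests 003-005). It should also say whether the list is applied atomically when one entry fails in the service, since the client loop rejects the whole call but the service behaviour is not visible here. I would extend the flag line to `@param flag PERMISSION_FIXED_BY_ADMIN_POLICY or PERMISSION_ADMIN_POLICIES_CANCEL only; caller needs ohos.permission.MANAGE_EDM_POLICY` and expand `@return` to list ERR_PERMISSION_DENIED and ERR_PARAM_INVALID. The parameter shows as `std::vector&` in this listing, presumably `std::vector<std::string>` with the template argument lost in rendering.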
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp index 9e64a8b7a..e91538c37 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp +++ b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp @@ -862,6 +862,35 @@ bool AccessTokenKit::IsToastShownNeeded(int32_t pid) { return AccessTokenManagerClient::GetInstance().IsToastShownNeeded(pid); } + +int32_t AccessTokenKit::SetPermissionStatusWithPolicy(uint32_t tokenID, const std::vector& permissionList, int32_t status, uint32_t flag) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permList.size=%{public}zu, status=%{public}d, flag=%{public}u.", + tokenID, permissionList.size(), status, flag); + if (tokenID == INVALID_TOKENID) { + LOGE(ATM_DOMAIN, ATM_TAG, "tokenID: %{public}d, TokenID is invalid.", tokenID); + return AccessTokenError::ERR_PARAM_INVALID; + } + if (permissionList.empty()) { + LOGE(ATM_DOMAIN, ATM_TAG, "PermissionList is empty."); + return AccessTokenError::ERR_PARAM_INVALID; + } + for (const auto& perm : permissionList) { + if (!DataValidator::IsPermissionNameValid(perm)) { + LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid: %{public}s.", perm.c_str()); + return AccessTokenError::ERR_PARAM_INVALID; + } + } + if (!DataValidator::IsPermissionStatusValid(status)) { + LOGE(ATM_DOMAIN, ATM_TAG, "Status: %{public}d, status is invalid.", status); + return AccessTokenError::ERR_PARAM_INVALID; + } + if (!DataValidator::IsPermissionFlagValidForAdmin(flag)) { + LOGE(ATM_DOMAIN, ATM_TAG, "Flag: %{public}u, flag is invalid.", flag); + return AccessTokenError::ERR_PARAM_INVALID; + } + return AccessTokenManagerClient::GetInstance().SetPermissionStatusWithPolicy(tokenID, permissionList, status, flag); +} } // namespace AccessToken } // namespace Security } // namespace OHOS 
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp index 1f35651ae..beffd9f82 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp @@ -388,6 +388,21 @@ int AccessTokenManagerClient::ClearUserGrantedPermissionState(AccessTokenID toke return result; } +int32_t AccessTokenManagerClient::SetPermissionStatusWithPolicy(AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag) +{ + auto proxy = GetProxy(); + if (proxy == nullptr) { + LOGE(ATM_DOMAIN, ATM_TAG, "Proxy is null."); + return AccessTokenError::ERR_SERVICE_ABNORMAL; + } + int32_t result = proxy->SetPermissionStatusWithPolicy(tokenID, permissionList, status, flag); + if (result != RET_SUCCESS) { + result = ConvertResult(result); + } + LOGI(ATM_DOMAIN, ATM_TAG, "Result from server (error=%{public}d).", result); + return result; +} + int32_t AccessTokenManagerClient::SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status, int32_t userID = 0) { diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h index 64ddbd8c6..02e1f7d8c 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h 
@@ -69,6 +69,7 @@ public: int GrantPermissionForSpecifiedTime( AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime); int ClearUserGrantedPermissionState(AccessTokenID tokenID); + int32_t SetPermissionStatusWithPolicy(AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag); AccessTokenIDEx AllocHapToken(const HapInfoParams& info, const HapPolicy& policy); int32_t InitHapToken(const HapInfoParams& info, HapPolicy& policy, AccessTokenIDEx& fullTokenId, HapInfoCheckResult& result); diff --git a/interfaces/innerkits/accesstoken/test/unittest/DlpTest/share_permission_with_sandbox_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/DlpTest/share_permission_with_sandbox_test.cpp index 3e4408d13..87db9f702 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/DlpTest/share_permission_with_sandbox_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/DlpTest/share_permission_with_sandbox_test.cpp @@ -286,7 +286,7 @@ HWTEST_F(SharePermissionTest, PermissionShareClearUserGrantTest001, TestSize.Lev AccessTokenID tokenFullRead = AllocHapTokenId(g_infoParmsReadOnly, g_policyParams); // grant pre-authorization - ret = TestCommon::GrantPermissionByTest(tokenFullControl, PERMISSION_ALL, PERMISSION_GRANTED_BY_POLICY); + ret = TestCommon::GrantPermissionByTest(tokenFullControl, PERMISSION_ALL, PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(RET_SUCCESS, ret); uint32_t flag; EXPECT_EQ(RET_SUCCESS, TestCommon::GetPermissionFlagByTest(tokenCommon, PERMISSION_ALL, flag)); diff --git a/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp index e8388d6f7..ae751c5be 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp 
@@ -39,6 +39,11 @@ static const std::string GET_NETWORK_STATS = "ohos.permission.GET_NETWORK_STATS" static const std::string LOCATION = "ohos.permission.LOCATION"; static const std::string GET_SENSITIVE_PERMISSIONS = "ohos.permission.GET_SENSITIVE_PERMISSIONS"; static const std::string REVOKE_SENSITIVE_PERMISSIONS = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS"; +static const std::string MICROPHONE = "ohos.permission.MICROPHONE"; +static const std::string CAMERA = "ohos.permission.CAMERA"; +static const std::string CUSTOM_SCREEN_CAPTURE = "ohos.permission.CUSTOM_SCREEN_CAPTURE"; +static const std::string READ_HEALTH_DATA = "ohos.permission.READ_HEALTH_DATA"; +static const std::string MANAGE_EDM_POLICY = "ohos.permission.MANAGE_EDM_POLICY"; PermissionStateFull g_infoManagerInternetState = { .permissionName = INTERNET, .isGeneral = true, @@ -63,6 +68,30 @@ PermissionStateFull g_infoManagerManageNetState = { .grantFlags = {0} }; +PermissionStateFull g_infoManagerMicrophoneState = { + .permissionName = MICROPHONE, + .isGeneral = true, + .resDeviceID = {"local2"}, + .grantStatus = {PermissionState::PERMISSION_DENIED}, + .grantFlags = {0} +}; + +PermissionStateFull g_infoManagerCameraState = { + .permissionName = CAMERA, + .isGeneral = true, + .resDeviceID = {"local2"}, + .grantStatus = {PermissionState::PERMISSION_GRANTED}, + .grantFlags = {PermissionFlag::PERMISSION_SYSTEM_FIXED} +}; + +PermissionStateFull g_infoManagerCustomScreenCaptureState = { + .permissionName = CUSTOM_SCREEN_CAPTURE, + .isGeneral = true, + .resDeviceID = {"local2"}, + .grantStatus = {PermissionState::PERMISSION_DENIED}, + .grantFlags = {PermissionFlag::PERMISSION_FIXED_BY_ADMIN_POLICY} +}; + // Permission set HapInfoParams g_testHapInfoParams = { .userID = 0, 
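Review bot: g_infoManagerCustomScreenCaptureState installs CUSTOM_SCREEN_CAPTURE with grantFlags already set to PERMISSION_FIXED_BY_ADMIN_POLICY, so the fixture depends on the HAP install path accepting an admin-policy flag from the installer-supplied HapPolicyParams rather than from SetPermissionStatusWithPolicy. If that is intended, it is a second, non-EDM way to establish the flag and deserves its own test showing that UpdateHapToken from a caller without MANAGE_EDM_POLICY can neither introduce nor drop it; if it is not intended, tests 006, 008 and 009 should set the flag through SetPermissionStatusWithPolicy under the `edm` mock token and the fixture should start from `.grantFlags = {0}`. Either way a short comment on the struct explaining why the flag is pre-set would help the next reader.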
@@ -79,6 +108,9 @@ HapPolicyParams g_testPolicyParams = { g_infoManagerInternetState, g_infoManagerNetWorkState, g_infoManagerManageNetState, + g_infoManagerMicrophoneState, + g_infoManagerCameraState, + g_infoManagerCustomScreenCaptureState, } }; 
@@ -566,4 +598,304 @@ HWTEST_F(EdmPolicySetTest, UserPolicyForUpdateHapTokenTest, TestSize.Level0) EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED); EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID)); -} \ No newline at end of file +} + +/** + * @tc.name: SetPermissionStatusWithPolicy001 + * @tc.desc: Set hap user-grant permission status by policy with edm permission. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy001, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy001"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + std::vector permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE}; + std::vector stateList = {PERMISSION_GRANTED, PERMISSION_DENIED}; + for (auto status : stateList) { + GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy001 status: " << status; + EXPECT_EQ(RET_SUCCESS, + AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, status, PERMISSION_FIXED_BY_ADMIN_POLICY)); + std::vector permsList; + for (auto perm : permList) { + GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy001 check perm: " << perm; + EXPECT_EQ(status, AccessTokenKit::VerifyAccessToken(tokenID, perm, false)); + permsList.push_back({perm, FORBIDDEN_OPER}); + } + SetSelfTokenID(tokenID); + PermissionGrantInfo info; + EXPECT_EQ(PASS_OPER, AccessTokenKit::GetSelfPermissionsState(permsList, info)); + EXPECT_EQ(status == PERMISSION_GRANTED ? 
PASS_OPER : INVALID_OPER, permsList[0].state); + EXPECT_EQ(status == PERMISSION_GRANTED ? REQ_SUCCESS : FIXED_BY_POLICY, permsList[0].errorReason); + EXPECT_EQ(status == PERMISSION_GRANTED ? PASS_OPER : INVALID_OPER, permsList[1].state); + EXPECT_EQ(status == PERMISSION_GRANTED ? REQ_SUCCESS : FIXED_BY_POLICY, permsList[1].errorReason); + SetSelfTokenID(selfTokenId); + } + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy002 + * @tc.desc: Set hap user-grant permission status by policy without edm permission. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy002, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy002"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("foundation"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + std::vector permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE}; + std::vector stateList = {PERMISSION_GRANTED, PERMISSION_DENIED}; + for (auto status : stateList) { + GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy002 status: " << status; + EXPECT_EQ(ERR_PERMISSION_DENIED, + AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, status, PERMISSION_FIXED_BY_ADMIN_POLICY)); + } + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy003 + * @tc.desc: Set hap system-grant permission. 
+ * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy003, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy003"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + std::vector permList = {GET_NETWORK_STATS}; + EXPECT_EQ(ERR_PARAM_INVALID, AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, PERMISSION_GRANTED, + PERMISSION_FIXED_BY_ADMIN_POLICY)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy004 + * @tc.desc: Set hap user-grant permission which hap not requested. 
+ * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy004, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy004"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + std::vector permList = {READ_HEALTH_DATA}; + EXPECT_EQ(ERR_PARAM_INVALID, AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, PERMISSION_GRANTED, + PERMISSION_FIXED_BY_ADMIN_POLICY)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy005 + * @tc.desc: Set hap user-grant permission which is system-fixed + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy005, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy005"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + uint32_t flag = 0; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CAMERA, flag)); + ASSERT_EQ(PERMISSION_SYSTEM_FIXED, flag); + std::vector permList = {CAMERA}; + + EXPECT_EQ(ERR_PARAM_INVALID, AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, PERMISSION_DENIED, + 
PERMISSION_FIXED_BY_ADMIN_POLICY)); + EXPECT_EQ(ERR_PARAM_INVALID, AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, PERMISSION_GRANTED, + PERMISSION_FIXED_BY_ADMIN_POLICY)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy006 + * @tc.desc: cancel fixed by admin policy + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy006, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy006"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + uint32_t flag = 0; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + ASSERT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + ASSERT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + std::vector permList = {CUSTOM_SCREEN_CAPTURE}; + + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, PERMISSION_GRANTED, + PERMISSION_ADMIN_POLICIES_CANCEL)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag); + EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, PERMISSION_DENIED, + PERMISSION_ADMIN_POLICIES_CANCEL)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + 
EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag); + EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + SetSelfTokenID(tokenID); + std::vector permsList = {{CUSTOM_SCREEN_CAPTURE, FORBIDDEN_OPER}}; + PermissionGrantInfo info; + EXPECT_EQ(PASS_OPER, AccessTokenKit::GetSelfPermissionsState(permsList, info)); + EXPECT_EQ(SETTING_OPER, permsList[0].state); + EXPECT_EQ(REQ_SUCCESS, permsList[0].errorReason); + SetSelfTokenID(selfTokenId); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy007 + * @tc.desc: set other flag + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy007, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy007"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + std::vector permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE}; + EXPECT_EQ(ERR_PARAM_INVALID, AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, PERMISSION_GRANTED, + PERMISSION_SYSTEM_FIXED)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy008 + * @tc.desc: user fixed and system fixed + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy008, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy008"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = 
TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("foundation"); + uint32_t flag = 0; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy008 try GrantPermission with USER_FIXED"; + EXPECT_EQ( + ERR_PERMISSION_RESTRICTED, AccessTokenKit::GrantPermission(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy008 try GrantPermission with SYSTEM_FIXED"; + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GrantPermission(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_SYSTEM_FIXED)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy009 + * @tc.desc: admin fixed status is not changed when application reset + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy009, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy009"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, 
g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("foundation"); + uint32_t flag = 0; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + ASSERT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + ASSERT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy009 do clear"; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::ClearUserGrantedPermissionState(tokenID)); + + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + ASSERT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + ASSERT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} diff --git a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/app_installation_optimized_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/app_installation_optimized_test.cpp index 5e8af25c3..71addc172 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/app_installation_optimized_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/app_installation_optimized_test.cpp @@ -275,7 +275,7 @@ HWTEST_F(AppInstallationOptimizedTest, InitHapToken005, TestSize.Level0) EXPECT_EQ(RET_SUCCESS, res); EXPECT_EQ(static_cast(1), permStatList.size()); EXPECT_EQ(CALENDAR_PERMISSION, permStatList[0].permissionName); - EXPECT_EQ(permStatList[0].grantFlags[0], PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(permStatList[0].grantFlags[0], PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(fullTokenId.tokenIdExStruct.tokenID)); } 
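Review bot: SetPermissionStatusWithPolicy006 passes status PERMISSION_GRANTED with PERMISSION_ADMIN_POLICIES_CANCEL and then expects VerifyAccessToken to report PERMISSION_DENIED, so the test pins that `status` is not applied for the cancel flag; that is surprising and unstated in the public header, so the @tc.desc should at least read `cancel fixed by admin policy; status argument is not applied, permission returns to the user-settable denied state` so nobody later "fixes" the expectation. Test 008 only checks that GrantPermission with PERMISSION_USER_FIXED is refused with ERR_PERMISSION_RESTRICTED on an admin-fixed permission; the RevokePermission counterpart (admin-fixed granted, then revoke with PERMISSION_USER_FIXED) is untested, as is GrantPermission with PERMISSION_FIXED_BY_ADMIN_POLICY from the `foundation` token, which would show whether the generic path is gated. Every new case assigns g_testHapInfoParams.userID = MOCK_USER_ID_10001 without restoring it, which may leak into other tests in this file that reuse the global; a local copy of the params would keep them independent. The step in 008 where PERMISSION_SYSTEM_FIXED overrides the admin-fixed state is presumably the intended precedence and should be called out as such in its @tc.desc.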
@@ -589,7 +589,7 @@ HWTEST_F(AppInstallationOptimizedTest, UpdateHapToken003, TestSize.Level0) EXPECT_EQ(permStatList1[0].grantFlags[0], PERMISSION_DEFAULT_FLAG); EXPECT_EQ(CALENDAR_PERMISSION, permStatList1[1].permissionName); EXPECT_EQ(permStatList1[1].grantStatus[0], PERMISSION_GRANTED); - EXPECT_EQ(permStatList1[1].grantFlags[0], PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(permStatList1[1].grantFlags[0], PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(fullTokenId.tokenIdExStruct.tokenID)); } @@ -997,7 +997,7 @@ HWTEST_F(AppInstallationOptimizedTest, UpdateHapToken013, TestSize.Level0) TestCommon::GetReqPermissionsByTest(fullTokenId.tokenIdExStruct.tokenID, state, false); EXPECT_EQ(static_cast(2), state.size()); EXPECT_EQ(state[0].grantStatus[0], PERMISSION_GRANTED); - EXPECT_EQ(state[0].grantFlags[0], PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(state[0].grantFlags[0], PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(state[1].grantStatus[0], PERMISSION_DENIED); EXPECT_EQ(state[1].grantFlags[0], PERMISSION_DEFAULT_FLAG); @@ -1050,7 +1050,7 @@ HWTEST_F(AppInstallationOptimizedTest, UpdateHapToken014, TestSize.Level0) EXPECT_EQ(state[0].grantStatus[0], PERMISSION_GRANTED); EXPECT_EQ(state[0].grantFlags[0], PERMISSION_SYSTEM_FIXED); EXPECT_EQ(state[1].grantStatus[0], PERMISSION_DENIED); - EXPECT_EQ(state[1].grantFlags[0], PERMISSION_USER_FIXED | PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(state[1].grantFlags[0], PERMISSION_USER_FIXED | PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(fullTokenId.tokenIdExStruct.tokenID)); } diff --git a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp index 8bbd287b4..1a34227ba 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp 
+++ b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp @@ -668,7 +668,7 @@ HWTEST_F(InitHapTokenTest, InitHapTokenSpecsTest004, TestSize.Level0) ASSERT_EQ(static_cast(2), permStatList.size()); ASSERT_EQ("ohos.permission.ACCESS_NEARLINK", permStatList[0].permissionName); EXPECT_EQ(permStatList[0].grantStatus[0], PERMISSION_GRANTED); - EXPECT_EQ(permStatList[0].grantFlags[0], PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(permStatList[0].grantFlags[0], PERMISSION_PRE_AUTHORIZED_CANCELABLE); ASSERT_EQ("ohos.permission.READ_WRITE_DESKTOP_DIRECTORY", permStatList[1].permissionName); EXPECT_EQ(permStatList[1].grantStatus[0], PERMISSION_GRANTED); EXPECT_EQ(permStatList[1].grantFlags[0], PERMISSION_SYSTEM_FIXED); diff --git a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp index ae21df44b..06aea9862 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp @@ -1219,7 +1219,7 @@ HWTEST_F(UpdateHapTokenTest, UpdateHapTokenSpecsTest008, TestSize.Level0) AccessTokenKit::GetReqPermissions(fullTokenId.tokenIdExStruct.tokenID, state, false); EXPECT_EQ(static_cast(2), state.size()); EXPECT_EQ(state[0].grantStatus[0], PERMISSION_GRANTED); - EXPECT_EQ(state[0].grantFlags[0], PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(state[0].grantFlags[0], PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(state[1].grantStatus[0], PERMISSION_DENIED); EXPECT_EQ(state[1].grantFlags[0], PERMISSION_DEFAULT_FLAG); 
@@ -1276,7 +1276,7 @@ HWTEST_F(UpdateHapTokenTest, UpdateHapTokenSpecsTest009, TestSize.Level0) EXPECT_EQ(state[0].grantStatus[0], PERMISSION_GRANTED); EXPECT_EQ(state[0].grantFlags[0], PERMISSION_SYSTEM_FIXED); EXPECT_EQ(state[1].grantStatus[0], PERMISSION_DENIED); - EXPECT_EQ(state[1].grantFlags[0], PERMISSION_USER_FIXED | PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(state[1].grantFlags[0], PERMISSION_USER_FIXED | PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(fullTokenId.tokenIdExStruct.tokenID)); } diff --git a/interfaces/innerkits/accesstoken/test/unittest/PermissionsTest/clear_user_granted__permission_state_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/PermissionsTest/clear_user_granted__permission_state_test.cpp index bc84fa973..2547a1bd7 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/PermissionsTest/clear_user_granted__permission_state_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/PermissionsTest/clear_user_granted__permission_state_test.cpp @@ -138,14 +138,14 @@ HWTEST_F(ClearUserGrantedPermissionStateTest, ClearUserGrantedPermissionStateFun .isGeneral = true, .resDeviceID = {"local"}, .grantStatus = {OHOS::Security::AccessToken::PermissionState::PERMISSION_DENIED}, - .grantFlags = {PERMISSION_GRANTED_BY_POLICY | PERMISSION_DEFAULT_FLAG} + .grantFlags = {PERMISSION_PRE_AUTHORIZED_CANCELABLE | PERMISSION_DEFAULT_FLAG} }; OHOS::Security::AccessToken::PermissionStateFull infoManagerTestState2 = { .permissionName = "ohos.permission.SEND_MESSAGES", .isGeneral = true, .resDeviceID = {"local"}, .grantStatus = {OHOS::Security::AccessToken::PermissionState::PERMISSION_DENIED}, - .grantFlags = {PERMISSION_GRANTED_BY_POLICY | PERMISSION_USER_FIXED} + .grantFlags = {PERMISSION_PRE_AUTHORIZED_CANCELABLE | PERMISSION_USER_FIXED} }; OHOS::Security::AccessToken::PermissionStateFull infoManagerTestState3 = { .permissionName = "ohos.permission.RECEIVE_SMS", 
diff --git a/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp index 6cb648279..1820fa25d 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp @@ -182,7 +182,7 @@ HWTEST_F(SecurityComponentGrantTest, SecurityComponentGrantTest003, TestSize.Lev ASSERT_NE(tokenID, INVALID_TOKENID); // system grant - int32_t res = TestCommon::GrantPermissionByTest(tokenID, TEST_PERMISSION, PERMISSION_GRANTED_BY_POLICY); + int32_t res = TestCommon::GrantPermissionByTest(tokenID, TEST_PERMISSION, PERMISSION_PRE_AUTHORIZED_CANCELABLE); ASSERT_EQ(res, RET_SUCCESS); // security component grant diff --git a/services/accesstokenmanager/idl/IAccessTokenManager.idl b/services/accesstokenmanager/idl/IAccessTokenManager.idl index d2e29972a..a3fab9519 100644 --- a/services/accesstokenmanager/idl/IAccessTokenManager.idl +++ b/services/accesstokenmanager/idl/IAccessTokenManager.idl @@ -92,4 +92,5 @@ interface OHOS.Security.AccessToken.IAccessTokenManager{ [ipccode 102, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE] void UpdateSecCompEnhance([in] int pid, [in] unsigned int seqNum); [ipccode 103, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE] void GetSecCompEnhance([in] int pid, [out] SecCompEnhanceDataParcel enhanceParcel); [ipccode 104] void IsToastShownNeeded([in] int pid, [out] boolean needToShow); + [ipccode 105] void SetPermissionStatusWithPolicy([in] unsigned int tokenID, [in] List permissionList, [in] int status, [in] unsigned int flag); } diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_data_brief.h b/services/accesstokenmanager/main/cpp/include/permission/permission_data_brief.h index 45a5d82ff..fae1b482f 100644 
--- a/services/accesstokenmanager/main/cpp/include/permission/permission_data_brief.h +++ b/services/accesstokenmanager/main/cpp/include/permission/permission_data_brief.h @@ -98,6 +98,7 @@ private: void UpdatePermStatus(const BriefPermData& permOld, BriefPermData& permNew); uint32_t GetFlagWroteToDb(uint32_t grantFlag); void MergePermBriefData(std::vector& permBriefDataList, BriefPermData& data); + bool isRestrictedPermission(uint32_t oldFlag, uint32_t newFlag); int32_t UpdatePermStateList(AccessTokenID tokenId, uint32_t opCode, bool isGranted, uint32_t flag); int32_t UpdateSecCompGrantedPermList(AccessTokenID tokenId, const std::string& permissionName, bool isToGrant); int32_t VerifyPermissionStatus(AccessTokenID tokenID, uint32_t permCode); diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h index 71e96caf7..ce27ee4e0 100644 --- a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h +++ b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h 
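Review bot: The new private declaration `isRestrictedPermission` breaks the PascalCase convention every neighbouring method in this class follows (`UpdatePermStatus`, `GetFlagWroteToDb`, `MergePermBriefData`); rename it `IsRestrictedPermission` here and at its definition and call site in permission_data_brief.cpp. Since it reads no member state, it could also be declared `static` (or moved next to the file-local `UpdateWithNewFlag` helper) so the header does not grow a member for a pure flag comparison.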
@@ -71,12 +71,20 @@ public: bool isGranted, uint32_t flag); int32_t CheckAndUpdatePermissionInner(AccessTokenID tokenID, const std::string& permissionName, bool isGranted, uint32_t flag); + int32_t CheckMultiPermissionStatus( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag); + int32_t UpdateMultiPermissionStatus( + AccessTokenID tokenID, const std::vector &permissionList, int32_t status, uint32_t flag); + int32_t CheckAndUpdateMultiPermissionStatus( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag); int32_t UpdatePermission(AccessTokenID tokenID, const std::string& permissionName, bool isGranted, uint32_t flag, bool needKill); int32_t GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag); int32_t RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag); int32_t GrantPermissionForSpecifiedTime( AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime); + int32_t SetPermissionStatusWithPolicy( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag); void GetSelfPermissionState(const std::vector& permsList, PermissionListState& permState, int32_t apiVersion); int32_t AddPermStateChangeCallback( 
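Review bot: The added declarations mix two reference styles — `const std::vector &permissionList` in UpdateMultiPermissionStatus versus `const std::vector& permissionList` in the adjacent CheckMultiPermissionStatus and in every pre-existing declaration of this header; the same drift appears in the private declarations of the next hunk (UpdateMultiTokenPermissionState, UpdateMultiTokenPermissionStateCheck). Settle on the file's `T&` form. It would also help callers to state the batch contract on SetPermissionStatusWithPolicy, e.g. `// Applies status/flag to every permission in permissionList; stops at the first failure and does not roll back entries already applied`, since nothing in the signature says whether the list is updated atomically.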
@@ -109,6 +117,12 @@ private: void ScopeToString( const std::vector& tokenIDs, const std::vector& permList); int32_t ScopeFilter(const PermStateChangeScope& scopeSrc, PermStateChangeScope& scopeRes); + int32_t UpdateTokenPermissionState(const std::shared_ptr& infoPtr, AccessTokenID tokenID, + const std::string& permission, bool isGranted, uint32_t flag, bool needKill); + int32_t UpdateMultiTokenPermissionState(const std::shared_ptr &infoPtr, AccessTokenID tokenID, + const std::vector &permissionList, bool isGranted, uint32_t flag, bool needKill); + int32_t UpdateMultiTokenPermissionStateCheck(const std::shared_ptr &infoPtr, + AccessTokenID tokenID, const std::vector &permissionList); int32_t UpdateTokenPermissionState( AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag, bool needKill); int32_t UpdateTokenPermissionStateCheck(const std::shared_ptr& infoPtr, diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_validator.h b/services/accesstokenmanager/main/cpp/include/permission/permission_validator.h index aec8b663e..e679272d1 100644 --- a/services/accesstokenmanager/main/cpp/include/permission/permission_validator.h +++ b/services/accesstokenmanager/main/cpp/include/permission/permission_validator.h @@ -31,6 +31,7 @@ public: static bool IsUserIdValid(const int32_t userID); static bool IsToggleStatusValid(const uint32_t status); static bool IsPermissionFlagValid(uint32_t flag); + static bool IsPermissionFlagValidForAdmin(uint32_t flag); static bool IsPermissionDefValid(const PermissionDef& permDef); static bool IsPermissionStateValid(const PermissionStatus& permState); static void FilterInvalidPermissionDef( diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h index 8d70754ed..f366a9568 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h 
+++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h @@ -76,6 +76,8 @@ public: int GrantPermissionForSpecifiedTime( AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime) override; int ClearUserGrantedPermissionState(AccessTokenID tokenID) override; + int32_t SetPermissionStatusWithPolicy( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag) override; int DeleteToken(AccessTokenID tokenID) override; int GetTokenType(AccessTokenID tokenID); int GetTokenType(AccessTokenID tokenID, int32_t& tokenType) override; diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp index d1986c22a..7dc398b11 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp @@ -271,7 +271,7 @@ void PermissionDataBrief::UpdatePermStatus(const BriefPermData& permOld, BriefPe if ((permOld.flag == PERMISSION_SYSTEM_FIXED) || // if old user_grant permission is granted by pre_authorization unfixed // and the user has not operated this permission, it keeps the new initalized state. - (permOld.flag == PERMISSION_GRANTED_BY_POLICY)) { + (permOld.flag == PERMISSION_PRE_AUTHORIZED_CANCELABLE)) { return; } 
@@ -403,10 +403,33 @@ int32_t PermissionDataBrief::StorePermissionBriefData(AccessTokenID tokenId, static uint32_t UpdateWithNewFlag(uint32_t oldFlag, uint32_t currFlag) { - uint32_t newFlag = currFlag | (oldFlag & PERMISSION_GRANTED_BY_POLICY); + uint32_t newFlag = currFlag | (oldFlag & PERMISSION_PRE_AUTHORIZED_CANCELABLE); return newFlag; } +/** + * @brief Check whether the permission is restricted by admin policy and cannot be modified. + * + * Returns true if: + * - the oldFlag was set with PERMISSION_FIXED_BY_ADMIN_POLICY, and + * - the newFlag does NOT contain any of the following flags: + * PERMISSION_FIXED_BY_ADMIN_POLICY, PERMISSION_SYSTEM_FIXED, or PERMISSION_ADMIN_POLICIES_CANCEL. + * This indicates that the permission is controlled by admin policy and cannot be modified. + * + * @param oldFlag The original permission flag before modification. + * @param newFlag The new permission flag to be applied. + * @return Returns true if the permission is restricted and cannot be modified; + * otherwise returns false. + */ +bool PermissionDataBrief::isRestrictedPermission(uint32_t oldFlag, uint32_t newFlag) +{ + bool isFixedByAdmin = ((oldFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) == PERMISSION_FIXED_BY_ADMIN_POLICY); + bool newFlagDoesNotHaveFixedAdmin = (newFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) == 0; + bool newFlagHasNoSystemFixed = (newFlag & PERMISSION_SYSTEM_FIXED) == 0; + bool newFlagHasNoAdminCancel = (newFlag & PERMISSION_ADMIN_POLICIES_CANCEL) == 0; + return isFixedByAdmin && newFlagDoesNotHaveFixedAdmin && newFlagHasNoSystemFixed && newFlagHasNoAdminCancel; +} + int32_t PermissionDataBrief::UpdatePermStateList( AccessTokenID tokenId, uint32_t opCode, bool isGranted, uint32_t flag) { 
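Review bot: isRestrictedPermission answers "false" as soon as newFlag carries PERMISSION_ADMIN_POLICIES_CANCEL or PERMISSION_SYSTEM_FIXED, whatever else it carries, so the protection of an admin-fixed permission rests entirely on which callers are allowed to pass those bits in; which validator admits PERMISSION_ADMIN_POLICIES_CANCEL (IsPermissionFlagValid versus the new IsPermissionFlagValidForAdmin) is not visible in this hunk. The doc comment should say so explicitly, e.g. `* Callers must have validated newFlag: PERMISSION_ADMIN_POLICIES_CANCEL and PERMISSION_SYSTEM_FIXED are trusted to lift the restriction.` The function name should also be `IsRestrictedPermission` to match the PascalCase methods around it, and the three "newFlagHasNo…" locals could collapse into one mask test, `(newFlag & (PERMISSION_FIXED_BY_ADMIN_POLICY | PERMISSION_SYSTEM_FIXED | PERMISSION_ADMIN_POLICIES_CANCEL)) == 0`.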
@@ -424,13 +447,21 @@ int32_t PermissionDataBrief::UpdatePermStateList( LOGC(ATM_DOMAIN, ATM_TAG, "Permission not request!"); return AccessTokenError::ERR_PARAM_INVALID; } - if ((static_cast(iter->flag) & PERMISSION_SYSTEM_FIXED) == PERMISSION_SYSTEM_FIXED) { LOGC(ATM_DOMAIN, ATM_TAG, "Permission fixed by system!"); return AccessTokenError::ERR_PARAM_INVALID; } - iter->status = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED; + if (isRestrictedPermission(iter->flag, flag)) { + LOGC(ATM_DOMAIN, ATM_TAG, "Oldflag: %{public}d, invalid params!", iter->flag); + return AccessTokenError::ERR_PERMISSION_RESTRICTED; + } + if ((flag & PERMISSION_ADMIN_POLICIES_CANCEL) == 0) { + iter->status = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED; + } iter->flag = UpdateWithNewFlag(iter->flag, flag); + LOGI(ATM_DOMAIN, ATM_TAG, + "Update perm state list, tokenId: %{public}d, permCode: %{public}d, status: %{public}d, flag: %{public}d", + tokenId, opCode, iter->status, iter->flag); return RET_SUCCESS; } @@ -503,9 +534,12 @@ int32_t PermissionDataBrief::ResetUserGrantPermissionStatus(AccessTokenID tokenI } /* A user_grant permission has been set by system for cancellable pre-authorization. */ /* it should keep granted when the app reset. */ - if ((oldFlag & PERMISSION_GRANTED_BY_POLICY) != 0) { + if ((oldFlag & PERMISSION_PRE_AUTHORIZED_CANCELABLE) != 0) { perm.status = PERMISSION_GRANTED; - perm.flag = PERMISSION_GRANTED_BY_POLICY; + perm.flag = PERMISSION_PRE_AUTHORIZED_CANCELABLE; + continue; + } + if((oldFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) != 0){ continue; } perm.status = PERMISSION_DENIED; diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 949652a13..96c7852a4 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp 
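Review bot: On the PERMISSION_ADMIN_POLICIES_CANCEL path the status is left alone but `iter->flag = UpdateWithNewFlag(iter->flag, flag)` still replaces the stored flag with `flag | (old & PERMISSION_PRE_AUTHORIZED_CANCELABLE)`, so any PERMISSION_USER_SET/PERMISSION_USER_FIXED bits the permission had before the admin policy are dropped and PERMISSION_ADMIN_POLICIES_CANCEL itself is persisted as the permission's flag; if "cancel" is meant to return the permission to its pre-policy state, that state is not recoverable here — please confirm the intended post-cancel flag and record it in a comment above the branch. The `LOGI` added at the end prints `tokenId` (an AccessTokenID, unsigned) with `%{public}d`; use `%{public}u` as the surrounding logs do. In the second hunk of this file (ResetUserGrantPermissionStatus) `if((oldFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) != 0){` is missing the spaces the rest of the file uses, as is `if(ret != RET_SUCCESS){` in permission_manager.cpp's UpdateMultiPermissionStatus.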
@@ -231,7 +231,18 @@ void PermissionManager::GetSelfPermissionState(const std::vector infoGuard(this->permParamSetLock_); if (filtered || (IsUserGrantPermission(permissionName) && - ((flag != PERMISSION_GRANTED_BY_POLICY) && (flag != PERMISSION_SYSTEM_FIXED)))) { + ((flag != PERMISSION_PRE_AUTHORIZED_CANCELABLE) && (flag != PERMISSION_SYSTEM_FIXED)))) { paramValue_++; LOGD(ATM_DOMAIN, ATM_TAG, "paramValue_ change %{public}llu", static_cast(paramValue_)); 
@@ -367,6 +378,83 @@ void PermissionManager::NotifyWhenPermissionStateUpdated(AccessTokenID tokenID, grantEvent_.AddEvent(tokenID, permissionName, infoPtr->permUpdateTimestamp_); } +int32_t PermissionManager::UpdateTokenPermissionState(const std::shared_ptr& infoPtr, + AccessTokenID tokenID, const std::string& permission, bool isGranted, uint32_t flag, bool needKill) +{ + bool isSecCompGrantedBefore = HapTokenInfoInner::IsPermissionGrantedWithSecComp(tokenID, permission); + bool statusChanged = false; + int32_t ret = infoPtr->UpdatePermissionStatus(permission, isGranted, flag, statusChanged); + if (ret != RET_SUCCESS) { + LOGC(ATM_DOMAIN, ATM_TAG, "Update info perm status failed, ret is %{public}d", ret); + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR", + HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", UPDATE_PERMISSION_STATUS_FAILED, "TOKENID", + tokenID, "PERM", permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", ret, "INT_VAL2", + static_cast(flag), "NEED_KILL", needKill); + return ret; + } + if (statusChanged) { + NotifyWhenPermissionStateUpdated(tokenID, permission, isGranted, flag, infoPtr); + // To notify kill process when perm is revoke + if (needKill && (!isGranted && !isSecCompGrantedBefore)) { + LOGI(ATM_DOMAIN, ATM_TAG, "(%{public}s) is revoked, kill process(%{public}u).", permission.c_str(), + tokenID); + std::shared_ptr abilityManagerLoader = GetAbilityManager(); + AbilityManagerAccessLoaderInterface *abilityManager = + abilityManagerLoader->GetObject(); + if (abilityManager == nullptr) { + LOGE(ATM_DOMAIN, ATM_TAG, "AbilityManager is nullptr!"); + } else if ((ret = abilityManager->KillProcessForPermissionUpdate(tokenID)) != ERR_OK) { + LOGE(ATM_DOMAIN, ATM_TAG, "kill process failed, ret=%{public}d.", ret); + } + } + } + return RET_SUCCESS; +} + +int32_t PermissionManager::UpdateMultiTokenPermissionState(const std::shared_ptr &infoPtr, + AccessTokenID tokenID, const std::vector 
&permissionList, bool isGranted, uint32_t flag, bool needKill) +{ + + HapTokenInfo hapInfo; + AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo); + ClearThreadErrorMsg(); + + uint32_t ret = RET_SUCCESS; + bool isHadSuccess = false; + for (const std::string &permissionName : permissionList) { + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION", + HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "SCENE_CODE", CommonSceneCode::AT_COMMOM_START, + "TOKENID", tokenID, "USERID", hapInfo.userID, "BUNDLENAME", hapInfo.bundleName, "INSTINDEX", hapInfo.instIndex, + "PERMISSION_NAME", permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted); + + ret = UpdateTokenPermissionState(infoPtr, tokenID, permissionName, isGranted, flag, needKill); + if (ret != RET_SUCCESS) { + break; + } + + isHadSuccess = true; + + uint32_t newFlag = flag; + if (GetPermissionFlag(tokenID, permissionName, flag) == RET_SUCCESS) { + flag = newFlag; + } + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION", + HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "SCENE_CODE", CommonSceneCode::AT_COMMON_FINISH, + "TOKENID", tokenID, "PERMISSION_NAME", permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted, + "ERROR_CODE", ret); + ReportSysCommonEventError(static_cast(isGranted ? IAccessTokenManagerIpcCode::COMMAND_GRANT_PERMISSION : + IAccessTokenManagerIpcCode::COMMAND_REVOKE_PERMISSION), ret); + } + + if (isHadSuccess) { + ParamFlagUpdate(); +#ifdef TOKEN_SYNC_ENABLE + TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID); +#endif + } + return ret; +} + int32_t PermissionManager::UpdateTokenPermissionState( AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag, bool needKill) { 
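Review bot: In UpdateMultiTokenPermissionState the flag read-back after a successful update is inverted: `GetPermissionFlag(tokenID, permissionName, flag)` writes the stored flag into the loop-carried `flag` parameter and the next line overwrites it with the saved input (`flag = newFlag`), so the AT_COMMON_FINISH event always reports the requested flag rather than the stored one, and if GetPermissionFlag fails after touching its out-parameter the altered value is carried into the following iterations. The intended form is `uint32_t newFlag = flag;` / `if (GetPermissionFlag(tokenID, permissionName, newFlag) != RET_SUCCESS) { newFlag = flag; }` with `newFlag` passed to HiSysEventWrite. Two smaller points in the same function: `ret` is declared `uint32_t` although UpdateTokenPermissionState and this function's own return type are int32_t error codes, and `GetHapTokenInfo`'s result is ignored so `hapInfo` fields are logged even when the lookup failed. The loop also stops at the first failing permission after earlier entries have already been applied; that partial-update behaviour should be stated in a header comment on the function.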
@@ -449,6 +537,75 @@ int32_t PermissionManager::UpdateTokenPermissionStateCheck(const std::shared_ptr return ERR_OK; } +int32_t PermissionManager::UpdateMultiPermissionStatus( + AccessTokenID tokenID, const std::vector &permissionList, int32_t status, uint32_t flag) +{ + bool isGranted = (status == PERMISSION_GRANTED); + bool needKill = false; + // To kill process when perm is revoke + if (!isGranted) { + LOGI(ATM_DOMAIN, ATM_TAG, "Perm is revoked, kill process(%{public}u).", tokenID); + needKill = true; + } + + std::shared_ptr infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID); + if (infoPtr == nullptr) { + LOGC(ATM_DOMAIN, ATM_TAG, "tokenInfo is null, tokenId=%{public}u.", tokenID); + return AccessTokenError::ERR_TOKENID_NOT_EXIST; + } + + int32_t ret = UpdateMultiTokenPermissionStateCheck(infoPtr, tokenID, permissionList); + if(ret != RET_SUCCESS){ + return ret; + } + + ret = UpdateMultiTokenPermissionState(infoPtr, tokenID, permissionList, isGranted, flag, needKill); + if (ret != RET_SUCCESS) { + LOGC(ATM_DOMAIN, ATM_TAG, "Update permission %{public}u failed, ret is %{public}d.", tokenID, ret); + return ret; + } + +#ifdef SUPPORT_SANDBOX_APP + // The action of sharing would be taken place only if the grant operation or revoke operation equals to success. 
+ std::vector tokenIdList; + AccessTokenInfoManager::GetInstance().GetRelatedSandBoxHapList(tokenID, tokenIdList); + for (const auto &id : tokenIdList) { + (void)UpdateMultiTokenPermissionState(infoPtr, id, permissionList, isGranted, flag, needKill); + } +#endif + + return RET_SUCCESS; +} + +int32_t PermissionManager::UpdateMultiTokenPermissionStateCheck(const std::shared_ptr &infoPtr, + AccessTokenID tokenID, const std::vector &permissionList) +{ + if (infoPtr->IsRemote()) { + LOGC(ATM_DOMAIN, ATM_TAG, "Remote token can not update."); + return AccessTokenError::ERR_IDENTITY_CHECK_FAILED; + } + +#ifdef SUPPORT_SANDBOX_APP + int32_t hapDlpType = infoPtr->GetDlpType(); + if (hapDlpType == DLP_COMMON) { + return RET_SUCCESS; + } + for (const std::string& permissionName : permissionList) { + int32_t permDlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permissionName); + if (!DlpPermissionSetManager::GetInstance().IsPermDlpModeAvailableToDlpHap(hapDlpType, permDlpMode)) { + LOGC(ATM_DOMAIN, ATM_TAG, "%{public}s cannot to be granted to %{public}u.", permissionName.c_str(), tokenID); + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR", + HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", DLP_CHECK_FAILED, "TOKENID", tokenID, "PERM", + permissionName, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", hapDlpType, + "INT_VAL2", permDlpMode); + return AccessTokenError::ERR_IDENTITY_CHECK_FAILED; + } + } +#endif + + return RET_SUCCESS; +} + int32_t PermissionManager::UpdatePermission(AccessTokenID tokenID, const std::string& permissionName, bool isGranted, uint32_t flag, bool needKill) { 
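Review bot: The SUPPORT_SANDBOX_APP loop in UpdateMultiPermissionStatus calls `UpdateMultiTokenPermissionState(infoPtr, id, ...)` with the `infoPtr` that was fetched for `tokenID` a few lines above, so `infoPtr->UpdatePermissionStatus(...)` inside UpdateTokenPermissionState mutates the primary token's state again while only the notification and kill are keyed by the sandbox `id`; unless HapTokenInfoInner resolves the target from the passed id elsewhere, the sandbox tokens are never updated. The single-permission path (the pre-existing UpdateTokenPermissionState(AccessTokenID id, ...) overload, whose body is outside this hunk) looks up its own info per id; this loop should do the same, e.g. `auto sandboxInfo = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(id); if (sandboxInfo != nullptr) { (void)UpdateMultiTokenPermissionState(sandboxInfo, id, permissionList, isGranted, flag, needKill); }`. The `if(ret != RET_SUCCESS){` line also needs the file's usual spacing.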
@@ -524,6 +681,44 @@ int32_t PermissionManager::CheckAndUpdatePermissionInner(AccessTokenID tokenID, return ret; } +int32_t PermissionManager::CheckMultiPermissionStatus( + AccessTokenID tokenID, const std::vector &permissionList, int32_t status, uint32_t flag) +{ + if (!PermissionValidator::IsPermissionFlagValidForAdmin(flag)) { + LOGC(ATM_DOMAIN, ATM_TAG, "flag: %{public}d, Invalid params!", flag); + return AccessTokenError::ERR_PARAM_INVALID; + } + for (const std::string& permissionName : permissionList) { + LOGI(ATM_DOMAIN, ATM_TAG, + "tokenID: %{public}d, permissionName: %{public}s, status: %{public}d, flag: %{public}d.", tokenID, + permissionName.c_str(), status, flag); + if (!IsDefinedPermission(permissionName)) { + LOGC(ATM_DOMAIN, ATM_TAG, "No definition for permission: %{public}s!", permissionName.c_str()); + return AccessTokenError::ERR_PERMISSION_NOT_EXIST; + } + if (!IsUserGrantPermission(permissionName)) { + LOGC(ATM_DOMAIN, ATM_TAG, "Only support permissions of user_grant to set."); + return AccessTokenError::ERR_PARAM_INVALID; + } + } + return RET_SUCCESS; +} + +int32_t PermissionManager::CheckAndUpdateMultiPermissionStatus( + AccessTokenID tokenID, const std::vector &permissionList, int32_t status, uint32_t flag) +{ + int32_t ret = RET_SUCCESS; + ret = CheckMultiPermissionStatus(tokenID, permissionList, status, flag); + if (ret != RET_SUCCESS) { + return ret; + } + ret = UpdateMultiPermissionStatus(tokenID, permissionList, status, flag); + if (ret != RET_SUCCESS) { + return ret; + } + return RET_SUCCESS; +} + int32_t PermissionManager::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag) { LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s, flag: %{public}d", 
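Review bot: CheckMultiPermissionStatus validates `flag` but never `status`, and UpdateMultiPermissionStatus then maps every value other than PERMISSION_GRANTED to a revoke via `isGranted = (status == PERMISSION_GRANTED)`; this is the server side of an IPC interface, so it should not rely on the client SDK having checked the value. The commit adds `DataValidator::IsPermissionStatusValid` (declared in data_validator.h in this patch) but no visible caller — add `if (!DataValidator::IsPermissionStatusValid(status)) { return AccessTokenError::ERR_PARAM_INVALID; }` next to the flag check. An empty `permissionList` also passes every check and returns RET_SUCCESS having done nothing; either reject it or document that as intended. The INFO log in the loop prints `tokenID` with `%{public}d` (it is unsigned) and is emitted before IsDefinedPermission rejects the name, and in CheckAndUpdateMultiPermissionStatus the `int32_t ret = RET_SUCCESS;` initialiser and the trailing `if (ret != RET_SUCCESS) return ret; return RET_SUCCESS;` collapse to `return UpdateMultiPermissionStatus(tokenID, permissionList, status, flag);`.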
@@ -560,6 +755,13 @@ void PermissionManager::ScopeToString( tokenidStr.c_str(), permStr.c_str()); } +int32_t PermissionManager::SetPermissionStatusWithPolicy( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, status: %{public}d, flag: %{public}u.", tokenID, status, flag); + return CheckAndUpdateMultiPermissionStatus(tokenID, permissionList, status, flag); +} + int32_t PermissionManager::ScopeFilter(const PermStateChangeScope& scopeSrc, PermStateChangeScope& scopeRes) { std::set tokenIdSet; @@ -1032,7 +1234,7 @@ bool PermissionManager::InitPermissionList(const HapInitInfo& initInfo, std::vec } bool userCancelable = true; if (IsUserGrantPermPreAuthorized(initInfo.policy.preAuthorizationInfo, state.permissionName, userCancelable)) { - state.grantFlag = userCancelable ? PERMISSION_GRANTED_BY_POLICY : PERMISSION_SYSTEM_FIXED; + state.grantFlag = userCancelable ? PERMISSION_PRE_AUTHORIZED_CANCELABLE : PERMISSION_SYSTEM_FIXED; state.grantStatus = PERMISSION_GRANTED; } initializedList.emplace_back(state); diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp index 941fafe1f..814f474da 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp @@ -40,6 +40,11 @@ bool PermissionValidator::IsPermissionFlagValid(uint32_t flag) return DataValidator::IsPermissionFlagValid(flag); } +bool PermissionValidator::IsPermissionFlagValidForAdmin(uint32_t flag) +{ + return DataValidator::IsPermissionFlagValidForAdmin(flag); +} + bool PermissionValidator::IsPermissionNameValid(const std::string& permissionName) { return DataValidator::IsPermissionNameValid(permissionName); 
diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp index b4a333560..50ea3cb47 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp @@ -81,6 +81,7 @@ const std::string REVOKE_SENSITIVE_PERMISSIONS = "ohos.permission.REVOKE_SENSITI const std::string GET_SENSITIVE_PERMISSIONS = "ohos.permission.GET_SENSITIVE_PERMISSIONS"; const std::string DISABLE_PERMISSION_DIALOG = "ohos.permission.DISABLE_PERMISSION_DIALOG"; const std::string GRANT_SHORT_TERM_WRITE_MEDIAVIDEO = "ohos.permission.GRANT_SHORT_TERM_WRITE_MEDIAVIDEO"; +const std::string MANAGE_EDM_POLICY = "ohos.permission.MANAGE_EDM_POLICY"; static constexpr int32_t SA_ID_ACCESSTOKEN_MANAGER_SERVICE = 3503; @@ -404,11 +405,11 @@ int AccessTokenManagerService::GetPermissionFlag( if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { return AccessTokenError::ERR_NOT_SYSTEM_APP; } - if (!IsPrivilegedCalling() && VerifyAccessToken(callingTokenID, GRANT_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED && VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED && - VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) { + VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED && + VerifyAccessToken(callingTokenID, MANAGE_EDM_POLICY) == PERMISSION_DENIED) { LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID); return AccessTokenError::ERR_PERMISSION_DENIED; } 
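Review bot: The GetPermissionFlag hunk widens the set of callers allowed to read any token's permission flag to holders of MANAGE_EDM_POLICY, with nothing at the call site saying why; a one-line comment such as `// EDM policy managers may read the flags they are allowed to set via SetPermissionStatusWithPolicy` would keep the next reviewer from tightening it back. The denial branch here still only logs, whereas the new SetPermissionStatusWithPolicy in the next hunk also writes a PERMISSION_VERIFY_REPORT security event — consider making the two consistent. The four-way `VerifyAccessToken(...) == PERMISSION_DENIED` chain is now long enough to deserve a small helper that takes the list of acceptable permissions.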
@@ -545,6 +546,29 @@ int AccessTokenManagerService::ClearUserGrantedPermissionState(AccessTokenID tok return RET_SUCCESS; } +int32_t AccessTokenManagerService::SetPermissionStatusWithPolicy( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "tokenID: %{public}d, permList size:%{public}zu, status: %{public}d, flag: %{public}u.", + tokenID, permissionList.size(), status, flag); + + AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return AccessTokenError::ERR_NOT_SYSTEM_APP; + } + + if (!IsPrivilegedCalling() && + VerifyAccessToken(callingTokenID, MANAGE_EDM_POLICY) == PERMISSION_DENIED) { + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT", + HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR, "CALLER_TOKENID", + callingTokenID); + LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d).", callingTokenID); + return AccessTokenError::ERR_PERMISSION_DENIED; + } + + return PermissionManager::GetInstance().SetPermissionStatusWithPolicy(tokenID, permissionList, status, flag); +} + int32_t AccessTokenManagerService::RegisterPermStateChangeCallback( const PermStateChangeScopeParcel& scope, const sptr& callback) { diff --git a/services/accesstokenmanager/test/unittest/permission_manager_test.cpp b/services/accesstokenmanager/test/unittest/permission_manager_test.cpp index 8f6886d51..a6ee3e2db 100644 --- a/services/accesstokenmanager/test/unittest/permission_manager_test.cpp +++ b/services/accesstokenmanager/test/unittest/permission_manager_test.cpp 
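Review bot: SetPermissionStatusWithPolicy forwards `permissionList` to PermissionManager without running `PermissionValidator::IsPermissionNameValid` on each entry, so the first thing that touches an arbitrary IPC-supplied string is the `%{public}s` INFO log in CheckMultiPermissionStatus rather than a length/format check; whether the sibling GrantPermission entry point validates names is outside this hunk, but this one should, e.g. `for (const auto& name : permissionList) { if (!PermissionValidator::IsPermissionNameValid(name)) { return AccessTokenError::ERR_PARAM_INVALID; } }` before the manager call. The opening LOGI also runs before the system-app and MANAGE_EDM_POLICY checks, so any caller can fill the log; move it below the authorization block. `tokenID` is printed with `%{public}d` although it is unsigned.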
@@ -130,25 +130,25 @@ static PermissionStatus g_permState2 = { static PermissionStatus g_permState6 = { .permissionName = "ohos.permission.CAMERA", .grantStatus = PermissionState::PERMISSION_DENIED, - .grantFlag = PermissionFlag::PERMISSION_POLICY_FIXED + .grantFlag = PermissionFlag::PERMISSION_FIXED_FOR_SECURITY_POLICY }; static PermissionStatus g_permState7 = { .permissionName = "ohos.permission.CAMERA", .grantStatus = PermissionState::PERMISSION_GRANTED, - .grantFlag = PermissionFlag::PERMISSION_POLICY_FIXED + .grantFlag = PermissionFlag::PERMISSION_FIXED_FOR_SECURITY_POLICY }; static PermissionStatus g_permState8 = { .permissionName = "ohos.permission.CAMERA", .grantStatus = PermissionState::PERMISSION_DENIED, - .grantFlag = PermissionFlag::PERMISSION_POLICY_FIXED | PermissionFlag::PERMISSION_USER_SET + .grantFlag = PermissionFlag::PERMISSION_FIXED_FOR_SECURITY_POLICY | PermissionFlag::PERMISSION_USER_SET }; static PermissionStatus g_permState9 = { .permissionName = "ohos.permission.CAMERA", .grantStatus = PermissionState::PERMISSION_GRANTED, - .grantFlag = PermissionFlag::PERMISSION_POLICY_FIXED | PermissionFlag::PERMISSION_USER_SET + .grantFlag = PermissionFlag::PERMISSION_FIXED_FOR_SECURITY_POLICY | PermissionFlag::PERMISSION_USER_SET }; static PermissionDef g_infoManagerPermDef1 = { @@ -523,7 +523,7 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState002, TestSize.Level0) permState1.permissionName = "ohos.permission.CAMERA"; int32_t apiVersion = ACCURATE_LOCATION_API_VERSION; - // flag is PERMISSION_POLICY_FIXED and state is denied, return SETTING_OPER + // flag is PERMISSION_FIXED_FOR_SECURITY_POLICY and state is denied, return SETTING_OPER PermissionManager::GetInstance().GetSelfPermissionState(permsList1, permState1, apiVersion); ASSERT_EQ(PermissionOper::SETTING_OPER, permState1.state); 
@@ -532,7 +532,7 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState002, TestSize.Level0)
 PermissionListState permState2;
 permState2.permissionName = "ohos.permission.CAMERA";
- // flag is PERMISSION_POLICY_FIXED and state is granted, return PASS_OPER
+ // flag is PERMISSION_FIXED_FOR_SECURITY_POLICY and state is granted, return PASS_OPER
 PermissionManager::GetInstance().GetSelfPermissionState(permsList2, permState2, apiVersion);
 ASSERT_EQ(PermissionOper::PASS_OPER, permState2.state);
@@ -541,7 +541,7 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState002, TestSize.Level0)
 PermissionListState permState3;
 permState3.permissionName = "ohos.permission.CAMERA";
- // flag is PERMISSION_POLICY_FIXED | PERMISSION_USER_SET and state is denied, return SETTING_OPER
+ // flag is PERMISSION_FIXED_FOR_SECURITY_POLICY | PERMISSION_USER_SET and state is denied, return SETTING_OPER
 PermissionManager::GetInstance().GetSelfPermissionState(permsList3, permState3, apiVersion);
 ASSERT_EQ(PermissionOper::SETTING_OPER, permState3.state);
@@ -550,7 +550,7 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState002, TestSize.Level0)
 PermissionListState permState4;
 permState4.permissionName = "ohos.permission.CAMERA";
- // flag is PERMISSION_POLICY_FIXED | PERMISSION_USER_SET and state is granted, return PASS_OPER
+ // flag is PERMISSION_FIXED_FOR_SECURITY_POLICY | PERMISSION_USER_SET and state is granted, return PASS_OPER
 PermissionManager::GetInstance().GetSelfPermissionState(permsList4, permState4, apiVersion);
 ASSERT_EQ(PermissionOper::PASS_OPER, permState4.state);
 }
diff --git a/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp b/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp
index 42d0d9a3d..3ec52f5be 100644
--- a/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp
+++ b/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp
@@ -52,9 +52,9 @@ static const vector FLAG_LIST = {
 PERMISSION_USER_SET,
 PERMISSION_USER_FIXED,
 PERMISSION_SYSTEM_FIXED,
- PERMISSION_GRANTED_BY_POLICY,
+ PERMISSION_PRE_AUTHORIZED_CANCELABLE,
 PERMISSION_COMPONENT_SET,
- PERMISSION_POLICY_FIXED,
+ PERMISSION_FIXED_FOR_SECURITY_POLICY,
 PERMISSION_ALLOW_THIS_TIME
 };
 static const uint32_t FLAG_LIST_SIZE = 8;
diff --git a/test/fuzztest/normalize_service/accesstoken/revokepermissionservice_fuzzer/revokepermissionservice_fuzzer.cpp b/test/fuzztest/normalize_service/accesstoken/revokepermissionservice_fuzzer/revokepermissionservice_fuzzer.cpp
index 775e08ab6..3c33630e7 100644
--- a/test/fuzztest/normalize_service/accesstoken/revokepermissionservice_fuzzer/revokepermissionservice_fuzzer.cpp
+++ b/test/fuzztest/normalize_service/accesstoken/revokepermissionservice_fuzzer/revokepermissionservice_fuzzer.cpp
@@ -34,9 +34,9 @@ static const vector FLAG_LIST = {
 PERMISSION_USER_SET,
 PERMISSION_USER_FIXED,
 PERMISSION_SYSTEM_FIXED,
- PERMISSION_GRANTED_BY_POLICY,
+ PERMISSION_PRE_AUTHORIZED_CANCELABLE,
 PERMISSION_COMPONENT_SET,
- PERMISSION_POLICY_FIXED,
+ PERMISSION_FIXED_FOR_SECURITY_POLICY,
 PERMISSION_ALLOW_THIS_TIME
 };
 static const uint32_t FLAG_LIST_SIZE = 8;
-- Gitee
