diff --git a/frameworks/native/ability/native/ability.cpp b/frameworks/native/ability/native/ability.cpp index 55cc691b7b03d9f15edcb287d908e4ebcfbc2146..07661fd131da9bc1a48a6fadbf27ac80eab6a790 100644 --- a/frameworks/native/ability/native/ability.cpp +++ b/frameworks/native/ability/native/ability.cpp @@ -84,6 +84,7 @@ const std::string LAUNCHER_BUNDLE_NAME = "com.ohos.launcher"; const std::string LAUNCHER_ABILITY_NAME = "com.ohos.launcher.MainAbility"; const std::string SHOW_ON_LOCK_SCREEN = "ShowOnLockScreen"; const std::string DLP_INDEX = "ohos.dlp.params.index"; +const std::string DLP_PARAMS_SECURITY_FLAG = "ohos.dlp.params.securityFlag"; #ifdef DISTRIBUTED_DATA_OBJECT_ENABLE constexpr int32_t DISTRIBUTED_OBJECT_TIMEOUT = 10000; @@ -197,6 +198,8 @@ void Ability::OnStart(const Want &want) appIndex_ = want.GetIntParam(DLP_INDEX, 0); (const_cast(want)).RemoveParam(DLP_INDEX); + securityFlag_ = want.GetBoolParam(DLP_PARAMS_SECURITY_FLAG, false); + (const_cast(want)).RemoveParam(DLP_PARAMS_SECURITY_FLAG); HILOG_INFO("%{public}s begin, ability is %{public}s.", __func__, abilityInfo_->name.c_str()); #ifdef SUPPORT_GRAPHICS @@ -2359,7 +2362,7 @@ void Ability::InitWindow(Rosen::WindowType winType, int32_t displayId, sptrInitWindow(winType, abilityContext_, sceneListener_, displayId, option, appIndex_ != 0); + abilityWindow_->InitWindow(winType, abilityContext_, sceneListener_, displayId, option, securityFlag_); } /** diff --git a/frameworks/native/ability/native/ability_runtime/js_ability.cpp b/frameworks/native/ability/native/ability_runtime/js_ability.cpp index fc1056c7ba11e4dac473cf09dab7d9c05f954747..26dd4a98d6c9e58b12e34beaa8a855864668d2d1 100644 --- a/frameworks/native/ability/native/ability_runtime/js_ability.cpp +++ b/frameworks/native/ability/native/ability_runtime/js_ability.cpp 
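Review bot: Window privacy mode now depends only on `securityFlag_`, which `OnStart` reads from the Want with a default of `false`. Any launch that reaches the ability without `ohos.dlp.params.securityFlag` therefore leaves a sandbox instance (`appIndex_ != 0`) without the protection the old `appIndex_ != 0` argument gave it. If sandbox windows must never lose privacy mode, keep the index as a floor in `InitWindow`, e.g. `const bool privacy = securityFlag_ || (appIndex_ != 0);`, and use the same expression for `SetPrivacyMode` in `JsAbility::DoOnForeground`. If the flag is meant to relax privacy for some sandbox instances, add a comment at the read naming the component trusted to set it. Both function bodies continue outside their hunks.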
@@ -429,7 +429,7 @@ void JsAbility::DoOnForeground(const Want &want) std::weak_ptr weakAbility = shared_from_this(); abilityDisplayMoveListener_ = new AbilityDisplayMoveListener(weakAbility); window->RegisterDisplayMoveListener(abilityDisplayMoveListener_); - window->SetPrivacyMode(appIndex_ != 0); + window->SetPrivacyMode(securityFlag_); } HILOG_INFO("%{public}s begin scene_->GoForeground, sceneFlag_:%{public}d.", __func__, Ability::sceneFlag_); diff --git a/interfaces/kits/native/ability/native/ability.h b/interfaces/kits/native/ability/native/ability.h index 146c31e40935b246ed2d23679c1e60cd2920d02f..a22246a00d4e66710c7d9f8a1a191dbe87897163 100644 --- a/interfaces/kits/native/ability/native/ability.h +++ b/interfaces/kits/native/ability/native/ability.h @@ -1667,6 +1667,7 @@ protected: std::shared_ptr setting_ = nullptr; LaunchParam launchParam_; int32_t appIndex_ = 0; + bool securityFlag_ = false; private: std::shared_ptr ParsePredictionArgsReference( diff --git a/services/abilitymgr/include/ability_manager_service.h b/services/abilitymgr/include/ability_manager_service.h index 90ffb4085f61b6ccd5219e2d2ec37716b71e3b05..a71776eaf958517a09fa8a292bbc2db3e3c42323 100644 --- a/services/abilitymgr/include/ability_manager_service.h +++ b/services/abilitymgr/include/ability_manager_service.h @@ -993,8 +993,6 @@ private: void StartResidentApps(); - int VerifyMissionPermission(); - int VerifyAccountPermission(int32_t userId); bool CheckCallerEligibility(const AppExecFwk::AbilityInfo &abilityInfo, int callerUid); diff --git a/services/abilitymgr/src/ability_manager_service.cpp b/services/abilitymgr/src/ability_manager_service.cpp index 48401106dce4be34750b05ddb7b1541bf3425c83..9a7252a8344c10f08c2493614471ee0360c841eb 100644 --- a/services/abilitymgr/src/ability_manager_service.cpp +++ b/services/abilitymgr/src/ability_manager_service.cpp 
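Review bot: `securityFlag_` is added to the protected section of a kits header with no comment, although it now decides whether `JsAbility::DoOnForeground` calls `SetPrivacyMode(true)`. I would document it where it is declared, e.g. `// Set in OnStart from the "ohos.dlp.params.securityFlag" want parameter; true puts the ability window in privacy mode.` Because any derived class can also write a protected member, consider a private field with a protected read-only accessor, if the existing layout of the class allows it. The class declaration starts and ends outside this hunk.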
@@ -45,7 +45,6 @@ #include "iservice_registry.h" #include "itest_observer.h" #include "mission_info_mgr.h" -#include "permission_constants.h" #include "permission_verification.h" #include "sa_mgr_client.h" #include "system_ability_token_callback.h" @@ -1528,7 +1527,7 @@ int AbilityManagerService::ContinueMission(const std::string &srcDeviceId, const int32_t missionId, const sptr &callBack, AAFwk::WantParams &wantParams) { HILOG_INFO("ContinueMission missionId: %{public}d", missionId); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -1601,7 +1600,7 @@ int AbilityManagerService::NotifyContinuationResult(int32_t missionId, int32_t r int AbilityManagerService::StartSyncRemoteMissions(const std::string& devId, bool fixConflict, int64_t tag) { - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -1611,7 +1610,7 @@ int AbilityManagerService::StartSyncRemoteMissions(const std::string& devId, boo int AbilityManagerService::StopSyncRemoteMissions(const std::string& devId) { - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } 
@@ -1628,7 +1627,7 @@ int AbilityManagerService::RegisterMissionListener(const std::string &deviceId, return REGISTER_REMOTE_MISSION_LISTENER_FAIL; } CHECK_POINTER_AND_RETURN(listener, ERR_INVALID_VALUE); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -1645,7 +1644,7 @@ int AbilityManagerService::UnRegisterMissionListener(const std::string &deviceId return REGISTER_REMOTE_MISSION_LISTENER_FAIL; } CHECK_POINTER_AND_RETURN(listener, ERR_INVALID_VALUE); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -1831,7 +1830,7 @@ int AbilityManagerService::LockMissionForCleanup(int32_t missionId) HILOG_INFO("request unlock mission for clean up all, id :%{public}d", missionId); CHECK_POINTER_AND_RETURN(currentMissionListManager_, ERR_NO_INIT); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -1843,7 +1842,7 @@ int AbilityManagerService::UnlockMissionForCleanup(int32_t missionId) HILOG_INFO("request unlock mission for clean up all, id :%{public}d", missionId); CHECK_POINTER_AND_RETURN(currentMissionListManager_, ERR_NO_INIT); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } 
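Review bot: In the device-id overloads of `RegisterMissionListener` and `UnRegisterMissionListener` the permission check still runs after an early `return REGISTER_REMOTE_MISSION_LISTENER_FAIL` (its condition is outside the hunk) and after the `listener` null check. A caller without the mission permission therefore gets an input-dependent error code instead of a uniform `CHECK_PERMISSION_FAILED`. Since these lines are being touched anyway, I would move `if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { ... return CHECK_PERMISSION_FAILED; }` to the top of each function so authorization precedes any other return. The same ordering appears, with less impact, where `CHECK_POINTER_AND_RETURN(currentMissionListManager_, ERR_NO_INIT)` precedes the check in `LockMissionForCleanup`, `UnlockMissionForCleanup`, `GetMissionInfos`, `GetMissionInfo`, `CleanMission`, `CleanAllMissions` and both `MoveMissionToFront` overloads.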
@@ -1855,7 +1854,7 @@ int AbilityManagerService::RegisterMissionListener(const sptr HILOG_INFO("request RegisterMissionListener "); CHECK_POINTER_AND_RETURN(currentMissionListManager_, ERR_NO_INIT); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -1867,7 +1866,7 @@ int AbilityManagerService::UnRegisterMissionListener(const sptrVerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -1880,7 +1879,7 @@ int AbilityManagerService::GetMissionInfos(const std::string& deviceId, int32_t HILOG_INFO("request GetMissionInfos."); CHECK_POINTER_AND_RETURN(currentMissionListManager_, ERR_NO_INIT); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -1911,7 +1910,7 @@ int AbilityManagerService::GetMissionInfo(const std::string& deviceId, int32_t m HILOG_INFO("request GetMissionInfo, missionId:%{public}d", missionId); CHECK_POINTER_AND_RETURN(currentMissionListManager_, ERR_NO_INIT); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } 
@@ -1947,7 +1946,7 @@ int AbilityManagerService::CleanMission(int32_t missionId) HILOG_INFO("request CleanMission, missionId:%{public}d", missionId); CHECK_POINTER_AND_RETURN(currentMissionListManager_, ERR_NO_INIT); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -1960,7 +1959,7 @@ int AbilityManagerService::CleanAllMissions() HILOG_INFO("request CleanAllMissions "); CHECK_POINTER_AND_RETURN(currentMissionListManager_, ERR_NO_INIT); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -1980,7 +1979,7 @@ int AbilityManagerService::MoveMissionToFront(int32_t missionId) HILOG_INFO("request MoveMissionToFront, missionId:%{public}d", missionId); CHECK_POINTER_AND_RETURN(currentMissionListManager_, ERR_NO_INIT); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -1998,7 +1997,7 @@ int AbilityManagerService::MoveMissionToFront(int32_t missionId, const StartOpti HILOG_INFO("request MoveMissionToFront, missionId:%{public}d", missionId); CHECK_POINTER_AND_RETURN(currentMissionListManager_, ERR_NO_INIT); - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } 
@@ -3900,7 +3899,7 @@ int AbilityManagerService::RegisterSnapshotHandler(const sptr& int32_t AbilityManagerService::GetMissionSnapshot(const std::string& deviceId, int32_t missionId, MissionSnapshot& missionSnapshot, bool isLowResolution) { - if (VerifyMissionPermission() == CHECK_PERMISSION_FAILED) { + if (!PermissionVerification::GetInstance()->VerifyMissionPermission()) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); return CHECK_PERMISSION_FAILED; } @@ -4580,22 +4579,6 @@ bool AbilityManagerService::GetDataAbilityUri(const std::vectorIsSACall(); - if (isSaCall) { - return ERR_OK; - } - auto isCallingPerm = AAFwk::PermissionVerification::GetInstance()->VerifyCallingPermission( - PermissionConstants::PERMISSION_MANAGE_MISSION); - if (isCallingPerm) { - HILOG_DEBUG("%{public}s: Permission verification succeeded.", __func__); - return ERR_OK; - } - HILOG_ERROR("%{public}s: Permission verification failed", __func__); - return CHECK_PERMISSION_FAILED; -} - void AbilityManagerService::GetAbilityRunningInfo(std::vector &info, std::shared_ptr &abilityRecord) { @@ -4619,17 +4602,7 @@ int AbilityManagerService::VerifyAccountPermission(int32_t userId) if ((userId < 0) || (userController_ && (userController_->GetCurrentUserId() == userId))) { return ERR_OK; } - auto isSaCall = AAFwk::PermissionVerification::GetInstance()->IsSACall(); - if (isSaCall) { - return ERR_OK; - } - auto isCallingPerm = AAFwk::PermissionVerification::GetInstance()->VerifyCallingPermission( - PermissionConstants::PERMISSION_INTERACT_ACROSS_LOCAL_ACCOUNTS); - if (isCallingPerm) { - return ERR_OK; - } - HILOG_ERROR("%{public}s: Permission verification failed", __func__); - return CHECK_PERMISSION_FAILED; + return AAFwk::PermissionVerification::GetInstance()->VerifyAccountPermission(); } #ifdef ABILITY_COMMAND_FOR_TEST 
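Review bot: `AbilityManagerService::VerifyAccountPermission` still returns `ERR_OK` for every negative `userId` before the delegated check is reached. The cross-account permission is therefore enforced only for non-negative ids that differ from the current user. If a negative value is only ever the "use the caller's own user" sentinel and is resolved to that user later, this is fine, but nothing in the hunk shows it. I would either compare against the one sentinel value instead of `userId < 0`, or add a comment such as `// negative userId means "current user" and is resolved by the caller; no cross-account access is possible` so that the bypass is explicit.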
diff --git a/services/appmgr/include/app_running_record.h b/services/appmgr/include/app_running_record.h index 73868bfa525e7a4f0988f3befdf36284532291e1..9506905d3cd4b55bce5b18071e25f21c241e83d3 100644 --- a/services/appmgr/include/app_running_record.h +++ b/services/appmgr/include/app_running_record.h @@ -497,6 +497,8 @@ public: bool IsKilling() const; void SetAppIndex(const int32_t appIndex); int32_t GetAppIndex() const; + void SetSecurityFlag(bool securityFlag); + bool GetSecurityFlag() const; using Closure = std::function; void PostTask(std::string msg, int64_t timeOut, const Closure &task); @@ -586,6 +588,7 @@ private: std::shared_ptr renderRecord_ = nullptr; AppSpawnStartMsg startMsg_; int32_t appIndex_ = 0; + bool securityFlag_ = false; }; } // namespace AppExecFwk } // namespace OHOS diff --git a/services/appmgr/src/app_mgr_service_inner.cpp b/services/appmgr/src/app_mgr_service_inner.cpp index be4e1316e67252bef036f1547a3932d89aca4c74..3a35588f1c2927f62c58e52c448f5cebc53fc21d 100644 --- a/services/appmgr/src/app_mgr_service_inner.cpp +++ b/services/appmgr/src/app_mgr_service_inner.cpp @@ -70,6 +70,7 @@ const std::string SO_PATH = "system/lib64/libmapleappkit.z.so"; const std::string RENDER_PARAM = "invalidparam"; const std::string COLD_START = "coldStart"; const std::string DLP_PARAMS_INDEX = "ohos.dlp.params.index"; +const std::string DLP_PARAMS_SECURITY_FLAG = "ohos.dlp.params.securityFlag"; const int32_t SIGNAL_KILL = 9; constexpr int32_t USER_SCALE = 200000; #define ENUM_TO_STRING(s) #s @@ -805,6 +806,7 @@ std::shared_ptr AppMgrServiceInner::CreateAppRunningRecord(con appRecord->SetDebugApp(true); } appRecord->SetAppIndex(want->GetIntParam(DLP_PARAMS_INDEX, 0)); + appRecord->SetSecurityFlag(want->GetBoolParam(DLP_PARAMS_SECURITY_FLAG, false)); } if (preToken) { 
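Review bot: `CreateAppRunningRecord` copies the record's security flag straight from the launching Want, and nothing in this diff shows that `ohos.dlp.params.securityFlag` is validated or stripped when the Want does not come from the DLP component. `VerifyDlpPermission(Want &want)` is declared in permission_verification.h, but its body is not visible here. If it does not cover this key, the party that builds the Want decides whether the process gets privacy mode, and omitting the key silently yields `false`. I would confirm that the key is sanitized on the ability-manager side and say so in a comment on this line. Separately, the key string is now defined twice (`DLP_PARAMS_SECURITY_FLAG` here and in ability.cpp); a single shared constant would keep the writer and the reader from drifting apart.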
@@ -1058,6 +1060,10 @@ void AppMgrServiceInner::StartAbility(const sptr &token, const sp return; } + if (want) { + want->SetParam(DLP_PARAMS_SECURITY_FLAG, appRecord->GetSecurityFlag()); + } + if (abilityInfo->launchMode == LaunchMode::SINGLETON) { int32_t ownerUserId = -1; if (want) { diff --git a/services/appmgr/src/app_running_record.cpp b/services/appmgr/src/app_running_record.cpp index 80247ce41046e0c405f8853c447702e19b156d0a..7084260f691947585032240eb631cef5bfc1bfac 100644 --- a/services/appmgr/src/app_running_record.cpp +++ b/services/appmgr/src/app_running_record.cpp @@ -1090,6 +1090,16 @@ int32_t AppRunningRecord::GetAppIndex() const return appIndex_; } +void AppRunningRecord::SetSecurityFlag(bool securityFlag) +{ + securityFlag_ = securityFlag; +} + +bool AppRunningRecord::GetSecurityFlag() const +{ + return securityFlag_; +} + void AppRunningRecord::SetKilling() { isKilling_ = true; diff --git a/services/common/BUILD.gn b/services/common/BUILD.gn index 0cc42bb18e103d27ceb51392b82d7fbbd6797544..0b894a0e9e6d01a99c90e7730102eb26fe71cb82 100644 --- a/services/common/BUILD.gn +++ b/services/common/BUILD.gn @@ -25,7 +25,10 @@ group("ams_common_target") { config("common_config") { visibility = [ ":*" ] - include_dirs = [ "include" ] + include_dirs = [ + "include", + "${ability_runtime_innerkits_path}/ability_manager/include", + ] cflags = [] if (target_cpu == "arm") { cflags += [ "-DBINDER_IPC_32BIT" ] diff --git a/services/common/include/permission_verification.h b/services/common/include/permission_verification.h index 4e3c7658dfcafc1d11f690bf0fb4b1ce5e7d05aa..1cae029b6b4f83a14d86600c7cf93df9bacf6512 100644 --- a/services/common/include/permission_verification.h +++ b/services/common/include/permission_verification.h @@ -38,6 +38,10 @@ public: bool VerifyDlpPermission(Want &want); + int VerifyAccountPermission(); + + bool VerifyMissionPermission(); + private: DISALLOW_COPY_AND_MOVE(PermissionVerification); unsigned int GetCallingTokenID(); 
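Review bot: `StartAbility` overwrites the Want's flag with the value stored on the app record, which was fixed when the record was created. An ability launched into an already running process therefore inherits the first launch's value even if its own Want carried `true`. Whether a protected and an unprotected launch can share a record is not visible in this hunk. If they can, the downgrade can be avoided without letting callers clear the flag: `want->SetParam(DLP_PARAMS_SECURITY_FLAG, appRecord->GetSecurityFlag() || want->GetBoolParam(DLP_PARAMS_SECURITY_FLAG, false));`. When `want` is null nothing is stamped, so the ability side falls back to its `false` default; that case deserves a comment. The function body starts and ends outside the hunk.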
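Review bot: The two checks added to `PermissionVerification` use opposite return conventions. `VerifyAccountPermission()` returns an `int` error code where `ERR_OK` (success) is falsy, while `VerifyMissionPermission()` and the neighbouring `VerifyDlpPermission()` return `bool`, so a future `if (VerifyAccountPermission())` would read as "allowed" but be true on denial. I would make both `bool`, or at least document the contract on each declaration, e.g. `// Returns ERR_OK when the caller is a system ability or holds the cross-account permission, CHECK_PERMISSION_FAILED otherwise.` and `// Returns true when the caller is a system ability or holds the mission-management permission.`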
diff --git a/services/common/src/permission_verification.cpp b/services/common/src/permission_verification.cpp index 6ce2af1e4acd07a92d484df2b6cbda32d4c1b24d..ca57162280edb9b0d208aa1623ac36d141f8d35e 100644 --- a/services/common/src/permission_verification.cpp +++ b/services/common/src/permission_verification.cpp @@ -15,6 +15,7 @@ #include "permission_verification.h" +#include "ability_manager_errors.h" #include "accesstoken_kit.h" #include "hilog_wrapper.h" #include "ipc_skeleton.h" @@ -113,6 +114,31 @@ bool PermissionVerification::VerifyDlpPermission(Want &want) return false; } +int PermissionVerification::VerifyAccountPermission() +{ + if (IsSACall()) { + return ERR_OK; + } + if (VerifyCallingPermission(PermissionConstants::PERMISSION_INTERACT_ACROSS_LOCAL_ACCOUNTS)) { + return ERR_OK; + } + HILOG_ERROR("%{public}s: Permission verification failed", __func__); + return CHECK_PERMISSION_FAILED; +} + +bool PermissionVerification::VerifyMissionPermission() +{ + if (IsSACall()) { + return true; + } + if (VerifyCallingPermission(PermissionConstants::PERMISSION_MANAGE_MISSION)) { + HILOG_DEBUG("%{public}s: Permission verification succeeded.", __func__); + return true; + } + HILOG_ERROR("%{public}s: Permission verification failed", __func__); + return false; +} + unsigned int PermissionVerification::GetCallingTokenID() { auto callerToken = IPCSkeleton::GetCallingTokenID();
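Review bot: Neither new helper records who was denied. The `HILOG_ERROR` in `VerifyAccountPermission` and `VerifyMissionPermission` carries only `__func__`, and every call site in ability_manager_service.cpp then logs the same "Permission verification failed" text a second time. For audit and triage I would log the caller once, in the helper, e.g. `HILOG_ERROR("%{public}s: caller token %{public}u denied", __func__, GetCallingTokenID());`, and keep the call-site line only for the API name. Both helpers also return success as soon as `IsSACall()` is true, as the removed code did. A one-line comment that system-ability callers are exempt by design would make that exemption reviewable.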