From 8485244e333dd921ca8c4a76c806334cd7ec8eb3 Mon Sep 17 00:00:00 2001
From: unknown
Date: Thu, 28 Jul 2022 20:46:09 +0800
Subject: [PATCH 1/5] add user
Signed-off-by: unknown
---
services/abilitymgr/include/dlp_utils.h | 56 +++++++++++++++++++
.../src/ability_manager_service.cpp | 19 +++++--
2 files changed, 69 insertions(+), 6 deletions(-)
create mode 100644 services/abilitymgr/include/dlp_utils.h
diff --git a/services/abilitymgr/include/dlp_utils.h b/services/abilitymgr/include/dlp_utils.h
new file mode 100644
index 00000000000..8f23661271e
--- /dev/null
+++ b/services/abilitymgr/include/dlp_utils.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OHOS_ABILITY_RUNTIME_DLP_UTILS_H
+#define OHOS_ABILITY_RUNTIME_DLP_UTILS_H
+
+#include "ability_record.h"
+// #include "dlp_permission_kit.h"
+#include "iremote_object.h"
+#include "want.h"
+
+namespace OHOS {
+namespace AAFwk {
+namespace DlpUtils {
+// using Dlp = Security::DlpPermission;
+static bool DlpAccessOtherAppsCheck(const sptr &callerToken, const Want &want)
+{
+ if (callerToken == nullptr) {
+ return true;
+ }
+ auto abilityRecord = Token::GetAbilityRecordByToken(callerToken);
+ if (abilityRecord == nullptr) {
+ HILOG_ERROR("Ability has already been destroyed.");
+ return false;
+ }
+ if (abilityRecord->GetAppIndex() == 0) {
+ return true;
+ }
+ if (abilityRecord->GetApplicationInfo().bundleName == want.GetElement().GetBundleName()) {
+ return true;
+ }
+ int32_t uid = abilityRecord->GetApplicationInfo().uid;
+ //Dlp::SandBoxExternalAuthorType result = Dlp::GetSandBoxExternalAuthorization(uid, want);
+ //if (result == Dlp::SandBoxExternalAuthorType::ALLOW_START_ABILITY) {
+ // return true;
+ //}
+ HILOG_ERROR("Ability has already been destroyed %{public}d.", uid);
+ return false;
+}
+} // namespace DlpUtils
+} // namespace AAFwk
+} // namespace OHOS
+
+#endif // OHOS_ABILITY_RUNTIME_DLP_UTILS_H
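Review bot: `DlpAccessOtherAppsCheck` returns `true` as soon as `callerToken == nullptr`, so the sandbox restriction rests entirely on a token handed in by the caller; nothing in this header shows that a null token can only originate from a trusted path. Either confirm that upstream and record it next to the early return, e.g. `// null token: caller is not an ability; trusted by the earlier permission checks — TODO confirm`, or treat a null token as a denial for callers whose identity cannot be established. Separately, the function is defined `static` in a header, which gives every including translation unit its own copy; `inline` is the usual form. The header also uses `HILOG_ERROR` without including `hilog_wrapper.h` itself, so it appears to depend on include order.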
diff --git a/services/abilitymgr/src/ability_manager_service.cpp b/services/abilitymgr/src/ability_manager_service.cpp index 060dc39483e..52bf31283cd 100644 --- a/services/abilitymgr/src/ability_manager_service.cpp +++ b/services/abilitymgr/src/ability_manager_service.cpp @@ -37,6 +37,7 @@ #include "hitrace_meter.h" #include "bundle_mgr_client.h" #include "distributed_client.h" +#include "dlp_utils.h" #include "hilog_wrapper.h" #include "if_system_ability_manager.h" #include "in_process_call_wrapper.h" @@ -327,7 +328,8 @@ int AbilityManagerService::StartAbilityInner(const Want &want, const sptrVerifyDlpPermission(const_cast(want)) || - VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED) { + VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED || + !DlpUtils::DlpAccessOtherAppsCheck(callerToken, want)) { HILOG_ERROR("%{public}s: Permission verification failed.", __func__); return CHECK_PERMISSION_FAILED; } @@ -484,7 +486,8 @@ int AbilityManagerService::StartAbility(const Want &want, const AbilityStartSett HiSysEventType::BEHAVIOR, eventInfo); if (!PermissionVerification::GetInstance()->VerifyDlpPermission(const_cast(want)) || - VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED) { + VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED || + !DlpUtils::DlpAccessOtherAppsCheck(callerToken, want)) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); eventInfo.errCode = CHECK_PERMISSION_FAILED; AAFWK::EventReport::SendAbilityEvent(AAFWK::START_ABILITY_ERROR, 
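Review bot: The same three-clause condition (`VerifyDlpPermission`, `VerifyAccountPermission`, `DlpAccessOtherAppsCheck`) is now repeated in StartAbilityInner and, in the following hunks, in both StartAbility overloads, StartExtensionAbility, StopExtensionAbility and ConnectAbility. A single private helper (a name constructed for illustration: `VerifyStartPermissions(want, callerToken, userId)`) would keep the six sites from drifting and make it harder for a future entry point to omit one clause. The shared message `"Permission verification failed"` also does not say which check rejected the request, so a sandbox-isolation denial cannot be told apart from an account-permission failure in logs or in the `CHECK_PERMISSION_FAILED` event. Entry points outside these hunks are not visible here, so coverage of every path that starts or connects to another bundle's ability should be confirmed; the enclosing functions all start and end outside their hunks.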
@@ -635,7 +638,8 @@ int AbilityManagerService::StartAbility(const Want &want, const StartOptions &st HiSysEventType::BEHAVIOR, eventInfo); if (!PermissionVerification::GetInstance()->VerifyDlpPermission(const_cast(want)) || - VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED) { + VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED || + !DlpUtils::DlpAccessOtherAppsCheck(callerToken, want)) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); eventInfo.errCode = CHECK_PERMISSION_FAILED; AAFWK::EventReport::SendAbilityEvent(AAFWK::START_ABILITY_ERROR, @@ -842,7 +846,8 @@ int AbilityManagerService::StartExtensionAbility(const Want &want, const sptrVerifyDlpPermission(const_cast(want)) || - VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED) { + VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED || + !DlpUtils::DlpAccessOtherAppsCheck(callerToken, want)) { HILOG_ERROR("%{public}s: Permission verification failed.", __func__); eventInfo.errCode = CHECK_PERMISSION_FAILED; AAFWK::EventReport::SendExtensionEvent(AAFWK::START_EXTENSION_ERROR, @@ -936,7 +941,8 @@ int AbilityManagerService::StopExtensionAbility(const Want &want, const sptrVerifyDlpPermission(const_cast(want)) || - VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED) { + VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED || + !DlpUtils::DlpAccessOtherAppsCheck(callerToken, want)) { HILOG_ERROR("%{public}s: Permission verification failed.", __func__); eventInfo.errCode = CHECK_PERMISSION_FAILED; AAFWK::EventReport::SendExtensionEvent(AAFWK::STOP_EXTENSION_ERROR, 
@@ -1352,7 +1358,8 @@ int AbilityManagerService::ConnectAbility( eventInfo); if (!PermissionVerification::GetInstance()->VerifyDlpPermission(const_cast(want)) || - VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED) { + VerifyAccountPermission(userId) == CHECK_PERMISSION_FAILED || + !DlpUtils::DlpAccessOtherAppsCheck(callerToken, want)) { HILOG_ERROR("%{public}s: Permission verification failed", __func__); eventInfo.errCode = CHECK_PERMISSION_FAILED; AAFWK::EventReport::SendExtensionEvent(AAFWK::CONNECT_SERVICE_ERROR, -- Gitee From dcf12f84ba442fee558804f2f7949fcd801e6ca1 Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 28 Jul 2022 20:56:33 +0800 Subject: [PATCH 2/5] add user Signed-off-by: unknown --- services/abilitymgr/include/dlp_utils.h | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/services/abilitymgr/include/dlp_utils.h b/services/abilitymgr/include/dlp_utils.h index 8f23661271e..c0624fbf332 100644 --- a/services/abilitymgr/include/dlp_utils.h +++ b/services/abilitymgr/include/dlp_utils.h @@ -16,17 +16,22 @@ #ifndef OHOS_ABILITY_RUNTIME_DLP_UTILS_H #define OHOS_ABILITY_RUNTIME_DLP_UTILS_H +#ifdef WITH_DLP #include "ability_record.h" -// #include "dlp_permission_kit.h" +#include "dlp_permission_kit.h" +#endif // WITH_DLP #include "iremote_object.h" #include "want.h" namespace OHOS { namespace AAFwk { namespace DlpUtils { -// using Dlp = Security::DlpPermission; +#ifdef WITH_DLP +using Dlp = Security::DlpPermission; +#endif // WITH_DLP static bool DlpAccessOtherAppsCheck(const sptr &callerToken, const Want &want) { +#ifdef WITH_DLP if (callerToken == nullptr) { return true; } 
@@ -42,12 +47,13 @@ static bool DlpAccessOtherAppsCheck(const sptr &callerToken, cons return true; } int32_t uid = abilityRecord->GetApplicationInfo().uid; - //Dlp::SandBoxExternalAuthorType result = Dlp::GetSandBoxExternalAuthorization(uid, want); - //if (result == Dlp::SandBoxExternalAuthorType::ALLOW_START_ABILITY) { - // return true; - //} - HILOG_ERROR("Ability has already been destroyed %{public}d.", uid); - return false; + Dlp::SandBoxExternalAuthorType result = Dlp::GetSandBoxExternalAuthorization(uid, want); + if (result != Dlp::SandBoxExternalAuthorType::ALLOW_START_ABILITY) { + HILOG_ERROR("Ability has already been destroyed %{public}d.", uid); + return false; + } +#endif // WITH_DLP + return true; } } // namespace DlpUtils } // namespace AAFwk -- Gitee From bad3c1e22dd2b9d07d977584186375baa5069f14 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 29 Jul 2022 17:31:28 +0800 Subject: [PATCH 3/5] add user Signed-off-by: unknown --- services/abilitymgr/include/dlp_utils.h | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/services/abilitymgr/include/dlp_utils.h b/services/abilitymgr/include/dlp_utils.h index c0624fbf332..85fa16867c5 100644 --- a/services/abilitymgr/include/dlp_utils.h +++ b/services/abilitymgr/include/dlp_utils.h @@ -27,7 +27,7 @@ namespace OHOS { namespace AAFwk { namespace DlpUtils { #ifdef WITH_DLP -using Dlp = Security::DlpPermission; +using Dlp = Security::DlpPermission::DlpPermissionKit; #endif // WITH_DLP static bool DlpAccessOtherAppsCheck(const sptr &callerToken, const Want &want) { 
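Review bot: With the whole body wrapped in `#ifdef WITH_DLP` (opened in the previous hunk), a build without that macro reduces `DlpAccessOtherAppsCheck` to the trailing `return true;`, whereas before this change a caller with a non-zero app index targeting another bundle fell through to `return false`. That makes the check fail-open by build configuration, and nothing at the call sites reveals it. If this is intended, presumably because no sandboxed app instances exist without the DLP part, state it beside the final return, e.g. `// DLP part not built: no sandbox apps to restrict — TODO confirm`. When the macro is off both parameters are also unused, so `[[maybe_unused]]` or unnamed parameters would avoid warnings. The function begins outside this hunk.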
@@ -47,8 +47,13 @@ static bool DlpAccessOtherAppsCheck(const sptr &callerToken, cons return true; } int32_t uid = abilityRecord->GetApplicationInfo().uid; - Dlp::SandBoxExternalAuthorType result = Dlp::GetSandBoxExternalAuthorization(uid, want); - if (result != Dlp::SandBoxExternalAuthorType::ALLOW_START_ABILITY) { + Security::DlpPermission::SandBoxExternalAuthorType authResult; + int result = Dlp::GetSandboxExternalAuthorization(uid, want, authResult); + if (result != ERR_OK) { + HILOG_ERROR("GetSandboxExternalAuthorization failed %{public}d.", result); + return false; + } + if (authResult != Security::DlpPermission::SandBoxExternalAuthorType::ALLOW_START_ABILITY) { HILOG_ERROR("Ability has already been destroyed %{public}d.", uid); return false; } -- Gitee From 57210c462ba50f23b3930280ee59b7606ebd0101 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 29 Jul 2022 17:33:00 +0800 Subject: [PATCH 4/5] add user Signed-off-by: unknown --- services/abilitymgr/BUILD.gn | 5 +++++ services/abilitymgr/include/dlp_utils.h | 1 - 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/services/abilitymgr/BUILD.gn b/services/abilitymgr/BUILD.gn index abbdd894c4e..ff608417171 100644 --- a/services/abilitymgr/BUILD.gn +++ b/services/abilitymgr/BUILD.gn @@ -135,6 +135,11 @@ ohos_shared_library("abilityms") { external_deps += [ "efficiency_manager:suspend_manager_client" ] } + if (os_dlp_part_enabled) { + cflags_cc += [ "-DWITH_DLP" ] + external_deps += [ "dlp_permission_service:libdlp_permission_sdk" ] + } + if (ability_runtime_graphics) { deps += [ "${ace_engine_path}/interfaces/inner_api/ui_service_manager:ui_service_mgr", diff --git a/services/abilitymgr/include/dlp_utils.h b/services/abilitymgr/include/dlp_utils.h index 85fa16867c5..cb40a3bd542 100644 --- a/services/abilitymgr/include/dlp_utils.h +++ b/services/abilitymgr/include/dlp_utils.h 
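Review bot: `authResult` is declared without an initializer and is only meaningful if `GetSandboxExternalAuthorization` writes it on every `ERR_OK` return. Initialising it at the declaration to a non-allow member of `SandBoxExternalAuthorType` keeps the comparison against `ALLOW_START_ABILITY` fail-closed even if the callee reports success without setting the out-parameter. The enum's other members are not visible in this diff, so the exact initializer has to be taken from the DLP permission header. The enclosing function starts and ends outside the hunk.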
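Review bot: `WITH_DLP` is added only to the `abilityms` target, while the code it controls is a function defined in the header `dlp_utils.h`. Any other target that compiles a source including that header (a unit-test target, for instance) would silently get the always-allow variant unless it repeats this block; whether such targets exist is not visible here. GN's `defines += [ "WITH_DLP" ]` is the conventional way to pass a macro and does not depend on `cflags_cc` having been initialised earlier in the target, which this hunk does not show. A config shared by every target that includes the header would keep the behaviour consistent.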
@@ -63,5 +63,4 @@ static bool DlpAccessOtherAppsCheck(const sptr &callerToken, cons } // namespace DlpUtils } // namespace AAFwk } // namespace OHOS - #endif // OHOS_ABILITY_RUNTIME_DLP_UTILS_H -- Gitee From 0a9c401dc5ff40889ed32be042fa06f2c2619dc1 Mon Sep 17 00:00:00 2001 From: unknown Date: Sat, 30 Jul 2022 08:54:44 +0800 Subject: [PATCH 5/5] add user Signed-off-by: unknown --- services/abilitymgr/include/dlp_utils.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/abilitymgr/include/dlp_utils.h b/services/abilitymgr/include/dlp_utils.h index cb40a3bd542..d1b111b3bde 100644 --- a/services/abilitymgr/include/dlp_utils.h +++ b/services/abilitymgr/include/dlp_utils.h @@ -54,7 +54,7 @@ static bool DlpAccessOtherAppsCheck(const sptr &callerToken, cons return false; } if (authResult != Security::DlpPermission::SandBoxExternalAuthorType::ALLOW_START_ABILITY) { - HILOG_ERROR("Ability has already been destroyed %{public}d.", uid); + HILOG_ERROR("Auth failed, not allow start %{public}d.", uid); return false; } #endif // WITH_DLP -- Gitee