From e1f84b9689f8ce7047fab311b5bf5b6c8836a147 Mon Sep 17 00:00:00 2001 From: panqiangbiao Date: Wed, 9 Mar 2022 17:38:20 +0800 Subject: [PATCH 1/3] add permission check Signed-off-by: panqiangbiao --- services/src/server/file_manager_service_stub.cpp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/services/src/server/file_manager_service_stub.cpp b/services/src/server/file_manager_service_stub.cpp index ebb5e27c..d407cb9c 100644 --- a/services/src/server/file_manager_service_stub.cpp +++ b/services/src/server/file_manager_service_stub.cpp @@ -103,6 +103,10 @@ bool CheckClientPermission(const std::string& permissionStr) } DEBUG_LOG("GetClientBundleName: uid is %{public}d ", uid); std::string bundleName = GetClientBundleName(uid); + if (bundleName == "") { + ERR_LOG("get bundleName fail"); + return true; + } if (IsSameTextStr(bundleName, "ohos.acts.distributeddatamgr.distributedfile") || IsSameTextStr(bundleName, "ohos.acts.storage.filemanager") || IsSameTextStr(bundleName, "com.ohos.filepicker") || @@ -126,6 +130,8 @@ int FileManagerServiceStub::OnRemoteRequest(uint32_t code, MessageParcel &data, string permission = "permission"; if (!CheckClientPermission(permission)) { ERR_LOG("checkpermission error FAIL"); + reply.WriteInt32(FAIL); + return FAIL; } if (!MediaFileUtils::InitHelper(AsObject())) { ERR_LOG("Init MediaLibraryDataAbility Helper error"); @@ -138,4 +144,4 @@ int FileManagerServiceStub::OnRemoteRequest(uint32_t code, MessageParcel &data, return errCode; } } // namespace FileManagerService -} // namespace OHOS \ No newline at end of file +} // namespace OHOS -- Gitee From a5211e5a9d03336ebb5a1b00796831f8b5f5f8c0 Mon Sep 17 00:00:00 2001 From: panqiangbiao Date: Fri, 11 Mar 2022 10:45:03 +0800 Subject: [PATCH 2/3] delete unnecessary white pass Signed-off-by: panqiangbiao --- services/src/server/file_manager_service_stub.cpp | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/services/src/server/file_manager_service_stub.cpp b/services/src/server/file_manager_service_stub.cpp index d407cb9c..0f3742dc 100644 --- a/services/src/server/file_manager_service_stub.cpp +++ b/services/src/server/file_manager_service_stub.cpp @@ -107,10 +107,8 @@ bool CheckClientPermission(const std::string& permissionStr) ERR_LOG("get bundleName fail"); return true; } - if (IsSameTextStr(bundleName, "ohos.acts.distributeddatamgr.distributedfile") || - IsSameTextStr(bundleName, "ohos.acts.storage.filemanager") || - IsSameTextStr(bundleName, "com.ohos.filepicker") || - IsSameTextStr(bundleName, "com.example.filemanager")) { + if (IsSameTextStr(bundleName, "ohos.acts.storage.filemanager") || + IsSameTextStr(bundleName, "com.ohos.filepicker")) { DEBUG_LOG("CheckClientPermission: Pass the white list"); return true; } -- Gitee From 7ad0feeae753165273781079cc129970eb09f1ba Mon Sep 17 00:00:00 2001 From: panqiangbiao Date: Mon, 14 Mar 2022 09:50:04 +0800 Subject: [PATCH 3/3] add accessToken check Signed-off-by: panqiangbiao --- .../src/server/file_manager_service_stub.cpp | 65 +++---------------- 1 file changed, 9 insertions(+), 56 deletions(-) diff --git a/services/src/server/file_manager_service_stub.cpp b/services/src/server/file_manager_service_stub.cpp index 0f3742dc..2cfc3d65 100644 --- a/services/src/server/file_manager_service_stub.cpp +++ b/services/src/server/file_manager_service_stub.cpp @@ -15,6 +15,7 @@ #include "file_manager_service_stub.h" +#include "accesstoken_kit.h" #include "file_manager_service_def.h" #include "file_manager_service_errno.h" #include "file_manager_service.h" @@ -26,7 +27,6 @@ #include "sa_mgr_client.h" #include "string_ex.h" #include "system_ability_definition.h" - using namespace std; namespace OHOS { namespace FileManagerService { @@ -55,64 +55,17 @@ int FileManagerServiceStub::OperProcess(uint32_t code, MessageParcel &data, return errCode; } -static bool GetClientUid(int &uid) -{ - uid = IPCSkeleton::GetCallingUid(); - return true; -} - -static sptr GetSysBundleManager() -{ - auto bundleObj = - OHOS::DelayedSingleton::GetInstance()->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID); - if (bundleObj == nullptr) { - ERR_LOG("failed to get bundle manager service"); - return nullptr; - } - sptr bms = iface_cast(bundleObj); - return bms; -} - -static string GetClientBundleName(int uid) -{ - std::string bundleName = ""; - auto bms = GetSysBundleManager(); - if (bms == nullptr) { - ERR_LOG("failed to get bundle manager service bms == nullptr"); - return bundleName; - } - auto result = bms->GetBundleNameForUid(uid, bundleName); - DEBUG_LOG("GetClientBundleName: bundleName is %{public}s ", bundleName.c_str()); - if (!result) { - ERR_LOG("GetBundleNameForUid fail"); - return ""; - } - return bundleName; -} - bool CheckClientPermission(const std::string& permissionStr) { - int uid = 0; - if (!GetClientUid(uid)) { - ERR_LOG("GetClientUid: fail "); + Security::AccessToken::AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID(); + int res = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenCaller, + permissionStr); + if (res != Security::AccessToken::PermissionState::PERMISSION_GRANTED) { + ERR_LOG("Have no media permission"); return false; } - if (uid == 0) { - ERR_LOG("uid as root, white list pass"); - return true; - } - DEBUG_LOG("GetClientBundleName: uid is %{public}d ", uid); - std::string bundleName = GetClientBundleName(uid); - if (bundleName == "") { - ERR_LOG("get bundleName fail"); - return true; - } - if (IsSameTextStr(bundleName, "ohos.acts.storage.filemanager") || - IsSameTextStr(bundleName, "com.ohos.filepicker")) { - DEBUG_LOG("CheckClientPermission: Pass the white list"); - return true; - } - return false; + ERR_LOG("permission check success"); + return true; } int FileManagerServiceStub::OnRemoteRequest(uint32_t code, MessageParcel &data, @@ -125,7 +78,7 @@ int FileManagerServiceStub::OnRemoteRequest(uint32_t code, MessageParcel &data, return FAIL; } // change permission string after finishing accessToken - string permission = "permission"; + string permission = "ohos.permission.READ_MEDIA"; if (!CheckClientPermission(permission)) { ERR_LOG("checkpermission error FAIL"); reply.WriteInt32(FAIL); -- Gitee