diff --git a/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp b/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp index 1e5a556a6d93acbd5d34d196c99a5549c6e8dd90..72af90942d3843a0da2943297833a85bcb9fc107 100644 --- a/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp +++ b/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp @@ -742,6 +742,23 @@ HWTEST_F(PrivacyKitTest, RemovePermissionUsedRecords003, TestSize.Level1) ASSERT_EQ(static_cast(0), result.bundleRecords.size()); } +/** + * @tc.name: RemovePermissionUsedRecords004 + * @tc.desc: RemovePermissionUsedRecords caller is normal app. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(PrivacyKitTest, RemovePermissionUsedRecords004, TestSize.Level1) +{ + AccessTokenIDEx tokenIdEx = {0}; + tokenIdEx = AccessTokenKit::AllocHapToken(g_normalInfoParms, g_policyPramsA); + ASSERT_NE(INVALID_TOKENID, tokenIdEx.tokenIDEx); + EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx)); + ASSERT_EQ(PrivacyError::ERR_NOT_SYSTEM_APP, + PrivacyKit::RemovePermissionUsedRecords(tokenIdEx.tokenIdExStruct.tokenID, "")); + EXPECT_EQ(0, AccessTokenKit::DeleteToken(tokenIdEx.tokenIdExStruct.tokenID)); +} + /** * @tc.name: GetPermissionUsedRecords001 * @tc.desc: cannot GetPermissionUsedRecords with invalid query time and flag. 
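Review bot: In RemovePermissionUsedRecords004 the `ASSERT_EQ` on the ERR_NOT_SYSTEM_APP result sits before `DeleteToken`, so a failing assertion returns early and leaves the allocated HAP token behind, and the self token is never switched back from the normal-app identity. Making that check non-fatal, `EXPECT_EQ(PrivacyError::ERR_NOT_SYSTEM_APP, PrivacyKit::RemovePermissionUsedRecords(tokenIdEx.tokenIdExStruct.tokenID, ""));`, lets the cleanup always run. GetPermissionUsedRecordsAsync004, IsAllowedUsingPermission003, StartUsingPermission014 and SetMutePolicyTest004 allocate a token the same way and never delete it. Unless the fixture's TearDown (not visible here) removes the token and restores the self token, later tests inherit that state. The `@tc.require:` field is also left empty.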
@@ -1023,6 +1040,25 @@ HWTEST_F(PrivacyKitTest, GetPermissionUsedRecordsAsync003, TestSize.Level1) ASSERT_EQ(ERR_PERMISSION_DENIED, PrivacyKit::GetPermissionUsedRecords(request, callback)); } +/** + * @tc.name: GetPermissionUsedRecordsAsync004 + * @tc.desc: cannot GetPermissionUsedRecordsAsync without permission. + * @tc.type: FUNC + * @tc.require: issueI5P4IU + */ +HWTEST_F(PrivacyKitTest, GetPermissionUsedRecordsAsync004, TestSize.Level1) +{ + AccessTokenIDEx tokenIdEx = {0}; + tokenIdEx = AccessTokenKit::AllocHapToken(g_normalInfoParms, g_policyPramsA); + ASSERT_NE(INVALID_TOKENID, tokenIdEx.tokenIDEx); + EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx)); + PermissionUsedRequest request; + std::vector permissionList; + BuildQueryRequest(g_tokenIdA, GetLocalDeviceUdid(), "", permissionList, request); + OHOS::sptr callback(new TestCallBack()); + ASSERT_EQ(PrivacyError::ERR_NOT_SYSTEM_APP, PrivacyKit::GetPermissionUsedRecords(request, callback)); +} + class CbCustomizeTest1 : public PermActiveStatusCustomizedCbk { public: explicit CbCustomizeTest1(const std::vector &permList) 
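Review bot: The description of GetPermissionUsedRecordsAsync004 says `cannot GetPermissionUsedRecordsAsync without permission`, but the test asserts ERR_NOT_SYSTEM_APP for a token built from `g_normalInfoParms`, which is the system-app check rather than the permission check. GetPermissionUsedRecordsAsync003 just above already covers the ERR_PERMISSION_DENIED case. `@tc.desc: GetPermissionUsedRecordsAsync caller is normal app.` would match the wording used by the other tests added in this commit.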
@@ -1394,6 +1430,23 @@ HWTEST_F(PrivacyKitTest, IsAllowedUsingPermission002, TestSize.Level1) std::string permissionName = "ohos.permission.CAMERA"; ASSERT_EQ(false, PrivacyKit::IsAllowedUsingPermission(g_tokenIdE, permissionName)); } + +/** + * @tc.name: IsAllowedUsingPermission003 + * @tc.desc: IsAllowedUsingPermission with no permission. + * @tc.type: FUNC + * @tc.require: issueI5RWX3 issueI5RWX8 + */ +HWTEST_F(PrivacyKitTest, IsAllowedUsingPermission003, TestSize.Level1) +{ + AccessTokenIDEx tokenIdEx = {0}; + tokenIdEx = AccessTokenKit::AllocHapToken(g_systemInfoParms, g_policyPramsA); + ASSERT_NE(INVALID_TOKENID, tokenIdEx.tokenIDEx); + EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx)); + std::string permissionName = "ohos.permission.CAMERA"; + ASSERT_EQ(false, PrivacyKit::IsAllowedUsingPermission(g_tokenIdE, permissionName)); +} + /** * @tc.name: StartUsingPermission001 * @tc.desc: StartUsingPermission with invalid tokenId or permission. @@ -1618,6 +1671,24 @@ HWTEST_F(PrivacyKitTest, StartUsingPermission013, TestSize.Level1) PrivacyKit::StopUsingPermission(g_tokenIdF, permissionName, pid1)); } +/** + * @tc.name: StartUsingPermission014 + * @tc.desc: StartUsingPermission caller is normal app. + * @tc.type: FUNC + * @tc.require: issueI5RWX5 issueI5RWX3 issueI5RWXA + */ +HWTEST_F(PrivacyKitTest, StartUsingPermission014, TestSize.Level1) +{ + AccessTokenIDEx tokenIdEx = {0}; + tokenIdEx = AccessTokenKit::AllocHapToken(g_normalInfoParms, g_policyPramsA); + ASSERT_NE(INVALID_TOKENID, tokenIdEx.tokenIDEx); + EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx)); + std::string permissionName = "ohos.permission.CAMERA"; + auto callbackPtr = std::make_shared(); + ASSERT_EQ(PrivacyError::ERR_NOT_SYSTEM_APP, + PrivacyKit::StartUsingPermission(g_tokenIdE, permissionName, callbackPtr)); +} + /** * @tc.name: StopUsingPermission001 * @tc.desc: StopUsingPermission with invalid tokenId or permission. 
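Review bot: IsAllowedUsingPermission003 cannot show which guard rejected the call, because IsAllowedUsingPermissionInner answers `false` both for a non-system HAP and for a caller without the permission, and its assertion is identical to the one in IsAllowedUsingPermission002 just above. The token is allocated from `g_systemInfoParms`, so the call presumably gets past the new system-app check and is refused by the permission check. That leaves the not-system-app branch added for this interface without a test of its own in this diff. A companion case built from `g_normalInfoParms` would cover it, and a comment such as `// system hap, expected to be refused by the PERMISSION_USED_STATS check` would record the intent here.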
@@ -2463,10 +2534,9 @@ HWTEST_F(PrivacyKitTest, SetMutePolicyTest001, TestSize.Level1) */ HWTEST_F(PrivacyKitTest, SetMutePolicyTest002, TestSize.Level1) { - AccessTokenIDEx tokenIdEx = {0}; - tokenIdEx = AccessTokenKit::AllocHapToken(g_infoParmsD, g_policyPramsD); - ASSERT_NE(INVALID_TOKENID, tokenIdEx.tokenIDEx); - EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx)); // as a system hap without SET_MUTE_POLICY + uint32_t tokenId = AccessTokenKit::GetNativeTokenId("accesstoken_service"); + ASSERT_NE(0, tokenId); + EXPECT_EQ(0, SetSelfTokenID(tokenId)); // as a sa without SET_MUTE_POLICY ASSERT_EQ(PrivacyError::ERR_PERMISSION_DENIED, PrivacyKit::SetMutePolicy(PolicyType::EDM, CallerType::MICROPHONE, true, RANDOM_TOKENID)); } @@ -2487,6 +2557,22 @@ HWTEST_F(PrivacyKitTest, SetMutePolicyTest003, TestSize.Level1) PrivacyKit::SetMutePolicy(PolicyType::EDM, CallerType::MICROPHONE, true, RANDOM_TOKENID)); } +/** + * @tc.name: SetMutePolicyTest004 + * @tc.desc: Test SetMutePolicy with not permission + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(PrivacyKitTest, SetMutePolicyTest004, TestSize.Level1) +{ + AccessTokenIDEx tokenIdEx = {0}; + tokenIdEx = AccessTokenKit::AllocHapToken(g_infoParmsD, g_policyPramsD); + ASSERT_NE(INVALID_TOKENID, tokenIdEx.tokenIDEx); + EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx)); // as a system hap + ASSERT_EQ(PrivacyError::ERR_PERMISSION_DENIED, + PrivacyKit::SetMutePolicy(PolicyType::EDM, CallerType::MICROPHONE, true, RANDOM_TOKENID)); +} + /** * @tc.name: IsAllowedUsingPermission011 * @tc.desc: IsAllowedUsingPermission with valid tokenId. 
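Review bot: SetMutePolicyTest002 now relies on the native token of `accesstoken_service` not holding SET_MUTE_POLICY, which nothing in the test verifies; if that process is ever granted the permission, the call would succeed and change the mute policy instead of returning ERR_PERMISSION_DENIED. A comment above `GetNativeTokenId` stating the assumption would help, for example `// accesstoken_service is a native token expected not to hold SET_MUTE_POLICY`. `ASSERT_NE(0, tokenId)` also compares a signed literal with a `uint32_t`; `ASSERT_NE(INVALID_TOKENID, tokenId);` matches the other tests in this file.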
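Review bot: The description of SetMutePolicyTest004, `Test SetMutePolicy with not permission`, no longer says what is being checked: with the guard this commit adds to SetMutePolicyInner, a HAP caller is turned away by token type before the SET_MUTE_POLICY check is reached. Something like `@tc.desc: SetMutePolicy caller is a hap token.` with the trailing comment changed to `// as a system hap: rejected by token type` would match the behaviour. Both rejections return ERR_PERMISSION_DENIED, so the assertion alone cannot tell them apart.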
@@ -2517,8 +2603,11 @@ HWTEST_F(PrivacyKitTest, SetHapWithFGReminder01, TestSize.Level1) { uint32_t opCode1; uint32_t opCode2; - uint32_t tokenTest = 111; /// 111 is a tokenId uint32_t selfUid = getuid(); + setuid(0); + g_infoParmsA.isSystemApp = true; + AccessTokenIDEx tokenIdEx = AccessTokenKit::AllocHapToken(g_infoParmsA, g_policyPramsA); + uint32_t tokenTest = tokenIdEx.tokenIdExStruct.tokenID; setuid(ACCESS_TOKEN_UID); EXPECT_EQ(true, TransferPermissionToOpcode("ohos.permission.SET_FOREGROUND_HAP_REMINDER", opCode1)); @@ -2527,7 +2616,7 @@ HWTEST_F(PrivacyKitTest, SetHapWithFGReminder01, TestSize.Level1) ASSERT_EQ(res, 0); GTEST_LOG_(INFO) << "permissionSet OK "; - EXPECT_EQ(0, SetSelfTokenID(tokenTest)); + EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx)); std::string permissionName = "ohos.permission.MICROPHONE"; ASSERT_EQ(false, PrivacyKit::IsAllowedUsingPermission(g_tokenIdE, permissionName)); int32_t ret = PrivacyKit::SetHapWithFGReminder(g_tokenIdE, true); @@ -2536,8 +2625,10 @@ HWTEST_F(PrivacyKitTest, SetHapWithFGReminder01, TestSize.Level1) ret = PrivacyKit::SetHapWithFGReminder(g_tokenIdE, false); ASSERT_EQ(ret, 0); - res = RemovePermissionFromKernel(tokenTest); + res = RemovePermissionFromKernel(tokenIdEx.tokenIDEx); ASSERT_EQ(res, 0); + setuid(0); + ASSERT_EQ(0, AccessTokenKit::DeleteToken(tokenTest)); setuid(selfUid); } diff --git a/services/privacymanager/src/service/privacy_manager_stub.cpp b/services/privacymanager/src/service/privacy_manager_stub.cpp index 39e9c3bea951f3b01ef8a613d16c3eb2a0483693..e753f73248a5ae20ce7e378184b2afea97de844d 100644 --- a/services/privacymanager/src/service/privacy_manager_stub.cpp +++ b/services/privacymanager/src/service/privacy_manager_stub.cpp 
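Review bot: `g_infoParmsA.isSystemApp = true;` in SetHapWithFGReminder01 modifies a file-level fixture object and is never reverted, so any later test that allocates from `g_infoParmsA` gets a system-app token depending on execution order. A local copy avoids that: `auto infoParms = g_infoParmsA; infoParms.isSystemApp = true;` and pass `infoParms` to `AllocHapToken`. The result of `AllocHapToken` is also used without the `ASSERT_NE(INVALID_TOKENID, tokenIdEx.tokenIDEx);` check that the other tests apply, and the return value of `setuid(0)` is ignored, so a failed uid switch would go unnoticed. The function body starts above this hunk.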
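Review bot: The cleanup at the end of SetHapWithFGReminder01 runs only when every earlier `ASSERT_EQ` passes; a failure before it returns with the process still at the switched uid and the allocated token never deleted. The return value of the second `setuid(0)` is unchecked as well, so if regaining uid 0 fails, `DeleteToken` runs under ACCESS_TOKEN_UID and its `ASSERT_EQ` then skips `setuid(selfUid)`. `RemovePermissionFromKernel(tokenIdEx.tokenIDEx)` passes the 64-bit extended id where the old code passed a 32-bit token id, while `DeleteToken` two lines later receives `tokenTest`. If the helper takes a 32-bit id, the value is narrowed implicitly, and `RemovePermissionFromKernel(tokenTest);` states the intent directly.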
@@ -150,6 +150,12 @@ void PrivacyManagerStub::StartUsingPermissionInner(MessageParcel& data, MessageP void PrivacyManagerStub::StartUsingPermissionCallbackInner(MessageParcel& data, MessageParcel& reply) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP); + return; + } + if (!VerifyPermission(PERMISSION_USED_STATS)) { reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED); return; @@ -185,6 +191,12 @@ void PrivacyManagerStub::StopUsingPermissionInner(MessageParcel& data, MessagePa void PrivacyManagerStub::RemovePermissionUsedRecordsInner(MessageParcel& data, MessageParcel& reply) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP); + return; + } + if (!IsAccessTokenCalling() && !VerifyPermission(PERMISSION_USED_STATS)) { reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED); return; @@ -224,6 +236,12 @@ void PrivacyManagerStub::GetPermissionUsedRecordsInner(MessageParcel& data, Mess void PrivacyManagerStub::GetPermissionUsedRecordsAsyncInner(MessageParcel& data, MessageParcel& reply) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP); + return; + } + if (!VerifyPermission(PERMISSION_USED_STATS)) { reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED); return; 
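Review bot: The same four-line caller check is pasted into StartUsingPermissionCallbackInner, RemovePermissionUsedRecordsInner and GetPermissionUsedRecordsAsyncInner here, and again into IsAllowedUsingPermissionInner in the next hunk. A private helper that reports whether the caller is a HAP without system-app status would keep the rule in one place, so each handler reads `if (IsNormalHapCalling()) { reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP); return; }` (the helper name is only a suggestion). None of these three rejections is logged, unlike the one in IsAllowedUsingPermissionInner, which makes a refused call hard to trace. The sibling handlers StartUsingPermissionInner, StopUsingPermissionInner and GetPermissionUsedRecordsInner are not touched by this diff. It is worth confirming they already apply the same check, otherwise the rule would be enforced on only some of the entry points.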
@@ -296,6 +314,13 @@ void PrivacyManagerStub::UnRegisterPermActiveStatusCallbackInner(MessageParcel& void PrivacyManagerStub::IsAllowedUsingPermissionInner(MessageParcel& data, MessageParcel& reply) { + uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + ACCESSTOKEN_LOG_ERROR(LABEL, "Permission denied(tokenID=%{public}d)", callingTokenID); + reply.WriteBool(false); + return; + } + if (!VerifyPermission(PERMISSION_USED_STATS)) { reply.WriteBool(false); return; @@ -425,6 +450,12 @@ void PrivacyManagerStub::GetPermissionUsedTypeInfosInner(MessageParcel& data, Me void PrivacyManagerStub::SetMutePolicyInner(MessageParcel& data, MessageParcel& reply) { + AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) != TOKEN_NATIVE) && + (AccessTokenKit::GetTokenTypeFlag(callingTokenID) != TOKEN_SHELL)) { + reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED); + return; + } if (!VerifyPermission(SET_MUTE_POLICY)) { reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED); return;
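Review bot: The new log line in IsAllowedUsingPermissionInner formats `callingTokenID`, a `uint32_t`, with `%{public}d`, so ids with the top bit set are printed as negative numbers; `%{public}u` is the matching specifier. The text `Permission denied` also hides the actual reason, which is that the caller is a HAP without system-app status. A line such as `ACCESSTOKEN_LOG_ERROR(LABEL, "Not system app(tokenID=%{public}u)", callingTokenID);` would separate this rejection from the one made by the permission check that follows.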
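Review bot: SetMutePolicyInner calls `GetTokenTypeFlag(callingTokenID)` twice for the same id and rejects without logging; reading the type once is clearer: `auto type = AccessTokenKit::GetTokenTypeFlag(callingTokenID);` followed by `if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) {`. Both this guard and the SET_MUTE_POLICY check return ERR_PERMISSION_DENIED, so an error log in the first branch is the only way to tell afterwards which one refused a caller. A blank line before `if (!VerifyPermission(SET_MUTE_POLICY))` would match the layout of the other handlers.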