From 1f58988b94f4d98827f86f36ecb65508479314e1 Mon Sep 17 00:00:00 2001
From: j30052480
Date: Thu, 23 Nov 2023 18:07:51 +0800
Subject: [PATCH 1/5] Decouple samgr from access_token
Signed-off-by: j30052480
---
 config.gni | 20 ++++++++++++++++++++
 services/samgr/native/BUILD.gn | 7 ++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 config.gni
diff --git a/config.gni b/config.gni
new file mode 100644
index 00000000..af45c667
--- /dev/null
+++ b/config.gni
@@ -0,0 +1,20 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+declare_args() {
+ samgr_feature_access_token_enable = true
+ if (defined(global_parts_info) &&
+ !defined(global_parts_info.security_access_token)) {
+ samgr_feature_access_token_enable = false
+ }
+}
\ No newline at end of file
diff --git a/services/samgr/native/BUILD.gn b/services/samgr/native/BUILD.gn
index 072bd35b..6cdfa292 100644
--- a/services/samgr/native/BUILD.gn
+++ b/services/samgr/native/BUILD.gn
@@ -14,6 +14,7 @@
 import("//build/ohos.gni")
 import("//build/ohos_var.gni")
 import("../var.gni")
+import("../../../config.gni")
 config("distributed_store_config") {
 visibility = [ ":*" ]
@@ -82,7 +83,6 @@ ohos_executable("samgr") {
 }
 if (is_standard_system) {
 external_deps = [
- "access_token:libaccesstoken_sdk",
 "c_utils:utils",
 "ffrt:libffrt",
 "hilog:libhilog",
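Review bot: `samgr_feature_access_token_enable` is declared inside `declare_args()` in the new config.gni, so it is a build argument that a product configuration or a `gn args` override can set to false even when the access_token part is present, and the later patches in this series use it to compile out samgr's caller checks. If the switch is meant to follow only whether `global_parts_info.security_access_token` exists, compute it as a plain variable outside `declare_args()`, or add an `assert` that rejects `false` while the part is defined. At minimum put a comment above it, e.g. `# Security-relevant: false removes samgr's native-token caller checks.` Patch 5/5 moves the same block into services/samgr/var.gni unchanged, so the point applies there as well.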
@@ -110,6 +110,11 @@ ohos_executable("samgr") {
 defines += [ "RESSCHED_ENABLE" ]
 }
+ if (samgr_feature_access_token_enable) {
+ external_deps += [ "access_token:libaccesstoken_sdk" ]
+ defines += [ "ACCESS_TOKEN_ENABLE" ]
+ }
+
 if (support_device_manager) {
 sources += [ "//foundation/systemabilitymgr/samgr/services/samgr/native/source/collect/device_networking_collect.cpp" ]
 external_deps += [ "device_manager:devicemanagersdk" ]
-- Gitee
From 4042b33bc7eb31e232b8ea6a07b694ff68d19f7a Mon Sep 17 00:00:00 2001
From: j30052480
Date: Thu, 23 Nov 2023 19:46:50 +0800
Subject: [PATCH 2/5] Decouple samgr from access_token
Signed-off-by: j30052480
---
 config.gni | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config.gni b/config.gni
index af45c667..2148a694 100644
--- a/config.gni
+++ b/config.gni
@@ -17,4 +17,4 @@ declare_args() {
 !defined(global_parts_info.security_access_token)) {
 samgr_feature_access_token_enable = false
 }
-}
\ No newline at end of file
+}
-- Gitee
From e10479b004f6f7c4bc1825914ddf513952bc9bfe Mon Sep 17 00:00:00 2001
From: j30052480
Date: Thu, 23 Nov 2023 19:57:11 +0800
Subject: [PATCH 3/5] Decouple samgr from access_token
Signed-off-by: j30052480
---
 services/samgr/native/BUILD.gn | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/samgr/native/BUILD.gn b/services/samgr/native/BUILD.gn
index 6cdfa292..d28a5e66 100644
--- a/services/samgr/native/BUILD.gn
+++ b/services/samgr/native/BUILD.gn
@@ -13,8 +13,8 @@
 import("//build/ohos.gni")
 import("//build/ohos_var.gni")
-import("../var.gni")
 import("../../../config.gni")
+import("../var.gni")
 config("distributed_store_config") {
 visibility = [ ":*" ]
-- Gitee
From a340b28ca2bc8115f5fd7d731c8a2c1fb4489118 Mon Sep 17 00:00:00 2001
From: j30052480
Date: Thu, 23 Nov 2023 20:45:04 +0800
Subject: [PATCH 4/5] Decouple samgr from access_token
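Review bot: `ACCESS_TOKEN_ENABLE` is added to `defines` of `ohos_executable("samgr")` only, so any other target that compiles the same sources (unit-test or fuzz targets, if the repository has them; none are visible here) would build the variant without caller checks unless it repeats this block. Consider moving the define and the `access_token:libaccesstoken_sdk` dependency into a shared `config()` or template that every target compiling these sources applies, so the tested binary and the shipped binary take the same authorization path. The enclosing target starts and ends outside the hunk.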
Signed-off-by: j30052480
---
 .../samgr/native/source/system_ability_manager.cpp | 10 +++++++++-
 .../native/source/system_ability_manager_dumper.cpp | 9 ++++++++-
 .../native/source/system_ability_manager_stub.cpp | 8 +++++++-
 3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/services/samgr/native/source/system_ability_manager.cpp b/services/samgr/native/source/system_ability_manager.cpp
index 57161116..dc8b6a22 100644
--- a/services/samgr/native/source/system_ability_manager.cpp
+++ b/services/samgr/native/source/system_ability_manager.cpp
@@ -20,7 +20,6 @@
 #include
 #include "ability_death_recipient.h"
-#include "accesstoken_kit.h"
 #include "datetime_ex.h"
 #include "directory_ex.h"
 #include "errors.h"
@@ -40,6 +39,9 @@
 #include "system_ability_manager_dumper.h"
 #include "tools.h"
+#ifdef ACCESS_TOKEN_ENABLE
+#include "accesstoken_kit.h"
+#endif
 #ifdef SUPPORT_DEVICE_MANAGER
 #include "device_manager.h"
 using namespace OHOS::DistributedHardware;
@@ -262,6 +264,7 @@ bool SystemAbilityManager::GetSaProfile(int32_t saId, SaProfile& saProfile)
 bool SystemAbilityManager::CheckCallerProcess(SaProfile& saProfile)
 {
+#ifdef ACCESS_TOKEN_ENABLE
 uint32_t accessToken = IPCSkeleton::GetCallingTokenID();
 Security::AccessToken::NativeTokenInfo nativeTokenInfo;
 int32_t tokenInfoResult = Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(accessToken, nativeTokenInfo);
@@ -276,6 +279,9 @@ bool SystemAbilityManager::CheckCallerProcess(SaProfile& saProfile)
 return false;
 }
 return true;
+#else
+ return true;
+#endif
 }
 bool SystemAbilityManager::CheckAllowUpdate(OnDemandPolicyType type, SaProfile& saProfile)
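Review bot: With `ACCESS_TOKEN_ENABLE` undefined, `CheckCallerProcess` returns true for every caller, so the native-token lookup and its rejection path are removed silently instead of being replaced by another caller check. The same fail-open pattern is repeated in this patch in `SendStrategy` (the `ERR_PERMISSION_DENIED` guard is compiled out), `SystemAbilityManagerDumper::CanDump` and `SystemAbilityManagerStub::CanRequest`. If the platform has another caller-identity source in such builds, for example `IPCSkeleton::GetCallingUid()`, the `#else` branches should use it; otherwise make the degraded mode visible, e.g. `HILOGW("access_token not built in, caller check skipped");` before `return true;`, and document on each function that it performs no authorization in that configuration. The middle of `CheckCallerProcess` lies between the two hunks and is not visible here.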
@@ -1956,6 +1962,7 @@ int32_t SystemAbilityManager::SendStrategy(int32_t type, std::vector& s
 int32_t level, std::string& action)
 {
 HILOGD("SendStrategy begin");
+#ifdef ACCESS_TOKEN_ENABLE
 uint32_t accessToken = IPCSkeleton::GetCallingTokenID();
 Security::AccessToken::NativeTokenInfo nativeTokenInfo;
 int32_t result = Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(accessToken, nativeTokenInfo);
@@ -1963,6 +1970,7 @@ int32_t SystemAbilityManager::SendStrategy(int32_t type, std::vector& s
 HILOGW("SendStrategy reject used by %{public}s", nativeTokenInfo.processName.c_str());
 return ERR_PERMISSION_DENIED;
 }
+#endif
 for (auto saId : systemAbilityIds) {
 SaProfile saProfile;
diff --git a/services/samgr/native/source/system_ability_manager_dumper.cpp b/services/samgr/native/source/system_ability_manager_dumper.cpp
index 46fa6939..5c2cf295 100644
--- a/services/samgr/native/source/system_ability_manager_dumper.cpp
+++ b/services/samgr/native/source/system_ability_manager_dumper.cpp
@@ -15,10 +15,13 @@
 #include "system_ability_manager_dumper.h"
-#include "accesstoken_kit.h"
 #include "ipc_skeleton.h"
 #include "system_ability_manager.h"
+#ifdef ACCESS_TOKEN_ENABLE
+#include "accesstoken_kit.h"
+#endif
+
 namespace OHOS {
 namespace {
 const std::string HIDUMPER_PROCESS_NAME = "hidumper_service";
@@ -74,6 +77,7 @@ bool SystemAbilityManagerDumper::Dump(std::shared_ptr #include
-#include "accesstoken_kit.h"
 #include "datetime_ex.h"
 #include "errors.h"
 #include "hitrace_meter.h"
@@ -31,6 +30,9 @@
 #include "system_ability_on_demand_event.h"
 #include "tools.h"
+#ifdef ACCESS_TOKEN_ENABLE
+#include "accesstoken_kit.h"
+#endif
 #ifdef WITH_SELINUX
 #include "service_checker.h"
 #endif
@@ -973,10 +975,14 @@ int32_t SystemAbilityManagerStub::GetOnDemandSystemAbilityIdsInner(MessageParcel
 bool SystemAbilityManagerStub::CanRequest()
 {
+#ifdef ACCESS_TOKEN_ENABLE
 auto accessTokenId = IPCSkeleton::GetCallingTokenID();
 AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(accessTokenId);
 HILOGD("SystemAbilityManagerStub::CanRequest tokenId:%{private}u, tokenType:%{public}d",
 accessTokenId, tokenType);
 return (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE);
+#else
+ return true;
+#endif
 }
 } // namespace OHOS
-- Gitee
From 8edbf716293aff68cd540521c7c83f57aa639c75 Mon Sep 17 00:00:00 2001
From: j30052480
Date: Fri, 24 Nov 2023 10:27:22 +0800
Subject: [PATCH 5/5] Decouple samgr from access_token
Signed-off-by: j30052480
---
 config.gni | 20 -------------------
 services/samgr/native/BUILD.gn | 1 -
 .../native/source/system_ability_manager.cpp | 6 ++----
 .../source/system_ability_manager_dumper.cpp | 2 +-
 .../source/system_ability_manager_stub.cpp | 4 +++-
 services/samgr/var.gni | 5 +++++
 6 files changed, 11 insertions(+), 27 deletions(-)
 delete mode 100644 config.gni
diff --git a/config.gni b/config.gni
deleted file mode 100644
index 2148a694..00000000
--- a/config.gni
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright (c) 2023 Huawei Device Co., Ltd.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-declare_args() {
- samgr_feature_access_token_enable = true
- if (defined(global_parts_info) &&
- !defined(global_parts_info.security_access_token)) {
- samgr_feature_access_token_enable = false
- }
-}
diff --git a/services/samgr/native/BUILD.gn b/services/samgr/native/BUILD.gn
index d28a5e66..7352e870 100644
--- a/services/samgr/native/BUILD.gn
+++ b/services/samgr/native/BUILD.gn
@@ -13,7 +13,6 @@
 import("//build/ohos.gni")
 import("//build/ohos_var.gni")
-import("../../../config.gni")
 import("../var.gni")
 config("distributed_store_config") {
diff --git a/services/samgr/native/source/system_ability_manager.cpp b/services/samgr/native/source/system_ability_manager.cpp
index dc8b6a22..01aef647 100644
--- a/services/samgr/native/source/system_ability_manager.cpp
+++ b/services/samgr/native/source/system_ability_manager.cpp
@@ -278,10 +278,8 @@ bool SystemAbilityManager::CheckCallerProcess(SaProfile& saProfile)
 saProfile.saId, nativeTokenInfo.processName.c_str());
 return false;
 }
+#endif // if not support access_token, not check access_token
 return true;
-#else
- return true;
-#endif
 }
 bool SystemAbilityManager::CheckAllowUpdate(OnDemandPolicyType type, SaProfile& saProfile)
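Review bot: The trailing comment on the new `#endif` in `CheckCallerProcess` is prose about behaviour rather than the name of the macro it closes, and it does not say that the `return true;` below it is now shared by both configurations. I would write `#endif // ACCESS_TOKEN_ENABLE` and put the explanation on its own line above the return, e.g. `// Reached after a passed token check, or unconditionally when access_token is not built in.` The `#endif` changed in `SendStrategy` in the next hunk carries the same comment and would read better the same way. The function body starts outside the hunk.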
@@ -1970,7 +1968,7 @@ int32_t SystemAbilityManager::SendStrategy(int32_t type, std::vector& s
 HILOGW("SendStrategy reject used by %{public}s", nativeTokenInfo.processName.c_str());
 return ERR_PERMISSION_DENIED;
 }
-#endif
+#endif // if not support access_token, not check access_token
 for (auto saId : systemAbilityIds) {
 SaProfile saProfile;
diff --git a/services/samgr/native/source/system_ability_manager_dumper.cpp b/services/samgr/native/source/system_ability_manager_dumper.cpp
index 5c2cf295..6da44ee6 100644
--- a/services/samgr/native/source/system_ability_manager_dumper.cpp
+++ b/services/samgr/native/source/system_ability_manager_dumper.cpp
@@ -86,7 +86,7 @@ bool SystemAbilityManagerDumper::CanDump()
 }
 return false;
 #else
- return true;
+ return true; // if not support access_token, not check access_token
 #endif
 }
diff --git a/services/samgr/native/source/system_ability_manager_stub.cpp b/services/samgr/native/source/system_ability_manager_stub.cpp
index 5e933321..d7ee0d19 100644
--- a/services/samgr/native/source/system_ability_manager_stub.cpp
+++ b/services/samgr/native/source/system_ability_manager_stub.cpp
@@ -101,7 +101,9 @@ namespace {
 }
 }
+#ifdef ACCESS_TOKEN_ENABLE
 using namespace OHOS::Security;
+#endif
 namespace OHOS {
 SystemAbilityManagerStub::SystemAbilityManagerStub() {
@@ -982,7 +984,7 @@ bool SystemAbilityManagerStub::CanRequest()
 accessTokenId, tokenType);
 return (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE);
 #else
- return true;
+ return true; // if not support access_token, not check access_token
 #endif
 }
 } // namespace OHOS
diff --git a/services/samgr/var.gni b/services/samgr/var.gni
index 9a976c9d..2700b4d9 100644
--- a/services/samgr/var.gni
+++ b/services/samgr/var.gni
@@ -15,6 +15,7 @@ declare_args() {
 hicollie_able = true
 preferences_enable = true
 ressched_able = true
+ samgr_feature_access_token_enable = true
 support_device_manager = false
 support_common_event = false
 if (!defined(global_parts_info) ||
@@ -29,6 +30,10 @@ declare_args() {
 !defined(global_parts_info.resourceschedule_resource_schedule_service)) {
 ressched_able = false
 }
+ if (defined(global_parts_info) &&
+ !defined(global_parts_info.security_access_token)) {
+ samgr_feature_access_token_enable = false
+ }
 if (defined(global_parts_info) &&
 defined(global_parts_info.distributedhardware_device_manager)) {
 support_device_manager = true
-- Gitee