diff --git a/etc/init/timeservice.cfg b/etc/init/timeservice.cfg
index 738aea117649710d4680c241149edddb583523fe..332d1dd000008fc13264bc69a54f2721fea36ed2 100644
--- a/etc/init/timeservice.cfg
+++ b/etc/init/timeservice.cfg
@@ -2,8 +2,8 @@
 "services" : [{
 "name" : "time_service",
 "path" : ["/system/bin/sa_main", "/system/profile/time_service.xml"],
- "uid" : "time",
- "gid" : ["time", "shell"],
+ "uid" : "system",
+ "gid" : ["system", "shell"],
 "caps" : ["SYS_TIME", "WAKE_ALARM"],
 "secon" : "u:r:time_service:s0"
 }
diff --git a/services/time_manager/src/time_service.cpp b/services/time_manager/src/time_service.cpp
index 44e80c49272447f5d7e1cb2158fa59aac461725e..1a70a9c1fa77ae7f609f8dd973048267b28a1b34 100644
--- a/services/time_manager/src/time_service.cpp
+++ b/services/time_manager/src/time_service.cpp
@@ -306,10 +306,9 @@ bool TimeService::DestroyTimer(uint64_t timerId)
 int32_t TimeService::SetTime(const int64_t time)
 {
- std::int32_t uid = IPCSkeleton::GetCallingUid();
- auto hasPerm = DelayedSingleton::GetInstance()->CheckCallingPermission(uid, setTimePermName_);
+ auto hasPerm = DelayedSingleton::GetInstance()->CheckCallingPermission(setTimePermName_);
 if (!hasPerm) {
- TIME_HILOGE(TIME_MODULE_SERVICE, "Permission check failed, uid : %{public}d", uid);
+ TIME_HILOGE(TIME_MODULE_SERVICE, "Permission check setTime failed");
 return E_TIME_NO_PERMISSION;
 }
 TIME_HILOGI(TIME_MODULE_SERVICE, "Setting time of day to milliseconds: %{public}" PRId64 "", time);
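Review bot: `time_service` should keep a dedicated account; with `"uid" : "system"` and `"gid" : ["system", "shell"]` in etc/init/timeservice.cfg, a daemon that holds `SYS_TIME` and `WAKE_ALARM` shares its identity with every other system-uid process, so a fault in it is no longer contained by uid-based file and IPC checks. Nothing visible in this commit explains why the `time` account stopped being sufficient. If a dependency really requires the system identity, say so in the commit description; otherwise keep `"uid" : "time"` and `"gid" : ["time", "shell"]`. The retained `shell` group deserves the same justification.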
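Review bot: `SetTime` here, and `SetTimeZone` in the next hunk, still reach `CheckCallingPermission` through `DelayedSingleton::GetInstance()->` (the template argument is not legible on this page), although this commit makes the method static and drops `DECLARE_DELAYED_SINGLETON` from `TimePermission`; the singleton lookup now only creates an object nobody uses. Call the static directly: `auto hasPerm = TimePermission::CheckCallingPermission(setTimePermName_);`. The header also introduces `Permission::SET_TIME` and `Permission::SET_TIME_ZONE`, while `setTimePermName_` and `setTimezonePermName_` are defined outside these hunks, so confirm both carry the same strings or keep a single source for the permission names. The bodies of both functions continue outside the hunks.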
@@ -438,10 +437,9 @@ int TimeService::get_wall_clock_rtc_id()
 int32_t TimeService::SetTimeZone(const std::string timeZoneId)
 {
- std::int32_t uid = IPCSkeleton::GetCallingUid();
- auto hasPerm = DelayedSingleton::GetInstance()->CheckCallingPermission(uid, setTimezonePermName_);
+ auto hasPerm = DelayedSingleton::GetInstance()->CheckCallingPermission(setTimezonePermName_);
 if (!hasPerm) {
- TIME_HILOGE(TIME_MODULE_SERVICE, "Permission check failed, uid : %{public}d", uid);
+ TIME_HILOGE(TIME_MODULE_SERVICE, "Permission check setTimezone failed");
 return E_TIME_NO_PERMISSION;
 }
diff --git a/utils/native/include/time_permission.h b/utils/native/include/time_permission.h
index 5d15d5a4425942a997e9faf3fa8a1e411804a7d5..40d10ae019cc44b178237dc5950e6f14a3ce9875 100644
--- a/utils/native/include/time_permission.h
+++ b/utils/native/include/time_permission.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021 Huawei Device Co., Ltd.
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
@@ -28,16 +28,15 @@
 namespace OHOS {
 namespace MiscServices {
-class TimePermission : public std::enable_shared_from_this {
- DECLARE_DELAYED_SINGLETON(TimePermission)
-public:
- bool CheckSelfPermission(const std::string permName);
- bool CheckCallingPermission(const int32_t uid, const std::string permName);
+ namespace Permission {
+ static const std::string SET_TIME = "ohos.permission.SET_TIME";
+ static const std::string SET_TIME_ZONE = "ohos.permission.SET_TIME_ZONE";
+ }
-private:
- sptr GetBundleManager();
- bool IsSystemUid(const int32_t &uid) const;
- static sptr bundleMgrProxy_;
+class TimePermission {
+public:
+ static bool GetBundleNameByUid(int32_t uid, std::string &bundleName);
+ static bool CheckCallingPermission(const std::string &permissionName);
 };
 } // namespace MiscServices
 } // namespace OHOS
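Review bot: `static const std::string SET_TIME` and `SET_TIME_ZONE` at namespace scope in time_permission.h give every translation unit that includes the header its own copy, constructed at start-up, and code that runs during static initialisation in another unit may see it before it is constructed. A literal constant avoids this and still converts at the `const std::string &` parameter: `constexpr const char *SET_TIME = "ohos.permission.SET_TIME";`, likewise for `SET_TIME_ZONE`. The new static methods are undocumented; `CheckCallingPermission` should get a one-line comment stating that it returns false for an empty permission name, for a token type other than native or HAP, and for any verification result other than granted, since callers rely on that deny-by-default contract.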
diff --git a/utils/native/src/time_permission.cpp b/utils/native/src/time_permission.cpp
index c70ecbf12e507a2ad22745f566dd20eacdd6c211..15d9ec07f46e5a8d63c237a13e94961807fce54c 100644
--- a/utils/native/src/time_permission.cpp
+++ b/utils/native/src/time_permission.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021 Huawei Device Co., Ltd.
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
@@ -19,69 +19,48 @@
 namespace OHOS {
 namespace MiscServices {
-namespace {
-constexpr int32_t SYSTEM_UID = 1000;
-constexpr int32_t ROOT_UID = 0;
-constexpr int32_t MIN_SYSTEM_UID = 2100;
-constexpr int32_t MAX_SYSTEM_UID = 2899;
-}
-sptr TimePermission::bundleMgrProxy_;
-
-TimePermission::TimePermission() {};
-TimePermission::~TimePermission() {};
-
-bool TimePermission::CheckSelfPermission(std::string permName)
-{
- return true;
-}
-
-bool TimePermission::CheckCallingPermission(int32_t uid, std::string permName)
+bool TimePermission::GetBundleNameByUid(int32_t uid, std::string &bundleName)
 {
- if ((uid == SYSTEM_UID) || (uid == ROOT_UID)) {
- TIME_HILOGD(TIME_MODULE_COMMON, "root uid return true");
- return true;
- }
- if (IsSystemUid(uid)) {
- TIME_HILOGD(TIME_MODULE_COMMON, "system uid 2100 ~ 2899");
- return true;
- }
- auto callingToken = IPCSkeleton::GetCallingTokenID();
+ sptr systemAbilityManager =
+ SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
+ sptr remoteObject =
+ systemAbilityManager->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
- auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callingToken);
- if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
- TIME_HILOGD(TIME_MODULE_COMMON, "native taskId.");
- return true;
- }
- auto result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callingToken, permName);
- if (result == Security::AccessToken::TypePermissionState::PERMISSION_DENIED) {
+ sptr iBundleMgr = iface_cast(remoteObject);
+ if (iBundleMgr == nullptr) {
+ TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed, cannot get IBundleMgr.");
 return false;
 }
- return true;
+ return iBundleMgr->GetBundleNameForUid(uid, bundleName);
 }
-sptr TimePermission::GetBundleManager()
+bool TimePermission::CheckCallingPermission(const std::string &permissionName)
 {
- if (bundleMgrProxy_ == nullptr) {
- sptr systemManager =
SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
- if (systemManager != nullptr) {
- bundleMgrProxy_ =
- iface_cast(systemManager->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID));
- } else {
- TIME_HILOGE(TIME_MODULE_COMMON, "fail to get SAMGR");
- }
+ if (permissionName.empty()) {
+ TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed,permission name is empty.");
+ return false;
 }
- return bundleMgrProxy_;
-}
-bool TimePermission::IsSystemUid(const int32_t &uid) const
-{
- TIME_HILOGE(TIME_MODULE_COMMON, "enter");
+ auto callerToken = IPCSkeleton::GetCallingTokenID();
+ auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
+ int result = Security::AccessToken::PERMISSION_DENIED;
- if (uid >= MIN_SYSTEM_UID && uid <= MAX_SYSTEM_UID) {
- return true;
+ if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
+ result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
+ } else if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) {
+ result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName);
+ } else {
+ TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed, callerToken:%{public}u, tokenType:%{public}d",
+ callerToken, tokenType);
 }
- return false;
+ if (result != Security::AccessToken::PERMISSION_GRANTED) {
+ TIME_HILOGE(TIME_MODULE_COMMON,
+ "permission check failed, permission:%{public}s, callerToken:%{public}u, tokenType:%{public}d",
+ permissionName.c_str(), callerToken, tokenType);
+ return false;
+ }
+ return true;
 }
 } // namespace MiscServices
-} // namespace OHOS
+} // namespace OHOS
\ No newline at end of file
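Review bot: `GetBundleNameByUid` calls `systemAbilityManager->GetSystemAbility(...)` without checking the pointer returned by `GetSystemAbilityManager()`, whereas the removed `GetBundleManager` guarded the same call with `systemManager != nullptr` and logged "fail to get SAMGR"; a failed lookup that used to be handled would now be a null dereference inside the service. Add `if (systemAbilityManager == nullptr) { TIME_HILOGE(TIME_MODULE_COMMON, "fail to get SAMGR"); return false; }` before the `GetSystemAbility` call. In `CheckCallingPermission` the `TOKEN_NATIVE` and `TOKEN_HAP` branches are identical and can share one condition. An unrecognised token type is logged twice, because the `result != Security::AccessToken::PERMISSION_GRANTED` block fires as well; returning false from the `else` branch keeps one log line per denial.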