From fc507dd8cdeeb185fb6cefd0b49864498c047baf Mon Sep 17 00:00:00 2001 From: zhangjunxi Date: Sat, 28 May 2022 14:34:15 +0800 Subject: [PATCH 1/8] Signed-off-by: zhangjunxi Changes to be committed: modified: services/time_manager/src/time_service.cpp modified: utils/native/include/time_permission.h modified: utils/native/src/time_permission.cpp --- services/time_manager/src/time_service.cpp | 6 +- utils/native/include/time_permission.h | 19 +++-- utils/native/src/time_permission.cpp | 91 ++++++++-------------- 3 files changed, 45 insertions(+), 71 deletions(-) diff --git a/services/time_manager/src/time_service.cpp b/services/time_manager/src/time_service.cpp index 44e80c49..416e59b2 100644 --- a/services/time_manager/src/time_service.cpp +++ b/services/time_manager/src/time_service.cpp @@ -306,8 +306,7 @@ bool TimeService::DestroyTimer(uint64_t timerId) int32_t TimeService::SetTime(const int64_t time) { - std::int32_t uid = IPCSkeleton::GetCallingUid(); - auto hasPerm = DelayedSingleton::GetInstance()->CheckCallingPermission(uid, setTimePermName_); + auto hasPerm = DelayedSingleton::GetInstance()->CheckCallingPermission(setTimePermName_); if (!hasPerm) { TIME_HILOGE(TIME_MODULE_SERVICE, "Permission check failed, uid : %{public}d", uid); return E_TIME_NO_PERMISSION; @@ -438,8 +437,7 @@ int TimeService::get_wall_clock_rtc_id() int32_t TimeService::SetTimeZone(const std::string timeZoneId) { - std::int32_t uid = IPCSkeleton::GetCallingUid(); - auto hasPerm = DelayedSingleton::GetInstance()->CheckCallingPermission(uid, setTimezonePermName_); + auto hasPerm = DelayedSingleton::GetInstance()->CheckCallingPermission(setTimezonePermName_); if (!hasPerm) { TIME_HILOGE(TIME_MODULE_SERVICE, "Permission check failed, uid : %{public}d", uid); return E_TIME_NO_PERMISSION; diff --git a/utils/native/include/time_permission.h b/utils/native/include/time_permission.h index 5d15d5a4..c87def15 100644 --- a/utils/native/include/time_permission.h 
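Review bot: Both hunks delete the `uid` local but still pass `uid` to the failure log (`"Permission check failed, uid : %{public}d", uid`), in `SetTime` and again in `SetTimeZone`, so unless another `uid` is in scope this commit does not build on its own. The log lines are only reworded in PATCH 5/8; folding that rewording into this commit would keep every step of the series buildable. Separately, the header hunk in this commit makes `CheckCallingPermission` a static member and drops `DECLARE_DELAYED_SINGLETON`, so the call no longer needs an instance: `TimePermission::CheckCallingPermission(setTimePermName_)` does the same without going through `DelayedSingleton`. Both function bodies continue outside the hunks.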
+++ b/utils/native/include/time_permission.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2021 Huawei Device Co., Ltd. + * Copyright (c) 2022 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -28,16 +28,15 @@ namespace OHOS { namespace MiscServices { -class TimePermission : public std::enable_shared_from_this { - DECLARE_DELAYED_SINGLETON(TimePermission) -public: - bool CheckSelfPermission(const std::string permName); - bool CheckCallingPermission(const int32_t uid, const std::string permName); +namespace Permission { + static const std::string SET_TIME = "ohos.permission.SET_TIME"; + static const std::string SET_TIME_ZONE = "ohos.permission.SET_TIME_ZONE"; + }//namespace Permission -private: - sptr GetBundleManager(); - bool IsSystemUid(const int32_t &uid) const; - static sptr bundleMgrProxy_; +class TimePermission { +public: + static bool GetBundleNameByUid(int32_t uid, std::string &bundleName); + static bool CheckCallingPermission(const std::string &permissionName); }; } // namespace MiscServices } // namespace OHOS diff --git a/utils/native/src/time_permission.cpp b/utils/native/src/time_permission.cpp index c70ecbf1..57c2277f 100644 --- a/utils/native/src/time_permission.cpp +++ b/utils/native/src/time_permission.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2021 Huawei Device Co., Ltd. + * Copyright (c) 2022 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at 
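Review bot: The new `Permission::SET_TIME` and `Permission::SET_TIME_ZONE` constants are declared `static const std::string` in a header, which gives every translation unit that includes it its own dynamically initialised copy, and the call sites in this commit still pass `setTimePermName_` and `setTimezonePermName_` rather than these names. Either use them at the call sites so the permission strings have one source, or leave them out until they are needed. `CheckCallingPermission` is now the only gate in front of `SetTime` and `SetTimeZone`, so its deny-by-default contract deserves a comment on the declaration, for example `// Returns true only when the IPC caller's token is granted permissionName; an empty name or a token type other than native or HAP is denied.` `GetBundleNameByUid` is also made public here although no caller appears in this series.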
@@ -19,69 +19,46 @@ namespace OHOS { namespace MiscServices { -namespace { -constexpr int32_t SYSTEM_UID = 1000; -constexpr int32_t ROOT_UID = 0; -constexpr int32_t MIN_SYSTEM_UID = 2100; -constexpr int32_t MAX_SYSTEM_UID = 2899; -} -sptr TimePermission::bundleMgrProxy_; + bool TimePermission::GetBundleNameByUid(int32_t uid, std::string &bundleName) + { + sptr systemAbilityManager = + SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); + sptr remoteObject = + systemAbilityManager->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID); -TimePermission::TimePermission() {}; -TimePermission::~TimePermission() {}; - -bool TimePermission::CheckSelfPermission(std::string permName) -{ - return true; -} - -bool TimePermission::CheckCallingPermission(int32_t uid, std::string permName) -{ - if ((uid == SYSTEM_UID) || (uid == ROOT_UID)) { - TIME_HILOGD(TIME_MODULE_COMMON, "root uid return true"); - return true; + sptr iBundleMgr = iface_cast(remoteObject); + if (iBundleMgr == nullptr) { + TIME_HILOGE(TIME_MODULE_COMMON, " permission check failed, cannot get IBundleMgr."); + return false; + } + return iBundleMgr->GetBundleNameForUid(uid, bundleName); } - if (IsSystemUid(uid)) { - TIME_HILOGD(TIME_MODULE_COMMON, "system uid 2100 ~ 2899"); - return true; - } - auto callingToken = IPCSkeleton::GetCallingTokenID(); - auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callingToken); - if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) { - TIME_HILOGD(TIME_MODULE_COMMON, "native taskId."); - return true; - } - auto result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callingToken, permName); - if (result == Security::AccessToken::TypePermissionState::PERMISSION_DENIED) { - return false; - } - return true; -} + bool TimePermission::CheckCallingPermission(const std::string &permissionName) { + if (permissionName.empty()) { + TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed,permission name is empty."); + 
return false; + } -sptr TimePermission::GetBundleManager() -{ - if (bundleMgrProxy_ == nullptr) { - sptr systemManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); - if (systemManager != nullptr) { - bundleMgrProxy_ = - iface_cast(systemManager->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID)); + auto callerToken = IPCSkeleton::GetCallingTokenID(); + auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken); + int result = Security::AccessToken::PERMISSION_DENIED; + + if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) { + result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName); + } else if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) { + result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName); } else { - TIME_HILOGE(TIME_MODULE_COMMON, "fail to get SAMGR"); + TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed, callerToken:%{public}u, tokenType:%{public}d", + callerToken, tokenType); } - } - return bundleMgrProxy_; -} -bool TimePermission::IsSystemUid(const int32_t &uid) const -{ - TIME_HILOGE(TIME_MODULE_COMMON, "enter"); - - if (uid >= MIN_SYSTEM_UID && uid <= MAX_SYSTEM_UID) { + if (result != Security::AccessToken::PERMISSION_GRANTED) { + TIME_HILOGE(TIME_MODULE_COMMON,"permission check failed, permission:%{public}s, callerToken:%{public}u, " + "tokenType:%{public}d",permissionName.c_str(), callerToken, tokenType); + return false; + } return true; } - - return false; -} } // namespace MiscServices -} // namespace OHOS +} // namespace OHOS \ No newline at end of file -- Gitee From e03e192f3d13ebafdbcad8a64d3d812cf2fc526b Mon Sep 17 00:00:00 2001 From: zhangjunxi Date: Sat, 28 May 2022 15:01:41 +0800 Subject: [PATCH 2/8] 
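Review bot: `GetBundleNameByUid` dereferences `systemAbilityManager` without a null check, whereas the `GetBundleManager` helper this hunk removes tested `systemManager != nullptr` and logged "fail to get SAMGR" first; if the manager cannot be obtained, the service would fault instead of returning false. A guard before the `GetSystemAbility` call, `if (systemAbilityManager == nullptr) { return false; }`, restores the old behaviour. In `CheckCallingPermission` the `TOKEN_NATIVE` and `TOKEN_HAP` branches are identical, so a single condition would make it plain that both are verified the same way. The `else` branch also logs a failure that the `result != PERMISSION_GRANTED` block then logs a second time. The re-indented copy of these functions in PATCH 2/8 carries the same points.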
Signed-off-by: zhangjunxi Changes to be committed: modified: utils/native/src/time_permission.cpp --- utils/native/src/time_permission.cpp | 66 ++++++++++++++-------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/utils/native/src/time_permission.cpp b/utils/native/src/time_permission.cpp index 57c2277f..28923e99 100644 --- a/utils/native/src/time_permission.cpp +++ b/utils/native/src/time_permission.cpp 
@@ -19,46 +19,46 @@ namespace OHOS { namespace MiscServices { - bool TimePermission::GetBundleNameByUid(int32_t uid, std::string &bundleName) - { - sptr systemAbilityManager = - SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); - sptr remoteObject = - systemAbilityManager->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID); +bool TimePermission::GetBundleNameByUid(int32_t uid, std::string &bundleName) +{ + sptr systemAbilityManager = + SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); + sptr remoteObject = + systemAbilityManager->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID); - sptr iBundleMgr = iface_cast(remoteObject); - if (iBundleMgr == nullptr) { - TIME_HILOGE(TIME_MODULE_COMMON, " permission check failed, cannot get IBundleMgr."); - return false; - } - return iBundleMgr->GetBundleNameForUid(uid, bundleName); + sptr iBundleMgr = iface_cast(remoteObject); + if (iBundleMgr == nullptr) { + TIME_HILOGE(TIME_MODULE_COMMON, " permission check failed, cannot get IBundleMgr."); + return false; } + return iBundleMgr->GetBundleNameForUid(uid, bundleName); +} - bool TimePermission::CheckCallingPermission(const std::string &permissionName) { - if (permissionName.empty()) { - TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed,permission name is empty."); - return false; - } +bool TimePermission::CheckCallingPermission(const std::string &permissionName) { + if (permissionName.empty()) { + TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed,permission name is empty."); + return false; + } - auto callerToken = IPCSkeleton::GetCallingTokenID(); - auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken); - int result = Security::AccessToken::PERMISSION_DENIED; + auto callerToken = IPCSkeleton::GetCallingTokenID(); + auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken); + int result = Security::AccessToken::PERMISSION_DENIED; - if (tokenType == 
Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) { - result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName); - } else if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) { - result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName); - } else { - TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed, callerToken:%{public}u, tokenType:%{public}d", + if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) { + result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName); + } else if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) { + result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName); + } else { + TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed, callerToken:%{public}u, tokenType:%{public}d", callerToken, tokenType); - } + } - if (result != Security::AccessToken::PERMISSION_GRANTED) { - TIME_HILOGE(TIME_MODULE_COMMON,"permission check failed, permission:%{public}s, callerToken:%{public}u, " - "tokenType:%{public}d",permissionName.c_str(), callerToken, tokenType); - return false; - } - return true; + if (result != Security::AccessToken::PERMISSION_GRANTED) { + TIME_HILOGE(TIME_MODULE_COMMON,"permission check failed, permission:%{public}s, callerToken:%{public}u,tokenType:%{public}d", + permissionName.c_str(), callerToken, tokenType); + return false; } + return true; +} } // namespace MiscServices } // namespace OHOS \ No newline at end of file -- Gitee From 99a12aa224cd095cfbecfc3d8b7fa17fe112f968 Mon Sep 17 00:00:00 2001 From: zhangjunxi Date: Sat, 28 May 2022 15:30:23 +0800 Subject: [PATCH 3/8] 
Signed-off-by: zhangjunxi Changes to be committed: modified: etc/init/timeservice.cfg modified: utils/native/include/time_permission.h modified: utils/native/src/time_permission.cpp --- etc/init/timeservice.cfg | 2 +- utils/native/include/time_permission.h | 2 +- utils/native/src/time_permission.cpp | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/init/timeservice.cfg b/etc/init/timeservice.cfg index 738aea11..ae54e496 100644 --- a/etc/init/timeservice.cfg +++ b/etc/init/timeservice.cfg @@ -3,7 +3,7 @@ "name" : "time_service", "path" : ["/system/bin/sa_main", "/system/profile/time_service.xml"], "uid" : "time", - "gid" : ["time", "shell"], + "gid" : ["system", "shell","time"], "caps" : ["SYS_TIME", "WAKE_ALARM"], "secon" : "u:r:time_service:s0" } diff --git a/utils/native/include/time_permission.h b/utils/native/include/time_permission.h index c87def15..1afd5878 100644 --- a/utils/native/include/time_permission.h +++ b/utils/native/include/time_permission.h @@ -31,7 +31,7 @@ namespace MiscServices { namespace Permission { static const std::string SET_TIME = "ohos.permission.SET_TIME"; static const std::string SET_TIME_ZONE = "ohos.permission.SET_TIME_ZONE"; - }//namespace Permission + } class TimePermission { public: diff --git a/utils/native/src/time_permission.cpp b/utils/native/src/time_permission.cpp index 28923e99..28dfb8e9 100644 --- a/utils/native/src/time_permission.cpp +++ b/utils/native/src/time_permission.cpp @@ -34,7 +34,8 @@ bool TimePermission::GetBundleNameByUid(int32_t uid, std::string &bundleName) return iBundleMgr->GetBundleNameForUid(uid, bundleName); } -bool TimePermission::CheckCallingPermission(const std::string &permissionName) { +bool TimePermission::CheckCallingPermission(const std::string &permissionName) +{ if (permissionName.empty()) { TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed,permission name is empty."); return false; 
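Review bot: Adding `system` to `gid` widens what the time service process can reach, and the `timeservice.cfg` hunk in PATCH 8/8 goes further by replacing the dedicated `"uid" : "time"` with `"uid" : "system"` and dropping the `time` group. Neither commit message says what the service needs that the `time` account could not provide, while the `caps` entry already grants `SYS_TIME` and `WAKE_ALARM`. If the move is only needed so that access-token or bundle-manager lookups succeed (an assumption, the page does not say), granting that specific access to the `time` account would keep a compromise of this service from inheriting the `system` identity. The `shell` group is kept throughout and deserves the same justification.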
@@ -50,12 +51,11 @@ bool TimePermission::CheckCallingPermission(const std::string &permissionName) { result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permissionName); } else { TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed, callerToken:%{public}u, tokenType:%{public}d", - callerToken, tokenType); + callerToken, tokenType); } if (result != Security::AccessToken::PERMISSION_GRANTED) { - TIME_HILOGE(TIME_MODULE_COMMON,"permission check failed, permission:%{public}s, callerToken:%{public}u,tokenType:%{public}d", - permissionName.c_str(), callerToken, tokenType); + TIME_HILOGE(TIME_MODULE_COMMON,"permission check failed"); return false; } return true; -- Gitee From 8b16d5c92eb5e4f6fa0d53205cd42f5b5b452014 Mon Sep 17 00:00:00 2001 From: zhangjunxi Date: Sat, 28 May 2022 15:42:36 +0800 Subject: [PATCH 4/8] Signed-off-by: zhangjunxi Changes to be committed: modified: utils/native/src/time_permission.cpp --- utils/native/src/time_permission.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/native/src/time_permission.cpp b/utils/native/src/time_permission.cpp index 28dfb8e9..cfe74c56 100644 --- a/utils/native/src/time_permission.cpp +++ b/utils/native/src/time_permission.cpp @@ -28,7 +28,7 @@ bool TimePermission::GetBundleNameByUid(int32_t uid, std::string &bundleName) sptr iBundleMgr = iface_cast(remoteObject); if (iBundleMgr == nullptr) { - TIME_HILOGE(TIME_MODULE_COMMON, " permission check failed, cannot get IBundleMgr."); + TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed, cannot get IBundleMgr."); return false; } return iBundleMgr->GetBundleNameForUid(uid, bundleName); @@ -55,7 +55,7 @@ bool TimePermission::CheckCallingPermission(const std::string &permissionName) } if (result != Security::AccessToken::PERMISSION_GRANTED) { - TIME_HILOGE(TIME_MODULE_COMMON,"permission check failed"); + TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed."); return false; } return true; -- Gitee 
From e1ebd556aae4f0e572fcc5c5283f73eaab296383 Mon Sep 17 00:00:00 2001 From: zhangjunxi Date: Sat, 28 May 2022 15:53:12 +0800 Subject: [PATCH 5/8] Signed-off-by: zhangjunxi Changes to be committed: modified: services/time_manager/src/time_service.cpp modified: utils/native/src/time_permission.cpp --- services/time_manager/src/time_service.cpp | 4 ++-- utils/native/src/time_permission.cpp | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/services/time_manager/src/time_service.cpp b/services/time_manager/src/time_service.cpp index 416e59b2..1a70a9c1 100644 --- a/services/time_manager/src/time_service.cpp +++ b/services/time_manager/src/time_service.cpp @@ -308,7 +308,7 @@ int32_t TimeService::SetTime(const int64_t time) { auto hasPerm = DelayedSingleton::GetInstance()->CheckCallingPermission(setTimePermName_); if (!hasPerm) { - TIME_HILOGE(TIME_MODULE_SERVICE, "Permission check failed, uid : %{public}d", uid); + TIME_HILOGE(TIME_MODULE_SERVICE, "Permission check setTime failed"); return E_TIME_NO_PERMISSION; } TIME_HILOGI(TIME_MODULE_SERVICE, "Setting time of day to milliseconds: %{public}" PRId64 "", time); @@ -439,7 +439,7 @@ int32_t TimeService::SetTimeZone(const std::string timeZoneId) { auto hasPerm = DelayedSingleton::GetInstance()->CheckCallingPermission(setTimezonePermName_); if (!hasPerm) { - TIME_HILOGE(TIME_MODULE_SERVICE, "Permission check failed, uid : %{public}d", uid); + TIME_HILOGE(TIME_MODULE_SERVICE, "Permission check setTimezone failed"); return E_TIME_NO_PERMISSION; } diff --git a/utils/native/src/time_permission.cpp b/utils/native/src/time_permission.cpp index cfe74c56..b21ce630 100644 --- a/utils/native/src/time_permission.cpp +++ b/utils/native/src/time_permission.cpp 
@@ -55,7 +55,8 @@ bool TimePermission::CheckCallingPermission(const std::string &permissionName) } if (result != Security::AccessToken::PERMISSION_GRANTED) { - TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed."); + TIME_HILOGE("permission check failed, permission:%{public}s, callerToken:%{public}u, tokenType:%{public}d", + permissionName.c_str(), callerToken, tokenType); return false; } return true; -- Gitee From 40043c10370296e5f3a150c027b9bc8955119566 Mon Sep 17 00:00:00 2001 From: zhangjunxi Date: Sat, 28 May 2022 17:00:40 +0800 Subject: [PATCH 6/8] Signed-off-by: zhangjunxi Changes to be committed: modified: utils/native/src/time_permission.cpp --- utils/native/src/time_permission.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/native/src/time_permission.cpp b/utils/native/src/time_permission.cpp index b21ce630..61655120 100644 --- a/utils/native/src/time_permission.cpp +++ b/utils/native/src/time_permission.cpp @@ -55,7 +55,7 @@ bool TimePermission::CheckCallingPermission(const std::string &permissionName) } if (result != Security::AccessToken::PERMISSION_GRANTED) { - TIME_HILOGE("permission check failed, permission:%{public}s, callerToken:%{public}u, tokenType:%{public}d", + TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed, permission:%{public}s, callerToken:%{public}u, tokenType:%{public}d", permissionName.c_str(), callerToken, tokenType); return false; } -- Gitee From e5d826e0d61997457fb45d4455b2b2fa96a3e4c7 Mon Sep 17 00:00:00 2001 From: zhangjunxi Date: Sat, 28 May 2022 17:42:46 +0800 Subject: [PATCH 7/8] Signed-off-by: zhangjunxi Changes to be committed: modified: utils/native/src/time_permission.cpp --- utils/native/src/time_permission.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/utils/native/src/time_permission.cpp b/utils/native/src/time_permission.cpp index 61655120..15d9ec07 100644 --- a/utils/native/src/time_permission.cpp +++ b/utils/native/src/time_permission.cpp 
@@ -55,8 +55,9 @@ bool TimePermission::CheckCallingPermission(const std::string &permissionName) } if (result != Security::AccessToken::PERMISSION_GRANTED) { - TIME_HILOGE(TIME_MODULE_COMMON, "permission check failed, permission:%{public}s, callerToken:%{public}u, tokenType:%{public}d", - permissionName.c_str(), callerToken, tokenType); + TIME_HILOGE(TIME_MODULE_COMMON, + "permission check failed, permission:%{public}s, callerToken:%{public}u, tokenType:%{public}d", + permissionName.c_str(), callerToken, tokenType); return false; } return true; -- Gitee From 08089796f9228996c3e64a11bd4dbe3348fa9cb8 Mon Sep 17 00:00:00 2001 From: zhangjunxi Date: Sat, 28 May 2022 19:03:56 +0800 Subject: [PATCH 8/8] Signed-off-by: zhangjunxi Changes to be committed: modified: etc/init/timeservice.cfg modified: utils/native/include/time_permission.h --- etc/init/timeservice.cfg | 4 ++-- utils/native/include/time_permission.h | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/etc/init/timeservice.cfg b/etc/init/timeservice.cfg index ae54e496..332d1dd0 100644 --- a/etc/init/timeservice.cfg +++ b/etc/init/timeservice.cfg @@ -2,8 +2,8 @@ "services" : [{ "name" : "time_service", "path" : ["/system/bin/sa_main", "/system/profile/time_service.xml"], - "uid" : "time", - "gid" : ["system", "shell","time"], + "uid" : "system", + "gid" : ["system", "shell"], "caps" : ["SYS_TIME", "WAKE_ALARM"], "secon" : "u:r:time_service:s0" } diff --git a/utils/native/include/time_permission.h b/utils/native/include/time_permission.h index 1afd5878..40d10ae0 100644 --- a/utils/native/include/time_permission.h +++ b/utils/native/include/time_permission.h 
@@ -28,9 +28,9 @@ namespace OHOS { namespace MiscServices { -namespace Permission { - static const std::string SET_TIME = "ohos.permission.SET_TIME"; - static const std::string SET_TIME_ZONE = "ohos.permission.SET_TIME_ZONE"; + namespace Permission { + static const std::string SET_TIME = "ohos.permission.SET_TIME"; + static const std::string SET_TIME_ZONE = "ohos.permission.SET_TIME_ZONE"; } class TimePermission { -- Gitee