/*
 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef OHOS_ABILITY_RUNTIME_URI_PERMISSION_MANAGER_STUB_IMPL_H
#define OHOS_ABILITY_RUNTIME_URI_PERMISSION_MANAGER_STUB_IMPL_H

// NOTE(review): the five system-header names below, and every template
// argument list in this file (std::function<...>, std::vector<...>, sptr<...>,
// std::map<...>, std::set<...>, std::unordered_set<...>, the template
// parameter of ConnectManager), appear to have been stripped by the text
// extraction that produced this copy. Restore them from the original header
// before building; nothing in this file is intended to compile as shown.
#include
#include
#include
#include
#include

#include "app_mgr_interface.h"
#include "istorage_manager.h"
#include "tokenid_permission.h"
#include "uri.h"
#include "uri_permission_manager_stub.h"

#ifdef ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
#include "policy_info.h"
#include "sandbox_manager_kit.h"
#else
#include "upms_policy_info.h"
#endif // ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER

namespace OHOS::AAFwk {
namespace {
// Callback type handed to ProxyDeathRecipient; its argument type was lost in
// extraction (the wptr& parameter of OnRemoteDied below is the likely match).
using ClearProxyCallback = std::function&)>;
// Access-token id used throughout as the identity of a granting / receiving app.
using TokenId = Security::AccessToken::AccessTokenID;
#ifdef ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
using namespace AccessControl::SandboxManager;
#endif // ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
// Sentinel ability id. A grant made with this id is not attributed to any
// ability: GrantInfo::AddAbilityId ignores it, so such a grant is never
// removed through the per-ability RemoveAbilityId path.
constexpr int32_t DEFAULT_ABILITY_ID = -1;
}

/**
 * One recorded URI grant: the permission flag, the token that granted it,
 * the token that received it, and the ability ids the grant is attributed to.
 * fromTokenId and targetTokenId are const, so a record can only ever describe
 * the (granter, grantee) pair it was created for; the flag and the ability
 * set are the mutable parts.
 */
struct GrantInfo {
    unsigned int flag;
    const uint32_t fromTokenId;
    const uint32_t targetTokenId;
    // NOTE(review): not read anywhere in this header; presumably marks grants
    // that are revoked automatically when their owner goes away — confirm in the .cpp.
    bool autoRemove;
    // Element type stripped in extraction; the methods below insert/erase int32_t.
    std::unordered_set abilityIds;

    // Records abilityId for this grant; the DEFAULT_ABILITY_ID sentinel is
    // deliberately not stored (see the note on DEFAULT_ABILITY_ID).
    void AddAbilityId(int32_t abilityId)
    {
        if (abilityId != DEFAULT_ABILITY_ID) {
            abilityIds.insert(abilityId);
        }
    }

    // Returns true only if abilityId was present and has now been removed.
    bool RemoveAbilityId(int32_t abilityId)
    {
        return abilityIds.erase(abilityId) > 0;
    }

    // True when no ability is attributed to this grant any more.
    // NOTE(review): does not modify state and could be declared const.
    bool IsEmptyAbilityId()
    {
        return abilityIds.empty();
    }

    // Drops every ability attribution; the grant record itself is untouched.
    void ClearAbilityIds()
    {
        abilityIds.clear();
    }
};

/**
 * Service-side implementation of the URI permission manager stub.
 *
 * Owns the table of active URI grants (uriMap_), a set of permission tokens
 * (permissionTokenMap_) and cached proxies to the app manager and storage
 * manager. The public methods are the IPC entry points inherited from
 * UriPermissionManagerStub; the private methods are the grant / check / revoke
 * helpers they dispatch to. All behaviour lives in the .cpp, so the comments
 * here describe only what the declarations themselves establish.
 *
 * NOTE(review): the two public GrantUriPermission overloads take
 * targetBundleName by value while GrantUriPermissionPrivileged takes it by
 * const reference. Both are overrides, so aligning them means changing the
 * base interface as well.
 */
class UriPermissionManagerStubImpl : public UriPermissionManagerStub,
    public std::enable_shared_from_this {
public:
    UriPermissionManagerStubImpl() = default;
    virtual ~UriPermissionManagerStubImpl() = default;

    // Grant flag on a single URI (or each URI of uriVec) to targetBundleName.
    // abilityId defaults to -1, i.e. DEFAULT_ABILITY_ID: the grant is then not
    // attributed to any ability. initiatorTokenId = 0 presumably means "use the
    // calling token" — confirm in the .cpp.
    int GrantUriPermission(const Uri &uri, unsigned int flag, const std::string targetBundleName,
        int32_t appIndex = 0, uint32_t initiatorTokenId = 0, int32_t abilityId = -1) override;
    int GrantUriPermission(const std::vector &uriVec, unsigned int flag, const std::string targetBundleName,
        int32_t appIndex = 0, uint32_t initiatorTokenId = 0, int32_t abilityId = -1) override;
    // Privileged variant: no defaulted parameters, every value must be supplied
    // by the caller. The caller-privilege check itself is not visible here.
    int32_t GrantUriPermissionPrivileged(const std::vector &uriVec, uint32_t flag,
        const std::string &targetBundleName, int32_t appIndex, uint32_t initiatorTokenId, int32_t abilityId) override;
    // Per-URI authorization result for tokenId; the element type of the
    // returned vector was stripped in extraction.
    std::vector CheckUriAuthorization(const std::vector &uriVec, uint32_t flag, uint32_t tokenId) override;
    // Only for the foundation process to call. The header does not show how
    // that restriction is enforced; it must be checked in the implementation.
    void RevokeUriPermission(const TokenId tokenId, int32_t abilityId = -1) override;
    // Revoke every grant held by tokenId.
    int RevokeAllUriPermissions(uint32_t tokenId) override;
    // Revoke one URI grant identified by bundle name (+ appIndex) rather than token.
    int RevokeUriPermissionManually(const Uri &uri, const std::string bundleName, int32_t appIndex = 0) override;
    // True if tokenId currently holds flag on uri.
    bool VerifyUriPermission(const Uri &uri, uint32_t flag, uint32_t tokenId) override;

private:
    // Obtains the proxy for serviceId into mgr; the template parameter list
    // was stripped in extraction.
    template void ConnectManager(sptr &mgr, int32_t serviceId);

    // Single-URI and batch grant paths. "Impl" variants already work on
    // resolved TokenIds; the non-Impl variants take raw uint32_t token values.
    int GrantUriPermissionImpl(const Uri &uri, unsigned int flag, TokenId fromTokenId, TokenId targetTokenId,
        int32_t abilityId);
    // Records a grant for a URI given as a string rather than a parsed Uri.
    int AddTempUriPermission(const std::string &uri, unsigned int flag, TokenId fromTokenId, TokenId targetTokenId,
        int32_t abilityId);
    int GrantBatchUriPermissionImpl(const std::vector &uriVec, unsigned int flag, TokenId initiatorTokenId,
        TokenId targetTokenId, int32_t abilityId);
    int GrantBatchUriPermission(const std::vector &uriVec, unsigned int flag, uint32_t initiatorTokenId,
        uint32_t targetTokenId, int32_t abilityId);
    int32_t GrantBatchUriPermissionPrivileged(const std::vector &uriVec, uint32_t flag, uint32_t callerTokenId,
        uint32_t targetTokenId, int32_t abilityId = -1);
    int32_t GrantBatchUriPermissionFor2In1Privileged(const std::vector &uriVec, uint32_t flag,
        uint32_t callerTokenId, uint32_t targetTokenId, int32_t abilityId = -1);
    int GrantSingleUriPermission(const Uri &uri, unsigned int flag, uint32_t callerTokenId, uint32_t targetTokenId,
        int32_t abilityId);

    // Caller-environment and URI checks. CheckUriPermission returns one result
    // per entry of uriVec (element type stripped in extraction).
    int32_t CheckCalledBySandBox();
    std::vector CheckUriPermission(TokenIdPermission &tokenIdPermission, const std::vector &uriVec,
        uint32_t flag);
    // NOTE(review): takes Uri by value; const Uri & would match the other declarations.
    bool CheckUriTypeIsValid(Uri uri);

    // Inner grant paths behind the public entry points. The "2In1" variant
    // additionally carries isSystemAppCall, which the header does not explain.
    int GrantUriPermissionInner(const std::vector &uriVec, unsigned int flag, const std::string targetBundleName,
        int32_t appIndex, uint32_t initiatorTokenId, int32_t abilityId = -1);
    int GrantUriPermissionFor2In1Inner(const std::vector &uriVec, unsigned int flag,
        const std::string &targetBundleName, int32_t appIndex, bool isSystemAppCall, uint32_t initiatorTokenId = 0,
        int32_t abilityId = -1);
    // Note the uint64_t tokenId here, unlike the uint32_t / TokenId used elsewhere.
    void HandleUriPermission(uint64_t tokenId, unsigned int flag, std::vector &docsVec, bool isSystemAppCall);
    // Fills result in place instead of returning it.
    void CheckProxyUriPermission(TokenIdPermission &tokenIdPermission, const std::vector &uriVec, uint32_t flag,
        std::vector &result);

    // Revocation helpers.
    int32_t DeleteShareFile(uint32_t targetTokenId, const std::vector &uriVec);
    void RemoveUriRecord(std::vector &uriList, const TokenId tokenId, int32_t abilityId);

    // Sub-directory / distributed-URI matching used when verifying a grant
    // against a cached URI; exact matching rules are in the .cpp.
    bool VerifySubDirUriPermission(const std::string &uriStr, uint32_t newFlag, uint32_t tokenId);
    bool IsDistributedSubDirUri(const std::string &inputUri, const std::string &cachedUri);

    // Overrides that the stub exposes but this class keeps private.
    int32_t ClearPermissionTokenByMap(const uint32_t tokenId) override;
#ifdef ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER
    int32_t Active(const std::vector &policy, std::vector &result) override;
#endif // ABILITY_RUNTIME_FEATURE_SANDBOXMANAGER

    /**
     * Death recipient installed on a cached remote proxy. OnRemoteDied is
     * defined in the .cpp; presumably it invokes proxy_ so the owner can drop
     * the dead proxy — confirm there.
     */
    class ProxyDeathRecipient : public IRemoteObject::DeathRecipient {
    public:
        // NOTE(review): accepts an rvalue reference but copy-constructs proxy_
        // from it; `proxy_(std::move(proxy))` would honour the && signature.
        explicit ProxyDeathRecipient(ClearProxyCallback&& proxy) : proxy_(proxy) {}
        ~ProxyDeathRecipient() = default;
        virtual void OnRemoteDied([[maybe_unused]] const wptr& remote) override;
    private:
        ClearProxyCallback proxy_;
    };

private:
    // Active grant table; key and value types were stripped in extraction.
    std::map> uriMap_;
    // NOTE(review): which member each mutex guards is not visible in this
    // header. By name, mutex_ presumably covers uriMap_, mgrMutex_ the two
    // cached manager proxies, and ptMapMutex_ permissionTokenMap_ — confirm
    // against the .cpp before relying on it.
    std::mutex mutex_;
    std::mutex mgrMutex_;
    sptr appMgr_ = nullptr;
    sptr storageManager_ = nullptr;
    std::set permissionTokenMap_;
    std::mutex ptMapMutex_;
};
} // namespace OHOS::AAFwk
#endif // OHOS_ABILITY_RUNTIME_URI_PERMISSION_MANAGER_STUB_IMPL_H