1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "ipc_common.h"
17 #include "ipc_skeleton.h"
18 #include "accesstoken_kit.h"
19 #include "app_mgr_interface.h"
20 #include "iam_common_defines.h"
21 #include "iam_logger.h"
22 #include "iam_para2str.h"
23 #include "iservice_registry.h"
24 #include "system_ability_definition.h"
25 #include "tokenid_kit.h"
26 #include "parameters.h"
27 #ifdef HAS_OS_ACCOUNT_PART
28 #include "os_account_manager.h"
29 #include "os_account_info.h"
30 #include "user_auth_hdi.h"
31 #endif // HAS_OS_ACCOUNT_PART
32 #define LOG_TAG "USER_AUTH_SA"
33
34 namespace OHOS {
35 namespace UserIam {
36 namespace UserAuth {
37 namespace PermissionString {
38 const std::string MANAGE_USER_IDM_PERMISSION = "ohos.permission.MANAGE_USER_IDM";
39 const std::string USE_USER_IDM_PERMISSION = "ohos.permission.USE_USER_IDM";
40 const std::string ACCESS_USER_AUTH_INTERNAL_PERMISSION = "ohos.permission.ACCESS_USER_AUTH_INTERNAL";
41 const std::string ACCESS_BIOMETRIC_PERMISSION = "ohos.permission.ACCESS_BIOMETRIC";
42 const std::string ACCESS_AUTH_RESPOOL = "ohos.permission.ACCESS_AUTH_RESPOOL";
43 const std::string ENFORCE_USER_IDM = "ohos.permission.ENFORCE_USER_IDM";
44 const std::string SUPPORT_USER_AUTH = "ohos.permission.SUPPORT_USER_AUTH";
45 }
46
47 namespace {
48 // process white list of allowing to call, <processUid, processName>
49 const std::vector<std::pair<int32_t, std::string>> manageUserIdmWhiteLists = {
50 {3058, "accountmgr"},
51 };
52
53 const std::vector<std::pair<int32_t, std::string>> enforceUserIdmWhiteLists = {
54 {3058, "accountmgr"},
55 };
56 }
57
GetCallingUserId(IPCObjectStub & stub,int32_t & userId)58 int32_t IpcCommon::GetCallingUserId(IPCObjectStub &stub, int32_t &userId)
59 {
60 uint32_t tokenId = GetAccessTokenId(stub);
61 using namespace Security::AccessToken;
62 ATokenTypeEnum callingType = AccessTokenKit::GetTokenTypeFlag(tokenId);
63 if (callingType != ATokenTypeEnum::TOKEN_HAP) {
64 IAM_LOGE("failed to get calling type");
65 return TYPE_NOT_SUPPORT;
66 }
67 HapTokenInfo hapTokenInfo;
68 int result = AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfo);
69 if (result != SUCCESS) {
70 IAM_LOGE("failed to get hap token info, result = %{public}d", result);
71 return TYPE_NOT_SUPPORT;
72 }
73 userId = static_cast<int32_t>(hapTokenInfo.userID);
74 IAM_LOGI("get callingUserId is %{public}d", userId);
75 return SUCCESS;
76 }
77
GetActiveUserId(std::optional<int32_t> & userId)78 int32_t IpcCommon::GetActiveUserId(std::optional<int32_t> &userId)
79 {
80 if (userId.has_value() && userId.value() != 0) {
81 return SUCCESS;
82 }
83 std::vector<int32_t> ids;
84 #ifdef HAS_OS_ACCOUNT_PART
85 ErrCode queryRet = AccountSA::OsAccountManager::QueryActiveOsAccountIds(ids);
86 if (queryRet != ERR_OK || ids.empty()) {
87 IAM_LOGE("failed to query active account id");
88 return GENERAL_ERROR;
89 }
90 #else // HAS_OS_ACCOUNT_PART
91 const int32_t DEFAULT_OS_ACCOUNT_ID = 0;
92 ids.push_back(DEFAULT_OS_ACCOUNT_ID);
93 IAM_LOGI("there is no os account part, use default id");
94 #endif // HAS_OS_ACCOUNT_PART
95 userId = ids.front();
96 return SUCCESS;
97 }
98
GetAllUserId(std::vector<int32_t> & userIds)99 int32_t IpcCommon::GetAllUserId(std::vector<int32_t> &userIds)
100 {
101 #ifdef HAS_OS_ACCOUNT_PART
102 std::vector<OHOS::AccountSA::OsAccountInfo> accountInfos = {};
103 ErrCode ret = AccountSA::OsAccountManager::QueryAllCreatedOsAccounts(accountInfos);
104 if (ret != ERR_OK) {
105 IAM_LOGE("failed to query all account id ret %{public}d ", ret);
106 return GENERAL_ERROR;
107 }
108
109 if (accountInfos.empty()) {
110 IAM_LOGE("accountInfos count %{public}zu", accountInfos.size());
111 return SUCCESS;
112 }
113
114 std::transform(accountInfos.begin(), accountInfos.end(), std::back_inserter(userIds),
115 [](auto &iter) { return iter.GetLocalId(); });
116 #else
117 const int32_t DEFAULT_OS_ACCOUNT_ID = 0;
118 userIds.push_back(DEFAULT_OS_ACCOUNT_ID);
119 #endif
120
121 return SUCCESS;
122 }
123
MapOsAccountTypeToUserType(int32_t userId,AccountSA::OsAccountType osAccountType)124 static HdiUserType MapOsAccountTypeToUserType(int32_t userId, AccountSA::OsAccountType osAccountType)
125 {
126 if (osAccountType == AccountSA::OsAccountType::PRIVATE) {
127 return HdiUserType::PRIVATE;
128 } else if (userId == MAIN_USER_ID) {
129 return HdiUserType::MAIN;
130 } else {
131 return HdiUserType::SUB;
132 }
133 }
134
GetUserTypeByUserId(int32_t userId,int32_t & userType)135 int32_t IpcCommon::GetUserTypeByUserId(int32_t userId, int32_t &userType)
136 {
137 #ifdef HAS_OS_ACCOUNT_PART
138 AccountSA::OsAccountType osAccountType;
139 ErrCode ret = AccountSA::OsAccountManager::GetOsAccountType(userId, osAccountType);
140 if (ret != ERR_OK) {
141 IAM_LOGE("failed to get osAccountType for userId %d, error code: %d", userId, ret);
142 return TYPE_NOT_SUPPORT;
143 }
144 userType = MapOsAccountTypeToUserType(userId, osAccountType);
145 IAM_LOGI("userType:%{public}d", userType);
146 #else
147 const int32_t DEFAULT_OS_ACCOUNT_TYPE = 0;
148 userType = DEFAULT_OS_ACCOUNT_TYPE;
149 #endif
150
151 return SUCCESS;
152 }
153
CheckForegroundApplication(const std::string & bundleName)154 bool IpcCommon::CheckForegroundApplication(const std::string &bundleName)
155 {
156 sptr<ISystemAbilityManager> samgrClient = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
157 if (samgrClient == nullptr) {
158 IAM_LOGI("Get system ability manager failed");
159 return false;
160 }
161 sptr<AppExecFwk::IAppMgr> iAppManager =
162 iface_cast<AppExecFwk::IAppMgr>(samgrClient->GetSystemAbility(APP_MGR_SERVICE_ID));
163 if (iAppManager == nullptr) {
164 IAM_LOGI("Failed to get ability manager service");
165 return false;
166 }
167 std::vector<AppExecFwk::AppStateData> foregroundAppList;
168 iAppManager->GetForegroundApplications(foregroundAppList);
169 auto it = std::find_if(foregroundAppList.begin(), foregroundAppList.end(), [bundleName] (auto foregroundApp) {
170 return bundleName.compare(foregroundApp.bundleName) == 0;
171 });
172 if (it == foregroundAppList.end()) {
173 IAM_LOGI("app : %{public}s is not foreground", bundleName.c_str());
174 return false;
175 }
176 return true;
177 }
178
CheckPermission(IPCObjectStub & stub,Permission permission)179 bool IpcCommon::CheckPermission(IPCObjectStub &stub, Permission permission)
180 {
181 switch (permission) {
182 case MANAGE_USER_IDM_PERMISSION:
183 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::MANAGE_USER_IDM_PERMISSION) &&
184 CheckNativeCallingProcessWhiteList(stub, permission);
185 case USE_USER_IDM_PERMISSION:
186 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::USE_USER_IDM_PERMISSION);
187 case ACCESS_USER_AUTH_INTERNAL_PERMISSION:
188 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::ACCESS_USER_AUTH_INTERNAL_PERMISSION);
189 case ACCESS_BIOMETRIC_PERMISSION:
190 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::ACCESS_BIOMETRIC_PERMISSION);
191 case ACCESS_AUTH_RESPOOL:
192 return CheckDirectCaller(stub, PermissionString::ACCESS_AUTH_RESPOOL);
193 case ENFORCE_USER_IDM:
194 return CheckDirectCaller(stub, PermissionString::ENFORCE_USER_IDM) &&
195 CheckNativeCallingProcessWhiteList(stub, permission);
196 case SUPPORT_USER_AUTH:
197 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::SUPPORT_USER_AUTH);
198 case IS_SYSTEM_APP:
199 return CheckCallerIsSystemApp(stub);
200 case CLEAR_REDUNDANCY_PERMISSION:
201 return CheckDirectCaller(stub, PermissionString::ENFORCE_USER_IDM);
202 default:
203 IAM_LOGE("failed to check permission");
204 return false;
205 }
206 }
207
GetAccessTokenId(IPCObjectStub & stub)208 uint32_t IpcCommon::GetAccessTokenId(IPCObjectStub &stub)
209 {
210 uint32_t tokenId = stub.GetFirstTokenID();
211 IAM_LOGI("get first caller tokenId: %{public}s", GET_MASKED_STRING(tokenId).c_str());
212 if (tokenId == 0) {
213 IAM_LOGI("no first caller, get direct caller tokenId: %{public}s", GET_MASKED_STRING(tokenId).c_str());
214 tokenId = stub.GetCallingTokenID();
215 }
216 return tokenId;
217 }
218
GetTokenId(IPCObjectStub & stub)219 uint32_t IpcCommon::GetTokenId(IPCObjectStub &stub)
220 {
221 uint32_t tokenId = stub.GetCallingTokenID();
222 IAM_LOGI("get tokenId: %{public}s", GET_MASKED_STRING(tokenId).c_str());
223 return tokenId;
224 }
225
GetWhiteLists(Permission permission)226 std::vector<std::pair<int32_t, std::string>> IpcCommon::GetWhiteLists(Permission permission)
227 {
228 switch (permission) {
229 case MANAGE_USER_IDM_PERMISSION:
230 return manageUserIdmWhiteLists;
231 case ENFORCE_USER_IDM:
232 return enforceUserIdmWhiteLists;
233 case CLEAR_REDUNDANCY_PERMISSION:
234 case USE_USER_IDM_PERMISSION:
235 case ACCESS_USER_AUTH_INTERNAL_PERMISSION:
236 case ACCESS_BIOMETRIC_PERMISSION:
237 case ACCESS_AUTH_RESPOOL:
238 case SUPPORT_USER_AUTH:
239 case IS_SYSTEM_APP:
240 default:
241 IAM_LOGE("the permission has no white lists");
242 return {};
243 }
244 }
245
CheckNativeCallingProcessWhiteList(IPCObjectStub & stub,Permission permission)246 bool IpcCommon::CheckNativeCallingProcessWhiteList(IPCObjectStub &stub, Permission permission)
247 {
248 uint32_t tokenId = stub.GetCallingTokenID();
249 using namespace Security::AccessToken;
250 ATokenTypeEnum callingType = AccessTokenKit::GetTokenTypeFlag(tokenId);
251 if (callingType != ATokenTypeEnum::TOKEN_NATIVE) {
252 IAM_LOGE("failed to get calling type");
253 return false;
254 }
255 NativeTokenInfo nativeTokenInfo;
256 int result = AccessTokenKit::GetNativeTokenInfo(tokenId, nativeTokenInfo);
257 if (result != SUCCESS) {
258 IAM_LOGE("failed to get native token info, result = %{public}d", result);
259 return false;
260 }
261
262 std::vector<std::pair<int32_t, std::string>> whiteLists = IpcCommon::GetWhiteLists(permission);
263 std::string processName = nativeTokenInfo.processName;
264 int32_t processUid = stub.GetCallingUid();
265 for (const auto &whiteList : whiteLists) {
266 if (whiteList.first == processUid && whiteList.second == processName) {
267 return true;
268 }
269 }
270 IAM_LOGE("failed to check process white list");
271 return false;
272 }
273
CheckDirectCallerAndFirstCallerIfSet(IPCObjectStub & stub,const std::string & permission)274 bool IpcCommon::CheckDirectCallerAndFirstCallerIfSet(IPCObjectStub &stub, const std::string &permission)
275 {
276 uint32_t firstTokenId = stub.GetFirstTokenID();
277 uint32_t callingTokenId = stub.GetCallingTokenID();
278 using namespace Security::AccessToken;
279 if ((firstTokenId != 0 && AccessTokenKit::VerifyAccessToken(firstTokenId, permission) != RET_SUCCESS) ||
280 AccessTokenKit::VerifyAccessToken(callingTokenId, permission) != RET_SUCCESS) {
281 IAM_LOGE("failed to check permission");
282 return false;
283 }
284 return true;
285 }
286
CheckDirectCaller(IPCObjectStub & stub,const std::string & permission)287 bool IpcCommon::CheckDirectCaller(IPCObjectStub &stub, const std::string &permission)
288 {
289 uint32_t callingTokenId = stub.GetCallingTokenID();
290 using namespace Security::AccessToken;
291 if (AccessTokenKit::VerifyAccessToken(callingTokenId, permission) != RET_SUCCESS) {
292 IAM_LOGE("failed to check permission");
293 return false;
294 }
295 return true;
296 }
297
CheckCallerIsSystemApp(IPCObjectStub & stub)298 bool IpcCommon::CheckCallerIsSystemApp(IPCObjectStub &stub)
299 {
300 uint32_t callingTokenId = stub.GetCallingTokenID();
301 using namespace Security::AccessToken;
302 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
303 bool checkRet = TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
304 ATokenTypeEnum callingType = AccessTokenKit::GetTokenTypeFlag(callingTokenId);
305 if (checkRet && callingType == ATokenTypeEnum::TOKEN_HAP) {
306 IAM_LOGI("the caller is system application");
307 return true;
308 }
309 return false;
310 }
311
GetCallerName(IPCObjectStub & stub,std::string & callerName,int32_t & callerType)312 bool IpcCommon::GetCallerName(IPCObjectStub &stub, std::string &callerName, int32_t &callerType)
313 {
314 const std::string DEVELOPER_MODE_STATE = "const.security.developermode.state";
315 callerType = UserAuthCallerType::TOKEN_INVALID;
316 uint32_t tokenId = GetAccessTokenId(stub);
317 using namespace Security::AccessToken;
318 ATokenTypeEnum callerTypeTemp = AccessTokenKit::GetTokenTypeFlag(tokenId);
319 if (callerTypeTemp == ATokenTypeEnum::TOKEN_HAP) {
320 callerType = UserAuthCallerType::TOKEN_HAP;
321 HapTokenInfo hapTokenInfo;
322 int result = AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfo);
323 if (result != SUCCESS) {
324 IAM_LOGE("failed to get hap token info, result = %{public}d", result);
325 return false;
326 }
327 callerName = hapTokenInfo.bundleName;
328 IAM_LOGI("caller bundleName is %{public}s", callerName.c_str());
329 return true;
330 } else if (callerTypeTemp == ATokenTypeEnum::TOKEN_NATIVE) {
331 callerType = UserAuthCallerType::TOKEN_NATIVE;
332 NativeTokenInfo nativeTokenInfo;
333 int res = AccessTokenKit::GetNativeTokenInfo(tokenId, nativeTokenInfo);
334 if (res != SUCCESS) {
335 IAM_LOGE("failed to get native token info, res = %{public}d", res);
336 return false;
337 }
338 callerName = nativeTokenInfo.processName;
339 IAM_LOGI("caller processName is %{public}s", callerName.c_str());
340 return true;
341 } else if (callerTypeTemp == ATokenTypeEnum::TOKEN_SHELL &&
342 OHOS::system::GetBoolParameter(DEVELOPER_MODE_STATE, false)) {
343 if (!CheckPermission(stub, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
344 return false;
345 }
346 IAM_LOGI("caller is shell for develop mode");
347 return true;
348 }
349 IAM_LOGI("caller is not a hap or a native");
350 return false;
351 }
352
GetCallingAppID(IPCObjectStub & stub,std::string & callingAppID)353 bool IpcCommon::GetCallingAppID(IPCObjectStub &stub, std::string &callingAppID)
354 {
355 uint32_t tokenId = GetAccessTokenId(stub);
356 using namespace Security::AccessToken;
357 ATokenTypeEnum callerTypeTemp = AccessTokenKit::GetTokenTypeFlag(tokenId);
358 if (callerTypeTemp != ATokenTypeEnum::TOKEN_HAP) {
359 return false;
360 }
361
362 HapTokenInfo hapTokenInfo;
363 int result = AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfo);
364 if (result != SUCCESS) {
365 IAM_LOGE("failed to get hap token info, result = %{public}d", result);
366 return false;
367 }
368 callingAppID = hapTokenInfo.appID;
369 IAM_LOGI("successed in getting caller app ID");
370 return true;
371 }
372
IsOsAccountVerified(int32_t userId)373 bool IpcCommon::IsOsAccountVerified(int32_t userId)
374 {
375 bool isOsAccountVerified = false;
376 #ifdef HAS_OS_ACCOUNT_PART
377 ErrCode queryRet = AccountSA::OsAccountManager::IsOsAccountVerified(userId, isOsAccountVerified);
378 if (queryRet != ERR_OK) {
379 IAM_LOGE("failed to query account verified status");
380 return false;
381 }
382 #endif
383 return isOsAccountVerified;
384 }
385 } // namespace UserAuth
386 } // namespace UserIam
387 } // namespace OHOS