systemspi_cpp安全问题整改

Signed-off-by: lsl <lanshulei@huawei.com>

interfaces/kits/napi/accessibility_config/include/napi_accessibility_config.h

@@ -135,7 +135,9 @@ private:
     static void GetConfigComplete(napi_env env, napi_status status, void* data);
     static void GetConfigExecute(napi_env env, void* data);
     static bool CheckReadPermission(const std::string &permission);
+    static bool CheckWritePermission(const std::string &permission);
     static bool IsAvailable(napi_env env, napi_callback_info info);
+    static bool IsAvailableWrite(napi_env env, napi_callback_info info);
     static void GetScreenTouchConfigExecute(NAccessibilityConfigData* callbackInfo);
     static void EnableAbilityError(size_t& argc, OHOS::Accessibility::RetError& errCode,
         napi_env env, napi_value* parameters, NAccessibilityConfigData* callbackInfo);

interfaces/kits/napi/accessibility_config/src/napi_accessibility_config.cpp

@@ -215,6 +215,27 @@ bool NAccessibilityConfig::CheckReadPermission(const std::string &permission)
     return true;
 }
 
+bool NAccessibilityConfig::CheckWritePermission(const std::string &permission)
+{
+    HILOG_DEBUG();
+    uint32_t tokenId = IPCSkeleton::GetCallingTokenID();
+    int result = TypePermissionState::PERMISSION_GRANTED;
+    ATokenTypeEnum tokenType = AccessTokenKit::GetTokenTypeFlag(tokenId);
+    if (tokenType == TOKEN_INVALID) {
+        HILOG_WARN("AccessToken type invalid!");
+        return false;
+    } else {
+        result = AccessTokenKit::VerifyAccessToken(tokenId, permission);
+    }
+    if (result == TypePermissionState::PERMISSION_DENIED) {
+        HILOG_WARN("AccessTokenID denied!");
+        return false;
+    }
+    HILOG_DEBUG("tokenType %{private}d dAccessTokenID:%{private}u, permission:%{private}s matched!",
+        tokenType, tokenId, permission.c_str());
+    return true;
+}
+
 bool NAccessibilityConfig::IsAvailable(napi_env env, napi_callback_info info)
 {
     HILOG_DEBUG();
@@ -235,6 +256,26 @@ bool NAccessibilityConfig::IsAvailable(napi_env env, napi_callback_info info)
     return true;
 }
 
+bool NAccessibilityConfig::IsAvailableWrite(napi_env env, napi_callback_info info)
+{
+    HILOG_DEBUG();
+    if (!Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(IPCSkeleton::GetCallingFullTokenID())) {
+        napi_value err = CreateBusinessError(env, OHOS::Accessibility::RET_ERR_NOT_SYSTEM_APP);
+        napi_throw(env, err);
+        HILOG_ERROR("is not system app");
+        return false;
+    }
+
+    if (!CheckWritePermission(OHOS_PERMISSION_WRITE_ACCESSIBILITY_CONFIG)) {
+        napi_value err = CreateBusinessError(env, OHOS::Accessibility::RET_ERR_NO_PERMISSION);
+        napi_throw(env, err);
+        HILOG_ERROR("have no write permission");
+        return false;
+    }
+    
+    return true;
+}
+
 napi_value NAccessibilityConfig::SubscribeState(napi_env env, napi_callback_info info)
 {
     HILOG_DEBUG();
@@ -704,6 +745,9 @@ bool NAccessibilityConfig::SetConfigParseData(napi_env env, NAccessibilityConfig
 napi_value NAccessibilityConfig::SetConfig(napi_env env, napi_callback_info info)
 {
     HILOG_DEBUG();
+    if (!IsAvailableWrite(env, info)) {
+        return nullptr;
+    }
 
     NAccessibilityConfigClass* obj;
     size_t argc = ARGS_SIZE_TWO;

interfaces/kits/napi/accessibility_extension_module_loader/BUILD.gn

@@ -64,11 +64,14 @@ ohos_shared_library("accessibility_extension_module") {
     "ability_runtime:app_context",
     "ability_runtime:extensionkit_native",
     "ability_runtime:runtime",
+    "access_token:libaccesstoken_sdk",
+    "access_token:libtokenid_sdk",
     "c_utils:utils",
     "common_event_service:cesfwk_innerkits",
     "ffrt:libffrt",
     "hilog:libhilog",
     "input:libmmi-client",
+    "ipc:ipc_core",
     "napi:ace_napi",
   ]
 

interfaces/kits/napi/accessibility_extension_module_loader/src/napi_accessibility_element.cpp

@@ -23,9 +23,14 @@
 #include "accessibility_utils.h"
 #include "nlohmann/json.hpp"
 
+#include "ipc_skeleton.h"
+#include "tokenid_kit.h"
+#include "accesstoken_kit.h"
+
 using namespace OHOS;
 using namespace OHOS::Accessibility;
 using namespace OHOS::AccessibilityNapi;
+using namespace Security::AccessToken;
 namespace {
     const std::vector<std::string> ELEMENT_INFO_ATTRIBUTE_NAMES = {"componentId", "inspectorKey",
         "bundleName", "componentType", "inputType", "text", "hintText", "description", "triggerAction",
@@ -1553,6 +1558,12 @@ void NAccessibilityElement::ActionNamesComplete(napi_env env, napi_status status
 napi_value NAccessibilityElement::EnableScreenCurtain(napi_env env, napi_callback_info info)
 {
     HILOG_INFO("enter NAccessibilityElement::EnableScreenCurtain");
+    if (!Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(IPCSkeleton::GetCallingFullTokenID())) {
+        napi_value err = CreateBusinessError(env, OHOS::Accessibility::RET_ERR_NOT_SYSTEM_APP);
+        napi_throw(env, err);
+        HILOG_ERROR("is not system app");
+        return nullptr;
+    }
 
     size_t argc = ARGS_SIZE_ONE;
     napi_value argv[ARGS_SIZE_ONE] = { 0 };