shell安装管控

Signed-off-by: Zhou Shihui <zhoushihui4@huawei.com>
This commit is contained in:
Zhou Shihui 2024-11-13 16:40:11 +08:00
parent 607d14a403
commit be58fbb9a0
5 changed files with 30 additions and 5 deletions

View File

@ -141,6 +141,8 @@ enum {
ERR_APPEXECFWK_INSTALL_CHECK_ENCRYPTION_FAILED = 8519760,
ERR_APPEXECFWK_INSTALLD_SERVICE_DIED = 8519761,
ERR_APPEXECFWK_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = 8519762,
ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519763,
ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519764,
ERR_APPEXECFWK_INSTALL_ENTERPRISE_BUNDLE_NOT_ALLOWED = 8519780,
ERR_APPEXECFWK_INSTALL_SELF_UPDATE_NOT_MDM = 8519781,
@ -150,7 +152,6 @@ enum {
ERR_APPEXECFWK_INSTALL_FAILED_CONTROLLED = 8519785,
ERR_APPEXECFWK_INSTALL_APP_IN_BLOCKLIST = 8519787,
ERR_APPEXECFWK_INSTALL_INTERNALTESTING_BUNDLE_NOT_ALLOWED = 8519788,
ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519789,
// native bundle
ERR_APPEXECFWK_NATIVE_INSTALL_FAILED = 8519790,

View File

@ -215,6 +215,7 @@ public:
ERR_INSTALL_EXISTED_ENTERPRISE_BUNDLE_NOT_ALLOWED = 9568414,
ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = 9568415,
ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL = 9568416,
ERR_RECOVER_GET_BUNDLEPATH_ERROR = 201,
ERR_RECOVER_INVALID_BUNDLE_NAME,

View File

@ -387,6 +387,8 @@ private:
std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
std::unordered_map<std::string, InnerBundleInfo> &infos);
ErrCode CheckShellInstall(std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes);
ErrCode CheckInstallCondition(std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
std::unordered_map<std::string, InnerBundleInfo> &infos, bool isSysCapValid);

View File

@ -1153,10 +1153,8 @@ ErrCode BaseBundleInstaller::ProcessBundleInstall(const std::vector<std::string>
CHECK_RESULT(result, "hap files check signature info failed %{public}d");
UpdateInstallerState(InstallerState::INSTALL_SIGNATURE_CHECKED); // ---- 15%
if (sysEventInfo_.callingUid == ServiceConstants::SHELL_UID &&
hapVerifyResults[0].GetProvisionInfo().type == Security::Verify::ProvisionType::RELEASE) {
return ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL;
}
result = CheckShellInstall(hapVerifyResults);
CHECK_RESULT(result, "check shell install failed %{public}d");
// parse the bundle infos for all haps
// key is bundlePath , value is innerBundleInfo
@ -3742,6 +3740,19 @@ ErrCode BaseBundleInstaller::CheckMultipleHapsSignInfo(
return bundleInstallChecker_->CheckMultipleHapsSignInfo(bundlePaths, hapVerifyRes);
}
ErrCode BaseBundleInstaller::CheckShellInstall(std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
{
if (sysEventInfo_.callingUid != ServiceConstants::SHELL_UID || hapVerifyRes.empty()) {
return ERR_OK;
}
Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes.begin()->GetProvisionInfo();
if (provisionInfo.distributionType == Security::Verify::AppDistType::APP_GALLERY &&
provisionInfo.type == Security::Verify::ProvisionType::RELEASE) {
return ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL;
}
return ERR_OK;
}
ErrCode BaseBundleInstaller::ParseHapFiles(
const std::vector<std::string> &bundlePaths,
const InstallParam &installParam,
@ -5375,6 +5386,11 @@ ErrCode BaseBundleInstaller::CheckSoEncryption(InnerBundleInfo &info, const std:
info.GetBundleName().c_str());
return ERR_APPEXECFWK_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED;
}
if (isEncrypted && sysEventInfo_.callingUid == ServiceConstants::SHELL_UID) {
LOG_E(BMS_TAG_INSTALLER, "-n %{public}s encrypted bundle is not allowed for shell",
info.GetBundleName().c_str());
return ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL;
}
if (isEncrypted) {
LOG_D(BMS_TAG_INSTALLER, "module %{public}s is encrypted", modulePath_.c_str());
info.SetApplicationReservedFlag(static_cast<uint32_t>(ApplicationReservedFlag::ENCRYPTED_APPLICATION));

View File

@ -228,6 +228,8 @@ const char* MSG_ERR_UNINSTALL_CONTROLLED = "[MSG_ERR_UNINSTALL_CONTROLLED]";
const char* MSG_ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = "[MSG_ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED]";
const char* MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL =
"[MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL]";
const char* MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL =
"[MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL]";
const std::unordered_map<int32_t, struct ReceivedResult> MAP_RECEIVED_RESULTS {
{ERR_OK, {IStatusReceiver::SUCCESS, MSG_SUCCESS}},
@ -606,6 +608,9 @@ const std::unordered_map<int32_t, struct ReceivedResult> MAP_RECEIVED_RESULTS {
{ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL,
{IStatusReceiver::ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL,
MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL}},
{ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL,
{IStatusReceiver::ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL,
MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL}},
};
} // namespace