!7470 shell安装管控

Merge pull request !7470 from Zhou Shihui/bm_install
This commit is contained in:
openharmony_ci 2024-11-14 14:09:31 +00:00 committed by Gitee
commit c6c6668b43
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
8 changed files with 62 additions and 5 deletions

View File

@ -141,6 +141,8 @@ enum {
ERR_APPEXECFWK_INSTALL_CHECK_ENCRYPTION_FAILED = 8519760,
ERR_APPEXECFWK_INSTALLD_SERVICE_DIED = 8519761,
ERR_APPEXECFWK_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = 8519762,
ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519763,
ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519764,
ERR_APPEXECFWK_INSTALL_ENTERPRISE_BUNDLE_NOT_ALLOWED = 8519780,
ERR_APPEXECFWK_INSTALL_SELF_UPDATE_NOT_MDM = 8519781,
@ -150,7 +152,6 @@ enum {
ERR_APPEXECFWK_INSTALL_FAILED_CONTROLLED = 8519785,
ERR_APPEXECFWK_INSTALL_APP_IN_BLOCKLIST = 8519787,
ERR_APPEXECFWK_INSTALL_INTERNALTESTING_BUNDLE_NOT_ALLOWED = 8519788,
ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519789,
// native bundle
ERR_APPEXECFWK_NATIVE_INSTALL_FAILED = 8519790,

View File

@ -215,6 +215,7 @@ public:
ERR_INSTALL_EXISTED_ENTERPRISE_BUNDLE_NOT_ALLOWED = 9568414,
ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = 9568415,
ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL = 9568416,
ERR_RECOVER_GET_BUNDLEPATH_ERROR = 201,
ERR_RECOVER_INVALID_BUNDLE_NAME,

View File

@ -40,6 +40,7 @@ public:
bool CheckApiInfo(const BundleInfo &bundleInfo, uint32_t sdkVersion);
bool CheckApiInfo(uint32_t compatibleVersion, uint32_t sdkVersion);
ErrCode HapVerify(const std::string &filePath, Security::Verify::HapVerifyResult &hapVerifyResult);
bool IsRdDevice();
ErrCode QueryAbilityInfos(const Want &want, int32_t userId, std::vector<AbilityInfo> &abilityInfos);
ErrCode QueryAbilityInfosWithFlag(const Want &want, int32_t flags, int32_t userId,
std::vector<AbilityInfo> &abilityInfos, bool isNewVersion = false);

View File

@ -39,6 +39,10 @@ public:
{
return ERR_BUNDLEMANAGER_INSTALL_FAILED_SIGNATURE_EXTENSION_NOT_EXISTED;
}
virtual bool IsRdDevice()
{
return false;
}
virtual ErrCode QueryAbilityInfos(const Want &want, int32_t userId,
std::vector<AbilityInfo> &abilityInfos)
{

View File

@ -115,6 +115,21 @@ ErrCode BmsExtensionDataMgr::HapVerify(const std::string &filePath, Security::Ve
return ERR_BUNDLEMANAGER_INSTALL_FAILED_SIGNATURE_EXTENSION_NOT_EXISTED;
}
bool BmsExtensionDataMgr::IsRdDevice()
{
if ((Init() != ERR_OK) || handler_ == nullptr) {
APP_LOGW("link failed");
return false;
}
auto bundleMgrExtPtr =
BundleMgrExtRegister::GetInstance().GetBundleMgrExt(bmsExtension_.bmsExtensionBundleMgr.extensionName);
if (bundleMgrExtPtr == nullptr) {
APP_LOGW("GetBundleMgrExt failed");
return false;
}
return bundleMgrExtPtr->IsRdDevice();
}
ErrCode BmsExtensionDataMgr::QueryAbilityInfos(const Want &want, int32_t userId,
std::vector<AbilityInfo> &abilityInfos)
{

View File

@ -387,6 +387,8 @@ private:
std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
std::unordered_map<std::string, InnerBundleInfo> &infos);
ErrCode CheckShellInstall(std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes);
ErrCode CheckInstallCondition(std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
std::unordered_map<std::string, InnerBundleInfo> &infos, bool isSysCapValid);
@ -712,6 +714,7 @@ private:
const std::string &bundleDataDirPath, const int32_t limitSize) const;
void VerifyDomain();
void ClearDomainVerifyStatus(const std::string &appIdentifier, const std::string &bundleName) const;
bool IsRdDevice() const;
void SetAtomicServiceModuleUpgrade(const InnerBundleInfo &oldInfo);
void UpdateExtensionSandboxInfo(std::unordered_map<std::string, InnerBundleInfo> &newInfos,
const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes);

View File

@ -1145,10 +1145,8 @@ ErrCode BaseBundleInstaller::ProcessBundleInstall(const std::vector<std::string>
CHECK_RESULT(result, "hap files check signature info failed %{public}d");
UpdateInstallerState(InstallerState::INSTALL_SIGNATURE_CHECKED); // ---- 15%
if (sysEventInfo_.callingUid == ServiceConstants::SHELL_UID &&
hapVerifyResults[0].GetProvisionInfo().type == Security::Verify::ProvisionType::RELEASE) {
return ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL;
}
result = CheckShellInstall(hapVerifyResults);
CHECK_RESULT(result, "check shell install failed %{public}d");
// parse the bundle infos for all haps
// key is bundlePath , value is innerBundleInfo
@ -3734,6 +3732,19 @@ ErrCode BaseBundleInstaller::CheckMultipleHapsSignInfo(
return bundleInstallChecker_->CheckMultipleHapsSignInfo(bundlePaths, hapVerifyRes);
}
ErrCode BaseBundleInstaller::CheckShellInstall(std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
{
if (sysEventInfo_.callingUid != ServiceConstants::SHELL_UID || hapVerifyRes.empty()) {
return ERR_OK;
}
Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes.begin()->GetProvisionInfo();
if (provisionInfo.distributionType == Security::Verify::AppDistType::APP_GALLERY &&
provisionInfo.type == Security::Verify::ProvisionType::RELEASE && !IsRdDevice()) {
return ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL;
}
return ERR_OK;
}
ErrCode BaseBundleInstaller::ParseHapFiles(
const std::vector<std::string> &bundlePaths,
const InstallParam &installParam,
@ -5367,6 +5378,11 @@ ErrCode BaseBundleInstaller::CheckSoEncryption(InnerBundleInfo &info, const std:
info.GetBundleName().c_str());
return ERR_APPEXECFWK_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED;
}
if (isEncrypted && sysEventInfo_.callingUid == ServiceConstants::SHELL_UID) {
LOG_E(BMS_TAG_INSTALLER, "-n %{public}s encrypted bundle is not allowed for shell",
info.GetBundleName().c_str());
return ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL;
}
if (isEncrypted) {
LOG_D(BMS_TAG_INSTALLER, "module %{public}s is encrypted", modulePath_.c_str());
info.SetApplicationReservedFlag(static_cast<uint32_t>(ApplicationReservedFlag::ENCRYPTED_APPLICATION));
@ -6029,6 +6045,17 @@ void BaseBundleInstaller::ClearDomainVerifyStatus(const std::string &appIdentifi
#endif
}
bool BaseBundleInstaller::IsRdDevice() const
{
BmsExtensionDataMgr bmsExtensionDataMgr;
bool res = bmsExtensionDataMgr.IsRdDevice();
if (res) {
LOG_I(BMS_TAG_INSTALLER, "current device is rd device");
return true;
}
return false;
}
ErrCode BaseBundleInstaller::CreateShaderCache(const std::string &bundleName, int32_t uid, int32_t gid) const
{
std::string shaderCachePath;

View File

@ -228,6 +228,8 @@ const char* MSG_ERR_UNINSTALL_CONTROLLED = "[MSG_ERR_UNINSTALL_CONTROLLED]";
const char* MSG_ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = "[MSG_ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED]";
const char* MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL =
"[MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL]";
const char* MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL =
"[MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL]";
const std::unordered_map<int32_t, struct ReceivedResult> MAP_RECEIVED_RESULTS {
{ERR_OK, {IStatusReceiver::SUCCESS, MSG_SUCCESS}},
@ -606,6 +608,9 @@ const std::unordered_map<int32_t, struct ReceivedResult> MAP_RECEIVED_RESULTS {
{ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL,
{IStatusReceiver::ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL,
MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL}},
{ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL,
{IStatusReceiver::ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL,
MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL}},
};
} // namespace