diff --git a/interfaces/inner_api/appexecfwk_base/include/appexecfwk_errors.h b/interfaces/inner_api/appexecfwk_base/include/appexecfwk_errors.h index 7dcc2fdcf..e63ae4363 100644 --- a/interfaces/inner_api/appexecfwk_base/include/appexecfwk_errors.h +++ b/interfaces/inner_api/appexecfwk_base/include/appexecfwk_errors.h @@ -141,6 +141,8 @@ enum { ERR_APPEXECFWK_INSTALL_CHECK_ENCRYPTION_FAILED = 8519760, ERR_APPEXECFWK_INSTALLD_SERVICE_DIED = 8519761, ERR_APPEXECFWK_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = 8519762, + ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519763, + ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519764, ERR_APPEXECFWK_INSTALL_ENTERPRISE_BUNDLE_NOT_ALLOWED = 8519780, ERR_APPEXECFWK_INSTALL_SELF_UPDATE_NOT_MDM = 8519781, @@ -150,7 +152,6 @@ enum { ERR_APPEXECFWK_INSTALL_FAILED_CONTROLLED = 8519785, ERR_APPEXECFWK_INSTALL_APP_IN_BLOCKLIST = 8519787, ERR_APPEXECFWK_INSTALL_INTERNALTESTING_BUNDLE_NOT_ALLOWED = 8519788, - ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519789, // native bundle ERR_APPEXECFWK_NATIVE_INSTALL_FAILED = 8519790, diff --git a/interfaces/inner_api/appexecfwk_core/include/bundlemgr/status_receiver_interface.h b/interfaces/inner_api/appexecfwk_core/include/bundlemgr/status_receiver_interface.h index 3a46fe806..b14319f0b 100644 --- a/interfaces/inner_api/appexecfwk_core/include/bundlemgr/status_receiver_interface.h +++ b/interfaces/inner_api/appexecfwk_core/include/bundlemgr/status_receiver_interface.h @@ -215,6 +215,7 @@ public: ERR_INSTALL_EXISTED_ENTERPRISE_BUNDLE_NOT_ALLOWED = 9568414, ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = 9568415, + ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL = 9568416, ERR_RECOVER_GET_BUNDLEPATH_ERROR = 201, ERR_RECOVER_INVALID_BUNDLE_NAME, diff --git a/interfaces/inner_api/bundlemgr_extension/include/bms_extension_data_mgr.h b/interfaces/inner_api/bundlemgr_extension/include/bms_extension_data_mgr.h index ba7aaf9d9..57a6a17dd 100644 --- a/interfaces/inner_api/bundlemgr_extension/include/bms_extension_data_mgr.h +++ b/interfaces/inner_api/bundlemgr_extension/include/bms_extension_data_mgr.h @@ -40,6 +40,7 @@ public: bool CheckApiInfo(const BundleInfo &bundleInfo, uint32_t sdkVersion); bool CheckApiInfo(uint32_t compatibleVersion, uint32_t sdkVersion); ErrCode HapVerify(const std::string &filePath, Security::Verify::HapVerifyResult &hapVerifyResult); + bool IsRdDevice(); ErrCode QueryAbilityInfos(const Want &want, int32_t userId, std::vector &abilityInfos); ErrCode QueryAbilityInfosWithFlag(const Want &want, int32_t flags, int32_t userId, std::vector &abilityInfos, bool isNewVersion = false); diff --git a/interfaces/inner_api/bundlemgr_extension/include/bundle_mgr_ext.h b/interfaces/inner_api/bundlemgr_extension/include/bundle_mgr_ext.h index b73e20704..18d8e0271 100644 --- a/interfaces/inner_api/bundlemgr_extension/include/bundle_mgr_ext.h +++ b/interfaces/inner_api/bundlemgr_extension/include/bundle_mgr_ext.h @@ -39,6 +39,10 @@ public: { return ERR_BUNDLEMANAGER_INSTALL_FAILED_SIGNATURE_EXTENSION_NOT_EXISTED; } + virtual bool IsRdDevice() + { + return false; + } virtual ErrCode QueryAbilityInfos(const Want &want, int32_t userId, std::vector &abilityInfos) { diff --git a/interfaces/inner_api/bundlemgr_extension/src/bms_extension_data_mgr.cpp b/interfaces/inner_api/bundlemgr_extension/src/bms_extension_data_mgr.cpp index a1f8ff508..828982351 100644 --- a/interfaces/inner_api/bundlemgr_extension/src/bms_extension_data_mgr.cpp +++ b/interfaces/inner_api/bundlemgr_extension/src/bms_extension_data_mgr.cpp @@ -115,6 +115,21 @@ ErrCode BmsExtensionDataMgr::HapVerify(const std::string &filePath, Security::Ve return ERR_BUNDLEMANAGER_INSTALL_FAILED_SIGNATURE_EXTENSION_NOT_EXISTED; } +bool BmsExtensionDataMgr::IsRdDevice() +{ + if ((Init() != ERR_OK) || handler_ == nullptr) { + APP_LOGW("link failed"); + return false; + } + auto bundleMgrExtPtr = + BundleMgrExtRegister::GetInstance().GetBundleMgrExt(bmsExtension_.bmsExtensionBundleMgr.extensionName); + if (bundleMgrExtPtr == nullptr) { + APP_LOGW("GetBundleMgrExt failed"); + return false; + } + return bundleMgrExtPtr->IsRdDevice(); +} + ErrCode BmsExtensionDataMgr::QueryAbilityInfos(const Want &want, int32_t userId, std::vector &abilityInfos) { diff --git a/services/bundlemgr/include/base_bundle_installer.h b/services/bundlemgr/include/base_bundle_installer.h index c98688b91..3e3703754 100644 --- a/services/bundlemgr/include/base_bundle_installer.h +++ b/services/bundlemgr/include/base_bundle_installer.h @@ -387,6 +387,8 @@ private: std::vector &hapVerifyRes, std::unordered_map &infos); + ErrCode CheckShellInstall(std::vector &hapVerifyRes); + ErrCode CheckInstallCondition(std::vector &hapVerifyRes, std::unordered_map &infos, bool isSysCapValid); @@ -712,6 +714,7 @@ private: const std::string &bundleDataDirPath, const int32_t limitSize) const; void VerifyDomain(); void ClearDomainVerifyStatus(const std::string &appIdentifier, const std::string &bundleName) const; + bool IsRdDevice() const; void SetAtomicServiceModuleUpgrade(const InnerBundleInfo &oldInfo); void UpdateExtensionSandboxInfo(std::unordered_map &newInfos, const std::vector &hapVerifyRes); diff --git a/services/bundlemgr/src/base_bundle_installer.cpp b/services/bundlemgr/src/base_bundle_installer.cpp index c330d1f3b..bb37e1aa1 100644 --- a/services/bundlemgr/src/base_bundle_installer.cpp +++ b/services/bundlemgr/src/base_bundle_installer.cpp @@ -1145,10 +1145,8 @@ ErrCode BaseBundleInstaller::ProcessBundleInstall(const std::vector CHECK_RESULT(result, "hap files check signature info failed %{public}d"); UpdateInstallerState(InstallerState::INSTALL_SIGNATURE_CHECKED); // ---- 15% - if (sysEventInfo_.callingUid == ServiceConstants::SHELL_UID && - hapVerifyResults[0].GetProvisionInfo().type == Security::Verify::ProvisionType::RELEASE) { - return ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL; - } + result = CheckShellInstall(hapVerifyResults); + CHECK_RESULT(result, "check shell install failed %{public}d"); // parse the bundle infos for all haps // key is bundlePath , value is innerBundleInfo @@ -3734,6 +3732,19 @@ ErrCode BaseBundleInstaller::CheckMultipleHapsSignInfo( return bundleInstallChecker_->CheckMultipleHapsSignInfo(bundlePaths, hapVerifyRes); } +ErrCode BaseBundleInstaller::CheckShellInstall(std::vector &hapVerifyRes) +{ + if (sysEventInfo_.callingUid != ServiceConstants::SHELL_UID || hapVerifyRes.empty()) { + return ERR_OK; + } + Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes.begin()->GetProvisionInfo(); + if (provisionInfo.distributionType == Security::Verify::AppDistType::APP_GALLERY && + provisionInfo.type == Security::Verify::ProvisionType::RELEASE && !IsRdDevice()) { + return ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL; + } + return ERR_OK; +} + ErrCode BaseBundleInstaller::ParseHapFiles( const std::vector &bundlePaths, const InstallParam &installParam, @@ -5367,6 +5378,11 @@ ErrCode BaseBundleInstaller::CheckSoEncryption(InnerBundleInfo &info, const std: info.GetBundleName().c_str()); return ERR_APPEXECFWK_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED; } + if (isEncrypted && sysEventInfo_.callingUid == ServiceConstants::SHELL_UID) { + LOG_E(BMS_TAG_INSTALLER, "-n %{public}s encrypted bundle is not allowed for shell", + info.GetBundleName().c_str()); + return ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL; + } if (isEncrypted) { LOG_D(BMS_TAG_INSTALLER, "module %{public}s is encrypted", modulePath_.c_str()); info.SetApplicationReservedFlag(static_cast(ApplicationReservedFlag::ENCRYPTED_APPLICATION)); @@ -6029,6 +6045,17 @@ void BaseBundleInstaller::ClearDomainVerifyStatus(const std::string &appIdentifi #endif } +bool BaseBundleInstaller::IsRdDevice() const +{ + BmsExtensionDataMgr bmsExtensionDataMgr; + bool res = bmsExtensionDataMgr.IsRdDevice(); + if (res) { + LOG_I(BMS_TAG_INSTALLER, "current device is rd device"); + return true; + } + return false; +} + ErrCode BaseBundleInstaller::CreateShaderCache(const std::string &bundleName, int32_t uid, int32_t gid) const { std::string shaderCachePath; diff --git a/services/bundlemgr/src/status_receiver_proxy.cpp b/services/bundlemgr/src/status_receiver_proxy.cpp index 5b9a57ad3..c670edf22 100644 --- a/services/bundlemgr/src/status_receiver_proxy.cpp +++ b/services/bundlemgr/src/status_receiver_proxy.cpp @@ -228,6 +228,8 @@ const char* MSG_ERR_UNINSTALL_CONTROLLED = "[MSG_ERR_UNINSTALL_CONTROLLED]"; const char* MSG_ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = "[MSG_ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED]"; const char* MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL = "[MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL]"; +const char* MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL = + "[MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL]"; const std::unordered_map MAP_RECEIVED_RESULTS { {ERR_OK, {IStatusReceiver::SUCCESS, MSG_SUCCESS}}, @@ -606,6 +608,9 @@ const std::unordered_map MAP_RECEIVED_RESULTS { {ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL, {IStatusReceiver::ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL, MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL}}, + {ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL, + {IStatusReceiver::ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL, + MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL}}, }; } // namespace