!7470 shell安装管控

Merge pull request !7470 from Zhou Shihui/bm_install
2024-11-23 07:09:53 +00:00 · 2024-11-14 14:09:31 +00:00 · 2024-11-14 14:09:31 +00:00 · c6c6668b43
commit c6c6668b43
parent 346fae0b7a fd9d5fb9a8
8 changed files with 62 additions and 5 deletions
--- a/interfaces/inner_api/appexecfwk_base/include/appexecfwk_errors.h
+++ b/interfaces/inner_api/appexecfwk_base/include/appexecfwk_errors.h
@ -141,6 +141,8 @@ enum {
    ERR_APPEXECFWK_INSTALL_CHECK_ENCRYPTION_FAILED = 8519760,
    ERR_APPEXECFWK_INSTALLD_SERVICE_DIED = 8519761,
    ERR_APPEXECFWK_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = 8519762,
+    ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519763,
+    ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519764,

    ERR_APPEXECFWK_INSTALL_ENTERPRISE_BUNDLE_NOT_ALLOWED = 8519780,
    ERR_APPEXECFWK_INSTALL_SELF_UPDATE_NOT_MDM = 8519781,
@ -150,7 +152,6 @@ enum {
    ERR_APPEXECFWK_INSTALL_FAILED_CONTROLLED = 8519785,
    ERR_APPEXECFWK_INSTALL_APP_IN_BLOCKLIST = 8519787,
    ERR_APPEXECFWK_INSTALL_INTERNALTESTING_BUNDLE_NOT_ALLOWED = 8519788,
-    ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL = 8519789,

 	// native bundle
    ERR_APPEXECFWK_NATIVE_INSTALL_FAILED  = 8519790,
--- a/interfaces/inner_api/appexecfwk_core/include/bundlemgr/status_receiver_interface.h
+++ b/interfaces/inner_api/appexecfwk_core/include/bundlemgr/status_receiver_interface.h
@ -215,6 +215,7 @@ public:

        ERR_INSTALL_EXISTED_ENTERPRISE_BUNDLE_NOT_ALLOWED = 9568414,
        ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = 9568415,
+        ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL = 9568416,

        ERR_RECOVER_GET_BUNDLEPATH_ERROR = 201,
        ERR_RECOVER_INVALID_BUNDLE_NAME,
--- a/interfaces/inner_api/bundlemgr_extension/include/bms_extension_data_mgr.h
+++ b/interfaces/inner_api/bundlemgr_extension/include/bms_extension_data_mgr.h
@ -40,6 +40,7 @@ public:
    bool CheckApiInfo(const BundleInfo &bundleInfo, uint32_t sdkVersion);
    bool CheckApiInfo(uint32_t compatibleVersion, uint32_t sdkVersion);
    ErrCode HapVerify(const std::string &filePath, Security::Verify::HapVerifyResult &hapVerifyResult);
+    bool IsRdDevice();
    ErrCode QueryAbilityInfos(const Want &want, int32_t userId, std::vector<AbilityInfo> &abilityInfos);
    ErrCode QueryAbilityInfosWithFlag(const Want &want, int32_t flags, int32_t userId,
        std::vector<AbilityInfo> &abilityInfos, bool isNewVersion = false);
--- a/interfaces/inner_api/bundlemgr_extension/include/bundle_mgr_ext.h
+++ b/interfaces/inner_api/bundlemgr_extension/include/bundle_mgr_ext.h
@ -39,6 +39,10 @@ public:
    {
        return ERR_BUNDLEMANAGER_INSTALL_FAILED_SIGNATURE_EXTENSION_NOT_EXISTED;
    }
+    virtual bool IsRdDevice()
+    {
+        return false;
+    }
    virtual ErrCode QueryAbilityInfos(const Want &want, int32_t userId,
        std::vector<AbilityInfo> &abilityInfos)
    {
--- a/interfaces/inner_api/bundlemgr_extension/src/bms_extension_data_mgr.cpp
+++ b/interfaces/inner_api/bundlemgr_extension/src/bms_extension_data_mgr.cpp
@ -115,6 +115,21 @@ ErrCode BmsExtensionDataMgr::HapVerify(const std::string &filePath, Security::Ve
    return ERR_BUNDLEMANAGER_INSTALL_FAILED_SIGNATURE_EXTENSION_NOT_EXISTED;
 }

+bool BmsExtensionDataMgr::IsRdDevice()
+{
+    if ((Init() != ERR_OK) || handler_ == nullptr) {
+        APP_LOGW("link failed");
+        return false;
+    }
+    auto bundleMgrExtPtr =
+        BundleMgrExtRegister::GetInstance().GetBundleMgrExt(bmsExtension_.bmsExtensionBundleMgr.extensionName);
+    if (bundleMgrExtPtr == nullptr) {
+        APP_LOGW("GetBundleMgrExt failed");
+        return false;
+    }
+    return bundleMgrExtPtr->IsRdDevice();
+}
+
 ErrCode BmsExtensionDataMgr::QueryAbilityInfos(const Want &want, int32_t userId,
    std::vector<AbilityInfo> &abilityInfos)
 {
--- a/services/bundlemgr/include/base_bundle_installer.h
+++ b/services/bundlemgr/include/base_bundle_installer.h
@ -387,6 +387,8 @@ private:
        std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
        std::unordered_map<std::string, InnerBundleInfo> &infos);

+    ErrCode CheckShellInstall(std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes);
+
    ErrCode CheckInstallCondition(std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes,
        std::unordered_map<std::string, InnerBundleInfo> &infos, bool isSysCapValid);

@ -712,6 +714,7 @@ private:
        const std::string &bundleDataDirPath, const int32_t limitSize) const;
    void VerifyDomain();
    void ClearDomainVerifyStatus(const std::string &appIdentifier, const std::string &bundleName) const;
+    bool IsRdDevice() const;
    void SetAtomicServiceModuleUpgrade(const InnerBundleInfo &oldInfo);
    void UpdateExtensionSandboxInfo(std::unordered_map<std::string, InnerBundleInfo> &newInfos,
        const std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes);
--- a/services/bundlemgr/src/base_bundle_installer.cpp
+++ b/services/bundlemgr/src/base_bundle_installer.cpp
@ -1145,10 +1145,8 @@ ErrCode BaseBundleInstaller::ProcessBundleInstall(const std::vector<std::string>
    CHECK_RESULT(result, "hap files check signature info failed %{public}d");
    UpdateInstallerState(InstallerState::INSTALL_SIGNATURE_CHECKED);               // ---- 15%

-    if (sysEventInfo_.callingUid == ServiceConstants::SHELL_UID &&
-        hapVerifyResults[0].GetProvisionInfo().type == Security::Verify::ProvisionType::RELEASE) {
-        return ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL;
-    }
+    result = CheckShellInstall(hapVerifyResults);
+    CHECK_RESULT(result, "check shell install failed %{public}d");

    // parse the bundle infos for all haps
    // key is bundlePath , value is innerBundleInfo
@ -3734,6 +3732,19 @@ ErrCode BaseBundleInstaller::CheckMultipleHapsSignInfo(
    return bundleInstallChecker_->CheckMultipleHapsSignInfo(bundlePaths, hapVerifyRes);
 }

+ErrCode BaseBundleInstaller::CheckShellInstall(std::vector<Security::Verify::HapVerifyResult> &hapVerifyRes)
+{
+    if (sysEventInfo_.callingUid != ServiceConstants::SHELL_UID || hapVerifyRes.empty()) {
+        return ERR_OK;
+    }
+    Security::Verify::ProvisionInfo provisionInfo = hapVerifyRes.begin()->GetProvisionInfo();
+    if (provisionInfo.distributionType == Security::Verify::AppDistType::APP_GALLERY &&
+        provisionInfo.type == Security::Verify::ProvisionType::RELEASE && !IsRdDevice()) {
+        return ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL;
+    }
+    return ERR_OK;
+}
+
 ErrCode BaseBundleInstaller::ParseHapFiles(
    const std::vector<std::string> &bundlePaths,
    const InstallParam &installParam,
@ -5367,6 +5378,11 @@ ErrCode BaseBundleInstaller::CheckSoEncryption(InnerBundleInfo &info, const std:
            info.GetBundleName().c_str());
        return ERR_APPEXECFWK_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED;
    }
+    if (isEncrypted && sysEventInfo_.callingUid == ServiceConstants::SHELL_UID) {
+        LOG_E(BMS_TAG_INSTALLER, "-n %{public}s encrypted bundle is not allowed for shell",
+            info.GetBundleName().c_str());
+        return ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL;
+    }
    if (isEncrypted) {
        LOG_D(BMS_TAG_INSTALLER, "module %{public}s is encrypted", modulePath_.c_str());
        info.SetApplicationReservedFlag(static_cast<uint32_t>(ApplicationReservedFlag::ENCRYPTED_APPLICATION));
@ -6029,6 +6045,17 @@ void BaseBundleInstaller::ClearDomainVerifyStatus(const std::string &appIdentifi
 #endif
 }

+bool BaseBundleInstaller::IsRdDevice() const
+{
+    BmsExtensionDataMgr bmsExtensionDataMgr;
+    bool res = bmsExtensionDataMgr.IsRdDevice();
+    if (res) {
+        LOG_I(BMS_TAG_INSTALLER, "current device is rd device");
+        return true;
+    }
+    return false;
+}
+
 ErrCode BaseBundleInstaller::CreateShaderCache(const std::string &bundleName, int32_t uid, int32_t gid) const
 {
    std::string shaderCachePath;
--- a/services/bundlemgr/src/status_receiver_proxy.cpp
+++ b/services/bundlemgr/src/status_receiver_proxy.cpp
@ -228,6 +228,8 @@ const char* MSG_ERR_UNINSTALL_CONTROLLED = "[MSG_ERR_UNINSTALL_CONTROLLED]";
 const char* MSG_ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED = "[MSG_ERR_INSTALL_DEBUG_ENCRYPTED_BUNDLE_FAILED]";
 const char* MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL =
    "[MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL]";
+const char* MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL =
+    "[MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL]";

 const std::unordered_map<int32_t, struct ReceivedResult> MAP_RECEIVED_RESULTS {
    {ERR_OK, {IStatusReceiver::SUCCESS, MSG_SUCCESS}},
@ -606,6 +608,9 @@ const std::unordered_map<int32_t, struct ReceivedResult> MAP_RECEIVED_RESULTS {
    {ERR_APPEXECFWK_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL,
        {IStatusReceiver::ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL,
            MSG_ERR_INSTALL_RELEASE_BUNDLE_NOT_ALLOWED_FOR_SHELL}},
+    {ERR_APPEXECFWK_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL,
+        {IStatusReceiver::ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL,
+            MSG_ERR_INSTALL_ENCRYPTED_BUNDLE_NOT_ALLOWED_FOR_SHELL}},
 };
 }  // namespace