check samgr by access token

Signed-off-by: yangguangzhao <yangguangzhao1@huawei.com>
2024-11-23 16:59:54 +00:00 · 2022-05-26 14:40:22 +08:00 · 2022-05-26 14:40:22 +08:00 · c4ffc39674
commit c4ffc39674
parent 2fbaa6e871
5 changed files with 26 additions and 29 deletions
--- a/core/common/security/permission/common/permission_entry.c
+++ b/core/common/security/permission/common/permission_entry.c
@ -365,7 +365,7 @@ static bool CheckDBinder(const char *sessionName)
        return false;
    }
    if (strcmp(DBINDER_SERVICE_NAME, sessionName) == 0) {
-        return false;
+        return true;
    }
    if (StrStartWith(sessionName, DBINDER_BUS_NAME_PREFIX)) {
        return true;
--- a/core/common/security/permission/softbus_trans_permission.json
+++ b/core/common/security/permission/softbus_trans_permission.json
@ -1,16 +1,4 @@
 [
-  {
-    "SESSION_NAME": "DBinderService",
-    "DEVID": "NETWORKID",
-    "APP_INFO": [
-      {
-        "TYPE": "native_app",
-        "UID": "1000",
-        "PKG_NAME": "DBinderService",
-        "ACTIONS": "create,open"
-      }
-    ]
-  },
  {
    "SESSION_NAME": "DistributedFileService.*",
    "REGEXP": "true",
--- a/core/common/security/permission/standard/softbus_permission.cpp
+++ b/core/common/security/permission/standard/softbus_permission.cpp
@ -18,6 +18,7 @@
 #include <sys/types.h>
 #include <unistd.h>

+#include "accesstoken_kit.h"
 #include "ipc_skeleton.h"
 #include "permission_entry.h"
 #include "softbus_adapter_mem.h"
@ -32,11 +33,13 @@
 #endif

 namespace {
+    using namespace OHOS::Security;
+
    const std::string PERMISSION_JSON_FILE = PERMISSION_JSON_FILE_PATH;
    const std::string DANGER_APP_PERMISSION = "ohos.permission.DISTRIBUTED_DATASYNC";
    const int32_t SYSTEM_UID = 1000;
    const int32_t MULTE_USER_RADIX = 100000;
-    const char *dbinderSessionName = "DBinderService";
+    const std::string SAMGR_PROCESS_NAME = "samgr";
 }

 int32_t TransPermissionInit(void)
@ -128,20 +131,19 @@ int32_t RemoveTransPermission(const char *sessionName)

 int32_t CheckDynamicPermission(void)
 {
-    int32_t callingUid = (int32_t)OHOS::IPCSkeleton::GetCallingUid();
-    int32_t callingPid = (int32_t)OHOS::IPCSkeleton::GetCallingPid();
-    int32_t dbinderUid = 0;
-    int32_t dbinderPid = 0;
+    uint32_t callingToken = OHOS::IPCSkeleton::GetCallingTokenID();

-    int32_t ret = TransGetUidAndPid(dbinderSessionName, &dbinderUid, &dbinderPid);
-    if (ret != SOFTBUS_OK) {
-        SoftBusLog(SOFTBUS_LOG_COMM, SOFTBUS_LOG_ERROR, "RemovePermissionInner get dbinder uid and pid failed");
-        return ret;
+    auto tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(callingToken);
+    if (tokenType != AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
+        SoftBusLog(SOFTBUS_LOG_COMM, SOFTBUS_LOG_ERROR, "not native call");
+        return SOFTBUS_ERR;
    }
-    if (callingUid != dbinderUid || callingPid != dbinderPid) {
-        SoftBusLog(SOFTBUS_LOG_COMM, SOFTBUS_LOG_ERROR, "RemovePermission denied: invalid uid %d or pid %d",
-            callingUid, callingPid);
-        return SOFTBUS_PERMISSION_DENIED;
+    AccessToken::NativeTokenInfo nativeTokenInfo;
+    int32_t result = AccessToken::AccessTokenKit::GetNativeTokenInfo(callingToken, nativeTokenInfo);
+    if (result == SOFTBUS_OK && nativeTokenInfo.processName == SAMGR_PROCESS_NAME) {
+        return SOFTBUS_OK;
    }
-    return SOFTBUS_OK;
+    SoftBusLog(SOFTBUS_LOG_COMM, SOFTBUS_LOG_ERROR,
+        "check dynamic permission failed, processName:%{private}s", nativeTokenInfo.processName.c_str());
+    return SOFTBUS_ERR;
 }
--- a/core/frame/BUILD.gn
+++ b/core/frame/BUILD.gn
@ -175,6 +175,7 @@ if (defined(ohos_lite)) {
    if (is_standard_system) {
      external_deps = bus_center_server_external_deps
      external_deps += [
+        "access_token:libaccesstoken_sdk",
        "deviceauth_standard:deviceauth_sdk",
        "hiviewdfx_hilog_native:libhilog",
        "ipc:ipc_core",
--- a/sdk/transmission/ipc/standard/src/trans_server_proxy.cpp
+++ b/sdk/transmission/ipc/standard/src/trans_server_proxy.cpp
@ -57,6 +57,10 @@ static sptr<IRemoteObject> GetSystemAbility()
 int32_t TransServerProxyInit(void)
 {
    std::lock_guard<std::mutex> lock(g_mutex);
+    if (g_serverProxy != nullptr) {
+        return SOFTBUS_OK;
+    }
+
    sptr<IRemoteObject> object = GetSystemAbility();
    if (object == nullptr) {
        SoftBusLog(SOFTBUS_LOG_TRAN, SOFTBUS_LOG_ERROR, "Get remote softbus object failed!\n");
@ -179,8 +183,10 @@ int32_t ServerIpcQosReport(int32_t channelId, int32_t chanType, int32_t appType,
 int32_t ServerIpcGrantPermission(int uid, int pid, const char *sessionName)
 {
    if (g_serverProxy == nullptr) {
-        SoftBusLog(SOFTBUS_LOG_TRAN, SOFTBUS_LOG_ERROR, "softbus server g_serverProxy is nullptr!");
-        return SOFTBUS_ERR;
+        if (TransServerProxyInit() != SOFTBUS_OK) {
+            SoftBusLog(SOFTBUS_LOG_TRAN, SOFTBUS_LOG_ERROR, "grant permission g_serverProxy is nullptr!");
+            return SOFTBUS_ERR;
+        }
    }
    if (sessionName == nullptr) {
        SoftBusLog(SOFTBUS_LOG_TRAN, SOFTBUS_LOG_ERROR, "sessionName is nullptr");