openharmony/security_security_guard
1
0
Fork 0
mirror of https://gitee.com/openharmony/security_security_guard synced 2024-11-27 08:40:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

!42 sg权限适配及拉起sa流程优化

Browse Source 
Merge pull request !42 from 王毅/master
This commit is contained in:
openharmony_ci 2024-07-17 06:16:47 +00:00 committed by Gitee
commit a52d496cd5
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
12 changed files with 176 additions and 174 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
frameworks/js/napi/security_guard_sdk_adaptor.cpp
View File

@ -38,19 +38,14 @@ namespace {
const std::set<int64_t> GRANTED_EVENT{1037000001, 1064001001, 1064001002};
static std::mutex g_mutex;
}
sptr<IRemoteObject> SecurityGuardSdkAdaptor::object_ = nullptr;
std::map<std::shared_ptr<SecurityCollector::ICollectorSubscriber>,
sptr<AcquireDataManagerCallbackService>> SecurityGuardSdkAdaptor::subscribers_ {};
std::mutex SecurityGuardSdkAdaptor::objMutex_;
int32_t SecurityGuardSdkAdaptor::RequestSecurityEventInfo(std::string &devId, std::string &eventList,
RequestRiskDataCallback callback)
{
auto registry = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
if (registry == nullptr) {
SGLOGE("GetSystemAbilityManager error");
return NULL_OBJECT;
}
auto object = registry->GetSystemAbility(DATA_COLLECT_MANAGER_SA_ID);
auto proxy = iface_cast<DataCollectManagerProxy>(object);
auto proxy = LoadDataCollectManageService();
if (proxy == nullptr) {
SGLOGE("proxy is null");
return NULL_OBJECT;
@ -102,12 +97,13 @@ int32_t SecurityGuardSdkAdaptor::ReportSecurityInfo(const std::shared_ptr<EventI
}
auto registry = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
if (registry == nullptr) {
SGLOGE("GetSystemAbilityManager error");
return NULL_OBJECT;
}
auto object = registry->GetSystemAbility(DATA_COLLECT_MANAGER_SA_ID);
auto proxy = iface_cast<DataCollectManagerProxy>(object);
auto proxy = iface_cast<IDataCollectManager>(object);
if (proxy == nullptr) {
SGLOGE("proxy is nullptr");
SGLOGE("proxy is null");
return NULL_OBJECT;
}
int64_t eventId = info->GetEventId();
@ -171,14 +167,7 @@ int32_t SecurityGuardSdkAdaptor::NotifyCollector(const SecurityCollector::Event
int32_t SecurityGuardSdkAdaptor::StartCollector(const SecurityCollector::Event &event,
int64_t duration)
{
auto registry = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
if (registry == nullptr) {
SGLOGE("GetSystemAbilityManager error");
return NULL_OBJECT;
}
auto object = registry->GetSystemAbility(DATA_COLLECT_MANAGER_SA_ID);
auto proxy = iface_cast<IDataCollectManager>(object);
auto proxy = LoadDataCollectManageService();
if (proxy == nullptr) {
SGLOGE("proxy is null");
return NULL_OBJECT;
@ -200,14 +189,7 @@ int32_t SecurityGuardSdkAdaptor::StartCollector(const SecurityCollector::Event &
int32_t SecurityGuardSdkAdaptor::StopCollector(const SecurityCollector::Event &event)
{
SGLOGD("in SecurityGuardSdkAdaptor StopCollector ************");
auto registry = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
if (registry == nullptr) {
SGLOGE("GetSystemAbilityManager error");
return NULL_OBJECT;
}
auto object = registry->GetSystemAbility(DATA_COLLECT_MANAGER_SA_ID);
auto proxy = iface_cast<IDataCollectManager>(object);
auto proxy = LoadDataCollectManageService();
if (proxy == nullptr) {
SGLOGE("proxy is null");
return NULL_OBJECT;
@ -229,14 +211,7 @@ int32_t SecurityGuardSdkAdaptor::StopCollector(const SecurityCollector::Event &e
int32_t SecurityGuardSdkAdaptor::QuerySecurityEvent(std::vector<SecurityCollector::SecurityEventRuler> rulers,
std::shared_ptr<SecurityEventQueryCallback> callback)
{
auto registry = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
if (registry == nullptr) {
SGLOGE("GetSystemAbilityManager error");
return NULL_OBJECT;
}
auto object = registry->GetSystemAbility(DATA_COLLECT_MANAGER_SA_ID);
auto proxy = iface_cast<IDataCollectManager>(object);
auto proxy = LoadDataCollectManageService();
if (proxy == nullptr) {
SGLOGE("proxy is null");
return NULL_OBJECT;
@ -266,14 +241,7 @@ int32_t SecurityGuardSdkAdaptor::Subscribe(const std::shared_ptr<SecurityCollect
SGLOGE("the callback has been registered.");
return BAD_PARAM;
}
auto registry = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
if (registry == nullptr) {
SGLOGE("GetSystemAbilityManager error");
return NULL_OBJECT;
}
auto object = registry->GetSystemAbility(DATA_COLLECT_MANAGER_SA_ID);
auto proxy = iface_cast<IDataCollectManager>(object);
auto proxy = LoadDataCollectManageService();
if (proxy == nullptr) {
SGLOGE("proxy is null");
return NULL_OBJECT;
@ -308,14 +276,7 @@ int32_t SecurityGuardSdkAdaptor::Unsubscribe(const std::shared_ptr<SecurityColle
SGLOGE("the callback has not been registered.");
return BAD_PARAM;
}
auto registry = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
if (registry == nullptr) {
SGLOGE("GetSystemAbilityManager error");
return NULL_OBJECT;
}
auto object = registry->GetSystemAbility(DATA_COLLECT_MANAGER_SA_ID);
auto proxy = iface_cast<IDataCollectManager>(object);
auto proxy = LoadDataCollectManageService();
if (proxy == nullptr) {
SGLOGE("proxy is null");
return NULL_OBJECT;
@ -333,16 +294,25 @@ int32_t SecurityGuardSdkAdaptor::Unsubscribe(const std::shared_ptr<SecurityColle
return SUCCESS;
}
int32_t SecurityGuardSdkAdaptor::ConfigUpdate(const SecurityGuard::SecurityConfigUpdateInfo &updateInfo)
sptr<IDataCollectManager> SecurityGuardSdkAdaptor::LoadDataCollectManageService()
{
std::lock_guard<std::mutex> lock(objMutex_);
if (object_ != nullptr) {
SGLOGI("object_ not null");
return iface_cast<IDataCollectManager>(object_);
}
auto registry = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
if (registry == nullptr) {
SGLOGE("GetSystemAbilityManager error");
return NULL_OBJECT;
return nullptr;
}
object_ = registry->GetSystemAbility(DATA_COLLECT_MANAGER_SA_ID);
return iface_cast<IDataCollectManager>(object_);
}
auto object = registry->GetSystemAbility(DATA_COLLECT_MANAGER_SA_ID);
auto proxy = iface_cast<IDataCollectManager>(object);
int32_t SecurityGuardSdkAdaptor::ConfigUpdate(const SecurityGuard::SecurityConfigUpdateInfo &updateInfo)
{
auto proxy = LoadDataCollectManageService();
if (proxy == nullptr) {
SGLOGE("proxy is null");
return NULL_OBJECT;

3
frameworks/js/napi/security_guard_sdk_adaptor.h
View File

@ -46,6 +46,9 @@ private:
~SecurityGuardSdkAdaptor() = delete;
static std::map<std::shared_ptr<SecurityCollector::ICollectorSubscriber>,
sptr<AcquireDataManagerCallbackService>> subscribers_;
static sptr<IDataCollectManager> LoadDataCollectManageService();
static sptr<IRemoteObject> object_;
static std::mutex objMutex_;
};
} // OHOS::Security::SecurityGuard

38
sa_profile/security_collector.cfg
View File

@ -1,18 +1,40 @@
{
"services": [{
"services": [
{
"name" : "security_collector",
"path" : ["/system/bin/sa_main", "/system/profile/security_collector.json"],
"path" : [
"/system/bin/sa_main",
"/system/profile/security_collector.json"
],
"ondemand": true,
"dynamic": true,
"uid" : "security_collector",
"gid" : ["security_collector", "shell", "oeminfo_nvme_server"],
"gid" : [
"security_collector",
"shell",
"oeminfo_nvme_server"
],
"apl" : "system_basic",
"secon" : "u:r:security_collector:s0",
"caps" : ["CAP_DAC_OVERRIDE", "CAP_SYS_PTRACE", "CAP_NET_ADMIN", "CAP_SYS_ADMIN", "CAP_DAC_READ_SEARCH"],
"permission" : ["ohos.permission.securityguard.REPORT_SECURITY_INFO",
"ohos.permission.READ_DFX_SYSEVENT", "ohos.permission.STORAGE_MANAGER",
"ohos.permission.RUNNING_STATE_OBSERVER", "ohos.permission.VERIFY_ACTIVATION_LOCK",
"ohos.permission.ATTEST_KEY", "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS"],
"caps" : [
"CAP_DAC_OVERRIDE",
"CAP_SYS_PTRACE",
"CAP_NET_ADMIN",
"CAP_SYS_ADMIN",
"CAP_DAC_READ_SEARCH"
],
"permission" : [
"ohos.permission.securityguard.REPORT_SECURITY_INFO",
"ohos.permission.READ_DFX_SYSEVENT",
"ohos.permission.STORAGE_MANAGER",
"ohos.permission.WRITE_USER_STORAGE",
"ohos.permission.INPUT_MONITORING",
"ohos.permission.RUNNING_STATE_OBSERVER",
"ohos.permission.VERIFY_ACTIVATION_LOCK",
"ohos.permission.ATTEST_KEY",
"ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS",
"ohos.permission.REPORT_SECURITY_EVENT"
],
"writepid" : ["/dev/cpuset/system-background/tasks"]
}]
}

20
sa_profile/security_guard.cfg
View File

@ -17,12 +17,28 @@
"gid" : ["security_guard", "shell"],
"apl" : "system_basic",
"secon" : "u:r:security_guard:s0",
"permission" : ["ohos.permission.securityguard.REPORT_SECURITY_INFO",
"permission" : [
"ohos.permission.securityguard.REPORT_SECURITY_INFO",
"ohos.permission.securityguard.REQUEST_SECURITY_EVENT_INFO",
"ohos.permission.READ_DFX_SYSEVENT",
"ohos.permission.ACCESS_IDS",
"ohos.permission.ACCESS_SERVICE_DM",
"ohos.permission.hsdr.HSDR_ACCESS",
"ohos.permission.hsdr.REQUEST_HSDR",
"ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS"],
"ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS",
"ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION",
"ohos.permission.GET_NETWORK_INFO",
"ohos.permission.ATTEST_KEY",
"ohos.permission.QUERY_SECURITY_EVENT",
"ohos.permission.REPORT_SECURITY_EVENT",
"ohos.permission.QUERY_SECURITY_MODEL_RESULT",
"ohos.permission.QUERY_SECURITY_POLICY_FROM_CLOUD",
"ohos.permission.REPORT_SECURITY_EVENT_TO_CLOUD",
"ohos.permission.COLLECT_SECURITY_EVENT"
],
"permission_acls": [
"ohos.permission.COLLECT_SECURITY_EVENT"
],
"jobs" : {
"on-start" : "services:security_guard"
}

155
services/data_collect/sa/data_collect_manager_service.cpp
View File

@ -53,10 +53,21 @@ namespace {
constexpr int32_t TWO_ARGS = 2;
constexpr int32_t TIMEOUT_REPLY = 10000;
const std::string REPORT_PERMISSION = "ohos.permission.securityguard.REPORT_SECURITY_INFO";
const std::string REPORT_PERMISSION_NEW = "ohos.permission.REPORT_SECURITY_INFO";
const std::string REQUEST_PERMISSION = "ohos.permission.securityguard.REQUEST_SECURITY_EVENT_INFO";
const std::string MANAGE_CONFIG_PERMISSION = "ohos.permission.securityguard.MANAGE_SECURITY_GUARD_CONFIG";
const std::string MANAGE_CONFIG_PERMISSION = "ohos.permission.MANAGE_SECURITY_GUARD_CONFIG";
const std::string QUERY_SECURITY_EVENT_PERMISSION = "ohos.permission.QUERY_SECURITY_EVENT";
constexpr int32_t CFG_FILE_MAX_SIZE = 1 * 1024 * 1024;
constexpr int32_t CFG_FILE_BUFF_SIZE = 1 * 1024 * 1024 + 1;
const std::unordered_map<std::string, std::vector<std::string>> g_apiPermissionsMap {
{"RequestDataSubmit", {REPORT_PERMISSION, REPORT_PERMISSION_NEW}},
{"QuerySecurityEvent", {REPORT_PERMISSION, QUERY_SECURITY_EVENT_PERMISSION}},
{"CollectorStart", {REQUEST_PERMISSION, QUERY_SECURITY_EVENT_PERMISSION}},
{"CollectorStop", {REQUEST_PERMISSION, QUERY_SECURITY_EVENT_PERMISSION}},
{"Subscribe", {REQUEST_PERMISSION, QUERY_SECURITY_EVENT_PERMISSION}},
{"UnSubscribe", {REQUEST_PERMISSION, QUERY_SECURITY_EVENT_PERMISSION}},
{"ConfigUpdate", {MANAGE_CONFIG_PERMISSION}}
};
}
REGISTER_SYSTEM_ABILITY_BY_ID(DataCollectManagerService, DATA_COLLECT_MANAGER_SA_ID, true);
@ -145,19 +156,9 @@ void DataCollectManagerService::DumpEventInfo(int fd, int64_t eventId)
int32_t DataCollectManagerService::RequestDataSubmit(int64_t eventId, std::string &version, std::string &time,
std::string &content)
{
AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, REPORT_PERMISSION);
if (code != AccessToken::PermissionState::PERMISSION_GRANTED) {
SGLOGE("caller no permission");
return NO_PERMISSION;
}
AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
if (tokenType != AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
if (!AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
SGLOGE("not system app no permission");
return NO_SYSTEMCALL;
}
int32_t ret = IsApiHasPermission("RequestDataSubmit");
if (ret != SUCCESS) {
return ret;
}
if (!DataFormat::CheckRiskContent(content)) {
SGLOGE("CheckRiskContent error");
@ -287,19 +288,9 @@ int32_t DataCollectManagerService::Subscribe(const SecurityCollector::SecurityCo
const sptr<IRemoteObject> &callback)
{
SGLOGD("DataCollectManagerService, start subscribe");
AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, REQUEST_PERMISSION);
if (code != AccessToken::PermissionState::PERMISSION_GRANTED) {
SGLOGE("caller no permission");
return NO_PERMISSION;
}
AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
if (tokenType != AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
if (!AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
SGLOGE("not system app no permission");
return NO_SYSTEMCALL;
}
int32_t ret = IsApiHasPermission("Subscribe");
if (ret != SUCCESS) {
return ret;
}
std::lock_guard<std::mutex> lock(mutex_);
if (deathRecipient_ == nullptr) {
@ -310,7 +301,7 @@ int32_t DataCollectManagerService::Subscribe(const SecurityCollector::SecurityCo
}
}
callback->AddDeathRecipient(deathRecipient_);
int32_t ret = AcquireDataSubscribeManager::GetInstance().InsertSubscribeRecord(subscribeInfo, callback);
ret = AcquireDataSubscribeManager::GetInstance().InsertSubscribeRecord(subscribeInfo, callback);
SgSubscribeEvent event;
event.pid = IPCSkeleton::GetCallingPid();
event.time = SecurityGuardUtils::GetDate();
@ -323,26 +314,16 @@ int32_t DataCollectManagerService::Subscribe(const SecurityCollector::SecurityCo
int32_t DataCollectManagerService::Unsubscribe(const sptr<IRemoteObject> &callback)
{
AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, REQUEST_PERMISSION);
if (code != AccessToken::PermissionState::PERMISSION_GRANTED) {
SGLOGE("caller no permission");
return NO_PERMISSION;
}
AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
if (tokenType != AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
if (!AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
SGLOGE("not system app no permission");
return NO_SYSTEMCALL;
}
int32_t ret = IsApiHasPermission("UnSubscribe");
if (ret != SUCCESS) {
return ret;
}
std::lock_guard<std::mutex> lock(mutex_);
if (deathRecipient_ != nullptr) {
callback->RemoveDeathRecipient(deathRecipient_);
}
int32_t ret = AcquireDataSubscribeManager::GetInstance().RemoveSubscribeRecord(callback);
ret = AcquireDataSubscribeManager::GetInstance().RemoveSubscribeRecord(callback);
SgUnsubscribeEvent event;
event.pid = IPCSkeleton::GetCallingPid();
event.time = SecurityGuardUtils::GetDate();
@ -393,19 +374,9 @@ int32_t DataCollectManagerService::QuerySecurityEvent(std::vector<SecurityCollec
const sptr<IRemoteObject> &callback)
{
SGLOGE("enter QuerySecurityEvent");
AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, REQUEST_PERMISSION);
if (code != AccessToken::PermissionState::PERMISSION_GRANTED) {
SGLOGE("caller no permission");
return NO_PERMISSION;
}
AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
if (tokenType != AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
if (!AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
SGLOGE("not system app no permission");
return NO_SYSTEMCALL;
}
int32_t ret = IsApiHasPermission("QuerySecurityEvent");
if (ret != SUCCESS) {
return ret;
}
auto proxy = iface_cast<ISecurityEventQueryCallback>(callback);
if (proxy == nullptr) {
@ -455,19 +426,9 @@ int32_t DataCollectManagerService::CollectorStart(
const SecurityCollector::SecurityCollectorSubscribeInfo &subscribeInfo, const sptr<IRemoteObject> &callback)
{
SGLOGI("enter CollectorStart.");
AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, REQUEST_PERMISSION);
if (code != AccessToken::PermissionState::PERMISSION_GRANTED) {
SGLOGE("caller no permission");
return NO_PERMISSION;
}
AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
if (tokenType != AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
if (!AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
SGLOGE("not system app no permission");
return NO_SYSTEMCALL;
}
int32_t code = IsApiHasPermission("CollectorStart");
if (code != SUCCESS) {
return code;
}
code = SecurityCollector::CollectorManager::GetInstance().CollectorStart(subscribeInfo);
if (code != SUCCESS) {
@ -481,19 +442,9 @@ int32_t DataCollectManagerService::CollectorStop(const SecurityCollector::Securi
const sptr<IRemoteObject> &callback)
{
SGLOGI("enter CollectorStop.");
AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, REQUEST_PERMISSION);
if (code != AccessToken::PermissionState::PERMISSION_GRANTED) {
SGLOGE("caller no permission");
return NO_PERMISSION;
}
AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
if (tokenType != AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
if (!AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
SGLOGE("not system app no permission");
return NO_SYSTEMCALL;
}
int32_t code = IsApiHasPermission("CollectorStop");
if (code != SUCCESS) {
return code;
}
code = SecurityCollector::CollectorManager::GetInstance().CollectorStop(subscribeInfo);
if (code != SUCCESS) {
@ -503,6 +454,32 @@ int32_t DataCollectManagerService::CollectorStop(const SecurityCollector::Securi
return SUCCESS;
}
int32_t DataCollectManagerService::IsApiHasPermission(const std::string &api)
{
if (g_apiPermissionsMap.count(api) == 0) {
SGLOGE("api not in map");
return FAILED;
}
AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
if (std::any_of(g_apiPermissionsMap.at(api).cbegin(), g_apiPermissionsMap.at(api).cend(),
[callerToken](const std::string &per) {
int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, per);
return code == AccessToken::PermissionState::PERMISSION_GRANTED;
})) {
AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
if (tokenType != AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
if (!AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
SGLOGE("not system app no permission");
return NO_SYSTEMCALL;
}
}
return SUCCESS;
}
SGLOGE("caller no permission");
return NO_PERMISSION;
}
bool DataCollectManagerService::WriteRemoteFileToLocal(const SecurityGuard::SecurityConfigUpdateInfo &info,
const std::string &realPath)
{
@ -543,19 +520,9 @@ bool DataCollectManagerService::WriteRemoteFileToLocal(const SecurityGuard::Secu
int32_t DataCollectManagerService::ConfigUpdate(const SecurityGuard::SecurityConfigUpdateInfo &info)
{
SGLOGI("enter ConfigUpdate.");
AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, REQUEST_PERMISSION);
if (code != AccessToken::PermissionState::PERMISSION_GRANTED) {
SGLOGE("caller no permission");
return NO_PERMISSION;
}
AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
if (tokenType != AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
if (!AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
SGLOGE("not system app no permission");
return NO_SYSTEMCALL;
}
int32_t code = IsApiHasPermission("ConfigUpdate");
if (code != SUCCESS) {
return code;
}
std::string realPath = CONFIG_ROOT_PATH + "tmp/" + info.GetFileName();
SGLOGI("config file is %{public}s, fd is %{public}d", realPath.c_str(), info.GetFd());

1
services/data_collect/sa/include/data_collect_manager_service.h
View File

@ -68,6 +68,7 @@ private:
static bool QueryEventByRuler(sptr<ISecurityEventQueryCallback> proxy,
SecurityCollector::SecurityEventRuler ruler);
bool WriteRemoteFileToLocal(const SecurityGuard::SecurityConfigUpdateInfo &info, const std::string &realPath);
int32_t IsApiHasPermission(const std::string &api);
std::mutex mutex_{};
sptr<IRemoteObject::DeathRecipient> deathRecipient_{};
};

1
services/risk_classify/include/risk_analysis_manager_service.h
View File

@ -38,6 +38,7 @@ public:
private:
void PushRiskAnalysisTask(uint32_t modelId, std::string param, std::shared_ptr<std::promise<std::string>> promise);
int32_t IsApiHasPermission(const std::string &api);
};
} // namespace OHOS::Security::SecurityGuard

34
services/risk_classify/src/risk_analysis_manager_service.cpp
View File

@ -41,8 +41,12 @@ REGISTER_SYSTEM_ABILITY_BY_ID(RiskAnalysisManagerService, RISK_ANALYSIS_MANAGER_
namespace {
constexpr int32_t TIMEOUT_REPLY = 500;
constexpr const char* PERMISSION = "ohos.permission.securityguard.REQUEST_SECURITY_MODEL_RESULT";
constexpr const char* REQUEST_PERMISSION = "ohos.permission.securityguard.REQUEST_SECURITY_MODEL_RESULT";
constexpr const char* QUERY_SECURITY_MODEL_RESULT_PERMISSION = "ohos.permission.QUERY_SECURITY_MODEL_RESULT";
const std::vector<uint32_t> MODELIDS = { 3001000000, 3001000001, 3001000002, 3001000005, 3001000006, 3001000007 };
const std::unordered_map<std::string, std::vector<std::string>> g_apiPermissionsMap {
{"RequestSecurityModelResult", {REQUEST_PERMISSION, QUERY_SECURITY_MODEL_RESULT_PERMISSION}},
};
}
RiskAnalysisManagerService::RiskAnalysisManagerService(int32_t saId, bool runOnCreate)
@ -78,16 +82,22 @@ void RiskAnalysisManagerService::OnStop()
{
}
int32_t RiskAnalysisManagerService::RequestSecurityModelResult(const std::string &devId, uint32_t modelId,
const std::string &param, const sptr<IRemoteObject> &callback)
int32_t RiskAnalysisManagerService::IsApiHasPermission(const std::string &api)
{
SGLOGD("%{public}s", __func__);
if (g_apiPermissionsMap.count(api) == 0) {
SGLOGE("api not in map");
return FAILED;
}
AccessToken::AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, PERMISSION);
if (code != AccessToken::PermissionState::PERMISSION_GRANTED) {
if (std::none_of(g_apiPermissionsMap.at(api).cbegin(), g_apiPermissionsMap.at(api).cend(),
[callerToken](const std::string &per) {
int code = AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, per);
return code == AccessToken::PermissionState::PERMISSION_GRANTED;
})) {
SGLOGE("caller no permission");
return NO_PERMISSION;
}
AccessToken::ATokenTypeEnum tokenType = AccessToken::AccessTokenKit::GetTokenType(callerToken);
if (tokenType != AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
@ -96,6 +106,17 @@ int32_t RiskAnalysisManagerService::RequestSecurityModelResult(const std::string
return NO_SYSTEMCALL;
}
}
return SUCCESS;
}
int32_t RiskAnalysisManagerService::RequestSecurityModelResult(const std::string &devId, uint32_t modelId,
const std::string &param, const sptr<IRemoteObject> &callback)
{
SGLOGD("%{public}s", __func__);
int32_t ret = IsApiHasPermission("RequestSecurityModelResult");
if (ret != SUCCESS) {
return ret;
}
ClassifyEvent event;
event.pid = IPCSkeleton::GetCallingPid();
event.time = SecurityGuardUtils::GetDate();
@ -103,7 +124,6 @@ int32_t RiskAnalysisManagerService::RequestSecurityModelResult(const std::string
auto future = promise->get_future();
PushRiskAnalysisTask(modelId, param, promise);
std::chrono::milliseconds span(TIMEOUT_REPLY);
ErrorCode ret;
std::string result{};
if (future.wait_for(span) == std::future_status::timeout) {
SGLOGE("wait for result timeout");

1
test/unittest/data_collect/sa/data_collect_manager_service.h
View File

@ -67,6 +67,7 @@ private:
static bool QueryEventByRuler(sptr<ISecurityEventQueryCallback> proxy,
SecurityCollector::SecurityEventRuler ruler);
bool WriteRemoteFileToLocal(const SecurityGuard::SecurityConfigUpdateInfo &info, const std::string &realPath);
int32_t IsApiHasPermission(const std::string &api);
std::mutex mutex_{};
sptr<IRemoteObject::DeathRecipient> deathRecipient_{};
};

16
test/unittest/data_collect/sa/security_guard_data_collect_sa_test.cpp
View File

@ -69,6 +69,7 @@ void SecurityGuardDataCollectSaTest::TearDownTestCase()
{
DataFormat::DelInterface();
AccessToken::AccessTokenKit::DelInterface();
AccessToken::TokenIdKit::DelInterface();
}
void SecurityGuardDataCollectSaTest::SetUp()
@ -342,7 +343,6 @@ HWTEST_F(SecurityGuardDataCollectSaTest, TestPushDataCollectTask_ValidConditions
HWTEST_F(SecurityGuardDataCollectSaTest, OnAddSystemAbility_RiskAnalysisManagerSaId, TestSize.Level1)
{
std::vector<int64_t> whiteList{};
EXPECT_CALL(ConfigDataManager::GetInstance(), GetAllEventIds()).WillOnce(Return(whiteList));
DataCollectManagerService service(DATA_COLLECT_MANAGER_SA_ID, true);
service.OnAddSystemAbility(RISK_ANALYSIS_MANAGER_SA_ID, "deviceId");
}
@ -360,7 +360,7 @@ HWTEST_F(SecurityGuardDataCollectSaTest, RequestDataSubmit_NoPermission, TestSiz
std::string time = "2022-01-01";
std::string content = "content";
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken).WillOnce(
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken).WillRepeatedly(
Return(AccessToken::PermissionState::PERMISSION_DENIED));
DataCollectManagerService service(DATA_COLLECT_MANAGER_SA_ID, true);
int32_t result = service.RequestDataSubmit(eventId, version, time, content);
@ -462,7 +462,7 @@ HWTEST_F(SecurityGuardDataCollectSaTest, Subscribe01, TestSize.Level1)
sptr<MockRemoteObject> obj(new (std::nothrow) MockRemoteObject());
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken)
.WillOnce(Return(AccessToken::PermissionState::PERMISSION_DENIED));
.WillRepeatedly(Return(AccessToken::PermissionState::PERMISSION_DENIED));
DataCollectManagerService service(DATA_COLLECT_MANAGER_SA_ID, true);
int32_t result = service.Subscribe(subscribeInfo, obj);
EXPECT_EQ(result, NO_PERMISSION);
@ -474,7 +474,7 @@ HWTEST_F(SecurityGuardDataCollectSaTest, Unsubscribe01, TestSize.Level1)
sptr<MockRemoteObject> mockObj(new (std::nothrow) MockRemoteObject());
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken)
.WillOnce(Return(AccessToken::PermissionState::PERMISSION_DENIED));
.WillRepeatedly(Return(AccessToken::PermissionState::PERMISSION_DENIED));
DataCollectManagerService service(DATA_COLLECT_MANAGER_SA_ID, true);
int32_t result = service.Unsubscribe(mockObj);
EXPECT_EQ(result, NO_PERMISSION);
@ -795,7 +795,7 @@ HWTEST_F(SecurityGuardDataCollectSaTest, TestOnRemoteRequestWithDataRequestCmd09
sptr<MockRemoteObject> obj(new (std::nothrow) MockRemoteObject());
data.WriteRemoteObject(obj);
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken).WillOnce(
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken).WillRepeatedly(
Return(AccessToken::PermissionState::PERMISSION_DENIED));
EXPECT_CALL(ConfigDataManager::GetInstance(), GetEventConfig).WillRepeatedly(Return(true));
DataCollectManagerService service(DATA_COLLECT_MANAGER_SA_ID, true);
@ -1060,7 +1060,7 @@ HWTEST_F(SecurityGuardDataCollectSaTest, QuerySecurityEvent, TestSize.Level1)
std::vector<SecurityCollector::SecurityEventRuler> rules {};
rules.emplace_back(rule);
sptr<MockRemoteObject> obj(new (std::nothrow) MockRemoteObject());
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken).WillOnce(
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken).WillRepeatedly(
Return(AccessToken::PermissionState::PERMISSION_DENIED));
DataCollectManagerService service(DATA_COLLECT_MANAGER_SA_ID, true);
int32_t result = service.QuerySecurityEvent(rules, obj);
@ -1106,7 +1106,7 @@ HWTEST_F(SecurityGuardDataCollectSaTest, CollectorStart01, TestSize.Level1)
{
SecurityCollector::SecurityCollectorSubscribeInfo subscribeInfo {};
sptr<MockRemoteObject> obj(new (std::nothrow) MockRemoteObject());
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken).WillOnce(
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken).WillRepeatedly(
Return(AccessToken::PermissionState::PERMISSION_DENIED));
DataCollectManagerService service(DATA_COLLECT_MANAGER_SA_ID, true);
int32_t result = service.CollectorStart(subscribeInfo, obj);
@ -1164,7 +1164,7 @@ HWTEST_F(SecurityGuardDataCollectSaTest, CollectorStop01, TestSize.Level1)
{
SecurityCollector::SecurityCollectorSubscribeInfo subscribeInfo {};
sptr<MockRemoteObject> obj(new (std::nothrow) MockRemoteObject());
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken).WillOnce(
EXPECT_CALL(*(AccessToken::AccessTokenKit::GetInterface()), VerifyAccessToken).WillRepeatedly(
Return(AccessToken::PermissionState::PERMISSION_DENIED));
DataCollectManagerService service(DATA_COLLECT_MANAGER_SA_ID, true);
int32_t result = service.CollectorStop(subscribeInfo, obj);

1
test/unittest/risk_classify/include/risk_analysis_manager_service.h
View File

@ -39,6 +39,7 @@ public:
private:
void PushRiskAnalysisTask(uint32_t modelId, std::string param, std::shared_ptr<std::promise<std::string>> promise);
int32_t IsApiHasPermission(const std::string &api);
};
} // namespace OHOS::Security::SecurityGuard

2
test/unittest/security_collector/interface_test/src/collector_interface_test.cpp
View File

@ -193,7 +193,7 @@ HWTEST_F(CollectorInterfaceTest, UnSubscribe002, testing::ext::TestSize.Level1)
new(std::nothrow) SecurityCollector::SecurityCollectorManagerCallbackService(nullptr);
manager.eventListeners_.insert({subscriber, callback});
int ret = manager.Unsubscribe(subscriber);
EXPECT_EQ(ret, SecurityCollector::NO_PERMISSION);
EXPECT_EQ(ret, SecurityCollector::BAD_PARAM);
}
HWTEST_F(CollectorInterfaceTest, UnSubscribe003, testing::ext::TestSize.Level1)