From 6b89b371a215be0cc428ba20531283da703e96bc Mon Sep 17 00:00:00 2001
From: Li Ang
Date: Fri, 27 Sep 2024 17:40:28 +0800
Subject: [PATCH] check tempAllowList under secure shield mode
Signed-off-by: luyifan<842825214@qq.com>
---
 .../innerkits/code_sign_attr_utils/BUILD.gn | 1 +
 .../src/ownerid_utils.cpp | 20 ++++++++++++++++++-
 test/unittest/code_sign_attr_utils_test.cpp | 3 +++
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/interfaces/innerkits/code_sign_attr_utils/BUILD.gn b/interfaces/innerkits/code_sign_attr_utils/BUILD.gn
index 342b008..cdac4be 100755
--- a/interfaces/innerkits/code_sign_attr_utils/BUILD.gn
+++ b/interfaces/innerkits/code_sign_attr_utils/BUILD.gn
@@ -35,6 +35,7 @@ ohos_static_library("libcode_sign_attr_utils") {
 external_deps = [
 "c_utils:utils",
 "hilog:libhilog",
+ "init:libbegetutil",
 ]
 part_name = "code_signature"
diff --git a/interfaces/innerkits/code_sign_attr_utils/src/ownerid_utils.cpp b/interfaces/innerkits/code_sign_attr_utils/src/ownerid_utils.cpp
index c70ef1b..360d215 100644
--- a/interfaces/innerkits/code_sign_attr_utils/src/ownerid_utils.cpp
+++ b/interfaces/innerkits/code_sign_attr_utils/src/ownerid_utils.cpp
@@ -15,20 +15,38 @@
 #include "ownerid_utils.h"
 #include "code_sign_attr_utils.h"
+#include "parameter.h"
 #include "log.h"
 #include
 #include
+#define SECURE_SHIELD_MODE_KEY "ohos.boot.advsecmode.state"
+#define VALUE_MAX_LEN 32
+
 // the list will be removed before 930
 static const std::unordered_set g_tempAllowList;
+static uint32_t IsSecureShieldModeOn()
+{
+ char secureShieldModeValue[VALUE_MAX_LEN] = {0};
+ (void)GetParameter(SECURE_SHIELD_MODE_KEY, "0", secureShieldModeValue, VALUE_MAX_LEN - 1);
+ return (strcmp(secureShieldModeValue, "0") != 0);
+}
+
 uint32_t ConvertIdType(int idType, const char *ownerId)
 {
- if (idType != PROCESS_OWNERID_APP || ownerId == nullptr) {
+ if (ownerId == nullptr) {
+ return idType;
+ }
+ if ((idType != PROCESS_OWNERID_APP) && (idType != PROCESS_OWNERID_APP_TEMP_ALLOW)) {
 return idType;
 }
 std::string ownerIdStr(ownerId);
+ // discard PROCESS_OWNERID_APP_TEMP_ALLOW under Secure Shield Mode
+ if (IsSecureShieldModeOn()) {
+ idType = PROCESS_OWNERID_APP;
+ }
 if (g_tempAllowList.count(ownerIdStr) != 0) {
 LOG_INFO("Xpm: app in temporary allow list");
 return PROCESS_OWNERID_APP_TEMP_ALLOW;
diff --git a/test/unittest/code_sign_attr_utils_test.cpp b/test/unittest/code_sign_attr_utils_test.cpp
index b318c32..2cad264 100644
--- a/test/unittest/code_sign_attr_utils_test.cpp
+++ b/test/unittest/code_sign_attr_utils_test.cpp
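Review bot: The `ownerId == nullptr` early return in ConvertIdType runs before the Secure Shield Mode check, so a call with `PROCESS_OWNERID_APP_TEMP_ALLOW` and a null owner ID gets TEMP_ALLOW back unchanged even when the mode is on. Whether any caller can reach that combination is not visible here, but the downgrade would not depend on it if it ran first: `if (idType == PROCESS_OWNERID_APP_TEMP_ALLOW && IsSecureShieldModeOn()) { idType = PROCESS_OWNERID_APP; }` placed ahead of the null check. IsSecureShieldModeOn also discards the GetParameter result, so a failed read presumably leaves the zeroed buffer and is treated as mode on; that fail-closed choice deserves a comment such as `// any value other than "0", including a failed read, counts as shield mode on`. ConvertIdType's body continues past the end of the hunk.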
@@ -91,8 +91,11 @@ HWTEST_F(CodeSignAttrUtilsTest, CodeSignAttrUtilsTest_0003, TestSize.Level0)
 {
 // test non OWNERID_APP, retval is origin idType
 EXPECT_EQ(ConvertIdType(PROCESS_OWNERID_DEBUG, nullptr), PROCESS_OWNERID_DEBUG);
+ EXPECT_EQ(ConvertIdType(PROCESS_OWNERID_DEBUG, "1"), PROCESS_OWNERID_DEBUG);
 // test app not in list, retval is OWNERID_APP
 EXPECT_EQ(ConvertIdType(PROCESS_OWNERID_APP, "1"), PROCESS_OWNERID_APP);
+ // test OWNERID_APP_TEMPA_ALLOW, retval is origin idType
+ EXPECT_EQ(ConvertIdType(PROCESS_OWNERID_APP_TEMP_ALLOW, "1"), PROCESS_OWNERID_APP_TEMP_ALLOW);
 // test nullptr
 EXPECT_EQ(ConvertIdType(PROCESS_OWNERID_APP, nullptr), PROCESS_OWNERID_APP);
 }
--
Gitee
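Review bot: The added `PROCESS_OWNERID_APP_TEMP_ALLOW` expectation only holds when `ohos.boot.advsecmode.state` reads as "0" on the device running the test, and no case here exercises the shield-mode-on branch that this commit introduces. With the mode on, ConvertIdType would presumably return PROCESS_OWNERID_APP for an owner ID outside the list, so the result depends on device state rather than on the code under test. I would state the precondition next to the assertion, `// requires Secure Shield Mode off (ohos.boot.advsecmode.state == "0")`, and add cases for the mode-on path and for TEMP_ALLOW with `nullptr` if the test environment allows the parameter to be set.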