首页 > 代码库 > Android权限机制(一) 权限的申请与保存

Android权限机制(一) 权限的申请与保存

Android系统采用了sandboxes的安全机制,每个app有对应的PID,UID,资源,数据,以及基本的API。当app需要sandbox没有提供的额外API时,需要声明权限。

在本文中,我们将会探究apk申请的权限信息是如何被保存到系统中的。

 

一、声明权限

1. 在AndroidManifest.xml中声明权限

AndroidManifest.xml位于工程根目录下

在<activity>标签之前声明权限

  • 声明了app所需要用到的权限
  • Android要求权限必须在manifest文件中明确声明,不允许在运行时动态声明

2. “最少权限原则”

  • 如无需要,不要申请
  • 更少的权限,对于system和app都更加安全
    • 有些API可能会被恶意攻击
  • GooglePlay会根据来选择对应设备
    • 权限更少,面向的设备类型更多

参考:AndroidDeveloper->SecurityTips->Using Permissions

 

二、PackageManagerService的构造流程

  • SystemServer会调用PackageManagerService(PKMS)的main方法,构造出对象
  • PKMS会扫描/system/app, /system/priv-app, /data/app, …等目录下的apk
  • apk的AndroidManifest信息会动态保存在PKMS的属性成员中

 

三、APK的安装流程

  • adbd是Deamon进程,监听host端的adb命令
  • adbd发送shell命令启动脚本pm (exec)
  • pm.jar的main方法被执行

  • 将apk拷贝到/data/app/下,开始解析AndroidManifest标签信息
  • 与PKMS构造器类似地,调用parsePackage()和scanPackageLI()处理

 

四、两个数据结构:PackageParser.Package和Settings.mUserIds

1. PackageParser.Package

PKMS中mPackages对应的类型是:

// Keys are String (package name), values are Package.  This also serves// as the lock for the global state.  Methods that must be called with// this lock held have the prefix "LP".final HashMap<String, PackageParser.Package> mPackages =        new HashMap<String, PackageParser.Package>();

部分属性成员和方法如下:

从上面两个流程,我们可以看到在PackageManagerService(PKMS)启动(即SystemServer启动)与安装apk时,PKMS都会调用PackageParser::parsePackage()和scanPackageLI()方法。

那么下面我们就来分析一下这两个方法的作用:

/frameworks/base/core/java/android/content/pm/PackageParser.java

PackageParser.Package.parsePackage():

private Package parsePackage(    Resources res, XmlResourceParser parser, int flags, String[] outError)    throws XmlPullParserException, IOException {    String pkgName = parsePackageName(parser, attrs, flags, outError);    final Package pkg = new Package(pkgName);    // ...    int outerDepth = parser.getDepth();    while ((type = parser.next()) != XmlPullParser.END_DOCUMENT            && (type != XmlPullParser.END_TAG || parser.getDepth() > outerDepth)) {        if (type == XmlPullParser.END_TAG || type == XmlPullParser.TEXT) {            continue;        }        String tagName = parser.getName();        if (tagName.equals("application")) {            // ...            }        } /* ... */ else if (tagName.equals("uses-permission")) {            if (!parseUsesPermission(pkg, res, parser, attrs, outError)) {                return null;            }        }    }    // ...    return pkg;}

通过AndroidManifest.xml来获得package名字,然后解析xml文件的tag,并调用相应的方法。 如"uses-permission"标签对应调用parseUsesPermission()方法。

/frameworks/base/core/java/android/content/pm/PackageParser.java

PackageParser.parseUsesPermission():

private boolean parseUsesPermission(Package pkg, Resources res, XmlResourceParser parser,                                    AttributeSet attrs, String[] outError)        throws XmlPullParserException, IOException {    // ...    if ((maxSdkVersion == 0) || (maxSdkVersion >= Build.VERSION.RESOURCES_SDK_INT)) {        if (name != null) {            int index = pkg.requestedPermissions.indexOf(name);            if (index == -1) {                pkg.requestedPermissions.add(name.intern());                pkg.requestedPermissionsRequired.add(required ? Boolean.TRUE : Boolean.FALSE);            } else {                if (pkg.requestedPermissionsRequired.get(index) != required) {                    outError[0] = "conflicting <uses-permission> entries";                    mParseError = PackageManager.INSTALL_PARSE_FAILED_MANIFEST_MALFORMED;                    return false;                }            }        }    }    XmlUtils.skipCurrentTag(parser);    return true;}

parseUsesPermission()判断permission是否已经保存,如果没有则add到pkg的requestedPermissions(ArrayList)中。

下面我们继续看scanPackageLI()方法:

/frameworks/base/services/java/com/android/server/pm/PackageManagerService.java

PackageManagerService.scanPackageLI(PackageParser.Package, ...)

private PackageParser.Package scanPackageLI(PackageParser.Package pkg,        int parseFlags, int scanMode, long currentTime, UserHandle user) {    // 判断apk是否已经安装过,跳过重复安装    // 检查非system app的库是否被映射到正确的路径上    // 检查是否需要重命名原来的Package Name    // 为新的apk创建PackageSetting    // 验证apk的signature    // 验证apk的ContentProvider是否与已存在的apk的有冲突    // 把apk的库解压复制到对应目录中    // writer    synchronized (mPackages) {        // We don‘t expect installation to fail beyond this point,        if ((scanMode&SCAN_MONITOR) != 0) {            mAppDirs.put(pkg.mPath, pkg);        }        // Add the new setting to mSettings        mSettings.insertPackageSettingLPw(pkgSetting, pkg);        // Add the new setting to mPackages        mPackages.put(pkg.applicationInfo.packageName, pkg);        // Make sure we don‘t accidentally delete its data.        final Iterator<PackageCleanItem> iter = mSettings.mPackagesToBeCleaned.iterator();        while (iter.hasNext()) {            PackageCleanItem item = iter.next();            if (pkgName.equals(item.packageName)) {                iter.remove();            }        }        // Just create the setting, don‘t add it yet. For already existing packages        // the PkgSetting exists already and doesn‘t have to be created.        // 安装新apk时,会最终调用到newUserIdLPw()        pkgSetting = mSettings.getPackageLPw(pkg, origPackage, realName, suid, destCodeFile,                destResourceFile, pkg.applicationInfo.nativeLibraryDir,                pkg.applicationInfo.flags, user, false);        // ...    }    // ...}

2. Settings

在Android中有多个名为Settings的类,此Settings为com.android.server.pm.Settings。

其中,mUserIds属性保存着uid的重要信息。

2.1. addUserIdLPw()

从PKMS构造的时序图可以看出,在PKMS进行scanDirLI之前,会先后调用Settings的addSharedUserLPw()和readLPw()。

public PackageManagerService(Context context, Installer installer,        boolean factoryTest, boolean onlyCore) {    // ...    mSettings = new Settings(context);    mSettings.addSharedUserLPw("android.uid.system",            Process.SYSTEM_UID, ApplicationInfo.FLAG_SYSTEM);    mSettings.addSharedUserLPw("android.uid.phone", RADIO_UID, ApplicationInfo.FLAG_SYSTEM);    mSettings.addSharedUserLPw("android.uid.log", LOG_UID, ApplicationInfo.FLAG_SYSTEM);    mSettings.addSharedUserLPw("android.uid.nfc", NFC_UID, ApplicationInfo.FLAG_SYSTEM);    mSettings.addSharedUserLPw("android.uid.bluetooth", BLUETOOTH_UID, ApplicationInfo.FLAG_SYSTEM);    mSettings.addSharedUserLPw("android.uid.shell", SHELL_UID, ApplicationInfo.FLAG_SYSTEM);    synchronized (mInstallLock) {    // writer    synchronized (mPackages) {        // ...        sUserManager = new UserManagerService(context, this,                mInstallLock, mPackages);        readPermissions();        mFoundPolicyFile = SELinuxMMAC.readInstallPolicy();        mRestoredSettings = mSettings.readLPw(this, sUserManager.getUsers(false),                mSdkVersion, mOnlyCore);

addSharedUserLPw()方法的作用是如果某个app的AndroidManifest中声明android:sharedUserId="com.android.process",则它的uid与属性值中的进程uid一样。
当然,前提是两者的apk签名(signature)相同。

这样,该进程就能获得uid的权限。

而readLPw()则是创建新的uid。无论是调用addSharedUserLPw()还是readLPw(),最终都会调用到addUserIdLPw()。

private boolean addUserIdLPw(int uid, Object obj, Object name) {    if (uid > Process.LAST_APPLICATION_UID) {        return false;    }    if (uid >= Process.FIRST_APPLICATION_UID) {        int N = mUserIds.size();        final int index = uid - Process.FIRST_APPLICATION_UID;        while (index >= N) {            mUserIds.add(null);            N++;        }        if (mUserIds.get(index) != null) {            PackageManagerService.reportSettingsProblem(Log.ERROR,                    "Adding duplicate user id: " + uid                    + " name=" + name);            return false;        }        mUserIds.set(index, obj);    } else {        if (mOtherUserIds.get(uid) != null) {            PackageManagerService.reportSettingsProblem(Log.ERROR,                    "Adding duplicate shared id: " + uid                    + " name=" + name);            return false;        }        mOtherUserIds.put(uid, obj);    }

mUserIds是一个ArrayList,以uid减去FIRST_APPLICATION_UID的值为下标索引,而对应的obj是Object类型,实际上是PackageSetting
(PackageSetting继承于PackageSettingBase,
而PackageSettingBase继承于GrantedPermissions。
GrantedPermissions中有一个类型为HashSet的grantedPermissions,存放着权限的String)

2.2. newUserIdLPw()

上面的addUserIdLPw,是在PKMS启动时调用的。而安装新apk时,调用的是newUserIdLPw。

private PackageParser.Package scanPackageLI(PackageParser.Package pkg,        int parseFlags, int scanMode, long currentTime, UserHandle user) {    // writer    synchronized (mPackages) {        // Just create the setting, don‘t add it yet. For already existing packages        // the PkgSetting exists already and doesn‘t have to be created.        // 为新的APK创建PackageSetting        pkgSetting = mSettings.getPackageLPw(pkg, origPackage, realName, suid, destCodeFile,                destResourceFile, pkg.applicationInfo.nativeLibraryDir,                pkg.applicationInfo.flags, user, false);        if (pkgSetting == null) {            Slog.w(TAG, "Creating application package " + pkg.packageName + " failed");            mLastScanError = PackageManager.INSTALL_FAILED_INSUFFICIENT_STORAGE;            return null;        }    }            }

最终会调用到newUserIdLPw():

private int newUserIdLPw(Object obj) {    // Let‘s be stupidly inefficient for now...    final int N = mUserIds.size();    for (int i = 0; i < N; i++) {        if (mUserIds.get(i) == null) {            mUserIds.set(i, obj);            return Process.FIRST_APPLICATION_UID + i;        }    }    // None left?    if (N > (Process.LAST_APPLICATION_UID-Process.FIRST_APPLICATION_UID)) {        return -1;    }    mUserIds.add(obj);    return Process.FIRST_APPLICATION_UID + N;} 

如果新安装的apk具有android:sharedUserId的话,scanPackageLI()中将会调用getSharedUserLPw(),最终还是会调用到newUserIdLPw(),这一段我们就不再详细探究。

通过以上的分析,我们可以得出以下结论:

  • SystemServer启动时与安装apk时都会扫描apk
  • 扫描后得到的标签信息保存到PKMS.mPackages和Settings.mUserIds中,而不是文件中
  • 标签信息存放到两个不同的数据结构,应该是有不同的应用场合

 

五、通过PackageManager获得PackageInfo

保存了apk的信息之后,我们就可以通过PackageManager来间接获得PKMS中的这些信息。 PackageManager.getPackageInfo()是Android API level 1的公开接口:

public abstract PackageInfo getPackageInfo(String packageName, int flags)

通过AIDL,PKMS的getPackageInfo()会被调用到:

/frameworks/base/services/java/com/android/server/pm/PackageManagerService.java

PackageManagerService.getPackageInfo()

@Overridepublic PackageInfo getPackageInfo(String packageName, int flags, int userId) {    if (!sUserManager.exists(userId)) return null;    enforceCrossUserPermission(Binder.getCallingUid(), userId, false, "get package info");    // reader    synchronized (mPackages) {        PackageParser.Package p = mPackages.get(packageName);        if (DEBUG_PACKAGE_INFO)            Log.v(TAG, "getPackageInfo " + packageName + ": " + p);        if (p != null) {            return generatePackageInfo(p, flags, userId);        }        if((flags & PackageManager.GET_UNINSTALLED_PACKAGES) != 0) {            return generatePackageInfoFromSettingsLPw(packageName, flags, userId);        }    }    return null;}

这样,apk的<uses-permission>信息也就能够被第三方app获取到了。