Exploring Android: where the u0_axxx UID comes from

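From studying PackageManager we know that Android's UID and the traditional Linux UID are really two different things: in Linux, the UID distinguishes users on a multi-user operating system, whereas in Android the UID is what the system uses for permission management. Anyone who has run the ps command in a shell will have seen output like the listing below. The entries in the USER column, such as system, radio, u0_a1 (CalendarProvider) and u0_a27 (DeskClock), are today's subject: the UID. The odd part is that we have always understood a UID to be a positive integer, so why is it shown here as a string? That a UID is an integer is beyond doubt, so the strings must come from a one-to-one mapping.

To find that mapping, we will use this output as our example and trace where these UID strings come from.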

USER      PID   PPID  VSIZE  RSS   WCHAN              PC  NAME
u0_a42    1971  597   1443692 35452 SyS_epoll_ 7f7dca9ba4 S com.android.printspooler
u0_a24    2003  597   1440292 33136 SyS_epoll_ 7f7dca9ba4 S com.qualcomm.qti.accesscache
u0_a50    2110  597   1440316 32912 SyS_epoll_ 7f7dca9ba4 S com.android.smspush
system    2127  597   1470876 37476 SyS_epoll_ 7f7dca9ba4 S com.android.settings
radio     2140  597   1442476 43824 SyS_epoll_ 7f7dca9ba4 S com.qualcomm.qcrilmsgtunnel
system    2212  597   1444100 35500 SyS_epoll_ 7f7dca9ba4 S com.qualcomm.telephony
system    2286  597   1442632 34892 SyS_epoll_ 7f7dca9ba4 S com.qti.diagservices
system    2301  597   1440236 34528 SyS_epoll_ 7f7dca9ba4 S com.qualcomm.qti.qs
u0_a1     2318  597   1443108 39640 SyS_epoll_ 7f7dca9ba4 S com.android.providers.calendar
u0_a8     2335  597   1442188 34216 SyS_epoll_ 7f7dca9ba4 S com.android.managedprovisioning
u0_a9     2351  597   1440216 33492 SyS_epoll_ 7f7dca9ba4 S com.android.onetimeinitializer
u0_a20    2368  597   1440176 32664 SyS_epoll_ 7f7dca9ba4 S com.qualcomm.qti.calendarlocalaccount
u0_a26    2381  597   1440680 33512 SyS_epoll_ 7f7dca9ba4 S com.qti.csk
u0_a27    2394  597   1448988 40792 SyS_epoll_ 7f7dca9ba4 S com.android.deskclock

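First, from what we know of Android, app processes are forked from the zygote process, and by following zygote's fork path we can conclude that the string is not generated there. The important part of the zygote fork is briefly listed below:

In the end, the forked child process sets its UID and GID through the setresgid and setresuid system calls, but these are still numbers, and nothing there ties an integer to a string. So zygote is not what performs the mapping.

The second direction: this information is ultimately printed by the ps command, and Android's ps differs from the one in stock Linux. In the Android source, the implementation is in /system/core/toolbox/ps.c, and the relevant function is ps_line.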

static int ps_line(int pid, int tid, char *namefilter)
{

    // irrelevant code omitted

    pw = getpwuid(stats.st_uid);
    if(pw == 0 || (display_flags & SHOW_NUMERIC_UID)) {
        sprintf(user,"%d",(int)stats.st_uid);
    } else {
        strcpy(user,pw->pw_name);
    }

    // irrelevant code omitted
}

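The function body is long, so we look only at the key part: getpwuid is the function that resolves the UID. Note that it lives in libc (bionic, Android's lightweight C library implementation), at bionic/libc/bionic/stubs.c.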

passwd* getpwuid(uid_t uid) { // NOLINT: implementing bad function.
  passwd_state_t* state = g_passwd_tls_buffer.get();
  if (state == NULL) {
    return NULL;
  }

  passwd* pw = android_id_to_passwd(state, uid);
  if (pw != NULL) {
    return pw;
  }
  return app_id_to_passwd(uid, state);
}

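Here the uid passed in is first looked up with android_id_to_passwd, and if a match is found it is returned directly. As an aside, this uid is built from userid + appid: userid is the Android user ID, and appid is what PKMS assigns to each application when its APK is installed. Readers who want to know how PKMS assigns UIDs to installed applications can read the following articles:

Android M PackageManagerService startup process analysis

Android M PackageManager: analysis of the APK installation flow

Let's follow android_id_to_passwd.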

static passwd* android_id_to_passwd(passwd_state_t* state, unsigned id) {
  for (size_t n = 0; n < android_id_count; ++n) {
    if (android_ids[n].aid == id) {
      return android_iinfo_to_passwd(state, android_ids + n);
    }
  }
  return NULL;
}

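android_id_to_passwd searches an array named android_ids, which defines the mapping between each special UID and its string, for system-level identities such as system, root and shell. It is defined in /system/core/include/private/android_filesystem_config.h. Take a look: does it seem familiar?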

#define AID_ROOT             0  /* traditional unix root user */

#define AID_SYSTEM        1000  /* system server */

#define AID_RADIO         1001  /* telephony subsystem, RIL */
#define AID_BLUETOOTH     1002  /* bluetooth subsystem */
#define AID_GRAPHICS      1003  /* graphics devices */
#define AID_INPUT         1004  /* input devices */
#define AID_AUDIO         1005  /* audio devices */
#define AID_CAMERA        1006  /* camera devices */
#define AID_LOG           1007  /* log devices */
#define AID_COMPASS       1008  /* compass device */
#define AID_MOUNT         1009  /* mountd socket */
#define AID_WIFI          1010  /* wifi subsystem */
#define AID_ADB           1011  /* android debug bridge (adbd) */
#define AID_INSTALL       1012  /* group for installing packages */
#define AID_MEDIA         1013  /* mediaserver process */
#define AID_DHCP          1014  /* dhcp client */
#define AID_SDCARD_RW     1015  /* external storage write access */
#define AID_VPN           1016  /* vpn system */
#define AID_KEYSTORE      1017  /* keystore subsystem */
#define AID_USB           1018  /* USB devices */
#define AID_DRM           1019  /* DRM server */
#define AID_MDNSR         1020  /* MulticastDNSResponder (service discovery) */
#define AID_GPS           1021  /* GPS daemon */
#define AID_UNUSED1       1022  /* deprecated, DO NOT USE */
#define AID_MEDIA_RW      1023  /* internal media storage write access */
#define AID_MTP           1024  /* MTP USB driver access */
#define AID_UNUSED2       1025  /* deprecated, DO NOT USE */
#define AID_DRMRPC        1026  /* group for drm rpc */
#define AID_NFC           1027  /* nfc subsystem */
#define AID_SDCARD_R      1028  /* external storage read access */
#define AID_CLAT          1029  /* clat part of nat464 */
#define AID_LOOP_RADIO    1030  /* loop radio devices */
#define AID_MEDIA_DRM     1031  /* MediaDrm plugins */
#define AID_PACKAGE_INFO  1032  /* access to installed package details */
#define AID_SDCARD_PICS   1033  /* external storage photos access */
#define AID_SDCARD_AV     1034  /* external storage audio/video access */
#define AID_SDCARD_ALL    1035  /* access all users external storage */
#define AID_LOGD          1036  /* log daemon */
#define AID_SHARED_RELRO  1037  /* creator of shared GNU RELRO files */

#define AID_SHELL         2000  /* adb and debug shell user */
#define AID_CACHE         2001  /* cache access */
#define AID_DIAG          2002  /* access to diagnostic resources */

/* The range 2900-2999 is reserved for OEM, and must never be
 * used here */
#define AID_OEM_RESERVED_START 2900
#define AID_OEM_RESERVED_END   2999

/* The 3000 series are intended for use as supplemental group id's only.
 * They indicate special Android capabilities that the kernel is aware of. */
#define AID_NET_BT_ADMIN  3001  /* bluetooth: create any socket */
#define AID_NET_BT        3002  /* bluetooth: create sco, rfcomm or l2cap sockets */
#define AID_INET          3003  /* can create AF_INET and AF_INET6 sockets */
#define AID_NET_RAW       3004  /* can create raw INET sockets */
#define AID_NET_ADMIN     3005  /* can configure interfaces and routing tables. */
#define AID_NET_BW_STATS  3006  /* read bandwidth statistics */
#define AID_NET_BW_ACCT   3007  /* change bandwidth statistics accounting */
#define AID_NET_BT_STACK  3008  /* bluetooth: access config files */
#define AID_QCOM_DIAG     3009  /* can read/write /dev/diag */

#define AID_SENSORS       3011 /* access to /dev/socket/sensor_ctl_socket & QCCI/QCSI */

#define AID_RFS           3012  /* Remote Filesystem for peripheral processors */
#define AID_RFS_SHARED    3013  /* Shared files for Remote Filesystem for peripheral processors  */

#define AID_EVERYBODY     9997  /* shared between all apps in the same profile */
#define AID_MISC          9998  /* access to misc storage */
#define AID_NOBODY        9999

#define AID_APP          10000  /* first app user */

#define AID_ISOLATED_START 99000 /* start of uids for fully isolated sandboxed processes */
#define AID_ISOLATED_END   99999 /* end of uids for fully isolated sandboxed processes */

#define AID_USER        100000  /* offset for uid ranges for each user */

#define AID_SHARED_GID_START 50000 /* start of gids for apps in each user to share */
#define AID_SHARED_GID_END   59999 /* start of gids for apps in each user to share */

static const struct android_id_info android_ids[] = {
    { "root",          AID_ROOT, },

    { "system",        AID_SYSTEM, },

    { "radio",         AID_RADIO, },
    { "bluetooth",     AID_BLUETOOTH, },
    { "graphics",      AID_GRAPHICS, },
    { "input",         AID_INPUT, },
    { "audio",         AID_AUDIO, },
    { "camera",        AID_CAMERA, },
    { "log",           AID_LOG, },
    { "compass",       AID_COMPASS, },
    { "mount",         AID_MOUNT, },
    { "wifi",          AID_WIFI, },
    { "adb",           AID_ADB, },
    { "install",       AID_INSTALL, },
    { "media",         AID_MEDIA, },
    { "dhcp",          AID_DHCP, },
    { "sdcard_rw",     AID_SDCARD_RW, },
    { "vpn",           AID_VPN, },
    { "keystore",      AID_KEYSTORE, },
    { "usb",           AID_USB, },
    { "drm",           AID_DRM, },
    { "mdnsr",         AID_MDNSR, },
    { "gps",           AID_GPS, },
    // AID_UNUSED1
    { "media_rw",      AID_MEDIA_RW, },
    { "mtp",           AID_MTP, },
    // AID_UNUSED2
    { "drmrpc",        AID_DRMRPC, },
    { "nfc",           AID_NFC, },
    { "sdcard_r",      AID_SDCARD_R, },
    { "clat",          AID_CLAT, },
    { "loop_radio",    AID_LOOP_RADIO, },
    { "mediadrm",      AID_MEDIA_DRM, },
    { "package_info",  AID_PACKAGE_INFO, },
    { "shared_relro",  AID_SHARED_RELRO, },

    { "shell",         AID_SHELL, },
    { "cache",         AID_CACHE, },
    { "diag",          AID_DIAG, },
    { "qcom_diag",     AID_QCOM_DIAG, },

    { "net_bt_admin",  AID_NET_BT_ADMIN, },
    { "net_bt",        AID_NET_BT, },
    { "inet",          AID_INET, },
    { "net_raw",       AID_NET_RAW, },
    { "net_admin",     AID_NET_ADMIN, },
    { "net_bw_stats",  AID_NET_BW_STATS, },
    { "net_bw_acct",   AID_NET_BW_ACCT, },
    { "net_bt_stack",  AID_NET_BT_STACK, },

    { "sensors",       AID_SENSORS, },

    { "rfs",           AID_RFS, },
    { "rfs_shared",    AID_RFS_SHARED, },

    { "everybody",     AID_EVERYBODY, },
    { "misc",          AID_MISC, },
    { "nobody",        AID_NOBODY, },
};

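This makes things clear: the strings for system-level UIDs are all defined here, such as the system and radio we saw at the start. Ordinary applications are not matched here, so the function returns NULL and the lookup continues with app_id_to_passwd.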

#define AID_USER 100000    /* offset for uid ranges for each user */ 
#define AID_ISOLATED_START 99000  /* start of uids for fully isolated sandboxed processes */ 
#define AID_APP 10000 

// Translate a uid into the corresponding name.
// 0 to AID_APP-1                   -> "system", "radio", etc.
// AID_APP to AID_ISOLATED_START-1  -> u0_a1234
// AID_ISOLATED_START to AID_USER-1 -> u0_i1234
// AID_USER+                        -> u1_radio, u1_a1234, u2_i1234, etc.
// returns a passwd structure (sets errno to ENOENT on failure).
static passwd* app_id_to_passwd(uid_t uid, passwd_state_t* state) {
  if (uid < AID_APP) {
    errno = ENOENT;
    return NULL;
  }

  print_app_name_from_uid(uid, state->name_buffer_, sizeof(state->name_buffer_));

  const uid_t appid = uid % AID_USER;
  if (appid < AID_APP) {
      snprintf(state->dir_buffer_, sizeof(state->dir_buffer_), "/");
  } else {
      snprintf(state->dir_buffer_, sizeof(state->dir_buffer_), "/data");
  }

  snprintf(state->sh_buffer_, sizeof(state->sh_buffer_), "/system/bin/sh");

  passwd* pw = &state->passwd_;
  pw->pw_name  = state->name_buffer_;
  pw->pw_dir   = state->dir_buffer_;
  pw->pw_shell = state->sh_buffer_;
  pw->pw_uid   = uid;
  pw->pw_gid   = uid;
  return pw;
}

static void print_app_name_from_uid(const uid_t uid, char* buffer, const int bufferlen) {
  const uid_t appid = uid % AID_USER;
  const uid_t userid = uid / AID_USER;
  if (appid >= AID_ISOLATED_START) {
    snprintf(buffer, bufferlen, "u%u_i%u", userid, appid - AID_ISOLATED_START);
  } else if (appid < AID_APP) {
    for (size_t n = 0; n < android_id_count; n++) {
      if (android_ids[n].aid == appid) {
        snprintf(buffer, bufferlen, "u%u_%s", userid, android_ids[n].name);
        return;
      }
    }
  } else {
    snprintf(buffer, bufferlen, "u%u_a%u", userid, appid - AID_APP);
  }
}

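With this function in view, it all falls into place. From the macro definitions and the arithmetic above, it is easy to work out:

  • The app's uid / 100000 gives the userid, which fills the x in ux.
  • The app's uid minus 10000 gives the appid, which fills the xx in axx.
  • For example, if an app's uid is 10022, then the userid is 10022/100000 = 0 and the appid is 10022-10000 = 22, so the UID string that ps prints is u0_a22.

So where in the system can this UID be looked up? In PKMS, of course; packages.list, for example, contains it.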

com.gd.mobicore.pa 10047 0 /data/data/com.gd.mobicore.pa platform 3003
com.qualcomm.qti.auth.sampleextauthservice 10049 0 /data/data/com.qualcomm.qti.auth.sampleextauthservice platform none
com.cootek.smartinputv5.language.indonesian 10062 0 /data/data/com.cootek.smartinputv5.language.indonesian default none
com.qrd.omadownload 10036 0 /data/data/com.qrd.omadownload platform 3003
com.cootek.smartinputv5.language.vietnam 10072 0 /data/data/com.cootek.smartinputv5.language.vietnam default none
com.android.providers.telephony 1001 0 /data/data/com.android.providers.telephony platform 2001,1005,3002,1023,1015,3003,3001,3009,3006
com.cootek.smartinputv5.language.cangjie 10059 0 /data/data/com.cootek.smartinputv5.language.cangjie default none
com.android.providers.calendar 10001 0 /data/data/com.android.providers.calendar default 3003
com.android.providers.media 10006 0 /data/data/com.android.providers.media default 2001,1023,1015,3003,1024,3007
com.qti.service.colorservice 1000 0 /data/data/com.qti.service.colorservice platform 2001,3002,1023,1015,3003,3001,1021,3004,3005,1000,2002,3009,1010
com.qualcomm.shutdownlistner 10053 0 /data/data/com.qualcomm.shutdownlistner platform none
com.android.wallpapercropper 10016 0 /data/data/com.android.wallpapercropper platform none
com.quicinc.cne.CNEService 1000 0 /data/data/com.quicinc.cne.CNEService platform 2001,3002,1023,1015,3003,3001,1021,3004,3005,1000,2002,3009,1010
com.android.protips 10043 0 /data/data/com.android.protips default none
com.qualcomm.qti.phonefeature 1001 0 /data/data/com.qualcomm.qti.phonefeature platform 2001,1005,3002,1023,1015,3003,3001,3009,3006
com.cootek.smartinputv5.language.marathi 10063 0 /data/data/com.cootek.smartinputv5.language.marathi default none
org.simalliance.openmobileapi.service 1000 0 /data/data/org.simalliance.openmobileapi.service platform 2001,3002,1023,1015,3003,3001,1021,3004,3005,1000,2002,3009,1010
com.android.documentsui 10028 0 /data/data/com.android.documentsui platform none
com.android.externalstorage 10007 0 /data/data/com.android.externalstorage platform 1023,1015
com.cootek.smartinputv5.language.spanishlatin 10066 0 /data/data/com.cootek.smartinputv5.language.spanishlatin default none
com.qualcomm.uimremoteclient 1001 0 /data/data/com.qualcomm.uimremoteclient platform 2001,1005,3002,1023,1015,3003,3001,3009,3006
com.android.htmlviewer 10030 0 /data/data/com.android.htmlviewer default none
com.qualcomm.ftm 10029 0 /data/data/com.qualcomm.ftm platform none
com.qualcomm.sta 1000 0 /data/data/com.qualcomm.sta platform 2001,3002,1023,1015,3003,3001,1021,3004,3005,1000,2002,3009,1010
com.qualcomm.svi 1000 0 /data/data/com.qualcomm.svi platform 2001,3002,1023,1015,3003,3001,1021,3004,3005,1000,2002,3009,1010
com.android.deskclock 10027 0 /data/data/com.android.deskclock platform none

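The second column above is each app's UID. We can see that the calendar provider's UID is 10001 and deskclock's is 10027, so the calculation gives USER values of u0_a1 and u0_a27 respectively.

Some readers may ask: all of your output shows u0_axx, so what about entries like u10_axx, where the prefix is u10? I have seen those.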

    /**
     * @hide Range of uids allocated for a user.
     */
    public static final int PER_USER_RANGE = 100000;

    public static final int getUid(int userId, int appId) {
        if (MU_ENABLED) {
            return userId * PER_USER_RANGE + (appId % PER_USER_RANGE);
        } else {
            return appId;
        }
    }

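It is simple: u10_axx is a process running under another user in multi-user mode. Turn on the multi-user switch, switch to guest mode or create a new user, then run ps again; the output is as follows:

// ps output, guest mode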
u0_a34    13056 597   1440200 32780 SyS_epoll_ 7f7dca9ba4 S com.qualcomm.qti.lunarinfo
system    13069 597   1440288 33880 SyS_epoll_ 7f7dca9ba4 S com.qualcomm.timeservice
u10_a42   32319 597   1443772 35444 SyS_epoll_ 7f7dca9ba4 S com.android.printspooler
u10_a8    32341 597   1442188 33064 SyS_epoll_ 7f7dca9ba4 S com.android.managedprovisioning
u10_system 32355 597   1470876 36316 SyS_epoll_ 7f7dca9ba4 S com.android.settings
u10_radio 32388 597   1440252 32800 SyS_epoll_ 7f7dca9ba4 S com.qualcomm.qcrilmsgtunnel
u10_a44   32406 597   1440248 35280 SyS_epoll_ 7f7dca9ba4 S com.android.provision
u10_a14   32419 597   1453712 44656 SyS_epoll_ 7f7dca9ba4 S com.android.systemui
u10_system 32434 597   1448136 37004 SyS_epoll_ 7f7dca9ba4 S com.qualcomm.location.XT
system    32492 1     14332  3832  hrtimer_na 7f964c9594 S /system/bin/ATFWD-daemon

// new user 11
u11_system 3022  591   1440164 33184 SyS_epoll_ 7f96147ba4 S com.qualcomm.qti.notificationservice
u11_a37   3035  591   1447512 35676 SyS_epoll_ 7f96147ba4 S com.oma.drm
u11_radio 3050  591   1451772 39164 SyS_epoll_ 7f96147ba4 S com.android.phone
u11_a45   3063  594   878888 36016 SyS_epoll_ 00f7427c64 S com.qti.smq.qualcommFeedback
u11_system 3077  591   1441432 34276 SyS_epoll_ 7f96147ba4 S com.qualcomm.qti.GBAHttpAuthentication.auth
u11_a46   3096  591   1440756 33672 SyS_epoll_ 7f96147ba4 S com.qualcomm.qti.telephonyservice
u11_system 3114  591   1441200 34632 SyS_epoll_ 7f96147ba4 S com.qualcomm.qualcommsettings
u11_radio 3128  591   1442344 34000 SyS_epoll_ 7f96147ba4 S com.qualcomm.qti.rcsbootstraputil
u11_system 3143  591   1441420 34084 SyS_epoll_ 7f96147ba4 S com.qualcomm.telephony

Isn't that neat?
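
The naming rule traced above, in both directions, as an added example (not code from the original post or from bionic): uid_to_name mirrors the lookup order of getpwuid, including the multi-user case, and name_to_uid is a hypothetical inverse helper that turns a ps USER value such as u10_a42 back into the numeric UID, whose remainder modulo 100000 is the value listed in packages.list. The ids table is an assumed four-entry subset of android_ids[].

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants as quoted on this page; ids[] is an illustrative subset of android_ids[]. */
#define AID_APP            10000u
#define AID_ISOLATED_START 99000u
#define AID_USER           100000u
static const struct { const char *name; unsigned aid; } ids[] = {
    { "root", 0 }, { "system", 1000 }, { "radio", 1001 }, { "shell", 2000 } };

/* uid -> ps USER string. Returns 0 on success, -1 if the uid has no name. */
int uid_to_name(unsigned uid, char *buf, size_t len) {
    unsigned appid = uid % AID_USER, userid = uid / AID_USER;
    for (size_t n = 0; n < sizeof(ids) / sizeof(ids[0]); n++) {
        if (ids[n].aid != appid) continue;
        if (userid == 0) snprintf(buf, len, "%s", ids[n].name);
        else snprintf(buf, len, "u%u_%s", userid, ids[n].name);
        return 0;
    }
    if (appid < AID_APP) return -1;            /* unnamed system-range id */
    if (appid >= AID_ISOLATED_START)
        snprintf(buf, len, "u%u_i%u", userid, appid - AID_ISOLATED_START);
    else
        snprintf(buf, len, "u%u_a%u", userid, appid - AID_APP);
    return 0;
}

/* ps USER string -> numeric uid (hypothetical inverse); -1 if not recognised. */
long long name_to_uid(const char *s) {
    unsigned long userid = 0, idx;
    char *e;
    if (s[0] == 'u' && isdigit((unsigned char)s[1])) { /* "u<digits>_" prefix */
        userid = strtoul(s + 1, &e, 10);
        if (*e != '_' || userid >= UINT_MAX / AID_USER) return -1;
        s = e + 1;
        if ((*s == 'a' || *s == 'i') && isdigit((unsigned char)s[1])) {
            unsigned lo = *s == 'a' ? AID_APP : AID_ISOLATED_START;
            unsigned hi = *s == 'a' ? AID_ISOLATED_START : AID_USER;
            idx = strtoul(s + 1, &e, 10);
            return (*e || idx >= hi - lo) ? -1 : (long long)(userid * AID_USER + lo + idx);
        }
    }
    for (size_t n = 0; n < sizeof(ids) / sizeof(ids[0]); n++)
        if (strcmp(s, ids[n].name) == 0) return (long long)(userid * AID_USER + ids[n].aid);
    return -1;
}
```

Out-of-range indexes such as u0_a99999 are rejected rather than mapped, because an app index of 89000 or more would land in the isolated-process range.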

posted @ 2018-08-09 10:58  mail181