Android权限机制(一) 权限的申请与保存

Android系统采用了sandboxes的安全机制,每个app有对应的PID,UID,资源,数据,以及基本的API。当app需要sandbox没有提供的额外API时,需要声明权限。

在本文中,我们将会探究apk申请的权限信息是如何被保存到系统中的。

 

一、声明权限

1. 在AndroidManifest.xml中声明权限

AndroidManifest.xml位于工程根目录下

在<activity>标签之前声明权限

  • 声明了app所需要用到的权限
  • Android要求权限必须在manifest文件中明确声明,不允许在运行时动态声明

2. “最少权限原则”

  • 如无需要,不要申请
  • 更少的权限,对于system和app都更加安全
    • 有些API可能会被恶意攻击
  • GooglePlay会根据来选择对应设备
    • 权限更少,面向的设备类型更多

参考:AndroidDeveloper->SecurityTips->Using Permissions

 

二、PackageManagerService的构造流程

  • SystemServer会调用PackageManagerService(PKMS)的main方法,构造出对象
  • PKMS会扫描/system/app, /system/priv-app, /data/app, …等目录下的apk
  • apk的AndroidManifest信息会动态保存在PKMS的属性成员中

 

三、APK的安装流程

  • adbd是Deamon进程,监听host端的adb命令
  • adbd发送shell命令启动脚本pm (exec)
  • pm.jar的main方法被执行

  • 将apk拷贝到/data/app/下,开始解析AndroidManifest标签信息
  • 与PKMS构造器类似地,调用parsePackage()和scanPackageLI()处理

 

四、两个数据结构:PackageParser.Package和Settings.mUserIds

1. PackageParser.Package

PKMS中mPackages对应的类型是:

// Keys are String (package name), values are Package.  This also serves
// as the lock for the global state.  Methods that must be called with
// this lock held have the prefix "LP".
final HashMap<String, PackageParser.Package> mPackages =
        new HashMap<String, PackageParser.Package>();

部分属性成员和方法如下:

从上面两个流程,我们可以看到在PackageManagerService(PKMS)启动(即SystemServer启动)与安装apk时,PKMS都会调用PackageParser::parsePackage()和scanPackageLI()方法。

那么下面我们就来分析一下这两个方法的作用:

/frameworks/base/core/java/android/content/pm/PackageParser.java

PackageParser.Package.parsePackage():

private Package parsePackage(
    Resources res, XmlResourceParser parser, int flags, String[] outError)
    throws XmlPullParserException, IOException {

    String pkgName = parsePackageName(parser, attrs, flags, outError);

    final Package pkg = new Package(pkgName);
    // ...
    int outerDepth = parser.getDepth();
    while ((type = parser.next()) != XmlPullParser.END_DOCUMENT
            && (type != XmlPullParser.END_TAG || parser.getDepth() > outerDepth)) {
        if (type == XmlPullParser.END_TAG || type == XmlPullParser.TEXT) {
            continue;
        }

        String tagName = parser.getName();
        if (tagName.equals("application")) {
            // ...
            }
        } /* ... */ else if (tagName.equals("uses-permission")) {
            if (!parseUsesPermission(pkg, res, parser, attrs, outError)) {
                return null;
            }
        }
    }
    // ...

    return pkg;
}

通过AndroidManifest.xml来获得package名字,然后解析xml文件的tag,并调用相应的方法。 如"uses-permission"标签对应调用parseUsesPermission()方法。

/frameworks/base/core/java/android/content/pm/PackageParser.java

PackageParser.parseUsesPermission():

private boolean parseUsesPermission(Package pkg, Resources res, XmlResourceParser parser,
                                    AttributeSet attrs, String[] outError)
        throws XmlPullParserException, IOException {

    // ...

    if ((maxSdkVersion == 0) || (maxSdkVersion >= Build.VERSION.RESOURCES_SDK_INT)) {
        if (name != null) {
            int index = pkg.requestedPermissions.indexOf(name);
            if (index == -1) {
                pkg.requestedPermissions.add(name.intern());
                pkg.requestedPermissionsRequired.add(required ? Boolean.TRUE : Boolean.FALSE);
            } else {
                if (pkg.requestedPermissionsRequired.get(index) != required) {
                    outError[0] = "conflicting <uses-permission> entries";
                    mParseError = PackageManager.INSTALL_PARSE_FAILED_MANIFEST_MALFORMED;
                    return false;
                }
            }
        }
    }

    XmlUtils.skipCurrentTag(parser);
    return true;
}

parseUsesPermission()判断permission是否已经保存,如果没有则add到pkg的requestedPermissions(ArrayList)中。

下面我们继续看scanPackageLI()方法:

/frameworks/base/services/java/com/android/server/pm/PackageManagerService.java

PackageManagerService.scanPackageLI(PackageParser.Package, ...)

private PackageParser.Package scanPackageLI(PackageParser.Package pkg,
        int parseFlags, int scanMode, long currentTime, UserHandle user) {

    // 判断apk是否已经安装过,跳过重复安装
    // 检查非system app的库是否被映射到正确的路径上
    // 检查是否需要重命名原来的Package Name
    // 为新的apk创建PackageSetting
    // 验证apk的signature
    // 验证apk的ContentProvider是否与已存在的apk的有冲突
    // 把apk的库解压复制到对应目录中

    // writer
    synchronized (mPackages) {
        // We don't expect installation to fail beyond this point,
        if ((scanMode&SCAN_MONITOR) != 0) {
            mAppDirs.put(pkg.mPath, pkg);
        }
        // Add the new setting to mSettings
        mSettings.insertPackageSettingLPw(pkgSetting, pkg);
        // Add the new setting to mPackages
        mPackages.put(pkg.applicationInfo.packageName, pkg);
        // Make sure we don't accidentally delete its data.
        final Iterator<PackageCleanItem> iter = mSettings.mPackagesToBeCleaned.iterator();
        while (iter.hasNext()) {
            PackageCleanItem item = iter.next();
            if (pkgName.equals(item.packageName)) {
                iter.remove();
            }
        }

        // Just create the setting, don't add it yet. For already existing packages
        // the PkgSetting exists already and doesn't have to be created.
        // 安装新apk时,会最终调用到newUserIdLPw()
        pkgSetting = mSettings.getPackageLPw(pkg, origPackage, realName, suid, destCodeFile,
                destResourceFile, pkg.applicationInfo.nativeLibraryDir,
                pkg.applicationInfo.flags, user, false);

        // ...
    }

    // ...
}

2. Settings

在Android中有多个名为Settings的类,此Settings为com.android.server.pm.Settings。

其中,mUserIds属性保存着uid的重要信息。

2.1. addUserIdLPw()

从PKMS构造的时序图可以看出,在PKMS进行scanDirLI之前,会先后调用Settings的addSharedUserLPw()和readLPw()。

public PackageManagerService(Context context, Installer installer,
        boolean factoryTest, boolean onlyCore) {
    // ...

    mSettings = new Settings(context);
    mSettings.addSharedUserLPw("android.uid.system",
            Process.SYSTEM_UID, ApplicationInfo.FLAG_SYSTEM);
    mSettings.addSharedUserLPw("android.uid.phone", RADIO_UID, ApplicationInfo.FLAG_SYSTEM);
    mSettings.addSharedUserLPw("android.uid.log", LOG_UID, ApplicationInfo.FLAG_SYSTEM);
    mSettings.addSharedUserLPw("android.uid.nfc", NFC_UID, ApplicationInfo.FLAG_SYSTEM);
    mSettings.addSharedUserLPw("android.uid.bluetooth", BLUETOOTH_UID, ApplicationInfo.FLAG_SYSTEM);
    mSettings.addSharedUserLPw("android.uid.shell", SHELL_UID, ApplicationInfo.FLAG_SYSTEM);

    synchronized (mInstallLock) {
    // writer
    synchronized (mPackages) {
        // ...

        sUserManager = new UserManagerService(context, this,
                mInstallLock, mPackages);

        readPermissions();

        mFoundPolicyFile = SELinuxMMAC.readInstallPolicy();

        mRestoredSettings = mSettings.readLPw(this, sUserManager.getUsers(false),
                mSdkVersion, mOnlyCore);

addSharedUserLPw()方法的作用是如果某个app的AndroidManifest中声明android:sharedUserId="com.android.process",则它的uid与属性值中的进程uid一样。
当然,前提是两者的apk签名(signature)相同。

这样,该进程就能获得uid的权限。

而readLPw()则是创建新的uid。无论是调用addSharedUserLPw()还是readLPw(),最终都会调用到addUserIdLPw()。

private boolean addUserIdLPw(int uid, Object obj, Object name) {
    if (uid > Process.LAST_APPLICATION_UID) {
        return false;
    }

    if (uid >= Process.FIRST_APPLICATION_UID) {
        int N = mUserIds.size();
        final int index = uid - Process.FIRST_APPLICATION_UID;
        while (index >= N) {
            mUserIds.add(null);
            N++;
        }
        if (mUserIds.get(index) != null) {
            PackageManagerService.reportSettingsProblem(Log.ERROR,
                    "Adding duplicate user id: " + uid
                    + " name=" + name);
            return false;
        }
        mUserIds.set(index, obj);
    } else {
        if (mOtherUserIds.get(uid) != null) {
            PackageManagerService.reportSettingsProblem(Log.ERROR,
                    "Adding duplicate shared id: " + uid
                    + " name=" + name);
            return false;
        }
        mOtherUserIds.put(uid, obj);
    }

mUserIds是一个ArrayList,以uid减去FIRST_APPLICATION_UID的值为下标索引,而对应的obj是Object类型,实际上是PackageSetting
(PackageSetting继承于PackageSettingBase,
而PackageSettingBase继承于GrantedPermissions。
GrantedPermissions中有一个类型为HashSet的grantedPermissions,存放着权限的String)

2.2. newUserIdLPw()

上面的addUserIdLPw,是在PKMS启动时调用的。而安装新apk时,调用的是newUserIdLPw。

private PackageParser.Package scanPackageLI(PackageParser.Package pkg,
        int parseFlags, int scanMode, long currentTime, UserHandle user) {

    // writer
    synchronized (mPackages) {

        // Just create the setting, don't add it yet. For already existing packages
        // the PkgSetting exists already and doesn't have to be created.
        // 为新的APK创建PackageSetting
        pkgSetting = mSettings.getPackageLPw(pkg, origPackage, realName, suid, destCodeFile,
                destResourceFile, pkg.applicationInfo.nativeLibraryDir,
                pkg.applicationInfo.flags, user, false);
        if (pkgSetting == null) {
            Slog.w(TAG, "Creating application package " + pkg.packageName + " failed");
            mLastScanError = PackageManager.INSTALL_FAILED_INSUFFICIENT_STORAGE;
            return null;
        }
    }            
}

最终会调用到newUserIdLPw():

private int newUserIdLPw(Object obj) {
    // Let's be stupidly inefficient for now...
    final int N = mUserIds.size();
    for (int i = 0; i < N; i++) {
        if (mUserIds.get(i) == null) {
            mUserIds.set(i, obj);
            return Process.FIRST_APPLICATION_UID + i;
        }
    }

    // None left?
    if (N > (Process.LAST_APPLICATION_UID-Process.FIRST_APPLICATION_UID)) {
        return -1;
    }

    mUserIds.add(obj);
    return Process.FIRST_APPLICATION_UID + N;
} 

如果新安装的apk具有android:sharedUserId的话,scanPackageLI()中将会调用getSharedUserLPw(),最终还是会调用到newUserIdLPw(),这一段我们就不再详细探究。

通过以上的分析,我们可以得出以下结论:

  • SystemServer启动时与安装apk时都会扫描apk
  • 扫描后得到的标签信息保存到PKMS.mPackages和Settings.mUserIds中,而不是文件中
  • 标签信息存放到两个不同的数据结构,应该是有不同的应用场合

 

五、通过PackageManager获得PackageInfo

保存了apk的信息之后,我们就可以通过PackageManager来间接获得PKMS中的这些信息。 PackageManager.getPackageInfo()是Android API level 1的公开接口:

public abstract PackageInfo getPackageInfo(String packageName, int flags)

通过AIDL,PKMS的getPackageInfo()会被调用到:

/frameworks/base/services/java/com/android/server/pm/PackageManagerService.java

PackageManagerService.getPackageInfo()

@Override
public PackageInfo getPackageInfo(String packageName, int flags, int userId) {
    if (!sUserManager.exists(userId)) return null;
    enforceCrossUserPermission(Binder.getCallingUid(), userId, false, "get package info");
    // reader
    synchronized (mPackages) {
        PackageParser.Package p = mPackages.get(packageName);
        if (DEBUG_PACKAGE_INFO)
            Log.v(TAG, "getPackageInfo " + packageName + ": " + p);
        if (p != null) {
            return generatePackageInfo(p, flags, userId);
        }
        if((flags & PackageManager.GET_UNINSTALLED_PACKAGES) != 0) {
            return generatePackageInfoFromSettingsLPw(packageName, flags, userId);
        }
    }
    return null;
}

这样,apk的<uses-permission>信息也就能够被第三方app获取到了。

posted on 2014-06-23 21:22  JacobChen2012  阅读(855)  评论(0编辑  收藏  举报

导航