Android 10 设置安装白名单,禁止其他app安装
前言
在进行 frameworks 定制开发的时候,客户要求系统支持应用白名单(包名和签名 sha256),app 安装时需校验白名单规则。参考多位大神的博客,总结了一个方法。
一、问题解决
1.分析问题
应用安装有多种方法
1、 直接调用安装接口。
2、通过命令进行安装 pm install
通过加打印发现,在 PMS 中无论是 adb shell 安装还是代码调用安装,都会走 preparePackageLI 方法。
可以在 preparePackageLI 方法执行安装前,先判断是否为白名单内的包名,再决定是否继续安装。最终选择通过遍历文件内保存的包名,来确定是否是白名单内的应用。注意:下面的实现只比对包名,并未校验签名 sha256。
2.解决问题
路径:
frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
+++ a/android/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/android/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -307,6 +307,7 @@ import com.android.server.SystemServerInitThreadPool;
import com.android.server.Watchdog;
import com.android.server.net.NetworkPolicyManagerInternal;
import com.android.server.pm.Installer.InstallerException;
+import com.android.server.pm.PackageManagerService.PostInstallData;
import com.android.server.pm.Settings.DatabaseVersion;
import com.android.server.pm.Settings.VersionInfo;
import com.android.server.pm.dex.ArtManagerService;
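Review bot: The added `import com.android.server.pm.PackageManagerService.PostInstallData;` is not referenced by any line this patch adds, and it names a nested class of the very file being patched, so it looks like an IDE auto-import. Drop it to keep the framework diff limited to the two `java.io` imports the new helper needs.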
@@ -339,6 +340,7 @@ import org.xmlpull.v1.XmlPullParserException;
import org.xmlpull.v1.XmlSerializer;
import java.io.BufferedOutputStream;
+import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
@@ -347,6 +349,7 @@ import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FilenameFilter;
import java.io.IOException;
+import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
@@ -17405,7 +17408,36 @@ public class PackageManagerService extends IPackageManager.Stub
return this;
}
}
+ /*add for installer white list*/
+ private boolean isInstallerEnable(String packagename){
+ ArrayList<String> whiteListApp = new ArrayList<String>();
+ try{
+ BufferedReader br = new BufferedReader(new InputStreamReader(
+ new FileInputStream("/vendor/etc/WhiteListAppFilter.properties")));
+
+ String line ="";
+ while ((line = br.readLine()) != null){
+ whiteListApp.add(line);
+ }
+
+ br.close();
+ }catch(java.io.FileNotFoundException ex){
+ return false;
+ }catch(java.io.IOException ex){
+ return false;
+ }
+
+ Iterator<String> it = whiteListApp.iterator();
+
+ while (it.hasNext()) {
+ String whitelisItem = it.next();
+ if (whitelisItem.equals(packagename)) {
+ return true;
+ }
+ }
+ return false;
+ }
@GuardedBy("mInstallLock")
private PrepareResult preparePackageLI(InstallArgs args, PackageInstalledInfo res)
throws PrepareFailure {
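Review bot: `isInstallerEnable` leaks the `BufferedReader` when `readLine()` throws, because `br.close()` sits inside the `try` and is skipped on the `IOException` path; per the later hunk this helper is called from `preparePackageLI` on each install. Lines are also compared untrimmed, so a trailing space or a CRLF line ending in `/vendor/etc/WhiteListAppFilter.properties` makes a listed package fail the match, and both catch blocks return false without logging, which makes an unreadable file indistinguishable from a non-listed package. The rewrite below uses try-with-resources, trims each line, matches while reading instead of building a list first, and logs the read failure while still failing closed. The helper lies entirely inside this hunk; the `preparePackageLI` signature after it is unchanged context whose body continues outside.

```java
private boolean isInstallerEnable(String packagename) {
    try (BufferedReader br = new BufferedReader(new InputStreamReader(
            new FileInputStream("/vendor/etc/WhiteListAppFilter.properties")))) {
        String line;
        while ((line = br.readLine()) != null) {
            // Tolerate trailing whitespace / CRLF in the list file.
            if (line.trim().equals(packagename)) {
                return true;
            }
        }
    } catch (java.io.IOException ex) {
        // Fail closed, but leave a trace: FileNotFoundException is an IOException too.
        Slog.w(TAG, "Cannot read install whitelist", ex);
    }
    return false;
}
```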
@@ -17545,6 +17577,12 @@ public class PackageManagerService extends IPackageManager.Stub
throw new PrepareFailure("Failed collect during installPackageLI", e);
}
+ // add for installer enable/disable
+ if (!isInstallerEnable(pkg.packageName)) {
+ throw new PrepareFailure(INSTALL_FAILED_INSTANT_APP_INVALID, "app is not in the whitelist. packageName");
+
+ }
+
if (instantApp && pkg.mSigningDetails.signatureSchemeVersion
< SignatureSchemeVersion.SIGNING_BLOCK_V2) {
Slog.w(TAG, "Instant app package " + pkg.packageName
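Review bot: The new gate accepts any APK whose manifest declares a whitelisted name, because `isInstallerEnable(pkg.packageName)` compares only the package name, which the APK supplies itself; the requirement stated in the post is package name plus signing-certificate SHA-256. The check sits after the certificate-collection step (the `Failed collect during installPackageLI` catch just above) and `pkg.mSigningDetails` is read in the next statement, so the signer information appears to be available here and its digest should be compared against a value stored next to each whitelist entry. Separately, `INSTALL_FAILED_INSTANT_APP_INVALID` reports an instant-app problem to the caller and the message contains the literal text `packageName`; something like `throw new PrepareFailure(INSTALL_FAILED_VERIFICATION_FAILURE, "app is not in the whitelist: " + pkg.packageName);` describes the rejection accurately. `preparePackageLI` starts and ends outside this hunk.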
将文件copy到vendor/etc里面去
--- diff --git a/android/device/softwinner/m133/kernel b/android/device/softwinner/m133/kernel
index a067f32494..e95dd83f97 100755
Binary files a/android/device/softwinner/m133/kernel and b/android/device/softwinner/m133/kernel differ
diff --git a/android/device/softwinner/m133/m133.mk b/android/device/softwinner/m133/m133.mk
index c24c5e275d..f351923ad6 100755
--- a/android/device/softwinner/m133/m133.mk
+++ b/android/device/softwinner/m133/m133.mk
@@ -198,7 +198,8 @@ PRODUCT_COPY_FILES += \
$(LOCAL_PATH)/language/zh_CN_2018030706.zip:/product/usr/share/ime/google/d3_lms/zh_CN_2018030706.zip \
device/softwinner/m133/sunxi-ir.kl:system/usr/keylayout/sunxi-ir.kl \
device/softwinner/m133/spidev_test:system/bin/spidev_test \
- device/softwinner/m133/spidev_fdx:system/bin/spidev_fdx
+ device/softwinner/m133/spidev_fdx:system/bin/spidev_fdx \
+ device/softwinner/m133/WhiteListAppFilter.properties:/vendor/etc/WhiteListAppFilter.properties
PRODUCT_COPY_FILES += \
$(LOCAL_PATH)/configs/camera.cfg:$(TARGET_COPY_OUT_VENDOR)/etc/camera.cfg \
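Review bot: The new `PRODUCT_COPY_FILES` entry hard-codes the destination as `/vendor/etc/WhiteListAppFilter.properties` with a leading slash, while the block right after it writes vendor destinations as `$(TARGET_COPY_OUT_VENDOR)/etc/...`. Using `device/softwinner/m133/WhiteListAppFilter.properties:$(TARGET_COPY_OUT_VENDOR)/etc/WhiteListAppFilter.properties` keeps the file on the vendor partition even if the product changes its vendor output directory. The path read in `PackageManagerService` is a string literal, so the two have to be kept in step by hand; a comment next to this entry saying so would help.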
文件内容
com.iflytek.speechcloud
//表示只有讯飞语音可以安装
效果
非白名单内的 app 安装时,会先显示拒绝。之后通过 echo 将讯飞输入法的包名写入白名单;因为 vendor 属于系统目录,需要先 su,再执行 mount -o rw,remount /vendor,才能进行文件修改(此方式需要 root 权限,一般仅用于调试验证)。
最终效果,安装成功
总结
分析应用安装流程,找到合适的位置,进行白名单的判断,最终达到客户想要的效果。白名单的保存方式有很多,可以通过数据库、属性等来保存,我这种通过文件保存的方式只是其中之一,大家可以自行选择。
每日赠言
有位智者说,学习是为了完善人生,而非享乐人生。追求卓越,成功自会随你而来