自定义Android系统级权限组

Android安全模型基于Linux的权限管理,使用沙箱隔离机制将每个应用的进程资源隔离。Android应用程序在安装时赋予一个UID,UID不同的应用程序完全隔离。
另一方面,应用如果想使用某种服务,需要在AndroidManifest.xml中申请。比如,想使用网络的话,需要在AndroidManifest.xml中添加:

<uses-permission android:name="android.permission.INTERNET" />

INTERNET权限将被映射到底层的GID。所以,一个应用有一个UID,可以有多个GID,来获得多个权限。
关于Android权限管理更详细的内容这里就不再赘述了,这方面的资料很多。直接进入正题,如何自定义一个类似于上面的INTERNET的系统级权限组?
我们知道,Android本身支持在应用程序的AndroidManifest.xml中自定义权限,但这种自定义的权限没有被映射到系统底层的用户组中,没有独立的GID。如果在系统中有一个C语言写的服务,只有应用申请了权限才可以使用,我们就需要将这个权限映射到底层。

分析

本文中,作为例子,我们假设有一个C语言实现的功能,它提供say_hello的服务,使用这个服务的应用要在AndroidManifest.xml中添加来申请权限。
AndroidManifest.xml是在安装应用的时候解析的。最终调用的解析函数是
frameworks/base/core/java/android/content/pm/PackageParser.java

    private Package parsePackage(
        Resources res, XmlResourceParser parser, int flags, String[] outError)
        throws XmlPullParserException, IOException {
        ......
        while ((type = parser.next()) != XmlPullParser.END_DOCUMENT
                && (type != XmlPullParser.END_TAG || parser.getDepth() > outerDepth)) {
            if (type == XmlPullParser.END_TAG || type == XmlPullParser.TEXT) {
                continue;
            }

            String tagName = parser.getName();
            if (tagName.equals("application")) {
                ......
            } else if (tagName.equals("keys")) {
                if (!parseKeys(pkg, res, parser, attrs, outError)) {
                    return null;
                }
            } else if (tagName.equals("permission-group")) {
                if (parsePermissionGroup(pkg, flags, res, parser, attrs, outError) == null) {
                    return null;
                }
            } else if (tagName.equals("permission")) {
                if (parsePermission(pkg, res, parser, attrs, outError) == null) {
                    return null;
                }
            } else if (tagName.equals("permission-tree")) {
                if (parsePermissionTree(pkg, res, parser, attrs, outError) == null) {
                    return null;
                }
            } else if (tagName.equals("uses-permission")) {
                if (!parseUsesPermission(pkg, res, parser, attrs, outError)) {
                    return null;
                }                                                                                                                         

            } else if (tagName.equals("uses-configuration")) {
            ......

针对不同标签调用对应的解析函数。对于uses-permission调用的是parseUsesPermission:
frameworks/base/core/java/android/content/pm/PackageParser.java

    private boolean parseUsesPermission(Package pkg, Resources res, XmlResourceParser parser,                                                                                                                 
                                        AttributeSet attrs, String[] outError)
            throws XmlPullParserException, IOException {
        ······

        if ((maxSdkVersion == 0) || (maxSdkVersion >= Build.VERSION.RESOURCES_SDK_INT)) {
            if (name != null) {
                int index = pkg.requestedPermissions.indexOf(name);
                if (index == -1) {
                    pkg.requestedPermissions.add(name.intern());
                    pkg.requestedPermissionsRequired.add(required ? Boolean.TRUE : Boolean.FALSE);
                } else {
                    if (pkg.requestedPermissionsRequired.get(index) != required) {
                        outError[0] = "conflicting <uses-permission> entries";
                        mParseError = PackageManager.INSTALL_PARSE_FAILED_MANIFEST_MALFORMED;
                        return false;
                    }
                }
            }
        }

        XmlUtils.skipCurrentTag(parser);
        return true;
    }

它的工作就是调用pkg.requestedPermissions.add(name.intern());将诸如android.permission.INTERNET这样的字符串添加到pkg.requestedPermissions列表中。
解析完成后,会调用grantPermissionsLPw获取相应的GID:
frameworks/base/services/java/com/android/server/pm/PackageManagerService.java

    private void grantPermissionsLPw(PackageParser.Package pkg, boolean replace) {
        .......
        final int N = pkg.requestedPermissions.size();
        for (int i=0; i<N; i++) {
            final String name = pkg.requestedPermissions.get(i);
            final boolean required = pkg.requestedPermissionsRequired.get(i);
            final BasePermission bp = mSettings.mPermissions.get(name);
            if (DEBUG_INSTALL) {
                if (gp != ps) {
                    Log.i(TAG, "Package " + pkg.packageName + " checking " + name + ": " + bp);
                }
            }

            if (bp == null || bp.packageSetting == null) {
                Slog.w(TAG, "Unknown permission " + name
                        + " in package " + pkg.packageName);
                continue;
            }

            final String perm = bp.name;
            boolean allowed;
            boolean allowedSig = false;
            ......
            if (allowed) {
                ......
                if (allowed) {
                    if (!gp.grantedPermissions.contains(perm)) {
                        changedPermission = true;
                        gp.grantedPermissions.add(perm);
                        gp.gids = appendInts(gp.gids, bp.gids);
                    } else if (!ps.haveGids) {
                        gp.gids = appendInts(gp.gids, bp.gids);
                    }
                } else {
                    Slog.w(TAG, "Not granting permission " + perm
                            + " to package " + pkg.packageName
                            + " because it was previously installed without");
                }
            } else {
                ......
            }
        }
        ......
    }

需要注意的是final BasePermission bp = mSettings.mPermissions.get(name);
mSettings保存了与设定相关的东西,class Settings定义在frameworks/base/services/java/com/android/server/pm/Settings.java中,它的mPermissions成员的类型是HashMap,保存了权限名字到权限信息的映射。BasePermission中有一个int[] gids成员,这就是这个权限对应的gid;还有一个PackageSettingBase类型的packageSetting成员,它指定了声明这个权限的包的配置信息。

定义权限名

那么,mSettings.mPermissions是在什么时候初始化的呢?
PackageManagerService在初始化时,会调用readPermissions();它又调用了readPermissionsFromXml(permFile),permFile文件的文件路径是/etc/permissions/platform.xml,这个文件中定义了底层GID和高层权限名字之间的对应关系:
frameworks/base/data/etc/platform.xml

<permissions>
    ......
    <permission name="android.permission.INTERNET" >
        <group gid="inet" />
    </permission>
    ......
</permissions>

所以我们在这个文件中添加say_hello权限:
frameworks/base/data/etc/platform.xml

    <permission name="android.permission.SAY_HELLO" >
        <group gid="say_hello" />
    </permission>

获取整型GID

回到readPermissionsFromXml函数,对于名字是“permission”的标签,会调用readPermission函数:
frameworks/base/services/java/com/android/server/pm/PackageManagerService.java

    void readPermission(XmlPullParser parser, String name)
            throws IOException, XmlPullParserException {

        name = name.intern();

        BasePermission bp = mSettings.mPermissions.get(name);
        if (bp == null) {
            bp = new BasePermission(name, null, BasePermission.TYPE_BUILTIN);
            mSettings.mPermissions.put(name, bp);
        }
        int outerDepth = parser.getDepth();
        int type; 
        while ((type=parser.next()) != XmlPullParser.END_DOCUMENT
               && (type != XmlPullParser.END_TAG
                       || parser.getDepth() > outerDepth)) {
            if (type == XmlPullParser.END_TAG                                                                                                                                                                 
                    || type == XmlPullParser.TEXT) {
                continue;
            }     

            String tagName = parser.getName();
            if ("group".equals(tagName)) {
                String gidStr = parser.getAttributeValue(null, "gid");
                if (gidStr != null) {
                    int gid = Process.getGidForName(gidStr);
                    bp.gids = appendInt(bp.gids, gid); 
                } else {
                    Slog.w(TAG, "<group> without gid at "
                            + parser.getPositionDescription());
                }
            }
            XmlUtils.skipCurrentTag(parser);
        }
    }

首先将权限的名字添加到mSettings.mPermissions列表中,然后进入while循环,把这个权限对应的所有gid都添加到bp.gids中。gid是调用Process.getGidForName根据gid的名字得到了,在我们的例子中,也就是"say_hello"。getGidForName是Process中的一个native方法:
frameworks/base/core/java/android/os/Process.java

public static final native int getGidForName(String name);

它的实际定义是
frameworks/base/core/jni/android_util_Process.cpp

jint android_os_Process_getGidForName(JNIEnv* env, jobject clazz, jstring name)
{
    ......    
    const size_t N = name8.size();
    if (N > 0) { 
        const char* str = name8.string();
        for (size_t i=0; i<N; i++) {
            if (str[i] < '0' || str[i] > '9') {
                struct group* grp = getgrnam(str);
                if (grp == NULL) {
                    return -1;
                }    
                return grp->gr_gid;
            }    
        }    
        return atoi(str);
    }    
    return -1;
}

它就是根据组名调用getgrnam获取组信息。我们知道,getgrnam是一个C库函数,在Linux中标准定义是根据读取/etc/group文件获取组信息,但在Android中并没有这个文件,那么这个函数是怎么实现的呢?
bionic/libc/bionic/stubs.cpp

static group* android_iinfo_to_group(group* gr,                                                                                                                                                               
                                     const android_id_info* iinfo) {
  gr->gr_name   = (char*) iinfo->name;
  gr->gr_gid    = iinfo->aid;
  gr->gr_mem[0] = gr->gr_name;
  gr->gr_mem[1] = NULL;
  return gr;
}

static group* android_name_to_group(group* gr, const char* name) {
  for (size_t n = 0; n < android_id_count; ++n) {
    if (!strcmp(android_ids[n].name, name)) {
      return android_iinfo_to_group(gr, android_ids + n);
    }
  }
  return NULL;
}

group* getgrnam(const char* name) { // NOLINT: implementing bad function.
  stubs_state_t* state = __stubs_state();
  if (state == NULL) {
    return NULL;
  }

  if (android_name_to_group(&state->group_, name) != 0) {                                                                                                                                                     
    return &state->group_;
  }

  return app_id_to_group(app_id_from_name(name), state);
}

显而易见,它是遍历android_ids数组,查找是否有对应的组。
android_ids的定义在android_filesystem_config.h中
system/core/include/private/android_filesystem_config.h

......
#define AID_INET          3003  /* can create AF_INET and AF_INET6 sockets */
......
static const struct android_id_info android_ids[] = {
......
     { "inet",          AID_INET, },
......
};

这样就把inet字符串和整型值3003关联起来了。所以我们不妨把say_hello的整型gid定义为8001,在android_filesystem_config.h中添加

#define AID_SAY_HELLO          8001

在android_ids数组中添加

{ "say_hello",          AID_SAY_HELLO, },

这样就把字符串的say_hello和数字8001关联起来了。

在android中声明权限

回到readPermissions,readPermissions()完成后会调用scanDirLI扫描系统中安装的apk,它调用scanPackageLI建立每个apk的配置结构PackageSetting(继承于上面提到的PackageSettingBase),并把mSettings.mPermissions中保存的权限与之相关联。然后调用updatePermissionsLPw更新mSettings.mPermissions列表。
frameworks/base/services/java/com/android/server/pm/PackageManagerService.java

    private void updatePermissionsLPw(String changingPkg,
            PackageParser.Package pkgInfo, int flags) {
        ......
        // Make sure all dynamic permissions have been assigned to a package,                                                                                                                                 
        // and make sure there are no dangling permissions.
        it = mSettings.mPermissions.values().iterator();
        while (it.hasNext()) {
            final BasePermission bp = it.next();
            if (bp.type == BasePermission.TYPE_DYNAMIC) {
                if (DEBUG_SETTINGS) Log.v(TAG, "Dynamic permission: name="
                        + bp.name + " pkg=" + bp.sourcePackage
                        + " info=" + bp.pendingInfo);
                if (bp.packageSetting == null && bp.pendingInfo != null) {
                    final BasePermission tree = findPermissionTreeLP(bp.name);
                    if (tree != null && tree.perm != null) {
                        bp.packageSetting = tree.packageSetting;
                        bp.perm = new PackageParser.Permission(tree.perm.owner,
                                new PermissionInfo(bp.pendingInfo));
                        bp.perm.info.packageName = tree.perm.info.packageName;
                        bp.perm.info.name = bp.name;
                        bp.uid = tree.uid;
                    }
                }
            }
            if (bp.packageSetting == null) {
                // We may not yet have parsed the package, so just see if
                // we still know about its settings.
                bp.packageSetting = mSettings.mPackages.get(bp.sourcePackage);
            } else {
            }
            if (bp.packageSetting == null) {
                Slog.w(TAG, "Removing dangling permission: " + bp.name
                        + " from package " + bp.sourcePackage);
                it.remove();
            } else if (changingPkg != null && changingPkg.equals(bp.sourcePackage)) {
                if (pkgInfo == null || !hasPermission(pkgInfo, bp.name)) {
                    Slog.i(TAG, "Removing old permission: " + bp.name
                            + " from package " + bp.sourcePackage);
                    flags |= UPDATE_PERMISSIONS_ALL;
                    it.remove();
                }
            }
        }

可以看到如果权限的packageSetting为空,则将被从列表中删除。所以,只在platform.xml中定义了权限是不够的。必须有包声明这个权限,从而使bp.packageSetting不为空(前面说过,scanPackageLI会将权限和包配置关联起来)。像INTERNET这样的系统权限是在framework-res.apk(包名是android)中声明的:
frameworks/base/core/res/AndroidManifest.xml

    ......
    <!-- Allows applications to open network sockets. -->
    <permission android:name="android.permission.INTERNET"
        android:permissionGroup="android.permission-group.NETWORK"
        android:protectionLevel="dangerous"
        android:description="@string/permdesc_createNetworkSockets"
        android:label="@string/permlab_createNetworkSockets" />
     ......

所以我们也在frameworks/base/core/res/AndroidManifest.xml中添加如下内容:

    <permission android:name="android.permission.SAY_HELLO"
        android:protectionLevel="dangerous" 
        android:label="say hello"
        />

至此,我们就完成了say_hello权限的定义。

实现过程总结

1、在platform.xml中添加
frameworks/base/data/etc/platform.xml

    <permission name="android.permission.SAY_HELLO" >
        <group gid="say_hello" />
    </permission>

2、在android_filesystem_config.h中添加

#define AID_SAY_HELLO          8001

在android_ids数组中添加

{ "say_hello",          AID_SAY_HELLO, },

3、在frameworks/base/core/res/AndroidManifest.xml中添加

    <permission android:name="android.permission.SAY_HELLO"
        android:protectionLevel="dangerous" 
        android:label="say hello"
        />

4、将frameworks/base/data/etc/platform.xml push到/etc/permissions/下
5、执行mmm bionic/libc/ 编译出libc.so,并将其push到/system/lib下
6、执行mmm frameworks/base/core/res/编译出framework-res.apk,并将其push到/system/framework下
完成,可以在android应用中验证成果了!

在底层获取应用的权限

我们的应用场景是在C语言中管理权限,那么如何在C语言中获取各应用的权限呢?
其实,在PackageManagerService初始化所有包信息之后就会调用mSettings.writeLPr()(只要系统中包的信息有改变,比如安装应用,都会调用这个函数)。
frameworks/base/services/java/com/android/server/pm/Settings.java

    void writeLPr() {
           ......
            // Write package list file now, use a JournaledFile.
            File tempFile = new File(mPackageListFilename.getAbsolutePath() + ".tmp");                                                                                                                        
            JournaledFile journal = new JournaledFile(mPackageListFilename, tempFile);

            final File writeTarget = journal.chooseForWrite();
            fstr = new FileOutputStream(writeTarget);
            str = new BufferedOutputStream(fstr);
            try {
                FileUtils.setPermissions(fstr.getFD(), 0660, SYSTEM_UID, PACKAGE_INFO_GID);

                StringBuilder sb = new StringBuilder();
                for (final PackageSetting pkg : mPackages.values()) {
                    if (pkg.pkg == null || pkg.pkg.applicationInfo == null) {
                        Slog.w(TAG, "Skipping " + pkg + " due to missing metadata");
                        continue;
                    }

                    final ApplicationInfo ai = pkg.pkg.applicationInfo;
                    final String dataPath = ai.dataDir;
                    final boolean isDebug = (ai.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
                    final int[] gids = pkg.getGids();

                    // Avoid any application that has a space in its path.
                    if (dataPath.indexOf(" ") >= 0)
                        continue;

                    // we store on each line the following information for now:
                    //
                    // pkgName    - package name
                    // userId     - application-specific user id
                    // debugFlag  - 0 or 1 if the package is debuggable.
                    // dataPath   - path to package's data path
                    // seinfo     - seinfo label for the app (assigned at install time)
                    // gids       - supplementary gids this app launches with
                    //
                    // NOTE: We prefer not to expose all ApplicationInfo flags for now.
                    //
                    // DO NOT MODIFY THIS FORMAT UNLESS YOU CAN ALSO MODIFY ITS USERS
                    // FROM NATIVE CODE. AT THE MOMENT, LOOK AT THE FOLLOWING SOURCES:
                    //   system/core/run-as/run-as.c
                    //   system/core/sdcard/sdcard.c
                    //
                    sb.setLength(0);
                    sb.append(ai.packageName);
                    sb.append(" ");
                    sb.append((int)ai.uid);
                    sb.append(isDebug ? " 1 " : " 0 ");
                    sb.append(dataPath);
                    sb.append(" ");
                    sb.append(ai.seinfo);
                    sb.append(" ");
                    sb.append(" ");
                    if (gids != null && gids.length > 0) {
                        sb.append(gids[0]);
                        for (int i = 1; i < gids.length; i++) {
                            sb.append(",");
                            sb.append(gids[i]);
                        }
                    } else {
                        sb.append("none");
                    }
                    sb.append("\n");
                    str.write(sb.toString().getBytes());
                }
                str.flush();
                FileUtils.sync(fstr);
                str.close();
                journal.commit();
            } catch (Exception e) {
            ......
    }

mPackageListFilename.getAbsolutePath()的结果是/data/system/packages.list,这段代码的任务就是将mPackages中保存的所有包的信息保存到/data/system/packages.list.tmp,保存的内容和格式见注释。如果这个过程没有出错,最后调用journal.commit()将/data/system/packages.list.tmp重命名为/data/system/packages.list覆盖原来的文件。
所以,/data/system/packages.list中保存了所有应用申请的权限,C代码只要读这个文件就能判断某个应用是否申请了我们要求的权限。
通常情况下,在接收到应用的请求时,我们不愿意每次都读取这个文件然后解析、判断这个应用的gids中是否有我们定义的id,更好的做法是将所有申请了权限的包缓存起来,这样就不必每次都读文件。而且,writeLPr更新这个文件的方法是直接用新文件覆盖旧文件,所以我们只需要监听这个文件的删除事件,在事件发生时,更新缓存。下面的代码片段是一个使用这种方法的例子。

const static char *package_list_file = "/data/system/packages.list";/*packages.list文件*/
static int read_package_list() {
    FILE* file = fopen(package_list_file, "r");
    if (!file) {
        return -1;
    }

    char buf[512];                                                                                                                                                                                            
    while (fgets(buf, sizeof(buf), file) != NULL) {
        char package_name[512];
        int appid;
        char gids[512];

        if (sscanf(buf, "%s %d %*d %*s %*s %s", package_name, &appid, gids) == 3) {
            char* package_name_dup = strdup(package_name);
            char* token = strtok(gids, ",");
            /*将appid(也就是应用进程的uid)从缓存中删除*/
            while (token != NULL) {
                if (strtoul(token, NULL, 10) == AID_SAY_HELLO /*权限gid*/) {
                    /*该应用申请了权限,将其添加到缓存中*/
                    break;
                }
                token = strtok(NULL, ",");
            }
        }
    }

    fclose(file);
    return 0;
}

void watch_package_list() {
    struct inotify_event *event;
    char event_buf[512];

    int nfd = inotify_init();
    if (nfd < 0) {
        return;
    }

    bool active = false;
    while (1) {
        if (!active) {
            int res = inotify_add_watch(nfd, package_list_file, IN_DELETE_SELF);/*监听删除事件*/
            if (res == -1) {
                if (errno == ENOENT || errno == EACCES) {
                    sleep(3);
                    continue;
                } else {
                    return;
                }
            }

            if (read_package_list() == -1) {
                return;
            }
            active = true;
        }

        int event_pos = 0;
        int res = read(nfd, event_buf, sizeof(event_buf));
        if (res < (int) sizeof(*event)) {
            if (errno == EINTR)
                continue;
            return;
        }

        while (res >= (int) sizeof(*event)) {
            int event_size;
            event = (struct inotify_event *) (event_buf + event_pos);

            if ((event->mask & IN_IGNORED) == IN_IGNORED) {
                active = false;
            }

            event_size = sizeof(*event) + event->len;
            res -= event_size;
            event_pos += event_size;
        }
    }
}                              
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值