当前位置:   article > 正文

android 权限默认授予,AOSP 权限的默认授予

安卓怎么默认授予signature签名权限

AOSP 权限的默认授予

环境Android 8.1

Android的权限等级分为normal,dangerous,signature,signatureOrSystem

normal是在AndroidManifest中声明即可获取的低风险权限;

dangerous是需要在获取时提示用户的高风险权限,也就是Runtime权限;

signature是request权限的app和声明权限的app签名一致的时候才能自动获去的权限,也叫签名权限/特许权限;

signatureOrSystem在api 23 废弃。

运行时权限

运行时权限的默认授予工作由DefaultPermissionGrantPolicy类的grantDefaultPermissions完成。 调用的时机有2个:

1. 创建新User的时候

void onNewUserCreated(final int userId){

mDefaultPermissionPolicy.grantDefaultPermissions(userId);

// If permission review for legacy apps is required, we represent

// dagerous permissions for such apps as always granted runtime

// permissions to keep per user flag state whether review is needed.

// Hence, if a new user is added we have to propagate dangerous

// permission grants for these legacy apps.

if (mPermissionReviewRequired) {

updatePermissionsLPw(null, null, UPDATE_PERMISSIONS_ALL

| UPDATE_PERMISSIONS_REPLACE_ALL);

}

}

复制代码

2.systemReady的时候

@Override

public void systemReady(){

enforceSystemOrRoot("Only the system can claim the system is ready");

mSystemReady = true;

……

// If we upgraded grant all default permissions before kicking off.

for (int userId : grantPermissionsUserIds) {

mDefaultPermissionPolicy.grantDefaultPermissions(userId);

}

……

}

复制代码

方法实现:

public void grantDefaultPermissions(int userId){

if (mService.hasSystemFeature(PackageManager.FEATURE_EMBEDDED, 0)) {

grantAllRuntimePermissions(userId);

} else {

grantPermissionsToSysComponentsAndPrivApps(userId);

grantDefaultSystemHandlerPermissions(userId);

grantDefaultPermissionExceptions(userId);

}

}

复制代码

其中有四个方法的调用

1.grantAllRuntimePermissions(userId);

调用grantAllRuntimePermissions的前提条件是hasSystemFeature(PackageManager.FEATURE_EMBEDDED, 0),看了一下FEATURE_EMBEDDED的注释,发现是给没有UI的物联网设备的授权。

/**

* Feature for {@link #getSystemAvailableFeatures} and

* {@link #hasSystemFeature}: This is a device for IoT and may not have an UI. An embedded

* device is defined as a full stack Android device with or without a display and no

* user-installable apps.

*/

@SdkConstant(SdkConstantType.FEATURE)

public static final String FEATURE_EMBEDDED = "android.hardware.type.embedded";

复制代码

2.grantPermissionsToSysComponentsAndPrivApps(userId);

private void grantPermissionsToSysComponentsAndPrivApps(int userId){

Log.i(TAG, "Granting permissions to platform components for user " + userId);

synchronized (mService.mPackages) {

for (PackageParser.Package pkg : mService.mPackages.values()) {

if (!isSysComponentOrPersistentPlatformSignedPrivAppLPr(pkg)

|| !doesPackageSupportRuntimePermissions(pkg)

|| pkg.requestedPermissions.isEmpty()) {

continue;

}

grantRuntimePermissionsForPackageLocked(userId, pkg);

}

}

}

复制代码

在不满足条件

!isSysComponentOrPersistentPlatformSignedPrivAppLPr(pkg),

!doesPackageSupportRuntimePermissions(pkg)

和pkg.requestedPermissions.isEmpty()的情况下,

才会对该pkg进行授权,也就是授权的条件是:

isSysComponentOrPersistentPlatformSignedPrivAppLPr && doesPackageSupportRuntimePermissions && !pkg.requestedPermissions.isEmpty()

翻译一下就是:

uid<10000的 或者 是privApp且persistent且系统签名的 其中uid<10000 的如android.uid.system,可以通过通过adb shell ps来看,第一列是system的是<10000的,

SupportRuntimePermissions是application的targetSdkVersion > 22

pkg请求的权限非空

3.grantDefaultSystemHandlerPermissions(userId);

授权具体的权限给业务相关的模块 比如授予STORAGE_PERMISSIONS给Media provider,授予CONTACTS_PERMISSIONS和PHONE_PERMISSIONS 给Contacts等 涉及到的有Installer, Verifier,SetupWizard,Camera,Media provider,Downloads provider,Downloads UI,Storage provider,CertInstaller,Dialer,Sim call manager,SMS,Cell Broadcast Receiver,Carrier Provisioning Service,Calendar,Calendar provider,Calendar provider sync adapters,Contacts,Contacts provider sync adapters,Contacts provider,Device provisioning,Maps,Gallery,Email,Browser,Voice interaction,Voice recognition,Location,Music,Home,Watches,Print Spooler,EmergencyInfo,NFC Tag viewer,Storage Manager,Companion devices,Ringtone Picker

4.grantDefaultPermissionExceptions(userId);

例外的权限授予: 可以通过PRODUCT_COPY_FILES的机制把xml文件copy到目标位置, 读取system/etc/default-permissions/下 和 vendor/etc/default-permissions/下 的xml文件。 像这样定义想要预授权的应用和权限

package="foo.bar.permission">

复制代码

Fixed permissions的意思是固定的权限,就不能再由用户手动更改了

可以通过如下命令查看权限授予的结果:

adb shell pm dump com.xx.xxx | grep permission

值得注意的是,由于在PMS授予权限时,会通过enforceDeclaredAsUsedAndRuntimeOrDevelopmentPermission方法来做检查,所以在default-mega-permissions中添加的权限需要保证在app的AndroidManifest中已声明,且为Runtime或Development权限,这样才能完成默认授予

private static void enforceDeclaredAsUsedAndRuntimeOrDevelopmentPermission(

PackageParser.Package pkg, BasePermission bp){

int index = pkg.requestedPermissions.indexOf(bp.name);

if (index == -1) {

throw new SecurityException("Package " + pkg.packageName

+ " has not requested permission " + bp.name);

}

if (!bp.isRuntime() && !bp.isDevelopment()) {

throw new SecurityException("Permission " + bp.name

+ " is not a changeable permission type");

}

}

复制代码

特许权限

对signature权限的授予,可以参考特许权限白名单

参考/frameworks/base/core/res/AndroidManifest.xml可知,signature有 android.permission.ACCESS_IMS_CALL_SERVICE android.permission.SEND_SMS_NO_CONFIRMATION android.permission.NETWORK_SETTINGS android.permission.ACCOUNT_MANAGER

……

总结一下

想要自动获取Runtime权限(也就是dangerous权限),通过grantDefaultPermissionExceptions

想要要获取特许权限(也就是signature权限),通过特许权限白名单机制

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/很楠不爱3/article/detail/261283
推荐阅读
相关标签
  

闽ICP备14008679号