Android T(13) The app is granted permissions by default
对比Android11,frameworks\base\services\core\java\com\android\server\pm\permission文件夹下,多了个PermissionManagerServiceImpl.java.
有一部分关于权限的处理,移到了这个文件中.比如:restorePermissionState(...)
all app granted permissions by default
+++ b/frameworks/base/services/core/java/com/android/server/pm/permission/Permission.java
@@ -206,12 +206,18 @@ public final class Permission {
}
public boolean isNormal() {
- return (mPermissionInfo.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE)
- == PermissionInfo.PROTECTION_NORMAL;
+ //add text
+ /*return (mPermissionInfo.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE)
+ == PermissionInfo.PROTECTION_NORMAL;*/
+ return true;
+ //add text
}
public boolean isRuntime() {
- return (mPermissionInfo.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE)
- == PermissionInfo.PROTECTION_DANGEROUS;
+ //add text
+ /*return (mPermissionInfo.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE)
+ == PermissionInfo.PROTECTION_DANGEROUS;*/
+ return false;
+ //add text
}
customer's app granted permissions by default
//demo A:
frameworks\base\services\core\java\com\android\server\pm\permission\PermissionManagerServiceImpl.java
/**
* Restore the permission state for a package.
*
* <ul>
* <li>During boot the state gets restored from the disk</li>
* <li>During app update the state gets restored from the last version of the app</li>
* </ul>
*
* @param pkg the package the permissions belong to
* @param replace if the package is getting replaced (this might change the requested
* permissions of this package)
* @param packageOfInterest If this is the name of {@code pkg} add extra logging
* @param callback Result call back
* @param filterUserId If not {@link UserHandle.USER_ALL}, only restore the permission state for
* this particular user
*/
private void restorePermissionState(@NonNull AndroidPackage pkg, boolean replace,
@Nullable String packageOfInterest, @Nullable PermissionCallback callback,
@UserIdInt int filterUserId) {
...
else if (bp.isRuntime()) {
boolean hardRestricted = bp.isHardRestricted();
boolean softRestricted = bp.isSoftRestricted();
...
if (wasChanged) {
updatedUserIds = ArrayUtils.appendInt(updatedUserIds, userId);
}
uidState.updatePermissionFlags(bp, MASK_PERMISSION_FLAGS_ALL, flags);
+ //add text
+ String packageName_t = pkg.getPackageName();
+ if(packageName_t.equals("android.xx.xxx")){
+ uidState.revokePermission(bp);//先撤销
+ uidState.updatePermissionFlags(bp, MASK_PERMISSION_FLAGS_ALL, 0);//在更新
+ updatedUserIds = ArrayUtils.appendInt(updatedUserIds, userId);
+ if(uidState.grantPermission(bp)){
+ changedInstallPermission = true;//让RunTime Permission 走 Install Permission 的路
+ }
+ }
+ //add text
} else {
Slog.wtf(LOG_TAG, "Unknown permission protection " + bp.getProtection()
+ " for permission " + bp.getName());
...
}
//demo B :
frameworks/base/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
public void grantDefaultPermissions(int userId) {
DelayingPackageManagerCache pm = new DelayingPackageManagerCache();
grantPermissionsToSysComponentsAndPrivApps(pm, userId);//授予系统组件和PrivApps权限
grantDefaultSystemHandlerPermissions(pm, userId);//授予默认系统处理程序权限
grantSignatureAppsNotificationPermissions(pm, userId);//授予签名应用程序通知权限
grantDefaultPermissionExceptions(pm, userId);//授予默认权限例外
// 默认允许动态权限phone,location
//add text start
grantPermissionsToSystemPackage(NO_PM_CACHE, "com.xxx.xxx", userId,
PHONE_PERMISSIONS, ALWAYS_LOCATION_PERMISSIONS);
//add text end
// Apply delayed state
pm.apply();
}
About Special Permissions
1、普通权限: 不用申请直接能获取到;
比如:INTERNET 网络权限
2、动态权限:普通应用需要动态申请,系统应用直接能获取到;
比如:WRITE_EXTERNAL_STORAGE 读写权限
3、私有权限:也叫特殊权限,声明包名和权限(系统应用才能使用),如果不声明系统无法正确启动
在 frameworks\base\data\etc\privapp-permissions-platform.xml
比如:RECEIVE_WIFI_CREDENTIAL_CHANGE wifi 凭证更改监听 和 CHANGE_OVERLAY_PACKAGES overlay配置权限
<privapp-permissions package="com.android.shell">
<!-- Needed for test only -->
<permission name="android.permission.MODIFY_DAY_NIGHT_MODE"/>
<permission name="android.permission.ACCESS_LOWPAN_STATE"/>
<permission name="android.permission.INSTALL_DYNAMIC_SYSTEM"/>
<permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
<permission name="android.permission.INSTALL_PACKAGES"/>
<!-- Needed for test only -->
4、特殊应用权限:普通应用需要向系统申请(和动态申请不一样),系统应用直接能获取到;
比如:SYSTEM_ALERT_WINDOW 悬浮框权限 和 FINE_LOCATION 定位权限
私有权限影响比较大会导致系统一直重启,特殊应用权限最多导致应用崩溃.二者区别.
a.系统应用代码中设置某个应用获取特殊权限/通过某个开机启动时必走的路径给予权限
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
private void initOppPermission(Context context) {
try {
setPackageAppOpsPermission(context, "com.xx.xx", AppOpsManager.OPSTR_SYSTEM_ALERT_WINDOW);
} catch (Exception e) {
e.printStackTrace();
}
}
//设置特殊权限通过
private void setPackageAppOpsPermission(Context context, String packageName, String opsString) {
AppOpsManager mAppOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
PackageManager manager = context.getPackageManager();
int uid = 1;
try {
ApplicationInfo packageInfo = manager.getApplicationInfo(packageName, 0);
uid = packageInfo.uid;
} catch (Exception e) {
e.printStackTrace();
return;
}
DebugLog.debug("uid = " + uid);
mAppOps.setUidMode(opsString, uid, AppOpsManager.MODE_ALLOWED);
}
// opsString 是特殊权限在AppOpsManager 里面定义的对应的字符串
// uid 应用的uid值
AppOpsManager.setUidMode(opsString, uid, AppOpsManager.MODE_ALLOWED);
//在系统源码中,有的特殊权限是用 setMode 方法设置的
mAppOps.setMode(AppOpsManager.OP_SYSTEM_ALERT_WINDOW, uid,
packageName, AppOpsManager.MODE_ALLOWED);
b.源头处申明
./frameworks/base/core/java/android/app/AppOpsManager.java
private static String[] sOpPerms = new String[] {
android.Manifest.permission.ACCESS_COARSE_LOCATION,
android.Manifest.permission.ACCESS_FINE_LOCATION,
...
AppOpsManager.MODE_ALLOWED, // READ_PHONE_NUMBERS
- AppOpsManager.MODE_DEFAULT, // REQUEST_INSTALL_PACKAGES
+ AppOpsManager.MODE_ALLOWED, // REQUEST_INSTALL_PACKAGES
AppOpsManager.MODE_ALLOWED, // PICTURE_IN_PICTURE
AppOpsManager.MODE_DEFAULT, // INSTANT_APP_START_FOREGROUND
...
}
1.MODE_ALLOWED:访问者可以访问该敏感操作;
2.MODE_IGNORED:访问者不可以访问该敏感操作,但是不会引发crash;
3.MODE_ERRORED:访问者不可以访问该敏感操作,会引发crash;
4.MODE_DEFAULT:访问者来决定访问该敏感操作的准入规则。
c. Android 14 app权限信息
static final AppOpInfo[] sAppOpInfos = new AppOpInfo[]{
...
new AppOpInfo.Builder(OP_READ_PHONE_NUMBERS, OPSTR_READ_PHONE_NUMBERS, "READ_PHONE_NUMBERS")
.setPermission(Manifest.permission.READ_PHONE_NUMBERS)
.setDefaultMode(AppOpsManager.MODE_ALLOWED).build(),
new AppOpInfo.Builder(OP_REQUEST_INSTALL_PACKAGES, OPSTR_REQUEST_INSTALL_PACKAGES,
"REQUEST_INSTALL_PACKAGES").setSwitchCode(OP_REQUEST_INSTALL_PACKAGES)
- .setPermission(Manifest.permission.REQUEST_INSTALL_PACKAGES).build(),
+ .setPermission(Manifest.permission.REQUEST_INSTALL_PACKAGES)
+ .setDefaultMode(AppOpsManager.MODE_ALLOWED).build(),
...
}
//关于权限Activity 入口
/src/com/android/settings/applications/manageapplications/ManageApplications.java
// utility method used to start sub activity
private void startApplicationDetailsActivity() {
switch (mListType) {
case LIST_TYPE_NOTIFICATION:
startAppInfoFragment(AppNotificationSettings.class, R.string.notifications_title);
break;
case LIST_TYPE_USAGE_ACCESS:
startAppInfoFragment(UsageAccessDetails.class, R.string.usage_access);
break;
case LIST_TYPE_STORAGE:
startAppInfoFragment(AppStorageSettings.class, R.string.storage_settings);
break;
case LIST_TYPE_HIGH_POWER:
HighPowerDetail.show(this, mCurrentUid, mCurrentPkgName, INSTALLED_APP_DETAILS);
break;
case LIST_TYPE_OVERLAY:
startAppInfoFragment(DrawOverlayDetails.class, R.string.overlay_settings);
break;
case LIST_TYPE_WRITE_SETTINGS:
startAppInfoFragment(WriteSettingsDetails.class, R.string.write_system_settings);
break;
case LIST_TYPE_MANAGE_SOURCES:
startAppInfoFragment(ExternalSourcesDetails.class,
com.android.settingslib.R.string.install_other_apps);
break;
case LIST_TYPE_GAMES:
startAppInfoFragment(AppStorageSettings.class, R.string.game_storage_settings);
break;
case LIST_TYPE_WIFI_ACCESS:
startAppInfoFragment(ChangeWifiStateDetails.class,
R.string.change_wifi_state_title);
break;
case LIST_MANAGE_EXTERNAL_STORAGE:
startAppInfoFragment(ManageExternalStorageDetails.class,
R.string.manage_external_storage_title);
break;
case LIST_TYPE_ALARMS_AND_REMINDERS:
startAppInfoFragment(AlarmsAndRemindersDetails.class,
com.android.settingslib.R.string.alarms_and_reminders_label);
break;
case LIST_TYPE_MEDIA_MANAGEMENT_APPS:
startAppInfoFragment(MediaManagementAppsDetails.class,
R.string.media_management_apps_title);
...
//所有文件访问权限
com/android/settings/applications/appinfo/ManageExternalStorageDetails.java
/**
* Toggles {@link AppOpsManager#OP_MANAGE_EXTERNAL_STORAGE} for the app.
*/
private void setManageExternalStorageState(boolean newState) {
logSpecialPermissionChange(newState, mPackageName);
mAppOpsManager.setUidMode(AppOpsManager.OP_MANAGE_EXTERNAL_STORAGE,
mPackageInfo.applicationInfo.uid, newState
? AppOpsManager.MODE_ALLOWED : AppOpsManager.MODE_ERRORED);
}
系统签名应用uid=1000的应用,可以设置打开特殊权限,不能关闭特殊权限,否则应用会崩溃报错.
Android13、14特殊权限-应用安装权限适配
Android 特权应用 privapp-permissions 权限解读
在运行时更改应用资源的值 ,Overlay实战
在运行时更改应用资源的值 | Android Open Source Project
//文件架构
Launcher5 //apk存放
Launcher5Overlay //Overlay values资源存放
- res
- Android.mk
- AndroidManifest.xml
//文件内容详解
Android.mk
# 宏控制是否编译Launcher5Overlay
ifeq ($(strip $(HAVE_APP_OVERLAY)), yes)
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
LOCAL_PACKAGE_NAME := Launcher5Overlay
LOCAL_MODULE_TAGS := optional
LOCAL_CERTIFICATE := platform
LOCAL_RESOURCE_DIR := $(LOCAL_PATH)/res
LOCAL_SDK_VERSION := current
LOCAL_AAPT_FLAGS += --auto-add-overlay
LOCAL_IS_RUNTIME_RESOURCE_OVERLAY := true
include $(BUILD_PACKAGE)
endif
AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (C) 2017 Google Inc. All Rights Reserved. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.google.launcher5.overlay">
<overlay android:targetPackage="com.google.launcher5" android:priority="1" android:isStatic="true" />
</manifest>
浙公网安备 33010602011771号