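Application and System Permission Management Implementation - Based on the android 7.1.1.r13 Source
I. Services and Architecture Involved in Android Permission Management
1. The services involved in permission management are permission: [android.os.IPermissionController]; activity: [android.app.IActivityManager]; package: [android.content.pm.IPackageManager]. The dependency chain is that permission depends on functions implemented by activity, and those activity functions depend on the package service.
2. The dependency architecture is shown in the figure below:
3. The functions that do the actual work are in ActivityManager.java (framework/base/core/java/android/app/ActivityManager.java) and Settings.java (framework/base/services/core/java/com/android/server/pm/PackageManagerService.java)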
II. Binder Service Usage in the Native Layer - android.os.IPermissionController
1. C++ implementation of the binder service
(1) The shared library is libbinder.so, which compiles IPermissionController.cpp, PermissionCache.cpp and IServiceManager.cpp; IServiceManager.cpp implements the call to the permission service.
(2) PermissionCache.cpp contains the function checkPermission, which performs the actual permission check by calling android::checkPermission(xxx).
(3) The function android::checkPermission(xxxx) called from PermissionCache.cpp is implemented by calling checkPermission(xxx, pid, uid) in IServiceManager.cpp (code path: framework/native/libs/binder/IServiceManager.cpp), which sends a binder request that is answered by the checkPermission(xxxx) function (a native C++ function calling a Java binder service):
(4) To bridge to the Java binder service, a corresponding C++ binder interface has to be defined. The code paths for the C++ binder interface IPermissionController.cpp are: framework/native/include/binder/IPermissionController.h and framework/native/libs/binder/IPermissionController.cpp
(5) PermissionCache::checkPermission and IServiceManager::checkPermission(xxx) are called in the native layer, for example by SensorService; code path: ./native/services/sensorservice/xxxx
III. Binder Service in the Java Layer - android.os.IPermissionController
1. Java implementation of binder service registration - permission
(1) The code path is framework/base/services/core/java/com/android/server/am/ActivityManagerService.java. The system's permission service is registered by calling setSystemProcess(), which is ultimately called by startBootstrapServices() in framework/./base/services/java/com/android/server/SystemServer.java:
(2) The object registered for the service is new PermissionController (ActivityManagerService.class); the class is implemented in framework/base/services/core/java/com/android/server/am/ActivityManagerService.java as a static inner class:
(3) The abstract class IPermissionController.Stub is generated automatically from IPermissionController.aidl; the path of this interface file is: ./base/core/java/android/os/IPermissionController.aidl
2. Java implementation of the binder service - Permission
(1) The binder service is implemented by the checkPermission(xxxx) function in ActivityManagerService.java:
(2) The permission check is done by calling the static function checkComponentPermission(xxxx) of ActivityManager.java, and the actual work is done by calling AppGlobals.getPackageManager().checkUidPermission(xxxx); that interface is obtained through the binder service "package". Code path: ./base/core/java/android/app/ActivityManager.java:
(3) This function uses two utility classes, UserHandle and AppGlobals, through the functions UserHandle.getAppId(uid) and AppGlobals.getPackageManager():
(4) The function ActivityThread.getPackageManager() obtains the service through Binder in ActivityThread.java; the service name is "package", and the code path is: ./base/core/java/android/app/ActivityThread.java:
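3. Java implementation of the binder service - Package
(1) The interface file for the package service is: ./base/core/java/android/content/pm/IPackageManager.aidl
(2) The IPackageManager interface is implemented in ./base/services/core/java/com/android/server/pm/PackageManagerService.java. The interface is implemented through the mSettings.getUserIdLPr(xxxx) function, whose result is cast to a PermissionState object in order to evaluate the permission's attributes:
(3) The mSettings object is implemented in ./base/services/core/java/com/android/server/pm/Settings.java, which implements lookup and insertion on an ArrayList:
(4) The object parameter of addUserIdLPw, which is called there, is a PackageSetting or a SharedUserSetting; the calling function is addPackageLPw(xxxx)
(5) PackageSetting extends PackageSettingBase, which extends SettingBase; the PermissionState is ultimately created by calling new PermissionState. Code path: ./base/services/core/java/com/android/server/pm/PackageSetting.java/PackageSettingBase.java
(6) The permission list of the PermissionState object is updated and extended through updatePermissionFlags; code path: ./base/services/core/java/com/android/server/pm/PermissionsState.java
(7) ./base/services/core/java/com/android/server/pm/Settings.java parses and loads the system permission table file /system/data/packages.xml; the call flow is readLPw()->readPackageLPw(xxxx)->readInstallPermissionsLPr(xxxx)->updatePermissionFlags(xxxx):
(8) While parsing packages.xml, the package attribute is parsed to obtain the corresponding perms attribute, which is added to the corresponding PermissionState: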
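The lookup that checkComponentPermission and the packages.xml parsing steps above describe, as an added example in Python rather than code from AOSP or from this article: it loads the perms entries of a packages.xml-style file into a per-appId table and checks a uid against it in the order checkComponentPermission uses. The sample XML, package names and uids are constructed; the perms/item layout with name and granted attributes and the sharedUserId handling are assumptions about the Android 7.x file format, and isolated-uid handling is left out.

```python
import xml.etree.ElementTree as ET

PER_USER_RANGE = 100000          # UserHandle.PER_USER_RANGE
ROOT_UID, SYSTEM_UID = 0, 1000   # Process.ROOT_UID / Process.SYSTEM_UID
GRANTED, DENIED = 0, -1          # PackageManager.PERMISSION_GRANTED / PERMISSION_DENIED

# Constructed sample in the assumed packages.xml layout (not from a real device).
SAMPLE = """<packages>
  <package name="com.example.notes" userId="10061">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
      <item name="android.permission.BLUETOOTH" granted="false" flags="0" />
    </perms>
  </package>
  <package name="com.example.sync" sharedUserId="10062" />
  <shared-user name="com.example.shared" userId="10062">
    <perms>
      <item name="android.permission.WAKE_LOCK" />
    </perms>
  </shared-user>
</packages>"""

def load_install_permissions(xml_text):
    """Map appId -> set of granted install permissions read from <perms> items."""
    table = {}
    for node in ET.fromstring(xml_text):
        if node.tag not in ("package", "shared-user") or "userId" not in node.attrib:
            continue  # a package with sharedUserId is covered by its <shared-user>
        granted = table.setdefault(int(node.get("userId")), set())
        for item in node.findall("perms/item"):
            # A missing "granted" attribute counts as granted.
            if item.get("granted", "true").lower() == "true":
                granted.add(item.get("name"))
    return table

def check_component_permission(table, permission, uid, owning_uid=-1, exported=True):
    """Simplified model of the check order; not the framework implementation."""
    app_id = uid % PER_USER_RANGE  # what UserHandle.getAppId(uid) computes
    if app_id in (ROOT_UID, SYSTEM_UID):
        return GRANTED  # root and system never reach the permission table
    if owning_uid >= 0 and owning_uid % PER_USER_RANGE == app_id:
        return GRANTED  # the uid that owns the component always has access
    if not exported:
        return DENIED   # non-exported components are closed to other uids
    if permission is None:
        return GRANTED  # nothing is required
    # Stand-in for checkUidPermission(): consult the per-appId permission state.
    return GRANTED if permission in table.get(app_id, set()) else DENIED
```

Because the table is keyed by appId, the same entry answers for every Android user: uid 1010062 (user 10) resolves to the shared-user entry 10062.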
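4. Java implementation of calls to the binder permission service
(1) The binder service activity does the actual management of application permissions (by calling functions of ActivityManager.java), and the permission service is likewise implemented by calling functions of the activity service. In other words, the core of permission management is implemented in the ActivityManagerService.java class (with the concrete implementation in ActivityManager.java). That class is the implementation that extends the abstract class for activity, ActivityManagerNative.java (code paths: ./core/java/android/app/ActivityManagerNative.java and ./base/core/java/android/app/IActivityManager.java), and ActivityManagerNative.java holds the binder framework functions for activity.
(2) to be continued - signature verification mechanism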