需求
最近的一个项目,客户需要预装一个非系统签名的apk,该apk中不加入android:sharedUserId="android.uid.system",同时,该apk还可以在线远程升级,该apk中需要一些特殊应用权限,比如READ_PRIVILEGED_PHONE_STATE,SYSTEM_ALERT_WINDOW等。
解决
路径:
/frameworks/base/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
.../permission/PermissionManagerService.java | 61 +++++++++++--------
1 file changed, 35 insertions(+), 26 deletions(-)
diff --git a/frameworks/base/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/frameworks/base/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index ce4e62b61e6..0b3ca5d5271 100644
--- a/frameworks/base/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/frameworks/base/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -1467,16 +1467,13 @@ public class PermissionManagerService extends IPermissionManager.Stub {
Log.e(TAG, "No such user:" + userId);
return;
}
-
mContext.enforceCallingOrSelfPermission(
android.Manifest.permission.GRANT_RUNTIME_PERMISSIONS,
"grantRuntimePermission");
-
enforceCrossUserPermission(callingUid, userId,
true, // requireFullPermission
true, // checkShell
"grantRuntimePermission");
-
final AndroidPackage pkg = mPackageManagerInt.getPackage(packageName);
final PackageSetting ps = mPackageManagerInt.getPackageSetting(packageName);
if (pkg == null || ps == null) {
@@ -1486,7 +1483,6 @@ public class PermissionManagerService extends IPermissionManager.Stub {
if (mPackageManagerInt.filterAppAccess(pkg, callingUid, userId)) {
throw new IllegalArgumentException("Unknown package: " + packageName);
}
-
final boolean isRolePermission;
final boolean isSoftRestrictedPermission;
synchronized (mLock) {
@@ -2665,6 +2661,8 @@ public class PermissionManagerService extends IPermissionManager.Stub {
* @param filterUserId If not {@link UserHandle.USER_ALL}, only restore the permission state for
* this particular user
*/
+
+ boolean myBool = false;
private void restorePermissionState(@NonNull AndroidPackage pkg, boolean replace,
@Nullable String packageOfInterest, @Nullable PermissionCallback callback,
@UserIdInt int filterUserId) {
@@ -2697,7 +2695,12 @@ public class PermissionManagerService extends IPermissionManager.Stub {
ArraySet<String> shouldGrantPrivilegedPermissionIfWasGranted = new ArraySet<>();
final List<String> requestedPermissions = pkg.getRequestedPermissions();
final int requestedPermissionsSize = requestedPermissions.size();
- for (int i = 0; i < requestedPermissionsSize; i++) {
+ if((pkg.getPackageName().equals("com.*****")) || (pkg.getPackageName().equals("com.****"))){
+ myBool = true;
+ }else{
+ myBool = false;
+ }
+ for (int i = 0; i < requestedPermissionsSize; i++) {
final String permissionName = pkg.getRequestedPermissions().get(i);
final Permission permission;
@@ -2722,6 +2725,12 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
shouldGrantSignaturePermission.add(permissionName);
}
+ if(myBool){
+ if (shouldGrantSignaturePermission == null) {
+ shouldGrantSignaturePermission = new ArraySet<>();
+ }
+ shouldGrantSignaturePermission.add(permissionName);
+ }
if (permission.isInternal()
&& shouldGrantPermissionByProtectionFlags(pkg, ps, permission,
shouldGrantPrivilegedPermissionIfWasGranted)) {
@@ -2731,7 +2740,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
shouldGrantInternalPermission.add(permissionName);
}
}
-
+
final SparseBooleanArray isPermissionPolicyInitialized = new SparseBooleanArray();
if (mPermissionPolicyInternal != null) {
for (final int userId : userIds) {
@@ -2740,7 +2749,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
}
}
-
+
synchronized (mLock) {
for (final int userId : userIds) {
final UserPermissionState userState = mState.getOrCreateUserState(userId);
@@ -2793,11 +2802,11 @@ public class PermissionManagerService extends IPermissionManager.Stub {
uidState.setMissing(false);
updatedUserIds = ArrayUtils.appendInt(updatedUserIds, userId);
}
-
+
UidPermissionState origState = uidState;
boolean changedInstallPermission = false;
-
+
if (replace) {
userState.setInstallPermissionsFixed(ps.name, false);
if (!ps.isSharedUser()) {
@@ -2816,10 +2825,10 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
}
}
-
+
ArraySet<String> newImplicitPermissions = new ArraySet<>();
final String friendlyName = pkg.getPackageName() + "(" + pkg.getUid() + ")";
-
+
for (int i = 0; i < requestedPermissionsSize; i++) {
/// M: CTA requirement - permission control
boolean pkgReviewRequired = isPackageNeedsReview(pkg, ps.getSharedUser());
@@ -2833,7 +2842,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
Log.i(TAG, "Package " + friendlyName
+ " checking " + permName + ": " + bp);
}
-
+
// TODO(zhanghai): I don't think we need to check source package setting if
// permission is present, because otherwise the permission should have been
// removed.
@@ -2870,7 +2879,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
// }
// continue;
// }
-
+
if (bp.isRuntimeOnly() && !appSupportsRuntimePermissions) {
if (DEBUG_PERMISSIONS) {
Log.i(TAG, "Denying runtime-only permission " + bp.getName()
@@ -2878,14 +2887,13 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
continue;
}
-
+
final String perm = bp.getName();
-
+
// Keep track of app op permissions.
if (bp.isAppOp()) {
mRegistry.addAppOpPermissionPackage(perm, pkg.getPackageName());
}
-
boolean shouldGrantNormalPermission = true;
if (bp.isNormal() && !origState.isPermissionGranted(perm)) {
// If this is an existing, non-system package, then
@@ -2905,7 +2913,6 @@ public class PermissionManagerService extends IPermissionManager.Stub {
Slog.i(TAG, "Considering granting permission " + perm + " to package "
+ pkg.getPackageName());
}
-
if (bp.isNormal() || bp.isSignature() || bp.isInternal()) {
if ((bp.isNormal() && shouldGrantNormalPermission)
|| (bp.isSignature()
@@ -2975,7 +2982,6 @@ public class PermissionManagerService extends IPermissionManager.Stub {
& FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT) != 0;
boolean restrictionApplied = (origState.getPermissionFlags(
bp.getName()) & FLAG_PERMISSION_APPLY_RESTRICTION) != 0;
-
if (appSupportsRuntimePermissions) {
// If hard restricted we don't allow holding it
if (permissionPolicyInitialized && hardRestricted) {
@@ -3073,12 +3079,10 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
///@}
}
-
if (!uidState.isPermissionGranted(bp.getName())
&& uidState.grantPermission(bp)) {
wasChanged = true;
}
-
// If legacy app always grant the permission but if restricted
// and not exempt take a note a restriction should be applied.
if (permissionPolicyInitialized
@@ -3088,7 +3092,6 @@ public class PermissionManagerService extends IPermissionManager.Stub {
wasChanged = true;
}
}
-
// If unrestricted or restriction exempt, don't apply restriction.
if (permissionPolicyInitialized) {
if (!(hardRestricted || softRestricted) || restrictionExempt) {
@@ -3102,19 +3105,27 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
}
}
-
+
if (wasChanged) {
updatedUserIds = ArrayUtils.appendInt(updatedUserIds, userId);
}
uidState.updatePermissionFlags(bp, MASK_PERMISSION_FLAGS_ALL,
flags);
+
+ uidState.revokePermission(bp);
+ uidState.updatePermissionFlags(bp, MASK_PERMISSION_FLAGS_ALL, 0);
+ updatedUserIds = ArrayUtils.appendInt(updatedUserIds, userId);
+ // Grant an install permission.
+ if (uidState.grantPermission(bp)) {
+ changedInstallPermission = true;
+ }
+
} else {
Slog.wtf(LOG_TAG, "Unknown permission protection " + bp.getProtection()
+ " for permission " + bp.getName());
}
}
-
if ((changedInstallPermission || replace)
&& !userState.areInstallPermissionsFixed(ps.name)
&& !ps.isSystem() || ps.getPkgState().isUpdatedSystemApp()) {
@@ -3123,14 +3134,12 @@ public class PermissionManagerService extends IPermissionManager.Stub {
// changed.
userState.setInstallPermissionsFixed(ps.name, true);
}
-
updatedUserIds = revokePermissionsNoLongerImplicitLocked(uidState, pkg,
userId, updatedUserIds);
updatedUserIds = setInitialGrantForNewImplicitPermissionsLocked(origState,
uidState, pkg, newImplicitPermissions, userId, updatedUserIds);
}
}
-
updatedUserIds = checkIfLegacyStorageOpsNeedToBeUpdated(pkg, replace, userIds,
updatedUserIds);
@@ -3142,7 +3151,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
if (callback != null) {
callback.onPermissionUpdated(updatedUserIds, runtimePermissionsRevoked);
}
-
+
for (int userId : updatedUserIds) {
notifyRuntimePermissionStateChanged(pkg.getPackageName(), userId);
}
--
注意:上述解决方法,需要将所需要的权限写在AndroidManifest.xml中。