WARNING: MODIFYING THE DATABASES DIRECTLY MAY CAUSE ISSUES (INCLUDING BOOT LOOPS) WITH YOUR DEVICE. PROCEED AT YOUR OWN RISK AND ALWAYS PERFORM A BACKUP BEFORE CHANGING ANYTHING!
XPrivacy utilizes 2 databases (xprivacy.db and usage.db), both are located in /data/system/xprivacy. Making a file backup of the database cannot safely be done in a running system and should be done from recovery!
XPrivacy checks both the xprivacy database and usage database at system boot for integrity (using 'PRAGMA integrity_check'). If a database is found to be corrupt, the database is deleted, because repairing an sqlite database is mostly not possible (and Android doesn't have the tools for it installed). This can happen to the database of any application, but for XPrivacy it is of course a greater concern. Given the support info I receive, this fortunately happens rarely to the xprivacy database, but more to the usage database. The cause for this difference is that the usage database is set to asynchronous mode for speed reasons (using 'PRAGMA synchronous=OFF').
The usage database is just an aid and not critical for the operation of XPrivacy. Both the xprivacy and usage database are compacted at boot (using 'VACUUM'). This saves space and is good for performance, but the disadvantage is that twice the size of the database on disk space is temporarily needed.
A full disk (/data/system is mounted on internal memory) is fatal for XPrivacy, because the database will become corrupt in this situation. Again looking at the support info, this also rarely happens.
All mentioned sqlite commands are properly documented on the SQLite website
adb shell
su
sqlite3 /data/system/xprivacy/xprivacy.db
su
sqlite3 /data/system/xprivacy/xprivacy.db
*Note: You may need to install sqlite3 binaries
| FIELD | TYPE | NULLABLE |
|---|---|---|
| uid | INTEGER | NOT NULL |
| restriction | TEXT | NOT NULL |
| method | TEXT | NOT NULL |
| restricted | INTEGER |
The restriction table holds information pertaining to the restriction and onDemand settings on a per UID basis.
The 'restriction' field always lists the restriction category (Accounts, Browser, Calendar, etc.).
The method field lists the restriction methods (addOnAccountsUpdateListener, blockingGetAuthToken, getAccounts, etc.)
Entries where the method field is blank always pertain to the restriction category.
If a restriction category is set to block or allow the entire category, the individual methods will not be listed (with the exception of dangerous methods).
The 'restricted' field lists the status of the restrictions settings, the possible values are 0-3.
The meaning of the 'restricted' field depends on whether the restriction pertains to a category or a method:
| Value | as seen in XPrivacy | Meaning |
|---|---|---|
| 0 | [ ] [?] | not restricted, ask |
| 1 | [x] [?] | restricted, ask |
| 2 | [ ] [ ] | not restricted, asked |
| 3 | [x] [ ] | restricted, asked |
| Value | as seen in XPrivacy | Meaning |
|---|---|---|
| 0 | [x] [?] | restricted, ask |
| 1 | [ ] [?] | not restricted, ask |
| 2 | [x] [ ] | restricted, asked |
| 3 | [ ] [ ] | not restricted, asked |
*NOTE: Although the 'method' field doesn't always contain data, it is still NOT NULL. To query empty entries: WHERE method=''
*NOTE: Changes to the restriction table require a flush of the server side cache to take effect, this can be achieved with a reboot, using the option 'Flush cache' found in Menu - Settings, or by sending the intent am startservice -a biz.bokhorst.xprivacy.action.FLUSH. The intent can either be sent with root privileges or from an app which has permission biz.bokhorst.xprivacy.MANAGE_XPRIVACY. For more info see here and here
The setting table holds information pertaining to settings on a global (uid=userID; 0 for the main user) and per UID basis, as well as the white/blacklists.
| Field | Type | NULLABLE |
|---|---|---|
| uid | INTEGER | NOT NULL |
| name | TEXT | NOT NULL |
| value | TEXT | |
| type | TEXT |
*Note: WHERE name='State' and value='0' means ‘restrictions need attention’ (orange), WHERE name='State' and value='1' means ‘restrictions are changed’ (grey), WHERE name='State' and value='2' means ‘restrictions are submitted’ (green)
*Note: WHERE uid='0' and type='Template' contains the values designated in the restrictions template
*Note: WHERE type IN (Command, Filename, IPAddress, Library, Proc, Url) pertain to the white/blacklist entries
The usage database holds information regarding used restrictions by apps.
The 'restriction' field lists the restriction category (Accounts, Browser, Calendar, etc.).
The 'method' field lists the restriction methods (addOnAccountsUpdateListener, blockingGetAuthToken, getAccounts, etc.)
The 'extra' field holds the parameter information (when applicable)
The 'restricted' field indicates whether the restriction was allowed '0' or denied '1'
The 'time' field holds a UNIX timestamp indicating when the restriction was last accessed.
| Field | Type | NULLABLE |
|---|---|---|
| uid | INTEGER | NOT NULL |
| restriction | TEXT | NOT NULL |
| method | TEXT | NOT NULL |
| extra | TEXT | NOT NULL |
| restricted | INTEGER | NOT NULL |
| time | INTEGER | NOT NULL |
| value | TEXT | NOT NULL |
NOTE: Although the 'extra' field doesn't always contain data, it is still NOT NULL. To query empty entries: WHERE extra=''
SELECT * FROM setting WHERE uid='0';
This will show all global XPrivacy settings (including those not visible within the app)
SELECT * FROM restriction WHERE uid='1000';
This will show all restriction settings for UID 1000
SELECT * from setting WHERE name='OnDemand' and value='false';
This will list all apps where onDemand is not active
SELECT * from restriction WHERE restriction='internet' and method='' and restricted='2' ORDER BY uid;
This will list all apps that have unrestricted access to the Internet category, ordered by UID
SELECT * FROM restriction WHERE method='inet' and restricted='3';
This will list all apps that have unrestricted Internet/Inet access
SELECT * FROM setting WHERE type='Contact' ORDER BY uid;
This will list all allowed contacts, ordered by UID. Note that contact value corresponds to the same entry in /data/data/com.android.providers.contacts/databases/contacts2.db:raw_contacts:contact_id (Location may very depending on your ROM)
SELECT * FROM setting WHERE type='Application' ORDER BY uid;
This will list all allowed applications, ordered by UID.
UPDATE setting SET value='true' where name='OnDemand' and uid IN (10001,10002,10003);
This will enable onDemand for apps listed in the IN ()
UPDATE restriction SET restricted='0' WHERE uid IN (10001,10002,10003) and method='connect';
This will turn on onDemand for Internet/Connect with a time out default to deny for apps listed in the IN ()
UPDATE restriction SET restricted='3' WHERE uid IN (10001,10002,10003) and method='open';
This will allow unrestricted access to Storage/Open for the listed apps
SELECT uid, restricted FROM restriction WHERE method='loadLibrary' and restricted IN (0,1,3) ORDER BY uid;
This will list all apps that can load native libraries, either permanently or onDemand
SELECT s.uid, s.name, r.restricted FROM setting s JOIN restriction r on s.uid=r.uid WHERE (r.method='inet' and r.restricted IN (0,1,3)) and (s.type='Library' and s.value='true') ORDER BY s.uid, s.name;
This will list UID, native library name and INET permission value for all apps that have INET access (onDemand or permanent) as well as white listed native libraries
UPDATE setting SET value='true' WHERE name='Log';
This will enabled debug logging
UPDATE setting SET value='false' WHERE name LIKE 'Dangerous%';
This will remove all 'dangerous restrictions' from the template
UPDATE setting SET value='false' WHERE name = 'RestrictSystem';
This will disable restricting of system components
SELECT * FROM usage ORDER BY time DESC;
This will show all usage data ordered by TIME (newest entries first)
DELETE FROM usage where uid='1000';
This will delete all usage entries for UID 1000
DELETE FROM usage;
THIS WILL DELETE ALL USAGE DATA
This page was kindly contributed by an0n981