
Android permission analysis

cheyiliu edited this page Nov 7, 2014 · 20 revisions

android permission

Permission model

  • What the user sees: permission + signature
  • What Linux sees: uid + gid

How permissions take effect

  • Checked and enforced in the framework layer
    • The protection levels normal, dangerous, etc. are only used to warn the user at install time and let the user decide; signature-level permissions compare signatures; system-level permissions compare system properties. Some permissions are defined with a gid attribute: once the permission requirement is satisfied (PackageManagerService.java grantPermissionsLPw()), the app process is given the corresponding gid at run time, which can be seen with cat /proc/pid/status.
  • Enforced in the Linux layer through the uid + gid permission mechanism

How is permission + signature mapped to uid + gid?

Constant definitions

  • http://androidxref.com/4.4.4_r1/xref/system/core/include/private/android_filesystem_config.h This header is reached through JNI when the Java side parses platform.xml.
    • This is the master Users and Groups config for the platform. DO NOT EVER RENUMBER.
    • e.g.
    #define AID_LOG           1007  /* log devices */
    static const struct android_id_info android_ids[] = {
    // other entries
    { "log",           AID_LOG, },
    // other entries
    
  • http://androidxref.com/4.4.4_r1/xref/frameworks/base/data/etc/platform.xml This file is copied to /etc/permissions on the Android system and parsed during the mapping step, producing BasePermission objects.
    • The following tags are associating low-level group IDs with
      permission names. By specifying such a mapping, you are saying
      that any application process granted the given permission will
      also be running with the given group ID attached to its process,
      so it can perform any filesystem (read, write, execute) operations
      allowed for that group.
      (Gloss: if the apk requests the READ_LOGS permission, then the grant made at install time results in the app process running with an extra group, named log, applied through setgid().)
    • e.g.
     <permission name="android.permission.READ_LOGS" >
         <group gid="log" />
     </permission>
    
  • http://androidxref.com/4.4.4_r1/xref/frameworks/base/core/res/AndroidManifest.xml This file defines all of the system's permissions.
  • /data/system/packages.xml, created by http://androidxref.com/4.4.4_r1/xref/frameworks/base/services/java/com/android/server/pm/Settings.java#205 Related files: /data/system/packages.xml records the packages installed on the system; /data/system/packages-backup.xml is the backup of /data/packages.xml. The file is created after PackageManagerService finishes scanning the target directories and is updated whenever the system installs or uninstalls an application. /data/system/packages-stopped.xml records the packages that have been force-stopped, and /data/system/packages-stopped-backup.xml is the backup of /data/packages-stopped.xml; when an application is force-stopped, its information is written to this file. /data/system/packages.list holds every APK on the system that is not part of the system image, i.e. apks with UID greater than 1000. On the first boot none of these files exist; on later boots the XML files found by the scan are the ones created during the previous run.

Mapping path from the app, through the framework, down to Linux

  • call stack (rough analysis)

    // after boot: parse the configuration under /etc/permissions, including platform.xml, to build BasePermission
    see http://blog.csdn.net/yangwen123/article/details/9464779
    
    // when an apk is installed
    PackageParser.java, parsePackage()              // parses tags such as "uses-permission"
    PackageManagerService.java, grantPermissionsLP() // obtains the group_id for each granted permission
    
    // start app
    ActivityManagerService.java, startProcessLocked() // fetches the gids: mContext.getPackageManager().getPackageGids(app.info.packageName);
    int pid = Process.start("android.app.ActivityThread",
           mSimpleProcessManagement ? app.processName : null, uid, uid,
           gids, debugFlags, null);  
    
    dalvik_system_Zygote.cpp, forkAndSpecializeCommon() // the gids are passed down here: fork, then setgid(gid)
    
  • see http://blog.csdn.net/yangwen123/article/details/9464779 or http://blog.csdn.net/andyhuabing/article/details/7464680 for more info

Examples

  • Example 1: an app requests android.permission.WRITE_EXTERNAL_STORAGE. Its protection level is dangerous, which only serves to warn the user. The app is granted the permission; by the definition in platform.xml the corresponding gid is "sdcard_rw", whose integer value in android_filesystem_config.h is 1015. So while the app runs, cat /proc/app_pid/status shows Groups: 1015 in the groups entry. Looking at the sdcard directory permissions on the device, d---rwxr-x system sdcard_rw 1970-01-01 08:00 sdcard, the sdcard_rw group has rwx, so the app can read and write the sdcard.

  • Example 2: the same apk (requesting android.permission.READ_LOGS, a system-level permission) installed under /data/app and under /system/app/ differs in the Groups line of cat /proc/pid/status. Verify it with the steps from example 1.

/system/app:

    u0_a49    28218 1159  483984 23932 ffffffff 40046ee4 S com.ccdt.crashreport
    root@android:/ # cat /proc/28218/status
    Name:   cdt.crashreport
    State:  S (sleeping)
    Tgid:   28218
    Pid:    28218
    PPid:   1159
    TracerPid:      0
    Uid:    10049   10049   10049   10049
    Gid:    10049   10049   10049   10049
    FDSize: 256
    Groups: 1007 1028 3003 50049

/data/app:

    u0_a49    5850  1159  482936 24156 ffffffff 40046ee4 S com.ccdt.crashreport
    root@android:/ # cat /proc/5850/status
    Name:   cdt.crashreport
    State:  S (sleeping)
    Tgid:   5850
    Pid:    5850
    PPid:   1159
    TracerPid:      0
    Uid:    10049   10049   10049   10049
    Gid:    10049   10049   10049   10049
    FDSize: 256
    Groups: 1028 3003 50049
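The permission → group name → numeric AID → /proc/pid/status chain used in the two examples can be checked mechanically. The script below is an added example, not code from this wiki or from AOSP; it parses constructed excerpts of android_filesystem_config.h and platform.xml (values taken from this page) and reports which gids a process should carry for its granted permissions but does not, which is exactly the difference between the /system/app and /data/app installs above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of android_filesystem_config.h; AID_LOG=1007 and
# AID_SDCARD_RW=1015 are the values this page cites.
AID_HEADER = """
#define AID_LOG           1007  /* log devices */
#define AID_SDCARD_RW     1015  /* external storage write access */
"""

# Constructed excerpt of platform.xml (same <permission>/<group> layout as the page).
PLATFORM_XML = """
<permissions>
  <permission name="android.permission.READ_LOGS"><group gid="log" /></permission>
  <permission name="android.permission.WRITE_EXTERNAL_STORAGE"><group gid="sdcard_rw" /></permission>
</permissions>
"""

def parse_aids(header):
    """Group name -> numeric id, from '#define AID_<NAME> <num>' lines."""
    return {m.group(1).lower(): int(m.group(2))
            for m in re.finditer(r"#define\s+AID_(\w+)\s+(\d+)", header)}

def parse_platform_xml(xml_text):
    """Permission name -> group names declared under it."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): [g.get("gid") for g in p.findall("group")]
            for p in root.findall("permission")}

def proc_groups(status_text):
    """The 'Groups:' line of /proc/<pid>/status as a set of ints."""
    m = re.search(r"^Groups:\s*(.*)$", status_text, re.M)
    return {int(x) for x in m.group(1).split()} if m else set()

def missing_gids(granted, status_text, xml_text=PLATFORM_XML, header=AID_HEADER):
    """(permission, gid) pairs the process should carry but does not; a
    non-empty result means the permission was not granted at install time."""
    aids = parse_aids(header)
    perm_to_groups = parse_platform_xml(xml_text)
    have = proc_groups(status_text)
    return [(p, aids[g]) for p in granted
            for g in perm_to_groups.get(p, []) if aids[g] not in have]

if __name__ == "__main__":
    # Constructed status lines mirroring the page's two installs of the same apk.
    system_app = "Name: cdt.crashreport\nUid: 10049\nGroups: 1007 1028 3003 50049\n"
    data_app = "Name: cdt.crashreport\nUid: 10049\nGroups: 1028 3003 50049\n"
    print(missing_gids(["android.permission.READ_LOGS"], system_app))  # []
    print(missing_gids(["android.permission.READ_LOGS"], data_app))    # [('android.permission.READ_LOGS', 1007)]
```

On a real device, feed it the actual /etc/permissions/platform.xml, the matching header for that build, and the output of cat /proc/<pid>/status for the app under test.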



# system app vs 3rd-party app
* The only thing special about a system application beyond this is that there are a handful of signature permissions that can also be granted to any app on the system image. 


# ref
* Android permission code analysis, part 1: http://blog.csdn.net/a332324956/article/details/17439047
* Android permission code analysis, part 2: http://blog.csdn.net/a332324956/article/details/17452749
* Android permission code analysis, part 3: http://blog.csdn.net/a332324956/article/details/17881841
* Introduction to the Linux /proc directory: http://blog.csdn.net/zdwzzu2006/article/details/7747977
* /proc/pid/status explained: http://blog.chinaunix.net/uid-24347760-id-2943156.html
* Android system app 101: http://stackoverflow.com/questions/4264981/android-system-app-101
* PackageManagerService startup source analysis: http://blog.csdn.net/yangwen123/article/details/9464779
* Android permissions: http://blog.csdn.net/andyhuabing/article/details/7030212
* Android permissions: http://blog.csdn.net/andyhuabing/article/details/7464680