Android6.0 动态权限机制

发表于 | 分类于 | 阅读次数:

Android6.0以后引入了动态权限机制,一些系统权限的分配需要在app运行中进行分配,而不只是在AndroidManifest中指定。

本篇将针对动态权限的底层分配过程进行分析(基于Android-6.0.1)。

权限分配

我们先看一下请求分配权限的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
//frameworks/support/v4/java/android/support/v4/app/ActivityCompat.java
public static void requestPermissions(final @NonNull Activity activity,
        final @NonNull String[] permissions, final int requestCode) {
    if (Build.VERSION.SDK_INT >= 23) {//对于Android M 以及以上的权限的分配
        ActivityCompatApi23.requestPermissions(activity, permissions, requestCode);
    } else if (activity instanceof OnRequestPermissionsResultCallback) {//Android M以下的权限分配
        Handler handler = new Handler(Looper.getMainLooper());
        handler.post(new Runnable() {
            @Override
            public void run() {
                //请求分配的权限结果,如分配就是PERMISSION_GRANTED
                final int[] grantResults = new int[permissions.length];
                
                PackageManager packageManager = activity.getPackageManager();
                String packageName = activity.getPackageName();

                final int permissionCount = permissions.length;
                //通过包管理的checkPermission来检验是否分配权限
                for (int i = 0; i < permissionCount; i++) {
                    grantResults[i] = packageManager.checkPermission(
                            permissions[i], packageName);
                }

                ((OnRequestPermissionsResultCallback) activity).onRequestPermissionsResult(
                        requestCode, permissions, grantResults);
            }
        });
    }
}

requestPermissions对于Android M的前后版本都分别做了处理,Android M以上通过ActivityCompatApi23.requestPermissions进行权限的请求,而Android M以下通过PackageManager来检查Permission的分配情况。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
//frameworks/support/v4/api23/android/support/v4/app/ActivityCompat23.java
class ActivityCompatApi23 {
    ...
    public static void requestPermissions(Activity activity, String[] permissions,
            int requestCode) {
        if (activity instanceof RequestPermissionsRequestCodeValidator) {
            ((RequestPermissionsRequestCodeValidator) activity)
                    .validateRequestPermissionsRequestCode(requestCode);
        }
        //通过Android M的Activity处理
        activity.requestPermissions(permissions, requestCode);
    }
    ...
}

//frameworks/base/core/java/android/app/Activity.java
public final void requestPermissions(@NonNull String[] permissions, int requestCode) {
    if (mHasCurrentPermissionsRequest) {
        Log.w(TAG, "Can reqeust only one set of permissions at a time");
        // Dispatch the callback with empty arrays which means a cancellation.
        onRequestPermissionsResult(requestCode, new String[0], new int[0]);
        return;
    }
    //通过请求的权限构造Intent,弹出请求的窗口
    Intent intent = getPackageManager().buildRequestPermissionsIntent(permissions);
    startActivityForResult(REQUEST_PERMISSIONS_WHO_PREFIX, intent, requestCode, null);
    mHasCurrentPermissionsRequest = true;
}

ActivityCompat23将请求权限的任务交给Activity来完成,在Activity中,通过请求的permission来构造一个Intent随后启动Activity来弹出请求的界面。Intent的构造是通过PackageManager的buildRequestPermissionsIntent方法构造的。

1
2
3
4
5
6
7
8
9
public Intent buildRequestPermissionsIntent(@NonNull String[] permissions) {
    if (ArrayUtils.isEmpty(permissions)) {
        throw new NullPointerException("permission cannot be null or empty");
    }
    Intent intent = new Intent(ACTION_REQUEST_PERMISSIONS);
    intent.putExtra(EXTRA_REQUEST_PERMISSIONS_NAMES, permissions);
    intent.setPackage(getPermissionControllerPackageName());
    return intent;
}

Intent的action是ACTION_REQUEST_PERMISSIONS,它是这么定义的

1
2
public static final String ACTION_REQUEST_PERMISSIONS =
            "android.content.pm.action.REQUEST_PERMISSIONS";

随后一个参数就是具体请求的permission数组和一个权限分派控制的相关的包名。所以activity的请求窗口是通过隐式启动的。

1
2
3
4
5
6
7
8
9
10
/packages/apps/PackageInstaller/AndroidManifest.xml
<activity android:name=".permission.ui.GrantPermissionsActivity"
        android:configChanges="orientation|keyboardHidden|screenSize"
        android:excludeFromRecents="true"
        android:theme="@style/GrantPermissions">
    <intent-filter>
        <action android:name="android.content.pm.action.REQUEST_PERMISSIONS" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
</activity>

从intent-fliter可以看到,这个GrantPermissionsActivity就是我们进行权限分配的弹出窗口。GrantPermissionsActivity它的布局文件定义在packages/apps/PackageInstaller/res/layout/grant_permissions.xml,从GrantPermissionsActivity的实现来看它就是一个长的像Dialog的activity,这里我们重点关注在该Activity中对权限的允许和拒绝的处理。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
//packages/apps/PackageInstaller/src/com/android/packageinstaller/permission/ui/GrantPermissionsDefaultViewHandler.java
public void onClick(View view) {
    switch (view.getId()) {
        case R.id.permission_allow_button://允许
            if (mResultListener != null) {
                view.clearAccessibilityFocus();
                mResultListener.onPermissionGrantResult(mGroupName, true, false);
            }
            break;
        case R.id.permission_deny_button://拒绝
            mAllowButton.setEnabled(true);
            if (mResultListener != null) {
                view.clearAccessibilityFocus();
                mResultListener.onPermissionGrantResult(mGroupName, false,
                        mDoNotAskCheckbox.isChecked());
            }
            break;
        case R.id.do_not_ask_checkbox://不再询问
            mAllowButton.setEnabled(!mDoNotAskCheckbox.isChecked());
            break;
    }
}

这里是通过GrantPermissionsDefaultViewHandler来控制GrantPermissionsActivity的ui视图,按钮的点击事件是通过GrantPermissionsViewHandler.ResultListener接口来处理的,GrantPermissionsActivity实现了该接口。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
@Override
public void onPermissionGrantResult(String name, boolean granted, boolean doNotAskAgain) {
    if (isObscuredTouch()) {
        showOverlayDialog();
        finish();
        return;
    }
    GroupState groupState = mRequestGrantPermissionGroups.get(name);
    if (groupState.mGroup != null) {
        if (granted) {
            groupState.mGroup.grantRuntimePermissions(doNotAskAgain);//权限组内部的权限分配
            groupState.mState = GroupState.STATE_ALLOWED;//重置权限组的状态
        } else {
            groupState.mGroup.revokeRuntimePermissions(doNotAskAgain);
            groupState.mState = GroupState.STATE_DENIED;
        }
        updateGrantResults(groupState.mGroup);
    }
    //下一个组权限的授权
    if (!showNextPermissionGroupGrantRequest()) {
        setResultAndFinish();
    }
}

onPermissionGrantResult的三个参数分别是name代表了权限组的名字,granted表示是否进行权限分配,doNotAskAgain代表是否询问权限。内部的mRequestGrantPermissionGroups是一个LinkedHashMap<String, GroupState>,它的key是权限组名,值为GroupState,它代表了待授权的权限组Map。需要注意的是权限和权限组的概念是不同的,一个权限所属一个权限组,要给权限组可以对应多个权限。而我们传递给GrantPermissionsActivity的是权限数组(注意并不是权限组),在GrantPermissionsActivity创建的时候,会将我们请求的权限分别匹配到其对应的权限组中,这会重新计算权限组的状态。这个方法对name对应的权限组进行授权或者拒绝,然后处理下一个权限组。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
//packages/apps/PackageInstaller/src/com/android/packageinstaller/permission/ui/GrantPermissionsActivity.java
public class GrantPermissionsActivity extends OverlayTouchActivity
        implements GrantPermissionsViewHandler.ResultListener {
    private String[] mRequestedPermissions;//请求的权限数组
    private int[] mGrantResults;//权限分配的结果数组
    //请求的权限数组对应的权限组Map
    private LinkedHashMap<String, GroupState> mRequestGrantPermissionGroups = new LinkedHashMap<>();
    ...
    @Override
    public void onCreate(Bundle icicle) {
        ...
        //加载应用权限组
        mAppPermissions = new AppPermissions(this, callingPackageInfo, null, false,
            new Runnable() {
                @Override
                public void run() {
                    setResultAndFinish();
                }
            });
        //遍历权限组
        for (AppPermissionGroup group : mAppPermissions.getPermissionGroups()) {
            boolean groupHasRequestedPermission = false;
            for (String requestedPermission : mRequestedPermissions) {
                //如果请求的权限在该组内则标记groupHasRequestedPermission为true
                if (group.hasPermission(requestedPermission)) {
                    groupHasRequestedPermission = true;
                    break;
                }
            }
            if (!groupHasRequestedPermission) {
                continue;
            }
            // We allow the user to choose only non-fixed permissions. A permission
            // is fixed either by device policy or the user denying with prejudice.
            if (!group.isUserFixed() && !group.isPolicyFixed()) {
                switch (permissionPolicy) {
                    case DevicePolicyManager.PERMISSION_POLICY_AUTO_GRANT: {
                        if (!group.areRuntimePermissionsGranted()) {
                            group.grantRuntimePermissions(false);
                        }
                        group.setPolicyFixed();
                    } break;

                    case DevicePolicyManager.PERMISSION_POLICY_AUTO_DENY: {
                        if (group.areRuntimePermissionsGranted()) {
                            group.revokeRuntimePermissions(false);
                        }
                        group.setPolicyFixed();
                    } break;

                    default: {
                        //权限组是否已经分配了Runtime Permission,如果没有,则添加到mRequestGrantPermissionGroups中
                        if (!group.areRuntimePermissionsGranted()) {
                            mRequestGrantPermissionGroups.put(group.getName(),
                                    new GroupState(group));
                        } else {
                            group.grantRuntimePermissions(false);
                            updateGrantResults(group);
                        }
                    } break;
                }
            } else {
                // if the permission is fixed, ensure that we return the right request result
                updateGrantResults(group);
            }
        }
        ...
        if (!showNextPermissionGroupGrantRequest()) {
            setResultAndFinish();
        }
    }
}

在GrantPermissionsActivity的onCreate方法中,根据请求的权限计算所属权限组的状态,首先创建AppPermissions对象,这时会去加载应用的权限组。同时遍历用于请求的权限数组并找到其对应的权限组,同时判断该权限组是否已经分配了动态权限,如果未授权则添加到待授权的权限组Map中。到这里我们还未看到真正的授权过程,在前面onPermissionGrantResult方法中,授权是通过GroupState中的成员mGroup的grantRuntimePermissions方法进一步进行权限分配的。而GroupState的定义如下

1
2
3
4
5
6
7
8
9
10
11
12
private static final class GroupState {
    static final int STATE_UNKNOWN = 0;
    static final int STATE_ALLOWED = 1;
    static final int STATE_DENIED = 2;

    final AppPermissionGroup mGroup;
    int mState = STATE_UNKNOWN;

    GroupState(AppPermissionGroup group) {
        mGroup = group;
    }
}

GroupState有三个状态STATE_UNKNOWN,STATE_ALLOWED,STATE_DENIED,它内部的mGroup实际上是个AppPermissionGroup,这些AppPermissionGroup是在AppPermissions加载的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
//packages/apps/PackageInstaller/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
public boolean grantRuntimePermissions(boolean fixedByTheUser) {
    final boolean isSharedUser = mPackageInfo.sharedUserId != null;
    final int uid = mPackageInfo.applicationInfo.uid;

    // We toggle permissions only to apps that support runtime
    // permissions, otherwise we toggle the app op corresponding
    // to the permission if the permission is granted to the app.
    //遍历权限组对应的权限
    for (Permission permission : mPermissions.values()) {
        if (mAppSupportsRuntimePermissions) {//支持动态权限分配
            // Do not touch permissions fixed by the system.
            if (permission.isSystemFixed()) {//系统权限则返回
                return false;
            }

            // Ensure the permission app op enabled before the permission grant.
            //打开permssion可以被grant的选项
            if (permission.hasAppOp() && !permission.isAppOpAllowed()) {
                permission.setAppOpAllowed(true);
                mAppOps.setUidMode(permission.getAppOp(), uid, AppOpsManager.MODE_ALLOWED);
            }

            // Grant the permission if needed.
            //进行动态分配,通过PMS完成
            if (!permission.isGranted()) {
                permission.setGranted(true);
                mPackageManager.grantRuntimePermission(mPackageInfo.packageName,
                        permission.getName(), mUserHandle);
            }

            // Update the permission flags.
            if (!fixedByTheUser) {
                // Now the apps can ask for the permission as the user
                // no longer has it fixed in a denied state.
                if (permission.isUserFixed() || permission.isUserSet()) {
                    permission.setUserFixed(false);
                    permission.setUserSet(true);
                    mPackageManager.updatePermissionFlags(permission.getName(),
                            mPackageInfo.packageName,
                            PackageManager.FLAG_PERMISSION_USER_FIXED
                                    | PackageManager.FLAG_PERMISSION_USER_SET,
                            0, mUserHandle);
                }
            }
        } else {//Adnroid M以下的版本权限分配
            ....    
        }
    }
    return true;
}

权限的分配最终是通过PMS的grantRuntimePermission方法来完成的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
//frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
@Override
public void grantRuntimePermission(String packageName, String name, final int userId) {
    ...
    mContext.enforceCallingOrSelfPermission(
            android.Manifest.permission.GRANT_RUNTIME_PERMISSIONS,
            "grantRuntimePermission");
    
    enforceCrossUserPermission(Binder.getCallingUid(), userId, true, false,
            "grantRuntimePermission");

    final int uid;
    final SettingBase sb;
        
    synchronized (mPackages) {
        //取到Package对象
        final PackageParser.Package pkg = mPackages.get(packageName);
        if (pkg == null) {
            throw new IllegalArgumentException("Unknown package: " + packageName);
        }
        //取到全局设置中的权限信息    
        final BasePermission bp = mSettings.mPermissions.get(name);
        if (bp == null) {
            throw new IllegalArgumentException("Unknown permission: " + name);
        }

        enforceDeclaredAsUsedAndRuntimeOrDevelopmentPermission(pkg, bp);

        uid = UserHandle.getUid(userId, pkg.applicationInfo.uid);
        sb = (SettingBase) pkg.mExtras;//从pkg中取到应用的设置信息SettingBase
        if (sb == null) {
            throw new IllegalArgumentException("Unknown package: " + packageName);
        }
        //取到权限状态    
        final PermissionsState permissionsState = sb.getPermissionsState();
        
        final int flags = permissionsState.getPermissionFlags(name, userId);
        if ((flags & PackageManager.FLAG_PERMISSION_SYSTEM_FIXED) != 0) {
            throw new SecurityException("Cannot grant system fixed permission: "
                    + name + " for package: " + packageName);
        }

        if (bp.isDevelopment()) {
            // Development permissions must be handled specially, since they are not
            // normal runtime permissions.  For now they apply to all users.
            if (permissionsState.grantInstallPermission(bp) !=
                    PermissionsState.PERMISSION_OPERATION_FAILURE) {
                scheduleWriteSettingsLocked();
            }
            return;
        }
        //通过PermissionsState进行动态权限的分配
        final int result = permissionsState.grantRuntimePermission(bp, userId);
        ....
    }
    .....
}

在PMS的grantRuntimePermission方法中首先根据包名取到应用安装时的Package对象,这个Package对象中包含了应用的一些设置信息,通过这个设置信息可以取到当前应用的PermissionState,它维护了当前应用的权限授予情况。同时根据参数name,也就是权限名获取全新的配置信息BasePermission对象,它时从mSettings中取到的,mSettings是PMS的全局设置,它在PMS启动的时候初始化,里面包含了平台支持的所有权限。最后权限的分配进一步通过PermissionState来完成

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
//frameworks/base/services/core/java/com/android/server/pm/PermissionsState.java
//动态权限的分配
public int grantRuntimePermission(BasePermission permission, int userId) {
    enforceValidUserId(userId);
    if (userId == UserHandle.USER_ALL) {
        return PERMISSION_OPERATION_FAILURE;
    }
    return grantPermission(permission, userId);
}

private int grantPermission(BasePermission permission, int userId) {
    if (hasPermission(permission.name, userId)) {
        return PERMISSION_OPERATION_FAILURE;
    }
    //计算用户组id
    final boolean hasGids = !ArrayUtils.isEmpty(permission.computeGids(userId));
    final int[] oldGids = hasGids ? computeGids(userId) : NO_GIDS;
    //将权限包装成PermissionData添加到应用的权限列表中
    PermissionData permissionData = ensurePermissionData(permission);
    //授予权限,修改PermissionState的mGranted属性
    if (!permissionData.grant(userId)) {
        return PERMISSION_OPERATION_FAILURE;
    }

    if (hasGids) {
        final int[] newGids = computeGids(userId);//重新计算用户的权限组id
        //权限组id是否发生变化
        if (oldGids.length != newGids.length) {
            return PERMISSION_OPERATION_SUCCESS_GIDS_CHANGED;
        }
    }
    return PERMISSION_OPERATION_SUCCESS;
}

在grantPermission方法中首先会计算当前用户进程当前拥有的组id,然后再通过ensurePermissionData将权限添加到应用的PermissionData列表中,这里返回一个PermissionData,通过该对象的grant方法进行最终的分配,事实上它其实是修改内部PermissionState成员的mGranted状态为true。最后会对用户的组id进行重新计算,如果发生变化则返回PERMISSION_OPERATION_SUCCESS_GIDS_CHANGED,否则返回PERMISSION_OPERATION_SUCCESS

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
//保证权限被添加到用户列表中
private PermissionData ensurePermissionData(BasePermission permission) {
    if (mPermissions == null) {
        mPermissions = new ArrayMap<>();
    }
    PermissionData permissionData = mPermissions.get(permission.name);
    if (permissionData == null) {
        permissionData = new PermissionData(permission);
        mPermissions.put(permission.name, permissionData);
    }
    return permissionData;
}

//根据用户权限列表计算用户的gid
public int[] computeGids(int userId) {
    enforceValidUserId(userId);

    int[] gids = mGlobalGids;

    if (mPermissions != null) {
        final int permissionCount = mPermissions.size();
        for (int i = 0; i < permissionCount; i++) {
            String permission = mPermissions.keyAt(i);
            if (!hasPermission(permission, userId)) {
                continue;
            }
            PermissionData permissionData = mPermissions.valueAt(i);
            //取到权限对应的组id数组,可见权限可以通过多个gid描述
            final int[] permGids = permissionData.computeGids(userId);
            if (permGids != NO_GIDS) {
                //将权限对应的组id添加到用户的组id数组中
                gids = appendInts(gids, permGids);
            }
        }
    }

    return gids;
}

ensurePermissionData方法确保将权限对应的PermissionData添加到PermissonsState的权限列表中,后续通过computeGids计算用户userId对应的组id,并将其添加到用户的组id数组mGlobalGids中。其中内置权限的gid映射是定义在/etc/permission/platform.xml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<permissions>
    ···
    <permission name="android.permission.READ_EXTERNAL_STORAGE" >
        <group gid="sdcard_r" />
    </permission>

    <permission name="android.permission.WRITE_EXTERNAL_STORAGE" >
        <group gid="sdcard_r" />
        <group gid="sdcard_rw" />
    </permission>
    
    <permission name="android.permission.INTERNET" >
        <group gid="inet" />
    </permission>
    ···
</permissions>

至此,我们明白了权限的本质实际上就是一组gid,这组gid对应的是一些整型,这些映射关系存放在system/core/include/private/android_filesystem_config.h中,其中的定义如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#define AID_NET_BT_ADMIN  3001  /* bluetooth: create any socket */
#define AID_NET_BT        3002  /* bluetooth: create sco, rfcomm or l2cap sockets */
#define AID_INET          3003  /* can create AF_INET and AF_INET6 sockets */
#define AID_SDCARD_RW     1015  /* external storage write access */

static const struct android_id_info android_ids[] = {
    ...
    { "bluetooth",     AID_BLUETOOTH, },
    { "sdcard_rw",     AID_SDCARD_RW, },
    { "net_bt_admin",  AID_NET_BT_ADMIN, },
    { "net_bt",        AID_NET_BT, },
    { "inet",          AID_INET, },
    ...
}

通过将权限映射成一组gid,然后作为补充gid赋值给用户进程,也就是权限分配的本质。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
//PermisssionsState.PermissionData
public boolean grant(int userId) {
    if (!isCompatibleUserId(userId)) {
        return false;
    }

    if (isGranted(userId)) {
        return false;
    }

    PermissionState userState = mUserStates.get(userId);
    if (userState == null) {
        userState = new PermissionState(mPerm.name);
        mUserStates.put(userId, userState);
    }
    //分配权限置true
    userState.mGranted = true;

    return true;
}

通过PermissionData的grant方法,为对应的用户创建PermissionState,并将mGranted置为true表示分配了该权限给
该用户。

当然权限分配完成后,下次不需要再次分配,当我们重新启动手机后,并需要再次对权限进行分配,这是因为PMS为所有的package记录了权限分配的情况,在Android6.0之前,package所有的权限信息都是存放在data/system/packages.xml配置文件中,在应用中启动时候读取该配置就可以直到权限分配了哪些权限。但在Android6.0后,运行时权限放在了data/system/users/0/runtime-permissions.xml中,而普通权限保持不变依然存放在packages.xml中,而且默认granted就是true。那么在分配完成权限后需要将权限的分配信息持久化到该文件中。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
//packages.xml
<package 
    name="com.feelschaotic.demo" 
    codePath="/data/app/com.feelschaotic.demo-Gi5ksdF6mUDLakfOugCcwQ==" 
    nativeLibraryPath="/data/app/com.feelschaotic.demo-Gi5ksdF6mUDLakfOugCcwQ==/lib" 
    primaryCpuAbi="x86" 
    publicFlags="945307462" 
    privateFlags="0" 
    ft="16348dc3870" 
    it="16343f1d6aa" 
    ut="16348dc4c4d" 
    version="8220" 
    userId="10102">
        <sigs count="1">
            <cert index="20" key="..." />
        </sigs>
        <perms>
          <!-- 此处普通权限的 granted 全都默认是 true,且不可改变 granted 值-->
            <item name="android.permission.CHANGE_NETWORK_STATE" granted="true" flags="0" />
            <item name="android.permission.INTERNET" granted="true" flags="0" />
            <item name="android.permission.CHANGE_WIFI_STATE" granted="true" flags="0" />
            <item name="android.permission.ACCESS_NETWORK_STATE" granted="true" flags="0" />
        </perms>
        <proper-signing-keyset identifier="48" />
    </package>
1
2
3
4
5
6
7
8
9
<pkg name="com.feelschaotic.demo">
   <!-- 该demo我们故意拒绝了定位权限,可以看到:ACCESS_FINE_LOCATION 和 ACCESS_COARSE_LOCATION 的 granted 为 false -->
    <item name="android.permission.ACCESS_FINE_LOCATION" granted="false" flags="1" />
    <item name="android.permission.READ_EXTERNAL_STORAGE" granted="true" flags="0" />
    <item name="android.permission.ACCESS_COARSE_LOCATION" granted="false" flags="1" />
    <item name="android.permission.READ_PHONE_STATE" granted="true" flags="0" />
    <item name="android.permission.WRITE_EXTERNAL_STORAGE" granted="true" flags="0" />
    ...
</pkg>

在PMS的grantRuntimePermission分配完运行时权限后,最后会调用writeRuntimePermissionsForUserLPr将权限信息持久化到配置文件runtime-permissions.xml中,我们看看这个过程

1
2
3
4
5
6
7
public void writeRuntimePermissionsForUserLPr(int userId, boolean sync) {
    if (sync) {
        mRuntimePermissionsPersistence.writePermissionsForUserSyncLPr(userId);
    } else {
        mRuntimePermissionsPersistence.writePermissionsForUserAsyncLPr(userId);
    }
}

无论时同步方式还是异步方式的持久化,最后都会调用下面的方法进行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
//写入权限到配置文件
private void writePermissionsSync(int userId) {
    //要写入的文件/data/system/users/0/runtime-permissions.xml
    AtomicFile destination = new AtomicFile(getUserRuntimePermissionsFile(userId));

    ArrayMap<String, List<PermissionState>> permissionsForPackage = new ArrayMap<>();
    ArrayMap<String, List<PermissionState>> permissionsForSharedUser = new ArrayMap<>();

    synchronized (mLock) {
        mWriteScheduled.delete(userId);
        //对所有的package进行处理
        final int packageCount = mPackages.size();
        for (int i = 0; i < packageCount; i++) {
            String packageName = mPackages.keyAt(i);
            //取到PackageSetting
            PackageSetting packageSetting = mPackages.valueAt(i);
            if (packageSetting.sharedUser == null) {//没有sharedUser的情况
                //取到PermissionsState,这个对象描述了包的权限信息
                PermissionsState permissionsState = packageSetting.getPermissionsState();
                List<PermissionState> permissionsStates = permissionsState
                        .getRuntimePermissionStates(userId);//获取全新分配列表
                if (!permissionsStates.isEmpty()) {
                    //存放在permissionsForPackage这个Map中,以包名为键
                    permissionsForPackage.put(packageName, permissionsStates);
                }
            }
        }
        //有shareUser的情况
        final int sharedUserCount = mSharedUsers.size();
        for (int i = 0; i < sharedUserCount; i++) {
            String sharedUserName = mSharedUsers.keyAt(i);
            SharedUserSetting sharedUser = mSharedUsers.valueAt(i);
            PermissionsState permissionsState = sharedUser.getPermissionsState();
            List<PermissionState> permissionsStates = permissionsState
                    .getRuntimePermissionStates(userId);
            if (!permissionsStates.isEmpty()) {
                permissionsForSharedUser.put(sharedUserName, permissionsStates);
            }
        }
    }
    //写配置
    FileOutputStream out = null;
    try {
        //取到输出流
        out = destination.startWrite();

        XmlSerializer serializer = Xml.newSerializer();
        serializer.setOutput(out, StandardCharsets.UTF_8.name());
        serializer.setFeature(
                "http://xmlpull.org/v1/doc/features.html#indent-output", true);
        serializer.startDocument(null, true);
        serializer.startTag(null, TAG_RUNTIME_PERMISSIONS);

        String fingerprint = mFingerprints.get(userId);
        if (fingerprint != null) {
            serializer.attribute(null, ATTR_FINGERPRINT, fingerprint);
        }
        //先写当前package的permission
        final int packageCount = permissionsForPackage.size();
        for (int i = 0; i < packageCount; i++) {
            String packageName = permissionsForPackage.keyAt(i);
            List<PermissionState> permissionStates = permissionsForPackage.valueAt(i);
            serializer.startTag(null, TAG_PACKAGE);//package
            serializer.attribute(null, ATTR_NAME, packageName);
            writePermissions(serializer, permissionStates);
            serializer.endTag(null, TAG_PACKAGE);
        }
        //写其shareUser进程的permission
        final int sharedUserCount = permissionsForSharedUser.size();
        for (int i = 0; i < sharedUserCount; i++) {
            String packageName = permissionsForSharedUser.keyAt(i);
            List<PermissionState> permissionStates = permissionsForSharedUser.valueAt(i);
            serializer.startTag(null, TAG_SHARED_USER);
            serializer.attribute(null, ATTR_NAME, packageName);
            writePermissions(serializer, permissionStates);
            serializer.endTag(null, TAG_SHARED_USER);
        }

        serializer.endTag(null, TAG_RUNTIME_PERMISSIONS);
        serializer.endDocument();
        destination.finishWrite(out);

        if (Build.FINGERPRINT.equals(fingerprint)) {
            mDefaultPermissionsGranted.put(userId, true);
        }
    // Any error while writing is fatal.
    } catch (Throwable t) {
        Slog.wtf(PackageManagerService.TAG,
                "Failed to write settings, restoring backup", t);
        destination.failWrite(out);
    } finally {
        IoUtils.closeQuietly(out);
    }
}

writePermissionsSync写配置的过程很简单,先打开配置文件/data/system/users/0/runtime-permissions.xml,随后对PMS中的每个package和sharedUser分别将其对应的权限分配列表按照包名和shareUserName存放在permissionsForPackage和permissionsForSharedUser中,随后打开输出流分别将其对应的运行时权限分配情况写入文件。

1
2
3
4
5
6
7
8
9
10
11
12
private void writePermissions(XmlSerializer serializer,
        List<PermissionState> permissionStates) throws IOException {
    for (PermissionState permissionState : permissionStates) {
        serializer.startTag(null, TAG_ITEM);
        serializer.attribute(null, ATTR_NAME,permissionState.getName());
        serializer.attribute(null, ATTR_GRANTED,
                String.valueOf(permissionState.isGranted()));
        serializer.attribute(null, ATTR_FLAGS,
                Integer.toHexString(permissionState.getFlags()));
        serializer.endTag(null, TAG_ITEM);
    }
}

writePermissions负责写tag 为package下的一条权限分配信息,如

1
<item name="android.permission.WRITE_EXTERNAL_STORAGE" granted="true" flags="0" />

权限的检测

权限检测是通过Context的checkSelfPermission方法来进行的。我们看下它的实现

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
@Override
public int checkSelfPermission(String permission) {
    if (permission == null) {
        throw new IllegalArgumentException("permission is null");
    }

    return checkPermission(permission, Process.myPid(), Process.myUid());
}
@Override
public int checkPermission(String permission, int pid, int uid) {
    if (permission == null) {
        throw new IllegalArgumentException("permission is null");
    }

    try {
        return ActivityManagerNative.getDefault().checkPermission(
                permission, pid, uid);
    } catch (RemoteException e) {
        return PackageManager.PERMISSION_DENIED;
    }
}

最终还是通过AMS的checkPermission来进行权限检查。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
//frameworks/base/core/java/android/app/ActivityManager.java
@Override
public int checkPermission(String permission, int pid, int uid) {
    if (permission == null) {
        return PackageManager.PERMISSION_DENIED;
    }
    return checkComponentPermission(permission, pid, uid, -1, true);
}
int checkComponentPermission(String permission, int pid, int uid,
        int owningUid, boolean exported) {
    if (pid == MY_PID) {
        return PackageManager.PERMISSION_GRANTED;
    }
    return ActivityManager.checkComponentPermission(permission, uid,
            owningUid, exported);
}
/** @hide */
public static int checkComponentPermission(String permission, int uid,
        int owningUid, boolean exported) {
    // Root, system server get to do everything.
    final int appId = UserHandle.getAppId(uid);
    if (appId == Process.ROOT_UID || appId == Process.SYSTEM_UID) {
        return PackageManager.PERMISSION_GRANTED;
    }
    // Isolated processes don't get any permissions.
    if (UserHandle.isIsolated(uid)) {
        return PackageManager.PERMISSION_DENIED;
    }
    // If there is a uid that owns whatever is being accessed, it has
    // blanket access to it regardless of the permissions it requires.
    if (owningUid >= 0 && UserHandle.isSameApp(uid, owningUid)) {
        return PackageManager.PERMISSION_GRANTED;
    }
    // If the target is not exported, then nobody else can get to it.
    if (!exported) {
        /*
        RuntimeException here = new RuntimeException("here");
        here.fillInStackTrace();
        Slog.w(TAG, "Permission denied: checkComponentPermission() owningUid=" + owningUid,
                here);
        */
        return PackageManager.PERMISSION_DENIED;
    }
    if (permission == null) {
        return PackageManager.PERMISSION_GRANTED;
    }
    //通过PMS进行check
    try {
        return AppGlobals.getPackageManager()
                .checkUidPermission(permission, uid);
    } catch (RemoteException e) {
        // Should never happen, but if it does... deny!
        Slog.e(TAG, "PackageManager is dead?!?", e);
    }
    return PackageManager.PERMISSION_DENIED;
}

在AMS中的一系列调用中,最终的权限还是通过PMS的checkUidPermission来进行check的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
//PMS
@Override
public int checkUidPermission(String permName, int uid) {
    final int userId = UserHandle.getUserId(uid);

    if (!sUserManager.exists(userId)) {
        return PackageManager.PERMISSION_DENIED;
    }

    synchronized (mPackages) {
        Object obj = mSettings.getUserIdLPr(UserHandle.getAppId(uid));
        if (obj != null) {
            final SettingBase ps = (SettingBase) obj;
            final PermissionsState permissionsState = ps.getPermissionsState();
            //通过PermissionsState来检查
            if (permissionsState.hasPermission(permName, userId)) {
                return PackageManager.PERMISSION_GRANTED;
            }
            //定位权限的检测特殊处理
            // Special case: ACCESS_FINE_LOCATION permission includes ACCESS_COARSE_LOCATION
            if (Manifest.permission.ACCESS_COARSE_LOCATION.equals(permName) && permissionsState
                    .hasPermission(Manifest.permission.ACCESS_FINE_LOCATION, userId)) {
                return PackageManager.PERMISSION_GRANTED;
            }
        } else {
            ArraySet<String> perms = mSystemPermissions.get(uid);
            if (perms != null) {
                if (perms.contains(permName)) {
                    return PackageManager.PERMISSION_GRANTED;
                }
                if (Manifest.permission.ACCESS_COARSE_LOCATION.equals(permName) && perms
                        .contains(Manifest.permission.ACCESS_FINE_LOCATION)) {
                    return PackageManager.PERMISSION_GRANTED;
                }
            }
        }
    }

    return PackageManager.PERMISSION_DENIED;
}

checkUidPermission首先根据userId从PMS的配置对象中取到SettingBase,然后取到用户对应的PermissionsState,再通过permissionsState的hasPermission判断是否有该权限。

1
2
3
4
5
6
7
8
9
10
11
12
//检测权限
public boolean hasPermission(String name, int userId) {
    enforceValidUserId(userId);

    if (mPermissions == null) {
        return false;
    }
    //取到权限对应的PermissionData
    PermissionData permissionData = mPermissions.get(name);
    //通过isGranted来判断
    return permissionData != null && permissionData.isGranted(userId);
}

从PermissionsState的权限列表中取到PermissionData,通过PermissionData的PermissionState对象的mGranted成员就知道权限是否分配了。

总结

在Android6.0之前的版本中,应用在安装的时候会将manifest中request的权限(即通过申请的权限)添加到Package对象的PackageSetting中,PMS为每个安装的app创建一个Package对象,这个是在安装过程中创建的,同时在安装过程中也会为每个app创建一个PackageSetting对象,并将其保存在Package对象的mExtra中,在PackageSetting内部保存了应用的签名信息和授予的权限列表,实际上PackageSetting本身就是继承自GrantedPermissions类,这个类从名字看就知道它负责已授权的permission。应用中授权的权限在安装完成后会将应用的信息(包括了权限,签名和应用的基本信息等)写入到pacakge.xml文件中,这样下次系统启动就可以通过读取该文件获取应用的授权信息。

在Aandroid6.0之后,google为了防止应用滥用权限对权限的授予进行了收缩,将危险的权限授予过程交给用户来决定,为了适应这样的变化,必须要将安装权限和运行时权限进行区分处理,安装权限保持原有的逻辑不变,对于动态权限的分配必然要对PackageSetting进行一个大手术,在Android6.0中PackageSetting不再继承自GrantedPermissions,而是继承自于SettingBase,它的内部也比以前复杂了一些,简单来说它内部维护了一个PermissionsState,它负责管理应用的权限,因此它内部存放着应用的授权的权限列表(实际上是一个ArrayMap<String, PermissionData>),以及权限组对应的gids,此时的权限不再是仅仅是一个String,而是一个PermissionData,而PermissionData内部持有PermissionState即permission的状态,可以看到最终我们还是通过改变PermissionData的PermissionState来达到动态授权的目的。另外授予的动态权限最终会保存在runtime-permission.xml中。

参考

https://www.jianshu.com/p/a17c8bed79d9

坚持原创技术分享,您的支持将鼓励我继续创作!