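  • Granting app permissions through a whitelist on Android 9.0

    On Android 9.0, set up a whitelist so that listed apps are granted their permissions at install time, avoiding runtime permission requests when the app starts.

    I. Source files to modify: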

    /frameworks/base/core/res/res/values/config.xml

    /frameworks/base/core/res/res/values/symbols.xml

    /frameworks/base/services/core/java/com/android/server/pm/permission/PermissionManagerService.java

    II. How to make the changes:

    Step 1:

    In /frameworks/base/core/res/res/values/config.xml, add a string-array named apk_whitelist. It can go at the end of the file:

    <!-- For whitelist apk -->
    <string-array translatable="false" name="apk_whitelist" >
         <item>"com.google.middleware.startup"</item>
         <item>"com.google.sh.test"</item>
         <item>"com.google.middleware.videotest.test"</item>
    </string-array>

    Step 2:

    In /frameworks/base/core/res/res/values/symbols.xml, declare the string-array added above. It can go at the end of the file:

      <!-- For whitelist apk -->
      <java-symbol type="array" name="apk_whitelist" />

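    Step 3:

    In /frameworks/base/services/core/java/com/android/server/pm/permission/PermissionManagerService.java, where an APK's permission requests are processed, check whether the APK is in the whitelist and, if so, let it through and grant the permission. The changes are:

    1. In PermissionManagerService, add a List that stores the whitelisted package names, mAPkWhitelist, together with an initializer initApkWhitelist and a lookup method isInApkWhitelist: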

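    // Needs android.content.res.Resources and java.util.{ArrayList, Arrays, List}.
    // Package names read from the apk_whitelist resource.
    private List<String> mAPkWhitelist = new ArrayList<String>();

    // Returns true if pkgName exactly matches a whitelist entry.
    private boolean isInApkWhitelist(String pkgName) {
        for (String token : mAPkWhitelist) {
            if (pkgName.equals(token)) {
                return true;
            }
        }
        return false;
    }

    // Loads the whitelist from the framework resource declared in symbols.xml.
    private void initApkWhitelist() {
        String[] apkWhitelist = Resources.getSystem().getStringArray(
                com.android.internal.R.array.apk_whitelist);
        mAPkWhitelist = Arrays.asList(apkWhitelist);
    }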

    2. In the PermissionManagerService constructor, initialize mAPkWhitelist, i.e. read the package names from the apk_whitelist resource:

        PermissionManagerService(Context context,
                @Nullable DefaultPermissionGrantedCallback defaultGrantCallback,
                @NonNull Object externalLock) {
            mContext = context;
            mLock = externalLock;
    
        ......
    
            LocalServices.addService(
                    PermissionManagerInternal.class, new PermissionManagerInternalImpl());
    
            initApkWhitelist(); // initialize the whitelist
        }

    3. In PermissionManagerService::grantPermissions, when a permission is being processed, check whether the app is in the whitelist and, if so, grant it:

    http://androidxref.com/9.0.0_r3/xref/frameworks/base/services/core/java/com/android/server/pm/permission/PermissionManagerService.java#662

    http://androidxref.com/9.0.0_r3/xref/frameworks/base/services/core/java/com/android/server/pm/permission/PermissionManagerService.java#780

    if (bp.isNormal()) {
        // For all apps normal permissions are install time ones.
        grant = GRANT_INSTALL;
    } else if (bp.isRuntime()) {
        // If a permission review is required for legacy apps we represent
        // their permissions as always granted runtime ones since we need
        // to keep the review required permission flag per user while an
        // install permission's state is shared across all users.
        if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired) {
            // For legacy apps dangerous permissions are install time ones.
            grant = GRANT_INSTALL;
        } else if (origPermissions.hasInstallPermission(bp.getName())) {
            // For legacy apps that became modern, install becomes runtime.
            grant = GRANT_UPGRADE;
        } else if (isLegacySystemApp) {
            // For legacy system apps, install becomes runtime.
            // We cannot check hasInstallPermission() for system apps since those
            // permissions were granted implicitly and not persisted pre-M.
            grant = GRANT_UPGRADE;
        } else {
            // For modern apps keep runtime permissions unchanged.
            grant = GRANT_RUNTIME;
    
            if(isInApkWhitelist(pkg.packageName)) // whitelist check
                grant = GRANT_INSTALL;
        }
    } else if (bp.isSignature()) {
        // For all apps signature permissions are install time ones.
        allowedSig = grantSignaturePermission(perm, pkg, bp, origPermissions);
        if (allowedSig) {
            grant = GRANT_INSTALL;
        }
        if(isInApkWhitelist(pkg.packageName))  // whitelist check
            grant = GRANT_INSTALL;
    }

    III. Using the whitelist:

    To add a new app to the whitelist, just add its package name to apk_whitelist in config.xml.
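
    The whitelist above matches on package name alone, and in the signature branch it sets GRANT_INSTALL even when grantSignaturePermission returned false, so whatever is installed under a listed name receives those permissions. The following added example (not the author's code) also pins each entry to a signing-certificate digest; the class name, the pin() helper and the certificate bytes are constructed for illustration.

    ```java
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.HashMap;
    import java.util.Map;

    // Added example: whitelist entries are a package name plus the SHA-256 digest
    // of the signing certificate that package is expected to carry.
    public class PinnedApkWhitelist {
        private final Map<String, byte[]> mPinned = new HashMap<>();

        static byte[] sha256(byte[] data) {
            try {
                return MessageDigest.getInstance("SHA-256").digest(data);
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException(e); // SHA-256 is required on every Java platform
            }
        }

        // Hypothetical helper: register one trusted (package, certificate digest) pair.
        void pin(String pkgName, byte[] certDigest) {
            mPinned.put(pkgName, certDigest.clone());
        }

        // True only when the package is listed AND its signing certificate matches the pin.
        boolean isInApkWhitelist(String pkgName, byte[] signerCert) {
            byte[] expected = mPinned.get(pkgName);
            if (expected == null || signerCert == null) {
                return false;
            }
            return MessageDigest.isEqual(expected, sha256(signerCert)); // constant-time compare
        }

        public static void main(String[] args) {
            // Constructed stand-ins for DER-encoded signing certificates.
            byte[] vendorCert = "constructed-vendor-cert".getBytes(StandardCharsets.UTF_8);
            byte[] otherCert = "constructed-other-cert".getBytes(StandardCharsets.UTF_8);

            PinnedApkWhitelist whitelist = new PinnedApkWhitelist();
            whitelist.pin("com.google.sh.test", sha256(vendorCert));

            // Listed name with the pinned certificate, listed name with another
            // certificate, and an unlisted name.
            System.out.println(whitelist.isInApkWhitelist("com.google.sh.test", vendorCert));
            System.out.println(whitelist.isInApkWhitelist("com.google.sh.test", otherCert));
            System.out.println(whitelist.isInApkWhitelist("com.example.unlisted", vendorCert));
        }
    }
    ```

    Inside PermissionManagerService the certificate bytes would have to come from the package's parsed signing information; that wiring is not shown here.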

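    In me the tiger sniffs the rose; life should be lived without fear or regret..... PS: This article is a summary of the author's work and study. Limited by the author's knowledge, it will inevitably contain mistakes and is for reference only. If you repost it, please credit the source: http://www.cnblogs.com/roger-yu/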
  • Original article: https://www.cnblogs.com/roger-yu/p/15020853.html