背景
根据不同的业务背景下,客户希望部分应用可以实现静默安装及静默卸载的功能,因此需要这个功能,然而android9.0及以上采用的沙盒方式,这一功能普通的应用是实现不了的,作者思考了两种方式:一、在framework中实现service的方式,但是发现一个问题就是framework service属于system_server 分组的,因此访问sdcard file等方法在这里面是不行的,原因是由于sdcard在过去手机中是属于可插拔设备,因此android系统为避免一些插拔过程中读取文件造成的错误,将sdcard这级用户组并未加入到system_server组里,下面看下基本调试方式,adb shell进入设备,执行:
s -A | grep "system_server"
显示的结果
rk3568_r:/ $ ps -A | grep "system_server"
system 531 259 16590784 382396 0 0 S system_server
其中531代表的就是system_server的Tgid 然后再执行:
rk3568_r:/ $ cd proc/531
rk3568_r:/proc/531 $ cat status
显示结果
rk3568_r:/proc/531 $ cat status
Name: Binder:531_3
Umask: 0077
State: S (sleeping)
Tgid: 531
Ngid: 0
Pid: 531
PPid: 259
TracerPid: 0
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
FDSize: 512
Groups: 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1018 1021 1023 1024 1028 1032 1065 3001 3002 3003 3006 3007 3009 3010 3011
VmPeak: 16663316 kB
VmSize: 16590784 kB
VmLck: 96788 kB
VmPin: 0 kB
VmHWM: 392996 kB
VmRSS: 382396 kB
RssAnon: 65008 kB
RssFile: 315920 kB
RssShmem: 1468 kB
VmData: 1889436 kB
VmStk: 8192 kB
VmExe: 28 kB
VmLib: 188868 kB
VmPTE: 2036 kB
VmSwap: 0 kB
CoreDumping: 0
Threads: 125
SigQ: 0/7808
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000080001204
SigIgn: 0000000000000001
SigCgt: 0000006e400084f8
CapInh: 0000001806897c20
CapPrm: 0000001806897c20
CapEff: 0000001806897c20
CapBnd: 0000000000000000
CapAmb: 0000000000000000
NoNewPrivs: 0
Seccomp: 0
Speculation_Store_Bypass: thread vulnerable
Cpus_allowed: f
Cpus_allowed_list: 0-3
Mems_allowed: 1
Mems_allowed_list: 0
voluntary_ctxt_switches: 2956
nonvoluntary_ctxt_switches: 5894
重点看一下Groups
Groups: 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1018 1021 1023 1024 1028 1032 1065 3001 3002 3003 3006 3007 3009 3010 3011 VmPeak: 16663316 kB VmSize: 16590784 kB
找到系统源码的system/core/include/private/android_filesystem_config.h文件
#ifndef _ANDROID_FILESYSTEM_CONFIG_H_
#define _ANDROID_FILESYSTEM_CONFIG_H_
#include <sys/types.h>
#if !defined(__ANDROID_VNDK__) && !defined(EXCLUDE_FS_CONFIG_STRUCTURES)
#include <private/fs_config.h>
#endif
/* This is the master Users and Groups config for the platform.
* DO NOT EVER RENUMBER
*/
#define AID_ROOT 0 /* traditional unix root user */
/* The following are for LTP and should only be used for testing */
#define AID_DAEMON 1 /* traditional unix daemon owner */
#define AID_BIN 2 /* traditional unix binaries owner */
#define AID_SYSTEM 1000 /* system server */
#define AID_RADIO 1001 /* telephony subsystem, RIL */
#define AID_BLUETOOTH 1002 /* bluetooth subsystem */
#define AID_GRAPHICS 1003 /* graphics devices */
#define AID_INPUT 1004 /* input devices */
#define AID_AUDIO 1005 /* audio devices */
#define AID_CAMERA 1006 /* camera devices */
#define AID_LOG 1007 /* log devices */
#define AID_COMPASS 1008 /* compass device */
#define AID_MOUNT 1009 /* mountd socket */
#define AID_WIFI 1010 /* wifi subsystem */
#define AID_ADB 1011 /* android debug bridge (adbd) */
#define AID_INSTALL 1012 /* group for installing packages */
#define AID_MEDIA 1013 /* mediaserver process */
#define AID_DHCP 1014 /* dhcp client */
#define AID_SDCARD_RW 1015 /* external storage write access */
#define AID_VPN 1016 /* vpn system */
#define AID_KEYSTORE 1017 /* keystore subsystem */
#define AID_USB 1018 /* USB devices */
#define AID_DRM 1019 /* DRM server */
#define AID_MDNSR 1020 /* MulticastDNSResponder (service discovery) */
#define AID_GPS 1021 /* GPS daemon */
#define AID_UNUSED1 1022 /* deprecated, DO NOT USE */
#define AID_MEDIA_RW 1023 /* internal media storage write access */
#define AID_MTP 1024 /* MTP USB driver access */
#define AID_UNUSED2 1025 /* deprecated, DO NOT USE */
#define AID_DRMRPC 1026 /* group for drm rpc */
#define AID_NFC 1027 /* nfc subsystem */
#define AID_SDCARD_R 1028 /* external storage read access */
#define AID_CLAT 1029 /* clat part of nat464 */
#define AID_LOOP_RADIO 1030 /* loop radio devices */
#define AID_MEDIA_DRM 1031 /* MediaDrm plugins */
#define AID_PACKAGE_INFO 1032 /* access to installed package details */
#define AID_SDCARD_PICS 1033 /* external storage photos access */
#define AID_SDCARD_AV 1034 /* external storage audio/video access */
#define AID_SDCARD_ALL 1035 /* access all users external storage */
#define AID_LOGD 1036 /* log daemon */
#define AID_SHARED_RELRO 1037 /* creator of shared GNU RELRO files */
#define AID_DBUS 1038 /* dbus-daemon IPC broker process */
#define AID_TLSDATE 1039 /* tlsdate unprivileged user */
#define AID_MEDIA_EX 1040 /* mediaextractor process */
#define AID_AUDIOSERVER 1041 /* audioserver process */
#define AID_METRICS_COLL 1042 /* metrics_collector process */
#define AID_METRICSD 1043 /* metricsd process */
#define AID_WEBSERV 1044 /* webservd process */
#define AID_DEBUGGERD 1045 /* debuggerd unprivileged user */
#define AID_MEDIA_CODEC 1046 /* mediacodec process */
#define AID_CAMERASERVER 1047 /* cameraserver process */
#define AID_FIREWALL 1048 /* firewalld process */
#define AID_TRUNKS 1049 /* trunksd process (TPM daemon) */
#define AID_NVRAM 1050 /* Access-controlled NVRAM */
#define AID_DNS 1051 /* DNS resolution daemon (system: netd) */
#define AID_DNS_TETHER 1052 /* DNS resolution daemon (tether: dnsmasq) */
#define AID_WEBVIEW_ZYGOTE 1053 /* WebView zygote process */
#define AID_VEHICLE_NETWORK 1054 /* Vehicle network service */
#define AID_MEDIA_AUDIO 1055 /* GID for audio files on internal media storage */
#define AID_MEDIA_VIDEO 1056 /* GID for video files on internal media storage */
#define AID_MEDIA_IMAGE 1057 /* GID for image files on internal media storage */
#define AID_TOMBSTONED 1058 /* tombstoned user */
#define AID_MEDIA_OBB 1059 /* GID for OBB files on internal media storage */
#define AID_ESE 1060 /* embedded secure element (eSE) subsystem */
#define AID_OTA_UPDATE 1061 /* resource tracking UID for OTA updates */
#define AID_AUTOMOTIVE_EVS 1062 /* Automotive rear and surround view system */
#define AID_LOWPAN 1063 /* LoWPAN subsystem */
#define AID_HSM 1064 /* hardware security module subsystem */
#define AID_RESERVED_DISK 1065 /* GID that has access to reserved disk space */
#define AID_STATSD 1066 /* statsd daemon */
#define AID_INCIDENTD 1067 /* incidentd daemon */
#define AID_SECURE_ELEMENT 1068 /* secure element subsystem */
#define AID_LMKD 1069 /* low memory killer daemon */
#define AID_LLKD 1070 /* live lock daemon */
#define AID_IORAPD 1071 /* input/output readahead and pin daemon */
#define AID_GPU_SERVICE 1072 /* GPU service daemon */
#define AID_NETWORK_STACK 1073 /* network stack service */
#define AID_GSID 1074 /* GSI service daemon */
#define AID_FSVERITY_CERT 1075 /* fs-verity key ownership in keystore */
#define AID_CREDSTORE 1076 /* identity credential manager service */
#define AID_EXTERNAL_STORAGE 1077 /* Full external storage access including USB OTG volumes */
#define AID_EXT_DATA_RW 1078 /* GID for app-private data directories on external storage */
#define AID_EXT_OBB_RW 1079 /* GID for OBB directories on external storage */
#define AID_CONTEXT_HUB 1080 /* GID for access to the Context Hub */
/* Changes to this file must be made in AOSP, *not* in internal branches. */
#define AID_SHELL 2000 /* adb and debug shell user */
#define AID_CACHE 2001 /* cache access */
#define AID_DIAG 2002 /* access to diagnostic resources */
/* The range 2900-2999 is reserved for the vendor partition */
/* Note that the two 'OEM' ranges pre-dated the vendor partition, so they take the legacy 'OEM'
* name. Additionally, they pre-dated passwd/group files, so there are users and groups named oem_#
* created automatically for all values in these ranges. If there is a user/group in a passwd/group
* file corresponding to this range, both the oem_# and user/group names will resolve to the same
* value. */
#define AID_OEM_RESERVED_START 2900
#define AID_OEM_RESERVED_END 2999
/* The 3000 series are intended for use as supplemental group id's only.
* They indicate special Android capabilities that the kernel is aware of. */
#define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */
#define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */
#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
#define AID_NET_RAW 3004 /* can create raw INET sockets */
#define AID_NET_ADMIN 3005 /* can configure interfaces and routing tables. */
#define AID_NET_BW_STATS 3006 /* read bandwidth statistics */
#define AID_NET_BW_ACCT 3007 /* change bandwidth statistics accounting */
#define AID_READPROC 3009 /* Allow /proc read access */
#define AID_WAKELOCK 3010 /* Allow system wakelock read/write access */
#define AID_UHID 3011 /* Allow read/write to /dev/uhid node */
/* The range 5000-5999 is also reserved for vendor partition. */
#define AID_OEM_RESERVED_2_START 5000
#define AID_OEM_RESERVED_2_END 5999
/* The range 6000-6499 is reserved for the system partition. */
#define AID_SYSTEM_RESERVED_START 6000
#define AID_SYSTEM_RESERVED_END 6499
/* The range 6500-6999 is reserved for the odm partition. */
#define AID_ODM_RESERVED_START 6500
#define AID_ODM_RESERVED_END 6999
/* The range 7000-7499 is reserved for the product partition. */
#define AID_PRODUCT_RESERVED_START 7000
#define AID_PRODUCT_RESERVED_END 7499
/* The range 7500-7999 is reserved for the system_ext partition. */
#define AID_SYSTEM_EXT_RESERVED_START 7500
#define AID_SYSTEM_EXT_RESERVED_END 7999
#define AID_EVERYBODY 9997 /* shared between all apps in the same profile */
#define AID_MISC 9998 /* access to misc storage */
#define AID_NOBODY 9999
#define AID_APP 10000 /* TODO: switch users over to AID_APP_START */
#define AID_APP_START 10000 /* first app user */
#define AID_APP_END 19999 /* last app user */
#define AID_CACHE_GID_START 20000 /* start of gids for apps to mark cached data */
#define AID_CACHE_GID_END 29999 /* end of gids for apps to mark cached data */
#define AID_EXT_GID_START 30000 /* start of gids for apps to mark external data */
#define AID_EXT_GID_END 39999 /* end of gids for apps to mark external data */
#define AID_EXT_CACHE_GID_START 40000 /* start of gids for apps to mark external cached data */
#define AID_EXT_CACHE_GID_END 49999 /* end of gids for apps to mark external cached data */
#define AID_SHARED_GID_START 50000 /* start of gids for apps in each user to share */
#define AID_SHARED_GID_END 59999 /* end of gids for apps in each user to share */
/*
* This is a magic number in the kernel and not something that was picked
* arbitrarily. This value is returned whenever a uid that has no mapping in the
* user namespace is returned to userspace:
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/highuid.h?h=v4.4#n40
*/
#define AID_OVERFLOWUID 65534 /* unmapped user in the user namespace */
/* use the ranges below to determine whether a process is isolated */
#define AID_ISOLATED_START 90000 /* start of uids for fully isolated sandboxed processes */
#define AID_ISOLATED_END 99999 /* end of uids for fully isolated sandboxed processes */
#define AID_USER 100000 /* TODO: switch users over to AID_USER_OFFSET */
#define AID_USER_OFFSET 100000 /* offset for uid ranges for each user */
/*
* android_ids has moved to pwd/grp functionality.
* If you need to add one, the structure is now
* auto-generated based on the AID_ constraints
* documented at the top of this header file.
* Also see build/tools/fs_config for more details.
*/
#endif
上面我们发现AID_SDCARD_R对应的是1028,然后我们按照传统的方式找到给system_server赋予group id的文件,frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
/* Hardcoded command line to start the system server */
String args[] = {
"--setuid=1000",
"--setgid=1000",
"--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1018,1021,1023,"
+ "1024,1032,1065,3001,3002,3003,3006,3007,3009,3010,3011",
"--capabilities=" + capabilities + "," + capabilities,
"--nice-name=system_server",
"--runtime-args",
"--target-sdk-version=" + VMRuntime.SDK_VERSION_CUR_DEVELOPMENT,
"com.android.server.SystemServer",
};
ZygoteArguments parsedArgs = null;
就算这样依然不行,后面再分析吧,第二种方式采用的是以系统应用为静默安装卸载器的方式。
静默安装卸载器实现
思路在系统中开发一个应用这个应用是无界面形式主要功能就是负责静默安装及卸载功能,这里我们可以将它称为是静默安装卸载器
源码部分
package com.xiaoxuan.silent;
import android.annotation.SuppressLint;
import android.app.Service;
import android.content.Context;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageInstaller;
import android.content.pm.PackageManager;
import android.os.IBinder;
import android.os.RemoteException;
import android.util.Log;
import androidx.annotation.Nullable;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
/* SilentInstallService类继承ISilentInstall.aidl */
public class SilentInstallService extends Service {
private static final String TAG = "SilentInstallService";
private int mSessionId = -1;
@Override
public void onCreate() {
super.onCreate();
PackageInstaller.SessionCallback mSessionCallback = new InstallSessionCallback();
getPackageManager().getPackageInstaller().registerSessionCallback(mSessionCallback);
}
class MyBinder extends ISilentInstall.Stub
{
@Override
public void silentInstall(String apkPath) throws RemoteException {
Log.d(TAG, "installApp()------->" + apkPath);
File apkFile = new File(apkPath);
if (!apkFile.exists()) {
Log.d(TAG, "文件不存在");
}
PackageInfo packageInfo = getPackageManager().getPackageArchiveInfo(apkPath, PackageManager.GET_ACTIVITIES | PackageManager.GET_SERVICES);
if (packageInfo != null) {
String packageName = packageInfo.packageName;
int versionCode = packageInfo.versionCode;
String versionName = packageInfo.versionName;
Log.d(TAG, "packageName=" + packageName + ", versionCode=" + versionCode + ", versionName=" + versionName);
}
PackageInstaller packageInstaller = getPackageManager().getPackageInstaller();
PackageInstaller.SessionParams sessionParams
= new PackageInstaller.SessionParams(PackageInstaller
.SessionParams.MODE_FULL_INSTALL);
Log.d(TAG, "apkFile length" + apkFile.length());
sessionParams.setSize(apkFile.length());
try {
mSessionId = packageInstaller.createSession(sessionParams);
} catch (Exception e) {
e.printStackTrace();
}
Log.d(TAG, "sessionId---->" + mSessionId);
if (mSessionId != -1) {
boolean copySuccess = onTransfesApkFile(apkPath);
Log.d(TAG, "copySuccess---->" + copySuccess);
if (copySuccess) {
execInstallAPP();
}
}
}
@Override
public void silentUnInstall(String packageName) throws RemoteException {
Intent broadcastIntent = new Intent(getApplicationContext(), InstallResultReceiver.class);
@SuppressLint("UnspecifiedImmutableFlag") PendingIntent pendingIntent = PendingIntent.getBroadcast(getApplicationContext(), 1,
broadcastIntent, PendingIntent.FLAG_UPDATE_CURRENT);
PackageInstaller packageInstaller = getPackageManager().getPackageInstaller();
packageInstaller.uninstall(packageName, pendingIntent.getIntentSender());
}
}
@Nullable
@Override
public IBinder onBind(Intent intent) {
return new MyBinder();
}
private class InstallSessionCallback extends PackageInstaller.SessionCallback {
@Override
public void onCreated(int sessionId) {
// empty
Log.d(TAG, "onCreated()" + sessionId);
}
@Override
public void onBadgingChanged(int sessionId) {
// empty
Log.d(TAG, "onBadgingChanged()" + sessionId + "active");
}
@Override
public void onActiveChanged(int sessionId, boolean active) {
// empty
Log.d(TAG, "onActiveChanged()" + sessionId + "active" + active);
}
@Override
public void onProgressChanged(int sessionId, float progress) {
Log.d(TAG, "onProgressChanged()" + sessionId);
if (sessionId == mSessionId) {
int progres = (int) (Integer.MAX_VALUE * progress);
Log.d(TAG, "onProgressChanged" + progres);
}
}
@Override
public void onFinished(int sessionId, boolean success) {
// empty, finish is handled by InstallResultReceiver
Log.d(TAG, "onFinished()" + sessionId + "success" + success);
if (mSessionId == sessionId) {
if (success) {
Log.d(TAG, "onFinished() 安装成功");
} else {
Log.d(TAG, "onFinished() 安装失败");
}
}
}
}
/**
* 通过文件流传输apk
*
* @param apkPath
* @return
*/
private boolean onTransfesApkFile(String apkPath) {
Log.d(TAG, "---------->onTransfesApkFile()<---------------------");
InputStream in = null;
OutputStream out = null;
PackageInstaller.Session session = null;
boolean success = false;
try {
File apkFile = new File(apkPath);
session = getPackageManager().getPackageInstaller().openSession(mSessionId);
out = session.openWrite("base.apk", 0, apkFile.length());
in = new FileInputStream(apkFile);
int total = 0, c;
byte[] buffer = new byte[1024 * 1024];
while ((c = in.read(buffer)) != -1) {
total += c;
out.write(buffer, 0, c);
}
session.fsync(out);
Log.d(TAG, "streamed " + total + " bytes");
success = true;
} catch (IOException e) {
e.printStackTrace();
} finally {
if (null != session) {
session.close();
}
try {
if (null != out) {
out.close();
}
if (null != in) {
in.close();
}
} catch (IOException e) {
e.printStackTrace();
}
}
return success;
}
/**
* 执行安装并通知安装结果
*/
private void execInstallAPP() {
Log.d(TAG, "--------------------->execInstallAPP()<------------------");
try (PackageInstaller.Session session = getPackageManager().getPackageInstaller().openSession(mSessionId)) {
Intent intent = new Intent(getApplicationContext(), InstallResultReceiver.class);
PendingIntent pendingIntent = PendingIntent.getBroadcast(getApplicationContext(),
1, intent,
PendingIntent.FLAG_UPDATE_CURRENT);
session.commit(pendingIntent.getIntentSender());
} catch (IOException e) {
e.printStackTrace();
}
}
static class InstallResultReceiver extends BroadcastReceiver {
private static final String TAG = "InstallResultReceiver";
@Override
public void onReceive(Context context, Intent intent) {
if (intent != null) {
final int status = intent.getIntExtra(PackageInstaller.EXTRA_STATUS,
PackageInstaller.STATUS_FAILURE);
if (status == PackageInstaller.STATUS_SUCCESS) {
// success
} else {
String msg = intent.getStringExtra(PackageInstaller.EXTRA_STATUS_MESSAGE);
Log.e(TAG, "Install FAILURE status_massage" + msg);
}
}
}
};
}
AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
android:sharedUserId="android.uid.system">
<uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<application
android:allowBackup="true"
android:supportsRtl="true"
android:label="@string/app_name"
android:usesCleartextTraffic="false"
android:requestLegacyExternalStorage="true">
<activity
android:name=".MainActivity"
android:theme="@android:style/Theme.NoDisplay"
android:exported="true">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<service
android:name=".SilentInstallService"
android:enabled="true"
android:exported="true">
<!--enable:ture设置可用
exported:ture对外暴露 -->
<intent-filter>
<action android:name="com.xiaoxuan.silent.test" />
</intent-filter>
</service>
</application>
</manifest>
这里大家可以看到我标注了系统签组,就是为了可以获取到更多的权限
android:sharedUserId="android.uid.system"
下面是aidl
package com.xiaoxuan.silent;
interface ISilentInstall {
void silentInstall(String apkPath);
void silentUnInstall(String packageName);
}
Android.bp实现
android_app {
name: "SilentInstall",
srcs: [
"src/**/*.java",
"src/com/xiaoxuan/silent/ISilentInstall.aidl",
],
sdk_version: "current",
product_specific: true,
optimize: {
proguard_flags_files: ["proguard.flags"],
},
certificate: "platform",
}
到这里我们的静默安装卸载器就完成了,下面完成模拟第三方普通应用调用
普通应用调用静默安装卸载器
package com.xiaoxuan.myapplication6;
import androidx.appcompat.app.AppCompatActivity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.Bundle;
import android.os.IBinder;
import android.os.RemoteException;
import android.view.View;
import android.widget.Button;
import com.xiaoxuan.silent.ISilentInstall;
public class MainActivity extends AppCompatActivity {
private Button button;
private ISilentInstall iMyAidlInterface;
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
button=(Button) findViewById(R.id.btn_tost);
Intent intent=new Intent();
intent.setAction("com.xiaoxuan.silent.test");
intent.setPackage("com.xiaoxuan.silent");
bindService(intent,conn,BIND_AUTO_CREATE);
button.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View v) {
try {
iMyAidlInterface.silentInstall("/sdcard/aiqiyi.apk");
} catch (RemoteException e) {
e.printStackTrace();
}
}
});
}
public ServiceConnection conn=new ServiceConnection() {
@Override
public void onServiceConnected(ComponentName name, IBinder service) {
iMyAidlInterface=ISilentInstall.Stub.asInterface(service);
}
@Override
public void onServiceDisconnected(ComponentName name) {
}
};
}
注意的是aidl与静默安装卸载器的aidl一致,直接安装包名目录拷贝过来。
