Android7.0的静默安装失败问题研究
最近遇到了在Android7.0上静默安装失败的问题。应用程序放到系统分区(/system/priv-app/)执行pm命令实现静默安装的方式在其他版本上都可以实现静默安装,在7.0上就安装失败,报这个异常:
java.lang.SecurityException:
Permission Denial: runInstallCreate from pm command asks to run as user -1 but is calling from user 0;
this requires android.permission.INTERACT_ACROSS_USERS_FULL
至于安装失败肯定是pm instll的执行逻辑做了修改,我们直接从Pm的源码开始研究。
网上关于7.0静默安装的资料确实很少,没办法了只能先去查看源码看为啥报这个异常了。手头上也没有7.0的源码,只能去下载了,20个G的源码下载了三个小时左右。7.0源码下载,清华大学Android源码镜像站,在解压的aosp目录下面执行repo sync即可得到完整目录。
看frameworks的,源码查看工具我用的是understand,全局搜索runInstallCreate from pm command asks to run as user没搜到,说明这句话是组装成的,所以拆开搜索,全局搜索asks to run as user,这次搜到了。该方法在UserController类中
int handleIncomingUser(int callingPid, int callingUid, int userId, boolean allowAll,
int allowMode, String name, String callerPackage) {
//测试发现这个getUserId的返回值应该为0
final int callingUserId = UserHandle.getUserId(callingUid);
if (callingUserId == userId) {
return userId;
}
// Note that we may be accessing mCurrentUserId outside of a lock...
// shouldn't be a big deal, if this is being called outside
// of a locked context there is intrinsically a race with
// the value the caller will receive and someone else changing it.
// We assume that USER_CURRENT_OR_SELF will use the current user; later
// we will switch to the calling user if access to the current user fails.
int targetUserId = unsafeConvertIncomingUserLocked(userId);
if (callingUid != 0 && callingUid != SYSTEM_UID) {
final boolean allow;
if (mService.checkComponentPermission(INTERACT_ACROSS_USERS_FULL, callingPid,
callingUid, -1, true) == PackageManager.PERMISSION_GRANTED) {
// If the caller has this permission, they always pass go. And collect $200.
allow = true;
} else if (allowMode == ALLOW_FULL_ONLY) {
// We require full access, sucks to be you.
allow = false;
} else if (mService.checkComponentPermission(INTERACT_ACROSS_USERS, callingPid,
callingUid, -1, true) != PackageManager.PERMISSION_GRANTED) {
// If the caller does not have either permission, they are always doomed.
allow = false;
} else if (allowMode == ALLOW_NON_FULL) {
// We are blanket allowing non-full access, you lucky caller!
allow = true;
} else if (allowMode == ALLOW_NON_FULL_IN_PROFILE) {
// We may or may not allow this depending on whether the two users are
// in the same profile.
allow = isSameProfileGroup(callingUserId, targetUserId);
} else {
throw new IllegalArgumentException("Unknown mode: " + allowMode);
}
if (!allow) {
if (userId == UserHandle.USER_CURRENT_OR_SELF) {
// In this case, they would like to just execute as their
// owner user instead of failing.
targetUserId = callingUserId;
} else {
StringBuilder builder = new StringBuilder(128);
builder.append("Permission Denial: ");
builder.append(name);
if (callerPackage != null) {
builder.append(" from ");
builder.append(callerPackage);
}
builder.append(" asks to run as user ");
builder.append(userId);
builder.append(" but is calling from user ");
builder.append(UserHandle.getUserId(callingUid));
builder.append("; this requires ");
builder.append(INTERACT_ACROSS_USERS_FULL);
if (allowMode != ALLOW_FULL_ONLY) {
builder.append(" or ");
builder.append(INTERACT_ACROSS_USERS);
}
String msg = builder.toString();
Slog.w(TAG, msg);
throw new SecurityException(msg);
}
}
}
if (!allowAll && targetUserId < 0) {
throw new IllegalArgumentException(
"Call does not support special user #" + targetUserId);
}
// Check shell permission
if (callingUid == Process.SHELL_UID && targetUserId >= UserHandle.USER_SYSTEM) {
if (hasUserRestriction(UserManager.DISALLOW_DEBUGGING_FEATURES, targetUserId)) {
throw new SecurityException("Shell does not have permission to access user "
+ targetUserId + "\n " + Debug.getCallers(3));
}
}
return targetUserId;
}
研究发现callingUserId = UserHandle.getUserId(callingUid)的返回值为0,如果userId的值和callingUserId的值相同就不会执行下面的方法,也就不会抛出异常了。那我们就继续追踪看看userId是什么。这次我们Pm的源码开始,pm install就是在Pm这个类中执行的,调用的是runInstall方法,runInstall的源码就不贴出来了,我们这里只关心两个方法
final InstallParams params = makeInstallParams();和final int sessionId = doCreateSession(params.sessionParams,params.installerPackageName, params.userId);
makeInstallParams的源码:该方法是解析命令中的参数的,这里只看主要的
private InstallParams makeInstallParams() {
final SessionParams sessionParams = new SessionParams(SessionParams.MODE_FULL_INSTALL);
final InstallParams params = new InstallParams();
params.sessionParams = sessionParams;
String opt;
while ((opt = nextOption()) != null) {
switch (opt) {
....
case "-i":
params.installerPackageName = nextArg();
if (params.installerPackageName == null) {
throw new IllegalArgumentException("Missing installer package");
}
break;
...
...
case "--user":
params.userId = UserHandle.parseUserArg(nextOptionData());
break;
....
default:
throw new IllegalArgumentException("Unknown option " + opt);
}
}
return params;
}
doCreateSession方法中回去调用userId = translateUserId(userId, "runInstallCreate");
translateUserId中回去调用ActivityManager.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), userId, true, true, logContext, "pm command");看ActivityManagerService中的handleIncomingUser方法
@Override
public int handleIncomingUser(int callingPid, int callingUid, int userId, boolean allowAll,
boolean requireFull, String name, String callerPackage) {
return mUserController.handleIncomingUser(callingPid, callingUid, userId, allowAll,
requireFull ? ALLOW_FULL_ONLY : ALLOW_NON_FULL, name, callerPackage);
}
找到了,就是在这里调用的mUserController.handleIncomingUser方法,抛出的异常。这个userId就是我们调用doCreateSession方法传入的params.userId,我们继续看makeInstallParams的源码,params.userId是--user指定的。
我们在代码中执行Runtime.getRuntime().exec("pm install --user 0 apkpath"),log又抛出一个空指针异常。
调用链:doCreateSession--->mInstaller.createSession(params, installerPackageName, userId)-->createSessionInternal-->mAppOps.checkPackage(callingUid, installerPackageName);
checkPackageName会判断installerPackageName是不是为空,为空就抛出异常。installerPackageNameye也是调用doCreateSession时传入params.installerPackageName 该值也是pm命令指定的,为当前调用执行pm命令的包名
所以修改pm命令为:Runtime.getRuntime().exec("pm install -i 包名 --user 0 apkpath"),静默安装成功!!!
到这里就结束了,后面的源码没有贴出来,但是写出了调用过程,大家可以自己去追踪一下源码!
