Android Q 外部应用安装权限管理

Android Q 外部应用安装权限管理

要求:外部第三方应用如果没有系统平台签名,无法通过adb install指令安装应用。

只允许白名单之内的文件可以通过adb指令安装

1、文件路径如下
frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java

应用安装白名单

--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -488,7 +488,10 @@ public class PackageManagerService extends IPackageManager.Stub
     private static String mSignPackageName[] = {
    
    
       "com.kaifa.bgm.setting",
       "com.kirin.healthcare",
-      "com.kaifa.bgm.demo"};
+      "com.kaifa.bgm.demo",
+      "com.ascensia.bgm.demo",
+      "com.ascensia.scanner.demo",
+      "com.ascensia.kirin.evaluation"};
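Review bot: The three entries added here are manifest package names, and a package name is chosen by whoever builds the APK, so membership in this list does not by itself show that the file is signed with a platform key; it only narrows which names are accepted. The array is also a non-final mutable static declared with C-style brackets, `private static String mSignPackageName[]`, which any code in the class can reassign; `private static final String[] SIGN_PACKAGE_NAMES = {` is the conventional form. A comment above the declaration would keep the next maintainer from treating the list as a trust anchor: `// Package names accepted for adb install. The name is taken from the APK's manifest and is not authenticated; pair it with a check of the APK's own signing certificate.` The same declaration appears again in the full patch below (hunk `@@ -480,6 +483,21 @@`), where the same comment applies.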


.../android/server/pm/PackageManagerService.java   | 89 +++++++++++++++++++++-
 1 file changed, 87 insertions(+), 2 deletions(-)

diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 23c7ad4..e493e1d 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -377,6 +377,9 @@ import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.BiConsumer;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 
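Review bot: The new `parseSignature` further down constructs `new ByteArrayInputStream(signature)`, but this hunk adds only the three `java.security.cert` imports; unless `java.io.ByteArrayInputStream` is already imported earlier in the file (not visible here), the patch will not compile. The three imports are also appended after the `java.util.function` group rather than placed in the `java.security` group where the file's ordering would put them; `import java.security.cert.CertificateException;` and its two siblings belong with the other `java.security` imports.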
 /**
  * Keep track of all those APKs everywhere.
@@ -480,6 +483,21 @@ public class PackageManagerService extends IPackageManager.Stub
     static final int SCAN_AS_PRODUCT_SERVICES = 1 << 22;
     static final int SCAN_AS_ODM = 1 << 23;
 
+    //add by hhuming on 2021-05-10 for ID1013053 begain
+    //packageName
+    private static String mSignPackageName[] = {
+      "com.kaifa.bgm.setting",
+      "com.kirin.healthcare",
+      "com.kaifa.bgm.demo"};
+
+    //media,platform,shared,testkey,releasekey
+    private static String mRomSingnum[] = {
+      "17005646429478100598",
+      "9539596108125051488",
+      "16132430370418643909",
+      "13604184191370124297",
+      "12176541990031084972"};
+
     @IntDef(flag = true, prefix = { "SCAN_" }, value = {
             SCAN_NO_DEX,
             SCAN_UPDATE_SIGNATURE,
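Review bot: `mRomSingnum` holds X.509 serial numbers as decimal strings, and `isRomSign` later accepts any certificate whose serial matches one of them; a serial number is an issuer-assigned field, not a fingerprint of the key, so two unrelated certificates can carry the same serial and the comparison does not bind to the platform key at all. Compare the certificate itself, e.g. a SHA-256 digest of `cert.getEncoded()` stored here as hex, so the constant identifies exactly one certificate. The identifier is misspelled (`mRomSingnum`), is a non-final mutable static, and the comment `//media,platform,shared,testkey,releasekey` should say which array index maps to which key name, since the order is the only thing that ties a value to a key: `// Platform signing certificates, in this order: media, platform, shared, testkey, releasekey.`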
@@ -15651,6 +15669,7 @@ public class PackageManagerService extends IPackageManager.Stub
         if (params.move != null) {
             return new MoveInstallArgs(params);
         } else {
+	    Log.i(TAG,"createInstallArgs FileInstallArgs");
             return new FileInstallArgs(params);
         }
     }
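Review bot: The added `Log.i(TAG,"createInstallArgs FileInstallArgs");` is an unconditional info-level log on every install, indented with a tab while the surrounding code uses spaces, and uses `Log` where this file logs through `Slog` behind `DEBUG_INSTALL` (see the `Slog.d` in the `doCopyApk` hunk below). `if (DEBUG_INSTALL) Slog.i(TAG, "createInstallArgs FileInstallArgs");` matches the file's convention. The same applies to the `Log.i` calls added in `isRomSignsPackage`, `isRomSign`, `parseSignature` and `doCopyApk` below; `parseSignature` in particular prints the full public key at info level on every call.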
@@ -15780,6 +15799,62 @@ public class PackageManagerService extends IPackageManager.Stub
         }
     }
 
+    private boolean isRomSignsPackage(Context context,PackageInfoLite pkgLite) {
+        try {
+            if(pkgLite != null){
+		String packageName = pkgLite.packageName;
+	        Log.i(TAG,"isRomSignsPackage packageName = " + packageName);
+                for(String num:mSignPackageName) {
+                    if(num.equals(packageName)) {
+                        return true;
+                    }
+                }
+            }else{
+                return false;
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return false;
+    }
+
+    public boolean isRomSign(Context context) {
+        try {
+            PackageInfo packageInfo = context.getPackageManager().
+                    getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);
+            android.content.pm.Signature[] signs = packageInfo.signatures;
+            android.content.pm.Signature sign = signs[0];
+            String signNumber = parseSignature(sign.toByteArray());
+	    Log.i(TAG,"isRomSign signNumber = " + signNumber);
+            for(String num:mRomSingnum) {
+                if(num.equals(signNumber)) {
+		    Log.i(TAG,"isRomSign signNumber is right, so return true");
+                    return true;
+                }
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return false;
+    }
+
+    private static String parseSignature(byte[] signature) {
+        try {
+            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+            X509Certificate cert = (X509Certificate) certFactory
+                    .generateCertificate(new ByteArrayInputStream(signature));
+            String pubKey = cert.getPublicKey().toString();
+            String signNumber = cert.getSerialNumber().toString();
+            String AlgNumber =  cert.getSignature().toString();
+            Log.i(TAG,"parseSignature pubKey = " + pubKey + ", signNumber =  "
+                    + signNumber + ", AlgNumber = " + AlgNumber);
+            return signNumber;
+        } catch (CertificateException e) {
+            e.printStackTrace();
+        }
+        return null;
+    }
+
     /**
      * Logic to handle installation of new applications, including copying
      * and renaming logic.
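Review bot: `isRomSign(Context)` looks up `context.getPackageName()` through the package manager, which is the system server's own package, so it reports whether the running platform is signed with a listed key and never looks at the APK being installed; on a device built with those keys it is always true, which reduces the whole gate in `doCopyApk` to the package-name match in `isRomSignsPackage`, and a package name is declared by the APK author. To meet the stated requirement the certificate has to come from the file at `origin.resolvedPath` (as far as I can tell `PackageInfoLite` carries no signing information, so this needs the parser's certificate collection for that path), and it should be compared as a whole certificate, e.g. a hex `MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())`, rather than by `getSerialNumber()`; `signs[0]` also inspects only the first signer. On failure `parseSignature` returns `null`, which `num.equals(signNumber)` silently treats as a mismatch, and all three methods swallow exceptions with `e.printStackTrace()`; `Slog.e(TAG, "Failed to parse signing certificate", e)` keeps the cause in the system log. `isRomSignsPackage` never uses its `context` parameter, and the Javadoc for each method should state what is actually verified, for example above `isRomSign`: `/** Returns true if the caller's own package (not the APK under install) is signed with one of the listed platform certificates. */`.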
@@ -15824,8 +15899,18 @@ public class PackageManagerService extends IPackageManager.Stub
         }
 
         private int doCopyApk() {
+	    Log.i(TAG,"doCopyApk = origin " + origin);
+	    PackageInfoLite pkgLite = null;
+	    int ret = PackageManager.INSTALL_UNKNOWN;
+	    if ((((FileInstallArgs)this).installFlags & PackageManager.INSTALL_FROM_ADB) != 0){
+		pkgLite = PackageManagerServiceUtils.getMinimalPackageInfo(mContext,origin.resolvedPath, installFlags, "");
+		if (!isRomSignsPackage(mContext,pkgLite) || !isRomSign(mContext)) {
+		    ret = PackageManager.INSTALL_FAILED_INVALID_APK;
+		    return ret;
+	        }
+	    }
             if (origin.staged) {
-                if (DEBUG_INSTALL) Slog.d(TAG, origin.file + " already staged; skipping copy");
+                Slog.d(TAG, origin.file + " already staged; skipping copy");
                 codeFile = origin.file;
                 resourceFile = origin.file;
                 return PackageManager.INSTALL_SUCCEEDED;
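Review bot: The rejection path returns `INSTALL_FAILED_INVALID_APK` without logging why, so an operator seeing the failure cannot tell an allow-list rejection from a corrupt file; a `Slog.w(TAG, "Rejecting adb install of " + (pkgLite != null ? pkgLite.packageName : origin.resolvedPath) + ": not in allow-list");` before the `return ret;` makes the decision visible in logcat, where a detection rule can pick it up. The cast in `(((FileInstallArgs)this).installFlags & PackageManager.INSTALL_FROM_ADB)` is redundant if `doCopyApk` is a member of `FileInstallArgs`, which the Javadoc and the `new FileInstallArgs(params)` in the earlier hunk suggest (the class header is outside this hunk); `if ((installFlags & PackageManager.INSTALL_FROM_ADB) != 0) {` reads the same field. The change from `if (DEBUG_INSTALL) Slog.d(...)` to an unconditional `Slog.d(...)` on the staged path is unrelated to the allow-list and should be dropped from this patch. The added lines are tab-indented while the enclosing method uses spaces.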
@@ -15842,7 +15927,7 @@ public class PackageManagerService extends IPackageManager.Stub
                 return PackageManager.INSTALL_FAILED_INSUFFICIENT_STORAGE;
             }
 
-            int ret = PackageManagerServiceUtils.copyPackage(
+            ret = PackageManagerServiceUtils.copyPackage(
                     origin.file.getAbsolutePath(), codeFile);
             if (ret != PackageManager.INSTALL_SUCCEEDED) {
                 Slog.e(TAG, "Failed to copy package");
-- 
2.7.4


2、生成平台签名的指令如下

development/tools/make_key testkey  '/C=US/ST=NY/L=Holbrook View/O=ZJY/OU=PM/CN=SW/[email protected]'
development/tools/make_key media  '/C=US/ST=NY/L=Holbrook View/O=ZJY/OU=PM/CN=SW/[email protected]'
development/tools/make_key shared  '/C=US/ST=NY/L=Holbrook View/O=ZJY/OU=PM/CN=SW/[email protected]'
development/tools/make_key platform  '/C=US/ST=NY/L=Holbrook View/O=ZJY/OU=PM/CN=SW/[email protected]'
development/tools/make_key releasekey  '/C=US/ST=NY/L=Holbrook View/O=ZJY/OU=PM/CN=SW/[email protected]'
development/tools/make_key verity  '/C=US/ST=NY/L=Holbrook View/O=ZJY/OU=PM/CN=SW/[email protected]'
out/host/linux-x86/bin/generate_verity_key -convert verity.x509.pem verity_key


转载自blog.csdn.net/weixin_45080805/article/details/120738416