Adding a custom permission to the Android framework

Posted by yingxian_Fei on 2016-06-02
To restrict which applications may call a custom system interface, add a custom permission to the Android framework source.
In frameworks/base/core/res/AndroidManifest.xml, add:
<permission android:name="android.permission.ENTERPRISE_SETTINGS"
        android:label="@string/permlab_invoke_ivt_method"
        android:description="@string/permdesc_invoke_ivt_method"
        android:protectionLevel="dangerous" />

In frameworks/base/core/res/values/string.xml, add the string resources
permlab_invoke_ivt_method and permdesc_invoke_ivt_method.

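Add the permission check in the interface being called:
public String getDeviceInfo() throws RemoteException
{
        // ...
        // Throws SecurityException unless the caller (or this process itself) holds the permission.
        mContext.enforceCallingOrSelfPermission("android.permission.ENTERPRISE_SETTINGS", null);
        // ...
}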

An application that calls this interface must declare the permission in its own AndroidManifest.xml before the call will succeed:
<uses-permission android:name="android.permission.ENTERPRISE_SETTINGS"/>

The permission protection levels are as follows.
protectionLevel has four levels:
"normal" 
The default value. A lower-risk permission that gives requesting applications access to isolated application-level features, with minimal risk to other applications, the system, or the user. The system automatically grants this type of permission to a requesting application at installation, without asking for the user's explicit approval (though the user always has the option to review these permissions before installing). 

"dangerous" 
A higher-risk permission that would give a requesting application access to private user data or control over the device that can negatively impact the user. Because this type of permission introduces potential risk, the system may not automatically grant it to the requesting application. For example, any dangerous permissions requested by an application may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities. 

"signature" 
A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval. 

"signatureOrSystem" 
A permission that the system grants only to applications that are in the Android system image or that are signed with the same certificates as those in the system image. Please avoid using this option, as the signature protection level should be sufficient for most needs and works regardless of exactly where applications are installed. The "signatureOrSystem" permission is used for certain special situations where multiple vendors have applications built into a system image and need to share specific features explicitly because they are being built together. 

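The first few are easy to understand.
The one to remember is the last, signatureOrSystem: as the name suggests, besides requesting the permission, the app must also have a matching signature or be a system-level APK before it is granted!
I made the following attempts.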

Test Result:
TestCustomPermission is an APK in which I defined a custom access permission for an Activity.
TestPermission accesses the Activity in TestCustomPermission.


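EclipseSignature: both APKs are signed with the Eclipse signature
OtherSignature: both APKs are signed with the same, other signature
DifferentSignature: the two signatures differ
The test results follow: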

APP level
Permission set to signatureOrSystem
1. EclipseSignature: access succeeded! The permission can be added!
2. OtherSignature: access succeeded! The permission can be added!
3. DifferentSignature: access failed!


Permission set to normal
1. DifferentSignature: access succeeded! The permission can be added!


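System level
Permission set to signatureOrSystem
1. EclipseSignature: access succeeded! The permission can be added!
2. OtherSignature: access succeeded! The permission can be added!
3. DifferentSignature: access succeeded! The permission can be added!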


TestCustomPermission in system, TestPermission in APP
1. DifferentSignature: failed
2. Same signature: succeeded!


Final experiment
Register signatureOrSystem in TestCustomPermission! Access it from the APP layer and verify it in the framework API!
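
Added example (not from the original post): a Python model of the four protection levels quoted above, used to audit a manifest for custom permissions that an app with a different signature, installed outside the system image, could still obtain. The function names and the <manifest> wrapper around the post's <permission> element are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: the <permission> element from this post wrapped in a
# minimal <manifest> so that it parses on its own.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <permission android:name="android.permission.ENTERPRISE_SETTINGS"
        android:label="@string/permlab_invoke_ivt_method"
        android:description="@string/permdesc_invoke_ivt_method"
        android:protectionLevel="dangerous" />
</manifest>"""

def declared_permissions(manifest_xml):
    """Map each declared <permission> to its protectionLevel (default "normal")."""
    root = ET.fromstring(manifest_xml)
    return {
        p.get(f"{{{ANDROID_NS}}}name"): p.get(f"{{{ANDROID_NS}}}protectionLevel", "normal")
        for p in root.iter("permission")
    }

def grant_decision(level, same_cert, in_system_image):
    """Outcome for a requesting app under the four levels quoted in the post."""
    if level == "normal":
        return "granted"
    if level == "dangerous":
        return "user confirmation"
    if level == "signature":
        return "granted" if same_cert else "denied"
    if level == "signatureOrSystem":
        return "granted" if same_cert or in_system_image else "denied"
    raise ValueError(f"level not covered by this model: {level!r}")

def audit(manifest_xml):
    """List permissions that an app signed with a different key, installed
    outside the system image, could still obtain."""
    findings = []
    for name, level in declared_permissions(manifest_xml).items():
        outcome = grant_decision(level, same_cert=False, in_system_image=False)
        if outcome != "denied":
            findings.append((name, level, outcome))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST):
        print(finding)
```

Run against the declaration from this post, the audit reports ENTERPRISE_SETTINGS because "dangerous" leaves the grant to user confirmation; with "signature" the same audit returns nothing.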
