問題:
專案中有一下情況:程式A呼叫另一程式的B ContentProvider,B在該此次query中需要在query另一個 C ContentProvider:
class BContentProvider extends ContentProvider {
Context mContext;
...
@Override
public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
...
try {
// query C ContentProvider:
Cursor cursor = mContext.getContentResolver().query(...);
if (cursor != null) {
try {
//do something;
} finally {
cursor.close();
}
}
Cursor cursor = mContext.getContentResolver().query(...);
...
...
}
}
}
複製程式碼在這種情況下,系統丟擲Exception如下:
1-11 16:04:51.867 2633 3557 W AppOps : Bad call: specified package com.providers.xxx under uid 10032 but it is really 10001
01-11 16:04:51.867 2633 3557 W AppOps : java.lang.RuntimeException: here
01-11 16:04:51.867 2633 3557 W AppOps : at com.android.server.AppOpsService.getOpsRawLocked(AppOpsService.java:1399)
01-11 16:04:51.867 2633 3557 W AppOps : at com.android.server.AppOpsService.noteOperationUnchecked(AppOpsService.java:1115)
01-11 16:04:51.867 2633 3557 W AppOps : at com.android.server.AppOpsService.noteProxyOperation(AppOpsService.java:1093)
01-11 16:04:51.867 2633 3557 W AppOps : at com.android.internal.app.IAppOpsService$Stub.onTransact(IAppOpsService.java:157)
01-11 16:04:51.867 2633 3557 W AppOps : at android.os.BinderInjector.onTransact(BinderInjector.java:30)
01-11 16:04:51.867 2633 3557 W AppOps : at android.os.Binder.execTransact(Binder.java:569)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: Writing exception to parcel
01-11 16:04:51.868 4659 6791 E DatabaseUtils: java.lang.SecurityException: Proxy package com.providers.xxx from uid 10001 or calling package com.providers.xxx from uid 10032 not allowed to perform READ_PROVIDER_C
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.app.AppOpsManager.noteProxyOp(AppOpsManager.java:1834)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProvider.checkPermissionAndAppOp(ContentProvider.java:538)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProvider.enforceReadPermissionInner(ContentProvider.java:560)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProvider$Transport.enforceReadPermission(ContentProvider.java:483)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProvider$Transport.query(ContentProvider.java:212)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentResolver.query(ContentResolver.java:532)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentResolver.query(ContentResolver.java:473)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at com.android.providers.xxx.BDatabaseHelper.query(BDatabaseHelper.java:7238)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProvider$Transport.query(ContentProvider.java:239)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProviderNative.onTransact(ContentProviderNative.java:112)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.os.BinderInjector.onTransact(BinderInjector.java:30)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.os.Binder.execTransact(Binder.java:569)
複製程式碼分析:
由於錯誤log首先反應了沒有C ContentProvider的許可權,但檢查A應用是有C的讀寫許可權的。所以排除了A的許可權問題。 繼續分析: 通過log可以看到確實是ContentProvider在做許可權檢查時出錯。通過log中對應的原始碼進行分析: 首先可以看到ContentProvider.query()的時候做了許可權檢查,注意,傳入的enforceReadPermission()的callingPkg是呼叫方的包名,以上面為例,就是B的包名。
ContentProvider.query():
@Override
public Cursor query(String callingPkg, Uri uri, @Nullable String[] projection,
@Nullable Bundle queryArgs, @Nullable ICancellationSignal cancellationSignal) {
validateIncomingUri(uri);
uri = maybeGetUriWithoutUserId(uri);
if (enforceReadPermission(callingPkg, uri, null) != AppOpsManager.MODE_ALLOWED) {
複製程式碼enforceReadPermission()呼叫了.checkPermissionAndAppOp()方法,ContentProvider.checkPermissionAndAppOp()呼叫了AppOpsManager.noteProxyOp()去做檢查出了異常。
AppOpsManager.noteProxyOp():
public int noteProxyOp(int op, String proxiedPackageName) {
int mode = noteProxyOpNoThrow(op, proxiedPackageName);
if (mode == MODE_ERRORED) {
throw new SecurityException("Proxy package " + mContext.getOpPackageName()
+ " from uid " + Process.myUid() + " or calling package "
+ proxiedPackageName + " from uid " + Binder.getCallingUid()
+ " not allowed to perform " + sOpNames[op]);
}
return mode;
}
複製程式碼noteProxyOpNoThrow()又做了什麼呢? AppOpsManager.noteProxyOpNoThrow():
/**
* Like {@link #noteProxyOp(int, String)} but instead
* of throwing a {@link SecurityException} it returns {@link #MODE_ERRORED}.
* @hide
*/
public int noteProxyOpNoThrow(int op, String proxiedPackageName) {
try {
return mService.noteProxyOperation(op, mContext.getOpPackageName(),
Binder.getCallingUid(), proxiedPackageName);
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}
複製程式碼可見noteProxyOpNoThrow()是通過binder呼叫到了AppOpsService.noteProxyOperation()方法,注意,這裡傳入的是AppOpsService.noteProxyOperation()的後兩個引數為Binder.getCallingUid()和之前層層傳入的呼叫方的包名,也就是上面例子的B的包名。
下面,繼續看binder另一側的AppOpsService.noteProxyOperation()方法,我們結合log中AppOps的輸出log:
AppOpsService.noteProxyOperation():
@Override
public int noteProxyOperation(int code, String proxyPackageName,
int proxiedUid, String proxiedPackageName) {
verifyIncomingOp(code);
final int proxyUid = Binder.getCallingUid();
String resolveProxyPackageName = resolvePackageName(proxyUid, proxyPackageName);
if (resolveProxyPackageName == null) {
return AppOpsManager.MODE_IGNORED;
}
final int proxyMode = noteOperationUnchecked(code, proxyUid,
resolveProxyPackageName, -1, null);
if (proxyMode != AppOpsManager.MODE_ALLOWED || Binder.getCallingUid() == proxiedUid) {
return proxyMode;
}
String resolveProxiedPackageName = resolvePackageName(proxiedUid, proxiedPackageName);
if (resolveProxiedPackageName == null) {
return AppOpsManager.MODE_IGNORED;
}
return noteOperationUnchecked(code, proxiedUid, resolveProxiedPackageName,
proxyMode, resolveProxyPackageName);
}
複製程式碼AppOpsService.noteOperationUnchecked():
private int noteOperationUnchecked(int code, int uid, String packageName,
int proxyUid, String proxyPackageName) {
Op op = null;
Op switchOp = null;
int switchCode;
int resultMode = AppOpsManager.MODE_ALLOWED;
synchronized (this) {
Ops ops = getOpsRawLocked(uid, packageName, true);
...
}
...
}
複製程式碼AppOpsService.getOpsRawLocked():
private Ops getOpsRawLocked(int uid, String packageName, boolean edit) {
...
Ops ops = uidState.pkgOps.get(packageName);
if (ops == null) {
if (!edit) {
return null;
}
boolean isPrivileged = false;
// This is the first time we have seen this package name under this uid,
// so let's make sure it is valid.
if (uid != 0) {
final long ident = Binder.clearCallingIdentity();
try {
int pkgUid = -1;
try {
ApplicationInfo appInfo = ActivityThread.getPackageManager()
.getApplicationInfo(packageName,
PackageManager.MATCH_DEBUG_TRIAGED_MISSING,
UserHandle.getUserId(uid));
if (appInfo != null) {
pkgUid = appInfo.uid;
isPrivileged = (appInfo.privateFlags
& ApplicationInfo.PRIVATE_FLAG_PRIVILEGED) != 0;
}
...
}
...
if (pkgUid != uid) {
// Oops! The package name is not valid for the uid they are calling
// under. Abort.
RuntimeException ex = new RuntimeException("here");
ex.fillInStackTrace();
Slog.w(TAG, "Bad call: specified package " + packageName
+ " under uid " + uid + " but it is really " + pkgUid, ex);
return null;
}
} finally {
Binder.restoreCallingIdentity(ident);
}
}
ops = new Ops(packageName, uidState, isPrivileged);
uidState.pkgOps.put(packageName, ops);
}
return ops;
}
複製程式碼這裡主要的操作就是將傳入的uid和包名進行判斷:比對該包對應的uid和傳入的uid比較,如果不一致就報錯。錯誤資訊和log中的一致:
Bad call: specified package com.providers.xxx under uid 10032 but it is really 10001
複製程式碼上文提到了,這個包名是傳入的ContentProvider的呼叫方的包名,也就是例子中的B的包名。而uid是在AppOpsManager中通過Binder.getCallingUid()獲得的。log中顯示,此uid並不是B的uid,而是其上游呼叫者A的uid。 為什麼在C中呼叫Binder.getCallingUid()得到的是A程式的呢?我找到了袁輝輝大神的一片部落格: Binder IPC的許可權控制
“執行緒B通過Binder呼叫當前執行緒的某個元件:此時執行緒B是執行緒B某個元件的呼叫端,則mCallingUid和mCallingPid應該儲存當前執行緒B的PID和UID,故需要呼叫clearCallingIdentity()方法完成這個功能。當執行緒B呼叫完某個元件,由於執行緒B仍然處於執行緒A的被呼叫端,因此mCallingUid和mCallingPid需要恢復成執行緒A的UID和PID,這是呼叫restoreCallingIdentity()即可完成。”
Binder的機制就是這麼設計的,所以需要在B進行下一次Binder呼叫(也就是query ContentProvider)之前呼叫clearCallingIdentity()來將B的 PID和UID附給mCallingUid和mCallingPid。Binder呼叫結束後在restoreCallingIdentity()來將其恢復成其原本呼叫方的PID和UID。這樣在C裡就會用B的相關資訊進行許可權校驗,在AppOpsService.getOpsRawLocked(),UID和包名都是B的,是一致的,就不會報錯。
解決辦法
其實上文也已經提到了,參考 Binder IPC的許可權控制,在B進行Query前後分別呼叫clearCallingIdentity() //作用是清空遠端呼叫端的uid和pid,用當前本地程式的uid和pid替代,這樣在之後的呼叫方去進行許可權校驗時會以B的資訊為主,不會出現包名和UID不一致的情況。 最後修改過的呼叫方式如下:
long token = Binder.clearCallingIdentity();
try {
Cursor cursor = mContext.getContentResolver().query(...);
if (cursor != null) {
try {
//do something;
} finally {
cursor.close();
}
}
} finally {
Binder.restoreCallingIdentity(token);
}
複製程式碼總結:
-
ContentProvider是用Binder實現的,查詢的過程其實就是一次Binder呼叫,所以想深入瞭解ContentProvider一定要會一些Binder相關的知識。
-
ContentProvider在接受一次查詢前會呼叫AppOpsManager(其會通過Binder再由AppOpsService完成)進行許可權校驗,其中會校驗呼叫方的UID和包名是否一致,其相關功能可見文章: Android 許可權管理 —— AppOps。
-
Binder呼叫時候可以通過Binder.getCallingPid()和Binder.getCallingUid()來獲取呼叫方的PID和UID,而如果A通過Binder呼叫B,B又Binder呼叫了C,那麼在C中Binder.getCallingPid()和Binder.getCallingUid()得到的是A的PID和UID,這種情況下需要在B呼叫C的前後用Binder.clearCallingIdentity()和Binder.restoreCallingIdentity()使其帶上B的PID和UID,從而在C中進行許可權校驗時候用B的資訊進行校驗,當然這也符合邏輯,B呼叫的C,應該B需要有相應許可權。
-
Binder.clearCallingIdentity()和Binder.restoreCallingIdentity()的實現原理 Binder IPC的許可權控制也有介紹,是通過移位實現的。