android 12 应用安装白名单

一、功能概述

在Android 12.0系统中,实现APP应用安装白名单功能,主要是为了确保只有在白名单内的应用能够被安装。以下是对Android 12.0 APP应用安装白名单的详细解释:

二、核心代码与实现

2.1、IPackageManager.aidl添加接口:

首先,需要在IPackageManager.aidl文件中增加设置白名单和获取白名单的接口。这是实现应用安装白名单功能的基础。

2.2、PackageManagerService(PMS)实现接口:

在PackageManagerService.java中,实现上述接口的具体功能。这包括设置白名单、获取白名单以及在安装应用时判断应用是否在白名单中。

2.3、判断应用是否在白名单中:

在PMS的preparePackageLI方法中,添加逻辑以判断当前正在安装的应用是否在白名单中。如果应用在白名单中,则允许安装;否则,阻止安装。

三、app应用安装白名单核心代码

frameworks/base/core/java/android/content/pm/IPackageManager.aidl
frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java

四、app应用安装白名单核心功能分析

首选需要在IPackageManager.aidl 日这个pms的aidl中增加白名单接口,实现设置白名单和获取白名单的接口,接下来在PMS中的安装app的方法中判断是否是白名单的app,然后确定是否让安装从而实现功能

4.1 IPackageManager.aidl添加接口供app调用

首先需要在增加pms的aidl中IPackageManager.aidl增加设置白名单和获取白名单接口

diff --git a/frameworks/base/core/java/android/content/pm/IPackageManager.aidl b/frameworks/base/core/java/android/content/pm/IPackageManager.aidl
 
old mode 100644
 
new mode 100755
 
index a369cc89a3..90fafe5a8f
 
--- a/frameworks/base/core/java/android/content/pm/IPackageManager.aidl
 
+++ b/frameworks/base/core/java/android/content/pm/IPackageManager.aidl
 
@@ -798,4 +798,7 @@ interface IPackageManager {
 
     */
     int restoreAppData(String sourceDir, String pkgName);
 
    /* @} */
 
+   
 
+       void setInstallPackageWhiteList(in List<String> packageNames);
 
+       List<String> getInstallPackageWhiteList();
 
 }

4.2 在PMS中实现设置和获取白名单的接口

diff --git a/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java b/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
 
index 45289f2e39..6727b10e35 100755
 
--- a/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
 
+++ b/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
 
@@ -111,7 +111,13 @@ import static com.android.server.pm.PackageManagerServiceUtils.getCompressedFile
 
 import static com.android.server.pm.PackageManagerServiceUtils.getLastModifiedTime;
 
 import static com.android.server.pm.PackageManagerServiceUtils.logCriticalInfo;
 
 import static com.android.server.pm.PackageManagerServiceUtils.verifySignatures;
 
-
 
+import java.io.BufferedReader;
 
+import java.io.File;
 
+import java.io.FileInputStream;
 
+import java.io.FileOutputStream;
 
+import java.io.InputStreamReader;
 
+import java.io.LineNumberReader;
 
+import java.io.PrintWriter;
 
 import android.Manifest;
 
 import android.annotation.IntDef;
 
 import android.annotation.NonNull;
 
@@ -2141,7 +2147,16 @@ public class PackageManagerService extends PackageManagerServiceExAbs
 
             }
 
         }
 
     }
 
-
 
+       private List<String> installwhitepackageNames;
 
+           @Override
 
+    public void setInstallPackageWhiteList( List<String> packageNames) {
 
+               this.installwhitepackageNames=packageNames;
 
+    }
 
+       
 
+       @Override
 
+    public List<String> getInstallPackageWhiteList(){
 
+               return this.installwhitepackageNames;
 
+    }
 
     private void notifyInstallObserver(String packageName) {
 
         Pair<PackageInstalledInfo, IPackageInstallObserver2> pair =
 
                 mNoKillInstallObservers.remove(packageName);

通过上述在PackageManagerService.java的代码中,增加实现安装app白名单的接口来实现自定义服务中,通过调用接口来实现对安装白名单数据的传递,来实现控制app白名单内的app安装.

4.3PackageManagerService关于安装app白名单功能实现分析

PMS的 preparePackageLl()负责对app的安装功能做相关的管理,可以先看相关代码然后在这里进行安装app的时候判断app是否在白名单列表中决定是否安装

@GuardedBy("mInstallLock")
      private PrepareResult preparePackageLI(InstallArgs args, PackageInstalledInfo res)
              throws PrepareFailure {
          final int installFlags = args.installFlags;
          final File tmpPackageFile = new File(args.getCodePath());
          final boolean onExternal = args.volumeUuid != null;
          final boolean instantApp = ((installFlags & PackageManager.INSTALL_INSTANT_APP) != 0);
          final boolean fullApp = ((installFlags & PackageManager.INSTALL_FULL_APP) != 0);
          final boolean virtualPreload =
                  ((installFlags & PackageManager.INSTALL_VIRTUAL_PRELOAD) != 0);
          @ScanFlags int scanFlags = SCAN_NEW_INSTALL | SCAN_UPDATE_SIGNATURE;
          if (args.move != null) {
              // moving a complete application; perform an initial scan on the new install location
              scanFlags |= SCAN_INITIAL;
          }
          if ((installFlags & PackageManager.INSTALL_DONT_KILL_APP) != 0) {
              scanFlags |= SCAN_DONT_KILL_APP;
          }
          if (instantApp) {
              scanFlags |= SCAN_AS_INSTANT_APP;
          }
          if (fullApp) {
              scanFlags |= SCAN_AS_FULL_APP;
          }
          if (virtualPreload) {
              scanFlags |= SCAN_AS_VIRTUAL_PRELOAD;
          }
  
          if (DEBUG_INSTALL) Slog.d(TAG, "installPackageLI: path=" + tmpPackageFile);
  
          // Sanity check
          if (instantApp && onExternal) {
              Slog.i(TAG, "Incompatible ephemeral install; external=" + onExternal);
              throw new PrepareFailure(PackageManager.INSTALL_FAILED_INSTANT_APP_INVALID);
          }
  
          // Retrieve PackageSettings and parse package
          @ParseFlags final int parseFlags = mDefParseFlags | PackageParser.PARSE_CHATTY
                  | PackageParser.PARSE_ENFORCE_CODE
                  | (onExternal ? PackageParser.PARSE_EXTERNAL_STORAGE : 0);
  
          Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "parsePackage");
          ParsedPackage parsedPackage;
          try (PackageParser2 pp = new PackageParser2(mSeparateProcesses, false, mMetrics, null,
                  mPackageParserCallback)) {
              parsedPackage = pp.parsePackage(tmpPackageFile, parseFlags, false);
              AndroidPackageUtils.validatePackageDexMetadata(parsedPackage);
          } catch (PackageParserException e) {
              throw new PrepareFailure("Failed parse during installPackageLI", e);
          } finally {
              Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
          }
  
          // Instant apps have several additional install-time checks.
          if (instantApp) {
              if (parsedPackage.getTargetSdkVersion() < Build.VERSION_CODES.O) {
                  Slog.w(TAG, "Instant app package " + parsedPackage.getPackageName()
                                  + " does not target at least O");
                  throw new PrepareFailure(INSTALL_FAILED_INSTANT_APP_INVALID,
                          "Instant app package must target at least O");
              }
              if (parsedPackage.getSharedUserId() != null) {
                  Slog.w(TAG, "Instant app package " + parsedPackage.getPackageName()
                          + " may not declare sharedUserId.");
                  throw new PrepareFailure(INSTALL_FAILED_INSTANT_APP_INVALID,
                          "Instant app package may not declare a sharedUserId");
              }
          }
  
          if (parsedPackage.isStaticSharedLibrary()) {
              // Static shared libraries have synthetic package names
              renameStaticSharedLibraryPackage(parsedPackage);
  
              // No static shared libs on external storage
              if (onExternal) {
                  Slog.i(TAG, "Static shared libs can only be installed on internal storage.");
                  throw new PrepareFailure(INSTALL_FAILED_INVALID_INSTALL_LOCATION,
                          "Packages declaring static-shared libs cannot be updated");
              }
          }
  
          String pkgName = res.name = parsedPackage.getPackageName();
          if (parsedPackage.isTestOnly()) {
              if ((installFlags & PackageManager.INSTALL_ALLOW_TEST) == 0) {
                  throw new PrepareFailure(INSTALL_FAILED_TEST_ONLY, "installPackageLI");
              }
          }
  
          try {
              // either use what we've been given or parse directly from the APK
              if (args.signingDetails != PackageParser.SigningDetails.UNKNOWN) {
                  parsedPackage.setSigningDetails(args.signingDetails);
              } else {
                  parsedPackage.setSigningDetails(
                          ParsingPackageUtils.getSigningDetails(parsedPackage, false /* skipVerify */));
              }
          } catch (PackageParserException e) {
              throw new PrepareFailure("Failed collect during installPackageLI", e);
          }
  
		  .....
      }

通过对PMS的安装流程分析,可以得知在app静默安装,手动安装,等等无论是pm安装或者是 代码安装 都会走preparePackageLl所以在这里添加判断包名是否在白名单即可然后在白名单内的app可以安装,不在白名单内的app就不能安装,具体实现如下:

@@ -17482,7 +17497,13 @@ public class PackageManagerService extends PackageManagerServiceExAbs
 
 @GuardedBy("mInstallLock")
    private PrepareResult preparePackageLI(InstallArgs args, PackageInstalledInfo res)
            throws PrepareFailure {     
         try (PackageParser2 pp = new PackageParser2(mSeparateProcesses, false, mMetrics, null,
                  mPackageParserCallback)) {
              parsedPackage = pp.parsePackage(tmpPackageFile, parseFlags, false);
              AndroidPackageUtils.validatePackageDexMetadata(parsedPackage);
          } catch (PackageParserException e) {
              throw new PrepareFailure("Failed parse during installPackageLI", e);
          } finally {
              Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
          }
 
 
-
 
+               if(!isWhiteListApp(parsedPackage.getPackageName())){
 
+            Log.d("TAG","--isWhiteListApp--");
 
+                       
 
+                       throw new PrepareFailure(INSTALL_FAILED_INSTANT_APP_INVALID,
 
+                    "app is not in the whitelist. packageName");
 
+           
 
+        }
 
         if (instantApp && pkg.mSigningDetails.signatureSchemeVersion
 
                 < SignatureSchemeVersion.SIGNING_BLOCK_V2) {
 
             Slog.w(TAG, "Instant app package " + pkg.packageName
 
@@ -18039,7 +18060,21 @@ public class PackageManagerService extends PackageManagerServiceExAbs
 
             }
 
         }
 
     }
 
+    private boolean isWhiteListApp(String packagename){
 
 
 
+               if(this.installwhitepackageNames ==null || this.installwhitepackageNames.size()==0){
 
+                       return true;
 
+               }
 
+               
 
+        Iterator<String> it = this.installwhitepackageNames.iterator();
 
+        while (it.hasNext()) {
 
+            String whitelistItem = it.next();
 
+            if (whitelistItem.equals(packagename)) {
 
+                return true;
 
+            }
 
+        }
 
+        return false;
 
+    }
相关推荐
神技圈子13 分钟前
【linux经典工具】作为一个合格的开发人员怎能不会tmux
linux·运维·服务器
Bold!25 分钟前
最新ubuntu22.04 下列软件包有未满足的依赖关系 解决方案
linux·运维·服务器
itachi-uchiha1 小时前
Linux特种文件系统--tmpfs文件系统
linux·运维·服务器
、十一、1 小时前
Linux中FTP安装
linux·服务器·网络
ahardstone1 小时前
Vim的简单使用
linux·编辑器·vim
huhy~1 小时前
基于centos7.9搭建MariaDB10.5高可用集群
linux·mariadb
陌夏微秋1 小时前
02 Linux常用软件——vi、vim
linux·运维·vim
黑不溜秋的1 小时前
C++ 在项目中使用vim
linux·编辑器·vim
芭啦啦*1 小时前
2024.10.29- Linux(CentOS7)笔记(1)
linux·运维·笔记
独行soc1 小时前
#渗透测试#SRC漏洞挖掘# 信息收集-Shodan进阶之Mongodb未授权访问
linux·服务器·网络