preface

This article is intended for Android system developers only.

Privilege application

What are privileged applications? An application in the priv-app directory of the system partition is a privileged application. Different Android versions define partitions as follows

  1. A version of Android 8.1 or less. The privileged partition is/system.
  2. For Android 9 or greater, the privilege partition is/system./productand/vendor.

For example, starting with Android 9, an app in the /product/priv-app directory is a privileged app.

Licensing rights of the system

Starting with Android 8.0, privileged applications that use a franchise on the system need to whitelist that franchise.

So what are system permissions? System of franchise rights must be frameworks/base/core/res/AndroidManifest. XML definition, and grade for signature | ring

<permission
    android:name="com.permission.test"
    android:protectionLevel="signature|privileged" />
Copy the code

Whitelist file

As mentioned earlier, if a privilege application uses the system’s privilege, then we need to add the privilege to the whitelist.

So where is this whitelist file? If the privilege is applied in the /vendor partition, the whitelist file must be in the /vendor/etc/permissions/ directory.

So where do these whitelisted files come from? Usually from frameworks/base/data/etc/directory, also have a plenty of applications from, these applications through the Android. Mk or Android. Bp compile white list file to the specified directory.

Here to frameworks/base/data/etc/directory, for example, have the following files in my project

Android.bp
com.android.carrierconfig.xml
com.android.contacts.xml
com.android.dialer.xml
com.android.documentsui.xml
com.android.emergency.xml
com.android.launcher3.xml
com.android.provision.xml
com.android.settings.intelligence.xml
com.android.settings.xml
com.android.storagemanager.xml
com.android.systemui.xml
com.android.timezone.updater.xml
framework-sysconfig.xml
hiddenapi-package-whitelist.xml
platform.xml
privapp-permissions-platform.xml
Copy the code

Privileged applications that use system permissions typically add whitelists to the privapp-permissions-platform.xml file. You can also create a separate file, such as com.android.systemui. XML, which is the systemUI privilege whitelist file.

So how to compile the white list file to the system partition, it is by the frameworks/base/data/etc/Android. Bp, part of the code is as follows

Prebuilt_etc {// alias of the configuration file name: "privApp -permissions-platform. XML ", // directory of the configuration file sub_dir: "permissions", // Source configuration file name: SRC: "privapp-permissions-platform.xml", } prebuilt_etc { name: "Privapp_whitelist_com. Android. Carrierconfig", / / added to the product configuration file partition product_specific: true, sub_dir: "permissions", SRC: "com.android.carrierconfig.xml", filename_from_src: true, }Copy the code

The first prebuilt_etc module compiles privapp-permissions-platform. XML by default to the /system/etc/permissions directory under the /system partition.

The first prebuilt_etc module, because product_specific: true is defined, compiles the configuration file to the /product partition.

To compile the configuration file into the vendor area, add proprietary: true.

Add a whitelist for privileged applications

If I now in frameworks/base/core/res/AndroidManifest. The XML defines the following a privilege

<permission
    android:name="com.permission.test"
    android:protectionLevel="signature|privileged" />
Copy the code

This permission is then used in the AndroidManifest.xml of the SettingsProvider

<uses-permission android:name="com.permission.test" />
Copy the code

Since the SettingsProvider belongs to the privilege App and uses the system’s privileges, add this privilege whitelist to the SettingsProvider.

You can refer to the privilege whitelist file to whitelist your application. This is done manually. But if you have compiled the source code, you can through the execution of development/tools/privapp_permissions/privapp_permissions py the script to see you need to configure the information, for example, in the above example, the following information will be shown


      
<permissions>
    <privapp-permissions package="com.android.providers.settings">
        <permission name="com.permission.test"/>
    </privapp-permissions>
</permissions>
Copy the code

That is the content of the white list, we can put the content in the frameworks/base/data/etc/privapp – permissions – platform. XML, can also generate a file alone, Called com. Android. Will. Settings. The XML. If you are generating a separate file, you also need to compile the configuration in android.bp.