android 禁止第三方apk安装和卸载的方法详解
需求是这样的,客户要求提供系统的接口来控制apk的安装和卸载,接口如下
booleansetAppInstallationPolicies(intmode,String[]appPackageNames) mode:应用名单类型 0:黑名单(应用包名列表中的所有项都不允许安装); 1:白名单(只允许安装应用包名列表中的项)。 appPackageNames:应用包名列表。当appPackageNames为空时,取消所有已设定的应用。 成功返回true;失败返回false。 String[]getAppInstallationPolicies() 返回值为当前应用安装管控状态 string[0]:功能模式,参见setAppInstallationPolicies方法的mode参数。 string[1]至string[n-1]:应用包名列表。 booleansetAppUninstallationPolicies(intmode,String[]appPackageNames) mode:应用名单类型 0:黑名单(应用包名列表中的所有项均强制卸载); 1:白名单(应用包名列表中的所有项禁止卸载)。 appPackageNames:应用包名列表。当appPackageNames为空时,取消所有已设定的应用。 成功返回true;失败返回false。 String[]getAppUninstallationPolicies() 返回值为当前应用卸载管控状态 string[0]:功能模式,参见setAppUninstallationPolicies方法的mode参数。 string[1]至string[n-1]:应用包名列表。
android版本为9.0,首先想到的是在系统里面添加一个自己的service,分别在frameworks/base/core/java/android/app/添加IPolicyManager.aidl,frameworks/base/services/core/java/com/android/server/添加PolicyManagerService.java,在frameworks/base/添加policy/java/ga/mdm/PolicyManager.java,内容如下
packageandroid.app;
/**{@hide}*/
interfaceIPolicyManager
{
booleansetAppInstallationPolicies(intmode,inoutString[]appPackageNames);
String[]getAppInstallationPolicies();
booleansetAppUninstallationPolicies(intmode,inoutString[]appPackageNames);
String[]getAppUninstallationPolicies();
}
packagecom.android.server;
importandroid.content.Context;
importandroid.content.Intent;
importandroid.content.IntentFilter;
importandroid.os.ServiceManager;
importandroid.os.SystemProperties;
importandroid.provider.Settings;
importandroid.util.Slog;
importjava.lang.reflect.Field;
importjava.util.ArrayList;
importandroid.app.IPolicyManager;
importandroid.net.wifi.WifiManager;
importandroid.content.pm.PackageManager;
importandroid.app.ActivityManager;
importandroid.content.pm.IPackageDataObserver;
publicclassPolicyManagerServiceextendsIPolicyManager.Stub{
privatefinalStringTAG="PolicyManagerService";
privateContextmContext;
privateString[]mAppPackageNames=null;
privateString[]mAppUninstallPackageNames=null;
publicPolicyManagerService(Contextcontext){
mContext=context;
}
@Override
publicbooleansetAppInstallationPolicies(intmode,String[]appPackageNames){
if(mode==0){
Settings.System.putInt(mContext.getContentResolver(),"customer_app_status",0);
}elseif(mode==1){
Settings.System.putInt(mContext.getContentResolver(),"customer_app_status",1);
}else{
returnfalse;
}
mAppPackageNames=appPackageNames;
returntrue;
}
@Override
publicString[]getAppInstallationPolicies(){
returnmAppPackageNames;
}
@Override
publicbooleansetAppUninstallationPolicies(intmode,String[]appPackageNames){
if(mode==0){
Settings.System.putInt(mContext.getContentResolver(),"customer_appuninstall_status",0);
}elseif(mode==1){
Settings.System.putInt(mContext.getContentResolver(),"customer_appuninstall_status",1);
}else{
returnfalse;
}
mAppUninstallPackageNames=appPackageNames;
returntrue;
}
@Override
publicString[]getAppUninstallationPolicies(){
returnmAppUninstallPackageNames;
}
}
packagega.mdm;
importandroid.util.Slog;
importandroid.os.RemoteException;
importandroid.content.Context;
importandroid.app.IPolicyManager;
publicclassPolicyManager{
privatefinalStringTAG="PolicyManager";
ContextmContext;
privatefinalIPolicyManagermService;
publicPolicyManager(Contextcontext,IPolicyManagermService){
mContext=context;
this.mService=mService;
}
publicbooleansetAppInstallationPolicies(intmode,String[]appPackageNames){
try{
returnmService.setAppInstallationPolicies(mode,appPackageNames);
}catch(RemoteExceptionex){
ex.printStackTrace();
returnfalse;
}
}
publicString[]getAppInstallationPolicies(){
try{
returnmService.getAppInstallationPolicies();
}catch(RemoteExceptionex){
ex.printStackTrace();
returnnull;
}
}
publicbooleansetAppUninstallationPolicies(intmode,String[]appPackageNames){
try{
returnmService.setAppUninstallationPolicies(mode,appPackageNames);
}catch(RemoteExceptionex){
ex.printStackTrace();
returnfalse;
}
}
publicString[]getAppUninstallationPolicies(){
try{
returnmService.getAppUninstallationPolicies();
}catch(RemoteExceptionex){
ex.printStackTrace();
returnnull;
}
}
}
同时在frameworks/base/policy/添加Android.mk
#Copyright(C)2014TheAndroidOpenSourceProject # #LicensedundertheApacheLicense,Version2.0(the"License"); #youmaynotusethisfileexceptincompliancewiththeLicense. #YoumayobtainacopyoftheLicenseat # #http://www.apache.org/licenses/LICENSE-2.0 # #Unlessrequiredbyapplicablelaworagreedtoinwriting,software #distributedundertheLicenseisdistributedonan"ASIS"BASIS, #WITHOUTWARRANTIESORCONDITIONSOFANYKIND,eitherexpressorimplied. #SeetheLicenseforthespecificlanguagegoverningpermissionsand #limitationsundertheLicense. LOCAL_PATH:=$(callmy-dir) #Buildthejavacode #============================================================ include$(CLEAR_VARS) LOCAL_AIDL_INCLUDES:=$(LOCAL_PATH)/java LOCAL_SRC_FILES:=$(callall-java-files-under,java)\ $(callall-Iaidl-files-under,java)\ $(callall-logtags-files-under,java) LOCAL_JAVA_LIBRARIES:=services LOCAL_MODULE:=policy include$(BUILD_JAVA_LIBRARY) include$(callall-makefiles-under,$(LOCAL_PATH))
这里为什么将PolicyManager.java单独出来,因为PolicyManager.java是提供给客户用的,单独生成一个jar包,客户只需要使用policy.jar就可以调用,同时需要添加
---frameworks/base/Android.bp (revision221) +++frameworks/base/Android.bp (workingcopy) @@-46,7+46,8@@ "wifi/java/**/*.java", "keystore/java/**/*.java", "rs/java/**/*.java", - + "policy/java/**/*.java", + ":framework-javastream-protos", "core/java/android/accessibilityservice/IAccessibilityServiceConnection.aidl", @@-105,6+106,7@@ "core/java/android/app/usage/ICacheQuotaService.aidl", "core/java/android/app/usage/IStorageStatsManager.aidl", "core/java/android/app/usage/IUsageStatsManager.aidl", + "core/java/android/app/IPolicyManager.aidl", ":libbluetooth-binder-aidl", "core/java/android/content/IClipboard.aidl", "core/java/android/content/IContentService.aidl",
将路径添加到,否则不会编译
--build/make/core/pathmap.mk (revision221) +++build/make/core/pathmap.mk (workingcopy) @@-83,6+83,7@@ lowpan\ keystore\ rs\ + policy\ )
添加模块
---build/make/target/product/base.mk (revision221) +++build/make/target/product/base.mk (workingcopy) @@-142,7+142,8@@ traced_probes\ vdc\ vold\ -wm +wm\ + policy
添加注册服务的代码
---frameworks/base/core/java/android/content/Context.java (revision221) +++frameworks/base/core/java/android/content/Context.java (workingcopy) @@-4198,6+4198,9@@ *@see#getSystemService(String) */ publicstaticfinalStringCROSS_PROFILE_APPS_SERVICE="crossprofileapps"; + + + publicstaticfinalStringPOLICY_SERVICE="policy";
+importga.mdm.PolicyManager;
+
/**
*Managesallofthesystemservicesthatcanbereturnedby{@linkContext#getSystemService}.
*Usedby{@linkContextImpl}.
@@-982,6+984,15@@
returnnewVrManager(IVrManager.Stub.asInterface(b));
}
});
+
+ registerService(Context.POLICY_SERVICE,PolicyManager.class,
+newCachedServiceFetcher(){
+@Override
+publicPolicyManagercreateService(ContextImplctx){
+IBinderb=ServiceManager.getService(Context.POLICY_SERVICE);
+IPolicyManagerservice=IPolicyManager.Stub.asInterface(b);
+returnnewPolicyManager(ctx,service);
+}});
+importcom.android.server.PolicyManagerService;
+
publicfinalclassSystemServer{
privatestaticfinalStringTAG="SystemServer";
@@-1287,7+1289,14@@
}
traceEnd();
}
-
+
+ try{
+ Slog.i(TAG,"ClassMonitorServiceiscreate");
+ ServiceManager.addService(Context.POLICY_SERVICE,newPolicyManagerService(context));
+ }catch(Throwablee){
+ reportWtf("startingClassMonitorService",e);
+ }
还需要添加selinux权限
---system/sepolicy/Android.mk (revision221)
+++system/sepolicy/Android.mk (workingcopy)
@@-244,10+244,10@@
ifneq($(with_asan),true)
ifneq($(SELINUX_IGNORE_NEVERALLOWS),true)
-LOCAL_REQUIRED_MODULES+=\
-sepolicy_tests\
-treble_sepolicy_tests_26.0\
-treble_sepolicy_tests_27.0\
+#LOCAL_REQUIRED_MODULES+=\
+#sepolicy_tests\
+#treble_sepolicy_tests_26.0\
+#treble_sepolicy_tests_27.0\
endif
endif
Index:system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil
===================================================================
---system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil (revision221)
+++system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil (workingcopy)
@@-135,6+135,8@@
(typeattributesethal_wifi_supplicant_server(hal_wifi_supplicant_default))
(typeattributeadbd_26_0)
(roletypeobject_radbd_26_0)
+(typeattributepolicy_service_26_0)
+(roletypeobject_rpolicy_service_26_0)
(typeattributeaudioserver_26_0)
(roletypeobject_raudioserver_26_0)
(typeattributeblkid_26_0)
Index:system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil
===================================================================
---system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil (revision221)
+++system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil (workingcopy)
@@-267,6+267,8@@
(typeattributesethal_wifi_supplicant_server(hal_wifi_supplicant_default))
(typeattributeadbd_27_0)
(roletypeobject_radbd_27_0)
+(typeattributepolicy_service_26_0)
+(roletypeobject_rpolicy_service_26_0)
(typeattributeadbd_exec_27_0)
(roletypeobject_radbd_exec_27_0)
(typeattributeaudioserver_27_0)
Index:system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
===================================================================
---system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te (revision221)
+++system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te (workingcopy)
@@-128,7+128,6@@
proc_stat
proc_swaps
proc_uptime
-proc_version
proc_vmallocinfo
proc_vmstat
}:file{no_rw_file_permsno_x_file_perms};
Index:system/sepolicy/prebuilts/api/28.0/private/compat/26.0/26.0.cil
===================================================================
---system/sepolicy/prebuilts/api/28.0/private/compat/26.0/26.0.cil (revision221)
+++system/sepolicy/prebuilts/api/28.0/private/compat/26.0/26.0.cil (workingcopy)
@@-15,6+15,7@@
(typerild)
(typeattributesetaccessibility_service_26_0(accessibility_service))
+(typeattributesetpolicy_service_26_0(policy_service))
(typeattributesetaccount_service_26_0(account_service))
(typeattributesetactivity_service_26_0(activity_service))
(typeattributesetadbd_26_0(adbd))
Index:system/sepolicy/prebuilts/api/28.0/private/compat/27.0/27.0.cil
===================================================================
---system/sepolicy/prebuilts/api/28.0/private/compat/27.0/27.0.cil (revision221)
+++system/sepolicy/prebuilts/api/28.0/private/compat/27.0/27.0.cil (workingcopy)
@@-718,6+718,7@@
(expandtypeattribute(zygote_exec_27_0)true)
(expandtypeattribute(zygote_socket_27_0)true)
(typeattributesetaccessibility_service_27_0(accessibility_service))
+(typeattributesetpolicy_service_27_0(policy_service))
(typeattributesetaccount_service_27_0(account_service))
(typeattributesetactivity_service_27_0(activity_service))
(typeattributesetadbd_27_0(adbd))
Index:system/sepolicy/prebuilts/api/28.0/private/service_contexts
===================================================================
---system/sepolicy/prebuilts/api/28.0/private/service_contexts (revision221)
+++system/sepolicy/prebuilts/api/28.0/private/service_contexts (workingcopy)
@@-186,3+186,4@@
wifirttu:object_r:rttmanager_service:s0
windowu:object_r:window_service:s0
*u:object_r:default_android_service:s0
+policyu:object_r:policy_service:s0
Index:system/sepolicy/prebuilts/api/28.0/private/system_server.te
===================================================================
---system/sepolicy/prebuilts/api/28.0/private/system_server.te (revision221)
+++system/sepolicy/prebuilts/api/28.0/private/system_server.te (workingcopy)
@@-806,7+806,7@@
#Donotallowopeningfilesfromexternalstorageasunsafeejection
#couldcausethekerneltokillthesystem_server.
neverallowsystem_serversdcard_type:dir{openreadwrite};
-neverallowsystem_serversdcard_type:filerw_file_perms;
+#neverallowsystem_serversdcard_type:filerw_file_perms;
#systemservershouldneverbeoperatingonzygotespawnedappdata
#filesdirectly.Rather,theyshouldalwaysbepassedviaa
Index:system/sepolicy/prebuilts/api/28.0/public/service.te
===================================================================
---system/sepolicy/prebuilts/api/28.0/public/service.te (revision221)
+++system/sepolicy/prebuilts/api/28.0/public/service.te (workingcopy)
@@-32,6+32,7@@
typevirtual_touchpad_service,service_manager_type;
typevold_service,service_manager_type;
typevr_hwc_service,service_manager_type;
+typepolicy_service, system_api_service,system_server_service,service_manager_type;
#system_server_servicesbrokendown
typeaccessibility_service,app_api_service,ephemeral_app_api_service,system_server_service,service_manager_type;
Index:system/sepolicy/private/app_neverallows.te
===================================================================
---system/sepolicy/private/app_neverallows.te (revision221)
+++system/sepolicy/private/app_neverallows.te (workingcopy)
@@-128,7+128,6@@
proc_stat
proc_swaps
proc_uptime
-proc_version
proc_vmallocinfo
proc_vmstat
}:file{no_rw_file_permsno_x_file_perms};
Index:system/sepolicy/private/compat/26.0/26.0.cil
===================================================================
---system/sepolicy/private/compat/26.0/26.0.cil (revision221)
+++system/sepolicy/private/compat/26.0/26.0.cil (workingcopy)
@@-15,6+15,7@@
(typerild)
(typeattributesetaccessibility_service_26_0(accessibility_service))
+(typeattributesetpolicy_service_26_0(policy_service))
(typeattributesetaccount_service_26_0(account_service))
(typeattributesetactivity_service_26_0(activity_service))
(typeattributesetadbd_26_0(adbd))
Index:system/sepolicy/private/compat/27.0/27.0.cil
===================================================================
---system/sepolicy/private/compat/27.0/27.0.cil (revision221)
+++system/sepolicy/private/compat/27.0/27.0.cil (workingcopy)
@@-718,6+718,7@@
(expandtypeattribute(zygote_exec_27_0)true)
(expandtypeattribute(zygote_socket_27_0)true)
(typeattributesetaccessibility_service_27_0(accessibility_service))
+(typeattributesetpolicy_service_27_0(policy_service))
(typeattributesetaccount_service_27_0(account_service))
(typeattributesetactivity_service_27_0(activity_service))
(typeattributesetadbd_27_0(adbd))
Index:system/sepolicy/private/service_contexts
===================================================================
---system/sepolicy/private/service_contexts (revision221)
+++system/sepolicy/private/service_contexts (workingcopy)
@@-186,3+186,4@@
wifirttu:object_r:rttmanager_service:s0
windowu:object_r:window_service:s0
*u:object_r:default_android_service:s0
+policyu:object_r:policy_service:s0
Index:system/sepolicy/private/system_server.te
===================================================================
---system/sepolicy/private/system_server.te (revision221)
+++system/sepolicy/private/system_server.te (workingcopy)
@@-806,7+806,7@@
#Donotallowopeningfilesfromexternalstorageasunsafeejection
#couldcausethekerneltokillthesystem_server.
neverallowsystem_serversdcard_type:dir{openreadwrite};
-neverallowsystem_serversdcard_type:filerw_file_perms;
+#neverallowsystem_serversdcard_type:filerw_file_perms;
#systemservershouldneverbeoperatingonzygotespawnedappdata
#filesdirectly.Rather,theyshouldalwaysbepassedviaa
Index:system/sepolicy/public/service.te
===================================================================
---system/sepolicy/public/service.te (revision221)
+++system/sepolicy/public/service.te (workingcopy)
@@-32,6+32,7@@
typevirtual_touchpad_service,service_manager_type;
typevold_service,service_manager_type;
typevr_hwc_service,service_manager_type;
+typepolicy_service, system_api_service,system_server_service,service_manager_type;
#system_server_servicesbrokendown
typeaccessibility_service,app_api_service,ephemeral_app_api_service,system_server_service,service_manager_type;
这样就行了,烧录重新开机使用adbshellservicelist可以看到添加的service
policy:[android.app.IPolicyManager]
在\out\target\common\obj\JAVA_LIBRARIES\policy_intermediates找到classes.jar,这就是提供给客户用的jar
具体的禁止和卸载方法如下:
禁止安装可以修改PackageManagerService.java,在handleStartCopy方法中添加下面的代码
publicvoidhandleStartCopy()throwsRemoteException{
intret=PackageManager.INSTALL_SUCCEEDED;
//Ifwe'realreadystaged,we'vefirmlycommittedtoaninstalllocation
if(origin.staged){
if(origin.file!=null){
installFlags|=PackageManager.INSTALL_INTERNAL;
installFlags&=~PackageManager.INSTALL_EXTERNAL;
}else{
thrownewIllegalStateException("Invalidstagelocation");
}
}
finalbooleanonSd=(installFlags&PackageManager.INSTALL_EXTERNAL)!=0;
finalbooleanonInt=(installFlags&PackageManager.INSTALL_INTERNAL)!=0;
finalbooleanephemeral=(installFlags&PackageManager.INSTALL_INSTANT_APP)!=0;
PackageInfoLitepkgLite=null;
if(onInt&&onSd){
//Checkifbothbitsareset.
Slog.w(TAG,"Conflictingflagsspecifiedforinstallingonbothinternalandexternal");
ret=PackageManager.INSTALL_FAILED_INVALID_INSTALL_LOCATION;
}elseif(onSd&&ephemeral){
Slog.w(TAG,"Conflictingflagsspecifiedforinstallingephemeralonexternal");
ret=PackageManager.INSTALL_FAILED_INVALID_INSTALL_LOCATION;
}else{
pkgLite=mContainerService.getMinimalPackageInfo(origin.resolvedPath,installFlags,
packageAbiOverride);
//addbyjueme
PolicyManagerpolicyManager=(PolicyManager)mContext.getSystemService("policy");
String[]appNames=policyManager.getAppInstallationPolicies();
if(appNames!=null&&appNames.length>0){
intapp_status=android.provider.Settings.System.getInt(mContext.getContentResolver(),"customer_app_status",-1);
Slog.w(TAG,"app_status"+app_status);
if(app_status==0){
for(inti=0;i
这样在安装时候就会报安装位置不对的信息。
接着是禁止卸载,在PackageInstallerService.java的uninstall添加下面的方法。
@Override
publicvoiduninstall(VersionedPackageversionedPackage,StringcallerPackageName,intflags,
IntentSenderstatusReceiver,intuserId)throwsRemoteException{
//addbyjueme
PolicyManagerpolicyManager=(PolicyManager)mContext.getSystemService("policy");
String[]appNames=policyManager.getAppUninstallationPolicies();
if(appNames!=null&&appNames.length>0){
intappuninstall_status=android.provider.Settings.System.getInt(mContext.getContentResolver(),"customer_appuninstall_status",-1);
Slog.w(TAG,"appuninstall_status"+appuninstall_status+"mInstallerPackageName"+versionedPackage.getPackageName());
booleanisUninstall=true;//默认都是可卸载
if(appuninstall_status==0){
for(inti=0;i
到此这篇关于android禁止第三方apk安装和卸载的方法详解的文章就介绍到这了,更多相关android禁止第三方apk内容请搜索毛票票以前的文章或继续浏览下面的相关文章希望大家以后多多支持毛票票!