Mr.Hyde - 25 days ago 24
Bash Question

How to add extra permission to a prebuilt application (no source code) in AOSP

I have an application that doesn't have a specific Android permission (for example, android.permission.CHANGE_CONFIGURATION).


  1. I don't have its source code.

  2. I'm working on an AOSP.



I prebuilt this application like:


  1. Put APK in
    /device/model/apps/HERE

  2. Add this snippet to Android.mk:



define PREBUILT_templateByMe
LOCAL_MODULE := $(1)
LOCAL_MODULE_CLASS := APPS
LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
LOCAL_CERTIFICATE := PRESIGNED
LOCAL_SRC_FILES := $$(LOCAL_MODULE).apk
LOCAL_REQUIRED_MODULES := $(2)
include $(BUILD_PREBUILT)
endef


define PREBUILT_APP_templateByMe
include $$(CLEAR_VARS)
LOCAL_MODULE_TAGS := optional
$(call PREBUILT_templateByMe, $(1), $(2))
endef


prebuilt_appsByMe := \
myapp


$(foreach app,$(prebuilt_appsByMe), \
$(eval $(call PREBUILT_APP_templateByMe, $(app),)))
include $(call all-makefiles-under,$(LOCAL_PATH))


It works very well, and myapp is prebuilt into the OS.

Now I want to add that specific Android permission (android.permission.CHANGE_CONFIGURATION) to myapp.

I read this, this and many other documents, but I don't know the content of this XML file for an application; Or is it even possible?!

(Are these links helpful to point me in the right direction about the content of the XML file? this and this)




I tried another way, but it didn't work (preinstall the application and add the permission by shell script):

Note: First of all, I should say it worked before, on another custom AOSP, but didn't work on this one!


  1. Put APK in
    /device/model/apps/HERE

  2. Add this snippet to Android.mk:



include $(CLEAR_VARS)
LOCAL_MODULE := myapp.apk
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_PATH := $(TARGET_OUT)/preinstall
LOCAL_SRC_FILES := myapp.apk
include $(BUILD_PREBUILT)


include $(CLEAR_VARS)
LOCAL_MODULE := preinstall.sh
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_PATH := $(TARGET_OUT)/preinstall
LOCAL_SRC_FILES := preinstall.sh
include $(BUILD_PREBUILT)



  3. Content of preinstall.sh:

#!/system/bin/sh

MARK=/data/local/symbol_thirdpart_apks_installed
PKGS=/system/preinstall/

if [ ! -e $MARK ]; then
    echo "booting the first time, so pre-install some APKs."

    busybox find $PKGS -name "*\.apk" -exec sh /system/bin/pm install {} \;

    touch $MARK
    echo "OK, installation complete."
fi

busybox sh /system/bin/pm grant com.example.myapp android.permission.CHANGE_CONFIGURATION;



  4. Call this shell script as a service on boot in the init.rc file, like:

    on boot
        start preinstallByMe

    service preinstallByMe /system/bin/sh /system/preinstall/preinstall.sh
        class main
        user root
        group root
        disabled
        oneshot


But it seems it's not called.


  5. Even these snippets in the init.rc file don't work either:


    1. service installapk /system/preinstall/preinstall.sh
      class main
      oneshot

    2. on boot
      exec /system/preinstall/preinstall.sh

    3. busybox /system/preinstall/preinstall.sh

    4. pm grant com.example.myapp android.permission.CHANGE_CONFIGURATION;




Note: If I call preinstall from the shell manually, it works.

P.S.: If you're not allowed to call your script, you can add permission to it by adding something like this in /system/core/include/private/android_filesystem_config.h:

{ 00755, AID_ROOT, AID_ROOT, 0, "system/preinstall/preinstall.sh"},


Because the second way (preinstall and add permission by shell) doesn't work in this custom AOSP, I'm going to add that specific Android permission to my app from the beginning, via prebuilt. But if anyone knows what's wrong with the second solution, I'd appreciate it.

Answer

To be eligible for system permissions, you should put your APKs in the /system/priv-app folder.
Note: Prior to KitKat, all APKs on the system partition could use those permissions.

Sample snippet to copy the APK to /system/priv-app:

include $(CLEAR_VARS)
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE := apkname.apk
LOCAL_MODULE_CLASS := APPS
LOCAL_PRIVILEGED_MODULE := true
LOCAL_CERTIFICATE := PRESIGNED
LOCAL_MODULE_PATH := $(TARGET_OUT)/priv-app
LOCAL_SRC_FILES := apkname.apk
include $(BUILD_PREBUILT)

For more information:

Some system apps are more system than others

"signatureOrSystem" permissions are no longer available to all apps residing on the /system partition. Instead, there is a new /system/priv-app directory, and only apps whose APKs are in that directory are allowed to use signatureOrSystem permissions without sharing the platform cert. This will reduce the surface area for possible exploits of system-bundled applications to try to gain access to permission-guarded operations.

The ApplicationInfo.FLAG_SYSTEM flag continues to mean what it says in the documentation: it indicates that the application apk was bundled on the /system partition. A new hidden flag FLAG_PRIVILEGED has been introduced that reflects the actual right to access these permissions.

[Source: http://stackoverflow.com/a/20104400/421467]
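
A post-build check for the answer above, added here as an example (not code from the question or the answer): it reads the text of adb shell dumpsys package com.example.myapp and reports whether the package is installed under /system/priv-app and whether the permission shows as granted. The sample dumps are constructed, and the "granted=true" line format is an assumption based on recent Android releases; older releases list granted permissions differently.

```shell
#!/bin/sh
# Added example. Reads "dumpsys package <pkg>" text on stdin; $1 = permission.
# Prints a verdict and returns 0 (privileged and granted),
# 1 (privileged, not granted) or 2 (not under /system/priv-app).
check_priv_grant() {
    awk -v perm="$1" '
        # Remember where the package manager says the APK lives.
        /codePath=/ { sub(/.*codePath=/, ""); path = $0 }
        # Literal match, so the dots in the permission name are not wildcards.
        index($0, perm ": granted=true") { granted = 1 }
        END {
            if (path !~ /^\/system\/priv-app\//) { print "not-privileged"; exit 2 }
            if (!granted) { print "privileged-not-granted"; exit 1 }
            print "privileged-granted"
        }'
}

# Constructed sample dumps (not captured from a device).
SAMPLE_APP='Package [com.example.myapp] (1a2b3c):
  codePath=/system/app/myapp
  pkgFlags=[ SYSTEM HAS_CODE ]
  install permissions:
    android.permission.INTERNET: granted=true'

SAMPLE_PRIV='Package [com.example.myapp] (1a2b3c):
  codePath=/system/priv-app/myapp
  pkgFlags=[ SYSTEM HAS_CODE ]
  privateFlags=[ PRIVILEGED ]
  install permissions:
    android.permission.CHANGE_CONFIGURATION: granted=true'

PERM=android.permission.CHANGE_CONFIGURATION
printf '%s\n' "$SAMPLE_APP"  | check_priv_grant "$PERM" || true
printf '%s\n' "$SAMPLE_PRIV" | check_priv_grant "$PERM" || true
# On a device: adb shell dumpsys package com.example.myapp | check_priv_grant "$PERM"
```

A "not-privileged" verdict means the APK did not land in /system/priv-app, so the build rule is the first thing to recheck; "privileged-not-granted" means the location is right but the grant itself is missing.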
