在本篇博客中,我们分析一下Android中的APK是如何安装的,以及PKMS在这个过程中进行了哪些工作。
APK的安装方式有很多,我们先来看看如何用adb命令进行安装。
我们从adb install开始分析,该命令有多个参数,这里仅考虑最基本的adb install xxxx.apk。
一、adb命令
看看system/core/adb/commandline.cpp中的adb_commandline函数:
int adb_commandline(int argc, const char **argv) {
...........
else if (!strcmp(argv[0], "install")) {
if (argc < 2) return usage();
FeatureSet features;
std::string error;
if (!adb_get_feature_set(&features, &error)) {
fprintf(stderr, "error: %s\n", error.c_str());
return 1;
}
if (CanUseFeature(features, kFeatureCmd)) {
//支持FeatureCmd时调用install_app
return install_app(transport_type, serial, argc, argv);
}
//否则,利用install_app_legacy
return install_app_legacy(transport_type, serial, argc, argv);
}
...........
}
1、install_app_legacy
我看先看看传统的install_app_legacy:
static int install_app_legacy(TransportType transport, const char* serial, int argc, const char** argv) {
//待安装的APK目前还在源机器上,现在需要把APK的文件复制到手机里
//如果安装在手机内部存储,那么目的地址为DATA_DEST
//如果安装在SD卡上,则目的地址为SD_DEST
static const char *const DATA_DEST = "/data/local/tmp/%s";
static const char *const SD_DEST = "/sdcard/tmp/%s";
.........
//默认安装到手机内部
const char* where = DATA_DEST;
for (i = 1; i < argc; i++) {
//携带参数-s时,才安装到SD卡
if (!strcmp(argv[i], "-s")) {
where = SD_DEST;
}
}
//解析参数,判断adb命令中是否携带了有效的apk文件名
...........
//取出apk名
std::vector<const char*> apk_file = {argv[last_apk]};
//构造apk目的地址
std::string apk_dest = android::base::StringPrintf(
where, adb_basename(argv[last_apk]).c_str());
//do_sync_push将此APK文件传输到手机的目标路径,失败的话将跳转到clenaup_apk
if (!do_sync_push(apk_file, apk_dest.c_str())) goto cleanup_apk;
//执行pm_command
result = pm_command(transport, serial, argc, argv);
cleanup_apk:
//删除刚才传输的文件
//PKMS在安装过程中会将该APK复制一份到/data/app目录下,所有data/local/tmp目录下对应的文件可以删除
delete_file(transport, serial, apk_dest);
return result;
}
从代码来看,传统的安装方式就是将源机器中的APK文件拷贝到目的手机的tmp目录下,然后调用pm_command进行处理。
2、install_app
我们再看看支持FeatureCmd的机器,如何安装APK:
static int install_app(TransportType transport, const char* serial, int argc, const char** argv) {
//利用参数创建出本地文件的名称
const char* file = argv[argc - 1];
//解析参数,判断adb命令中是否携带了有效的apk文件名
.........
//adb_open中将创建出这个file对应的文件
int localFd = adb_open(file, O_RDONLY);
............
std::string cmd = "exec:cmd package";
//添加cmd参数
............
//连接源端,获取源APK文件的描述符
int remoteFd = adb_connect(cmd, &error);
............
//将remoteFd中的数据写入到localFd
copy_to_file(localFd, remoteFd);
//得到结果
read_status_line(remoteFd, buf, sizeof(buf));
adb_close(localFd);
adb_close(remoteFd);
..........
return 0;
}
从代码来看install_app就是将源机器的文件复制到了目的机器中,并没有进行额外的操作。猜想可能是支持特殊FeatureCmd的机器,PKMS能够监听到这个拷贝,然后触发后续的扫描工作。这个过程没有研究过对应代码,暂时不做深入分析。
对于传统的安装方式,我们需要继续往下看看pm_command。
二、pm_command
我们先看看pm_command函数:
static int pm_command(TransportType transport, const char* serial, int argc, const char** argv) {
std::string cmd = "pm";
//构造pm cmd
while (argc-- > 0) {
cmd += " " + escape_arg(*argv++);
}
//发送shell命令给adbd
return send_shell_command(transport, serial, cmd, false);
}
我们跟进下send_shell_command:
// Connects to the device "shell" service with |command| and prints the
// resulting output.
static int send_shell_command(TransportType transport_type, const char* serial,
const std::string& command,
bool disable_shell_protocol,
std::string* output=nullptr,
std::string* err=nullptr) {
...........
while (true) {
bool attempt_connection = true;
// Use shell protocol if it's supported and the caller doesn't explicitly disable it.
if (!disable_shell_protocol) {
.......
if (adb_get_feature_set(&features, &error)) {
//如果定义了feature,则替换shell protocol
use_shell_protocol = CanUseFeature(features, kFeatureShell2);
} else {
// Device was unreachable.
attempt_connection = false;
}
}
if (attempt_connection) {
std::string error;
//此时command中携带的就是以pm开头的命令
std::string service_string = ShellServiceString(use_shell_protocol, "", command);
//向shell服务发送命令
fd = adb_connect(service_string, &error);
if (fd >= 0) {
break;
}
}
............
}
//读取返回结果
int exit_code = read_and_dump(fd, use_shell_protocol, output, err);
if (adb_close(fd) < 0) {
..........
}
return int exit_code;
}
从上面的代码来看,pm_command就是向shell服务发送pm命令。
pm是一个可执行脚本,我们在终端上调用adb shell,然后执行pm,可以得到以下结果:
root:/ # pm
usage: pm list packages [-f] [-d] [-e] [-s] [-3] [-i] [-u] [--user USER_ID] [FILTER]
pm list permission-groups
pm list permissions [-g] [-f] [-d] [-u] [GROUP]
pm list instrumentation [-f] [TARGET-PACKAGE]
..........
pm脚本定义在frameworks/base/cmds/pm中:
base=/system
export CLASSPATH=$base/framework/pm.jar
exec app_process $base/bin com.android.commands.pm.Pm "$@"
在编译system.img时,会根据Android.mk将该脚本复制到system/bin目录下。
从脚本的内容来看,当调用pm时,将向app_process目录的main函数传入Pm对应的参数:
我们看看对应的定义于app_main.cpp的main函数(前面的博客分析过,这个其实也是zygote启动的函数):
//app_process的main函数
int main(int argc, char* const argv[]) {
........
//解析参数
while (i < argc) {
const char* arg = argv[i++];
if (strcmp(arg, "--zygote") == 0) {
zygote = true;
niceName = ZYGOTE_NICE_NAME;
} else if (strcmp(arg, "--start-system-server") == 0) {
startSystemServer = true;
} else if (strcmp(arg, "--application") == 0) {
application = true;
} else if (strncmp(arg, "--nice-name=", 12) == 0) {
niceName.setTo(arg + 12);
} else if (strncmp(arg, "--", 2) != 0) {
//此时我们有参数,进入该分支设置className
className.setTo(arg);
break;
} else {
--i;
break;
}
}
...........
if (zygote) {
runtime.start("com.android.internal.os.ZygoteInit", args, zygote);
} else if (className) {
//此时不再是启动zygote,而是启动className对应的类
runtime.start("com.android.internal.os.RuntimeInit", args, zygote);
} else {
.........
}
........
}
我们跟进AndroidRuntime.cpp的start函数:
void AndroidRuntime::start(const char* className, const Vector<String8>& options, bool zygote)
{
..........
jmethodID startMeth = env->GetStaticMethodID(startClass, "main",
"([Ljava/lang/String;)V");
if (startMeth == NULL) {
ALOGE("JavaVM unable to find main() in '%s'\n", className);
} else {
//反射调用main函数,从native层进入java世界
env->CallStaticVoidMethod(startClass, startMeth, strArray);
}
.........
}
于是流程会进入到RuntimeInit的main函数:
public static final void main(String[] argv) {
........
//进行一些常规的初始化工作
commonInit();
/*
* Now that we're running in interpreted code, call back into native code
* to run the system.
*/
nativeFinishInit();
.........
}
native函数定义在framework/base/core/jni/AndroidRuntime.cpp中,对应的函数为:
static void com_android_internal_os_RuntimeInit_nativeFinishInit(JNIEnv* env, jobject clazz)
{
//gCurRuntime保存AndroidRuntime,实际上是AndroidRuntime的子类
gCurRuntime->onStarted();
}
App_main.cpp中定义的AppRuntime继承AndroidRuntime,实现了onStarted函数:
virtual void onStarted()
{
//binder通信相关的
sp<ProcessState> proc = ProcessState::self();
ALOGV("App process: starting thread pool.\n");
proc->startThreadPool();
AndroidRuntime* ar = AndroidRuntime::getRuntime();
//调用AndroidRuntime.cpp的callMain函数,参数与Pm.java相关
ar->callMain(mClassName, mClass, mArgs);
IPCThreadState::self()->stopProcess();
}
status_t AndroidRuntime::callMain(const String8& className, jclass clazz,
const Vector<String8>& args) {
..........
env = getJNIEnv();
..........
methodId = env->GetStaticMethodID(clazz, "main", "([Ljava/lang/String;)V");
..........
const size_t numArgs = args.size();
stringClass = env->FindClass("java/lang/String");
strArray = env->NewObjectArray(numArgs, stringClass, NULL);
for (size_t i = 0; i < numArgs; i++) {
jstring argStr = env->NewStringUTF(args[i].string());
env->SetObjectArrayElement(strArray, i, argStr);
}
...........
//最终调用了Pm.java的main函数
env->CallStaticVoidMethod(clazz, methodId, strArray);
return NO_ERROR;
}
这里自己初次看时,认为这里没有fork新的进程,那么APK安装运行在zygote进程中。
实际上这是一个错误的理解,说明自己的理解还不到位。
init创建zygote进程时,是fork出一个子进程,然后才调用app_main中的函数,此时整个zygote严格来讲只是一个native进程;当app_main函数最终通过AndroidRuntime等反射调用zygoteInit.java的main函数后,才演变成了Java层的zygote进程。
这里的情况是类似的,adb进程发送消息给Shell服务,Shell服务执行Pm脚本,由于exec函数并未创建出新的进程,因此调用app_main后整个代码仍然是运行在Shell服务对应的native进程中,同样通过反射后演变为Java层中的进程。
这里自己花了很多的笔墨来分析如何从执行脚本文件,到启动Java进程。
主要是弄懂这个机制后,我们实际上完全可以学习pm的写法,依葫芦画瓢写一个脚本文件,然后定义对应的Java文件。
通过脚本命令,来让Java层的进程提供服务。
三、Pm中的流程
现在我们进入了Pm.java的main函数:
public static void main(String[] args) {
int exitCode = 1;
try {
//别被写法欺骗了,Pm并没有继承Runnable
exitCode = new Pm().run(args);
} catch (Exception e) {
.......
}
System.exit(exitCode);
}
//根据参数进行对应的操作,现在我们仅关注APK安装
public int run(String[] args) throws RemoteException {
...........
//利用Binder通信,得到PKMS服务端代理
mPm = IPackageManager.Stub.asInterface(ServiceManager.getService("package"));
//保存参数
mArgs = args;
String op = args[0];
mNextArg = 1;
............
//返回PKMS中保存的PackageInstallerService
mInstaller = mPm.getPackageInstaller();
........
if ("install".equals(op)) {
//安装APK将调用runInstall
return runInstall();
}
.......
}
我们跟进runInstall函数:
private int runInstall() throws RemoteException {
//根据参数创建InstallParams,其中包含了SessionParams,标志为MODE_FULL_INSTALL
final InstallParams params = makeInstallParams();
//1 创建Session
final int sessionId = doCreateSession(params.sessionParams,
params.installerPackageName, params.userId);
try {
//inPath对应于安装的APK文件
final String inPath = nextArg();
.......
//2 wirite session
if (doWriteSession(sessionId, inPath, params.sessionParams.sizeBytes, "base.apk",
false /*logSuccess*/) != PackageInstaller.STATUS_SUCCESS) {
return 1;
}
//3 commit session
if (doCommitSession(sessionId, false /*logSuccess*/)
!= PackageInstaller.STATUS_SUCCESS) {
return 1;
}
System.out.println("Success");
return 0;
} finally {
........
}
}
从上面的代码来看,runInstall主要进行了三件事,即创建session、对session进行写操作,最后提交session。
接下来,我们来看看每一步究竟在干些什么:
1、 create session
private int doCreateSession(SessionParams params, String installerPackageName, int userId)
throws RemoteException {
//通过ActivityManagerService得到"runInstallCreate"(作为Context对应的字符串)对应的uid
userId = translateUserId(userId, "runInstallCreate");
if (userId == UserHandle.USER_ALL) {
userId = UserHandle.USER_SYSTEM;
params.installFlags |= PackageManager.INSTALL_ALL_USERS;
}
//通过PackageInstallerService创建session
final int sessionId = mInstaller.createSession(params, installerPackageName, userId);
return sessionId;
}
跟进一下PackageInstallerService的createSession函数:
@Override
public int createSession(SessionParams params, String installerPackageName, int userId) {
try {
return createSessionInternal(params, installerPackageName, userId);
} catch (IOException e) {
throw ExceptionUtils.wrap(e);
}
}
private int createSessionInternal(SessionParams params, String installerPackageName, int userId)
throws IOException {
//安装权限检查
.......
//修改SessionParams的installFlags
if ((callingUid == Process.SHELL_UID) || (callingUid == Process.ROOT_UID)) {
params.installFlags |= PackageManager.INSTALL_FROM_ADB;
} else {
.........
}
..........
// Defensively resize giant app icons
//调整app图标大小,这里应该是不同安装方式共用的代码
//通过adb安装apk时,应该还没有解析到app图标
if (params.appIcon != null) {
........
}
//根据SessionParams的installFlags进行一些操作
..........
} else {
// For now, installs to adopted media are treated as internal from
// an install flag point-of-view.
//adb安装应该进入这个分支(不添加参数指定安装在sd card时),为SessionParams设置InstallInternal Flag,后文会用到
params.setInstallFlagsInternal();
...........
}
final int sessionId;
final PackageInstallerSession session;
synchronized (mSessions) {
// Sanity check that installer isn't going crazy
//确保同一个uid没有提交过多的Session,MAX_ACTIVE_SESSIONS为1024
final int activeCount = getSessionCount(mSessions, callingUid);
if (activeCount >= MAX_ACTIVE_SESSIONS) {
throw new IllegalStateException(
"Too many active sessions for UID " + callingUid);
}
//同样确保同一个uid没有提交过多的Session,MAX_HISTORICAL_SESSIONS为1048576
final int historicalCount = getSessionCount(mHistoricalSessions, callingUid);
if (historicalCount >= MAX_HISTORICAL_SESSIONS) {
throw new IllegalStateException(
"Too many historical sessions for UID " + callingUid);
}
........
//sessionId是个随机值
sessionId = allocateSessionIdLocked();
// We're staging to exactly one location
File stageDir = null;
String stageCid = null;
//根据installFlags,决定安装目录,前文已经提到,过默认将安装到internal目录下
if ((params.installFlags & PackageManager.INSTALL_INTERNAL) != 0) {
final boolean isEphemeral =
(params.installFlags & PackageManager.INSTALL_EPHEMERAL) != 0;
//此处将会在临时性的data目录下创建出file,应该是作为copy的目的地址
stageDir = buildStageDir(params.volumeUuid, sessionId, isEphemeral);
} else {
stageCid = buildExternalStageCid(sessionId);
}
session = new PackageInstallerSession(mInternalCallback, mContext, mPm,
mInstallThread.getLooper(), sessionId, userId, installerPackageName, callingUid,
params, createdMillis, stageDir, stageCid, false, false);
mSessions.put(sessionId, session);
mSessions.put(sessionId, session);
}
//进行回调
mCallbacks.notifySessionCreated(session.sessionId, session.userId);
//在mSessionsFile中进行记录
writeSessionsAsync();
return sessionId;
}
从代码来看,上述代码的目的就是为APK安装做好准备工作,例如权限检查、目的临时文件的创建等, 最终创建出PackageInstallerSession对象。PackageInstallerSession可以看做是”安装APK”这个请求的封装,其中包含了处理这个请求需要的一些信息。
这种设计方式,大致可以按照命令模式来理解。
实际上PackageInstallerSession不仅是分装请求的对象,其自身还是个服务端:
public class PackageInstallerSession extends IPackageInstallerSession.Stub
2、write session
创建出PackageInstallerSession后,我们看看Pm.java中的doWriteSession函数:
private int doWriteSession(int sessionId, String inPath, long sizeBytes, String splitName,
boolean logSuccess) throws RemoteException {
if ("-".equals(inPath)) {
inPath = null;
} else if (inPath != null) {
//此时file指向了待安装的APK文件(adb执行拷贝后的目的地址)
final File file = new File(inPath);
if (file.isFile()) {
sizeBytes = file.length();
}
}
......
//取出PackageInstallerSession中的SessionInfo
final SessionInfo info = mInstaller.getSessionInfo(sessionId);
PackageInstaller.Session session = null;
InputStream in = null;
OutputStream out = null;
try {
//1 获取PackageInstallerSession的调用接口
session = new PackageInstaller.Session(
mInstaller.openSession(sessionId));
if (inPath != null) {
//定义输入端,待安装APK对应文件的源地址
in = new FileInputStream(inPath);
} else {
in = new SizedInputStream(System.in, sizeBytes);
}
//2 定义输出端,对应拷贝后的目的地址
out = session.openWrite(splitName, 0, sizeBytes);
int total = 0;
byte[] buffer = new byte[65536];
int c;
//进行文件的拷贝
while ((c = in.read(buffer)) != -1) {
total += c;
out.write(buffer, 0, c);
if (info.sizeBytes > 0) {
final float fraction = ((float) c / (float) info.sizeBytes);
//只是更新进度而已
session.addProgress(fraction);
}
}
session.fsync(out);
......
return PackageInstaller.STATUS_SUCCESS;
} catch (IOException e) {
........
} finally {
IoUtils.closeQuietly(out);
IoUtils.closeQuietly(in);
IoUtils.closeQuietly(session);
}
}
从doWriteSession的代码来看,此处进行的主要工作就是通过Session将源端的数据拷贝到目的端。
其实从整个对象的命名和执行过程来看,这里整个是基于C/S架构的通信过程,Pm作为PackageInstallerService 的客户端,利用PackageInstallerSession来封装每一次完整的通信过程。
2.1 得到PackageInstallerSession的代理对象
我们看看上面代码调用的PackageInstaller.Session的构造函数:
//参数传入的是PackageInstallerService.openSession函数的返回结果,即实际PackageInstallerSession的代理端
public Session(IPackageInstallerSession session) {
mSession = session;
}
我们看看PackageInstallerService.openSession函数:
@Override
public IPackageInstallerSession openSession(int sessionId) {
try {
return openSessionInternal(sessionId);
} catch (IOException e) {
throw ExceptionUtils.wrap(e);
}
}
private IPackageInstallerSession openSessionInternal(int sessionId) throws IOException {
synchronized (mSessions) {
//根据sessionId得到之前创建的PackageInstallerSession
final PackageInstallerSession session = mSessions.get(sessionId);
if (session == null || !isCallingUidOwner(session)) {
throw new SecurityException("Caller has no access to session " + sessionId);
}
//调用其open函数
session.open();
//PacakgeInstallerSession转化为IPackageInstallerSession返回
return session;
}
}
//open函数就是准备好待拷贝的目录
public void open() throws IOException {
.......
//PackageInstallerService创建出PackageInstallerSession时,传入的prepared参数为false
if (!mPrepared) {
if (stageDir != null) {
prepareStageDir(stageDir);
} else if (stageCid != null) {
prepareExternalStageCid(stageCid, params.sizeBytes);
.....
} else {
//throw exception
......
}
........
}
}
}
2.2 得到客户端
PacakgeInstaller.Session的openWrite函数:
public @NonNull OutputStream openWrite(@NonNull String name, long offsetBytes,
long lengthBytes) throws IOException {
try {
//mSession是PacakgeInstallerSession,这里发生了Binder通信
final ParcelFileDescriptor clientSocket = mSession.openWrite(name,
offsetBytes, lengthBytes);
//引入了FileBridge对象,后文分析
return new FileBridge.FileBridgeOutputStream(clientSocket);
} catch (RuntimeException e) {
ExceptionUtils.maybeUnwrapIOException(e);
throw e;
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}
我们看看PacakgeInstallerSession的openWrite函数:
@Override
public ParcelFileDescriptor openWrite(String name, long offsetBytes, long lengthBytes) {
try {
return openWriteInternal(name, offsetBytes, lengthBytes);
} catch (IOException e) {
throw ExceptionUtils.wrap(e);
}
}
private ParcelFileDescriptor openWriteInternal(String name, long offsetBytes, long lengthBytes)
throws IOException {
// Quick sanity check of state, and allocate a pipe for ourselves. We
// then do heavy disk allocation outside the lock, but this open pipe
// will block any attempted install transitions.
//FileBrige建立了客户端和服务端的管道
final FileBridge bridge;
synchronized (mLock) {
......
bridge = new FileBridge();
mBridges.add(bridge);
}
try {
// Use installer provided name for now; we always rename later
if (!FileUtils.isValidExtFilename(name)) {
throw new IllegalArgumentException("Invalid name: " + name);
}
//打开文件,定义权限
final File target = new File(resolveStageDir(), name);
// holding open FDs into containers.
final FileDescriptor targetFd = Libcore.os.open(target.getAbsolutePath(),
O_CREAT | O_WRONLY, 0644);
Os.chmod(target.getAbsolutePath(), 0644);
//定义文件内存格式及分配内存
// If caller specified a total length, allocate it for them. Free up
// cache space to grow, if needed.
if (lengthBytes > 0) {
final StructStat stat = Libcore.os.fstat(targetFd);
final long deltaBytes = lengthBytes - stat.st_size;
// Only need to free up space when writing to internal stage
if (stageDir != null && deltaBytes > 0) {
mPm.freeStorage(params.volumeUuid, deltaBytes);
}
Libcore.os.posix_fallocate(targetFd, 0, lengthBytes);
}
//定义起始偏移量
if (offsetBytes > 0) {
Libcore.os.lseek(targetFd, offsetBytes, OsConstants.SEEK_SET);
}
bridge.setTargetFile(targetFd);
bridge.start();
//返回了bridge的client socket
return new ParcelFileDescriptor(bridge.getClientSocket());
} catch (ErrnoException e) {
throw e.rethrowAsIOException();
}
}
2.2.1 FileBridge
为了更好的理解上述过程,我们需要看看FileBridge:
public class FileBridge extends Thread {
.......
private final FileDescriptor mServer = new FileDescriptor();
private final FileDescriptor mClient = new FileDescriptor();
.......
public FileBridge() {
try {
//构造函数建立的mServer和mClient之间的管道
Os.socketpair(AF_UNIX, SOCK_STREAM, 0, mServer, mClient);
} catch (ErrnoException e) {
throw new RuntimeException("Failed to create bridge");
}
}
.......
public void setTargetFile(FileDescriptor target) {
mTarget = target;
}
public FileDescriptor getClientSocket() {
return mClient;
}
@Override
public void run() {
final byte[] temp = new byte[8192];
try {
//取出mServer中的数据,并进行处理
//注意mSever和mClient通道绑定,于是读出的数据是mClient写入的,向mServer写数据也会递交给mClient
while (IoBridge.read(mServer, temp, 0, MSG_LENGTH) == MSG_LENGTH) {
final int cmd = Memory.peekInt(temp, 0, ByteOrder.BIG_ENDIAN);
if (cmd == CMD_WRITE) {
// Shuttle data into local file
int len = Memory.peekInt(temp, 4, ByteOrder.BIG_ENDIAN);
while (len > 0) {
int n = IoBridge.read(mServer, temp, 0, Math.min(temp.length, len));
.......
IoBridge.write(mTarget, temp, 0, n);
len -= n;
}
} else if (cmd == CMD_FSYNC) {
// Sync and echo back to confirm
Os.fsync(mTarget);
IoBridge.write(mServer, temp, 0, MSG_LENGTH);
} else if (cmd == CMD_CLOSE) {
// Close and echo back to confirm
Os.fsync(mTarget);
Os.close(mTarget);
mClosed = true;
IoBridge.write(mServer, temp, 0, MSG_LENGTH);
break;
}
}
} catch (ErrnoException | IOException e) {
........
} finally {
forceClose();
}
}
通过调用PackageInstallerSession的openWrite函数,Pm将得到与PackageInstallerSession通信的client端,同时PackageInstallerSession启动FileBridge准备接收数据。
在上文中进行文件拷贝时,最终就是利用FileBridge的管道来完成实际的工作。
3、 commit session
根据上面的代码,我们知道doWriteSession结束后,如果没有出现任何错误,那么APK源文件已经copy到目的地址了。
接下来我们看看doCommitSession进行的工作。
private int doCommitSession(int sessionId, boolean logSuccess) throws RemoteException {
PackageInstaller.Session session = null;
try {
session = new PackageInstaller.Session(
mInstaller.openSession(sessionId));
//receiver用于接收结果
final LocalIntentReceiver receiver = new LocalIntentReceiver();
//提交session
session.commit(receiver.getIntentSender());
.....
} finally {
IoUtils.closeQuietly(session);
}
}
PackageInstaller.Session中的commit函数,将通过Binder通信调用PackageInstallerSession的commit函数:
public void commit(@NonNull IntentSender statusReceiver) {
try {
mSession.commit(statusReceiver);
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}
我们跟进PackageInstallerSession的commit函数:
@Override
public void commit(IntentSender statusReceiver) {
.......
final boolean wasSealed;
synchronized (mLock) {
//初始时mSealed为false
wasSealed = mSealed;
if (!mSealed) {
// Verify that all writers are hands-off
//前面的doWriteSession传输数据的结尾,会关闭bridge
for (FileBridge bridge : mBridges) {
if (!bridge.isClosed()) {
throw new SecurityException("Files still open");
}
}
mSealed = true;
}
}
............
final PackageInstallObserverAdapter adapter = new PackageInstallObserverAdapter(mContext,
statusReceiver, sessionId, mIsInstallerDeviceOwner, userId);
mHandler.obtainMessage(MSG_COMMIT, adapter.getBinder()).sendToTarget();
}
PackageInstallerSession被创建时,指定了mHandler对应callback:
private final Handler.Callback mHandlerCallback = new Handler.Callback() {
@Override
public boolean handleMessage(Message msg) {
synchronized (mLock) {
if (msg.obj != null) {
//其实就是存储Pm.java中的结果接收器
mRemoteObserver = (IPackageInstallObserver2) msg.obj;
}
try {
//因此,commit发送消息后,最终将触发commitLocked
commitLocked();
} catch (PackageManagerException e) {
.......
}
return true;
}
}
};
private void commitLocked() throws PackageManagerException {
.......
try {
//解析安装地址,即前文APK文件copy后的目的地址
resolveStageDir();
} catch (IOException e) {
........
}
// Verify that stage looks sane with respect to existing application.
// This currently only ensures packageName, versionCode, and certificate
// consistency.
//将利用PKMS检查APK文件是否满足要求,主要是保证各个文件是否具有一致性
validateInstallLocked();
//检查权限等
........
if (stageCid != null) {
// Figure out the final installed size and resize the container once
// and for all. Internally the parser handles straddling between two
// locations when inheriting.
final long finalSize = calculateInstalledSize();
resizeContainer(stageCid, finalSize);
}
// Inherit any packages and native libraries from existing install that
// haven't been overridden.
if (params.mode == SessionParams.MODE_INHERIT_EXISTING) {
//如果新的APK文件继承某些已安装的Pacakge,此处将copy需要的native库文件等
.........
}
......
// Unpack native libraries
//解压缩native库文件
extractNativeLibraries(mResolvedStageDir, params.abiOverride);
// Container is ready to go, let's seal it up!
if (stageCid != null) {
//针对安装在sdcard的操作,根据uid、gid调用fixSdPermissions
finalizeAndFixContainer(stageCid);
}
.........
//调用PKMS的installStage,进入安装的下一步操作
mPm.installStage(mPackageName, stageDir, stageCid, localObserver, params,
installerPackageName, installerUid, user, mCertificates);
}
代码看到这里,我们终于明白了APK安装过程中,Pm.java进行的操作其实就是将adb拷贝的文件,拷贝到系统内或sdcard的目录中,然后进行初步的权限检查等工作,最后通知PKMS进入Install Stage。
整个代码引入了PackageInstallerSession,个人认为这里涉及了Binder通信、类似于Java网络通信的架构及命令模式,写的非常巧妙,有值得学习和模仿的地方。
四、installStage
几经波折,APK的安装流程终于进入到了PKMS,我们看看installStage函数:
void installStage(String packageName, File stagedDir, String stagedCid,
IPackageInstallObserver2 observer, PackageInstaller.SessionParams sessionParams,
String installerPackageName, int installerUid, UserHandle user,
Certificate[][] certificates) {
............
//verificationInfo主要用于存储权限验证需要的信息
final VerificationInfo verificationInfo = new VerificationInfo(
sessionParams.originatingUri, sessionParams.referrerUri,
sessionParams.originatingUid, installerUid);
//origin中主要存储的APK文件的路径信息
final OriginInfo origin;
if (stagedDir != null) {
origin = OriginInfo.fromStagedFile(stagedDir);
} else {
origin = OriginInfo.fromStagedContainer(stagedCid);
}
final Message msg = mHandler.obtainMessage(INIT_COPY);
//准备安装所需的参数
final InstallParams params = new InstallParams(origin, null, observer,
sessionParams.installFlags, installerPackageName, sessionParams.volumeUuid,
verificationInfo, user, sessionParams.abiOverride,
sessionParams.grantedRuntimePermissions, certificates);
.........
msg.obj = params;
.........
//发送INIT_COPY消息,驱动处理流程
mHandler.sendMessage(msg);
}
PKMS中实际的消息处理函数为doHandleMessage:
void doHandleMessage(Message msg) {
switch (msg.what) {
case INIT_COPY: {
//这里取出的其实就是InstallParams,其继承HandlerParams
HandlerParams params = (HandlerParams) msg.obj;
//idx为当前等待处理处理的安装请求的个数
int idx = mPendingInstalls.size();
............
// If a bind was already initiated we dont really
// need to do anything. The pending install
// will be processed later on.
//初始时,mBound的值为false
if (!mBound) {
............
// If this is the only one pending we might
// have to bind to the service again.
//连接实际的安装服务,后文介绍
if (!connectToService()) {
..................
} else {
// Once we bind to the service, the first
// pending request will be processed.
//绑定服务成功后,将新的请求加入到mPendingIntalls中,等待处理
mPendingInstalls.add(idx, params);
}
} else {
//如果之前已经绑定过服务,同样将新的请求加入到mPendingIntalls中,等待处理
mPendingInstalls.add(idx, params);
// Already bound to the service. Just make
// sure we trigger off processing the first request.
if (idx == 0) {
//如果是第一个请求,则直接发送事件MCS_BOUND,触发处理流程
mHandler.sendEmptyMessage(MCS_BOUND);
}
}
break;
}
}
}
上面代码的处理逻辑实际上是比较简单的,我们就看看connectToService的操作,来寻找一下实际进行安装工作的服务:
private boolean connectToService() {
........
//Component的包名为"com.android.defcontainer";类名为"com.android.defcontainer.DefaultContainerService"
Intent service = new Intent().setComponent(DEFAULT_CONTAINER_COMPONENT);
Process.setThreadPriority(Process.THREAD_PRIORITY_DEFAULT);
if (mContext.bindServiceAsUser(service, mDefContainerConn,
Context.BIND_AUTO_CREATE, UserHandle.SYSTEM)) {
Process.setThreadPriority(Process.THREAD_PRIORITY_BACKGROUND);
mBound = true;
return true;
}
Process.setThreadPriority(Process.THREAD_PRIORITY_BACKGROUND);
return false;
}
从代码可以看出实际进行安装工作的服务是DefaultContainerService,当绑定服务成功后:
class DefaultContainerConnection implements ServiceConnection {
public void onServiceConnected(ComponentName name, IBinder service) {
........
//获得与服务端通信的代理对象
IMediaContainerService imcs =
IMediaContainerService.Stub.asInterface(service);
//发送MCS_BOUND消息触发流程
mHandler.sendMessage(mHandler.obtainMessage(MCS_BOUND, imcs));
}
.......
}
现在我们知道了当服务绑定成功后,也会发送MCS_BOUND消息触发接下来的流程。
MCS_BOUND对应的处理流程同样定义于doHandleMessage中:
void doHandleMessage(Message msg) {
.......
case MCS_BOUND: {
........
if (msg.obj != null) {
mContainerService = (IMediaContainerService) msg.obj;
.......
}
if (mContainerService == null) {
if (!mBound) {
// Something seriously wrong since we are not bound and we are not
// waiting for connection. Bail out.
............
} else {
Slog.w(TAG, "Waiting to connect to media container service");
}
} else if (mPendingInstalls.size() > 0) {
HandlerParams params = mPendingInstalls.get(0);
if (params != null) {
........
//调用参数的startCopy函数
if (params.startCopy()) {
........
// Delete pending install
if (mPendingInstalls.size() > 0) {
mPendingInstalls.remove(0);
}
if (mPendingInstalls.size() == 0) {
if (mBound) {
..........
removeMessages(MCS_UNBIND);
Message ubmsg = obtainMessage(MCS_UNBIND);
// Unbind after a little delay, to avoid
// continual thrashing.
sendMessageDelayed(ubmsg, 10000);
}
} else {
// There are more pending requests in queue.
// Just post MCS_BOUND message to trigger processing
// of next pending install.
......
mHandler.sendEmptyMessage(MCS_BOUND);
}
}
.........
}
} else {
// Should never happen ideally.
Slog.w(TAG, "Empty queue");
}
break;
}
.......
}
这一段代码写的非常清晰,就是处理完一个安装请求后,接着处理下一个;如果队列为空,则等待一段时间后,发送MCS_UNBIND消息断开与安装服务的绑定。
顺着流程,我们现在看看HandlerParams的startCopy函数:
final boolean startCopy() {
boolean res;
try {
........
//处理安装失败,MAX_RETRIES = 4
if (++mRetries > MAX_RETRIES) {
.........
mHandler.sendEmptyMessage(MCS_GIVE_UP);
handleServiceError();
return false;
} else {
//先调用handleStartCopy进行实际的copy工作
handleStartCopy();
res = true;
}
} catch (RemoteException e) {
if (DEBUG_INSTALL) Slog.i(TAG, "Posting install MCS_RECONNECT");
mHandler.sendEmptyMessage(MCS_RECONNECT);
res = false;
}
//然后根据结果做相应处理
handleReturnCode();
return res;
}
如上图所示,从这段代码来看,PKMS将先后调用handleStartCopy和handleReturnCode来完成主要的工作。接下来,我们分别介绍一下这两个函数的工作流程。
五、handleStartCopy
HandlerParams为PKMS的内部抽象类,上面代码中的实际处理函数由其子类InstallParams来实现,我们看看与实际安装相关的handleStartCopy函数:
public void handleStartCopy() throws RemoteException {
int ret = PackageManager.INSTALL_SUCCEEDED;
// If we're already staged, we've firmly committed to an install location
//根据参数决定是安装在手机内还是sdcard中,设置对应标志位
if (origin.staged) {
if (origin.file != null) {
installFlags |= PackageManager.INSTALL_INTERNAL;
installFlags &= ~PackageManager.INSTALL_EXTERNAL;
} else if (origin.cid != null) {
installFlags |= PackageManager.INSTALL_EXTERNAL;
installFlags &= ~PackageManager.INSTALL_INTERNAL;
} else {
throw new IllegalStateException("Invalid stage location");
}
}
final boolean onSd = (installFlags & PackageManager.INSTALL_EXTERNAL) != 0;
final boolean onInt = (installFlags & PackageManager.INSTALL_INTERNAL) != 0;
final boolean ephemeral = (installFlags & PackageManager.INSTALL_EPHEMERAL) != 0;
PackageInfoLite pkgLite = null;
//检查APK的安装位置是否正确
if (onInt && onSd) {
// Check if both bits are set.
...........
//APK不能同时安装在内部存储空间和SD card上
ret = PackageManager.INSTALL_FAILED_INVALID_INSTALL_LOCATION;
} else if (onSd && ephemeral) {
.......
//APK不能短暂地安装在SD card上
ret = PackageManager.INSTALL_FAILED_INVALID_INSTALL_LOCATION;
} else {
//1、利用ContainerService获取PackageInfoLite,应该判断了能否进行安装
pkgLite = mContainerService.getMinimalPackageInfo(origin.resolvedPath, installFlags,
packageAbiOverride);
.........
/*
* If we have too little free space, try to free cache
* before giving up.
*/
//对于安装在SD card上的APK,当存储空间过小导致安装失败时
if (!origin.staged && pkgLite.recommendedInstallLocation
== PackageHelper.RECOMMEND_FAILED_INSUFFICIENT_STORAGE) {
final StorageManager storage = StorageManager.from(mContext);
//利用StroageManager得到设备内部存储空间允许的最小余量
final long lowThreshold = storage.getStorageLowBytes(
Environment.getDataDirectory());
//利用ContainerService得到安装APK的大小
final long sizeBytes = mContainerService.calculateInstalledSize(
origin.resolvedPath, isForwardLocked(), packageAbiOverride);
try {
//利用Installer释放缓存,试图将缓存释放到大于等于(最小余量与APK大小之和)
mInstaller.freeCache(null, sizeBytes + lowThreshold);
//再次试图得到PackageInfoLite,判断是否满足安装条件
pkgLite = mContainerService.getMinimalPackageInfo(origin.resolvedPath,
installFlags, packageAbiOverride);
} catch (InstallerException e) {
Slog.w(TAG, "Failed to free cache", e);
}
/*
* The cache free must have deleted the file we
* downloaded to install.
*
* TODO: fix the "freeCache" call to not delete
* the file we care about.
*/
if (pkgLite.recommendedInstallLocation
== PackageHelper.RECOMMEND_FAILED_INVALID_URI) {
//试图释放cache还是无法安装,只能设置标志位为失败
pkgLite.recommendedInstallLocation
= PackageHelper.RECOMMEND_FAILED_INSUFFICIENT_STORAGE;
}
}
}
if (ret == PackageManager.INSTALL_SUCCEEDED) {
//recommendedInstallLocation中记录了安装的路径信息,即APK保存在终端内部还是Sd card中,此外也可以记录安装失败的信息
int loc = pkgLite.recommendedInstallLocation;
if (loc == PackageHelper.RECOMMEND_FAILED_INVALID_LOCATION) {
ret = PackageManager.INSTALL_FAILED_INVALID_INSTALL_LOCATION;
} else if (loc == PackageHelper.RECOMMEND_FAILED_ALREADY_EXISTS) {
ret = PackageManager.INSTALL_FAILED_ALREADY_EXISTS;
} else if (loc == PackageHelper.RECOMMEND_FAILED_INSUFFICIENT_STORAGE) {
ret = PackageManager.INSTALL_FAILED_INSUFFICIENT_STORAGE;
} else if (loc == PackageHelper.RECOMMEND_FAILED_INVALID_APK) {
ret = PackageManager.INSTALL_FAILED_INVALID_APK;
} else if (loc == PackageHelper.RECOMMEND_FAILED_INVALID_URI) {
ret = PackageManager.INSTALL_FAILED_INVALID_URI;
} else if (loc == PackageHelper.RECOMMEND_MEDIA_UNAVAILABLE) {
ret = PackageManager.INSTALL_FAILED_MEDIA_UNAVAILABLE;
} else {
// Override with defaults if needed.
//2、installLocationPolicy主要判断终端上是否有已经安装过该APK,同一个APK一般只能用新版的替换旧版
loc = installLocationPolicy(pkgLite);
//根据loc调整installFlag
......
}
}
//3、createInstallArgs用于创建一个安装参数对象
final InstallArgs args = createInstallArgs(this);
mArgs = args;
if (ret == PackageManager.INSTALL_SUCCEEDED) {
// Apps installed for "all" users use the device owner to verify the app
UserHandle verifierUser = getUser();
if (verifierUser == UserHandle.ALL) {
verifierUser = UserHandle.SYSTEM;
}
/*
* Determine if we have any installed package verifiers. If we
* do, then we'll defer to them to verify the packages.
*/
final int requiredUid = mRequiredVerifierPackage == null ? -1
: getPackageUid(mRequiredVerifierPackage, MATCH_DEBUG_TRIAGED_MISSING,
verifierUser.getIdentifier());
if (!origin.existing && requiredUid != -1
&& isVerificationEnabled(verifierUser.getIdentifier(), installFlags)) {
//如果存在Package检查者,同时满足启动检查的条件,那么将利用Pacakge检查者来检查安装包
//其实就是构造一个intent,action为"android.intent.action.PACKAGE_NEEDS_VERIFICATION"
//在intent中添加需要多信息后,发送给接收者处理
.........
} else {
//4、调用安装参数对象的copyApk函数
ret = args.copyApk(mContainerService, true);
}
}
mRet = ret;
}
handleStartCopy函数整体来看还是比较复杂的,内容比较多,我们需要分4步介绍其中主要的内容。
1、getMinimalPackageInfo
getMinimalPackageInfo实际定义于DefaultContainerService中,其代码如下:
@Override
public PackageInfoLite getMinimalPackageInfo(String packagePath, int flags,
String abiOverride) {
final Context context = DefaultContainerService.this;
final boolean isForwardLocked = (flags & PackageManager.INSTALL_FORWARD_LOCK) != 0;
PackageInfoLite ret = new PackageInfoLite();
........
final File packageFile = new File(packagePath);
final PackageParser.PackageLite pkg;
final long sizeBytes;
try {
//如同PKMS的构造函数,利用PackageParser来解析APK文件,得到PackageInfoLite
pkg = PackageParser.parsePackageLite(packageFile, 0);
sizeBytes = PackageHelper.calculateInstalledSize(pkg, isForwardLocked, abiOverride);
} catch (PackageParserException | IOException e) {
.................
}
ret.packageName = pkg.packageName;
ret.splitNames = pkg.splitNames;
ret.versionCode = pkg.versionCode;
ret.baseRevisionCode = pkg.baseRevisionCode;
ret.splitRevisionCodes = pkg.splitRevisionCodes;
ret.installLocation = pkg.installLocation;
ret.verifiers = pkg.verifiers;
//利用resolveInstallLocation来得到一个合理的安装位置
ret.recommendedInstallLocation = PackageHelper.resolveInstallLocation(context,
pkg.packageName, pkg.installLocation, sizeBytes, flags);
ret.multiArch = pkg.multiArch;
return ret;
}
从代码可以看出,getMinimalPackageInfo的代码比较简单,其实就是利用PackageParser解析出APK对应Pacakge的基本信息,然后利用resolveInstallLocation得到适合APK安装的路径。
1.1 resolveInstallLocation
我们看看resolveInstallLocation函数:
public static int resolveInstallLocation(Context context, String packageName,
int installLocation, long sizeBytes, int installFlags) {
ApplicationInfo existingInfo = null;
try {
//如果之前该APK之前安装过,那么将获取到之前记录的ApplicationInfo信息
existingInfo = context.getPackageManager().getApplicationInfo(packageName,
PackageManager.GET_UNINSTALLED_PACKAGES);
} catch (NameNotFoundException ignored) {
.........
}
final int prefer;
final boolean checkBoth;
boolean ephemeral = false;
//以下其实就是根据installFlags决定安装倾向的路径prefer
if ((installFlags & PackageManager.INSTALL_EPHEMERAL) != 0) {
prefer = RECOMMEND_INSTALL_INTERNAL;
ephemeral = true;
checkBoth = false;
} else if ((installFlags & PackageManager.INSTALL_INTERNAL) != 0) {
prefer = RECOMMEND_INSTALL_INTERNAL;
checkBoth = false;
} else if ((installFlags & PackageManager.INSTALL_EXTERNAL) != 0) {
prefer = RECOMMEND_INSTALL_EXTERNAL;
checkBoth = false;
} else if (installLocation == PackageInfo.INSTALL_LOCATION_INTERNAL_ONLY) {
prefer = RECOMMEND_INSTALL_INTERNAL;
checkBoth = false;
} else if (installLocation == PackageInfo.INSTALL_LOCATION_PREFER_EXTERNAL) {
prefer = RECOMMEND_INSTALL_EXTERNAL;
checkBoth = true;
} else if (installLocation == PackageInfo.INSTALL_LOCATION_AUTO) {
//一般APK安装的路径就是auto
// When app is already installed, prefer same medium
if (existingInfo != null) {
// TODO: distinguish if this is external ASEC
if ((existingInfo.flags & ApplicationInfo.FLAG_EXTERNAL_STORAGE) != 0) {
prefer = RECOMMEND_INSTALL_EXTERNAL;
} else {
prefer = RECOMMEND_INSTALL_INTERNAL;
}
} else {
//可以看到一般默认条件下是安装在手机内部的
prefer = RECOMMEND_INSTALL_INTERNAL;
}
//auto时,checkBoth为true
checkBoth = true;
} else {
prefer = RECOMMEND_INSTALL_INTERNAL;
checkBoth = false;
}
boolean fitsOnInternal = false;
if (checkBoth || prefer == RECOMMEND_INSTALL_INTERNAL) {
//fitsOnInternal和下面的fitsOnExternal应该就是用于检查对应路径是否有足够的空间来安装APK的
fitsOnInternal = fitsOnInternal(context, sizeBytes);
}
boolean fitsOnExternal = false;
if (checkBoth || prefer == RECOMMEND_INSTALL_EXTERNAL) {
fitsOnExternal = fitsOnExternal(context, sizeBytes);
}
if (prefer == RECOMMEND_INSTALL_INTERNAL) {
// The ephemeral case will either fit and return EPHEMERAL, or will not fit
// and will fall through to return INSUFFICIENT_STORAGE
if (fitsOnInternal) {
return (ephemeral)
? PackageHelper.RECOMMEND_INSTALL_EPHEMERAL
: PackageHelper.RECOMMEND_INSTALL_INTERNAL;
}
} else if (prefer == RECOMMEND_INSTALL_EXTERNAL) {
if (fitsOnExternal) {
return PackageHelper.RECOMMEND_INSTALL_EXTERNAL;
}
}
//个人感觉这里就是容错用的吧,在前面的代码中正常情况下,prefer已经被取值为RECOMMEND_INSTALL_INTERNAL或RECOMMEND_INSTALL_EXTERNAL了
if (checkBoth) {
if (fitsOnInternal) {
return PackageHelper.RECOMMEND_INSTALL_INTERNAL;
} else if (fitsOnExternal) {
return PackageHelper.RECOMMEND_INSTALL_EXTERNAL;
}
}
//没有足够空间,返回对应消息
return PackageHelper.RECOMMEND_FAILED_INSUFFICIENT_STORAGE;
}
上述代码相对比较简单,我们主要以fitsOnInternal为例,看看如何判断存储空间是否足够:
public static boolean fitsOnInternal(Context context, long sizeBytes) {
final StorageManager storage = context.getSystemService(StorageManager.class);
final File target = Environment.getDataDirectory();
//APK安装所需的空间,小于等于可用空间时,就返回true
return (sizeBytes <= storage.getStorageBytesUntilLow(target));
}
//StorgeManager中的函数,其实就是用总的可用空间,减去已经使用的空间,得到剩余空间
public long getStorageBytesUntilLow(File path) {
return path.getUsableSpace() - getStorageFullBytes(path);
}
2、installLocationPolicy
当成功得到APK对应的PacakgeInfoLite,并判断安装路径有足够的剩余空间时,将调用installLocationPolicy函数:
private int installLocationPolicy(PackageInfoLite pkgLite) {
String packageName = pkgLite.packageName;
int installLocation = pkgLite.installLocation;
boolean onSd = (installFlags & PackageManager.INSTALL_EXTERNAL) != 0;
synchronized (mPackages) {
// Currently installed package which the new package is attempting to replace or
// null if no such package is installed.
//判断终端上之前是否安装过同样的APK
PackageParser.Package installedPkg = mPackages.get(packageName);
// Package which currently owns the data which the new package will own if installed.
// If an app is unstalled while keeping data (e.g., adb uninstall -k), installedPkg
// will be null whereas dataOwnerPkg will contain information about the package
// which was uninstalled while keeping its data.
//当一个APK卸载时,那么installedPkg为null
PackageParser.Package dataOwnerPkg = installedPkg;
if (dataOwnerPkg == null) {
//但是如果APK卸载时,保留了数据,那么PKMS将取出对应的PacakgeSettings
PackageSetting ps = mSettings.mPackages.get(packageName);
if (ps != null) {
//从PacakgeSettings中取出Pacakge
dataOwnerPkg = ps.pkg;
}
}
//存在旧APK对应的信息时
if (dataOwnerPkg != null) {
final boolean downgradeRequested =
(installFlags & PackageManager.INSTALL_ALLOW_DOWNGRADE) != 0;
final boolean packageDebuggable =
(dataOwnerPkg.applicationInfo.flags
& ApplicationInfo.FLAG_DEBUGGABLE) != 0;
//当安装一个重复的APK时,新装的APK版本一般要比旧APK的版本高
//除非满足以下要求,例如显示要求装入旧版本、在debug模式下等
final boolean downgradePermitted =
(downgradeRequested) && ((Build.IS_DEBUGGABLE) || (packageDebuggable));
//默认模式下,即仅能安装高版本时
if (!downgradePermitted) {
try {
//比较两个Package信息中的VersionCode
checkDowngrade(dataOwnerPkg, pkgLite);
} catch (PackageManagerException e) {
Slog.w(TAG, "Downgrade detected: " + e.getMessage());
return PackageHelper.RECOMMEND_FAILED_VERSION_DOWNGRADE;
}
}
}
//旧有的APK还存在终端上时
if (installedPkg != null) {
//installFlags中必须携带REPLACE_EXISTING,否则将报错
if ((installFlags & PackageManager.INSTALL_REPLACE_EXISTING) != 0) {
// Check for updated system application.
if ((installedPkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
//系统APK不应该存在SD card上
if (onSd) {
Slog.w(TAG, "Cannot install update to system app on sdcard");
return PackageHelper.RECOMMEND_FAILED_INVALID_LOCATION;
}
return PackageHelper.RECOMMEND_INSTALL_INTERNAL;
} else {
// If current upgrade specifies particular preference
if (installLocation == PackageInfo.INSTALL_LOCATION_INTERNAL_ONLY) {
// Application explicitly specified internal.
return PackageHelper.RECOMMEND_INSTALL_INTERNAL;
} else if (installLocation == PackageInfo.INSTALL_LOCATION_PREFER_EXTERNAL) {
// App explictly prefers external. Let policy decide
} else {
// Prefer previous location
//未指定安装路径时,与之前的安装路径保持一致
if (isExternal(installedPkg)) {
return PackageHelper.RECOMMEND_INSTALL_EXTERNAL;
}
return PackageHelper.RECOMMEND_INSTALL_INTERNAL;
}
}
} else {
// Invalid install. Return error code
return PackageHelper.RECOMMEND_FAILED_ALREADY_EXISTS;
}
}
}
// All the special cases have been taken care of.
// Return result based on recommended install location.
if (onSd) {
return PackageHelper.RECOMMEND_INSTALL_EXTERNAL;
}
return pkgLite.recommendedInstallLocation;
}
3、createInstallArgs
处理完潜在的重复安装APK的风险后,PKMS调用createInstallArgs生成安装参数对象:
private InstallArgs createInstallArgs(InstallParams params) {
if (params.move != null) {
return new MoveInstallArgs(params);
} else if (installOnExternalAsec(params.installFlags) || params.isForwardLocked()) {
return new AsecInstallArgs(params);
} else {
return new FileInstallArgs(params);
}
}
这部分的代码较为简单,就是利用参数决定创建哪个InstallArgs的子类,我们主要关注在终端安装APK时,将要使用的FileInstallArgs,后文介绍其功能。
4、copyApk
如果不需要进行安装包检查,对于安装在终端内部的APK而言,将调用FileInstallArgs的copyAPK函数:
int copyApk(IMediaContainerService imcs, boolean temp) throws RemoteException {
Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "copyApk");
try {
//doCopyApk负责进行实际的工作
return doCopyApk(imcs, temp);
} finally {
Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
}
}
private int doCopyApk(IMediaContainerService imcs, boolean temp) throws RemoteException {
//与之前版本不同的时,Android7.0中,已经通过Session进行了文件拷贝
//当进入到前文所述的PKMS的installStage时,OriginInfo.fromStagedFile或OriginInfo.fromStagedContainer均会将staged变量置为true
if (origin.staged) {
if (DEBUG_INSTALL) Slog.d(TAG, origin.file + " already staged; skipping copy");
codeFile = origin.file;
resourceFile = origin.file;
return PackageManager.INSTALL_SUCCEEDED;
}
}
//当使用其它方式安装APK时,将进入到以下流程
try {
//当需要临时安装时,创建一个临时安装目录
final boolean isEphemeral = (installFlags & PackageManager.INSTALL_EPHEMERAL) != 0;
final File tempDir =
mInstallerService.allocateStageDirLegacy(volumeUuid, isEphemeral);
codeFile = tempDir;
resourceFile = tempDir;
} catch (IOException e) {
Slog.w(TAG, "Failed to create copy file: " + e);
return PackageManager.INSTALL_FAILED_INSUFFICIENT_STORAGE;
}
//定义回调接口
final IParcelFileDescriptorFactory target = new IParcelFileDescriptorFactory.Stub() {
@Override
public ParcelFileDescriptor open(String name, int mode) throws RemoteException {
if (!FileUtils.isValidExtFilename(name)) {
throw new IllegalArgumentException("Invalid filename: " + name);
}
try {
//当接口被回调时,需要创建并打开文件,同事赋予相应的权限
final File file = new File(codeFile, name);
final FileDescriptor fd = Os.open(file.getAbsolutePath(),
O_RDWR | O_CREAT, 0644);
Os.chmod(file.getAbsolutePath(), 0644);
return new ParcelFileDescriptor(fd);
} catch (ErrnoException e) {
throw new RemoteException("Failed to open: " + e.getMessage());
}
}
};
//调用DefaultContainerService进行copyPackage的操作,传入了回调的接口
int ret = PackageManager.INSTALL_SUCCEEDED;
ret = imcs.copyPackage(origin.file.getAbsolutePath(), target);
if (ret != PackageManager.INSTALL_SUCCEEDED) {
Slog.e(TAG, "Failed to copy package");
return ret;
}
//拷贝APK对应的Native库文件
final File libraryRoot = new File(codeFile, LIB_DIR_NAME);
NativeLibraryHelper.Handle handle = null;
try {
handle = NativeLibraryHelper.Handle.create(codeFile);
ret = NativeLibraryHelper.copyNativeBinariesWithOverride(handle, libraryRoot,
abiOverride);
} catch (IOException e) {
Slog.e(TAG, "Copying native libraries failed", e);
ret = PackageManager.INSTALL_FAILED_INTERNAL_ERROR;
} finally {
IoUtils.closeQuietly(handle);
}
return ret;
}
对于非adb安装的APK,我们看看DefaultContainerService对应的copyPackage是如何进行处理的:
@Override
public int copyPackage(String packagePath, IParcelFileDescriptorFactory target) {
if (packagePath == null || target == null) {
return PackageManager.INSTALL_FAILED_INVALID_URI;
}
PackageLite pkg = null;
try {
final File packageFile = new File(packagePath);
//解析出PackageFile
pkg = PackageParser.parsePackageLite(packageFile, 0);
//利用copyPackageInner进行实际的处理
return copyPackageInner(pkg, target);
} catch (PackageParserException | IOException | RemoteException e) {
Slog.w(TAG, "Failed to copy package at " + packagePath + ": " + e);
return PackageManager.INSTALL_FAILED_INSUFFICIENT_STORAGE;
}
}
private int copyPackageInner(PackageLite pkg, IParcelFileDescriptorFactory target)
throws IOException, RemoteException {
//copyFile负责实际的拷贝
copyFile(pkg.baseCodePath, target, "base.apk");
if (!ArrayUtils.isEmpty(pkg.splitNames)) {
for (int i = 0; i < pkg.splitNames.length; i++) {
//对于多APK文件的情况,需依次拷贝所有的子文件
copyFile(pkg.splitCodePaths[i], target, "split_" + pkg.splitNames[i] + ".apk");
}
}
return PackageManager.INSTALL_SUCCEEDED;
}
private void copyFile(String sourcePath, IParcelFileDescriptorFactory target, String targetName)
throws IOException, RemoteException {
Slog.d(TAG, "Copying " + sourcePath + " to " + targetName);
InputStream in = null;
OutputStream out = null;
try {
//源文件作为输入
in = new FileInputStream(sourcePath);
//目的文件作为输出,这里进行了多层封装
//上文提到过,回调接口target调用open函数后,将创建并打开目的端文件,然后赋予相应的写权限
//ParcelFileDescriptor.AutoCloseOutputStream利用文件描述符构造出一个可自动关闭的输出流
out = new ParcelFileDescriptor.AutoCloseOutputStream(
target.open(targetName, ParcelFileDescriptor.MODE_READ_WRITE));
//进行实际的数据拷贝
Streams.copy(in, out);
} finally {
IoUtils.closeQuietly(out);
IoUtils.closeQuietly(in);
}
}
至此整个handleStartCopy流程介绍完毕,可以看出当利用adb安装时,handleStartCopy实际上并没有完成什么实际的操作;对于其它方式安装APK时,handleStartCopy才会进行真正的数据拷贝工作。
六、handleReturnCode
copy过程结束后,将调用InstallParams的handleReturnCode:
void handleReturnCode() {
if (mArgs != null) {
processPendingInstall(mArgs, mRet);
}
}
private void processPendingInstall(final InstallArgs args, final int currentStatus) {
mHandler.post(new Runnable() {
public void run() {
mHandler.removeCallbacks(this);
// Result object to be returned
PackageInstalledInfo res = new PackageInstalledInfo();
res.setReturnCode(currentStatus);
res.uid = -1;
res.pkg = null;
res.removedInfo = null;
if (res.returnCode == PackageManager.INSTALL_SUCCEEDED) {
//1、安装在终端上的APK,将调用FileInstallArgs的doPreInstall进行处理
args.doPreInstall(res.returnCode);
synchronized (mInstallLock) {
//2、调用installPackageTracedLI进行安装
installPackageTracedLI(args, res);
}
//3、调用FileInstallArgs的doPostInstall
args.doPostInstall(res.returnCode, res.uid);
}
// A restore should be performed at this point if (a) the install
// succeeded, (b) the operation is not an update, and (c) the new
// package has not opted out of backup participation.
//判断是否需要备份恢复
final boolean update = res.removedInfo != null
&& res.removedInfo.removedPackage != null;
final int flags = (res.pkg == null) ? 0 : res.pkg.applicationInfo.flags;
boolean doRestore = !update
&& ((flags & ApplicationInfo.FLAG_ALLOW_BACKUP) != 0);
// Set up the post-install work request bookkeeping. This will be used
// and cleaned up by the post-install event handling regardless of whether
// there's a restore pass performed. Token values are >= 1.
int token;
if (mNextInstallToken < 0) mNextInstallToken = 1;
token = mNextInstallToken++;
PostInstallData data = new PostInstallData(args, res);
mRunningInstalls.put(token, data);
if (res.returnCode == PackageManager.INSTALL_SUCCEEDED && doRestore) {
//调用BackupManager的接口进行恢复工作
.......
}
if (!doRestore) {
.......
//4、生成一个POST_INSTALL消息,触发后续操作
Message msg = mHandler.obtainMessage(POST_INSTALL, token, 0);
mHandler.sendMessage(msg);
}
}
});
}
从上面的代码可以看出,handleReturnCode主要做了4件事:
*调用InstallArgs的doPreInstall函数,对于安装在终端内部的APK而言,将调用FileInstallArgs的doPreInstall函数;
*调用PKMS的installPackageTracedLI函数进行APK安装;
*调用InstallArgs的doPostInstall函数;
*利用结果构造PostInstallData,然后发送POST_INSTALL消息触发后续处理流程
现在我们分别介绍这几部分工作:
1、doPreInstall
int doPreInstall(int status) {
if (status != PackageManager.INSTALL_SUCCEEDED) {
cleanUp();
}
return status;
}
private boolean cleanUp() {
if (codeFile == null || !codeFile.exists()) {
return false;
}
removeCodePathLI(codeFile);
if (resourceFile != null && !FileUtils.contains(codeFile, resourceFile)) {
resourceFile.delete();
}
return true;
}
从代码来看,正常流程下doPreInstall并不会进行实际的工作,只是当handleStartCopy出现问题时,doPreInstall将清理拷贝的文件。
2、installPackageTracedLI
private void installPackageTracedLI(InstallArgs args, PackageInstalledInfo res) {
try {
Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "installPackage");
installPackageLI(args, res);
} finally {
Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
}
}
private void installPackageLI(InstallArgs args, PackageInstalledInfo res) {
//定义一些变量
.........
// Result object to be returned
res.setReturnCode(PackageManager.INSTALL_SUCCEEDED);
//定义parseFlags
.......
PackageParser pp = new PackageParser();
.......
final PackageParser.Package pkg;
try {
//解析APK文件,形成Package对象
pkg = pp.parsePackage(tmpPackageFile, parseFlags);
} catch (PackageParserException e) {
res.setError("Failed parse during installPackageLI", e);
return;
} finally {
Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
}
/ If we are installing a clustered package add results for the children
if (pkg.childPackages != null) {
//在需要的情况下,解析Child Package信息
........
}
try {
// either use what we've been given or parse directly from the APK
if (args.certificates != null) {
try {
//如果参数中定义了权限信息,就用参数中的权限信息配置Package对象
PackageParser.populateCertificates(pkg, args.certificates);
} catch (PackageParserException e) {
// there was something wrong with the certificates we were given;
// try to pull them from the APK
PackageParser.collectCertificates(pkg, parseFlags);
}
} else {
//否则,就从AndroidManifest.xml文件中解析出权限信息
PackageParser.collectCertificates(pkg, parseFlags);
}
} catch (PackageParserException e) {
res.setError("Failed collect during installPackageLI", e);
return;
}
//当安装重复的APK时,根据权限、签名信息、版本等条件,判断能否进一步操作
.............
........
//根据Package中的信息,修改拷贝文件时,临时赋予的名称
//此处将利用FileInstallArgs的doRename
if (!args.doRename(res.returnCode, pkg, oldCodePath)) {
res.setError(INSTALL_FAILED_INSUFFICIENT_STORAGE, "Failed rename");
return;
}
.........
try (PackageFreezer freezer = freezePackageForInstall(pkgName, installFlags,
"installPackageLI")) {
if (replace) {
//用新的package信息替换旧的
replacePackageLIF(pkg, parseFlags, scanFlags | SCAN_REPLACING, args.user,
installerPackageName, res);
} else {
//将新的pacakge信息加入到PKMS中
installNewPackageLIF(pkg, parseFlags, scanFlags | SCAN_DELETE_DATA_ON_FAILURES,
args.user, installerPackageName, volumeUuid, res);
}
}
..........
}
从代码来看,installPackageTracedLI的主要工作就是解析APK文件,形成对应的Package对象;生成对应的权限信息后,根据Package中的信息,更改存储路径对应目录的名称。
3、doPostInstall
int doPostInstall(int status, int uid) {
if (status != PackageManager.INSTALL_SUCCEEDED) {
cleanUp();
}
return status;
}
可以看出,FileInstallArgs中定义的doPostInstall函数和doPreInstall函数完全一样,正常流程下不需要进行任何操作;当之前的处理流程出现问题时,利用cleanUp清楚创建的文件和资源。
4、处理POST_INSTALL消息
在PackageHandler的doHandleMessage中处理POST_INSTALL消息:
.....
case POST_INSTALL: {
............
PostInstallData data = mRunningInstalls.get(msg.arg1);
final boolean didRestore = (msg.arg2 != 0);
mRunningInstalls.delete(msg.arg1);
if (data != null) {
............
// Handle the parent package
handlePackagePostInstall(parentRes, grantPermissions, killApp,
grantedPermissions, didRestore, args.installerPackageName,
args.observer);
// Handle the child packages
final int childCount = (parentRes.addedChildPackages != null)
? parentRes.addedChildPackages.size() : 0;
for (int i = 0; i < childCount; i++) {
//同样利用handlePackagePostInstall处理child Package
........
}
........
} else {
.........
}
}
break;
......
我们跟进一下handlePackagePostInstall函数:
private void handlePackagePostInstall(PackageInstalledInfo res, boolean grantPermissions,
boolean killApp, String[] grantedPermissions,
boolean launchedForRestore, String installerPackage,
IPackageInstallObserver2 installObserver) {
if (res.returnCode == PackageManager.INSTALL_SUCCEEDED) {
// Send the removed broadcasts
if (res.removedInfo != null) {
res.removedInfo.sendPackageRemovedBroadcasts(killApp);
}
//调用grantRequestedRuntimePermissions等,赋予Package权限
...........
//发送ACTION_PACKAGE_ADDED等广播消息
...........
...........
}
// If someone is watching installs - notify them
//将安装的结果通知给Pm.java中观察者
if (installObserver != null) {
try {
Bundle extras = extrasForInstallResult(res);
installObserver.onPackageInstalled(res.name, res.returnCode,
res.returnMsg, extras);
} catch (RemoteException e) {
Slog.i(TAG, "Observer no longer exists.");
}
}
}
从上面的代码来看,处理POST_INSTALL的主要工作其实还是通过广播、回调接口通知系统中的其它组件,有新的Pacakge安装或发生了改变。
最后整理一下handleReturnCode的流程,如下所示:
七、总结
从上面的代码来看,整个APK的安装过程极其琐碎复杂,但核心思想还是比较简单的:就是将待安装的APK文件拷贝到手机的指定位置,然后利用PackageParser来解析出对应的Package对象,最终将Package对象加入到PKMS中。
整体流程的主干大体如下图所示:
大图链接