在android的framework源码中添加自定义的permission以便限制应用程序调用自定义的系统接口,
在frameworks/base/core/res/AndroidManifest.xml 中添加:
<permission android:name="android.permission.ENTERPRISE_SETTINGS"
android:label="@string/permlab_invoke_ivt_method"
android:description="@string/permdesc_invoke_ivt_method"
android:protectionLevel="dangerous" />
在frameworks/base/core/res/values/string.xml中添加
permlab_invoke_ivt_method 、permdesc_invoke_ivt_method的字符串资源
在被调用的接口处添加权限检验
public String getDeviceInfo() throws RemoteException
{
。。。。。。
mContext.enforceCallingOrSelfPermission("android.permission.ENTERPRISE_SETTINGS", null);
。。。。。。
}
在调用该接口的应用程序的AndroidManifest.xml中需要添加该权限才可以正常调用该接口:
<uses-permission android:name="android.permission.ENTERPRISE_SETTINGS"/>
其中的权限保护级别如下:
protectionLevel分为四级:
"normal"
The default value. A lower-risk permission that gives requesting applications access to isolated application-level features, with minimal risk to other applications, the system, or the user. The system automatically grants this type of permission to a requesting application at installation, without asking for the user's explicit approval (though the user always has the option to review these permissions before installing).
"dangerous"
A higher-risk permission that would give a requesting application access to private user data or control over the device that can negatively impact the user. Because this type of permission introduces potential risk, the system may not automatically grant it to the requesting application. For example, any dangerous permissions requested by an application may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities.
"signature"
A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.
"signatureOrSystem"
A permission that the system grants only to applications that are in the Android system image or that are signed with the same certificates as those in the system image. Please avoid using this option, as the signature protection level should be sufficient for most needs and works regardless of exactly where applications are installed. The "signatureOrSystem" permission is used for certain special situations where multiple vendors have applications built into a system image and need to share specific features explicitly because they are being built together.
前面几个很好理解
现在重点记忆下最后一个signatureOrSystem 顾名思义就是在拥有权限的同时还必须满足signature一致或System级别APK才拥有!
现在做了如下尝试
Test Result:
TestCustomPermission是我自定义了一个Activity的访问权限的APK
TestPermission 去访问TestCustomPermission的Activity
EclipseSignature 中两个都用eclipse的签名
OtherSignature 中两个都用相同的另一种签名
DifferentSignature 中两个签名不想同
以下是测试结果:
APP级别
权限设置为signatureOrSystem
1. EclipseSignature 成功访问 ! 可以加入权限!
2. OtherSignature 成功访问 ! 可以加入权限!
3. DifferentSignature 访问失败!
权限设置为normal
1. DifferentSignature 成功访问 ! 可以加入权限!
System 级别
权限设置为signatureOrSystem
1. EclipseSignature 成功访问 ! 可以加入权限!
2. OtherSignature 成功访问 ! 可以加入权限!
3. DifferentSignature 成功访问 ! 可以加入权限!
TestCustomPermission再 system TestPermission 在APP
1.DifferentSignature 失败
2.签名相同成功!
最后一个实验
在TestCustomPermission中注册 signatureOrSystem!APP层访问 在framework API中验证!