Android應用層對裝置的訪問許可權的實現
android應用層對裝置的訪問許可權的實現
如果應用程式出現開啟裝置許可權不夠的錯誤,可能是建立裝置節點時賦予的許可權不夠。
問題:攝像頭總是許可權不夠,只能在shell下重新設定可用。
分析:android對裝置節點的管理不是使用udev,在init裡面,system/core/init/下的init.c和devices.c裡對裝置節點的建立設定了許可權。
Andoid安全機制包括兩個層次:系統層和應用層。應用層的安全機制建立在授權與申請基礎上,本文不講。系統層的安全機制包括給 每個使用者程序分配單獨的uid和gid,使用程序本身可以防止地址空間的共享,從而避免使用執行緒方式對資料的全域性可見性。使用了uid則對於外存也加了封 鎖,當然這得感謝UNIX的使用者空間機制。系統層安全機制還包括對裝置訪問的控制,在這個方面,Android的做法與傳統有所不同。
Android除了給予使用者程序以單獨的uid外,給系統服務也分配了固定的uid,諸如system/core/include/private/android_filesystem_config.h檔案中定義了這些固定的uid:
- define AID_SYSTEM 1000
#define AID_RADIO 1001
#define AID_BLUETOOTH 1002
#define AID_GRAPHICS 1003
#define AID_INPUT 1004
#define AID_AUDIO 1005
#define AID_CAMERA 1006
#define AID_LOG 1007
......................................
傳統的做法是,除了root,其它全是普通使用者,兩類使用者的許可權在核心裡是規定死的,這也保證了UNIX核心的安全性。比如dev目錄下的裝置文 件,一般使用者主是root,而且對其他使用者不開放讀寫能力。使用者使用裝置一般通過系統呼叫如ioctl,而系統呼叫屬於受信程式碼。
Android的問題是,引入的這些系統使用者,實際上在許可權方面是無法與普通uid區分的,如果系統使用者能訪問一個裝置,那麼一般使用者也 能。所以,Andoid沒有別的選擇,只能預設開啟裝置檔案的全域性讀寫。這在systemcore/init/device.c做了定義:
{ "/dev/urandom", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/ashmem", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/binder", 0666, AID_ROOT, AID_ROOT, 0 },
.....................................
裝置檔案當然還是存放於/dev目錄下,但dev目錄的填充不是由udev做的,而是由Android的init程序做的。這個步驟由make_device函式完成,各個裝置的許可權來自於上述device.c檔案的規定。
這種裝置許可權分配的潛在危險是,任何使用者程序都可以操作裝置,如果底層裝置驅動有漏洞,那麼整個系統的安全性就是存在風險的,而UNIX系統最大的安全隱患,正是來自於裝置驅動。
在Android中,由於沒有mdev和udev,所以它沒有辦法動態的生成裝置節點,那麼它是如何做的呢?
我們可以在system/core/init/下的init.c和devices.c中找到答案:
init.c中的int main(int argc, char **argv)
建立了一些基本的裝置節點。
int main(int argc, char **argv)
{
...
/* Get the basic filesystem setup we need put
* together in the initramdisk on / and then we'll
* let the rc file figure out the rest.
*/
mkdir("/dev", 0755);
mkdir("/proc", 0755);
mkdir("/sys", 0755);
mount("tmpfs", "/dev", "tmpfs", 0, "mode=0755");
mkdir("/dev/pts", 0755);
mkdir("/dev/socket", 0755);
mount("devpts", "/dev/pts", "devpts", 0, NULL);
mount("proc", "/proc", "proc", 0, NULL);
mount("sysfs", "/sys", "sysfs", 0, NULL);
for(;;) {
...
if (ufds[0].revents == POLLIN)
handle_device_fd(device_fd);
if (ufds[1].revents == POLLIN)
handle_property_set_fd(property_set_fd);
if (ufds[3].revents == POLLIN)
handle_keychord(keychord_fd);
}
return 0;
}
我們再來看看handle_device_fd(),該函式定義在devices.c中
void handle_device_fd(int fd)
{
...
handle_device_event(&uevent);
handle_firmware_event(&uevent);
}
}
而handle_device_event定義如下:
static void handle_device_event(struct uevent *uevent)
{
...
if(!strcmp(uevent->action, "add")) {
make_device(devpath, block, uevent->major, uevent->minor);
return;
}
...
}
make_device定義如下:
static void make_device(const char *path, int block, int major, int minor)
{
...
mode = get_device_perm(path, &uid, &gid) | (block ? S_IFBLK : S_IFCHR);
dev = (major << 8) | minor;
...
setegid(gid);
mknod(path, mode, dev);
chown(path, uid, -1);
setegid(AID_ROOT);
}
其他動態裝置的節點建立,android也規定好了裝置節點的名字和許可權等。下面這個函式會返回你要建立的裝置節點的許可權,如果列表中沒 有,就會使用預設600,當然這樣的話,應用程式使用裝置就會出現問題,所以,你要把你的裝置加到列表 static struct perms_ devperms[] 中。
我們看看get_device_perm如下實現:
static mode_t get_device_perm(const char *path, unsigned *uid, unsigned *gid)
{
mode_t perm;
if (get_device_perm_inner(qemu_perms, path, uid, gid, &perm) == 0) {
return perm;
} else if (get_device_perm_inner(devperms, path, uid, gid, &perm) == 0) {
return perm;
} else {
struct listnode *node;
struct perm_node *perm_node;
struct perms_ *dp;
/* Check partners list. */
list_for_each(node, &devperms_partners) {
perm_node = node_to_item(node, struct perm_node, plist);
dp = &perm_node->dp;
if (dp->prefix) {
if (strncmp(path, dp->name, strlen(dp->name)))
continue;
} else {
if (strcmp(path, dp->name))
continue;
}
/* Found perm in partner list. */
*uid = dp->uid;
*gid = dp->gid;
return dp->perm;
}
/* Default if nothing found. */
*uid = 0;
*gid = 0;
return 0600;
}
}
我們最後可以看到在devperms中定義了要生成的裝置節點:
static struct perms_ devperms[] = {
{ "/dev/null", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/zero", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/full", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/ptmx", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/tty", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/random", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/urandom", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/ashmem", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/binder", 0666, AID_ROOT, AID_ROOT, 0 },
/* logger should be world writable (for logging) but not readable */
{ "/dev/log/", 0662, AID_ROOT, AID_LOG, 1 },
/* the msm hw3d client device node is world writable/readable. */
{ "/dev/msm_hw3dc", 0666, AID_ROOT, AID_ROOT, 0 },
/* gpu driver for adreno200 is globally accessible */
{ "/dev/kgsl", 0666, AID_ROOT, AID_ROOT, 0 },
/* these should not be world writable */
{ "/dev/diag", 0660, AID_RADIO, AID_RADIO, 0 },
{ "/dev/diag_arm9", 0660, AID_RADIO, AID_RADIO, 0 },
{ "/dev/android_adb", 0660, AID_ADB, AID_ADB, 0 },
{ "/dev/android_adb_enable", 0660, AID_ADB, AID_ADB, 0 },
{ "/dev/ttyMSM0", 0600, AID_BLUETOOTH, AID_BLUETOOTH, 0 },
{ "/dev/ttyHS0", 0600, AID_BLUETOOTH, AID_BLUETOOTH, 0 },
{ "/dev/uinput", 0660, AID_SYSTEM, AID_BLUETOOTH, 0 },
{ "/dev/alarm", 0664, AID_SYSTEM, AID_RADIO, 0 },
{ "/dev/tty0", 0660, AID_ROOT, AID_SYSTEM, 0 },
{ "/dev/graphics/", 0660, AID_ROOT, AID_GRAPHICS, 1 },
{ "/dev/msm_hw3dm", 0660, AID_SYSTEM, AID_GRAPHICS, 0 },
{ "/dev/input/", 0660, AID_ROOT, AID_INPUT, 1 },
{ "/dev/eac", 0660, AID_ROOT, AID_AUDIO, 0 },
{ "/dev/cam", 0660, AID_ROOT, AID_CAMERA, 0 },
{ "/dev/pmem", 0660, AID_SYSTEM, AID_GRAPHICS, 0 },
{ "/dev/pmem_adsp", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/pmem_camera", 0660, AID_SYSTEM, AID_CAMERA, 1 },
{ "/dev/oncrpc/", 0660, AID_ROOT, AID_SYSTEM, 1 },
{ "/dev/adsp/", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/snd/", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/mt9t013", 0660, AID_SYSTEM, AID_SYSTEM, 0 },
{ "/dev/msm_camera/", 0660, AID_SYSTEM, AID_SYSTEM, 1 },
{ "/dev/akm8976_daemon",0640, AID_COMPASS, AID_SYSTEM, 0 },
{ "/dev/akm8976_aot", 0640, AID_COMPASS, AID_SYSTEM, 0 },
{ "/dev/akm8973_daemon",0640, AID_COMPASS, AID_SYSTEM, 0 },
{ "/dev/akm8973_aot", 0640, AID_COMPASS, AID_SYSTEM, 0 },
{ "/dev/bma150", 0640, AID_COMPASS, AID_SYSTEM, 0 },
{ "/dev/cm3602", 0640, AID_COMPASS, AID_SYSTEM, 0 },
{ "/dev/akm8976_pffd", 0640, AID_COMPASS, AID_SYSTEM, 0 },
{ "/dev/lightsensor", 0640, AID_SYSTEM, AID_SYSTEM, 0 },
{ "/dev/msm_pcm_out", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/msm_pcm_in", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/msm_pcm_ctl", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/msm_snd", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/msm_mp3", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/audience_a1026", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/tpa2018d1", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/msm_audpre", 0660, AID_SYSTEM, AID_AUDIO, 0 },
{ "/dev/msm_audio_ctl", 0660, AID_SYSTEM, AID_AUDIO, 0 },
{ "/dev/htc-acoustic", 0660, AID_SYSTEM, AID_AUDIO, 0 },
{ "/dev/vdec", 0660, AID_SYSTEM, AID_AUDIO, 0 },
{ "/dev/q6venc", 0660, AID_SYSTEM, AID_AUDIO, 0 },
{ "/dev/snd/dsp", 0660, AID_SYSTEM, AID_AUDIO, 0 },
{ "/dev/snd/dsp1", 0660, AID_SYSTEM, AID_AUDIO, 0 },
{ "/dev/snd/mixer", 0660, AID_SYSTEM, AID_AUDIO, 0 },
{ "/dev/smd0", 0640, AID_RADIO, AID_RADIO, 0 },
{ "/dev/qemu_trace", 0666, AID_SYSTEM, AID_SYSTEM, 0 },
{ "/dev/qmi", 0640, AID_RADIO, AID_RADIO, 0 },
{ "/dev/qmi0", 0640, AID_RADIO, AID_RADIO, 0 },
{ "/dev/qmi1", 0640, AID_RADIO, AID_RADIO, 0 },
{ "/dev/qmi2", 0640, AID_RADIO, AID_RADIO, 0 },
/* CDMA radio interface MUX */
{ "/dev/ts0710mux", 0640, AID_RADIO, AID_RADIO, 1 },
{ "/dev/ppp", 0660, AID_RADIO, AID_VPN, 0 },
{ "/dev/tun", 0640, AID_VPN, AID_VPN, 0 },
{ NULL, 0, 0, 0, 0 },
};