Android ContentProvider调用报错"Bad call:..."及相关Binder权限问题分析
问题:
项目中有一下状况:进程A调用另外一进程的B ContentProvider,B在该这次query中须要在query另外一个 C ContentProvider:java
class BContentProvider extends ContentProvider {
Context mContext;
...
@Override
public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
...
try {
// query C ContentProvider:
Cursor cursor = mContext.getContentResolver().query(...);
if (cursor != null) {
try {
//do something;
} finally {
cursor.close();
}
}
Cursor cursor = mContext.getContentResolver().query(...);
...
...
}
}
}
复制代码
在这种状况下,系统抛出Exception以下:android
1-11 16:04:51.867 2633 3557 W AppOps : Bad call: specified package com.providers.xxx under uid 10032 but it is really 10001
01-11 16:04:51.867 2633 3557 W AppOps : java.lang.RuntimeException: here
01-11 16:04:51.867 2633 3557 W AppOps : at com.android.server.AppOpsService.getOpsRawLocked(AppOpsService.java:1399)
01-11 16:04:51.867 2633 3557 W AppOps : at com.android.server.AppOpsService.noteOperationUnchecked(AppOpsService.java:1115)
01-11 16:04:51.867 2633 3557 W AppOps : at com.android.server.AppOpsService.noteProxyOperation(AppOpsService.java:1093)
01-11 16:04:51.867 2633 3557 W AppOps : at com.android.internal.app.IAppOpsService$Stub.onTransact(IAppOpsService.java:157)
01-11 16:04:51.867 2633 3557 W AppOps : at android.os.BinderInjector.onTransact(BinderInjector.java:30)
01-11 16:04:51.867 2633 3557 W AppOps : at android.os.Binder.execTransact(Binder.java:569)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: Writing exception to parcel
01-11 16:04:51.868 4659 6791 E DatabaseUtils: java.lang.SecurityException: Proxy package com.providers.xxx from uid 10001 or calling package com.providers.xxx from uid 10032 not allowed to perform READ_PROVIDER_C
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.app.AppOpsManager.noteProxyOp(AppOpsManager.java:1834)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProvider.checkPermissionAndAppOp(ContentProvider.java:538)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProvider.enforceReadPermissionInner(ContentProvider.java:560)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProvider$Transport.enforceReadPermission(ContentProvider.java:483)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProvider$Transport.query(ContentProvider.java:212)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentResolver.query(ContentResolver.java:532)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentResolver.query(ContentResolver.java:473)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at com.android.providers.xxx.BDatabaseHelper.query(BDatabaseHelper.java:7238)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProvider$Transport.query(ContentProvider.java:239)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.content.ContentProviderNative.onTransact(ContentProviderNative.java:112)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.os.BinderInjector.onTransact(BinderInjector.java:30)
01-11 16:04:51.868 4659 6791 E DatabaseUtils: at android.os.Binder.execTransact(Binder.java:569)
复制代码
分析:
因为错误log首先反应了没有C ContentProvider的权限,但检查A应用是有C的读写权限的。因此排除了A的权限问题。 继续分析: 经过log能够看到确实是ContentProvider在作权限检查时出错。经过log中对应的源码进行分析: 首先能够看到ContentProvider.query()的时候作了权限检查,注意,传入的enforceReadPermission()的callingPkg是调用方的包名,以上面为例,就是B的包名。git
ContentProvider.query():bash
@Override
public Cursor query(String callingPkg, Uri uri, @Nullable String[] projection, @Nullable Bundle queryArgs, @Nullable ICancellationSignal cancellationSignal) {
validateIncomingUri(uri);
uri = maybeGetUriWithoutUserId(uri);
if (enforceReadPermission(callingPkg, uri, null) != AppOpsManager.MODE_ALLOWED) {
复制代码
enforceReadPermission()调用了.checkPermissionAndAppOp()方法,ContentProvider.checkPermissionAndAppOp()调用了AppOpsManager.noteProxyOp()去作检查出了异常。app
AppOpsManager.noteProxyOp():ide
public int noteProxyOp(int op, String proxiedPackageName) {
int mode = noteProxyOpNoThrow(op, proxiedPackageName);
if (mode == MODE_ERRORED) {
throw new SecurityException("Proxy package " + mContext.getOpPackageName()
+ " from uid " + Process.myUid() + " or calling package "
+ proxiedPackageName + " from uid " + Binder.getCallingUid()
+ " not allowed to perform " + sOpNames[op]);
}
return mode;
}
复制代码
noteProxyOpNoThrow()又作了什么呢? AppOpsManager.noteProxyOpNoThrow():ui
/** * Like {@link #noteProxyOp(int, String)} but instead * of throwing a {@link SecurityException} it returns {@link #MODE_ERRORED}. * @hide */
public int noteProxyOpNoThrow(int op, String proxiedPackageName) {
try {
return mService.noteProxyOperation(op, mContext.getOpPackageName(),
Binder.getCallingUid(), proxiedPackageName);
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}
复制代码
可见noteProxyOpNoThrow()是经过binder调用到了AppOpsService.noteProxyOperation()方法,注意,这里传入的是AppOpsService.noteProxyOperation()的后两个参数为Binder.getCallingUid()和以前层层传入的调用方的包名,也就是上面例子的B的包名。this
下面,继续看binder另外一侧的AppOpsService.noteProxyOperation()方法,咱们结合log中AppOps的输出log:spa
AppOpsService.noteProxyOperation():线程
@Override
public int noteProxyOperation(int code, String proxyPackageName, int proxiedUid, String proxiedPackageName) {
verifyIncomingOp(code);
final int proxyUid = Binder.getCallingUid();
String resolveProxyPackageName = resolvePackageName(proxyUid, proxyPackageName);
if (resolveProxyPackageName == null) {
return AppOpsManager.MODE_IGNORED;
}
final int proxyMode = noteOperationUnchecked(code, proxyUid,
resolveProxyPackageName, -1, null);
if (proxyMode != AppOpsManager.MODE_ALLOWED || Binder.getCallingUid() == proxiedUid) {
return proxyMode;
}
String resolveProxiedPackageName = resolvePackageName(proxiedUid, proxiedPackageName);
if (resolveProxiedPackageName == null) {
return AppOpsManager.MODE_IGNORED;
}
return noteOperationUnchecked(code, proxiedUid, resolveProxiedPackageName,
proxyMode, resolveProxyPackageName);
}
复制代码
AppOpsService.noteOperationUnchecked():
private int noteOperationUnchecked(int code, int uid, String packageName, int proxyUid, String proxyPackageName) {
Op op = null;
Op switchOp = null;
int switchCode;
int resultMode = AppOpsManager.MODE_ALLOWED;
synchronized (this) {
Ops ops = getOpsRawLocked(uid, packageName, true);
...
}
...
}
复制代码
AppOpsService.getOpsRawLocked():
private Ops getOpsRawLocked(int uid, String packageName, boolean edit) {
...
Ops ops = uidState.pkgOps.get(packageName);
if (ops == null) {
if (!edit) {
return null;
}
boolean isPrivileged = false;
// This is the first time we have seen this package name under this uid,
// so let's make sure it is valid.
if (uid != 0) {
final long ident = Binder.clearCallingIdentity();
try {
int pkgUid = -1;
try {
ApplicationInfo appInfo = ActivityThread.getPackageManager()
.getApplicationInfo(packageName,
PackageManager.MATCH_DEBUG_TRIAGED_MISSING,
UserHandle.getUserId(uid));
if (appInfo != null) {
pkgUid = appInfo.uid;
isPrivileged = (appInfo.privateFlags
& ApplicationInfo.PRIVATE_FLAG_PRIVILEGED) != 0;
}
...
}
...
if (pkgUid != uid) {
// Oops! The package name is not valid for the uid they are calling
// under. Abort.
RuntimeException ex = new RuntimeException("here");
ex.fillInStackTrace();
Slog.w(TAG, "Bad call: specified package " + packageName
+ " under uid " + uid + " but it is really " + pkgUid, ex);
return null;
}
} finally {
Binder.restoreCallingIdentity(ident);
}
}
ops = new Ops(packageName, uidState, isPrivileged);
uidState.pkgOps.put(packageName, ops);
}
return ops;
}
复制代码
这里主要的操做就是将传入的uid和包名进行判断:比对该包对应的uid和传入的uid比较,若是不一致就报错。错误信息和log中的一致:
Bad call: specified package com.providers.xxx under uid 10032 but it is really 10001
复制代码
上文提到了,这个包名是传入的ContentProvider的调用方的包名,也就是例子中的B的包名。而uid是在AppOpsManager中经过Binder.getCallingUid()得到的。log中显示,此uid并非B的uid,而是其上游调用者A的uid。 为何在C中调用Binder.getCallingUid()获得的是A进程的呢?我找到了袁辉辉大神的一片博客: Binder IPC的权限控制
“线程B经过Binder调用当前线程的某个组件:此时线程B是线程B某个组件的调用端,则mCallingUid和mCallingPid应该保存当前线程B的PID和UID,故须要调用clearCallingIdentity()方法完成这个功能。当线程B调用完某个组件,因为线程B仍然处于线程A的被调用端,所以mCallingUid和mCallingPid须要恢复成线程A的UID和PID,这是调用restoreCallingIdentity()便可完成。”
Binder的机制就是这么设计的,因此须要在B进行下一次Binder调用(也就是query ContentProvider)以前调用clearCallingIdentity()来将B的 PID和UID附给mCallingUid和mCallingPid。Binder调用结束后在restoreCallingIdentity()来将其恢复成其本来调用方的PID和UID。这样在C里就会用B的相关信息进行权限校验,在AppOpsService.getOpsRawLocked(),UID和包名都是B的,是一致的,就不会报错。
解决办法
其实上文也已经提到了,参考 Binder IPC的权限控制,在B进行Query先后分别调用clearCallingIdentity() //做用是清空远程调用端的uid和pid,用当前本地进程的uid和pid替代,这样在以后的调用方去进行权限校验时会以B的信息为主,不会出现包名和UID不一致的状况。 最后修改过的调用方式以下:
long token = Binder.clearCallingIdentity();
try {
Cursor cursor = mContext.getContentResolver().query(...);
if (cursor != null) {
try {
//do something;
} finally {
cursor.close();
}
}
} finally {
Binder.restoreCallingIdentity(token);
}
复制代码
总结:
-
ContentProvider是用Binder实现的,查询的过程其实就是一次Binder调用,因此想深刻了解ContentProvider必定要会一些Binder相关的知识。
-
ContentProvider在接受一次查询前会调用AppOpsManager(其会经过Binder再由AppOpsService完成)进行权限校验,其中会校验调用方的UID和包名是否一致,其相关功能可见文章: Android 权限管理 —— AppOps。
-
Binder调用时候能够经过Binder.getCallingPid()和Binder.getCallingUid()来获取调用方的PID和UID,而若是A经过Binder调用B,B又Binder调用了C,那么在C中Binder.getCallingPid()和Binder.getCallingUid()获得的是A的PID和UID,这种状况下须要在B调用C的先后用Binder.clearCallingIdentity()和Binder.restoreCallingIdentity()使其带上B的PID和UID,从而在C中进行权限校验时候用B的信息进行校验,固然这也符合逻辑,B调用的C,应该B须要有相应权限。
-
Binder.clearCallingIdentity()和Binder.restoreCallingIdentity()的实现原理 Binder IPC的权限控制也有介绍,是经过移位实现的。
- 1. android 权限问题分析
- 2. Android应用权限相关问题
- 3. 权限相关问题
- 4. Android 串口相关权限问题
- 5. Tomcat启动报错相关问题解决(无权限)
- 6. ContentProvider访问权限错误的解决
- 7. contentprovider权限
- 8. Android权限问题
- 9. ContentProvider权限设置
- 10. Android 权限分析
- 更多相关文章...
- • XML 相关技术 - XML 教程
- • MySQL删除用户权限(REVOKE) - MySQL教程
- • NewSQL-TiDB相关
- • PHP Ajax 跨域问题最佳解决方案
-
每一个你不满意的现在,都有一个你没有努力的曾经。
- 1. Window下Ribbit MQ安装
- 2. Linux下Redis安装及集群搭建
- 3. shiny搭建网站填坑战略
- 4. Mysql8.0.22安装与配置详细教程
- 5. Hadoop安装及配置
- 6. Python爬虫初学笔记
- 7. 部署LVS-Keepalived高可用集群
- 8. keepalived+mysql高可用集群
- 9. jenkins 公钥配置
- 10. HA实用详解
- 1. android 权限问题分析
- 2. Android应用权限相关问题
- 3. 权限相关问题
- 4. Android 串口相关权限问题
- 5. Tomcat启动报错相关问题解决(无权限)
- 6. ContentProvider访问权限错误的解决
- 7. contentprovider权限
- 8. Android权限问题
- 9. ContentProvider权限设置
- 10. Android 权限分析