1. 文件(夾)讀寫權限
init.rc 中建立test1 test2 test3 文件夾
mkdir /data/misc/test1 0770 root root
mkdir /data/misc/test2 0770 wifi wifi
mkdir /data/misc/test3 0770 system misc
其中
test1 目錄的owner是root, group 也是root
test2 目錄的owner是wifi , group 也是wifi
test3 目錄的owner是system , group 是misc (任何用戶都屬於group misc)
service xxxx /system/bin/xxxx
user root
disabled
oneshot
service yyyy /system/bin/yyyy
user system
disabled
oneshot
service zzzz /system/bin/zzzz
user wifi
disabled
oneshot
結果:
xxxx 服務可以訪問 test1, test2, test3
yyyy 服務可以訪問 test3
zzzz 服務可以訪問 test2, test3
Android 中mkdir 的定義
- int do_mkdir(int nargs, char **args)
- {
- mode_t mode = 0755;
- /* mkdir <path> [mode] [owner] [group] */
- if (nargs >= 3) {
- mode = strtoul(args[2], 0, 8);
- }
- if (mkdir(args[1], mode)) {
- return -errno;
- }
- if (nargs >= 4) {
- uid_t uid = decode_uid(args[3]);
- gid_t gid = -1;
- if (nargs == 5) {
- gid = decode_uid(args[4]);
- }
- if (chown(args[1], uid, gid)) {
- return -errno;
- }
- }
- return 0;
- }
2. Property 權限
Android Property 也是有權限的。
2.1 以前綴 ctl. 開頭的控制屬性, 設置前,Android 代碼會調用函數check_control_perms()檢查調用者的 user id 和 group id
- struct {
- const char *service;
- unsigned int uid;
- unsigned int gid;
- } control_perms[] = {
- { "dumpstate",AID_SHELL, AID_LOG },
- {NULL, 0, 0 }
- };
-
-
/* * Checks permissions for setting system properties. * Returns 1 if uid allowed, 0 otherwise. */
- static int check_control_perms(const char *name, int uid, int gid) {
- int i;
- if (uid == AID_SYSTEM || uid == AID_ROOT)
- return 1;
- /* Search the ACL */
- for (i = 0; control_perms[i].service; i++) {
- if (strcmp(control_perms[i].service, name) == 0) {
- if ((uid && control_perms[i].uid == uid) ||
- (gid && control_perms[i].gid == gid)) {
- return 1;
- }
- }
- }
- return 0;
- }
2.2 其它屬性, 設置前,Android 代碼會調用函數check_perms()檢查調用者的 user id 和 group id
check_perms(msg.name, cr.uid, cr.gid)
- struct {
- const char *prefix;
- unsigned int uid;
- unsigned int gid;
- } property_perms[] = {
- { "net.rmnet0.", AID_RADIO, 0 },
- { "net.gprs.", AID_RADIO, 0 },
- { "net.ppp", AID_RADIO, 0 },
- { "ril.", AID_RADIO, 0 },
- { "gsm.", AID_RADIO, 0 },
- { "persist.radio", AID_RADIO, 0 },
- { "net.dns", AID_RADIO, 0 },
- { "net.", AID_SYSTEM, 0 },
- { "dev.", AID_SYSTEM, 0 },
- { "runtime.", AID_SYSTEM, 0 },
- { "hw.", AID_SYSTEM, 0 },
- { "sys.", AID_SYSTEM, 0 },
- { "service.", AID_SYSTEM, 0 },
- { "wlan.", AID_SYSTEM, 0 },
- { "dhcp.", AID_SYSTEM, 0 },
- { "dhcp.", AID_DHCP, 0 },
- { "vpn.", AID_SYSTEM, 0 },
- { "vpn.", AID_VPN, 0 },
- { "debug.", AID_SHELL, 0 },
- { "log.", AID_SHELL, 0 },
- { "service.adb.root", AID_SHELL, 0 },
- { "persist.sys.", AID_SYSTEM, 0 },
- { "persist.service.", AID_SYSTEM, 0 },
- { NULL, 0, 0 }
- };
-
/* * Checks permissions for starting/stoping system services. * AID_SYSTEM and AID_ROOT are always allowed. * * Returns 1 if uid allowed, 0 otherwise. */
- static int check_perms(const char *name, unsigned int uid, int gid)
- {
- int i;
- if (uid == 0)
- return 1;
- if(!strncmp(name, "ro.", 3))
- name +=3;
- for (i = 0; property_perms[i].prefix; i++) {
- int tmp;
- if (strncmp(property_perms[i].prefix, name,
- strlen(property_perms[i].prefix)) == 0) {
- if ((uid && property_perms[i].uid == uid) ||
- (gid && property_perms[i].gid == gid)) {
- return 1;
- }
- }
- }
- return 0;
- }
從代碼中可以看到, 任何不以property_perms[] 中定義的前綴開頭的property 是
無法被除root以外的用戶訪問的,包括system用戶。
3. 最後補充Android 的uid gid 定義
- #define AID_ROOT 0 /* traditional unix root user */
- #define AID_SYSTEM 1000 /* system server */
- #define AID_RADIO 1001 /* telephony subsystem, RIL */
- #define AID_BLUETOOTH 1002 /* bluetooth subsystem */
- #define AID_GRAPHICS 1003 /* graphics devices */
- #define AID_INPUT 1004 /* input devices */
- #define AID_AUDIO 1005 /* audio devices */
- #define AID_CAMERA 1006 /* camera devices */
- #define AID_LOG 1007 /* log devices */
- #define AID_COMPASS 1008 /* compass device */
- #define AID_MOUNT 1009 /* mountd socket */
- #define AID_WIFI 1010 /* wifi subsystem */
- #define AID_ADB 1011 /* android debug bridge (adbd) */
- #define AID_INSTALL 1012 /* group for installing packages */
- #define AID_MEDIA 1013 /* mediaserver process */
- #define AID_DHCP 1014 /* dhcp client */
- #define AID_SDCARD_RW 1015 /* external storage write access */
- #define AID_VPN 1016 /* vpn system */
- #define AID_KEYSTORE 1017 /* keystore subsystem */
- #define AID_SHELL 2000 /* adb and debug shell user */
- #define AID_CACHE 2001 /* cache access */
- #define AID_DIAG 2002 /* access to diagnostic resources */
- /* The 3000 series are intended for use as supplemental group id's only.
- * They indicate special Android capabilities that the kernel is aware of. */
- #define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */
- #define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */
- #define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
- #define AID_NET_RAW 3004 /* can create raw INET sockets */
- #define AID_NET_ADMIN 3005 /* can configure interfaces and routing tables. */
- #define AID_MISC 9998 /* access to misc storage */
- #define AID_NOBODY 9999
- #define AID_APP 10000 /* first app user */
可見root (AID_ROOT = 0) 的權限最高, app (AID_APP = 10000) 權限最低, misc (AID_MISC = 9998) 權限倒數第三低。
所以#1 中描述的目錄test3的group 屬性設置成了 misc, 則除了 app/nobody 這兩個用戶,
android系統中其它所有用戶都有該目錄的group權限!