0

There are many Android Permissions and generally each permission is mapped to a linux group id in AOSP and that is how the access control mechanism works. The mapping can be seen from the platform.xml file. However all the permissions are not mapped to a group id, there are many permissions whose mapping is missing from platform.xml file.

Like FLASHLIGHT, SET_ORIENTATION, SET_WALLPAPER, READ_SMS, SEND_SMS and so on. I'm curious to know how the systems works for these permissions.

Thanks in advance!

Adi GuN
  • 1,244
  • 3
  • 16
  • 38

1 Answers1

1

The system uses the platform defined permissions for some kernel GIDs, such as for the log or radio. But, not all Android permissions are used to lump packages into assigned group IDs. Some are enforced by by the framework before you can start components, others are checked at runtime. They are typically checked within the framework service code running within a process which has privileges to do what you are requesting. Though that's not necessarily a requirement. In fact, you can even define and enforce your own permissions. The calls in use are checkCallingPermission() and enforceCallingPermission(), or one of their variants. These are typically used over Binder type service calls, though not necessarily. Here are some additional details you may find helpful: http://bit.ly/1k9vGM1

Larry Schiefer
  • 15,687
  • 2
  • 27
  • 33
  • Thank you so much Larry. Your answer did help me understand few things. But I'm still confused in how the permissions are enforced. For example if you take the permission VIBRATE, it is not a permission which needs to be enforced by gid/uid. Rather android framework enforces VIBRATE with as you mentioned Binder etc. Could you be more specific and kindly let me know where the enforcement takes place in AOSP. For example if an app has VIBRATE permission and it calls getSystemService(Context.VIBRATOR_SERVICE) where does the check take place to see if app has android.permission.VIBRATE permission? – Adi GuN Mar 19 '14 at 03:57
  • That's actually one of the easier examples. That is one of the dynamically enforced permissions and is done by the VibratorService within system server. So you do not have to have the permission to call `getSystemService(Context.VIBRATOR_SERVICE)`, but you do have to have it to call `Vibrator.vibrate()`. The enforcement happens in VibratorService.java, which runs in the system_server process. – Larry Schiefer Mar 19 '14 at 10:22
  • Probably this was supposed to my actual question. I would love to know your thoughts on it: http://stackoverflow.com/questions/22975353/aosp-how-to-restrict-app-accessing-camera-location – Adi GuN Apr 09 '14 at 22:59