Failed opening content provider (FileProvider)

Question

I'm trying to share a file through FileProvider API. On the server side, the File has been configured as the following:

public void prepareData() {
    File apkFile = new File(context.getCacheDir(), "ngp-187002.apk");


    Uri apkFileUri = FileProvider.getUriForFile(context, context.getPackageName() + ".fileprovider", apkFile);
    Log.i(TAG, "Apk file Uri: " + apkFileUri.toString() + ", fileSize = " + apkFile.length());

    context.grantUriPermission(NGP_UPDATER_PACKAGE_NAME, apkFileUri, Intent.FLAG_GRANT_READ_URI_PERMISSION);

    Intent updaterIntent = new Intent();

    updaterIntent.setClassName(NGP_UPDATER_PACKAGE_NAME, NGP_UPDATER_SERVICE_CLASS_NAME);
    updaterIntent.setAction(EXTERNAL_ACTION_UPDATE_NGP);
    // updaterIntent.putExtra(EXTERNAL_PARAM_APK_LOC, TARGET_APK_DIR);
    updaterIntent.setDataAndType(apkFileUri, "application/vnd.android.package-archive");
    updaterIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
    // Since NgpApp & NgpUpdater are signed by the same key, we can start the process
    context.startService(updaterIntent);
}

And AndroidManifest.xml has been configured as the following:

<provider
  android:authorities="${applicationId}.fileprovider"
  android:exported="false"
  android:grantUriPermissions="true"
  android:name="android.support.v4.content.FileProvider">
  <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
    android:resource="@xml/fileproviderpath"/>
</provider>

Filepath xml file is as following

<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <cache-path name="cache" path="."/>
</paths>

The receiver side is a IntentService, I'm trying to get the stream like the following:

String apkLocUri = intent.getData();
is = getBaseContext().getContentResolver().openInputStream(apkLocUri);

But i'm getting

12-05 11:57:44.941   784   827 I NGPPackageInstallerService: the apkLocUri is: content://com.xxx.yyy.fileprovider/cache/ngp-187002.apk
12-05 11:57:44.989   784   827 E JavaBinder: !!! FAILED BINDER TRANSACTION !!!  (parcel size = 416)
12-05 11:57:44.990   784   827 I ActivityThread: Removing dead content provider:android.content.ContentProviderProxy@40db0b5
12-05 11:57:44.994  2831  8889 W ActivityManager: unstableProviderDied: caller 10058 says ContentProviderConnection{a983e7c/com.xxx.yyy/android.support.v4.content.FileProvider->784:com.xxx.yyyupdater/u0a58 s1/1 u1/1 +29s191ms} died, but we don't agree
12-05 11:57:44.999 31747 31747 W Binder:31433_5: type=1400 audit(0.0:103879): avc: denied { read } for path="/data/data/com.xxx.yyy/cache/ngp-187002.apk" dev="dm-0" ino=2972 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
12-05 11:57:45.041   784   827 E JavaBinder: !!! FAILED BINDER TRANSACTION !!!  (parcel size = 416)
12-05 11:57:45.046   784   827 E NGPPackageInstallerService: apk file does not exist
12-05 11:57:45.046   784   827 E NGPPackageInstallerService: java.io.FileNotFoundException: Failed opening content provider: content://com.xxx.yyy.fileprovider/cache/ngp-187002.apk
12-05 11:57:45.046   784   827 E NGPPackageInstallerService:    at android.content.ContentResolver.openTypedAssetFileDescriptor(ContentResolver.java:1187)
12-05 11:57:45.046   784   827 E NGPPackageInstallerService:    at android.content.ContentResolver.openAssetFileDescriptor(ContentResolver.java:984)
12-05 11:57:45.046   784   827 E NGPPackageInstallerService:    at android.content.ContentResolver.openFileDescriptor(ContentResolver.java:837)
12-05 11:57:45.046   784   827 E NGPPackageInstallerService:    at android.content.ContentResolver.openFileDescriptor(ContentResolver.java:791)
12-05 11:57:45.046   784   827 E NGPPackageInstallerService:    at com.xxx.yyyupdater.PackageInstallerService.installPackage(PackageInstallerService.java:60)
12-05 11:57:45.046   784   827 E NGPPackageInstallerService:    at com.xxx.yyyupdater.PackageInstallerService.onHandleIntent(PackageInstallerService.java:51)
12-05 11:57:45.046   784   827 E NGPPackageInstallerService:    at android.app.IntentService$ServiceHandler.handleMessage(IntentService.java:68)
12-05 11:57:45.046   784   827 E NGPPackageInstallerService:    at android.os.Handler.dispatchMessage(Handler.java:102)
12-05 11:57:45.046   784   827 E NGPPackageInstallerService:    at android.os.Looper.loop(Looper.java:154)
12-05 11:57:45.046   784   827 E NGPPackageInstallerService:    at android.os.HandlerThread.run(HandlerThread.java:61)

Please show filepaths xml file too. – blackapps Dec 04 '19 at 19:36 — blackapps, Dec 04 '19 at 19:36
@blackapps It's been attached per request – Qylin Dec 05 '19 at 08:13 — Qylin, Dec 05 '19 at 08:13
I see nothing wrong. Does it print the correct file size? – blackapps Dec 05 '19 at 10:52 — blackapps, Dec 05 '19 at 10:52
Yes, it's the correct file size – Qylin Dec 05 '19 at 12:05 — Qylin, Dec 05 '19 at 12:05
I've attached a bit more adb log to this issue – Qylin Dec 05 '19 at 12:16 — Qylin, Dec 05 '19 at 12:16

score 0 · Answer 1 · answered Dec 05 '19 at 08:38

Last time when I worked with content provider, I created permissions like this way: create read write permissions by adding these codes in your AndroidManifest,xml file:

    <uses-permission android:name="com.anystring.READ_PERMISSION"/>
    <uses-permission android:name="com.anystring.WRITE_PERMISSION"/>

    <permission android:name="com.anystring.READ_PERMISSION"
        android:protectionLevel="signature" />
    <permission android:name="com.anystring.WRITE_PERMISSION"
        android:protectionLevel="signature" />
<application
// ... rest of the code ...
/>

Next in your provider, you give those permissions in your provider code, so it will look something like this:

<provider
  android:authorities="${applicationId}.fileprovider"
  android:readPermission="com.anystring.READ_PERMISSION"
  android:writePermission="com.anystring.WRITE_PERMISSION"
  android:enabled="true"
  android:exported="true"
  android:multiprocess="true"
  android:grantUriPermissions="true"
  android:name="android.support.v4.content.FileProvider">
  <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
    android:resource="@xml/fileproviderpath"/>
</provider>

So basically this way, you create a permission. Only apps that are granted permission in the manifest file can access data. The signature level protection ensures that only your company's apps can read each others data. So change/remove it depending on what you want. I hope this works, good luck.

When android:exported="true" I get a runtime crash saying the FileProvider should not set as exported. So I guess that's not an option — Qylin, Dec 05 '19 at 08:55

score 0 · Answer 2 · answered Dec 05 '19 at 13:06

Well this is fairly interesting, I was tipped by the log message avc: denied { read } and this post has inspired me. So my first reaction was why not change a folder. So I changed the folder to context.getExternalCacheDir() And everything works as expected!

context.getCacheDir() = /data/user/0/com.xxx.yyy/cache
context.getExternalCacheDir() = /storage/emulated/0/Android/data/com.xxx.yyy/cache

One more thing worth mentioning is the provider app is a system app, it's uid is system, probably that's why SELinux prevent the other app to access it.

Strange story. Using a FileProvider one would think that private paths do not matter. — blackapps, Dec 05 '19 at 13:19

Failed opening content provider (FileProvider)

2 Answers2