bashshellandroid-permissionsandroid-sourceandroid.mk

How to add extra permission to a prebuilt application (no source code) in AOSP

I have an application that doesn't have a specific android permission(for example android.permission.CHANGE_CONFIGURATION).

  1. I don't have its source code.
  2. I'm working on an AOSP.

I prebuilt this application like:

  1. Put APK in /device/model/apps/HERE
  2. Add these snippet codes in Android.mk:

define PREBUILT_templateByMe LOCAL_MODULE := $(1) LOCAL_MODULE_CLASS := APPS LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX) LOCAL_CERTIFICATE := PRESIGNED LOCAL_SRC_FILES := $$(LOCAL_MODULE).apk LOCAL_REQUIRED_MODULES := $(2) include $(BUILD_PREBUILT) endef

define PREBUILT_APP_templateByMe include $$(CLEAR_VARS) LOCAL_MODULE_TAGS := optional $(call PREBUILT_templateByMe, $(1), $(2)) endef

prebuilt_appsByMe := \ myapp

$(foreach app,$(prebuilt_appsByMe), \ $(eval $(call PREBUILT_APP_templateByMe, $(app),))) include $(call all-makefiles-under,$(LOCAL_PATH))

It's work very well, and myapp prebuilt to OS.

Now I want to add that specific android permission(android.permission.CHANGE_CONFIGURATION) to myapp.

I read this, this and many other documents, but I don't know the content of this XML file for an application; Or is it even possible?!
(Does these links helpful to direct me in the right direction about content of XML file? this and this)

I tried another way, but didn't work(preinstall application and add permission by shell script:
Note: First of all, I should say it worked before, on another custom AOSP, but didn't work on this one!

  1. Put APK in /device/model/apps/HERE
  2. Add this snippet code in Android.mk

include $(CLEAR_VARS) LOCAL_MODULE := myapp.apk LOCAL_MODULE_TAGS := optional LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_PATH := $(TARGET_OUT)/preinstall LOCAL_SRC_FILES := myapp.apk include $(BUILD_PREBUILT)

include $(CLEAR_VARS) LOCAL_MODULE := preinstall.sh LOCAL_MODULE_TAGS := optional LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_PATH := $(TARGET_OUT)/preinstall LOCAL_SRC_FILES := preinstall.sh include $(BUILD_PREBUILT)

  1. Content of preinstall.sh:

#!/system/bin/sh
MARK=/data/local/symbol_thirdpart_apks_installed PKGS=/system/preinstall/
if [ ! -e $MARK ]; then echo "booting the first time, so pre-install some APKs."
busybox find $PKGS -name "*\.apk" -exec sh /system/bin/pm install {} \;
touch $MARK echo "OK, installation complete." fi
busybox sh /system/bin/pm grant com.example.myapp android.permission.CHANGE_CONFIGURATION;

  1. Call this shell script as service on boot in init.rc file, like:
    on boot start preinstallByMe

service preinstallByMe /system/bin/sh /system/preinstall/preinstall.sh class main user root group root disabled oneshot

But seems it's not call.

  1. Even these snippet codes in init.rc file not working too:

    1. service installapk /system/preinstall/preinstall.sh class main oneshot

    2. on boot exec /system/preinstall/preinstall.sh

    3. busybox /system/preinstall/preinstall.sh
    4. pm grant com.example.myapp android.permission.CHANGE_CONFIGURATION;

Note: If I call preinstall from shell manually, it's work.
P.S: If your not allowed to call your script, you can add permission to it by adding something like this in /system/core/include/private/android_filesystem_config.h :

{ 00755, AID_ROOT, AID_ROOT, 0, "system/preinstall/preinstall.sh"},

Cause second way(preinstall and add permission by shell), in this custom AOSP, doesn't work, I'm going to add that specific android permission to my app, from beginning, via prebuilt; But if anyone knows what's wrong with the second solution, I'm appreciate it.

Solution

  • To be eligible for system permissions, you should put your APKs in /system/priv-app folder.
    Note: Prior to Kitkat, all APKs on the system partition could use those permissions.

    The sample snippet code to copy APK to /system/priv-app: 

    include $(CLEAR_VARS)
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE := apkname.apk
LOCAL_MODULE_CLASS := APPS
LOCAL_PRIVILEGED_MODULE := true
LOCAL_CERTIFICATE := PRESIGNED
LOCAL_MODULE_PATH := $(TARGET_OUT)/priv-app
LOCAL_SRC_FILES := apkname.apk
include $(BUILD_PREBUILT)

    For more information:

    Some system apps are more system than others "signatureOrSystem" permissions are no longer available to all apps residing en the /system partition. Instead, there is a new /system/priv-app directory, and only apps whose APKs are in that directory are allowed to use signatureOrSystem permissions without sharing the platform cert. This will reduce the surface area for possible exploits of system- bundled applications to try to gain access to permission-guarded operations.

    The ApplicationInfo.FLAG_SYSTEM flag continues to mean what it is said in the documentation: it indicates that the application APK was bundled on the /system partition. A new hidden flag FLAG_PRIVILEGED has been introduced that reflects the actual right to access these permissions.

    [ Source: https://stackoverflow.com/a/20104400/421467 ]

    Update:
    Walkthrough: https://github.com/Drjacky/Install-Google-Play-Manually