Android Security user and groups

最新推荐文章于 2024-06-28 09:29:01 发布

转载最新推荐文章于 2024-06-28 09:29:01 发布 · 893 阅读

https://github.com/keesj/gomo/wiki/AndroidSecurityUserAndGroups

The Android system does not have the conventional /etc/passwd storage for users and groups. It contains a fixed set of user and groups
that is included in the system libraries. These user and groups are used to isolate processes and grant permissions. The Android system also creates a user per application when an application gets installed.

Just like conventional POSIX compliant system the libc provides and API to get user information. The Android
libc implementation is called bionic and calls like getpwuid (to get user name information ) and getgrent to get groups information get their information from somewhere else.

As you can read in bionic/libc/docs/OVERVIEW.TXT user and groups are hard coded. Next to the hard coded id’s every
application that gets installed will get it’s own id starting from 10000. It recognizes “app_1234” as the synthetic
name of the application that was installed with uid 10000 + 1234, which is 11234

system/core/include/private/android_filesystem_config.h contains the list of user user id’s mapped to numbers and this code gets included
when building bionic. A bit lower in the file you will find the DEFINE → group name mapping. This is a one to one mapping so AID_VPN(id 1016) is the group called “vpn”.

/* This is the master Users and Groups config for the platform.
** DO NOT EVER RENUMBER.
*/

#define AID_ROOT             0  /* traditional unix root user */

#define AID_SYSTEM        1000  /* system server */

#define AID_RADIO         1001  /* telephony subsystem, RIL */
#define AID_BLUETOOTH     1002  /* bluetooth subsystem */
#define AID_GRAPHICS      1003  /* graphics devices */
#define AID_INPUT         1004  /* input devices */
#define AID_AUDIO         1005  /* audio devices */
#define AID_CAMERA        1006  /* camera devices */
#define AID_LOG           1007  /* log devices */
#define AID_COMPASS       1008  /* compass device */
#define AID_MOUNT         1009  /* mountd socket */
#define AID_WIFI          1010  /* wifi subsystem */
#define AID_ADB           1011  /* android debug bridge (adbd) */
#define AID_INSTALL       1012  /* group for installing packages */
#define AID_MEDIA         1013  /* mediaserver process */
#define AID_DHCP          1014  /* dhcp client */
#define AID_SDCARD_RW     1015  /* external storage write access */
#define AID_VPN           1016  /* vpn system */
#define AID_KEYSTORE      1017  /* keystore subsystem */

#define AID_SHELL         2000  /* adb and debug shell user */
#define AID_CACHE         2001  /* cache access */
#define AID_DIAG          2002  /* access to diagnostic resources */

/* The 3000 series are intended for use as supplemental group id's only.
 * They indicate special Android capabilities that the kernel is aware of. */
#define AID_NET_BT_ADMIN  3001  /* bluetooth: create any socket */
#define AID_NET_BT        3002  /* bluetooth: create sco, rfcomm or l2cap sockets */
#define AID_INET          3003  /* can create AF_INET and AF_INET6 sockets */
#define AID_NET_RAW       3004  /* can create raw INET sockets */
#define AID_NET_ADMIN     3005  /* can configure interfaces and routing tables. */

#define AID_MISC          9998  /* access to misc storage */
#define AID_NOBODY        9999

#define AID_APP          10000 /* first app user */

The groups and capabilities are also hardcoded in the kernel

mydoirid/kernel/android-2.6.32/net/ipv4/af_inet.c
return in_egroup_p(AID_INET) || capable(CAP_NET_RAW);

Shared user id.

Android allows different packages to be installed under the same user id. This is allowed if these packages declare
the same shared user id in their manifest and the are signed using the same key.

Generate user ids

The Android permissions do not stop at the process level. It is during package installation that the user id gets
assigned. this information is stored somewhere.