android6 的权限分为几个级别，普通的第三方应用一般会用到 normal dangerous 。系统应用可能会用到 signature|system signature|privileged signature,详细的信息在Manifest中定义

vim frameworks/base/core/res/AndroidManifest.xml

其中，只有定义为dangerous 的才会要求”检查权限”，normal级别的，只要在应用的Manifest中有声明，就会自动允许。所以一般开发者要重地关注dangerous的权限.

“检查权限” 是这样的，

1，如果设备运行的是 Android 5.1(API 级别 22)或更低版本，并且应用的 targetSdkVersion 是 22 或更低版本，则系统会在安装时要求用户授予权限

2，targetSdkVersion>=23 && 设备系统是android6+。需要动态申请

3，动态申请 之后，用户会允许或者拒绝，拒绝的话，就不能使用相关功能，强行调用的话，会抛出SerurityException

dangerous的权限有：

权限组

权限

CALENDAR

READ_CALENDAR 、WRITE_CALENDAR

CAMERA

CAMERA

CONTACTS

READ_CONTACTS、WRITE_CONTACTS、GET_ACCOUNTS

LOCATION

ACCESS_FINE_LOCATION、ACCESS_COARSE_LOCATION

MICROPHONE

RECORD_AUDIO

PHONE

READ_PHONE_STATE、CALL_PHONE、READ_CALL_LOG、WRITE_CALL_LOG、ADD_VOICEMAIL、USE_SIP、PROCESS_OUTGOING_CALLS

SENSORS

BODY_SENSORS

SMS

SEND_SMS、RECEIVE_SMS、READ_SMS、RECEIVE_WAP_PUSH、RECEIVE_MMS

STORAGE

READ_EXTERNAL_STORAGE、WRITE_EXTERNAL_STORAGE

好了，游戏规则就是这样。从应用开发者来说，github上也有不少辅助的第三方库，直接拿来用就可以了。颗粒度的控制权限，当然对用户来说是好事。

背景介绍完

不过每开一个app就要弹窗授权什么的，我觉得有点麻烦，所以先看看源码，改一下这个部分的功能。

以静默安装应用为例

vim ./frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java

@Override

public void installPackageAsUser(String originPath, IPackageInstallObserver2 observer,

int installFlags, String installerPackageName, VerificationParams verificationParams,

String packageAbiOverride, int userId) {

mContext.enforceCallingOrSelfPermission(android.Manifest.permission.INSTALL_PACKAGES, null);

final int callingUid = Binder.getCallingUid();

enforceCrossUserPermission(callingUid, userId, true, true, "installPackageAsUser");

// ...

}

enforceCrossUserPermission 里面调用了

mContext.enforceCallingOrSelfPermission(android.Manifest.permission.INTERACT_ACROSS_USERS_FULL, message);

绕了几圈，最后是在ActivityManager.java 中落地

vim ./frameworks/base/core/java/android/app/ActivityManager.java

/**@hide */

public static int checkComponentPermission(String permission, int uid,

int owningUid, boolean exported) {

// Root, system server get to do everything.

final int appId = UserHandle.getAppId(uid);

if (appId == Process.ROOT_UID || appId == Process.SYSTEM_UID) {

return PackageManager.PERMISSION_GRANTED;

}

// Isolated processes don't get any permissions.

if (UserHandle.isIsolated(uid)) {

return PackageManager.PERMISSION_DENIED;

}

// If there is a uid that owns whatever is being accessed, it has

// blanket access to it regardless of the permissions it requires.

if (owningUid >= 0 && UserHandle.isSameApp(uid, owningUid)) {

return PackageManager.PERMISSION_GRANTED;

}

// If the target is not exported, then nobody else can get to it.

if (!exported) {

/* RuntimeException here = new RuntimeException("here"); here.fillInStackTrace(); Slog.w(TAG, "Permission denied: checkComponentPermission() owningUid=" + owningUid, here); */

return PackageManager.PERMISSION_DENIED;

}

if (permission == null) {

return PackageManager.PERMISSION_GRANTED;

}

try {

return AppGlobals.getPackageManager()

.checkUidPermission(permission, uid);

} catch (RemoteException e) {

// Should never happen, but if it does... deny!

Slog.e(TAG, "PackageManager is dead?!?", e);

}

return PackageManager.PERMISSION_DENIED;

}

vim ./frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java

@Override

public int checkUidPermission(String permName, int uid) {

final int userId = UserHandle.getUserId(uid);

if (!sUserManager.exists(userId)) {

return PackageManager.PERMISSION_DENIED;

}

synchronized (mPackages) {

Object obj = mSettings.getUserIdLPr(UserHandle.getAppId(uid));

if (obj != null) {

final SettingBase ps = (SettingBase) obj;

final PermissionsState permissionsState = ps.getPermissionsState();

if (permissionsState.hasPermission(permName, userId)) {

return PackageManager.PERMISSION_GRANTED;

}

// Special case: ACCESS_FINE_LOCATION permission includes ACCESS_COARSE_LOCATION

if (Manifest.permission.ACCESS_COARSE_LOCATION.equals(permName) && permissionsState

.hasPermission(Manifest.permission.ACCESS_FINE_LOCATION, userId)) {

return PackageManager.PERMISSION_GRANTED;

}

} else {

ArraySet perms = mSystemPermissions.get(uid);

if (perms != null) {

if (perms.contains(permName)) {

return PackageManager.PERMISSION_GRANTED;

}

if (Manifest.permission.ACCESS_COARSE_LOCATION.equals(permName) && perms

.contains(Manifest.permission.ACCESS_FINE_LOCATION)) {

return PackageManager.PERMISSION_GRANTED;

}

}

}

}

return PackageManager.PERMISSION_DENIED;

}

细节代码完

弄通了之后就动手改一下，一开始改的是frameworks/base/core/res/AndroidManifest.xml 一开始，改掉了 STORAGE ，把READ_EXTERNAL_STORAGE、WRITE_EXTERNAL_STORAGE 的级别都变成了normal，然后存储权限就默认赋予了(PERMISSION_GRANTED)， 之后就不会弹窗了。

再改了 SMS 然后系统就起不来了

adb connect 192.168.0.67 && adb shell logcat

报这个错误

09-20 16:16:25.907 5653 5653 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: main

09-20 16:16:25.907 5653 5653 E AndroidRuntime: java.lang.SecurityException: Permission android.permission.READ_SMS is not a changeable permission type

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at com.android.server.pm.PackageManagerService.enforceDeclaredAsUsedAndRuntimeOrDevelopmentPermission(PackageManagerService.java:3468)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at com.android.server.pm.PackageManagerService.grantRuntimePermission(PackageManagerService.java:3501)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at com.android.server.pm.DefaultPermissionGrantPolicy.grantRuntimePermissionsLPw(DefaultPermissionGrantPolicy.java:828)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at com.android.server.pm.DefaultPermissionGrantPolicy.grantDefaultPermissionsToDefaultSmsAppLPr(DefaultPermissionGrantPolicy.java:616)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at com.android.server.pm.PackageManagerService$PackageManagerInternalImpl.grantDefaultPermissionsToDefaultSmsApp(PackageManagerService.java:17006)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at com.android.server.telecom.TelecomLoaderService$TelecomServiceConnection.onServiceConnected(TelecomLoaderService.java:86)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at android.app.LoadedApk$ServiceDispatcher.doConnected(LoadedApk.java:1223)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at android.app.LoadedApk$ServiceDispatcher$RunConnection.run(LoadedApk.java:1240)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at android.os.Handler.handleCallback(Handler.java:739)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:95)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at android.os.Looper.loop(Looper.java:148)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at com.android.server.SystemServer.run(SystemServer.java:283)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at com.android.server.SystemServer.main(SystemServer.java:168)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at java.lang.reflect.Method.invoke(Native Method)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:745)

09-20 16:16:25.907 5653 5653 E AndroidRuntime: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:635)

目测是 PackageManagerService.java 抛异常，SystemServer起不来，然后就不停的重启。

待续