1.引言

最近在面試復習，對android知識重新梳理了一遍，爭取做到以點到面，把知識點都串起來。PackageManagerService 是android 核心服務之一。授權/app安裝都與之相關。本文主要講下安裝apk的流程和掃描apk的過程。

2.正題

2.1 packageService 服務啟動，apk掃描過程

android中基本上每個cpp文件都對應一個名詞一模一樣的java文件，如surface.java 和surface.cpp ，Canves.java和Canves.cpp。包括本文的SystemServer.cpp和SystemServer.java。 往往c到java層的時候，都是調用java層的main方法。同理在系統初始化的時候，SystemServer.java的main方法會被調用.進而調用startBootstrapServices

/services/java/com/android/server/SystemServer.java

 private void startBootstrapServices() {
        ....
       traceBeginAndSlog("StartPackageManagerService");
        try {
            Watchdog.getInstance().pauseWatchingCurrentThread("packagemanagermain");
            mPackageManagerService = PackageManagerService.main(mSystemContext, installer,
            mFactoryTestMode != FactoryTest.FACTORY_TEST_OFF, mOnlyCore);
        } finally {
            Watchdog.getInstance().resumeWatchingCurrentThread("packagemanagermain");
        }
    ....
}

/services/core/java/com/android/server/pm/PackageManagerService.java

   public static PackageManagerService main(Context context, Installer installer,
           boolean factoryTest, boolean onlyCore) {
       // Self-check for initial settings.
       PackageManagerServiceCompilerMapping.checkProperties();

       PackageManagerService m = new PackageManagerService(context, installer,
               factoryTest, onlyCore);
       m.enableSystemUserPackages();
       ServiceManager.addService("package", m);
       final PackageManagerNative pmn = m.new PackageManagerNative();
       ServiceManager.addService("package_native", pmn);
       return m;
   }

ServiceManager.addService("package", m);
將每個服務保存到Map中，需要的時候就根據名詞獲取IBinder的引用。掃描系統app的核心就是在PackageManagerService的構造方法中。

掃描特定目錄下是否含有apk:

scanDirTracedLI(frameworkDir, systemParseFlags,
                    systemScanFlags | SCAN_NO_DEX | SCAN_AS_PRIVILEGED, 0);
            if (!mPackages.containsKey("android")) {
                throw new IllegalStateException(
                        "Failed to load frameworks package; check log for warnings");
            }
            for (int i = 0, size = mDirsToScanAsSystem.size(); i < size; i++) {
                final SystemPartition partition = mDirsToScanAsSystem.get(i);
          
            //掃描priv-app目錄

           if (partition.privAppFolder != null) {
                    scanDirTracedLI(partition.privAppFolder, systemParseFlags,
                            systemScanFlags | SCAN_AS_PRIVILEGED | partition.scanFlag, 0);
                }
                scanDirTracedLI(partition.appFolder, systemParseFlags,
                        systemScanFlags | partition.scanFlag, 0);
            }
          ...
          //掃描system/app目錄下的內容
          scanDirTracedLI(sAppInstallDir, 0, scanFlags | SCAN_REQUIRE_KNOWN, 0);

scanDirTracedLI方法調用的事scanDirLI方法，此方法是用了倆個for循環，第一for循環不斷解析apk生成ParseResult,并且向 ArrayBlockingQueue中保存，下一個for循環就是不停的取出。

        for (File file : files) {
                final boolean isPackage = (isApkFile(file) || file.isDirectory())
                        && !PackageInstallerService.isStageName(file.getName());
                if (!isPackage) {
                    // Ignore entries which are not packages
                    continue;
                }
                parallelPackageParser.submit(file, parseFlags);
                fileCount++;
            }

            // Process results one by one
            for (; fileCount > 0; fileCount--) {
                ParallelPackageParser.ParseResult parseResult = parallelPackageParser.take();
                Throwable throwable = parseResult.throwable;
                int errorCode = PackageManager.INSTALL_SUCCEEDED;
                }

                // Delete invalid userdata apps
                if ((scanFlags & SCAN_AS_SYSTEM) == 0 &&
                        errorCode != PackageManager.INSTALL_SUCCEEDED) {
                    logCriticalInfo(Log.WARN,
                            "Deleting invalid package at " + parseResult.scanFile);
                    removeCodePathLI(parseResult.scanFile);
                }
            }
        }

services/core/java/com/android/server/pm/ParallelPackageParser.java

 /**
     * Submits the file for parsing
     * @param scanFile file to scan
     * @param parseFlags parse falgs
     */
    public void submit(File scanFile, int parseFlags) {
        mService.submit(() -> {
            ParseResult pr = new ParseResult();
            Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "parallel parsePackage [" + scanFile + "]");
            try {
                PackageParser pp = new PackageParser();
                pp.setSeparateProcesses(mSeparateProcesses);
                pp.setOnlyCoreApps(mOnlyCore);
                pp.setDisplayMetrics(mMetrics);
                pp.setCacheDir(mCacheDir);
                pp.setCallback(mPackageParserCallback);
                pr.scanFile = scanFile;
                pr.pkg = parsePackage(pp, scanFile, parseFlags);
            } catch (Throwable e) {
                pr.throwable = e;
            } finally {
                Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
            }
            try {
                mQueue.put(pr);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                // Propagate result to callers of take().
                // This is helpful to prevent main thread from getting stuck waiting on
                // ParallelPackageParser to finish in case of interruption
                mInterruptedInThread = Thread.currentThread().getName();
            }
        });
    }

解析的操作放在parsePackage()方法中,生成一個PackageParser.Package對象。
PackageParser類是真正執行解析apk的核心類，涉及到apk的解析操作。

經過層層調用，最終解析方法是PackageParser .parseBaseApkCommon。此方法會對Minifest.xml進行解析。得到四大組件，以及各個權限。以下是部分代碼

            String tagName = parser.getName();
            if (tagName.equals("activity")) {
                Activity a = parseActivity(owner, res, parser, flags, outError, cachedArgs, false,
                        owner.baseHardwareAccelerated);
                if (a == null) {
                    mParseError = PackageManager.INSTALL_PARSE_FAILED_MANIFEST_MALFORMED;
                    return false;
                }

                owner.activities.add(a);
                parsedComponent = a.info;

            }

Package 類的結構:

        public boolean baseHardwareAccelerated;

        // For now we only support one application per package.
        @UnsupportedAppUsage
        public ApplicationInfo applicationInfo = new ApplicationInfo();

        @UnsupportedAppUsage
        public final ArrayList<Permission> permissions = new ArrayList<Permission>(0);
        @UnsupportedAppUsage
        public final ArrayList<PermissionGroup> permissionGroups = new ArrayList<PermissionGroup>(0);
        @UnsupportedAppUsage
        public final ArrayList<Activity> activities = new ArrayList<Activity>(0);
        @UnsupportedAppUsage
        public final ArrayList<Activity> receivers = new ArrayList<Activity>(0);
        @UnsupportedAppUsage
        public final ArrayList<Provider> providers = new ArrayList<Provider>(0);
        @UnsupportedAppUsage
        public final ArrayList<Service> services = new ArrayList<Service>(0);
        @UnsupportedAppUsage
        public final ArrayList<Instrumentation> instrumentation = new ArrayList<Instrumentation>(0);

        @UnsupportedAppUsage
        public final ArrayList<String> requestedPermissions = new ArrayList<String>();

        /** Permissions requested but not in the manifest. */
        public final ArrayList<String> implicitPermissions = new ArrayList<>();

以上就是android 啟動的時候 掃描app的過程。這個過程在安裝apk的時候也會用到。

2.2 apk安裝過程

分析安裝過程先從應用層分析,入口在PackageInstallerActivity 這是系統默認的界面.點擊ok之后，調用的事如下方法:

 mAlert.setButton(DialogInterface.BUTTON_POSITIVE, getString(R.string.install),
                (ignored, ignored2) -> {
                    if (mOk.isEnabled()) {
                        if (mSessionId != -1) {
                            mInstaller.setPermissionsResult(mSessionId, true);
                            finish();
                        } else {
                            startInstall();
                        }
                    }
                }, null);
        mAlert.setButton(DialogInterface.BUTTON_NEGATIVE, getString(R.string.cancel),
                (ignored, ignored2) -> {
                    // Cancel and finish
                    setResult(RESULT_CANCELED);
                    if (mSessionId != -1) {
                        mInstaller.setPermissionsResult(mSessionId, false);
                    }
                    finish();
                }, null);
        setupAlert();

mInstaller.setPermissionsResult(mSessionId, true); 調用的PackageInstallerService的setPermissionsResult

@Override
    public void setPermissionsResult(int sessionId, boolean accepted) {

//        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.INSTALL_PACKAGES, TAG);
        synchronized (mSessions) {
            PackageInstallerSession session = mSessions.get(sessionId);
            if (session != null) {
                session.setPermissionsResult(accepted);
            }
        }
    }

mContext.enforceCallingOrSelfPermission 是分析的入口方法.

1.copy apk到data/app/

session.setPermissionsResult會發送一個MSG_COMMIT的Message.最終調用到了PackageManagerService.installStage方法。installStage方法發送了一個INIT_COPY的Message,將apk拷貝到data/app/

void doHandleMessage(Message msg) {
            switch (msg.what) {
                case INIT_COPY: {
                    HandlerParams params = (HandlerParams) msg.obj;
                    if (params != null) {
                        if (DEBUG_INSTALL) Slog.i(TAG, "init_copy: " + params);
                        Trace.asyncTraceEnd(TRACE_TAG_PACKAGE_MANAGER, "queueInstall",
                                System.identityHashCode(params));
                        Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "startCopy");
                        //開始copy,開始install
                        params.startCopy();
                        Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
                    }
                    break;
                }
                case SEND_PENDING_BROADCAST: {

2.processPendingInstall

processPendingInstall最終調用installPackagesLI方法。installPackagesLI是安裝的核心。會繼續調用prepareAppDataAfterInstallLIF方法

1. 創建data/data用戶數據：
2. 將package信息寫入到/data/system/package.xml

private void prepareAppDataAfterInstallLIF(PackageParser.Package pkg) {
        final PackageSetting ps;
        synchronized (mPackages) {
            ps = mSettings.mPackages.get(pkg.packageName);
            mSettings.writeKernelMappingLPr(ps);
        }

        final UserManagerService um = sUserManager;
        UserManagerInternal umInternal = getUserManagerInternal();
        for (UserInfo user : um.getUsers(false /* excludeDying */)) {
            final int flags;
            if (umInternal.isUserUnlockingOrUnlocked(user.id)) {
                flags = StorageManager.FLAG_STORAGE_DE | StorageManager.FLAG_STORAGE_CE;
            } else if (umInternal.isUserRunning(user.id)) {
                flags = StorageManager.FLAG_STORAGE_DE;
            } else {
                continue;
            }

            if (ps.getInstalled(user.id)) {
                // TODO: when user data is locked, mark that we're still dirty
                prepareAppDataLIF(pkg, user.id, flags);
            }
        }
    }