Android11 framework 禁止三方应用通过广播开机自启动-独立方案

之前的文章Android11 framework 禁止三方应用开机自启动记录了我调试Android11应用自启动限制的全过程，但是之前的方案感觉还能再研究，所以有了这一篇文章。

这一篇文章主要探讨Android11上，以广播来进行自启动的应用的限制，极个别用provider实现自启动的应用方案（点名批评we信），我现在暂时还没有研究学习
针对使用广播启动的三方应用，在frameworks\base\services\core\java\com\android\server\am\BroadcastQueue.java​中处理显然是最好的

打开log使能

Line 994: 07-22 11:53:16.576062   927  1375 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{589f6ea u0 android.intent.action.MEDIA_MOUNTED}
Line 1009: 07-22 11:53:17.448550   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{589f6ea u0 android.intent.action.MEDIA_MOUNTED}
Line 1021: 07-22 11:53:17.557622   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{589f6ea u0 android.intent.action.MEDIA_MOUNTED}
Line 1032: 07-22 11:53:17.628812   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{589f6ea u0 android.intent.action.MEDIA_MOUNTED}
Line 1043: 07-22 11:53:18.747292   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{589f6ea u0 android.intent.action.MEDIA_MOUNTED}
Line 1054: 07-22 11:53:20.220532   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{589f6ea u0 android.intent.action.MEDIA_MOUNTED}
Line 1065: 07-22 11:53:20.472164   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{589f6ea u0 android.intent.action.MEDIA_MOUNTED}
Line 1128: 07-22 11:53:25.226399   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{589f6ea u0 android.intent.action.MEDIA_MOUNTED}
Line 1205: 07-22 11:54:25.350290   927  1592 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{a42c9c1 u0 android.intent.action.MEDIA_MOUNTED}
Line 1219: 07-22 11:54:25.950266   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{a42c9c1 u0 android.intent.action.MEDIA_MOUNTED}
Line 1230: 07-22 11:54:26.005805   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{a42c9c1 u0 android.intent.action.MEDIA_MOUNTED}
Line 1253: 07-22 11:54:53.461909   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{a42c9c1 u0 android.intent.action.MEDIA_MOUNTED}
Line 1308: 07-22 11:54:53.505324   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{a42c9c1 u0 android.intent.action.MEDIA_MOUNTED}
Line 1323: 07-22 11:54:56.521321   927  1020 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{a42c9c1 u0 android.intent.action.MEDIA_MOUNTED}

能看到很多条Need to start app​，找到打印log的地方

final void processNextBroadcastLocked(boolean fromMsg, boolean skipOomAdj) {BroadcastRecord r;...if (DEBUG_BROADCAST)  Slog.v(TAG_BROADCAST,"Need to start app ["

思考：这里的log打印能拿到进程名，以及监听的广播，且从log看，这里就是管理是否启动的。如果从这里拦截，能让监听此广播的应用不执行启动逻辑，比上一篇文章单纯的不让执行任何逻辑合理

修改思路，非系统应用禁止通过ACTION_MEDIA_MOUNTED​和ACTION_BOOT_COMPLETED​两个广播进行启动，退出逻辑需要走原生的流程，不能直接return，修改方案如下：

diff --git a/frameworks/base/services/core/java/com/android/server/am/BroadcastQueue.java b/frameworks/base/services/core/java/com/android/server/am/BroadcastQueue.java
index b6afd4a82d..d6b9a3328c 100644
--- a/frameworks/base/services/core/java/com/android/server/am/BroadcastQueue.java
+++ b/frameworks/base/services/core/java/com/android/server/am/BroadcastQueue.java
@@ -33,6 +33,7 @@ import android.content.IIntentSender;import android.content.Intent;import android.content.IntentSender;import android.content.pm.ActivityInfo;
+import android.content.pm.ApplicationInfo;import android.content.pm.PackageManager;import android.content.pm.PermissionInfo;import android.content.pm.ResolveInfo;
@@ -70,6 +71,7 @@ import java.util.Set;* offload special broadcasts that we know take a long time, such as BOOT_COMPLETED.*/public final class BroadcastQueue {
+    private boolean DEBUG_BROADCAST = true;private static final String TAG = "BroadcastQueue";private static final String TAG_MU = TAG + POSTFIX_MU;private static final String TAG_BROADCAST = TAG + POSTFIX_BROADCAST;
@@ -1648,11 +1650,18 @@ public final class BroadcastQueue {// restart the application.}+        boolean isSystem = (info.activityInfo.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
+        boolean isAllow = true;
+        if (!isSystem &&
+            (r.intent.toString().contains(Intent.ACTION_MEDIA_MOUNTED)
+                || r.intent.toString().contains(Intent.ACTION_BOOT_COMPLETED))) {
+            isAllow = false;
+        }// Not running -- get it started, to be executed when the app comes up.if (DEBUG_BROADCAST)  Slog.v(TAG_BROADCAST,"Need to start app ["
-                + mQueueName + "] " + targetProcess + " for broadcast " + r);
-        if ((r.curApp=mService.startProcessLocked(targetProcess,
+                + mQueueName + "] " + targetProcess + " for broadcast " + r + ", isSystem= " + isSystem + ", allow= " + isAllow);
+        if (!isAllow || (r.curApp=mService.startProcessLocked(targetProcess,info.activityInfo.applicationInfo, true,r.intent.getFlags() | Intent.FLAG_FROM_BACKGROUND,new HostingRecord("broadcast", r.curComponent),...r.state = BroadcastRecord.IDLE;return;}

一样的，判断是否允许isAllow​然后走原生的退出逻辑

这样可以让三方应用不通过ACTION_MEDIA_MOUNTED​和ACTION_BOOT_COMPLETED​两个广播进行启动动作。

生效log如下：

07-22 16:07:38.243585   895  1467 V BroadcastQueue: Need to start app [background] com.tencent.mobileqq:MSF for broadcast BroadcastRecord{228d228 u0 android.intent.action.MEDIA_MOUNTED}, isSystem= false, allow= false
07-22 16:07:38.243633   895  1467 W BroadcastQueue: Unable to launch app com.tencent.mobileqq/10110 for broadcast Intent { act=android.intent.action.MEDIA_MOUNTED dat=file:///storage/emulated/0 flg=0x5000010 (has extras) }: process is bad07-22 16:25:04.107345   909  1515 V BroadcastQueue: Need to start app [background] com.example.test111 for broadcast BroadcastRecord{e84020c u0 android.intent.action.BOOT_COMPLETED}, isSystem= false, allow= false
07-22 16:25:04.107448   909  1515 W BroadcastQueue: Unable to launch app com.example.test111/10115 for broadcast Intent { act=android.intent.action.BOOT_COMPLETED flg=0x89000010 (has extras) }: process is bad

注意：广播类型的启动能防得住，但是有部分app可能不仅仅通过广播，还通过provider执行自启动，这类的我暂时还没研究