http://d.android.com/guide/topics/security/security.html
위 사이트는 안드로이드 security, permission 정책에 관한 문서 입니다.
문서의 서론만 옮겨 봤습니다.
Security and Permissions
Android is a multi-process system, in which each application (and parts of the system) runs in its own process. Most security between applications and the system is enforced at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications. Additional finer-grained security features are provided through a "permission" mechanism that enforces restrictions on the specific operations that a particular process can perform, and per-URI permissions for granting ad-hoc access to specific pieces of data. |
보안 및 권한
안드로이드는 멀티-프로세스 시스템이다, 시스템의 각 응용 프로그램은 자체 프로세스에서 실행됩니다. 응용 프로그램과 시스템 사이의 대부분의 보안은 프로세스 수준에서 애플리케이션에 할당된 사용자와 그룹 ID등으로 표준 리눅스 환경을 통해 시행됩니다. 추가적인 세밀한 보안 기능은 특정 프로세스 수행 할수 있는 구체적인 작업에 대한 제한을 적용하는 "permission" 메커니즘과 지정된 데이타에 ad-hoc 접권의 하가를 위한 per-URI 권한을 통해 제공되어 집니다. |
이미 알고 있듯이 전통적인 linux 환경의 /etc/passwd 파일을 이용한 사용자 및 /etc/group 파일을 이용한 그룹 설정을 사용하지 않는 다는 것이 인상적입니다.
application 권한은 설치할때, 이러한 permission 이 결정되고, 이 후 변경하지 못 한다라고 하는데, 모든 안드로이드 어플리케이션은 AndroidManifest.xml 파일을 가지고 있으며, 이 파일을 통해서 권한 설정을 합니다. 그리고 안드로이드 어플리케이션은 인증서로 서명을 해야 합니다. 이 부분은 프로그램을 직접 만들어 봐야 겠네요 -_-;
안드로이드 어플리케이션에 대한 분석이라는 글에서 AndroidManifest.xml 파일에 대한 언급이 있어서 링크 합니다. http://breathair.tistory.com/70
그렇다면, 안드로이드는 어떠한 사용자와 그룹으로 관리하는가? 이에 대한 인터넷 자료를 구할 수가 없었습니다. 그래서 직접 소스를 올렸습니다.
android_filesystem_config.h 파일에 USER ID, GROUP ID 가 정의 되어 있습니다.
( 소스경로 : system/core/include/private/android_filesystem_config.h )
android_dirs, android_files 의 배열은 mkrootfs 와 mkyaffs2image 툴로 루트 파일 시스템을 만들 때 적용된다고 주석에 나와 있습니다.
( mkbootfs 소스경로 : system/core/cpio/mkbootfs.c )
devices.c 에 정의된 devperms 배열은 init 에서 uevent 처리 하며, /dev/ 이하 파일을 만들어 줍니다.
( 소스경로 : system/core/init/devices.c )
USER ID와 GROUP ID 를 아래와 같이 분류해논 이유를 찾을려고 했는데, 잘 못 찾겠네요. -_-;
//---------------------------------------------------------------------------
// system/core/include/private/android_filesystem_config.h
//---------------------------------------------------------------------------
/* This is the master Users and Groups config for the platform.
** DO NOT EVER RENUMBER.
*/
#define AID_ROOT 0 /* traditional unix root user */
#define AID_SYSTEM 1000 /* system server */
#define AID_RADIO 1001 /* telephony subsystem, RIL */
#define AID_BLUETOOTH 1002 /* bluetooth subsystem */
#define AID_GRAPHICS 1003 /* graphics devices */
#define AID_INPUT 1004 /* input devices */
#define AID_AUDIO 1005 /* audio devices */
#define AID_CAMERA 1006 /* camera devices */
#define AID_LOG 1007 /* log devices */
#define AID_COMPASS 1008 /* compass device */
#define AID_MOUNT 1009 /* mountd socket */
#define AID_WIFI 1010 /* wifi subsystem */
#define AID_ADB 1011 /* android debug bridge (adbd) */
#define AID_INSTALL 1012 /* group for installing packages */
#define AID_MEDIA 1013 /* mediaserver process */
#define AID_DHCP 1014 /* dhcp client */
#define AID_SHELL 2000 /* adb and debug shell user */
#define AID_CACHE 2001 /* cache access */
#define AID_DIAG 2002 /* access to diagnostic resources */
/* The 3000 series are intended for use as supplemental group id's only.
* They indicate special Android capabilities that the kernel is aware of. */
#define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */
#define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */
#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
#define AID_NET_RAW 3004 /* can create raw INET sockets */
#define AID_MISC 9998 /* access to misc storage */
#define AID_NOBODY 9999
#define AID_APP 10000 /* first app user */
static struct android_id_info android_ids[] = {
{ "root", AID_ROOT, },
{ "system", AID_SYSTEM, },
{ "radio", AID_RADIO, },
{ "bluetooth", AID_BLUETOOTH, },
{ "graphics", AID_GRAPHICS, },
{ "input", AID_INPUT, },
{ "audio", AID_AUDIO, },
{ "camera", AID_CAMERA, },
{ "log", AID_LOG, },
{ "compass", AID_COMPASS, },
{ "mount", AID_MOUNT, },
{ "wifi", AID_WIFI, },
{ "dhcp", AID_DHCP, },
{ "adb", AID_ADB, },
{ "install", AID_INSTALL, },
{ "media", AID_MEDIA, },
{ "shell", AID_SHELL, },
{ "cache", AID_CACHE, },
{ "diag", AID_DIAG, },
{ "net_bt_admin", AID_NET_BT_ADMIN, },
{ "net_bt", AID_NET_BT, },
{ "inet", AID_INET, },
{ "net_raw", AID_NET_RAW, },
{ "misc", AID_MISC, },
{ "nobody", AID_NOBODY, },
};
/* Rules for directories.
** These rules are applied based on "first match", so they
** should start with the most specific path and work their
** way up to the root.
*/
static struct fs_path_config android_dirs[] = {
{ 00770, AID_SYSTEM, AID_CACHE, "cache" },
{ 00771, AID_SYSTEM, AID_SYSTEM, "data/app" },
{ 00771, AID_SYSTEM, AID_SYSTEM, "data/app-private" },
{ 00771, AID_SYSTEM, AID_SYSTEM, "data/dalvik-cache" },
{ 00771, AID_SYSTEM, AID_SYSTEM, "data/data" },
{ 00771, AID_SHELL, AID_SHELL, "data/local/tmp" },
{ 00771, AID_SHELL, AID_SHELL, "data/local" },
{ 01771, AID_SYSTEM, AID_MISC, "data/misc" },
{ 00770, AID_DHCP, AID_DHCP, "data/misc/dhcp" },
{ 00771, AID_SYSTEM, AID_SYSTEM, "data" },
{ 00750, AID_ROOT, AID_SHELL, "sbin" },
{ 00755, AID_ROOT, AID_SHELL, "system/bin" },
{ 00755, AID_ROOT, AID_SHELL, "system/xbin" },
{ 00777, AID_ROOT, AID_ROOT, "system/etc/ppp" }, /* REMOVE */
{ 00777, AID_ROOT, AID_ROOT, "sdcard" },
{ 00755, AID_ROOT, AID_ROOT, 0 },
};
/* Rules for files.
** These rules are applied based on "first match", so they
** should start with the most specific path and work their
** way up to the root. Prefixes ending in * denotes wildcard
** and will allow partial matches.
*/
static struct fs_path_config android_files[] = {
{ 00555, AID_ROOT, AID_ROOT, "system/etc/ppp/ip-up" },
{ 00555, AID_ROOT, AID_ROOT, "system/etc/ppp/ip-down" },
{ 00440, AID_ROOT, AID_SHELL, "system/etc/init.goldfish.rc" },
{ 00550, AID_ROOT, AID_SHELL, "system/etc/init.goldfish.sh" },
{ 00440, AID_ROOT, AID_SHELL, "system/etc/init.trout.rc" },
{ 00550, AID_ROOT, AID_SHELL, "system/etc/init.ril" },
{ 00550, AID_ROOT, AID_SHELL, "system/etc/init.testmenu" },
{ 00550, AID_ROOT, AID_SHELL, "system/etc/init.gprs-pppd" },
{ 00550, AID_DHCP, AID_SHELL, "system/etc/dhcpcd/dhcpcd-run-hooks" },
{ 00440, AID_BLUETOOTH, AID_BLUETOOTH, "system/etc/dbus.conf" },
{ 00440, AID_BLUETOOTH, AID_BLUETOOTH, "system/etc/bluez/hcid.conf" },
{ 00440, AID_BLUETOOTH, AID_BLUETOOTH, "system/etc/bluez/input.conf" },
{ 00440, AID_BLUETOOTH, AID_BLUETOOTH, "system/etc/bluez/audio.conf" },
{ 00440, AID_RADIO, AID_AUDIO, "/system/etc/AudioPara4.csv" },
{ 00644, AID_SYSTEM, AID_SYSTEM, "data/app/*" },
{ 00644, AID_SYSTEM, AID_SYSTEM, "data/app-private/*" },
{ 00644, AID_APP, AID_APP, "data/data/*" },
/* the following two files are INTENTIONALLY set-gid and not set-uid.
* Do not change. */
{ 02755, AID_ROOT, AID_NET_RAW, "system/bin/ping" },
{ 02755, AID_ROOT, AID_INET, "system/bin/netcfg" },
/* the following four files are INTENTIONALLY set-uid, but they
* are NOT included on user builds. */
{ 06755, AID_ROOT, AID_ROOT, "system/xbin/su" },
{ 06755, AID_ROOT, AID_ROOT, "system/xbin/librank" },
{ 06755, AID_ROOT, AID_ROOT, "system/xbin/procrank" },
{ 06755, AID_ROOT, AID_ROOT, "system/xbin/procmem" },
{ 00755, AID_ROOT, AID_SHELL, "system/bin/*" },
{ 00755, AID_ROOT, AID_SHELL, "system/xbin/*" },
{ 00750, AID_ROOT, AID_SHELL, "sbin/*" },
{ 00755, AID_ROOT, AID_ROOT, "bin/*" },
{ 00750, AID_ROOT, AID_SHELL, "init*" },
{ 00644, AID_ROOT, AID_ROOT, 0 },
};
//---------------------------------------------------------------------------
// system/core/init/devices.c
//---------------------------------------------------------------------------
static struct perms_ devperms[] = {
{ "/dev/null", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/zero", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/full", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/ptmx", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/tty", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/random", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/urandom", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/ashmem", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/binder", 0666, AID_ROOT, AID_ROOT, 0 },
/* logger should be world writable (for logging) but not readable */
{ "/dev/log/", 0662, AID_ROOT, AID_LOG, 1 },
/* these should not be world writable */
{ "/dev/android_adb", 0660, AID_ADB, AID_ADB, 0 },
{ "/dev/android_adb_enable", 0660, AID_ADB, AID_ADB, 0 },
{ "/dev/ttyMSM0", 0600, AID_BLUETOOTH, AID_BLUETOOTH, 0 },
{ "/dev/ttyHS0", 0600, AID_BLUETOOTH, AID_BLUETOOTH, 0 },
{ "/dev/uinput", 0600, AID_BLUETOOTH, AID_BLUETOOTH, 0 },
{ "/dev/alarm", 0664, AID_SYSTEM, AID_RADIO, 0 },
{ "/dev/tty0", 0660, AID_ROOT, AID_SYSTEM, 0 },
{ "/dev/graphics/", 0660, AID_ROOT, AID_GRAPHICS, 1 },
{ "/dev/hw3d", 0660, AID_SYSTEM, AID_GRAPHICS, 0 },
{ "/dev/input/", 0660, AID_ROOT, AID_INPUT, 1 },
{ "/dev/eac", 0660, AID_ROOT, AID_AUDIO, 0 },
{ "/dev/cam", 0660, AID_ROOT, AID_CAMERA, 0 },
{ "/dev/pmem", 0660, AID_SYSTEM, AID_GRAPHICS, 0 },
{ "/dev/pmem_gpu", 0660, AID_SYSTEM, AID_GRAPHICS, 1 },
{ "/dev/pmem_adsp", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/pmem_camera", 0660, AID_SYSTEM, AID_CAMERA, 1 },
{ "/dev/oncrpc/", 0660, AID_ROOT, AID_SYSTEM, 1 },
{ "/dev/adsp/", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/mt9t013", 0660, AID_SYSTEM, AID_SYSTEM, 0 },
{ "/dev/akm8976_daemon",0640, AID_COMPASS, AID_SYSTEM, 0 },
{ "/dev/akm8976_aot", 0640, AID_COMPASS, AID_SYSTEM, 0 },
{ "/dev/akm8976_pffd", 0640, AID_COMPASS, AID_SYSTEM, 0 },
{ "/dev/msm_pcm_out", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/msm_pcm_in", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/msm_pcm_ctl", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/msm_snd", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/msm_mp3", 0660, AID_SYSTEM, AID_AUDIO, 1 },
{ "/dev/msm_audpre", 0660, AID_SYSTEM, AID_AUDIO, 0 },
{ "/dev/htc-acoustic", 0660, AID_SYSTEM, AID_AUDIO, 0 },
{ "/dev/smd0", 0640, AID_RADIO, AID_RADIO, 0 },
{ "/dev/qmi", 0640, AID_RADIO, AID_RADIO, 0 },
{ "/dev/qmi0", 0640, AID_RADIO, AID_RADIO, 0 },
{ "/dev/qmi1", 0640, AID_RADIO, AID_RADIO, 0 },
{ "/dev/qmi2", 0640, AID_RADIO, AID_RADIO, 0 },
{ NULL, 0, 0, 0, 0 },
};
