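First, some background on the device administrator permission. Android's Device Administrator permission is a special permission that lets an application perform operations requiring elevated privileges, for security management and device control. An APK that holds it can encrypt storage, remotely lock the device or wipe its data, restrict the use of certain apps on the device, and track the device's location and usage. The customer's learning tablet needs this permission to remotely control which apps can be used on the device.
Start by decompiling the APK that is to be granted device administrator rights and get its package name and broadcast receiver name. Below I use com.suxuelang.sps.xyz/.MyAdminReceiver as the example. First, set it up through the normal device administrator flow: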
adb shell dpm set-active-admin com.suxuelang.sps.xyz/.MyAdminReceiver
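This is the officially exposed permission; it can be activated or deactivated manually under Settings > Security > More security settings > Device admin apps. What it grants is limited, and it does not let a rogue app bring its whole bundle of companion apps along. The following still has to be run: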
adb shell dpm set-device-owner com.suxuelang.sps.xyz/.MyAdminReceiver
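After running it, the admin can no longer be deactivated. This is the device administrator permission with really broad power: buy one, get N free. Running this command creates a file named device_owner_2.xml in /data/system/. This file can be built into the system image at device\mid\mt8735b_3tb_n\mid\LF705E\custom\common\data\system, so the compiled firmware ships with it and therefore has the super device administrator permission. However, files under data do not survive a factory reset, so the command has to be run on first boot, and the problem becomes how to run it on first boot. I have written before about running adb commands at boot, but that was on Android 11; on Android 13, running adb commands at boot demands more permissions, and the avc permission problems need to be resolved. The changes are as follows: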
diff --git a/frameworks/base/services/core/java/com/android/server/policy/PhoneWindowManager.java b/frameworks/base/services/core/java/com/android/server/policy/PhoneWindowManager.java
index ddd3431919c..a10fb5d202d 100755
--- a/frameworks/base/services/core/java/com/android/server/policy/PhoneWindowManager.java
+++ b/frameworks/base/services/core/java/com/android/server/policy/PhoneWindowManager.java
@@ -235,6 +235,13 @@ import java.util.Set;
import android.location.LocationManager;
import java.util.Calendar;
import static android.provider.Settings.Global.AUTO_TIME;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.OutputStream;
+import android.content.pm.PackageInfo;
+import com.android.server.pm.PackageManagerService;
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
/**
* WindowManagerPolicy implementation for the Android phone UI. This
* introduces a new method suffix, Lp, for an internal lock of the
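Review bot: Of the seven imports added at the top of this hunk, the visible hunks use only DataInputStream, DataOutputStream, OutputStream and PackageManagerService; PackageInfo, BufferedReader and InputStreamReader are never referenced, while execShell catches IOException without a java.io.IOException import being added. Drop the three unused imports and confirm IOException is already imported elsewhere in the file.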
@@ -552,6 +559,8 @@ public class PhoneWindowManager implements WindowManagerPolicy {
Intent mVrHeadsetHomeIntent;
boolean mPendingMetaAction;
boolean mPendingCapsLockToggle;
+
+ private PackageManagerService mPackageManagerService;
// support for activating the lock screen while the screen is on
private HashSet<Integer> mAllowLockscreenWhenOnDisplays = new HashSet<>();
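Review bot: The new field mPackageManagerService is declared but never assigned or read in any hunk of this patch. Remove it together with its import unless a later change uses it.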
@@ -5048,6 +5057,7 @@ public class PhoneWindowManager implements WindowManagerPolicy {
readCameraLensCoverState();
updateUiMode();
+ execShell("dpm set-device-owner com.suxuelang.sps.xyz/.MyAdminReceiver");
mDefaultDisplayRotation.updateOrientationListener();
synchronized (mLock) {
mSystemReady = true;
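Review bot: The execShell call after updateUiMode() is unconditional, so dpm set-device-owner runs on every boot rather than only on the first boot after a factory reset, and because execShell waits for the child process it stalls this path before mSystemReady is set. Guard the call with a check that no device owner is provisioned yet, run it off this thread, and take the component name from a build-time configuration value instead of a string literal.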
@@ -5067,6 +5077,38 @@ public class PhoneWindowManager implements WindowManagerPolicy {
mAutofillManagerInternal = LocalServices.getService(AutofillManagerInternal.class);
mGestureLauncherService = LocalServices.getService(GestureLauncherService.class);
}
+ private void execShell(String cmd) {
+ Log.d("swl","execShell: "+cmd);
+ DataOutputStream mDataOutputStream = null;
+ DataInputStream mDataInputStream = null;
+ try {
+ java.lang.Process p = Runtime.getRuntime().exec("sh");
+ OutputStream outputStream = p.getOutputStream();
+ mDataOutputStream = new DataOutputStream(outputStream);
+ mDataOutputStream.writeBytes(cmd +"\n");
+ mDataOutputStream.writeBytes("exit\n");
+ mDataOutputStream.flush();
+ int mI = p.waitFor();
+
+ mDataInputStream = new DataInputStream(p.getErrorStream());
+ byte[] mBytes = new byte[mDataInputStream.available()];
+ int mRead = mDataInputStream.read(mBytes);
+ String mS = new String(mBytes);
+ Log.d("swl","execShell: mS: "+mS);
+ } catch (Throwable t) {
+ t.printStackTrace();
+ Log.d("swl", "execShell: Throwable="+t.getMessage());
+ }finally {
+ try {
+ assert mDataOutputStream != null;
+ mDataOutputStream.close();
+ assert mDataInputStream != null;
+ mDataInputStream.close();
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ }
+ }
/** {@inheritDoc} */
@Override
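Review bot: In the finally block of execShell the two assert statements do not protect the close() calls: assertions are off by default on Android, so if Runtime.getRuntime().exec("sh") throws, mDataOutputStream is still null and close() raises a NullPointerException that catch (IOException e) does not handle. Use try-with-resources or explicit null checks. Separately, stderr is read only after p.waitFor() and the buffer is sized with available(), so output larger than the pipe buffer can block the child; read the stream before waiting, and log the exit code held in mI, which is currently unused along with mRead.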
diff --git a/system/sepolicy/prebuilts/api/33.0/private/system_server.te b/system/sepolicy/prebuilts/api/33.0/private/system_server.te
old mode 100644
new mode 100755
index 8533acf64fe..30f42e51668
--- a/system/sepolicy/prebuilts/api/33.0/private/system_server.te
+++ b/system/sepolicy/prebuilts/api/33.0/private/system_server.te
@@ -1248,12 +1248,12 @@ neverallow system_server {
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
-neverallow system_server {
- file_type
- -toolbox_exec
- -logcat_exec
- with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
-}:file execute_no_trans;
+#neverallow system_server {
+# file_type
+# -toolbox_exec
+# -logcat_exec
+# with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
+#}:file execute_no_trans;
# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
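Review bot: Commenting out the whole neverallow lifts the execute_no_trans restriction on system_server for every file_type, although the rule already has an exclusion list (-toolbox_exec, -logcat_exec) that could take a single additional entry. Keep the rule active and add only the exception that is needed. This path is the prebuilts/api/33.0 copy, and its index line shows the same blob ids as private/system_server.te, so whatever is decided has to be applied identically in both files.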
@@ -1496,3 +1496,6 @@ neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_
# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
+allow system_server shell_exec:file { execute read open execute_no_trans map getattr};
+allow system_server vendor_shell_exec:file { execute read open execute_no_trans};
+allow system_server system_file:file execute_no_trans;
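Review bot: All three added allow rules grant execute_no_trans, which means the shell started by execShell keeps running in the system_server domain with every permission system_server has, and the system_file rule extends that to any binary labelled system_file. Prefer a dedicated domain entered through a domain transition and granted only what the dpm call needs, instead of executing in place.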
diff --git a/system/sepolicy/private/domain.te b/system/sepolicy/private/domain.te
old mode 100644
new mode 100755
index 2ef688c39bc..766c244e256
--- a/system/sepolicy/private/domain.te
+++ b/system/sepolicy/private/domain.te
@@ -290,6 +290,7 @@ neverallow {
-vendor_file_type
-exec_type
-postinstall_file
+ -system_server
}:file execute;
# Only init is allowed to write cgroup.rc file
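Review bot: The -system_server entry is added to the list that closes with }:file execute, next to -vendor_file_type, -exec_type and -postinstall_file, which are file types; that is the target set of the neverallow, not its source set. system_server is a domain, so subtracting it there does not exempt it from anything. Remove the line, or, if an exemption is really required, put it in the source set of this rule.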
@@ -525,6 +526,7 @@ full_treble_only(`
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
-vold # loads incremental fs driver
+ -system_server
} {
vendor_file_type
-same_process_hal_file
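Review bot: Adding -system_server after -vold puts it in the source set of a full_treble_only neverallow on vendor_file_type, which exempts system_server from the restriction on vendor files as a whole. The neighbouring entries each carry a comment justifying the exception (traced_perf, ueventd, vold); this one has none. Either justify it in a comment naming the specific vendor file involved or drop it.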
@@ -542,6 +544,7 @@ full_treble_only(`
-vendor_task_profiles_file
-vendor_uuid_mapping_config_file
-vndk_sp_file
+ -system_server
}:file *;
')
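Review bot: Here -system_server follows -vndk_sp_file in the file-type list that ends with }:file *, so a domain is again subtracted from a set of file types and the line has no effect. It can be removed.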
diff --git a/system/sepolicy/private/system_server.te b/system/sepolicy/private/system_server.te
old mode 100644
new mode 100755
index 8533acf64fe..30f42e51668
--- a/system/sepolicy/private/system_server.te
+++ b/system/sepolicy/private/system_server.te
@@ -1248,12 +1248,12 @@ neverallow system_server {
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
-neverallow system_server {
- file_type
- -toolbox_exec
- -logcat_exec
- with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
-}:file execute_no_trans;
+#neverallow system_server {
+# file_type
+# -toolbox_exec
+# -logcat_exec
+# with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
+#}:file execute_no_trans;
# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
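Review bot: The comment kept above the disabled rule states why it exists (the threads-and-fork reference and "Prevent the addition of new file execs", b/28035297), and this patch adds exactly such an exec from the multithreaded system_server. Leaving the rule as commented-out lines hides that a safeguard was removed; if the exec is unavoidable, keep the neverallow active with a narrow exclusion and record the reason next to it.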
@@ -1496,3 +1496,6 @@ neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_
# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
+allow system_server shell_exec:file { execute read open execute_no_trans map getattr};
+allow system_server vendor_shell_exec:file { execute read open execute_no_trans};
+allow system_server system_file:file execute_no_trans;
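Review bot: The two shell rules are inconsistent: shell_exec gets { execute read open execute_no_trans map getattr } while vendor_shell_exec gets the same list without map and getattr, and execShell only starts "sh" without selecting the vendor shell. Grant one shell only, and add a comment above these rules naming the caller so the exception can be found and removed later.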
diff --git a/system/sepolicy/public/domain.te b/system/sepolicy/public/domain.te
old mode 100644
new mode 100755
index 8e1fcf7c9ed..496c3cb4e39
--- a/alps_mssi/system/sepolicy/public/domain.te
+++ b/alps_mssi/system/sepolicy/public/domain.te
@@ -918,6 +918,7 @@ full_treble_only(`
-init
-shell
-ueventd
+ -system_server
} vendor_shell_exec:file { execute execute_no_trans };
')
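Review bot: The -system_server exemption on the vendor_shell_exec rule is needed only because of the allow system_server vendor_shell_exec line added in system_server.te; if execShell uses the system shell, drop both. Also, the diff --git line for this file names system/sepolicy/public/domain.te while the --- and +++ lines name alps_mssi/system/sepolicy/public/domain.te, so the patch will not apply as written until the paths agree.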
@@ -938,6 +939,7 @@ full_treble_only(`
-iorap_prefetcherd_exec
-iorap_inode2filename_exec
-netutils_wrapper_exec
+ -system_server
userdebug_or_eng(`-tcpdump_exec')
}:file { entrypoint execute execute_no_trans };
')
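Review bot: -system_server is inserted between -netutils_wrapper_exec and -tcpdump_exec, that is, in the list of _exec file types the rule targets with { entrypoint execute execute_no_trans }. system_server is not an exec file type, so this line changes nothing and should be removed.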
@@ -968,6 +970,7 @@ full_treble_only(`
-shell
-system_executes_vendor_violators
-ueventd
+ -system_server
} {
vendor_file_type
-same_process_hal_file
@@ -975,6 +978,7 @@ full_treble_only(`
-vendor_app_file
-vendor_public_framework_file
-vendor_public_lib_file
+ -system_server
}:file execute;
')
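Review bot: The -system_server after -vendor_public_lib_file sits in the file-type half of the rule whose source set was already exempted in the previous hunk, so it is redundant. One exemption in the source set is enough, if it is kept at all.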
@@ -983,6 +987,7 @@ full_treble_only(`
coredomain
-shell
-system_executes_vendor_violators
+ -system_server
} {
vendor_file_type
-same_process_hal_file
@@ -1299,6 +1304,7 @@ full_treble_only(`
neverallow {
coredomain
-appdomain
+ -system_server
} {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
')
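A reviewer-side check for the SELinux part of the patch above, as an added example (not code from the original post or from AOSP): it scans a unified diff of .te files for removed neverallow rules, newly added -type exemptions and allow rules that grant execute_no_trans. The function name, the watch list and the embedded diff excerpt are constructed for this example.

```python
import re

# Constructed excerpt of the sepolicy changes shown in the patch above.
SAMPLE_DIFF = """\
--- a/system/sepolicy/private/system_server.te
+++ b/system/sepolicy/private/system_server.te
@@ -1248,12 +1248,12 @@ neverallow system_server {
-neverallow system_server {
-}:file execute_no_trans;
+#neverallow system_server {
+#}:file execute_no_trans;
@@ -1496,3 +1496,6 @@
+allow system_server shell_exec:file { execute read open execute_no_trans map getattr};
+allow system_server system_file:file execute_no_trans;
--- a/system/sepolicy/public/domain.te
+++ b/system/sepolicy/public/domain.te
@@ -918,6 +918,7 @@
     -ueventd
+    -system_server
   } vendor_shell_exec:file { execute execute_no_trans };
"""

# Illustrative watch list chosen for this example, not an official one.
RISKY_PERMS = {"execute_no_trans", "execmem", "execmod", "ptrace"}

def audit_sepolicy_diff(diff_text):
    """Return (file, kind, rule_line) for each change that loosens policy."""
    findings, current = [], None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current = raw[4:].split("/", 1)[-1]      # drop the "b/" prefix
            continue
        if not raw or raw[0] not in "+-" or raw.startswith("--- "):
            continue                                  # context, headers, blanks
        sign, body = raw[0], raw[1:].strip()
        if sign == "-" and body.startswith("neverallow"):
            findings.append((current, "neverallow-removed", body))
        elif sign == "+" and re.fullmatch(r"-[a-z0-9_]+", body):
            findings.append((current, "exemption-added", body))
        elif sign == "+" and body.startswith("allow "):
            perms = set(re.findall(r"[a-z_]+", body.split(":", 1)[-1]))
            hit = sorted(perms & RISKY_PERMS)
            if hit:
                findings.append((current, "risky-allow:" + ",".join(hit), body))
    return findings

if __name__ == "__main__":
    for path, kind, rule in audit_sepolicy_diff(SAMPLE_DIFF):
        print(f"{path}: {kind}: {rule}")
```

An "exemption-added" finding only says a type was subtracted from some set; whether that set is the source or the target of the neverallow still has to be read from the surrounding rule.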
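This method of running an adb command at boot can be used for other requirements as well.
Next is removing the effect where the navigation bar buttons dim automatically after entering an app. I won't post a capture of the effect; MTK devices, AOSP and Google's Pixel 9 Pro all have it. Google added it in Android 8.1. Because of a customer requirement we made a default navigation bar background, and the customer's background is dark, so the effect is clearly visible. The customer asked for it to be removed: they want the navigation bar buttons to stay at full brightness, so the effect has to go. This took a long time to find. I raised it with MTK, but they could not find it either, and I had the company raise it with Google as well (for customization questions involving Google APKs or low-level code, Google never solves them and only sends some links). I really wanted to tell them that if you're this bad, practice more. I eventually found it in the applyLightsOut method in vendor\mediatek\proprietary\packages\apps\SystemUI\src\com\android\systemui\navigationbar\NavigationBarTransitions.java. Whether an animation is used for the brightness/alpha change of the navigation bar buttons is also decided in this method; anyone interested can take a look.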
private void applyLightsOut(boolean lightsOut, boolean animate, boolean force) {
    if (!force && lightsOut == mLightsOut) return;
    mLightsOut = lightsOut;
    if (mNavButtons == null) return;
    // ok, everyone, stop it right there
    mNavButtons.animate().cancel();
    // Bump percentage by 10% if dark.
    float darkBump = mLightTransitionsController.getCurrentDarkIntensity() / 10;
    final float navButtonsAlpha = lightsOut ? 0.6f + darkBump : 1f;
    if (!animate) {
        mNavButtons.setAlpha(navButtonsAlpha);
    } else {
        final int duration = lightsOut ? LIGHTS_OUT_DURATION : LIGHTS_IN_DURATION;
        mNavButtons.animate()
            .alpha(navButtonsAlpha)
            .setDuration(duration)
            .start();
    }
}
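The requirement is met as long as the lightsOut argument passed to applyLightsOut is false. There are two ways to do this. The first is a configuration file: just turn this setting off. Judging by the comment, the effect also seems related to the type of display panel; I have not looked into the details.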
vendor\mediatek\proprietary\packages\apps\SystemUI\res\values\config.xml
<!-- Whether to enable dimming navigation buttons when wallpaper is not visible, should be
enabled for OLED devices to reduce/prevent burn in on the navigation bar (because of the
black background and static button placements) and disabled for all other devices to
prevent wasting cpu cycles on the dimming animation -->
<bool name="config_navigation_bar_enable_auto_dim_no_visible_wallpaper">false</bool>
The second way is to make the lightsOut argument passed to applyLightsOut false:
vendor\mediatek\proprietary\packages\apps\SystemUI\src\com\android\systemui\navigationbar\NavigationBarTransitions.java
@Override
protected boolean isLightsOut(int mode) {
- return super.isLightsOut(mode) || (mAllowAutoDimWallpaperNotVisible && mAutoDim
- && !mWallpaperVisible && mode != MODE_WARNING);
+ return false;
}
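Review bot: Returning false unconditionally also removes the super.isLightsOut(mode) term, so every mode reports lights-out as off, not only the auto-dim case gated by mAllowAutoDimWallpaperNotVisible and mAutoDim. To disable only the automatic dimming, keep return super.isLightsOut(mode); and drop the second operand, or rely on the config flag alone.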
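After I got it working, MTK even asked me to share it with them. This has been verified on Android 13 and Android 8.1; the change for the versions in between should be much the same, though I expect few people have this requirement. There is not much to say about how I found it: all you can do is read a lot of the navigation bar code. If anyone has a better method, or tools for tracking down this kind of animation or UI issue, please share.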