Android Apk安装过程分析

Android Apk安装过程分析

本文以android 8.0(API Level:26) 源码讲解apk安装过程


  • copy apk到data/app目录下
  • 解析apk信息
  • 更新权限信息
  • 发送安装广播



1.1 ApplicationPackageManager.installCommon


protected ApplicationPackageManager(ContextImpl context,IPackageManager pm) {
        mContext = context;
        mPM = pm;

private void installCommon(Uri packageURI,
            PackageInstallObserver observer, int flags, String installerPackageName,
            int userId) {
        if (!"file".equals(packageURI.getScheme())) {
            throw new UnsupportedOperationException("Only file:// URIs are supported");

        final String originPath = packageURI.getPath();
        try {
            mPM.installPackageAsUser(originPath, observer.getBinder(), flags, installerPackageName,
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();


1.2. installPackageAsUser 发送INIT_COPY广播


    public void installPackageAsUser(String originPath, IPackageInstallObserver2 observer,
            int installFlags, String installerPackageName, int userId) {
       final int callingUid = Binder.getCallingUid();
        enforceCrossUserPermission(callingUid, userId,
                true /* requireFullPermission */, true /* checkShell */, "installPackageAsUser");

if ((callingUid == Process.SHELL_UID) || (callingUid == Process.ROOT_UID)) {
            installFlags |= PackageManager.INSTALL_FROM_ADB;

        } else {
            // Caller holds INSTALL_PACKAGES permission, so we're less strict
            // about installerPackageName.

            installFlags &= ~PackageManager.INSTALL_FROM_ADB;
            installFlags &= ~PackageManager.INSTALL_ALL_USERS;

        UserHandle user;
        if ((installFlags & PackageManager.INSTALL_ALL_USERS) != 0) {
            user = UserHandle.ALL;
        } else {
            user = new UserHandle(userId);

        // Only system components can circumvent runtime permissions when installing.
        if ((installFlags & PackageManager.INSTALL_GRANT_RUNTIME_PERMISSIONS) != 0
                && mContext.checkCallingOrSelfPermission(Manifest.permission
            throw new SecurityException("You need the "
                    + "android.permission.INSTALL_GRANT_RUNTIME_PERMISSIONS permission "
                    + "to use the PackageManager.INSTALL_GRANT_RUNTIME_PERMISSIONS flag");

        if ((installFlags & PackageManager.INSTALL_FORWARD_LOCK) != 0
                || (installFlags & PackageManager.INSTALL_EXTERNAL) != 0) {
            throw new IllegalArgumentException(
                    "New installs into ASEC containers no longer supported");

        final File originFile = new File(originPath);
        final OriginInfo origin = OriginInfo.fromUntrustedFile(originFile);

      // 构建INIT_COPY的Message
        final Message msg = mHandler.obtainMessage(INIT_COPY);
        final VerificationInfo verificationInfo = new VerificationInfo(
                null /*originatingUri*/, null /*referrer*/, -1 /*originatingUid*/, callingUid);
        final InstallParams params = new InstallParams(origin, null /*moveInfo*/, observer,
                installFlags, installerPackageName, null /*volumeUuid*/, verificationInfo, user,
                null /*packageAbiOverride*/, null /*grantedPermissions*/,
                null /*certificates*/, PackageManager.INSTALL_REASON_UNKNOWN);
        msg.obj = params;






class PackageHandler extends Handler {
        private boolean mBound = false;
        final ArrayList<HandlerParams> mPendingInstalls =
            new ArrayList<HandlerParams>();

        PackageHandler(Looper looper) {

        public void handleMessage(Message msg) {
            try {
            } finally {

 void doHandleMessage(Message msg) {
            switch (msg.what) {
                case INIT_COPY: {
                    HandlerParams params = (HandlerParams) msg.obj;
                    int idx = mPendingInstalls.size();
                    if (DEBUG_INSTALL) Slog.i(TAG, "init_copy idx=" + idx + ": " + params);
                    // If a bind was already initiated we dont really
                    // need to do anything. The pending install
                    // will be processed later on.
                    if (!mBound) {
                        Trace.asyncTraceBegin(TRACE_TAG_PACKAGE_MANAGER, "bindingMCS",
                        // If this is the only one pending we might
                        // have to bind to the service again.
                        if (!connectToService()) {
                            Slog.e(TAG, "Failed to bind to media container service");
                            Trace.asyncTraceEnd(TRACE_TAG_PACKAGE_MANAGER, "bindingMCS",
                            if (params.traceMethod != null) {
                                Trace.asyncTraceEnd(TRACE_TAG_PACKAGE_MANAGER, params.traceMethod,
                        } else {
                            // Once we bind to the service, the first
                            // pending request will be processed.
                            mPendingInstalls.add(idx, params);
                    } else {
                        mPendingInstalls.add(idx, params);
                        // Already bound to the service. Just make
                        // sure we trigger off processing the first request.
                        if (idx == 0) {

  case MCS_BOUND: {
        if (DEBUG_INSTALL) Slog.i(TAG, "mcs_bound");
        if (msg.obj != null) {
            mContainerService = (IMediaContainerService) msg.obj;
            Trace.asyncTraceEnd(TRACE_TAG_PACKAGE_MANAGER, "bindingMCS",
        if (mContainerService == null) {
            if (!mBound) {
                // Something seriously wrong since we are not bound and we are not
                // waiting for connection. Bail out.
                Slog.e(TAG, "Cannot bind to media container service");
                for (HandlerParams params : mPendingInstalls) {
                    // Indicate service bind error
                    Trace.asyncTraceEnd(TRACE_TAG_PACKAGE_MANAGER, "queueInstall",
                    if (params.traceMethod != null) {
                                params.traceMethod, params.traceCookie);
            } else {
                Slog.w(TAG, "Waiting to connect to media container service");
        } else if (mPendingInstalls.size() > 0) {
            HandlerParams params = mPendingInstalls.get(0);
            if (params != null) {
                Trace.asyncTraceEnd(TRACE_TAG_PACKAGE_MANAGER, "queueInstall",
                Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "startCopy");
                if (params.startCopy()) {
                    // We are done...  look for more work or to
                    // go idle.
                    if (DEBUG_SD_INSTALL) Log.i(TAG,
                            "Checking for more work or unbind...");
                    // Delete pending install
                    if (mPendingInstalls.size() > 0) {
                    if (mPendingInstalls.size() == 0) {
                        if (mBound) {
                            if (DEBUG_SD_INSTALL) Log.i(TAG,
                                    "Posting delayed MCS_UNBIND");
                            Message ubmsg = obtainMessage(MCS_UNBIND);
                            // Unbind after a little delay, to avoid
                            // continual thrashing.
                            sendMessageDelayed(ubmsg, 10000);
                    } else {
                        // There are more pending requests in queue.
                        // Just post MCS_BOUND message to trigger processing
                        // of next pending install.
                        if (DEBUG_SD_INSTALL) Log.i(TAG,
                                "Posting MCS_BOUND for next work");
        } else {
            // Should never happen ideally.
            Slog.w(TAG, "Empty queue");

在INIT_COPYz这个case中主要是确保DefaultContainerService已bound,DefaultContainerService是一个应用服务,具体负责实现APK等相关资源文件在内部或外部存储器上的存储工作, 然后发送MCS_BOUND的消息,在MCS_BOUND这个case中 最关键的代码就是

1.4 HandlerParams.startCopy()

# HandlerParams

private abstract class HandlerParams {
        private static final int MAX_RETRIES = 4;

               private int mRetries = 0;

        /** User handle for the user requesting the information or installation. */
        private final UserHandle mUser;
        String traceMethod;
        int traceCookie;

        final boolean startCopy() {
            boolean res;
            try {
                if (DEBUG_INSTALL) Slog.i(TAG, "startCopy " + mUser + ": " + this);

                if (++mRetries > MAX_RETRIES) {
                    Slog.w(TAG, "Failed to invoke remote methods on default container service. Giving up");
                    return false;
                } else {
                    res = true;
            } catch (RemoteException e) {
                if (DEBUG_INSTALL) Slog.i(TAG, "Posting install MCS_RECONNECT");
                res = false;
            return res;

        final void serviceError() {
            if (DEBUG_INSTALL) Slog.i(TAG, "serviceError");

        abstract void handleStartCopy() throws RemoteException;
        abstract void handleServiceError();
        abstract void handleReturnCode();

这里是直接调用 handleStartCopy()

 int ret = PackageManager.INSTALL_SUCCEEDED;
            final boolean onSd = (installFlags & PackageManager.INSTALL_EXTERNAL) != 0;
            final boolean onInt = (installFlags & PackageManager.INSTALL_INTERNAL) != 0;

            PackageInfoLite pkgLite = null;

            if (onInt && onSd) {
                // Check if both bits are set.
                Slog.w(TAG, "Conflicting flags specified for installing on both internal and external");
                ret = PackageManager.INSTALL_FAILED_INVALID_INSTALL_LOCATION;
            } else {
                pkgLite = mContainerService.getMinimalPackageInfo(origin.resolvedPath, installFlags,

                 * If we have too little free space, try to free cache
                 * before giving up.
                if (!origin.staged && pkgLite.recommendedInstallLocation
                        == PackageHelper.RECOMMEND_FAILED_INSUFFICIENT_STORAGE) {
                    final StorageManager storage = StorageManager.from(mContext);
                    final long lowThreshold = storage.getStorageLowBytes(

                    final long sizeBytes = mContainerService.calculateInstalledSize(
                            origin.resolvedPath, isForwardLocked(), packageAbiOverride);

                    if (mInstaller.freeCache(sizeBytes + lowThreshold) >= 0) {
                        pkgLite = mContainerService.getMinimalPackageInfo(origin.resolvedPath,
                                installFlags, packageAbiOverride);
                     * No package verification is enabled, so immediately start
                     * the remote call to initiate copy using temporary file.
                    ret = args.copyApk(mContainerService, true);
            mRet = ret;

handleStartCopy的核心是InstallArgs的copyApk(),其他的都是些存储空间检查,权限检查等等安全校验, copyApk方法会把apk copy到data/app目录下

1.6 FileInstallArgs#copyApk

class FileInstallArgs extends InstallArgs {
    int copyApk(IMediaContainerService imcs, boolean temp) throws RemoteException {
        Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "copyApk");
        try {
            return doCopyApk(imcs, temp);
        } finally {


private int doCopyApk(IMediaContainerService imcs, boolean temp) throws RemoteException {
    if (origin.staged) {
        if (DEBUG_INSTALL) Slog.d(TAG, origin.file + " already staged; skipping copy");
        codeFile = origin.file;
        resourceFile = origin.file;
        return PackageManager.INSTALL_SUCCEEDED;

    try {
        final boolean isEphemeral = (installFlags & PackageManager.INSTALL_INSTANT_APP) != 0;
        final File tempDir =
                mInstallerService.allocateStageDirLegacy(volumeUuid, isEphemeral);
        codeFile = tempDir;
        resourceFile = tempDir;
    } catch (IOException e) {
        Slog.w(TAG, "Failed to create copy file: " + e);

    final IParcelFileDescriptorFactory target = new IParcelFileDescriptorFactory.Stub() {
        public ParcelFileDescriptor open(String name, int mode) throws RemoteException {
            if (!FileUtils.isValidExtFilename(name)) {
                throw new IllegalArgumentException("Invalid filename: " + name);
            try {
                final File file = new File(codeFile, name);
                final FileDescriptor fd =,
                        O_RDWR | O_CREAT, 0644);
                Os.chmod(file.getAbsolutePath(), 0644);
                return new ParcelFileDescriptor(fd);
            } catch (ErrnoException e) {
                throw new RemoteException("Failed to open: " + e.getMessage());

    int ret = PackageManager.INSTALL_SUCCEEDED;
    ret = imcs.copyPackage(origin.file.getAbsolutePath(), target);
    if (ret != PackageManager.INSTALL_SUCCEEDED) {
        Slog.e(TAG, "Failed to copy package");
        return ret;

    final File libraryRoot = new File(codeFile, LIB_DIR_NAME);
    NativeLibraryHelper.Handle handle = null;
    try {
        handle = NativeLibraryHelper.Handle.create(codeFile);
        ret = NativeLibraryHelper.copyNativeBinariesWithOverride(handle, libraryRoot,
    } catch (IOException e) {
        Slog.e(TAG, "Copying native libraries failed", e);
        ret = PackageManager.INSTALL_FAILED_INTERNAL_ERROR;
    } finally {

    return ret;

1.7 startCopy

final boolean startCopy() {
            boolean res;
            try {
                if (++mRetries > MAX_RETRIES) {
                    Slog.w(TAG, "Failed to invoke remote methods on default container service. Giving up");
                    return false;
                } else {
                    res = true;
            } catch (RemoteException e) {
                if (DEBUG_INSTALL) Slog.i(TAG, "Posting install MCS_RECONNECT");
                res = false;
            return res;



2.1 handleReturnCode

void handleReturnCode() {
            // If mArgs is null, then MCS couldn't be reached. When it
            // reconnects, it will try again to install. At that point, this
            // will succeed.
            if (mArgs != null) {
                processPendingInstall(mArgs, mRet);
 private void processPendingInstall(final InstallArgs args, final int currentStatus) {
 // Queue up an async operation since the package installation may take a little while. Runnable() {
            public void run() {
                 // Result object to be returned
                PackageInstalledInfo res = new PackageInstalledInfo();
                res.returnCode = currentStatus;
                res.uid = -1;
                res.pkg = null;
                res.removedInfo = new PackageRemovedInfo();
                if (res.returnCode == PackageManager.INSTALL_SUCCEEDED) {
                    synchronized (mInstallLock) {
                        installPackageLI(args, res); //1.安装
                    args.doPostInstall(res.returnCode, res.uid);

                // A restore should be performed at this point if (a) the install
                // succeeded, (b) the operation is not an update, and (c) the new
                // package has not opted out of backup participation.
                final boolean update = res.removedInfo.removedPackage != null;
                final int flags = (res.pkg == null) ? 0 : res.pkg.applicationInfo.flags;
                boolean doRestore = !update
                        && ((flags & ApplicationInfo.FLAG_ALLOW_BACKUP) != 0);

                // Set up the post-install work request bookkeeping.  This will be used
                // and cleaned up by the post-install event handling regardless of whether
                // there's a restore pass performed.  Token values are >= 1.
                int token;
                if (mNextInstallToken < 0) mNextInstallToken = 1;
                token = mNextInstallToken++;

                PostInstallData data = new PostInstallData(args, res);
                mRunningInstalls.put(token, data);
                if (DEBUG_INSTALL) Log.v(TAG, "+ starting restore round-trip " + token);

                if (res.returnCode == PackageManager.INSTALL_SUCCEEDED && doRestore) {
                    // Pass responsibility to the Backup Manager.  It will perform a
                    // restore if appropriate, then pass responsibility back to the
                    // Package Manager to run the post-install observer callbacks
                    // and broadcasts.
                    IBackupManager bm = IBackupManager.Stub.asInterface(
                    if (bm != null) {
                        if (DEBUG_INSTALL) Log.v(TAG, "token " + token
                                + " to BM for possible restore");
                        try {
                            bm.restoreAtInstall(res.pkg.applicationInfo.packageName, token); //2.调用backup服务
                        } catch (RemoteException e) {
                            // can't happen; the backup manager is local
                        } catch (Exception e) {
                            Slog.e(TAG, "Exception trying to enqueue restore", e);
                            doRestore = false;
                    } else {
                        Slog.e(TAG, "Backup Manager not found!");
                        doRestore = false;

                if (!doRestore) {
                    // No restore possible, or the Backup Manager was mysteriously not
                    // available -- just fire the post-install work request directly.
                    if (DEBUG_INSTALL) Log.v(TAG, "No restore - queue post-install for " + token);
                    Message msg = mHandler.obtainMessage(POST_INSTALL, token, 0);


1.installPackageLI(args, res); 解析Package和后续操作, token);

我们先看installPackageLI(args, res)方法


private void installPackageLI(InstallArgs args, PackageInstalledInfo res) {
        final int installFlags = args.installFlags;
        String installerPackageName = args.installerPackageName;
        File tmpPackageFile = new File(args.getCodePath());
        boolean forwardLocked = ((installFlags & PackageManager.INSTALL_FORWARD_LOCK) != 0);
        boolean onSd = ((installFlags & PackageManager.INSTALL_EXTERNAL) != 0);
        boolean replace = false;
        // Result object to be returned
        res.returnCode = PackageManager.INSTALL_SUCCEEDED;

        if (DEBUG_INSTALL) Slog.d(TAG, "installPackageLI: path=" + tmpPackageFile);
        // Retrieve PackageSettings and parse package
        final int parseFlags = mDefParseFlags | PackageParser.PARSE_CHATTY
                | (forwardLocked ? PackageParser.PARSE_FORWARD_LOCK : 0)
                | (onSd ? PackageParser.PARSE_ON_SDCARD : 0);
        PackageParser pp = new PackageParser();

        final PackageParser.Package pkg;
        try {
            pkg = pp.parsePackage(tmpPackageFile, parseFlags);
        } catch (PackageParserException e) {
            res.setError("Failed parse during installPackageLI", e);

        // Mark that we have an install time CPU ABI override.
        pkg.cpuAbiOverride = args.abiOverride;

        String pkgName = = pkg.packageName;
                try {
            pp.collectCertificates(pkg, parseFlags);
        } catch (PackageParserException e) {
            res.setError("Failed collect during installPackageLI", e);

                pp = null;
        String oldCodePath = null;
        boolean systemApp = false;
        synchronized (mPackages) {
            // Check whether the newly-scanned package wants to define an already-defined perm
            int N = pkg.permissions.size();
            for (int i = N-1; i >= 0; i--) {
                PackageParser.Permission perm = pkg.permissions.get(i);
                BasePermission bp = mSettings.mPermissions.get(;
                if (bp != null) {
                    // If the defining package is signed with our cert, it's okay.  This
                    // also includes the "updating the same package" case, of course.
                    // "updating same package" could also involve key-rotation.
                    final boolean sigsOk;
                    if (!bp.sourcePackage.equals(pkg.packageName)
                            || !(bp.packageSetting instanceof PackageSetting)
                            || !bp.packageSetting.keySetData.isUsingUpgradeKeySets()
                            || ((PackageSetting) bp.packageSetting).sharedUser != null) {
                        sigsOk = compareSignatures(bp.packageSetting.signatures.mSignatures,
                                pkg.mSignatures) == PackageManager.SIGNATURE_MATCH;
                    } else {
                        sigsOk = checkUpgradeKeySetLP((PackageSetting) bp.packageSetting, pkg);
                    if (!sigsOk) {
                        // If the owning package is the system itself, we log but allow
                        // install to proceed; we fail the install on all other permission
                        // redefinitions.
                        if (!bp.sourcePackage.equals("android")) {
                            res.setError(INSTALL_FAILED_DUPLICATE_PERMISSION, "Package "
                                    + pkg.packageName + " attempting to redeclare permission "
                                    + + " already owned by " + bp.sourcePackage);
                            res.origPermission =;
                            res.origPackage = bp.sourcePackage;
                        } else {
                            Slog.w(TAG, "Package " + pkg.packageName
                                    + " attempting to redeclare system permission "
                                    + + "; ignoring new declaration");

            // Check if installing already existing package
            if ((installFlags & PackageManager.INSTALL_REPLACE_EXISTING) != 0) {
                String oldName = mSettings.mRenamedPackages.get(pkgName);
                if (pkg.mOriginalPackages != null
                        && pkg.mOriginalPackages.contains(oldName)
                        && mPackages.containsKey(oldName)) {
                    // This package is derived from an original package,
                    // and this device has been updating from that original
                    // name.  We must continue using the original name, so
                    // rename the new package here.
                    pkgName = pkg.packageName;
                    replace = true;
                    if (DEBUG_INSTALL) Slog.d(TAG, "Replacing existing renamed package: oldName="
                            + oldName + " pkgName=" + pkgName);
                } else if (mPackages.containsKey(pkgName)) {
                    // This package, under its official name, already exists
                    // on the device; we should replace it.
                    replace = true;
                    if (DEBUG_INSTALL) Slog.d(TAG, "Replace existing pacakge: " + pkgName);
            PackageSetting ps = mSettings.mPackages.get(pkgName);
            if (ps != null) {
                if (DEBUG_INSTALL) Slog.d(TAG, "Existing package: " + ps);
                oldCodePath = mSettings.mPackages.get(pkgName).codePathString;
                if (ps.pkg != null && ps.pkg.applicationInfo != null) {
                    systemApp = (ps.pkg.applicationInfo.flags &
                            ApplicationInfo.FLAG_SYSTEM) != 0;
                res.origUsers = ps.queryInstalledUsers(sUserManager.getUserIds(), true);

        if (replace) {
            replacePackageLI(pkg, parseFlags, scanFlags | SCAN_REPLACING, args.user,
                    installerPackageName, res);
        } else {
            installNewPackageLI(pkg, parseFlags, scanFlags | SCAN_DELETE_DATA_ON_FAILURES,
                    args.user, installerPackageName, res);
        synchronized (mPackages) {
            final PackageSetting ps = mSettings.mPackages.get(pkgName);
            if (ps != null) {
                res.newUsers = ps.queryInstalledUsers(sUserManager.getUserIds(), true);



if (replace) {
    replacePackageLI(pkg, parseFlags, scanFlags | SCAN_REPLACING, args.user,
            installerPackageName, res);
} else {
    installNewPackageLI(pkg, parseFlags, scanFlags | SCAN_DELETE_DATA_ON_FAILURES,
            args.user, installerPackageName, res);

if (replace) {
    replacePackageLI(pkg, parseFlags, scanFlags | SCAN_REPLACING, args.user,
            installerPackageName, res);
} else {
    installNewPackageLI(pkg, parseFlags, scanFlags | SCAN_DELETE_DATA_ON_FAILURES,
            args.user, installerPackageName, res);



2.3 installNewPackageLI

 private void installNewPackageLI(PackageParser.Package pkg,
            int parseFlags, int scanFlags, UserHandle user,
            String installerPackageName, PackageInstalledInfo res) {
        // Remember this for later, in case we need to rollback this install
        String pkgName = pkg.packageName;

        if (DEBUG_INSTALL) Slog.d(TAG, "installNewPackageLI: " + pkg);
        boolean dataDirExists = getDataPathForPackage(pkg.packageName, 0).exists();
        synchronized(mPackages) {
            if (mSettings.mRenamedPackages.containsKey(pkgName)) {
                // A package with the same name is already installed, though
                // it has been renamed to an older name.  The package we
                // are trying to install should be installed as an update to
                // the existing one, but that has not been requested, so bail.
                res.setError(INSTALL_FAILED_ALREADY_EXISTS, "Attempt to re-install " + pkgName
                        + " without first uninstalling package running as "
                        + mSettings.mRenamedPackages.get(pkgName));
            if (mPackages.containsKey(pkgName)) {
                // Don't allow installation over an existing package with the same name.
                res.setError(INSTALL_FAILED_ALREADY_EXISTS, "Attempt to re-install " + pkgName
                        + " without first uninstalling.");

        try {
            PackageParser.Package newPackage = scanPackageLI(pkg, parseFlags, scanFlags,
                    System.currentTimeMillis(), user);

            updateSettingsLI(newPackage, installerPackageName, null, null, res);
            // delete the partially installed application. the data directory will have to be
            // restored if it was already existing
            if (res.returnCode != PackageManager.INSTALL_SUCCEEDED) {
                // remove package from internal structures.  Note that we want deletePackageX to
                // delete the package data and cache directories that it created in
                // scanPackageLocked, unless those directories existed before we even tried to
                // install.
                deletePackageLI(pkgName, UserHandle.ALL, false, null, null,
                        dataDirExists ? PackageManager.DELETE_KEEP_DATA : 0,
                                res.removedInfo, true);

        } catch (PackageManagerException e) {
            res.setError("Package couldn't be installed in " + pkg.codePath, e);


  • scanPackageLI(pkg, parseFlags, scanFlags,
    System.currentTimeMillis(), user)
  • updateSettingsLI(newPackage, installerPackageName

scanPackageLI 负责安装,updateSettingsLI负责安装完成后的设置信息更新

2.4 scanPackageLI



在 scanPackageLI会调用到performDexOptLI(),去执行dexopt操作

2.5 updateSettingsLI 更新设置信息

private void updateSettingsLI(PackageParser.Package newPackage, String installerPackageName,
            int[] allUsers, PackageInstalledInfo res, UserHandle user, int installReason) {
        // Update the parent package setting
    updateSettingsInternalLI(newPackage, installerPackageName, allUsers, res.origUsers,
            res, user, installReason);
    // Update the child packages setting
    final int childCount = (newPackage.childPackages != null)
            ? newPackage.childPackages.size() : 0;
    for (int i = 0; i < childCount; i++) {
        PackageParser.Package childPackage = newPackage.childPackages.get(i);
        PackageInstalledInfo childRes = res.addedChildPackages.get(childPackage.packageName);
        updateSettingsInternalLI(childPackage, installerPackageName, allUsers,
                childRes.origUsers, childRes, user, installReason);


 private void updateSettingsInternalLI(PackageParser.Package newPackage,
            String installerPackageName, int[] allUsers, int[] installedForUsers,
            PackageInstalledInfo res, UserHandle user, int installReason) {
        Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "updateSettings");

        installed in " + newPackage.codePath);
        synchronized (mPackages) {
            updatePermissionsLPw(newPackage.packageName, newPackage,
                    UPDATE_PERMISSIONS_REPLACE_PKG | (newPackage.permissions.size() > 0
                            ? UPDATE_PERMISSIONS_ALL : 0));



3.1 updatePermissionsLPw

private void updatePermissionsLPw(PackageParser.Package pkg, int flags) {
        // Update the parent permissions
    updatePermissionsLPw(pkg.packageName, pkg, flags);
    // Update the child permissions
    final int childCount = (pkg.childPackages != null) ? pkg.childPackages.size() : 0;
    for (int i = 0; i < childCount; i++) {
        PackageParser.Package childPkg = pkg.childPackages.get(i);
        updatePermissionsLPw(childPkg.packageName, childPkg, flags);

private void updatePermissionsLPw(String changingPkg,
           PackageParser.Package pkgInfo, String replaceVolumeUuid, int flags) {
   if (pkgInfo != null) {
       // Only replace for packages on requested volume
       final String volumeUuid = getVolumeUuidForPackage(pkgInfo);
       final boolean replace = ((flags & UPDATE_PERMISSIONS_REPLACE_PKG) != 0)
               && Objects.equals(replaceVolumeUuid, volumeUuid);
       grantPermissionsLPw(pkgInfo, replace, changingPkg);


 private void grantPermissionsLPw(PackageParser.Package pkg, boolean replace,
           String packageOfInterest) {
            final int N = pkg.requestedPermissions.size();
       for (int i=0; i<N; i++) {
           final String name = pkg.requestedPermissions.get(i);
           final BasePermission bp = mSettings.mPermissions.get(name);
           final boolean appSupportsRuntimePermissions = pkg.applicationInfo.targetSdkVersion
                   >= Build.VERSION_CODES.M;

           if (DEBUG_INSTALL) {
               Log.i(TAG, "Package " + pkg.packageName + " checking " + name + ": " + bp);

           if (bp == null || bp.packageSetting == null) {
               if (packageOfInterest == null || packageOfInterest.equals(pkg.packageName)) {
                   if (DEBUG_PERMISSIONS) {
                       Slog.i(TAG, "Unknown permission " + name
                               + " in package " + pkg.packageName);

           // Limit ephemeral apps to ephemeral allowed permissions.
           if (pkg.applicationInfo.isInstantApp() && !bp.isInstant()) {
               if (DEBUG_PERMISSIONS) {
                   Log.i(TAG, "Denying non-ephemeral permission " + + " for package "
                           + pkg.packageName);

           if (bp.isRuntimeOnly() && !appSupportsRuntimePermissions) {
               if (DEBUG_PERMISSIONS) {
                   Log.i(TAG, "Denying runtime-only permission " + + " for package "
                           + pkg.packageName);

           final String perm =;
           boolean allowedSig = false;
           int grant = GRANT_DENIED;

           // Keep track of app op permissions.
           if ((bp.protectionLevel & PermissionInfo.PROTECTION_FLAG_APPOP) != 0) {
               ArraySet<String> pkgs = mAppOpPermissionPackages.get(;
               if (pkgs == null) {
                   pkgs = new ArraySet<>();
                   mAppOpPermissionPackages.put(, pkgs);

           final int level = bp.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE;
           switch (level) {
               case PermissionInfo.PROTECTION_NORMAL: {
                   // For all apps normal permissions are install time ones.
                   grant = GRANT_INSTALL;
               } break;

               case PermissionInfo.PROTECTION_DANGEROUS: {
                   // If a permission review is required for legacy apps we represent
                   // their permissions as always granted runtime ones since we need
                   // to keep the review required permission flag per user while an
                   // install permission's state is shared across all users.
                   if (!appSupportsRuntimePermissions && !mPermissionReviewRequired) {
                       // For legacy apps dangerous permissions are install time ones.
                       grant = GRANT_INSTALL;
                   } else if (origPermissions.hasInstallPermission( {
                       // For legacy apps that became modern, install becomes runtime.
                       grant = GRANT_UPGRADE;
                   } else if (mPromoteSystemApps
                           && isSystemApp(ps)
                           && mExistingSystemPackages.contains( {
                       // For legacy system apps, install becomes runtime.
                       // We cannot check hasInstallPermission() for system apps since those
                       // permissions were granted implicitly and not persisted pre-M.
                       grant = GRANT_UPGRADE;
                   } else {
                       // For modern apps keep runtime permissions unchanged.
                       grant = GRANT_RUNTIME;
               } break;

               case PermissionInfo.PROTECTION_SIGNATURE: {
                   // For all apps signature permissions are install time ones.
                   allowedSig = grantSignaturePermission(perm, pkg, bp, origPermissions);
                   if (allowedSig) {
                       grant = GRANT_INSTALL;
               } break;

           if (DEBUG_PERMISSIONS) {
               Slog.i(TAG, "Granting permission " + perm + " to package " + pkg.packageName);

           if (grant != GRANT_DENIED) {
               if (!isSystemApp(ps) && ps.installPermissionsFixed) {
                   // If this is an existing, non-system package, then
                   // we can't add any new permissions to it.
                   if (!allowedSig && !origPermissions.hasInstallPermission(perm)) {
                       // Except...  if this is a permission that was added
                       // to the platform (note: need to only do this when
                       // updating the platform).
                       if (!isNewPlatformPermissionForPackage(perm, pkg)) {
                           grant = GRANT_DENIED;

               switch (grant) {
                   case GRANT_INSTALL: {
                       // Revoke this as runtime permission to handle the case of
                       // a runtime permission being downgraded to an install one.
                       // Also in permission review mode we keep dangerous permissions
                       // for legacy apps
                       for (int userId : UserManagerService.getInstance().getUserIds()) {
                           if (origPermissions.getRuntimePermissionState(
                         , userId) != null) {
                               // Revoke the runtime permission and clear the flags.
                               origPermissions.revokeRuntimePermission(bp, userId);
                               origPermissions.updatePermissionFlags(bp, userId,
                                     PackageManager.MASK_PERMISSION_FLAGS, 0);
                               // If we revoked a permission permission, we have to write.
                               changedRuntimePermissionUserIds = ArrayUtils.appendInt(
                                       changedRuntimePermissionUserIds, userId);
                       // Grant an install permission.
                       if (permissionsState.grantInstallPermission(bp) !=
                               PermissionsState.PERMISSION_OPERATION_FAILURE) {
                           changedInstallPermission = true;
                   } break;

                   case GRANT_RUNTIME: {
                       // Grant previously granted runtime permissions.
                       for (int userId : UserManagerService.getInstance().getUserIds()) {
                           PermissionState permissionState = origPermissions
                                   .getRuntimePermissionState(, userId);
                           int flags = permissionState != null
                                   ? permissionState.getFlags() : 0;
                           if (origPermissions.hasRuntimePermission(, userId)) {
                               // Don't propagate the permission in a permission review mode if
                               // the former was revoked, i.e. marked to not propagate on upgrade.
                               // Note that in a permission review mode install permissions are
                               // represented as constantly granted runtime ones since we need to
                               // keep a per user state associated with the permission. Also the
                               // revoke on upgrade flag is no longer applicable and is reset.
                               final boolean revokeOnUpgrade = (flags & PackageManager
                                       .FLAG_PERMISSION_REVOKE_ON_UPGRADE) != 0;
                               if (revokeOnUpgrade) {
                                   flags &= ~PackageManager.FLAG_PERMISSION_REVOKE_ON_UPGRADE;
                                   // Since we changed the flags, we have to write.
                                   changedRuntimePermissionUserIds = ArrayUtils.appendInt(
                                           changedRuntimePermissionUserIds, userId);
                               if (!mPermissionReviewRequired || !revokeOnUpgrade) {
                                   if (permissionsState.grantRuntimePermission(bp, userId) ==
                                           PermissionsState.PERMISSION_OPERATION_FAILURE) {
                                       // If we cannot put the permission as it was,
                                       // we have to write.
                                       changedRuntimePermissionUserIds = ArrayUtils.appendInt(
                                               changedRuntimePermissionUserIds, userId);

                               // If the app supports runtime permissions no need for a review.
                               if (mPermissionReviewRequired
                                       && appSupportsRuntimePermissions
                                       && (flags & PackageManager
                                               .FLAG_PERMISSION_REVIEW_REQUIRED) != 0) {
                                   flags &= ~PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED;
                                   // Since we changed the flags, we have to write.
                                   changedRuntimePermissionUserIds = ArrayUtils.appendInt(
                                           changedRuntimePermissionUserIds, userId);
                           } else if (mPermissionReviewRequired
                                   && !appSupportsRuntimePermissions) {
                               // For legacy apps that need a permission review, every new
                               // runtime permission is granted but it is pending a review.
                               // We also need to review only platform defined runtime
                               // permissions as these are the only ones the platform knows
                               // how to disable the API to simulate revocation as legacy
                               // apps don't expect to run with revoked permissions.
                               if (PLATFORM_PACKAGE_NAME.equals(bp.sourcePackage)) {
                                   if ((flags & FLAG_PERMISSION_REVIEW_REQUIRED) == 0) {
                                       flags |= FLAG_PERMISSION_REVIEW_REQUIRED;
                                       // We changed the flags, hence have to write.
                                       changedRuntimePermissionUserIds = ArrayUtils.appendInt(
                                               changedRuntimePermissionUserIds, userId);
                               if (permissionsState.grantRuntimePermission(bp, userId)
                                       != PermissionsState.PERMISSION_OPERATION_FAILURE) {
                                   // We changed the permission, hence have to write.
                                   changedRuntimePermissionUserIds = ArrayUtils.appendInt(
                                           changedRuntimePermissionUserIds, userId);
                           // Propagate the permission flags.
                           permissionsState.updatePermissionFlags(bp, userId, flags, flags);
                   } break;

                   case GRANT_UPGRADE: {
                       // Grant runtime permissions for a previously held install permission.
                       PermissionState permissionState = origPermissions
                       final int flags = permissionState != null ? permissionState.getFlags() : 0;

                       if (origPermissions.revokeInstallPermission(bp)
                               != PermissionsState.PERMISSION_OPERATION_FAILURE) {
                           // We will be transferring the permission flags, so clear them.
                           origPermissions.updatePermissionFlags(bp, UserHandle.USER_ALL,
                                   PackageManager.MASK_PERMISSION_FLAGS, 0);
                           changedInstallPermission = true;

                       // If the permission is not to be promoted to runtime we ignore it and
                       // also its other flags as they are not applicable to install permissions.
                       if ((flags & PackageManager.FLAG_PERMISSION_REVOKE_ON_UPGRADE) == 0) {
                           for (int userId : currentUserIds) {
                               if (permissionsState.grantRuntimePermission(bp, userId) !=
                                       PermissionsState.PERMISSION_OPERATION_FAILURE) {
                                   // Transfer the permission flags.
                                   permissionsState.updatePermissionFlags(bp, userId,
                                           flags, flags);
                                   // If we granted the permission, we have to write.
                                   changedRuntimePermissionUserIds = ArrayUtils.appendInt(
                                           changedRuntimePermissionUserIds, userId);
                   } break;

                   default: {
                       if (packageOfInterest == null
                               || packageOfInterest.equals(pkg.packageName)) {
                           if (DEBUG_PERMISSIONS) {
                               Slog.i(TAG, "Not granting permission " + perm
                                       + " to package " + pkg.packageName
                                       + " because it was previously installed without");
                   } break;
           } else {
               if (permissionsState.revokeInstallPermission(bp) !=
                       PermissionsState.PERMISSION_OPERATION_FAILURE) {
                   // Also drop the permission flags.
                   permissionsState.updatePermissionFlags(bp, UserHandle.USER_ALL,
                           PackageManager.MASK_PERMISSION_FLAGS, 0);
                   changedInstallPermission = true;
                   Slog.i(TAG, "Un-granting permission " + perm
                           + " from package " + pkg.packageName
                           + " (protectionLevel=" + bp.protectionLevel
                           + " flags=0x" + Integer.toHexString(pkg.applicationInfo.flags)
                           + ")");
               } else if ((bp.protectionLevel&PermissionInfo.PROTECTION_FLAG_APPOP) == 0) {
                   // Don't print warning for app op permissions, since it is fine for them
                   // not to be granted, there is a UI for the user to decide.
                   if (DEBUG_PERMISSIONS
                           && (packageOfInterest == null
                                   || packageOfInterest.equals(pkg.packageName))) {
                       Slog.i(TAG, "Not granting permission " + perm
                               + " to package " + pkg.packageName
                               + " (protectionLevel=" + bp.protectionLevel
                               + " flags=0x" + Integer.toHexString(pkg.applicationInfo.flags)
                               + ")");

       if ((changedInstallPermission || replace) && !ps.installPermissionsFixed &&
               !isSystemApp(ps) || isUpdatedSystemApp(ps)){
           // This is the first that we have heard about this package, so the
           // permissions we have now selected are fixed until explicitly
           // changed.
           ps.installPermissionsFixed = true;

       // Persist the runtime permissions state for users with changes. If permissions
       // were revoked because no app in the shared user declares them we have to
       // write synchronously to avoid losing runtime permissions state.
       for (int userId : changedRuntimePermissionUserIds) {
           mSettings.writeRuntimePermissionsForUserLPr(userId, runtimePermissionsRevoked);



前面processPendingInstall方法中,在执行完installPackageLi后,会执行 bm.restoreAtInstall()方法,实际调用的是BackupManagerService的restoreAtInstall()方法


    public void restoreAtInstall(String packageName, int token) {
    if (skip) {
        // Auto-restore disabled or no way to attempt a restore

        if (transportClient != null) {
                    transportClient, "BMS.restoreAtInstall()");

        // Tell the PackageManager to proceed with the post-install handling for this package.
        if (DEBUG) Slog.v(TAG, "Finishing install immediately");
        try {
            mPackageManagerBinder.finishPackageInstall(token, false);
        } catch (RemoteException e) { /* can't happen */ }

这里会调用到 mPackageManagerBinder.finishPackageInstall(token, false)方法, 也就是PackageManagerService的finishPackageInstall()方法


    public void finishPackageInstall(int token, boolean didLaunch) {
        enforceSystemOrRoot("Only the system is allowed to finish installs");

        final Message msg = mHandler.obtainMessage(POST_INSTALL, token, didLaunch ? 1 : 0);


# PacakageManagerService
  case POST_INSTALL: {
            // Handle the parent package
            handlePackagePostInstall(parentRes, grantPermissions, killApp,
                    virtualPreload, grantedPermissions, didRestore,

            // Handle the child packages
            final int childCount = (parentRes.addedChildPackages != null)
                    ? parentRes.addedChildPackages.size() : 0;
            for (int i = 0; i < childCount; i++) {
                PackageInstalledInfo childRes = parentRes.addedChildPackages.valueAt(i);
                handlePackagePostInstall(childRes, grantPermissions, killApp,
                        virtualPreload, grantedPermissions, false /*didRestore*/,

            // Log tracing if needed
            if (args.traceMethod != null) {
                Trace.asyncTraceEnd(TRACE_TAG_PACKAGE_MANAGER, args.traceMethod,
        } else {
            Slog.e(TAG, "Bogus post-install token " + msg.arg1);

    } break;

private void handlePackagePostInstall(PackageInstalledInfo res, boolean grantPermissions,
            boolean killApp, boolean virtualPreload, String[] grantedPermissions,
            boolean launchedForRestore, String installerPackage,
            IPackageInstallObserver2 installObserver) {

     if (update) {
        extras.putBoolean(Intent.EXTRA_REPLACING, true);
    sendPackageBroadcast(Intent.ACTION_PACKAGE_ADDED, packageName,
            extras, 0 /*flags*/,
            null /*targetPackage*/, null /*finishedReceiver*/,
            updateUserIds, instantUserIds);
    if (installerPackageName != null) {
        sendPackageBroadcast(Intent.ACTION_PACKAGE_ADDED, packageName,
                extras, 0 /*flags*/,
                installerPackageName, null /*finishedReceiver*/,
                updateUserIds, instantUserIds);
   if (update) {
                packageName, extras, 0 /*flags*/,
                null /*targetPackage*/, null /*finishedReceiver*/,
                updateUserIds, instantUserIds);
        if (installerPackageName != null) {
            sendPackageBroadcast(Intent.ACTION_PACKAGE_REPLACED, packageName,
                    extras, 0 /*flags*/,
                    installerPackageName, null /*finishedReceiver*/,
                    updateUserIds, instantUserIds);
        if (notifyVerifier) {
            sendPackageBroadcast(Intent.ACTION_PACKAGE_REPLACED, packageName,
                    extras, 0 /*flags*/,
                    mRequiredVerifierPackage, null /*finishedReceiver*/,
                    updateUserIds, instantUserIds);
                null /*package*/, null /*extras*/, 0 /*flags*/,
                packageName /*targetPackage*/,
                null /*finishedReceiver*/, updateUserIds, instantUserIds);
    } else if (launchedForRestore && !isSystemApp(res.pkg)) {
        // First-install and we did a restore, so we're responsible for the
        // first-launch broadcast.
        if (DEBUG_BACKUP) {
            Slog.i(TAG, "Post-restore of " + packageName
                    + " sending FIRST_LAUNCH in " + Arrays.toString(firstUserIds));
        sendFirstLaunchBroadcast(packageName, installerPackage,
                firstUserIds, firstInstantUserIds);



  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 216,402评论 6 499
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 92,377评论 3 392
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 162,483评论 0 353
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 58,165评论 1 292
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 67,176评论 6 388
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 51,146评论 1 297
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 40,032评论 3 417
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 38,896评论 0 274
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 45,311评论 1 310
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 37,536评论 2 332
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 39,696评论 1 348
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 35,413评论 5 343
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 41,008评论 3 325
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 31,659评论 0 22
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 32,815评论 1 269
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 47,698评论 2 368
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 44,592评论 2 353