Design of Role-Based RBAC access control logic for Android Access Control

The Android system has many functions for permission check. The "checkuidpermission" in "packagemanagerservice. Java" is the underlying permission check function. The "checkuidpermission" function first finds the approved permission set "grantedpermission" based on the process's "uid ", then, determine whether the requested permission name "permname" is in "grantedpermission. As shown in, this topic designs the function "permset", which performs joint queries on the permission table and user table, and returns the corresponding permission set "permset" according to "uid ", RBAC then checks whether the requested permission name permname is in "permset". If not, the error code is returned.

1. Key Method Design

After a mobile phone user customizes the security policy using the security policy tool, the permtorole and uidtorole tables are formed. Now you need to know that a uid is given, what is the permission set authorized by the user? The following method is designed:

/*

* Return permissions set associated withuid

* @ Uid: The UID of app

**/

Public hashset <string> permissionsset (stringuid );

This method uses the operation object to jointly query the permission table and user table, searches for related permissions based on the UID, and returns the hashset <string> type variable. Because hashset uses a red/black tree as the storage structure, the query efficiency is high. This design reduces the time overhead of RBAC control logic decision-making.

2. Modify checkuidpermission

To implement RBAC access control, you must modify the checkuidpermission method. First, find the relevant permission set based on the UID parameter, as shown below:

If (rbacdebug. RBAC = true ){

Permset = permissionsset (string. valueof (UID ));

}

After Android approves the permission, add the RBAC Control Code as follows:

If (rbacdebug. RBAC = true ){

If (permset. isempty () = true | permset. Contains (permname) = true ){

Return packagemanager. permission_granted;

}

Else {

Return packagemanager. permission_denied;

}

}