可以为root设备授予哪些权限？

Question

Short and simple question:

rooted devices can grant apps with extra permissions during runtime (using "grant permission" command using the adb , as I recall). An example for this is the ability to read system logs , which became a non-user permission starting with API16 (link here ) .

Is there a list of such permissions?

Answer 1

The command you may be thinking of is pm grant PACKAGE PERMISSION , which can be sent to an adb-connected device using adb shell pm grant PACKAGE PERMISSION .

However, only optional permissions can be granted or revoked this way. If you try to grant a permission not requested in the app's manifest, you'll get Operation not allowed: java.lang.SecurityException: Package PACKAGE has not requested permission PERMISSION . Likewise, if you try to revoke a permission not deemed optional, you'll get Operation not allowed: java.lang.SecurityException: Can't change PERMISSION. It is required by the application Operation not allowed: java.lang.SecurityException: Can't change PERMISSION. It is required by the application . Even for a rooted device or emulator.

Now, as far as what is deemed 'optional', as well as getting a list of such permissions, that's a little unclear. However, based on some experimentation, I believe these include at least the set of permissions assigned to permission group android.permission-group.DEVELOPMENT_TOOLS . You can see which these are on a running device using pm list permissions -g . On my API 19 emulator, as well as a Nexus 7 running AOSP 4.4.4, these are:

group:android.permission-group.DEVELOPMENT_TOOLS
  permission:android.permission.ACCESS_ALL_EXTERNAL_STORAGE
  permission:android.permission.SIGNAL_PERSISTENT_PROCESSES
  permission:android.permission.READ_LOGS
  permission:android.permission.SET_ALWAYS_FINISH
  permission:android.permission.WRITE_SECURE_SETTINGS
  permission:android.permission.SET_PROCESS_LIMIT
  permission:android.permission.CHANGE_CONFIGURATION
  permission:android.permission.DUMP
  permission:android.permission.SET_DEBUG_AP

If (and only if) these are declared in the manifest, then you can grant/revoke them using the above command. Note that they are not granted automatically on installation; you must issue the pm grant command. I was able to observe and confirm this by using the Settings app and seeing the reported permissions change as I granted and revoked them.

There may be other permissions that behave like this, but I haven't found them. Normal permissions like android.permission.INTERNET cannot be granted or revoked in this manner.

Addendum: Per additional question in comment section regarding pm set-permission-enforced PERMISSION : As far as I know, the only permission which currently supports this is android.permission.READ_EXTERNAL_STORAGE . I'm basing this statement on my reading of the source code , which is also consistent with my experiences using the command. The purpose of the selective enforcement setting on this permission is to allow testing of apps under pre- and post-API 19 conditions as described here .