feat(core.manager): 大于API 33，安装插件时，禁止插件文件可写入

.github/workflows/check-build-test.yml

@@ -175,3 +175,30 @@ jobs:
           script: ./gradlew androidTestSdk
       - name: post-build
         uses: ./.github/actions/post-build
+  test-sdk-avd-target34:
+    needs: build-sdk
+    name: 自动化测试-target 34的冒烟测试
+    runs-on: ubuntu-22.04
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: pre-build
+        uses: ./.github/actions/pre-build
+      - name: Enable KVM
+        run: |
+          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
+          sudo udevadm control --reload-rules
+          sudo udevadm trigger --name-match=kvm
+      - name: run AVD tests
+        uses: reactivecircus/android-emulator-runner@v2
+        with:
+          api-level: 34
+          target: google_apis
+          arch: x86_64
+          profile: pixel_xl
+          force-avd-creation: false
+          emulator-options: -no-snapshot-save -no-window -gpu swiftshader_indirect -noaudio -no-boot-anim -camera-back none
+          disable-animations: true
+          script: ./gradlew :test-dynamic-host:connectedTarget34DebugAndroidTest -Pandroid.testInstrumentationRunnerArguments.class=com.tencent.shadow.test.cases.plugin_main.ApplicationContextSubDirTest#testGetDatabasePath
+      - name: post-build
+        uses: ./.github/actions/post-build

CONTRIBUTING.md

@@ -89,7 +89,7 @@ Shadow的`coding`和`core.gradle-plugin`、`core.manifest-parser`、`core.transf
 如果测试方法是抽象类中的，需要传入一个具体的实现类。
 
 ```shell
-./gradlew :test-dynamic-host:connectedDebugAndroidTest -Pandroid.testInstrumentationRunnerArguments.class=com.tencent.shadow.test.cases.plugin_main.ApplicationContextSubDirTest#testGetDatabasePath
+./gradlew :test-dynamic-host:connectedTarget28DebugAndroidTest -Pandroid.testInstrumentationRunnerArguments.class=com.tencent.shadow.test.cases.plugin_main.ApplicationContextSubDirTest#testGetDatabasePath
 ```
 
 ## 清理工作区

buildScripts/gradle/maven.gradle

@@ -30,7 +30,7 @@ task jvmTestSdk() {
 
 task androidTestSdk() {
     dependsOn gradle.includedBuild('core').task(':manager-db-test:connectedDebugAndroidTest')
-    dependsOn ':test-dynamic-host:connectedDebugAndroidTest'
+    dependsOn ':test-dynamic-host:connectedTarget28DebugAndroidTest'
 }
 
 task testSdk() {

projects/sample/source/sample-host/src/main/java/com/tencent/shadow/sample/host/manager/FixedPathPmUpdater.java

@@ -18,6 +18,8 @@
 
 package com.tencent.shadow.sample.host.manager;
 
+import android.os.Build;
+
 import com.tencent.shadow.dynamic.host.PluginManagerUpdater;
 
 import java.io.File;
@@ -29,6 +31,12 @@ public class FixedPathPmUpdater implements PluginManagerUpdater {
 
     FixedPathPmUpdater(File apk) {
         this.apk = apk;
+
+        //在API 33以上的系统上，禁止动态加载文件可写入，满足系统安全限制
+        if (Build.VERSION.SDK_INT > Build.VERSION_CODES.TIRAMISU) {
+            //noinspection ResultOfMethodCallIgnored
+            apk.setWritable(false);
+        }
     }
 
 

projects/sdk/core/manager/src/main/java/com/tencent/shadow/core/manager/BasePluginManager.java

@@ -136,9 +136,25 @@ public final void onInstallCompleted(PluginConfig pluginConfig,
         String oDexDir = ODexBloc.isEffective() ?
                 AppCacheFolderManager.getODexDir(root, pluginConfig.UUID).getAbsolutePath() : null;
 
+        //在API 33以上的系统上，禁止动态加载文件可写入，满足系统安全限制
+        if (Build.VERSION.SDK_INT > Build.VERSION_CODES.TIRAMISU) {
+            setWritableFalseForPluginFiles(pluginConfig);
+        }
+
         mInstalledDao.insert(pluginConfig, soDirMap, oDexDir);
     }
 
+    private static void setWritableFalseForPluginFiles(PluginConfig pluginConfig) {
+        List<PluginConfig.FileInfo> list = new ArrayList<>();
+        list.add(pluginConfig.pluginLoader);
+        list.add(pluginConfig.runTime);
+        list.addAll(pluginConfig.plugins.values());
+        for (PluginConfig.FileInfo fileInfo : list) {
+            //noinspection ResultOfMethodCallIgnored
+            fileInfo.file.setWritable(false);
+        }
+    }
+
     protected InstalledPlugin.Part getPluginPartByPartKey(String uuid, String partKey) {
         InstalledPlugin installedPlugin = mInstalledDao.getInstalledPluginByUUID(uuid);
         if (installedPlugin == null) {

projects/sdk/core/runtime/src/main/java/com/tencent/shadow/core/runtime/ShadowApplication.java

@@ -29,10 +29,8 @@
 import android.content.res.Configuration;
 import android.os.Build;
 
-import java.lang.ref.WeakReference;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.WeakHashMap;
 
 /**
  * 用于在plugin-loader中调用假的Application方法的接口
@@ -88,7 +86,11 @@ public void onCreate() {
                         intentFilter.addAction(action);
                     }
                 }
-                registerReceiver(receiver, intentFilter);
+                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+                    registerReceiver(receiver, intentFilter, RECEIVER_EXPORTED);
+                } else {
+                    registerReceiver(receiver, intentFilter);
+                }
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }

projects/test/dynamic/host/test-dynamic-host/build.gradle

@@ -29,6 +29,16 @@ android {
     testOptions {
         animationsDisabled = true
     }
+    flavorDimensions "targetSdk"
+    productFlavors {
+        target28 {
+            //target28就是defaultConfig
+        }
+        target34 {
+            minSdkVersion 19
+            targetSdkVersion 34
+        }
+    }
 }
 
 dependencies {
@@ -40,22 +50,26 @@ dependencies {
     implementation project(':constant')
 
     testImplementation "junit:junit:$junit_version"
-    androidTestImplementation "androidx.test:core:$androidx_test_version"
     androidTestImplementation "androidx.test.ext:junit:$androidx_test_junit_version"
     androidTestImplementation "androidx.test.espresso:espresso-core:$espresso_version"
     androidTestImplementation "androidx.test.espresso:espresso-remote:$espresso_version"
     implementation "androidx.test.espresso:espresso-idling-resource:$espresso_version"
-    androidTestImplementation "androidx.test:runner:$androidx_test_version"
 
     implementation project(':plugin-use-host-code-lib')
     implementation project(':test-manager')
     implementation project(':custom-view')
+
+    androidTestTarget28Implementation "androidx.test:core:$androidx_test_version"
+    androidTestTarget34Implementation "androidx.test:core:1.6.1"
+
+    androidTestTarget28Implementation "androidx.test:runner:$androidx_test_version"
+    androidTestTarget34Implementation "androidx.test:runner:1.6.1"
 }
 
-def createCopyTask(projectName, buildType, name, apkName, inputFile, taskName) {
+def createCopyTask(projectName, buildType, name, apkName, inputFile, taskName, forTask) {
     def outputFile = file("${getBuildDir()}/generated/assets/${name}/${buildType}/${apkName}")
     outputFile.getParentFile().mkdirs()
-    return tasks.create("copy${buildType.capitalize()}${name.capitalize()}Task", Copy) {
+    return tasks.create("copy${buildType.capitalize()}${name.capitalize()}For${forTask.capitalize()}", Copy) {
         group = 'build'
         description = "复制${name}到assets中."
         from(inputFile.getParent()) {
@@ -81,7 +95,8 @@ def generateAssets(generateAssetsTask, buildType) {
             moduleName,
             'pluginmanager.apk',
             pluginManagerApkFile,
-            "assemble${buildType.capitalize()}"
+            "assemble${buildType.capitalize()}",
+            generateAssetsTask.name
     )
 
     def pluginZip = file("${getRootProject().getBuildDir()}/plugin-${buildType}.zip")
@@ -91,14 +106,15 @@ def generateAssets(generateAssetsTask, buildType) {
             'plugin-zip',
             "plugin-${buildType}.zip",
             pluginZip,
-            "package${buildType.capitalize()}Plugin"
+            "package${buildType.capitalize()}Plugin",
+            generateAssetsTask.name
     )
 
 
 }
 
 tasks.whenTaskAdded { task ->
-    if (task.name == "generateDebugAssets") {
+    if (task.name == "generateTarget28DebugAssets" || task.name == "generateTarget34DebugAssets") {
         generateAssets(task, 'debug')
     }
 }

projects/test/dynamic/host/test-dynamic-host/src/main/AndroidManifest.xml

@@ -10,7 +10,9 @@
         android:theme="@android:style/Theme.DeviceDefault"
         android:icon="@drawable/ic_launcher"
         tools:ignore="GoogleAppIndexingWarning">
-        <activity android:name=".MainActivity">
+        <activity
+            android:exported="true"
+            android:name=".MainActivity">
             <intent-filter>
                 <action android:name="android.intent.action.MAIN" />
 

projects/test/dynamic/host/test-dynamic-host/src/main/java/com/tencent/shadow/test/dynamic/host/PluginHelper.java

@@ -75,6 +75,10 @@ public void run() {
     private void preparePlugin() {
         try {
             InputStream is = mContext.getAssets().open(sPluginManagerName);
+
+            //noinspection ResultOfMethodCallIgnored
+            pluginManagerFile.setWritable(true);
+
             FileUtils.copyInputStreamToFile(is, pluginManagerFile);
 
             InputStream zip = mContext.getAssets().open(sPluginZip);

projects/test/dynamic/host/test-dynamic-host/src/main/java/com/tencent/shadow/test/dynamic/host/manager/FixedPathPmUpdater.java

@@ -18,6 +18,8 @@
 
 package com.tencent.shadow.test.dynamic.host.manager;
 
+import android.os.Build;
+
 import com.tencent.shadow.dynamic.host.PluginManagerUpdater;
 
 import java.io.File;
@@ -29,6 +31,12 @@ public class FixedPathPmUpdater implements PluginManagerUpdater {
 
     FixedPathPmUpdater(File apk) {
         this.apk = apk;
+
+        //在API 33以上的系统上，禁止动态加载文件可写入，满足系统安全限制
+        if (Build.VERSION.SDK_INT > Build.VERSION_CODES.TIRAMISU) {
+            //noinspection ResultOfMethodCallIgnored
+            apk.setWritable(false);
+        }
     }