perf: shizuku appops

Author: lisonge

app/src/main/AndroidManifest.xml

@@ -28,10 +28,10 @@
         android:allowBackup="true"
         android:icon="@drawable/ic_launcher"
         android:label="@string/app_name"
+        android:networkSecurityConfig="@xml/network_security_config"
         android:roundIcon="@drawable/ic_launcher"
         android:supportsRtl="false"
-        android:theme="@style/AppTheme"
-        android:usesCleartextTraffic="true">
+        android:theme="@style/AppTheme">
 
         <meta-data
             android:name="channel"

app/src/main/kotlin/li/songe/gkd/MainViewModel.kt

@@ -288,7 +288,8 @@ class MainViewModel : BaseViewModel(), OnSimpleLife {
         shizukuErrorFlow.value = e
     }
 
-    suspend fun grantPermissionByShizuku(command: String) {
+    suspend fun guardShizukuContext() {
+        if (shizukuContextFlow.value.ok) return
         if (updateBinderMutex.mutex.isLocked) {
             toast("正在连接 Shizuku 服务，请稍后")
             stopCoroutine()
@@ -304,10 +305,8 @@ class MainViewModel : BaseViewModel(), OnSimpleLife {
                 delay(100)
             }
         }
-        val service = shizukuContextFlow.value.serviceWrapper ?: stopCoroutine()
-        if (!service.execCommandForResult(command).ok) {
-            stopCoroutine()
-        }
+        if (shizukuContextFlow.value.ok) return
+        stopCoroutine()
     }
 
     val a11yServiceEnabledFlow = useA11yServiceEnabledFlow()

app/src/main/kotlin/li/songe/gkd/a11y/A11yFeat.kt

@@ -15,7 +15,6 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.flow.debounce
 import kotlinx.coroutines.flow.update
 import kotlinx.coroutines.launch
-import li.songe.gkd.META
 import li.songe.gkd.appScope
 import li.songe.gkd.isActivityVisible
 import li.songe.gkd.permission.shizukuOkState
@@ -52,12 +51,12 @@ fun onA11yFeatInit() = service.run {
 
 private fun A11yService.useAttachState() {
     onCreated {
-        if (isActivityVisible() || META.debuggable) {
+        if (isActivityVisible()) {
             toast("无障碍已启动")
         }
     }
     onDestroyed {
-        if (isActivityVisible() || META.debuggable) {
+        if (isActivityVisible()) {
             if (willDestroyByBlock) {
                 toast("无障碍已局部关闭")
             } else {

app/src/main/kotlin/li/songe/gkd/permission/PermissionDialog.kt

@@ -53,31 +53,21 @@ sealed class PermissionResult {
     data class Denied(val doNotAskAgain: Boolean) : PermissionResult()
 }
 
-private suspend fun checkOrRequestPermission(
-    context: MainActivity,
-    permissionState: PermissionState
-): Boolean {
-    if (!permissionState.updateAndGet()) {
-        val result = permissionState.request?.invoke(context)
-        if (result == null) {
-            context.mainVm.authReasonFlow.value = permissionState.reason
-            return false
-        } else if (result is PermissionResult.Denied) {
-            if (result.doNotAskAgain) {
-                context.mainVm.authReasonFlow.value = permissionState.reason
-            }
-            return false
-        }
-    }
-    return true
-}
-
 suspend fun requiredPermission(
     context: MainActivity,
     permissionState: PermissionState
 ) {
-    val r = checkOrRequestPermission(context, permissionState)
-    if (!r) {
+    if (permissionState.updateAndGet()) return
+    permissionState.grantSelf?.invoke()
+    if (permissionState.updateAndGet()) return
+    val result = permissionState.request?.invoke(context)
+    if (result == null) {
+        context.mainVm.authReasonFlow.value = permissionState.reason
+        stopCoroutine()
+    } else if (result is PermissionResult.Denied) {
+        if (result.doNotAskAgain) {
+            context.mainVm.authReasonFlow.value = permissionState.reason
+        }
         stopCoroutine()
     }
 }

app/src/main/kotlin/li/songe/gkd/permission/PermissionState.kt

@@ -15,8 +15,8 @@ import kotlinx.coroutines.flow.MutableStateFlow
 import kotlinx.coroutines.flow.updateAndGet
 import li.songe.gkd.MainActivity
 import li.songe.gkd.app
-import li.songe.gkd.isActivityVisible
 import li.songe.gkd.shizuku.shizukuCheckGranted
+import li.songe.gkd.shizuku.shizukuContextFlow
 import li.songe.gkd.ui.share.LocalMainViewModel
 import li.songe.gkd.util.AndroidTarget
 import li.songe.gkd.util.mayQueryPkgNoAccessFlow
@@ -26,26 +26,29 @@ import li.songe.gkd.util.updateAppMutex
 
 class PermissionState(
     val check: () -> Boolean,
+    val grantSelf: (() -> Unit)? = null,
     val request: (suspend (context: MainActivity) -> PermissionResult)? = null,
     /**
      * show it when user doNotAskAgain
      */
     val reason: AuthReason? = null,
 ) {
     val stateFlow = MutableStateFlow(false)
-    val value: Boolean
-        get() = stateFlow.value
+    val value get() = stateFlow.value
 
     fun updateAndGet(): Boolean {
         return stateFlow.updateAndGet { check() }
     }
 
-    fun checkOrToast(): Boolean {
+    fun checkOrToast(): Boolean = if (!updateAndGet()) {
+        grantSelf?.invoke()
         val r = updateAndGet()
         if (!r) {
             reason?.text?.let { toast(it()) }
         }
-        return r
+        r
+    } else {
+        true
     }
 }
 
@@ -83,27 +86,27 @@ private suspend fun asyncRequestPermission(
 }
 
 @Suppress("SameParameterValue")
-private fun checkOpNoThrow(op: String): Int {
-    if (AndroidTarget.Q) {
-        try {
-            return app.appOpsManager.checkOpNoThrow(
-                op,
-                android.os.Process.myUid(),
-                app.packageName
-            )
-        } catch (e: Throwable) {
-            e.printStackTrace()
-        }
-    }
-    return AppOpsManager.MODE_ALLOWED
+private fun checkAllowedOp(op: String): Boolean = app.appOpsManager.checkOpNoThrow(
+    op,
+    android.os.Process.myUid(),
+    app.packageName
+).let {
+    it != AppOpsManager.MODE_IGNORED && it != AppOpsManager.MODE_ERRORED
 }
 
 // https://github.com/gkd-kit/gkd/issues/954
 // https://github.com/gkd-kit/gkd/issues/887
 val foregroundServiceSpecialUseState by lazy {
     PermissionState(
         check = {
-            checkOpNoThrow("android:foreground_service_special_use") != AppOpsManager.MODE_IGNORED
+            if (AndroidTarget.UPSIDE_DOWN_CAKE) {
+                checkAllowedOp("android:foreground_service_special_use")
+            } else {
+                true
+            }
+        },
+        grantSelf = {
+            shizukuContextFlow.value.appOpsManager?.allowAllSelfMode()
         },
         reason = AuthReason(
             text = { "当前操作权限「特殊用途的前台服务」已被限制, 请先解除限制" },
@@ -123,6 +126,9 @@ val notificationState by lazy {
         check = {
             XXPermissions.isGrantedPermission(app, permission)
         },
+        grantSelf = {
+            shizukuContextFlow.value.appOpsManager?.allowAllSelfMode()
+        },
         request = { asyncRequestPermission(it, permission) },
         reason = AuthReason(
             text = { "当前操作需要「通知权限」\n请先前往权限页面授权" },
@@ -157,13 +163,12 @@ val canDrawOverlaysState by lazy {
             // https://developer.android.com/security/fraud-prevention/activities?hl=zh-cn#hide_overlay_windows
             Settings.canDrawOverlays(app)
         },
+        grantSelf = {
+            shizukuContextFlow.value.appOpsManager?.allowAllSelfMode()
+        },
         reason = AuthReason(
             text = {
-                if (isActivityVisible()) {
-                    "当前操作需要「悬浮窗权限」\n请先前往权限页面授权"
-                } else {
-                    "缺少「悬浮窗权限」请先授权\n或当前应用拒绝显示悬浮窗"
-                }
+                "当前操作需要「悬浮窗权限」\n请先前往权限页面授权"
             },
             confirm = {
                 XXPermissions.startPermissionActivity(
@@ -206,6 +211,9 @@ val canWriteExternalStorage by lazy {
 val writeSecureSettingsState by lazy {
     PermissionState(
         check = { checkSelfPermission(Manifest.permission.WRITE_SECURE_SETTINGS) },
+        grantSelf = {
+            shizukuContextFlow.value.packageManager?.grantSelfPermission(Manifest.permission.WRITE_SECURE_SETTINGS)
+        },
     )
 }
 

app/src/main/kotlin/li/songe/gkd/service/GkdTileService.kt

@@ -49,8 +49,11 @@ fun switchA11yService() = modifyA11yRun {
         A11yService.instance?.disableSelf()
     } else {
         if (!writeSecureSettingsState.updateAndGet()) {
-            toast("请先授予「写入安全设置权限」")
-            return@modifyA11yRun
+            writeSecureSettingsState.grantSelf?.invoke()
+            if (!writeSecureSettingsState.updateAndGet()) {
+                toast("请先授予「写入安全设置权限」")
+                return@modifyA11yRun
+            }
         }
         val names = app.getSecureA11yServices()
         app.putSecureInt(Settings.Secure.ACCESSIBILITY_ENABLED, 1)

app/src/main/kotlin/li/songe/gkd/service/StatusService.kt

@@ -53,11 +53,13 @@ class StatusService : Service(), OnSimpleLife {
         } else {
             META.appName
         }
-        return if (!abRunning) {
+        return if (shizukuWarn) {
+            Triple(title, "Shizuku 未连接，请授权或关闭优化", "gkd://page/1")
+        } else if (!abRunning) {
             val text = if (a11yServiceEnabledFlow.value) {
                 "无障碍发生故障"
             } else if (writeSecureSettingsState.updateAndGet()) {
-                if (store.enableService && a11yPartDisabledFlow.value) {
+                if (store.enableService && store.enableBlockA11yAppList && a11yPartDisabledFlow.value) {
                     "无障碍已局部关闭"
                 } else {
                     "无障碍已关闭"
@@ -68,8 +70,6 @@ class StatusService : Service(), OnSimpleLife {
             Triple(title, text, abNotif.uri)
         } else if (!store.enableMatch) {
             Triple(title, "暂停规则匹配", "gkd://page?tab=1")
-        } else if (shizukuWarn) {
-            Triple(title, "Shizuku 未连接，请授权或关闭优化", "gkd://page/1")
         } else if (store.useCustomNotifText) {
             Triple(
                 title,

app/src/main/kotlin/li/songe/gkd/shizuku/AppOpsManager.kt

@@ -0,0 +1,51 @@
+package li.songe.gkd.shizuku
+
+import android.app.AppOpsManager
+import android.app.AppOpsManagerHidden
+import android.content.Context
+import com.android.internal.app.IAppOpsService
+import li.songe.gkd.META
+import li.songe.gkd.util.AndroidTarget
+import li.songe.gkd.util.checkExistClass
+
+class SafeAppOpsManager(
+    private val value: IAppOpsService
+) {
+    companion object {
+        val isAvailable: Boolean
+            get() = checkExistClass("com.android.internal.app.IAppOpsService")
+
+        fun newBinder() = getStubService(
+            Context.APP_OPS_SERVICE,
+            isAvailable,
+        )?.let {
+            SafeAppOpsManager(IAppOpsService.Stub.asInterface(it))
+        }
+    }
+
+    fun setMode(
+        code: Int,
+        uid: Int = currentUserId,
+        packageName: String,
+        mode: Int
+    ) = safeInvokeMethod {
+        value.setMode(code, uid, packageName, mode)
+    }
+
+    private fun setAllowSelfMode(code: Int) = setMode(
+        code = code,
+        packageName = META.appId,
+        mode = AppOpsManager.MODE_ALLOWED,
+    )
+
+    fun allowAllSelfMode() {
+        setAllowSelfMode(AppOpsManagerHidden.OP_POST_NOTIFICATION)
+        setAllowSelfMode(AppOpsManagerHidden.OP_SYSTEM_ALERT_WINDOW)
+        if (AndroidTarget.TIRAMISU) {
+            setAllowSelfMode(AppOpsManagerHidden.OP_ACCESS_RESTRICTED_SETTINGS)
+        }
+        if (AndroidTarget.UPSIDE_DOWN_CAKE) {
+            setAllowSelfMode(AppOpsManagerHidden.OP_FOREGROUND_SERVICE_SPECIAL_USE)
+        }
+    }
+}

app/src/main/kotlin/li/songe/gkd/shizuku/PackageManager.kt

@@ -2,6 +2,7 @@ package li.songe.gkd.shizuku
 
 import android.content.pm.IPackageManager
 import android.content.pm.PackageInfo
+import li.songe.gkd.META
 import li.songe.gkd.util.checkExistClass
 import kotlin.reflect.typeOf
 
@@ -41,4 +42,21 @@ class SafePackageManager(private val value: IPackageManager) {
     fun getInstalledPackages(flags: Int, userId: Int): List<PackageInfo> {
         return safeInvokeMethod { value.compatGetInstalledPackages(flags, userId) } ?: emptyList()
     }
+
+    fun grantRuntimePermission(
+        packageName: String,
+        permissionName: String,
+        userId: Int = currentUserId,
+    ) = safeInvokeMethod {
+        value.grantRuntimePermission(
+            packageName,
+            permissionName,
+            userId
+        )
+    }
+
+    fun grantSelfPermission(permissionName: String) = grantRuntimePermission(
+        packageName = META.appId,
+        permissionName = permissionName,
+    )
 }