feat(core.manager): 大于API 33，安装插件时，禁止插件文件可写入

由于插件apk都是BasePluginManager负责解压缩的，所以它应该负责它们禁止可写。

但是PluginManager本身的apk更新应该由更新文件的代码本身禁止文件可写入。

#1344

Author: shifujun

projects/sample/source/sample-host/src/main/java/com/tencent/shadow/sample/host/manager/FixedPathPmUpdater.java

@@ -18,6 +18,8 @@
 
 package com.tencent.shadow.sample.host.manager;
 
+import android.os.Build;
+
 import com.tencent.shadow.dynamic.host.PluginManagerUpdater;
 
 import java.io.File;
@@ -29,6 +31,12 @@ public class FixedPathPmUpdater implements PluginManagerUpdater {
 
     FixedPathPmUpdater(File apk) {
         this.apk = apk;
+
+        //在API 33以上的系统上，禁止动态加载文件可写入，满足系统安全限制
+        if (Build.VERSION.SDK_INT > Build.VERSION_CODES.TIRAMISU) {
+            //noinspection ResultOfMethodCallIgnored
+            apk.setWritable(false);
+        }
     }
 
 

projects/sdk/core/manager/src/main/java/com/tencent/shadow/core/manager/BasePluginManager.java

@@ -136,9 +136,25 @@ public final void onInstallCompleted(PluginConfig pluginConfig,
         String oDexDir = ODexBloc.isEffective() ?
                 AppCacheFolderManager.getODexDir(root, pluginConfig.UUID).getAbsolutePath() : null;
 
+        //在API 33以上的系统上，禁止动态加载文件可写入，满足系统安全限制
+        if (Build.VERSION.SDK_INT > Build.VERSION_CODES.TIRAMISU) {
+            setWritableFalseForPluginFiles(pluginConfig);
+        }
+
         mInstalledDao.insert(pluginConfig, soDirMap, oDexDir);
     }
 
+    private static void setWritableFalseForPluginFiles(PluginConfig pluginConfig) {
+        List<PluginConfig.FileInfo> list = new ArrayList<>();
+        list.add(pluginConfig.pluginLoader);
+        list.add(pluginConfig.runTime);
+        list.addAll(pluginConfig.plugins.values());
+        for (PluginConfig.FileInfo fileInfo : list) {
+            //noinspection ResultOfMethodCallIgnored
+            fileInfo.file.setWritable(false);
+        }
+    }
+
     protected InstalledPlugin.Part getPluginPartByPartKey(String uuid, String partKey) {
         InstalledPlugin installedPlugin = mInstalledDao.getInstalledPluginByUUID(uuid);
         if (installedPlugin == null) {

projects/test/dynamic/host/test-dynamic-host/src/main/java/com/tencent/shadow/test/dynamic/host/PluginHelper.java

@@ -75,6 +75,10 @@ public void run() {
     private void preparePlugin() {
         try {
             InputStream is = mContext.getAssets().open(sPluginManagerName);
+
+            //noinspection ResultOfMethodCallIgnored
+            pluginManagerFile.setWritable(true);
+
             FileUtils.copyInputStreamToFile(is, pluginManagerFile);
 
             InputStream zip = mContext.getAssets().open(sPluginZip);

projects/test/dynamic/host/test-dynamic-host/src/main/java/com/tencent/shadow/test/dynamic/host/manager/FixedPathPmUpdater.java

@@ -18,6 +18,8 @@
 
 package com.tencent.shadow.test.dynamic.host.manager;
 
+import android.os.Build;
+
 import com.tencent.shadow.dynamic.host.PluginManagerUpdater;
 
 import java.io.File;
@@ -29,6 +31,12 @@ public class FixedPathPmUpdater implements PluginManagerUpdater {
 
     FixedPathPmUpdater(File apk) {
         this.apk = apk;
+
+        //在API 33以上的系统上，禁止动态加载文件可写入，满足系统安全限制
+        if (Build.VERSION.SDK_INT > Build.VERSION_CODES.TIRAMISU) {
+            //noinspection ResultOfMethodCallIgnored
+            apk.setWritable(false);
+        }
     }