Privileged apps can now be located in the vendor partition. This is
mainly to move SoC-dependent apks to the vendor partition so that the
system partition becomes more generic.
Like existing privileged apps in the system partition, the list of
privileged apps in the vendor partition and the permissions they are
using must be white-listed. The whitelist can be specified via
<privapp-permissions> tags in one of /vendor/etc/permissions/*.xml
files. Note: vendors can only white-list the apps in vendor partition,
but not the apps in system partition.
This change also introduces a new flag 'vendor-privileged' to the
permission protection level. It is used to expose platform-defined
permissions to the privileged vendor apps. If a platform permission does
not have this flag, it is not granted to vendor apps even when the app
is privileged and white-listed.
Bug: 35301609
Test: `mm` under frameworks/base/tests/privapp-permissions
adb sync && adb reboot
adb shell cmd package \
com.android.framework.permission.privapp.tests.vendor
shows that the app is installed.
android.permission.BIND_IMS_SERVICE is in the installed permissions list
android.permission.MANAGE_USE is not in the installed permissions list,
but is in the requested permissions list.
Change-Id: I196375aaaa9ea3a2ba15686ef08cf3f70ade7046
When emitting a method or field, verify that we're able to reference
all mentioned types. This ensures that we don't accidentally
reference undefined classes/interfaces.
Test: manual inspection of API files
Bug: 69791141
Change-Id: I84e0c87fe83daa118661f61dbdf17b58ea5282d4
In several locations we were passing both a parsed Package object
and a scanFile File object. But, the Package object was parsed from
the scanFile! Instead, just pass the singular Package object and
pull the scanned file from it.
Bug: 63539144
Test: bit FrameworksServicesTests:com.android.server.pm.
Change-Id: Ibd200fb567e005869de61d9c123f211fa9a38f0a
Parse flags are often used confusingly to control policy during
APK parsing. Additionally, some flags [such as PARSE_IS_PRIVILEGED
or PARSE_IS_SYSTEM] aren't always determined based upon APK location
[they change based upon which apps are installed]. This means we
have to perform some gymnastics to set them correctly _before_
parsing a package.
Instead, these should be scan flags that can be determined at a
later point during package parsing. Then, based upon the scan flag
we apply policy on the package object to create the resulting
data structures.
Bug: 63539144
Bug: 69663125
Test: Manual; it builds, runs and applications can be installed / removed
Test: bit FrameworksServicesTests:com.android.server.pm.
Change-Id: I53fb18e58544e0a39f35eb6fb53c950e5c696aee
Adds publicly-visible API for compile SDK version and codename. AAPT2 does
not support these yet, but that will be included in a follow-up CL.
Also refactors the Unsupported Display Size dialog out to a generic app
warnings manager class and fixes a bug there where the "always show"
preference was not persisted.
Improves documentation around threading and concurrency guarantees.
Bug: 64107584
Fixes: 68995409
Test: CtsActivityManagerDeviceTestCases
Change-Id: Ic86efa554b8b1caf80e5e004fda897d3483a68e8
Modify "cmd package bg-dexopt-job" to accept an optional list of
packages to run bg-dexopt on to help with testing.
Test: make && flashall && automated tests (ag/2959616)
Test: adb shell cmd package bg-dexopt-job
Test: adb shell cmd package bg-dexopt-job pkg_name
BUG: 64807719
Change-Id: Ibf1fda88810dd4ec19fbbfe3322c35b201727707
Also removed everything needed only for this path
Test: Installed app via package installer, adb, google play store
Bug: 65261282
Change-Id: Ia8a03fa5900687cd2adf844ba7e6c07e0537382e
Tried to find the right middle ground in between
- not exposing potentially changing implementation details
- being clear on what it is for and what not
- being too alarmist vs. being to weak
Test: compiled
Bug: 69177691
Change-Id: Ifb40e350a18bf72c113229f31e129b7e8fdacd2a
This API will primarily be used by GmsCore to send updated configs.
Also, sending a config will implicitly notify the StatsD that this
client wants to know when it should request data for this config.
We send a broadcast so that all interested subscribers can know if
data needs to be pulled.
Test: Manually tested that sending broadcast works via new adb
command added in StatsService.
Change-Id: I23cdd1df706036e14b32c3d01af30c3d4af819fa
Redirect developers to use the Support Library
versions of Fragments and Loaders to ensure that
they get consistent behavior across versions of
Android and all devices as well as access to
Lifecycle improvements.
Test: Confirmed APIs deprecated in current.txt
BUG: 68381801
Change-Id: I58ec599e557fc93c8547c45ba7c9ced96b0c8616
ContentProviderClient has a nice setDetectNotResponding() method
that detects hanging calls to remote providers, and it can trigger
an ANR to kill the app and release the blocked thread.
We typically don't want to perform blocking calls from the system
server, but we're okay allowing them on CPCs that are using
setDetectNotResponding() to watch for hung clients.
Test: builds, boots
Bug: 69128093
Change-Id: I223aaf1d0cef0f8dee28f800d9e3c101d7449952
Network security watchlist service is a service to monitor all potential
harmful network traffic. By setting a network watchlist, any connections
that visit any site from watchlist will be logged.
Logs will be aggregated everyday and encoded using differential
privacy before exporting it from framework.
This feature is disabled now, run "setprop ro.network_watchlist_enabled true" to enable it.
All network events are handled in an async bg thread, it should not
cause any delay in netd. Also, it uses the hooks in enterprise network logging,
so we can run netd_benchmark to measure the impact to netd.
Here are the things not included in this CL:
- ConfigUpdater to get and set watchlist
- Differential privacy encoding logic and reporting
- CTS
- Memory and performance optimization for internal watchlist data structure
Test: manual - turn on the feature, hard code a watchlist xml, process
that visited that domain is being logged in sqlite.
Test: run netd_benchmark - seems no obvious performance change.
Test: bit FrameworksCoreTests:android.net.NetworkWatchlistManagerTests
Test: runtest frameworks-net
Test: runtest frameworks-services -p com.android.server.net.watchlist
Bug: 63908748
Change-Id: I09595178bac0070a867bc5e0501a7bf2c840e398
The shortcut manager now has a set of additional packages that
have access, which the voice interaction system service feeds in
to.
Bug: 68760723
Test: CtsVoiceInteractionTestCases
Change-Id: I2a69f83569eb350f405bdd548998570ceef9ea7e
It's expected to be set with ACTION_FACTORY_RESET intents, and this
action was exposed as a @SystemApi in b/32974361.
Change-Id: Ib29ffb8d62460eb4ec0208076331bbba3272f290
Fixes: 67751036
Test: Just TreeHugger; no functional changes
CTS will be in next CL.
APIs for labels/ icons of profile switching are not implemented yet.
Test: Wrote a test app to play around the APIs
Test: bit FrameworksServicesTests:com.android.server.pm.crossprofile.CrossProfileAppsServiceImplTest
BUG: 67765768
Change-Id: I27714aa4a8d61c6df398cbc5112cb4c35316a3fb
This changelist removes checks that enforce that only fullscreen,
opaque activities may request orientation changes. An application
may itself be compatible with the change and update their SDK level.
However, it is possible they use a library that has not itself been
updated and still leverages this feature for non-fullscreen
activities.
Change-Id: Ie1d300e3531fc8c588d2124dea698e4a876713c2
Fixes: 68684796
Test: bit FrameworksServicesTests:com.android.server.wm.AppWindowTokenTests
This changelist removes checks that enforce that only fullscreen,
opaque activities may request orientation changes. An application
may itself be compatible with the change and update their SDK level.
However, it is possible they use a library that has not itself been
updated and still leverages this feature for non-fullscreen
activities.
Fixes: 68684796
Test: bit FrameworksServicesTests:com.android.server.wm.AppWindowTokenTests
Change-Id: Ib5a60f0b660ad145d07e953e541a0a1b801aeef2
We can use the new mechanism to ask the calling shell to open
a file in order to implement the rest of these commands, allowing
you to give the path to an apk to install. That API is thus
extended to allow you to open readable files, not just opening
file for writing.
Doing this however means we no longer can pass a file path to
AssetManager for the apk to parse, we only have an already open
fd for that. Extending AssetManager to allow adding apks from
fds is not that hard, however, since the underlying zip library
already supports this.
This main thing this changes is in AssetManager.cpp where we
retrieve the open zip file for a particular apk that has been
added. This used to look up the zip file by path every time
it was needed, but that won't work anymore now that we can have
things added by fd. Instead, we keep track of each opened zip
in the AssetManager, so we can just directly retrieve it from
the asset_path representing the item that was added. As a
side-effect, this means for normal paths we no longer need to
look up by name, but just have the opened zip file directly
accessible. (This is probably good, but it does mean that we
no longer run the logic of seeing if the zip file's timestamp
has changed and re-opening it if it has. We probably shouldn't
be relying on that for an active AssetManager anyway, and maybe
it is even good that we don't allow the zip file to change
under it?)
A follow-up change will finally remove the Pm.java implementation
and turn the pm "command" into a simple shell script that runs
cmd package.
Test: manual
Change-Id: Ie103e3bdaa5b706796cc329254f2638151a3924f
