It wasn't including pre-created users; as such, apps that were not
installed on pre-created users got installed on reboot.
To test it:
adb shell pm create-user --pre-create-only
m ApiDemos
adb install --user current ~/Downloads/apk/ApiDemos.apk
adb shell dumpsys package com.example.android.apis |egrep ".*User .*:"|grep installed
adb shell stop && adb shell start
adb shell dumpsys package com.example.android.apis |egrep ".*User .*:"|grep installed
Without this fix, the second dumpsys would show the app installed
for the pre-created user.
Test: see above
Test: atest CtsMultiUserHostTestCases:android.host.multiuser.PreCreateUsersTest # will be added later on AOSP branch
Bug: 160252062
Change-Id: I46c2ec94a3ab422e3e39b66239c21fb6cbff5a8e
Merged-In: I46c2ec94a3ab422e3e39b66239c21fb6cbff5a8e
(cherry picked from commit 2c43b50331eaf428df3e7cb1886fd7d60f41ad54)
It's up to system-server to make sure it's doing the right thing.
-50ms create time for PM
Bug: 157191740
Test: adb reboot; adb logcat | grep -e PackageManagerTiming
Change-Id: I8b64164464fcc6447871cfb94475af7379b72c16
* if no apps are suspended by the DO prior to migration, nothing
changes
* if some apps were suspended by the DO and the DPC targets R+
via DPM.setPackagesSuspended(), this will result in personal
apps suspended explicitly by the PO DPC as if it called
DPM.setPersonalAppsSuspended(). The apps will stay suspended.
* if the DPC target SDK is below R, the apps will be unsuspended
because the DPC won't have a way to unsuspend them. And the
user will be stuck with suspended apps.
+ when unsuspending apps, don't collect the list of apps subject
to suspension, but rather unsuspend all that is suspended. It
is more robust, e.g. when some app stops meeting the
conditions, e.g. not SMS app anymore.
Bug: 157270093
Test: com.android.server.devicepolicy.DevicePolicyManagerServiceMigrationTest
Test: Manual, with TestDPC, also patching it to target R
Change-Id: I1eba7216dd557c94bef822b77d25b484dfcd6f63
Do not update package mappings for the system user when the user is
first unlocked. Instead, schedule a job to be executed after 24 to 48
hours from when the system user is unlocked. This makes the service
initialization phase for the system user a little quicker since their
data is not likely to be stale. Additionally, this also ensures that
restored data is not pruned by mistake if there is a device restart
before restore is completed. The updating of the mappings occurs
normally for other users, on user service initialization.
Bug: 155209652
Test: manually ensure job is skipped for system user
Test: atest android.app.usage.cts.UsageStatsTest
Change-Id: I2c03a1a05246d6b454569c4569813e90bede3693
Another way was to clear it using existing APIs for each package
but each call would cause Package Manager to re-serialize the
package-restrictions.xml, so I added a separate API to do it in
one go.
Bug: 149075700
Test: manual, set TestDPC as a DO, block uninstall, remove DO.
Test: manual, set TestDPC in COMP, block uninstall, migrate to COPE.
Change-Id: I9be69af5d7ae9e0ddda087d3e01e35f3429f25f4
PackageCacher uses file name and modified time to determine if the
parsed cache is still valid. However, all APK-in-APEX would have
the same name and modified time. This results in the out-of-date
cache would be treated as valid.
We need to invlidate the cache for the APK-in-APEX when that APEX
is going to be installed.
Bug: 152352677
Test: atest -p frameworks/base/core/java/android/content/pm
Test: atest -p frameworks/base/services/core/java/android/content/pm
Test: Update/rollback an APK-in-APEX, and check its version code
Change-Id: I2a722036d8b1e9c5121d385f8d0667fb908cc7a1
* Sort the user restrictions to local restriction
set and global bundle in DPMS instead of User
Manager.
* Simplify pushUserRestrictions.
* Split the list of user restrictions the profile
owner of an organization-owned device can set into
a global and local list. The user restrictions in
the local list will only be applied to the personal
profile as opposed to the whole device.
Bug: 149743941
148453838
Test: atest com.android.cts.devicepolicy.UserRestrictionsTest
atest com.android.server.devicepolicy.DevicePolicyManagerTest
atest com.android.server.pm.UserRestrictionsUtilsTest
atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testUserRestrictionSetOnParentLogged
atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testUserRestrictionsSetOnParentAreNotPersisted
Change-Id: I1faa1f4776deb98e38595a358c01c3fbabfb1840
The UserSystemPackageInstaller (USPI) uninstalls system
packages that are not needed, depending on the user type.
When that determination changes (or the feature is disabled)
it can also re-install those packages.
This cl specifies when it is appropriate for USPI to actually
perform the (un)installation.
1.
Introduces uninstallReason: records the reason why a package
was uninstalled from a given user. Right now, the only values
are UNKNOWN and USER_TYPE. The latter indicates that the USPI
system uninstalled the package. If the USPI whitelist changes
(or the USPI feature is disabled), uninstalled packages will
only be installed by USPI if the uninstallReason was USER_TYPE.
Any further uninstalls (e.g. by ManagedProvisioning) will reset
the uninstallReason to UNKNOWN, so USPI will no longer install
such packages in the future.
This prevents USPI from reinstalling system packages that other
mechanisms (such as ManagedProvisioning) uninstalled.
2.
USPI will uninstall a system package if it is blacklisted, but
only if that system package is new, i.e in two circumstances:
a. on first boot
b. on an OTA where the package was not present prior to the OTA
Bug: 143200798
Test: atest UserSystemPackageInstallerTest
Test: Confirmed (un)installations during manually simulated OTAs
Change-Id: Ia0714d1faa8f7c79082f2cc93a92ae36b9a4c918
Merged-In: Ia0714d1faa8f7c79082f2cc93a92ae36b9a4c918
* changes:
Remove telephony protection level.
Revert "Allowed telephony to bind network service"
Revert "add telephony role to some permissions needed by telephony module"
The android.os.action.POWER_SAVE_MODE_CHANGED broadcast already exists for context-registered receivers, this additionally sends the broadcast to a manifest-registered receiver specified in config_powerSaveModeChangedListenerPackage string.
Bug: 149978380
Test: manual using demo apk
Change-Id: I6a363650da7aee11f8f820a0ff78e7a2ec434fad
If the version of the permsision controller is different than what was
persisted then call the upgrade controller defined in the permission
controller.
Exempt-From-Owner-Approval: Got verbal approval from an OWNER
Bug: 148595539
Test: Manual; verify the version is persisted in runtime-permissions.xml
verify the upgrade is run when changing the version number
move runtime-permissions.xml to old location, verify works
Change-Id: I873ea4d5a0f1f66fed121e38cc6be62fa046a210
This change adds logging for debuggable and test-only apps when they are
the caller and visibility of another app is blocked due to app
enumeration.
It also adds an adb command to turn logging on and off for other apps to
help developers while debugging issues.
Test: atest AppsFilterTest AppEnumerationTests PackageManagerPerfTest
Bug: 145623959
Change-Id: I1fa930ef40bf08b00c41f51aa25c50b2189395bf
The session id will be used by RollbackManager to simplify the code in
searching for rollbacks and sessions.
(Cherry-picked from 503c1aca53)
Bug: 149663536
Test: m
Merged-In: I94003873f4f244fd6543f22bdbe7b6d4a31aceaf
Change-Id: I94003873f4f244fd6543f22bdbe7b6d4a31aceaf
When permission is granted to another app via URI, we implicitly grant
visibility to that app of the app ID that that URI resolves to.
Test: atest AppSecurityTests
Fixes: 149781706
Fixes: 145677500
Exempt-From-Owner-Approval: Owner approved prior to cherry-pick
Change-Id: I7c8967a4464fd821e4f95d8eb6c0bcfadadb912e
Serialising package restrictions uses synchronous disk access; callers
of these methods should probably use background threads for this.
Bug: 149216360
Test: TreeHugger
Change-Id: I6607a7225bf7daaad8a78e4d1e4c585ba5ac3efc
Signed-off-by: Julius D'souza <jdsouza@google.com>
There may be policy critical apps that must not be suspended by the
user in a managed profile. The owner can now use either of the following
to block suspension of apps:
- DISALLOW_APPS_CONTROL: Blocks suspension of all apps in the user
- DISALLOW_UNINSTALL_APPS: Blocks suspension of all apps in the user
- setUninstallBlocked: Blocks suspension of a given package.
The same also block any of the DistractionRestriction to be set via
PackageManager#setDistractingPackageRestrictions. This is to make sure
the apps can still show notifications.
Since the owner should have the final call, these do not block the owner
from adding app suspensions itself. Whenever either of these are set,
any app suspensions that were not originally added by the owner are
lifted immediately and any distraction restrictions that were added are
removed.
Also, clearing restrictions and suspensions if an app with SUSPEND_APPS
permission is disabled. Even though it is expected that UI not allow
such an app to be disabled, it is hard to enforce across all device
implementations. And a missed edge case would lead to permanently
unusable apps on the device.
This change also fixes a bug where any DistractionRestrictions set
weren't cleared on suspending app data clear.
Test: atest GtsSuspendAppsTestCases
Bug: 144826981
Bug: 145735990
Change-Id: I81a492e1d07a8cc9aeb0acd7e5142826824a42ae
Moves all system state out of AndroidPackage and into
PackageStateUnserialized, which lives inside a PackageSetting.
This makes AndroidPackage effectively immutable after it exits
the scan/install process.
Specifically, moves isUpdatedSystemApp, isHiddenUntilInstalled,
seInfoOverride, cpuAbiOverride, PackageUsage,
and sharedLibraryFiles/Infos.
Bug: 135203078
Test: atest com.android.server.pm.parsing
Change-Id: I44baab113f3b6b138472b15a61e0874173bc694f
Removes the massive old ComponentParseUtils in favor of
the new split classes.
Cleans up the parsing code to be uniform, removing the
String[] outError pattern in favor of ParseInput.
Bug: 135203078
Test: atest com.android.server.pm
Change-Id: I584ed37d4715300453dbe760d45d1eb4759b3dd3
Part of the Parsing/ParsedPackage split into core/server.
This splits all the "important" changes, or those which change
significant code/logic and that requires a closer look during
review.
Bug: 135203078
Test: enumerated in first commit of change ID
Ib4fe51d729a56bfb0ea1316e577358ba0dfceccf
Change-Id: Ie0e4394de2b3063121d850060fcd58622511c59d
* changes:
Clear preferred activities affected by MIME groups changes
Implement new API to modify MIME groups by adding/removing MIME types
Add mimeGroup tag to intent filters
This change adds two new flags for starting activities:
FLAG_ACTIVITY_REQUIRE_NON_BROWSER and FLAG_ACTIVITY_REQUIRE_DEFAULT.
The first will only start if the result is a non-browser result. The
second will only start if the result is not the resolver activity.
Bug: 148452357
Test: Builds
Change-Id: I1f25bd78b6231c08036c15436bd8c2e3dccf56d6
MIME groups can now be modified via PackageManager.
MIME group modification will affect intent-filters
that were declared with that |mimeGroup| in manifest
in the same way, as if intent-filter was initially
declared with |mimeType| attributes that correspond to
MIME types in MIME group
Preferred activities will be handled in the next CL
Bug: 134736173
Bug: 136635677
Test: atest android.content.pm.PackageParserTest#testPackageWithIntentFilters*
Change-Id: I083a8794897e632aad5325a67311931193c69a3c
UsageStats will return obfuscated NOTIFICATION_SEEN or
NOTIFICATION_INTERRUPTION events to callers of #queryEvents
and #queryEventsForUser if they don't hold the MANAGE_NOTIFICATIONS
permission.
Additionaly, refactor the query API in UsageStats to take in flags as
defined in UsageEvents to make future obfuscation/visibility parameters
cleaner.
Also, add the MANAGE_NOTIFICATIONS permission to shell for CTS test.
Bug: 144724524
Test: atest android.app.usage.cts.UsageStatsTest
Test: atest com.android.server.people.data.UsageStatsQueryHelperTest
Test: atest android.content.pm.cts.shortcutmanager.ShortcutManagerUsageTest
Change-Id: I118de7e589ac8dd5924d3740c70903fa484b79b5
UsageStats will not return LOCUS_ID_SET events to callers
of #queryEvents and #queryEventsForUser if they don't have visibility.
Bug: 148821246
Test: manual, atest tests/tests/app.usage/src/android/app/usage/cts/UsageStatsTest
Change-Id: Ic904a97e66775ef63bc8b84e67e8f430b2a4121b
Revert "Adjust monkey to changed internal APIs"
Revert "Test featureId is correctly used in startActivity"
Revert submission 10111030-activityStarter_featureId
Reason for revert: presubmit test breakage
Reverted Changes:
Ic7056b492: Activity start: Send featureId from context->AppOp...
I8e2a07da7: Adjust monkey to changed internal APIs
I7a6af6fb1: Test featureId is correctly used in startActivity
Change-Id: I48c55a962c990b22ea49e923baa7c73b121d179b
The expected usage pattern for noteOp is to get the
Context#getOpPackageName() and Context#getFeatureId() in the calling app
and the call
noteOp(callingPackageName, Binder.getCallingUid(), callingFeatureId)
As the featureId parameter is new this parameter has to been piped all
through from the ...Manager classes running in the app all way deep into
the bowels of the system server.
There is a special featureId==null for the "default" feature. This is
used in two cases:
- In case the system server (packageName == null || packageName ==
"android") makes a call
- In the case there is no caller. In this case I left annotations in the
code to make clear that the default feature is used
Raw binder interfaces (defined in AIDL files) are not supposed to be
used by apps. Still historically this has happened and we ended up with
@UnsupportedAppUsage tags in these files. Also AIDL does not support
two methods with the same name but different parameters. I.e. in the
case when I had to add a paramater to a method tagged as UnsupportedAppUsage I
- created a new method ...WithFeature with the additional paramter
- set a maxTargetSDK for the old method and mention the public API to
use in the deprecation method
This is really not pretty. Once there is no more app using the old
internal API this hack can be removed.
Additionally this change removed all internal calls to
AppOpsService.noteOperation and AppOpsService.checkOperation and
replaces them with the public API equivalent. This sometimes means to
move the resolution of the mAppOpsManager to be lazy.
Exempt-From-Owner-Approval:: Just piping through arguments
Bug: 136595429
Test: atest --test-mapping frameworks/base/services/core/java/com/android/server/am/
atest CtsAppOpsTestCases added test to cover activity start
atest WmTests
Change-Id: Ic7056b492cb1c9a79158e6c2b4864898a0eb5b2a
Permissions that have the new wellbeing protection flag will be granted
to the retail demo app, as defined by the OEM in the system resource.
The PACAKGE_USAGE_STATS permission is updated to use the retailDemo
flag.
Bug: 146043112
Test: atest CtsPermission2TestCases:PermissionPolicyTest
Change-Id: I30b451e6e88a4d65af5e5f774bcd30a14721a8a9
Add locus update event to the Usage Stats.
Test: Build and run on a test device with a test app.
Bug: 147594233, 147100454
Change-Id: I1e058ac87244d47719606d8dcfaea2df4bff43d2
Signed-off-by: Yuliya Kamatkova <yuliyak@google.com>
Previous implementation was a direct callthrough to the public facing
method. This change deprecates the original method and introduces a new
method with the "Internal" suffix until we can clean up all uses of the
existing method.
Test: boots
Bug: 142386643
Change-Id: I86f92508f0236dbe611ac895fec0ad94f8e80afe
The flag PackageManager.DONT_DELETE_DATA was renamed to DELETE_KEEP_DATA
long ago in commit 7767eac.
Bug: 28343859
Test: n/a
Change-Id: I9e4079ec394f92a3e293df7b80b627e2b6130827
Added @SystemApi to all APIs currently used by TvProfileService that were @hide only.
Bug: 139914710
Test: Apps built with stable_system or experimental_system can use the APIs
Change-Id: I3499244b4d545a7a9401c7941663045bcd89c6fe
Add new manifest tags for declaring processes that an app
will use. While declaring these processes, one can specify
specific permissions that will be denied to that process.
Doing so will result in any gids associated with that permission
from being given to that process, and any permission checks
that include a pid (which is not all of them) will fail when
checking a permission for that process.
For now, we limit these declarations to only the internet
permission, since we really need to do a lot of auditing to
determine how many other permissions can be denied (based on
how many permission checks for it are including the pid).
That said, this is explicitly not a security guarantee, so it
isn't a problem if there are ways around it (the process could
always IPC to another of the app's processes to do the same
thing).
One thing to be done is have the parser enforce that once an
app declares processes, it can only run things in those processes
and no others.
At this point the code is not yet tested at all. That will be
coming in later. This gets the APIs and various infrastructure
in place.
Bug: 143085640
Test: not yet tested
Change-Id: I27e8d0c811a5004fe251883f243517bb00d32d67
Overlays targeting shared libraries should be loaded into the
resources of every target that depends on the shared library.
Static shared libraries are currently not supported because overlays
should override all versions of static shared libraries and there is
not currently support for an overlay targeting multiple APKs.
Also created a test instrumentation and host test suite for testing
overlays and packages on the system image.
Bug: 140790224
Test: atest OverlayRemountedTest
Change-Id: I20a217b6368d6cf92b2b9f46908fd58012933f72
Currently, the RollbackManager is not aware of the apk-in-apex being
installed since the install is done by PM during scan phase of boot. As
such, RM does not backup the user data of the apk-in-apex.
In the new implementation, we ask the RM to snapshot/restore user data
of apk-in-apex while resuming the apex session in StagingManager.
Bug: 142712057
Test: atest StagedRollbackTest#testRollbackApexWithApk
Test: atest AppDataRollbackHelperTest
Test: atest RollbackStoreTest
Test: atest RollbackUnitTest
Change-Id: Ibbaa5d0c98cb883588c085d77bc89c3e8217d76a
