This method was added to operate as an internal variant of the
public getPackageUid method since pmInternal#getPackageUid already
exists. However, the pmInternal#getPackageUid method just called into the
public interface, enforcing permissions and visibility checks.
Since we don't expect any UID/permission checks in a local service,
any callers to this method requiring permission checks should be
migrated onto the PackageManager public method. Remove the original
pmInternal#getPackageUid and rename #getPackageUidInternal to take
its place.
Bug: 148235092
Test: Build pass and boot
Change-Id: Ibd4aa8a6a7743ff378a23e21c68efc52692580c7
UserController calls SystemServiceManager on some stages of the user
switch lifecycle, and SystemServiceManager calls the respective
callbacks in the SystemService objects it manages.
Prior to Android 11, these callbacks would take a @UserIdInt userid,
but now they take a TargetUser (which in turn contains a UserInfo).
So, currently, UserController calls SystemServiceManager passing the
userid, and SystemServiceManager gets the UserInfo from
UserManagerService. That works fine most of the time, but there might
be some race conditions when a user is removed that can crash the
system when such user is stopped (because UserManagerService doesn't
have its UserInfo anymore).
This CL fixes this issue by refactoring the user switch workflow so:
- TargetUser doesn't hold a reference to the UserInfo anymore, but
offers the methods needed by SystemService implementations.
- SystemServiceManager keeps track of the TargetUser objects used in
the callbacks.
Test: manual verification
Fixes: 159831354
Change-Id: If68ab1b5e247c7389c8cac16432d8b8809507e86
Alongside SIGNATURE and ACTOR_SIGNATURE policies, add a CONFIG_SIGNATURE
policy to overlayable that an overlay fulfills if it is signed with the
same certificate as the reference package whose package name is
declared in the 'config-signature' tag of SystemConfig and is vetted by
OMS that it's a system pre-installed package.
BUG: 158726924
TEST: regular aapt2, idmap2, OMS tests
Change-Id: I645ee72271496008742886274be0d63a2985201b
It's up to system-server to make sure it's doing the right thing.
-50ms create time for PM
Bug: 157191740
Test: adb reboot; adb logcat | grep -e PackageManagerTiming
Change-Id: I8b64164464fcc6447871cfb94475af7379b72c16
* if no apps are suspended by the DO prior to migration, nothing
changes
* if some apps were suspended by the DO and the DPC targets R+
via DPM.setPackagesSuspended(), this will result in personal
apps suspended explicitly by the PO DPC as if it called
DPM.setPersonalAppsSuspended(). The apps will stay suspended.
* if the DPC target SDK is below R, the apps will be unsuspended
because the DPC won't have a way to unsuspend them. And the
user will be stuck with suspended apps.
+ when unsuspending apps, don't collect the list of apps subject
to suspension, but rather unsuspend all that is suspended. It
is more robust, e.g. when some app stops meeting the
conditions, e.g. not SMS app anymore.
Bug: 157270093
Test: com.android.server.devicepolicy.DevicePolicyManagerServiceMigrationTest
Test: Manual, with TestDPC, also patching it to target R
Change-Id: I1eba7216dd557c94bef822b77d25b484dfcd6f63
Do not update package mappings for the system user when the user is
first unlocked. Instead, schedule a job to be executed after 24 to 48
hours from when the system user is unlocked. This makes the service
initialization phase for the system user a little quicker since their
data is not likely to be stale. Additionally, this also ensures that
restored data is not pruned by mistake if there is a device restart
before restore is completed. The updating of the mappings occurs
normally for other users, on user service initialization.
Bug: 155209652
Test: manually ensure job is skipped for system user
Test: atest android.app.usage.cts.UsageStatsTest
Change-Id: I2c03a1a05246d6b454569c4569813e90bede3693
Another way was to clear it using existing APIs for each package
but each call would cause Package Manager to re-serialize the
package-restrictions.xml, so I added a separate API to do it in
one go.
Bug: 149075700
Test: manual, set TestDPC as a DO, block uninstall, remove DO.
Test: manual, set TestDPC in COMP, block uninstall, migrate to COPE.
Change-Id: I9be69af5d7ae9e0ddda087d3e01e35f3429f25f4
PackageCacher uses file name and modified time to determine if the
parsed cache is still valid. However, all APK-in-APEX would have
the same name and modified time. This results in the out-of-date
cache being treated as valid.
We need to invalidate the cache for the APK-in-APEX when that APEX
is going to be installed.
Bug: 152352677
Test: atest -p frameworks/base/core/java/android/content/pm
Test: atest -p frameworks/base/services/core/java/android/content/pm
Test: Update/rollback an APK-in-APEX, and check its version code
Change-Id: I2a722036d8b1e9c5121d385f8d0667fb908cc7a1
* Sort the user restrictions to local restriction
set and global bundle in DPMS instead of User
Manager.
* Simplify pushUserRestrictions.
* Split the list of user restrictions the profile
owner of an organization-owned device can set into
a global and local list. The user restrictions in
the local list will only be applied to the personal
profile as opposed to the whole device.
Bug: 149743941
148453838
Test: atest com.android.cts.devicepolicy.UserRestrictionsTest
atest com.android.server.devicepolicy.DevicePolicyManagerTest
atest com.android.server.pm.UserRestrictionsUtilsTest
atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testUserRestrictionSetOnParentLogged
atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testUserRestrictionsSetOnParentAreNotPersisted
Change-Id: I1faa1f4776deb98e38595a358c01c3fbabfb1840
The UserSystemPackageInstaller (USPI) uninstalls system
packages that are not needed, depending on the user type.
When that determination changes (or the feature is disabled)
it can also re-install those packages.
This CL specifies when it is appropriate for USPI to actually
perform the (un)installation.
1. Introduces uninstallReason: records the reason why a package
was uninstalled from a given user. Right now, the only values
are UNKNOWN and USER_TYPE. The latter indicates that the USPI
system uninstalled the package. If the USPI whitelist changes
(or the USPI feature is disabled), uninstalled packages will
only be installed by USPI if the uninstallReason was USER_TYPE.
Any further uninstalls (e.g. by ManagedProvisioning) will reset
the uninstallReason to UNKNOWN, so USPI will no longer install
such packages in the future.
This prevents USPI from reinstalling system packages that other
mechanisms (such as ManagedProvisioning) uninstalled.
2. USPI will uninstall a system package if it is blacklisted, but
only if that system package is new, i.e. in two circumstances:
a. on first boot
b. on an OTA where the package was not present prior to the OTA
Bug: 143200798
Test: atest UserSystemPackageInstallerTest
Test: Confirmed (un)installations during manually simulated OTAs
Change-Id: Ia0714d1faa8f7c79082f2cc93a92ae36b9a4c918
Merged-In: Ia0714d1faa8f7c79082f2cc93a92ae36b9a4c918
* changes:
Remove telephony protection level.
Revert "Allowed telephony to bind network service"
Revert "add telephony role to some permissions needed by telephony module"
The android.os.action.POWER_SAVE_MODE_CHANGED broadcast already exists for context-registered receivers, this additionally sends the broadcast to a manifest-registered receiver specified in config_powerSaveModeChangedListenerPackage string.
Bug: 149978380
Test: manual using demo apk
Change-Id: I6a363650da7aee11f8f820a0ff78e7a2ec434fad
If the version of the permission controller is different than what was
persisted then call the upgrade controller defined in the permission
controller.
Exempt-From-Owner-Approval: Got verbal approval from an OWNER
Bug: 148595539
Test: Manual; verify the version is persisted in runtime-permissions.xml
verify the upgrade is run when changing the version number
move runtime-permissions.xml to old location, verify works
Change-Id: I873ea4d5a0f1f66fed121e38cc6be62fa046a210
This change adds logging for debuggable and test-only apps when they are
the caller and visibility of another app is blocked due to app
enumeration.
It also adds an adb command to turn logging on and off for other apps to
help developers while debugging issues.
Test: atest AppsFilterTest AppEnumerationTests PackageManagerPerfTest
Bug: 145623959
Change-Id: I1fa930ef40bf08b00c41f51aa25c50b2189395bf
The session id will be used by RollbackManager to simplify the code in
searching for rollbacks and sessions.
(Cherry-picked from 503c1aca53)
Bug: 149663536
Test: m
Merged-In: I94003873f4f244fd6543f22bdbe7b6d4a31aceaf
Change-Id: I94003873f4f244fd6543f22bdbe7b6d4a31aceaf
When permission is granted to another app via URI, we implicitly grant
visibility to that app of the app ID that that URI resolves to.
Test: atest AppSecurityTests
Fixes: 149781706
Fixes: 145677500
Exempt-From-Owner-Approval: Owner approved prior to cherry-pick
Change-Id: I7c8967a4464fd821e4f95d8eb6c0bcfadadb912e
Serialising package restrictions uses synchronous disk access; callers
of these methods should probably use background threads for this.
Bug: 149216360
Test: TreeHugger
Change-Id: I6607a7225bf7daaad8a78e4d1e4c585ba5ac3efc
Signed-off-by: Julius D'souza <jdsouza@google.com>
There may be policy critical apps that must not be suspended by the
user in a managed profile. The owner can now use either of the following
to block suspension of apps:
- DISALLOW_APPS_CONTROL: Blocks suspension of all apps in the user
- DISALLOW_UNINSTALL_APPS: Blocks suspension of all apps in the user
- setUninstallBlocked: Blocks suspension of a given package.
The same also block any of the DistractionRestrictions from being set via
PackageManager#setDistractingPackageRestrictions. This is to make sure
the apps can still show notifications.
Since the owner should have the final call, these do not block the owner
from adding app suspensions itself. Whenever either of these are set,
any app suspensions that were not originally added by the owner are
lifted immediately and any distraction restrictions that were added are
removed.
Also, clearing restrictions and suspensions if an app with SUSPEND_APPS
permission is disabled. Even though it is expected that UI not allow
such an app to be disabled, it is hard to enforce across all device
implementations. And a missed edge case would lead to permanently
unusable apps on the device.
This change also fixes a bug where any DistractionRestrictions set
weren't cleared on suspending app data clear.
Test: atest GtsSuspendAppsTestCases
Bug: 144826981
Bug: 145735990
Change-Id: I81a492e1d07a8cc9aeb0acd7e5142826824a42ae
Moves all system state out of AndroidPackage and into
PackageStateUnserialized, which lives inside a PackageSetting.
This makes AndroidPackage effectively immutable after it exits
the scan/install process.
Specifically, moves isUpdatedSystemApp, isHiddenUntilInstalled,
seInfoOverride, cpuAbiOverride, PackageUsage,
and sharedLibraryFiles/Infos.
Bug: 135203078
Test: atest com.android.server.pm.parsing
Change-Id: I44baab113f3b6b138472b15a61e0874173bc694f
Removes the massive old ComponentParseUtils in favor of
the new split classes.
Cleans up the parsing code to be uniform, removing the
String[] outError pattern in favor of ParseInput.
Bug: 135203078
Test: atest com.android.server.pm
Change-Id: I584ed37d4715300453dbe760d45d1eb4759b3dd3
Part of the Parsing/ParsedPackage split into core/server.
This splits all the "important" changes, or those which change
significant code/logic and that require a closer look during
review.
Bug: 135203078
Test: enumerated in first commit of change ID
Ib4fe51d729a56bfb0ea1316e577358ba0dfceccf
Change-Id: Ie0e4394de2b3063121d850060fcd58622511c59d
* changes:
Clear preferred activities affected by MIME groups changes
Implement new API to modify MIME groups by adding/removing MIME types
Add mimeGroup tag to intent filters
This change adds two new flags for starting activities:
FLAG_ACTIVITY_REQUIRE_NON_BROWSER and FLAG_ACTIVITY_REQUIRE_DEFAULT.
The first will only start if the result is a non-browser result. The
second will only start if the result is not the resolver activity.
Bug: 148452357
Test: Builds
Change-Id: I1f25bd78b6231c08036c15436bd8c2e3dccf56d6
MIME groups can now be modified via PackageManager.
MIME group modification will affect intent-filters
that were declared with that |mimeGroup| in manifest
in the same way, as if intent-filter was initially
declared with |mimeType| attributes that correspond to
MIME types in MIME group.
Preferred activities will be handled in the next CL.
Bug: 134736173
Bug: 136635677
Test: atest android.content.pm.PackageParserTest#testPackageWithIntentFilters*
Change-Id: I083a8794897e632aad5325a67311931193c69a3c
UsageStats will return obfuscated NOTIFICATION_SEEN or
NOTIFICATION_INTERRUPTION events to callers of #queryEvents
and #queryEventsForUser if they don't hold the MANAGE_NOTIFICATIONS
permission.
Additionally, refactor the query API in UsageStats to take in flags as
defined in UsageEvents to make future obfuscation/visibility parameters
cleaner.
Also, add the MANAGE_NOTIFICATIONS permission to shell for CTS test.
Bug: 144724524
Test: atest android.app.usage.cts.UsageStatsTest
Test: atest com.android.server.people.data.UsageStatsQueryHelperTest
Test: atest android.content.pm.cts.shortcutmanager.ShortcutManagerUsageTest
Change-Id: I118de7e589ac8dd5924d3740c70903fa484b79b5
UsageStats will not return LOCUS_ID_SET events to callers
of #queryEvents and #queryEventsForUser if they don't have visibility.
Bug: 148821246
Test: manual, atest tests/tests/app.usage/src/android/app/usage/cts/UsageStatsTest
Change-Id: Ic904a97e66775ef63bc8b84e67e8f430b2a4121b
Revert "Adjust monkey to changed internal APIs"
Revert "Test featureId is correctly used in startActivity"
Revert submission 10111030-activityStarter_featureId
Reason for revert: presubmit test breakage
Reverted Changes:
Ic7056b492: Activity start: Send featureId from context->AppOp...
I8e2a07da7: Adjust monkey to changed internal APIs
I7a6af6fb1: Test featureId is correctly used in startActivity
Change-Id: I48c55a962c990b22ea49e923baa7c73b121d179b
The expected usage pattern for noteOp is to get the
Context#getOpPackageName() and Context#getFeatureId() in the calling app
and then call
noteOp(callingPackageName, Binder.getCallingUid(), callingFeatureId)
As the featureId parameter is new this parameter has to be piped all
the way through from the ...Manager classes running in the app all the way deep into
the bowels of the system server.
There is a special featureId==null for the "default" feature. This is
used in two cases:
- In case the system server (packageName == null || packageName ==
"android") makes a call
- In the case there is no caller. In this case I left annotations in the
code to make clear that the default feature is used
Raw binder interfaces (defined in AIDL files) are not supposed to be
used by apps. Still historically this has happened and we ended up with
@UnsupportedAppUsage tags in these files. Also AIDL does not support
two methods with the same name but different parameters. I.e. in the
case when I had to add a parameter to a method tagged as UnsupportedAppUsage I
- created a new method ...WithFeature with the additional parameter
- set a maxTargetSDK for the old method and mention the public API to
use in the deprecation method
This is really not pretty. Once there is no more app using the old
internal API this hack can be removed.
Additionally this change removed all internal calls to
AppOpsService.noteOperation and AppOpsService.checkOperation and
replaces them with the public API equivalent. This sometimes means to
move the resolution of the mAppOpsManager to be lazy.
Exempt-From-Owner-Approval:: Just piping through arguments
Bug: 136595429
Test: atest --test-mapping frameworks/base/services/core/java/com/android/server/am/
atest CtsAppOpsTestCases added test to cover activity start
atest WmTests
Change-Id: Ic7056b492cb1c9a79158e6c2b4864898a0eb5b2a
Permissions that have the new wellbeing protection flag will be granted
to the retail demo app, as defined by the OEM in the system resource.
The PACKAGE_USAGE_STATS permission is updated to use the retailDemo
flag.
Bug: 146043112
Test: atest CtsPermission2TestCases:PermissionPolicyTest
Change-Id: I30b451e6e88a4d65af5e5f774bcd30a14721a8a9
Add locus update event to the Usage Stats.
Test: Build and run on a test device with a test app.
Bug: 147594233, 147100454
Change-Id: I1e058ac87244d47719606d8dcfaea2df4bff43d2
Signed-off-by: Yuliya Kamatkova <yuliyak@google.com>
Previous implementation was a direct callthrough to the public facing
method. This change deprecates the original method and introduces a new
method with the "Internal" suffix until we can clean up all uses of the
existing method.
Test: boots
Bug: 142386643
Change-Id: I86f92508f0236dbe611ac895fec0ad94f8e80afe