Use ContentProvider.enforceWritePermissionInner() to handle all edge
cases around checking if caller has write permissions. This fixes
bug where call() would throw if caller and provider were the same app.
Bug: 11464234
Change-Id: Iace8e0e4243d56ed1cdcc9680383103975107036
AssetFileDescriptor augments a ParcelFileDescriptor with details
about how it should be interpreted, so extend it to support a Bundle
of extras. Then use these extras to share thumbnail orientation
metadata.
The raw image data of EXIF thumbnails matches the orientation of
the enclosing image, but the thumbnail data doesn't repeat the EXIF
flags. This meant that receivers of openDocumentThumbnail() would
get an image that needed to be transformed, but without enough
context to actually transform it.
Instead of transforming and recompressing the image on the fly on
the provider side, send a transformation hint that the receiver
side can interpret.
Bug: 11205688
Change-Id: Ibc5a7ad002377a55e6ffcb5ac5c8829841002e06
Bug:11064918
If the ContentResolver sync API is used with the empty ("")
string as a provider, the ContentService will throw an RTE.
This cl addresses all the entry points of the API that could
allow this, as well as adds an ifEmpty check at the point of
failure.
Also removed RTE throws from public functions(no point in
crashing the phone).
Change-Id: I57427d12a6cafb3e6d7a32ca0c10b05315b20580
This enables apps to discover and clean up persisted Uri grants when
the underlying Uri becomes invalid, such as when an account is
removed.
Bug: 11142566
Change-Id: Ieeb36cb1155acf226327ebe91cdd30b822d69d1b
For the new documents work, we're only interested in the subset of
ContentProviders that actually implement DocumentsContract. Instead
of returning all providers, add <intent-filter> support to make it
easier to limit the set of returned ProviderInfo.
Define a well-known action for DocumentsProviders, and start using it
when querying for roots. Continue supporting the old <meta-data>
approach until all apps have been updated.
Bug: 8599233
Change-Id: I05f049bba21311f5421738002f99ee214447c909
All background work is going through AsyncTasks, which uses a shared
thread pool. Even with the new ContentProviderClient logic to detect
ANRs, the UI can still appear to be unresponsive for 20 seconds, even
if the user attempted to switch to a different backend. In the worst
case, a backlog of thumbnail requests would end up wedging Loaders
for a long time, since they all share the same THREAD_POOL_EXECUTOR.
This change isolates calls to each provider onto their own thread,
which they're free to wedge and recover from over time.
It also means we no longer need a dedicated thread pool for recents
loading, and can use a simpler Semaphore instead.
Disables thumbnails in recents on svelte devices.
Bug: 10993301, 11014856
Change-Id: I7f8a5bbb5f64437e006cb2c48b7e854136d5c38c
All ContentProvider calls are currently blocking, making it hard for
an app to recover when a remote provider is wedged. This change adds
hidden support to ContentProviderClient to timeout remote calls,
treating them as ANRs. This behavior is disabled by default.
Update DocumentsUI to use a 20 second timeout whenever interacting
with a storage provider.
Bug: 10993301, 10819461, 10852518
Change-Id: I10fa3c425c6a7225fff9cb7a0a07659028230cd3
Change our Intent flag to indicate that a Uri permission grant is
persistable, but don't actually persist it until explicitly taken by
the receiving app. This prevents apps from spamming each other if
persisted permissions aren't really required.
Remember the last time a persisted grant was taken by an app, and
use this to prune away the oldest grants when the number of grants
grows too large. Allow apps to query persisted grants they are
holding, and allow them to release previously persisted grants. Add
public UriPermission class to return grant details and timestamp.
Track various permission strengths separately, and combine together
after each mutation pass. Persistable grants are currently treated
like global grants, but they could be moved to have owners in the
future. Require that grant holders trying to extend a persistable
permission actually hold a persistable permission themselves.
Bug: 10835779
Change-Id: I95b2f797c04ce7fd2612f9a644685dbd44e03759
The problem was that the ResolverActivity filters some activities
out of the list it shows, but it uses that display list as the
list of components the preference is set against when ultimately
setting it on the package manager... but that filtered list is *not*
the right component set, since it is not the same as the package
manager's view on it.
The fix here is to retain the original set of matching components
and use that when setting the preferred activity. Note that this
does mean that in very unusual cases where filtering is happeing
(such as one of the activities not being exported but being seen
as a possible completion from another app), then you will be setting
the preference for the complete set. Ultimately we probably need
to have the package manager apply these filtering rules up-front so
this is all consistent, but this is a very rare case so not that
important.
And then most of the change here is just improving the debug
output for intent resolution.
Change-Id: Ie35ac2c05a45946439951bbf41433c8b7de79c05
When a file already exists on disk, try adding a counter suffix to
make a unique name. Move services near top of roots list, just below
recents. Remove "Documents" root.
Increase number of recents allowed from single provider, and add more
logging to diagnose wedged loaders.
When launching GET_CONTENT apps, wait for successful result before
relaying result; canceled requests now return to DocumentsUI.
Add CloseGuard to ContentProviderClients, since leaked instances can
keep the remote process alive.
Fix UI bug around trailing breadcrumbs. Fix bug that dropped Recents
from roots list. Add up action to Settings activity. Give our
activity a default icon while waiting for async roots to load.
Bug: 10818683, 10819461, 10819461, 10819196, 10860199
Change-Id: I7b9e26b1cf8353dd3175458b23da2b4bda6c5831
- Adds null checks when setting mCompatibilityInfo and uses default no-op
CompatibilityInfo object instead of null
- Removes null checks when calling methods on mCompatibilityInfo since it is never
null
bug:10204942
Change-Id: I36e88f5cdceb46b8b19fb902270ef74023a81546
...while setting up a new user from settings.
We can now delay broadcasts when there are enough background services
currently starting (still set to 1 for svelte devices, 3 for normal
devices).
Add new intent flag to not allow receivers to abort broadcasts, which
I use to fix an issue with the initial BOOT_COMPLETED broadcast not
actually requesting pss data at the right time -- it can now be sent
as an ordered broadcast without the ability for the receivers to cancel
it.
Change-Id: I51155bbbabe23e187003f3e2abd7b754e55d3c95
Code path to release content provider associated with the PFD was
inadvertently bypassed by a previous change. Reinstate that code
when closing the PFD.
Bug: 10767447
Change-Id: I23306cfb3c28c99e587892b17ca85efd3f7a8a07
Bug: 9520957
DevicePolicyManagerService will play dumb if the feature is not installed.
Continue to keep track of failed password attempts for keyguard's use.
Change-Id: I28d258dc09a8b4976b188da6f453d8daabcc4bdd
This way an application can automatically sunset its permission requests
when running on later versions of the OS where those permissions are no
longer relevant, but may be alarming to the user. A canonical example
is WRITE_EXTERNAL_STORAGE, which as of KLP becomes unnecessary for an app
to use the external storage volume solely for its own large-data needs,
without the need for actual file-system sharing among multiple apps.
Bug 9761041
Change-Id: I60130af3a108fe4a750c356038a1c8cb897e9c8b
We now have the activity manager kill long-running processes
during idle maintanence.
This involved adding some more information to the activity manager
about the current memory state, so that it could know if it really
should bother killing anything. While doing this, I also improved
how we determine when memory is getting low by better ignoring cases
where processes are going away for other reasons (such as now idle
maintenance). We now won't raise our memory state if either a process
is going away because we wanted it gone for another reason or the
total number of processes is not decreasing.
The idle maintanence killing also uses new per-process information
about whether the process has ever gone into the cached state since
the last idle maintenance, and the initial pss and current pss size
over its run time.
Change-Id: Iceaa7ffb2ad2015c33a64133a72a272b56dbad53
Support decoding thumbnails delivered over pipes by wrapping in a
buffered stream. Also switch to using unstable provider references
to avoid crashing DocumentsUI.
Bug: 10516148, 10510851
Change-Id: I85f6eeaca70c97742bf79656d1d0c6da381fdd47
java.lang.SecurityException: Operation not allowed
There was a situation I wasn't taking into account -- components
declared by the system has a special ability to run in the processes
of other uids. This means that if that code loaded into another
process tries to do anything needing an app op verification, it will
fail, because it will say it is calling as the system package name but
it is not actually coming from the system uid.
To fix this, we add a new Context.getOpPackageName() to go along-side
getBasePackageName(). This is a special call for use by all app ops
verification, which will be initialized with either the base package
name, the actual package name, or now the default package name of the
process if we are creating a context for system code being loaded into
a non-system process.
I had to update all of the code doing app ops checks to switch to this
method to get the calling package name.
Also improve the security exception throw to have a more descriptive
error message.
Change-Id: Ic04f77b3938585b02fccabbc12d2f0dc62b9ef25
Reverts extension to assist context API to query
foreground services for assist context data.
Also hides Intent.ACTION_VOICE_ASSIST because
nobody's actually using it yet.
Bug: 10461702
Change-Id: Idf6836adc659b434e11ebb2b98e8b814c94a7227
