Only user-originated grant actions are backed up/restored. This
includes outright grants, one-time denials, and "never ask again"
type denials.
Bug 19870549
Change-Id: I78b4a8abb713dc5d74b93cb53217b212d57b26e4
This makes Package Manager check whether an APK is signed using APK
Signature Scheme v2 and, if it is, verify the APK's signatures using
that scheme rather than the usual JAR signature scheme.
APK Signature Scheme v2 is a whole-file signature scheme which aims
to protect every single bit of the APK as opposed to the JAR signature
scheme which protects only the names and uncompressed contents of ZIP
entries.
The two main goals of APK Signature Scheme v2 are:
1. Detect any unauthorized modifications to the APK. This is achieved
by making the signature cover every byte of the APK being signed.
2. Enable much faster signature and integrity verification. This is
achieved by requiring only a minimal amount of APK parsing before
the signature is verified, thus completely bypassing ZIP entry
decompression and by making integrity verification parallelizable
by employing a hash tree.
Bug: 25794543
Change-Id: If59fe013f2e62bac7677bb20e65f6061b91eec2e
When the caller hasn't specific encryption-related matching flags,
we should match both aware and unaware components.
Bug: 26508249
Change-Id: I2c35f6e00e451ba3f5fa0810223b7a3d80dee233
This adds android:externalService boolean attribute to <service>. If that
attribute is true, then bindService() may be called with
BIND_EXTERNAL_SERVICE to create the new service process under the calling
package's name and uid. The service will execute the code from the package in
which it is declared, but will appear to run as the calling application.
External services may only be used if android:exported="false" and
android:isolatedProcess="true".
Bug: 22084679
Bug: 21643067
Change-Id: I3c3a5f0ef58738316c5efeab9044e43e09220d01
When starting encryption-aware apps while the device is locked, we
can only spin up ContentProviders that have been marked as
encryption-aware. Once the user is unlocked, we need to go back and
install non-encryption-aware providers in already running apps.
Fix bugs in getPackageInfo() where only one of the various MATCH_
flags was being consulted (!). Move matching logic to single unified
location in PackageUserState so we have consistent behavior.
Fix another class of bugs where Safe Mode wasn't correctly filtering
package details (!). These bugs are fixed by splicing in the new
MATCH_SYSTEM_ONLY flag as part of state-based flag mutation that was
added for encryption.
Bug: 25944787
Change-Id: I39c8da74b1f9ba944cc817176983f50ba322329c
In order to support backup/restore on devices without native FBE
support, we always need to make the DE storage area available. Add
docs clarifying the lifecycle.
Bug: 26279618
Change-Id: I789915f295b10aca6bf80ca58406aea212835ffd
Also define InstallFlags and DeleteFlags, and point installPackage()
users towards new PackageInstaller APIs. Remove old movePackage()
API that is no longer used.
Change-Id: I661a65149e4778a7591dbd912b72b4dd81b266da
Finish moving all UID/GID callers to single AIDL method that requires
callers to provide flags.
Triage AppWidgets and PrintServices, which currently can only live on
internal storage; we should revisit that later.
Fix two bugs where we'd drop pending install sessions and persisted
Uri grants for apps installed on external storage.
Bug: 26471205
Change-Id: I66fdfc737fda0042050d81ff8839de55c2b4effd
Catch a bunch of simple cases where the PackageManager flags are
obvious. Add the ability to use the MATCH_SYSTEM_ONLY flag on
PackageInfo and ApplicationInfo queries.
Re-examine recent tasks after a user is unlocked, since some of the
activities may now be available and runnable.
Bug: 26471205, 26253870
Change-Id: I989d9f8409070e5cae13202b47e2c7de85bf4a5b
If they don't have code, give the developer a somewhat helpful error
message instead of later falling into a weird classpath failure.
Change-Id: Iebda10173ff99943cbbd71127ae24aa455b709f4
This gives callers the ability to request details for missing
packages. Also add annotations for userId and appId variables and
start tagging their usage.
Change-Id: I63d5d7f870ac4b7ebae501e0ba4f40e08b14f3f6
Since this technically wasn't an API change, there isn't a good
reason to protect with target API. So change the behavior based on
the caller for now.
Bug: 26438049
Change-Id: I65aa1fc9af1f935544f8e191444440af4f98f26f
When hidden PackageManager methods take a userId argument, they
should be named explicitly with the "AsUser" suffix. This fixes
several lagging examples so that we can pave the way to safely
start passing flags to new methods without scary overloading.
Also fix spacing issues in various logging statements.
Change-Id: I1e42f7f66427410275df713bea04f6e0445fba28
Verifiers or installers may not be encryption-aware, or the user may
have disabled them, so we probe pretty deeply during system boot to
resolve them. Use the new MATCH_SYSTEM_ONLY flag to limit results to
packages on the system image.
When there are multiple matches, pick the one with highest priority
instead of crashing the system.
Switch to updated MATCH_ constants in more places.
Bug: 26250295
Change-Id: Ia7a3b1fb74da6c3b9d2c2edbf1deaa9fb52fc40a
Caching against resource ID leads to incorrect cache hits, since multiple
files (ex. within drawable-mdpi, drawable-ldpi) may map to the same ID.
Also adds nullability annotations.
Bug: 26400880
Change-Id: I4d83caf3c44dc9b546511753e9e72171e8850eb2
Moving forward, all client file access really needs to be going
through explicit APIs like openFileDescriptor(), since that allows
the provider to better protect its underlying files.
This change also changes several classes to use the AutoClosable
pattern, which enables try-with-resources usage. Older release()
methods are deprecated in favor of close().
Uniformly apply CloseGuard across several classes, using
AtomicBoolean to avoid double-freeing, and fix several resource
leaks and bugs related to MediaScanner allocation. Switch
MediaScanner and friends to use public API instead of raw AIDL calls.
Bug: 22958127
Change-Id: Id722379f72c9e4b80d8b72550d7ce90e5e2bc786
Intercept calls to start activities from the recents
stack and show the Work Challenge if needed. This requires
passing the taskId to ConfirmDeviceCredential so it can
launch the recents task itself when the credentials are
confirmed.
Change-Id: I013b134f3f31a35b551ad683c68cc89b8af44499
