The hidden API is used by SystemUI process to adjust the system UI based
on when a certain camera is opened or closed.
Test: Manually observe callbacks in SystemUI when running camera CTS
Bug: 150540299
Change-Id: I04cae782d96f0e32be8ef588dcd328f84b32887a
Merged-In: I04cae782d96f0e32be8ef588dcd328f84b32887a
ACCESS_SHORTCUTS and UNLIMITED_SHORTCUTS_API_CALLS should be granted to
an app predictor rather than a text classifier.
Bug: 139523153
Test: atest CtsPermission2TestCases
Change-Id: I12360b5d5ba3c75bb2dfffd86bd6069b75fbdb53
(cherry picked from commit b6a7851271)
Make sure the broadcasts used by the Wi-Fi framework are protected:
i.e. can only be transmitted by privileged components (as opposed to
any 3rd party app).
Broadcast: Suggestion API
Bug: 146642727
Test: atest android.net.wifi
Test: atest com.android.server.wifi
Merged-In: I9a0bf4428774b13cc6414a223f378e09341a6a55
Change-Id: I9a0bf4428774b13cc6414a223f378e09341a6a55
Make sure the broadcasts used by the Wi-Fi framework are protected:
i.e. can only be transmitted by privileged components (as opposed to
any 3rd party app).
Broadcast: MAC randomization
Bug: 146642727
Test: atest android.net.wifi
Test: atest com.android.server.wifi
Change-Id: Id4c7c0868ced4b3edb8752e10c0350c190cee862
Merged-In: I9a0bf4428774b13cc6414a223f378e09341a6a55
All permissions that are suitable for use by third-party apps and
aren't deprecated now contain a paragraph in their descriptions that
lists the protection level for a given permission, such as:
Protection level: signature|privileged
Test: make ds-docs
Bug: 137260540
Change-Id: I45eada81bf4aa83480ff2e701a9e0e9932b66b88
The case failed because AutofillManager cannot find the ResolveInfo of AutofillCompatAccessibilityService.
AutofillCompatAccessibilityService is not visible to instant apps.
The CTS test process is working at other users, and the calling app is an instant app.
So the CTS test process can't get the service info of AutofillCompatAccessibilityService.
Bug: 137236035
Test: run cts -m CtsAutoFillServiceTestCases
Change-Id: I4dffc615ea1d8290bc02e51a9aa055fa0ead467f
(Goodbye, hypno-P and your '90s tech magazine color palette.)
Bug: 123903304
Test: adb shell am start -n android/com.android.internal.app.PlatLogoActivity
Test: adb shell am start -c com.android.internal.category.PLATLOGO -a android.intent.action.MAIN
Test: adb shell am start -n com.android.egg/.paint.PaintActivity # still works
Change-Id: I4865024a14b6a78e7a043c56d2330b5f9dd214c6
Merged-In: I4865024a14b6a78e7a043c56d2330b5f9dd214c6
Not from WRITE_EXTERNAL_STORAGE. Otherwise it is not clear what happens
if one of the permissions is white-listed and one not. This can lead to
a loop where we try to set LEGACY_STORAGE to two different values.
Fixes: 135763654, 135742960
Bug: 135933014
Test: atest RestrictedPermissionsTest
Change-Id: I35883f12525360fd7f760750505a27644342955c
Also:
- Fix testUidFilteringDuringVpnConnectDisconnectAndUidUpdates that
was failing on devices with a first released SDK >= Q
- Add a test that actually tests that the system has the permission, as
the test was only testing what's in the mock
Bug: 119770201
Test: New test making sure this stays true
Merged-In: I74cf5f0fa17fcf818f1fed78c7e3e4375c20152e
Change-Id: I0daa644fbad8e389ad7cfa66c0e3b3480c8bb50a
(cherry picked from commit 629b49d58f)
Fixes: 132175290
Test: Checked that restriction related flags are set in adb shell
dumpsys package
Change-Id: Idfc3a948713396f831530dd9e07c0a916c259e66
When requesting background location access (for "all-the-time" access
to device location), it's possible to request *either* coarse or fine
location access along with background location access. Updated the
docs to mention this important point.
Test: make ds-docs -j32
Bug: 133248358
Change-Id: Ia10e493ecb33b6e971b53d3ff348a495417d9b38
Now that we have LocalCallingIdentity, we can start caching it in
very narrow cases. We must be careful to not cache too long, since
any changes to granted permissions for the UID mean we need to
re-evaluate any cached answers.
The best middle-ground for this in the Q release is to use an active
camera session as a proxy for when we should create a cache object
and then later invalidate it. (It's very unlikely that a user
changes permissions while actively using the camera, and this is
a strong signal that the caller is sensitive to performance.)
Many other sprinkled optimizations to avoid extra binder calls into
the OS, such as aggressively caching VolumeInfo related details.
Track IDs that are owned by each LocalCallingIdentity, to speed up
all future security checks.
Dispatch all change notifications asynchronously, and delay them by
several seconds while the camera is being actively used, to give
more important foreground work a fighting chance. Invalidate
thumbnails asynchronously.
Optimizations to ModernMediaScanner where it's safe to skip the
"reconcile" and "clean" steps when we're focused on a single file
that we successfully scanned.
Local tests show this CL improves performance of a test app that
takes 100 rapid shots by 45%. (All the collective optimizations
done so far this week add up to a 70% improvement.)
Bug: 130758409
Test: atest --test-mapping packages/providers/MediaProvider
Exempt-From-Owner-Approval: trivial manifest change
Change-Id: I38cc826af47d41219ef44eae6fbd293caa0c01d5
Adding a new intent action for the permission controller to ask an
app to show its permission usage to help the user understand what
is being used and why. We are adding a permission to protect this
action to prevent apps trampolining into other apps when asked to
show their permission usage.
Test: compiles
bug:131760942
Change-Id: I5217d6319fd98d40c8879bdd7af5fe466bf9143e
Make PackageManager send an ACTION_CANCEL_ENABLE_ROLLBACK intent to
RollbackManager. RollbackManager marks the relevant rollback as invalid.
Allow enable rollback to continue as usual; before making the rollback
available, RollbackManager checks whether it's valid. If it's not, the
rollback data is deleted.
Add a test case for expired rollback enabling attempt in RollbackTest.
Test: atest RollbackTest#testEnableRollbackTimeoutFailsRollback
Test: manual -
* Set ENABLE_ROLLBACK_TIMEOUT_MILLIS to 1 ms using DeviceConfig
* Install a mainline module with rollback enabled
* adb shell dumpsys rollback
* observe that no rollback was made available
Fixes: 131679409
Change-Id: Iaa4dbff002b820aff1fc3e1b985f129cf5ebe2e6
This change makes storage a soft restricted permission. When the
permission is whitelisted for an app then holding it allows the
app to access the full SD card as on a P device. If however, the
permission is not whitelisted for an app then holding it allows
accessing the visual/aural collections in media store while the
app would run in its own isolated storage sandbox.
This change also connects the opt in/out application attribute
to how external storage is mounted, removing temporary code. The
attribute was renamed to convey that opting in legacy mode is
not something that is desirable or would be available in the long
run.
While at this, also fix the default state of app ops for restricted
permissions to avoid allowing ops for non requested restricted
permissions to every UID as component access could skip permission
checks but cannot skip app op checks.
bug:130327036
atest CtsPermission2TestCases
atest CtsPermissionTestCases
atest CtsAppOpsTestCases
atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ExternalStorageHostTest
atest CtsAppSecurityHostTestCases:android.appsecurity.cts.PermissionsHostTest
Change-Id: Ibb23cbb6a5c66d9c3823cc13562a1b903b391ffd
This change adds a mechanism for restricting permissions (only runtime
for now), so that an app cannot hold the permission if it is not
whitelisted. The whitelisting can happen at install or at any later point.
There are three whitelists: system: OS managed with default grants
and role holders being on it; upgrade: only OS puts on this list
apps when upgrading from a pre to post restriction permission database
version and OS and installer on record can remove; installer: only
the installer on record can add and remove (and the system of course).
Added a permission policy service that sits on top of permissions
and app ops and is responsible to sync between permissions and app
ops when there is an interdependency in any direction.
Added versioning to the runtime permissions database to allow operations
that need to be done once on upgrade such as adding all permissions held
by apps pre upgrade to the upgrade whitelist if the new permission version
introduces a new restricted permission. The upgrade logic is in the
permission controller and we will eventually put the default grants there.
NOTE: This change is reacting to a VP feedback for how we would handle
SMS/CallLog restriction as we pivoted from role based approach to roles
for things the user would understand plus whitelist for everything else.
This would also help us roll out softly the storage permission as there
is too much churn coming from developer feedback.
Exempt-From-Owner-Approval: trivial change due to API adjustment
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.PermissionsHostTest
Test: atest CtsPermissionTestCases
Test: atest CtsPermission2TestCases
Test: atest RoleManagerTestCases
bug:124769181
Change-Id: Ic48e3c728387ecf02f89d517ba1fe785ab9c75fd
- Also remove typed media permissions
- Leave typed media app-ops
Bug: 129716569
Test: Used apps, looked at permissions in the UI
Change-Id: If7714fb1a6955584157e1a60ab72b09e35287827
- Restrict unprivileged apps to use
NetworkRequest.Builder#setSignalStrength.
- Remove the "throws NullPointerException" in
CaptivePortalProbeSpec constructor.
- Remove the null check in LinkProperties.
- Add annotation into all ConnectivityManager.NetworkCallback
methods.
Change-Id: Id275cac1d6a30d7515cd7b113394f5e8a0179314
Fix: 129097486
Test: atest FrameworksNetTests
We deprecated the NEW_OUTGOING_CALL broadcast which uses this, so we
should also deprecate the permission to make it more clear to the
developers.
Test: Build / make api
Bug: 129531123
Bug: 129572090
Change-Id: Iac4979ffe29c33eb2ed8ffe4a7799e7caa794951
Adding a new permission for carrier provisioning app to access privileged
network operations.
Bug: 129401919
Test: Compiles
Change-Id: I86e6aa3aaeabbc3637977f9e9a34daaec92d59aa
Instead of doing a tethering entitlement check whenever we turn
on tethering, provisioning result should only affect mobile
upstream. List behavior changes below:
1. Change tether entitlement check from pre-flight check to
run-time check.
2. Only run entitlement check when upstream is mobile.
3. Move schedule entitlement re-check logic from Settings to
framework.
4. Run all entitlement thing in TetherMaster thread to avoid
multi-thread problem.
Test: -atest FrameworksNetTests
-build, flash, booted
bug: 111490073
Change-Id: Ic2980b4d6864d6f7287816c43eb6cf7a5cdec541
Merged-in: Ic2980b4d6864d6f7287816c43eb6cf7a5cdec541
Changes for Telecom to bind third party companion apps or
automotive ui installed from Play Store. Add new permissions and
settings for the third party InCallService APIs.
Bug: 78174835
Test: Manual
Change-Id: I1b4eff28b9dfd61f1c951d14b6c82395b51fe769
Merged-In: I1b4eff28b9dfd61f1c951d14b6c82395b51fe769
Instead of doing a tethering entitlement check whenever we turn
on tethering, provisioning result should only affect mobile
upstream. List behavior changes below:
1. Change tether entitlement check from pre-flight check to
run-time check.
2. Only run entitlement check when upstream is mobile.
3. Move schedule entitlement re-check logic from Settings to
framework.
4. Run all entitlement thing in TetherMaster thread to avoid
multi-thread problem.
Test: -atest FrameworksNetTests
-build, flash, booted
bug: 111490073
Change-Id: Ic2980b4d6864d6f7287816c43eb6cf7a5cdec541