On Pixel 2 devices, /product is a symlink to /system/product. The
product partition has a higher partition precedence than the system
partition so the app should be installed as a system app on the product
partition.
This change also unifies methods for checking whether a file is within
a partition so we will paths will always be canonicalized before the
check.
Bug: 152522330
Test: update system app in system/product/privapp, uninstall updates,
verify that the app was scanned as privileged
Change-Id: I646a5f293b977a78daa2102b73f1d3122f774a2a
Currently when a package is installed / updated in a sharedUid the
signatures for the sharedUid are not updated unless the new package
adds a new signer to the lineage; in this case the new lineage is
assigned to the sharedUid without consideration for the existing
lineage. This leads to the following problems:
1. If the current sharedUid lineage is A -> B and the new package has
lineage B -> C then this is used for the sharedUid and A is lost from
the lineage.
2. If the new lineage revokes one or more capabilities from a previous
signer in the lineage these updated capabilities are ignored unless the
lineage added a new signer as well.
3. If the new lineage revokes the sharedUid capability from a previous
signing key in the lineage and another app is installed as part of the
sharedUid and signed with that key the new app's installation is allowed
to proceed.
4. If only a single app is installed as part of a sharedUid, and that
app is updated with a rotated key and a lineage that revokes the
previous signing key's sharedUid capability the update is blocked.
5. If an app is installed as part of the sharedUid and has a diverged
signer in the lineage (ie sharedUid lineage is Y -> A -> B and new app
lineage is Z -> A -> B -> C) the installation is allowed and Y is lost
from the lineage.
Problems 1 and 2 are addressed with the new SigningDetails
mergeLineageWith method that merges common signers between two lineages
and also updates their capabilities to the most restrictive between
the two lineages (capabilities are anded together). Problems 3 is
addressed by checking the signatures of each of the packages in the
sharedUid for any signed with an ancestor for which the sharedUid
capability may have been revoked. Problem 4 is addressed by checking
if the package being updated is the only one in the sharedUid; if so
the update to the new lineage is allowed to proceed. Problem 5 is
addressed by verifying the new app's lineage is the same, a subset, or
a superset of the other.
Bug: 152046935
Test: atest PkgInstallSignatureVerificationTest
Test: atest SigningDetailsTest
Test: atest PackageManagerTests
Test: atest PackageManagerTest
Change-Id: I420c309f522bb47b65ca40ee848024c85cd5804d
By adding a util method that prefers longlabel and
falls back to shortlabel.
Test: atest
Bug: 157140669
Change-Id: Ib7229b75b7a8ab87274e9aab1c7816129f04e505
This was moved to PackageCacher, but the old and unused counter
was not removed.
Bug: 154310064
Test: manual device reboots and logs cached count >0
Change-Id: I32fdb4b8fccd281fe61c64f231cb0ba154934679
This change updates the docs for the MATCH_UNINSTALLED flag to note that
without the QUERY_ALL_PACKAGES permission, uninstalled packages will not
be returned.
Bug: 149846504
Test: builds
Change-Id: Id0c5b7f29172bd334dc1b2a32ce1f4eb7b1f0bd3
It requires a permission which we can't force apps to take to
maintain backwards compatibility. We also arguably cannot because
it leaks visibility, although only for debuggable apps/non-release
builds.
Instead, there's a new static method for getting the raw targetSdk
to gate against and the check is done manually, ignoring
enabled/disabled state. This will cause a mismatch between certain
apps and some system services like AppIntegrityManager, but the
effects should be minimal if we assume that most people ship
valid APKs. At worse the integrity check will pass an APK that
PM will fail, which doesn't break the feature.
Bug: 156356591
Bug: 156778241
Test: manual device boots
Change-Id: I877a5061476b86b9d63c34e75f16b38be8c3e1c2
This change treats any filter with a mimegroup as if it matches all or
no mime types when matching for the purpose of app enumeration.
Fixes: 155379839
Test: atest IntentFilterTest
Change-Id: I358872082524a4001179bb145053d006622898a7
This change ensures that we don't take port into account when matching
queries tags against intent filters as port is not a supported value in
a queries intent tag. Adding support for this in a future release will
just limit the scope of the queries tag on thos releases; it will still
be ignored in this release.
Bug: 151638510
Test: atest IntentFilterTest
Change-Id: I69d77ae6bebf3984bfe8e8a0f6c2e9e91ee69298
Since running the front and back camera at the same time has been
possible since forever, there's no reason devices on older API levels
can't declare the FEATURE_CAMERA_CONCURRENT flag, even with the new
query APIs not present. Explicitly document that the flag can be set
on API level 29 or earlier, and what it means.
Test: m offline-sdk-docs
Bug: 77960042
Change-Id: I186cb53d95debcc62c98afdef8c629bd9c6a5919
Add a package manager flag so that apps can programmatically query
whether the device have system interface to support the Controls API
Bug: 156096063
Test: manual
Change-Id: I2dab2ecb762b59308c51615137f89733ff42caeb
This new API allows an app to be uninstalled silently by any app holding
the DELETE_PACKAGES permission, as long as the app is installed in
another user so won't be fully removed from the device.
Bug: 149601842
Test: atest UninstallExistingPackageTest
Merged-In: I69fe4d1dd4e9da83574b431257f7be6d1ac8b2bb
Change-Id: I69fe4d1dd4e9da83574b431257f7be6d1ac8b2bb
This is the bridge to link customized adjustments to an activity
or window token.
The DisplayAdjustments in ResourcesImpl is associated with
ResourcesKey. The new usage requires to associate with token.
That is why the new field is added in Resources.
Bug: 147213487
Test: atest ResourcesManagerTest#testOverrideDisplayAdjustments
Change-Id: Ie79c331654d564aee7af8c6ce98a4c72dd3132b1
This is a relatively easy and safe change that should significantly
reduce boot time.
Test: atest google/perf/boottime/boottime-test
Test: atest PackageManagerTest
Bug: 155535721
Bug: 155513789
Bug: 155525390
Change-Id: Ib5152892184d407361ce3698575075ec0138edbf
Uses ParsingPackageImpl to generate the PackageInfo for
PackageManager's getPackageArchiveInfo API.
This keeps the migration to v2 hidden and thus the API can
be shipped for this release and then deprecated entirely
if necessary.
Exempt-From-Owner-Approval: Has approval on previous patchsets,
will need non-logic updates to resolve merge conflict and CP
into rvc-dev properly
Bug: 135203078
Bug: 146575910
Bug: 153880854
Test: atest com.android.server.pm.parsing
Test: atest android.content.pm.PackageManagerTests
Merged-In: Ib21dbbdc556502144df8e3d7a26b7a9d33885cd9
Change-Id: Ib21dbbdc556502144df8e3d7a26b7a9d33885cd9
Clarify when some of the ContentResolver APIs could return null.
Bug: 112833761
Test: builds (documentation update)
Change-Id: I3af1a23bc484d05b167a86bbff0c93ff1bd364e7
Two recent checkins broke the Javadoc (in both cases, an <h3> wasn't
properly closed). Made the fix by hand to the HTML output in
cl/309818465 but we need to make the corresponding change to
the Java source or it'll get reverted next time we update the reference
docs.
Staged to:
go/dac-stage/reference/android/content/pm/LauncherApps.PinItemRequest
go/dac-stage/reference/android/service/autofill/AutofillService
go/dac-stage/reference/kotlin/android/content/pm/LauncherApps.PinItemRequest
go/dac-stage/reference/kotlin/android/service/autofill/AutofillService
BUG: 155669442
Exempt-from-owner-approval: Docs-only change
Test: make ds-docs
Change-Id: I97be9550689544304dff276cf3c9406f9cd98408
These were previously being suppressed by doclava but with this change,
all failures are fixed and the suppression logic has been removed.
To fix the issues, there were a few possible changes made:
- broken reference to a public API (such as incorrect parameters): fixed
- unnecessary @link inside an @see tag: fixed
- @see referring to an @hide or @SystemApi: reference removed
- broken references to inner class constructors
- worked around by fully qualifying the constructor
Bug: 6963924
Test: make doc-comment-check-docs
Exempt-From-Owner-Approval: cherry-picked from master
Change-Id: Ifbdce2de96cdffa560bd90f549fa7184d1f9af85
Merged-In: Ifbdce2de96cdffa560bd90f549fa7184d1f9af85
(cherry picked from commit e0624c7a40)
There are specific cases where a package should be ignored by
whoever is parsing it, either because the device was configured to
ignore it, or the device doesn't support it.
While mostly used for testing, this adds a skip method to
ParseInput and a matching install error code to explicitly express
this case during parsing.
Bug: 155420149
Test: atest com.android.server.pm.parsing
Change-Id: I7eff53544341e21108d9d027f3afe75a1e845f40
An earlier CL with benchmarks has shown that sending strings as UTF-8
is 50% faster for US-ASCII strings, and still 68% faster for complex
strings referencing higher Unicode planes. (So an improvement in
both cases!)
Since code across the OS still makes heavy assumptions about Parcel
strings typically being UTF-16, we need to carefully migrate
Parcelables by hand, which is what this CLs begins doing.
Bug: 154436100
Test: manual
Change-Id: I9a675473e0ce3a4a5c5e305dd851b40bb1560e1c
This is a temporary failure, does not fail the session, but requires
caller to re-commit. E.g. there are connectivity issues which can be
fixed later.
Bug: b/153874006
Test: atest PackageManagerShellCommandTest PackageManagerShellCommandIncrementalTest IncrementalServiceTest
Change-Id: I02791a2963130dbecb510c4a7cafcf04f6245761
When a package that is part of a shareduid is installed / updated its
lineage is compared against the current signature / lineage for the
shareduid. If the new package has more than one signature in the lineage
an IndexOutOfBoundsException is thrown by SigningDetails#hasAncestor
crashing the system server. This commit ensures the ancestor check
is only performed against the current signer for the shareduid.
Fixes: 155134046
Test: atest SigningDetailsTest
Change-Id: Icef9f21c6901e255e5276085259d2f773f41e858
This change removes the initial target SDK check which prevents apps
that target pre-Q from testing that they fail to be install if the
compatibility change is enabled for pre-Q packages.
Bug: 132742131
Test: adb shell am compat enable 132742131 for app with compressed ARSC
that targets pre-R
Change-Id: I7e568a9e99045c09565bb372e454f573b954fea5
