* changes:
Use setEnable() when there is an installed image
Use gsid.isGsiEnabled to refine DynamicSystemService
Use FeatureFlagPersistent to guard DynamicSystem
Make feature flag settings_dynamic_system persistent
Check persistent feature flag 'settings_dynamic_system' before
invoking the installation service. User can still use gsi_tool if
the device is unlocked.
Bug: 119647479
Test: Verified with 'adb shell am' and test app.
Change-Id: If2265d877bc7eedf9b7a107bba04d2e95cf1b89a

System.currentTimeMillis() is NEVER okay to use to calculate a time delta.
The original spirit of this probably should have used SystemClock.uptimeMillis(),
but use SystemClock.elapsedRealtime because it's the same as
System.currentTimeMillis() in all the cases where System.currentTimeMillis() is
correct.
Test: Treehugger
Change-Id: Ib6e090425af83e7e822fb12814d87e8a37e2d2ac

For service and provider bindings from TOP and
FOREGROUND_SERVICE apps, don't elevate bound apps
to above BOUND_FOREGROUND_SERVICE.
For service bindings, it is possible to explicitly
request the binding to match the foreground app
such that the bound app can get similar privileges
of foreground permissions.
For instance, when a foreground service has a location
type, providers it binds to don't automatically get the
location privilege. On the other hand, sometimes apps
showing UI want to treat their dependencies also as if
they are showing UI.
This change does not affect the oom_adj calculation,
only the proc state calculation for bound processes.
New BIND_INCLUDE_CAPABILITIES flag can be used to restore old
behavior for bound services.
Introduces a new state PROCESS_STATE_BOUND_TOP
Bug: 128337543
Test: atest CtsAppTestCases:ActivityManagerProcessStateTest
Change-Id: I13733e7f43a78903299254bc110cd8f7a8db4c40

Per design pivot, access to legacy behavior will be determined by
the new "allowExternalStorageSandbox" manifest flag.
Bug: 124818022, 129487770
Test: atest --test-mapping packages/providers/MediaProvider
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Change-Id: I169e5eb3612c23aad47204cde9ff263f9df6f8c1

- Also remove typed media permissions
- Leave typed media app-ops
Bug: 129716569
Test: Used apps, looked at permissions in the UI
Change-Id: If7714fb1a6955584157e1a60ab72b09e35287827

Add a new setting that allows a developer to specify where
to load ANGLE libraries from, rather than the default location.
This is only allowed for apps that are dumpable, i.e. can have
libraries injected. That includes debuggable, profileable,
and root.
To use the new setting:
    adb shell settings put global angle_debug_package <package>
This allows a developer to build an APK directly from Chromium
and use it with a production build of Android. It will override
pre-installed system packages and updates.
Note: Use of ANGLE Developer Options UI will cease to function
until the debug package is uninstalled.
Bug: 80239516
Test: Apply setting, see new ANGLE used
Test: cts-tradefed run singleCommand cts -m CtsAngleIntegrationHostTestCases
Change-Id: Ib3b1fb52c0eb669e7ea931959a73aba2bd15bedf

1. Making a full copy of the config Builder's map so that changing
the map in the builder doesn't change the config's map.
2. Ensuring that location mode and brightness adjustment factors are
within valid ranges.
Bug: 129474588
Test: manual
Change-Id: I6117b7857afa10d71c1fc3de818c51d8719a281b

We're iterating on the design to let apps request via a manifest
flag if they'd like to opt-in or opt-out of storage sandboxing. The
default is to assume that P apps don't allow sandboxing, and that
Q apps do allow sandboxing.
Bug: 129487770
Test: manual
Change-Id: I8fddb35eed412c78622be4ccae57c7b7d2aa1286

DropBox entry spamming can negatively impact system and apps listening
to the ACTION_DROPBOX_ENTRY_ADDED broadcast.
Global settings with the DropBox tag prefix can now mark low priority
tags. Low priority tagged entries will have their
ACTION_DROPBOX_ENTRY_ADDED broadcast delayed and the broadcast will be
dropped in spammy situations.
Bug: 119132031
Test: atest CtsDropBoxManagerTestCases
Change-Id: I56554a15e0afb6e1686a33c59b3d6a8d426c2fc6

Change the file format to store the
experiment IDs directly so we don't
need to parse the proto when reading
the values out.
Bug: 129099771
Test: bit statsd_test:* && adb shell cmd stats pull-source 10051
Change-Id: I0dc1fd118f4d9ba597c2f0959648136bbafb5aab

A major goal of the Q release is to promote user transparency around
permission usage, and to also give user controls over those
permissions. To further this goal, all apps requesting the
internal WRITE_MEDIA_STORAGE permission must also request (and be
granted) the "Storage" runtime permission in order to gain the
associated access.
If the user revokes the "Storage" runtime permission, then the app
must lose all access granted to it via WRITE_MEDIA_STORAGE.
Bug: 129144016
Test: atest --test-mapping packages/providers/MediaProvider
Change-Id: I0e685136d2b823e618bbc85cc79e656c9d4aad38

This opens the door to the same consistent logic being shared by
anyone across the OS who wants to enforce storage permissions.
Bug: 126788266
Test: atest --test-mapping packages/apps/MediaProvider
Exempted-From-Owner-Approval: Trivial permissions refactoring
Change-Id: I3107425f8dafa6ba05918bb67c3c0cb5d3899657

Apps that allow themselves to be profiled locally are also eligible
to load layers, since they are set dumpable. They can opt in by
setting the following in AndroidManifest.xml:
    <!-- App opts-in to being profiled by the shell -->
    <application>
        ...
        <profileable shell="true"/>
    </application>
Bug: 128637647
Test: atest CtsGpuToolsHostTestCases
Test: Modify CtsGpuToolsHostTestCases to use profileable="true"
and ensure loading from external works.
Change-Id: Ib072d07408c2abd8fee7179fec3a0d28d72d6398

If we're checkpointing, we can roll back instead of wiping. If the
update was the problem, we will succeed. Otherwise, RescueParty will
catch the issue again and prompt the wipe later.
Test: setprop persist.sys.enable_rescue 1
      Set device to not commit checkpoints
      vdc checkpoint StartCheckpoint 3
      reboot
      adb shell setprop debug.crash_system 1
      adb shell stop
      adb shell start
      Rescue Party causes reboot instead of wipe
      repeat without checkpointing to get wipe
Change-Id: Iba0263214baa7a0c3d5565b4393d03f975d8000a

We already have a permission, MANAGE_DYNAMIC_SYSTEM, whose protection
level is signature. Only platform applications holding it can interact
directly with DynamicSystemService, a wrapper of native GsiService. In
our design, DynamicSystemInstallationService is the sole platform app
holding it.
Then we need another permission for non-platform but privileged apps.
This new permission doesn't give apps access to DynamicSystemService,
but only to system API DynamicSystemClient. DynamicSystemClient works
with underneath DynamicSystemInstallationService and allows privileged
apps to install DynamicSystem images and get status updates in our
designed manner.
Bug: 128982216
Test: verified using DynamicSystemClient.
Change-Id: I3e67322511e3ab08db87bfad40d8c3d3cf6fdfe5

Device configuration properties in ZygoteConfig.java used old names for
certain values. These name strings have been updated to the correct
values and additional logging has been added to help catch future
issues.
Test: m
Test: boot and check log for USAP messages
Change-Id: I2fb92afe7edd9b1254dd3be659ec5063aa0b8e16

There was some confusion caused by the names so this CL
changes them to make the differentiation more clear hopefully.
Test: robotests pass, build runs, functionality of clients intact
Bug: 126944845
Change-Id: I626dd8e38c59fb5c061e4d0fdcf8c81701c459a3

TEXTURE_TICK is a new constant that is expected to be called repeatedly
in order to simulate a texture effect when a user is interacting with
the device, like with TEXT_HANDLE_MOVE.
Bug: 111461797
Test: Manual
Change-Id: Ia21de3ce1755a908b4bd4fcbdda411864e5b9fe9