When callers are inserting or updating raw "_data" paths, we need to
sanity check them to make sure they're not "crossing the streams"
between storage devices. For example, it would be really broken to
insert a file on the SD card into the "internal" storage volume.
This also enforces that callers don't "cross the streams" between
multiple storage volumes on devices that support them, since
otherwise they'd end up with very confusing behavior, such as
the same underlying file being inserted into multiple databases.
Also, the "internal" storage volume should really only be used for
common media (such as ringtones), and it shouldn't be allowed to
point into private app data directories, since MODE_WORLD_READABLE
has been deprecated for many years now.
Bug: 117932814
Test: atest MediaProviderTests
Test: atest cts/tests/tests/media/src/android/media/cts/MediaScanner*
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*
Change-Id: I267eacd45bbd270b8ce9b28de9d6e209f780f31a
This class is useful as a system API because:
- It is one of the few exceptions that is natively Parcelable.
- It is directly supported by native code without using JNI,
using Status::fromServiceSpecificError.
- Unlike other natively parcelable exceptions, it contains both
an error message and an error code.
Test: m
Bug: 112869080
Change-Id: Ica3e88c2b6877e429a61b053d75f69b9f19fc74a
Apps that are already installed on the device before isolated_storage
feature is enabled will be granted MOUNT_EXTERNAL_LEGACY mode. In this
mode, /mnt/runtime/write will be mounted at /storage giving them same
level of access as in P.
A new mount directory /mnt/runtime/full is also created which will be
used for mounting at /storage for apps started with MOUNT_EXTERNAL_FULL
mode. This will allow apps with WRITE_MEDIA_STORAGE permission to
read/write anywhere on the secondary devices without needing to bypass
sdcardfs.
Bug: 121277410
Test: manual
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Change-Id: I4ec73276d7c586ae4afc482580d1eb8ee03d5be1
The dire warning about canonicalising paths before calling
FileUtils#contains was present on two overloads but not the
third. Added it there to try to make it harder to miss.
Test: Builds.
Change-Id: I983fe86e57ff3f7052f4f5d55f2bbd9e5740429a
The application zygote can run untrusted user code; since it also
has the capability to change the uid/gid of the process, we need
to ensure that any changes to the uid and/or gid stay within the
range that we have allocated for this application zygote.
For application zygotes, we install the app_zygote seccomp
filter instead of the regular app filter; the only difference
between this filter and the app one is that it allows
setuid/setgid calls.
To further limit this, pass down the allocated UID range to the
Zygote itself, which in turn installs an additional seccomp
filter that restricts setuid/setgid calls to this range.
The actual calls into seccomp are commented out until the seccomp
changes are merged; to avoid catastrophe, this will leave the
regular app filter for the app_zygote, which is more restrictive
and doesn't allow setuid at all.
Bug: 111434506
Test: atest CtsSeccompHostTestCases passes
Change-Id: I112419629f5ee4774ccbf77e2b1cfa5ddcf77e73
Add methods used by VintfDeviceInfo, a CTS test, to TestApi.
Also remove them from greylist.
Bug: 111610941
Test: builds
Change-Id: Ieccf8c9225132fd604d7df0fc7e9976f63f9077c
We only want to load a temporary rules file for processing if the
current app is debuggable or if adb is running as root. The logic to
do this is a bit less than straightforward to read and we don't
currently log the values to help make it clearer (though we know they were
both 'false' to return early). This change helps make the code a bit
easier to read and adds some logging that helps make reading the logs a
little easier too.
Bug: 122612037
Test: atest CtsAngleIntegrationHostTestCases
Change-Id: I38baf02ebdb847f9423a80a1093385903eda1686
Based on ro.build.version.preview_sdk_fingerprint, which is
generated by the build system based on the contents of the
public / system API fingerprint. This value helps implement
finer grained targeting of packages to preview releases.
Test: atest BuildTest; manual
Bug: 120439642
Change-Id: Ib2c28d96ea0fa2ed9a6be4c05580c164e39cdd9f
Make Nat464Xlat talk to netd directly instead of through
NetworkManagementService. The methods in NetworkmanagementService
don't really provide any value: since the only thing they do is
call into netd, we might as well have the callers talk to netd
directly,
In order to do this, pass INetworkManagementService and INetd to
the NetworkAgentInfo constructor, and update callers appropriately.
Bug: 65674744
Test: builds, boots
Test: atest FrameworksNetTests
Change-Id: Iac4cfe709c6279e4d9682b6754963e533707bd12
Since the CTS test for android.os is build with test_current.
Bug: 78650449
Test: android.os.cts
Change-Id: If784f4949af931c6c4efc284f1d16414705fe2d4
Merged-In: If784f4949af931c6c4efc284f1d16414705fe2d4
Add dummy implementations for status, error and finished callbacks.
Next step: wire these up end-to-end; change Shell's listener to be
BugreportManager.BugreportListener, and make it communicate with the
native service explicitly through the new system api.
BUG: 111441001
Test: Verified progress in interactive bugreport still works
Change-Id: Iad0bb7b23b04f6bc7e3b31e5071df42409c78684
