For apps which target Q or above, add the O_CLOEXEC flags to
ParcelFileDescriptors.
O_CLOEXEC is essential for ensuring that file descriptors do not leak
across an exec() boundary. Setting O_CLOEXEC ensures that file
descriptors can't linger around unnecessarily in an exec()ed process
which doesn't use them, making more efficient use of resources.
Additionally, O_CLOEXEC is important in ensuring that untrusted
exec()ed code cannot take advantage of leaked file descriptors.
Test: Android compiles and boots
Bug: 120983106
Change-Id: Idb3eb8f0e43968396a3b3a8bddc26a8d94c55bde
The currently requested feature flag value may lag behind what's
actually active for the current boot, so take a snapshot of the value
that's being used for the current boot.
Bug: 121195267
Test: manual
Change-Id: I969f1d9d385e7610b366df41d2c7728a596d114c
Don't use Os.dup(), as it creates file handles which leak across exec()
boundaries. Instead, use fcntl(F_DUPFD_CLOEXEC).
O_CLOEXEC is essential for ensuring that file descriptors do not leak
across an exec() boundary. Setting O_CLOEXEC ensures that file
descriptors can't linger around unnecessarily in an exec()ed process
which doesn't use them, making more efficient use of resources.
Additionally, O_CLOEXEC is important in ensuring that untrusted
exec()ed code cannot take advantage of leaked file descriptors.
Test: Android compiles and boots
Bug: 120983106
Change-Id: I99a66834cc6b9bb25e1b4daf75384ec6a91ae9e2
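The two commit messages above (the O_CLOEXEC flag on ParcelFileDescriptors, and F_DUPFD_CLOEXEC in place of Os.dup()) describe the same underlying POSIX behaviour. The following C program is an added illustration, not code from the AOSP changes: it duplicates a close-on-exec descriptor with dup() and with fcntl(F_DUPFD_CLOEXEC), inspects FD_CLOEXEC on each copy, and then forks and execs a shell so the child can report whether the copy survived the exec. The paths /dev/null and /bin/sh, and the /proc/self/fd probe (Linux-specific), are assumptions made for the demonstration.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd carries FD_CLOEXEC, 0 if it does not, -1 if fd is not open. */
static int fd_is_cloexec(int fd) {
    int fdflags = fcntl(fd, F_GETFD);
    if (fdflags < 0) return -1;
    return (fdflags & FD_CLOEXEC) ? 1 : 0;
}

/* Leaky duplicate: dup() never sets FD_CLOEXEC on the copy, even when the
 * original descriptor had it. This is the behaviour Os.dup() inherits. */
static int dup_leaky(int fd) {
    return dup(fd);
}

/* Safe duplicate: F_DUPFD_CLOEXEC creates the copy with FD_CLOEXEC already
 * set, atomically, so there is no window in which another thread's
 * fork()+exec() could inherit it. The third argument is the lowest fd number
 * the kernel may hand back. */
static int dup_cloexec(int fd) {
    return fcntl(fd, F_DUPFD_CLOEXEC, 0);
}

/* Opens /dev/null (assumed path) with O_CLOEXEC, duplicates it both ways and
 * reports the close-on-exec state of each copy. Returns 0 on success. */
static int compare_dup(int *leaky_cloexec, int *safe_cloexec) {
    int fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int leaky = dup_leaky(fd);
    int safe = dup_cloexec(fd);
    if (leaky < 0 || safe < 0) { close(fd); return -1; }
    *leaky_cloexec = fd_is_cloexec(leaky);
    *safe_cloexec = fd_is_cloexec(safe);
    close(safe);
    close(leaky);
    close(fd);
    return 0;
}

/* Linux-only probe (assumption: /proc and /bin/sh exist): fork, exec a shell,
 * and let the exec()ed child check whether fd is still open in its own table.
 * Returns 1 if the fd leaked across exec, 0 if it was closed, -1 on error. */
static int fd_survives_exec(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void) {
    int fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
    if (fd < 0) { perror("open"); return 1; }
    int leaky = dup_leaky(fd);
    int safe = dup_cloexec(fd);
    printf("dup():           FD_CLOEXEC=%d  leaks across exec=%d\n",
           fd_is_cloexec(leaky), fd_survives_exec(leaky));
    printf("F_DUPFD_CLOEXEC: FD_CLOEXEC=%d  leaks across exec=%d\n",
           fd_is_cloexec(safe), fd_survives_exec(safe));
    return 0;
}
```

The check worth keeping from this is fd_is_cloexec(): after any code path that hands a descriptor to a child or to another process, F_GETFD on the descriptor should report FD_CLOEXEC unless the leak is intentional.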
O_RDONLY, O_WRONLY, and O_RDWR are not flags. Rather, they are the
integer values 0, 1, and 2, respectively.
#define O_RDONLY 00000000
#define O_WRONLY 00000001
#define O_RDWR 00000002
Quoting "man 2 open"
* File access mode *
Unlike the other values that can be specified in flags,
the access mode values O_RDONLY, O_WRONLY, and O_RDWR do not
specify individual bits. Rather, they define the low order
two bits of flags, and are defined respectively as 0, 1, and
2. In other words, the combination O_RDONLY | O_WRONLY is a
logical error, and certainly does not have the same meaning
as O_RDWR.
Linux reserves the special, nonstandard access mode 3
(binary 11) in flags to mean: check for read and write
permission on the file and return a file descriptor that
can't be used for reading or writing. This nonstandard access
mode is used by some Linux drivers to return a file
descriptor that is to be used only for device-specific
ioctl(2) operations.
Rather than treat these values like flags, use O_ACCMODE to extract the
values and then perform the comparisons.
Introduced in 63280e06fc.
Test: android compiles and boots.
Change-Id: I4d3185e835615ffba3a7854d3d58351e124599d0
Moving forward as we start enabling isolated storage in various
dogfood groups, we'll need to maintain separate values for the
feature flag for both "local" and "remote" opinions. Any strongly
expressed local opinion will always take precedence over any remote
opinion.
Any changes to these feature flags means that we need to invalidate
any PackageManager parsed APKs, since PackageParser changes its
output depending on the flag state. Since other feature flags are
likely to need this type of invalidation in the future, define the
PackageManager cache using a SHA-1 hash of a collection of values
that should invalidate the cache.
Bug: 112545973
Test: atest android.os.SystemPropertiesTest
Change-Id: Ifafcdf15e40e694eb4126e06981aeb82df51da33
Properties accessed across partitions are now schematized and will
become APIs to make explicit interfaces among partitions.
Bug: 117924132
Test: m -j
Change-Id: I8e04f643197b6c8a60cc38c6979e41c5de3469f5
Merged-In: Iedfd3c1dda665006ea5410ee787c3ca447ac7db1
(cherry picked from commit c1246e6c36)
New external storage mount mode for installers so
that they can access obb dirs of all apps.
Bug: 111789719
Test: atest android.appsecurity.cts#testExternalStorageObbGifts
Change-Id: Ifab3c0702a431d542a6a3ae82ca8b67d9fcd7506
NETWORK_TYPE_NR was added in ag/5629764.
This cl adds this new type to the human-readable dump output and ensures
that new network types won't crash the dumpsys (instead they'll print
ERROR).
Bug: 120778989
Test: android.dumpsys.cts.BatteryStatsDumpsysTest#testBatterystatsOutput
Change-Id: I9a6b966ca961bde37eadd924ce3ba0166a943ff8
While making the Developer Options changes, the app startup time was
increased due to reading the Global.Settings values incorrectly. As Cody
had already determined, we need to use the Bundle.getString() values,
rather than reading them from the Context. This change re-introduces
that fix.
Based on b/120784945, I'm looking at the 'bindApplication' values that are
output from the following test:
$ atest -it google/perf/app-startup/benchmark-app-hermetic/cold-dropcache-test --verbose
Without this fix:
bindApplication: 22.67
bindApplication: 21.47
bindApplication: 19.40
With this fix:
bindApplication: 16.67
bindApplication: 16.33
bindApplication: 16.67
Based on the above values, this appears to recover the missing time.
Bug: 120784945
Test: Verify app startup time is reduced.
Test: Verify ANGLE can still be enabled/disabled with the
Global.Settings values.
Test: Verify CtsAngleIntegrationHostTestCases passes.
Change-Id: I0435702c3708c8566e94673dd3a2a40eb8253052
Everything that is marked SystemApi or TestApi, but not @hide is still
part of the public SDK, it is therefore not sound to have that combination.
In the future, specifying such a combination will be considered an error
to prevent inadvertently exposing SystemApi and TestApi as public API.
Bug: 115333477
Change-Id: Ibd5d6a22862fdbc1e20a1cb3925280f5a682edea
Merged-In: Ibd5d6a22862fdbc1e20a1cb3925280f5a682edea
Test: METALAVA_PREPEND_ARGS="--error UnhiddenSystemApi" m checkapi
Exempt-From-Owner-Approval: API cleanup
- Adds @SystemApi to the work source apis. Work source will help us to
better understand who is responsible for resources usage (starting with
cpu usage)
- Adds @SystemApi to the transact listener to allow system apps to
intercept outgoing transactions in order to the set work source.
Bug: 111534779
Test: n/a - just adding annotations
Change-Id: Ie86696228bb9df57f640b978a1d78439c99626d3
Everything that is marked SystemApi or TestApi, but not @hide is still
part of the public SDK, it is therefore not sound to have that combination.
In the future, specifying such a combination will be considered an error
to prevent inadvertently exposing SystemApi and TestApi as public API.
Bug: 115333477
Change-Id: Ibd5d6a22862fdbc1e20a1cb3925280f5a682edea
Test: METALAVA_PREPEND_ARGS="--error UnhiddenSystemApi" m checkapi
Exempt-From-Owner-Approval: API cleanup
We'll come back in a future change to wire up automatic hashing in
onIdleMaintenance(), but we'll hold off on that until we've
implemented our optimized in-kernel hashing.
For now, generate the hash when demanded via canonicalize(), and
clear any hash whenever the file is edited. Tests to verify sanity.
Bug: 120782363
Test: atest android.provider.cts.MediaStoreTest
Change-Id: I287f7a204655b37e4efd519579b12084ee4fb8e3
* changes:
Only keep one overflow entry per uid.
Add app id instead of uid to WorkSourceProvider whitelist.
Sets ThreadLocalWorkSource to authorized work source.
Make sure callEnded is always called.
Currently checkParcel might throw, for instance, although this is not
enabled by default.
Test: atest binderLibTest BinderWorkSourceTest BinderCallsStatsServiceTest
Change-Id: Ia836da7daa690dfa176d48cfe86ca4b7eb7cccc6
Add system APIs isManagedKiosk and isUnattendedManagedKiosk. These will
be defined in the CDD.
The intention is to have privacy and security-approved definitions that
future features (removing user consent dialogs, stronger APIs) can use
specifically for publicly-accessible dedicated devices.
We use 'kiosk' rather than 'publicly-accessible dedicated device' for
ease-of-use, which is actually consistent with ChromeOS.
Bug: 111384878
Test: Each use will have its own CTS tests. The definitions themselves
will be in CDD. Currently tested by calling the methods in TestDPC.
Change-Id: If080a3b9dae285bc28823e6004750908009130d2