This change adds a mechanism for restricting permissions (only runtime
for now), so that an app cannot hold the permission if it is not
whitelisted. The whitelisting can happen at install or at any later point.
There are three whitelists: system: OS managed with default grants
and role holders being on it; upgrade: only OS puts on this list
apps when upgrading from a pre to post restriction permission database
version and OS and installer on record can remove; installer: only
the installer on record can add and remove (and the system of course).
Added a permission policy service that sits on top of permissions
and app ops and is responsible to sync between permissions and app
ops when there is an interdependency in any direction.
Added versioning to the runtime permissions database to allow operations
that need to be done once on upgrade such as adding all permissions held
by apps pre upgrade to the upgrade whitelist if the new permission version
introduces a new restricted permission. The upgrade logic is in the
permission controller and we will eventually put the default grants there.
NOTE: This change is reacting to a VP feedback for how we would handle
SMS/CallLog restriction as we pivoted from role based approach to roles
for things the user would understand plus whitelist for everything else.
This would also help us roll out softly the storage permission as there
is too much churn coming from developer feedback.
Exempt-From-Owner-Approval: trivial change due to API adjustment
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.PermissionsHostTest
Test: atest CtsPermissionTestCases
Test: atest CtsPermission2TestCases
Test: atest RoleManagerTestCases
bug:124769181
Change-Id: Ic48e3c728387ecf02f89d517ba1fe785ab9c75fd
This is a follow up CL to my previous CL [1], which introduced
RegisterStatusBarResult to consolidate return values from
StatusBarManagerService#registerStatusBar().
It turns out that the following fields are not correctly unmarshalled.
- RegisterStatusBarResult#mFullscreenStackBounds
- RegisterStatusBarResult#mDockedStackBounds
This is because those two fields were written with
Parcel#writeParcelable() while we were reading them directly with
Rect.CREATOR#createFromParcel(). Parcel#writeParcelable() needs to be
used with Parcel#readParcelable() for null handling and custom
class-loader handling.
With this CL, we now read/write these two fields with the following
methods, which can also be used to write/read Parcelable objects in a
bit simpler style as long as we can rely on the default
class-loader.
- Parcel#writeTypedObject()
- Parcel#readTypedObject()
This CL also adds unit tests for StatusBarIcon and
RegisterStatusBarResult to make sure that these classes can be sent
over Parcel.
[1]: Ib1c0ae8f591ca09d0bce7a39f85ba57aad386e47
49efa718a8
Bug: 122439339
Test: atest FrameworksCoreTests:StatusBarIconTest
Test: atest FrameworksCoreTests:RegisterStatusBarResultTest
Change-Id: I0f41cbcb4c2f1222f18e1e34e3cf40bb0dfdfdb3
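The mismatch described in the commit message above, as an added illustration that is not part of the original change: a simplified Python model of a parcel showing why a value written in the writeParcelable() style cannot be read with a bare createFromParcel(), while the paired and typed-object styles round-trip. This is not android.os.Parcel; the byte layout, the helper names and the sample bounds are assumptions made for the example.

```python
import struct

RECT_CLASS = "android.graphics.Rect"

class Parcel:
    """Simplified model of a parcel: flat little-endian buffer plus read cursor."""
    def __init__(self):
        self.buf, self.pos = bytearray(), 0

    def write_int(self, v):
        self.buf += struct.pack("<i", v)

    def read_int(self):
        (v,) = struct.unpack_from("<i", self.buf, self.pos)
        self.pos += 4
        return v

    def write_string(self, s):            # None is encoded as length -1
        data = b"" if s is None else s.encode()
        self.write_int(-1 if s is None else len(data))
        self.buf += data

    def read_string(self):
        n = self.read_int()
        if n < 0:
            return None
        self.pos += n
        return self.buf[self.pos - n:self.pos].decode()

def write_rect(p, r):                     # models Rect#writeToParcel: four ints
    for v in r:
        p.write_int(v)

def create_rect(p):                       # models Rect.CREATOR#createFromParcel
    return tuple(p.read_int() for _ in range(4))

def write_parcelable(p, r):               # class name (or null marker), then fields
    p.write_string(None if r is None else RECT_CLASS)
    if r is not None:
        write_rect(p, r)

def read_parcelable(p):                   # consumes the class name before the fields
    return None if p.read_string() is None else create_rect(p)

def write_typed_object(p, r):             # 0/1 presence flag, then fields
    p.write_int(0 if r is None else 1)
    if r is not None:
        write_rect(p, r)

def read_typed_object(p):
    return create_rect(p) if p.read_int() != 0 else None

def round_trip(writer, reader, rects):
    """Write every rect with `writer`, then read the same count back with `reader`."""
    p = Parcel()
    for r in rects:
        writer(p, r)
    return [reader(p) for _ in rects]

SAMPLE = [(0, 0, 1080, 2340), None]       # constructed bounds; docked stack absent
```

Calling `round_trip(write_parcelable, create_rect, SAMPLE)` returns rectangles built from the class-name bytes, which is the unmarshalling failure the message describes; the other two pairings return `SAMPLE` unchanged.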
1. Add ripple feedback to clipboard copy even though the sharesheet
disappears really fast and you may not see it.
2. Make sure file icon is gray and not influenced by the overlay.
3. Default multiple file sharing to file preview area and not image
preview area when there are mixed file types
Bug: 129979196
Test: Visual inspection
Change-Id: Ia86d418ccaca9a122f00dbc3e9c3b30785fb2abd
StateMachine.toString() calls mSmHandler.getCurrentState(). In the
rare case when mStateStackTopIndex is -1 due to the StateMachine being
not yet initialized, this results in an ArrayIndexOutOfBoundsException.
Bug: 124858416
Test: none
Change-Id: Id558be95b6e12d8a923d325bca5f6f6d7f942b22
Calculating the reserved height was using the wrong figures. Expose
the correct reserved alwaysShow height, and use it to determine the
offset for scrolling.
Bug: 120419081
Test: manual, rotate device
Change-Id: I21fd9fa8494a258d17f6002f79967aacc0efde34
This is a preparation to fix an issue that IME cannot enable light
navigation bar on direct-reply.
The initial state of StatusBar client is provided as return values of
IStatusBarService#registerStatusBar(). However, the way for the
client to receive the return values is to rely on "out" parameters in
the Binder method as follows.
    void registerStatusBar(IStatusBar callbacks,
            out List<String> iconSlots,
            out List<StatusBarIcon> iconList,
            out int[] switches,
            out List<IBinder> binders,
            out Rect fullscreenStackBounds,
            out Rect dockedStackBounds);
The issue is that if I want to add a new parameter into
StatusBarManagerService to fix Bug 122439339, then it needs to be
notified back to the client via one of these out values, e.g. a new
element in "switches", which is hard to understand and maintain.
It'd be better to introduce a dedicated return object as follows.
    RegisterStatusBarResult registerStatusBar(IStatusBar callbacks);
This is a purely mechanical code clean-up. Hence there should be no
behavior change.
Bug: 122439339
Test: presubmit
Change-Id: Ib1c0ae8f591ca09d0bce7a39f85ba57aad386e47
For gestural navigation, having a small bar drawn by SystemUI
looks really really weird. Since we force the status bar
background to be drawn in the client, we can also force the
navigation bar background without expecting any compat issues.
Bug: 129751541
Test: Open legacy app, ensure black is drawn in the client
Change-Id: I9cd4c5dd799324ff10bf9d28750e8f238ab1e459
(cherry picked from commit 461bb11371)
To answer the question if users share mainly with 1 or 2 direct targets
or with a multitude of contacts, we need to log the direct target +
package name. For privacy, this gets hashed with a salt that expires by
default every 7 days. The PH flag will allow us to change the expiration
time if we obtain PWG permission for that.
Bug: 126365511
Test: New test in ChooserActivityTest + manual testing of consistency
and flag rollout using adb shell device_config put systemui
hash_salt_max_days with multiple values
Change-Id: Ib4255b3eb39ca91ccb5803dc036ffe0ea83a27c9
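The salted-hash logging scheme described in the commit message above, as an added sketch that is not the code from this change: identifiers hashed under a random salt that is replaced once it is older than a configurable number of days, so logged values are comparable inside one window and unlinkable across windows. HMAC-SHA256, the class and method names, the sample package and target strings, and the explicit `now` timestamps are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

DAY = 86400  # seconds

class RotatingSaltHasher:
    """Hashes (package, target) pairs under a salt that expires after max_days."""

    def __init__(self, max_days=7):
        self.max_days = max_days      # would be driven by a flag such as hash_salt_max_days
        self._salt = None
        self._created = None

    def _current_salt(self, now):
        # Generate a fresh salt on first use or once the old one has expired.
        # The old salt is dropped, so earlier hashes cannot be recomputed.
        if self._salt is None or now - self._created >= self.max_days * DAY:
            self._salt = secrets.token_bytes(32)
            self._created = now
        return self._salt

    def hash_target(self, package, target, now):
        # The length prefix keeps ("ab", "c") and ("a", "bc") from colliding.
        msg = f"{len(package)}:{package}:{target}".encode()
        return hmac.new(self._current_salt(now), msg, hashlib.sha256).hexdigest()

def share_counts(hasher, events):
    """Count shares per hashed target; events are (package, target, now) tuples."""
    counts = {}
    for package, target, now in events:
        key = hasher.hash_target(package, target, now)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed events: two shares to one contact in the first week, one after expiry.
EVENTS = [
    ("com.example.chat", "contact-1", 0 * DAY),
    ("com.example.chat", "contact-1", 6 * DAY),
    ("com.example.chat", "contact-1", 7 * DAY),
]
```

With the default 7-day window, `share_counts(RotatingSaltHasher(), EVENTS)` yields two keys: one counted twice for the first window and a different one for the share made after the salt rotated.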
In order to notify netd to swap eBPF maps before pulling the
networkStats from eBPF maps, NetworkStatsFactory needs to use the
NetdServices to issue binder calls. So it needs to be moved from
framework/base/core to framework/base/service since objects in
framework/base/core cannot get any system services. This change is also
necessary for setting up a lock inside NetworkStatsFactory to prevent
racing between two netstats callers since the lock needs to be held before
netd triggers the map swap.
Also fix the compile problem caused by moving the NetworkStatsFactory
and the related tests. Rename the packages and the jni functions to a
more proper name.
Bug: 124764595
Bug: 128900919
Test: NetworkStatsFactoryTest
android.app.usage.cts.NetworkUsageStatsTest
android.net.cts.TrafficStatsTest
Change-Id: Ifcfe4df81caf8ede2e4e66a76552cb3200378fa8
This patch replaces three separate native initialization functions with
a single function, reducing the number of times we need to cross the JNI
boundary. In addition this loads an empty performance profile for the
zygote to address b/129704892.
Bug: 129704892
Test: make & boot
Test: Treehugger
Change-Id: I0413f554e0963a714e0b4de3196d31ffe6775a3a
This condition never made any sense because we checked the
systemUiVisibility field for a WindowManager flag. Instead of
trying to fix it, let's just remove the check to keep the
behavior.
Test: boots
Bug: 129751541
Change-Id: Ib0ace4d47f5623b32430a8a7e4f25f5a259451ea
Previously, the best color was picked by checking the colors
against the blacklist. The logic for picking the best color
was broken when the blacklist was removed for
b/124180048.
Fixes: b129762944
Test: New test points added to TonalTest.java
Change-Id: Ie51806735910bb40e5e66d7baf545ea213e4a01e
For service and provider bindings from TOP and
FOREGROUND_SERVICE apps, don't elevate bound apps
to above BOUND_FOREGROUND_SERVICE.
For service bindings, it is possible to explicitly
request the binding to match the foreground app
such that the bound app can get similar privileges
of foreground permissions.
For instance, when a foreground service has a location
type, providers it binds to don't automatically get the
location privilege. On the other hand, sometimes apps
showing UI want to treat their dependencies also as if
they are showing UI.
This change does not affect the oom_adj calculation,
only the proc state calculation for bound processes.
New BIND_INCLUDE_CAPABILITIES flag can be used to restore old
behavior for bound services.
Introduces a new state PROCESS_STATE_BOUND_TOP
Bug: 128337543
Test: atest CtsAppTestCases:ActivityManagerProcessStateTest
Change-Id: I13733e7f43a78903299254bc110cd8f7a8db4c40
Limit the direct share list to MAX_SERVICE_COUNT and discard any
results over that. Do not further rank results from App Prediction
Service, and also give other shortcut results priority over older
direct share targets
Bug: 126568576
Test: atest ChooserActivityTest
Change-Id: I2e2d53134273583a504c71ae4daa9f1db951b164
The issue stems from adding the incorrect userid when first entering
the sharesheet. The flow from Photos sendkit directly to the work
profile sharesheet was setting the incorrect userid on the content
uris. Move this logic to the correct location.
Bug: 129280812
Test: Manually retest Photos->Share->Work Profile->Chat
Change-Id: I3660684336450172852cf86bea1f3c60cf15aa87
- Also remove typed media permissions
- Leave typed media app-ops
Bug: 129716569
Test: Used apps, looked at permissions in the UI
Change-Id: If7714fb1a6955584157e1a60ab72b09e35287827
In some cases, returned ResolveInfo may not have a set icon but
it will always have an associated ActivityInfo. Fall back to
that ActivityInfo when no icon is set. Permissioned apps now
properly have their icon fetched.
Fixes: 129460747
Fixes: 125908050
Test: manual
Change-Id: I624b1d455106c987b1e3f6623ef9e69d22882e59
ListView will try to prevent errant touches while data is being
loaded. With Sharesheet, this can happen quite frequently so 1:
eliminate unnecessary notifyDataSetChanged calls and 2: batch up the
remaining calls and release a single call on an interval.
Bug: 126568576
Test: atest ChooserActivityTest && atest ResolverActivityTest
Change-Id: I3207f207910a0c9223a1b562243d9db612f93b0a
* changes:
Revert ContextImpl LoadedApk packageInfo caching workaround
Fix AssetManager2 isUpToDate check
Diff resource dirs when checking LoadedApk packageInfo cache in ActivityThread
Diff overlays between PackageManagerService and OverlayManagerService
Propagate base code path and split dir changes to Resources objects
Shows activity and app label for all share targets except those
with the right permission. Shows 2 wrapping lines as a label for
all direct share targets. Brings grid item layout closer to spec.
Fixes several associated bugs.
Fixes: 125908050
Test: included label test, manual
Change-Id: I5c2cc0700b59911d79aebf2582176497c30bf85c
Also refactored how the SecurityException is thrown back to the caller app.
Bug: 122959591
Test: manual verification
Test: atest CtsContentCaptureServiceTestCases # sanity check (minus usual flakiness)
Change-Id: I4d2a68e61dc1c801d80734a30f4bbe6fdae8555d
* changes:
Move BatteryStats and StatsCompanionService to use NetworkStatsService.
NetworkStatsService: Fix getDetailedUidStats to take VPNs into account.
Take all VPN underlying networks into account when migrating traffic for VPN uid.