7170 Commits

Author SHA1 Message Date
Jeff Sharkey
4ba6923975 Offer API to detect ContentProvider ANRs.
If a system component calls to a remote provider, and that provider
hangs, we end up burning that Binder thread until the remote process
is killed for some unrelated reason.

This change adds an API to detect these hangs, and kill the remote
process after a specific timeout, but only when the caller holds a
permission that lets them kill other apps.

Bug: 117635768
Test: atest android.content.cts.ContentResolverTest
Change-Id: I81b0d993d9d585cdeb5e2559c68052ba6cbbced9
2018-12-08 14:56:48 -07:00
Jeff Sharkey
e770d22dc9 Make DocumentsContract methods more general.
Accepting only ContentResolver arguments was quite limiting, so use
the newly created super-interface ContentInterface, which lets
callers use a ContentResolver, a ContentProviderClient, or even a
specific ContentProvider.

This is a safe API change, since we're accepting a more-general
argument, and existing API users can continue passing ContentResolver
to these methods.

Bug: 117635768
Test: atest DocumentsUITests
Test: atest android.appsecurity.cts.DocumentsTest
Change-Id: I8f0cd1335c9b763dd81eeb237fb0517e9073b625
2018-12-08 11:48:31 -07:00
Jeff Sharkey
633a13e2fa Extract common methods into ContentInterface.
Existing APIs that accept a ContentResolver are too restrictive when
the caller has their own ContentProviderClient already bound and
configured, so we're in the market for a solution to open those
existing APIs to accept a wider range of inputs.

The solution we've come up with is to introduce a super-interface
which contains the common ContentProvider APIs, and then make
ContentProvider, ContentResolver, and ContentProviderClient all
implement that interface for consistency.

After this change lands, we can then safely relax existing APIs to
accept this new ContentInterface, offering a clean path to solving
the problem outlined above.

Bug: 117635768
Test: atest android.content.cts
Test: atest android.provider.cts
Change-Id: Ic5ae08107f7dd3dd23dcaec2df40c16543e0d86e
Exempted-From-Owner-Approval: keep tests working
2018-12-08 11:25:13 -07:00
Benedict Wong
c02acadd9b Merge "Add IPsec tunnel mode feature flag" 2018-12-07 19:42:21 +00:00
Felipe Leme
749b889889 Yet another (major) refactoring on Content Capture and Augmented Autofill.
Bunch of changes:

- Split public SmartSuggestionsService into ContentCaptureService and
  AugmentedAutofillService
- Renamed 'intelligence' packages to either 'contentcapture' or
  'autofill.augmented'
- Renamed internal packages and classes.
- Changed permissions, resource names, etc...
- Moved Augmented Autofill logic from IntelligenceManagerService (R.I.P.) to
  Autofill.
- Optimized IPCs by passing a String instead of the InteractionSessionId
  (that also solves the view -> service dependency).

Test: atest CtsContentCaptureServiceTestCases \
            CtsAutoFillServiceTestCases \
            FrameworksCoreTests:SettingsBackupTest
Test: manual verification with Augmented Autofill Service

Bug: 119638877
Bug: 117944706

Change-Id: I787fc2a0dbd9ad53e4d5edb0d2a9242346e4652d
2018-12-06 16:56:39 -08:00
TreeHugger Robot
151357cde2 Merge "Replace Slog with Log in ContentProvider" 2018-12-06 23:05:40 +00:00
Amin Shaikh
5fdc89c006 Document the format of EXTRA_CONTENT_QUERY.
Change-Id: Ifb8e76bf9c7e3a24a91efe7423153aef3d91eb86
Fixes: 120488579
Test: N/A
2018-12-06 15:50:21 -05:00
Eugene Susla
aaa542712b Replace Slog with Log in ContentProvider
Test: ensure no errors on boot
Change-Id: I44efbf1a52c9c602ce6c9f8ea23b7a4566df27f3
2018-12-06 11:04:21 -08:00
TreeHugger Robot
8730cc4e6b Merge "Add documentation for passing EXTRA_PERMISSION_NAME to REVIEW_PERMISSION_USAGE." 2018-12-06 15:55:45 +00:00
Benedict Wong
dc92c69b08 Add IPsec tunnel mode feature flag
This patch adds a feature flag for IPsec Tunnel Mode. This implies VTI
(with output-mark updating), or XFRM-I in the kernels.

Bug: 117183273
Test: Compiles
Change-Id: I6dd0e429cc0bd100f2ef1140a6651f6ef5294c79
2018-12-05 23:41:02 -08:00
TreeHugger Robot
fce7ec9737 Merge "Log a string to logcat when ContentProvider access gets denied due to appop" 2018-12-06 02:42:50 +00:00
Dianne Hackborn
77b13fd30a Merge "Fix various issues in ordering of grouped bindings." 2018-12-06 00:44:24 +00:00
Dianne Hackborn
2f55e5a929 Fix various issues in ordering of grouped bindings.
Everything needed to get the CTS tests to work.

Also:

- Change process names to be unique per isolated instance,
  and no longer use isolated uid in proc stats, so we don't
  have a crazy number of process entries there.
- Again move activity manager dumpsys output so we aren't
  spewing less useful stuff at the end where it hides the
  core state about processes.
- Fix protos so that we can read InstrumentationInfo from the
  activity manager protos.  (There was confusion about writing
  protos for a PackageItemInfo vs. an ApplicationInfo.)

Test: atest CtsAppTestCases:ServiceTest\#testActivityServiceBindingLru
Bug: 111434506
Change-Id: I2c86bd1daa582a5c60950173ca12e8ec21b13ead
2018-12-05 11:03:58 -08:00
Christine Franks
ca1fd658ed Merge "Add IColorDisplayManager" 2018-12-05 16:29:51 +00:00
Joel Galenson
b995edac62 Add documentation for passing EXTRA_PERMISSION_NAME to REVIEW_PERMISSION_USAGE.
REVIEW_PERMISSION_USAGE now supports being passed a permission name.
Document that in the comment.

Bug: 120222495
Test: Compile
Change-Id: Iedd2d98b5150bdf21fa80489889a0672d58dd1f2
2018-12-04 17:32:28 -08:00
Eugene Susla
b22f71eafe Log a string to logcat when ContentProvider access gets denied due to appop
Make sure testers have a way to quickly determine when an app is trying to access
call logs or SMS without being the default handler, so we don't get inundated with
bugs about correct behavior

Test: proofread
Change-Id: I46b9dc86073101f8ca08ac1bc90c79338afd114f
2018-12-04 21:16:26 +00:00
Philip P. Moltmann
4468973573 Use pooledLambda in RuntimePermissionPresenterService
And check parameters at trust boundaries

Test: Looked at AppInfo in Settings (uses RuntimePermissionPresenterService)
Change-Id: Ie70f64c1bc5435e1d284c37cc6fec208468b3a0a
2018-12-04 12:50:50 -08:00
David Brazdil
0bf7ab1631 Merge "hiddenapi: Add constants for 'greylist-max-p'" am: ec62f08f8c am: 8a822605d2
am: f29f0de34c

Change-Id: I31647f9e58e86d1bb18891534fcf1e3d4226298e
2018-12-04 03:07:34 -08:00
David Brazdil
f29f0de34c Merge "hiddenapi: Add constants for 'greylist-max-p'" am: ec62f08f8c
am: 8a822605d2

Change-Id: If1b679a373cb4a29405076ee1ebe2df904b793ea
2018-12-04 02:48:00 -08:00
David Brazdil
ec62f08f8c Merge "hiddenapi: Add constants for 'greylist-max-p'" 2018-12-04 10:07:59 +00:00
Felipe Leme
ecb08be22e Split IntelligenceManager / IntelligenceService.
This name is too generic, so we split it in 2 parts:

- ContentCaptureManager: the public API used by views and apps to report their
  structure.
- SmartSuggestionsService: the system service used to consume these events and
  provide autofill suggestions.

This CL also:

- Optimizes ContentCaptureManager allocation so they are not created on contexts that are not
  capturing events (such as views from the system server).
- Uses a generic ContentCaptureEventsRequest (rather than a list of events) to make it easier
  to be extended.
- Fixed IntelligencePerUserService so it clears the sessions when the
  implementation changes.

Test: manual verification

Bug: 119776618
Bug: 117944706
Bug: 119638877

Change-Id: I069bcd23dda94afe18b2781fd3981b8b555afa56
2018-12-03 15:29:07 -08:00
Nicolas Geoffray
c64eef6211 Merge "Start using shared libraries class loader." am: e7753e084f
am: 4879460f35

Change-Id: I0d3898a78d116aebb425a9a1cacb5dbac82b3e6d
2018-12-02 13:14:26 -08:00
Nicolas Geoffray
e7753e084f Merge "Start using shared libraries class loader." 2018-12-02 20:39:38 +00:00
Nicolas Geoffray
972b39e4e4 Start using shared libraries class loader.
Change 1/2. Change 2/2 will setup the class loader namespace for
shared libraries.

This change sets up shared libraries class loaders for applications
and for dexopt.

bug: 111174995
Test: DexoptUtilsTest, device boots
Exempt-From-Owner-Approval: PS1 was approved by owner, PS2 is a build fix.

(cherry picked from commit 8d144eb8bd)
Merged-In: Ie9a2b4eaa85cda59951703433f7a2d03bc12095d

Change-Id: I76383308418485ad6739f8a404d02c2771e4afe4
2018-12-02 20:39:29 +00:00
Jeff Sharkey
1bf3db90f4 Revert SQLiteQueryBuilder for now. am: 6c90f1ded2
am: d551877fe8

Change-Id: I663ee9e0f55f9c53cba3cecc9c530470377c5ec9
2018-12-02 11:42:46 -08:00
Jeff Sharkey
3e26b7db55 Extend SQLiteQueryBuilder for update and delete.
Developers often accept selection clauses from untrusted code, and
SQLiteQueryBuilder already supports a "strict" mode to help catch
SQL injection attacks.  This change extends the builder to support
update() and delete() calls, so that we can help secure those
selection clauses too.

Extend it to support selection arguments being provided when
appending appendWhere() clauses, meaning developers no longer need
to manually track their local selection arguments along with
remote arguments.

Extend it to support newer ContentProvider.query() variant that
accepts "Bundle queryArgs", and have all query() callers flow
through that common code path.  (This paves the way for a future
CL that will offer to gracefully extract non-WHERE clauses that
callers have tried smashing into their selections.)

Updates ContentValues to internally use more efficient ArrayMap.

Bug: 111268862
Test: atest frameworks/base/core/tests/utiltests/src/com/android/internal/util/ArrayUtilsTest.java
Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/SQLiteQueryBuilderTest.java
Merged-In: I60b6f69045766bb28d2f21a32c120ec8c383b917
Change-Id: I60b6f69045766bb28d2f21a32c120ec8c383b917
2018-12-01 17:23:04 -07:00
Jeff Sharkey
2ea404fd2a Merge "Method to determine isolated storage mode." 2018-12-01 22:37:35 +00:00
TreeHugger Robot
4a18273991 Merge "Deprecate getPreferredPackages() and related APIs" 2018-12-01 05:50:31 +00:00
Eugene Susla
b9df101c9e Merge "Call roles granting only when packages changed" 2018-11-30 23:13:50 +00:00
Nikita Dubrovsky
18a87693a0 Deprecate getPreferredPackages() and related APIs
The APIs for "preferred" packages and activities have been superseded
by modern activity-based preferences.

Bug: 120291723
Test: build (javadoc-only change)
Change-Id: I4242a10e1612f7e203256e4c26c5e8c518cc7656
2018-11-30 21:25:13 +00:00
TreeHugger Robot
e444d218b7 Merge "Revert "Allow location provider to deep link into permissions UI"" 2018-11-30 21:04:35 +00:00
Eugene Susla
abdefbaeeb Call roles granting only when packages changed
This computes and stores a hash of significant (for PermissionController)
packages state for the time when granting last ran.

Test: - enable DEBUG flag
- using logcat ensure roles granted on first bootloader
- adb reboot
- ensure roles granting skipped
- disable a package
- adb reboot
- ensure roles granting ran on boot

Change-Id: Idaea40c0ea34feaedfbe357627201f85e66876d5
2018-11-30 10:58:47 -08:00
Jeff Sharkey
10ec9d8a42 Method to determine isolated storage mode.
Mostly designed for use by tests, but start using it elsewhere in OS
for consistency.

Bug: 119713234
Test: manual
Change-Id: I803671fd84547b75337bebf00c2fa2bdaf0f72e7
2018-11-30 10:52:02 -07:00
Jaewan Kim
c188069fa8 Merge "AML: Make Context#getOpPackageName() public" 2018-11-30 04:49:09 +00:00
TreeHugger Robot
e59ac13c37 Merge "Revert "Honors MATCH_ALL flag"" 2018-11-29 23:38:29 +00:00
Chad Brubaker
125970d828 Fix docs
Test: m docs
Bug: N/A
Change-Id: I9dbc83779cdc6918cf22ed60dbc82bba820af06f
2018-11-29 13:50:49 -08:00
Patrick Baumann
c1050eea66 Revert "Honors MATCH_ALL flag"
This reverts commit 00e8d59af0.

Reason for revert: unintended consequences

Change-Id: Ia4b16a30ce587d083b80dd08007731f5c68b467d
Bug: 35176630
Fixes: 120214031
2018-11-29 21:20:26 +00:00
Chad Brubaker
1a4c431e26 Merge "Add permission usage information" 2018-11-29 20:10:41 +00:00
David Brazdil
5cd148fc7a hiddenapi: Add constants for 'greylist-max-p'
New category of hidden API has been created. Update the script
generate_hiddenapi_lists.py with the new flag name.

Test: m, phone boots
Change-Id: I79e5478678880939e20e500cb8dad9b2a56fc84f
2018-11-29 15:43:02 +00:00
TreeHugger Robot
8dac427f33 Merge "Add new intent to signal that device customization is ready" 2018-11-29 15:05:22 +00:00
Jaewan Kim
0980c7f092 AML: Make Context#getOpPackageName() public
Bug: 119748678
Test: build
Change-Id: I79f7d057df5b61fa661987d36f20d24825eb1e5b
2018-11-29 12:48:38 +09:00
Christine Franks
39b0311db8 Add IColorDisplayManager
- Add IColorDisplayManager
- Add CONTROL_DISPLAY_COLOR_TRANSFORMS permission

Bug: 111215474
Test: atest FrameworksServicesTest:ColorDisplayServiceTest
Change-Id: Ia8182ccc80c1733f00c62b136e7950e2d2092d75
2018-11-28 17:21:30 -08:00
Chad Brubaker
a58ce39e5d Add permission usage information
Applications will be able to add information to their uses-permission
elements about how the data protected by that permission is used.

Currently the system does not use this information, that will be done in
a follow up CL.

Test: atest PermissionUsageTest
Bug: 111207567
Change-Id: Ic168684cc800febc8fb3a3f807e1917f1f1585a4
2018-11-28 13:34:17 -08:00
Martijn Coenen
ce871128cd Merge "Add useAppZygote attribute to <service>." 2018-11-28 08:25:20 +00:00
TreeHugger Robot
bf8d834647 Merge "Switch to idmap2" 2018-11-28 03:42:44 +00:00
Philip P. Moltmann
c20f1b78a9 Revert "Allow location provider to deep link into permissions UI"
This reverts commit ed98828335.

Reason for revert: The exposed API is not needed anymore

Test: Built
Bug: 118437704
Change-Id: I155eb0f7241327b34ea5beaabee514ba2a018998
2018-11-27 17:03:24 -08:00
Mårten Kongstad
fd20b8387d Add new intent to signal that device customization is ready
Add a new intent to be broadcast when a new configuration has been
installed to signal that it is time to reboot the modem, refresh caches,
etc. To receive the intent, recipients must hold the new permission
"android.permission.RECEIVE_DEVICE_CUSTOMIZATION_READY".

This CL registers the intent, but does not send it: that is the
responsibility of the customization client, e.g. Phonesky. The sender is
expected to call PackageManager.sendDeviceCustomizationReadyBroadcast
and hold the new permission "android.permission.SEND_DEVICE_CUSTOMIZATION_READY".

Bug: 118462251
Test: manual (custom apps)
Change-Id: I9a723ca9ade16e8c5d316efbc7effd01e13ff2e7
2018-11-27 15:00:27 -08:00
TreeHugger Robot
dbbcf07ec5 Merge "Removes ASEC-related logic from the framework" 2018-11-27 22:32:35 +00:00
TreeHugger Robot
e3a6d9450a Merge "Add "dictionary" entity type" 2018-11-27 21:51:45 +00:00
Mårten Kongstad
b87b507248 Switch to idmap2
Switch from idmap to idmap2.

This CL is the safety pin for idmap2. If idmap2 causes issues during
dogfooding it is easy to go back to idmap by reverting this CL.

Once idmap2 has proven itself during a suitable period of time, the
FEATURE_FLAG_IDMAP2 flag and the obsolete idmap code will be removed.

Also add an .rc file to tell init to launch idmap2d.

Bug: 78815803
Test: atest OverlayDeviceTests OverlayHostTests
Change-Id: I5ca1388ac2f8a9379fed0c257247d351a5c7a3c4
2018-11-27 13:37:34 -08:00