Show a warning toast when an app starts an activity inside a broadcast
receiver in response to a notification or notification action click.
This is to gather dogfood feedback in preparation for blocking such
activity starts. See go/notification-trampolines for more info. For now,
only taking care of broadcast receivers, the services case will be in a
future CL.
The toast is only shown once per package. This is to avoid annoying
dogfooders.
The actual block will be gated on targetSdk, however since very few
apps (any?) will be targeting the latest SDK on dogfood and we are still
allowing the activity start, we're going to show a toast regardless of
targetSdk to collect more feedback.
A side-effect of the way we implemented the rule that allowed
notification trampolines in BAL is that in the case that the user clicks
on a broadcast/service-trampoline notification of an app that also
happens to be in the foreground (on top for example) we can't
differentiate if an activity start came from the broadcast/service or
from the activity itself (or some other part of the app). Because of
this, in this case, we won't show the warning toast (and I'd say we
might not block the launch in the future, but this discussion can wait).
Implementation:
We determine at PendingIntent fire time if the receiver is allowed to
start activities. However, we pass a boolean to represent the grant to
start activities and this boolean also takes into account another case
that allows such starts. To correctly identify at activity start time
that it was allowed due to notification-click scenario we pass in the
token that was embeded in the PendingIntent (and was validated in the
PendingIntentRecord) by notification manager.
The set of components in ProcessRecord becomes a map to contain the
originating tokens. Since now WindowProcessController needs to have the
token to trace back the grant, I've replaced the boolean flag with the
map from ProcessRecord. We move the grant rule to the bottom of the
method areBackgroundActivityStartsAllowed() to make sure the start was
allowed exclusively due to notification-click interaction.
We then let notification manager register a callback with activity task
manager that will be called whenever a background activity start is
allowed exclusively due to a token provided in that callback. In that
callback we show the warning toast.
Test: atest BroadcastRecordTest BackgroundActivityLaunchTest
ActivityStartControllerTests ActivityStarterTests
RecentsAnimationTest WindowProcessControllerMapTests
WindowProcessControllerMapTests
Test: Posted a broadcast-trampoline notification, clicked on it and
observed the toast was shown.
Change-Id: Ica479d7d2f6b5f2ddaac4c59e12d0b25cd637717
When constructing a classloader for a different app, don't include
it's private data dir in libraryPermittedPath if we don't have access
to it. (Which we often won't, although it depends on target SDK,
whether it has a shared UID, etc.)
This avoids generating SELinux denials at boot and other times,
e.g. when initialising WebView.
Bug: 161356067
Test: Boots, denials not seen, WebView works.
Change-Id: Ib246af979783e80fde3313f8aed6c3b7a886e6b2
Since Android 7.0, partners were able to export some of their native
shared libraries to apps. So far, the native libraries were provided to
all apps regardless of whether they are actually needed or not. Even
worse, it was impossible to prevent the installation of an app to the
device where the some (or all) of the required native libs don't exist;
the apps had to manually handle the case, which sometimes impossible
when the dependency is so fundamental.
This change introduces a new tag <uses-native-library> to the app
manifest. Similary to the existing <uses-library> tag which is for
(java) shared libraries, the new tag is used to describe the depedencies
to the native shared libraries.
Apps targeting Android S or higher are required to use the tag to import
the native shared libraries. Libraries that are not depended on won't be
available to the app even if the libraries are listed in the
public.libraries*.txt files. Furthermore, when the dependency can't be
satisfied for an app, the package manager refejects installing the app.
The dependency can be optional using the `android:required` attribute.
When it is set to true, the absence of the lib on the device doesn't
prevent the app from being installed. However, the app has to gracefully
deal with the absence.
The changed behavior only affects apps targeting S or higher. Existing
apps are unaffected; they still get all the public native libraries
regardless of whether they have <uses-native-library> tags or not; the
tags are simply ignored.
This is the first version of the implementation and therefore needs
further refinements. The followings are two major TODOs.
1) The native shared lib dependencies of the java shared libraries
are not enforced. For example, if an app depends on a java shared
library foo and foo depends on some native shared libraries, the
classloader where code from foo is loaded still gets all native shared
libraries. This should be fixed.
2) New APIs should be added. SharedLibraryInfo should be extended to
represent native shared libraries. The meaning of
ApplicationInfo.sharedLibraryFiles should be revised. Finally, the new
tag should be made public.
Bug: 142191088
Test: atest CtsUsesNativeLibraryTest
Change-Id: Iceb038aa86872d23e9faf582ae91b1fdcaf5c64c
This CL adds a system API to NotificationManager for checking whether
the NotificationListener for the current package name and user id is
enabled or not.
This replaces existing implementation which was using binder calls
directly to NotificationManagerService.
Bug: 160762852
Test: atest CtsMediaHostTestCases:\
android.media.session.cts.MediaSessionManagerHostTest\
#testGetActiveSessions_withSession2
-> MediaSessionManager#getActiveSessions verifies call by checking if
the notification listener is currently enabled.
Change-Id: Ic730b0abfe08c40171062421b2015be9cc05310a
Don't clone-then-discard, just work from what we have already, and start
fresh for potential new work.
Bug: 161534313
Test: atest android.content.cts.SharedPreferencesTest
Change-Id: I6edb2b09537f5e77cc2ad3e4d2f32a89b945ad80
Add a removeListener method to allow deregistration of interest in
config changes, update tests. Also, hide binder interfaces on the
android.app methods.
Test: Treehugger / atest of touched test files
Bug: 149014708
Bug: 159888952
Change-Id: Ic1a14c34334eb276724d97c4e763360d51cb035b
This app op was introduced to support --no-isolated-storage
instrumentation flag in MediaProvider mainline module. Because it was
very late in the release cycle, app op wasn't exposed as @SystemApi in
rvc-dev, even though there CTS tests written around it, and
MediaProvider module depends on it.
To make things fair, expose it as @SystemApi.
Test: atest CtsScopedStorageHostTest
Bug: 159708202
Change-Id: Ifddf2cb920285eda5f859972937b0f9084fc32a3
With this change, if user selects a preferred activity with "Always"
checked, there will only be one mAlways=true intent filter
for a given action.
BUG: 161394369
Test: manual
Test: atest FrameworksServicesTests
Change-Id: I3d5ee0130f6f07530bb53f9c1509d5121a46a34a
This CL changes the behavior of pressing the back button on a root
activity so that the task is moved to the back, instead of the activity
being finished.
This removes the IRequestFinishCallback which IActivityTaskManager would
previously have triggered to make the Activity finish itself.
Bug: 146418616
Test: atest WmTests
Test: manual: flash crosshatch, press back button on a root activity,
observe task is moved to back.
Change-Id: I48ec35f841ab3b306fe80845150000c390908f5e
This change includes the following commits that are related to
CertInstaller and KeyChain:
7a5c8fe4afd KeyChain: Unify manual and programmatic key installation flows
a894225c7da Added functionality to select type of certificate to be installed from the Settings app
a9131939a35 Add KeyChain.KEY_ALIAS_SELECTION_DENIED constant.
485be505f19 Fix KeyChain.KEY_ALIAS_SELECTION_DENIED
Bug: 161347472
Test: builds & manual testing
Change-Id: I560bade479b41a5b88f81ea6dfdecba689c2f4ad
Bug: 159039903
A set of small changes to the class to allow for addition debugging.
1. Distinguish a cache that is disabled because the nonce has not
set from a cache that is disabled because it is corked.
2. Count the times the cache was bypassed because it was corked, unset,
or disabled. This does not count the times the cache was bypassed
because it was locally disabled. Add these counts to dumpsys.
3. Count the number of times a cache is invalidated, corked, and
recorked (corked while already corked). Add these counts to dumpsys.
4. Log some additional information if cache inconsistency is detected.
5. Record cache overflows and cache high-water marks.
Test: Run the following tests with and without the changes. Verify that
the changes do not affect behavior.
* CtsContactsProviderTestCases
* FrameworksServicesTests
* FrameworksServicesTests:UserManagerServiceCreateProfileTest
* PlatformScenarioTests
* PtsChreTestCases
* FrameworksServicesTests:UserManagerServiceUserInfoTest
* FrameworksServicesTests:UserManagerServiceIdRecyclingTest
* CtsProviderTestCases
* FrameworksServicesTests:UserSystemPackageInstallerTest
* FrameworksServicesTests:PackageManagerSettingsTests
* FrameworksServicesTests:UserLifecycleTests
* CtsCalendarProviderTestCases
* BluetoothInstrumentationTests
Pull a bug report and verify that the new counters are included.
Change-Id: I38d5545947d6f09c7e62e094c7b2858aab4a8cf9
... in the AppError
The processName could be different in case the crashing component
specifies a different one other than the global process name.
Bug: 161165487
Test: atest android.jobscheduler.cts
Test: Manual - induce a crash in a receiver w/ different proc name \
verify the proc name is showing up in dumpsys
Change-Id: Ied1658091edbd16d75a61e15e3501a92b222ab42
Add an override of BackupManager#requestBackup where type of the
operation (a regular backup or a migration) can be specified.
Bug: 160407842
Test: atest UserBackupManagerServiceTest
Change-Id: Ia54fa26b040c3ec3612672585561794ff831afef
