When PackageInstaller was originally written, we needed a way to
ensure that untrusted apps were fully hands-off of any opened
FileDescriptors before we could proceed with certificate checks.
The best way to satisfy this security constraint was to build
a utility called FileBridge which was a (terribly slow) RPC
mechanism that could be cut off when needed.
However, a new feature called "AppFuse" offers to create a "proxy"
FileDescriptor which relays file operations back into userspace, and
it's much more performant than FileBridge. (Local benchmark tests
that deliver a 64MB APK show that AppFuse is about 45% faster than
FileBridge.) Because userspace is still involved in every operation,
we can still "revoke" access at any time to deliver on our security
requirements.
This change adds support for AppFuse, while keeping around FileBridge
as the default for now. An upcoming flag-flip CL can be used to
easily switch between the two modes.
Test: builds, boots, benchmarking, stress tests
Bug: 35728404, 31332379, 25510838
Change-Id: I2a70c0ca922a5ba468ffdef7b2fd8ab79f7cfefd
These broadcasts resulted in a terrible user experience where dozens
of apps would wake up and try deleting everything they possibly can,
meaning that we'd thrash between showing/hiding the low space
notification to users.
Instead, if apps have data that they're okay being purged when the
system is chronically low on space, we want to strongly encourage
them to rely on the much-improved getCacheDir() behaviors in OC.
Test: builds, boots
Bug: 35406598
Change-Id: I74abfba1b8d3948363b79f8b66ca0ad60faac756
This change will affects 2 types of apps: autofill service implementations
and apps that use autofill APIs.
Since just the former is known to be used at the moment, we're not trying
to keep backward compatibility with the latter.
Bug: 35956626
Test: CtsAutoFillServiceTestCases pass
Test: android.provider.SettingsBackupTest pass
Change-Id: Ia720083508716deae9e887f9faa7ae7c5a82f471
Bug 33185424
When stopping an CursorLoader while data is being loaded,
the load task will be canceled. This CL marks the data as
changed if the cancel is called while the loader is stopped.
Test: I63b48210a25be72d13a2a6182eb1757cbe6a1949
Change-Id: Ibf9c5facdcc5160f6ed146c5fdd063549ac2a7a8
Over the last month we've been moving everyone over to the new
StorageStatsManager public APIs, but we missed these users.
The ApplicationsState changes are straightforward, but we had to
completely rewrite StorageMeasurement to use the new fast-path
quota APIs.
Test: builds, boots, UI using StorageMeasurement works.
Bug: 36056120
Change-Id: If02177c95bf8c96ae4eceac4d631a168f99bef84
Instant apps can only send broadcasts to receivers that are declared in
the manifest with android:visibleToInstantApps=true or if the app
registers a receiver at runtime using the new methods that take
visibleToInstantApps.
Bug:33350280
Test: Manually sending broadcasts from Instant Apps only goes to
receivers with visibleToInstantApps set to true.
Test: Receiving a broadcast from within the same app does not require
visibleToInstantApps to be set.
Change-Id: I54d79a502ba9c5fd03ede3c09e08afc88fe2775f
This lets settings use one call to set the current theme overlay
for the "android" package.
Test: Change theme in Settings -> Display
Change-Id: Ia566e58c5479dedb7184f4218151f8080f8ebc0f
These were created in MR1 but couldn't be submitted because
they were defined too late [after API freeze].
Change-Id: Ie6884236776bd26e9d0b557fd125b8c77b0ad93b
Fixes: 34890162
Fixes: 35193180
Fixes: 35193418
Test: manual
To do this, the developer must specify the set of certificate
hashes that represent the authority's app. This allows us to
verify that the authority we find is indeed the one intended
by the developer.
Bug: 35025705
Test: runtest --path frameworks/base/core/tests/coretests/src/android/provider/FontsContractTest.java
runtest --path frameworks/base/core/tests/coretests/src/android/content/res/FontResourcesParserTest.java
CTS attached to topic
Change-Id: I605f9a93bbca8705936ead08efb4a5b4fdcc4882
In order to prevent Instant Apps from receiving potentially sensitive
broadcasts they will only receive those that the sender explicitly
exposes to Instant Apps by setting
Intent.FLAG_RECEIVER_VISIBLE_TO_INSTANT_APPS.
Bug:33350280
Test: `adb shell am broadcast` does not get delivered to Instant App
Test: `adb shell am broadcast -f 0x0x200000` gets delivered to Instant
App
Test: Verified that an Instant App can send a broadcast to itself
without FLAG_RECEIVER_VISIBLE_TO_INSTANT_APPS
Change-Id: Ie363448bf224abba530dd4caf69258939fff00af
* Change name to InstantAppResolverService
* Left old service in place to handle existing client
[to be removed prior to O launch]
* When resolving phase II, return a list instead of a single item
Bug: 34763730
Test: Build and verify resolution occurs w/ legacy & new resolver service
Change-Id: Ieccaf91538bd91c04f4be4e35d8264619d7cd6d7
.. since it is implemented by a system app. This allows the
CTS test that verifies android.* namespace intents to pass.
Change-Id: I083e1d12a79fa67e15158ca7390353303cd0e06e
Fixes: 35274957
Test: cts-tradefed run cts-dev -m CtsSignatureTestCases
This will let the ResourcesImpl be updated and handle null cases
better.
Test: Select text while composing email.
Change-Id: Ia8aed22f02b040a202db9cbb2bc02687c693cfa1
Fixes: 34761805
Fixes: 35869547
Also defining an extra constant for widget preview which can be used by
developers to provide a snapshot of the widget with the pin request
Bug: 35811129
Test: All exisiting tests passing
for f in 1 2 3 4 5 6 7 8 9 10; do \
adb shell am instrument -e class com.android.server.pm.ShortcutManagerTest$f \
-w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner; \
done;
adb shell am instrument -e class com.android.server.appwidget.AppWidgetServiceImplTest \
-w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Change-Id: Id854bd28468a5bf0416ff1a1b19c44d850016f32
Two new attributes for <uses-permission>: android:requiredFeature and
android:requiredNotFeature.
Also update aapt to include this information in badging:
uses-permission: name='android.content.cts.REQUIRED_NOT_FEATURE_UNDEFINED' requiredNotFeature='android.software.cts.undefined'
uses-permission: name='android.content.cts.REQUIRED_MULTI_DENY' requiredFeature='android.software.cts.undefined' requiredNotFeature='android.software.cts'
Test: new PermissionFeatureTest suite.
Change-Id: Icc1f815a4675ae9dd2cb7f61730ab28b5c11228a
- When registering and notifying observers, we should use the user in the
context as opposed to current user.
- Relax the permission check while registering and notifying content observers
to use INTERACT_ACROSS_USERS instead of INTERACT_ACROSS_USERS_FULL permission.
Change-Id: I973936903d4a2272c5722f3b98a057a40c0402be
Fixes: 32955100
Test: Created managed profile and verified that there are not failures.
runtest -x core/tests/coretests/src/android/content/SecondaryUserContentResolverTest.java
runtest -x core/tests/coretests/src/android/content/ManagedUserContentResolverTest.java
I found there was a dead lock among main, android.display and GC threads
when running monkey test.
- Main thread got a mutex and was suspended by GC thread.
- Android.display thread waited for mutex held by main thread.
- GC thread waited for suspention of android.display thread.
This will lead to ANR or screen freeze.
Fixes: 32480078
Test: builds
Change-Id: I13cf1eca3cb3b7c01aa754874f2b48aab0b472e8
This CL adds an API to set up an IPSec Security Association
and Security Policy to perform Transport-Mode and Tunnel-Mode encapuslation
of IP Packets.
Bug: 30984788
Bug: 34811752
Test: 34812052, 34811227
Change-Id: Ic9f63c7bb366302a24baa3e1b79020210910ac0a
