In Q, these APIs were either:
- removed from the greylist entirely without good reason
- moved to the restricted greylist without any public alternative
  information added
So they are being moved back to the greylist for Q.
Test: Treehugger
Bug: 136102585
Change-Id: I5ac8b8b9b23c3789d80239cf456072cc7dfa1203

Exempts this new ContentProvider for providing mainline module licenses.
Also sets ApplicationInfo.publicSourceDir for APEXes.
Bug: 135183006
Test: open module licenses, click app, verify file opens
Change-Id: Iec4f1de198525f7cd176a52d8448a2c71b6aabc0

Using this flag when binding to a service will
allow the bound process to be held at a low
oom_adj of 250, so that it can be expunged to
reclaim memory if a more user-visible app needs
it.
Use for bindings such as job services and other
connections that the caller can easily recover
from and restart if necessary.
Adjust the lmk thresholds to use this oom_adj
as one of the levels, so they're killed before
perceptible apps (such as foreground services).
Bug: 135219821
Test: CtsAppTestCases
Manually check notification listener oom_adj
and dumpsys activity services output
Change-Id: I9f6d0891d842e4d12f7995b9b1a8f57b0903a16d

The operation can potentially take a long time to complete
depending on the volume of data to be copied, so move it off
the ActivityManager handler thread that needs to be available
for other operations.
Bug: 134570017
Test: manual; set a 1 minute sleep in migrate_legacy_obb_data.sh
Change-Id: I3d2c52e8b012ed71c53810e6919d11be9a97cc6c

ApplicationPackageManager.loadUnbadgedItemIcon would call
UserManager.getUserIcon if the icon was supposed to represent
switching to the parent user (from a work profile).
However, that call requires extra permissions which may not be
available, which would cause a crash. The work profile doesn't
generally have permission to see the parent's icon, so rather
than showing the actual icon, a generic user icon is shown instead.
Bug: 134177607
Test: Manual confirmation: create a work profile and try to share a
picture (from Photos) to the personal profile.
Change-Id: Id79ca50b8e0a26593addbacf1a0ea709a2bc4da2

Currently the backup of user data is done in the enable rollback stage,
during which there is no guarantee that the package being backed up is
not currently running. Moving the backup to the post install stage will
guarantee that the package is not running.
Test: atest RollbackTest
Test: atest StagedRollbackTest
Bug: 124032231
Change-Id: I4b42a0c5ade1645585d1d6f698637df950d05c72

When INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS was added, its value
conflicted with INSTALL_FORCE_VOLUME_UUID. A subsequent change added
INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS to all adb install
requests, resulting in all adb installs being force UUID installs and
thus breaking adoptable storage CTS. This change fixes that overlap.
Fixes: 133215060
Test: atest android.appsecurity.cts.AdoptableHostTest#testPackageInstaller
Change-Id: I8fbfcc0eea4f4447e4a446fe188b6edfc9cec0f6

Persons field in ShortcutInfo should only be accessible when caller
has the MANAGE_APP_PREDICTIONS permission.
Bug: 123959894
Test: atest com.android.server.pm.ShortcutManagerTest1 \
com.android.server.pm.ShortcutManagerTest2 \
com.android.server.pm.ShortcutManagerTest3 \
com.android.server.pm.ShortcutManagerTest4 \
com.android.server.pm.ShortcutManagerTest5 \
com.android.server.pm.ShortcutManagerTest6 \
com.android.server.pm.ShortcutManagerTest7 \
com.android.server.pm.ShortcutManagerTest8 \
com.android.server.pm.ShortcutManagerTest9 \
com.android.server.pm.ShortcutManagerTest10
Change-Id: I1908496dfbf9b11624b0746154bb5ea6f2d30c38

Add functionality to ApexManager to filter the list of all APEX
packages in order to obtain lists of inactive or factory APEXs.
Expose this information to dumpsys.
Test: adb shell dumpsys package
Test: adb shell pm list packages -a --apex-only
Test: atest PackageParserTest
Bug: 123680735
Bug: 119767311
Change-Id: Id8ffe6320b55f647cdf550abfd6703cd868565ff

- For users running when the PermissionPolicyService is initialized we
  are not running onStartUser. Hence we have to force this in
  onBootPhase
- Only write the runtime-permission fingerprint after all permission
  upgrade steps are done
- This also means that if a user was not started in the first boot
  after an OTA we do not upgrade the fingerprint until the user is
  eventually started
Fixes: 132737426
Test: - Started a fresh build
- Rebooted
- Simulated an OTA
- Added a second user
- Simulated an OTA with a second user, rebooted and only then
started the second user
Change-Id: I0758e8bdfefc16139bde2444f126adc3b0a17526

Otherwise we won't detect the change when a package is set to
installed for a user.
Also added the number of enabled components to the hash so that when
an enabled component gets disabled but the order didn't change, we can
still detect the change.
Fixes: 129004850
Test: follow the repro step in b/129004850 and confirm it's fixed
Change-Id: I87d62daf0f6a4d34939ee03ee783e9bdb19bf558

Allow Telephony to mark a SIM PhoneAccount as
emergency preferred, meaning that Telecom will
override a user's PhoneAccount preference for
emergency calls if the PhoneAccount has the
CAPABILITY_EMERGENCY_PREFERRED capability.
Bug: 131203278
Test: Manual testing, Telecom/Telephony unit testing
Change-Id: I88b8bbfa444f5445b2f0d6a1542c6406a19b240f

When MediaProvider db gets recreated, all the media content ids
get renumbered. It's possible that when DownloadProvider is
trying to delete an entry, it is holding onto an invalid mediastore
uri. So, don't use linked mediastore uris in DownloadProvider
operations. Also, revoke any prior uri grants of media content from
DownloadStorageProvider.
Bug: 132087334
Test: manual
Test: atest DownloadProviderTests
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/app/DownloadManagerLegacyTest/src/android/app/cts/DownloadManagerLegacyTest.java
Test: atest cts/tests/app/DownloadManagerApi28Test/src/android/app/cts/DownloadManagerApi28Test.java
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java
Change-Id: I4885f5a0ae0b3ab660426605a8a43b8c1d66a4c7

Background:
An application granted INTERNAL_SYSTEM_WINDOW and
INTERACT_ACROSS_USERS_FULL can show the same
window for all users, i.e. it uses user 0 to present all
UI things to all users.
INTERNAL_SYSTEM_WINDOW usually comes with INTERACT_ACROSS_USERS_FULL
because it serves all users, letting them know the information that
comes from the framework and system server.
Solution:
Because SystemUI never restarts after the user changes,
ClipboardService can't tell whether the callingUid has the same userId
as the current user or not. The solution is to use a permission
check, specifically for INTERACT_ACROSS_USERS_FULL and
INTERNAL_SYSTEM_WINDOW. INTERACT_ACROSS_USERS_FULL is checked by using
ActivityManagerInternal.handleIncomingUser.
Caution:
An application with INTERNAL_SYSTEM_WINDOW usually uses user 0
to show the window. But when the current user is user 10, WindowManager
knows the focused window belongs to user 0 rather than user 10. That's
why user 10 can't copy the text from systemui directly reply to
the other applications.
Readability:
ClipboardService uses callingUid everywhere, but actually it is not
appropriate for fixing this kind of bug. This patch refactors the naming
to produce two names, i.e. intendingUid and intendingUserId, that are
validated by ActivityManagerInternal.handleIncomingUser.
Test: manual test
Test: atest android.widget.cts.TextViewTest
Test: atest CtsTextTestCases
Test: atest CtsContentTestCases
Bug: 123232892
Bug: 117768051
Change-Id: Ie3daecd1e8fc2f7fdf37baeb5979da9f2e0b3937

These traces are small and noisy, so they hurt performance more than they help.
This reverts commit c37457799b.
Test: m
Bug: 132721345
Change-Id: I9ef719f54f2bc8a54f23e88f46d74e35417a6519
(cherry picked from commit 3509b624fe)

The logic in MediaProvider is technically correct, but it's sometimes
inefficient in calling into the OS multiple times with the same
questions, such as validating getCallingPackage().
To mitigate this overhead, and start paving the way for more dynamic
delegation of permission checks, collect these details into a
LocalCallingIdentity object. We carefully perform all permissions
checking against this new object, and avoid using any other
thread-local values from ContentProvider or Binder.
Local tests show this CL improves performance of a test app that
takes 100 rapid shots by 37%.
This change is a no-op refactoring.
Bug: 130758409, 115619667
Test: atest --test-mapping packages/providers/MediaProvider
Change-Id: If250a7675f2246cd10881acf615619d6d6061f3d

The code also allows whitelisting only a select set of permissions, but
this is not yet exposed in the API.
Also: Fix up shell commands for restricted permissions
Fixes: 132368462
Test: - Enabled app via device admin in secondary profile
-> verified that permissions were whitelisted
- Installed existing and new app using --restrictpermissions and not
-> verified that permissions were whitelisted or not
atest AppRestrictionsHelperTest
RestrictedPermissionsTest
Change-Id: I9cd76c555b40663f2e25ad86e8a54991baae346c
Merged-In: I9787e63d8beb8f6b1ba2d15532d4c0f69dbdf863

Adding a new intent action for the permission controller to ask an
app to show its permission usage to help the user understand what
is being used and why. We are adding a permission to protect this
action to prevent apps trampolining into other apps when asked to
show their permission usage.
Test: compiles
Bug: 131760942
Change-Id: I5217d6319fd98d40c8879bdd7af5fe466bf9143e

Explain under what conditions #query and #insert may return null.
Bug: 31043947
Test: n/a (docs update only)
Change-Id: I8880f80bfa2efff296a0a07c0bf28e9606d6db65

The hidden flags should use higher values so as to not
interleave with public flags.
Bug: 132438913
Test: CtsAppTestCases
Change-Id: Ic1dad21c2da5e5e60dc0401ee163f2188cc0f5dc

The ACCESS_MEDIA_LOCATION and WRITE_OBB permissions will always be
available.
Bug: 112545973
Fixes: 132226317
Test: presubmit
Change-Id: Ie61eba427b48f347438522bc11cfa748ad5ba1f1