Commit Graph

108 Commits

Author SHA1 Message Date
Ben Lin
71c16d714d Obtain dependency information from permissions files for SharedLibs.
Bug: 120096113
Test: Build with built-in libraries that declare new dependency flag, no
more boot errors (tested with cheets_x86_64 and crosshatch_userdebug)
Change-Id: I6b3e2ab7626ed8f04c0bf1a5b3c32204a2f2c56b
2018-12-10 16:31:09 -08:00
Jeff Sharkey
9787a9459d Iterate on storage permissions model.
This change updates the permissions design to use app-ops for
controlling write access, which is only extended to the default app
for a particular collection type.

Bug: 119713234
Test: atest android.appsecurity.cts.PermissionsHostTest
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*
Change-Id: I40811ff175b3b8410b58ed901948a23a56f8a8c2
2018-11-26 12:00:35 -07:00
Bookatz
75ee604244 Statsd atom: Power Use
BatteryStats calculates power usage of the device and various components
(such as apps). This information is used, e.g., in the battery panel of
Settings. We now log it to statsd. It can be used for validating how
good the information displayed in Settings is. In the long-term, it is
likely not ideal for off-device calculations, since that can be
hopefully estimated using statsd's raw data.

Three atoms: one for the total power use, one for the power use of each
uid, and one for each non-uid component. Since they will all likely be
pulled together, StatsCompanionService will provide stale data for
BatteryStats pulls called within a second of a previous BatteryStats
pull.

Also in this cl:
Remove StatsLogEventWrapper.writeDouble. Statsd doesn't support actually
writing doubles into its proto reports, so having this function is
misleading (the data will get to statsd and then be completely ignored).
It's less confusing if we don't pretend it does something.

Change-Id: If80bab8ea938afa4632535bb88ff59879fbe8099
Fixes: 119111972
Test: cts-tradefed run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.UidAtomTests#testDeviceCalculatedPowerUse
Test: cts-tradefed run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.UidAtomTests#testDeviceCalculatedPowerBlameUid
Test: BatteryStatsHelperTest#testDrainTypesSyncedWithProto
2018-11-14 18:13:58 -08:00
Zimuzo
2efeeccad2 Fix location split-permission targetSdk
Ia5b3f47b73c9feea924373268a4eee142f555091 introduced a bug where the targetSdk for android.permission.ACCESS_FINE_LOCATION and android.permission.ACCESS_COARSE_LOCATION was set to 28 instead of Q (10000).

Test: CtsAppThatRequestsLocationPermission28.apk requests android.permission.ACCESS_COARSE_LOCATION and android.permission.ACCESS_BACKGROUND_LOCATION
Bug: 118882117
Bug: 111411340
Change-Id: I532379aa2c8a173a516d38e1c8568cff5dbaed33
2018-11-02 17:47:13 +00:00
Zimuzo
cc2932fd81 Grant split permission from config
Instead of defining split permissions in a Java file, we now move them to XML, allowing us to define vendor-specific split permissions.

Test: Activity recognition is split correctly and auto granted when below split targetSdk.
Bug: 111411340
Change-Id: Ia5b3f47b73c9feea924373268a4eee142f555091
2018-11-01 16:08:27 +00:00
Treehugger Robot
6527b5bdd0 Merge "Whitelist com.android.proxyhandler for power"
2018-09-18 13:31:58 +00:00
Steven Moreland
f36ad62907 pm: Add hidl libraries to old class paths.
These two libraries:
android.hidl.base-V1.0-java
android.hidl.manager-V1.0-java

are being removed from BOOT_JARS. This change facilitates linking to them
for libraries or prebuilts in or before P.

Test: atest android.content.pm.AndroidHidlUpdaterTest
Bug: 77307025

Change-Id: Ic0db24cc68d66f5dbfab126ce7e304eec0bfc969
2018-09-12 09:18:40 -07:00
Sundong Ahn
e933cedf83 Build android.test.* with java_sdk_library
android.test.* are built with java_sdk_library and api files are added
by running "make update-api".

android.test.base_static is created to allow using
android.test.base as a static library.

Bug:77577799
Test: make -j
Test: make checkapi
Test: make checkapi fails with a random change in the txt file
Test: adb shell cmd package list libraries |\
      grep android.test.*
      And check the android.test.* libraries

Merged-In: Ia27612657532e50b077a9c55dbef59ee3ec04b8a
Change-Id: Ia27612657532e50b077a9c55dbef59ee3ec04b8a
2018-08-29 12:22:59 +09:00
Luis Hector Chavez
d2f1ca8c27 Whitelist com.android.proxyhandler for power
There are some scenarios under which com.android.proxyhandler is
considered by the framework as never being launched (e.g. if a PAC proxy
is added after a long wait time after an upgrade), which causes all of
its network traffic to be blackholed, due to it being subjected to the
fw_standby firewall chain. Given that all of the outgoing packets from
this app are being dropped, whenever Chrome WebView (or most other apps)
uses a PAC proxy for its networking, it is completely unable to initiate
outgoing connections.

This change whitelists com.android.proxyhandler so that this does not
happen.

Bug: 110762695
Test: dumpsys usagestats | grep proxy
      ...
      package=com.android.proxyhandler u=0 bucket=5 reason=d ... idle=n

Change-Id: I9e4debc876cbdd2f6ba35928faff8c0beca77ae1
2018-08-15 07:17:37 -07:00
Yi Jin
8a54ff3fdb Merge "Fix cts." into pi-dev
am: 3e389a8490

Change-Id: I9d9ddb90f8917904187a022e27a7139e61276c75
2018-06-07 10:06:13 -07:00
Yi Jin
fae177363c Fix cts.
Bug: 109837886
Test: atest CtsIncidentHostTestCases:com.android.server.cts.IncidentdTest
Change-Id: I8cfc36b652fff4b7b4d752f57fba922ac479cd12
2018-06-06 18:08:01 -07:00
Sundong Ahn
1d0038a843 Merge "Build java.obex with java_sdk_library" am: ad769993a9
am: efb4ce221e

Change-Id: I31f65699193f026c7ed64a182b360791eee35608
2018-05-29 19:54:35 -07:00
Sundong Ahn
1c53cc161d Build java.obex with java_sdk_library
javax.obex is built with java_sdk_library and api files are added by
running "make update-api".
Remove java.obex from platform.xml, since it will be generated
automatically by soong when the library is built with java_sdk_library.

Bug:77577799
Test: make -j
      make checkapi

Change-Id: Ib94955e62582ffbdfc7eb88cd0e494c61757c7aa
2018-05-30 00:19:01 +00:00
Jiyong Park
c73b9e9e17 Shared lib def for org.apache.http.legacy comes from java_sdk_library
org.apache.http.legacy is now built using java_sdk_library. Since the
shared lib definition file for the lib is automatically created and
installed, we don't need to have duplicated entry for the lib.

Bug: 77577799
Test: m -j
Test: adb shell cmd package list libraries shows an entry for
org.apache.http.legacy

Merged-In: I06b356c2ba08abc6c1cece81daf7c1773ed93ed0
Change-Id: I06b356c2ba08abc6c1cece81daf7c1773ed93ed0
(cherry picked from commit 49c0a86955)
2018-05-22 20:43:51 +09:00
Jiyong Park
0201dc3911 Shared lib def for org.apache.http.legacy comes from java_sdk_library
org.apache.http.legacy is now built using java_sdk_library. Since the
shared lib definition file for the lib is automatically created and
installed, we don't need to have duplicated entry for the lib.

Bug: 77577799
Test: m -j
Test: adb shell cmd package list libraries shows an entry for
org.apache.http.legacy

Merged-In: I06b356c2ba08abc6c1cece81daf7c1773ed93ed0
Change-Id: I06b356c2ba08abc6c1cece81daf7c1773ed93ed0
(cherry picked from commit 49c0a86955)
2018-05-22 20:16:14 +09:00
Jeff Sharkey
6b64925737 Protect usage data with OP_GET_USAGE_STATS.
APIs that return package usage data (such as the new StatsManager)
must ensure that callers hold both the PACKAGE_USAGE_STATS permission
and the OP_GET_USAGE_STATS app-op.

Add noteOp() method that can be called from native code.

Also add missing security checks on command interface.

Bug: 77662908, 78121728
Test: builds, boots
Change-Id: Ie0d51e4baaacd9d7d36ba0c587ec91a870b9df17
2018-04-16 12:44:32 -06:00
Svetoslav Ganov
2d20fb47f4 APIs to watch active op changes
System signed components can watch for starting/finishing of
long running app ops. Also protected the APIs to watch op mode
changes with a signature permission for the cross-uid use case.

Test: atest com.android.server.appops.AppOpsActiveWatcherTest

bug:64085448

Change-Id: Id7fe79ce1de4c5690b4f52786424ec5a5d9eb0fa
2018-02-16 18:29:04 -08:00
Jeff Sharkey
86684240eb Media process should run with "write" access.
The WRITE_MEDIA_STORAGE permission had inadvertently been giving apps
the "default" view of storage.  This had worked for a long time,
since we also gave them the "sdcard_rw" permission, but a recent
security patch broke this for secondary users.

Apps holding this permission should have been mounted "write" all
along, and relied on that view to access storage devices.  This also
means they no longer need the "sdcard_rw" GID.

Test: builds, boots, secondary user media/camera works
Bug: 72732906, 71737806, 72224817
Change-Id: I5cd687a1e128024f33b4acd93c15e75192ed1c85
2018-02-03 15:33:04 -07:00
Paul Duffin
a3b692113c Conditionally remove android.test.base from bootclasspath
This makes the runtime handling of the android.test.base library
conditional based on a build flag REMOVE_ATB_FROM_BCP.

When REMOVE_ATB_FROM_BCP=true:
* The framework-atb-backward-compatibility is added to the
  bootclasspath instead of android.test.base.
* Any APK that targets pre-P (or has a dependency on android.test.runner)
  has android.test.base added to their library list.

Otherwise:
* The android.test.base library is added to the bootclasspath.
* Any APK that explicitly specifies that it depends on the
  android.test.base library has the library removed as the classes
  are available at runtime.

Added android.test.base to platform libraries so it can be used when
not on the bootclasspath.

Tested both cases by building with or without the build flag, flashing,
setting up, adding an account, adding a trusted place.

Also, tested that all combinations of REMOVE_ATB_FROM_BCP and
REMOVE_OAHL_FROM_BCP work.

adb install -r -g out/target/product/marlin/testcases/FrameworksCoreTests/FrameworksCoreTests.apk
adb shell am instrument -w -e class android.content.pm.PackageBackwardCompatibilityTest,android.content.pm.AndroidTestRunnerSplitUpdaterTest,android.content.pm.OrgApacheHttpLegacyUpdaterTest,android.content.pm.RemoveUnnecessaryOrgApacheHttpLegacyLibraryTest,android.content.pm.RemoveUnnecessaryAndroidTestBaseLibraryTest,android.content.pm.AndroidTestBaseUpdaterTest com.android.frameworks.coretests/android.support.test.runner.AndroidJUnitRunner

Bug: 30188076
Test: as above
Change-Id: I4b9d8a5bed6787cd334c2b13a458bbc0efc3f3b6
2018-01-29 11:48:44 +00:00
Yi Jin
974e56f141 Enable incidentd.rc also add dump and usage_stats permission to statsd
so it bypasses incidentd's permission check

Test: manual
Change-Id: I65b501fe46f66f9f62fedfcfc75aa17f29fc1076
2018-01-22 14:41:19 -08:00
Svet Ganov
82f09bcf93 No camera for idle uids - framework
If a UID is idle (being in the background for more than
certain amount of time) it should not be able to use the
camera. If the UID becomes idle we generate an error and
close the cameras for this UID. If an app in an idle UID
tries to use the camera we immediately generate an error.
Since apps already should handle these errors it is safe
to apply this policy to all apps to protect user privacy.

Test: Pass - cts-tradefed run cts -m CtsCameraTestCases
      Added - CameraTest#testCameraAccessForIdleUid

Change-Id: If6ad1662f2af6592b6aca1aeee4bd481389b5e00
2018-01-21 02:55:49 -08:00
Yi Jin
d1238e7b50 Merge "Fix permissions problems of incidentd."
2018-01-19 23:27:32 +00:00
Yi Jin
4bab3a191a Fix permissions problems of incidentd.
Test: manual
Change-Id: I4ee0d1f2349ee1a25a422cabf1b5b87c612710d2
2018-01-17 19:16:49 -08:00
Makoto Onuki
fb26332380 Put contacts/calendar providers in except-idle whitelist
Bug: 71911050
Test: Boot and dumpsys deviceidle
Change-Id: I544b660583c2752dadec920305b33b5a8557ce61
2018-01-17 13:23:50 -08:00
Yao Chen
0f2171041e make statsd run in its own uid
+ Assign permission android.permission.STATSCOMPANION to statsd
+ Fixes in StatsCompanionService to allow statsd to get uid mapping

Test: manual
Change-Id: I3e6ca79eefed7f93a4588578c156321c4c278fd3
2018-01-11 11:58:10 -08:00
Jeff Sharkey
4a539441d8 Start using new reserved disk GID.
We recently created a new GID that can be granted to critical system
processes, so that the system is usable enough for the user to free
up disk space used by abusive apps.

Define a permission for the GID so we can grant it to system apps,
and add the GID to core apps needed for system stability.  (The list
was mostly derived from filling a disk and seeing what caused the
device to fall over.)

Test: builds, boots
Bug: 62024591
Change-Id: Icdf471ed3bed4eeb8c01f1d39f0b40c1ea098396
2018-01-07 19:40:29 -07:00
Svet Ganov
14ab967edd Don't record audio if UID is idle - core framework
If a UID is in an idle state we don't allow recording to protect
user's privacy. If the UID is in an idle state we allow recording
but report empty data (all zeros in the byte array) and once
the process goes in an active state we report the real mic data.
This avoids the race between the app being notified about its
lifecycle and the audio system being notified about the state
of a UID.

Test: Added - AudioRecordTest#testRecordNoDataForIdleUids
      Passing - cts-tradefed run cts-dev -m CtsMediaTestCases
                        -t android.media.cts.AudioRecordTest

bug:63938985
Change-Id: I15264c5c4b47813ca60280bce30b22b8b1f87eab
2017-11-22 20:59:14 -08:00
Robert Quattlebaum
df41b3eecd Ensure lowpan UID can manage LoWPAN interfaces
Bug: b/64399805
Change-Id: Idd0bd7ef0c4de48c95699efc43324bc4dce8e70a
2017-09-20 23:36:12 +00:00
Paul Duffin
0a22778237 Remove org.apache.http.legacy from bootclasspath
Updated data/etc/platform.xml to make the org.apache.http.legacy library
usable by applications. The runtime location of the
org.apache.http.legacy library is
/system/framework/org.apache.http.legacy.boot.jar not
/system/framework/org.apache.http.legacy.jar.

Stop removing org.apache.http.legacy from the required and optional
shared library lists and instead add it to the required list if it is
not present in either and the package is targeted at SDK
version <= O_MR1.

Bug: 18027885
Test: make FrameworksCoreTests, install and run
Change-Id: I686e3c20f5860e58825e1b88f220f9b8c335849c
2017-09-11 11:28:41 +01:00
Tomasz Wasilczyk
df77643cd8 Rename ACCESS_FM_RADIO to ACCESS_BROADCAST_RADIO permission.
This is a backwards incompatible change against System API,
but as there are no existing radio apps, nobody uses it.

Bug: b/63405337
Test: manual
Change-Id: Iaf6085914434be01e1c1e363609e5b0087ffe127
2017-07-21 14:22:05 -07:00
Jeff Sharkey
9f09e6a73d Unify permissions under UPDATE_DEVICE_STATS.
The UPDATE_DEVICE_STATS permission has become the de-facto mechanism
that platform components use to shift blame for resource usage, so
it's confusing to also have a separate MODIFY_NETWORK_ACCOUNTING
permission.  So this change replaces MODIFY_NETWORK_ACCOUNTING with
UPDATE_DEVICE_STATS.

Bug: 62483389
Test: builds, boots
Exempt-From-Owner-Approval: Bug 63673347
Change-Id: I872759f02327b6d531ec2338bd876890aded60ad
2017-07-17 16:10:55 -06:00
Paul Duffin
6ed04553ef Add android.test.mock to the optional runtime libraries
This is needed in order to make the following manifest entry work
properly.
  <uses-library android:name="android.test.mock"/>

Tested by adding the entry to an APK and installing it which caused an
error about an unknown library. Then updated this file, rebuilt,
reflashed and installed APK again at which point it worked.

Follow up change to cts/tests/signature will add proper test for this
library.

Bug: 30188076
Test: see above
Change-Id: I630b7bc48a50ab1c52bb5feed54c2e4deb876339
2017-07-07 12:12:06 +01:00
Siarhei Vishniakou
4bb8bea04a Merge "Adding 'uhid' permission for bluetooth stack." am: 3e010d1353 am: 96d3b668bb
am: 50c5253c2d

Change-Id: I965b2ad6b603dba82116180a43fc20684d2f1b59
2017-05-12 01:00:34 +00:00
Dianne Hackborn
06640fea7b Finish issue #37815224: DeviceManagementService is incorrectly...
...starting services from jobs

Remove dmagent from whitelist.

Test: manual

Change-Id: Id13b95b9ca4f8fa890f4e20cf133a6f4bc0e3cc5
2017-05-11 12:15:08 -07:00
Siarhei Vishniakou
9e089567fd Adding 'uhid' permission for bluetooth stack.
This CL is in support of another CL c/2048848, topic
'Refactor hid command in /frameworks/base/cmds'
in internal master. Adding the permissions for bluetooth
devices here to access uhid_node as part of the new 'uhid'
group.

Bug: 34052337
Test: Tested on angler, bluetooth mouse works OK.

Change-Id: I63963984a0a3dccb4fccc64bb6fef4e809e2737e
2017-05-11 01:35:25 +00:00
Dianne Hackborn
d1f3df43c0 Work on issue #37815224: DeviceManagementService is incorrectly...
...starting services from jobs

Bring back the correct bg check restrictions on jobs, but also
bring back whitelisting of dmagent so it doesn't crash.

Test: booted and ran

Change-Id: I78892386bdcd4f39e0b1a6d33b224bdff958af37
2017-05-01 14:33:57 -07:00
Tony Mak
39d081015a Revert "Whitelist DMAgent from bg check"
This reverts commit ea00f16c85.

Reason for revert: <INSERT REASONING HERE>

Change-Id: Id4ef18c858b320a31273f0b68d2a6c14d34d526d
2017-04-24 15:55:56 +00:00
Tony Mak
ea00f16c85 Whitelist DMAgent from bg check
This should be reverted before O is shipped.

Test: Found DMAgent in the whitelist in Settings.

Bug: 36856786

Change-Id: I7828566e4bc93a30457c594471fa43270c0bf3b3
2017-04-03 19:29:51 +01:00
Tony Mak
54479c5e23 Revert "Whitelist ManagedProvisioning from bg check"
This reverts commit bbb551cfb5.

Reason for revert: <INSERT REASONING HERE>

Change-Id: I1d36b8760aac68fc4d3fca106d20cddfddaa9230
2017-03-30 16:27:49 +00:00
Tony Mak
bbb551cfb5 Whitelist ManagedProvisioning from bg check
Notice that an app put in this list is also exempted from doze.
Also, this only exempts us from the service restriction, but not the broadcast one.

Test: adb shell am make-uid-idle  --user 0 com.android.managedprovisioning
      && adb shell am broadcast -a android.intent.action.PRE_BOOT_COMPLETED -n com.android.managedprovisioning/com.android.managedprovisioning.ota.PreBootListener
      Observe there is no crash

Change-Id: Ic0a943a9b66c909a6727f9411af519a8c6cf0157
Fix: 36705375
2017-03-29 20:41:17 +00:00
Jeff Sharkey
5517b73726 Revert "Start locking down /data/media access."
Caused b/35926593 because ExternalStorageProvider needs raw
access to underlying devices that aren't mounted visibly, like
USB mass storage devices.

This reverts commit 53d64fc839.
2017-03-07 14:21:30 -07:00
Jeff Sharkey
53d64fc839 Start locking down /data/media access.
The new sdcardfs filesystem requires that we have stricter access
controls around /data/media style locations.  Start by taking away
the "media_rw" GID from apps requesting the WRITE_MEDIA_STORAGE
permission.

Common use-cases like music playback appear to continue working fine,
as clients should only be attempting to use /data/media paths after
calling maybeTranslateEmulatedPathToInternal().

Test: builds, boots, music playback works
Bug: 35447080
Change-Id: Iba9f3ef41d3277c75497f675a1fe6d3406cf4542
2017-02-22 15:48:46 -07:00
Christopher Tate
3283079e5e Put shell on the idle/background whitelist
Bug 35229549

Change-Id: I9f7dd66c37af9c28c9f0714be4358b94930c2d32
2017-02-10 11:42:23 -08:00
Dianne Hackborn
3f13c54f14 Fix issue #34592078: Mobile broadcast crash observed randomly...
...when using device on mobile data

Whitelist CellBroadcastReceiver, this is a core OS component anyway
so this probably makes sense.

Test: manual

Change-Id: I1560093640e81064ad123ff0bbcb307583fc47c6
2017-02-09 11:07:18 -08:00
Emilian Peev
bd8851022e Extend permissions of cameraserver
Camera service will need a way to query
the process state and oom score.

BUG: 34701266
Test: Manual testing + cts-tradefd run cts -m Camera --abi armeabi-v7a --disable-reboot
Change-Id: I4df704817d2fc728d421daeffbbbcee2e61d8c3b
2017-02-06 17:14:20 +00:00
Ajay Panicker
35cb698a88 Remove net_bt_stack group and replace it with bluetooth
Bug: 31549206
Change-Id: I4da37bef5cff0e6054e952e6755905a5cc1e2e68
2016-09-20 23:05:50 +00:00
Felipe Leme
05515ae925 Move DownloadsManager to permanent whitelist.
DownloadProvider is now based completely on JobScheduler, and deep
inside the platform we allow foreground
downloads (FLAG_WILL_BE_FOREGROUND) to run even while the device is in
doze, so it doesn't need to be temporarily whitelisted anymore.

BUG: 29056149
Change-Id: I3658bb42aeeee5d5528f91ec990d6e1bc54257b6
2016-05-31 17:50:39 -07:00
Felipe Leme
1d0fbedf45 Whitelist Downloads Manager for Data Saver.
BUG: 28431507

Change-Id: I0478ff48865951a7ebac94434f48ad0e272e0901
2016-04-27 17:11:37 -07:00
Svet Ganov
e5313a842a Keep read/write external storage as built-in permissions
These are permissions that were mapped to gids but we need
to keep them listed even though they are no longer mapped
to gids until an upgrade from L to the current version is to
be supported. These permissions are built-in and in L were
not stored in packages.xml as a result if they are not defined
in the platform.xml while parsing packages.xml we would
ignore these permissions being granted to apps and not
propagate the granted state.

From N we are storing the built-in permissions in packages.xml
as the saved storage is negligible (one tag with the permission)
compared to the fragility as one can remove a built-in permission
which no longer needs to be mapped to gids and break grant
propagation.

bug:27185272

Change-Id: I65e05c4f7edd9a934888b4d0974100aa4e9a9453
2016-04-11 10:03:18 -07:00
Chien-Yu Chen
75cade0a5f Add cameraserver process
Add UID and permissions for cameraserver process.

Bug: 24511454
Change-Id: Iccbda4b42e5584a1f56f9afe5e15a16f40dd2922
2016-01-11 10:56:21 -08:00