The default SMS, Phone, Browser are selected in the UI and we
grant default permissions to these. We do this regardless of whether
they are on the system image as the user has made an explicit
choice in the UI and the permissions we grant are considered
essential for this type of core app to operate properly.
bug:22104986
Change-Id: Ide8caeb524b43dde11a20460666cf34c4d35f84b
That restriction applies only to default-app linkage verification, and
not to any general questions of "is this app effectively a web browser?"
Bug 21688029
Change-Id: I9f6a7bc6dcac5e12ee07f8da6465ad51c1aeddfb
The media provider and some other things need to be given storage access.
Also, seems like we should give storage access to the camera app as well.
And add a dump command that will dump data about a particular
permission name.
Change-Id: Idaaa9bba2ff4dc95290cf6d17e5df933df91e909
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.
The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:
    /mnt/runtime_default/foo - view for apps with no access
    /mnt/runtime_read/foo - view for apps with read access
    /mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.
During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.
Bug: 21858077
Change-Id: I62fb25d126dd815aea699b33d580e3afb90f8fd2
It is malformed to write a single intent filter like this:
    <intent-filter android:autoVerify="true">
        <data android:host="foo.example"
              android:path="/"
              android:scheme="http" />
        <data android:host="*"
              android:path="/custom"
              android:scheme="fooexamplecustomscheme" />
    </intent-filter>
In practice this app is accidentally defining a filter that will match
"http://*". This is now detected, and will never be auto-verified for
any of the mentioned domains.
Verified intent filters must *only* handle the http & https schemes.
Bug 21920537
Change-Id: I933cddbea23185d242565cac940e1e7a7e4e289b
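
Added example (not part of the commit or of the Android source): a small manifest audit that pools the <data> attributes of each autoVerify filter the way a single filter combines them, and flags any filter that handles a scheme other than http/https. The sample manifest is constructed, the second filter in it is a hypothetical well-formed counterpart, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from itertools import product

ANDROID = "{http://schemas.android.com/apk/res/android}"
WEB_SCHEMES = {"http", "https"}

# Constructed manifest: the first filter is the malformed one from the commit
# message, the second is a hypothetical well-formed counterpart.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application><activity android:name=".Main">
    <intent-filter android:autoVerify="true">
      <data android:host="foo.example" android:path="/" android:scheme="http" />
      <data android:host="*" android:path="/custom"
            android:scheme="fooexamplecustomscheme" />
    </intent-filter>
    <intent-filter android:autoVerify="true">
      <data android:host="foo.example" android:scheme="http" />
      <data android:scheme="https" />
    </intent-filter>
  </activity></application>
</manifest>"""


def merged_data(intent_filter):
    """Collect schemes, hosts and paths the way one filter pools them:
    attributes from separate <data> elements are not kept paired."""
    pools = {"scheme": [], "host": [], "path": []}
    for data in intent_filter.findall("data"):
        for attr, pool in pools.items():
            value = data.get(ANDROID + attr)
            if value is not None and value not in pool:
                pool.append(value)
    return pools


def audit_autoverify(manifest_xml):
    """Report, per autoVerify filter, what it matches and whether it
    sticks to http/https as the commit message requires."""
    findings = []
    for filt in ET.fromstring(manifest_xml).iter("intent-filter"):
        if filt.get(ANDROID + "autoVerify") != "true":
            continue
        pools = merged_data(filt)
        matches = ["%s://%s%s" % combo for combo in product(
            pools["scheme"], pools["host"], pools["path"] or [""])]
        extra = sorted(set(pools["scheme"]) - WEB_SCHEMES)
        findings.append({"matches": matches, "non_web_schemes": extra,
                         "verifiable": not extra})
    return findings
```

For the first filter the pooled combinations include http://*/custom, which is the accidental "http://*" match the commit message describes.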
Clarify docs that runtime permissions can be granted or revoked by
a profile owner/device owner only for MNC apps and not legacy apps.
Check the targetSdkVersion and return false if legacy app.
Remove all policy flags from permissions when cleaning up
a device or profile owner.
Bug: 21835304
Bug: 21889278
Change-Id: I4271394737990983449048d112a1830f9d0f2d78
Grant permissions in the PHONE and LOCATION buckets to default carrier
apps as defined by the telephony stack. Provide a system API to grant
default permissions for carrier apps, as the set of apps may change
when a new SIM is inserted.
Since the phone process is separate from the system process, we need
to allow for binder calls to these APIs.
Also fix a log tag that is too long (android.util.Log drops messages
silently if the tag is > 23 characters).
Bug: 21696731
Change-Id: I98ca0c49c69f621f835ba57c1fd0505f2cec0d0d
For apps not present on device, the state inherited from the ancestral
device is applied when the app is ultimately installed.
Bug 20144515
Change-Id: Ie05b4f1751357fc62f14e259da174b8cf465e913
BUG: 18266674
1) If a sync has up/downloaded less than 10 bytes in 60 seconds it is
considered to be making no progress and is summarily cancelled.
2) Apply a 30 min hard time-out to initialization syncs.
Note that there is little proof that cancelling a sync has an
impact. All it results in is a Thread.interrupt on the sync
thread, which the adapter must itself implement. To this effect
this CL also updates the javadoc to make this clearer, and adds
some (unimplemented) threats about killing the hosting process.
Change-Id: I83c447648152ccbf76bb1fbd7e9216e01a37952f
Now runtime permissions are granted only to components that are
part of the system or perform special system operations. For
example, the shell UID gets its runtime permissions granted by
default and the default phone app gets the phone permissions
granted by default.
bug:21764803
Change-Id: If8b8cadbd1980ffe7a6fc15bbb5f54a425f6e8f9
Set sync adapters to active if the associated content providers are used
at foreground process state.
Minimize how frequently published content providers are reported by
keeping track of last reported time.
Also cache sync adapters associated with an authority in SyncManager.
Bug: 21785111
Change-Id: Ic2c8cb6a27f005d1a1d0aad21d36b1510160753a
Issue #21814207: AlarmManager.setAndAllowWhileIdle should also allow wake locks.
Introduce a whole new infrastructure for providing options when
sending broadcasts, much like ActivityOptions. There is a single
option right now, asking the activity manager to apply a temporary
whitelist to each receiver of the broadcast.
Issue #21814212: Need to allow configuration of alarm manager parameters
The various alarm manager timing configurations are not modifiable
through settings, much like DeviceIdleController. Also did a few
tweaks in the existing DeviceIdleController impl.
Change-Id: Ifd01013185acc4de668617b1e46e78e30ebed041
ext4 filenames are at most 255 bytes. vfat filenames are a bit more
lax, but we're often saving them on ext4 through a FUSE daemon, so
limit them the same way.
Since package names are used as directory names, verify that they're
valid filenames.
Tests to verify behavior.
Bug: 18689171
Change-Id: If7df4c40d352954510b71de4ff05d78259c721ed
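
Added example (not the code from this change): a byte-aware filename check and trim for the 255-byte limit described above. It goes slightly beyond the commit message by trimming on a UTF-8 character boundary; the function names and the rejected-character set ('/', NUL, "." and "..") are assumptions for illustration.

```python
MAX_NAME_BYTES = 255  # ext4 per-name limit quoted in the commit message


def is_valid_ext_filename(name: str) -> bool:
    """True if `name` can be a single ext4 directory entry.
    The limit is in bytes, so it is checked on the UTF-8 encoding."""
    if name in ("", ".", ".."):
        return False
    if "/" in name or "\x00" in name:
        return False
    return len(name.encode("utf-8")) <= MAX_NAME_BYTES


def trim_to_limit(name: str, limit: int = MAX_NAME_BYTES) -> str:
    """Shorten `name` to at most `limit` bytes without splitting a
    multi-byte character (a cut sequence at the end is dropped)."""
    raw = name.encode("utf-8")
    if len(raw) <= limit:
        return name
    return raw[:limit].decode("utf-8", errors="ignore")


def check_package_dir(package_name: str) -> bool:
    """A package name doubles as a directory name, so it must pass the
    same filename check before it is used to build a path."""
    return is_valid_ext_filename(package_name)
```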
Issue #21039494: API Review: android.os.PowerManager.isDeviceIdleMode()
Issue #21347000: API Review: android.content.IntentFilter
Issue #20654534: API Review: android.app.assist
Also allow use of ActivityManager.setWatchHeapLimit on any platform
build as long as the calling app is debuggable.
Change-Id: Ic597e596fa772fcdf2553b64f444b3d9269e8b92
Expose this method so that subclasses can declare new types of services
that can be returned by getSystemService(Class<T>).
Bug: 21343770
Change-Id: I08bdfa61153d19298645dc495deb2d535e54f9f0