This was broken in the original migration, causing this field to be
dropped on reboot.
Bug: 178209505
Test: TODO, separate change will include comprehensive parceling test
Change-Id: I67219fe00c7b92677391fd46305bf0424d74e5f3
(cherry picked from commit 00f69942be)
Delegate the resetting of the INTERACT_ACROSS_PROFILES app-op to
DevicePolicyManager, which knows whether it should be pre-granted and
knows to apply it equally across all users in the profile group.
Further unit tests for DevicePolicyManagerInternal will be added in
b/175440570 when we have the better infra for that.
The CrossProfileAppsServiceImpl changes look more complex than they are.
They consist of the following:
- Inclusive language changes to 'allowlist'
- Static imports of permissions to improve readability
- Previously, the setInteractAcrossProfilesAppOp method would set the
app-op for every user within the profile group of the 'calling user'.
However, given that we are now exposing this as a server-side internal
API where we need to pass in a user ID (from AppOpsService), we don't
necessarily have the guarantee that the 'calling user' is in the same
profile group. So we split it up: the client-side API and AIDL API still
set the app-op for the calling profile group, whereas the internal API
sets the app-op for every user within the profile group of the provided
user. The changes simply abstract away references to the 'calling user
ID'.
Fixes: 166561076
Bug: 175440570
Test: atest services/robotests/src/com/android/server/pm/CrossProfileAppsServiceImplRoboTest.java --verbose -c
Test: manual
Change-Id: I2181fe66022aaf6c3e6d784c0569d2f41ab66537
(cherry picked from commit d004f41188)
Update both versions of CrossProfileApps#startActivity to refer to
passing the result back to the passed in calling activity.
Bug: 174506563
Fixes: 171957840
Test: atest com.android.cts.devicepolicy.CrossProfileAppsHostSideTest#testStartActivityIntent_crossProfile_returnsResult
Change-Id: I14bf779d9307232b31300b828a1606c7411c7bb3
For apps that target Android 11 and higher, the methods in this class
each return a filtered list by default, because of the new package
visibility behavior.
Test: m ds-docs-java
Bug: 173104139
Exempt-From-Owner-Approval: Docs-only change
Change-Id: Idd239a6a9b4e1764b8285f73a341adc024281be2
If an app is pinned we want to avoid ways to unpin without entering a
set passcode. If the package of the base activity in the pinned activity
stack is uninstalled then the device exits pinning mode so we want to
restrict uninstalling this package.
Bug: 135604684
Test: Pin test app, test app tries to uninstall itself
Pin test app, `adb uninstall`
Pin test app, test app launches second test app, assert that
second test app can be uninstalled but base test app can't
Change-Id: I32ee438e9dd9e245bed6e6a9f4efd0abbb70de1f
Merged-In: I32ee438e9dd9e245bed6e6a9f4efd0abbb70de1f
This attribute is useful to identify (on bugreports) whether a
user was created "from scratch" or converted from a pre-created user.
Test: adb shell cmd user list --all -v
Test: adb shell dumpsys user
Test: atest UserControllerTest UserManagerServiceUserInfoTest
Fixes: 165703573
Change-Id: Iee9df636db5677b4d968d49bb5f5b3fbb9a7f02d
Merged-In: Iee9df636db5677b4d968d49bb5f5b3fbb9a7f02d
(cherry picked from commit c5986436a9779bbe9068609062fb231aff37e1d4)
This change exposes the method to grant implicit visibility access via
IPackageManager and as a hidden API in PackageManager. This variant of
the method takes a recipient UID and the authority that it should see
and limits access to only the contacts provider on device.
Bug: 158688602
Test: PackageManagerTests
Change-Id: I0050593e4aa734af1a69a40a60746f7cf0ea72df
Transfer API should throw security exception when transferring the
session which is not installing the original installer.
Moving it onto commit stage and still fail the installation.
Fixes: 165775712
Test: atest InstallSessionTransferTest
Test: atest -p frameworks/base/services/core/java/com/android/server/pm
Change-Id: I8511d4357788e70f83bcbd366908b42a691afbcb
Merged-In: I8511d4357788e70f83bcbd366908b42a691afbcb
The information of protectionLevel companion is missing when dumping
to string.
Bug: 161855740
Test: atest CtsPermission2TestCases:PermissionPolicyTest
Change-Id: Ifa9099541df1c287e5883a801ed14d34dad6287b
Merged-In: Ifa9099541df1c287e5883a801ed14d34dad6287b
When updating an existing Configuration instance, don't create a new
clone of the pattern's embedded Locale unless it is materially different
from the existing instance's own.
Bug: 161264248
Test: boot & run
Test: atest AppConfigurationTests
Test: atest ConfigChangeTests
Test: atest LocaleListTest
Change-Id: I5dc0598b89305c488ba50c1774ecdabf939a6ccc
Merged-In: I5dc0598b89305c488ba50c1774ecdabf939a6ccc
Checking carrier privileges for UIDs with lots of shared apps can incur
a significant performance hit. For UIDs that are fixed and trusted
(system and phone), skip the permission check and always allow.
Also, double the cache size for getPackageInfo in order to reduce the
rate of cache misses.
Bug: 160971853
Test: manual verification -- observed lower rate of cache misses for
getPackageInfo from com.android.phone.
Change-Id: I1399cab579308479d7cf191b8795441cbcd3ff65
This change ensures that while parsing a package, we require an explicit
wildcard in the queries->intent->data->host field. Prior to this change,
we were defaulting to wildcard when not provided. This resulted in,
e.g. someone trying to get visibility to just browsers actually getting
access to all packages that handle any web intent.
Fixes: 160868841
Test: atest AppEnumerationTests IntentFilterTest
Change-Id: I771845467928b6655fe19efe89bd2ca548dca6e5
Add null checks in both ContextWrapper and before obtaining
ContextImpl#getOuterContext.
Test: atest ContextTest#testIsUiContext_ContextWrapper
fixes: 160037462
Change-Id: Ic6a71dd9ac4b195d219d6e5431f2f2b199a400fa
The behavior of the adjacent flag is changed. It can be changed to split-screen mode if supported by the system.
Fixes: 155050369
Test: n/a
Change-Id: Ia19e0228442e7c8847d403ee2def841f1c0b712b
Android 11 requires a minimum V2 APK signature for apps targeting SDK
version 30+; however some apps on a system partition can only be signed
with the V1 signature scheme. This commit relaxes the minimum signature
scheme version to allow for these apps on a system partition.
Bug: 158728035
Test: atest PackageManagerTest
Test: atest PackageManagerTests
Test: atest PkgInstallSignatureVerificationTest
Change-Id: I1a95fd6894cc937e00ad1ac54d1846b51b48e9cd
Bug: 158007508
Test: Make and manually check the log using
"adb logcat -b events | grep sysui_multi_action".
Change-Id: I8365bbaa0abf65bdffd8da9462a2295a5e37b3c2
Only if the application is profileable.
Bug: 158238023
Fixes: 158238023
Test: atest PackageManagerShellCommandTest PackageManagerShellCommandIncrementalTest IncrementalServiceTest PackageParserTest
Change-Id: I8575830ec3f29850297fdbfbaa157072d6350a28
Merged-In: I8575830ec3f29850297fdbfbaa157072d6350a28
The subfolders can be null depending on the partition.
Bug: 158671002
Test: manual was tested as part of not yet merged
Ie09ccf4b64a0be26d19c9034a68ca4877ca49b81
Change-Id: Ic3a07867cb50b6b0b0e265e9540c52ee94c68050
To mitigate a boot loop with reading a massive
install_sessions.xml file, this restricts the amount of
data that can be written by limiting the size of
unbounded parameters like package name and app label.
This introduces a lowered max session count. 50 for general
applications without the INSTALL_PACKAGES permission, and
the same 1024 for those with the permission.
Also truncates labels read from PackageItemInfo to 1000
characters, which is probably enough.
These changes restrict a malicious third party app to ~0.15 MB
written to disk, and a valid installer to ~3.6 MB, as opposed to
the >1000 MB previously allowed.
These numbers assume no install granted runtime permissions.
Those were not restricted since there's no good way to do so,
but it's assumed that any installer with that permission is
highly privileged and doesn't need to be limited.
Along the same lines, DataLoaderParams are also not restricted.
This will have to be added if that API is ever made public.
However, installer package was restricted, even though the API is
hidden. It was an easy add and may have some effect since the value
is derived from other data and passed through by other system
components.
It's still possible to inflate the file size if a lot of
different apps attempt to install a large number of packages,
but that would require thousands of malicious apps to be installed.
Bug: 157224146
Test: atest android.content.pm.PackageSessionTests
Change-Id: Iec42bee08d19d4ac53b361a92be6bc1401d9efc8
The camera API, MediaStore.ACTION_IMAGE_CAPTURE requires apps to pass
a content:// URI with write permissions to the camera. Unfortunately,
apps haven't been doing this and we only started hitting problems in R
for two reasons:
1. The FileUriExposedException that should crash apps when they try to
share file:// URIs across binder is skipped. This is because, the
image_capture intent is passed across binder as a field in a
ChooserActivity Intent and the child intents are not checked for
file URI exposed
2. Prior to R, when camera gets a file:// URI, camera issues a file
open(2) in its process. This open(2) succeeds because the camera had
write_external_storage permission which gave it write access to all
files on external storage
Now, camera targets R and (2) fails because camera does not have write
access to files owned by other apps. To work around this, we do the
following in the app's process when it targets < R:
a. When we detect a file:// URI for the camera in an Intent, we create
the file on disk if it is not already created.
b. Scan the file to insert it in the database and retrieve a
content:// URI
c. Replace the file:// URI with the content URI in the image_capture
intent
This works because, the system will ensure the camera is granted write
access to the content URI.
Test: Manual
Bug: 156336269
Change-Id: I4849ff5e806a8207650ff7534846c36ecdc6d3c0
For Activity aliases, it's possible some values are already
set, which means they cannot be assumed to be 0, and can't be
overwritten if an attribute in the alias is undefined. For the
parsing v2 refactor, this was cleaned up to avoid
redundant != 0 checks, but those checks are indeed necessary.
This copies over the old logic and uses it exactly.
In some future cleanup, there should be a more structured way
of doing this, since it's not immediately obvious which values
are overridden or not. For example, description is always
overwritten even if no new value is provided in the alias.
This also fixes up the comparison tests and other bugs that
popped up because of them. The core issue was that when
auto-generating the dumpToString methods, the Alt+Insert
macro default selects all the fields in the current class,
but not all the parent classes, so some shared fields like
name/icon were not considered.
A notable case that was found when running the comparison tests
is that persistableMode is now "fixed" with v2. Previously,
a bug in PackageParser caused this value to be dropped if
the ActivityInfo object ever had to be copied. This is a change
from Q behavior, but there's no good way to reconcile this, and
it's better to be correct and consistent than broken, so this
fix was left in and excluded from the comparison tests.
Bug: 150106908
Test: manual run through steps in bug
Test: atest com.android.server.pm.parsing
Merged-In: I1301e28540314d0e643b73af7146c1a366eca6b5
Change-Id: I1301e28540314d0e643b73af7146c1a366eca6b5
Introduce meta-data tag "android.supports_size_changes" which will indicate that an activity works well with size changes like display changing size.
Test: Manual - Run by adding metadata to the app running with SizeCompatMode.
Bug: 155041354
Change-Id: I0f358f63c9e14c63294275c0bfcd08744bee1108
On Pixel 2 devices, /product is a symlink to /system/product. The
product partition has a higher partition precedence than the system
partition so the app should be installed as a system app on the product
partition.
This change also unifies methods for checking whether a file is within
a partition so paths will always be canonicalized before the
check.
Bug: 152522330
Test: update system app in system/product/privapp, uninstall updates,
verify that the app was scanned as privileged
Change-Id: I646a5f293b977a78daa2102b73f1d3122f774a2a
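
The symlinked-partition case described in the last commit message above, as an added example that is not code from the framework or from the commit. The class name, method names and the temporary directory layout are hypothetical; the example shows why a containment check that compares paths as written misclassifies a file reached through the real directory, while a check that canonicalizes both sides does not.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added illustration; names are hypothetical, not framework code. */
public class PartitionCheckDemo {

    /** Naive check: compares the paths as written, so symlinks are never resolved. */
    static boolean isWithinNaive(Path partitionRoot, Path file) {
        return file.toAbsolutePath().normalize()
                .startsWith(partitionRoot.toAbsolutePath().normalize());
    }

    /** Canonicalizing check: resolves symlinks on both sides before comparing. */
    static boolean isWithinCanonical(Path partitionRoot, Path file) throws IOException {
        return file.toRealPath().startsWith(partitionRoot.toRealPath());
    }

    /** Checks partitions in precedence order: product before system. */
    static String classify(Path product, Path system, Path file) throws IOException {
        if (isWithinCanonical(product, file)) return "product";
        if (isWithinCanonical(system, file)) return "system";
        return "none";
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mirroring the commit message:
        //   <tmp>/system/product/priv-app/Demo/Demo.apk   (real file)
        //   <tmp>/product -> <tmp>/system/product         (symlink)
        Path root = Files.createTempDirectory("partitions");
        Path system = Files.createDirectories(root.resolve("system"));
        Path appDir = Files.createDirectories(system.resolve("product/priv-app/Demo"));
        Path apk = Files.createFile(appDir.resolve("Demo.apk"));
        Path product = Files.createSymbolicLink(root.resolve("product"),
                system.resolve("product"));

        // The APK path is the one under <tmp>/system, as a scanner walking the
        // real directory would report it.
        System.out.println("naive:     within product? " + isWithinNaive(product, apk));
        System.out.println("canonical: within product? " + isWithinCanonical(product, apk));
        System.out.println("classified as: " + classify(product, system, apk));
    }
}
```

The naive check reports the APK as outside the product partition because the textual path starts with the system directory; after canonicalization both the partition root and the file resolve to the same real location, so the higher-precedence product partition wins.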