This takes advantage of the recently added behavior that offers to
send Parcelable exception types across Binder calls.
Certain SecurityException can be resolved if we involve the end user,
such as when a password has expired, or a user challenge is required
to proceed. This new subclass of SecurityException provides
user-visible messaging and convenience methods for quickly rendering
that messaging as a notification or dialog.
Test: builds, boots, throws, shows as notification and dialog
Bug: 33749182
Change-Id: Iba66c7466b8fabca9e3f83c60db5a4ab849a256f
No longer need to look up the application info, target SDK is
explicitly passed in to the check. For the external method, we
change this to just checked to see if background is completely
disabled, which doesn't need a target SDK check (and is the only
thing any of the current clients care about).
Now allow SystemUI to put targets of notification pending intents
on the temporary whitelist when they fire, so developers can avoid
dealing with background restrictions in this case (if the user
interacts with their notification, they will temporarily be
considered in the foreground).
Remove any thoughts of enforing restrictions on registerReceiver(),
so we don't need to deal with target SDK versions there (which can't
be done all that efficiently).
Also bring back the old "allow starts coming from foreground apps"
only for the MODE_IGNORE app op, since it should provide some
better compatibility.
Test: ran them.
Change-Id: Id4ea7f992d12ce4bd8e54f1dbaeb4a460a3dee59
Fixes isDeviceSecure and isDeviceLocked APIs to use
the user id of the app that executes the code rather
than that of any incoming binder call.
Change-Id: Ib7772b60c35a3ebf96830f9b013c539021e1f063
Fixes: 34592592
Test: manual
Induce a normal VM crash via adb, because it's quite different from the
effects of 'am kill'.
Test: induced crashes via adb shell using both pid & pkg
Change-Id: I79654afa7c4a70364cfd7d3af3e80a7b0e59b882
It should be checking if the UID argument passed in has the requested
permission; not the calling UID.
Test: builds, boots
Bug: 34528367
Change-Id: Ie1828f571d9f143ce9f5bdca2eedcf2fa6ccfd79
This change creates a new FontManagerService, in charge of providing
font management data. It exposes a public API to retrieve the
information in fonts.xml without accessing it directly. To do this,
it also refactors FontListParser's internal classes into a new public
FontConfig class holding all the font data.
getSystemFonts() returns all the available information in fonts.xml
as well as file descriptors for all the fonts. This allows us to
share the memory consumed by these files between all clients.
Bug: 34190490
Test: See attached CTS change in topic
Change-Id: I0e922f8bcc9a197a1988d04071eb485328d66fb7
We add a variant of notifyPendingSystemUpdate method which takes an
additional isSecurityPatch boolean flag. This information, if available,
will be persisted and available to device and profile owners when they
call getPendingSystemUpdate method.
Test: gts-tradefed run gts -m GtsGmscoreHostTestCases -t com.google.android.gts.devicepolicy.DeviceOwnerTest#testPendingSystemUpdate
Test: gts-tradefed run gts -m GtsGmscoreHostTestCases -t com.google.android.gts.devicepolicy.ManagedProfileTest#testPendingSystemUpdate
Bug: 33102479
Bug: 30961046
Change-Id: If3f1b765bb18a359836ac43ac9a0a9f29e9f8428
This change adds support for static shared libraries that
emulate static linking allowing apps that statically link
against the same library version to share a common
implementation. A library is hosed by a package in a standard
APK.
Static shared libraries have a name and a version declared
by a dedicated manifest tag. A client uses also a new tag
to refer to the static library it uses by specifying the
lib name, version, and the hash of the signing certificate.
This allows two apps to rely on two different library versions
and prevents impersonation of the shared library by a side-loaded
app with the same package name.
Internally apps providing static libs use synthetic package
name generated from the manifest package name and the library
version. This allows having different "versions" of the same
package installed at the same time.
An application cannot be installed if a static shared lib it
depends on is missing. A used shared library cannot be uninstalled.
Shared libraries can rotate certificates like normal apps. The
versions of these libs should be ordered similarly to the version
codes of the hosting package. Such libs cannot use shared user
id, cannot be ephemeral, cannot declare other libraries, cannot
rename their package, cannot declare child-packages. They must
target O SDK. Also they cannot be suspended or hidden or their
uninstall blocked. Generally, speaking policy regarding code in
static shared libs should be applied to the packages using the
library as it could have just statically linked the code.
We now have APIs to query information about the shared libraries
on the device in general. To clients static shared libraries are
presented as multiple versions of the same package which is how
they are declared and published. Therefore, one can have two
versions of the same package which means we need way to query
for and uninstall a specific version of a package. Also static
shared libs can depend on other static shared libs which are
versioned packages. To ease representation we add the concept
of a versioned package which should be used in the case of
static shared libs.
A client can see only the static shared libs it depends on and
more specifically only the versions it depends would be retrieved
by using the standard package manager APIs. There is a new
dedicated API to get info about all shared libraries which
would provide data about all static shared lib versions. Also
these libraries must use v2 signing scheme.
Test: CTS tests pass
bug:30974070
Change-Id: I4f3d537ee7a81f880950377b996e1d9d4813da5c
When a device gets stuck in a crash loop, it's pretty much unusable
and impossible for users to recover from.
To help rescue devices from this state, this change introduces a new
feature that watches for runtime restart loops and persistent app
crash loops, and escalates through a series of increasingly
aggressive rescue operations. Currently these rescue levels walk
through clearing any experiments in SettingsProvider before finally
rebooting and prompting the user to wipe data.
Crash loops are detected based on a number of events in a specific
window of time. App stats can be stored in memory, but boot stats
need to be stored in system properties to be more robust.
Start up RecoveryService much earlier during the boot so we can
reboot into recovery when needed.
Add properties tha push system_server or SystemUI into a crash loops
for testing purposes.
Test: builds, boots, forced crashing walks through modes
Bug: 24872457, 30951331
Change-Id: I6cdd37682973fe18de0f08521e88f70ee7d7728b
Test: Manually tested onDeviceUnlockLockout being called with an actual
TestAgentService implementation.
Notes:
- Active Trust Agents are no longer killed/unbinded from when a temporary
device lockout occurs. Instead, the onDeviceUnlockLockout callback of
the agent is called.
Change-Id: Ifa0984d1d7e5153568334d736e9ebd5a00ef1297
Bug: 34198873
The rationale is that the notification importance on TV doesn't
always align with their importance on other devices.
Thus we need the ability to post notification to different
channels just on TV.
Test: ag/1808384
Change-Id: I90a84e3f74d59ca45dac3c6414285bed26482008
There is a new APP_START_MODE_DELAYED_RIGID which means that
things discovering something is not allowed to start should
report a clear error back to the caller. This is how apps
that opt in to bg check should behave, and will now
be used if the app op mode is set to ERRORED.
This (for now?) removes the code that allows services to
be started if the request is coming from a foreground process.
That behavior isn't in the current bg check spec, and
probably not what we want as the standard platform model (since
it makes knowing when a service can start even harder to
determine). It was originally done for the experimental
bg check work in N to see how much we could avoid
breaking existing apps, so not relevant when apps need to
explicitly opt in.
Also report temporary whitelist changes to activity manager for
it to lift background restrictions temporarily for apps. Being
on the whitelist is now part of UidRecord, preventing a uid from
going idle.
Test: Initial CTS test added.
Change-Id: I36fd906fa69de8b7ff360605ae17c088f182e172
Added an app op to control which package and uid can install apps on the
device and an intent action to launch the settings fragment.
Test: Will include in follow up CL, tracked in b/33792674
Bug: 31002700
Change-Id: Ic073495759d9867f8001a6c712e402398c53dfc9
- Consolidating to enterPictureInPictureMode(), the new method will
attempt to put the activity into picture-in-picture mode if the
activity is visible or pausing in a state that would allow us to
pip it. Also consolidate the setting of the PiP aspect ratio and
actions into setPictureInPictureArgs().
- Fixing issue with onPause not completing when moving the
paused activity between stacks while dispatching onPause
Bug: 33692987
Test: android.server.cts.ActivityManagerPinnedStackTests
Change-Id: I3af2365f31a9b95de4a92eae46b77108947b2a49
Apps that target O+ are always subject to background restrictions.
Legacy apps' background restriction is subject to the OP_RUN_IN_BACKGROUND
app op.
Apps with these properties are exempted from background restrictions:
- persistent process
- currently on the idle battery whitelist
- global whitelist for things like bluetooth services
Bug 30953212
Change-Id: Icc19b2fbc05f40dcf8c3fc4abf718c373dc8d4f6
When an ApplicationInfo object is updated and we want to update
code paths without restarting the app's process, we need to make
sure that we only update the paths that have changed. This means
diffing between the old paths and the new paths.
Test: watch /proc/<pid>/maps for dex entries before and after
running adb exec-out am update-appinfos all <package>
Change-Id: I6855d860478ade3184bbb578a5483d8548396daa
ag/1633903 added config_allow3rdPartyAppOnInternal flag to specify
whether 3rd party apps are allowed on internal storage. We need to
respect the flag when moving apps between storages.
Bug: 30980219
Test: Added ApplicationPackageManagertest
Change-Id: I0f8e76467b5071d70f40da28c2087e689c049c06
This cl adds a new requestBackup API to
BackupManager that takes in an int flag
to indicate whether the caller wants the
entire key value set to be passed to the
transport and not just a diff.
Change-Id: Ia225797a58c4431fe742f2f116b257d006b30cd1
Bug: 33749084
Ref: go/request-backup-api-changes
Test: GTS Test at ag/1774002
- Only happens when the caller is not from the same package.
Bug: 33754261
Test: Open a PIP activity, try to launch it again from launcher
Change-Id: I3c364ebe31a7626b9133d9c4c1fafc718c2eecf9
It was trying to interact through null, which could throw an exception. Example:
01-18 18:28:12.609 862 2038 W Binder : Binder call failed.
01-18 18:28:12.609 862 2038 W Binder : java.lang.NullPointerException: Attempt to get length of null array
01-18 18:28:12.609 862 2038 W Binder : at android.app.Notification$Action$Builder.build(Notification.java:1289)
Test: manual verification
Change-Id: I84fda80ebd12df7d90730b17fa77d4b9ce5f58d2
