134 Commits

Author SHA1 Message Date
Ytai Ben-Tsvi
152e25b804 Remove obsolete permission
Bug: 146157104
Merged-In: I95aafe0e41977ca2656163fce9796abc6127c202
Change-Id: Ia528e3017d25625931a84249872f699659ae6b9a
2020-04-01 10:00:25 -07:00
Tej Singh
10458eca11 Enforce permission on native puller API
Test: m
Test: no security exceptions on boot
Test: atest LibStatsPullTests
Bug: 148955001
Change-Id: I4b06bfc41be2925270eaddd717f1499d98739dae
2020-03-19 11:54:11 -07:00
Automerger Merge Worker
3a8f7de209 Merge "Associate MAINLINE_NETWORK_STACK with net_raw and net_admin gid" am: ee6679031e am: 9ebb8455fa am: 246a2e1f72
Change-Id: I4a71ae683ff443e1f7867b3f83d4de80aa5cc785
2020-02-06 03:48:55 +00:00
Hungming Chen
14858acba5 Associate MAINLINE_NETWORK_STACK with net_raw and net_admin gid
Provide network stack the permission to access eBPF maps for tethering
offload

Test: m
Test: cat /proc/<pid>/status of network_stack has net_raw (3004) and
      net_admin (3005)

$ adb shell cat /proc/<pid>/status | egrep "Name|Uid|Gid|Groups"
Name:   rkstack.process
Uid:    1073    1073    1073    1073
Gid:    1073    1073    1073    1073
Groups:	1073 3001 3002 3003 3004 3005 3006 3007 9997

Change-Id: Ib3f6094e4c846832e44497466e3fed7dcd125593
2020-02-05 11:55:30 +00:00
Zim
7a5050b95a Associate MANAGE_EXTERNAL_STORAGE with external_storage gid
Test: m
Bug: 144914977
Change-Id: I3966701af00e07842a474e7e7fceb7db0fe62273
2020-01-27 16:03:39 +00:00
Zim
7da9f80d6a Deprecate WRITE_MEDIA_STORAGE permission
Previously, this permission would give the holder the media_rw gid
thereby granting access to the following file paths on disk:
1. /data/media
2. /mnt/media_rw
3. /mnt/expand/<uuid>/data/media

With the introduction of a stacked FUSE filesystem on external
storage, modifying any files directly on the lower filesystem (the
paths listed above) could lead to VFS cache inconsistencies and file
corruption.

To mitigate this risk, this cl blocks unneeded access to the lower
filesystem. Apps relying on this permission should instead use
android.permission.MANAGE_EXTERNAL_STORAGE.

Test: cat /proc/<pid>/status of mediaprovider doesn't have media_rw
Bug: 144914977

Change-Id: I8335d18067231657ac9793f7b1dcf6adb617ecfc
2020-01-22 19:29:29 +00:00
Ruchir Rastogi
5ea3163325 Migrate DeviceCalculcatedPower pullers to new API
As part of migrating the pullers to the new API, we modify
permission checks within BatteryStatsService. Previously, a Binder
thread within StatsCompanionService (with statsd's calling identity)
called BatteryStatsService functions, which was why statsd was assigned
the BATTERY_STATS permission. Now, that call is being made from the
system process Background thread. Because enforceCallingPermission
outside of Binder threads, we switched to enforceCallingOrSelfPermission.

Test: m -j
Test: adb shell cmd stats pull-source 10039
Test: adb shell cmd stats pull-source 10040
Test: adb shell cmd stats pull-source 10041
Test: atest CtsStatsdHostTestCases:UidAtomTests#testDeviceCalculatedPowerUse
Test: atest
CtsStatsdHostTestCases:UidAtomTests#testDeviceCalculatedPowerBlameUid
Test: atest CtsStatsdHostTestCases:BatteryStatsValidationTests#testPowerUse
Bug: 145565211
Change-Id: Ie009e6eead3e48ecee6b40d9a38c9d571d4d4117
2020-01-15 15:39:56 -08:00
Ytai Ben-Tsvi
0b0441d16c Add a permission for preempting sound trigger sessions
Previously, the power to preempt sound trigger recognition sessions
for the sake of being able to capture audio on platforms that don't
support doing both concurrently, was implicitly granted based on
process (audio_server) co-location with the sound trigger service.
Since this service is now being migrated out of audio_server, a new
permission is introduced and granted to the audio server.

Change-Id: Ifcdfc2a5543d814fb0630a45cdd9bcdba4d92107
Bug: 142070343
2019-12-13 10:45:42 -08:00
Joe Onorato
8e566f33ee Add new permission that lets incidentd call dropbox
Bug: 139375147
Test: treehugger
Change-Id: I4eaf167ff9157d9168358ed050e7f8b8ce136097
2019-10-23 17:58:00 -07:00
Chen Xu
8dcf873d9a Merge "Revert "remove symbols from greylist""
2019-09-26 03:45:27 +00:00
Chen Xu
6155eb9663 Revert "remove symbols from greylist"
This reverts commit 27c4e658b3.

Reason for revert: <potential performance regression. revert for now and looking for possible optimization from ART team>

Change-Id: I5bf728e4f6789d7e6398cf90f22fbf3a24d481c2
2019-09-23 18:51:02 -07:00
Philip P. Moltmann
89b044ffb8 Split access-media-storage from read-external-storage
And also pre-grant it to all apps that currently get any storage
permission pre-granted

cherry-pick for qt-qpr1-dev Ib9f50d25c002036f13cf2d42fc4d1b214f20920c

Test: - straight cherry-pick
      - atest SplitPermissionTest
Bug: 141048840,140961754
Change-Id: Ia2219639a2104965a382ffef647e5ebaa0f9d540
2019-09-20 10:31:19 -07:00
Philip P. Moltmann
ac7b10c135 [DO NOT MERGE] Split access-media-storage from read-external-storage
And also pre-grant it to all apps that currently get any storage
permission pre-granted

Test: atest SplitPermissionTest
      m -j gts && gts-tradefed run commandAndExit gts-dev -m GtsPermissionTestCases --test=com.google.android.permission.gts.DefaultPermissionGrantPolicyTest#testDefaultGrantsWithRemoteExceptions
      Manual testing:
         All combinations of
           - App targetSdk = 28 and 29 (and 22 for extra credit)
           - App having the <uses-permission> tag for
             ACCESS_MEDIA_LOCATION or not
           - Upgrade from P->Q-QPR and from vanilla Q->Q-QPR
         Further upgrade of targetSdk from 28->29 while on Q-QPR
         ==> All permission behavior should make sense. Sometimes there
             are weird, but expected behaviors. Hence we need to
             collect the results and then look at the unexpected ones.
             See SplitPermissionTest for some tests I added for the
             location-background permission which was split from
             the fine/coarse-location permissions
Fixes: 141048840,140961754
Change-Id: Ib9f50d25c002036f13cf2d42fc4d1b214f20920c
2019-09-20 16:45:58 +00:00
Chen Xu
c1f208cd69 Merge "remove symbols from greylist"
2019-09-04 23:31:25 +00:00
Chen Xu
27c4e658b3 remove symbols from greylist
telephony-common is not intended to be used by any apps and
being in boot class is not updatability friendly.
We are removing telephony-common from bootclass and apply
<uses-library> in manifest instead.
for apps targeting < R will auto load telephony-common lib
for app compatibility. For apps >=R, only allow usage for
phone UID.

Bug: 135955937
Test: Build
Change-Id: Ia318661546df6d8516328886e5cc0c54d5cfafe6
2019-09-04 11:42:14 -07:00
Yin-Chia Yeh
51d8516b7a Camera: add camera audio restriction API
Test: new CTS tests
Bug: 135676184
Change-Id: I4f28d28972b9ced0fee0afe996ef1c4f68d0d2c9
2019-08-30 14:44:46 -07:00
Chenbo Feng
3ffad3f50b Merge "Fix the internet permission for native services" am: 1f721ee602
am: 5d4822bcd2

Change-Id: I795bc87ad6cba7c40974136ca3b122540679c684
2019-05-23 13:51:43 -07:00
Chenbo Feng
4c755833af Fix the internet permission for native services
The native services should specify their permissions in platform.xml if
they need internet permission, otherwise the eBPF program will block the
socket creation request. Fixing the known services that are in group
AID_INET but didn't specify their permission in the xml file.

Bug: 132217906
Test: CtsJdwpTestCases dumpsys netd trafficcontroller
Change-Id: I84cde7d3757953bc0bf761727d64a715bcdd68bb
Merged-In: I84cde7d3757953bc0bf761727d64a715bcdd68bb
(cherry picked from commit e5d6f0fa6c)
2019-05-23 11:54:49 -07:00
Chenbo Feng
e5d6f0fa6c Fix the internet permission for native services
The native services should specify their permissions in platform.xml if
they need internet permission, otherwise the eBPF program will block the
socket creation request. Fixing the known services that are in group
AID_INET but didn't specify their permission in the xml file.

Bug: 132217906
Test: CtsJdwpTestCases dumpsys netd trafficcontroller
Change-Id: I84cde7d3757953bc0bf761727d64a715bcdd68bb
2019-05-22 17:59:29 -07:00
Philip P. Moltmann
41b312003f Android Q is API 29
Hence mark the new split permissions as 29 instead of 10000.

Fixes: 132898943
Test: atest SplitPermissionTest
Change-Id: I0aa3e9b4d60cea1a59b891f2fb2d94a734efebf2
2019-05-16 14:03:46 -07:00
Philip P. Moltmann
3d6c31a320 Always request coarse location with fine location
If an app can access the fine location it can obviously also access the
coarse location. There is code inside checkPermission that encapsulates
the logic.

This code fixes two issues:
- checkPermission might return for the coarse location even though the
  permission is not even mentioned in PackageInfo.requestedPermissions.
  Now the coarse location is always added to requestedPermissions when
  the fine location is in the manifest even if the app does not have
  the coarse location in the manifest
- If the app requests the fine location only we might unintentionally
  kill the requesting app.
  1. App does not have any permissions granted
  2. App requests FINE_LOCATION
  3. Permission controller reads (and caches) permission state: FINE=revoked,
     COARSE=revoked
  4. User grants FINE_LOCATION -> Perm controller updates internal
     state: FINE=revoked, COARSE=revoked
  5. Perm controller applies FINE_LOCATION state to the system
  6. Perm controller looks at COARSE and checks if it is granted.
     Because it is implied, it now shows up as granted. Hence perm
     controller will try to revoke it which kills the app
  The solution is that it will be impossible to only request
  FINE_LOCATION by itself. This change will automatically add requesting
  COARSE_LOCATION, whenever FINE_LOCATION is requested

Fixes: 130358762
Test: Reproduced scenario in bug 130358762
Change-Id: I217c0b23063617f60b98c805af1d122a6ec0608e
2019-04-16 14:49:05 -07:00
Philip P. Moltmann
129a0b0c5e Remove dual storage permission model
- Also remove typed media permissions
- Leave typed media app-ops

Bug: 129716569
Test: Used apps, looked at permissions in the UI
Change-Id: If7714fb1a6955584157e1a60ab72b09e35287827
2019-04-01 16:30:11 -07:00
Philip P. Moltmann
c94ba820fb Implement dual-permission model for storage.
- Pre-Q apps use the legacy READ/WRITE_EXTERNAL_STORAGE permissions
- Post-Q apps use the READ_MEDIA_* permissions
- Grandfathered Q apps have all storage permission granted fixed. In the
  UI they show only the legacy storage permissions
- The OP_LEGACY_STORAGE controls whether an app is grandfathered

Data providers should check both old and new permission model as
permissions that are not used are set as granted.

Test: atest CtsPermissionTestCases:android.permission.cts.DualStoragePermissionModelTest
Fixes: 126785920
Change-Id: I668530e62125d95f122a94ae39f17007391bcaa5
2019-03-15 16:48:18 -07:00
Joe Onorato
e21ab7eab4 Add IncidentCompanionService
It is a helper in the system process that helps dumpstate and incidentd get
user confirmation to share reports

Bug: 123543706
Test: bit GooglePermissionControllerTest:*
Change-Id: Ia3fe4bd5257044ed89fe56ce683876fa03ba6c36
2019-01-29 09:59:28 -08:00
Sundong Ahn
f8732bb2db Change the impl lib name of java_sdk_library
The impl lib name of java_sdk_library is changed to {module_name}.jar
instead of {module_name}.impl.jar
android.test.mock.impl is removed from stubs_defaults.
RepetitiveTest class is added to public API in android.test.base

Bug: 110404779
Test: m -j
Change-Id: I5dd7f3a28bc22136b4e921de3eb5a3e77e5fc75f
Merged-In: I5dd7f3a28bc22136b4e921de3eb5a3e77e5fc75f
(cherry picked from commit b7540bf1a3)
2019-01-17 09:43:25 +09:00
Sundong Ahn
b7540bf1a3 Change the impl lib name of java_sdk_library
The impl lib name of java_sdk_library is changed to {module_name}.jar
instead of {module_name}.impl.jar
android.test.mock.impl is removed from stubs_defaults.
RepetitiveTest class is added to public API in android.test.base

Bug: 110404779
Test: m -j
Change-Id: I5dd7f3a28bc22136b4e921de3eb5a3e77e5fc75f
2019-01-16 12:20:55 +09:00
Ben Lin
71c16d714d Obtain dependency information from permissions files for SharedLibs.
Bug: 120096113
Test: Build with built-in libraries that declare new dependency flag, no
more boot errors (tested with cheets_x86_64 and crosshatch_userdebug)
Change-Id: I6b3e2ab7626ed8f04c0bf1a5b3c32204a2f2c56b
2018-12-10 16:31:09 -08:00
Jeff Sharkey
9787a9459d Iterate on storage permissions model.
This change updates the permissions design to use app-ops for
controlling write access, which is only extended to the default app
for a particular collection type.

Bug: 119713234
Test: atest android.appsecurity.cts.PermissionsHostTest
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*
Change-Id: I40811ff175b3b8410b58ed901948a23a56f8a8c2
2018-11-26 12:00:35 -07:00
Bookatz
75ee604244 Statsd atom: Power Use
BatteryStats calculates power usage of the device and various components
(such as apps). This information is used, e.g., in the battery panel of
Settings. We now log it to statsd. It can be used for validating how
good the information displayed in Settings is. In the long-term, it is
likely not ideal for off-device calculations, since that can be
hopefully estimated using statsd's raw data.

Three atoms: one for the total power use, one for the power use of each
uid, and one for each non-uid component. Since they will all likely be
pulled together, StatsCompanionService will provide stale data for
BatteryStats pulls called within a second of a previous BatteryStats
pull.

Also in this cl:
Remove StatsLogEventWrapper.writeDouble. Statsd doesn't support actually
writing doubles into its proto reports, so having this function is
misleading (the data will get to statsd and then be completely ignored).
It's less confusing if we don't pretend it does something.

Change-Id: If80bab8ea938afa4632535bb88ff59879fbe8099
Fixes: 119111972
Test: cts-tradefed run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.UidAtomTests#testDeviceCalculatedPowerUse
Test: cts-tradefed run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.UidAtomTests#testDeviceCalculatedPowerBlameUid
Test: BatteryStatsHelperTest#testDrainTypesSyncedWithProto
2018-11-14 18:13:58 -08:00
Zimuzo
2efeeccad2 Fix location split-permission targetSdk
Ia5b3f47b73c9feea924373268a4eee142f555091 introduced a bug where the targetSdk for android.permission.ACCESS_FINE_LOCATION and android.permission.ACCESS_COARSE_LOCATION was set to 28 instead of Q (10000).

Test: CtsAppThatRequestsLocationPermission28.apk requests android.permission.ACCESS_COARSE_LOCATION and android.permission.ACCESS_BACKGROUND_LOCATION
Bug: 118882117
Bug: 111411340
Change-Id: I532379aa2c8a173a516d38e1c8568cff5dbaed33
2018-11-02 17:47:13 +00:00
Zimuzo
cc2932fd81 Grant split permission from config
Instead of defining split permissions in Java file, we now move them to XML allowing us to define vendor specific split permissions.

Test: Activity recognition is split correctly and auto granted when below split targetSdk.
Bug: 111411340
Change-Id: Ia5b3f47b73c9feea924373268a4eee142f555091
2018-11-01 16:08:27 +00:00
Treehugger Robot
6527b5bdd0 Merge "Whitelist com.android.proxyhandler for power"
2018-09-18 13:31:58 +00:00
Steven Moreland
f36ad62907 pm: Add hidl libraries to old class paths.
These two libraries:
android.hidl.base-V1.0-java
android.hidl.manager-V1.0-java

are being removed from BOOT_JARS. This change facilitates linking to them
for libraries or prebuilts in or before P.

Test: atest android.content.pm.AndroidHidlUpdaterTest
Bug: 77307025

Change-Id: Ic0db24cc68d66f5dbfab126ce7e304eec0bfc969
2018-09-12 09:18:40 -07:00
Sundong Ahn
e933cedf83 Build android.test.* with java_sdk_library
android.test.* are built with java_sdk_library and api files are added
by running "make update-api".

android.test.base_static is created for allowing to use
android.test.base as a static library.

Bug:77577799
Test: make -j
Test: make checkapi
Test: make checkapi fails with a random change in the txt file
Test: adb shell cmd package list libraries |\
      grep android.test.*
      And check the android.test.* libraries

Merged-In: Ia27612657532e50b077a9c55dbef59ee3ec04b8a
Change-Id: Ia27612657532e50b077a9c55dbef59ee3ec04b8a
2018-08-29 12:22:59 +09:00
Luis Hector Chavez
d2f1ca8c27 Whitelist com.android.proxyhandler for power
There are some scenarios under which com.android.proxyhandler is
considered by the framework as never being launched (e.g. if a PAC proxy
is added after a long wait time after an upgrade), which makes all of
its network traffic to be blackholed, due to it being subjected to the
fw_standby firewall chain. Given that all of the outgoing packets from
this app are being dropped, whenever Chrome WebView (or most other apps)
uses a PAC proxy for its networking, it is completely unable to initiate
outgoing connections.

This change whitelists com.android.proxyhandler so that this does not
happen.

Bug: 110762695
Test: dumpsys usagestats' | grep proxy
      ...
      package=com.android.proxyhandler u=0 bucket=5 reason=d ... idle=n

Change-Id: I9e4debc876cbdd2f6ba35928faff8c0beca77ae1
2018-08-15 07:17:37 -07:00
Yi Jin
8a54ff3fdb Merge "Fix cts." into pi-dev
am: 3e389a8490

Change-Id: I9d9ddb90f8917904187a022e27a7139e61276c75
2018-06-07 10:06:13 -07:00
Yi Jin
fae177363c Fix cts.
Bug: 109837886
Test: atest CtsIncidentHostTestCases:com.android.server.cts.IncidentdTest
Change-Id: I8cfc36b652fff4b7b4d752f57fba922ac479cd12
2018-06-06 18:08:01 -07:00
Sundong Ahn
1d0038a843 Merge "Build java.obex with java_sdk_library" am: ad769993a9
am: efb4ce221e

Change-Id: I31f65699193f026c7ed64a182b360791eee35608
2018-05-29 19:54:35 -07:00
Sundong Ahn
1c53cc161d Build java.obex with java_sdk_library
javax.obex is built with java_sdk_library and api files are added by
running "make update-api".
Remove java.obex from platform.xml, since it will be generated
automatically by soong when the library is built with java_sdk_library.

Bug:77577799
Test: make -j
      make checkapi

Change-Id: Ib94955e62582ffbdfc7eb88cd0e494c61757c7aa
2018-05-30 00:19:01 +00:00
Jiyong Park
c73b9e9e17 Shared lib def for org.apache.http.legacy comes from java_sdk_library
org.apache.http.legacy is now built using java_sdk_library. Since the
shared lib definition file for the lib is automatically created and
installed, we don't need to have duplicated entry for the lib.

Bug: 77577799
Test: m -j
Test: adb shell cmd package list libraries shows an entry for
org.apache.http.legacy

Merged-In: I06b356c2ba08abc6c1cece81daf7c1773ed93ed0
Change-Id: I06b356c2ba08abc6c1cece81daf7c1773ed93ed0
(cherry picked from commit 49c0a86955)
2018-05-22 20:43:51 +09:00
Jiyong Park
0201dc3911 Shared lib def for org.apache.http.legacy comes from java_sdk_library
org.apache.http.legacy is now built using java_sdk_library. Since the
shared lib definition file for the lib is automatically created and
installed, we don't need to have duplicated entry for the lib.

Bug: 77577799
Test: m -j
Test: adb shell cmd package list libraries shows an entry for
org.apache.http.legacy

Merged-In: I06b356c2ba08abc6c1cece81daf7c1773ed93ed0
Change-Id: I06b356c2ba08abc6c1cece81daf7c1773ed93ed0
(cherry picked from commit 49c0a86955)
2018-05-22 20:16:14 +09:00
Jeff Sharkey
6b64925737 Protect usage data with OP_GET_USAGE_STATS.
APIs that return package usage data (such as the new StatsManager)
must ensure that callers hold both the PACKAGE_USAGE_STATS permission
and the OP_GET_USAGE_STATS app-op.

Add noteOp() method that can be called from native code.

Also add missing security checks on command interface.

Bug: 77662908, 78121728
Test: builds, boots
Change-Id: Ie0d51e4baaacd9d7d36ba0c587ec91a870b9df17
2018-04-16 12:44:32 -06:00
Svetoslav Ganov
2d20fb47f4 APIs to watch active op changes
System signed components can watch for starting/finishing of
long running app ops. Also protected the APIs to watch op mode
changes with a signature permission for the cross-uid use case.

Test: atest com.android.server.appops.AppOpsActiveWatcherTest

bug:64085448

Change-Id: Id7fe79ce1de4c5690b4f52786424ec5a5d9eb0fa
2018-02-16 18:29:04 -08:00
Jeff Sharkey
86684240eb Media process should run with "write" access.
The WRITE_MEDIA_STORAGE permission had inadvertently been giving apps
the "default" view of storage.  This had worked for a long time,
since we also gave them the "sdcard_rw" permission, but a recent
security patch broke this for secondary users.

Apps holding this permission should have been mounted "write" all
along, and relied on that view to access storage devices.  This also
means they no longer need the "sdcard_rw" GID.

Test: builds, boots, secondary user media/camera works
Bug: 72732906, 71737806, 72224817
Change-Id: I5cd687a1e128024f33b4acd93c15e75192ed1c85
2018-02-03 15:33:04 -07:00
Paul Duffin
a3b692113c Conditionally remove android.test.base from bootclasspath
This makes the runtime handling of the android.test.base library
conditional based on a build flag REMOVE_ATB_FROM_BCP.

When REMOVE_ATB_FROM_BCP=true:
* The framework-atb-backward-compatibility is added to the
  bootclasspath instead of android.test.base.
* Any APK that targets pre-P (or has a dependency on android.test.runner)
  has android.test.base added to their library list.

Otherwise:
* The android.test.base library is added to the bootclasspath.
* Any APK that explicitly specifies that it depends on the
  android.test.base library has the library removed as the classes
  are available at runtime.

Added android.test.base to platform libraries so it can be used when
not on the bootclasspath.

Tested both cases by building with or without the build flag, flashing,
setting up, adding an account, adding a trusted place.

Also, tested that all combinations of REMOVE_ATB_FROM_BCP and
REMOVE_OAHL_FROM_BCP work.

adb install -r -g out/target/product/marlin/testcases/FrameworksCoreTests/FrameworksCoreTests.apk
adb shell am instrument -w -e class android.content.pm.PackageBackwardCompatibilityTest,android.content.pm.AndroidTestRunnerSplitUpdaterTest,android.content.pm.OrgApacheHttpLegacyUpdaterTest,android.content.pm.RemoveUnnecessaryOrgApacheHttpLegacyLibraryTest,android.content.pm.RemoveUnnecessaryAndroidTestBaseLibraryTest,android.content.pm.AndroidTestBaseUpdaterTest com.android.frameworks.coretests/android.support.test.runner.AndroidJUnitRunner

Bug: 30188076
Test: as above
Change-Id: I4b9d8a5bed6787cd334c2b13a458bbc0efc3f3b6
2018-01-29 11:48:44 +00:00
Yi Jin
974e56f141 Enable incidentd.rc also add dump and usage_stats permission to statsd
so it bypasses incidentd's permission check

Test: manual
Change-Id: I65b501fe46f66f9f62fedfcfc75aa17f29fc1076
2018-01-22 14:41:19 -08:00
Svet Ganov
82f09bcf93 No camera for idle uids - framework
If a UID is idle (being in the background for more than
certain amount of time) it should not be able to use the
camera. If the UID becomes idle we generate an error and
close the cameras for this UID. If an app in an idle UID
tries to use the camera we immediately generate an error.
Since apps already should handle these errors it is safe
to apply this policy to all apps to protect user privacy.

Test: Pass - cts-tradefed run cts -m CtsCameraTestCases
      Added - CameraTest#testCameraAccessForIdleUid

Change-Id: If6ad1662f2af6592b6aca1aeee4bd481389b5e00
2018-01-21 02:55:49 -08:00
Yi Jin
d1238e7b50 Merge "Fix permissions problems of incidentd."
2018-01-19 23:27:32 +00:00
Yi Jin
4bab3a191a Fix permissions problems of incidentd.
Test: manual
Change-Id: I4ee0d1f2349ee1a25a422cabf1b5b87c612710d2
2018-01-17 19:16:49 -08:00
Makoto Onuki
fb26332380 Put contacts/calendar providers in except-idle whitelist
Bug: 71911050
Test: Boot and dumpsys deviceidle
Change-Id: I544b660583c2752dadec920305b33b5a8557ce61
2018-01-17 13:23:50 -08:00