Delay mounting of storage devices until after the user is unlocked,
which means any emulated storage areas will be ready for use. Track
separate per-user unlocked states for local versus system lifecycle
state.
Switch to explicitly lock or unlock user keys during boot of a
device without native FBE support. This allows us to recover when
the user has disabled emulated FBE.
Force reboot when changing FBE emulation state.
Bug: 26010607, 26027473
Change-Id: Idaf8b63e69f886ddbd848a9fab6d143a5fd10500
Quiet mode means the user will be free from visual and audio interruptions
from apps inside the managed profile, including notifications, widgets and
others. This CL adds the underlying state bit to users and exposes various
APIs to control and query the quiet mode state.
Bug: 22541941
Change-Id: If5f8e5a897843050e83b6ec26cb39561098f12b9
Certain system services would like to throw exceptions
with specific error codes, so that the framework can catch
these specific conditions and express them appropriately.
Bug: 25800533
Change-Id: I94b3d30fa131f5e14bba893c971615840085459f
The system can now boot in a "locked" state where only encryption
aware (EA) components can be safely started. When in this state,
PackageManager already filters away non-EA components, but system
services like AccountManager and SyncManager need to carefully handle
these temporarily "missing" components.
As a guiding principle, all known Accounts are still present when
the device is locked, but communication with underlying non-EA
authenticators is blocked.
To keep things simple for now, all SyncManager requests are kept
dormant until the user enters the unlocked state.
The core of this logic is that RegisteredServicesCache now works
with all components regardless of EA status, which prevents us from
accidentally thinking a service was removed when the user is locked.
Bug: 25945136
Change-Id: I8714121f6236b00821769023c4df7de1c8a99944
* Add a new --ephemeral argument to 'adb install'
* Add plumbing to internally track ephemeralness
* Create new app directory for ephemeral installs
Bug: 25119046
Change-Id: I1d379f5ccd42e9444c9051eef2d025a37bd824fe
Make the meaning of CONTENTS_FILE_DESCRIPTOR more explicit, and
emphasize that describeContents() applies to the current object
instance, not to the class generically.
Change-Id: Ie5010e24c2e57bdc6c982249adb9d4c871d46f5a
It forces the user to stop instead of going into the background. Also
changed behavior of stopUser method. Now it also attempts to stop related
users along with the specified userId.
Based on ag/807976, with the only difference that it's now a user restriction.
Bug: 24579258
Bug: 24708668
Change-Id: I357298908816fc58feeed83b7e9979fc33d25da6
The body of {@code} must not be HTML escaped. This is one of
several changes that fix the source in conjunction with a
doclava fix.
Bug: 25757239
Change-Id: Ib38a0fa2dd2a3d68e467f78a812071e763d7e881
For some markets we have to allow the user to review permissions
for legacy apps at runtime despite them not supporting the new
permission model. This is achieved by showing a review UI before
launching any app component. If an update is installed the user
should see a permission review UI for the newly requested
permissions.
To allow distinguishing which permissions need a review we set
a special flag in the permission flags that a review is required.
This flag is set if a runtime permission is granted to a legacy
app and the system does not launch any app components until this
flag is cleared. Since install permissions are shared across all
users the dangerous permissions for legacy apps in review mode
are represented as always granted runtime permissions since the
reivew requirement is on a per user basis.
Whether the build supports permission review for legacy apps is
determined by a build constant allowing us to compile away the
unnecessary code for markets that do not require a permissions
review.
If an app launches an activity in another app that has some
permissions needing review, we launch the permissions review
UI and pass it a pending intent to launch the activity after
the review is completed.
If an app sends a broadcast to another app that has some permissions
needing review, we do not deliver the broadcast and if the sending
app is in the foreground plus the broadcast is explicit (has a
component) we launch the review UI giving it a pending intent to
send the broadcast after the review is completed.
If an app starts a service in another app that has some permissions
needing review, we do not start the service and if the calling app
is in the foreground we launch the review UI and pass it a pending
intent to start the service after the review is completed.
If an app binds to a service in another app that has some permissions
needing review, we schedule the binding but do not spin the target
service's process and we launch the review UI and pass it a callback
to invoke after the review is completed which spins the service
process and completes the binding.
If an app requests a content provider in another app that has some
permissions needing review we do not return the provider and if
the calling app is in the foreground we show the review UI.
Change-Id: I550f5ff6cadc46a98a1d1a7b8415eca551203acf
Now that the activity manager keeps track of per-uid process states,
we can push that already rolled-up data into battery stats to directly
track the times in those states.
The problem with the reporting was actually that we weren't dealing
correctly with negative process states, which is now fixed. (It was
interpreting them as FOREGROUND rather than not running.)
Also split out a number of new states -- TOP, FOREGROUND_SERVICE,
TOP_SLEEPING -- from FOREGROUND. This should allow us to get a much
better idea of how much an app has been actively in use: TOP is when
it is directly visible to the user or in use by such, FOREGROUND_SERVICE
is when it is running in the background in a way the user is aware of.
Also when reporting these numbers, they are no longer added together as
reported but kept as separate times.
Change-Id: I6d307503a4b4ad5c0d5d49305ef63f8eb858e2c9
Use restrictions from mGuestRestrictions when creating a guest. Initially
phone calls, SMS and installing from unknown sources is not allowed.
Bug: 25904144
Bug: 25729516
Change-Id: I461c492ad64842d3707f73dfd83b533aa31b63ef
Add support for reading and writing double arrays in
Parcel.readValue() and Parcel.writeValue.
Also, remove some trailing whitespaces in Parcel.java.
BUG: 25848659
Change-Id: Ib5430f492df4195051b83d9bf2b5163ec684bbff
- Also make sure DPMS.mOwners is always guarded with DPMS.this.
(and remove synchronization from Owners.)
Bug 25796840
Change-Id: I83f7b78e7b437d9c2a2b1d6e714346cd15f95330
Now that we don't have UM.setUserRestriction*s*() that could remove
all existing restrictions, there's almost no point handling
DISALLOW_RECORD_AUDIO differently.
Now DISALLOW_RECORD_AUDIO is handled just like other restrictions,
except we don't persist it.
Bug 24954662
Change-Id: I27875b4a74dd95a3ce6bb774081eeaf718eaec15
Due to org.apache.harmony.security package removal,
RecoverySystem#verifyPackage was rewritten to use
sun.security.pkcs package for verifining package
signature.
(cherry-picked from 84acbd76f7e1300e8404ac1b94f008826f9cc0fb)
Change-Id: I3a2058982beadab1aaae793c25db5c6f7387a72b
- Now when DO/PO sets a user restriction, DPMS pushes it to UMS and
then UMS persists it, in order for UserManager.hasUserRestriction()
to never have to talk with DPMS, which would cause lock inversion.
- Also apply user restrictions when a user start.
- This is an updated version of the abandoned CL -- the difference
is, ActivityManager no longer has to call DPMS.
- Also removed an unnecessary write to userlist.xml in UMS.
upgradeIfNecessaryLP().
Bug 23902097
Bug 25388912
Bug 25354031
Bug 25641040
Change-Id: I0948aea06ad7d0f45fe612a431d765faddfe3c58
Add new "am unlock-user" command so we can trigger changes from the
command line.
Move FBE check to static method so it can safely be called early
during boot before the mount service is ready. Move FBE emulation
to persisted system property, and start reading/writing that value.
Change default permission grants to ignore current encryption-aware
flags, since many of the target apps aren't crypto aware.
Always prepare package data directories, which is how we create the
new "user_de" paths during boot.
Bug: 22358539
Change-Id: I6f58ea2d34b3a466d3775d614f8a13de92272621
- Cleanup: rename the "open copy destination" action to "pick copy
destination", which better reflects what it does.
- Move DocumentsIntent from BaseActivity to Shared.
- Rename ACTION_BROWSE_DOCUMENT_ROOT to ACTION_BROWSE for general browsing.
- Use the new ACTION_BROWSE to open the copy destination when copy
notifications are tapped.
BUG=23137963
Change-Id: I10480b45a16ce716febac5453cb5015d26bb0062
