The implementation will filter apps eligible to receive exemption from
permission auto-revoke to just the apps that declare feature usage.
Having the manifest declaration is important for us to be able to
implement a whitelist policy.
Bug: 146513245
Test: lint/presubmit
Change-Id: I87652c276568bf2dd1c48f7cacebbc930334a7c4
Serialising package restrictions uses synchronous disk access; callers
of these methods should probably use background threads for this.
Bug: 149216360
Test: TreeHugger
Change-Id: I6607a7225bf7daaad8a78e4d1e4c585ba5ac3efc
Signed-off-by: Julius D'souza <jdsouza@google.com>
There may be policy critical apps that must not be suspended by the
user in a managed profile. The owner can now use either of the following
to block suspension of apps:
- DISALLOW_APPS_CONTROL: Blocks suspension of all apps in the user
- DISALLOW_UNINSTALL_APPS: Blocks suspension of all apps in the user
- setUninstallBlocked: Blocks suspension of a given package.
The same also block any DistractionRestriction from being set via
PackageManager#setDistractingPackageRestrictions. This is to make sure
the apps can still show notifications.
Since the owner should have the final call, these do not block the owner
from adding app suspensions itself. Whenever either of these are set,
any app suspensions that were not originally added by the owner are
lifted immediately and any distraction restrictions that were added are
removed.
Also, clear restrictions and suspensions if an app with SUSPEND_APPS
permission is disabled. Even though it is expected that UI not allow
such an app to be disabled, it is hard to enforce across all device
implementations. And a missed edge case would lead to permanently
unusable apps on the device.
This change also fixes a bug where any DistractionRestrictions set
weren't cleared on suspending app data clear.
Test: atest GtsSuspendAppsTestCases
Bug: 144826981
Bug: 145735990
Change-Id: I81a492e1d07a8cc9aeb0acd7e5142826824a42ae
Moves all system state out of AndroidPackage and into
PackageStateUnserialized, which lives inside a PackageSetting.
This makes AndroidPackage effectively immutable after it exits
the scan/install process.
Specifically, moves isUpdatedSystemApp, isHiddenUntilInstalled,
seInfoOverride, cpuAbiOverride, PackageUsage,
and sharedLibraryFiles/Infos.
Bug: 135203078
Test: atest com.android.server.pm.parsing
Change-Id: I44baab113f3b6b138472b15a61e0874173bc694f
Removes the massive old ComponentParseUtils in favor of
the new split classes.
Cleans up the parsing code to be uniform, removing the
String[] outError pattern in favor of ParseInput.
Bug: 135203078
Test: atest com.android.server.pm
Change-Id: I584ed37d4715300453dbe760d45d1eb4759b3dd3
Part of the Parsing/ParsedPackage split into core/server.
This splits all the "important" changes, or those which change
significant code/logic and that requires a closer look during
review.
Bug: 135203078
Test: enumerated in first commit of change ID
Ib4fe51d729a56bfb0ea1316e577358ba0dfceccf
Change-Id: Ie0e4394de2b3063121d850060fcd58622511c59d
* changes:
Clear preferred activities affected by MIME groups changes
Implement new API to modify MIME groups by adding/removing MIME types
Add mimeGroup tag to intent filters
This change adds two new flags for starting activities:
FLAG_ACTIVITY_REQUIRE_NON_BROWSER and FLAG_ACTIVITY_REQUIRE_DEFAULT.
The first will only start if the result is a non-browser result. The
second will only start if the result is not the resolver activity.
Bug: 148452357
Test: Builds
Change-Id: I1f25bd78b6231c08036c15436bd8c2e3dccf56d6
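The two flags described above, as an added example that is not part of the commit: a helper that hands a link to a verified non-browser default app and reports failure so the caller can fall back (for instance to its own in-app viewer) instead of leaking the link through a chooser or an arbitrary browser. The class and method names are illustrative; the flags and the ActivityNotFoundException behaviour are those of the shipped Android 11 Intent API.

```java
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;

/** Added example: launch a URI only if a non-browser default handler exists. */
public final class NonBrowserLauncher {
    private NonBrowserLauncher() {}

    /**
     * Returns true if the URI was delivered to a non-browser default app,
     * false if the caller should fall back to its own handling.
     */
    public static boolean openInNonBrowserApp(Context context, Uri uri) {
        Intent intent = new Intent(Intent.ACTION_VIEW, uri)
                // Start only if the resolved target is not a browser...
                .addFlags(Intent.FLAG_ACTIVITY_REQUIRE_NON_BROWSER)
                // ...and only if it is a real default, not the resolver/chooser.
                .addFlags(Intent.FLAG_ACTIVITY_REQUIRE_DEFAULT)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        try {
            context.startActivity(intent);
            return true;
        } catch (ActivityNotFoundException e) {
            // Either no non-browser app claims the URI, or several do and none
            // is the default, so the system refused to start the resolver.
            return false;
        }
    }
}
```

Without FLAG_ACTIVITY_REQUIRE_DEFAULT, the same call would still succeed when several non-browser apps match by bringing up the resolver; adding it makes the outcome deterministic, which is what a caller wants when the link is going to carry a token or other sensitive query parameter.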
MIME groups can now be modified via PackageManager.
MIME group modification will affect intent-filters
that were declared with that |mimeGroup| in manifest
in the same way, as if intent-filter was initially
declared with |mimeType| attributes that correspond to
MIME types in MIME group
Preferred activities will be handled in the next CL
Bug: 134736173
Bug: 136635677
Test: atest android.content.pm.PackageParserTest#testPackageWithIntentFilters*
Change-Id: I083a8794897e632aad5325a67311931193c69a3c
UsageStats will return obfuscated NOTIFICATION_SEEN or
NOTIFICATION_INTERRUPTION events to callers of #queryEvents
and #queryEventsForUser if they don't hold the MANAGE_NOTIFICATIONS
permission.
Additionally, refactor the query API in UsageStats to take in flags as
defined in UsageEvents to make future obfuscation/visibility parameters
cleaner.
Also, add the MANAGE_NOTIFICATIONS permission to shell for CTS test.
Bug: 144724524
Test: atest android.app.usage.cts.UsageStatsTest
Test: atest com.android.server.people.data.UsageStatsQueryHelperTest
Test: atest android.content.pm.cts.shortcutmanager.ShortcutManagerUsageTest
Change-Id: I118de7e589ac8dd5924d3740c70903fa484b79b5
UsageStats will not return LOCUS_ID_SET events to callers
of #queryEvents and #queryEventsForUser if they don't have visibility.
Bug: 148821246
Test: manual, atest tests/tests/app.usage/src/android/app/usage/cts/UsageStatsTest
Change-Id: Ic904a97e66775ef63bc8b84e67e8f430b2a4121b
Revert "Adjust monkey to changed internal APIs"
Revert "Test featureId is correctly used in startActivity"
Revert submission 10111030-activityStarter_featureId
Reason for revert: presubmit test breakage
Reverted Changes:
Ic7056b492: Activity start: Send featureId from context->AppOp...
I8e2a07da7: Adjust monkey to changed internal APIs
I7a6af6fb1: Test featureId is correctly used in startActivity
Change-Id: I48c55a962c990b22ea49e923baa7c73b121d179b
The expected usage pattern for noteOp is to get the
Context#getOpPackageName() and Context#getFeatureId() in the calling app
and then call
noteOp(callingPackageName, Binder.getCallingUid(), callingFeatureId)
As the featureId parameter is new, this parameter has to be piped all
through from the ...Manager classes running in the app all way deep into
the bowels of the system server.
There is a special featureId==null for the "default" feature. This is
used in two cases:
- In case the system server (packageName == null || packageName ==
"android") makes a call
- In the case there is no caller. In this case I left annotations in the
code to make clear that the default feature is used
Raw binder interfaces (defined in AIDL files) are not supposed to be
used by apps. Still historically this has happened and we ended up with
@UnsupportedAppUsage tags in these files. Also AIDL does not support
two methods with the same name but different parameters. I.e. in the
case when I had to add a parameter to a method tagged as UnsupportedAppUsage I
- created a new method ...WithFeature with the additional parameter
- set a maxTargetSDK for the old method and mention the public API to
use in the deprecation method
This is really not pretty. Once there is no more app using the old
internal API this hack can be removed.
Additionally this change removes all internal calls to
AppOpsService.noteOperation and AppOpsService.checkOperation and
replaces them with the public API equivalent. This sometimes means to
move the resolution of the mAppOpsManager to be lazy.
Exempt-From-Owner-Approval: Just piping through arguments
Bug: 136595429
Test: atest --test-mapping frameworks/base/services/core/java/com/android/server/am/
atest CtsAppOpsTestCases added test to cover activity start
atest WmTests
Change-Id: Ic7056b492cb1c9a79158e6c2b4864898a0eb5b2a
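The noteOp usage pattern the commit describes, as an added example that is not the commit's own code. It is written against the shipped Android 11 public API, in which the "featureId" of this change was renamed "attributionTag" (Context#getAttributionTag, Context#createAttributionContext, AppOpsManager#noteOpNoThrow with an attribution tag argument). The class, method names and the op chosen (OPSTR_CAMERA) are illustrative assumptions; the point shown is that the system service notes the op against the real calling uid, package and feature tag rather than against itself, and fails closed when the mode is not MODE_ALLOWED.

```java
import android.app.AppOpsManager;
import android.content.Context;
import android.os.Binder;

/** Added example: caller-side and service-side halves of feature-attributed noteOp. */
public final class FeatureAttributedOps {
    private FeatureAttributedOps() {}

    /** What the calling app's ...Manager sends across Binder with the request. */
    public static final class CallerIdentity {
        public final String packageName;
        public final String attributionTag; // null means the app's default feature

        private CallerIdentity(String packageName, String attributionTag) {
            this.packageName = packageName;
            this.attributionTag = attributionTag;
        }

        /** Calling app: read both values from the Context the feature is using. */
        public static CallerIdentity from(Context context) {
            return new CallerIdentity(context.getOpPackageName(), context.getAttributionTag());
        }
    }

    /** Calling app: attribute subsequent manager calls to one named feature. */
    public static CallerIdentity identityForFeature(Context appContext, String feature) {
        Context attributed = appContext.createAttributionContext(feature);
        return CallerIdentity.from(attributed);
    }

    /**
     * System service side, executed inside the incoming Binder transaction.
     * The uid comes from Binder, never from the caller's payload; AppOpsService
     * rejects a packageName that does not belong to that uid.
     */
    public static void noteCameraUseOrThrow(AppOpsManager appOps, CallerIdentity caller) {
        int callingUid = Binder.getCallingUid();
        int mode = appOps.noteOpNoThrow(AppOpsManager.OPSTR_CAMERA, callingUid,
                caller.packageName, caller.attributionTag, "camera opened via service");
        if (mode != AppOpsManager.MODE_ALLOWED) {
            // MODE_IGNORED and MODE_ERRORED are both treated as a denial.
            throw new SecurityException("Camera op denied for uid " + callingUid
                    + " package " + caller.packageName + " tag " + caller.attributionTag);
        }
    }
}
```

The reason the tag has to travel with the request, as the commit says, is that only the app knows which of its features is acting; the service can verify the uid and package but cannot reconstruct the feature, and noting without it collapses all of the app's usage into the default feature in the privacy attribution UI.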
Permissions that have the new wellbeing protection flag will be granted
to the retail demo app, as defined by the OEM in the system resource.
The PACKAGE_USAGE_STATS permission is updated to use the retailDemo
flag.
Bug: 146043112
Test: atest CtsPermission2TestCases:PermissionPolicyTest
Change-Id: I30b451e6e88a4d65af5e5f774bcd30a14721a8a9
Add locus update event to the Usage Stats.
Test: Build and run on a test device with a test app.
Bug: 147594233, 147100454
Change-Id: I1e058ac87244d47719606d8dcfaea2df4bff43d2
Signed-off-by: Yuliya Kamatkova <yuliyak@google.com>
Previous implementation was a direct callthrough to the public facing
method. This change deprecates the original method and introduces a new
method with the "Internal" suffix until we can clean up all uses of the
existing method.
Test: boots
Bug: 142386643
Change-Id: I86f92508f0236dbe611ac895fec0ad94f8e80afe
The flag PackageManager.DONT_DELETE_DATA was renamed to DELETE_KEEP_DATA
long ago in commit 7767eac.
Bug: 28343859
Test: n/a
Change-Id: I9e4079ec394f92a3e293df7b80b627e2b6130827
Added @SystemApi to all APIs currently used by TvProfileService that were @hide only.
Bug: 139914710
Test: Apps built with stable_system or experimental_system can use the APIs
Change-Id: I3499244b4d545a7a9401c7941663045bcd89c6fe
Add new manifest tags for declaring processes that an app
will use. While declaring these processes, one can specify
specific permissions that will be denied to that process.
Doing so will prevent any gids associated with that permission
from being given to that process, and any permission checks
that include a pid (which is not all of them) will fail when
checking a permission for that process.
For now, we limit these declarations to only the internet
permission, since we really need to do a lot of auditing to
determine how many other permissions can be denied (based on
how many permission checks for it are including the pid).
That said, this is explicitly not a security guarantee, so it
isn't a problem if there are ways around it (the process could
always IPC to another of the app's processes to do the same
thing).
One thing to be done is have the parser enforce that once an
app declares processes, it can only run things in those processes
and no others.
At this point the code is not yet tested at all. That will be
coming in later. This gets the APIs and various infrastructure
in place.
Bug: 143085640
Test: not yet tested
Change-Id: I27e8d0c811a5004fe251883f243517bb00d32d67
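A manifest using the process declarations this commit introduces, as an added example that is not part of the commit. Element names (processes, process, deny-permission) follow the commit's description and the Android 11 manifest; the package, component and process names are made up, and the sample assumes the later parser rule the commit mentions, namely that every component must run in a declared process.

```xml
<!-- Added example: withhold INTERNET from the process that parses untrusted input. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.viewer">

    <uses-permission android:name="android.permission.INTERNET" />

    <application android:label="Viewer">
        <processes>
            <!-- Main process keeps every granted permission. -->
            <process android:process="com.example.viewer" />
            <!-- Renderer process: the inet gid is not handed out and
                 pid-aware checks for INTERNET fail for this process. -->
            <process android:process=":renderer">
                <deny-permission android:name="android.permission.INTERNET" />
            </process>
        </processes>

        <activity android:name=".MainActivity"
            android:process="com.example.viewer" />

        <!-- Parses documents received from other apps; has no network. -->
        <service android:name=".RenderService"
            android:process=":renderer" />
    </application>
</manifest>
```

As the commit states, this is defense in depth rather than a security boundary: the renderer can still send the data to the main process over a Binder or socket and have it exfiltrated from there, so a real sandbox pairs this with a minimal, validated IPC surface between the two processes.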
Overlays targeting shared libraries should be loaded into the
resources of every target that depends on the shared library.
Static shared libraries are currently not supported because overlays
should override all versions of static shared libraries and there is
not currently support for an overlay targeting multiple APKs.
Also created a test instrumentation and host test suite for testing
overlays and packages on the system image.
Bug: 140790224
Test: atest OverlayRemountedTest
Change-Id: I20a217b6368d6cf92b2b9f46908fd58012933f72
Currently, the RollbackManager is not aware of the apk-in-apex being
installed since the install is done by PM during scan phase of boot. As
such, RM does not backup the user data of the apk-in-apex.
In the new implementation, we ask the RM to snapshot/restore user data
of apk-in-apex while resuming the apex session in StagingManager.
Bug: 142712057
Test: atest StagedRollbackTest#testRollbackApexWithApk
Test: atest AppDataRollbackHelperTest
Test: atest RollbackStoreTest
Test: atest RollbackUnitTest
Change-Id: Ibbaa5d0c98cb883588c085d77bc89c3e8217d76a
Setting a package as protected prevents user from clearing app data and
force stopping apps from Settings and Launcher. Added two apis
* setProtectedPackages()
* getProtectedPackages()
Bug: 135486391
Test: atest DevicePolicyManagerTest
Change-Id: I28858aca89a52ba06af033a24da43f394ed79a0e
Replace getSharedUserIdForPackage() and getPackagesForSharedUserId()
with a function to combine the two,
getSharedUserPackagesForPackage(). This satisfies all the existing use
cases with reasonably clean semantics, and avoids the need to
special-case the situation where the package doesn't have a shared
UID.
Clarify that the result is never null, and remove some redundant null
checks.
Fixes: 146418551
Test: atest PackageManagerTests
Change-Id: I8f34c9071434f908893437a5c6c89defaa5fd576
This information is needed to isolate apps' data directories.
Only normal app zygote forks require this info, as
- system process - Does not need data isolation
- app zygote - It's for generating isolated processes, so doesn't need
access to apps' data.
- webview zygote - Similar to isolated process, doesn't need to access
apps' data.
Bug: 143937733
Test: Able to see the package name, volume uuid, and inode number
for each visible package in zygote
Change-Id: I281e113d2a13d103c8967b37a06b639c5a5a8ff8
In the new COPE mode, some user restrictions should be applied globally
when called by the Work Profile PO.
Previously, the APIs addUserRestriction, clearUserRestriction and
getUserRestrictions did not support explicitly querying the parent
profile. This CL allows the WP DPC to now call these methods,
allowing the WP DPC to apply some restrictions globally.
This CL also introduces the enforcingUserId parameter to
setDevicePolicyUserRestriction. This new parameter is used as the
key of mDevicePolicyGlobalUserRestrictions and
mDevicePolicyLocalUserRestrictions.
Bug: 138709470
Test: Manual testing with testdpc
atest com.android.server.devicepolicy.DevicePolicyManagerTest
atest com.android.cts.devicepolicy.UserRestrictionsTest
atest com.android.server.pm.UserRestrictionsUtilsTest
atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testUserRestrictionsSetOnParentAreNotPersisted
atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testDevicePolicyManagerParentSupport
Change-Id: Idfafd100bfcb250998a8628aba4cc378f1fc2c84
Add a per-user job to prune any usage stats data which belongs to a
recently removed package. This job will be scheduled when a package is
removed and it will be executed when the device is considered to be
idle. The jobs are persisted by job scheduler and they are also removed
when a user is removed since all usage stats data is deleted on user
removal.
When executed, the job reads all of the stats on disk and removes those
that belong to removed packages (packages which don't have a token
mapping). If no data is omitted on read, a write is not performed. If
the user is in a locked state when the job is executed, the job will
keep getting rescheduled until a successful pruning of the data.
Additionally, add logic to prune any obsolete usage stats data on a
database upgrade, pruning all data belonging to packages which have
been uninstalled. This ensures that all data in UsageStats in R belongs
to packages that are currently installed or to packages whose
DONT_DELETE_DATA flag was set when uninstalling.
Also remove the clean-up mappings step on boot. That was added as a
safety measure to ensure the mappings file is always updated. However,
with the logic to prune on upgrade and on package uninstalls, that step
is now unnecessary.
This CL also refactors how the UserUsageStatsService is fetched and
initialized within UsageStatsService. This is to ensure there is no lock
contention when the user service is initialized and it also makes way
for other refactorings in the future related to the user service
initialization.
Bug: 143889121
Test: atest UsageStatsDatabaseTest
Test: atest android.app.usage.cts.UsageStatsTest
Change-Id: If475fc018a930d0956b85a64b4e34e2c75b2476f
Currently, uninstalling APEXs checks whether the userId is equal
to UserHandle.USER_ALL, but recent changes mean that this will
never be the case. Instead, pass the uninstall flags to
uninstallApex() and only uninstall if the DELETE_ALL_USERS flag
has been set.
Test: atest RollbackManagerHostTest
Bug: 145341792
Bug: 145313329
Change-Id: Iff02ae6d2aa6de2c824220f0248efb41d6190978
In the new COPE mode, some user restrictions should be applied globally
when called by the Work Profile PO. This CL introduces a new @IntDef int
parameter, called admin, which can be either DEVICE_OWNER, PROFILE_OWNER or
PROFILE_OWNER_ORG_OWNED_DEVICE.
If admin is PROFILE_OWNER_ORG_OWNED_DEVICE then specific user restrictions
will be added to the global bundle instead of the local bundle.
This CL also removes the parameter cameraRestrictionScope and isDeviceOwner.
Bug: 138709470
Test: UserRestrictionsUtilsTest
DevicePolicyManagerTest
UserRestrictionsTest
Change-Id: Iaa0abbac47708d2d54bcf6c3df582414dff5a6c3