This change adds a mechanism for restricting permissions (only runtime
for now), so that an app cannot hold the permission if it is not
whitelisted. The whitelisting can happen at install or at any later point.
There are three whitelists: system: OS managed, with default grants
and role holders being on it; upgrade: only the OS puts apps on this list
when upgrading from a pre- to post-restriction permission database
version, and the OS and installer on record can remove; installer: only
the installer on record can add and remove (and the system, of course).
Added a permission policy service that sits on top of permissions
and app ops and is responsible for syncing between permissions and app
ops when there is an interdependency in any direction.
Added versioning to the runtime permissions database to allow operations
that need to be done once on upgrade, such as adding all permissions held
by apps pre-upgrade to the upgrade whitelist if the new permission version
introduces a new restricted permission. The upgrade logic is in the
permission controller and we will eventually put the default grants there.
NOTE: This change is reacting to a VP feedback for how we would handle
SMS/CallLog restriction as we pivoted from role based approach to roles
for things the user would understand plus whitelist for everything else.
This would also help us roll out softly the storage permission, as there
is too much churn coming from developer feedback.
Exempt-From-Owner-Approval: trivial change due to API adjustment
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.PermissionsHostTest
Test: atest CtsPermissionTestCases
Test: atest CtsPermission2TestCases
Test: atest RoleManagerTestCases
Bug: 124769181
Change-Id: Ic48e3c728387ecf02f89d517ba1fe785ab9c75fd

We were persisting jobs' battery-not-low constraints but were not
properly restoring that constraint when the job was inflated at boot.
This could result in a runtime bootloop (!) if the job had no other
constraints, requiring a factory reset to restore the device to
usability.
We now:
* properly inflate the battery-not-low constraint;
* persist & inflate the storage-not-low constraint, which previously was
being stripped entirely and could result in a similar crash-at-boot;
* ignore the job rather than crash the system if one is inflated into
a non-viable state; and
* formally test previously-untested constraint persistence
Bug: 130012063
Test: atest $ANDROID_BUILD_TOP/frameworks/base/services/tests/servicestests/src/com/android/server/job/JobStoreTest.java
Test: atest CtsJobSchedulerTestCases
Test: JobStoreTest with forced throw in JobInfo.Builder#build()
Change-Id: Ia3ab1eb16aeaa85336409368b4340622cec19f4c

Make errors in ApplicationLoaders caching hard failures since they are
only ever expected under bad configuration. Tests for these are also
added.
Test: atest android.app.ApplicationLoadersTest
Bug: 128529256
Change-Id: Ib259bcdf472e6a2f7f6b1071bb70cfead4502231
(cherry picked from commit 0975a412b3)

Inform ART about the location of the app's data directory when setting
up the process. This is part of an optimization that has ART cache
verification data into that directory.
Test: compiles, boots
Bug: 72131483
Change-Id: Ic80526b6ee383733eb5860e66f6c608109d838fb

Tidy up InstallSystemUpdateCallback#UPDATE_ERROR_UPDATE_FILE_INVALID
javadoc.
Test: Javadoc change only
Change-Id: I114c60ec330c1cea96a187f727570373b4e7f3bc

This is needed by Tinker, a hotfix framework commonly used in China, so
it can continue working in Q.
Bug: 129726065
Test: m
Change-Id: Ie559b1bd9ad256de789e387c3f2b182bd761d23f

For service and provider bindings from TOP and
FOREGROUND_SERVICE apps, don't elevate bound apps
to above BOUND_FOREGROUND_SERVICE.
For service bindings, it is possible to explicitly
request the binding to match the foreground app
such that the bound app can get similar privileges
of foreground permissions.
For instance, when a foreground service has a location
type, providers it binds to don't automatically get the
location privilege. On the other hand, sometimes apps
showing UI want to treat their dependencies also as if
they are showing UI.
This change does not affect the oom_adj calculation,
only the proc state calculation for bound processes.
New BIND_INCLUDE_CAPABILITIES flag can be used to restore old
behavior for bound services.
Introduces a new state PROCESS_STATE_BOUND_TOP
Bug: 128337543
Test: atest CtsAppTestCases:ActivityManagerProcessStateTest
Change-Id: I13733e7f43a78903299254bc110cd8f7a8db4c40

- Also remove typed media permissions
- Leave typed media app-ops
Bug: 129716569
Test: Used apps, looked at permissions in the UI
Change-Id: If7714fb1a6955584157e1a60ab72b09e35287827

Since this is no longer called in ART, pass it down in bind application.
Bug: 37291459
Test: test-art-host
Change-Id: I23623e9b8e9ca6261d90cc1ae1c5d8c24cc4eba5

Fix the javadoc of DevicePolicyManager#setAutoTimeRequired to mention
that PO support is only from O onwards.
Fixes: 126325573
Test: Javadoc change only
Change-Id: Ib415e20a312d2cc454843562bff6cc0eb1e98244

Change the javadoc of isManagedKiosk and isUnattendedManagedKiosk to
reflect feedback from the CDD update process at http://b/124358598.
Bug: 124358598
Fixes: 129458503
Test: Javadoc only
Change-Id: Iad69be116ccd62ff8091d1be412a06afdd714603

The DATA column points at raw filesystem locations, which aren't
always valid when an app is placed into a sandbox, so apps need to
move away from using them.
We had hoped to block this access based on an app targeting Q, but
we've received feedback that it's too painful for apps to transition,
so we'll continue returning paths that can be translated.
Also reduce CPU usage by skipping permission checks when not
processing an IPC, such as when called by ModernMediaScanner.
Bug: 128452447, 125725916
Test: atest --test-mapping packages/providers/MediaProvider
Change-Id: Ibd41d8ddedfaf9807333560b2d8e64e42ea7a1ba

* changes:
Revert ContextImpl LoadedApk packageInfo caching workaround
Fix AssetManager2 isUpToDate check
Diff resource dirs when checking LoadedApk packageInfo cache in ActivityThread
Diff overlays between PackageManagerService and OverlayManagerService
Propagate base code path and split dir changes to Resources objects

This adds a request to ActivityManager to track the system server's pss heap
and make sure it doesn't go above a predefined limit. If it does, the dump is
generated and a notification is posted.
Bug: 77490269
Test: flash device and test with 100MB and 150MB limits
Change-Id: Ie886cc36860e8557fbd037b3bfd4975d12806a4b

Reverts changes made for b/120987987 that are no longer necessary
with changes for b/124363683.
Test: manually built, enabled/disabled FontCursiveMonospaceOverlay
Change-Id: Ied18a412d30514b40cc720d9a1af5c0d2053d795