It allows badging an image regardless of of the user (no
user id parameter). The styling for managed users is applied.
This is useful for new cases where the existing functions
wouldn't badge the icon, but we need it.
Bug: 25192539
Change-Id: I20ca2d7265cbc3a47c050a72ec1843cc0a481c74
Ensure we're using file paths from the correct package. Also cleans up
synchronization to avoid synchronizing on local variables which, while
not an issue in the current implementation, is generally unsafe.
Bug: 27313689
Change-Id: Ib8550909e7b02ea88d19ce2fc43756a16f9664ab
Similar to first patch, but now using new "rethrowFromSystemServer()"
method which internally translates DeadObjectException into
DeadSystemException. New logic over in Log.printlns() now
suppresses the DeadSystemException stack traces, since they're
misleading and just added pressure to the precious log buffer space.
Add some extra RuntimeInit checks to suppress logging-about-logging
when the system server is dead.
Bug: 27364859
Change-Id: I05316b3e8e42416b30a56a76c09cd3113a018123
An attacker could downgrade a package to an older version with known
security vulnerabilities and then use some of the vulnerabilities to
access the application's data. This would constitute a bypass of
Android Application Sandbox. Thus, downgrading while keeping
application data is no longer permitted.
To help developers debug their apps, packages marked as debuggable can
still be downgraded while keeping their data. This does not put the
installed base at risk because, as a security measure, most
application stores reject packages marked as debuggable.
To downgrade a non-debuggable (i.e., release) package, uninstall the
package (thus wiping its data), then install the older version of the
package.
Bug: 27327503
Change-Id: Iac75ed3c3831b5d925dfd8b660527cfa95813da8
Once the ephemeral user stops, the user's deletion is scheduled.
It takes a while before the user actually disappears and it is not
desirable for the user to be re-entered in the meantime.
Mark the user as disabled on stop and check this flag
in the activity manager to prevent the user from being switched
to again. Also hide the user from user-switching UI.
BUG: 26795729
BUG: 26780152
Change-Id: I83a61674958954b5a210114b88ffa5ae55922c1f
Developers usually do not need to check the result of getDrawable(), so
we shouldn't be annotating it like they do.
Bug: 27134828
Change-Id: I0db0ca806fd89c18781da452fe3f31ef344f3cca
There are some permissions that were removed from the platform
and guard nothing but legacy apps may be checking them before
calling APIs. Hence, these apps should get the permissions as
expected despite them being a no-op. To address this the platform
declares removed permissions as normal permissions that are hidden
such that legacy apps can always get them. These permissions are
not shown in the UI. Play needs a way to filter out these
permissions like the platform as they have permissions UI too.
bug:23361760
Change-Id: I10f442dfc09a299ddc5480d8bf2db0bd786aec62
FEATURE_VULKAN_HARDWARE_FEATURES describes the feature set supported
by the device hardware and driver. FEATURE_VULKAN_HARDWARE_VERSION
describes the Vulkan API version supported by the driver, which may be
lower than the API version supported by a particular Android release.
Bug: 26583896
Change-Id: Ia3e6be496abf631cb677eb838d632d3c7b4dd24b
Add a separate system service RecoverySystemService to handle recovery
related requests (calling uncrypt to de-encrypt the OTA package on the
/data partition, setting up bootloader control block (aka BCB) and etc).
We used to trigger uncrypt in ShutdownThread before rebooting into
recovery. Now we expose new SystemApi (RecoverySystem.processPackage())
to allow the caller (e.g. GmsCore) to call that upfront before
initiating a reboot. This will reduce the reboot time and get rid of the
progress bar ("processing update package"). However, we need to reserve
the functionality in ShutdownThread to optionally call uncrypt if
finding that's still needed.
In order to support the update-on-boot feature, we also add new
SystemApis scheduleUpdateOnBoot() and cancelScheduledUpdate() into
android.os.RecoverySystem. They allow the caller (e.g. GmsCore) to
schedule / cancel an update by setting up the BCB, which will be read by
the bootloader and the recovery image. With the new SystemApis, an
update package can be processed (uncrypt'd) in the background and
scheduled to be installed at the next boot.
Bug: 26830925
Change-Id: Ic606fcf5b31c54ce54f0ab12c1768fef0fa64560
This partially reverts the previous commit [1], which allowed special
components to be granted some pre-configured default permissions.
With this CL, we no longer grant Contacts permissions to pre-installed
IMEs. Rationals are:
1. Even without this CL, not the all pre-installed IMEs are granted
Contacts permission by default, because it was done during the boot
time where InputMethodManagerService is not yet completely
initialized. The current behavior is confusing not only for users
but also for developers.
2. In almost all the cases, IMEs are supposed to be able to work
without Contacts permission. Hence it is not too late to ask users
to grant the permission to the IME after the initial setup is
completed.
3. It is difficult to add new features such as File-Based Encryption
(FBE) with keeping the current implementation, because currently we
dynamically call mSettings.setCurrentUserId(userId) just to
enumerate what IMEs will be enabled for a given user. Adding
another condition (whether the user has already unlocked the device
or not) would make things more complicated.
Note that LatinIME has already support the case where Contacts
permission is not granted by default. It does not ask users for
anything until Setup-Wizard is completed, and requests Contacts
permission only when the user taps a message in the suggestion strip
that suggests users to use contacts name for typing suggestions.
[1] If8b8cadbd1980ffe7a6fc15bbb5f54a425f6e8f9
adc1cf4604
Bug: 24756974
Bug: 26743676
Change-Id: Ief2a40b5971b3eb97d765f934d20ce7f2ef25665
An app can now declare that it really needs to be backed up
whenever possible even if it is currently engaged in foreground-
equivalent work. Only applies to full-data backup clients: key/value
backups are not intrusive on normal lifecycle so they can already
happen in such circumstances.
Bug 26790411
Change-Id: Ia0ebcc7a53da888ae9ae4d63cd4bcab6e3a2e866
Backup requires both CE and DE storage to be available, so delay
spinning up the backup system until the user is unlocked, since
that's when CE storage becomes available. Note that devices without
FBE immediately transition USER_SYSTEM into the unlocked state,
since their CE is always available.
Offer to backup and restore files under both CE and DE. Since DE
is effectively the same as CE, most logic is simply duplicated for
now, but it could be simplified in the future. Since system apps
can force their default storage location to DE, we always build
explicit CE and DE paths.
Add getDataDir() to give clean access to the top-level private data
directory, but disclaim that apps shouldn't create files there.
Bug: 26279618
Change-Id: Ic34a4b330223725db93b1d0f5c9dffc88002c61f
This change makes StorageManager.getVolumesList(),
StorageManager.getPrimaryVolume(), and StorageVolume public and adds a
buildAccessIntent() in the latter to automatically generate the
ACTION_OPEN_EXTERNAL_DIRECTORY intent, but it doesn't change the
ACTION_OPEN_EXTERNAL_DIRECTORY implementation yet (i.e., it still takes an URI with the physical path of the directory, instead of a StorageVolume and
a directorny name).
BUG: 26742218
Change-Id: I36c59c42b6579e125ec7f03c3af141260875a491
Refactor setPackageSuspended into setPackagesSuspended. The rationale
is that the consumers of this API are likely to want to remove
multiple packages at once. Rather than calling the API N times, call
it just once.
The good part is that we already have the broadcast intent for
suspended packages take an array so only one broadcast. Less stress
on the system.
Another good part is that (right now) we only have one consumer of
this API and it will be easy to make changes once this CL goes in.
As a shell command, for consistency only allowed one package at
a time.
Bug: 22776761
Change-Id: Ic8b8cf64d0a288ea3a282bb7b72f9d663b3b0049
Instead of always rebuilding the full ApplicationInfo for a
package when callers are only interested in the suspended status
add a new fast API in Packagemanager (which only checks the
suspended user setting for the requested package and returns
a boolean) and change the appropriate caller code too.
Bug: 26794775
Bug: 22776761
Change-Id: Ide8428ef734479360d5a8a75fd8e0ed8ddf2da7a
We were previously only doing it for SCREEN_ORIENTATION_UNSPECIFIED,
but there are other orientation settings that aren't fixed that we
need to handle.
Change-Id: If21fcd8312b6267407d94b6646158ac6eae44b44
We're starting to see more instances of device features that will
increment separately from the SDK API level, such as camera HAL,
GPU capabilities, Bluetooth, and other hardware standards.
This change adds the ability for device features to specify a
version, which is defined to be backwards compatible. That is, apps
requesting an older version of a feature must continue working on
devices with a newer version of that same feature.
When a version is undefined, we assume the default version "0".
Bug: 27162500
Change-Id: If890bf3f3dbb715e8feb80e7059a0d65618482ea
Allow launcher to see and attempt to launch non-crypto
aware application when profile is locked.
Hide unlock notification until parent user is unlocked.
Have unlock notitication use confirm credentials to unlock
the profile.
Updated notification strings as per suggestions in mocks
to make it clearer between users and profiles.
Bug: 27038260
Change-Id: If2d2c8148670d814544f4edd44193d15da32a289
We feel this experience is better than the 2-finger gesture.
Added ActivityInfo.RESIZE_MODE_FORCE_RESIZEABLE resizeMode
to indicate we are force resizing an app.
Bug: 27132829
Bug: 26847884
Change-Id: I65db2de0d9f3f171cc3bb136cc1282b3ef3549b0
Adds a bindService variant to run the ServiceConnection callbacks
on a dedicated Handler.
Changes KeyguardService binding to use the foreground thread
instead of the main thread and changes state to the
KeyguardScrim on the UI thread.
Bug: 26954967
Change-Id: I9d7bd85382816cd0e23772b14ff6518266a9d232
The servcies shared lib contains components apps can invoke such
as services to bind to, activities to start, UI choosers, etc.
This lib is built from AOSP code but an OEM may chage its
package name. For example, Google renames the package names for
GMS apps from android.foo.bar to com.google.android.foo.bar.
While we have more than one shared lib that are a part of the
platform (currently shared and services libs) the serivces lib
is the only one clients need to start components in, thus need
to know its package name. This change adds an API to query the
package name of the services shared lib. The API is hidden as
currently the only clients are a part of the system.
Change-Id: Ied48fa4819024522791764b22b3336d4f4b42cc3
Bug: 26874366
On Multiarch apps, it might be necessary to prioritize 32bit Abi ahead
of 64bit ones. The use32bitAbi flag enables this.
This CL also reverts the public api changes in I2c1fd1d036efe72b28b5fe996416df69a583959f and Ie3ecea6d84e2cb1522e736a21c3a3a24ac62eb27. Previously
the same functionality was provided using a raw abi string that
utilized cpuabioverride flag.
Change-Id: Idce3cbfedd11ef9079ce8a2901e69d30b1cf9ef4
This change introduces the ability to have multiple packages per
APK. The feature is currently restricted to privileged apps and
updates to such apps.
In essence the manifest can have multiple child package declarations.
A child package can declare everything an Android package can except
some tags or attributes that are not applicable and instead inherited
from the parent when needed. For example, the target SDK of the parent
applies to all children.
A child package can be updated only through the parent package.
A package with multiple child packages is installed, uninstalled
atomically - no partial installs where some child packages are not
installed.
The remaining work is to ensure broadcasts are also sent for child
packages. This will come in a subsequent change.
Sample app:ag/848432
Design doc: https://docs.google.com/document/d/18nFWtJuZchLxrHf5SBbJW03-Ky9Rh_G0-OVB14b6u78
Change-Id: I6fd021d981bf5786290e0c53502724a14c97358c
When a system app requests "forceDeviceEncrypted" they expect their
default app storage to point at a consistent location regardless of
device FBE support. So when booting upgraded non-FBE devices, we
may need to migrate any data from CE to DE. Note that on non-FBE
devices these are just semantic locations with identical protection.
This migration *only* works for non-FBE devices; changing
forceDeviceEncrypted flags on an FBE device always requires a full
data wipe.
Bug: 26668510
Change-Id: Ic5dfeaaf2db26c385901a638ca8ec35eb3c52859
Whitelist two more legacy intent actions, and don't enforce the
StrictMode checks when resolving intents that might be coming from
legacy apps. Newer apps would have already been yelled at directly
before getting to the resolver.
Bug: 26976516, 26977622
Change-Id: Ibf72a361ed68c52cfaac16c32ab40e79005a42e7
